From 4cd4aa1675df4a3d5187add9252a553fac4c0770 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 7 Jul 2020 15:13:02 +0200
Subject: [PATCH 01/19] Fix assertion in fields validation
---
libbeat/scripts/generate_fields_docs.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py
index ecedb17d7b6..f25ebc00779 100644
--- a/libbeat/scripts/generate_fields_docs.py
+++ b/libbeat/scripts/generate_fields_docs.py
@@ -121,9 +121,8 @@ def fields_to_asciidoc(input, output, beat):
 for field in section["fields"]:
 name = field["name"]
 if name in fields:
- assert field["type"] == (fields[name]["type"], 'field "{}" redefined with different type "{}"'.format( name, field["type"]))
+ assert field["type"] == fields[name]["type"], 'field "{}" redefined with different type "{}"'.format( name, field["type"])
 fields[name].update(field)
 else:
 fields[name] = field
From 2453c87f7ebe44e77571ab3722a6416e5bab1cd1 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 7 Jul 2020 11:57:40 +0200
Subject: [PATCH 02/19] Terminate fortinet fileset docs
---
x-pack/filebeat/module/fortinet/_meta/docs.asciidoc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
index a879cd60e06..fb967629981 100644
--- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
@@ -59,6 +59,8 @@ A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`.
+:fileset_ex!:
+
 [float]
 ==== Fortinet ECS fields
From 44d6e9951970923009cc0a2f707747ba55c66f04 Mon Sep 17 00:00:00 2001
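Review bot: The corrected assertion on the `+` line still reports only the redefining type, so when it fires the reader must go back to the fields files to find which type `fields[name]` already had; and because it is an `assert`, the whole check vanishes under `python -O`, after which `fields[name].update(field)` silently merges two definitions that disagree on type. An explicit check that names both types avoids both problems: `if field["type"] != fields[name]["type"]:` / `raise ValueError('field "{}" redefined with different type "{}" (was "{}")'.format(name, field["type"], fields[name]["type"]))`. fields_to_asciidoc starts before the hunk and continues after it.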
From: Adrian Serrano
Date: Mon, 6 Jul 2020 16:18:16 +0200
Subject: [PATCH 03/19] Drop @timestamp for comparison in a few new filesets
This is caused by the log generator not being able to add valid timestamps to the logs.
---
filebeat/tests/system/test_modules.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 731b6c194d6..3cbe147525a 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -228,8 +228,24 @@ def clean_keys(obj):
 # ECS versions change for any ECS release, large or small
 ecs_key = ["ecs.version"]
 # datasets for which @timestamp is removed due to date missing
- remove_timestamp = {"icinga.startup", "redis.log", "haproxy.log", "system.auth", "system.syslog", "cef.log", "activemq.audit", "iptables.log", "cisco.asa", "cisco.ios"}
+ remove_timestamp = {
+ "activemq.audit",
+ "barracuda.waf",
+ "bluecoat.director",
+ "cef.log",
+ "cisco.asa",
+ "cisco.ios",
+ "f5.firepass",
+ "haproxy.log",
+ "icinga.startup",
+ "imperva.securesphere",
+ "infoblox.nios",
+ "iptables.log",
+ "rapid7.nexpose",
+ "redis.log",
+ "system.auth",
+ "system.syslog",
+ }
 # dataset + log file pairs for which @timestamp is kept as an exception from above
 remove_timestamp_exception = {
 ('system.syslog', 'tz-offset.log'),
From ce6baeff0c2fd675cc98351974a33193a81bc6ef Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 13 Jul 2020 10:23:06 +0200
Subject: [PATCH 04/19] Ignore custom rsa key in addition to `@timestamp` in tests
---
filebeat/tests/system/test_modules.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 3cbe147525a..727775d8fa7 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
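Review bot: The comment above the rewritten `remove_timestamp` set still reads `# datasets for which @timestamp is removed due to date missing`, while the commit message gives the real reason: the generated sample logs carry no valid timestamp. That distinction matters because every fileset added to the set loses timestamp-parsing coverage in this test, so a regression in how those pipelines populate `@timestamp` would pass unnoticed; a comment such as `# datasets whose sample logs are synthetic and carry no valid date: @timestamp is dropped from the comparison, so timestamp parsing is untested for them` records the trade-off for the next maintainer. The existing `remove_timestamp_exception` pairs already allow a real capture added later for one of these datasets to keep `@timestamp`, which is worth mentioning alongside. clean_keys starts before the hunk and continues after it.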
@@ -269,6 +269,8 @@ def clean_keys(obj):
 if obj["event.dataset"] in remove_timestamp:
 if not (obj['event.dataset'], filename) in remove_timestamp_exception:
 delete_key(obj, "@timestamp")
+ # Also remove alternate time field from rsa parsers.
+ delete_key(obj, "rsa.time.event_time")
 else:
 # excluded events need to have their filename saved to the expected.json
 # so that the exception mechanism can be triggered when the json is
From 3bafcf30d372514060c93e40e7ed9fa7835c56f0 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 7 Jul 2020 20:31:33 +0200
Subject: [PATCH 05/19] Update cisco docs to mention new fileset
---
filebeat/docs/modules/cisco.asciidoc | 1 +
x-pack/filebeat/module/cisco/_meta/docs.asciidoc | 1 +
2 files changed, 2 insertions(+)
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
index ec13e658c7f..5405762bbe4 100644
--- a/filebeat/docs/modules/cisco.asciidoc
+++ b/filebeat/docs/modules/cisco.asciidoc
@@ -16,6 +16,7 @@ filesets for receiving logs over syslog or read from a file:
 - `asa` fileset: supports Cisco ASA firewall logs.
 - `ftd` fileset: supports Cisco Firepower Threat Defense logs.
 - `ios` fileset: supports Cisco IOS router and switch logs.
+- `nexus` fileset: supports Cisco Nexus switch logs.
 Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
index 477bc2f86a1..4d9f80121f2 100644
--- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
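Review bot: The added `delete_key(obj, "rsa.time.event_time")` runs for every dataset in `remove_timestamp`, not only the rsa-based ones the new comment names, and it sits inside the `@timestamp` branch, so the two fields are always dropped together. That is harmless only if `delete_key` tolerates a key that is absent (it presumably does, since datasets such as `system.syslog` will not carry the rsa field), but nothing in the hunk shows it, so it is worth confirming before relying on it. The comment could also say why the field is dropped rather than just that it is: `# rsa parsers also emit the event time as rsa.time.event_time; drop it together with @timestamp, since the generated sample logs carry no valid date (other datasets simply lack the key)`. clean_keys starts before the hunk and continues after it.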
@@ -11,6 +11,7 @@ filesets for receiving logs over syslog or read from a file:
 - `asa` fileset: supports Cisco ASA firewall logs.
 - `ftd` fileset: supports Cisco Firepower Threat Defense logs.
 - `ios` fileset: supports Cisco IOS router and switch logs.
+- `nexus` fileset: supports Cisco Nexus switch logs.
 Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in
From d8dbfa7f70fbf5d69a4c618b4f30e9838d3d52d2 Mon Sep 17 00:00:00 2001
From: Adrian Serrano Date: Tue, 7 Jul 2020 19:01:33 +0200 Subject: [PATCH 06/19] Add 21 autogenerated filesets from rsa2elk devices This adds the following experimental filesets based on Apache 2 license device parsers: - tomcat.log - netscout.sightline - barracuda.waf - f5.bigipapm - bluecoat.director - cisco.nexus - citrix.virtualapps - cylance.protect - f5.firepass - fortinet.clientendpoint - imperva.securesphere - infoblox.nios - juniper.junos - kaspersky.av - microsoft.dhcp - tenable.nessus_security - rapid7.nexpose - radware.defensepro - sonicwall.firewall - squid.log - zscaler.zia --- filebeat/docs/fields.asciidoc | 134678 +++++++++++++-- filebeat/docs/modules/barracuda.asciidoc | 79 + filebeat/docs/modules/bluecoat.asciidoc | 79 + filebeat/docs/modules/cisco.asciidoc | 45 + filebeat/docs/modules/citrix.asciidoc | 79 + filebeat/docs/modules/cylance.asciidoc | 79 + filebeat/docs/modules/f5.asciidoc | 124 + filebeat/docs/modules/fortinet.asciidoc | 47 + filebeat/docs/modules/imperva.asciidoc | 79 + filebeat/docs/modules/infoblox.asciidoc | 79 + filebeat/docs/modules/juniper.asciidoc | 79 + filebeat/docs/modules/kaspersky.asciidoc | 79 + filebeat/docs/modules/microsoft.asciidoc | 79 + filebeat/docs/modules/netscout.asciidoc | 79 + filebeat/docs/modules/radware.asciidoc | 79 + filebeat/docs/modules/rapid7.asciidoc | 79 + filebeat/docs/modules/sonicwall.asciidoc | 79 + filebeat/docs/modules/squid.asciidoc | 79 + filebeat/docs/modules/tenable.asciidoc | 79 + filebeat/docs/modules/tomcat.asciidoc | 79 + filebeat/docs/modules/zscaler.asciidoc | 79 + filebeat/docs/modules_list.asciidoc | 36 + x-pack/filebeat/filebeat.reference.yml | 435 + x-pack/filebeat/include/list.go | 18 + x-pack/filebeat/module/barracuda/README.md | 7 + .../module/barracuda/_meta/config.yml | 19 + .../module/barracuda/_meta/docs.asciidoc | 66 + .../module/barracuda/_meta/fields.yml | 5 + x-pack/filebeat/module/barracuda/fields.go | 23 + .../module/barracuda/waf/_meta/fields.yml | 1945 + 
.../module/barracuda/waf/config/input.yml | 45 + .../barracuda/waf/config/liblogparser.js | 2327 + .../module/barracuda/waf/config/pipeline.js | 1344 + .../module/barracuda/waf/ingest/pipeline.yml | 55 + .../module/barracuda/waf/manifest.yml | 31 + .../module/barracuda/waf/test/generated.log | 100 + .../waf/test/generated.log-expected.json | 1994 + x-pack/filebeat/module/bluecoat/README.md | 7 + .../filebeat/module/bluecoat/_meta/config.yml | 19 + .../module/bluecoat/_meta/docs.asciidoc | 66 + .../filebeat/module/bluecoat/_meta/fields.yml | 5 + .../module/bluecoat/director/_meta/fields.yml | 1945 + .../module/bluecoat/director/config/input.yml | 45 + .../bluecoat/director/config/liblogparser.js | 2327 + .../bluecoat/director/config/pipeline.js | 1175 + .../bluecoat/director/ingest/pipeline.yml | 55 + .../module/bluecoat/director/manifest.yml | 31 + .../bluecoat/director/test/generated.log | 100 + .../director/test/generated.log-expected.json | 2231 + x-pack/filebeat/module/bluecoat/fields.go | 23 + x-pack/filebeat/module/cisco/_meta/config.yml | 19 + .../filebeat/module/cisco/_meta/docs.asciidoc | 45 + x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/nexus/_meta/fields.yml | 1945 + .../module/cisco/nexus/config/input.yml | 45 + .../module/cisco/nexus/config/liblogparser.js | 2327 + .../module/cisco/nexus/config/pipeline.js | 4598 + .../module/cisco/nexus/ingest/pipeline.yml | 55 + .../filebeat/module/cisco/nexus/manifest.yml | 31 + x-pack/filebeat/module/citrix/README.md | 7 + .../filebeat/module/citrix/_meta/config.yml | 19 + .../module/citrix/_meta/docs.asciidoc | 66 + .../filebeat/module/citrix/_meta/fields.yml | 5 + x-pack/filebeat/module/citrix/fields.go | 23 + .../citrix/virtualapps/_meta/fields.yml | 1945 + .../citrix/virtualapps/config/input.yml | 45 + .../citrix/virtualapps/config/liblogparser.js | 2327 + .../citrix/virtualapps/config/pipeline.js | 188 + .../citrix/virtualapps/ingest/pipeline.yml | 55 + 
.../module/citrix/virtualapps/manifest.yml | 31 + x-pack/filebeat/module/cylance/README.md | 7 + .../filebeat/module/cylance/_meta/config.yml | 19 + .../module/cylance/_meta/docs.asciidoc | 66 + .../filebeat/module/cylance/_meta/fields.yml | 5 + x-pack/filebeat/module/cylance/fields.go | 23 + .../module/cylance/protect/_meta/fields.yml | 1945 + .../module/cylance/protect/config/input.yml | 45 + .../cylance/protect/config/liblogparser.js | 2327 + .../module/cylance/protect/config/pipeline.js | 992 + .../cylance/protect/ingest/pipeline.yml | 55 + .../module/cylance/protect/manifest.yml | 31 + .../module/cylance/protect/test/generated.log | 100 + .../protect/test/generated.log-expected.json | 3452 + x-pack/filebeat/module/f5/README.md | 7 + x-pack/filebeat/module/f5/_meta/config.yml | 38 + x-pack/filebeat/module/f5/_meta/docs.asciidoc | 111 + x-pack/filebeat/module/f5/_meta/fields.yml | 5 + .../module/f5/bigipapm/_meta/fields.yml | 1945 + .../module/f5/bigipapm/config/input.yml | 45 + .../module/f5/bigipapm/config/liblogparser.js | 2327 + .../module/f5/bigipapm/config/pipeline.js | 1073 + .../module/f5/bigipapm/ingest/pipeline.yml | 55 + .../filebeat/module/f5/bigipapm/manifest.yml | 31 + .../module/f5/bigipapm/test/generated.log | 100 + .../bigipapm/test/generated.log-expected.json | 2597 + x-pack/filebeat/module/f5/fields.go | 23 + .../module/f5/firepass/_meta/fields.yml | 1945 + .../module/f5/firepass/config/input.yml | 45 + .../module/f5/firepass/config/liblogparser.js | 2327 + .../module/f5/firepass/config/pipeline.js | 892 + .../module/f5/firepass/ingest/pipeline.yml | 55 + .../filebeat/module/f5/firepass/manifest.yml | 31 + .../module/f5/firepass/test/generated.log | 100 + .../firepass/test/generated.log-expected.json | 2281 + .../filebeat/module/fortinet/_meta/config.yml | 19 + .../module/fortinet/_meta/docs.asciidoc | 45 + .../fortinet/clientendpoint/_meta/fields.yml | 1945 + .../fortinet/clientendpoint/config/input.yml | 45 + 
.../clientendpoint/config/liblogparser.js | 2327 + .../clientendpoint/config/pipeline.js | 180 + .../clientendpoint/ingest/pipeline.yml | 55 + .../fortinet/clientendpoint/manifest.yml | 31 + .../clientendpoint/test/generated.log | 100 + .../test/generated.log-expected.json | 2302 + x-pack/filebeat/module/fortinet/fields.go | 2 +- x-pack/filebeat/module/imperva/README.md | 7 + .../filebeat/module/imperva/_meta/config.yml | 19 + .../module/imperva/_meta/docs.asciidoc | 66 + .../filebeat/module/imperva/_meta/fields.yml | 5 + x-pack/filebeat/module/imperva/fields.go | 23 + .../imperva/securesphere/_meta/fields.yml | 1945 + .../imperva/securesphere/config/input.yml | 45 + .../securesphere/config/liblogparser.js | 2327 + .../imperva/securesphere/config/pipeline.js | 316 + .../imperva/securesphere/ingest/pipeline.yml | 55 + .../module/imperva/securesphere/manifest.yml | 31 + .../imperva/securesphere/test/generated.log | 100 + .../test/generated.log-expected.json | 5693 + x-pack/filebeat/module/infoblox/README.md | 7 + .../filebeat/module/infoblox/_meta/config.yml | 19 + .../module/infoblox/_meta/docs.asciidoc | 66 + .../filebeat/module/infoblox/_meta/fields.yml | 5 + x-pack/filebeat/module/infoblox/fields.go | 23 + .../module/infoblox/nios/_meta/fields.yml | 1945 + .../module/infoblox/nios/config/input.yml | 45 + .../infoblox/nios/config/liblogparser.js | 2327 + .../module/infoblox/nios/config/pipeline.js | 3702 + .../module/infoblox/nios/ingest/pipeline.yml | 55 + .../module/infoblox/nios/manifest.yml | 31 + .../module/infoblox/nios/test/generated.log | 100 + .../nios/test/generated.log-expected.json | 2476 + x-pack/filebeat/module/juniper/README.md | 7 + .../filebeat/module/juniper/_meta/config.yml | 19 + .../module/juniper/_meta/docs.asciidoc | 66 + .../filebeat/module/juniper/_meta/fields.yml | 5 + x-pack/filebeat/module/juniper/fields.go | 23 + .../module/juniper/junos/_meta/fields.yml | 1945 + .../module/juniper/junos/config/input.yml | 45 + 
.../juniper/junos/config/liblogparser.js | 2327 + .../module/juniper/junos/config/pipeline.js | 9969 ++ .../module/juniper/junos/ingest/pipeline.yml | 55 + .../module/juniper/junos/manifest.yml | 31 + x-pack/filebeat/module/kaspersky/README.md | 7 + .../module/kaspersky/_meta/config.yml | 19 + .../module/kaspersky/_meta/docs.asciidoc | 66 + .../module/kaspersky/_meta/fields.yml | 5 + .../module/kaspersky/av/_meta/fields.yml | 1945 + .../module/kaspersky/av/config/input.yml | 45 + .../kaspersky/av/config/liblogparser.js | 2327 + .../module/kaspersky/av/config/pipeline.js | 917 + .../module/kaspersky/av/ingest/pipeline.yml | 55 + .../filebeat/module/kaspersky/av/manifest.yml | 31 + x-pack/filebeat/module/kaspersky/fields.go | 23 + x-pack/filebeat/module/microsoft/README.md | 7 + .../module/microsoft/_meta/config.yml | 19 + .../module/microsoft/_meta/docs.asciidoc | 66 + .../module/microsoft/_meta/fields.yml | 5 + .../module/microsoft/dhcp/_meta/fields.yml | 1945 + .../module/microsoft/dhcp/config/input.yml | 45 + .../microsoft/dhcp/config/liblogparser.js | 2327 + .../module/microsoft/dhcp/config/pipeline.js | 1057 + .../module/microsoft/dhcp/ingest/pipeline.yml | 55 + .../module/microsoft/dhcp/manifest.yml | 31 + .../module/microsoft/dhcp/test/generated.log | 100 + .../dhcp/test/generated.log-expected.json | 3042 + x-pack/filebeat/module/microsoft/fields.go | 23 + x-pack/filebeat/module/netscout/README.md | 7 + .../filebeat/module/netscout/_meta/config.yml | 19 + .../module/netscout/_meta/docs.asciidoc | 66 + .../filebeat/module/netscout/_meta/fields.yml | 5 + x-pack/filebeat/module/netscout/fields.go | 23 + .../netscout/sightline/_meta/fields.yml | 1945 + .../netscout/sightline/config/input.yml | 45 + .../netscout/sightline/config/liblogparser.js | 2327 + .../netscout/sightline/config/pipeline.js | 1022 + .../netscout/sightline/ingest/pipeline.yml | 55 + .../module/netscout/sightline/manifest.yml | 31 + .../netscout/sightline/test/generated.log | 100 + 
.../test/generated.log-expected.json | 2487 + x-pack/filebeat/module/radware/README.md | 7 + .../filebeat/module/radware/_meta/config.yml | 19 + .../module/radware/_meta/docs.asciidoc | 66 + .../filebeat/module/radware/_meta/fields.yml | 5 + .../radware/defensepro/_meta/fields.yml | 1945 + .../radware/defensepro/config/input.yml | 45 + .../radware/defensepro/config/liblogparser.js | 2327 + .../radware/defensepro/config/pipeline.js | 905 + .../radware/defensepro/ingest/pipeline.yml | 55 + .../module/radware/defensepro/manifest.yml | 31 + x-pack/filebeat/module/radware/fields.go | 23 + x-pack/filebeat/module/rapid7/README.md | 7 + .../filebeat/module/rapid7/_meta/config.yml | 19 + .../module/rapid7/_meta/docs.asciidoc | 66 + .../filebeat/module/rapid7/_meta/fields.yml | 5 + x-pack/filebeat/module/rapid7/fields.go | 23 + .../module/rapid7/nexpose/_meta/fields.yml | 1945 + .../module/rapid7/nexpose/config/input.yml | 45 + .../rapid7/nexpose/config/liblogparser.js | 2327 + .../module/rapid7/nexpose/config/pipeline.js | 5891 + .../module/rapid7/nexpose/ingest/pipeline.yml | 55 + .../module/rapid7/nexpose/manifest.yml | 31 + .../module/rapid7/nexpose/test/generated.log | 100 + .../nexpose/test/generated.log-expected.json | 1901 + x-pack/filebeat/module/sonicwall/README.md | 7 + .../module/sonicwall/_meta/config.yml | 19 + .../module/sonicwall/_meta/docs.asciidoc | 66 + .../module/sonicwall/_meta/fields.yml | 5 + x-pack/filebeat/module/sonicwall/fields.go | 23 + .../sonicwall/firewall/_meta/fields.yml | 1945 + .../sonicwall/firewall/config/input.yml | 45 + .../sonicwall/firewall/config/liblogparser.js | 2327 + .../sonicwall/firewall/config/pipeline.js | 7233 + .../sonicwall/firewall/ingest/pipeline.yml | 55 + .../module/sonicwall/firewall/manifest.yml | 31 + .../sonicwall/firewall/test/general.log | 21 + .../firewall/test/general.log-expected.json | 639 + .../sonicwall/firewall/test/generated.log | 100 + .../firewall/test/generated.log-expected.json | 2261 + 
x-pack/filebeat/module/squid/README.md | 7 + x-pack/filebeat/module/squid/_meta/config.yml | 19 + .../filebeat/module/squid/_meta/docs.asciidoc | 66 + x-pack/filebeat/module/squid/_meta/fields.yml | 5 + x-pack/filebeat/module/squid/fields.go | 23 + .../module/squid/log/_meta/fields.yml | 1945 + .../module/squid/log/config/input.yml | 45 + .../module/squid/log/config/liblogparser.js | 2327 + .../module/squid/log/config/pipeline.js | 463 + .../module/squid/log/ingest/pipeline.yml | 55 + x-pack/filebeat/module/squid/log/manifest.yml | 31 + .../module/squid/log/test/access1.log | 100 + .../squid/log/test/access1.log-expected.json | 5610 + .../module/squid/log/test/access2.log | 100 + .../squid/log/test/access2.log-expected.json | 5510 + .../module/squid/log/test/access3.log | 100 + .../squid/log/test/access3.log-expected.json | 5520 + .../module/squid/log/test/access4.log | 100 + .../squid/log/test/access4.log-expected.json | 5788 + x-pack/filebeat/module/tenable/README.md | 7 + .../filebeat/module/tenable/_meta/config.yml | 19 + .../module/tenable/_meta/docs.asciidoc | 66 + .../filebeat/module/tenable/_meta/fields.yml | 5 + x-pack/filebeat/module/tenable/fields.go | 23 + .../tenable/nessus_security/_meta/fields.yml | 1945 + .../tenable/nessus_security/config/input.yml | 45 + .../nessus_security/config/liblogparser.js | 2327 + .../nessus_security/config/pipeline.js | 552 + .../nessus_security/ingest/pipeline.yml | 55 + .../tenable/nessus_security/manifest.yml | 31 + x-pack/filebeat/module/tomcat/README.md | 7 + .../filebeat/module/tomcat/_meta/config.yml | 19 + .../module/tomcat/_meta/docs.asciidoc | 66 + .../filebeat/module/tomcat/_meta/fields.yml | 5 + x-pack/filebeat/module/tomcat/fields.go | 23 + .../module/tomcat/log/_meta/fields.yml | 1945 + .../module/tomcat/log/config/input.yml | 45 + .../module/tomcat/log/config/liblogparser.js | 2327 + .../module/tomcat/log/config/pipeline.js | 173 + .../module/tomcat/log/ingest/pipeline.yml | 55 + 
.../filebeat/module/tomcat/log/manifest.yml | 31 + .../module/tomcat/log/test/generated.log | 100 + .../log/test/generated.log-expected.json | 5422 + x-pack/filebeat/module/zscaler/README.md | 7 + .../filebeat/module/zscaler/_meta/config.yml | 19 + .../module/zscaler/_meta/docs.asciidoc | 66 + .../filebeat/module/zscaler/_meta/fields.yml | 5 + x-pack/filebeat/module/zscaler/fields.go | 23 + .../module/zscaler/zia/_meta/fields.yml | 1945 + .../module/zscaler/zia/config/input.yml | 45 + .../module/zscaler/zia/config/liblogparser.js | 2327 + .../module/zscaler/zia/config/pipeline.js | 61 + .../module/zscaler/zia/ingest/pipeline.yml | 55 + .../filebeat/module/zscaler/zia/manifest.yml | 31 + .../module/zscaler/zia/test/generated.log | 100 + .../zia/test/generated.log-expected.json | 7176 + .../filebeat/module/zscaler/zia/test/test.log | 1 + .../zscaler/zia/test/test.log-expected.json | 56 + .../filebeat/modules.d/barracuda.yml.disabled | 22 + .../filebeat/modules.d/bluecoat.yml.disabled | 22 + x-pack/filebeat/modules.d/cisco.yml.disabled | 19 + x-pack/filebeat/modules.d/citrix.yml.disabled | 22 + .../filebeat/modules.d/cylance.yml.disabled | 22 + x-pack/filebeat/modules.d/f5.yml.disabled | 41 + .../filebeat/modules.d/fortinet.yml.disabled | 19 + .../filebeat/modules.d/imperva.yml.disabled | 22 + .../filebeat/modules.d/infoblox.yml.disabled | 22 + .../filebeat/modules.d/juniper.yml.disabled | 22 + .../filebeat/modules.d/kaspersky.yml.disabled | 22 + .../filebeat/modules.d/microsoft.yml.disabled | 22 + .../filebeat/modules.d/netscout.yml.disabled | 22 + .../filebeat/modules.d/radware.yml.disabled | 22 + x-pack/filebeat/modules.d/rapid7.yml.disabled | 22 + .../filebeat/modules.d/sonicwall.yml.disabled | 22 + x-pack/filebeat/modules.d/squid.yml.disabled | 22 + .../filebeat/modules.d/tenable.yml.disabled | 22 + x-pack/filebeat/modules.d/tomcat.yml.disabled | 22 + .../filebeat/modules.d/zscaler.yml.disabled | 22 + 306 files changed, 331962 insertions(+), 12999 deletions(-) 
create mode 100644 filebeat/docs/modules/barracuda.asciidoc create mode 100644 filebeat/docs/modules/bluecoat.asciidoc create mode 100644 filebeat/docs/modules/citrix.asciidoc create mode 100644 filebeat/docs/modules/cylance.asciidoc create mode 100644 filebeat/docs/modules/f5.asciidoc create mode 100644 filebeat/docs/modules/imperva.asciidoc create mode 100644 filebeat/docs/modules/infoblox.asciidoc create mode 100644 filebeat/docs/modules/juniper.asciidoc create mode 100644 filebeat/docs/modules/kaspersky.asciidoc create mode 100644 filebeat/docs/modules/microsoft.asciidoc create mode 100644 filebeat/docs/modules/netscout.asciidoc create mode 100644 filebeat/docs/modules/radware.asciidoc create mode 100644 filebeat/docs/modules/rapid7.asciidoc create mode 100644 filebeat/docs/modules/sonicwall.asciidoc create mode 100644 filebeat/docs/modules/squid.asciidoc create mode 100644 filebeat/docs/modules/tenable.asciidoc create mode 100644 filebeat/docs/modules/tomcat.asciidoc create mode 100644 filebeat/docs/modules/zscaler.asciidoc create mode 100644 x-pack/filebeat/module/barracuda/README.md create mode 100644 x-pack/filebeat/module/barracuda/_meta/config.yml create mode 100644 x-pack/filebeat/module/barracuda/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/barracuda/_meta/fields.yml create mode 100644 x-pack/filebeat/module/barracuda/fields.go create mode 100644 x-pack/filebeat/module/barracuda/waf/_meta/fields.yml create mode 100644 x-pack/filebeat/module/barracuda/waf/config/input.yml create mode 100644 x-pack/filebeat/module/barracuda/waf/config/liblogparser.js create mode 100644 x-pack/filebeat/module/barracuda/waf/config/pipeline.js create mode 100644 x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/barracuda/waf/manifest.yml create mode 100644 x-pack/filebeat/module/barracuda/waf/test/generated.log create mode 100644 x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json create mode 
100644 x-pack/filebeat/module/bluecoat/README.md create mode 100644 x-pack/filebeat/module/bluecoat/_meta/config.yml create mode 100644 x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/bluecoat/_meta/fields.yml create mode 100644 x-pack/filebeat/module/bluecoat/director/_meta/fields.yml create mode 100644 x-pack/filebeat/module/bluecoat/director/config/input.yml create mode 100644 x-pack/filebeat/module/bluecoat/director/config/liblogparser.js create mode 100644 x-pack/filebeat/module/bluecoat/director/config/pipeline.js create mode 100644 x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/bluecoat/director/manifest.yml create mode 100644 x-pack/filebeat/module/bluecoat/director/test/generated.log create mode 100644 x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/bluecoat/fields.go create mode 100644 x-pack/filebeat/module/cisco/nexus/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cisco/nexus/config/input.yml create mode 100644 x-pack/filebeat/module/cisco/nexus/config/liblogparser.js create mode 100644 x-pack/filebeat/module/cisco/nexus/config/pipeline.js create mode 100644 x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/cisco/nexus/manifest.yml create mode 100644 x-pack/filebeat/module/citrix/README.md create mode 100644 x-pack/filebeat/module/citrix/_meta/config.yml create mode 100644 x-pack/filebeat/module/citrix/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/citrix/_meta/fields.yml create mode 100644 x-pack/filebeat/module/citrix/fields.go create mode 100644 x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml create mode 100644 x-pack/filebeat/module/citrix/virtualapps/config/input.yml create mode 100644 x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js create mode 100644 
x-pack/filebeat/module/citrix/virtualapps/config/pipeline.js create mode 100644 x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/citrix/virtualapps/manifest.yml create mode 100644 x-pack/filebeat/module/cylance/README.md create mode 100644 x-pack/filebeat/module/cylance/_meta/config.yml create mode 100644 x-pack/filebeat/module/cylance/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/cylance/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cylance/fields.go create mode 100644 x-pack/filebeat/module/cylance/protect/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cylance/protect/config/input.yml create mode 100644 x-pack/filebeat/module/cylance/protect/config/liblogparser.js create mode 100644 x-pack/filebeat/module/cylance/protect/config/pipeline.js create mode 100644 x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/cylance/protect/manifest.yml create mode 100644 x-pack/filebeat/module/cylance/protect/test/generated.log create mode 100644 x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/f5/README.md create mode 100644 x-pack/filebeat/module/f5/_meta/config.yml create mode 100644 x-pack/filebeat/module/f5/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/f5/_meta/fields.yml create mode 100644 x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml create mode 100644 x-pack/filebeat/module/f5/bigipapm/config/input.yml create mode 100644 x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js create mode 100644 x-pack/filebeat/module/f5/bigipapm/config/pipeline.js create mode 100644 x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/f5/bigipapm/manifest.yml create mode 100644 x-pack/filebeat/module/f5/bigipapm/test/generated.log create mode 100644 
x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/f5/fields.go create mode 100644 x-pack/filebeat/module/f5/firepass/_meta/fields.yml create mode 100644 x-pack/filebeat/module/f5/firepass/config/input.yml create mode 100644 x-pack/filebeat/module/f5/firepass/config/liblogparser.js create mode 100644 x-pack/filebeat/module/f5/firepass/config/pipeline.js create mode 100644 x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/f5/firepass/manifest.yml create mode 100644 x-pack/filebeat/module/f5/firepass/test/generated.log create mode 100644 x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log create mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/imperva/README.md create mode 100644 x-pack/filebeat/module/imperva/_meta/config.yml create mode 100644 x-pack/filebeat/module/imperva/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/imperva/_meta/fields.yml create mode 100644 x-pack/filebeat/module/imperva/fields.go create mode 100644 x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml create mode 100644 x-pack/filebeat/module/imperva/securesphere/config/input.yml create mode 100644 x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js create mode 100644 
x-pack/filebeat/module/imperva/securesphere/config/pipeline.js create mode 100644 x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/imperva/securesphere/manifest.yml create mode 100644 x-pack/filebeat/module/imperva/securesphere/test/generated.log create mode 100644 x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/infoblox/README.md create mode 100644 x-pack/filebeat/module/infoblox/_meta/config.yml create mode 100644 x-pack/filebeat/module/infoblox/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/infoblox/_meta/fields.yml create mode 100644 x-pack/filebeat/module/infoblox/fields.go create mode 100644 x-pack/filebeat/module/infoblox/nios/_meta/fields.yml create mode 100644 x-pack/filebeat/module/infoblox/nios/config/input.yml create mode 100644 x-pack/filebeat/module/infoblox/nios/config/liblogparser.js create mode 100644 x-pack/filebeat/module/infoblox/nios/config/pipeline.js create mode 100644 x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/infoblox/nios/manifest.yml create mode 100644 x-pack/filebeat/module/infoblox/nios/test/generated.log create mode 100644 x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/juniper/README.md create mode 100644 x-pack/filebeat/module/juniper/_meta/config.yml create mode 100644 x-pack/filebeat/module/juniper/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/juniper/_meta/fields.yml create mode 100644 x-pack/filebeat/module/juniper/fields.go create mode 100644 x-pack/filebeat/module/juniper/junos/_meta/fields.yml create mode 100644 x-pack/filebeat/module/juniper/junos/config/input.yml create mode 100644 x-pack/filebeat/module/juniper/junos/config/liblogparser.js create mode 100644 x-pack/filebeat/module/juniper/junos/config/pipeline.js create mode 100644 
x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/juniper/junos/manifest.yml create mode 100644 x-pack/filebeat/module/kaspersky/README.md create mode 100644 x-pack/filebeat/module/kaspersky/_meta/config.yml create mode 100644 x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/kaspersky/_meta/fields.yml create mode 100644 x-pack/filebeat/module/kaspersky/av/_meta/fields.yml create mode 100644 x-pack/filebeat/module/kaspersky/av/config/input.yml create mode 100644 x-pack/filebeat/module/kaspersky/av/config/liblogparser.js create mode 100644 x-pack/filebeat/module/kaspersky/av/config/pipeline.js create mode 100644 x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/kaspersky/av/manifest.yml create mode 100644 x-pack/filebeat/module/kaspersky/fields.go create mode 100644 x-pack/filebeat/module/microsoft/README.md create mode 100644 x-pack/filebeat/module/microsoft/_meta/config.yml create mode 100644 x-pack/filebeat/module/microsoft/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/microsoft/_meta/fields.yml create mode 100644 x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml create mode 100644 x-pack/filebeat/module/microsoft/dhcp/config/input.yml create mode 100644 x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js create mode 100644 x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js create mode 100644 x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/microsoft/dhcp/manifest.yml create mode 100644 x-pack/filebeat/module/microsoft/dhcp/test/generated.log create mode 100644 x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/microsoft/fields.go create mode 100644 x-pack/filebeat/module/netscout/README.md create mode 100644 x-pack/filebeat/module/netscout/_meta/config.yml create mode 100644 
x-pack/filebeat/module/netscout/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/netscout/_meta/fields.yml create mode 100644 x-pack/filebeat/module/netscout/fields.go create mode 100644 x-pack/filebeat/module/netscout/sightline/_meta/fields.yml create mode 100644 x-pack/filebeat/module/netscout/sightline/config/input.yml create mode 100644 x-pack/filebeat/module/netscout/sightline/config/liblogparser.js create mode 100644 x-pack/filebeat/module/netscout/sightline/config/pipeline.js create mode 100644 x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/netscout/sightline/manifest.yml create mode 100644 x-pack/filebeat/module/netscout/sightline/test/generated.log create mode 100644 x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/radware/README.md create mode 100644 x-pack/filebeat/module/radware/_meta/config.yml create mode 100644 x-pack/filebeat/module/radware/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/radware/_meta/fields.yml create mode 100644 x-pack/filebeat/module/radware/defensepro/_meta/fields.yml create mode 100644 x-pack/filebeat/module/radware/defensepro/config/input.yml create mode 100644 x-pack/filebeat/module/radware/defensepro/config/liblogparser.js create mode 100644 x-pack/filebeat/module/radware/defensepro/config/pipeline.js create mode 100644 x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/radware/defensepro/manifest.yml create mode 100644 x-pack/filebeat/module/radware/fields.go create mode 100644 x-pack/filebeat/module/rapid7/README.md create mode 100644 x-pack/filebeat/module/rapid7/_meta/config.yml create mode 100644 x-pack/filebeat/module/rapid7/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/rapid7/_meta/fields.yml create mode 100644 x-pack/filebeat/module/rapid7/fields.go create mode 100644 
x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml create mode 100644 x-pack/filebeat/module/rapid7/nexpose/config/input.yml create mode 100644 x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js create mode 100644 x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js create mode 100644 x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/rapid7/nexpose/manifest.yml create mode 100644 x-pack/filebeat/module/rapid7/nexpose/test/generated.log create mode 100644 x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/sonicwall/README.md create mode 100644 x-pack/filebeat/module/sonicwall/_meta/config.yml create mode 100644 x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/sonicwall/_meta/fields.yml create mode 100644 x-pack/filebeat/module/sonicwall/fields.go create mode 100644 x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml create mode 100644 x-pack/filebeat/module/sonicwall/firewall/config/input.yml create mode 100644 x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js create mode 100644 x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js create mode 100644 x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/sonicwall/firewall/manifest.yml create mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/general.log create mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json create mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/generated.log create mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/squid/README.md create mode 100644 x-pack/filebeat/module/squid/_meta/config.yml create mode 100644 x-pack/filebeat/module/squid/_meta/docs.asciidoc create mode 100644 
x-pack/filebeat/module/squid/_meta/fields.yml create mode 100644 x-pack/filebeat/module/squid/fields.go create mode 100644 x-pack/filebeat/module/squid/log/_meta/fields.yml create mode 100644 x-pack/filebeat/module/squid/log/config/input.yml create mode 100644 x-pack/filebeat/module/squid/log/config/liblogparser.js create mode 100644 x-pack/filebeat/module/squid/log/config/pipeline.js create mode 100644 x-pack/filebeat/module/squid/log/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/squid/log/manifest.yml create mode 100644 x-pack/filebeat/module/squid/log/test/access1.log create mode 100644 x-pack/filebeat/module/squid/log/test/access1.log-expected.json create mode 100644 x-pack/filebeat/module/squid/log/test/access2.log create mode 100644 x-pack/filebeat/module/squid/log/test/access2.log-expected.json create mode 100644 x-pack/filebeat/module/squid/log/test/access3.log create mode 100644 x-pack/filebeat/module/squid/log/test/access3.log-expected.json create mode 100644 x-pack/filebeat/module/squid/log/test/access4.log create mode 100644 x-pack/filebeat/module/squid/log/test/access4.log-expected.json create mode 100644 x-pack/filebeat/module/tenable/README.md create mode 100644 x-pack/filebeat/module/tenable/_meta/config.yml create mode 100644 x-pack/filebeat/module/tenable/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/tenable/_meta/fields.yml create mode 100644 x-pack/filebeat/module/tenable/fields.go create mode 100644 x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml create mode 100644 x-pack/filebeat/module/tenable/nessus_security/config/input.yml create mode 100644 x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js create mode 100644 x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js create mode 100644 x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/tenable/nessus_security/manifest.yml create mode 100644 
x-pack/filebeat/module/tomcat/README.md create mode 100644 x-pack/filebeat/module/tomcat/_meta/config.yml create mode 100644 x-pack/filebeat/module/tomcat/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/tomcat/_meta/fields.yml create mode 100644 x-pack/filebeat/module/tomcat/fields.go create mode 100644 x-pack/filebeat/module/tomcat/log/_meta/fields.yml create mode 100644 x-pack/filebeat/module/tomcat/log/config/input.yml create mode 100644 x-pack/filebeat/module/tomcat/log/config/liblogparser.js create mode 100644 x-pack/filebeat/module/tomcat/log/config/pipeline.js create mode 100644 x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/tomcat/log/manifest.yml create mode 100644 x-pack/filebeat/module/tomcat/log/test/generated.log create mode 100644 x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/zscaler/README.md create mode 100644 x-pack/filebeat/module/zscaler/_meta/config.yml create mode 100644 x-pack/filebeat/module/zscaler/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/zscaler/_meta/fields.yml create mode 100644 x-pack/filebeat/module/zscaler/fields.go create mode 100644 x-pack/filebeat/module/zscaler/zia/_meta/fields.yml create mode 100644 x-pack/filebeat/module/zscaler/zia/config/input.yml create mode 100644 x-pack/filebeat/module/zscaler/zia/config/liblogparser.js create mode 100644 x-pack/filebeat/module/zscaler/zia/config/pipeline.js create mode 100644 x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/zscaler/zia/manifest.yml create mode 100644 x-pack/filebeat/module/zscaler/zia/test/generated.log create mode 100644 x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log create mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json create mode 100644 
x-pack/filebeat/modules.d/barracuda.yml.disabled create mode 100644 x-pack/filebeat/modules.d/bluecoat.yml.disabled create mode 100644 x-pack/filebeat/modules.d/citrix.yml.disabled create mode 100644 x-pack/filebeat/modules.d/cylance.yml.disabled create mode 100644 x-pack/filebeat/modules.d/f5.yml.disabled create mode 100644 x-pack/filebeat/modules.d/imperva.yml.disabled create mode 100644 x-pack/filebeat/modules.d/infoblox.yml.disabled create mode 100644 x-pack/filebeat/modules.d/juniper.yml.disabled create mode 100644 x-pack/filebeat/modules.d/kaspersky.yml.disabled create mode 100644 x-pack/filebeat/modules.d/microsoft.yml.disabled create mode 100644 x-pack/filebeat/modules.d/netscout.yml.disabled create mode 100644 x-pack/filebeat/modules.d/radware.yml.disabled create mode 100644 x-pack/filebeat/modules.d/rapid7.yml.disabled create mode 100644 x-pack/filebeat/modules.d/sonicwall.yml.disabled create mode 100644 x-pack/filebeat/modules.d/squid.yml.disabled create mode 100644 x-pack/filebeat/modules.d/tenable.yml.disabled create mode 100644 x-pack/filebeat/modules.d/tomcat.yml.disabled create mode 100644 x-pack/filebeat/modules.d/zscaler.yml.disabled
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index aa33db1c611..2e97c5c150e 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -18,18 +18,23 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -38,19 +43,25 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
+* <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -59,13 +70,20 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
+* <>
 --
 
 [[exported-fields-activemq]]
@@ -3267,19650 +3285,17624 @@ type: keyword -- -[[exported-fields-beat-common]] -== Beat fields +[[exported-fields-barracuda]] +== Barracuda Web Application Firewall fields -Contains common beat fields available in all event types. +barracuda fields. -*`agent.hostname`*:: +*`network.interface.name`*:: + -- -Deprecated - use agent.name or agent.id to identify an agent. - +Name of the network interface where the traffic has been observed. -type: alias -alias to: agent.name +type: keyword -- -*`beat.timezone`*:: + + +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: event.timezone +type: keyword -- -*`fields`*:: +*`rsa.internal.messageid`*:: + -- -Contains user configurable fields. - - -type: object +type: keyword -- -*`beat.name`*:: +*`rsa.internal.event_desc`*:: + -- -type: alias - -alias to: host.name +type: keyword -- -*`beat.hostname`*:: +*`rsa.internal.message`*:: + -- -type: alias +This key captures the contents of instant messages -alias to: agent.name +type: keyword -- -*`timeseries.instance`*:: +*`rsa.internal.time`*:: + -- -Time series instance id +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -[[exported-fields-cef]] -== Decode CEF processor fields fields - -Common Event Format (CEF) data. - +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. +type: long -[float] -=== cef +-- -By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`cef.version`*:: +*`rsa.internal.msg_vid`*:: + -- -Version of the CEF specification used by the message. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.device.vendor`*:: +*`rsa.internal.data`*:: + -- -Vendor of the device that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.product`*:: +*`rsa.internal.obj_server`*:: + -- -Product of the device that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.version`*:: +*`rsa.internal.obj_val`*:: + -- -Version of the product that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.event_class_id`*:: +*`rsa.internal.resource`*:: + -- -Unique identifier of the event type. - +Deprecated key defined only in table map. type: keyword -- -*`cef.severity`*:: +*`rsa.internal.obj_id`*:: + -- -Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High. - +Deprecated key defined only in table map. type: keyword -example: Very-High - -- -*`cef.name`*:: +*`rsa.internal.statement`*:: + -- -Short description of the event. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== extensions - -Collection of key-value pairs carried in the CEF extension field. +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`cef.extensions.agentAddress`*:: +*`rsa.internal.entry`*:: + -- -The IP address of the ArcSight connector that processed the event. 
+Deprecated key defined only in table map. -type: ip +type: keyword -- -*`cef.extensions.agentDnsDomain`*:: +*`rsa.internal.hcode`*:: + -- -The DNS domain name of the ArcSight connector that processed the event. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.agentHostName`*:: +*`rsa.internal.inode`*:: + -- -The hostname of the ArcSight connector that processed the event. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.agentId`*:: +*`rsa.internal.resource_class`*:: + -- -The agent ID of the ArcSight connector that processed the event. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.agentMacAddress`*:: +*`rsa.internal.dead`*:: + -- -The MAC address of the ArcSight connector that processed the event. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.agentNtDomain`*:: +*`rsa.internal.feed_desc`*:: + -- -None +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentReceiptTime`*:: +*`rsa.internal.feed_name`*:: + -- -The time at which information about the event was received by the ArcSight connector. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: date +type: keyword -- -*`cef.extensions.agentTimeZone`*:: +*`rsa.internal.cid`*:: + -- -The agent time zone of the ArcSight connector that processed the event. +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentTranslatedAddress`*:: +*`rsa.internal.device_class`*:: + -- -None +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`cef.extensions.agentTranslatedZoneExternalID`*:: +*`rsa.internal.device_group`*:: + -- -None +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentTranslatedZoneURI`*:: +*`rsa.internal.device_host`*:: + -- -None +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentType`*:: +*`rsa.internal.device_ip`*:: + -- -The agent type of the ArcSight connector that processed the event +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cef.extensions.agentVersion`*:: +*`rsa.internal.device_ipv6`*:: + -- -The version of the ArcSight connector that processed the event. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cef.extensions.agentZoneExternalID`*:: +*`rsa.internal.device_type`*:: + -- -None +This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentZoneURI`*:: +*`rsa.internal.device_type_id`*:: + -- -None +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.applicationProtocol`*:: +*`rsa.internal.did`*:: + -- -Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.baseEventCount`*:: +*`rsa.internal.entropy_req`*:: + -- -A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cef.extensions.bytesIn`*:: +*`rsa.internal.entropy_res`*:: + -- -Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cef.extensions.bytesOut`*:: +*`rsa.internal.event_name`*:: + -- -Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. +Deprecated key defined only in table map. -type: long +type: keyword -- -*`cef.extensions.customerExternalID`*:: +*`rsa.internal.feed_category`*:: + -- -None +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.customerURI`*:: +*`rsa.internal.forward_ip`*:: + -- -None +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`cef.extensions.destinationAddress`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`cef.extensions.destinationDnsDomain`*:: +*`rsa.internal.header_id`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.destinationGeoLatitude`*:: +*`rsa.internal.lc_cid`*:: + -- -The latitudinal value from which the destination's IP address belongs. +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: keyword -- -*`cef.extensions.destinationGeoLongitude`*:: +*`rsa.internal.lc_ctime`*:: + -- -The longitudinal value from which the destination's IP address belongs. +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: date -- -*`cef.extensions.destinationHostName`*:: +*`rsa.internal.mcb_req`*:: + -- -Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cef.extensions.destinationMacAddress`*:: +*`rsa.internal.mcb_res`*:: + -- -Six colon-seperated hexadecimal numbers. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cef.extensions.destinationNtDomain`*:: +*`rsa.internal.mcbc_req`*:: + -- -The Windows domain name of the destination address. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`cef.extensions.destinationPort`*:: +*`rsa.internal.mcbc_res`*:: + -- -The valid port numbers are between 0 and 65535. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`cef.extensions.destinationProcessId`*:: +*`rsa.internal.medium`*:: + -- -Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session type: long -- -*`cef.extensions.destinationProcessName`*:: +*`rsa.internal.node_name`*:: + -- -The name of the event's destination process. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.destinationServiceName`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -The service targeted by this event. +This key denotes that event is endpoint related type: keyword -- -*`cef.extensions.destinationTranslatedAddress`*:: +*`rsa.internal.parse_error`*:: + -- -Identifies the translated destination that the event refers to in an IP network. +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`cef.extensions.destinationTranslatedPort`*:: +*`rsa.internal.payload_req`*:: + -- -Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`cef.extensions.destinationTranslatedZoneExternalID`*:: +*`rsa.internal.payload_res`*:: + -- -None +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`cef.extensions.destinationTranslatedZoneURI`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cef.extensions.destinationUserId`*:: +*`rsa.internal.process_vid_src`*:: + -- -Identifies the destination user by ID. 
For example, in UNIX, the root user is generally associated with user ID 0. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`cef.extensions.destinationUserName`*:: +*`rsa.internal.rid`*:: + -- -Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`cef.extensions.destinationUserPrivileges`*:: +*`rsa.internal.session_split`*:: + -- -The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.destinationZoneExternalID`*:: +*`rsa.internal.site`*:: + -- -None +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.destinationZoneURI`*:: +*`rsa.internal.size`*:: + -- -The URI for the Zone that the destination asset has been assigned to in ArcSight. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`cef.extensions.deviceAction`*:: +*`rsa.internal.sourcefile`*:: + -- -Action taken by the device. +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.deviceAddress`*:: +*`rsa.internal.ubc_req`*:: + -- -Identifies the device address that an event refers to in an IP network. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: ip +type: long -- -*`cef.extensions.deviceCustomFloatingPoint1Label`*:: +*`rsa.internal.ubc_res`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cef.extensions.deviceCustomFloatingPoint3Label`*:: +*`rsa.internal.word`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint4Label`*:: + +*`rsa.time.event_time`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`cef.extensions.deviceCustomDate1`*:: +*`rsa.time.duration_time`*:: + -- -One of two timestamp fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the normalized duration/lifetime in seconds. 
-type: date +type: double -- -*`cef.extensions.deviceCustomDate1Label`*:: +*`rsa.time.event_time_str`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`cef.extensions.deviceCustomDate2`*:: +*`rsa.time.starttime`*:: + -- -One of two timestamp fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the Start time mentioned in a session in a standard form type: date -- -*`cef.extensions.deviceCustomDate2Label`*:: +*`rsa.time.month`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint1`*:: +*`rsa.time.day`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. - -type: double +type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint2`*:: +*`rsa.time.endtime`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the End time mentioned in a session in a standard form -type: double +type: date -- -*`cef.extensions.deviceCustomFloatingPoint2Label`*:: +*`rsa.time.timezone`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the timezone of the Event Time type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint3`*:: +*`rsa.time.duration_str`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. 
+A text string version of the duration -type: double +type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint4`*:: +*`rsa.time.date`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. +type: keyword -type: double +-- +*`rsa.time.year`*:: ++ -- +type: keyword -*`cef.extensions.deviceCustomIPv6Address1`*:: +-- + +*`rsa.time.recorded_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: ip +type: date -- -*`cef.extensions.deviceCustomIPv6Address1Label`*:: +*`rsa.time.datetime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomIPv6Address2`*:: +*`rsa.time.effective_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: ip +type: date -- -*`cef.extensions.deviceCustomIPv6Address2Label`*:: +*`rsa.time.expire_time`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`cef.extensions.deviceCustomIPv6Address3`*:: +*`rsa.time.process_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. 
+Deprecated, use duration.time -type: ip +type: keyword -- -*`cef.extensions.deviceCustomIPv6Address3Label`*:: +*`rsa.time.hour`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomIPv6Address4`*:: +*`rsa.time.min`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - -type: ip +type: keyword -- -*`cef.extensions.deviceCustomIPv6Address4Label`*:: +*`rsa.time.timestamp`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber1`*:: +*`rsa.time.event_queue_time`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is the Time that the event was queued. -type: long +type: date -- -*`cef.extensions.deviceCustomNumber1Label`*:: +*`rsa.time.p_time1`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber2`*:: +*`rsa.time.tzone`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - -type: long +type: keyword -- -*`cef.extensions.deviceCustomNumber2Label`*:: +*`rsa.time.eventtime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber3`*:: +*`rsa.time.gmtdate`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. 
Use sparingly and seek a more specific, dictionary supplied field when possible. - -type: long +type: keyword -- -*`cef.extensions.deviceCustomNumber3Label`*:: +*`rsa.time.gmttime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString1`*:: +*`rsa.time.p_date`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString1Label`*:: +*`rsa.time.p_month`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString2`*:: +*`rsa.time.p_time`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString2Label`*:: +*`rsa.time.p_time2`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString3`*:: +*`rsa.time.p_year`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString3Label`*:: +*`rsa.time.expire_time_str`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
type: keyword -- -*`cef.extensions.deviceCustomString4`*:: +*`rsa.time.stamp`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +Deprecated key defined only in table map. -type: keyword +type: date -- -*`cef.extensions.deviceCustomString4Label`*:: + +*`rsa.misc.action`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString5`*:: +*`rsa.misc.result`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`cef.extensions.deviceCustomString5Label`*:: +*`rsa.misc.severity`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the severity given the session type: keyword -- -*`cef.extensions.deviceCustomString6`*:: +*`rsa.misc.event_type`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key captures the event category type as specified by the event source. type: keyword -- -*`cef.extensions.deviceCustomString6Label`*:: +*`rsa.misc.reference_id`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture an event id from the session directly type: keyword -- -*`cef.extensions.deviceDirection`*:: +*`rsa.misc.version`*:: + -- -Any information about what direction the observed communication has taken. 
The following values are supported - "0" for inbound or "1" for outbound. +This key captures Version of the application or OS which is generating the event. -type: long +type: keyword -- -*`cef.extensions.deviceDnsDomain`*:: +*`rsa.misc.disposition`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). +This key captures the The end state of an action. type: keyword -- -*`cef.extensions.deviceEventCategory`*:: +*`rsa.misc.result_code`*:: + -- -Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`cef.extensions.deviceExternalId`*:: +*`rsa.misc.category`*:: + -- -A name that uniquely identifies the device generating this event. +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`cef.extensions.deviceFacility`*:: +*`rsa.misc.obj_name`*:: + -- -The facility generating this event. For example, Syslog has an explicit facility associated with every event. +This is used to capture name of object type: keyword -- -*`cef.extensions.deviceFlexNumber1`*:: +*`rsa.misc.obj_type`*:: + -- -One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This is used to capture type of object -type: long +type: keyword -- -*`cef.extensions.deviceFlexNumber1Label`*:: +*`rsa.misc.event_source`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+This key captures Source of the event that’s not a hostname type: keyword -- -*`cef.extensions.deviceFlexNumber2`*:: +*`rsa.misc.log_session_id`*:: + -- -One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`cef.extensions.deviceFlexNumber2Label`*:: +*`rsa.misc.group`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key captures the Group Name value type: keyword -- -*`cef.extensions.deviceHostName`*:: +*`rsa.misc.policy_name`*:: + -- -The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. +This key is used to capture the Policy Name only. type: keyword -- -*`cef.extensions.deviceInboundInterface`*:: +*`rsa.misc.rule_name`*:: + -- -Interface on which the packet or data entered the device. +This key captures the Rule Name type: keyword -- -*`cef.extensions.deviceMacAddress`*:: +*`rsa.misc.context`*:: + -- -Six colon-separated hexadecimal numbers. +This key captures Information which adds additional context to the event. type: keyword -- -*`cef.extensions.deviceNtDomain`*:: +*`rsa.misc.change_new`*:: + -- -The Windows domain name of the device address. +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`cef.extensions.deviceOutboundInterface`*:: +*`rsa.misc.space`*:: + -- -Interface on which the packet or data left the device. - type: keyword -- -*`cef.extensions.devicePayloadId`*:: +*`rsa.misc.client`*:: + -- -Unique identifier for the payload associated with the event. +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`cef.extensions.deviceProcessId`*:: +*`rsa.misc.msgIdPart1`*:: + -- -Provides the ID of the process on the device generating the event. - -type: long +type: keyword -- -*`cef.extensions.deviceProcessName`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Process name associated with the event. An example might be the process generating the syslog entry in UNIX. - type: keyword -- -*`cef.extensions.deviceReceiptTime`*:: +*`rsa.misc.change_old`*:: + -- -The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) +This key is used to capture the old value of the attribute that’s changing in a session -type: date +type: keyword -- -*`cef.extensions.deviceTimeZone`*:: +*`rsa.misc.operation_id`*:: + -- -The time zone for the device generating the event. +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`cef.extensions.deviceTranslatedAddress`*:: +*`rsa.misc.event_state`*:: + -- -Identifies the translated device address that the event refers to in an IP network. +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: ip +type: keyword -- -*`cef.extensions.deviceTranslatedZoneExternalID`*:: +*`rsa.misc.group_object`*:: + -- -None +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`cef.extensions.deviceTranslatedZoneURI`*:: +*`rsa.misc.node`*:: + -- -The URI for the Translated Zone that the device asset has been assigned to in ArcSight. +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
type: keyword -- -*`cef.extensions.deviceZoneExternalID`*:: +*`rsa.misc.rule`*:: + -- -None +This key captures the Rule number type: keyword -- -*`cef.extensions.deviceZoneURI`*:: +*`rsa.misc.device_name`*:: + -- -Thee URI for the Zone that the device asset has been assigned to in ArcSight. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`cef.extensions.endTime`*:: +*`rsa.misc.param`*:: + -- -The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. +This key is the parameters passed as part of a command or application, etc. -type: date +type: keyword -- -*`cef.extensions.eventId`*:: +*`rsa.misc.change_attrib`*:: + -- -This is a unique ID that ArcSight assigns to each event. +This key is used to capture the name of the attribute that’s changing in a session -type: long +type: keyword -- -*`cef.extensions.eventOutcome`*:: +*`rsa.misc.event_computer`*:: + -- -Displays the outcome, usually as 'success' or 'failure'. +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`cef.extensions.externalId`*:: +*`rsa.misc.reference_id1`*:: + -- -The ID used by an originating device. They are usually increasing numbers, associated with events. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`cef.extensions.fileCreateTime`*:: +*`rsa.misc.event_log`*:: + -- -Time when the file was created. +This key captures the Name of the event log -type: date +type: keyword -- -*`cef.extensions.fileHash`*:: +*`rsa.misc.OS`*:: + -- -Hash of a file. +This key captures the Name of the Operating System type: keyword -- -*`cef.extensions.fileId`*:: +*`rsa.misc.terminal`*:: + -- -An ID associated with a file could be the inode. 
+This key captures the Terminal Names only type: keyword -- -*`cef.extensions.fileModificationTime`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Time when the file was last modified. - -type: date +type: keyword -- -*`cef.extensions.filename`*:: +*`rsa.misc.filter`*:: + -- -Name of the file only (without its path). +This key captures Filter used to reduce result set type: keyword -- -*`cef.extensions.filePath`*:: +*`rsa.misc.serial_number`*:: + -- -Full path to the file, including file name itself. +This key is the Serial number associated with a physical asset. type: keyword -- -*`cef.extensions.filePermission`*:: +*`rsa.misc.checksum`*:: + -- -Permissions of the file. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`cef.extensions.fileSize`*:: +*`rsa.misc.event_user`*:: + -- -Size of the file. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: long +type: keyword -- -*`cef.extensions.fileType`*:: +*`rsa.misc.virusname`*:: + -- -Type of file (pipe, socket, etc.) +This key captures the name of the virus type: keyword -- -*`cef.extensions.flexDate1`*:: +*`rsa.misc.content_type`*:: + -- -A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key is used to capture Content Type only. -type: date +type: keyword -- -*`cef.extensions.flexDate1Label`*:: +*`rsa.misc.group_id`*:: + -- -The label field is a string and describes the purpose of the flex field. 
+This key captures Group ID Number (related to the group name) type: keyword -- -*`cef.extensions.flexString1`*:: +*`rsa.misc.policy_id`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`cef.extensions.flexString2`*:: +*`rsa.misc.vsys`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key captures Virtual System Name type: keyword -- -*`cef.extensions.flexString1Label`*:: +*`rsa.misc.connection_id`*:: + -- -The label field is a string and describes the purpose of the flex field. +This key captures the Connection ID type: keyword -- -*`cef.extensions.flexString2Label`*:: +*`rsa.misc.reference_id2`*:: + -- -The label field is a string and describes the purpose of the flex field. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`cef.extensions.message`*:: +*`rsa.misc.sensor`*:: + -- -An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`cef.extensions.oldFileCreateTime`*:: +*`rsa.misc.sig_id`*:: + -- -Time when old file was created. 
+This key captures IDS/IPS Int Signature ID -type: date +type: long -- -*`cef.extensions.oldFileHash`*:: +*`rsa.misc.port_name`*:: + -- -Hash of the old file. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`cef.extensions.oldFileId`*:: +*`rsa.misc.rule_group`*:: + -- -An ID associated with the old file could be the inode. +This key captures the Rule group name type: keyword -- -*`cef.extensions.oldFileModificationTime`*:: +*`rsa.misc.risk_num`*:: + -- -Time when old file was last modified. +This key captures a Numeric Risk value -type: date +type: double -- -*`cef.extensions.oldFileName`*:: +*`rsa.misc.trigger_val`*:: + -- -Name of the old file. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`cef.extensions.oldFilePath`*:: +*`rsa.misc.log_session_id1`*:: + -- -Full path to the old file, including the file name itself. +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`cef.extensions.oldFilePermission`*:: +*`rsa.misc.comp_version`*:: + -- -Permissions of the old file. +This key captures the Version level of a sub-component of a product. type: keyword -- -*`cef.extensions.oldFileSize`*:: +*`rsa.misc.content_version`*:: + -- -Size of the old file. +This key captures Version level of a signature or database content. -type: long +type: keyword -- -*`cef.extensions.oldFileType`*:: +*`rsa.misc.hardware_id`*:: + -- -Type of the old file (pipe, socket, etc.) +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`cef.extensions.rawEvent`*:: +*`rsa.misc.risk`*:: + -- -None +This key captures the non-numeric risk value type: keyword -- -*`cef.extensions.Reason`*:: +*`rsa.misc.event_id`*:: + -- -The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. 
Example "0x1234". - type: keyword -- -*`cef.extensions.requestClientApplication`*:: +*`rsa.misc.reason`*:: + -- -The User-Agent associated with the request. - type: keyword -- -*`cef.extensions.requestContext`*:: +*`rsa.misc.status`*:: + -- -Description of the content from which the request originated (for example, HTTP Referrer) - type: keyword -- -*`cef.extensions.requestCookies`*:: +*`rsa.misc.mail_id`*:: + -- -Cookies associated with the request. +This key is used to capture the mailbox id/name type: keyword -- -*`cef.extensions.requestMethod`*:: +*`rsa.misc.rule_uid`*:: + -- -The HTTP method used to access a URL. +This key is the Unique Identifier for a rule. type: keyword -- -*`cef.extensions.requestUrl`*:: +*`rsa.misc.trigger_desc`*:: + -- -In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`cef.extensions.sourceAddress`*:: +*`rsa.misc.inout`*:: + -- -Identifies the source that an event refers to in an IP network. - -type: ip +type: keyword -- -*`cef.extensions.sourceDnsDomain`*:: +*`rsa.misc.p_msgid`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). - type: keyword -- -*`cef.extensions.sourceGeoLatitude`*:: +*`rsa.misc.data_type`*:: + -- -None - -type: double +type: keyword -- -*`cef.extensions.sourceGeoLongitude`*:: +*`rsa.misc.msgIdPart4`*:: + -- -None - -type: double +type: keyword -- -*`cef.extensions.sourceHostName`*:: +*`rsa.misc.error`*:: + -- -Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. - +This key captures All non successful Error codes or responses type: keyword -- -*`cef.extensions.sourceMacAddress`*:: +*`rsa.misc.index`*:: + -- -Six colon-separated hexadecimal numbers. 
- type: keyword -example: 00:0d:60:af:1b:61 - -- -*`cef.extensions.sourceNtDomain`*:: +*`rsa.misc.listnum`*:: + -- -The Windows domain name for the source address. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`cef.extensions.sourcePort`*:: +*`rsa.misc.ntype`*:: + -- -The valid port numbers are 0 to 65535. - -type: long +type: keyword -- -*`cef.extensions.sourceProcessId`*:: +*`rsa.misc.observed_val`*:: + -- -The ID of the source process associated with the event. +This key captures the Value observed (from the perspective of the device generating the log). -type: long +type: keyword -- -*`cef.extensions.sourceProcessName`*:: +*`rsa.misc.policy_value`*:: + -- -The name of the event's source process. +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`cef.extensions.sourceServiceName`*:: +*`rsa.misc.pool_name`*:: + -- -The service that is responsible for generating this event. +This key captures the name of a resource pool type: keyword -- -*`cef.extensions.sourceTranslatedAddress`*:: +*`rsa.misc.rule_template`*:: + -- -Identifies the translated source that the event refers to in an IP network. +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: ip +type: keyword -- -*`cef.extensions.sourceTranslatedPort`*:: +*`rsa.misc.count`*:: + -- -A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. - -type: long +type: keyword -- -*`cef.extensions.sourceTranslatedZoneExternalID`*:: +*`rsa.misc.number`*:: + -- -None - type: keyword -- -*`cef.extensions.sourceTranslatedZoneURI`*:: +*`rsa.misc.sigcat`*:: + -- -The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. - type: keyword -- -*`cef.extensions.sourceUserId`*:: +*`rsa.misc.type`*:: + -- -Identifies the source user by ID. 
This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - type: keyword -- -*`cef.extensions.sourceUserName`*:: +*`rsa.misc.comments`*:: + -- -Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. +Comment information provided in the log message type: keyword -- -*`cef.extensions.sourceUserPrivileges`*:: +*`rsa.misc.doc_number`*:: + -- -The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". +This key captures File Identification number -type: keyword +type: long -- -*`cef.extensions.sourceZoneExternalID`*:: +*`rsa.misc.expected_val`*:: + -- -None +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`cef.extensions.sourceZoneURI`*:: +*`rsa.misc.job_num`*:: + -- -The URI for the Zone that the source asset has been assigned to in ArcSight. +This key captures the Job Number type: keyword -- -*`cef.extensions.startTime`*:: +*`rsa.misc.spi_dst`*:: + -- -The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) +Destination SPI Index -type: date +type: keyword -- -*`cef.extensions.transportProtocol`*:: +*`rsa.misc.spi_src`*:: + -- -Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. +Source SPI Index type: keyword -- -*`cef.extensions.type`*:: +*`rsa.misc.code`*:: + -- -0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). - -type: long +type: keyword -- -*`cef.extensions.categoryDeviceType`*:: +*`rsa.misc.agent_id`*:: + -- -Device type. 
Examples - Proxy, IDS, Web Server +This key is used to capture agent id type: keyword -- -*`cef.extensions.categoryObject`*:: +*`rsa.misc.message_body`*:: + -- -Object that the event is about. For example it can be an operating sytem, database, file, etc. +This key captures the The contents of the message body. type: keyword -- -*`cef.extensions.categoryBehavior`*:: +*`rsa.misc.phone`*:: + -- -Action or a behavior associated with an event. It's what is being done to the object. - type: keyword -- -*`cef.extensions.categoryTechnique`*:: +*`rsa.misc.sig_id_str`*:: + -- -Technique being used (e.g. /DoS). +This key captures a string object of the sigid variable. type: keyword -- -*`cef.extensions.categoryDeviceGroup`*:: +*`rsa.misc.cmd`*:: + -- -General device group like Firewall. - type: keyword -- -*`cef.extensions.categorySignificance`*:: +*`rsa.misc.misc`*:: + -- -Characterization of the importance of the event. - type: keyword -- -*`cef.extensions.categoryOutcome`*:: +*`rsa.misc.name`*:: + -- -Outcome of the event (e.g. sucess, failure, or attempt). - type: keyword -- -*`cef.extensions.managerReceiptTime`*:: +*`rsa.misc.cpu`*:: + -- -When the Arcsight ESM received the event. +This key is the CPU time used in the execution of the event being recorded. -type: date +type: long -- -*`source.service.name`*:: +*`rsa.misc.event_desc`*:: + -- -Service that is the source of the event. +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`destination.service.name`*:: +*`rsa.misc.sig_id1`*:: + -- -Service that is the target of the event. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[[exported-fields-cef-module]] -== CEF fields - -Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. 
- - - -[float] -=== forcepoint - -Fields for Forcepoint Custom String mappings - - - -*`forcepoint.virus_id`*:: +*`rsa.misc.im_buddyid`*:: + -- -Virus ID - - type: keyword -- -[float] -=== checkpoint - -Fields for Check Point custom string mappings. - +*`rsa.misc.im_client`*:: ++ +-- +type: keyword +-- -*`checkpoint.app_risk`*:: +*`rsa.misc.im_userid`*:: + -- -Application risk. - type: keyword -- -*`checkpoint.app_severity`*:: +*`rsa.misc.pid`*:: + -- -Application threat severity. - type: keyword -- -*`checkpoint.app_sig_id`*:: +*`rsa.misc.priority`*:: + -- -The signature ID which the application was detected by. - type: keyword -- -*`checkpoint.auth_method`*:: +*`rsa.misc.context_subject`*:: + -- -Password authentication protocol used. +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`checkpoint.category`*:: +*`rsa.misc.context_target`*:: + -- -Category. - type: keyword -- -*`checkpoint.confidence_level`*:: +*`rsa.misc.cve`*:: + -- -Confidence level determined. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: integer +type: keyword -- -*`checkpoint.connectivity_state`*:: +*`rsa.misc.fcatnum`*:: + -- -Connectivity state. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`checkpoint.cookie`*:: +*`rsa.misc.library`*:: + -- -IKE cookie. +This key is used to capture library information in mainframe devices type: keyword -- -*`checkpoint.dst_phone_number`*:: +*`rsa.misc.parent_node`*:: + -- -Destination IP-Phone. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`checkpoint.email_control`*:: +*`rsa.misc.risk_info`*:: + -- -Engine name. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.email_id`*:: +*`rsa.misc.tcp_flags`*:: + -- -Internal email ID. 
+This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`checkpoint.email_recipients_num`*:: +*`rsa.misc.tos`*:: + -- -Number of recipients. +This key describes the type of service type: long -- -*`checkpoint.email_session_id`*:: +*`rsa.misc.vm_target`*:: + -- -Internal email session ID. +VMWare Target **VMWARE** only varaible. type: keyword -- -*`checkpoint.email_spool_id`*:: +*`rsa.misc.workspace`*:: + -- -Internal email spool ID. +This key captures Workspace Description type: keyword -- -*`checkpoint.email_subject`*:: +*`rsa.misc.command`*:: + -- -Email subject. - type: keyword -- -*`checkpoint.event_count`*:: +*`rsa.misc.event_category`*:: + -- -Number of events associated with the log. - -type: long +type: keyword -- -*`checkpoint.frequency`*:: +*`rsa.misc.facilityname`*:: + -- -Scan frequency. - type: keyword -- -*`checkpoint.icmp_type`*:: +*`rsa.misc.forensic_info`*:: + -- -ICMP type. - -type: long +type: keyword -- -*`checkpoint.icmp_code`*:: +*`rsa.misc.jobname`*:: + -- -ICMP code. - -type: long +type: keyword -- -*`checkpoint.identity_type`*:: +*`rsa.misc.mode`*:: + -- -Identity type. - type: keyword -- -*`checkpoint.incident_extension`*:: +*`rsa.misc.policy`*:: + -- -Format of original data. - type: keyword -- -*`checkpoint.integrity_av_invoke_type`*:: +*`rsa.misc.policy_waiver`*:: + -- -Scan invoke type. - type: keyword -- -*`checkpoint.malware_family`*:: +*`rsa.misc.second`*:: + -- -Malware family. - type: keyword -- -*`checkpoint.peer_gateway`*:: +*`rsa.misc.space1`*:: + -- -Main IP of the peer Security Gateway. - -type: ip +type: keyword -- -*`checkpoint.performance_impact`*:: +*`rsa.misc.subcategory`*:: + -- -Protection performance impact. +type: keyword -type: integer +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword -- -*`checkpoint.protection_id`*:: +*`rsa.misc.alert_id`*:: + -- -Protection malware ID. 
+Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.protection_name`*:: +*`rsa.misc.checksum_dst`*:: + -- -Specific signature name of the attack. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`checkpoint.protection_type`*:: +*`rsa.misc.checksum_src`*:: + -- -Type of protection used to detect the attack. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`checkpoint.scan_result`*:: +*`rsa.misc.fresult`*:: + -- -Scan result. +This key captures the Filter Result -type: keyword +type: long -- -*`checkpoint.sensor_mode`*:: +*`rsa.misc.payload_dst`*:: + -- -Sensor mode. +This key is used to capture destination payload type: keyword -- -*`checkpoint.severity`*:: +*`rsa.misc.payload_src`*:: + -- -Threat severity. +This key is used to capture source payload type: keyword -- -*`checkpoint.spyware_name`*:: +*`rsa.misc.pool_id`*:: + -- -Spyware name. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`checkpoint.spyware_status`*:: +*`rsa.misc.process_id_val`*:: + -- -Spyware status. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`checkpoint.subs_exp`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The expiration date of the subscription. +This key captures Risk Number Community -type: date +type: double -- -*`checkpoint.tcp_flags`*:: +*`rsa.misc.risk_num_next`*:: + -- -TCP packet flags. +This key captures Risk Number NextGen -type: keyword +type: double -- -*`checkpoint.termination_reason`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Termination reason. +This key captures Risk Number SandBox -type: keyword +type: double -- -*`checkpoint.update_status`*:: +*`rsa.misc.risk_num_static`*:: + -- -Update status. 
+This key captures Risk Number Static -type: keyword +type: double -- -*`checkpoint.user_status`*:: +*`rsa.misc.risk_suspicious`*:: + -- -User response. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.uuid`*:: +*`rsa.misc.risk_warning`*:: + -- -External ID. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.virus_name`*:: +*`rsa.misc.snmp_oid`*:: + -- -Virus name. +SNMP Object Identifier type: keyword -- -*`checkpoint.voip_log_type`*:: +*`rsa.misc.sql`*:: + -- -VoIP log types. +This key captures the SQL query type: keyword -- -[float] -=== cef.extensions - -Extra vendor-specific extensions. +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details +type: keyword +-- -*`cef.extensions.cp_app_risk`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`cef.extensions.cp_severity`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`cef.extensions.ifname`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`cef.extensions.inzone`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`cef.extensions.layer_uuid`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`cef.extensions.layer_name`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`cef.extensions.logid`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`cef.extensions.loguid`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`cef.extensions.match_id`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`cef.extensions.nat_addtnl_rulenum`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`cef.extensions.nat_rulenum`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`cef.extensions.origin`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`cef.extensions.originsicname`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`cef.extensions.outzone`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`cef.extensions.parent_rule`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- 
-*`cef.extensions.product`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`cef.extensions.rule_action`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`cef.extensions.rule_uid`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`cef.extensions.sequencenum`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`cef.extensions.service_id`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`cef.extensions.version`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -[[exported-fields-checkpoint]] -== Checkpoint fields - -Some checkpoint module - - - -[float] -=== checkpoint - -Module for parsing Checkpoint syslog. - - - -*`checkpoint.confidence_level`*:: +*`rsa.misc.clustermembers`*:: + -- -Confidence level determined by ThreatCloud. - - -type: integer +type: keyword -- -*`checkpoint.calc_desc`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Log description. - - type: keyword -- -*`checkpoint.dst_country`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Destination country. - - type: keyword -- -*`checkpoint.dst_user_name`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Connected user name on the destination IP. - - type: keyword -- -*`checkpoint.email_id`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -Email number in smtp connection. - - type: keyword -- -*`checkpoint.email_subject`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Original email subject. - - type: keyword -- -*`checkpoint.email_session_id`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Connection uuid. - - type: keyword -- -*`checkpoint.event_count`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Number of events associated with the log. - - -type: long +type: keyword -- -*`checkpoint.sys_message`*:: +*`rsa.misc.cn_engine_type`*:: + -- -System messages - - type: keyword -- -*`checkpoint.logid`*:: +*`rsa.misc.cn_f_switch`*:: + -- -System messages - - type: keyword -- -*`checkpoint.failure_impact`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -The impact of update service failure. 
- - type: keyword -- -*`checkpoint.id`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Override application ID. - - -type: integer +type: keyword -- -*`checkpoint.information`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Policy installation status for a specific blade. - - type: keyword -- -*`checkpoint.layer_name`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Layer name. - - type: keyword -- -*`checkpoint.layer_uuid`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -Layer UUID. - - type: keyword -- -*`checkpoint.log_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -Unique identity for logs. - - -type: integer +type: keyword -- -*`checkpoint.malware_family`*:: +*`rsa.misc.cn_invalid`*:: + -- -Additional information on protection. - - type: keyword -- -*`checkpoint.origin_sic_name`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Machine SIC. - - type: keyword -- -*`checkpoint.policy_mgmt`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Name of the Management Server that manages this Security Gateway. - - type: keyword -- -*`checkpoint.policy_name`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Name of the last policy that this Security Gateway fetched. - - type: keyword -- -*`checkpoint.protection_id`*:: +*`rsa.misc.cn_log_did`*:: + -- -Protection malware id. - - type: keyword -- -*`checkpoint.protection_name`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Specific signature name of the attack. - - type: keyword -- -*`checkpoint.protection_type`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Type of protection used to detect the attack. - - type: keyword -- -*`checkpoint.protocol`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Protocol detected on the connection. - - type: keyword -- -*`checkpoint.proxy_src_ip`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Sender source IP (even when using proxy). - - -type: ip +type: keyword -- -*`checkpoint.rule`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -Matched rule number. - - -type: integer +type: keyword -- -*`checkpoint.rule_action`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Action of the matched rule in the access policy. 
- - type: keyword -- -*`checkpoint.scan_direction`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -Scan direction. - - type: keyword -- -*`checkpoint.session_id`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -Log uuid. - - type: keyword -- -*`checkpoint.source_os`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -OS which generated the attack. - - type: keyword -- -*`checkpoint.src_country`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Country name, derived from connection source IP address. - - type: keyword -- -*`checkpoint.src_user_name`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -User name connected to source IP - - type: keyword -- -*`checkpoint.ticket_id`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -Unique ID per file. - - type: keyword -- -*`checkpoint.tls_server_host_name`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -SNI/CN from encrypted TLS connection used by URLF for categorization. - - type: keyword -- -*`checkpoint.verdict`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -TE engine verdict Possible values: Malicious/Benign/Error. - - type: keyword -- -*`checkpoint.user`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Source user name. - - type: keyword -- -*`checkpoint.vendor_list`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -The vendor name that provided the verdict for a malicious URL. - - type: keyword -- -*`checkpoint.web_server_type`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Web server detected in the HTTP response. - - type: keyword -- -*`checkpoint.client_name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Client Application or Software Blade that detected the event. - - type: keyword -- -*`checkpoint.client_version`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -Build version of SandBlast Agent client installed on the computer. - - type: keyword -- -*`checkpoint.extension_version`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Build version of the SandBlast Agent browser extension. - - type: keyword -- -*`checkpoint.host_time`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Local time on the endpoint computer. 
- - type: keyword -- -*`checkpoint.installed_products`*:: +*`rsa.misc.cn_sampint`*:: + -- -List of installed Endpoint Software Blades. - - type: keyword -- -*`checkpoint.cc`*:: +*`rsa.misc.cn_seqctr`*:: + -- -The Carbon Copy address of the email. - - type: keyword -- -*`checkpoint.parent_process_username`*:: +*`rsa.misc.cn_spackets`*:: + -- -Owner username of the parent process of the process that triggered the attack. +type: keyword +-- +*`rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -- -*`checkpoint.process_username`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -Owner username of the process that triggered the attack. +type: keyword +-- +*`rsa.misc.cn_sysuptime`*:: ++ +-- type: keyword -- -*`checkpoint.audit_status`*:: +*`rsa.misc.cn_template_id`*:: + -- -Audit Status. Can be Success or Failure. +type: keyword +-- +*`rsa.misc.cn_totbytsexp`*:: ++ +-- type: keyword -- -*`checkpoint.objecttable`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -Table of affected objects. +type: keyword +-- +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- type: keyword -- -*`checkpoint.objecttype`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The type of the affected object. +type: keyword +-- +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- type: keyword -- -*`checkpoint.operation_number`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -The operation nuber. +type: keyword +-- +*`rsa.misc.comp_class`*:: ++ +-- type: keyword -- -*`checkpoint.email_recipients_num`*:: +*`rsa.misc.comp_name`*:: + -- -Amount of recipients whom the mail was sent to. - - -type: integer +type: keyword -- -*`checkpoint.suppressed_logs`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Aggregated connections for five minutes on the same source, destination and port. - - -type: integer +type: keyword -- -*`checkpoint.blade_name`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Blade name. - - type: keyword -- -*`checkpoint.status`*:: +*`rsa.misc.cpu_data`*:: + -- -Ok/Warning/Error. 
- - type: keyword -- -*`checkpoint.short_desc`*:: +*`rsa.misc.criticality`*:: + -- -Short description of the process that was executed. - - type: keyword -- -*`checkpoint.long_desc`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -More information on the process (usually describing error reason in failure). - - type: keyword -- -*`checkpoint.scan_hosts_hour`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Number of unique hosts during the last hour. - - -type: integer +type: keyword -- -*`checkpoint.scan_hosts_day`*:: +*`rsa.misc.cs_av_other`*:: + -- -Number of unique hosts during the last day. - - -type: integer +type: keyword -- -*`checkpoint.scan_hosts_week`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Number of unique hosts during the last week. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_hour`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Detected virus for a specific host during the last hour. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_day`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Detected virus for a specific host during the last day. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_week`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Detected virus for a specific host during the last week. - - -type: integer +type: keyword -- -*`checkpoint.scan_mail`*:: +*`rsa.misc.cs_context`*:: + -- -Number of emails that were scanned by "AB malicious activity" engine. - - -type: integer +type: keyword -- -*`checkpoint.additional_ip`*:: +*`rsa.misc.cs_control`*:: + -- -DNS host name. - - type: keyword -- -*`checkpoint.description`*:: +*`rsa.misc.cs_data`*:: + -- -Additional explanation how the security gateway enforced the connection. - - type: keyword -- -*`checkpoint.email_spam_category`*:: +*`rsa.misc.cs_datecret`*:: + -- -Email categories. Possible values: spam/not spam/phishing. - - type: keyword -- -*`checkpoint.email_control_analysis`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Message classification, received from spam vendor engine. 
- - type: keyword -- -*`checkpoint.scan_results`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -"Infected"/description of a failure. - - type: keyword -- -*`checkpoint.original_queue_id`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Original postfix email queue id. - - type: keyword -- -*`checkpoint.risk`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Risk level we got from the engine. - - type: keyword -- -*`checkpoint.observable_name`*:: +*`rsa.misc.cs_filetype`*:: + -- -IOC observable signature name. - - type: keyword -- -*`checkpoint.observable_id`*:: +*`rsa.misc.cs_fld`*:: + -- -IOC observable signature id. - - type: keyword -- -*`checkpoint.observable_comment`*:: +*`rsa.misc.cs_if_desc`*:: + -- -IOC observable signature description. - - type: keyword -- -*`checkpoint.indicator_name`*:: +*`rsa.misc.cs_if_name`*:: + -- -IOC indicator name. - - type: keyword -- -*`checkpoint.indicator_description`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -IOC indicator description. - - type: keyword -- -*`checkpoint.indicator_reference`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -IOC indicator reference. - - type: keyword -- -*`checkpoint.indicator_uuid`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -IOC indicator uuid. - - type: keyword -- -*`checkpoint.app_desc`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Application description. - - type: keyword -- -*`checkpoint.app_id`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Application ID. - - -type: integer +type: keyword -- -*`checkpoint.app_sig_id`*:: +*`rsa.misc.cs_loginname`*:: + -- -IOC indicator description. - - type: keyword -- -*`checkpoint.certificate_resource`*:: +*`rsa.misc.cs_modulescore`*:: + -- -HTTPS resource Possible values: SNI or domain name (DN). - - type: keyword -- -*`checkpoint.certificate_validation`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. - - type: keyword -- -*`checkpoint.browse_time`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Application session browse time. 
- - type: keyword -- -*`checkpoint.limit_requested`*:: +*`rsa.misc.cs_payload`*:: + -- -Indicates whether data limit was requested for the session. - - -type: integer +type: keyword -- -*`checkpoint.limit_applied`*:: +*`rsa.misc.cs_registrant`*:: + -- -Indicates whether the session was actually date limited. - - -type: integer +type: keyword -- -*`checkpoint.dropped_total`*:: +*`rsa.misc.cs_registrar`*:: + -- -Amount of dropped packets (both incoming and outgoing). - - -type: integer +type: keyword -- -*`checkpoint.client_type_os`*:: +*`rsa.misc.cs_represult`*:: + -- -Client OS detected in the HTTP request. - - type: keyword -- -*`checkpoint.name`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Application name. - - type: keyword -- -*`checkpoint.properties`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Application categories. - - type: keyword -- -*`checkpoint.sig_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Application's signature ID which how it was detected by. - - type: keyword -- -*`checkpoint.desc`*:: +*`rsa.misc.cs_streams`*:: + -- -Override application description. - - type: keyword -- -*`checkpoint.referrer_self_uid`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -UUID of the current log. - - type: keyword -- -*`checkpoint.referrer_parent_uid`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Log UUID of the referring application. - - type: keyword -- -*`checkpoint.needs_browse_time`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Browse time required for the connection. - - -type: integer +type: keyword -- -*`checkpoint.cluster_info`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. - - type: keyword -- -*`checkpoint.sync`*:: +*`rsa.misc.description`*:: + -- -Sync status and the reason (stable, at risk). - - type: keyword -- -*`checkpoint.file_direction`*:: +*`rsa.misc.devvendor`*:: + -- -File direction. Possible options: upload/download. 
- - type: keyword -- -*`checkpoint.invalid_file_size`*:: +*`rsa.misc.distance`*:: + -- -File_size field is valid only if this field is set to 0. - - -type: integer +type: keyword -- -*`checkpoint.top_archive_file_name`*:: +*`rsa.misc.dstburb`*:: + -- -In case of archive file: the file that was sent/received. - - type: keyword -- -*`checkpoint.data_type_name`*:: +*`rsa.misc.edomain`*:: + -- -Data type in rulebase that was matched. - - type: keyword -- -*`checkpoint.specific_data_type_name`*:: +*`rsa.misc.edomaub`*:: + -- -Compound/Group scenario, data type that was matched. - - type: keyword -- -*`checkpoint.word_list`*:: +*`rsa.misc.euid`*:: + -- -Words matched by data type. - - type: keyword -- -*`checkpoint.info`*:: +*`rsa.misc.facility`*:: + -- -Special log message. - - type: keyword -- -*`checkpoint.outgoing_url`*:: +*`rsa.misc.finterface`*:: + -- -URL related to this log (for HTTP). - - type: keyword -- -*`checkpoint.dlp_rule_name`*:: +*`rsa.misc.flags`*:: + -- -Matched rule name. - - type: keyword -- -*`checkpoint.dlp_recipients`*:: +*`rsa.misc.gaddr`*:: + -- -Mail recipients. - - type: keyword -- -*`checkpoint.dlp_subject`*:: +*`rsa.misc.id3`*:: + -- -Mail subject. - - type: keyword -- -*`checkpoint.dlp_word_list`*:: +*`rsa.misc.im_buddyname`*:: + -- -Phrases matched by data type. - - type: keyword -- -*`checkpoint.dlp_template_score`*:: +*`rsa.misc.im_croomid`*:: + -- -Template data type match score. - - type: keyword -- -*`checkpoint.message_size`*:: +*`rsa.misc.im_croomtype`*:: + -- -Mail/post size. - - -type: integer +type: keyword -- -*`checkpoint.dlp_incident_uid`*:: +*`rsa.misc.im_members`*:: + -- -Unique ID of the matched rule. - - type: keyword -- -*`checkpoint.dlp_related_incident_uid`*:: +*`rsa.misc.im_username`*:: + -- -Other ID related to this one. - - type: keyword -- -*`checkpoint.dlp_data_type_name`*:: +*`rsa.misc.ipkt`*:: + -- -Matched data type. 
- - type: keyword -- -*`checkpoint.dlp_data_type_uid`*:: +*`rsa.misc.ipscat`*:: + -- -Unique ID of the matched data type. - - type: keyword -- -*`checkpoint.dlp_violation_description`*:: +*`rsa.misc.ipspri`*:: + -- -Violation descriptions described in the rulebase. - - type: keyword -- -*`checkpoint.dlp_relevant_data_types`*:: +*`rsa.misc.latitude`*:: + -- -In case of Compound/Group: the inner data types that were matched. - - type: keyword -- -*`checkpoint.dlp_action_reason`*:: +*`rsa.misc.linenum`*:: + -- -Action chosen reason. - - type: keyword -- -*`checkpoint.dlp_categories`*:: +*`rsa.misc.list_name`*:: + -- -Data type category. - - type: keyword -- -*`checkpoint.dlp_transint`*:: +*`rsa.misc.load_data`*:: + -- -HTTP/SMTP/FTP. - - type: keyword -- -*`checkpoint.duplicate`*:: +*`rsa.misc.location_floor`*:: + -- -Log marked as duplicated, when mail is split and the Security Gateway sees it twice. - - type: keyword -- -*`checkpoint.incident_extension`*:: +*`rsa.misc.location_mark`*:: + -- -Matched data type. - - type: keyword -- -*`checkpoint.matched_file`*:: +*`rsa.misc.log_id`*:: + -- -Unique ID of the matched data type. - - type: keyword -- -*`checkpoint.matched_file_text_segments`*:: +*`rsa.misc.log_type`*:: + -- -Fingerprint: number of text segments matched by this traffic. - - -type: integer +type: keyword -- -*`checkpoint.matched_file_percentage`*:: +*`rsa.misc.logid`*:: + -- -Fingerprint: match percentage of the traffic. - - -type: integer +type: keyword -- -*`checkpoint.dlp_additional_action`*:: +*`rsa.misc.logip`*:: + -- -Watermark/None. - - type: keyword -- -*`checkpoint.dlp_watermark_profile`*:: +*`rsa.misc.logname`*:: + -- -Watermark which was applied. - - type: keyword -- -*`checkpoint.dlp_repository_id`*:: +*`rsa.misc.longitude`*:: + -- -ID of scanned repository. - - type: keyword -- -*`checkpoint.dlp_repository_root_path`*:: +*`rsa.misc.lport`*:: + -- -Repository path. 
- - type: keyword -- -*`checkpoint.scan_id`*:: +*`rsa.misc.mbug_data`*:: + -- -Sequential number of scan. - - type: keyword -- -*`checkpoint.special_properties`*:: +*`rsa.misc.misc_name`*:: + -- -If this field is set to '1' the log will not be shown (in use for monitoring scan progress). - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_total_size`*:: +*`rsa.misc.msg_type`*:: + -- -Repository size. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_files_number`*:: +*`rsa.misc.msgid`*:: + -- -Number of files in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scanned_files_number`*:: +*`rsa.misc.netsessid`*:: + -- -Number of scanned files in repository. - - -type: integer +type: keyword -- -*`checkpoint.duration`*:: +*`rsa.misc.num`*:: + -- -Scan duration. - - type: keyword -- -*`checkpoint.dlp_fingerprint_long_status`*:: +*`rsa.misc.number1`*:: + -- -Scan status - long format. - - type: keyword -- -*`checkpoint.dlp_fingerprint_short_status`*:: +*`rsa.misc.number2`*:: + -- -Scan status - short format. - - type: keyword -- -*`checkpoint.dlp_repository_directories_number`*:: +*`rsa.misc.nwwn`*:: + -- -Number of directories in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_unreachable_directories_number`*:: +*`rsa.misc.object`*:: + -- -Number of directories the Security Gateway was unable to read. - - -type: integer +type: keyword -- -*`checkpoint.dlp_fingerprint_files_number`*:: +*`rsa.misc.operation`*:: + -- -Number of successfully scanned files in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_skipped_files_number`*:: +*`rsa.misc.opkt`*:: + -- -Skipped number of files because of configuration. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scanned_directories_number`*:: +*`rsa.misc.orig_from`*:: + -- -Amount of directories scanned. 
- - -type: integer +type: keyword -- -*`checkpoint.number_of_errors`*:: +*`rsa.misc.owner_id`*:: + -- -Number of files that were not scanned due to an error. - - -type: integer +type: keyword -- -*`checkpoint.next_scheduled_scan_date`*:: +*`rsa.misc.p_action`*:: + -- -Next scan scheduled time according to time object. - - type: keyword -- -*`checkpoint.dlp_repository_scanned_total_size`*:: +*`rsa.misc.p_filter`*:: + -- -Size scanned. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_reached_directories_number`*:: +*`rsa.misc.p_group_object`*:: + -- -Number of scanned directories in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_not_scanned_directories_percentage`*:: +*`rsa.misc.p_id`*:: + -- -Percentage of directories the Security Gateway was unable to read. - - -type: integer +type: keyword -- -*`checkpoint.speed`*:: +*`rsa.misc.p_msgid1`*:: + -- -Current scan speed. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scan_progress`*:: +*`rsa.misc.p_msgid2`*:: + -- -Scan percentage. - - -type: integer +type: keyword -- -*`checkpoint.sub_policy_name`*:: +*`rsa.misc.p_result1`*:: + -- -Layer name. - - type: keyword -- -*`checkpoint.sub_policy_uid`*:: +*`rsa.misc.password_chg`*:: + -- -Layer uid. - - type: keyword -- -*`checkpoint.fw_message`*:: +*`rsa.misc.password_expire`*:: + -- -Used for various firewall errors. - - type: keyword -- -*`checkpoint.message`*:: +*`rsa.misc.permgranted`*:: + -- -ISP link has failed. - - type: keyword -- -*`checkpoint.isp_link`*:: +*`rsa.misc.permwanted`*:: + -- -Name of ISP link. - - type: keyword -- -*`checkpoint.fw_subproduct`*:: +*`rsa.misc.pgid`*:: + -- -Can be vpn/non vpn. - - type: keyword -- -*`checkpoint.sctp_error`*:: +*`rsa.misc.policyUUID`*:: + -- -Error information, what caused sctp to fail on out_of_state. - - type: keyword -- -*`checkpoint.chunk_type`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Chunck of the sctp stream. 
- - type: keyword -- -*`checkpoint.sctp_association_state`*:: +*`rsa.misc.program`*:: + -- -The bad state you were trying to update to. - - type: keyword -- -*`checkpoint.tcp_packet_out_of_state`*:: +*`rsa.misc.real_data`*:: + -- -State violation. +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`checkpoint.tcp_flags`*:: +*`rsa.misc.rec_asp_num`*:: + -- -TCP packet flags (SYN, ACK, etc.,). +type: keyword +-- +*`rsa.misc.rec_library`*:: ++ +-- type: keyword -- -*`checkpoint.connectivity_level`*:: +*`rsa.misc.recordnum`*:: + -- -Log for a new connection in wire mode. +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`checkpoint.ip_option`*:: +*`rsa.misc.sburb`*:: + -- -IP option that was dropped. - - -type: integer +type: keyword -- -*`checkpoint.tcp_state`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Log reinting a tcp state change. - - type: keyword -- -*`checkpoint.expire_time`*:: +*`rsa.misc.sec`*:: + -- -Connection closing time. - - type: keyword -- -*`checkpoint.icmp_type`*:: +*`rsa.misc.sensorname`*:: + -- -In case a connection is ICMP, type info will be added to the log. - - -type: integer +type: keyword -- -*`checkpoint.icmp_code`*:: +*`rsa.misc.seqnum`*:: + -- -In case a connection is ICMP, code info will be added to the log. - - -type: integer +type: keyword -- -*`checkpoint.rpc_prog`*:: +*`rsa.misc.session`*:: + -- -Log for new RPC state - prog values. - - -type: integer +type: keyword -- -*`checkpoint.dce-rpc_interface_uuid`*:: +*`rsa.misc.sessiontype`*:: + -- -Log for new RPC state - UUID values - - type: keyword -- -*`checkpoint.elapsed`*:: +*`rsa.misc.sigUUID`*:: + -- -Time passed since start time. - - type: keyword -- -*`checkpoint.icmp`*:: +*`rsa.misc.spi`*:: + -- -Number of packets, received by the client. - - type: keyword -- -*`checkpoint.capture_uuid`*:: +*`rsa.misc.srcburb`*:: + -- -UUID generated for the capture. Used when enabling the capture when logging. 
- - type: keyword -- -*`checkpoint.diameter_app_ID`*:: +*`rsa.misc.srcdom`*:: + -- -The ID of diameter application. - - -type: integer +type: keyword -- -*`checkpoint.diameter_cmd_code`*:: +*`rsa.misc.srcservice`*:: + -- -Diameter not allowed application command id. - - -type: integer +type: keyword -- -*`checkpoint.diameter_msg_type`*:: +*`rsa.misc.state`*:: + -- -Diameter message type. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -*`checkpoint.cp_message`*:: +*`rsa.misc.svcno`*:: + -- -Used to log a general message. +type: keyword +-- -type: integer +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`checkpoint.log_delay`*:: +*`rsa.misc.tbdstr1`*:: + -- -Time left before deleting template. +type: keyword +-- -type: integer +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`checkpoint.attack_status`*:: +*`rsa.misc.tgtdomain`*:: + -- -In case of a malicious event on an endpoint computer, the status of the attack. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`checkpoint.impacted_files`*:: +*`rsa.misc.type1`*:: + -- -In case of an infection on an endpoint computer, the list of files that the malware impacted. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`checkpoint.remediated_files`*:: +*`rsa.misc.url_fld`*:: + -- -In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. +type: keyword +-- +*`rsa.misc.user_div`*:: ++ +-- type: keyword -- -*`checkpoint.triggered_by`*:: +*`rsa.misc.userid`*:: + -- -The name of the mechanism that triggered the Software Blade to enforce a protection. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`checkpoint.https_inspection_rule_id`*:: +*`rsa.misc.utcstamp`*:: + -- -ID of the matched rule. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`checkpoint.https_inspection_rule_name`*:: +*`rsa.misc.virt_data`*:: + -- -Name of the matched rule. 
+type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`checkpoint.app_properties`*:: +*`rsa.misc.autorun_type`*:: + -- -List of all found categories. - +This is used to capture Auto Run type type: keyword -- -*`checkpoint.https_validation`*:: +*`rsa.misc.cc_number`*:: + -- -Precise error, describing HTTPS inspection failure. +Valid Credit Card Numbers only - -type: keyword +type: long -- -*`checkpoint.https_inspection_action`*:: +*`rsa.misc.content`*:: + -- -HTTPS inspection action (Inspect/Bypass/Error). - +This key captures the content type from protocol headers type: keyword -- -*`checkpoint.icap_service_id`*:: +*`rsa.misc.ein_number`*:: + -- -Service ID, can work with multiple servers, treated as services. +Employee Identification Numbers only - -type: integer +type: long -- -*`checkpoint.icap_server_name`*:: +*`rsa.misc.found`*:: + -- -Server name. - +This is used to capture the results of regex match type: keyword -- -*`checkpoint.internal_error`*:: +*`rsa.misc.language`*:: + -- -Internal error, for troubleshooting - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`checkpoint.icap_more_info`*:: +*`rsa.misc.lifetime`*:: + -- -Free text for verdict. - +This key is used to capture the session lifetime in seconds. -type: integer +type: long -- -*`checkpoint.reply_status`*:: +*`rsa.misc.link`*:: + -- -ICAP reply status code, e.g. 200 or 204. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -*`checkpoint.icap_server_service`*:: +*`rsa.misc.match`*:: + -- -Service name, as given in the ICAP URI - +This key is for regex match name from search.ini type: keyword -- -*`checkpoint.mirror_and_decrypt_type`*:: +*`rsa.misc.param_dst`*:: + -- -Information about decrypt and forward. 
Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`checkpoint.interface_name`*:: +*`rsa.misc.param_src`*:: + -- -Designated interface for mirror And decrypt. - +This key captures source parameter type: keyword -- -*`checkpoint.session_uid`*:: +*`rsa.misc.search_text`*:: + -- -HTTP session-id. - +This key captures the Search Text used type: keyword -- -*`checkpoint.broker_publisher`*:: +*`rsa.misc.sig_name`*:: + -- -IP address of the broker publisher who shared the session information. - +This key is used to capture the Signature Name only. -type: ip +type: keyword -- -*`checkpoint.src_user_dn`*:: +*`rsa.misc.snmp_value`*:: + -- -User distinguished name connected to source IP. - +SNMP set request value type: keyword -- -*`checkpoint.proxy_user_name`*:: +*`rsa.misc.streams`*:: + -- -User name connected to proxy IP. - +This key captures number of streams in session -type: keyword +type: long -- -*`checkpoint.proxy_machine_name`*:: + +*`rsa.db.index`*:: + -- -Machine name connected to proxy IP. - +This key captures IndexID of the index. -type: integer +type: keyword -- -*`checkpoint.proxy_user_dn`*:: +*`rsa.db.instance`*:: + -- -User distinguished name connected to proxy IP. - +This key is used to capture the database server instance name type: keyword -- -*`checkpoint.query`*:: +*`rsa.db.database`*:: + -- -DNS query. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`checkpoint.dns_query`*:: +*`rsa.db.transact_id`*:: + -- -DNS query. - +This key captures the SQL transantion ID of the current session type: keyword -- -*`checkpoint.inspection_item`*:: +*`rsa.db.permissions`*:: + -- -Blade element performed inspection. - +This key captures permission or privilege level assigned to a resource. 
type: keyword -- -*`checkpoint.performance_impact`*:: +*`rsa.db.table_name`*:: + -- -Protection performance impact. +This key is used to capture the table name - -type: integer +type: keyword -- -*`checkpoint.inspection_category`*:: +*`rsa.db.db_id`*:: + -- -Inspection category: protocol anomaly, signature etc. - +This key is used to capture the unique identifier for a database type: keyword -- -*`checkpoint.inspection_profile`*:: +*`rsa.db.db_pid`*:: + -- -Profile which the activated protection belongs to. +This key captures the process id of a connection with database server - -type: keyword +type: long -- -*`checkpoint.summary`*:: +*`rsa.db.lread`*:: + -- -Summary message of a non-compliant DNS traffic drops or detects. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`checkpoint.question_rdata`*:: +*`rsa.db.lwrite`*:: + -- -List of question records domains. +This key is used for the number of logical writes - -type: keyword +type: long -- -*`checkpoint.answer_rdata`*:: +*`rsa.db.pread`*:: + -- -List of answer resource records to the questioned domains. - +This key is used for the number of physical writes -type: keyword +type: long -- -*`checkpoint.authority_rdata`*:: + +*`rsa.network.alias_host`*:: + -- -List of authoritative servers. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`checkpoint.additional_rdata`*:: +*`rsa.network.domain`*:: + -- -List of additional resource records. - - type: keyword -- -*`checkpoint.files_names`*:: +*`rsa.network.host_dst`*:: + -- -List of files requested by FTP. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`checkpoint.ftp_user`*:: +*`rsa.network.network_service`*:: + -- -FTP username. 
- +This is used to capture layer 7 protocols/service names type: keyword -- -*`checkpoint.mime_from`*:: +*`rsa.network.interface`*:: + -- -Sender's address. - +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`checkpoint.mime_to`*:: +*`rsa.network.network_port`*:: + -- -List of receiver address. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`checkpoint.bcc`*:: +*`rsa.network.eth_host`*:: + -- -List of BCC addresses. - +Deprecated, use alias.mac type: keyword -- -*`checkpoint.content_type`*:: +*`rsa.network.sinterface`*:: + -- -Mail content type. Possible values: application/msword, text/html, image/gif etc. - +This key should only be used when it’s a Source Interface type: keyword -- -*`checkpoint.user_agent`*:: +*`rsa.network.dinterface`*:: + -- -String identifying requesting software user agent. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`checkpoint.referrer`*:: +*`rsa.network.vlan`*:: + -- -Referrer HTTP request header, previous web page address. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`checkpoint.http_location`*:: +*`rsa.network.zone_src`*:: + -- -Response header, indicates the URL to redirect a page to. - +This key should only be used when it’s a Source Zone. type: keyword -- -*`checkpoint.content_disposition`*:: +*`rsa.network.zone`*:: + -- -Indicates how the content is expected to be displayed inline in the browser. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`checkpoint.via`*:: +*`rsa.network.zone_dst`*:: + -- -Via header is added by proxies for tracking purposes to avoid sending reqests in loop. - +This key should only be used when it’s a Destination Zone. 
type: keyword -- -*`checkpoint.http_server`*:: +*`rsa.network.gateway`*:: + -- -Server HTTP header value, contains information about the software used by the origin server, which handles the request. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`checkpoint.content_length`*:: +*`rsa.network.icmp_type`*:: + -- -Indicates the size of the entity-body of the HTTP header. +This key is used to capture the ICMP type only - -type: keyword +type: long -- -*`checkpoint.authorization`*:: +*`rsa.network.mask`*:: + -- -Authorization HTTP header value. - +This key is used to capture the device network IPmask. type: keyword -- -*`checkpoint.http_host`*:: +*`rsa.network.icmp_code`*:: + -- -Domain name of the server that the HTTP request is sent to. +This key is used to capture the ICMP code only - -type: keyword +type: long -- -*`checkpoint.inspection_settings_log`*:: +*`rsa.network.protocol_detail`*:: + -- -Indicats that the log was released by inspection settings. - +This key should be used to capture additional protocol information type: keyword -- -*`checkpoint.cvpn_resource`*:: +*`rsa.network.dmask`*:: + -- -Mobile Access application. - +This key is used for Destionation Device network mask type: keyword -- -*`checkpoint.cvpn_category`*:: +*`rsa.network.port`*:: + -- -Mobile Access application type. - +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`checkpoint.url`*:: +*`rsa.network.smask`*:: + -- -Translated URL. - +This key is used for capturing source Network Mask type: keyword -- -*`checkpoint.reject_id`*:: +*`rsa.network.netname`*:: + -- -A reject ID that corresponds to the one presented in the Mobile Access error page. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
type: keyword -- -*`checkpoint.fs-proto`*:: +*`rsa.network.paddr`*:: + -- -The file share protocol used in mobile acess file share application. +Deprecated - -type: keyword +type: ip -- -*`checkpoint.app_package`*:: +*`rsa.network.faddr`*:: + -- -Unique identifier of the application on the protected mobile device. +type: keyword +-- +*`rsa.network.lhost`*:: ++ +-- type: keyword -- -*`checkpoint.appi_name`*:: +*`rsa.network.origin`*:: + -- -Name of application downloaded on the protected mobile device. +type: keyword +-- +*`rsa.network.remote_domain_id`*:: ++ +-- type: keyword -- -*`checkpoint.app_repackaged`*:: +*`rsa.network.addr`*:: + -- -Indicates whether the original application was repackage not by the official developer. +type: keyword +-- +*`rsa.network.dns_a_record`*:: ++ +-- type: keyword -- -*`checkpoint.app_sid_id`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Unique SHA identifier of a mobile application. +type: keyword +-- +*`rsa.network.fhost`*:: ++ +-- type: keyword -- -*`checkpoint.app_version`*:: +*`rsa.network.fport`*:: + -- -Version of the application downloaded on the protected mobile device. +type: keyword +-- +*`rsa.network.laddr`*:: ++ +-- type: keyword -- -*`checkpoint.developer_certificate_name`*:: +*`rsa.network.linterface`*:: + -- -Name of the developer's certificate that was used to sign the mobile application. +type: keyword +-- +*`rsa.network.phost`*:: ++ +-- type: keyword -- -*`checkpoint.email_control`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Engine name. - +Deprecated, use host.dst type: keyword -- -*`checkpoint.email_message_id`*:: +*`rsa.network.eth_type`*:: + -- -Email session id (uniqe ID of the mail). +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: keyword +type: long -- -*`checkpoint.email_queue_id`*:: +*`rsa.network.ip_proto`*:: + -- -Postfix email queue id. 
- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`checkpoint.email_queue_name`*:: +*`rsa.network.dns_cname_record`*:: + -- -Postfix email queue name. +type: keyword +-- +*`rsa.network.dns_id`*:: ++ +-- type: keyword -- -*`checkpoint.file_name`*:: +*`rsa.network.dns_opcode`*:: + -- -Malicious file name. +type: keyword +-- +*`rsa.network.dns_resp`*:: ++ +-- type: keyword -- -*`checkpoint.failure_reason`*:: +*`rsa.network.dns_type`*:: + -- -MTA failure description. +type: keyword +-- +*`rsa.network.domain1`*:: ++ +-- type: keyword -- -*`checkpoint.email_headers`*:: +*`rsa.network.host_type`*:: + -- -String containing all the email headers. +type: keyword +-- +*`rsa.network.packet_length`*:: ++ +-- type: keyword -- -*`checkpoint.arrival_time`*:: +*`rsa.network.host_orig`*:: + -- -Email arrival timestamp. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`checkpoint.email_status`*:: +*`rsa.network.rpayload`*:: + -- -Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`checkpoint.status_update`*:: +*`rsa.network.vlan_name`*:: + -- -Last time log was updated. - +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`checkpoint.delivery_time`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Timestamp of when email was delivered (MTA finished handling the email. - +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`checkpoint.links_num`*:: +*`rsa.investigations.ec_theme`*:: + -- -Number of links in the mail. 
- +This key captures the Theme of a particular Event(Ex:Authentication) -type: integer +type: keyword -- -*`checkpoint.attachments_num`*:: +*`rsa.investigations.ec_subject`*:: + -- -Number of attachments in the mail. +This key captures the Subject of a particular Event(Ex:User) - -type: integer +type: keyword -- -*`checkpoint.email_content`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Mail contents. Possible options: attachments/links & attachments/links/text only. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`checkpoint.allocated_ports`*:: +*`rsa.investigations.event_cat`*:: + -- -Amount of allocated ports. +This key captures the Event category number - -type: integer +type: long -- -*`checkpoint.capacity`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Capacity of the ports. - +This key captures the event category name corresponding to the event cat code -type: integer +type: keyword -- -*`checkpoint.ports_usage`*:: +*`rsa.investigations.event_vcat`*:: + -- -Percentage of allocated ports. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: integer +type: keyword -- -*`checkpoint.nat_exhausted_pool`*:: +*`rsa.investigations.analysis_file`*:: + -- -4-tuple of an exhausted pool. - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`checkpoint.nat_rulenum`*:: +*`rsa.investigations.analysis_service`*:: + -- -NAT rulebase first matched rule. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: integer +type: keyword -- -*`checkpoint.nat_addtnl_rulenum`*:: +*`rsa.investigations.analysis_session`*:: + -- -When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. - +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session -type: integer +type: keyword -- -*`checkpoint.message_info`*:: +*`rsa.investigations.boc`*:: + -- -Used for information messages, for example:NAT connection has ended. - +This is used to capture behaviour of compromise type: keyword -- -*`checkpoint.nat46`*:: +*`rsa.investigations.eoc`*:: + -- -NAT 46 status, in most cases "enabled". - +This is used to capture Enablers of Compromise type: keyword -- -*`checkpoint.end_time`*:: +*`rsa.investigations.inv_category`*:: + -- -TCP connection end time. - +This used to capture investigation category type: keyword -- -*`checkpoint.tcp_end_reason`*:: +*`rsa.investigations.inv_context`*:: + -- -Reason for TCP connection closure. - +This used to capture investigation context type: keyword -- -*`checkpoint.cgnet`*:: +*`rsa.investigations.ioc`*:: + -- -Describes NAT allocation for specific subscriber. - +This is key capture indicator of compromise type: keyword -- -*`checkpoint.subscriber`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Source IP before CGNAT. +This is a generic counter key that should be used with the label dclass.c1.str only - -type: ip +type: long -- -*`checkpoint.hide_ip`*:: +*`rsa.counters.dclass_c2`*:: + -- -Source IP which will be used after CGNAT. - +This is a generic counter key that should be used with the label dclass.c2.str only -type: ip +type: long -- -*`checkpoint.int_start`*:: +*`rsa.counters.event_counter`*:: + -- -Subscriber start int which will be used for NAT. +This is used to capture the number of times an event repeated - -type: integer +type: long -- -*`checkpoint.int_end`*:: +*`rsa.counters.dclass_r1`*:: + -- -Subscriber end int which will be used for NAT. - +This is a generic ratio key that should be used with the label dclass.r1.str only -type: integer +type: keyword -- -*`checkpoint.packet_amount`*:: +*`rsa.counters.dclass_c3`*:: + -- -Amount of packets dropped. 
+This is a generic counter key that should be used with the label dclass.c3.str only - -type: integer +type: long -- -*`checkpoint.monitor_reason`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Aggregated logs of monitored packets. - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`checkpoint.drops_amount`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Amount of multicast packets dropped. +This is a generic counter string key that should be used with the label dclass.c2 only - -type: integer +type: keyword -- -*`checkpoint.securexl_message`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`checkpoint.conns_amount`*:: +*`rsa.counters.dclass_r2`*:: + -- -Connections amount of aggregated log info. +This is a generic ratio key that should be used with the label dclass.r2.str only - -type: integer +type: keyword -- -*`checkpoint.scope`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -IP related to the attack. - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`checkpoint.analyzed_on`*:: +*`rsa.counters.dclass_r3`*:: + -- -Check Point ThreatCloud / emulator name. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`checkpoint.detected_on`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -System and applications version the file was emulated on. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`checkpoint.dropped_file_name`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -List of names dropped from the original file. 
- +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`checkpoint.dropped_file_type`*:: + +*`rsa.identity.auth_method`*:: + -- -List of file types dropped from the original file. - +This key is used to capture authentication methods used only type: keyword -- -*`checkpoint.dropped_file_hash`*:: +*`rsa.identity.user_role`*:: + -- -List of file hashes dropped from the original file. - +This key is used to capture the Role of a user only type: keyword -- -*`checkpoint.dropped_file_verdict`*:: +*`rsa.identity.dn`*:: + -- -List of file verdics dropped from the original file. - +X.500 (LDAP) Distinguished Name type: keyword -- -*`checkpoint.emulated_on`*:: +*`rsa.identity.logon_type`*:: + -- -Images the files were emulated on. - +This key is used to capture the type of logon method used. type: keyword -- -*`checkpoint.extracted_file_type`*:: +*`rsa.identity.profile`*:: + -- -Types of extracted files in case of an archive. - +This key is used to capture the user profile type: keyword -- -*`checkpoint.extracted_file_names`*:: +*`rsa.identity.accesses`*:: + -- -Names of extracted files in case of an archive. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`checkpoint.extracted_file_hash`*:: +*`rsa.identity.realm`*:: + -- -Archive hash in case of extracted files. - +Radius realm or similar grouping of accounts type: keyword -- -*`checkpoint.extracted_file_verdict`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Verdict of extracted files in case of an archive. - +This key captures Destination User Session ID type: keyword -- -*`checkpoint.extracted_file_uid`*:: +*`rsa.identity.dn_src`*:: + -- -UID of extracted files in case of an archive. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`checkpoint.mitre_initial_access`*:: +*`rsa.identity.org`*:: + -- -The adversary is trying to break into your network. 
- +This key captures the User organization type: keyword -- -*`checkpoint.mitre_execution`*:: +*`rsa.identity.dn_dst`*:: + -- -The adversary is trying to run malicious code. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`checkpoint.mitre_persistence`*:: +*`rsa.identity.firstname`*:: + -- -The adversary is trying to maintain his foothold. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_privilege_escalation`*:: +*`rsa.identity.lastname`*:: + -- -The adversary is trying to gain higher-level permissions. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_defense_evasion`*:: +*`rsa.identity.user_dept`*:: + -- -The adversary is trying to avoid being detected. - +User's Department Names only type: keyword -- -*`checkpoint.mitre_credential_access`*:: +*`rsa.identity.user_sid_src`*:: + -- -The adversary is trying to steal account names and passwords. - +This key captures Source User Session ID type: keyword -- -*`checkpoint.mitre_discovery`*:: +*`rsa.identity.federated_sp`*:: + -- -The adversary is trying to expose information about your environment. - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`checkpoint.mitre_lateral_movement`*:: +*`rsa.identity.federated_idp`*:: + -- -The adversary is trying to explore your environment. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`checkpoint.mitre_collection`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The adversary is trying to collect data of interest to achieve his goal. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
type: keyword -- -*`checkpoint.mitre_command_and_control`*:: +*`rsa.identity.middlename`*:: + -- -The adversary is trying to communicate with compromised systems in order to control them. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_exfiltration`*:: +*`rsa.identity.password`*:: + -- -The adversary is trying to steal data. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`checkpoint.mitre_impact`*:: +*`rsa.identity.host_role`*:: + -- -The adversary is trying to manipulate, interrupt, or destroy your systems and data. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`checkpoint.parent_file_hash`*:: +*`rsa.identity.ldap`*:: + -- -Archive's hash in case of extracted files. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`checkpoint.parent_file_name`*:: +*`rsa.identity.ldap_query`*:: + -- -Archive's name in case of extracted files. - +This key is the Search criteria from an LDAP search type: keyword -- -*`checkpoint.parent_file_uid`*:: +*`rsa.identity.ldap_response`*:: + -- -Archive's UID in case of extracted files. - +This key is to capture Results from an LDAP search type: keyword -- -*`checkpoint.similiar_iocs`*:: +*`rsa.identity.owner`*:: + -- -Other IoCs similar to the ones found, related to the malicious file. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`checkpoint.similar_hashes`*:: +*`rsa.identity.service_account`*:: + -- -Hashes found similar to the malicious file. - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage type: keyword -- -*`checkpoint.similar_strings`*:: + +*`rsa.email.email_dst`*:: + -- -Strings found similar to the malicious file. - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`checkpoint.similar_communication`*:: +*`rsa.email.email_src`*:: + -- -Network action found similar to the malicious file. - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`checkpoint.te_verdict_determined_by`*:: +*`rsa.email.subject`*:: + -- -Emulators determined file verdict. - +This key is used to capture the subject string from an Email only. type: keyword -- -*`checkpoint.packet_capture_unique_id`*:: +*`rsa.email.email`*:: + -- -Identifier of the packet capture files. - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`checkpoint.total_attachments`*:: +*`rsa.email.trans_from`*:: + -- -The number of attachments in an email. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`checkpoint.additional_info`*:: +*`rsa.email.trans_to`*:: + -- -ID of original file/mail which are sent by admin. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.content_risk`*:: + +*`rsa.file.privilege`*:: + -- -File risk. +Deprecated, use permissions - -type: integer +type: keyword -- -*`checkpoint.operation`*:: +*`rsa.file.attachment`*:: + -- -Operation made by Threat Extraction. - +This key captures the attachment file name type: keyword -- -*`checkpoint.scrubbed_content`*:: +*`rsa.file.filesystem`*:: + -- -Active content that was found. - - type: keyword -- -*`checkpoint.scrub_time`*:: +*`rsa.file.binary`*:: + -- -Extraction process duration. - +Deprecated key defined only in table map. 
type: keyword -- -*`checkpoint.scrub_download_time`*:: +*`rsa.file.filename_dst`*:: + -- -File download time from resource. - +This is used to capture name of the file targeted by the action type: keyword -- -*`checkpoint.scrub_total_time`*:: +*`rsa.file.filename_src`*:: + -- -Threat extraction total file handling time. - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`checkpoint.scrub_activity`*:: +*`rsa.file.filename_tmp`*:: + -- -The result of the extraction +type: keyword +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file type: keyword -- -*`checkpoint.watermark`*:: +*`rsa.file.directory_src`*:: + -- -Reports whether watermark is added to the cleaned file. - +This key is used to capture the directory of the source process or file type: keyword -- -*`checkpoint.source_object`*:: +*`rsa.file.file_entropy`*:: + -- -Matched object name on source column. - +This is used to capture entropy vale of a file -type: integer +type: double -- -*`checkpoint.destination_object`*:: +*`rsa.file.file_vendor`*:: + -- -Matched object name on destination column. - +This is used to capture Company name of file located in version_info type: keyword -- -*`checkpoint.drop_reason`*:: +*`rsa.file.task_name`*:: + -- -Drop reason description. - +This is used to capture name of the task type: keyword -- -*`checkpoint.hit`*:: + +*`rsa.web.fqdn`*:: + -- -Number of hits on a rule. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`checkpoint.rulebase_id`*:: +*`rsa.web.web_cookie`*:: + -- -Layer number. +This key is used to capture the Web cookies specifically. - -type: integer +type: keyword -- -*`checkpoint.first_hit_time`*:: +*`rsa.web.alias_host`*:: + -- -First hit time in current interval. - - -type: integer +type: keyword -- -*`checkpoint.last_hit_time`*:: +*`rsa.web.reputation_num`*:: + -- -Last hit time in current interval. 
- +Reputation Number of an entity. Typically used for Web Domains -type: integer +type: double -- -*`checkpoint.rematch_info`*:: +*`rsa.web.web_ref_domain`*:: + -- -Information sent when old connections cannot be matched during policy installation. - +Web referer's domain type: keyword -- -*`checkpoint.last_rematch_time`*:: +*`rsa.web.web_ref_query`*:: + -- -Connection rematched time. - +This key captures Web referer's query portion of the URL type: keyword -- -*`checkpoint.action_reason`*:: +*`rsa.web.remote_domain`*:: + -- -Connection drop reason. - - -type: integer +type: keyword -- -*`checkpoint.c_bytes`*:: +*`rsa.web.web_ref_page`*:: + -- -Boolean value indicates whether bytes sent from the client side are used. +This key captures Web referer's page information - -type: integer +type: keyword -- -*`checkpoint.context_num`*:: +*`rsa.web.web_ref_root`*:: + -- -Serial number of the log for a specific connection. - +Web referer's root URL path -type: integer +type: keyword -- -*`checkpoint.match_id`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Private key of the rule - - -type: integer +type: keyword -- -*`checkpoint.alert`*:: +*`rsa.web.cn_rpackets`*:: + -- -Alert level of matched rule (for connection logs). +type: keyword +-- +*`rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`checkpoint.parent_rule`*:: +*`rsa.web.urlroot`*:: + -- -Parent rule number, in case of inline layer. +type: keyword +-- -type: integer +*`rsa.web.p_url`*:: ++ +-- +type: keyword -- -*`checkpoint.match_fk`*:: +*`rsa.web.p_user_agent`*:: + -- -Rule number. +type: keyword +-- -type: integer +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword -- -*`checkpoint.dropped_outgoing`*:: +*`rsa.web.p_web_method`*:: + -- -Number of outgoing bytes dropped when using UP-limit feature. +type: keyword +-- -type: integer +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -*`checkpoint.dropped_incoming`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Number of incoming bytes dropped when using UP-limit feature. 
+type: keyword +-- -type: integer +*`rsa.web.web_page`*:: ++ +-- +type: keyword -- -*`checkpoint.media_type`*:: + +*`rsa.threat.threat_category`*:: + -- -Media used (audio, video, etc.) - +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -- -*`checkpoint.sip_reason`*:: +*`rsa.threat.threat_desc`*:: + -- -Explains why 'source_ip' isn't allowed to redirect (handover). - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`checkpoint.voip_method`*:: +*`rsa.threat.alert`*:: + -- -Registration request. - +This key is used to capture name of the alert type: keyword -- -*`checkpoint.registered_ip-phones`*:: +*`rsa.threat.threat_source`*:: + -- -Registered IP-Phones. - +This key is used to capture source of the threat type: keyword -- -*`checkpoint.voip_reg_user_type`*:: + +*`rsa.crypto.crypto`*:: + -- -Registered IP-Phone type. - +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`checkpoint.voip_call_id`*:: +*`rsa.crypto.cipher_src`*:: + -- -Call-ID. - +This key is for Source (Client) Cipher type: keyword -- -*`checkpoint.voip_reg_int`*:: +*`rsa.crypto.cert_subject`*:: + -- -Registration port. +This key is used to capture the Certificate organization only - -type: integer +type: keyword -- -*`checkpoint.voip_reg_ipp`*:: +*`rsa.crypto.peer`*:: + -- -Registration IP protocol. - +This key is for Encryption peer's IP Address -type: integer +type: keyword -- -*`checkpoint.voip_reg_period`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Registration period. +This key captures Source (Client) Cipher Size - -type: integer +type: long -- -*`checkpoint.voip_log_type`*:: +*`rsa.crypto.ike`*:: + -- -VoIP log types. Possible values: reject, call, registration. - +IKE negotiation phase. type: keyword -- -*`checkpoint.src_phone_number`*:: +*`rsa.crypto.scheme`*:: + -- -Source IP-Phone. 
- +This key captures the Encryption scheme used type: keyword -- -*`checkpoint.voip_from_user_type`*:: +*`rsa.crypto.peer_id`*:: + -- -Source IP-Phone type. - +This key is for Encryption peer’s identity type: keyword -- -*`checkpoint.dst_phone_number`*:: +*`rsa.crypto.sig_type`*:: + -- -Destination IP-Phone. - +This key captures the Signature Type type: keyword -- -*`checkpoint.voip_to_user_type`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Destination IP-Phone type. - - type: keyword -- -*`checkpoint.voip_call_dir`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Call direction: in/out. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.voip_call_state`*:: +*`rsa.crypto.cert_error`*:: + -- -Call state. Possible values: in/out. - +This key captures the Certificate Error String type: keyword -- -*`checkpoint.voip_call_term_time`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Call termination time stamp. - +This key is for Destination (Server) Cipher type: keyword -- -*`checkpoint.voip_duration`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Call duration (seconds). +This key captures Destination (Server) Cipher Size - -type: keyword +type: long -- -*`checkpoint.voip_media_port`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -Media int. - +Deprecated, use version type: keyword -- -*`checkpoint.voip_media_ipp`*:: +*`rsa.crypto.d_certauth`*:: + -- -Media IP protocol. +type: keyword +-- +*`rsa.crypto.s_certauth`*:: ++ +-- type: keyword -- -*`checkpoint.voip_est_codec`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Estimated codec. - +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`checkpoint.voip_exp`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Expiration. - +ID of the negotiation — sent for ISAKMP Phase Two -type: integer +type: keyword -- -*`checkpoint.voip_attach_sz`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Attachment size. - - -type: integer +type: keyword -- -*`checkpoint.voip_attach_action_info`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Attachment action Info. 
- +This key is used for the hostname category value of a certificate type: keyword -- -*`checkpoint.voip_media_codec`*:: +*`rsa.crypto.cert_serial`*:: + -- -Estimated codec. - +This key is used to capture the Certificate serial number only type: keyword -- -*`checkpoint.voip_reject_reason`*:: +*`rsa.crypto.cert_status`*:: + -- -Reject reason. - +This key captures Certificate validation status type: keyword -- -*`checkpoint.voip_reason_info`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Information. - +Deprecated, use version type: keyword -- -*`checkpoint.voip_config`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Configuration. +type: keyword +-- +*`rsa.crypto.cert_username`*:: ++ +-- type: keyword -- -*`checkpoint.voip_reg_server`*:: +*`rsa.crypto.https_insact`*:: + -- -Registrar server IP address. +type: keyword +-- -type: ip +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword -- -*`checkpoint.scv_user`*:: +*`rsa.crypto.cert_ca`*:: + -- -Username whose packets are dropped on SCV. - +This key is used to capture the Certificate signing authority only type: keyword -- -*`checkpoint.scv_message_info`*:: +*`rsa.crypto.cert_common`*:: + -- -Drop reason. - +This key is used to capture the Certificate common name only type: keyword -- -*`checkpoint.ppp`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Authentication status. - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`checkpoint.scheme`*:: +*`rsa.wireless.access_point`*:: + -- -Describes the scheme used for the log. - +This key is used to capture the access point name. type: keyword -- -*`checkpoint.auth_method`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Password authentication protocol used (PAP or EAP). - +This is used to capture the channel names -type: keyword +type: long -- -*`checkpoint.machine`*:: +*`rsa.wireless.wlan_name`*:: + -- -L2TP machine which triggered the log and the log refers to it. 
- +This key captures either WLAN number/name type: keyword -- -*`checkpoint.vpn_feature_name`*:: + +*`rsa.storage.disk_volume`*:: + -- -L2TP /IKE / Link Selection. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`checkpoint.reject_category`*:: +*`rsa.storage.lun`*:: + -- -Authentication failure reason. - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`checkpoint.peer_ip_probing_status_update`*:: +*`rsa.storage.pwwn`*:: + -- -IP address response status. - +This uniquely identifies a port on a HBA. type: keyword -- -*`checkpoint.peer_ip`*:: + +*`rsa.physical.org_dst`*:: + -- -IP address which the client connects to. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`checkpoint.peer_gateway`*:: +*`rsa.physical.org_src`*:: + -- -Main IP of the peer Security Gateway. - +This is used to capture the source organization based on the GEOPIP Maxmind database. -type: ip +type: keyword -- -*`checkpoint.link_probing_status_update`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -IP address response status. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.source_interface`*:: +*`rsa.healthcare.patient_id`*:: + -- -External Interface name for source interface or Null if not found. - +This key captures the unique ID for a patient type: keyword -- -*`checkpoint.next_hop_ip`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Next hop IP address. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.srckeyid`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Initiator Spi ID. 
- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.dstkeyid`*:: + +*`rsa.endpoint.host_state`*:: + -- -Responder Spi ID. - +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`checkpoint.encryption_failure`*:: +*`rsa.endpoint.registry_key`*:: + -- -Message indicating why the encryption failed. - +This key captures the path to the registry key type: keyword -- -*`checkpoint.ike_ids`*:: +*`rsa.endpoint.registry_value`*:: + -- -All QM ids. - +This key captures values or decorators used within a registry entry type: keyword -- -*`checkpoint.community`*:: +[[exported-fields-beat-common]] +== Beat fields + +Contains common beat fields available in all event types. + + + +*`agent.hostname`*:: + -- -Community name for the IPSec key and the use of the IKEv. +Deprecated - use agent.name or agent.id to identify an agent. -type: keyword +type: alias + +alias to: agent.name -- -*`checkpoint.ike`*:: +*`beat.timezone`*:: + -- -IKEMode (PHASE1, PHASE2, etc..). - +type: alias -type: keyword +alias to: event.timezone -- -*`checkpoint.cookieI`*:: +*`fields`*:: + -- -Initiator cookie. +Contains user configurable fields. -type: keyword +type: object -- -*`checkpoint.cookieR`*:: +*`beat.name`*:: + -- -Responder cookie. - +type: alias -type: keyword +alias to: host.name -- -*`checkpoint.msgid`*:: +*`beat.hostname`*:: + -- -Message ID. - +type: alias -type: keyword +alias to: agent.name -- -*`checkpoint.methods`*:: +*`timeseries.instance`*:: + -- -IPSEc methods. - +Time series instance id type: keyword -- -*`checkpoint.connection_uid`*:: +[[exported-fields-bluecoat]] +== Blue Coat Director fields + +bluecoat fields. + + + +*`network.interface.name`*:: + -- -Calculation of md5 of the IP and user name as UID. +Name of the network interface where the traffic has been observed. 
type: keyword -- -*`checkpoint.site_name`*:: + + +*`rsa.internal.msg`*:: + -- -Site name. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`checkpoint.esod_rule_name`*:: +*`rsa.internal.messageid`*:: + -- -Unknown rule name. +type: keyword +-- +*`rsa.internal.event_desc`*:: ++ +-- type: keyword -- -*`checkpoint.esod_rule_action`*:: +*`rsa.internal.message`*:: + -- -Unknown rule action. - +This key captures the contents of instant messages type: keyword -- -*`checkpoint.esod_rule_type`*:: +*`rsa.internal.time`*:: + -- -Unknown rule type. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: keyword +type: date -- -*`checkpoint.esod_noncompliance_reason`*:: +*`rsa.internal.level`*:: + -- -Non-compliance reason. - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`checkpoint.esod_associated_policies`*:: +*`rsa.internal.msg_id`*:: + -- -Associated policies. - +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`checkpoint.spyware_name`*:: +*`rsa.internal.msg_vid`*:: + -- -Spyware name. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`checkpoint.spyware_type`*:: +*`rsa.internal.data`*:: + -- -Spyware type. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.anti_virus_type`*:: +*`rsa.internal.obj_server`*:: + -- -Anti virus type. - +Deprecated key defined only in table map. 
type: keyword -- -*`checkpoint.end_user_firewall_type`*:: +*`rsa.internal.obj_val`*:: + -- -End user firewall type. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.esod_scan_status`*:: +*`rsa.internal.resource`*:: + -- -Scan failed. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.esod_access_status`*:: +*`rsa.internal.obj_id`*:: + -- -Access denied. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.client_type`*:: +*`rsa.internal.statement`*:: + -- -Endpoint Connect. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.precise_error`*:: +*`rsa.internal.audit_class`*:: + -- -HTTP parser error. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.method`*:: +*`rsa.internal.entry`*:: + -- -HTTP method. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.trusted_domain`*:: +*`rsa.internal.hcode`*:: + -- -In case of phishing event, the domain, which the attacker was impersonating. - +Deprecated key defined only in table map. type: keyword -- -[[exported-fields-cisco]] -== Cisco fields +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. -Module for handling Cisco network device logs. +type: long +-- +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. -[float] -=== cisco - -Fields from Cisco logs. - - - -[float] -=== asa - -Fields for Cisco ASA Firewall. - +type: keyword +-- -*`cisco.asa.message_id`*:: +*`rsa.internal.dead`*:: + -- -The Cisco ASA message identifier. +Deprecated key defined only in table map. - -type: keyword +type: long -- -*`cisco.asa.suffix`*:: +*`rsa.internal.feed_desc`*:: + -- -Optional suffix after %ASA identifier. - +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: session - -- -*`cisco.asa.source_interface`*:: +*`rsa.internal.feed_name`*:: + -- -Source interface for the flow or event. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.destination_interface`*:: +*`rsa.internal.cid`*:: + -- -Destination interface for the flow or event. - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.rule_name`*:: +*`rsa.internal.device_class`*:: + -- -Name of the Access Control List rule that matched this event. - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.source_username`*:: +*`rsa.internal.device_group`*:: + -- -Name of the user that is the source for this event. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.destination_username`*:: +*`rsa.internal.device_host`*:: + -- -Name of the user that is the destination for this event. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.mapped_source_ip`*:: +*`rsa.internal.device_ip`*:: + -- -The translated source IP address. - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`cisco.asa.mapped_source_host`*:: +*`rsa.internal.device_ipv6`*:: + -- -The translated source host. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: ip -- -*`cisco.asa.mapped_source_port`*:: +*`rsa.internal.device_type`*:: + -- -The translated source port. - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`cisco.asa.mapped_destination_ip`*:: +*`rsa.internal.device_type_id`*:: + -- -The translated destination IP address. +Deprecated key defined only in table map. - -type: ip +type: long -- -*`cisco.asa.mapped_destination_host`*:: +*`rsa.internal.did`*:: + -- -The translated destination host. - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.mapped_destination_port`*:: +*`rsa.internal.entropy_req`*:: + -- -The translated destination port. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cisco.asa.threat_level`*:: +*`rsa.internal.entropy_res`*:: + -- -Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`cisco.asa.threat_category`*:: +*`rsa.internal.event_name`*:: + -- -Category for the malware / botnet traffic. 
For example: virus, botnet, trojan, etc. - +Deprecated key defined only in table map. type: keyword -- -*`cisco.asa.connection_id`*:: +*`rsa.internal.feed_category`*:: + -- -Unique identifier for a flow. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.icmp_type`*:: +*`rsa.internal.forward_ip`*:: + -- -ICMP type. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: short +type: ip -- -*`cisco.asa.icmp_code`*:: +*`rsa.internal.forward_ipv6`*:: + -- -ICMP code. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: short +type: ip -- -*`cisco.asa.connection_type`*:: +*`rsa.internal.header_id`*:: + -- -The VPN connection type - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.dap_records`*:: +*`rsa.internal.lc_cid`*:: + -- -The assigned DAP records - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== ftd - -Fields for Cisco Firepower Threat Defense Firewall. - - - -*`cisco.ftd.message_id`*:: +*`rsa.internal.lc_ctime`*:: + -- -The Cisco FTD message identifier. - +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`cisco.ftd.suffix`*:: +*`rsa.internal.mcb_req`*:: + -- -Optional suffix after %FTD identifier. - - -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -example: session +type: long -- -*`cisco.ftd.source_interface`*:: +*`rsa.internal.mcb_res`*:: + -- -Source interface for the flow or event. - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cisco.ftd.destination_interface`*:: +*`rsa.internal.mcbc_req`*:: + -- -Destination interface for the flow or event. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`cisco.ftd.rule_name`*:: +*`rsa.internal.mcbc_res`*:: + -- -Name of the Access Control List rule that matched this event. - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`cisco.ftd.source_username`*:: +*`rsa.internal.medium`*:: + -- -Name of the user that is the source for this event. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: keyword +type: long -- -*`cisco.ftd.destination_username`*:: +*`rsa.internal.node_name`*:: + -- -Name of the user that is the destination for this event. - +Deprecated key defined only in table map. 
type: keyword -- -*`cisco.ftd.mapped_source_ip`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -The translated source IP address. Use ECS source.nat.ip. +This key denotes that event is endpoint related - -type: ip +type: keyword -- -*`cisco.ftd.mapped_source_host`*:: +*`rsa.internal.parse_error`*:: + -- -The translated source host. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.ftd.mapped_source_port`*:: +*`rsa.internal.payload_req`*:: + -- -The translated source port. Use ECS source.nat.port. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`cisco.ftd.mapped_destination_ip`*:: +*`rsa.internal.payload_res`*:: + -- -The translated destination IP address. Use ECS destination.nat.ip. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: ip +type: long -- -*`cisco.ftd.mapped_destination_host`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The translated destination host. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cisco.ftd.mapped_destination_port`*:: +*`rsa.internal.process_vid_src`*:: + -- -The translated destination port. Use ECS destination.nat.port. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: long +type: keyword -- -*`cisco.ftd.threat_level`*:: +*`rsa.internal.rid`*:: + -- -Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
+This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`cisco.ftd.threat_category`*:: +*`rsa.internal.session_split`*:: + -- -Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.ftd.connection_id`*:: +*`rsa.internal.site`*:: + -- -Unique identifier for a flow. - +Deprecated key defined only in table map. type: keyword -- -*`cisco.ftd.icmp_type`*:: +*`rsa.internal.size`*:: + -- -ICMP type. - +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: short +type: long -- -*`cisco.ftd.icmp_code`*:: +*`rsa.internal.sourcefile`*:: + -- -ICMP code. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: short +type: keyword -- -*`cisco.ftd.security`*:: +*`rsa.internal.ubc_req`*:: + -- -Raw fields for Security Events. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: object +type: long -- -*`cisco.ftd.connection_type`*:: +*`rsa.internal.ubc_res`*:: + -- -The VPN connection type - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cisco.ftd.dap_records`*:: +*`rsa.internal.word`*:: + -- -The assigned DAP records - +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -[float] -=== ios -Fields for Cisco IOS logs. +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +type: date +-- -*`cisco.ios.access_list`*:: +*`rsa.time.duration_time`*:: + -- -Name of the IP access list. +This key is used to capture the normalized duration/lifetime in seconds. - -type: keyword +type: double -- -*`cisco.ios.facility`*:: +*`rsa.time.event_time_str`*:: + -- -The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -example: SEC - -- -[[exported-fields-cloud]] -== Cloud provider metadata fields - -Metadata from cloud providers added by the add_cloud_metadata processor. - - - -*`cloud.project.id`*:: +*`rsa.time.starttime`*:: + -- -Name of the project in Google Cloud. - +This key is used to capture the Start time mentioned in a session in a standard form -example: project-x +type: date -- -*`cloud.image.id`*:: +*`rsa.time.month`*:: + -- -Image ID for the cloud instance. 
+type: keyword +-- -example: ami-abcd1234 +*`rsa.time.day`*:: ++ +-- +type: keyword -- -*`meta.cloud.provider`*:: +*`rsa.time.endtime`*:: + -- -type: alias +This key is used to capture the End time mentioned in a session in a standard form -alias to: cloud.provider +type: date -- -*`meta.cloud.instance_id`*:: +*`rsa.time.timezone`*:: + -- -type: alias +This key is used to capture the timezone of the Event Time -alias to: cloud.instance.id +type: keyword -- -*`meta.cloud.instance_name`*:: +*`rsa.time.duration_str`*:: + -- -type: alias +A text string version of the duration -alias to: cloud.instance.name +type: keyword -- -*`meta.cloud.machine_type`*:: +*`rsa.time.date`*:: + -- -type: alias - -alias to: cloud.machine.type +type: keyword -- -*`meta.cloud.availability_zone`*:: +*`rsa.time.year`*:: + -- -type: alias - -alias to: cloud.availability_zone +type: keyword -- -*`meta.cloud.project_id`*:: +*`rsa.time.recorded_time`*:: + -- -type: alias +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -alias to: cloud.project.id +type: date -- -*`meta.cloud.region`*:: +*`rsa.time.datetime`*:: + -- -type: alias +type: keyword -alias to: cloud.region +-- +*`rsa.time.effective_time`*:: ++ -- +This key is the effective time referenced by an individual event in a Standard Timestamp format -[[exported-fields-coredns]] -== Coredns fields +type: date -Module for handling logs produced by coredns +-- +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. 
+type: date -[float] -=== coredns +-- -coredns fields after normalization +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time +type: keyword +-- -*`coredns.id`*:: +*`rsa.time.hour`*:: + -- -id of the DNS transaction +type: keyword +-- +*`rsa.time.min`*:: ++ +-- type: keyword -- -*`coredns.query.size`*:: +*`rsa.time.timestamp`*:: + -- -size of the DNS query +type: keyword +-- -type: integer +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. -format: bytes +type: date -- -*`coredns.query.class`*:: +*`rsa.time.p_time1`*:: + -- -DNS query class - - type: keyword -- -*`coredns.query.name`*:: +*`rsa.time.tzone`*:: + -- -DNS query name +type: keyword +-- +*`rsa.time.eventtime`*:: ++ +-- type: keyword -- -*`coredns.query.type`*:: +*`rsa.time.gmtdate`*:: + -- -DNS query type +type: keyword +-- +*`rsa.time.gmttime`*:: ++ +-- type: keyword -- -*`coredns.response.code`*:: +*`rsa.time.p_date`*:: + -- -DNS response code +type: keyword +-- +*`rsa.time.p_month`*:: ++ +-- type: keyword -- -*`coredns.response.flags`*:: +*`rsa.time.p_time`*:: + -- -DNS response flags +type: keyword +-- +*`rsa.time.p_time2`*:: ++ +-- type: keyword -- -*`coredns.response.size`*:: +*`rsa.time.p_year`*:: + -- -size of the DNS response +type: keyword +-- -type: integer +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -format: bytes +type: keyword -- -*`coredns.dnssec_ok`*:: +*`rsa.time.stamp`*:: + -- -dnssec flag +Deprecated key defined only in table map. - -type: boolean +type: date -- -[[exported-fields-crowdstrike]] -== Crowdstrike fields -Module for collecting Crowdstrike events. +*`rsa.misc.action`*:: ++ +-- +type: keyword +-- +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. -[float] -=== crowdstrike +type: keyword -Fields for Crowdstrike Falcon event and alert data. 
+-- +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session +type: keyword -[float] -=== metadata +-- -Meta data fields for each event that include type and timestamp. +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. +type: keyword +-- -*`crowdstrike.metadata.eventType`*:: +*`rsa.misc.reference_id`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - +This key is used to capture an event id from the session directly type: keyword -- -*`crowdstrike.metadata.eventCreationTime`*:: +*`rsa.misc.version`*:: + -- -The time this event occurred on the endpoint in UTC UNIX_MS format. - +This key captures Version of the application or OS which is generating the event. -type: date +type: keyword -- -*`crowdstrike.metadata.offset`*:: +*`rsa.misc.disposition`*:: + -- -Offset number that tracks the location of the event in stream. This is used to identify unique detection events. +This key captures the The end state of an action. - -type: integer +type: keyword -- -*`crowdstrike.metadata.customerIDString`*:: +*`rsa.misc.result_code`*:: + -- -Customer identifier - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`crowdstrike.metadata.version`*:: +*`rsa.misc.category`*:: + -- -Schema version - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -[float] -=== event - -Event data fields for each event and alert. +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object +type: keyword +-- -*`crowdstrike.event.ProcessStartTime`*:: +*`rsa.misc.obj_type`*:: + -- -The process start time in UTC UNIX_MS format. 
- +This is used to capture type of object -type: date +type: keyword -- -*`crowdstrike.event.ProcessEndTime`*:: +*`rsa.misc.event_source`*:: + -- -The process termination time in UTC UNIX_MS format. +This key captures Source of the event that’s not a hostname - -type: date +type: keyword -- -*`crowdstrike.event.ProcessId`*:: +*`rsa.misc.log_session_id`*:: + -- -Process ID related to the detection. - +This key is used to capture a sessionid from the session directly -type: integer +type: keyword -- -*`crowdstrike.event.ParentProcessId`*:: +*`rsa.misc.group`*:: + -- -Parent process ID related to the detection. +This key captures the Group Name value - -type: integer +type: keyword -- -*`crowdstrike.event.ComputerName`*:: +*`rsa.misc.policy_name`*:: + -- -Name of the computer where the detection occurred. - +This key is used to capture the Policy Name only. type: keyword -- -*`crowdstrike.event.UserName`*:: +*`rsa.misc.rule_name`*:: + -- -User name associated with the detection. - +This key captures the Rule Name type: keyword -- -*`crowdstrike.event.DetectName`*:: +*`rsa.misc.context`*:: + -- -Name of the detection. - +This key captures Information which adds additional context to the event. type: keyword -- -*`crowdstrike.event.DetectDescription`*:: +*`rsa.misc.change_new`*:: + -- -Description of the detection. - +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.Severity`*:: +*`rsa.misc.space`*:: + -- -Severity score of the detection. - - -type: integer +type: keyword -- -*`crowdstrike.event.SeverityName`*:: +*`rsa.misc.client`*:: + -- -Severity score text. - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
type: keyword -- -*`crowdstrike.event.FileName`*:: +*`rsa.misc.msgIdPart1`*:: + -- -File name of the associated process for the detection. +type: keyword +-- +*`rsa.misc.msgIdPart2`*:: ++ +-- type: keyword -- -*`crowdstrike.event.FilePath`*:: +*`rsa.misc.change_old`*:: + -- -Path of the executable associated with the detection. - +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.CommandLine`*:: +*`rsa.misc.operation_id`*:: + -- -Executable path with command line arguments. - +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`crowdstrike.event.SHA256String`*:: +*`rsa.misc.event_state`*:: + -- -SHA256 sum of the executable associated with the detection. - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`crowdstrike.event.MD5String`*:: +*`rsa.misc.group_object`*:: + -- -MD5 sum of the executable associated with the detection. - +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`crowdstrike.event.MachineDomain`*:: +*`rsa.misc.node`*:: + -- -Domain for the machine associated with the detection. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`crowdstrike.event.FalconHostLink`*:: +*`rsa.misc.rule`*:: + -- -URL to view the detection in Falcon. - +This key captures the Rule number type: keyword -- -*`crowdstrike.event.SensorId`*:: +*`rsa.misc.device_name`*:: + -- -Unique ID associated with the Falcon sensor. - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`crowdstrike.event.DetectId`*:: +*`rsa.misc.param`*:: + -- -Unique ID associated with the detection. - +This key is the parameters passed as part of a command or application, etc. 
type: keyword -- -*`crowdstrike.event.LocalIP`*:: +*`rsa.misc.change_attrib`*:: + -- -IP address of the host associated with the detection. - +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.MACAddress`*:: +*`rsa.misc.event_computer`*:: + -- -MAC address of the host associated with the detection. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`crowdstrike.event.Tactic`*:: +*`rsa.misc.reference_id1`*:: + -- -MITRE tactic category of the detection. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`crowdstrike.event.Technique`*:: +*`rsa.misc.event_log`*:: + -- -MITRE technique category of the detection. - +This key captures the Name of the event log type: keyword -- -*`crowdstrike.event.Objective`*:: +*`rsa.misc.OS`*:: + -- -Method of detection. - +This key captures the Name of the Operating System type: keyword -- -*`crowdstrike.event.PatternDispositionDescription`*:: +*`rsa.misc.terminal`*:: + -- -Action taken by Falcon. - +This key captures the Terminal Names only type: keyword -- -*`crowdstrike.event.PatternDispositionValue`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Unique ID associated with action taken. - - -type: integer +type: keyword -- -*`crowdstrike.event.PatternDispositionFlags`*:: +*`rsa.misc.filter`*:: + -- -Flags indicating actions taken. +This key captures Filter used to reduce result set - -type: object +type: keyword -- -*`crowdstrike.event.State`*:: +*`rsa.misc.serial_number`*:: + -- -Whether the incident summary is open and ongoing or closed. - +This key is the Serial number associated with a physical asset. type: keyword -- -*`crowdstrike.event.IncidentStartTime`*:: +*`rsa.misc.checksum`*:: + -- -Start time for the incident in UTC UNIX format. +This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: date +type: keyword -- -*`crowdstrike.event.IncidentEndTime`*:: +*`rsa.misc.event_user`*:: + -- -End time for the incident in UTC UNIX format. - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: date +type: keyword -- -*`crowdstrike.event.FineScore`*:: +*`rsa.misc.virusname`*:: + -- -Score for incident. +This key captures the name of the virus - -type: float +type: keyword -- -*`crowdstrike.event.UserId`*:: +*`rsa.misc.content_type`*:: + -- -Email address or user ID associated with the event. - +This key is used to capture Content Type only. type: keyword -- -*`crowdstrike.event.UserIp`*:: +*`rsa.misc.group_id`*:: + -- -IP address associated with the user. - +This key captures Group ID Number (related to the group name) type: keyword -- -*`crowdstrike.event.OperationName`*:: +*`rsa.misc.policy_id`*:: + -- -Event subtype. - +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`crowdstrike.event.ServiceName`*:: +*`rsa.misc.vsys`*:: + -- -Service associated with this event. - +This key captures Virtual System Name type: keyword -- -*`crowdstrike.event.Success`*:: +*`rsa.misc.connection_id`*:: + -- -Indicator of whether or not this event was successful. - +This key captures the Connection ID -type: boolean +type: keyword -- -*`crowdstrike.event.UTCTimestamp`*:: +*`rsa.misc.reference_id2`*:: + -- -Timestamp associated with this event in UTC UNIX format. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: date +type: keyword -- -*`crowdstrike.event.AuditKeyValues`*:: +*`rsa.misc.sensor`*:: + -- -Fields that were changed in this event. 
- +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: nested +type: keyword -- -*`crowdstrike.event.SessionId`*:: +*`rsa.misc.sig_id`*:: + -- -Session ID of the remote response session. +This key captures IDS/IPS Int Signature ID - -type: keyword +type: long -- -*`crowdstrike.event.HostnameField`*:: +*`rsa.misc.port_name`*:: + -- -Host name of the machine for the remote session. - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`crowdstrike.event.StartTimestamp`*:: +*`rsa.misc.rule_group`*:: + -- -Start time for the remote session in UTC UNIX format. +This key captures the Rule group name - -type: date +type: keyword -- -*`crowdstrike.event.EndTimestamp`*:: +*`rsa.misc.risk_num`*:: + -- -End time for the remote session in UTC UNIX format. +This key captures a Numeric Risk value +type: double -type: date +-- +*`rsa.misc.trigger_val`*:: ++ -- +This key captures the Value of the trigger or threshold condition. -[[exported-fields-docker-processor]] -== Docker fields +type: keyword -Docker stats collected from Docker. +-- +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly +type: keyword +-- -*`docker.container.id`*:: +*`rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. -alias to: container.id +type: keyword -- -*`docker.container.image`*:: +*`rsa.misc.content_version`*:: + -- -type: alias +This key captures Version level of a signature or database content. -alias to: container.image.name +type: keyword -- -*`docker.container.name`*:: +*`rsa.misc.hardware_id`*:: + -- -type: alias +This key is used to capture unique identifier for a device or system (NOT a Mac address) -alias to: container.name +type: keyword -- -*`docker.container.labels`*:: +*`rsa.misc.risk`*:: + -- -Image labels. 
+This key captures the non-numeric risk value - -type: object +type: keyword -- -[[exported-fields-ecs]] -== ECS fields - -ECS Fields. +*`rsa.misc.event_id`*:: ++ +-- +type: keyword +-- -*`@timestamp`*:: +*`rsa.misc.reason`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +-- -required: True +*`rsa.misc.status`*:: ++ +-- +type: keyword -- -*`labels`*:: +*`rsa.misc.mail_id`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. - -type: object +This key is used to capture the mailbox id/name -example: {"application": "foo-bar", "env": "production"} +type: keyword -- -*`message`*:: +*`rsa.misc.rule_uid`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. - -type: text +This key is the Unique Identifier for a rule. -example: Hello World +type: keyword -- -*`tags`*:: +*`rsa.misc.trigger_desc`*:: + -- -List of keywords used to tag each event. +This key captures the Description of the trigger or threshold condition. type: keyword -example: ["production", "env2"] +-- +*`rsa.misc.inout`*:: ++ -- +type: keyword -[float] -=== agent +-- -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword +-- -*`agent.ephemeral_id`*:: +*`rsa.misc.data_type`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - type: keyword -example: 8a4f500f - -- -*`agent.id`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - type: keyword -example: 8a4f500d - -- -*`agent.name`*:: +*`rsa.misc.error`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +This key captures All non successful Error codes or responses type: keyword -example: foo - -- -*`agent.type`*:: +*`rsa.misc.index`*:: + -- -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - type: keyword -example: filebeat - -- -*`agent.version`*:: +*`rsa.misc.listnum`*:: + -- -Version of the agent. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -example: 6.0.0-rc2 - -- -[float] -=== as - -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. +*`rsa.misc.ntype`*:: ++ +-- +type: keyword +-- -*`as.number`*:: +*`rsa.misc.observed_val`*:: + -- -Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key captures the Value observed (from the perspective of the device generating the log). -example: 15169 +type: keyword -- -*`as.organization.name`*:: +*`rsa.misc.policy_value`*:: + -- -Organization name. +This key captures the contents of the policy. This contains details about the policy type: keyword -example: Google LLC - -- -*`as.organization.name.text`*:: +*`rsa.misc.pool_name`*:: + -- -type: text +This key captures the name of a resource pool + +type: keyword -- -[float] -=== client +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +type: keyword +-- -*`client.address`*:: +*`rsa.misc.count`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- type: keyword -- -*`client.as.number`*:: +*`rsa.misc.number`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +type: keyword -type: long +-- -example: 15169 +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword -- -*`client.as.organization.name`*:: +*`rsa.misc.type`*:: + -- -Organization name. - type: keyword -example: Google LLC - -- -*`client.as.organization.name.text`*:: +*`rsa.misc.comments`*:: + -- -type: text +Comment information provided in the log message + +type: keyword -- -*`client.bytes`*:: +*`rsa.misc.doc_number`*:: + -- -Bytes sent from the client to the server. +This key captures File Identification number type: long -example: 184 - -format: bytes - -- -*`client.domain`*:: +*`rsa.misc.expected_val`*:: + -- -Client domain. +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`client.geo.city_name`*:: +*`rsa.misc.job_num`*:: + -- -City name. +This key captures the Job Number type: keyword -example: Montreal - -- -*`client.geo.continent_name`*:: +*`rsa.misc.spi_dst`*:: + -- -Name of the continent. +Destination SPI Index type: keyword -example: North America - -- -*`client.geo.country_iso_code`*:: +*`rsa.misc.spi_src`*:: + -- -Country ISO code. +Source SPI Index type: keyword -example: CA - -- -*`client.geo.country_name`*:: +*`rsa.misc.code`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`client.geo.location`*:: +*`rsa.misc.agent_id`*:: + -- -Longitude and latitude. +This key is used to capture agent id -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`client.geo.name`*:: +*`rsa.misc.message_body`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
+This key captures the The contents of the message body. type: keyword -example: boston-dc - -- -*`client.geo.region_iso_code`*:: +*`rsa.misc.phone`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`client.geo.region_name`*:: +*`rsa.misc.sig_id_str`*:: + -- -Region name. +This key captures a string object of the sigid variable. type: keyword -example: Quebec - -- -*`client.ip`*:: +*`rsa.misc.cmd`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`client.mac`*:: +*`rsa.misc.misc`*:: + -- -MAC address of the client. - type: keyword -- -*`client.nat.ip`*:: +*`rsa.misc.name`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`client.nat.port`*:: +*`rsa.misc.cpu`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +This key is the CPU time used in the execution of the event being recorded. type: long -format: string - -- -*`client.packets`*:: +*`rsa.misc.event_desc`*:: + -- -Packets sent from the client to the server. - -type: long +This key is used to capture a description of an event available directly or inferred -example: 12 +type: keyword -- -*`client.port`*:: +*`rsa.misc.sig_id1`*:: + -- -Port of the client. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -format: string - -- -*`client.registered_domain`*:: +*`rsa.misc.im_buddyid`*:: + -- -The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- type: keyword -example: google.com - -- -*`client.top_level_domain`*:: +*`rsa.misc.im_client`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`client.user.domain`*:: +*`rsa.misc.im_userid`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`client.user.email`*:: +*`rsa.misc.pid`*:: + -- -User email address. - type: keyword -- -*`client.user.full_name`*:: +*`rsa.misc.priority`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`client.user.full_name.text`*:: +*`rsa.misc.context_subject`*:: + -- -type: text +This key is to be used in an audit context where the subject is the object being identified + +type: keyword -- -*`client.user.group.domain`*:: +*`rsa.misc.context_target`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`client.user.group.id`*:: +*`rsa.misc.cve`*:: + -- -Unique identifier for the group on the system/platform. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`client.user.group.name`*:: +*`rsa.misc.fcatnum`*:: + -- -Name of the group. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`client.user.hash`*:: +*`rsa.misc.library`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
+This key is used to capture library information in mainframe devices type: keyword -- -*`client.user.id`*:: +*`rsa.misc.parent_node`*:: + -- -Unique identifiers of the user. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`client.user.name`*:: +*`rsa.misc.risk_info`*:: + -- -Short name or login of the user. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: albert - -- -*`client.user.name.text`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: text +This key is captures the TCP flags set in any packet of session + +type: long -- -[float] -=== cloud +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service -Fields related to the cloud or infrastructure the events are coming from. +type: long +-- -*`cloud.account.id`*:: +*`rsa.misc.vm_target`*:: + -- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. +VMWare Target **VMWARE** only varaible. type: keyword -example: 666777888999 - -- -*`cloud.availability_zone`*:: +*`rsa.misc.workspace`*:: + -- -Availability zone in which this host is running. +This key captures Workspace Description type: keyword -example: us-east-1c - -- -*`cloud.instance.id`*:: +*`rsa.misc.command`*:: + -- -Instance ID of the host machine. - type: keyword -example: i-1234567890abcdef0 - -- -*`cloud.instance.name`*:: +*`rsa.misc.event_category`*:: + -- -Instance name of the host machine. - type: keyword -- -*`cloud.machine.type`*:: +*`rsa.misc.facilityname`*:: + -- -Machine type of the host machine. - type: keyword -example: t2.medium - -- -*`cloud.provider`*:: +*`rsa.misc.forensic_info`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - type: keyword -example: aws - -- -*`cloud.region`*:: +*`rsa.misc.jobname`*:: + -- -Region in which this host is running. 
- type: keyword -example: us-east-1 - -- -[float] -=== code_signature - -These fields contain information about binary code signatures. - - -*`code_signature.exists`*:: +*`rsa.misc.mode`*:: + -- -Boolean to capture if a signature is present. - -type: boolean - -example: true +type: keyword -- -*`code_signature.status`*:: +*`rsa.misc.policy`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`code_signature.subject_name`*:: +*`rsa.misc.policy_waiver`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`code_signature.trusted`*:: +*`rsa.misc.second`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`code_signature.valid`*:: +*`rsa.misc.space1`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +type: keyword -example: true +-- +*`rsa.misc.subcategory`*:: ++ -- +type: keyword -[float] -=== container +-- -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword +-- -*`container.id`*:: +*`rsa.misc.alert_id`*:: + -- -Unique container id. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`container.image.name`*:: +*`rsa.misc.checksum_dst`*:: + -- -Name of the image the container was built on. 
+This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`container.image.tag`*:: +*`rsa.misc.checksum_src`*:: + -- -Container image tags. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`container.labels`*:: +*`rsa.misc.fresult`*:: + -- -Image labels. +This key captures the Filter Result -type: object +type: long -- -*`container.name`*:: +*`rsa.misc.payload_dst`*:: + -- -Container name. +This key is used to capture destination payload type: keyword -- -*`container.runtime`*:: +*`rsa.misc.payload_src`*:: + -- -Runtime managing this container. +This key is used to capture source payload type: keyword -example: docker - -- -[float] -=== destination +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool -Destination fields describe details about the destination of a packet/event. -Destination fields are usually populated in conjunction with source fields. +type: keyword +-- -*`destination.address`*:: +*`rsa.misc.process_id_val`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`destination.as.number`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key captures Risk Number Community -example: 15169 +type: double -- -*`destination.as.organization.name`*:: +*`rsa.misc.risk_num_next`*:: + -- -Organization name. 
+This key captures Risk Number NextGen -type: keyword - -example: Google LLC +type: double -- -*`destination.as.organization.name.text`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: text +This key captures Risk Number SandBox + +type: double -- -*`destination.bytes`*:: +*`rsa.misc.risk_num_static`*:: + -- -Bytes sent from the destination to the source. - -type: long +This key captures Risk Number Static -example: 184 - -format: bytes +type: double -- -*`destination.domain`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Destination domain. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`destination.geo.city_name`*:: +*`rsa.misc.risk_warning`*:: + -- -City name. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: Montreal - -- -*`destination.geo.continent_name`*:: +*`rsa.misc.snmp_oid`*:: + -- -Name of the continent. +SNMP Object Identifier type: keyword -example: North America - -- -*`destination.geo.country_iso_code`*:: +*`rsa.misc.sql`*:: + -- -Country ISO code. +This key captures the SQL query type: keyword -example: CA - -- -*`destination.geo.country_name`*:: +*`rsa.misc.vuln_ref`*:: + -- -Country name. +This key captures the Vulnerability Reference details type: keyword -example: Canada - -- -*`destination.geo.location`*:: +*`rsa.misc.acl_id`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`destination.geo.name`*:: +*`rsa.misc.acl_op`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`destination.geo.region_iso_code`*:: +*`rsa.misc.acl_pos`*:: + -- -Region ISO code. 
- type: keyword -example: CA-QC - -- -*`destination.geo.region_name`*:: +*`rsa.misc.acl_table`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`destination.ip`*:: +*`rsa.misc.admin`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`destination.mac`*:: +*`rsa.misc.alarm_id`*:: + -- -MAC address of the destination. - type: keyword -- -*`destination.nat.ip`*:: +*`rsa.misc.alarmname`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`destination.nat.port`*:: +*`rsa.misc.app_id`*:: + -- -Port the source session is translated to by NAT Device. -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string +type: keyword -- -*`destination.packets`*:: +*`rsa.misc.audit`*:: + -- -Packets sent from the destination to the source. +type: keyword -type: long +-- -example: 12 +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword -- -*`destination.port`*:: +*`rsa.misc.auditdata`*:: + -- -Port of the destination. +type: keyword -type: long +-- -format: string +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword -- -*`destination.registered_domain`*:: +*`rsa.misc.bypass`*:: + -- -The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`destination.top_level_domain`*:: +*`rsa.misc.cache`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`destination.user.domain`*:: +*`rsa.misc.cache_hit`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`destination.user.email`*:: +*`rsa.misc.cefversion`*:: + -- -User email address. - type: keyword -- -*`destination.user.full_name`*:: +*`rsa.misc.cfg_attr`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`destination.user.full_name.text`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: text +type: keyword -- -*`destination.user.group.domain`*:: +*`rsa.misc.cfg_path`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`destination.user.group.id`*:: +*`rsa.misc.changes`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`destination.user.group.name`*:: +*`rsa.misc.client_ip`*:: + -- -Name of the group. - type: keyword -- -*`destination.user.hash`*:: +*`rsa.misc.clustermembers`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`destination.user.id`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`destination.user.name`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Short name or login of the user. - type: keyword -example: albert - -- -*`destination.user.name.text`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: text +type: keyword -- -[float] -=== dll +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword -These fields contain information about code libraries dynamically loaded into processes. 
+-- -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword +-- -*`dll.code_signature.exists`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword -- -*`dll.code_signature.status`*:: +*`rsa.misc.cn_engine_type`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`dll.code_signature.subject_name`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`dll.code_signature.trusted`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword -- -*`dll.code_signature.valid`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword -- -*`dll.hash.md5`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -MD5 hash. - type: keyword -- -*`dll.hash.sha1`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -SHA1 hash. 
- type: keyword -- -*`dll.hash.sha256`*:: +*`rsa.misc.cn_invalid`*:: + -- -SHA256 hash. - type: keyword -- -*`dll.hash.sha512`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -SHA512 hash. - type: keyword -- -*`dll.name`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. - type: keyword -example: kernel32.dll - -- -*`dll.path`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Full file path of the library. - type: keyword -example: C:\Windows\System32\kernel32.dll - -- -*`dll.pe.company`*:: +*`rsa.misc.cn_log_did`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`dll.pe.description`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`dll.pe.file_version`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`dll.pe.original_file_name`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`dll.pe.product`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System +-- +*`rsa.misc.cn_minpcktlen`*:: ++ -- +type: keyword -[float] -=== dns +-- -Fields describing DNS queries and answers. -DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword +-- -*`dns.answers`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. 
Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - -type: object +type: keyword -- -*`dns.answers.class`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -The class of DNS data contained in this resource record. - type: keyword -example: IN - -- -*`dns.answers.data`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. - type: keyword -example: 10.10.10.10 - -- -*`dns.answers.name`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - type: keyword -example: www.google.com - -- -*`dns.answers.ttl`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +type: keyword -type: long +-- -example: 180 +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword -- -*`dns.answers.type`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -The type of data contained in this resource record. - type: keyword -example: CNAME - -- -*`dns.header_flags`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. - type: keyword -example: ['RD', 'RA'] - -- -*`dns.id`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
- type: keyword -example: 62111 - -- -*`dns.op_code`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - type: keyword -example: QUERY - -- -*`dns.question.class`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -The class of records being queried. - type: keyword -example: IN - -- -*`dns.question.name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - type: keyword -example: www.google.com - -- -*`dns.question.registered_domain`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`dns.question.subdomain`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - type: keyword -example: www - -- -*`dns.question.top_level_domain`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`dns.question.type`*:: +*`rsa.misc.cn_sampint`*:: + -- -The type of record being queried. - type: keyword -example: AAAA - -- -*`dns.resolved_ip`*:: +*`rsa.misc.cn_seqctr`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. +type: keyword -type: ip +-- -example: ['10.10.10.10', '10.10.10.11'] +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword -- -*`dns.response_code`*:: +*`rsa.misc.cn_src_tos`*:: + -- -The DNS response code. - type: keyword -example: NOERROR - -- -*`dns.type`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -The type of DNS event captured, query or answer. -If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - type: keyword -example: answer +-- +*`rsa.misc.cn_sysuptime`*:: ++ -- +type: keyword -[float] -=== ecs +-- -Meta-information specific to ECS. +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword +-- -*`ecs.version`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
- type: keyword -example: 1.0.0 - -required: True +-- +*`rsa.misc.cn_totflowexp`*:: ++ -- +type: keyword -[float] -=== error +-- -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword +-- -*`error.code`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -Error code describing the error. - type: keyword -- -*`error.id`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Unique identifier for the error. - type: keyword -- -*`error.message`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -Error message. - -type: text +type: keyword -- -*`error.stack_trace`*:: +*`rsa.misc.comp_class`*:: + -- -The stack trace of this error in plain text. - type: keyword -- -*`error.stack_trace.text`*:: +*`rsa.misc.comp_name`*:: + -- -type: text +type: keyword -- -*`error.type`*:: +*`rsa.misc.comp_rbytes`*:: + -- -The type of the error, for example the class name of the exception. - type: keyword -example: java.lang.NullPointerException +-- +*`rsa.misc.comp_sbytes`*:: ++ -- +type: keyword -[float] -=== event +-- -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. 
+*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword +-- -*`event.action`*:: +*`rsa.misc.criticality`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - type: keyword -example: user-password-change - -- -*`event.category`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. - type: keyword -example: authentication - -- -*`event.code`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - type: keyword -example: 4648 - -- -*`event.created`*:: +*`rsa.misc.cs_av_other`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. 
+type: keyword -type: date +-- -example: 2016-05-23T08:05:34.857Z +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword -- -*`event.dataset`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. -It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - type: keyword -example: apache.access - -- -*`event.duration`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. +type: keyword -type: long +-- -format: duration +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword -- -*`event.end`*:: +*`rsa.misc.cs_context`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. - -type: date +type: keyword -- -*`event.hash`*:: +*`rsa.misc.cs_control`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - type: keyword -example: 123456789012345678901234567890ABCD - -- -*`event.id`*:: +*`rsa.misc.cs_data`*:: + -- -Unique ID to describe the event. - type: keyword -example: 8a4f500d - -- -*`event.ingested`*:: +*`rsa.misc.cs_datecret`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. -In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+type: keyword -type: date +-- -example: 2016-05-23T08:05:35.101Z +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword -- -*`event.kind`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. -`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - type: keyword -example: alert - -- -*`event.module`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - type: keyword -example: apache - -- -*`event.original`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - -- -*`event.outcome`*:: +*`rsa.misc.cs_filetype`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. -Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - type: keyword -example: success - -- -*`event.provider`*:: +*`rsa.misc.cs_fld`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - type: keyword -example: kernel - -- -*`event.reference`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://system.vendor.com/event/#0001234 - -- -*`event.risk_score`*:: +*`rsa.misc.cs_if_name`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - -type: float +type: keyword -- -*`event.risk_score_norm`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - -type: float +type: keyword -- -*`event.sequence`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. 
+type: keyword -type: long +-- -format: string +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword -- -*`event.severity`*:: +*`rsa.misc.cs_lifetime`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - -type: long +type: keyword -example: 7 +-- -format: string +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword -- -*`event.start`*:: +*`rsa.misc.cs_loginname`*:: + -- -event.start contains the date when the event started or when the activity was first observed. - -type: date +type: keyword -- -*`event.timezone`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - type: keyword -- -*`event.type`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. -`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- type: keyword -- -*`event.url`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +-- +*`rsa.misc.cs_payload`*:: ++ -- +type: keyword -[float] -=== file +-- -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword +-- -*`file.accessed`*:: +*`rsa.misc.cs_registrar`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date +type: keyword -- -*`file.attributes`*:: +*`rsa.misc.cs_represult`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - type: keyword -example: ["readonly", "system"] - -- -*`file.code_signature.exists`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword -- -*`file.code_signature.status`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
- type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`file.code_signature.subject_name`*:: +*`rsa.misc.cs_streams`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`file.code_signature.trusted`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword -- -*`file.code_signature.valid`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword -- -*`file.created`*:: +*`rsa.misc.description`*:: + -- -File creation time. -Note that not all filesystems store the creation time. - -type: date +type: keyword -- -*`file.ctime`*:: +*`rsa.misc.devvendor`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date +type: keyword -- -*`file.device`*:: +*`rsa.misc.distance`*:: + -- -Device that is the source of the file. - type: keyword -example: sda - -- -*`file.directory`*:: +*`rsa.misc.dstburb`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice - -- -*`file.drive_letter`*:: +*`rsa.misc.edomain`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - type: keyword -example: C - -- -*`file.extension`*:: +*`rsa.misc.edomaub`*:: + -- -File extension. 
- type: keyword -example: png - -- -*`file.gid`*:: +*`rsa.misc.euid`*:: + -- -Primary group ID (GID) of the file. - type: keyword -example: 1001 - -- -*`file.group`*:: +*`rsa.misc.facility`*:: + -- -Primary group name of the file. - type: keyword -example: alice - -- -*`file.hash.md5`*:: +*`rsa.misc.finterface`*:: + -- -MD5 hash. - type: keyword -- -*`file.hash.sha1`*:: +*`rsa.misc.flags`*:: + -- -SHA1 hash. - type: keyword -- -*`file.hash.sha256`*:: +*`rsa.misc.gaddr`*:: + -- -SHA256 hash. - type: keyword -- -*`file.hash.sha512`*:: +*`rsa.misc.id3`*:: + -- -SHA512 hash. - type: keyword -- -*`file.inode`*:: +*`rsa.misc.im_buddyname`*:: + -- -Inode representing the file in the filesystem. - type: keyword -example: 256383 - -- -*`file.mime_type`*:: +*`rsa.misc.im_croomid`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - type: keyword -- -*`file.mode`*:: +*`rsa.misc.im_croomtype`*:: + -- -Mode of the file in octal representation. - type: keyword -example: 0640 - -- -*`file.mtime`*:: +*`rsa.misc.im_members`*:: + -- -Last time the file content was modified. - -type: date +type: keyword -- -*`file.name`*:: +*`rsa.misc.im_username`*:: + -- -Name of the file including the extension, without the directory. - type: keyword -example: example.png - -- -*`file.owner`*:: +*`rsa.misc.ipkt`*:: + -- -File owner's username. - type: keyword -example: alice - -- -*`file.path`*:: +*`rsa.misc.ipscat`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice/example.png - -- -*`file.path.text`*:: +*`rsa.misc.ipspri`*:: + -- -type: text +type: keyword -- -*`file.pe.company`*:: +*`rsa.misc.latitude`*:: + -- -Internal company name of the file, provided at compile-time. 
- type: keyword -example: Microsoft Corporation - -- -*`file.pe.description`*:: +*`rsa.misc.linenum`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`file.pe.file_version`*:: +*`rsa.misc.list_name`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.original_file_name`*:: +*`rsa.misc.load_data`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`file.pe.product`*:: +*`rsa.misc.location_floor`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System - -- -*`file.size`*:: +*`rsa.misc.location_mark`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +type: keyword -type: long +-- -example: 16384 +*`rsa.misc.log_id`*:: ++ +-- +type: keyword -- -*`file.target_path`*:: +*`rsa.misc.log_type`*:: + -- -Target path for symlinks. - type: keyword -- -*`file.target_path.text`*:: +*`rsa.misc.logid`*:: + -- -type: text +type: keyword -- -*`file.type`*:: +*`rsa.misc.logip`*:: + -- -File type (file, dir, or symlink). - type: keyword -example: file - -- -*`file.uid`*:: +*`rsa.misc.logname`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. - type: keyword -example: 1001 +-- +*`rsa.misc.longitude`*:: ++ -- +type: keyword -[float] -=== geo +-- -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +*`rsa.misc.lport`*:: ++ +-- +type: keyword +-- -*`geo.city_name`*:: +*`rsa.misc.mbug_data`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`geo.continent_name`*:: +*`rsa.misc.misc_name`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`geo.country_iso_code`*:: +*`rsa.misc.msg_type`*:: + -- -Country ISO code. 
- type: keyword -example: CA - -- -*`geo.country_name`*:: +*`rsa.misc.msgid`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`geo.location`*:: +*`rsa.misc.netsessid`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.misc.num`*:: ++ +-- +type: keyword -- -*`geo.name`*:: +*`rsa.misc.number1`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`geo.region_iso_code`*:: +*`rsa.misc.number2`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`geo.region_name`*:: +*`rsa.misc.nwwn`*:: + -- -Region name. - type: keyword -example: Quebec +-- +*`rsa.misc.object`*:: ++ -- +type: keyword -[float] -=== group +-- -The group fields are meant to represent groups that are relevant to the event. +*`rsa.misc.operation`*:: ++ +-- +type: keyword +-- -*`group.domain`*:: +*`rsa.misc.opkt`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`group.id`*:: +*`rsa.misc.orig_from`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`group.name`*:: +*`rsa.misc.owner_id`*:: + -- -Name of the group. - type: keyword -- -[float] -=== hash - -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +*`rsa.misc.p_action`*:: ++ +-- +type: keyword +-- -*`hash.md5`*:: +*`rsa.misc.p_filter`*:: + -- -MD5 hash. - type: keyword -- -*`hash.sha1`*:: +*`rsa.misc.p_group_object`*:: + -- -SHA1 hash. 
- type: keyword -- -*`hash.sha256`*:: +*`rsa.misc.p_id`*:: + -- -SHA256 hash. - type: keyword -- -*`hash.sha512`*:: +*`rsa.misc.p_msgid1`*:: + -- -SHA512 hash. - type: keyword -- -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword +-- -*`host.architecture`*:: +*`rsa.misc.p_result1`*:: + -- -Operating system architecture. - type: keyword -example: x86_64 - -- -*`host.domain`*:: +*`rsa.misc.password_chg`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - type: keyword -example: CONTOSO - -- -*`host.geo.city_name`*:: +*`rsa.misc.password_expire`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`host.geo.continent_name`*:: +*`rsa.misc.permgranted`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`host.geo.country_iso_code`*:: +*`rsa.misc.permwanted`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`rsa.misc.pgid`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`host.geo.location`*:: +*`rsa.misc.policyUUID`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword -- -*`host.geo.name`*:: +*`rsa.misc.program`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
- type: keyword -example: boston-dc - -- -*`host.geo.region_iso_code`*:: +*`rsa.misc.real_data`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`host.geo.region_name`*:: +*`rsa.misc.rec_asp_device`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`host.hostname`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. - type: keyword -- -*`host.id`*:: +*`rsa.misc.rec_library`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. - type: keyword -- -*`host.ip`*:: +*`rsa.misc.recordnum`*:: + -- -Host ip addresses. - -type: ip +type: keyword -- -*`host.mac`*:: +*`rsa.misc.ruid`*:: + -- -Host mac addresses. - type: keyword -- -*`host.name`*:: +*`rsa.misc.sburb`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - type: keyword -- -*`host.os.family`*:: +*`rsa.misc.sdomain_fld`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`host.os.full`*:: +*`rsa.misc.sec`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`host.os.full.text`*:: +*`rsa.misc.sensorname`*:: + -- -type: text +type: keyword -- -*`host.os.kernel`*:: +*`rsa.misc.seqnum`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`host.os.name`*:: +*`rsa.misc.session`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`host.os.name.text`*:: +*`rsa.misc.sessiontype`*:: + -- -type: text +type: keyword -- -*`host.os.platform`*:: +*`rsa.misc.sigUUID`*:: + -- -Operating system platform (such centos, ubuntu, windows). 
- type: keyword -example: darwin - -- -*`host.os.version`*:: +*`rsa.misc.spi`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`rsa.misc.srcburb`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - type: keyword -- -*`host.uptime`*:: +*`rsa.misc.srcdom`*:: + -- -Seconds the host has been up. +type: keyword -type: long +-- -example: 1325 +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword -- -*`host.user.domain`*:: +*`rsa.misc.state`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.email`*:: +*`rsa.misc.status1`*:: + -- -User email address. - type: keyword -- -*`host.user.full_name`*:: +*`rsa.misc.svcno`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`rsa.misc.system`*:: + -- -type: text +type: keyword -- -*`host.user.group.domain`*:: +*`rsa.misc.tbdstr1`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.group.id`*:: +*`rsa.misc.tgtdom`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`host.user.group.name`*:: +*`rsa.misc.tgtdomain`*:: + -- -Name of the group. - type: keyword -- -*`host.user.hash`*:: +*`rsa.misc.threshold`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`host.user.id`*:: +*`rsa.misc.type1`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`host.user.name`*:: +*`rsa.misc.udb_class`*:: + -- -Short name or login of the user. 
- type: keyword -example: albert - -- -*`host.user.name.text`*:: +*`rsa.misc.url_fld`*:: + -- -type: text +type: keyword -- -[float] -=== http - -Fields related to HTTP activity. Use the `url` field set to store the url of the request. - - -*`http.request.body.bytes`*:: +*`rsa.misc.user_div`*:: + -- -Size in bytes of the request body. - -type: long +type: keyword -example: 887 +-- -format: bytes +*`rsa.misc.userid`*:: ++ +-- +type: keyword -- -*`http.request.body.content`*:: +*`rsa.misc.username_fld`*:: + -- -The full HTTP request body. - type: keyword -example: Hello world - -- -*`http.request.body.content.text`*:: +*`rsa.misc.utcstamp`*:: + -- -type: text +type: keyword -- -*`http.request.bytes`*:: +*`rsa.misc.v_instafname`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword -- -*`http.request.method`*:: +*`rsa.misc.vpnid`*:: + -- -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: get, post, put - -- -*`http.request.referrer`*:: +*`rsa.misc.autorun_type`*:: + -- -Referrer for this HTTP request. +This is used to capture Auto Run type type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`rsa.misc.cc_number`*:: + -- -Size in bytes of the response body. +Valid Credit Card Numbers only type: long -example: 887 - -format: bytes - -- -*`http.response.body.content`*:: +*`rsa.misc.content`*:: + -- -The full HTTP response body. +This key captures the content type from protocol headers type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`rsa.misc.ein_number`*:: + -- -type: text +Employee Identification Numbers only + +type: long -- -*`http.response.bytes`*:: +*`rsa.misc.found`*:: + -- -Total size in bytes of the response (body and headers). 
+This is used to capture the results of regex match -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword -- -*`http.response.status_code`*:: +*`rsa.misc.lifetime`*:: + -- -HTTP response status code. +This key is used to capture the session lifetime in seconds. type: long -example: 404 - -format: string - -- -*`http.version`*:: +*`rsa.misc.link`*:: + -- -HTTP version. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: 1.1 - -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`rsa.misc.match`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +This key is for regex match name from search.ini type: keyword -example: outside - -- -*`interface.id`*:: +*`rsa.misc.param_dst`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +This key captures the command line/launch argument of the target process or file type: keyword -example: 10 - -- -*`interface.name`*:: +*`rsa.misc.param_src`*:: + -- -Interface name as reported by the system. +This key captures source parameter type: keyword -example: eth0 - -- -[float] -=== log +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used -Details about the event's logging mechanism or logging transport. 
-The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +type: keyword +-- -*`log.level`*:: +*`rsa.misc.sig_name`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. +This key is used to capture the Signature Name only. type: keyword -example: error - -- -*`log.logger`*:: +*`rsa.misc.snmp_value`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +SNMP set request value type: keyword -example: org.elasticsearch.bootstrap.Bootstrap - -- -*`log.origin.file.line`*:: +*`rsa.misc.streams`*:: + -- -The line number of the file containing the source code which originated the log event. - -type: integer +This key captures number of streams in session -example: 42 +type: long -- -*`log.origin.file.name`*:: + +*`rsa.db.index`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +This key captures IndexID of the index. type: keyword -example: Bootstrap.java - -- -*`log.origin.function`*:: +*`rsa.db.instance`*:: + -- -The name of the function or method which originated the log event. +This key is used to capture the database server instance name type: keyword -example: init - -- -*`log.original`*:: +*`rsa.db.database`*:: + -- -This is the original log message and contains the full log message before splitting it up in multiple parts. 
-In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +This key is used to capture the name of a database or an instance as seen in a session type: keyword -example: Sep 19 08:26:10 localhost My log - -- -*`log.syslog`*:: +*`rsa.db.transact_id`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +This key captures the SQL transantion ID of the current session -type: object +type: keyword -- -*`log.syslog.facility.code`*:: +*`rsa.db.permissions`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. +This key captures permission or privilege level assigned to a resource. -type: long - -example: 23 - -format: string +type: keyword -- -*`log.syslog.facility.name`*:: +*`rsa.db.table_name`*:: + -- -The Syslog text-based facility of the log event, if available. +This key is used to capture the table name type: keyword -example: local7 - -- -*`log.syslog.priority`*:: +*`rsa.db.db_id`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long - -example: 135 +This key is used to capture the unique identifier for a database -format: string +type: keyword -- -*`log.syslog.severity.code`*:: +*`rsa.db.db_pid`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. 
firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +This key captures the process id of a connection with database server type: long -example: 3 - -- -*`log.syslog.severity.name`*:: +*`rsa.db.lread`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - -type: keyword +This key is used for the number of logical reads -example: Error +type: long -- -[float] -=== network - -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. - - -*`network.application`*:: +*`rsa.db.lwrite`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -type: keyword +This key is used for the number of logical writes -example: aim +type: long -- -*`network.bytes`*:: +*`rsa.db.pread`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
+This key is used for the number of physical writes type: long -example: 368 - -format: bytes - -- -*`network.community_id`*:: + +*`rsa.network.alias_host`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - -- -*`network.direction`*:: +*`rsa.network.domain`*:: + -- -Direction of the network traffic. -Recommended values are: - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view. -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. - type: keyword -example: inbound - -- -*`network.forwarded_ip`*:: +*`rsa.network.host_dst`*:: + -- -Host IP address when the source IP address is the proxy. - -type: ip +This key should only be used when it’s a Destination Hostname -example: 192.1.1.2 +type: keyword -- -*`network.iana_number`*:: +*`rsa.network.network_service`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +This is used to capture layer 7 protocols/service names type: keyword -example: 6 - -- -*`network.inner`*:: +*`rsa.network.interface`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. 
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +This key should be used when the source or destination context of an interface is not clear -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`rsa.network.network_port`*:: + -- -VLAN ID as reported by the observer. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword - -example: 10 +type: long -- -*`network.inner.vlan.name`*:: +*`rsa.network.eth_host`*:: + -- -Optional VLAN name as reported by the observer. +Deprecated, use alias.mac type: keyword -example: outside - -- -*`network.name`*:: +*`rsa.network.sinterface`*:: + -- -Name given by operators to sections of their network. +This key should only be used when it’s a Source Interface type: keyword -example: Guest Wifi - -- -*`network.packets`*:: +*`rsa.network.dinterface`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -type: long +This key should only be used when it’s a Destination Interface -example: 24 +type: keyword -- -*`network.protocol`*:: +*`rsa.network.vlan`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -type: keyword +This key should only be used to capture the ID of the Virtual LAN -example: http +type: long -- -*`network.transport`*:: +*`rsa.network.zone_src`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +This key should only be used when it’s a Source Zone. 
type: keyword -example: tcp - -- -*`network.type`*:: +*`rsa.network.zone`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +This key should be used when the source or destination context of a Zone is not clear type: keyword -example: ipv4 - -- -*`network.vlan.id`*:: +*`rsa.network.zone_dst`*:: + -- -VLAN ID as reported by the observer. +This key should only be used when it’s a Destination Zone. type: keyword -example: 10 - -- -*`network.vlan.name`*:: +*`rsa.network.gateway`*:: + -- -Optional VLAN name as reported by the observer. +This key is used to capture the IP Address of the gateway type: keyword -example: outside - -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. - - -*`observer.egress`*:: +*`rsa.network.icmp_type`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
+This key is used to capture the ICMP type only -type: object +type: long -- -*`observer.egress.interface.alias`*:: +*`rsa.network.mask`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +This key is used to capture the device network IPmask. type: keyword -example: outside - -- -*`observer.egress.interface.id`*:: +*`rsa.network.icmp_code`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - -type: keyword +This key is used to capture the ICMP code only -example: 10 +type: long -- -*`observer.egress.interface.name`*:: +*`rsa.network.protocol_detail`*:: + -- -Interface name as reported by the system. +This key should be used to capture additional protocol information type: keyword -example: eth0 - -- -*`observer.egress.vlan.id`*:: +*`rsa.network.dmask`*:: + -- -VLAN ID as reported by the observer. +This key is used for Destionation Device network mask type: keyword -example: 10 - -- -*`observer.egress.vlan.name`*:: +*`rsa.network.port`*:: + -- -Optional VLAN name as reported by the observer. - -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear -example: outside +type: long -- -*`observer.egress.zone`*:: +*`rsa.network.smask`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +This key is used for capturing source Network Mask type: keyword -example: Public_Internet - -- -*`observer.geo.city_name`*:: +*`rsa.network.netname`*:: + -- -City name. +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -example: Montreal - -- -*`observer.geo.continent_name`*:: +*`rsa.network.paddr`*:: + -- -Name of the continent. 
- -type: keyword +Deprecated -example: North America +type: ip -- -*`observer.geo.country_iso_code`*:: +*`rsa.network.faddr`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`observer.geo.country_name`*:: +*`rsa.network.lhost`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`observer.geo.location`*:: +*`rsa.network.origin`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`observer.geo.name`*:: +*`rsa.network.remote_domain_id`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`observer.geo.region_iso_code`*:: +*`rsa.network.addr`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`observer.geo.region_name`*:: +*`rsa.network.dns_a_record`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`observer.hostname`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Hostname of the observer. - type: keyword -- -*`observer.ingress`*:: +*`rsa.network.fhost`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: keyword -- -*`observer.ingress.interface.alias`*:: +*`rsa.network.fport`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`observer.ingress.interface.id`*:: +*`rsa.network.laddr`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). 
- type: keyword -example: 10 - -- -*`observer.ingress.interface.name`*:: +*`rsa.network.linterface`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -*`observer.ingress.vlan.id`*:: +*`rsa.network.phost`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`observer.ingress.vlan.name`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Optional VLAN name as reported by the observer. +Deprecated, use host.dst type: keyword -example: outside - -- -*`observer.ingress.zone`*:: +*`rsa.network.eth_type`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -example: DMZ +type: long -- -*`observer.ip`*:: +*`rsa.network.ip_proto`*:: + -- -IP addresses of the observer. +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: ip +type: long -- -*`observer.mac`*:: +*`rsa.network.dns_cname_record`*:: + -- -MAC addresses of the observer - type: keyword -- -*`observer.name`*:: +*`rsa.network.dns_id`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. - type: keyword -example: 1_proxySG - -- -*`observer.os.family`*:: +*`rsa.network.dns_opcode`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`observer.os.full`*:: +*`rsa.network.dns_resp`*:: + -- -Operating system name, including the version or code name. 
- type: keyword -example: Mac OS Mojave - -- -*`observer.os.full.text`*:: +*`rsa.network.dns_type`*:: + -- -type: text +type: keyword -- -*`observer.os.kernel`*:: +*`rsa.network.domain1`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`observer.os.name`*:: +*`rsa.network.host_type`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`observer.os.name.text`*:: +*`rsa.network.packet_length`*:: + -- -type: text +type: keyword -- -*`observer.os.platform`*:: +*`rsa.network.host_orig`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -example: darwin - -- -*`observer.os.version`*:: +*`rsa.network.rpayload`*:: + -- -Operating system version as a raw string. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -example: 10.14.1 - -- -*`observer.product`*:: +*`rsa.network.vlan_name`*:: + -- -The product name of the observer. +This key should only be used to capture the name of the Virtual LAN type: keyword -example: s200 - -- -*`observer.serial_number`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Observer serial number. +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`observer.type`*:: +*`rsa.investigations.ec_theme`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -example: firewall - -- -*`observer.vendor`*:: +*`rsa.investigations.ec_subject`*:: + -- -Vendor name of the observer. 
+This key captures the Subject of a particular Event(Ex:User) type: keyword -example: Symantec - -- -*`observer.version`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Observer version. +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -[float] -=== organization +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. +type: long +-- -*`organization.id`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Unique identifier for the organization. +This key captures the event category name corresponding to the event cat code type: keyword -- -*`organization.name`*:: +*`rsa.investigations.event_vcat`*:: + -- -Organization name. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`organization.name.text`*:: +*`rsa.investigations.analysis_file`*:: + -- -type: text - --- - -[float] -=== os +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file -The OS fields contain information about the operating system. +type: keyword +-- -*`os.family`*:: +*`rsa.investigations.analysis_service`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -example: debian - -- -*`os.full`*:: +*`rsa.investigations.analysis_session`*:: + -- -Operating system name, including the version or code name. +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session type: keyword -example: Mac OS Mojave - -- -*`os.full.text`*:: +*`rsa.investigations.boc`*:: + -- -type: text +This is used to capture behaviour of compromise + +type: keyword -- -*`os.kernel`*:: +*`rsa.investigations.eoc`*:: + -- -Operating system kernel version as a raw string. +This is used to capture Enablers of Compromise type: keyword -example: 4.4.0-112-generic - -- -*`os.name`*:: +*`rsa.investigations.inv_category`*:: + -- -Operating system name, without the version. +This used to capture investigation category type: keyword -example: Mac OS X - -- -*`os.name.text`*:: +*`rsa.investigations.inv_context`*:: + -- -type: text +This used to capture investigation context + +type: keyword -- -*`os.platform`*:: +*`rsa.investigations.ioc`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This is key capture indicator of compromise type: keyword -example: darwin - -- -*`os.version`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Operating system version as a raw string. +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword - -example: 10.14.1 +type: long -- -[float] -=== package +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +type: long +-- -*`package.architecture`*:: +*`rsa.counters.event_counter`*:: + -- -Package architecture. - -type: keyword +This is used to capture the number of times an event repeated -example: x86_64 +type: long -- -*`package.build_version`*:: +*`rsa.counters.dclass_r1`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. 
+This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd - -- -*`package.checksum`*:: +*`rsa.counters.dclass_c3`*:: + -- -Checksum of the installed package for verification. +This is a generic counter key that should be used with the label dclass.c3.str only -type: keyword - -example: 68b329da9893e34099c7d8ad5cb9c940 +type: long -- -*`package.description`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Description of the package. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -example: Open source programming language to build simple/reliable/efficient software. - -- -*`package.install_scope`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -example: global - -- -*`package.installed`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Time when package was installed. +This is a generic ratio string key that should be used with the label dclass.r1 only -type: date +type: keyword -- -*`package.license`*:: +*`rsa.counters.dclass_r2`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -example: Apache License 2.0 - -- -*`package.name`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Package name +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -example: go - -- -*`package.path`*:: +*`rsa.counters.dclass_r3`*:: + -- -Path where the package is installed. 
+This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -example: /usr/local/Cellar/go/1.12.9/ - -- -*`package.reference`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Home page or reference URL of the software in this package, if available. +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Package size in bytes. - -type: long - -example: 62231 +This is a generic ratio string key that should be used with the label dclass.r3 only -format: string +type: keyword -- -*`package.type`*:: + +*`rsa.identity.auth_method`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +This key is used to capture authentication methods used only type: keyword -example: rpm - -- -*`package.version`*:: +*`rsa.identity.user_role`*:: + -- -Package version +This key is used to capture the Role of a user only type: keyword -example: 1.12.9 - -- -[float] -=== pe +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name -These fields contain Windows Portable Executable (PE) metadata. +type: keyword +-- -*`pe.company`*:: +*`rsa.identity.logon_type`*:: + -- -Internal company name of the file, provided at compile-time. +This key is used to capture the type of logon method used. type: keyword -example: Microsoft Corporation - -- -*`pe.description`*:: +*`rsa.identity.profile`*:: + -- -Internal description of the file, provided at compile-time. +This key is used to capture the user profile type: keyword -example: Paint - -- -*`pe.file_version`*:: +*`rsa.identity.accesses`*:: + -- -Internal version of the file, provided at compile-time. 
+This key is used to capture actual privileges used in accessing an object type: keyword -example: 6.3.9600.17415 - -- -*`pe.original_file_name`*:: +*`rsa.identity.realm`*:: + -- -Internal name of the file, provided at compile-time. +Radius realm or similar grouping of accounts type: keyword -example: MSPAINT.EXE - -- -*`pe.product`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Internal product name of the file, provided at compile-time. +This key captures Destination User Session ID type: keyword -example: Microsoft® Windows® Operating System - -- -[float] -=== process +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: keyword +-- -*`process.args`*:: +*`rsa.identity.org`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +This key captures the User organization type: keyword -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.args_count`*:: +*`rsa.identity.dn_dst`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn -example: 4 +type: keyword -- -*`process.code_signature.exists`*:: +*`rsa.identity.firstname`*:: + -- -Boolean to capture if a signature is present. 
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: boolean - -example: true +type: keyword -- -*`process.code_signature.status`*:: +*`rsa.identity.lastname`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.code_signature.subject_name`*:: +*`rsa.identity.user_dept`*:: + -- -Subject name of the code signer +User's Department Names only type: keyword -example: Microsoft Corporation - -- -*`process.code_signature.trusted`*:: +*`rsa.identity.user_sid_src`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +This key captures Source User Session ID -type: boolean - -example: true +type: keyword -- -*`process.code_signature.valid`*:: +*`rsa.identity.federated_sp`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This key is the Federated Service Provider. This is the application requesting authentication. -example: true +type: keyword -- -*`process.command_line`*:: +*`rsa.identity.federated_idp`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +This key is the federated Identity Provider. This is the server providing the authentication. 
type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.command_line.text`*:: +*`rsa.identity.logon_type_desc`*:: + -- -type: text +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword -- -*`process.entity_id`*:: +*`rsa.identity.middlename`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: c2c455d9f99375d - -- -*`process.executable`*:: +*`rsa.identity.password`*:: + -- -Absolute path to the process executable. +This key is for Passwords seen in any session, plain text or encrypted type: keyword -example: /usr/bin/ssh - -- -*`process.executable.text`*:: +*`rsa.identity.host_role`*:: + -- -type: text +This key should only be used to capture the role of a Host Machine + +type: keyword -- -*`process.exit_code`*:: +*`rsa.identity.ldap`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context -example: 137 +type: keyword -- -*`process.hash.md5`*:: +*`rsa.identity.ldap_query`*:: + -- -MD5 hash. +This key is the Search criteria from an LDAP search type: keyword -- -*`process.hash.sha1`*:: +*`rsa.identity.ldap_response`*:: + -- -SHA1 hash. 
+This key is to capture Results from an LDAP search type: keyword -- -*`process.hash.sha256`*:: +*`rsa.identity.owner`*:: + -- -SHA256 hash. +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`process.hash.sha512`*:: +*`rsa.identity.service_account`*:: + -- -SHA512 hash. +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage type: keyword -- -*`process.name`*:: + +*`rsa.email.email_dst`*:: + -- -Process name. -Sometimes called program name or similar. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -example: ssh - -- -*`process.name.text`*:: +*`rsa.email.email_src`*:: + -- -type: text +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword -- -*`process.parent.args`*:: +*`rsa.email.subject`*:: + -- -Array of process arguments. -May be filtered to protect sensitive information. +This key is used to capture the subject string from an Email only. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.parent.args_count`*:: +*`rsa.email.email`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long +This key is used to capture a generic email address where the source or destination context is not clear -example: 4 +type: keyword -- -*`process.parent.code_signature.exists`*:: +*`rsa.email.trans_from`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +Deprecated key defined only in table map. -example: true +type: keyword -- -*`process.parent.code_signature.status`*:: +*`rsa.email.trans_to`*:: + -- -Additional information about the certificate status. 
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Deprecated key defined only in table map. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.parent.code_signature.subject_name`*:: + +*`rsa.file.privilege`*:: + -- -Subject name of the code signer +Deprecated, use permissions type: keyword -example: Microsoft Corporation - -- -*`process.parent.code_signature.trusted`*:: +*`rsa.file.attachment`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This key captures the attachment file name -example: true +type: keyword -- -*`process.parent.code_signature.valid`*:: +*`rsa.file.filesystem`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true +type: keyword -- -*`process.parent.command_line`*:: +*`rsa.file.binary`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Deprecated key defined only in table map. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.parent.command_line.text`*:: +*`rsa.file.filename_dst`*:: + -- -type: text +This is used to capture name of the file targeted by the action + +type: keyword -- -*`process.parent.entity_id`*:: +*`rsa.file.filename_src`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This is used to capture name of the parent filename, the file which performed the action type: keyword -example: c2c455d9f99375d +-- +*`rsa.file.filename_tmp`*:: ++ -- +type: keyword -*`process.parent.executable`*:: +-- + +*`rsa.file.directory_dst`*:: + -- -Absolute path to the process executable. +This key is used to capture the directory of the target process or file type: keyword -example: /usr/bin/ssh - -- -*`process.parent.executable.text`*:: +*`rsa.file.directory_src`*:: + -- -type: text +This key is used to capture the directory of the source process or file + +type: keyword -- -*`process.parent.exit_code`*:: +*`rsa.file.file_entropy`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +This is used to capture entropy vale of a file -type: long - -example: 137 +type: double -- -*`process.parent.hash.md5`*:: +*`rsa.file.file_vendor`*:: + -- -MD5 hash. +This is used to capture Company name of file located in version_info type: keyword -- -*`process.parent.hash.sha1`*:: +*`rsa.file.task_name`*:: + -- -SHA1 hash. +This is used to capture name of the task type: keyword -- -*`process.parent.hash.sha256`*:: + +*`rsa.web.fqdn`*:: + -- -SHA256 hash. +Fully Qualified Domain Names type: keyword -- -*`process.parent.hash.sha512`*:: +*`rsa.web.web_cookie`*:: + -- -SHA512 hash. +This key is used to capture the Web cookies specifically. type: keyword -- -*`process.parent.name`*:: +*`rsa.web.alias_host`*:: + -- -Process name. -Sometimes called program name or similar. - type: keyword -example: ssh - -- -*`process.parent.name.text`*:: +*`rsa.web.reputation_num`*:: + -- -type: text +Reputation Number of an entity. 
Typically used for Web Domains + +type: double -- -*`process.parent.pgid`*:: +*`rsa.web.web_ref_domain`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +Web referer's domain -format: string +type: keyword -- -*`process.parent.pid`*:: +*`rsa.web.web_ref_query`*:: + -- -Process id. +This key captures Web referer's query portion of the URL -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword -- -*`process.parent.ppid`*:: +*`rsa.web.web_ref_page`*:: + -- -Parent process' pid. +This key captures Web referer's page information -type: long +type: keyword -example: 4241 +-- -format: string +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword -- -*`process.parent.start`*:: +*`rsa.web.cn_asn_dst`*:: + -- -The time the process started. +type: keyword -type: date +-- -example: 2016-05-23T08:05:34.853Z +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword -- -*`process.parent.thread.id`*:: +*`rsa.web.urlpage`*:: + -- -Thread ID. - -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.web.urlroot`*:: ++ +-- +type: keyword -- -*`process.parent.thread.name`*:: +*`rsa.web.p_url`*:: + -- -Thread name. - type: keyword -example: thread-0 - -- -*`process.parent.title`*:: +*`rsa.web.p_user_agent`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - type: keyword -- -*`process.parent.title.text`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: text +type: keyword -- -*`process.parent.uptime`*:: +*`rsa.web.p_web_method`*:: + -- -Seconds the process has been up. +type: keyword -type: long +-- -example: 1325 +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -*`process.parent.working_directory`*:: +*`rsa.web.web_extension_tmp`*:: + -- -The working directory of the process. 
- type: keyword -example: /home/alice - -- -*`process.parent.working_directory.text`*:: +*`rsa.web.web_page`*:: + -- -type: text +type: keyword -- -*`process.pe.company`*:: + +*`rsa.threat.threat_category`*:: + -- -Internal company name of the file, provided at compile-time. +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -example: Microsoft Corporation - -- -*`process.pe.description`*:: +*`rsa.threat.threat_desc`*:: + -- -Internal description of the file, provided at compile-time. +This key is used to capture the threat description from the session directly or inferred type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`rsa.threat.alert`*:: + -- -Internal version of the file, provided at compile-time. +This key is used to capture name of the alert type: keyword -example: 6.3.9600.17415 - -- -*`process.pe.original_file_name`*:: +*`rsa.threat.threat_source`*:: + -- -Internal name of the file, provided at compile-time. +This key is used to capture source of the threat type: keyword -example: MSPAINT.EXE - -- -*`process.pe.product`*:: + +*`rsa.crypto.crypto`*:: + -- -Internal product name of the file, provided at compile-time. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -example: Microsoft® Windows® Operating System - -- -*`process.pgid`*:: +*`rsa.crypto.cipher_src`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +This key is for Source (Client) Cipher -format: string +type: keyword -- -*`process.pid`*:: +*`rsa.crypto.cert_subject`*:: + -- -Process id. +This key is used to capture the Certificate organization only -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword -- -*`process.ppid`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Parent process' pid. 
+This key captures Source (Client) Cipher Size type: long -example: 4241 - -format: string - -- -*`process.start`*:: +*`rsa.crypto.ike`*:: + -- -The time the process started. - -type: date +IKE negotiation phase. -example: 2016-05-23T08:05:34.853Z +type: keyword -- -*`process.thread.id`*:: +*`rsa.crypto.scheme`*:: + -- -Thread ID. - -type: long - -example: 4242 +This key captures the Encryption scheme used -format: string +type: keyword -- -*`process.thread.name`*:: +*`rsa.crypto.peer_id`*:: + -- -Thread name. +This key is for Encryption peer’s identity type: keyword -example: thread-0 - -- -*`process.title`*:: +*`rsa.crypto.sig_type`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +This key captures the Signature Type type: keyword -- -*`process.title.text`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: text +type: keyword -- -*`process.uptime`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Seconds the process has been up. - -type: long +Deprecated key defined only in table map. -example: 1325 +type: keyword -- -*`process.working_directory`*:: +*`rsa.crypto.cert_error`*:: + -- -The working directory of the process. +This key captures the Certificate Error String type: keyword -example: /home/alice - -- -*`process.working_directory.text`*:: +*`rsa.crypto.cipher_dst`*:: + -- -type: text +This key is for Destination (Server) Cipher + +type: keyword -- -[float] -=== registry +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size -Fields related to Windows Registry operations. +type: long +-- -*`registry.data.bytes`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +Deprecated, use version type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - -- -*`registry.data.strings`*:: +*`rsa.crypto.d_certauth`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] - -- -*`registry.data.type`*:: +*`rsa.crypto.s_certauth`*:: + -- -Standard registry type for encoding contents - type: keyword -example: REG_SZ - -- -*`registry.hive`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Abbreviated name for the hive. +ID of the negotiation — sent for ISAKMP Phase One type: keyword -example: HKLM - -- -*`registry.key`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Hive-relative path of keys. +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - -- -*`registry.path`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Full path, including hive, key and value - type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - -- -*`registry.value`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Name of the value written. +This key is used for the hostname category value of a certificate type: keyword -example: Debugger - -- -[float] -=== related - -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. - - -*`related.hash`*:: +*`rsa.crypto.cert_serial`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +This key is used to capture the Certificate serial number only type: keyword -- -*`related.ip`*:: +*`rsa.crypto.cert_status`*:: + -- -All of the IPs seen on your event. +This key captures Certificate validation status -type: ip +type: keyword -- -*`related.user`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -All the user names seen on your event. +Deprecated, use version type: keyword -- -[float] -=== rule - -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. - - -*`rule.author`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - type: keyword -example: ['Star-Lord'] - -- -*`rule.category`*:: +*`rsa.crypto.cert_username`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. - type: keyword -example: Attempted Information Leak - -- -*`rule.description`*:: +*`rsa.crypto.https_insact`*:: + -- -The description of the rule generating the event. 
- type: keyword -example: Block requests to public DNS over HTTPS / TLS protocols - -- -*`rule.id`*:: +*`rsa.crypto.https_valid`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - type: keyword -example: 101 - -- -*`rule.license`*:: +*`rsa.crypto.cert_ca`*:: + -- -Name of the license under which the rule used to generate this event is made available. +This key is used to capture the Certificate signing authority only type: keyword -example: Apache 2.0 - -- -*`rule.name`*:: +*`rsa.crypto.cert_common`*:: + -- -The name of the rule or signature generating the event. +This key is used to capture the Certificate common name only type: keyword -example: BLOCK_DNS_over_TLS - -- -*`rule.reference`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. +This key is used to capture the ssid of a Wireless Session type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS - -- -*`rule.ruleset`*:: +*`rsa.wireless.access_point`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. +This key is used to capture the access point name. type: keyword -example: Standard_Protocol_Filters - -- -*`rule.uuid`*:: +*`rsa.wireless.wlan_channel`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - -type: keyword +This is used to capture the channel names -example: 1100110011 +type: long -- -*`rule.version`*:: +*`rsa.wireless.wlan_name`*:: + -- -The version / revision of the rule being used for analysis. 
+This key captures either WLAN number/name type: keyword -example: 1.1 - -- -[float] -=== server - -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. - -*`server.address`*:: +*`rsa.storage.disk_volume`*:: + -- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`server.as.number`*:: +*`rsa.storage.lun`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +Logical Unit Number.This key is a very useful concept in Storage. -example: 15169 +type: keyword -- -*`server.as.organization.name`*:: +*`rsa.storage.pwwn`*:: + -- -Organization name. +This uniquely identifies a port on a HBA. 
type: keyword -example: Google LLC - --- - -*`server.as.organization.name.text`*:: -+ -- -type: text --- -*`server.bytes`*:: +*`rsa.physical.org_dst`*:: + -- -Bytes sent from the server to the client. - -type: long - -example: 184 +This is used to capture the destination organization based on the GEOPIP Maxmind database. -format: bytes +type: keyword -- -*`server.domain`*:: +*`rsa.physical.org_src`*:: + -- -Server domain. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`server.geo.city_name`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -City name. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: Montreal - -- -*`server.geo.continent_name`*:: +*`rsa.healthcare.patient_id`*:: + -- -Name of the continent. +This key captures the unique ID for a patient type: keyword -example: North America - -- -*`server.geo.country_iso_code`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Country ISO code. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: CA - -- -*`server.geo.country_name`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Country name. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: Canada - --- - -*`server.geo.location`*:: -+ -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } --- -*`server.geo.name`*:: +*`rsa.endpoint.host_state`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
+This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -example: boston-dc - -- -*`server.geo.region_iso_code`*:: +*`rsa.endpoint.registry_key`*:: + -- -Region ISO code. +This key captures the path to the registry key type: keyword -example: CA-QC - -- -*`server.geo.region_name`*:: +*`rsa.endpoint.registry_value`*:: + -- -Region name. +This key captures values or decorators used within a registry entry type: keyword -example: Quebec - --- - -*`server.ip`*:: -+ -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. -type: ip +[[exported-fields-cef]] +== Decode CEF processor fields fields --- +Common Event Format (CEF) data. -*`server.mac`*:: -+ --- -MAC address of the server. -type: keyword --- +[float] +=== cef -*`server.nat.ip`*:: -+ --- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. -type: ip --- -*`server.nat.port`*:: +*`cef.version`*:: + -- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +Version of the CEF specification used by the message. -type: long -format: string +type: keyword -- -*`server.packets`*:: +*`cef.device.vendor`*:: + -- -Packets sent from the server to the client. +Vendor of the device that produced the message. -type: long -example: 12 +type: keyword -- -*`server.port`*:: +*`cef.device.product`*:: + -- -Port of the server. +Product of the device that produced the message. -type: long -format: string +type: keyword -- -*`server.registered_domain`*:: +*`cef.device.version`*:: + -- -The highest registered server domain, stripped of the subdomain. 
-For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Version of the product that produced the message. -type: keyword -example: google.com +type: keyword -- -*`server.top_level_domain`*:: +*`cef.device.event_class_id`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Unique identifier of the event type. -type: keyword -example: co.uk +type: keyword -- -*`server.user.domain`*:: +*`cef.severity`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High. + type: keyword +example: Very-High + -- -*`server.user.email`*:: +*`cef.name`*:: + -- -User email address. +Short description of the event. + type: keyword -- -*`server.user.full_name`*:: -+ --- -User's full name, if available. +[float] +=== extensions -type: keyword +Collection of key-value pairs carried in the CEF extension field. -example: Albert Einstein --- -*`server.user.full_name.text`*:: +*`cef.extensions.agentAddress`*:: + -- -type: text +The IP address of the ArcSight connector that processed the event. + +type: ip -- -*`server.user.group.domain`*:: +*`cef.extensions.agentDnsDomain`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. 
+The DNS domain name of the ArcSight connector that processed the event. type: keyword -- -*`server.user.group.id`*:: +*`cef.extensions.agentHostName`*:: + -- -Unique identifier for the group on the system/platform. +The hostname of the ArcSight connector that processed the event. type: keyword -- -*`server.user.group.name`*:: +*`cef.extensions.agentId`*:: + -- -Name of the group. +The agent ID of the ArcSight connector that processed the event. type: keyword -- -*`server.user.hash`*:: +*`cef.extensions.agentMacAddress`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +The MAC address of the ArcSight connector that processed the event. type: keyword -- -*`server.user.id`*:: +*`cef.extensions.agentNtDomain`*:: + -- -Unique identifiers of the user. +None type: keyword -- -*`server.user.name`*:: +*`cef.extensions.agentReceiptTime`*:: + -- -Short name or login of the user. - -type: keyword +The time at which information about the event was received by the ArcSight connector. -example: albert +type: date -- -*`server.user.name.text`*:: +*`cef.extensions.agentTimeZone`*:: + -- -type: text - --- - -[float] -=== service +The agent time zone of the ArcSight connector that processed the event. -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +type: keyword +-- -*`service.ephemeral_id`*:: +*`cef.extensions.agentTranslatedAddress`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -type: keyword +None -example: 8a4f500f +type: ip -- -*`service.id`*:: +*`cef.extensions.agentTranslatedZoneExternalID`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. 
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. +None type: keyword -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - -- -*`service.name`*:: +*`cef.extensions.agentTranslatedZoneURI`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. +None type: keyword -example: elasticsearch-metrics - -- -*`service.node.name`*:: +*`cef.extensions.agentType`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +The agent type of the ArcSight connector that processed the event type: keyword -example: instance-0000000016 - -- -*`service.state`*:: +*`cef.extensions.agentVersion`*:: + -- -Current state of the service. +The version of the ArcSight connector that processed the event. 
type: keyword -- -*`service.type`*:: +*`cef.extensions.agentZoneExternalID`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +None type: keyword -example: elasticsearch - -- -*`service.version`*:: +*`cef.extensions.agentZoneURI`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. +None type: keyword -example: 3.2.4 - -- -[float] -=== source - -Source fields describe details about the source of a packet/event. -Source fields are usually populated in conjunction with destination fields. - - -*`source.address`*:: +*`cef.extensions.applicationProtocol`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. type: keyword -- -*`source.as.number`*:: +*`cef.extensions.baseEventCount`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. type: long -example: 15169 - -- -*`source.as.organization.name`*:: +*`cef.extensions.bytesIn`*:: + -- -Organization name. - -type: keyword +Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. 
-example: Google LLC +type: long -- -*`source.as.organization.name.text`*:: +*`cef.extensions.bytesOut`*:: + -- -type: text +Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. + +type: long -- -*`source.bytes`*:: +*`cef.extensions.customerExternalID`*:: + -- -Bytes sent from the source to the destination. - -type: long - -example: 184 +None -format: bytes +type: keyword -- -*`source.domain`*:: +*`cef.extensions.customerURI`*:: + -- -Source domain. +None type: keyword -- -*`source.geo.city_name`*:: +*`cef.extensions.destinationAddress`*:: + -- -City name. - -type: keyword +Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. -example: Montreal +type: ip -- -*`source.geo.continent_name`*:: +*`cef.extensions.destinationDnsDomain`*:: + -- -Name of the continent. +The DNS domain part of the complete fully qualified domain name (FQDN). type: keyword -example: North America - -- -*`source.geo.country_iso_code`*:: +*`cef.extensions.destinationGeoLatitude`*:: + -- -Country ISO code. - -type: keyword +The latitudinal value from which the destination's IP address belongs. -example: CA +type: double -- -*`source.geo.country_name`*:: +*`cef.extensions.destinationGeoLongitude`*:: + -- -Country name. - -type: keyword +The longitudinal value from which the destination's IP address belongs. -example: Canada +type: double -- -*`source.geo.location`*:: +*`cef.extensions.destinationHostName`*:: + -- -Longitude and latitude. - -type: geo_point +Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. 
-example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`source.geo.name`*:: +*`cef.extensions.destinationMacAddress`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Six colon-seperated hexadecimal numbers. type: keyword -example: boston-dc - -- -*`source.geo.region_iso_code`*:: +*`cef.extensions.destinationNtDomain`*:: + -- -Region ISO code. +The Windows domain name of the destination address. type: keyword -example: CA-QC - -- -*`source.geo.region_name`*:: +*`cef.extensions.destinationPort`*:: + -- -Region name. - -type: keyword +The valid port numbers are between 0 and 65535. -example: Quebec +type: long -- -*`source.ip`*:: +*`cef.extensions.destinationProcessId`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. -type: ip +type: long -- -*`source.mac`*:: +*`cef.extensions.destinationProcessName`*:: + -- -MAC address of the source. +The name of the event's destination process. type: keyword -- -*`source.nat.ip`*:: +*`cef.extensions.destinationServiceName`*:: + -- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +The service targeted by this event. -type: ip +type: keyword -- -*`source.nat.port`*:: +*`cef.extensions.destinationTranslatedAddress`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long +Identifies the translated destination that the event refers to in an IP network. 
-format: string +type: ip -- -*`source.packets`*:: +*`cef.extensions.destinationTranslatedPort`*:: + -- -Packets sent from the source to the destination. +Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. type: long -example: 12 - -- -*`source.port`*:: +*`cef.extensions.destinationTranslatedZoneExternalID`*:: + -- -Port of the source. - -type: long +None -format: string +type: keyword -- -*`source.registered_domain`*:: +*`cef.extensions.destinationTranslatedZoneURI`*:: + -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. type: keyword -example: google.com - -- -*`source.top_level_domain`*:: +*`cef.extensions.destinationUserId`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0. type: keyword -example: co.uk - -- -*`source.user.domain`*:: +*`cef.extensions.destinationUserName`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. 
The recipient is a candidate to put into this field. type: keyword -- -*`source.user.email`*:: +*`cef.extensions.destinationUserPrivileges`*:: + -- -User email address. +The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". type: keyword -- -*`source.user.full_name`*:: +*`cef.extensions.destinationZoneExternalID`*:: + -- -User's full name, if available. +None type: keyword -example: Albert Einstein - -- -*`source.user.full_name.text`*:: +*`cef.extensions.destinationZoneURI`*:: + -- -type: text +The URI for the Zone that the destination asset has been assigned to in ArcSight. + +type: keyword -- -*`source.user.group.domain`*:: +*`cef.extensions.deviceAction`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Action taken by the device. type: keyword -- -*`source.user.group.id`*:: +*`cef.extensions.deviceAddress`*:: + -- -Unique identifier for the group on the system/platform. +Identifies the device address that an event refers to in an IP network. -type: keyword +type: ip -- -*`source.user.group.name`*:: +*`cef.extensions.deviceCustomFloatingPoint1Label`*:: + -- -Name of the group. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -- -*`source.user.hash`*:: +*`cef.extensions.deviceCustomFloatingPoint3Label`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -- -*`source.user.id`*:: +*`cef.extensions.deviceCustomFloatingPoint4Label`*:: + -- -Unique identifiers of the user. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -- -*`source.user.name`*:: +*`cef.extensions.deviceCustomDate1`*:: + -- -Short name or login of the user. - -type: keyword +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. -example: albert +type: date -- -*`source.user.name.text`*:: +*`cef.extensions.deviceCustomDate1Label`*:: + -- -type: text +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword -- -[float] -=== threat +*`cef.extensions.deviceCustomDate2`*:: ++ +-- +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +type: date +-- -*`threat.framework`*:: +*`cef.extensions.deviceCustomDate2Label`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: MITRE ATT&CK - -- -*`threat.tactic.id`*:: +*`cef.extensions.deviceCustomFloatingPoint1`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: TA0040 +type: double -- -*`threat.tactic.name`*:: +*`cef.extensions.deviceCustomFloatingPoint2`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: impact +type: double -- -*`threat.tactic.reference`*:: +*`cef.extensions.deviceCustomFloatingPoint2Label`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: https://attack.mitre.org/tactics/TA0040/ - -- -*`threat.technique.id`*:: +*`cef.extensions.deviceCustomFloatingPoint3`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: T1499 +type: double -- -*`threat.technique.name`*:: +*`cef.extensions.deviceCustomFloatingPoint4`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/techniques/T1499/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: endpoint denial of service +type: double -- -*`threat.technique.name.text`*:: +*`cef.extensions.deviceCustomIPv6Address1`*:: + -- -type: text +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + +type: ip -- -*`threat.technique.reference`*:: +*`cef.extensions.deviceCustomIPv6Address1Label`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: https://attack.mitre.org/techniques/T1499/ - -- -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: +*`cef.extensions.deviceCustomIPv6Address2`*:: + -- -String indicating the cipher used during the current connection. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +type: ip -- -*`tls.client.certificate`*:: +*`cef.extensions.deviceCustomIPv6Address2Label`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: MII... 
- -- -*`tls.client.certificate_chain`*:: +*`cef.extensions.deviceCustomIPv6Address3`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: ['MII...', 'MII...'] +type: ip -- -*`tls.client.hash.md5`*:: +*`cef.extensions.deviceCustomIPv6Address3Label`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.client.hash.sha1`*:: +*`cef.extensions.deviceCustomIPv6Address4`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +type: ip -- -*`tls.client.hash.sha256`*:: +*`cef.extensions.deviceCustomIPv6Address4Label`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.client.issuer`*:: +*`cef.extensions.deviceCustomNumber1`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - -type: keyword +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +type: long -- -*`tls.client.ja3`*:: +*`cef.extensions.deviceCustomNumber1Label`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: d4e5b18d6b55c71272893221c96ba240 - -- -*`tls.client.not_after`*:: +*`cef.extensions.deviceCustomNumber2`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. - -type: date +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: 2021-01-01T00:00:00.000Z +type: long -- -*`tls.client.not_before`*:: +*`cef.extensions.deviceCustomNumber2Label`*:: + -- -Date/Time indicating when client certificate is first considered valid. - -type: date +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.client.server_name`*:: +*`cef.extensions.deviceCustomNumber3`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. 
- -type: keyword +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: www.elastic.co +type: long -- -*`tls.client.subject`*:: +*`cef.extensions.deviceCustomNumber3Label`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com - -- -*`tls.client.supported_ciphers`*:: +*`cef.extensions.deviceCustomString1`*:: + -- -Array of ciphers offered by the client during the client hello. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] - -- -*`tls.curve`*:: +*`cef.extensions.deviceCustomString1Label`*:: + -- -String indicating the curve used for the given cipher, when applicable. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: secp256r1 - -- -*`tls.established`*:: +*`cef.extensions.deviceCustomString2`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -type: boolean +type: keyword -- -*`tls.next_protocol`*:: +*`cef.extensions.deviceCustomString2Label`*:: + -- -String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: http/1.1 - -- -*`tls.resumed`*:: +*`cef.extensions.deviceCustomString3`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -type: boolean +type: keyword -- -*`tls.server.certificate`*:: +*`cef.extensions.deviceCustomString3Label`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: MII... - -- -*`tls.server.certificate_chain`*:: +*`cef.extensions.deviceCustomString4`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: ['MII...', 'MII...'] - -- -*`tls.server.hash.md5`*:: +*`cef.extensions.deviceCustomString4Label`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.server.hash.sha1`*:: +*`cef.extensions.deviceCustomString5`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - -- -*`tls.server.hash.sha256`*:: +*`cef.extensions.deviceCustomString5Label`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.server.issuer`*:: +*`cef.extensions.deviceCustomString6`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.server.ja3s`*:: +*`cef.extensions.deviceCustomString6Label`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: 394441ab65754e2207b1e1b457b3641d - -- -*`tls.server.not_after`*:: +*`cef.extensions.deviceDirection`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. - -type: date +Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. -example: 2021-01-01T00:00:00.000Z +type: long -- -*`tls.server.not_before`*:: +*`cef.extensions.deviceDnsDomain`*:: + -- -Timestamp indicating when server certificate is first considered valid. - -type: date +The DNS domain part of the complete fully qualified domain name (FQDN). -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.subject`*:: +*`cef.extensions.deviceEventCategory`*:: + -- -Subject of the x.509 certificate presented by the server. +Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.version`*:: +*`cef.extensions.deviceExternalId`*:: + -- -Numeric part of the version parsed from the original string. +A name that uniquely identifies the device generating this event. type: keyword -example: 1.2 - -- -*`tls.version_protocol`*:: +*`cef.extensions.deviceFacility`*:: + -- -Normalized lowercase protocol name parsed from original string. +The facility generating this event. For example, Syslog has an explicit facility associated with every event. type: keyword -example: tls - -- -[float] -=== tracing +*`cef.extensions.deviceFlexNumber1`*:: ++ +-- +One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. 
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +type: long +-- -*`tracing.trace.id`*:: +*`cef.extensions.deviceFlexNumber1Label`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 - -- -*`tracing.transaction.id`*:: +*`cef.extensions.deviceFlexNumber2`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. - -type: keyword +One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: 00f067aa0ba902b7 +type: long -- -[float] -=== url +*`cef.extensions.deviceFlexNumber2Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +-- -*`url.domain`*:: +*`cef.extensions.deviceHostName`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. type: keyword -example: www.elastic.co - -- -*`url.extension`*:: +*`cef.extensions.deviceInboundInterface`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +Interface on which the packet or data entered the device. type: keyword -example: png - -- -*`url.fragment`*:: +*`cef.extensions.deviceMacAddress`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +Six colon-separated hexadecimal numbers. type: keyword -- -*`url.full`*:: +*`cef.extensions.deviceNtDomain`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +The Windows domain name of the device address. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top - -- -*`url.full.text`*:: +*`cef.extensions.deviceOutboundInterface`*:: + -- -type: text +Interface on which the packet or data left the device. + +type: keyword -- -*`url.original`*:: +*`cef.extensions.devicePayloadId`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +Unique identifier for the payload associated with the event. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - -- -*`url.original.text`*:: +*`cef.extensions.deviceProcessId`*:: + -- -type: text +Provides the ID of the process on the device generating the event. + +type: long -- -*`url.password`*:: +*`cef.extensions.deviceProcessName`*:: + -- -Password of the request. +Process name associated with the event. An example might be the process generating the syslog entry in UNIX. type: keyword -- -*`url.path`*:: +*`cef.extensions.deviceReceiptTime`*:: + -- -Path of the request, such as "/search". 
+The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) -type: keyword +type: date -- -*`url.port`*:: +*`cef.extensions.deviceTimeZone`*:: + -- -Port of the request, such as 443. - -type: long - -example: 443 +The time zone for the device generating the event. -format: string +type: keyword -- -*`url.query`*:: +*`cef.extensions.deviceTranslatedAddress`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Identifies the translated device address that the event refers to in an IP network. -type: keyword +type: ip -- -*`url.registered_domain`*:: +*`cef.extensions.deviceTranslatedZoneExternalID`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +None type: keyword -example: google.com - -- -*`url.scheme`*:: +*`cef.extensions.deviceTranslatedZoneURI`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +The URI for the Translated Zone that the device asset has been assigned to in ArcSight. type: keyword -example: https - -- -*`url.top_level_domain`*:: +*`cef.extensions.deviceZoneExternalID`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +None type: keyword -example: co.uk - -- -*`url.username`*:: +*`cef.extensions.deviceZoneURI`*:: + -- -Username of the request. +Thee URI for the Zone that the device asset has been assigned to in ArcSight. type: keyword -- -[float] -=== user +*`cef.extensions.endTime`*:: ++ +-- +The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +type: date +-- -*`user.domain`*:: +*`cef.extensions.eventId`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This is a unique ID that ArcSight assigns to each event. -type: keyword +type: long -- -*`user.email`*:: +*`cef.extensions.eventOutcome`*:: + -- -User email address. +Displays the outcome, usually as 'success' or 'failure'. type: keyword -- -*`user.full_name`*:: +*`cef.extensions.externalId`*:: + -- -User's full name, if available. +The ID used by an originating device. They are usually increasing numbers, associated with events. type: keyword -example: Albert Einstein - -- -*`user.full_name.text`*:: +*`cef.extensions.fileCreateTime`*:: + -- -type: text +Time when the file was created. + +type: date -- -*`user.group.domain`*:: +*`cef.extensions.fileHash`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Hash of a file. type: keyword -- -*`user.group.id`*:: +*`cef.extensions.fileId`*:: + -- -Unique identifier for the group on the system/platform. 
+An ID associated with a file could be the inode. type: keyword -- -*`user.group.name`*:: +*`cef.extensions.fileModificationTime`*:: + -- -Name of the group. +Time when the file was last modified. -type: keyword +type: date -- -*`user.hash`*:: +*`cef.extensions.filename`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Name of the file only (without its path). type: keyword -- -*`user.id`*:: +*`cef.extensions.filePath`*:: + -- -Unique identifiers of the user. +Full path to the file, including file name itself. type: keyword -- -*`user.name`*:: +*`cef.extensions.filePermission`*:: + -- -Short name or login of the user. +Permissions of the file. type: keyword -example: albert - -- -*`user.name.text`*:: +*`cef.extensions.fileSize`*:: + -- -type: text - --- - -[float] -=== user_agent +Size of the file. -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: long +-- -*`user_agent.device.name`*:: +*`cef.extensions.fileType`*:: + -- -Name of the device. +Type of file (pipe, socket, etc.) type: keyword -example: iPhone - -- -*`user_agent.name`*:: +*`cef.extensions.flexDate1`*:: + -- -Name of the user agent. - -type: keyword +A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. -example: Safari +type: date -- -*`user_agent.original`*:: +*`cef.extensions.flexDate1Label`*:: + -- -Unparsed user_agent string. +The label field is a string and describes the purpose of the flex field. 
type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - -- -*`user_agent.original.text`*:: +*`cef.extensions.flexString1`*:: + -- -type: text +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + +type: keyword -- -*`user_agent.os.family`*:: +*`cef.extensions.flexString2`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. type: keyword -example: debian - -- -*`user_agent.os.full`*:: +*`cef.extensions.flexString1Label`*:: + -- -Operating system name, including the version or code name. +The label field is a string and describes the purpose of the flex field. type: keyword -example: Mac OS Mojave - -- -*`user_agent.os.full.text`*:: +*`cef.extensions.flexString2Label`*:: + -- -type: text +The label field is a string and describes the purpose of the flex field. + +type: keyword -- -*`user_agent.os.kernel`*:: +*`cef.extensions.message`*:: + -- -Operating system kernel version as a raw string. +An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. type: keyword -example: 4.4.0-112-generic - -- -*`user_agent.os.name`*:: +*`cef.extensions.oldFileCreateTime`*:: + -- -Operating system name, without the version. - -type: keyword +Time when old file was created. 
-example: Mac OS X +type: date -- -*`user_agent.os.name.text`*:: +*`cef.extensions.oldFileHash`*:: + -- -type: text +Hash of the old file. + +type: keyword -- -*`user_agent.os.platform`*:: +*`cef.extensions.oldFileId`*:: + -- -Operating system platform (such centos, ubuntu, windows). +An ID associated with the old file could be the inode. type: keyword -example: darwin - -- -*`user_agent.os.version`*:: +*`cef.extensions.oldFileModificationTime`*:: + -- -Operating system version as a raw string. - -type: keyword +Time when old file was last modified. -example: 10.14.1 +type: date -- -*`user_agent.version`*:: +*`cef.extensions.oldFileName`*:: + -- -Version of the user agent. +Name of the old file. type: keyword -example: 12.0 - -- -[float] -=== vlan - -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. - - -*`vlan.id`*:: +*`cef.extensions.oldFilePath`*:: + -- -VLAN ID as reported by the observer. +Full path to the old file, including the file name itself. 
type: keyword -example: 10 - -- -*`vlan.name`*:: +*`cef.extensions.oldFilePermission`*:: + -- -Optional VLAN name as reported by the observer. +Permissions of the old file. type: keyword -example: outside - -- -[float] -=== vulnerability +*`cef.extensions.oldFileSize`*:: ++ +-- +Size of the old file. -The vulnerability fields describe information about a vulnerability that is relevant to an event. +type: long +-- -*`vulnerability.category`*:: +*`cef.extensions.oldFileType`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +Type of the old file (pipe, socket, etc.) type: keyword -example: ["Firewall"] - -- -*`vulnerability.classification`*:: +*`cef.extensions.rawEvent`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) +None type: keyword -example: CVSS - -- -*`vulnerability.description`*:: +*`cef.extensions.Reason`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) +The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234". type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC... - -- -*`vulnerability.description.text`*:: +*`cef.extensions.requestClientApplication`*:: + -- -type: text +The User-Agent associated with the request. + +type: keyword -- -*`vulnerability.enumeration`*:: +*`cef.extensions.requestContext`*:: + -- -The type of identifier used for this vulnerability. 
For example (https://cve.mitre.org/about/) +Description of the content from which the request originated (for example, HTTP Referrer) type: keyword -example: CVE - -- -*`vulnerability.id`*:: +*`cef.extensions.requestCookies`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Cookies associated with the request. type: keyword -example: CVE-2019-00001 - -- -*`vulnerability.reference`*:: +*`cef.extensions.requestMethod`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +The HTTP method used to access a URL. type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - -- -*`vulnerability.report_id`*:: +*`cef.extensions.requestUrl`*:: + -- -The report or scan identification number. +In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. type: keyword -example: 20191018.0001 - -- -*`vulnerability.scanner.vendor`*:: +*`cef.extensions.sourceAddress`*:: + -- -The name of the vulnerability scanner vendor. - -type: keyword +Identifies the source that an event refers to in an IP network. -example: Tenable +type: ip -- -*`vulnerability.score.base`*:: +*`cef.extensions.sourceDnsDomain`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - -type: float +The DNS domain part of the complete fully qualified domain name (FQDN). 
-example: 5.5 +type: keyword -- -*`vulnerability.score.environmental`*:: +*`cef.extensions.sourceGeoLatitude`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - -type: float +None -example: 5.5 +type: double -- -*`vulnerability.score.temporal`*:: +*`cef.extensions.sourceGeoLongitude`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +None -type: float +type: double -- -*`vulnerability.score.version`*:: +*`cef.extensions.sourceHostName`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. -type: keyword -example: 2.0 +type: keyword -- -*`vulnerability.severity`*:: +*`cef.extensions.sourceMacAddress`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Six colon-separated hexadecimal numbers. 
type: keyword -example: Critical +example: 00:0d:60:af:1b:61 -- -[[exported-fields-elasticsearch]] -== Elasticsearch fields - -elasticsearch Module - +*`cef.extensions.sourceNtDomain`*:: ++ +-- +The Windows domain name for the source address. +type: keyword -[float] -=== elasticsearch +-- +*`cef.extensions.sourcePort`*:: ++ +-- +The valid port numbers are 0 to 65535. +type: long +-- -*`elasticsearch.component`*:: +*`cef.extensions.sourceProcessId`*:: + -- -Elasticsearch component from where the log event originated - -type: keyword +The ID of the source process associated with the event. -example: o.e.c.m.MetaDataCreateIndexService +type: long -- -*`elasticsearch.cluster.uuid`*:: +*`cef.extensions.sourceProcessName`*:: + -- -UUID of the cluster +The name of the event's source process. type: keyword -example: GmvrbHlNTiSVYiPf8kxg9g - -- -*`elasticsearch.cluster.name`*:: +*`cef.extensions.sourceServiceName`*:: + -- -Name of the cluster +The service that is responsible for generating this event. type: keyword -example: docker-cluster - -- -*`elasticsearch.node.id`*:: +*`cef.extensions.sourceTranslatedAddress`*:: + -- -ID of the node - -type: keyword +Identifies the translated source that the event refers to in an IP network. -example: DSiWcTyeThWtUXLB9J0BMw +type: ip -- -*`elasticsearch.node.name`*:: +*`cef.extensions.sourceTranslatedPort`*:: + -- -Name of the node - -type: keyword +A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. -example: vWNJsZ3 +type: long -- -*`elasticsearch.index.name`*:: +*`cef.extensions.sourceTranslatedZoneExternalID`*:: + -- -Index name +None type: keyword -example: filebeat-test-input - -- -*`elasticsearch.index.id`*:: +*`cef.extensions.sourceTranslatedZoneURI`*:: + -- -Index id +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. 
type: keyword -example: aOGgDwbURfCV57AScqbCgw - -- -*`elasticsearch.shard.id`*:: +*`cef.extensions.sourceUserId`*:: + -- -Id of the shard +Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. type: keyword -example: 0 - -- -[float] -=== audit - +*`cef.extensions.sourceUserName`*:: ++ +-- +Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. +type: keyword +-- -*`elasticsearch.audit.layer`*:: +*`cef.extensions.sourceUserPrivileges`*:: + -- -The layer from which this event originated: rest, transport or ip_filter +The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". type: keyword -example: rest - -- -*`elasticsearch.audit.event_type`*:: +*`cef.extensions.sourceZoneExternalID`*:: + -- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied +None type: keyword -example: access_granted - -- -*`elasticsearch.audit.origin.type`*:: +*`cef.extensions.sourceZoneURI`*:: + -- -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) +The URI for the Zone that the source asset has been assigned to in ArcSight. type: keyword -example: local_node - -- -*`elasticsearch.audit.realm`*:: +*`cef.extensions.startTime`*:: + -- -The authentication realm the authentication was validated against +The time when the activity the event referred to started. 
The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) -type: keyword +type: date -- -*`elasticsearch.audit.user.realm`*:: +*`cef.extensions.transportProtocol`*:: + -- -The user's authentication realm, if authenticated +Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. type: keyword -- -*`elasticsearch.audit.user.roles`*:: +*`cef.extensions.type`*:: + -- -Roles to which the principal belongs - -type: keyword +0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). -example: ['kibana_user', 'beats_admin'] +type: long -- -*`elasticsearch.audit.action`*:: +*`cef.extensions.categoryDeviceType`*:: + -- -The name of the action that was executed +Device type. Examples - Proxy, IDS, Web Server type: keyword -example: cluster:monitor/main - -- -*`elasticsearch.audit.url.params`*:: +*`cef.extensions.categoryObject`*:: + -- -REST URI parameters +Object that the event is about. For example it can be an operating sytem, database, file, etc. -example: {username=jacknich2} +type: keyword -- -*`elasticsearch.audit.indices`*:: +*`cef.extensions.categoryBehavior`*:: + -- -Indices accessed by action +Action or a behavior associated with an event. It's what is being done to the object. type: keyword -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] - -- -*`elasticsearch.audit.request.id`*:: +*`cef.extensions.categoryTechnique`*:: + -- -Unique ID of request +Technique being used (e.g. /DoS). type: keyword -example: WzL_kb6VSvOhAq0twPvHOQ - -- -*`elasticsearch.audit.request.name`*:: +*`cef.extensions.categoryDeviceGroup`*:: + -- -The type of request that was executed +General device group like Firewall. type: keyword -example: ClearScrollRequest - -- -*`elasticsearch.audit.request_body`*:: +*`cef.extensions.categorySignificance`*:: + -- -type: alias +Characterization of the importance of the event. 
-alias to: http.request.body.content +type: keyword -- -*`elasticsearch.audit.origin_address`*:: +*`cef.extensions.categoryOutcome`*:: + -- -type: alias +Outcome of the event (e.g. sucess, failure, or attempt). -alias to: source.ip +type: keyword -- -*`elasticsearch.audit.uri`*:: +*`cef.extensions.managerReceiptTime`*:: + -- -type: alias +When the Arcsight ESM received the event. -alias to: url.original +type: date -- -*`elasticsearch.audit.principal`*:: +*`source.service.name`*:: + -- -type: alias +Service that is the source of the event. -alias to: user.name +type: keyword -- -*`elasticsearch.audit.message`*:: +*`destination.service.name`*:: + -- -type: text +Service that is the target of the event. + +type: keyword -- -[float] -=== deprecation +[[exported-fields-cef-module]] +== CEF fields + +Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. [float] -=== gc +=== forcepoint + +Fields for Forcepoint Custom String mappings + + + +*`forcepoint.virus_id`*:: ++ +-- +Virus ID -GC fileset fields. +type: keyword +-- [float] -=== phase +=== checkpoint -Fields specific to GC phase. +Fields for Check Point custom string mappings. -*`elasticsearch.gc.phase.name`*:: +*`checkpoint.app_risk`*:: + -- -Name of the GC collection phase. - +Application risk. type: keyword -- -*`elasticsearch.gc.phase.duration_sec`*:: +*`checkpoint.app_severity`*:: + -- -Collection phase duration according to the Java virtual machine. - +Application threat severity. -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: +*`checkpoint.app_sig_id`*:: + -- -Pause time in seconds cleaning up symbol tables. - +The signature ID which the application was detected by. -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: +*`checkpoint.auth_method`*:: + -- -Pause time in seconds cleaning up string tables. - +Password authentication protocol used. 
-type: float +type: keyword -- -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: +*`checkpoint.category`*:: + -- -Time spent processing weak references in seconds. - +Category. -type: float +type: keyword -- -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: +*`checkpoint.confidence_level`*:: + -- -Time spent in seconds marking live objects while application is stopped. - +Confidence level determined. -type: float +type: integer -- -*`elasticsearch.gc.phase.class_unload_time_sec`*:: +*`checkpoint.connectivity_state`*:: + -- -Time spent unloading unused classes in seconds. - +Connectivity state. -type: float +type: keyword -- -[float] -=== cpu_time - -Process CPU time spent performing collections. +*`checkpoint.cookie`*:: ++ +-- +IKE cookie. +type: keyword +-- -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: +*`checkpoint.dst_phone_number`*:: + -- -CPU time spent outside the kernel. - +Destination IP-Phone. -type: float +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: +*`checkpoint.email_control`*:: + -- -CPU time spent inside the kernel. - +Engine name. -type: float +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: +*`checkpoint.email_id`*:: + -- -Total elapsed CPU time spent to complete the collection from start to finish. - +Internal email ID. -type: float +type: keyword -- -*`elasticsearch.gc.jvm_runtime_sec`*:: +*`checkpoint.email_recipients_num`*:: + -- -The time from JVM start up in seconds, as a floating point number. - +Number of recipients. -type: float +type: long -- -*`elasticsearch.gc.threads_total_stop_time_sec`*:: +*`checkpoint.email_session_id`*:: + -- -Garbage collection threads total stop time seconds. - +Internal email session ID. -type: float +type: keyword -- -*`elasticsearch.gc.stopping_threads_time_sec`*:: +*`checkpoint.email_spool_id`*:: + -- -Time took to stop threads seconds. - +Internal email spool ID. 
-type: float +type: keyword -- -*`elasticsearch.gc.tags`*:: +*`checkpoint.email_subject`*:: + -- -GC logging tags. - +Email subject. type: keyword -- -[float] -=== heap - -Heap allocation and total size. +*`checkpoint.event_count`*:: ++ +-- +Number of events associated with the log. +type: long +-- -*`elasticsearch.gc.heap.size_kb`*:: +*`checkpoint.frequency`*:: + -- -Total heap size in kilobytes. - +Scan frequency. -type: integer +type: keyword -- -*`elasticsearch.gc.heap.used_kb`*:: +*`checkpoint.icmp_type`*:: + -- -Used heap in kilobytes. - +ICMP type. -type: integer +type: long -- -[float] -=== old_gen - -Old generation occupancy and total size. +*`checkpoint.icmp_code`*:: ++ +-- +ICMP code. +type: long +-- -*`elasticsearch.gc.old_gen.size_kb`*:: +*`checkpoint.identity_type`*:: + -- -Total size of old generation in kilobytes. - +Identity type. -type: integer +type: keyword -- -*`elasticsearch.gc.old_gen.used_kb`*:: +*`checkpoint.incident_extension`*:: + -- -Old generation occupancy in kilobytes. - +Format of original data. -type: integer +type: keyword -- -[float] -=== young_gen - -Young generation occupancy and total size. +*`checkpoint.integrity_av_invoke_type`*:: ++ +-- +Scan invoke type. +type: keyword +-- -*`elasticsearch.gc.young_gen.size_kb`*:: +*`checkpoint.malware_family`*:: + -- -Total size of young generation in kilobytes. - +Malware family. -type: integer +type: keyword -- -*`elasticsearch.gc.young_gen.used_kb`*:: +*`checkpoint.peer_gateway`*:: + -- -Young generation occupancy in kilobytes. - +Main IP of the peer Security Gateway. -type: integer +type: ip -- -[float] -=== server +*`checkpoint.performance_impact`*:: ++ +-- +Protection performance impact. -Server log file +type: integer +-- -*`elasticsearch.server.stacktrace`*:: +*`checkpoint.protection_id`*:: + -- -Field is not indexed. +Protection malware ID. + +type: keyword -- -[float] -=== gc +*`checkpoint.protection_name`*:: ++ +-- +Specific signature name of the attack. 
-GC log +type: keyword +-- -[float] -=== young +*`checkpoint.protection_type`*:: ++ +-- +Type of protection used to detect the attack. -Young GC +type: keyword +-- -*`elasticsearch.server.gc.young.one`*:: +*`checkpoint.scan_result`*:: + -- +Scan result. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.young.two`*:: +*`checkpoint.sensor_mode`*:: + -- +Sensor mode. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.overhead_seq`*:: +*`checkpoint.severity`*:: + -- -Sequence number - -type: long +Threat severity. -example: 3449992 +type: keyword -- -*`elasticsearch.server.gc.collection_duration.ms`*:: +*`checkpoint.spyware_name`*:: + -- -Time spent in GC, in milliseconds - -type: float +Spyware name. -example: 1600 +type: keyword -- -*`elasticsearch.server.gc.observation_duration.ms`*:: +*`checkpoint.spyware_status`*:: + -- -Total time over which collection was observed, in milliseconds - -type: float +Spyware status. -example: 1800 +type: keyword -- -[float] -=== slowlog +*`checkpoint.subs_exp`*:: ++ +-- +The expiration date of the subscription. -Slowlog events from Elasticsearch +type: date +-- -*`elasticsearch.slowlog.logger`*:: +*`checkpoint.tcp_flags`*:: + -- -Logger name +TCP packet flags. type: keyword -example: index.search.slowlog.fetch - -- -*`elasticsearch.slowlog.took`*:: +*`checkpoint.termination_reason`*:: + -- -Time it took to execute the query +Termination reason. type: keyword -example: 300ms - -- -*`elasticsearch.slowlog.types`*:: +*`checkpoint.update_status`*:: + -- -Types +Update status. type: keyword -example: - -- -*`elasticsearch.slowlog.stats`*:: +*`checkpoint.user_status`*:: + -- -Stats groups +User response. type: keyword -example: group1 - -- -*`elasticsearch.slowlog.search_type`*:: +*`checkpoint.uuid`*:: + -- -Search type +External ID. type: keyword -example: QUERY_THEN_FETCH - -- -*`elasticsearch.slowlog.source_query`*:: +*`checkpoint.virus_name`*:: + -- -Slow query +Virus name. 
type: keyword -example: {"query":{"match_all":{"boost":1.0}}} - -- -*`elasticsearch.slowlog.extra_source`*:: +*`checkpoint.voip_log_type`*:: + -- -Extra source information +VoIP log types. type: keyword -example: - -- -*`elasticsearch.slowlog.total_hits`*:: -+ --- -Total hits +[float] +=== cef.extensions -type: keyword +Extra vendor-specific extensions. -example: 42 --- -*`elasticsearch.slowlog.total_shards`*:: +*`cef.extensions.cp_app_risk`*:: + -- -Total queried shards - type: keyword -example: 22 - -- -*`elasticsearch.slowlog.routing`*:: +*`cef.extensions.cp_severity`*:: + -- -Routing - type: keyword -example: s01HZ2QBk9jw4gtgaFtn - -- -*`elasticsearch.slowlog.id`*:: +*`cef.extensions.ifname`*:: + -- -Id - type: keyword -example: - -- -*`elasticsearch.slowlog.type`*:: +*`cef.extensions.inzone`*:: + -- -Type - type: keyword -example: doc - -- -*`elasticsearch.slowlog.source`*:: +*`cef.extensions.layer_uuid`*:: + -- -Source of document that was indexed - type: keyword -- -[[exported-fields-envoyproxy]] -== Envoyproxy fields +*`cef.extensions.layer_name`*:: ++ +-- +type: keyword -Module for handling logs produced by envoy +-- +*`cef.extensions.logid`*:: ++ +-- +type: keyword +-- -[float] -=== envoyproxy +*`cef.extensions.loguid`*:: ++ +-- +type: keyword -Fields from envoy proxy logs after normalization +-- +*`cef.extensions.match_id`*:: ++ +-- +type: keyword +-- -*`envoyproxy.log_type`*:: +*`cef.extensions.nat_addtnl_rulenum`*:: + -- -Envoy log type, normally ACCESS +type: keyword +-- +*`cef.extensions.nat_rulenum`*:: ++ +-- type: keyword -- -*`envoyproxy.response_flags`*:: +*`cef.extensions.origin`*:: + -- -Response flags +type: keyword +-- +*`cef.extensions.originsicname`*:: ++ +-- type: keyword -- -*`envoyproxy.upstream_service_time`*:: +*`cef.extensions.outzone`*:: + -- -Upstream service time in nanoseconds - +type: keyword -type: long +-- -format: duration +*`cef.extensions.parent_rule`*:: ++ +-- +type: keyword -- -*`envoyproxy.request_id`*:: 
+*`cef.extensions.product`*:: + -- -ID of the request +type: keyword +-- +*`cef.extensions.rule_action`*:: ++ +-- type: keyword -- -*`envoyproxy.authority`*:: +*`cef.extensions.rule_uid`*:: + -- -Envoy proxy authority field +type: keyword +-- +*`cef.extensions.sequencenum`*:: ++ +-- type: keyword -- -*`envoyproxy.proxy_type`*:: +*`cef.extensions.service_id`*:: + -- -Envoy proxy type, tcp or http +type: keyword +-- +*`cef.extensions.version`*:: ++ +-- type: keyword -- -[[exported-fields-fortinet]] -== Fortinet fields +[[exported-fields-checkpoint]] +== Checkpoint fields -fortinet Module +Some checkpoint module [float] -=== fortinet +=== checkpoint -Fields from fortinet FortiOS +Module for parsing Checkpoint syslog. -*`fortinet.file.hash.crc32`*:: +*`checkpoint.confidence_level`*:: + -- -CRC32 Hash of file +Confidence level determined by ThreatCloud. -type: keyword +type: integer -- -[float] -=== firewall - -Module for parsing Fortinet syslog. - - - -*`fortinet.firewall.acct_stat`*:: +*`checkpoint.calc_desc`*:: + -- -Accounting state (RADIUS) +Log description. type: keyword -- -*`fortinet.firewall.acktime`*:: +*`checkpoint.dst_country`*:: + -- -Alarm Acknowledge Time +Destination country. type: keyword -- -*`fortinet.firewall.act`*:: +*`checkpoint.dst_user_name`*:: + -- -Action +Connected user name on the destination IP. type: keyword -- -*`fortinet.firewall.action`*:: +*`checkpoint.email_id`*:: + -- -Status of the session +Email number in smtp connection. type: keyword -- -*`fortinet.firewall.activity`*:: +*`checkpoint.email_subject`*:: + -- -HA activity message +Original email subject. type: keyword -- -*`fortinet.firewall.addr`*:: +*`checkpoint.email_session_id`*:: + -- -IP Address +Connection uuid. -type: ip +type: keyword -- -*`fortinet.firewall.addr_type`*:: +*`checkpoint.event_count`*:: + -- -Address Type +Number of events associated with the log. 
-type: keyword +type: long -- -*`fortinet.firewall.addrgrp`*:: +*`checkpoint.sys_message`*:: + -- -Address Group +System messages type: keyword -- -*`fortinet.firewall.adgroup`*:: +*`checkpoint.logid`*:: + -- -AD Group Name +System messages type: keyword -- -*`fortinet.firewall.admin`*:: +*`checkpoint.failure_impact`*:: + -- -Admin User +The impact of update service failure. type: keyword -- -*`fortinet.firewall.age`*:: +*`checkpoint.id`*:: + -- -Time in seconds - time passed since last seen +Override application ID. type: integer -- -*`fortinet.firewall.agent`*:: +*`checkpoint.information`*:: + -- -User agent - eg. agent="Mozilla/5.0" +Policy installation status for a specific blade. type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`checkpoint.layer_name`*:: + -- -Alarm ID +Layer name. -type: integer +type: keyword -- -*`fortinet.firewall.alert`*:: +*`checkpoint.layer_uuid`*:: + -- -Alert +Layer UUID. type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`checkpoint.log_id`*:: + -- -The checksum of the file submitted for analytics +Unique identity for logs. -type: keyword +type: integer -- -*`fortinet.firewall.analyticssubmit`*:: +*`checkpoint.malware_family`*:: + -- -The flag for analytics submission +Additional information on protection. type: keyword -- -*`fortinet.firewall.ap`*:: +*`checkpoint.origin_sic_name`*:: + -- -Access Point +Machine SIC. type: keyword -- -*`fortinet.firewall.app-type`*:: +*`checkpoint.policy_mgmt`*:: + -- -Address Type +Name of the Management Server that manages this Security Gateway. type: keyword -- -*`fortinet.firewall.appact`*:: +*`checkpoint.policy_name`*:: + -- -The security action from app control +Name of the last policy that this Security Gateway fetched. type: keyword -- -*`fortinet.firewall.appid`*:: +*`checkpoint.protection_id`*:: + -- -Application ID +Protection malware id. 
-type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`checkpoint.protection_name`*:: + -- -Application Control profile +Specific signature name of the attack. type: keyword -- -*`fortinet.firewall.apprisk`*:: +*`checkpoint.protection_type`*:: + -- -Application Risk Level +Type of protection used to detect the attack. type: keyword -- -*`fortinet.firewall.apscan`*:: +*`checkpoint.protocol`*:: + -- -The name of the AP, which scanned and detected the rogue AP +Protocol detected on the connection. type: keyword -- -*`fortinet.firewall.apsn`*:: +*`checkpoint.proxy_src_ip`*:: + -- -Access Point +Sender source IP (even when using proxy). -type: keyword +type: ip -- -*`fortinet.firewall.apstatus`*:: +*`checkpoint.rule`*:: + -- -Access Point status +Matched rule number. -type: keyword +type: integer -- -*`fortinet.firewall.aptype`*:: +*`checkpoint.rule_action`*:: + -- -Access Point type +Action of the matched rule in the access policy. type: keyword -- -*`fortinet.firewall.assigned`*:: +*`checkpoint.scan_direction`*:: + -- -Assigned IP Address +Scan direction. -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`checkpoint.session_id`*:: + -- -Assigned IP Address +Log uuid. -type: ip +type: keyword -- -*`fortinet.firewall.attachment`*:: +*`checkpoint.source_os`*:: + -- -The flag for email attachement +OS which generated the attack. type: keyword -- -*`fortinet.firewall.attack`*:: +*`checkpoint.src_country`*:: + -- -Attack Name +Country name, derived from connection source IP address. type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`checkpoint.src_user_name`*:: + -- -The trigger patterns and the packetdata with base64 encoding +User name connected to source IP type: keyword -- -*`fortinet.firewall.attackcontextid`*:: +*`checkpoint.ticket_id`*:: + -- -Attack context id / total +Unique ID per file. 
type: keyword -- -*`fortinet.firewall.attackid`*:: +*`checkpoint.tls_server_host_name`*:: + -- -Attack ID +SNI/CN from encrypted TLS connection used by URLF for categorization. -type: integer +type: keyword -- -*`fortinet.firewall.auditid`*:: +*`checkpoint.verdict`*:: + -- -Audit ID +TE engine verdict Possible values: Malicious/Benign/Error. -type: long +type: keyword -- -*`fortinet.firewall.auditscore`*:: +*`checkpoint.user`*:: + -- -The Audit Score +Source user name. type: keyword -- -*`fortinet.firewall.audittime`*:: +*`checkpoint.vendor_list`*:: + -- -The time of the audit +The vendor name that provided the verdict for a malicious URL. -type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`checkpoint.web_server_type`*:: + -- -Authorization Group +Web server detected in the HTTP response. type: keyword -- -*`fortinet.firewall.authid`*:: +*`checkpoint.client_name`*:: + -- -Authentication ID +Client Application or Software Blade that detected the event. type: keyword -- -*`fortinet.firewall.authproto`*:: +*`checkpoint.client_version`*:: + -- -The protocol that initiated the authentication +Build version of SandBlast Agent client installed on the computer. type: keyword -- -*`fortinet.firewall.authserver`*:: +*`checkpoint.extension_version`*:: + -- -Authentication server +Build version of the SandBlast Agent browser extension. type: keyword -- -*`fortinet.firewall.bandwidth`*:: +*`checkpoint.host_time`*:: + -- -Bandwidth +Local time on the endpoint computer. type: keyword -- -*`fortinet.firewall.banned_rule`*:: +*`checkpoint.installed_products`*:: + -- -NAC quarantine Banned Rule Name +List of installed Endpoint Software Blades. type: keyword -- -*`fortinet.firewall.banned_src`*:: +*`checkpoint.cc`*:: + -- -NAC quarantine Banned Source IP +The Carbon Copy address of the email. 
type: keyword -- -*`fortinet.firewall.banword`*:: +*`checkpoint.parent_process_username`*:: + -- -Banned word +Owner username of the parent process of the process that triggered the attack. type: keyword -- -*`fortinet.firewall.botnetdomain`*:: +*`checkpoint.process_username`*:: + -- -Botnet Domain Name +Owner username of the process that triggered the attack. type: keyword -- -*`fortinet.firewall.botnetip`*:: +*`checkpoint.audit_status`*:: + -- -Botnet IP Address +Audit Status. Can be Success or Failure. -type: ip +type: keyword -- -*`fortinet.firewall.bssid`*:: +*`checkpoint.objecttable`*:: + -- -Service Set ID +Table of affected objects. type: keyword -- -*`fortinet.firewall.call_id`*:: +*`checkpoint.objecttype`*:: + -- -Caller ID +The type of the affected object. type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`checkpoint.operation_number`*:: + -- -The FortiOS Carrier end-point identification +The operation nuber. type: keyword -- -*`fortinet.firewall.cat`*:: +*`checkpoint.email_recipients_num`*:: + -- -DNS category ID +Amount of recipients whom the mail was sent to. type: integer -- -*`fortinet.firewall.category`*:: +*`checkpoint.suppressed_logs`*:: + -- -Authentication category +Aggregated connections for five minutes on the same source, destination and port. -type: keyword +type: integer -- -*`fortinet.firewall.cc`*:: +*`checkpoint.blade_name`*:: + -- -CC Email Address +Blade name. type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`checkpoint.status`*:: + -- -Cdrcontent +Ok/Warning/Error. type: keyword -- -*`fortinet.firewall.centralnatid`*:: +*`checkpoint.short_desc`*:: + -- -Central NAT ID +Short description of the process that was executed. -type: integer +type: keyword -- -*`fortinet.firewall.cert`*:: +*`checkpoint.long_desc`*:: + -- -Certificate +More information on the process (usually describing error reason in failure). 
type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`checkpoint.scan_hosts_hour`*:: + -- -Certificate type +Number of unique hosts during the last hour. -type: keyword +type: integer -- -*`fortinet.firewall.certhash`*:: +*`checkpoint.scan_hosts_day`*:: + -- -Certificate hash +Number of unique hosts during the last day. -type: keyword +type: integer -- -*`fortinet.firewall.cfgattr`*:: +*`checkpoint.scan_hosts_week`*:: + -- -Configuration attribute +Number of unique hosts during the last week. -type: keyword +type: integer -- -*`fortinet.firewall.cfgobj`*:: +*`checkpoint.unique_detected_hour`*:: + -- -Configuration object +Detected virus for a specific host during the last hour. -type: keyword +type: integer -- -*`fortinet.firewall.cfgpath`*:: +*`checkpoint.unique_detected_day`*:: + -- -Configuration path +Detected virus for a specific host during the last day. -type: keyword +type: integer -- -*`fortinet.firewall.cfgtid`*:: +*`checkpoint.unique_detected_week`*:: + -- -Configuration transaction ID +Detected virus for a specific host during the last week. -type: keyword +type: integer -- -*`fortinet.firewall.cfgtxpower`*:: +*`checkpoint.scan_mail`*:: + -- -Configuration TX power +Number of emails that were scanned by "AB malicious activity" engine. type: integer -- -*`fortinet.firewall.channel`*:: +*`checkpoint.additional_ip`*:: + -- -Wireless Channel +DNS host name. -type: integer +type: keyword -- -*`fortinet.firewall.channeltype`*:: +*`checkpoint.description`*:: + -- -SSH channel type +Additional explanation how the security gateway enforced the connection. type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`checkpoint.email_spam_category`*:: + -- -Chassis ID +Email categories. Possible values: spam/not spam/phishing. -type: integer +type: keyword -- -*`fortinet.firewall.checksum`*:: +*`checkpoint.email_control_analysis`*:: + -- -The checksum of the scanned file +Message classification, received from spam vendor engine. 
type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`checkpoint.scan_results`*:: + -- -HTTP Headers +"Infected"/description of a failure. type: keyword -- -*`fortinet.firewall.cldobjid`*:: +*`checkpoint.original_queue_id`*:: + -- -Connector object ID +Original postfix email queue id. type: keyword -- -*`fortinet.firewall.client_addr`*:: +*`checkpoint.risk`*:: + -- -Wifi client address +Risk level we got from the engine. type: keyword -- -*`fortinet.firewall.cloudaction`*:: +*`checkpoint.observable_name`*:: + -- -Cloud Action +IOC observable signature name. type: keyword -- -*`fortinet.firewall.clouduser`*:: +*`checkpoint.observable_id`*:: + -- -Cloud User +IOC observable signature id. type: keyword -- -*`fortinet.firewall.column`*:: +*`checkpoint.observable_comment`*:: + -- -VOIP Column +IOC observable signature description. -type: integer +type: keyword -- -*`fortinet.firewall.command`*:: +*`checkpoint.indicator_name`*:: + -- -CLI Command +IOC indicator name. type: keyword -- -*`fortinet.firewall.community`*:: +*`checkpoint.indicator_description`*:: + -- -SNMP Community +IOC indicator description. type: keyword -- -*`fortinet.firewall.configcountry`*:: +*`checkpoint.indicator_reference`*:: + -- -Configuration country +IOC indicator reference. type: keyword -- -*`fortinet.firewall.connection_type`*:: +*`checkpoint.indicator_uuid`*:: + -- -FortiClient Connection Type +IOC indicator uuid. type: keyword -- -*`fortinet.firewall.conserve`*:: +*`checkpoint.app_desc`*:: + -- -Flag for conserve mode +Application description. type: keyword -- -*`fortinet.firewall.constraint`*:: +*`checkpoint.app_id`*:: + -- -WAF http protocol restrictions +Application ID. -type: keyword +type: integer -- -*`fortinet.firewall.contentdisarmed`*:: +*`checkpoint.app_sig_id`*:: + -- -Email scanned content +IOC indicator description. 
type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`checkpoint.certificate_resource`*:: + -- -Content Type from HTTP header +HTTPS resource Possible values: SNI or domain name (DN). type: keyword -- -*`fortinet.firewall.cookies`*:: +*`checkpoint.certificate_validation`*:: + -- -VPN Cookie +Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. type: keyword -- -*`fortinet.firewall.count`*:: +*`checkpoint.browse_time`*:: + -- -Counts of action type +Application session browse time. -type: integer +type: keyword -- -*`fortinet.firewall.countapp`*:: +*`checkpoint.limit_requested`*:: + -- -Number of App Ctrl logs associated with the session +Indicates whether data limit was requested for the session. type: integer -- -*`fortinet.firewall.countav`*:: +*`checkpoint.limit_applied`*:: + -- -Number of AV logs associated with the session +Indicates whether the session was actually date limited. type: integer -- -*`fortinet.firewall.countcifs`*:: +*`checkpoint.dropped_total`*:: + -- -Number of CIFS logs associated with the session +Amount of dropped packets (both incoming and outgoing). type: integer -- -*`fortinet.firewall.countdlp`*:: +*`checkpoint.client_type_os`*:: + -- -Number of DLP logs associated with the session +Client OS detected in the HTTP request. -type: integer +type: keyword -- -*`fortinet.firewall.countdns`*:: +*`checkpoint.name`*:: + -- -Number of DNS logs associated with the session +Application name. -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`checkpoint.properties`*:: + -- -Number of email logs associated with the session +Application categories. -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`checkpoint.sig_id`*:: + -- -Number of ff logs associated with the session +Application's signature ID which how it was detected by. 
-type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`checkpoint.desc`*:: + -- -Number of IPS logs associated with the session +Override application description. -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`checkpoint.referrer_self_uid`*:: + -- -Number of SSH logs associated with the session +UUID of the current log. -type: integer +type: keyword -- -*`fortinet.firewall.countssl`*:: +*`checkpoint.referrer_parent_uid`*:: + -- -Number of SSL logs associated with the session +Log UUID of the referring application. -type: integer +type: keyword -- -*`fortinet.firewall.countwaf`*:: +*`checkpoint.needs_browse_time`*:: + -- -Number of WAF logs associated with the session +Browse time required for the connection. type: integer -- -*`fortinet.firewall.countweb`*:: +*`checkpoint.cluster_info`*:: + -- -Number of Web filter logs associated with the session +Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. -type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`checkpoint.sync`*:: + -- -CPU Usage +Sync status and the reason (stable, at risk). -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`checkpoint.file_direction`*:: + -- -Client Reputation Action +File direction. Possible options: upload/download. -type: integer +type: keyword -- -*`fortinet.firewall.criticalcount`*:: +*`checkpoint.invalid_file_size`*:: + -- -Number of critical ratings +File_size field is valid only if this field is set to 0. type: integer -- -*`fortinet.firewall.crl`*:: +*`checkpoint.top_archive_file_name`*:: + -- -Client Reputation Level +In case of archive file: the file that was sent/received. type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`checkpoint.data_type_name`*:: + -- -Client Reputation Level +Data type in rulebase that was matched. 
type: keyword -- -*`fortinet.firewall.crscore`*:: +*`checkpoint.specific_data_type_name`*:: + -- -Some description +Compound/Group scenario, data type that was matched. -type: integer +type: keyword -- -*`fortinet.firewall.cveid`*:: +*`checkpoint.word_list`*:: + -- -CVE ID +Words matched by data type. type: keyword -- -*`fortinet.firewall.daemon`*:: +*`checkpoint.info`*:: + -- -Daemon name +Special log message. type: keyword -- -*`fortinet.firewall.datarange`*:: +*`checkpoint.outgoing_url`*:: + -- -Data range for reports +URL related to this log (for HTTP). type: keyword -- -*`fortinet.firewall.date`*:: +*`checkpoint.dlp_rule_name`*:: + -- -Date +Matched rule name. type: keyword -- -*`fortinet.firewall.ddnsserver`*:: +*`checkpoint.dlp_recipients`*:: + -- -DDNS server +Mail recipients. -type: ip +type: keyword -- -*`fortinet.firewall.desc`*:: +*`checkpoint.dlp_subject`*:: + -- -Description +Mail subject. type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`checkpoint.dlp_word_list`*:: + -- -Detection method +Phrases matched by data type. type: keyword -- -*`fortinet.firewall.devcategory`*:: +*`checkpoint.dlp_template_score`*:: + -- -Device category +Template data type match score. type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`checkpoint.message_size`*:: + -- -HA device Interface Name +Mail/post size. -type: keyword +type: integer -- -*`fortinet.firewall.devtype`*:: +*`checkpoint.dlp_incident_uid`*:: + -- -Device type +Unique ID of the matched rule. type: keyword -- -*`fortinet.firewall.dhcp_msg`*:: +*`checkpoint.dlp_related_incident_uid`*:: + -- -DHCP Message +Other ID related to this one. type: keyword -- -*`fortinet.firewall.dintf`*:: +*`checkpoint.dlp_data_type_name`*:: + -- -Destination interface +Matched data type. type: keyword -- -*`fortinet.firewall.disk`*:: +*`checkpoint.dlp_data_type_uid`*:: + -- -Assosciated disk +Unique ID of the matched data type. 
type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`checkpoint.dlp_violation_description`*:: + -- -Disk logging rate +Violation descriptions described in the rulebase. -type: long +type: keyword -- -*`fortinet.firewall.dlpextra`*:: +*`checkpoint.dlp_relevant_data_types`*:: + -- -DLP extra information +In case of Compound/Group: the inner data types that were matched. type: keyword -- -*`fortinet.firewall.docsource`*:: +*`checkpoint.dlp_action_reason`*:: + -- -DLP fingerprint document source +Action chosen reason. type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`checkpoint.dlp_categories`*:: + -- -CIFS domain auth state +Data type category. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`checkpoint.dlp_transint`*:: + -- -CIFS domain auth type +HTTP/SMTP/FTP. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrldomain`*:: +*`checkpoint.duplicate`*:: + -- -CIFS domain auth domain +Log marked as duplicated, when mail is split and the Security Gateway sees it twice. type: keyword -- -*`fortinet.firewall.domainctrlip`*:: +*`checkpoint.incident_extension`*:: + -- -CIFS Domain IP +Matched data type. -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`checkpoint.matched_file`*:: + -- -CIFS Domain name +Unique ID of the matched data type. type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`checkpoint.matched_file_text_segments`*:: + -- -CIFS Domain connection protocol +Fingerprint: number of text segments matched by this traffic. type: integer -- -*`fortinet.firewall.domainctrlusername`*:: +*`checkpoint.matched_file_percentage`*:: + -- -CIFS Domain username +Fingerprint: match percentage of the traffic. -type: keyword +type: integer -- -*`fortinet.firewall.domainfilteridx`*:: +*`checkpoint.dlp_additional_action`*:: + -- -Domain filter ID +Watermark/None. 
-type: integer +type: keyword -- -*`fortinet.firewall.domainfilterlist`*:: +*`checkpoint.dlp_watermark_profile`*:: + -- -Domain filter name +Watermark which was applied. type: keyword -- -*`fortinet.firewall.ds`*:: +*`checkpoint.dlp_repository_id`*:: + -- -Direction with distribution system +ID of scanned repository. type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`checkpoint.dlp_repository_root_path`*:: + -- -Destination interface +Repository path. type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`checkpoint.scan_id`*:: + -- -Destination interface role +Sequential number of scan. type: keyword -- -*`fortinet.firewall.dstcountry`*:: +*`checkpoint.special_properties`*:: + -- -Destination country +If this field is set to '1' the log will not be shown (in use for monitoring scan progress). -type: keyword +type: integer -- -*`fortinet.firewall.dstdevcategory`*:: +*`checkpoint.dlp_repository_total_size`*:: + -- -Destination device category +Repository size. -type: keyword +type: integer -- -*`fortinet.firewall.dstdevtype`*:: +*`checkpoint.dlp_repository_files_number`*:: + -- -Destination device type +Number of files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dstfamily`*:: +*`checkpoint.dlp_repository_scanned_files_number`*:: + -- -Destination OS family +Number of scanned files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dsthwvendor`*:: +*`checkpoint.duration`*:: + -- -Destination HW vendor +Scan duration. type: keyword -- -*`fortinet.firewall.dsthwversion`*:: +*`checkpoint.dlp_fingerprint_long_status`*:: + -- -Destination HW version +Scan status - long format. type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: +*`checkpoint.dlp_fingerprint_short_status`*:: + -- -Destination interface service +Scan status - short format. type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`checkpoint.dlp_repository_directories_number`*:: + -- -Destination OS name +Number of directories in repository. 
-type: keyword +type: integer -- -*`fortinet.firewall.dstosversion`*:: +*`checkpoint.dlp_repository_unreachable_directories_number`*:: + -- -Destination OS version +Number of directories the Security Gateway was unable to read. -type: keyword +type: integer -- -*`fortinet.firewall.dstserver`*:: +*`checkpoint.dlp_fingerprint_files_number`*:: + -- -Destination server +Number of successfully scanned files in repository. type: integer -- -*`fortinet.firewall.dstssid`*:: +*`checkpoint.dlp_repository_skipped_files_number`*:: + -- -Destination SSID +Skipped number of files because of configuration. -type: keyword +type: integer -- -*`fortinet.firewall.dstswversion`*:: +*`checkpoint.dlp_repository_scanned_directories_number`*:: + -- -Destination software version +Amount of directories scanned. -type: keyword +type: integer -- -*`fortinet.firewall.dstunauthusersource`*:: +*`checkpoint.number_of_errors`*:: + -- -Destination unauthenticated source +Number of files that were not scanned due to an error. -type: keyword +type: integer -- -*`fortinet.firewall.dstuuid`*:: +*`checkpoint.next_scheduled_scan_date`*:: + -- -UUID of the Destination IP address +Next scan scheduled time according to time object. type: keyword -- -*`fortinet.firewall.duid`*:: +*`checkpoint.dlp_repository_scanned_total_size`*:: + -- -DHCP UID +Size scanned. -type: keyword +type: integer -- -*`fortinet.firewall.eapolcnt`*:: +*`checkpoint.dlp_repository_reached_directories_number`*:: + -- -EAPOL packet count +Number of scanned directories in repository. type: integer -- -*`fortinet.firewall.eapoltype`*:: +*`checkpoint.dlp_repository_not_scanned_directories_percentage`*:: + -- -EAPOL packet type +Percentage of directories the Security Gateway was unable to read. -type: keyword +type: integer -- -*`fortinet.firewall.encrypt`*:: +*`checkpoint.speed`*:: + -- -Whether the packet is encrypted or not +Current scan speed. 
type: integer -- -*`fortinet.firewall.encryption`*:: +*`checkpoint.dlp_repository_scan_progress`*:: + -- -Encryption method +Scan percentage. -type: keyword +type: integer -- -*`fortinet.firewall.epoch`*:: +*`checkpoint.sub_policy_name`*:: + -- -Epoch used for locating file +Layer name. -type: integer +type: keyword -- -*`fortinet.firewall.espauth`*:: +*`checkpoint.sub_policy_uid`*:: + -- -ESP Authentication +Layer uid. type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`checkpoint.fw_message`*:: + -- -ESP Transform +Used for various firewall errors. type: keyword -- -*`fortinet.firewall.exch`*:: +*`checkpoint.message`*:: + -- -Mail Exchanges from DNS response answer section +ISP link has failed. type: keyword -- -*`fortinet.firewall.exchange`*:: +*`checkpoint.isp_link`*:: + -- -Mail Exchanges from DNS response answer section +Name of ISP link. type: keyword -- -*`fortinet.firewall.expectedsignature`*:: +*`checkpoint.fw_subproduct`*:: + -- -Expected SSL signature +Can be vpn/non vpn. type: keyword -- -*`fortinet.firewall.expiry`*:: +*`checkpoint.sctp_error`*:: + -- -FortiGuard override expiry timestamp +Error information, what caused sctp to fail on out_of_state. type: keyword -- -*`fortinet.firewall.fams_pause`*:: +*`checkpoint.chunk_type`*:: + -- -Fortinet Analysis and Management Service Pause +Chunck of the sctp stream. -type: integer +type: keyword -- -*`fortinet.firewall.fazlograte`*:: +*`checkpoint.sctp_association_state`*:: + -- -FortiAnalyzer Logging Rate +The bad state you were trying to update to. -type: long +type: keyword -- -*`fortinet.firewall.fctemssn`*:: +*`checkpoint.tcp_packet_out_of_state`*:: + -- -FortiClient Endpoint SSN +State violation. type: keyword -- -*`fortinet.firewall.fctuid`*:: +*`checkpoint.tcp_flags`*:: + -- -FortiClient UID +TCP packet flags (SYN, ACK, etc.,). type: keyword -- -*`fortinet.firewall.field`*:: +*`checkpoint.connectivity_level`*:: + -- -NTP status field +Log for a new connection in wire mode. 
type: keyword -- -*`fortinet.firewall.filefilter`*:: +*`checkpoint.ip_option`*:: + -- -The filter used to identify the affected file +IP option that was dropped. -type: keyword +type: integer -- -*`fortinet.firewall.filehashsrc`*:: +*`checkpoint.tcp_state`*:: + -- -Filehash source +Log reinting a tcp state change. type: keyword -- -*`fortinet.firewall.filtercat`*:: +*`checkpoint.expire_time`*:: + -- -DLP filter category +Connection closing time. type: keyword -- -*`fortinet.firewall.filteridx`*:: +*`checkpoint.icmp_type`*:: + -- -DLP filter ID +In case a connection is ICMP, type info will be added to the log. type: integer -- -*`fortinet.firewall.filtername`*:: +*`checkpoint.icmp_code`*:: + -- -DLP rule name +In case a connection is ICMP, code info will be added to the log. -type: keyword +type: integer -- -*`fortinet.firewall.filtertype`*:: +*`checkpoint.rpc_prog`*:: + -- -DLP filter type +Log for new RPC state - prog values. -type: keyword +type: integer -- -*`fortinet.firewall.fortiguardresp`*:: +*`checkpoint.dce-rpc_interface_uuid`*:: + -- -Antispam ESP value +Log for new RPC state - UUID values type: keyword -- -*`fortinet.firewall.forwardedfor`*:: +*`checkpoint.elapsed`*:: + -- -Email address forwarded +Time passed since start time. type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`checkpoint.icmp`*:: + -- -FQDN +Number of packets, received by the client. type: keyword -- -*`fortinet.firewall.frametype`*:: +*`checkpoint.capture_uuid`*:: + -- -Wireless frametype +UUID generated for the capture. Used when enabling the capture when logging. type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`checkpoint.diameter_app_ID`*:: + -- -Free disk integer +The ID of diameter application. type: integer -- -*`fortinet.firewall.from`*:: +*`checkpoint.diameter_cmd_code`*:: + -- -From email address +Diameter not allowed application command id. 
-type: keyword +type: integer -- -*`fortinet.firewall.from_vcluster`*:: +*`checkpoint.diameter_msg_type`*:: + -- -Source virtual cluster number +Diameter message type. -type: integer +type: keyword -- -*`fortinet.firewall.fsaverdict`*:: +*`checkpoint.cp_message`*:: + -- -FSA verdict +Used to log a general message. -type: keyword +type: integer -- -*`fortinet.firewall.fwserver_name`*:: +*`checkpoint.log_delay`*:: + -- -Web proxy server name +Time left before deleting template. -type: keyword +type: integer -- -*`fortinet.firewall.gateway`*:: +*`checkpoint.attack_status`*:: + -- -Gateway ip address for PPPoE status report +In case of a malicious event on an endpoint computer, the status of the attack. -type: ip +type: keyword -- -*`fortinet.firewall.green`*:: +*`checkpoint.impacted_files`*:: + -- -Memory status +In case of an infection on an endpoint computer, the list of files that the malware impacted. type: keyword -- -*`fortinet.firewall.groupid`*:: +*`checkpoint.remediated_files`*:: + -- -User Group ID +In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. -type: integer +type: keyword -- -*`fortinet.firewall.ha-prio`*:: +*`checkpoint.triggered_by`*:: + -- -HA Priority +The name of the mechanism that triggered the Software Blade to enforce a protection. -type: integer +type: keyword -- -*`fortinet.firewall.ha_group`*:: +*`checkpoint.https_inspection_rule_id`*:: + -- -HA Group +ID of the matched rule. type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`checkpoint.https_inspection_rule_name`*:: + -- -HA Role +Name of the matched rule. type: keyword -- -*`fortinet.firewall.handshake`*:: +*`checkpoint.app_properties`*:: + -- -SSL Handshake +List of all found categories. type: keyword -- -*`fortinet.firewall.hash`*:: +*`checkpoint.https_validation`*:: + -- -Hash value of downloaded file +Precise error, describing HTTPS inspection failure. 
type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`checkpoint.https_inspection_action`*:: + -- -Heartbeat down reason +HTTPS inspection action (Inspect/Bypass/Error). type: keyword -- -*`fortinet.firewall.highcount`*:: +*`checkpoint.icap_service_id`*:: + -- -Highcount fabric summary +Service ID, can work with multiple servers, treated as services. type: integer -- -*`fortinet.firewall.host`*:: +*`checkpoint.icap_server_name`*:: + -- -Hostname +Server name. type: keyword -- -*`fortinet.firewall.iaid`*:: +*`checkpoint.internal_error`*:: + -- -DHCPv6 id +Internal error, for troubleshooting type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`checkpoint.icap_more_info`*:: + -- -Destination Port of the ICMP message +Free text for verdict. -type: keyword +type: integer -- -*`fortinet.firewall.icmpid`*:: +*`checkpoint.reply_status`*:: + -- -Source port of the ICMP message +ICAP reply status code, e.g. 200 or 204. -type: keyword +type: integer -- -*`fortinet.firewall.icmptype`*:: +*`checkpoint.icap_server_service`*:: + -- -The type of ICMP message +Service name, as given in the ICAP URI type: keyword -- -*`fortinet.firewall.identifier`*:: +*`checkpoint.mirror_and_decrypt_type`*:: + -- -Network traffic identifier +Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). -type: integer +type: keyword -- -*`fortinet.firewall.in_spi`*:: +*`checkpoint.interface_name`*:: + -- -IPSEC inbound SPI +Designated interface for mirror And decrypt. type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`checkpoint.session_uid`*:: + -- -Incident serial number +HTTP session-id. -type: integer +type: keyword -- -*`fortinet.firewall.infected`*:: +*`checkpoint.broker_publisher`*:: + -- -Infected MMS +IP address of the broker publisher who shared the session information. 
-type: integer +type: ip -- -*`fortinet.firewall.infectedfilelevel`*:: +*`checkpoint.src_user_dn`*:: + -- -DLP infected file level +User distinguished name connected to source IP. -type: integer +type: keyword -- -*`fortinet.firewall.informationsource`*:: +*`checkpoint.proxy_user_name`*:: + -- -Information source +User name connected to proxy IP. type: keyword -- -*`fortinet.firewall.init`*:: +*`checkpoint.proxy_machine_name`*:: + -- -IPSEC init stage +Machine name connected to proxy IP. -type: keyword +type: integer -- -*`fortinet.firewall.initiator`*:: +*`checkpoint.proxy_user_dn`*:: + -- -Original login user name for Fortiguard override +User distinguished name connected to proxy IP. type: keyword -- -*`fortinet.firewall.interface`*:: +*`checkpoint.query`*:: + -- -Related interface +DNS query. type: keyword -- -*`fortinet.firewall.intf`*:: +*`checkpoint.dns_query`*:: + -- -Related interface +DNS query. type: keyword -- -*`fortinet.firewall.invalidmac`*:: +*`checkpoint.inspection_item`*:: + -- -The MAC address with invalid OUI +Blade element performed inspection. type: keyword -- -*`fortinet.firewall.ip`*:: +*`checkpoint.performance_impact`*:: + -- -Related IP +Protection performance impact. -type: ip +type: integer -- -*`fortinet.firewall.iptype`*:: +*`checkpoint.inspection_category`*:: + -- -Related IP type +Inspection category: protocol anomaly, signature etc. type: keyword -- -*`fortinet.firewall.keyword`*:: +*`checkpoint.inspection_profile`*:: + -- -Keyword used for search +Profile which the activated protection belongs to. type: keyword -- -*`fortinet.firewall.kind`*:: +*`checkpoint.summary`*:: + -- -VOIP kind +Summary message of a non-compliant DNS traffic drops or detects. type: keyword -- -*`fortinet.firewall.lanin`*:: +*`checkpoint.question_rdata`*:: + -- -LAN incoming traffic in bytes +List of question records domains. 
-type: long +type: keyword -- -*`fortinet.firewall.lanout`*:: +*`checkpoint.answer_rdata`*:: + -- -LAN outbound traffic in bytes +List of answer resource records to the questioned domains. -type: long +type: keyword -- -*`fortinet.firewall.lease`*:: +*`checkpoint.authority_rdata`*:: + -- -DHCP lease +List of authoritative servers. -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`checkpoint.additional_rdata`*:: + -- -Maximum Number of FortiClients for the License +List of additional resource records. type: keyword -- -*`fortinet.firewall.limit`*:: +*`checkpoint.files_names`*:: + -- -Virtual Domain Resource Limit +List of files requested by FTP. -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`checkpoint.ftp_user`*:: + -- -VOIP line +FTP username. type: keyword -- -*`fortinet.firewall.live`*:: +*`checkpoint.mime_from`*:: + -- -Time in seconds +Sender's address. -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`checkpoint.mime_to`*:: + -- -Local IP for a PPPD Connection +List of receiver address. -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`checkpoint.bcc`*:: + -- -Log message +List of BCC addresses. type: keyword -- -*`fortinet.firewall.login`*:: +*`checkpoint.content_type`*:: + -- -SSH login +Mail content type. Possible values: application/msword, text/html, image/gif etc. type: keyword -- -*`fortinet.firewall.lowcount`*:: +*`checkpoint.user_agent`*:: + -- -Fabric lowcount +String identifying requesting software user agent. -type: integer +type: keyword -- -*`fortinet.firewall.mac`*:: +*`checkpoint.referrer`*:: + -- -DHCP mac address +Referrer HTTP request header, previous web page address. type: keyword -- -*`fortinet.firewall.malform_data`*:: +*`checkpoint.http_location`*:: + -- -VOIP malformed data +Response header, indicates the URL to redirect a page to. 
-type: integer +type: keyword -- -*`fortinet.firewall.malform_desc`*:: +*`checkpoint.content_disposition`*:: + -- -VOIP malformed data description +Indicates how the content is expected to be displayed inline in the browser. type: keyword -- -*`fortinet.firewall.manuf`*:: +*`checkpoint.via`*:: + -- -Manufacturer name +Via header is added by proxies for tracking purposes to avoid sending reqests in loop. type: keyword -- -*`fortinet.firewall.masterdstmac`*:: +*`checkpoint.http_server`*:: + -- -Master mac address for a host with multiple network interfaces +Server HTTP header value, contains information about the software used by the origin server, which handles the request. type: keyword -- -*`fortinet.firewall.mastersrcmac`*:: +*`checkpoint.content_length`*:: + -- -The master MAC address for a host that has multiple network interfaces +Indicates the size of the entity-body of the HTTP header. type: keyword -- -*`fortinet.firewall.mediumcount`*:: +*`checkpoint.authorization`*:: + -- -Fabric medium count +Authorization HTTP header value. -type: integer +type: keyword -- -*`fortinet.firewall.mem`*:: +*`checkpoint.http_host`*:: + -- -Memory usage system statistics +Domain name of the server that the HTTP request is sent to. type: keyword -- -*`fortinet.firewall.meshmode`*:: +*`checkpoint.inspection_settings_log`*:: + -- -Wireless mesh mode +Indicats that the log was released by inspection settings. type: keyword -- -*`fortinet.firewall.message_type`*:: +*`checkpoint.cvpn_resource`*:: + -- -VOIP message type +Mobile Access application. type: keyword -- -*`fortinet.firewall.method`*:: +*`checkpoint.cvpn_category`*:: + -- -HTTP method +Mobile Access application type. type: keyword -- -*`fortinet.firewall.mgmtcnt`*:: +*`checkpoint.url`*:: + -- -The number of unauthorized client flooding managemet frames +Translated URL. 
-type: integer +type: keyword -- -*`fortinet.firewall.mode`*:: +*`checkpoint.reject_id`*:: + -- -IPSEC mode +A reject ID that corresponds to the one presented in the Mobile Access error page. type: keyword -- -*`fortinet.firewall.module`*:: +*`checkpoint.fs-proto`*:: + -- -PCI-DSS module +The file share protocol used in mobile acess file share application. type: keyword -- -*`fortinet.firewall.monitor-name`*:: +*`checkpoint.app_package`*:: + -- -Health Monitor Name +Unique identifier of the application on the protected mobile device. type: keyword -- -*`fortinet.firewall.monitor-type`*:: +*`checkpoint.appi_name`*:: + -- -Health Monitor Type +Name of application downloaded on the protected mobile device. type: keyword -- -*`fortinet.firewall.mpsk`*:: +*`checkpoint.app_repackaged`*:: + -- -Wireless MPSK +Indicates whether the original application was repackage not by the official developer. type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`checkpoint.app_sid_id`*:: + -- -Message Protocol Number +Unique SHA identifier of a mobile application. type: keyword -- -*`fortinet.firewall.mtu`*:: +*`checkpoint.app_version`*:: + -- -Max Transmission Unit Value +Version of the application downloaded on the protected mobile device. -type: integer +type: keyword -- -*`fortinet.firewall.name`*:: +*`checkpoint.developer_certificate_name`*:: + -- -Name +Name of the developer's certificate that was used to sign the mobile application. type: keyword -- -*`fortinet.firewall.nat`*:: +*`checkpoint.email_control`*:: + -- -NAT IP Address +Engine name. type: keyword -- -*`fortinet.firewall.netid`*:: +*`checkpoint.email_message_id`*:: + -- -Connector NetID +Email session id (uniqe ID of the mail). type: keyword -- -*`fortinet.firewall.new_status`*:: +*`checkpoint.email_queue_id`*:: + -- -New status on user change +Postfix email queue id. type: keyword -- -*`fortinet.firewall.new_value`*:: +*`checkpoint.email_queue_name`*:: + -- -New Virtual Domain Name +Postfix email queue name. 
type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`checkpoint.file_name`*:: + -- -New Channel Number +Malicious file name. -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`checkpoint.failure_reason`*:: + -- -New Chassis ID +MTA failure description. -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`checkpoint.email_headers`*:: + -- -New Slot Number +String containing all the email headers. -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`checkpoint.arrival_time`*:: + -- -Time interval in seconds for the next statistics. +Email arrival timestamp. -type: integer +type: keyword -- -*`fortinet.firewall.nf_type`*:: +*`checkpoint.email_status`*:: + -- -Notification Type +Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended type: keyword -- -*`fortinet.firewall.noise`*:: +*`checkpoint.status_update`*:: + -- -Wifi Noise +Last time log was updated. -type: integer +type: keyword -- -*`fortinet.firewall.old_status`*:: +*`checkpoint.delivery_time`*:: + -- -Original Status +Timestamp of when email was delivered (MTA finished handling the email. type: keyword -- -*`fortinet.firewall.old_value`*:: +*`checkpoint.links_num`*:: + -- -Original Virtual Domain name +Number of links in the mail. -type: keyword +type: integer -- -*`fortinet.firewall.oldchannel`*:: +*`checkpoint.attachments_num`*:: + -- -Original channel +Number of attachments in the mail. type: integer -- -*`fortinet.firewall.oldchassisid`*:: +*`checkpoint.email_content`*:: + -- -Original Chassis Number +Mail contents. Possible options: attachments/links & attachments/links/text only. -type: integer +type: keyword -- -*`fortinet.firewall.oldslot`*:: +*`checkpoint.allocated_ports`*:: + -- -Original Slot Number +Amount of allocated ports. type: integer -- -*`fortinet.firewall.oldsn`*:: +*`checkpoint.capacity`*:: + -- -Old Serial number +Capacity of the ports. 
-type: keyword +type: integer -- -*`fortinet.firewall.oldwprof`*:: +*`checkpoint.ports_usage`*:: + -- -Old Web Filter Profile +Percentage of allocated ports. -type: keyword - --- - -*`fortinet.firewall.onwire`*:: -+ --- -A flag to indicate if the AP is onwire or not - - -type: keyword +type: integer -- -*`fortinet.firewall.opercountry`*:: +*`checkpoint.nat_exhausted_pool`*:: + -- -Operating Country +4-tuple of an exhausted pool. type: keyword -- -*`fortinet.firewall.opertxpower`*:: +*`checkpoint.nat_rulenum`*:: + -- -Operating TX power +NAT rulebase first matched rule. type: integer -- -*`fortinet.firewall.osname`*:: +*`checkpoint.nat_addtnl_rulenum`*:: + -- -Operating System name +When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. -type: keyword +type: integer -- -*`fortinet.firewall.osversion`*:: +*`checkpoint.message_info`*:: + -- -Operating System version +Used for information messages, for example:NAT connection has ended. type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`checkpoint.nat46`*:: + -- -Out SPI +NAT 46 status, in most cases "enabled". type: keyword -- -*`fortinet.firewall.outintf`*:: +*`checkpoint.end_time`*:: + -- -Out interface +TCP connection end time. type: keyword -- -*`fortinet.firewall.passedcount`*:: -+ --- -Fabric passed count - - -type: integer - --- - -*`fortinet.firewall.passwd`*:: +*`checkpoint.tcp_end_reason`*:: + -- -Changed user password information +Reason for TCP connection closure. type: keyword -- -*`fortinet.firewall.path`*:: +*`checkpoint.cgnet`*:: + -- -Path of looped configuration for security fabric +Describes NAT allocation for specific subscriber. type: keyword -- -*`fortinet.firewall.peer`*:: +*`checkpoint.subscriber`*:: + -- -WAN optimization peer +Source IP before CGNAT. -type: keyword +type: ip -- -*`fortinet.firewall.peer_notif`*:: +*`checkpoint.hide_ip`*:: + -- -VPN peer notification +Source IP which will be used after CGNAT. 
-type: keyword +type: ip -- -*`fortinet.firewall.phase2_name`*:: +*`checkpoint.int_start`*:: + -- -VPN phase2 name +Subscriber start int which will be used for NAT. -type: keyword +type: integer -- -*`fortinet.firewall.phone`*:: +*`checkpoint.int_end`*:: + -- -VOIP Phone +Subscriber end int which will be used for NAT. -type: keyword +type: integer -- -*`fortinet.firewall.pid`*:: +*`checkpoint.packet_amount`*:: + -- -Process ID +Amount of packets dropped. type: integer -- -*`fortinet.firewall.policytype`*:: +*`checkpoint.monitor_reason`*:: + -- -Policy Type +Aggregated logs of monitored packets. type: keyword -- -*`fortinet.firewall.poolname`*:: +*`checkpoint.drops_amount`*:: + -- -IP Pool name +Amount of multicast packets dropped. -type: keyword +type: integer -- -*`fortinet.firewall.port`*:: +*`checkpoint.securexl_message`*:: + -- -Log upload error port +Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. -type: integer +type: keyword -- -*`fortinet.firewall.portbegin`*:: +*`checkpoint.conns_amount`*:: + -- -IP Pool port number to begin +Connections amount of aggregated log info. type: integer -- -*`fortinet.firewall.portend`*:: +*`checkpoint.scope`*:: + -- -IP Pool port number to end +IP related to the attack. -type: integer +type: keyword -- -*`fortinet.firewall.probeproto`*:: +*`checkpoint.analyzed_on`*:: + -- -Link Monitor Probe Protocol +Check Point ThreatCloud / emulator name. type: keyword -- -*`fortinet.firewall.process`*:: +*`checkpoint.detected_on`*:: + -- -URL Filter process +System and applications version the file was emulated on. type: keyword -- -*`fortinet.firewall.processtime`*:: +*`checkpoint.dropped_file_name`*:: + -- -Process time for reports +List of names dropped from the original file. 
-type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`checkpoint.dropped_file_type`*:: + -- -Profile Name +List of file types dropped from the original file. type: keyword -- -*`fortinet.firewall.profile_vd`*:: +*`checkpoint.dropped_file_hash`*:: + -- -Virtual Domain Name +List of file hashes dropped from the original file. type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`checkpoint.dropped_file_verdict`*:: + -- -Profile Group Name +List of file verdics dropped from the original file. type: keyword -- -*`fortinet.firewall.profiletype`*:: +*`checkpoint.emulated_on`*:: + -- -Profile Type +Images the files were emulated on. type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`checkpoint.extracted_file_type`*:: + -- -DNS question type value +Types of extracted files in case of an archive. -type: integer +type: keyword -- -*`fortinet.firewall.quarskip`*:: +*`checkpoint.extracted_file_names`*:: + -- -Quarantine skip explanation +Names of extracted files in case of an archive. type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`checkpoint.extracted_file_hash`*:: + -- -If quota has been exceeded +Archive hash in case of extracted files. type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`checkpoint.extracted_file_verdict`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based +Verdict of extracted files in case of an archive. -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`checkpoint.extracted_file_uid`*:: + -- -Quota type +UID of extracted files in case of an archive. type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`checkpoint.mitre_initial_access`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) +The adversary is trying to break into your network. -type: long +type: keyword -- -*`fortinet.firewall.radioband`*:: +*`checkpoint.mitre_execution`*:: + -- -Radio band +The adversary is trying to run malicious code. 
type: keyword -- -*`fortinet.firewall.radioid`*:: +*`checkpoint.mitre_persistence`*:: + -- -Radio ID +The adversary is trying to maintain his foothold. -type: integer +type: keyword -- -*`fortinet.firewall.radioidclosest`*:: +*`checkpoint.mitre_privilege_escalation`*:: + -- -Radio ID on the AP closest the rogue AP +The adversary is trying to gain higher-level permissions. -type: integer +type: keyword -- -*`fortinet.firewall.radioiddetected`*:: +*`checkpoint.mitre_defense_evasion`*:: + -- -Radio ID on the AP which detected the rogue AP +The adversary is trying to avoid being detected. -type: integer +type: keyword -- -*`fortinet.firewall.rate`*:: +*`checkpoint.mitre_credential_access`*:: + -- -Wireless rogue rate value +The adversary is trying to steal account names and passwords. type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`checkpoint.mitre_discovery`*:: + -- -Raw data value +The adversary is trying to expose information about your environment. type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`checkpoint.mitre_lateral_movement`*:: + -- -Raw data ID +The adversary is trying to explore your environment. type: keyword -- -*`fortinet.firewall.rcvddelta`*:: +*`checkpoint.mitre_collection`*:: + -- -Received bytes delta +The adversary is trying to collect data of interest to achieve his goal. type: keyword -- -*`fortinet.firewall.reason`*:: +*`checkpoint.mitre_command_and_control`*:: + -- -Alert reason +The adversary is trying to communicate with compromised systems in order to control them. type: keyword -- -*`fortinet.firewall.received`*:: +*`checkpoint.mitre_exfiltration`*:: + -- -Server key exchange received +The adversary is trying to steal data. -type: integer +type: keyword -- -*`fortinet.firewall.receivedsignature`*:: +*`checkpoint.mitre_impact`*:: + -- -Server key exchange received signature +The adversary is trying to manipulate, interrupt, or destroy your systems and data. 
type: keyword -- -*`fortinet.firewall.red`*:: +*`checkpoint.parent_file_hash`*:: + -- -Memory information in red +Archive's hash in case of extracted files. type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`checkpoint.parent_file_name`*:: + -- -Web filter referralurl +Archive's name in case of extracted files. type: keyword -- -*`fortinet.firewall.remote`*:: +*`checkpoint.parent_file_uid`*:: + -- -Remote PPP IP address +Archive's UID in case of extracted files. -type: ip +type: keyword -- -*`fortinet.firewall.remotewtptime`*:: +*`checkpoint.similiar_iocs`*:: + -- -Remote Wifi Radius authentication time +Other IoCs similar to the ones found, related to the malicious file. type: keyword -- -*`fortinet.firewall.reporttype`*:: +*`checkpoint.similar_hashes`*:: + -- -Report type +Hashes found similar to the malicious file. type: keyword -- -*`fortinet.firewall.reqtype`*:: +*`checkpoint.similar_strings`*:: + -- -Request type +Strings found similar to the malicious file. type: keyword -- -*`fortinet.firewall.request_name`*:: +*`checkpoint.similar_communication`*:: + -- -VOIP request name +Network action found similar to the malicious file. type: keyword -- -*`fortinet.firewall.result`*:: +*`checkpoint.te_verdict_determined_by`*:: + -- -VPN phase result +Emulators determined file verdict. type: keyword -- -*`fortinet.firewall.role`*:: +*`checkpoint.packet_capture_unique_id`*:: + -- -VPN Phase 2 role +Identifier of the packet capture files. type: keyword -- -*`fortinet.firewall.rssi`*:: +*`checkpoint.total_attachments`*:: + -- -Received signal strength indicator +The number of attachments in an email. type: integer -- -*`fortinet.firewall.rsso_key`*:: +*`checkpoint.additional_info`*:: + -- -RADIUS SSO attribute value +ID of original file/mail which are sent by admin. type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`checkpoint.content_risk`*:: + -- -Rule data +File risk. 
-type: keyword +type: integer -- -*`fortinet.firewall.ruletype`*:: +*`checkpoint.operation`*:: + -- -Rule type +Operation made by Threat Extraction. type: keyword -- -*`fortinet.firewall.scanned`*:: -+ --- -Number of Scanned MMSs - - -type: integer - --- - -*`fortinet.firewall.scantime`*:: +*`checkpoint.scrubbed_content`*:: + -- -Scanned time +Active content that was found. -type: long +type: keyword -- -*`fortinet.firewall.scope`*:: +*`checkpoint.scrub_time`*:: + -- -FortiGuard Override Scope +Extraction process duration. type: keyword -- -*`fortinet.firewall.security`*:: +*`checkpoint.scrub_download_time`*:: + -- -Wireless rogue security +File download time from resource. type: keyword -- -*`fortinet.firewall.sensitivity`*:: +*`checkpoint.scrub_total_time`*:: + -- -Sensitivity for document fingerprint +Threat extraction total file handling time. type: keyword -- -*`fortinet.firewall.sensor`*:: +*`checkpoint.scrub_activity`*:: + -- -NAC Sensor Name +The result of the extraction type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`checkpoint.watermark`*:: + -- -Sent bytes delta +Reports whether watermark is added to the cleaned file. type: keyword -- -*`fortinet.firewall.seq`*:: +*`checkpoint.source_object`*:: + -- -Sequence number +Matched object name on source column. -type: keyword +type: integer -- -*`fortinet.firewall.serial`*:: +*`checkpoint.destination_object`*:: + -- -WAN optimisation serial +Matched object name on destination column. type: keyword -- -*`fortinet.firewall.serialno`*:: +*`checkpoint.drop_reason`*:: + -- -Serial number +Drop reason description. type: keyword -- -*`fortinet.firewall.server`*:: +*`checkpoint.hit`*:: + -- -AD server FQDN or IP +Number of hits on a rule. -type: keyword +type: integer -- -*`fortinet.firewall.session_id`*:: +*`checkpoint.rulebase_id`*:: + -- -Session ID +Layer number. 
-type: keyword +type: integer -- -*`fortinet.firewall.sessionid`*:: +*`checkpoint.first_hit_time`*:: + -- -WAD Session ID +First hit time in current interval. type: integer -- -*`fortinet.firewall.setuprate`*:: +*`checkpoint.last_hit_time`*:: + -- -Session Setup Rate +Last hit time in current interval. -type: long +type: integer -- -*`fortinet.firewall.severity`*:: +*`checkpoint.rematch_info`*:: + -- -Severity +Information sent when old connections cannot be matched during policy installation. type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`checkpoint.last_rematch_time`*:: + -- -Received bytes dropped by shaper +Connection rematched time. -type: integer +type: keyword -- -*`fortinet.firewall.shaperdropsentbyte`*:: +*`checkpoint.action_reason`*:: + -- -Sent bytes dropped by shaper +Connection drop reason. type: integer -- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`checkpoint.c_bytes`*:: + -- -Dropped bytes per IP by shaper +Boolean value indicates whether bytes sent from the client side are used. type: integer -- -*`fortinet.firewall.shaperperipname`*:: +*`checkpoint.context_num`*:: + -- -Traffic shaper name (per IP) +Serial number of the log for a specific connection. -type: keyword +type: integer -- -*`fortinet.firewall.shaperrcvdname`*:: +*`checkpoint.match_id`*:: + -- -Traffic shaper name for received traffic +Private key of the rule -type: keyword +type: integer -- -*`fortinet.firewall.shapersentname`*:: +*`checkpoint.alert`*:: + -- -Traffic shaper name for sent traffic +Alert level of matched rule (for connection logs). type: keyword -- -*`fortinet.firewall.shapingpolicyid`*:: +*`checkpoint.parent_rule`*:: + -- -Traffic shaper policy ID +Parent rule number, in case of inline layer. type: integer -- -*`fortinet.firewall.signal`*:: +*`checkpoint.match_fk`*:: + -- -Wireless rogue API signal +Rule number. 
type: integer -- -*`fortinet.firewall.size`*:: +*`checkpoint.dropped_outgoing`*:: + -- -Email size in bytes +Number of outgoing bytes dropped when using UP-limit feature. -type: long +type: integer -- -*`fortinet.firewall.slot`*:: +*`checkpoint.dropped_incoming`*:: + -- -Slot number +Number of incoming bytes dropped when using UP-limit feature. type: integer -- -*`fortinet.firewall.sn`*:: +*`checkpoint.media_type`*:: + -- -Security fabric serial number +Media used (audio, video, etc.) type: keyword -- -*`fortinet.firewall.snclosest`*:: +*`checkpoint.sip_reason`*:: + -- -SN of the AP closest to the rogue AP +Explains why 'source_ip' isn't allowed to redirect (handover). type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`checkpoint.voip_method`*:: + -- -SN of the AP which detected the rogue AP +Registration request. type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`checkpoint.registered_ip-phones`*:: + -- -SN of the mesh parent +Registered IP-Phones. type: keyword -- -*`fortinet.firewall.spi`*:: +*`checkpoint.voip_reg_user_type`*:: + -- -IPSEC SPI +Registered IP-Phone type. type: keyword -- -*`fortinet.firewall.src_int`*:: +*`checkpoint.voip_call_id`*:: + -- -Source interface +Call-ID. type: keyword -- -*`fortinet.firewall.srcintfrole`*:: +*`checkpoint.voip_reg_int`*:: + -- -Source interface role +Registration port. -type: keyword +type: integer -- -*`fortinet.firewall.srccountry`*:: +*`checkpoint.voip_reg_ipp`*:: + -- -Source country +Registration IP protocol. -type: keyword +type: integer -- -*`fortinet.firewall.srcfamily`*:: +*`checkpoint.voip_reg_period`*:: + -- -Source family +Registration period. -type: keyword +type: integer -- -*`fortinet.firewall.srchwvendor`*:: +*`checkpoint.voip_log_type`*:: + -- -Source hardware vendor +VoIP log types. Possible values: reject, call, registration. type: keyword -- -*`fortinet.firewall.srchwversion`*:: +*`checkpoint.src_phone_number`*:: + -- -Source hardware version +Source IP-Phone. 
type: keyword -- -*`fortinet.firewall.srcinetsvc`*:: +*`checkpoint.voip_from_user_type`*:: + -- -Source interface service +Source IP-Phone type. type: keyword -- -*`fortinet.firewall.srcname`*:: +*`checkpoint.dst_phone_number`*:: + -- -Source name +Destination IP-Phone. type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`checkpoint.voip_to_user_type`*:: + -- -Source server +Destination IP-Phone type. -type: integer +type: keyword -- -*`fortinet.firewall.srcssid`*:: +*`checkpoint.voip_call_dir`*:: + -- -Source SSID +Call direction: in/out. type: keyword -- -*`fortinet.firewall.srcswversion`*:: +*`checkpoint.voip_call_state`*:: + -- -Source software version +Call state. Possible values: in/out. type: keyword -- -*`fortinet.firewall.srcuuid`*:: +*`checkpoint.voip_call_term_time`*:: + -- -Source UUID +Call termination time stamp. type: keyword -- -*`fortinet.firewall.sscname`*:: +*`checkpoint.voip_duration`*:: + -- -SSC name +Call duration (seconds). type: keyword -- -*`fortinet.firewall.ssid`*:: +*`checkpoint.voip_media_port`*:: + -- -Base Service Set ID +Media int. type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`checkpoint.voip_media_ipp`*:: + -- -SSL Action +Media IP protocol. type: keyword -- -*`fortinet.firewall.ssllocal`*:: +*`checkpoint.voip_est_codec`*:: + -- -WAD SSL local +Estimated codec. type: keyword -- -*`fortinet.firewall.sslremote`*:: +*`checkpoint.voip_exp`*:: + -- -WAD SSL remote +Expiration. -type: keyword +type: integer -- -*`fortinet.firewall.stacount`*:: +*`checkpoint.voip_attach_sz`*:: + -- -Number of stations/clients +Attachment size. type: integer -- -*`fortinet.firewall.stage`*:: +*`checkpoint.voip_attach_action_info`*:: + -- -IPSEC stage +Attachment action Info. type: keyword -- -*`fortinet.firewall.stamac`*:: +*`checkpoint.voip_media_codec`*:: + -- -802.1x station mac +Estimated codec. type: keyword -- -*`fortinet.firewall.state`*:: +*`checkpoint.voip_reject_reason`*:: + -- -Admin login state +Reject reason. 
type: keyword -- -*`fortinet.firewall.status`*:: +*`checkpoint.voip_reason_info`*:: + -- -Status +Information. type: keyword -- -*`fortinet.firewall.stitch`*:: +*`checkpoint.voip_config`*:: + -- -Automation stitch triggered +Configuration. type: keyword -- -*`fortinet.firewall.subject`*:: +*`checkpoint.voip_reg_server`*:: + -- -Email subject +Registrar server IP address. -type: keyword +type: ip -- -*`fortinet.firewall.submodule`*:: +*`checkpoint.scv_user`*:: + -- -Configuration Sub-Module Name +Username whose packets are dropped on SCV. type: keyword -- -*`fortinet.firewall.subservice`*:: +*`checkpoint.scv_message_info`*:: + -- -AV subservice +Drop reason. type: keyword -- -*`fortinet.firewall.subtype`*:: +*`checkpoint.ppp`*:: + -- -Log subtype +Authentication status. type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`checkpoint.scheme`*:: + -- -Number of Suspicious MMSs +Describes the scheme used for the log. -type: integer +type: keyword -- -*`fortinet.firewall.switchproto`*:: +*`checkpoint.auth_method`*:: + -- -Protocol change information +Password authentication protocol used (PAP or EAP). type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`checkpoint.machine`*:: + -- -The sync status with the master +L2TP machine which triggered the log and the log refers to it. type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`checkpoint.vpn_feature_name`*:: + -- -The sync type with the master +L2TP /IKE / Link Selection. type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`checkpoint.reject_category`*:: + -- -System uptime +Authentication failure reason. type: keyword -- -*`fortinet.firewall.tamac`*:: +*`checkpoint.peer_ip_probing_status_update`*:: + -- -the MAC address of Transmitter, if none, then Receiver +IP address response status. type: keyword -- -*`fortinet.firewall.threattype`*:: +*`checkpoint.peer_ip`*:: + -- -WIDS threat type +IP address which the client connects to. 
type: keyword -- -*`fortinet.firewall.time`*:: +*`checkpoint.peer_gateway`*:: + -- -Time of the event +Main IP of the peer Security Gateway. -type: keyword +type: ip -- -*`fortinet.firewall.to`*:: +*`checkpoint.link_probing_status_update`*:: + -- -Email to field +IP address response status. type: keyword -- -*`fortinet.firewall.to_vcluster`*:: +*`checkpoint.source_interface`*:: + -- -destination virtual cluster number +External Interface name for source interface or Null if not found. -type: integer +type: keyword -- -*`fortinet.firewall.total`*:: +*`checkpoint.next_hop_ip`*:: + -- -Total memory +Next hop IP address. -type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`checkpoint.srckeyid`*:: + -- -Total Number of Sessions +Initiator Spi ID. -type: integer +type: keyword -- -*`fortinet.firewall.trace_id`*:: +*`checkpoint.dstkeyid`*:: + -- -Session clash trace ID +Responder Spi ID. type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`checkpoint.encryption_failure`*:: + -- -NAT translation type +Message indicating why the encryption failed. type: keyword -- -*`fortinet.firewall.transid`*:: +*`checkpoint.ike_ids`*:: + -- -HTTP transaction ID +All QM ids. -type: integer +type: keyword -- -*`fortinet.firewall.translationid`*:: +*`checkpoint.community`*:: + -- -DNS filter transaltion ID +Community name for the IPSec key and the use of the IKEv. type: keyword -- -*`fortinet.firewall.trigger`*:: +*`checkpoint.ike`*:: + -- -Automation stitch trigger +IKEMode (PHASE1, PHASE2, etc..). type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`checkpoint.cookieI`*:: + -- -File filter true client IP +Initiator cookie. -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`checkpoint.cookieR`*:: + -- -IPSEC tunnel ID +Responder cookie. -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`checkpoint.msgid`*:: + -- -IPSEC tunnel IP +Message ID. 
-type: ip +type: keyword -- -*`fortinet.firewall.tunneltype`*:: +*`checkpoint.methods`*:: + -- -IPSEC tunnel type +IPSEc methods. type: keyword -- -*`fortinet.firewall.type`*:: +*`checkpoint.connection_uid`*:: + -- -Module type +Calculation of md5 of the IP and user name as UID. type: keyword -- -*`fortinet.firewall.ui`*:: +*`checkpoint.site_name`*:: + -- -Admin authentication UI type +Site name. type: keyword -- -*`fortinet.firewall.unauthusersource`*:: +*`checkpoint.esod_rule_name`*:: + -- -Unauthenticated user source +Unknown rule name. type: keyword -- -*`fortinet.firewall.unit`*:: +*`checkpoint.esod_rule_action`*:: + -- -Power supply unit +Unknown rule action. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilteridx`*:: +*`checkpoint.esod_rule_type`*:: + -- -URL filter ID +Unknown rule type. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilterlist`*:: +*`checkpoint.esod_noncompliance_reason`*:: + -- -URL filter list +Non-compliance reason. type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`checkpoint.esod_associated_policies`*:: + -- -URL filter source +Associated policies. type: keyword -- -*`fortinet.firewall.urltype`*:: +*`checkpoint.spyware_name`*:: + -- -URL filter type +Spyware name. type: keyword -- -*`fortinet.firewall.used`*:: +*`checkpoint.spyware_type`*:: + -- -Number of Used IPs +Spyware type. -type: integer +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`checkpoint.anti_virus_type`*:: + -- -Connection for the type +Anti virus type. -type: integer +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`checkpoint.end_user_firewall_type`*:: + -- -Security action performed by UTM +End user firewall type. type: keyword -- -*`fortinet.firewall.vap`*:: +*`checkpoint.esod_scan_status`*:: + -- -Virtual AP +Scan failed. type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`checkpoint.esod_access_status`*:: + -- -Virtual AP mode +Access denied. 
type: keyword -- -*`fortinet.firewall.vcluster`*:: +*`checkpoint.client_type`*:: + -- -virtual cluster id +Endpoint Connect. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_member`*:: +*`checkpoint.precise_error`*:: + -- -Virtual cluster member +HTTP parser error. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_state`*:: +*`checkpoint.method`*:: + -- -Virtual cluster state +HTTP method. type: keyword -- -*`fortinet.firewall.vd`*:: +*`checkpoint.trusted_domain`*:: + -- -Virtual Domain Name +In case of phishing event, the domain, which the attacker was impersonating. type: keyword -- -*`fortinet.firewall.vdname`*:: +[[exported-fields-cisco]] +== Cisco fields + +Module for handling Cisco network device logs. + + + +[float] +=== cisco + +Fields from Cisco logs. + + + +[float] +=== asa + +Fields for Cisco ASA Firewall. + + + +*`cisco.asa.message_id`*:: + -- -Virtual Domain Name +The Cisco ASA message identifier. type: keyword -- -*`fortinet.firewall.vendorurl`*:: +*`cisco.asa.suffix`*:: + -- -Vulnerability scan vendor name +Optional suffix after %ASA identifier. type: keyword +example: session + -- -*`fortinet.firewall.version`*:: +*`cisco.asa.source_interface`*:: + -- -Version +Source interface for the flow or event. type: keyword -- -*`fortinet.firewall.vip`*:: +*`cisco.asa.destination_interface`*:: + -- -Virtual IP +Destination interface for the flow or event. type: keyword -- -*`fortinet.firewall.virus`*:: +*`cisco.asa.rule_name`*:: + -- -Virus name +Name of the Access Control List rule that matched this event. type: keyword -- -*`fortinet.firewall.virusid`*:: +*`cisco.asa.source_username`*:: + -- -Virus ID (unique virus identifier) +Name of the user that is the source for this event. -type: integer +type: keyword -- -*`fortinet.firewall.voip_proto`*:: +*`cisco.asa.destination_username`*:: + -- -VOIP protocol +Name of the user that is the destination for this event. 
type: keyword -- -*`fortinet.firewall.vpn`*:: +*`cisco.asa.mapped_source_ip`*:: + -- -VPN description +The translated source IP address. -type: keyword +type: ip -- -*`fortinet.firewall.vpntunnel`*:: +*`cisco.asa.mapped_source_host`*:: + -- -IPsec Vpn Tunnel Name +The translated source host. type: keyword -- -*`fortinet.firewall.vpntype`*:: +*`cisco.asa.mapped_source_port`*:: + -- -The type of the VPN tunnel +The translated source port. -type: keyword +type: long -- -*`fortinet.firewall.vrf`*:: +*`cisco.asa.mapped_destination_ip`*:: + -- -VRF number +The translated destination IP address. -type: integer +type: ip -- -*`fortinet.firewall.vulncat`*:: +*`cisco.asa.mapped_destination_host`*:: + -- -Vulnerability Category +The translated destination host. type: keyword -- -*`fortinet.firewall.vulnid`*:: +*`cisco.asa.mapped_destination_port`*:: + -- -Vulnerability ID +The translated destination port. -type: integer +type: long -- -*`fortinet.firewall.vulnname`*:: +*`cisco.asa.threat_level`*:: + -- -Vulnerability name +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. type: keyword -- -*`fortinet.firewall.vwlid`*:: +*`cisco.asa.threat_category`*:: + -- -VWL ID +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. -type: integer +type: keyword -- -*`fortinet.firewall.vwlquality`*:: +*`cisco.asa.connection_id`*:: + -- -VWL quality +Unique identifier for a flow. type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`cisco.asa.icmp_type`*:: + -- -VWL service +ICMP type. -type: keyword +type: short -- -*`fortinet.firewall.vwpvlanid`*:: +*`cisco.asa.icmp_code`*:: + -- -VWP VLAN ID +ICMP code. 
-type: integer +type: short -- -*`fortinet.firewall.wanin`*:: +*`cisco.asa.connection_type`*:: + -- -WAN incoming traffic in bytes +The VPN connection type -type: long +type: keyword -- -*`fortinet.firewall.wanoptapptype`*:: +*`cisco.asa.dap_records`*:: + -- -WAN Optimization Application type +The assigned DAP records type: keyword -- -*`fortinet.firewall.wanout`*:: -+ --- -WAN outgoing traffic in bytes +[float] +=== ftd +Fields for Cisco Firepower Threat Defense Firewall. -type: long --- -*`fortinet.firewall.weakwepiv`*:: +*`cisco.ftd.message_id`*:: + -- -Weak Wep Initiation Vector +The Cisco FTD message identifier. type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`cisco.ftd.suffix`*:: + -- -XAuth Group Name +Optional suffix after %FTD identifier. type: keyword +example: session + -- -*`fortinet.firewall.xauthuser`*:: +*`cisco.ftd.source_interface`*:: + -- -XAuth User Name +Source interface for the flow or event. type: keyword -- -*`fortinet.firewall.xid`*:: +*`cisco.ftd.destination_interface`*:: + -- -Wireless X ID +Destination interface for the flow or event. -type: integer +type: keyword -- -[[exported-fields-googlecloud]] -== Google Cloud fields - -Module for handling logs from Google Cloud. - - - -[float] -=== googlecloud +*`cisco.ftd.rule_name`*:: ++ +-- +Name of the Access Control List rule that matched this event. -Fields from Google Cloud logs. +type: keyword +-- -[float] -=== destination.instance +*`cisco.ftd.source_username`*:: ++ +-- +Name of the user that is the source for this event. -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: keyword +-- -*`googlecloud.destination.instance.project_id`*:: +*`cisco.ftd.destination_username`*:: + -- -ID of the project containing the VM. +Name of the user that is the destination for this event. 
type: keyword -- -*`googlecloud.destination.instance.region`*:: +*`cisco.ftd.mapped_source_ip`*:: + -- -Region of the VM. +The translated source IP address. Use ECS source.nat.ip. -type: keyword +type: ip -- -*`googlecloud.destination.instance.zone`*:: +*`cisco.ftd.mapped_source_host`*:: + -- -Zone of the VM. +The translated source host. type: keyword -- -[float] -=== destination.vpc +*`cisco.ftd.mapped_source_port`*:: ++ +-- +The translated source port. Use ECS source.nat.port. -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: long +-- -*`googlecloud.destination.vpc.project_id`*:: +*`cisco.ftd.mapped_destination_ip`*:: + -- -ID of the project containing the VM. +The translated destination IP address. Use ECS destination.nat.ip. -type: keyword +type: ip -- -*`googlecloud.destination.vpc.vpc_name`*:: +*`cisco.ftd.mapped_destination_host`*:: + -- -VPC on which the VM is operating. +The translated destination host. type: keyword -- -*`googlecloud.destination.vpc.subnetwork_name`*:: +*`cisco.ftd.mapped_destination_port`*:: + -- -Subnetwork on which the VM is operating. +The translated destination port. Use ECS destination.nat.port. -type: keyword +type: long -- -[float] -=== source.instance +*`cisco.ftd.threat_level`*:: ++ +-- +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: keyword +-- -*`googlecloud.source.instance.project_id`*:: +*`cisco.ftd.threat_category`*:: + -- -ID of the project containing the VM. +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. 
type: keyword -- -*`googlecloud.source.instance.region`*:: +*`cisco.ftd.connection_id`*:: + -- -Region of the VM. +Unique identifier for a flow. type: keyword -- -*`googlecloud.source.instance.zone`*:: +*`cisco.ftd.icmp_type`*:: + -- -Zone of the VM. +ICMP type. -type: keyword +type: short -- -[float] -=== source.vpc +*`cisco.ftd.icmp_code`*:: ++ +-- +ICMP code. -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: short +-- -*`googlecloud.source.vpc.project_id`*:: +*`cisco.ftd.security`*:: + -- -ID of the project containing the VM. - +Raw fields for Security Events. -type: keyword +type: object -- -*`googlecloud.source.vpc.vpc_name`*:: +*`cisco.ftd.connection_type`*:: + -- -VPC on which the VM is operating. +The VPN connection type type: keyword -- -*`googlecloud.source.vpc.subnetwork_name`*:: +*`cisco.ftd.dap_records`*:: + -- -Subnetwork on which the VM is operating. +The assigned DAP records type: keyword 
@@ -22918,18057 +20910,128749 @@ type: keyword -- [float] -=== audit +=== ios -Fields for Google Cloud audit logs. +Fields for Cisco IOS logs. -*`googlecloud.audit.type`*:: +*`cisco.ios.access_list`*:: + -- -Type property. +Name of the IP access list. type: keyword -- -[float] -=== authentication_info +*`cisco.ios.facility`*:: ++ +-- +The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. -Authentication information. +type: keyword + +example: SEC +-- -*`googlecloud.audit.authentication_info.principal_email`*:: +*`cisco.network.interface.name`*:: + -- -The email address of the authenticated user making the request. +Name of the network interface where the traffic has been observed. type: keyword -- -*`googlecloud.audit.authentication_info.authority_selector`*:: + + +*`cisco.rsa.internal.msg`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`googlecloud.audit.authorization_info`*:: +*`cisco.rsa.internal.messageid`*:: + -- -Authorization information for the operation. +type: keyword +-- -type: array +*`cisco.rsa.internal.event_desc`*:: ++ +-- +type: keyword -- -*`googlecloud.audit.method_name`*:: +*`cisco.rsa.internal.message`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - +This key captures the contents of instant messages type: keyword -- -*`googlecloud.audit.num_response_items`*:: +*`cisco.rsa.internal.time`*:: + -- -The number of items returned from a List or Query API method, if applicable. +This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: long +type: date -- -[float] -=== request - -The operation request. +*`cisco.rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. +type: long +-- -*`googlecloud.audit.request.proto_name`*:: +*`cisco.rsa.internal.msg_id`*:: + -- -Type property of the request. - +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.request.filter`*:: +*`cisco.rsa.internal.msg_vid`*:: + -- -Filter of the request. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.request.name`*:: +*`cisco.rsa.internal.data`*:: + -- -Name of the request. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.request.resource_name`*:: +*`cisco.rsa.internal.obj_server`*:: + -- -Name of the request resource. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== request_metadata - -Metadata about the request. - - - -*`googlecloud.audit.request_metadata.caller_ip`*:: +*`cisco.rsa.internal.obj_val`*:: + -- -The IP address of the caller. - +Deprecated key defined only in table map. -type: ip +type: keyword -- -*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: +*`cisco.rsa.internal.resource`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== response - -The operation response. 
- - - -*`googlecloud.audit.response.proto_name`*:: +*`cisco.rsa.internal.obj_id`*:: + -- -Type property of the response. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== details - -The details of the response. - - - -*`googlecloud.audit.response.details.group`*:: +*`cisco.rsa.internal.statement`*:: + -- -The name of the group. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.details.kind`*:: +*`cisco.rsa.internal.audit_class`*:: + -- -The kind of the response details. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.details.name`*:: +*`cisco.rsa.internal.entry`*:: + -- -The name of the response details. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.details.uid`*:: +*`cisco.rsa.internal.hcode`*:: + -- -The uid of the response details. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.status`*:: +*`cisco.rsa.internal.inode`*:: + -- -Status of the response. +Deprecated key defined only in table map. - -type: keyword +type: long -- -*`googlecloud.audit.resource_name`*:: +*`cisco.rsa.internal.resource_class`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== resource_location - -The location of the resource. +*`cisco.rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. +type: long +-- -*`googlecloud.audit.resource_location.current_locations`*:: +*`cisco.rsa.internal.feed_desc`*:: + -- -Current locations of the resource. - +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.service_name`*:: +*`cisco.rsa.internal.feed_name`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== status - -The status of the overall operation. +*`cisco.rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`googlecloud.audit.status.code`*:: +*`cisco.rsa.internal.device_class`*:: + -- -The status code, which should be an enum value of google.rpc.Code. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -*`googlecloud.audit.status.message`*:: +*`cisco.rsa.internal.device_group`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. - +*`cisco.rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword -[float] -=== rule_details +-- -Description of the firewall rule that matched this connection. +*`cisco.rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: ip +-- -*`googlecloud.firewall.rule_details.priority`*:: +*`cisco.rsa.internal.device_ipv6`*:: + -- -The priority for the firewall rule. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`googlecloud.firewall.rule_details.action`*:: +*`cisco.rsa.internal.device_type`*:: + -- -Action that the rule performs on match. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.direction`*:: +*`cisco.rsa.internal.device_type_id`*:: + -- -Direction of traffic that matches this rule. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.reference`*:: +*`cisco.rsa.internal.did`*:: + -- -Reference to the firewall rule. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.source_range`*:: +*`cisco.rsa.internal.entropy_req`*:: + -- -List of source ranges that the firewall rule applies to. 
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.destination_range`*:: +*`cisco.rsa.internal.entropy_res`*:: + -- -List of destination ranges that the firewall applies to. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.source_tag`*:: +*`cisco.rsa.internal.event_name`*:: + -- -List of all the source tags that the firewall rule applies to. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.target_tag`*:: +*`cisco.rsa.internal.feed_category`*:: + -- -List of all the target tags that the firewall rule applies to. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.ip_port_info`*:: +*`cisco.rsa.internal.forward_ip`*:: + -- -List of ip protocols and applicable port ranges for rules. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: array +type: ip -- -*`googlecloud.firewall.rule_details.source_service_account`*:: +*`cisco.rsa.internal.forward_ipv6`*:: + -- -List of all the source service accounts that the firewall rule applies to. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`googlecloud.firewall.rule_details.target_service_account`*:: +*`cisco.rsa.internal.header_id`*:: + -- -List of all the target service accounts that the firewall rule applies to. - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== vpcflow - -Fields for Google Cloud VPC flow logs. - - - -*`googlecloud.vpcflow.reporter`*:: +*`cisco.rsa.internal.lc_cid`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.vpcflow.rtt.ms`*:: +*`cisco.rsa.internal.lc_ctime`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: date -type: long +-- +*`cisco.rsa.internal.mcb_req`*:: ++ -- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -[[exported-fields-gsuite]] -== gsuite fields +type: long -gsuite Module +-- +*`cisco.rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +type: long -[float] -=== gsuite +-- -Gsuite specific fields. -More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +*`cisco.rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: long +-- -*`gsuite.actor.type`*:: +*`cisco.rsa.internal.mcbc_res`*:: + -- -The type of actor. -Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`gsuite.actor.key`*:: +*`cisco.rsa.internal.medium`*:: + -- -Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`gsuite.event.type`*:: +*`cisco.rsa.internal.node_name`*:: + -- -The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - +Deprecated key defined only in table map. type: keyword -example: audit#activity - -- -*`gsuite.kind`*:: +*`cisco.rsa.internal.nwe_callback_id`*:: + -- -The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - +This key denotes that event is endpoint related type: keyword -example: audit#activity - -- -*`gsuite.organization.domain`*:: +*`cisco.rsa.internal.parse_error`*:: + -- -The domain that is affected by the report's event. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`gsuite.saml.application_name`*:: +*`cisco.rsa.internal.payload_req`*:: + -- -Saml SP application name. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: keyword +type: long -- -*`gsuite.saml.failure_type`*:: +*`cisco.rsa.internal.payload_res`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep -type: keyword +type: long -- -*`gsuite.saml.initiated_by`*:: +*`cisco.rsa.internal.process_vid_dst`*:: + -- -Requester of SAML authentication. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`gsuite.saml.orgunit_path`*:: +*`cisco.rsa.internal.process_vid_src`*:: + -- -User orgunit. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`gsuite.saml.status_code`*:: +*`cisco.rsa.internal.rid`*:: + -- -SAML status code. - +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`gsuite.saml.second_level_status_code`*:: +*`cisco.rsa.internal.session_split`*:: + -- -SAML second level status code. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -[[exported-fields-haproxy]] -== HAProxy fields - -haproxy Module - - - -[float] -=== haproxy - +*`cisco.rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`haproxy.frontend_name`*:: +*`cisco.rsa.internal.size`*:: + -- -Name of the frontend (or listener) which received and processed the connection. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`haproxy.backend_name`*:: +*`cisco.rsa.internal.sourcefile`*:: + -- -Name of the backend (or listener) which was selected to manage the connection to the server. +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`haproxy.server_name`*:: +*`cisco.rsa.internal.ubc_req`*:: + -- -Name of the last server to which the connection was sent. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`haproxy.total_waiting_time_ms`*:: +*`cisco.rsa.internal.ubc_res`*:: + -- -Total time in milliseconds spent waiting in the various queues +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`haproxy.connection_wait_time_ms`*:: +*`cisco.rsa.internal.word`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -type: long +type: keyword -- -*`haproxy.bytes_read`*:: + +*`cisco.rsa.time.event_time`*:: + -- -Total number of bytes transmitted to the client when the log is emitted. +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: long +type: date -- -*`haproxy.time_queue`*:: +*`cisco.rsa.time.duration_time`*:: + -- -Total time in milliseconds spent waiting in the various queues. +This key is used to capture the normalized duration/lifetime in seconds. -type: long +type: double -- -*`haproxy.time_backend_connect`*:: +*`cisco.rsa.time.event_time_str`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. 
+This key is used to capture the incomplete time mentioned in a session as a string -type: long +type: keyword -- -*`haproxy.server_queue`*:: +*`cisco.rsa.time.starttime`*:: + -- -Total number of requests which were processed before this one in the server queue. +This key is used to capture the Start time mentioned in a session in a standard form -type: long +type: date -- -*`haproxy.backend_queue`*:: +*`cisco.rsa.time.month`*:: + -- -Total number of requests which were processed before this one in the backend's global queue. - -type: long +type: keyword -- -*`haproxy.bind_name`*:: +*`cisco.rsa.time.day`*:: + -- -Name of the listening address which received the connection. +type: keyword -- -*`haproxy.error_message`*:: +*`cisco.rsa.time.endtime`*:: + -- -Error message logged by HAProxy in case of error. +This key is used to capture the End time mentioned in a session in a standard form -type: text +type: date -- -*`haproxy.source`*:: +*`cisco.rsa.time.timezone`*:: + -- -The HAProxy source of the log +This key is used to capture the timezone of the Event Time type: keyword -- -*`haproxy.termination_state`*:: +*`cisco.rsa.time.duration_str`*:: + -- -Condition the session was in when the session ended. +A text string version of the duration + +type: keyword -- -*`haproxy.mode`*:: +*`cisco.rsa.time.date`*:: + -- -mode that the frontend is operating (TCP or HTTP) - type: keyword -- -[float] -=== connections - -Contains various counts of connections active in the process. +*`cisco.rsa.time.year`*:: ++ +-- +type: keyword +-- -*`haproxy.connections.active`*:: +*`cisco.rsa.time.recorded_time`*:: + -- -Total number of concurrent connections on the process when the session was logged. +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
-type: long +type: date -- -*`haproxy.connections.frontend`*:: +*`cisco.rsa.time.datetime`*:: + -- -Total number of concurrent connections on the frontend when the session was logged. - -type: long +type: keyword -- -*`haproxy.connections.backend`*:: +*`cisco.rsa.time.effective_time`*:: + -- -Total number of concurrent connections handled by the backend when the session was logged. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: long +type: date -- -*`haproxy.connections.server`*:: +*`cisco.rsa.time.expire_time`*:: + -- -Total number of concurrent connections still active on the server when the session was logged. +This key is the timestamp that explicitly refers to an expiration. -type: long +type: date -- -*`haproxy.connections.retries`*:: +*`cisco.rsa.time.process_time`*:: + -- -Number of connection retries experienced by this session when trying to connect to the server. +Deprecated, use duration.time -type: long +type: keyword -- -[float] -=== client - -Information about the client doing the request +*`cisco.rsa.time.hour`*:: ++ +-- +type: keyword +-- -*`haproxy.client.ip`*:: +*`cisco.rsa.time.min`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`haproxy.client.port`*:: +*`cisco.rsa.time.timestamp`*:: + -- -type: alias - -alias to: source.port +type: keyword -- -*`haproxy.process_name`*:: +*`cisco.rsa.time.event_queue_time`*:: + -- -type: alias +This key is the Time that the event was queued. 
-alias to: process.name +type: date -- -*`haproxy.pid`*:: +*`cisco.rsa.time.p_time1`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -[float] -=== destination - -Destination information +*`cisco.rsa.time.tzone`*:: ++ +-- +type: keyword +-- -*`haproxy.destination.port`*:: +*`cisco.rsa.time.eventtime`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`haproxy.destination.ip`*:: +*`cisco.rsa.time.gmtdate`*:: + -- -type: alias - -alias to: destination.ip +type: keyword -- -[float] -=== geoip +*`cisco.rsa.time.gmttime`*:: ++ +-- +type: keyword -Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. +-- +*`cisco.rsa.time.p_date`*:: ++ +-- +type: keyword +-- -*`haproxy.geoip.continent_name`*:: +*`cisco.rsa.time.p_month`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`haproxy.geoip.country_iso_code`*:: +*`cisco.rsa.time.p_time`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`haproxy.geoip.location`*:: +*`cisco.rsa.time.p_time2`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`haproxy.geoip.region_name`*:: +*`cisco.rsa.time.p_year`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`haproxy.geoip.city_name`*:: +*`cisco.rsa.time.expire_time_str`*:: + -- -type: alias +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -alias to: source.geo.city_name +type: keyword -- -*`haproxy.geoip.region_iso_code`*:: +*`cisco.rsa.time.stamp`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_iso_code +type: date -- -[float] -=== http -Please add description +*`cisco.rsa.misc.action`*:: ++ +-- +type: keyword +-- -[float] -=== response +*`cisco.rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. 
-Fields related to the HTTP response +type: keyword +-- -*`haproxy.http.response.captured_cookie`*:: +*`cisco.rsa.misc.severity`*:: + -- -Optional "name=value" entry indicating that the client had this cookie in the response. +This key is used to capture the severity given the session +type: keyword -- -*`haproxy.http.response.captured_headers`*:: +*`cisco.rsa.misc.event_type`*:: + -- -List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. - +This key captures the event category type as specified by the event source. type: keyword -- -*`haproxy.http.response.status_code`*:: +*`cisco.rsa.misc.reference_id`*:: + -- -type: alias +This key is used to capture an event id from the session directly -alias to: http.response.status_code +type: keyword -- -[float] -=== request +*`cisco.rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. -Fields related to the HTTP request +type: keyword +-- -*`haproxy.http.request.captured_cookie`*:: +*`cisco.rsa.misc.disposition`*:: + -- -Optional "name=value" entry indicating that the server has returned a cookie with its request. +This key captures the The end state of an action. +type: keyword -- -*`haproxy.http.request.captured_headers`*:: +*`cisco.rsa.misc.result_code`*:: + -- -List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`haproxy.http.request.raw_request_line`*:: +*`cisco.rsa.misc.category`*:: + -- -Complete HTTP request line, including the method, request and HTTP version string. 
+This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`haproxy.http.request.time_wait_without_data_ms`*:: +*`cisco.rsa.misc.obj_name`*:: + -- -Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. +This is used to capture name of object -type: long +type: keyword -- -*`haproxy.http.request.time_wait_ms`*:: +*`cisco.rsa.misc.obj_type`*:: + -- -Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. +This is used to capture type of object -type: long +type: keyword -- -[float] -=== tcp +*`cisco.rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname -TCP log format +type: keyword +-- -*`haproxy.tcp.connection_waiting_time_ms`*:: +*`cisco.rsa.misc.log_session_id`*:: + -- -Total time in milliseconds elapsed between the accept and the last close +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -[[exported-fields-host-processor]] -== Host fields +*`cisco.rsa.misc.group`*:: ++ +-- +This key captures the Group Name value -Info collected for the host machine. +type: keyword +-- +*`cisco.rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. +type: keyword -*`host.containerized`*:: -+ -- -If the host is a container. +*`cisco.rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name -type: boolean +type: keyword -- -*`host.os.build`*:: +*`cisco.rsa.misc.context`*:: + -- -OS build information. - +This key captures Information which adds additional context to the event. type: keyword -example: 18D109 - -- -*`host.os.codename`*:: +*`cisco.rsa.misc.change_new`*:: + -- -OS codename, if any. 
- +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -example: stretch - -- -[[exported-fields-ibmmq]] -== ibmmq fields - -ibmmq Module - - - -[float] -=== ibmmq - - +*`cisco.rsa.misc.space`*:: ++ +-- +type: keyword +-- -[float] -=== errorlog +*`cisco.rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -IBM MQ error logs +type: keyword +-- -*`ibmmq.errorlog.installation`*:: +*`cisco.rsa.misc.msgIdPart1`*:: + -- -This is the installation name which can be given at installation time. -Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. +type: keyword +-- +*`cisco.rsa.misc.msgIdPart2`*:: ++ +-- type: keyword -- -*`ibmmq.errorlog.qmgr`*:: +*`cisco.rsa.misc.change_old`*:: + -- -Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. - +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`ibmmq.errorlog.arithinsert`*:: +*`cisco.rsa.misc.operation_id`*:: + -- -Changing content based on error.id +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`ibmmq.errorlog.commentinsert`*:: +*`cisco.rsa.misc.event_state`*:: + -- -Changing content based on error.id +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`ibmmq.errorlog.errordescription`*:: +*`cisco.rsa.misc.group_object`*:: + -- -Please add description - -type: text +This key captures a collection/grouping of entities. 
Specific usage -example: Please add example +type: keyword -- -*`ibmmq.errorlog.explanation`*:: +*`cisco.rsa.misc.node`*:: + -- -Explaines the error in more detail +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`ibmmq.errorlog.action`*:: +*`cisco.rsa.misc.rule`*:: + -- -Defines what to do when the error occurs +This key captures the Rule number type: keyword -- -*`ibmmq.errorlog.code`*:: +*`cisco.rsa.misc.device_name`*:: + -- -Error code. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -[[exported-fields-icinga]] -== Icinga fields +*`cisco.rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. -Icinga Module +type: keyword +-- +*`cisco.rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session -[float] -=== icinga +type: keyword +-- +*`cisco.rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +type: keyword -[float] -=== debug +-- -Contains fields for the Icinga debug logs. +*`cisco.rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" +type: keyword +-- -*`icinga.debug.facility`*:: +*`cisco.rsa.misc.event_log`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures the Name of the event log type: keyword -- -*`icinga.debug.severity`*:: +*`cisco.rsa.misc.OS`*:: + -- -type: alias +This key captures the Name of the Operating System -alias to: log.level +type: keyword -- -*`icinga.debug.message`*:: +*`cisco.rsa.misc.terminal`*:: + -- -type: alias +This key captures the Terminal Names only -alias to: message +type: keyword -- -[float] -=== main - -Contains fields for the Icinga main logs. 
- +*`cisco.rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword +-- -*`icinga.main.facility`*:: +*`cisco.rsa.misc.filter`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures Filter used to reduce result set type: keyword -- -*`icinga.main.severity`*:: +*`cisco.rsa.misc.serial_number`*:: + -- -type: alias +This key is the Serial number associated with a physical asset. -alias to: log.level +type: keyword -- -*`icinga.main.message`*:: +*`cisco.rsa.misc.checksum`*:: + -- -type: alias +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. -alias to: message +type: keyword -- -[float] -=== startup - -Contains fields for the Icinga startup logs. +*`cisco.rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +type: keyword +-- -*`icinga.startup.facility`*:: +*`cisco.rsa.misc.virusname`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures the name of the virus type: keyword -- -*`icinga.startup.severity`*:: +*`cisco.rsa.misc.content_type`*:: + -- -type: alias +This key is used to capture Content Type only. -alias to: log.level +type: keyword -- -*`icinga.startup.message`*:: +*`cisco.rsa.misc.group_id`*:: + -- -type: alias +This key captures Group ID Number (related to the group name) -alias to: message +type: keyword -- -[[exported-fields-iis]] -== IIS fields +*`cisco.rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -Module for parsing IIS log files. +type: keyword +-- +*`cisco.rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name -[float] -=== iis +type: keyword -Fields from IIS log files. 
+-- +*`cisco.rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID +type: keyword -[float] -=== access +-- -Contains fields for IIS access logs. +*`cisco.rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +type: keyword +-- -*`iis.access.sub_status`*:: +*`cisco.rsa.misc.sensor`*:: + -- -The HTTP substatus code. - +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: long +type: keyword -- -*`iis.access.win32_status`*:: +*`cisco.rsa.misc.sig_id`*:: + -- -The Windows status code. - +This key captures IDS/IPS Int Signature ID type: long -- -*`iis.access.site_name`*:: +*`cisco.rsa.misc.port_name`*:: + -- -The site name and instance number. - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`iis.access.server_name`*:: +*`cisco.rsa.misc.rule_group`*:: + -- -The name of the server on which the log file entry was generated. - +This key captures the Rule group name type: keyword -- -*`iis.access.cookie`*:: +*`cisco.rsa.misc.risk_num`*:: + -- -The content of the cookie sent or received, if any. - +This key captures a Numeric Risk value -type: keyword +type: double -- -*`iis.access.body_received.bytes`*:: +*`cisco.rsa.misc.trigger_val`*:: + -- -type: alias +This key captures the Value of the trigger or threshold condition. -alias to: http.request.body.bytes +type: keyword -- -*`iis.access.body_sent.bytes`*:: +*`cisco.rsa.misc.log_session_id1`*:: + -- -type: alias +This key is used to capture a Linked (Related) Session ID from the session directly -alias to: http.response.body.bytes +type: keyword -- -*`iis.access.server_ip`*:: +*`cisco.rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. 
-alias to: destination.address +type: keyword -- -*`iis.access.method`*:: +*`cisco.rsa.misc.content_version`*:: + -- -type: alias +This key captures Version level of a signature or database content. -alias to: http.request.method +type: keyword -- -*`iis.access.url`*:: +*`cisco.rsa.misc.hardware_id`*:: + -- -type: alias +This key is used to capture unique identifier for a device or system (NOT a Mac address) -alias to: url.path +type: keyword -- -*`iis.access.query_string`*:: +*`cisco.rsa.misc.risk`*:: + -- -type: alias +This key captures the non-numeric risk value -alias to: url.query +type: keyword -- -*`iis.access.port`*:: +*`cisco.rsa.misc.event_id`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`iis.access.user_name`*:: +*`cisco.rsa.misc.reason`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`iis.access.remote_ip`*:: +*`cisco.rsa.misc.status`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`iis.access.referrer`*:: +*`cisco.rsa.misc.mail_id`*:: + -- -type: alias +This key is used to capture the mailbox id/name -alias to: http.request.referrer +type: keyword -- -*`iis.access.response_code`*:: +*`cisco.rsa.misc.rule_uid`*:: + -- -type: alias +This key is the Unique Identifier for a rule. -alias to: http.response.status_code +type: keyword -- -*`iis.access.http_version`*:: +*`cisco.rsa.misc.trigger_desc`*:: + -- -type: alias +This key captures the Description of the trigger or threshold condition. 
-alias to: http.version +type: keyword -- -*`iis.access.hostname`*:: +*`cisco.rsa.misc.inout`*:: + -- -type: alias - -alias to: host.hostname +type: keyword -- - -*`iis.access.user_agent.device`*:: +*`cisco.rsa.misc.p_msgid`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`iis.access.user_agent.name`*:: +*`cisco.rsa.misc.data_type`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`iis.access.user_agent.os`*:: +*`cisco.rsa.misc.msgIdPart4`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`iis.access.user_agent.os_name`*:: +*`cisco.rsa.misc.error`*:: + -- -type: alias +This key captures All non successful Error codes or responses -alias to: user_agent.os.name +type: keyword -- -*`iis.access.user_agent.original`*:: +*`cisco.rsa.misc.index`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`iis.access.geoip.continent_name`*:: +*`cisco.rsa.misc.listnum`*:: + -- -type: alias +This key is used to capture listname or listnumber, primarily for collecting access-list -alias to: source.geo.continent_name +type: keyword -- -*`iis.access.geoip.country_iso_code`*:: +*`cisco.rsa.misc.ntype`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.access.geoip.location`*:: +*`cisco.rsa.misc.observed_val`*:: + -- -type: alias +This key captures the Value observed (from the perspective of the device generating the log). -alias to: source.geo.location +type: keyword -- -*`iis.access.geoip.region_name`*:: +*`cisco.rsa.misc.policy_value`*:: + -- -type: alias +This key captures the contents of the policy. 
This contains details about the policy -alias to: source.geo.region_name +type: keyword -- -*`iis.access.geoip.city_name`*:: +*`cisco.rsa.misc.pool_name`*:: + -- -type: alias +This key captures the name of a resource pool -alias to: source.geo.city_name +type: keyword -- -*`iis.access.geoip.region_iso_code`*:: +*`cisco.rsa.misc.rule_template`*:: + -- -type: alias +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error - -Contains fields for IIS error logs. - - - -*`iis.error.reason_phrase`*:: +*`cisco.rsa.misc.count`*:: + -- -The HTTP reason phrase. - - type: keyword -- -*`iis.error.queue_name`*:: +*`cisco.rsa.misc.number`*:: + -- -The IIS application pool name. +type: keyword +-- +*`cisco.rsa.misc.sigcat`*:: ++ +-- type: keyword -- -*`iis.error.remote_ip`*:: +*`cisco.rsa.misc.type`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`iis.error.remote_port`*:: +*`cisco.rsa.misc.comments`*:: + -- -type: alias +Comment information provided in the log message -alias to: source.port +type: keyword -- -*`iis.error.server_ip`*:: +*`cisco.rsa.misc.doc_number`*:: + -- -type: alias +This key captures File Identification number -alias to: destination.address +type: long -- -*`iis.error.server_port`*:: +*`cisco.rsa.misc.expected_val`*:: + -- -type: alias +This key captures the Value expected (from the perspective of the device generating the log). 
-alias to: destination.port +type: keyword -- -*`iis.error.http_version`*:: +*`cisco.rsa.misc.job_num`*:: + -- -type: alias +This key captures the Job Number -alias to: http.version +type: keyword -- -*`iis.error.method`*:: +*`cisco.rsa.misc.spi_dst`*:: + -- -type: alias +Destination SPI Index -alias to: http.request.method +type: keyword -- -*`iis.error.url`*:: +*`cisco.rsa.misc.spi_src`*:: + -- -type: alias +Source SPI Index -alias to: url.original +type: keyword -- -*`iis.error.response_code`*:: +*`cisco.rsa.misc.code`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- - -*`iis.error.geoip.continent_name`*:: +*`cisco.rsa.misc.agent_id`*:: + -- -type: alias +This key is used to capture agent id -alias to: source.geo.continent_name +type: keyword -- -*`iis.error.geoip.country_iso_code`*:: +*`cisco.rsa.misc.message_body`*:: + -- -type: alias +This key captures the The contents of the message body. -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.error.geoip.location`*:: +*`cisco.rsa.misc.phone`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`iis.error.geoip.region_name`*:: +*`cisco.rsa.misc.sig_id_str`*:: + -- -type: alias +This key captures a string object of the sigid variable. -alias to: source.geo.region_name +type: keyword -- -*`iis.error.geoip.city_name`*:: +*`cisco.rsa.misc.cmd`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`iis.error.geoip.region_iso_code`*:: +*`cisco.rsa.misc.misc`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-iptables]] -== iptables fields +*`cisco.rsa.misc.name`*:: ++ +-- +type: keyword -Module for handling the iptables logs. +-- +*`cisco.rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. +type: long -[float] -=== iptables +-- -Fields from the iptables logs. 
+*`cisco.rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred +type: keyword +-- -*`iptables.ether_type`*:: +*`cisco.rsa.misc.sig_id1`*:: + -- -Value of the ethernet type field identifying the network layer protocol. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -- -*`iptables.flow_label`*:: +*`cisco.rsa.misc.im_buddyid`*:: + -- -IPv6 flow label. +type: keyword +-- -type: integer +*`cisco.rsa.misc.im_client`*:: ++ +-- +type: keyword -- -*`iptables.fragment_flags`*:: +*`cisco.rsa.misc.im_userid`*:: + -- -IP fragment flags. A combination of CE, DF and MF. +type: keyword +-- +*`cisco.rsa.misc.pid`*:: ++ +-- type: keyword -- -*`iptables.fragment_offset`*:: +*`cisco.rsa.misc.priority`*:: + -- -Offset of the current IP fragment. - +type: keyword -type: long +-- +*`cisco.rsa.misc.context_subject`*:: ++ -- +This key is to be used in an audit context where the subject is the object being identified -[float] -=== icmp +type: keyword -ICMP fields. +-- +*`cisco.rsa.misc.context_target`*:: ++ +-- +type: keyword +-- -*`iptables.icmp.code`*:: +*`cisco.rsa.misc.cve`*:: + -- -ICMP code. - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: long +type: keyword -- -*`iptables.icmp.id`*:: +*`cisco.rsa.misc.fcatnum`*:: + -- -ICMP ID. +This key captures Filter Category Number. Legacy Usage - -type: long +type: keyword -- -*`iptables.icmp.parameter`*:: +*`cisco.rsa.misc.library`*:: + -- -ICMP parameter. - +This key is used to capture library information in mainframe devices -type: long +type: keyword -- -*`iptables.icmp.redirect`*:: +*`cisco.rsa.misc.parent_node`*:: + -- -ICMP redirect address. +This key captures the Parent Node Name. Must be related to node variable. - -type: ip +type: keyword -- -*`iptables.icmp.seq`*:: +*`cisco.rsa.misc.risk_info`*:: + -- -ICMP sequence number. 
- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`iptables.icmp.type`*:: +*`cisco.rsa.misc.tcp_flags`*:: + -- -ICMP type. - +This key is captures the TCP flags set in any packet of session type: long -- -*`iptables.id`*:: +*`cisco.rsa.misc.tos`*:: + -- -Packet identifier. - +This key describes the type of service type: long -- -*`iptables.incomplete_bytes`*:: +*`cisco.rsa.misc.vm_target`*:: + -- -Number of incomplete bytes. +VMWare Target **VMWARE** only varaible. - -type: long +type: keyword -- -*`iptables.input_device`*:: +*`cisco.rsa.misc.workspace`*:: + -- -Device that received the packet. - +This key captures Workspace Description type: keyword -- -*`iptables.precedence_bits`*:: +*`cisco.rsa.misc.command`*:: + -- -IP precedence bits. +type: keyword +-- -type: short +*`cisco.rsa.misc.event_category`*:: ++ +-- +type: keyword -- -*`iptables.tos`*:: +*`cisco.rsa.misc.facilityname`*:: + -- -IP Type of Service field. +type: keyword +-- -type: long +*`cisco.rsa.misc.forensic_info`*:: ++ +-- +type: keyword -- -*`iptables.length`*:: +*`cisco.rsa.misc.jobname`*:: + -- -Packet length. +type: keyword +-- -type: long +*`cisco.rsa.misc.mode`*:: ++ +-- +type: keyword -- -*`iptables.output_device`*:: +*`cisco.rsa.misc.policy`*:: + -- -Device that output the packet. +type: keyword +-- +*`cisco.rsa.misc.policy_waiver`*:: ++ +-- type: keyword -- -[float] -=== tcp +*`cisco.rsa.misc.second`*:: ++ +-- +type: keyword -TCP fields. +-- +*`cisco.rsa.misc.space1`*:: ++ +-- +type: keyword +-- -*`iptables.tcp.flags`*:: +*`cisco.rsa.misc.subcategory`*:: + -- -TCP flags. +type: keyword +-- +*`cisco.rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -*`iptables.tcp.reserved_bits`*:: +*`cisco.rsa.misc.alert_id`*:: + -- -TCP reserved bits. - +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: short +type: keyword -- -*`iptables.tcp.seq`*:: +*`cisco.rsa.misc.checksum_dst`*:: + -- -TCP sequence number. 
+This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: long +type: keyword -- -*`iptables.tcp.ack`*:: +*`cisco.rsa.misc.checksum_src`*:: + -- -TCP Acknowledgment number. - +This key is used to capture the checksum or hash of the source entity such as a file or process. -type: long +type: keyword -- -*`iptables.tcp.window`*:: +*`cisco.rsa.misc.fresult`*:: + -- -Advertised TCP window size. - +This key captures the Filter Result type: long -- -*`iptables.ttl`*:: +*`cisco.rsa.misc.payload_dst`*:: + -- -Time To Live field. - +This key is used to capture destination payload -type: integer +type: keyword -- -[float] -=== udp - -UDP fields. - - - -*`iptables.udp.length`*:: +*`cisco.rsa.misc.payload_src`*:: + -- -Length of the UDP header and payload. - +This key is used to capture source payload -type: long +type: keyword -- -[float] -=== ubiquiti - -Fields for Ubiquiti network devices. - - - -*`iptables.ubiquiti.input_zone`*:: +*`cisco.rsa.misc.pool_id`*:: + -- -Input zone. - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`iptables.ubiquiti.output_zone`*:: +*`cisco.rsa.misc.process_id_val`*:: + -- -Output zone. - +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`iptables.ubiquiti.rule_number`*:: +*`cisco.rsa.misc.risk_num_comm`*:: + -- -The rule number within the rule set. +This key captures Risk Number Community -type: keyword +type: double -- -*`iptables.ubiquiti.rule_set`*:: +*`cisco.rsa.misc.risk_num_next`*:: + -- -The rule set name. +This key captures Risk Number NextGen -type: keyword +type: double -- -[[exported-fields-jolokia-autodiscover]] -== Jolokia Discovery autodiscover provider fields - -Metadata from Jolokia Discovery added by the jolokia provider. 
+*`cisco.rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox +type: double +-- -*`jolokia.agent.version`*:: +*`cisco.rsa.misc.risk_num_static`*:: + -- -Version number of jolokia agent. - +This key captures Risk Number Static -type: keyword +type: double -- -*`jolokia.agent.id`*:: +*`cisco.rsa.misc.risk_suspicious`*:: + -- -Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`jolokia.server.product`*:: +*`cisco.rsa.misc.risk_warning`*:: + -- -The container product if detected. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`jolokia.server.version`*:: +*`cisco.rsa.misc.snmp_oid`*:: + -- -The container's version (if detected). - +SNMP Object Identifier type: keyword -- -*`jolokia.server.vendor`*:: +*`cisco.rsa.misc.sql`*:: + -- -The vendor of the container the agent is running in. - +This key captures the SQL query type: keyword -- -*`jolokia.url`*:: +*`cisco.rsa.misc.vuln_ref`*:: + -- -The URL how this agent can be contacted. - +This key captures the Vulnerability Reference details type: keyword -- -*`jolokia.secured`*:: +*`cisco.rsa.misc.acl_id`*:: + -- -Whether the agent was configured for authentication or not. - - -type: boolean +type: keyword -- -[[exported-fields-kafka]] -== Kafka fields - -Kafka module - - - -[float] -=== kafka - - - - -[float] -=== log - -Kafka log lines. - - - -*`kafka.log.level`*:: +*`cisco.rsa.misc.acl_op`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`kafka.log.message`*:: +*`cisco.rsa.misc.acl_pos`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`kafka.log.component`*:: +*`cisco.rsa.misc.acl_table`*:: + -- -Component the log is coming from. 
- - type: keyword -- -*`kafka.log.class`*:: +*`cisco.rsa.misc.admin`*:: + -- -Java class the log is coming from. - - type: keyword -- -*`kafka.log.thread`*:: +*`cisco.rsa.misc.alarm_id`*:: + -- -Thread name the log is coming from. - - type: keyword -- -[float] -=== trace - -Trace in the log line. - - - -*`kafka.log.trace.class`*:: +*`cisco.rsa.misc.alarmname`*:: + -- -Java class the trace is coming from. - - type: keyword -- -*`kafka.log.trace.message`*:: +*`cisco.rsa.misc.app_id`*:: + -- -Message part of the trace. - - -type: text +type: keyword -- -[[exported-fields-kibana]] -== kibana fields - -kibana Module - - - -[float] -=== kibana - - - - -[float] -=== log +*`cisco.rsa.misc.audit`*:: ++ +-- +type: keyword -Kafka log lines. +-- +*`cisco.rsa.misc.audit_object`*:: ++ +-- +type: keyword +-- -*`kibana.log.tags`*:: +*`cisco.rsa.misc.auditdata`*:: + -- -Kibana logging tags. +type: keyword +-- +*`cisco.rsa.misc.benchmark`*:: ++ +-- type: keyword -- -*`kibana.log.state`*:: +*`cisco.rsa.misc.bypass`*:: + -- -Current state of Kibana. 
+type: keyword +-- +*`cisco.rsa.misc.cache`*:: ++ +-- type: keyword -- -*`kibana.log.meta`*:: +*`cisco.rsa.misc.cache_hit`*:: + -- -type: object +type: keyword -- -*`kibana.log.kibana.log.meta.req.headers.referer`*:: +*`cisco.rsa.misc.cefversion`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`kibana.log.kibana.log.meta.req.referer`*:: +*`cisco.rsa.misc.cfg_attr`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: +*`cisco.rsa.misc.cfg_obj`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- -*`kibana.log.kibana.log.meta.req.remoteAddress`*:: +*`cisco.rsa.misc.cfg_path`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`kibana.log.kibana.log.meta.req.url`*:: +*`cisco.rsa.misc.changes`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`kibana.log.kibana.log.meta.statusCode`*:: +*`cisco.rsa.misc.client_ip`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`kibana.log.kibana.log.meta.method`*:: +*`cisco.rsa.misc.clustermembers`*:: + -- -type: alias +type: keyword -alias to: http.request.method +-- +*`cisco.rsa.misc.cn_acttimeout`*:: ++ -- +type: keyword -[[exported-fields-kubernetes-processor]] -== Kubernetes fields +-- -Kubernetes metadata added by the kubernetes processor +*`cisco.rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword +-- +*`cisco.rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword +-- -*`kubernetes.pod.name`*:: +*`cisco.rsa.misc.cn_ctr_dst_code`*:: + -- -Kubernetes pod name +type: keyword +-- +*`cisco.rsa.misc.cn_dst_tos`*:: ++ +-- type: keyword -- -*`kubernetes.pod.uid`*:: +*`cisco.rsa.misc.cn_dst_vlan`*:: + -- -Kubernetes Pod UID +type: keyword +-- +*`cisco.rsa.misc.cn_engine_id`*:: ++ +-- type: keyword -- -*`kubernetes.namespace`*:: +*`cisco.rsa.misc.cn_engine_type`*:: + -- -Kubernetes namespace +type: keyword +-- +*`cisco.rsa.misc.cn_f_switch`*:: ++ +-- type: 
keyword -- -*`kubernetes.node.name`*:: +*`cisco.rsa.misc.cn_flowsampid`*:: + -- -Kubernetes node name +type: keyword +-- +*`cisco.rsa.misc.cn_flowsampintv`*:: ++ +-- type: keyword -- -*`kubernetes.labels.*`*:: +*`cisco.rsa.misc.cn_flowsampmode`*:: + -- -Kubernetes labels map +type: keyword +-- -type: object +*`cisco.rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword -- -*`kubernetes.annotations.*`*:: +*`cisco.rsa.misc.cn_inpermbyts`*:: + -- -Kubernetes annotations map +type: keyword +-- -type: object +*`cisco.rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword -- -*`kubernetes.replicaset.name`*:: +*`cisco.rsa.misc.cn_invalid`*:: + -- -Kubernetes replicaset name +type: keyword +-- +*`cisco.rsa.misc.cn_ip_proto_ver`*:: ++ +-- type: keyword -- -*`kubernetes.deployment.name`*:: +*`cisco.rsa.misc.cn_ipv4_ident`*:: + -- -Kubernetes deployment name +type: keyword +-- +*`cisco.rsa.misc.cn_l_switch`*:: ++ +-- type: keyword -- -*`kubernetes.statefulset.name`*:: +*`cisco.rsa.misc.cn_log_did`*:: + -- -Kubernetes statefulset name +type: keyword +-- +*`cisco.rsa.misc.cn_log_rid`*:: ++ +-- type: keyword -- -*`kubernetes.container.name`*:: +*`cisco.rsa.misc.cn_max_ttl`*:: + -- -Kubernetes container name +type: keyword +-- +*`cisco.rsa.misc.cn_maxpcktlen`*:: ++ +-- type: keyword -- -*`kubernetes.container.image`*:: +*`cisco.rsa.misc.cn_min_ttl`*:: + -- -Kubernetes container image +type: keyword +-- +*`cisco.rsa.misc.cn_minpcktlen`*:: ++ +-- type: keyword -- -[[exported-fields-log]] -== Log file content fields +*`cisco.rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword -Contains log file lines. +-- +*`cisco.rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword +-- -*`log.file.path`*:: +*`cisco.rsa.misc.cn_mpls_lbl_2`*:: + -- -The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. 
+type: keyword +-- +*`cisco.rsa.misc.cn_mpls_lbl_3`*:: ++ +-- type: keyword -required: False - -- -*`log.source.address`*:: +*`cisco.rsa.misc.cn_mpls_lbl_4`*:: + -- -Source address from which the log event was read / sent from. +type: keyword +-- +*`cisco.rsa.misc.cn_mpls_lbl_5`*:: ++ +-- type: keyword -required: False - -- -*`log.offset`*:: +*`cisco.rsa.misc.cn_mpls_lbl_6`*:: + -- -The file offset the reported line starts at. - +type: keyword -type: long +-- -required: False +*`cisco.rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword -- -*`stream`*:: +*`cisco.rsa.misc.cn_mpls_lbl_8`*:: + -- -Log stream when reading container logs, can be 'stdout' or 'stderr' +type: keyword +-- +*`cisco.rsa.misc.cn_mpls_lbl_9`*:: ++ +-- type: keyword -required: False - -- -*`input.type`*:: +*`cisco.rsa.misc.cn_mplstoplabel`*:: + -- -The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. +type: keyword +-- -required: True +*`cisco.rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword -- -*`syslog.facility`*:: +*`cisco.rsa.misc.cn_mul_dst_byt`*:: + -- -The facility extracted from the priority. - +type: keyword -type: long +-- -required: False +*`cisco.rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword -- -*`syslog.priority`*:: +*`cisco.rsa.misc.cn_muligmptype`*:: + -- -The priority of the syslog event. - +type: keyword -type: long +-- -required: False +*`cisco.rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword -- -*`syslog.severity_label`*:: +*`cisco.rsa.misc.cn_sampint`*:: + -- -The human readable severity. +type: keyword +-- +*`cisco.rsa.misc.cn_seqctr`*:: ++ +-- type: keyword -required: False - -- -*`syslog.facility_label`*:: +*`cisco.rsa.misc.cn_spackets`*:: + -- -The human readable facility. +type: keyword +-- +*`cisco.rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -required: False - -- -*`process.program`*:: +*`cisco.rsa.misc.cn_src_vlan`*:: + -- -The name of the program. 
+type: keyword +-- +*`cisco.rsa.misc.cn_sysuptime`*:: ++ +-- type: keyword -required: False - -- -*`log.flags`*:: +*`cisco.rsa.misc.cn_template_id`*:: + -- -This field contains the flags of the event. - +type: keyword -- -*`http.response.content_length`*:: +*`cisco.rsa.misc.cn_totbytsexp`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- +*`cisco.rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword +-- -*`user_agent.os.full_name`*:: +*`cisco.rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`fileset.name`*:: +*`cisco.rsa.misc.cn_unixnanosecs`*:: + -- -The Filebeat fileset that generated this event. +type: keyword +-- +*`cisco.rsa.misc.cn_v6flowlabel`*:: ++ +-- type: keyword -- -*`fileset.module`*:: +*`cisco.rsa.misc.cn_v6optheaders`*:: + -- -type: alias - -alias to: event.module +type: keyword -- -*`read_timestamp`*:: +*`cisco.rsa.misc.comp_class`*:: + -- -type: alias - -alias to: event.created +type: keyword -- -*`docker.attrs`*:: +*`cisco.rsa.misc.comp_name`*:: + -- -docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. +type: keyword +-- -type: object +*`cisco.rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword -- -*`icmp.code`*:: +*`cisco.rsa.misc.comp_sbytes`*:: + -- -ICMP code. +type: keyword +-- +*`cisco.rsa.misc.cpu_data`*:: ++ +-- type: keyword -- -*`icmp.type`*:: +*`cisco.rsa.misc.criticality`*:: + -- -ICMP type. +type: keyword +-- +*`cisco.rsa.misc.cs_agency_dst`*:: ++ +-- type: keyword -- -*`igmp.type`*:: +*`cisco.rsa.misc.cs_analyzedby`*:: + -- -IGMP type. +type: keyword +-- +*`cisco.rsa.misc.cs_av_other`*:: ++ +-- type: keyword -- - -*`azure.eventhub`*:: +*`cisco.rsa.misc.cs_av_primary`*:: + -- -Name of the eventhub. +type: keyword +-- +*`cisco.rsa.misc.cs_av_secondary`*:: ++ +-- type: keyword -- -*`azure.offset`*:: +*`cisco.rsa.misc.cs_bgpv6nxthop`*:: + -- -The offset. 
+type: keyword +-- -type: long +*`cisco.rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword -- -*`azure.enqueued_time`*:: +*`cisco.rsa.misc.cs_context`*:: + -- -The enqueued time. +type: keyword +-- -type: date +*`cisco.rsa.misc.cs_control`*:: ++ +-- +type: keyword -- -*`azure.partition_id`*:: +*`cisco.rsa.misc.cs_data`*:: + -- -The partition id. +type: keyword +-- -type: long +*`cisco.rsa.misc.cs_datecret`*:: ++ +-- +type: keyword -- -*`azure.consumer_group`*:: +*`cisco.rsa.misc.cs_dst_tld`*:: + -- -The consumer group. +type: keyword +-- +*`cisco.rsa.misc.cs_eth_dst_ven`*:: ++ +-- type: keyword -- -*`azure.sequence_number`*:: +*`cisco.rsa.misc.cs_eth_src_ven`*:: + -- -The sequence number. - +type: keyword -type: long +-- +*`cisco.rsa.misc.cs_event_uuid`*:: ++ -- +type: keyword +-- -*`kafka.topic`*:: +*`cisco.rsa.misc.cs_filetype`*:: + -- -Kafka topic +type: keyword +-- +*`cisco.rsa.misc.cs_fld`*:: ++ +-- type: keyword -- -*`kafka.partition`*:: +*`cisco.rsa.misc.cs_if_desc`*:: + -- -Kafka partition number +type: keyword +-- -type: long +*`cisco.rsa.misc.cs_if_name`*:: ++ +-- +type: keyword -- -*`kafka.offset`*:: +*`cisco.rsa.misc.cs_ip_next_hop`*:: + -- -Kafka offset of this message +type: keyword +-- -type: long +*`cisco.rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword -- -*`kafka.key`*:: +*`cisco.rsa.misc.cs_ipv4srcpre`*:: + -- -Kafka key, corresponding to the Kafka value stored in the message +type: keyword +-- +*`cisco.rsa.misc.cs_lifetime`*:: ++ +-- type: keyword -- -*`kafka.block_timestamp`*:: +*`cisco.rsa.misc.cs_log_medium`*:: + -- -Kafka outer (compressed) block timestamp +type: keyword +-- -type: date +*`cisco.rsa.misc.cs_loginname`*:: ++ +-- +type: keyword -- -*`kafka.headers`*:: +*`cisco.rsa.misc.cs_modulescore`*:: + -- -An array of Kafka header strings for this message, in the form ": ". 
+type: keyword +-- -type: array +*`cisco.rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword -- -[[exported-fields-logstash]] -== logstash fields +*`cisco.rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword -logstash Module +-- +*`cisco.rsa.misc.cs_payload`*:: ++ +-- +type: keyword +-- -[float] -=== logstash +*`cisco.rsa.misc.cs_registrant`*:: ++ +-- +type: keyword +-- +*`cisco.rsa.misc.cs_registrar`*:: ++ +-- +type: keyword +-- -[float] -=== log +*`cisco.rsa.misc.cs_represult`*:: ++ +-- +type: keyword -Fields from the Logstash logs. +-- +*`cisco.rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword +-- -*`logstash.log.module`*:: +*`cisco.rsa.misc.cs_sampler_name`*:: + -- -The module or class where the event originate. +type: keyword +-- +*`cisco.rsa.misc.cs_sourcemodule`*:: ++ +-- type: keyword -- -*`logstash.log.thread`*:: +*`cisco.rsa.misc.cs_streams`*:: + -- -Information about the running thread where the log originate. +type: keyword +-- +*`cisco.rsa.misc.cs_targetmodule`*:: ++ +-- type: keyword -- -*`logstash.log.thread.text`*:: +*`cisco.rsa.misc.cs_v6nxthop`*:: + -- -type: text +type: keyword -- -*`logstash.log.log_event`*:: +*`cisco.rsa.misc.cs_whois_server`*:: + -- -key and value debugging information. +type: keyword +-- -type: object +*`cisco.rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword -- -*`logstash.log.pipeline_id`*:: +*`cisco.rsa.misc.description`*:: + -- -The ID of the pipeline. +type: keyword +-- +*`cisco.rsa.misc.devvendor`*:: ++ +-- type: keyword -example: main - -- -*`logstash.log.message`*:: +*`cisco.rsa.misc.distance`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`logstash.log.level`*:: +*`cisco.rsa.misc.dstburb`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -[float] -=== slowlog +*`cisco.rsa.misc.edomain`*:: ++ +-- +type: keyword -slowlog +-- +*`cisco.rsa.misc.edomaub`*:: ++ +-- +type: keyword +-- -*`logstash.slowlog.module`*:: +*`cisco.rsa.misc.euid`*:: + -- -The module or class where the event originate. 
+type: keyword +-- +*`cisco.rsa.misc.facility`*:: ++ +-- type: keyword -- -*`logstash.slowlog.thread`*:: +*`cisco.rsa.misc.finterface`*:: + -- -Information about the running thread where the log originate. +type: keyword +-- +*`cisco.rsa.misc.flags`*:: ++ +-- type: keyword -- -*`logstash.slowlog.thread.text`*:: +*`cisco.rsa.misc.gaddr`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.event`*:: +*`cisco.rsa.misc.id3`*:: + -- -Raw dump of the original event +type: keyword +-- +*`cisco.rsa.misc.im_buddyname`*:: ++ +-- type: keyword -- -*`logstash.slowlog.event.text`*:: +*`cisco.rsa.misc.im_croomid`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.plugin_name`*:: +*`cisco.rsa.misc.im_croomtype`*:: + -- -Name of the plugin +type: keyword +-- +*`cisco.rsa.misc.im_members`*:: ++ +-- type: keyword -- -*`logstash.slowlog.plugin_type`*:: +*`cisco.rsa.misc.im_username`*:: + -- -Type of the plugin: Inputs, Filters, Outputs or Codecs. +type: keyword +-- +*`cisco.rsa.misc.ipkt`*:: ++ +-- type: keyword -- -*`logstash.slowlog.took_in_millis`*:: +*`cisco.rsa.misc.ipscat`*:: + -- -Execution time for the plugin in milliseconds. +type: keyword +-- -type: long +*`cisco.rsa.misc.ipspri`*:: ++ +-- +type: keyword -- -*`logstash.slowlog.plugin_params`*:: +*`cisco.rsa.misc.latitude`*:: + -- -String value of the plugin configuration +type: keyword +-- +*`cisco.rsa.misc.linenum`*:: ++ +-- type: keyword -- -*`logstash.slowlog.plugin_params.text`*:: +*`cisco.rsa.misc.list_name`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.plugin_params_object`*:: +*`cisco.rsa.misc.load_data`*:: + -- -key -> value of the configuration used by the plugin. 
+type: keyword +-- -type: object +*`cisco.rsa.misc.location_floor`*:: ++ +-- +type: keyword -- -*`logstash.slowlog.level`*:: +*`cisco.rsa.misc.location_mark`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`logstash.slowlog.took_in_nanos`*:: +*`cisco.rsa.misc.log_id`*:: + -- -type: alias - -alias to: event.duration +type: keyword -- -[[exported-fields-misp]] -== MISP fields +*`cisco.rsa.misc.log_type`*:: ++ +-- +type: keyword -Module for handling threat information from MISP. +-- +*`cisco.rsa.misc.logid`*:: ++ +-- +type: keyword +-- -[float] -=== misp +*`cisco.rsa.misc.logip`*:: ++ +-- +type: keyword -Fields from MISP threat information. +-- +*`cisco.rsa.misc.logname`*:: ++ +-- +type: keyword +-- -[float] -=== attack_pattern +*`cisco.rsa.misc.longitude`*:: ++ +-- +type: keyword -Fields provide support for specifying information about attack patterns. +-- +*`cisco.rsa.misc.lport`*:: ++ +-- +type: keyword +-- -*`misp.attack_pattern.id`*:: +*`cisco.rsa.misc.mbug_data`*:: + -- -Identifier of the threat indicator. +type: keyword +-- +*`cisco.rsa.misc.misc_name`*:: ++ +-- type: keyword -- -*`misp.attack_pattern.name`*:: +*`cisco.rsa.misc.msg_type`*:: + -- -Name of the attack pattern. +type: keyword +-- +*`cisco.rsa.misc.msgid`*:: ++ +-- type: keyword -- -*`misp.attack_pattern.description`*:: +*`cisco.rsa.misc.netsessid`*:: + -- -Description of the attack pattern. +type: keyword +-- -type: text +*`cisco.rsa.misc.num`*:: ++ +-- +type: keyword -- -*`misp.attack_pattern.kill_chain_phases`*:: +*`cisco.rsa.misc.number1`*:: + -- -The kill chain phase(s) to which this attack pattern corresponds. +type: keyword +-- +*`cisco.rsa.misc.number2`*:: ++ +-- type: keyword -- -[float] -=== campaign +*`cisco.rsa.misc.nwwn`*:: ++ +-- +type: keyword -Fields provide support for specifying information about campaigns. +-- +*`cisco.rsa.misc.object`*:: ++ +-- +type: keyword +-- -*`misp.campaign.id`*:: +*`cisco.rsa.misc.operation`*:: + -- -Identifier of the campaign. 
+type: keyword +-- +*`cisco.rsa.misc.opkt`*:: ++ +-- type: keyword -- -*`misp.campaign.name`*:: +*`cisco.rsa.misc.orig_from`*:: + -- -Name of the campaign. +type: keyword +-- +*`cisco.rsa.misc.owner_id`*:: ++ +-- type: keyword -- -*`misp.campaign.description`*:: +*`cisco.rsa.misc.p_action`*:: + -- -Description of the campaign. +type: keyword +-- -type: text +*`cisco.rsa.misc.p_filter`*:: ++ +-- +type: keyword -- -*`misp.campaign.aliases`*:: +*`cisco.rsa.misc.p_group_object`*:: + -- -Alternative names used to identify this campaign. +type: keyword +-- -type: text +*`cisco.rsa.misc.p_id`*:: ++ +-- +type: keyword -- -*`misp.campaign.first_seen`*:: +*`cisco.rsa.misc.p_msgid1`*:: + -- -The time that this Campaign was first seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.p_msgid2`*:: ++ +-- +type: keyword -- -*`misp.campaign.last_seen`*:: +*`cisco.rsa.misc.p_result1`*:: + -- -The time that this Campaign was last seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.password_chg`*:: ++ +-- +type: keyword -- -*`misp.campaign.objective`*:: +*`cisco.rsa.misc.password_expire`*:: + -- -This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. +type: keyword +-- +*`cisco.rsa.misc.permgranted`*:: ++ +-- type: keyword -- -[float] -=== course_of_action +*`cisco.rsa.misc.permwanted`*:: ++ +-- +type: keyword -A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. +-- +*`cisco.rsa.misc.pgid`*:: ++ +-- +type: keyword +-- -*`misp.course_of_action.id`*:: +*`cisco.rsa.misc.policyUUID`*:: + -- -Identifier of the Course of Action. +type: keyword +-- +*`cisco.rsa.misc.prog_asp_num`*:: ++ +-- type: keyword -- -*`misp.course_of_action.name`*:: +*`cisco.rsa.misc.program`*:: + -- -The name used to identify the Course of Action. 
+type: keyword +-- +*`cisco.rsa.misc.real_data`*:: ++ +-- type: keyword -- -*`misp.course_of_action.description`*:: +*`cisco.rsa.misc.rec_asp_device`*:: + -- -Description of the Course of Action. +type: keyword +-- -type: text +*`cisco.rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword -- -[float] -=== identity +*`cisco.rsa.misc.rec_library`*:: ++ +-- +type: keyword -Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. +-- +*`cisco.rsa.misc.recordnum`*:: ++ +-- +type: keyword +-- -*`misp.identity.id`*:: +*`cisco.rsa.misc.ruid`*:: + -- -Identifier of the Identity. +type: keyword +-- +*`cisco.rsa.misc.sburb`*:: ++ +-- type: keyword -- -*`misp.identity.name`*:: +*`cisco.rsa.misc.sdomain_fld`*:: + -- -The name used to identify the Identity. +type: keyword +-- +*`cisco.rsa.misc.sec`*:: ++ +-- type: keyword -- -*`misp.identity.description`*:: +*`cisco.rsa.misc.sensorname`*:: + -- -Description of the Identity. +type: keyword +-- -type: text +*`cisco.rsa.misc.seqnum`*:: ++ +-- +type: keyword -- -*`misp.identity.identity_class`*:: +*`cisco.rsa.misc.session`*:: + -- -The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov +type: keyword +-- +*`cisco.rsa.misc.sessiontype`*:: ++ +-- type: keyword -- -*`misp.identity.labels`*:: +*`cisco.rsa.misc.sigUUID`*:: + -- -The list of roles that this Identity performs. +type: keyword +-- +*`cisco.rsa.misc.spi`*:: ++ +-- type: keyword -example: CEO +-- +*`cisco.rsa.misc.srcburb`*:: ++ +-- +type: keyword -- -*`misp.identity.sectors`*:: +*`cisco.rsa.misc.srcdom`*:: + -- -The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov +type: keyword +-- +*`cisco.rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`misp.identity.contact_information`*:: +*`cisco.rsa.misc.state`*:: + -- -The contact information (e-mail, phone number, etc.) for this Identity. 
+type: keyword +-- -type: text +*`cisco.rsa.misc.status1`*:: ++ +-- +type: keyword -- -[float] -=== intrusion_set +*`cisco.rsa.misc.svcno`*:: ++ +-- +type: keyword -An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. +-- +*`cisco.rsa.misc.system`*:: ++ +-- +type: keyword +-- -*`misp.intrusion_set.id`*:: +*`cisco.rsa.misc.tbdstr1`*:: + -- -Identifier of the Intrusion Set. +type: keyword +-- +*`cisco.rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`misp.intrusion_set.name`*:: +*`cisco.rsa.misc.tgtdomain`*:: + -- -The name used to identify the Intrusion Set. +type: keyword +-- +*`cisco.rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`misp.intrusion_set.description`*:: +*`cisco.rsa.misc.type1`*:: + -- -Description of the Intrusion Set. +type: keyword +-- -type: text +*`cisco.rsa.misc.udb_class`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.aliases`*:: +*`cisco.rsa.misc.url_fld`*:: + -- -Alternative names used to identify the Intrusion Set. +type: keyword +-- -type: text +*`cisco.rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.first_seen`*:: +*`cisco.rsa.misc.userid`*:: + -- -The time that this Intrusion Set was first seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.username_fld`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.last_seen`*:: +*`cisco.rsa.misc.utcstamp`*:: + -- -The time that this Intrusion Set was last seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.v_instafname`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.goals`*:: +*`cisco.rsa.misc.virt_data`*:: + -- -The high level goals of this Intrusion Set, namely, what are they trying to do. 
+type: keyword +-- -type: text +*`cisco.rsa.misc.vpnid`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.resource_level`*:: +*`cisco.rsa.misc.autorun_type`*:: + -- -This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov +This is used to capture Auto Run type - -type: text +type: keyword -- -*`misp.intrusion_set.primary_motivation`*:: +*`cisco.rsa.misc.cc_number`*:: + -- -The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov - +Valid Credit Card Numbers only -type: text +type: long -- -*`misp.intrusion_set.secondary_motivations`*:: +*`cisco.rsa.misc.content`*:: + -- -The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov +This key captures the content type from protocol headers - -type: text +type: keyword -- -[float] -=== malware - -Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. +*`cisco.rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only +type: long +-- -*`misp.malware.id`*:: +*`cisco.rsa.misc.found`*:: + -- -Identifier of the Malware. - +This is used to capture the results of regex match type: keyword -- -*`misp.malware.name`*:: +*`cisco.rsa.misc.language`*:: + -- -The name used to identify the Malware. - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`misp.malware.description`*:: +*`cisco.rsa.misc.lifetime`*:: + -- -Description of the Malware. - +This key is used to capture the session lifetime in seconds. -type: text +type: long -- -*`misp.malware.labels`*:: +*`cisco.rsa.misc.link`*:: + -- -The type of malware being described. 
Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm - +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`misp.malware.kill_chain_phases`*:: +*`cisco.rsa.misc.match`*:: + -- -The list of kill chain phases for which this Malware instance can be used. - +This key is for regex match name from search.ini type: keyword -format: string - -- -[float] -=== note - -A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. - - - -*`misp.note.id`*:: +*`cisco.rsa.misc.param_dst`*:: + -- -Identifier of the Note. - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`misp.note.summary`*:: +*`cisco.rsa.misc.param_src`*:: + -- -A brief description used as a summary of the Note. - +This key captures source parameter type: keyword -- -*`misp.note.description`*:: +*`cisco.rsa.misc.search_text`*:: + -- -The content of the Note. - +This key captures the Search Text used -type: text +type: keyword -- -*`misp.note.authors`*:: +*`cisco.rsa.misc.sig_name`*:: + -- -The name of the author(s) of this Note. - +This key is used to capture the Signature Name only. type: keyword -- -*`misp.note.object_refs`*:: +*`cisco.rsa.misc.snmp_value`*:: + -- -The STIX Objects (SDOs and SROs) that the note is being applied to. - +SNMP set request value type: keyword -- -[float] -=== threat_indicator +*`cisco.rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session -Fields provide support for specifying information about threat indicators, and related matching patterns. 
+type: long +-- -*`misp.threat_indicator.labels`*:: +*`cisco.rsa.db.index`*:: + -- -list of type open-vocab that specifies the type of indicator. - +This key captures IndexID of the index. type: keyword -example: Domain Watchlist - - -- -*`misp.threat_indicator.id`*:: +*`cisco.rsa.db.instance`*:: + -- -Identifier of the threat indicator. - +This key is used to capture the database server instance name type: keyword -- -*`misp.threat_indicator.version`*:: +*`cisco.rsa.db.database`*:: + -- -Version of the threat indicator. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`misp.threat_indicator.type`*:: +*`cisco.rsa.db.transact_id`*:: + -- -Type of the threat indicator. - +This key captures the SQL transantion ID of the current session type: keyword -- -*`misp.threat_indicator.description`*:: +*`cisco.rsa.db.permissions`*:: + -- -Description of the threat indicator. +This key captures permission or privilege level assigned to a resource. - -type: text +type: keyword -- -*`misp.threat_indicator.feed`*:: +*`cisco.rsa.db.table_name`*:: + -- -Name of the threat feed. - +This key is used to capture the table name -type: text +type: keyword -- -*`misp.threat_indicator.valid_from`*:: +*`cisco.rsa.db.db_id`*:: + -- -The time from which this Indicator should be considered valuable intelligence, in RFC3339 format. +This key is used to capture the unique identifier for a database - -type: date +type: keyword -- -*`misp.threat_indicator.valid_until`*:: +*`cisco.rsa.db.db_pid`*:: + -- -The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format. 
- +This key captures the process id of a connection with database server -type: date +type: long -- -*`misp.threat_indicator.severity`*:: +*`cisco.rsa.db.lread`*:: + -- -Threat severity to which this indicator corresponds. +This key is used for the number of logical reads +type: long -type: keyword +-- -example: high +*`cisco.rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes -format: string +type: long -- -*`misp.threat_indicator.confidence`*:: +*`cisco.rsa.db.pread`*:: + -- -Confidence level to which this indicator corresponds. - - -type: keyword +This key is used for the number of physical writes -example: high +type: long -- -*`misp.threat_indicator.kill_chain_phases`*:: + +*`cisco.rsa.network.alias_host`*:: + -- -The kill chain phase(s) to which this indicator corresponds. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -format: string - -- -*`misp.threat_indicator.mitre_tactic`*:: +*`cisco.rsa.network.domain`*:: + -- -MITRE tactics to which this indicator corresponds. - - type: keyword -example: Initial Access - -format: string - -- -*`misp.threat_indicator.mitre_technique`*:: +*`cisco.rsa.network.host_dst`*:: + -- -MITRE techniques to which this indicator corresponds. - +This key should only be used when it’s a Destination Hostname type: keyword -example: Drive-by Compromise - -format: string - -- -*`misp.threat_indicator.attack_pattern`*:: +*`cisco.rsa.network.network_service`*:: + -- -The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. 
- +This is used to capture layer 7 protocols/service names type: keyword -example: [destination:ip = '91.219.29.188/32'] - - -- -*`misp.threat_indicator.attack_pattern_kql`*:: +*`cisco.rsa.network.interface`*:: + -- -The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. - +This key should be used when the source or destination context of an interface is not clear type: keyword -example: destination.ip: "91.219.29.188/32" - - -- -*`misp.threat_indicator.negate`*:: +*`cisco.rsa.network.network_port`*:: + -- -When set to true, it specifies the absence of the attack_pattern. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: boolean +type: long -- -*`misp.threat_indicator.intrusion_set`*:: +*`cisco.rsa.network.eth_host`*:: + -- -Name of the intrusion set if known. - +Deprecated, use alias.mac type: keyword -- -*`misp.threat_indicator.campaign`*:: +*`cisco.rsa.network.sinterface`*:: + -- -Name of the attack campaign if known. - +This key should only be used when it’s a Source Interface type: keyword -- -*`misp.threat_indicator.threat_actor`*:: +*`cisco.rsa.network.dinterface`*:: + -- -Name of the threat actor if known. - +This key should only be used when it’s a Destination Interface type: keyword -- -[float] -=== observed_data - -Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. +*`cisco.rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN +type: long +-- -*`misp.observed_data.id`*:: +*`cisco.rsa.network.zone_src`*:: + -- -Identifier of the Observed Data. - +This key should only be used when it’s a Source Zone. 
type: keyword -- -*`misp.observed_data.first_observed`*:: +*`cisco.rsa.network.zone`*:: + -- -The beginning of the time window that the data was observed, in RFC3339 format. - +This key should be used when the source or destination context of a Zone is not clear -type: date +type: keyword -- -*`misp.observed_data.last_observed`*:: +*`cisco.rsa.network.zone_dst`*:: + -- -The end of the time window that the data was observed, in RFC3339 format. +This key should only be used when it’s a Destination Zone. - -type: date +type: keyword -- -*`misp.observed_data.number_observed`*:: +*`cisco.rsa.network.gateway`*:: + -- -The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive. - +This key is used to capture the IP Address of the gateway -type: integer +type: keyword -- -*`misp.observed_data.objects`*:: +*`cisco.rsa.network.icmp_type`*:: + -- -A dictionary of Cyber Observable Objects that describes the single fact that was observed. +This key is used to capture the ICMP type only - -type: keyword +type: long -- -[float] -=== report - -Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. +*`cisco.rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. +type: keyword +-- -*`misp.report.id`*:: +*`cisco.rsa.network.icmp_code`*:: + -- -Identifier of the Report. - +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`misp.report.labels`*:: +*`cisco.rsa.network.protocol_detail`*:: + -- -This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. 
threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability - +This key should be used to capture additional protocol information type: keyword -- -*`misp.report.name`*:: +*`cisco.rsa.network.dmask`*:: + -- -The name used to identify the Report. - +This key is used for Destionation Device network mask type: keyword -- -*`misp.report.description`*:: +*`cisco.rsa.network.port`*:: + -- -A description that provides more details and context about Report. +This key should only be used to capture a Network Port when the directionality is not clear - -type: text +type: long -- -*`misp.report.published`*:: +*`cisco.rsa.network.smask`*:: + -- -The date that this report object was officially published by the creator of this report, in RFC3339 format. - +This key is used for capturing source Network Mask -type: date +type: keyword -- -*`misp.report.object_refs`*:: +*`cisco.rsa.network.netname`*:: + -- -Specifies the STIX Objects that are referred to by this Report. +This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: text +type: keyword -- -[float] -=== threat_actor - -Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. +*`cisco.rsa.network.paddr`*:: ++ +-- +Deprecated +type: ip +-- -*`misp.threat_actor.id`*:: +*`cisco.rsa.network.faddr`*:: + -- -Identifier of the Threat Actor. - - type: keyword -- -*`misp.threat_actor.labels`*:: +*`cisco.rsa.network.lhost`*:: + -- -This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist - - type: keyword -- -*`misp.threat_actor.name`*:: +*`cisco.rsa.network.origin`*:: + -- -The name used to identify this Threat Actor or Threat Actor group. 
- - type: keyword -- -*`misp.threat_actor.description`*:: +*`cisco.rsa.network.remote_domain_id`*:: + -- -A description that provides more details and context about the Threat Actor. - - -type: text +type: keyword -- -*`misp.threat_actor.aliases`*:: +*`cisco.rsa.network.addr`*:: + -- -A list of other names that this Threat Actor is believed to use. - - -type: text +type: keyword -- -*`misp.threat_actor.roles`*:: +*`cisco.rsa.network.dns_a_record`*:: + -- -This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author - - -type: text +type: keyword -- -*`misp.threat_actor.goals`*:: +*`cisco.rsa.network.dns_ptr_record`*:: + -- -The high level goals of this Threat Actor, namely, what are they trying to do. - - -type: text +type: keyword -- -*`misp.threat_actor.sophistication`*:: +*`cisco.rsa.network.fhost`*:: + -- -The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator - - -type: text +type: keyword -- -*`misp.threat_actor.resource_level`*:: +*`cisco.rsa.network.fport`*:: + -- -This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government +type: keyword +-- -type: text +*`cisco.rsa.network.laddr`*:: ++ +-- +type: keyword -- -*`misp.threat_actor.primary_motivation`*:: +*`cisco.rsa.network.linterface`*:: + -- -The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable +type: keyword +-- -type: text +*`cisco.rsa.network.phost`*:: ++ +-- +type: keyword -- -*`misp.threat_actor.secondary_motivations`*:: +*`cisco.rsa.network.ad_computer_dst`*:: + -- -The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable - +Deprecated, use host.dst -type: text +type: keyword -- -*`misp.threat_actor.personal_motivations`*:: +*`cisco.rsa.network.eth_type`*:: + -- -The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: text +type: long -- -[float] -=== tool - -Tools are legitimate software that can be used by threat actors to perform attacks. +*`cisco.rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +type: long +-- -*`misp.tool.id`*:: +*`cisco.rsa.network.dns_cname_record`*:: + -- -Identifier of the Tool. +type: keyword +-- +*`cisco.rsa.network.dns_id`*:: ++ +-- type: keyword -- -*`misp.tool.labels`*:: +*`cisco.rsa.network.dns_opcode`*:: + -- -The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning +type: keyword +-- +*`cisco.rsa.network.dns_resp`*:: ++ +-- type: keyword -- -*`misp.tool.name`*:: +*`cisco.rsa.network.dns_type`*:: + -- -The name used to identify the Tool. 
+type: keyword +-- +*`cisco.rsa.network.domain1`*:: ++ +-- type: keyword -- -*`misp.tool.description`*:: +*`cisco.rsa.network.host_type`*:: + -- -A description that provides more details and context about the Tool. +type: keyword +-- -type: text +*`cisco.rsa.network.packet_length`*:: ++ +-- +type: keyword -- -*`misp.tool.tool_version`*:: +*`cisco.rsa.network.host_orig`*:: + -- -The version identifier associated with the Tool. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`misp.tool.kill_chain_phases`*:: +*`cisco.rsa.network.rpayload`*:: + -- -The list of kill chain phases for which this Tool instance can be used. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: text +type: keyword -- -[float] -=== vulnerability +*`cisco.rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN -A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. +type: keyword +-- -*`misp.vulnerability.id`*:: +*`cisco.rsa.investigations.ec_activity`*:: + -- -Identifier of the Vulnerability. - +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`misp.vulnerability.name`*:: +*`cisco.rsa.investigations.ec_theme`*:: + -- -The name used to identify the Vulnerability. - +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`misp.vulnerability.description`*:: +*`cisco.rsa.investigations.ec_subject`*:: + -- -A description that provides more details and context about the Vulnerability. +This key captures the Subject of a particular Event(Ex:User) - -type: text +type: keyword -- -[[exported-fields-mongodb]] -== mongodb fields +*`cisco.rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) -Module for parsing MongoDB log files. 
+type: keyword +-- +*`cisco.rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number -[float] -=== mongodb +type: long -Fields from MongoDB logs. +-- +*`cisco.rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code +type: keyword -[float] -=== log +-- -Contains fields from MongoDB logs. +*`cisco.rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +type: keyword +-- -*`mongodb.log.component`*:: +*`cisco.rsa.investigations.analysis_file`*:: + -- -Functional categorization of message - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -example: COMMAND - -- -*`mongodb.log.context`*:: +*`cisco.rsa.investigations.analysis_service`*:: + -- -Context of message - +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -example: initandlisten - -- -*`mongodb.log.severity`*:: +*`cisco.rsa.investigations.analysis_session`*:: + -- -type: alias +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session -alias to: log.level +type: keyword -- -*`mongodb.log.message`*:: +*`cisco.rsa.investigations.boc`*:: + -- -type: alias +This is used to capture behaviour of compromise -alias to: message +type: keyword -- -[[exported-fields-mssql]] -== mssql fields +*`cisco.rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise -MS SQL Filebeat Module +type: keyword +-- -[float] -=== mssql +*`cisco.rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category -Fields from the MSSQL log files +type: keyword +-- -[float] -=== log +*`cisco.rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context -Common log fields +type: keyword +-- -*`mssql.log.origin`*:: +*`cisco.rsa.investigations.ioc`*:: + -- -Origin of the message, usually the server but it can also be a recovery process +This is key capture indicator of compromise type: keyword -- -[[exported-fields-mysql]] -== MySQL fields - -Module for parsing the MySQL log files. +*`cisco.rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only +type: long -[float] -=== mysql +-- -Fields from the MySQL log files. +*`cisco.rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only +type: long +-- -*`mysql.thread_id`*:: +*`cisco.rsa.counters.event_counter`*:: + -- -The connection or thread ID for the query. - +This is used to capture the number of times an event repeated type: long -- -[float] -=== error - -Contains fields from the MySQL error logs. 
+*`cisco.rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only +type: keyword +-- -*`mysql.error.thread_id`*:: +*`cisco.rsa.counters.dclass_c3`*:: + -- -type: alias +This is a generic counter key that should be used with the label dclass.c3.str only -alias to: mysql.thread_id +type: long -- -*`mysql.error.level`*:: +*`cisco.rsa.counters.dclass_c1_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c1 only -alias to: log.level +type: keyword -- -*`mysql.error.message`*:: +*`cisco.rsa.counters.dclass_c2_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c2 only -alias to: message +type: keyword -- -[float] -=== slowlog - -Contains fields from the MySQL slow logs. +*`cisco.rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only +type: keyword +-- -*`mysql.slowlog.lock_time.sec`*:: +*`cisco.rsa.counters.dclass_r2`*:: + -- -The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. - +This is a generic ratio key that should be used with the label dclass.r2.str only -type: float +type: keyword -- -*`mysql.slowlog.rows_sent`*:: +*`cisco.rsa.counters.dclass_c3_str`*:: + -- -The number of rows returned by the query. +This is a generic counter string key that should be used with the label dclass.c3 only - -type: long +type: keyword -- -*`mysql.slowlog.rows_examined`*:: +*`cisco.rsa.counters.dclass_r3`*:: + -- -The number of rows scanned by the query. - +This is a generic ratio key that should be used with the label dclass.r3.str only -type: long +type: keyword -- -*`mysql.slowlog.rows_affected`*:: +*`cisco.rsa.counters.dclass_r2_str`*:: + -- -The number of rows modified by the query. 
+This is a generic ratio string key that should be used with the label dclass.r2 only - -type: long +type: keyword -- -*`mysql.slowlog.bytes_sent`*:: +*`cisco.rsa.counters.dclass_r3_str`*:: + -- -The number of bytes sent to client. - - -type: long +This is a generic ratio string key that should be used with the label dclass.r3 only -format: bytes +type: keyword -- -*`mysql.slowlog.bytes_received`*:: + +*`cisco.rsa.identity.auth_method`*:: + -- -The number of bytes received from client. - - -type: long +This key is used to capture authentication methods used only -format: bytes +type: keyword -- -*`mysql.slowlog.query`*:: +*`cisco.rsa.identity.user_role`*:: + -- -The slow query. +This key is used to capture the Role of a user only +type: keyword -- -*`mysql.slowlog.id`*:: +*`cisco.rsa.identity.dn`*:: + -- -type: alias +X.500 (LDAP) Distinguished Name -alias to: mysql.thread_id +type: keyword -- -*`mysql.slowlog.schema`*:: +*`cisco.rsa.identity.logon_type`*:: + -- -The schema where the slow query was executed. - +This key is used to capture the type of logon method used. type: keyword -- -*`mysql.slowlog.current_user`*:: +*`cisco.rsa.identity.profile`*:: + -- -Current authenticated user, used to determine access privileges. Can differ from the value for user. - +This key is used to capture the user profile type: keyword -- -*`mysql.slowlog.last_errno`*:: +*`cisco.rsa.identity.accesses`*:: + -- -Last SQL error seen. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`mysql.slowlog.killed`*:: +*`cisco.rsa.identity.realm`*:: + -- -Code of the reason if the query was killed. - +Radius realm or similar grouping of accounts type: keyword -- -*`mysql.slowlog.query_cache_hit`*:: +*`cisco.rsa.identity.user_sid_dst`*:: + -- -Whether the query cache was hit. 
- +This key captures Destination User Session ID -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_table`*:: +*`cisco.rsa.identity.dn_src`*:: + -- -Whether a temporary table was used to resolve the query. +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_table_on_disk`*:: +*`cisco.rsa.identity.org`*:: + -- -Whether the query needed temporary tables on disk. - +This key captures the User organization -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_tables`*:: +*`cisco.rsa.identity.dn_dst`*:: + -- -Number of temporary tables created for this query +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: long +type: keyword -- -*`mysql.slowlog.tmp_disk_tables`*:: +*`cisco.rsa.identity.firstname`*:: + -- -Number of temporary tables created on disk for this query. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`mysql.slowlog.tmp_table_sizes`*:: +*`cisco.rsa.identity.lastname`*:: + -- -Size of temporary tables created for this query. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: long - -format: bytes +type: keyword -- -*`mysql.slowlog.filesort`*:: +*`cisco.rsa.identity.user_dept`*:: + -- -Whether filesort optimization was used. +User's Department Names only - -type: boolean +type: keyword -- -*`mysql.slowlog.filesort_on_disk`*:: +*`cisco.rsa.identity.user_sid_src`*:: + -- -Whether filesort optimization was used and it needed temporary tables on disk. +This key captures Source User Session ID - -type: boolean +type: keyword -- -*`mysql.slowlog.priority_queue`*:: +*`cisco.rsa.identity.federated_sp`*:: + -- -Whether a priority queue was used for filesort. +This key is the Federated Service Provider. This is the application requesting authentication. 
- -type: boolean +type: keyword -- -*`mysql.slowlog.full_scan`*:: +*`cisco.rsa.identity.federated_idp`*:: + -- -Whether a full table scan was needed for the slow query. - +This key is the federated Identity Provider. This is the server providing the authentication. -type: boolean +type: keyword -- -*`mysql.slowlog.full_join`*:: +*`cisco.rsa.identity.logon_type_desc`*:: + -- -Whether a full join was needed for the slow query (no indexes were used for joins). +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - -type: boolean +type: keyword -- -*`mysql.slowlog.merge_passes`*:: +*`cisco.rsa.identity.middlename`*:: + -- -Number of merge passes executed for the query. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`mysql.slowlog.sort_merge_passes`*:: +*`cisco.rsa.identity.password`*:: + -- -Number of merge passes that the sort algorithm has had to do. +This key is for Passwords seen in any session, plain text or encrypted - -type: long +type: keyword -- -*`mysql.slowlog.sort_range_count`*:: +*`cisco.rsa.identity.host_role`*:: + -- -Number of sorts that were done using ranges. - +This key should only be used to capture the role of a Host Machine -type: long +type: keyword -- -*`mysql.slowlog.sort_rows`*:: +*`cisco.rsa.identity.ldap`*:: + -- -Number of sorted rows. +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: long +type: keyword -- -*`mysql.slowlog.sort_scan_count`*:: +*`cisco.rsa.identity.ldap_query`*:: + -- -Number of sorts that were done by scanning the table. 
- +This key is the Search criteria from an LDAP search -type: long +type: keyword -- -*`mysql.slowlog.log_slow_rate_type`*:: +*`cisco.rsa.identity.ldap_response`*:: + -- -Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. - +This key is to capture Results from an LDAP search type: keyword -- -*`mysql.slowlog.log_slow_rate_limit`*:: +*`cisco.rsa.identity.owner`*:: + -- -Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`mysql.slowlog.read_first`*:: +*`cisco.rsa.identity.service_account`*:: + -- -The number of times the first entry in an index was read. +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: long +type: keyword -- -*`mysql.slowlog.read_last`*:: + +*`cisco.rsa.email.email_dst`*:: + -- -The number of times the last key in an index was read. +This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: long +type: keyword -- -*`mysql.slowlog.read_key`*:: +*`cisco.rsa.email.email_src`*:: + -- -The number of requests to read a row based on a key. - +This key is used to capture the source email address only, when the source context is not clear use email -type: long +type: keyword -- -*`mysql.slowlog.read_next`*:: +*`cisco.rsa.email.subject`*:: + -- -The number of requests to read the next row in key order. +This key is used to capture the subject string from an Email only. - -type: long +type: keyword -- -*`mysql.slowlog.read_prev`*:: +*`cisco.rsa.email.email`*:: + -- -The number of requests to read the previous row in key order. 
- +This key is used to capture a generic email address where the source or destination context is not clear -type: long +type: keyword -- -*`mysql.slowlog.read_rnd`*:: +*`cisco.rsa.email.trans_from`*:: + -- -The number of requests to read a row based on a fixed position. +Deprecated key defined only in table map. - -type: long +type: keyword -- -*`mysql.slowlog.read_rnd_next`*:: +*`cisco.rsa.email.trans_to`*:: + -- -The number of requests to read the next row in the data file. - +Deprecated key defined only in table map. -type: long +type: keyword -- -[float] -=== innodb - -Contains fields relative to InnoDB engine - - -*`mysql.slowlog.innodb.trx_id`*:: +*`cisco.rsa.file.privilege`*:: + -- -Transaction ID - +Deprecated, use permissions type: keyword -- -*`mysql.slowlog.innodb.io_r_ops`*:: +*`cisco.rsa.file.attachment`*:: + -- -Number of page read operations. - +This key captures the attachment file name -type: long +type: keyword -- -*`mysql.slowlog.innodb.io_r_bytes`*:: +*`cisco.rsa.file.filesystem`*:: + -- -Bytes read during page read operations. - - -type: long - -format: bytes +type: keyword -- -*`mysql.slowlog.innodb.io_r_wait.sec`*:: +*`cisco.rsa.file.binary`*:: + -- -How long it took to read all needed data from storage. +Deprecated key defined only in table map. - -type: long +type: keyword -- -*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: +*`cisco.rsa.file.filename_dst`*:: + -- -How long the query waited for locks. - +This is used to capture name of the file targeted by the action -type: long +type: keyword -- -*`mysql.slowlog.innodb.queue_wait.sec`*:: +*`cisco.rsa.file.filename_src`*:: + -- -How long the query waited to enter the InnoDB queue and to be executed once in the queue. +This is used to capture name of the parent filename, the file which performed the action - -type: long +type: keyword -- -*`mysql.slowlog.innodb.pages_distinct`*:: +*`cisco.rsa.file.filename_tmp`*:: + -- -Approximated count of pages accessed to execute the query. 
- - -type: long +type: keyword -- -*`mysql.slowlog.user`*:: +*`cisco.rsa.file.directory_dst`*:: + -- -type: alias +This key is used to capture the directory of the target process or file -alias to: user.name +type: keyword -- -*`mysql.slowlog.host`*:: +*`cisco.rsa.file.directory_src`*:: + -- -type: alias +This key is used to capture the directory of the source process or file -alias to: source.domain +type: keyword -- -*`mysql.slowlog.ip`*:: +*`cisco.rsa.file.file_entropy`*:: + -- -type: alias +This is used to capture entropy vale of a file -alias to: source.ip +type: double -- -[[exported-fields-nats]] -== NATS fields - -Module for parsing NATS log files. +*`cisco.rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info +type: keyword +-- -[float] -=== nats +*`cisco.rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task -Fields from NATS logs. +type: keyword +-- -[float] -=== log +*`cisco.rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names -Nats log files +type: keyword +-- +*`cisco.rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. -[float] -=== client +type: keyword -Fields from NATS logs client. +-- +*`cisco.rsa.web.alias_host`*:: ++ +-- +type: keyword +-- -*`nats.log.client.id`*:: +*`cisco.rsa.web.reputation_num`*:: + -- -The id of the client +Reputation Number of an entity. Typically used for Web Domains - -type: integer +type: double -- -[float] -=== msg - -Fields from NATS logs message. 
+*`cisco.rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain +type: keyword +-- -*`nats.log.msg.bytes`*:: +*`cisco.rsa.web.web_ref_query`*:: + -- -Size of the payload in bytes +This key captures Web referer's query portion of the URL +type: keyword -type: long +-- -format: bytes +*`cisco.rsa.web.remote_domain`*:: ++ +-- +type: keyword -- -*`nats.log.msg.type`*:: +*`cisco.rsa.web.web_ref_page`*:: + -- -The protocol message type - +This key captures Web referer's page information type: keyword -- -*`nats.log.msg.subject`*:: +*`cisco.rsa.web.web_ref_root`*:: + -- -Subject name this message was received on - +Web referer's root URL path type: keyword -- -*`nats.log.msg.sid`*:: +*`cisco.rsa.web.cn_asn_dst`*:: + -- -The unique alphanumeric subscription ID of the subject - - -type: integer +type: keyword -- -*`nats.log.msg.reply_to`*:: +*`cisco.rsa.web.cn_rpackets`*:: + -- -The inbox subject on which the publisher is listening for responses +type: keyword +-- +*`cisco.rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`nats.log.msg.max_messages`*:: +*`cisco.rsa.web.urlroot`*:: + -- -An optional number of messages to wait for before automatically unsubscribing +type: keyword +-- -type: integer +*`cisco.rsa.web.p_url`*:: ++ +-- +type: keyword -- -*`nats.log.msg.error.message`*:: +*`cisco.rsa.web.p_user_agent`*:: + -- -Details about the error occurred +type: keyword +-- -type: text +*`cisco.rsa.web.p_web_cookie`*:: ++ +-- +type: keyword -- -*`nats.log.msg.queue_group`*:: +*`cisco.rsa.web.p_web_method`*:: + -- -The queue group which subscriber will join +type: keyword +-- -type: text +*`cisco.rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -[[exported-fields-netflow]] -== NetFlow fields +*`cisco.rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword -Fields from NetFlow and IPFIX flows. +-- +*`cisco.rsa.web.web_page`*:: ++ +-- +type: keyword +-- -[float] -=== netflow -Fields from NetFlow and IPFIX. 
+*`cisco.rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert +type: keyword +-- -*`netflow.type`*:: +*`cisco.rsa.threat.threat_desc`*:: + -- -The type of NetFlow record described by this event. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -[float] -=== exporter - -Metadata related to the exporter device that generated this record. +*`cisco.rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert +type: keyword +-- -*`netflow.exporter.address`*:: +*`cisco.rsa.threat.threat_source`*:: + -- -Exporter's network address in IP:port format. - +This key is used to capture source of the threat type: keyword -- -*`netflow.exporter.source_id`*:: + +*`cisco.rsa.crypto.crypto`*:: + -- -Observation domain ID to which this record belongs. - +This key is used to capture the Encryption Type or Encryption Key only -type: long +type: keyword -- -*`netflow.exporter.timestamp`*:: +*`cisco.rsa.crypto.cipher_src`*:: + -- -Time and date of export. +This key is for Source (Client) Cipher - -type: date +type: keyword -- -*`netflow.exporter.uptime_millis`*:: +*`cisco.rsa.crypto.cert_subject`*:: + -- -How long the exporter process has been running, in milliseconds. - +This key is used to capture the Certificate organization only -type: long +type: keyword -- -*`netflow.exporter.version`*:: +*`cisco.rsa.crypto.peer`*:: + -- -NetFlow version used. +This key is for Encryption peer's IP Address - -type: integer +type: keyword -- -*`netflow.octet_delta_count`*:: +*`cisco.rsa.crypto.cipher_size_src`*:: + -- +This key captures Source (Client) Cipher Size + type: long -- -*`netflow.packet_delta_count`*:: +*`cisco.rsa.crypto.ike`*:: + -- -type: long +IKE negotiation phase. 
+ +type: keyword -- -*`netflow.delta_flow_count`*:: +*`cisco.rsa.crypto.scheme`*:: + -- -type: long +This key captures the Encryption scheme used + +type: keyword -- -*`netflow.protocol_identifier`*:: +*`cisco.rsa.crypto.peer_id`*:: + -- -type: short +This key is for Encryption peer’s identity + +type: keyword -- -*`netflow.ip_class_of_service`*:: +*`cisco.rsa.crypto.sig_type`*:: + -- -type: short +This key captures the Signature Type + +type: keyword -- -*`netflow.tcp_control_bits`*:: +*`cisco.rsa.crypto.cert_issuer`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_port`*:: +*`cisco.rsa.crypto.cert_host_name`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.source_ipv4_address`*:: +*`cisco.rsa.crypto.cert_error`*:: + -- -type: ip +This key captures the Certificate Error String + +type: keyword -- -*`netflow.source_ipv4_prefix_length`*:: +*`cisco.rsa.crypto.cipher_dst`*:: + -- -type: short +This key is for Destination (Server) Cipher + +type: keyword -- -*`netflow.ingress_interface`*:: +*`cisco.rsa.crypto.cipher_size_dst`*:: + -- +This key captures Destination (Server) Cipher Size + type: long -- -*`netflow.destination_transport_port`*:: +*`cisco.rsa.crypto.ssl_ver_src`*:: + -- -type: integer +Deprecated, use version + +type: keyword -- -*`netflow.destination_ipv4_address`*:: +*`cisco.rsa.crypto.d_certauth`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv4_prefix_length`*:: +*`cisco.rsa.crypto.s_certauth`*:: + -- -type: short +type: keyword -- -*`netflow.egress_interface`*:: +*`cisco.rsa.crypto.ike_cookie1`*:: + -- -type: long +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword -- -*`netflow.ip_next_hop_ipv4_address`*:: +*`cisco.rsa.crypto.ike_cookie2`*:: + -- -type: ip +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword -- -*`netflow.bgp_source_as_number`*:: +*`cisco.rsa.crypto.cert_checksum`*:: + -- -type: long +type: keyword -- 
-*`netflow.bgp_destination_as_number`*:: +*`cisco.rsa.crypto.cert_host_cat`*:: + -- -type: long +This key is used for the hostname category value of a certificate + +type: keyword -- -*`netflow.bgp_next_hop_ipv4_address`*:: +*`cisco.rsa.crypto.cert_serial`*:: + -- -type: ip +This key is used to capture the Certificate serial number only + +type: keyword -- -*`netflow.post_mcast_packet_delta_count`*:: +*`cisco.rsa.crypto.cert_status`*:: + -- -type: long +This key captures Certificate validation status + +type: keyword -- -*`netflow.post_mcast_octet_delta_count`*:: +*`cisco.rsa.crypto.ssl_ver_dst`*:: + -- -type: long +Deprecated, use version + +type: keyword -- -*`netflow.flow_end_sys_up_time`*:: +*`cisco.rsa.crypto.cert_keysize`*:: + -- -type: long +type: keyword -- -*`netflow.flow_start_sys_up_time`*:: +*`cisco.rsa.crypto.cert_username`*:: + -- -type: long +type: keyword -- -*`netflow.post_octet_delta_count`*:: +*`cisco.rsa.crypto.https_insact`*:: + -- -type: long +type: keyword -- -*`netflow.post_packet_delta_count`*:: +*`cisco.rsa.crypto.https_valid`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_ip_total_length`*:: +*`cisco.rsa.crypto.cert_ca`*:: + -- -type: long +This key is used to capture the Certificate signing authority only + +type: keyword -- -*`netflow.maximum_ip_total_length`*:: +*`cisco.rsa.crypto.cert_common`*:: + -- -type: long +This key is used to capture the Certificate common name only --- +type: keyword -*`netflow.source_ipv6_address`*:: -+ -- -type: ip --- -*`netflow.destination_ipv6_address`*:: +*`cisco.rsa.wireless.wlan_ssid`*:: + -- -type: ip +This key is used to capture the ssid of a Wireless Session + +type: keyword -- -*`netflow.source_ipv6_prefix_length`*:: +*`cisco.rsa.wireless.access_point`*:: + -- -type: short +This key is used to capture the access point name. 
+ +type: keyword -- -*`netflow.destination_ipv6_prefix_length`*:: +*`cisco.rsa.wireless.wlan_channel`*:: + -- -type: short +This is used to capture the channel names + +type: long -- -*`netflow.flow_label_ipv6`*:: +*`cisco.rsa.wireless.wlan_name`*:: + -- -type: long +This key captures either WLAN number/name + +type: keyword -- -*`netflow.icmp_type_code_ipv4`*:: + +*`cisco.rsa.storage.disk_volume`*:: + -- -type: integer +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword -- -*`netflow.igmp_type`*:: +*`cisco.rsa.storage.lun`*:: + -- -type: short +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword -- -*`netflow.sampling_interval`*:: +*`cisco.rsa.storage.pwwn`*:: + -- -type: long +This uniquely identifies a port on a HBA. + +type: keyword -- -*`netflow.sampling_algorithm`*:: + +*`cisco.rsa.physical.org_dst`*:: + -- -type: short +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword -- -*`netflow.flow_active_timeout`*:: +*`cisco.rsa.physical.org_src`*:: + -- -type: integer +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword -- -*`netflow.flow_idle_timeout`*:: + +*`cisco.rsa.healthcare.patient_fname`*:: + -- -type: integer +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.engine_type`*:: +*`cisco.rsa.healthcare.patient_id`*:: + -- -type: short +This key captures the unique ID for a patient + +type: keyword -- -*`netflow.engine_id`*:: +*`cisco.rsa.healthcare.patient_lname`*:: + -- -type: short +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.exported_octet_total_count`*:: +*`cisco.rsa.healthcare.patient_mname`*:: + -- -type: long +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.exported_message_total_count`*:: + +*`cisco.rsa.endpoint.host_state`*:: + -- -type: long +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword -- -*`netflow.exported_flow_record_total_count`*:: +*`cisco.rsa.endpoint.registry_key`*:: + -- -type: long +This key captures the path to the registry key + +type: keyword -- -*`netflow.ipv4_router_sc`*:: +*`cisco.rsa.endpoint.registry_value`*:: + -- -type: ip +This key captures values or decorators used within a registry entry + +type: keyword -- -*`netflow.source_ipv4_prefix`*:: +[[exported-fields-citrix]] +== Citrix XenApp fields + +citrix fields. + + + +*`network.interface.name`*:: + -- -type: ip +Name of the network interface where the traffic has been observed. 
+ + +type: keyword -- -*`netflow.destination_ipv4_prefix`*:: + + +*`rsa.internal.msg`*:: + -- -type: ip +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword -- -*`netflow.mpls_top_label_type`*:: +*`rsa.internal.messageid`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_top_label_ipv4_address`*:: +*`rsa.internal.event_desc`*:: + -- -type: ip +type: keyword -- -*`netflow.sampler_id`*:: +*`rsa.internal.message`*:: + -- -type: short +This key captures the contents of instant messages + +type: keyword -- -*`netflow.sampler_mode`*:: +*`rsa.internal.time`*:: + -- -type: short +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`netflow.sampler_random_interval`*:: +*`rsa.internal.level`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`netflow.class_id`*:: +*`rsa.internal.msg_id`*:: + -- -type: long +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.minimum_ttl`*:: +*`rsa.internal.msg_vid`*:: + -- -type: short +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.maximum_ttl`*:: +*`rsa.internal.data`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.fragment_identification`*:: +*`rsa.internal.obj_server`*:: + -- -type: long +Deprecated key defined only in table map. 
+ +type: keyword -- -*`netflow.post_ip_class_of_service`*:: +*`rsa.internal.obj_val`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.source_mac_address`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`netflow.post_destination_mac_address`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`netflow.vlan_id`*:: +*`rsa.internal.statement`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.post_vlan_id`*:: +*`rsa.internal.audit_class`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ip_version`*:: +*`rsa.internal.entry`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.flow_direction`*:: +*`rsa.internal.hcode`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ip_next_hop_ipv6_address`*:: +*`rsa.internal.inode`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: long -- -*`netflow.bgp_next_hop_ipv6_address`*:: +*`rsa.internal.resource_class`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ipv6_extension_headers`*:: +*`rsa.internal.dead`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`netflow.mpls_top_label_stack_section`*:: +*`rsa.internal.feed_desc`*:: + -- -type: short +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section2`*:: +*`rsa.internal.feed_name`*:: + -- -type: short +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section3`*:: +*`rsa.internal.cid`*:: + -- -type: short +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section4`*:: +*`rsa.internal.device_class`*:: + -- -type: short +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section5`*:: +*`rsa.internal.device_group`*:: + -- -type: short +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section6`*:: +*`rsa.internal.device_host`*:: + -- -type: short +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section7`*:: +*`rsa.internal.device_ip`*:: + -- -type: short +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.mpls_label_stack_section8`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: short +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.mpls_label_stack_section9`*:: +*`rsa.internal.device_type`*:: + -- -type: short +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section10`*:: +*`rsa.internal.device_type_id`*:: + -- -type: short +Deprecated key defined only in table map. + +type: long -- -*`netflow.destination_mac_address`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.post_source_mac_address`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`netflow.interface_name`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`netflow.interface_description`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`netflow.sampler_name`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.octet_total_count`*:: +*`rsa.internal.forward_ip`*:: + -- -type: long - --- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
-*`netflow.packet_total_count`*:: -+ --- -type: long +type: ip -- -*`netflow.flags_and_sampler_id`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: long +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.fragment_offset`*:: +*`rsa.internal.header_id`*:: + -- -type: integer +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.forwarding_status`*:: +*`rsa.internal.lc_cid`*:: + -- -type: short +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_vpn_route_distinguisher`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: short +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`netflow.mpls_top_label_prefix_length`*:: +*`rsa.internal.mcb_req`*:: + -- -type: short +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`netflow.src_traffic_index`*:: +*`rsa.internal.mcb_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`netflow.dst_traffic_index`*:: +*`rsa.internal.mcbc_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- -*`netflow.application_description`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`netflow.application_id`*:: +*`rsa.internal.medium`*:: + -- -type: short +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`netflow.application_name`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. 
+ type: keyword -- -*`netflow.post_ip_diff_serv_code_point`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -type: short - --- +This key denotes that event is endpoint related -*`netflow.multicast_replication_factor`*:: -+ --- -type: long +type: keyword -- -*`netflow.class_name`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.classification_engine_id`*:: +*`rsa.internal.payload_req`*:: + -- -type: short - --- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -*`netflow.layer2packet_section_offset`*:: -+ --- -type: integer +type: long -- -*`netflow.layer2packet_section_size`*:: +*`rsa.internal.payload_res`*:: + -- -type: integer +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`netflow.layer2packet_section_data`*:: +*`rsa.internal.process_vid_dst`*:: + -- -type: short +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword -- -*`netflow.bgp_next_adjacent_as_number`*:: +*`rsa.internal.process_vid_src`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword -- -*`netflow.bgp_prev_adjacent_as_number`*:: +*`rsa.internal.rid`*:: + -- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`netflow.exporter_ipv4_address`*:: +*`rsa.internal.session_split`*:: + -- -type: ip +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.exporter_ipv6_address`*:: +*`rsa.internal.site`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.dropped_octet_delta_count`*:: +*`rsa.internal.size`*:: + -- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`netflow.dropped_packet_delta_count`*:: +*`rsa.internal.sourcefile`*:: + -- -type: long +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.dropped_octet_total_count`*:: +*`rsa.internal.ubc_req`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`netflow.dropped_packet_total_count`*:: +*`rsa.internal.ubc_res`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`netflow.flow_end_reason`*:: +*`rsa.internal.word`*:: + -- -type: short +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword -- -*`netflow.common_properties_id`*:: + +*`rsa.time.event_time`*:: + -- -type: long +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`netflow.observation_point_id`*:: +*`rsa.time.duration_time`*:: + -- -type: long +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`netflow.icmp_type_code_ipv6`*:: +*`rsa.time.event_time_str`*:: + -- -type: integer +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword -- -*`netflow.mpls_top_label_ipv6_address`*:: +*`rsa.time.starttime`*:: + -- -type: ip +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`netflow.line_card_id`*:: +*`rsa.time.month`*:: + -- -type: long +type: keyword -- -*`netflow.port_id`*:: +*`rsa.time.day`*:: + -- -type: long +type: keyword -- -*`netflow.metering_process_id`*:: +*`rsa.time.endtime`*:: + -- -type: long +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`netflow.exporting_process_id`*:: +*`rsa.time.timezone`*:: + -- -type: long +This key is used to capture the timezone of the Event Time + +type: keyword -- -*`netflow.template_id`*:: +*`rsa.time.duration_str`*:: + -- -type: integer +A text string version of the duration + +type: keyword -- -*`netflow.wlan_channel_id`*:: +*`rsa.time.date`*:: + -- -type: short +type: keyword -- -*`netflow.wlan_ssid`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`netflow.flow_id`*:: +*`rsa.time.recorded_time`*:: + -- -type: long +The event time as recorded by the system the event is 
collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`netflow.observation_domain_id`*:: +*`rsa.time.datetime`*:: + -- -type: long +type: keyword -- -*`netflow.flow_start_seconds`*:: +*`rsa.time.effective_time`*:: + -- +This key is the effective time referenced by an individual event in a Standard Timestamp format + type: date -- -*`netflow.flow_end_seconds`*:: +*`rsa.time.expire_time`*:: + -- +This key is the timestamp that explicitly refers to an expiration. + type: date -- -*`netflow.flow_start_milliseconds`*:: +*`rsa.time.process_time`*:: + -- -type: date +Deprecated, use duration.time + +type: keyword -- -*`netflow.flow_end_milliseconds`*:: +*`rsa.time.hour`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_microseconds`*:: +*`rsa.time.min`*:: + -- -type: date +type: keyword -- -*`netflow.flow_end_microseconds`*:: +*`rsa.time.timestamp`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_nanoseconds`*:: +*`rsa.time.event_queue_time`*:: + -- +This key is the Time that the event was queued. 
+ type: date -- -*`netflow.flow_end_nanoseconds`*:: +*`rsa.time.p_time1`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_delta_microseconds`*:: +*`rsa.time.tzone`*:: + -- -type: long +type: keyword -- -*`netflow.flow_end_delta_microseconds`*:: +*`rsa.time.eventtime`*:: + -- -type: long +type: keyword -- -*`netflow.system_init_time_milliseconds`*:: +*`rsa.time.gmtdate`*:: + -- -type: date +type: keyword -- -*`netflow.flow_duration_milliseconds`*:: +*`rsa.time.gmttime`*:: + -- -type: long +type: keyword -- -*`netflow.flow_duration_microseconds`*:: +*`rsa.time.p_date`*:: + -- -type: long +type: keyword -- -*`netflow.observed_flow_total_count`*:: +*`rsa.time.p_month`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_packet_total_count`*:: +*`rsa.time.p_time`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_octet_total_count`*:: +*`rsa.time.p_time2`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_flow_total_count`*:: +*`rsa.time.p_year`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_packet_total_count`*:: +*`rsa.time.expire_time_str`*:: + -- -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword -- -*`netflow.not_sent_octet_total_count`*:: +*`rsa.time.stamp`*:: + -- -type: long +Deprecated key defined only in table map. + +type: date -- -*`netflow.destination_ipv6_prefix`*:: + +*`rsa.misc.action`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv6_prefix`*:: +*`rsa.misc.result`*:: + -- -type: ip +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword -- -*`netflow.post_octet_total_count`*:: +*`rsa.misc.severity`*:: + -- -type: long +This key is used to capture the severity given the session + +type: keyword -- -*`netflow.post_packet_total_count`*:: +*`rsa.misc.event_type`*:: + -- -type: long +This key captures the event category type as specified by the event source. 
+ +type: keyword -- -*`netflow.flow_key_indicator`*:: +*`rsa.misc.reference_id`*:: + -- -type: long +This key is used to capture an event id from the session directly + +type: keyword -- -*`netflow.post_mcast_packet_total_count`*:: +*`rsa.misc.version`*:: + -- -type: long +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`netflow.post_mcast_octet_total_count`*:: +*`rsa.misc.disposition`*:: + -- -type: long +This key captures the The end state of an action. + +type: keyword -- -*`netflow.icmp_type_ipv4`*:: +*`rsa.misc.result_code`*:: + -- -type: short +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword -- -*`netflow.icmp_code_ipv4`*:: +*`rsa.misc.category`*:: + -- -type: short +This key is used to capture the category of an event given by the vendor in the session + +type: keyword -- -*`netflow.icmp_type_ipv6`*:: +*`rsa.misc.obj_name`*:: + -- -type: short +This is used to capture name of object + +type: keyword -- -*`netflow.icmp_code_ipv6`*:: +*`rsa.misc.obj_type`*:: + -- -type: short +This is used to capture type of object + +type: keyword -- -*`netflow.udp_source_port`*:: +*`rsa.misc.event_source`*:: + -- -type: integer +This key captures Source of the event that’s not a hostname + +type: keyword -- -*`netflow.udp_destination_port`*:: +*`rsa.misc.log_session_id`*:: + -- -type: integer +This key is used to capture a sessionid from the session directly + +type: keyword -- -*`netflow.tcp_source_port`*:: +*`rsa.misc.group`*:: + -- -type: integer +This key captures the Group Name value + +type: keyword -- -*`netflow.tcp_destination_port`*:: +*`rsa.misc.policy_name`*:: + -- -type: integer +This key is used to capture the Policy Name only. 
+ +type: keyword -- -*`netflow.tcp_sequence_number`*:: +*`rsa.misc.rule_name`*:: + -- -type: long +This key captures the Rule Name + +type: keyword -- -*`netflow.tcp_acknowledgement_number`*:: +*`rsa.misc.context`*:: + -- -type: long +This key captures Information which adds additional context to the event. + +type: keyword -- -*`netflow.tcp_window_size`*:: +*`rsa.misc.change_new`*:: + -- -type: integer +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword -- -*`netflow.tcp_urgent_pointer`*:: +*`rsa.misc.space`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_header_length`*:: +*`rsa.misc.client`*:: + -- -type: short +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword -- -*`netflow.ip_header_length`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: short +type: keyword -- -*`netflow.total_length_ipv4`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: integer +type: keyword -- -*`netflow.payload_length_ipv6`*:: +*`rsa.misc.change_old`*:: + -- -type: integer +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword -- -*`netflow.ip_ttl`*:: +*`rsa.misc.operation_id`*:: + -- -type: short +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword -- -*`netflow.next_header_ipv6`*:: +*`rsa.misc.event_state`*:: + -- -type: short +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword -- -*`netflow.mpls_payload_length`*:: +*`rsa.misc.group_object`*:: + -- -type: long +This key captures a collection/grouping of entities. Specific usage + +type: keyword -- -*`netflow.ip_diff_serv_code_point`*:: +*`rsa.misc.node`*:: + -- -type: short +Common use case is the node name within a cluster. 
The cluster name is reflected by the host name. + +type: keyword -- -*`netflow.ip_precedence`*:: +*`rsa.misc.rule`*:: + -- -type: short +This key captures the Rule number + +type: keyword -- -*`netflow.fragment_flags`*:: +*`rsa.misc.device_name`*:: + -- -type: short +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword -- -*`netflow.octet_delta_sum_of_squares`*:: +*`rsa.misc.param`*:: + -- -type: long +This key is the parameters passed as part of a command or application, etc. + +type: keyword -- -*`netflow.octet_total_sum_of_squares`*:: +*`rsa.misc.change_attrib`*:: + -- -type: long +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword -- -*`netflow.mpls_top_label_ttl`*:: +*`rsa.misc.event_computer`*:: + -- -type: short +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword -- -*`netflow.mpls_label_stack_length`*:: +*`rsa.misc.reference_id1`*:: + -- -type: long +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword -- -*`netflow.mpls_label_stack_depth`*:: +*`rsa.misc.event_log`*:: + -- -type: long +This key captures the Name of the event log + +type: keyword -- -*`netflow.mpls_top_label_exp`*:: +*`rsa.misc.OS`*:: + -- -type: short +This key captures the Name of the Operating System + +type: keyword -- -*`netflow.ip_payload_length`*:: +*`rsa.misc.terminal`*:: + -- -type: long +This key captures the Terminal Names only + +type: keyword -- -*`netflow.udp_message_length`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: integer +type: keyword -- -*`netflow.is_multicast`*:: +*`rsa.misc.filter`*:: + -- -type: short +This key captures Filter used to reduce result set + +type: keyword -- -*`netflow.ipv4_ihl`*:: +*`rsa.misc.serial_number`*:: + -- -type: short +This key is the Serial number associated with a physical asset. 
+ +type: keyword -- -*`netflow.ipv4_options`*:: +*`rsa.misc.checksum`*:: + -- -type: long +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword -- -*`netflow.tcp_options`*:: +*`rsa.misc.event_user`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword -- -*`netflow.padding_octets`*:: +*`rsa.misc.virusname`*:: + -- -type: short +This key captures the name of the virus + +type: keyword -- -*`netflow.collector_ipv4_address`*:: +*`rsa.misc.content_type`*:: + -- -type: ip +This key is used to capture Content Type only. + +type: keyword -- -*`netflow.collector_ipv6_address`*:: +*`rsa.misc.group_id`*:: + -- -type: ip +This key captures Group ID Number (related to the group name) + +type: keyword -- -*`netflow.export_interface`*:: +*`rsa.misc.policy_id`*:: + -- -type: long +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword -- -*`netflow.export_protocol_version`*:: +*`rsa.misc.vsys`*:: + -- -type: short +This key captures Virtual System Name + +type: keyword -- -*`netflow.export_transport_protocol`*:: +*`rsa.misc.connection_id`*:: + -- -type: short +This key captures the Connection ID + +type: keyword -- -*`netflow.collector_transport_port`*:: +*`rsa.misc.reference_id2`*:: + -- -type: integer +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword -- -*`netflow.exporter_transport_port`*:: +*`rsa.misc.sensor`*:: + -- -type: integer +This key captures Name of the sensor. 
Typically used in IDS/IPS based devices + +type: keyword -- -*`netflow.tcp_syn_total_count`*:: +*`rsa.misc.sig_id`*:: + -- +This key captures IDS/IPS Int Signature ID + type: long -- -*`netflow.tcp_fin_total_count`*:: +*`rsa.misc.port_name`*:: + -- -type: long +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword -- -*`netflow.tcp_rst_total_count`*:: +*`rsa.misc.rule_group`*:: + -- -type: long +This key captures the Rule group name + +type: keyword -- -*`netflow.tcp_psh_total_count`*:: +*`rsa.misc.risk_num`*:: + -- -type: long +This key captures a Numeric Risk value + +type: double -- -*`netflow.tcp_ack_total_count`*:: +*`rsa.misc.trigger_val`*:: + -- -type: long +This key captures the Value of the trigger or threshold condition. + +type: keyword -- -*`netflow.tcp_urg_total_count`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: long +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword -- -*`netflow.ip_total_length`*:: +*`rsa.misc.comp_version`*:: + -- -type: long +This key captures the Version level of a sub-component of a product. + +type: keyword -- -*`netflow.post_nat_source_ipv4_address`*:: +*`rsa.misc.content_version`*:: + -- -type: ip +This key captures Version level of a signature or database content. 
+ +type: keyword -- -*`netflow.post_nat_destination_ipv4_address`*:: +*`rsa.misc.hardware_id`*:: + -- -type: ip +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword -- -*`netflow.post_napt_source_transport_port`*:: +*`rsa.misc.risk`*:: + -- -type: integer +This key captures the non-numeric risk value + +type: keyword -- -*`netflow.post_napt_destination_transport_port`*:: +*`rsa.misc.event_id`*:: + -- -type: integer +type: keyword -- -*`netflow.nat_originating_address_realm`*:: +*`rsa.misc.reason`*:: + -- -type: short +type: keyword -- -*`netflow.nat_event`*:: +*`rsa.misc.status`*:: + -- -type: short +type: keyword -- -*`netflow.initiator_octets`*:: +*`rsa.misc.mail_id`*:: + -- -type: long +This key is used to capture the mailbox id/name + +type: keyword -- -*`netflow.responder_octets`*:: +*`rsa.misc.rule_uid`*:: + -- -type: long +This key is the Unique Identifier for a rule. + +type: keyword -- -*`netflow.firewall_event`*:: +*`rsa.misc.trigger_desc`*:: + -- -type: short +This key captures the Description of the trigger or threshold condition. 
+ +type: keyword -- -*`netflow.ingress_vrfid`*:: +*`rsa.misc.inout`*:: + -- -type: long +type: keyword -- -*`netflow.egress_vrfid`*:: +*`rsa.misc.p_msgid`*:: + -- -type: long +type: keyword -- -*`netflow.vr_fname`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`netflow.post_mpls_top_label_exp`*:: +*`rsa.misc.msgIdPart4`*:: + -- -type: short +type: keyword -- -*`netflow.tcp_window_scale`*:: +*`rsa.misc.error`*:: + -- -type: integer +This key captures All non successful Error codes or responses + +type: keyword -- -*`netflow.biflow_direction`*:: +*`rsa.misc.index`*:: + -- -type: short +type: keyword -- -*`netflow.ethernet_header_length`*:: +*`rsa.misc.listnum`*:: + -- -type: short +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword -- -*`netflow.ethernet_payload_length`*:: +*`rsa.misc.ntype`*:: + -- -type: integer +type: keyword -- -*`netflow.ethernet_total_length`*:: +*`rsa.misc.observed_val`*:: + -- -type: integer +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword -- -*`netflow.dot1q_vlan_id`*:: +*`rsa.misc.policy_value`*:: + -- -type: integer +This key captures the contents of the policy. 
This contains details about the policy + +type: keyword -- -*`netflow.dot1q_priority`*:: +*`rsa.misc.pool_name`*:: + -- -type: short +This key captures the name of a resource pool + +type: keyword -- -*`netflow.dot1q_customer_vlan_id`*:: +*`rsa.misc.rule_template`*:: + -- -type: integer +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword -- -*`netflow.dot1q_customer_priority`*:: +*`rsa.misc.count`*:: + -- -type: short +type: keyword -- -*`netflow.metro_evc_id`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`netflow.metro_evc_type`*:: +*`rsa.misc.sigcat`*:: + -- -type: short +type: keyword -- -*`netflow.pseudo_wire_id`*:: +*`rsa.misc.type`*:: + -- -type: long +type: keyword -- -*`netflow.pseudo_wire_type`*:: +*`rsa.misc.comments`*:: + -- -type: integer +Comment information provided in the log message + +type: keyword -- -*`netflow.pseudo_wire_control_word`*:: +*`rsa.misc.doc_number`*:: + -- +This key captures File Identification number + type: long -- -*`netflow.ingress_physical_interface`*:: +*`rsa.misc.expected_val`*:: + -- -type: long +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword -- -*`netflow.egress_physical_interface`*:: +*`rsa.misc.job_num`*:: + -- -type: long +This key captures the Job Number + +type: keyword -- -*`netflow.post_dot1q_vlan_id`*:: +*`rsa.misc.spi_dst`*:: + -- -type: integer +Destination SPI Index + +type: keyword -- -*`netflow.post_dot1q_customer_vlan_id`*:: +*`rsa.misc.spi_src`*:: + -- -type: integer +Source SPI Index + +type: keyword -- -*`netflow.ethernet_type`*:: +*`rsa.misc.code`*:: + -- -type: integer +type: keyword -- -*`netflow.post_ip_precedence`*:: +*`rsa.misc.agent_id`*:: + -- -type: short +This key is used to capture agent id + +type: keyword -- -*`netflow.collection_time_milliseconds`*:: +*`rsa.misc.message_body`*:: + -- -type: date +This key captures the The contents of the message body. + +type: keyword -- -*`netflow.export_sctp_stream_id`*:: +*`rsa.misc.phone`*:: + -- -type: integer +type: keyword -- -*`netflow.max_export_seconds`*:: +*`rsa.misc.sig_id_str`*:: + -- -type: date +This key captures a string object of the sigid variable. + +type: keyword -- -*`netflow.max_flow_end_seconds`*:: +*`rsa.misc.cmd`*:: + -- -type: date +type: keyword -- -*`netflow.message_md5_checksum`*:: +*`rsa.misc.misc`*:: + -- -type: short +type: keyword -- -*`netflow.message_scope`*:: +*`rsa.misc.name`*:: + -- -type: short +type: keyword -- -*`netflow.min_export_seconds`*:: +*`rsa.misc.cpu`*:: + -- -type: date +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`netflow.min_flow_start_seconds`*:: +*`rsa.misc.event_desc`*:: + -- -type: date +This key is used to capture a description of an event available directly or inferred + +type: keyword -- -*`netflow.opaque_octets`*:: +*`rsa.misc.sig_id1`*:: + -- -type: short +This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + +type: long -- -*`netflow.session_scope`*:: +*`rsa.misc.im_buddyid`*:: + -- -type: short +type: keyword -- -*`netflow.max_flow_end_microseconds`*:: +*`rsa.misc.im_client`*:: + -- -type: date +type: keyword -- -*`netflow.max_flow_end_milliseconds`*:: +*`rsa.misc.im_userid`*:: + -- -type: date +type: keyword -- -*`netflow.max_flow_end_nanoseconds`*:: +*`rsa.misc.pid`*:: + -- -type: date +type: keyword -- -*`netflow.min_flow_start_microseconds`*:: +*`rsa.misc.priority`*:: + -- -type: date +type: keyword -- -*`netflow.min_flow_start_milliseconds`*:: +*`rsa.misc.context_subject`*:: + -- -type: date +This key is to be used in an audit context where the subject is the object being identified + +type: keyword -- -*`netflow.min_flow_start_nanoseconds`*:: +*`rsa.misc.context_target`*:: + -- -type: date +type: keyword -- -*`netflow.collector_certificate`*:: +*`rsa.misc.cve`*:: + -- -type: short +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword -- -*`netflow.exporter_certificate`*:: +*`rsa.misc.fcatnum`*:: + -- -type: short +This key captures Filter Category Number. Legacy Usage + +type: keyword -- -*`netflow.data_records_reliability`*:: +*`rsa.misc.library`*:: + -- -type: boolean +This key is used to capture library information in mainframe devices + +type: keyword -- -*`netflow.observation_point_type`*:: +*`rsa.misc.parent_node`*:: + -- -type: short +This key captures the Parent Node Name. Must be related to node variable. 
+ +type: keyword -- -*`netflow.new_connection_delta_count`*:: +*`rsa.misc.risk_info`*:: + -- -type: long +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.connection_sum_duration_seconds`*:: +*`rsa.misc.tcp_flags`*:: + -- +This key is captures the TCP flags set in any packet of session + type: long -- -*`netflow.connection_transaction_id`*:: +*`rsa.misc.tos`*:: + -- +This key describes the type of service + type: long -- -*`netflow.post_nat_source_ipv6_address`*:: +*`rsa.misc.vm_target`*:: + -- -type: ip +VMWare Target **VMWARE** only varaible. + +type: keyword -- -*`netflow.post_nat_destination_ipv6_address`*:: +*`rsa.misc.workspace`*:: + -- -type: ip +This key captures Workspace Description + +type: keyword -- -*`netflow.nat_pool_id`*:: +*`rsa.misc.command`*:: + -- -type: long +type: keyword -- -*`netflow.nat_pool_name`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`netflow.anonymization_flags`*:: +*`rsa.misc.facilityname`*:: + -- -type: integer +type: keyword -- -*`netflow.anonymization_technique`*:: +*`rsa.misc.forensic_info`*:: + -- -type: integer +type: keyword -- -*`netflow.information_element_index`*:: +*`rsa.misc.jobname`*:: + -- -type: integer +type: keyword -- -*`netflow.p2p_technology`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`netflow.tunnel_technology`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`netflow.encrypted_technology`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`netflow.bgp_validity_state`*:: +*`rsa.misc.second`*:: + -- -type: short +type: keyword -- -*`netflow.ip_sec_spi`*:: +*`rsa.misc.space1`*:: + -- -type: long +type: keyword -- -*`netflow.gre_key`*:: +*`rsa.misc.subcategory`*:: + -- -type: long +type: keyword -- -*`netflow.nat_type`*:: +*`rsa.misc.tbdstr2`*:: + -- -type: short +type: keyword -- -*`netflow.initiator_packets`*:: +*`rsa.misc.alert_id`*:: + -- -type: long +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- 
-*`netflow.responder_packets`*:: +*`rsa.misc.checksum_dst`*:: + -- -type: long +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword -- -*`netflow.observation_domain_name`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`netflow.selection_sequence_id`*:: +*`rsa.misc.fresult`*:: + -- +This key captures the Filter Result + type: long -- -*`netflow.selector_id`*:: +*`rsa.misc.payload_dst`*:: + -- -type: long +This key is used to capture destination payload + +type: keyword -- -*`netflow.information_element_id`*:: +*`rsa.misc.payload_src`*:: + -- -type: integer +This key is used to capture source payload + +type: keyword -- -*`netflow.selector_algorithm`*:: +*`rsa.misc.pool_id`*:: + -- -type: integer +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword -- -*`netflow.sampling_packet_interval`*:: +*`rsa.misc.process_id_val`*:: + -- -type: long +This key is a failure key for Process ID when it is not an integer value + +type: keyword -- -*`netflow.sampling_packet_space`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: long +This key captures Risk Number Community + +type: double -- -*`netflow.sampling_time_interval`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: long +This key captures Risk Number NextGen + +type: double -- -*`netflow.sampling_time_space`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: long +This key captures Risk Number SandBox + +type: double -- -*`netflow.sampling_size`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: long +This key captures Risk Number Static + +type: double -- -*`netflow.sampling_population`*:: +*`rsa.misc.risk_suspicious`*:: + -- -type: long +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.sampling_probability`*:: +*`rsa.misc.risk_warning`*:: + -- -type: double +Deprecated, use 
New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.data_link_frame_size`*:: +*`rsa.misc.snmp_oid`*:: + -- -type: integer +SNMP Object Identifier + +type: keyword -- -*`netflow.ip_header_packet_section`*:: +*`rsa.misc.sql`*:: + -- -type: short +This key captures the SQL query + +type: keyword -- -*`netflow.ip_payload_packet_section`*:: +*`rsa.misc.vuln_ref`*:: + -- -type: short +This key captures the Vulnerability Reference details + +type: keyword -- -*`netflow.data_link_frame_section`*:: +*`rsa.misc.acl_id`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section`*:: +*`rsa.misc.acl_op`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_payload_packet_section`*:: +*`rsa.misc.acl_pos`*:: + -- -type: short +type: keyword -- -*`netflow.selector_id_total_pkts_observed`*:: +*`rsa.misc.acl_table`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_pkts_selected`*:: +*`rsa.misc.admin`*:: + -- -type: long +type: keyword -- -*`netflow.absolute_error`*:: +*`rsa.misc.alarm_id`*:: + -- -type: double +type: keyword -- -*`netflow.relative_error`*:: +*`rsa.misc.alarmname`*:: + -- -type: double +type: keyword -- -*`netflow.observation_time_seconds`*:: +*`rsa.misc.app_id`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_milliseconds`*:: +*`rsa.misc.audit`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_microseconds`*:: +*`rsa.misc.audit_object`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_nanoseconds`*:: +*`rsa.misc.auditdata`*:: + -- -type: date +type: keyword -- -*`netflow.digest_hash_value`*:: +*`rsa.misc.benchmark`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_offset`*:: +*`rsa.misc.bypass`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_size`*:: +*`rsa.misc.cache`*:: + -- -type: long +type: keyword -- -*`netflow.hash_output_range_min`*:: +*`rsa.misc.cache_hit`*:: + -- -type: long +type: keyword -- 
-*`netflow.hash_output_range_max`*:: +*`rsa.misc.cefversion`*:: + -- -type: long +type: keyword -- -*`netflow.hash_selected_range_min`*:: +*`rsa.misc.cfg_attr`*:: + -- -type: long +type: keyword -- -*`netflow.hash_selected_range_max`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: long +type: keyword -- -*`netflow.hash_digest_output`*:: +*`rsa.misc.cfg_path`*:: + -- -type: boolean +type: keyword -- -*`netflow.hash_initialiser_value`*:: +*`rsa.misc.changes`*:: + -- -type: long +type: keyword -- -*`netflow.selector_name`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`netflow.upper_ci_limit`*:: +*`rsa.misc.clustermembers`*:: + -- -type: double +type: keyword -- -*`netflow.lower_ci_limit`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -type: double +type: keyword -- -*`netflow.confidence_level`*:: +*`rsa.misc.cn_asn_src`*:: + -- -type: double +type: keyword -- -*`netflow.information_element_data_type`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: short +type: keyword -- -*`netflow.information_element_description`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`netflow.information_element_name`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`netflow.information_element_range_begin`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -type: long +type: keyword -- -*`netflow.information_element_range_end`*:: +*`rsa.misc.cn_engine_id`*:: + -- -type: long +type: keyword -- -*`netflow.information_element_semantics`*:: +*`rsa.misc.cn_engine_type`*:: + -- -type: short +type: keyword -- -*`netflow.information_element_units`*:: +*`rsa.misc.cn_f_switch`*:: + -- -type: integer +type: keyword -- -*`netflow.private_enterprise_number`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -type: long +type: keyword -- -*`netflow.virtual_station_interface_id`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -type: short +type: keyword -- -*`netflow.virtual_station_interface_name`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`netflow.virtual_station_uuid`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -type: 
short +type: keyword -- -*`netflow.virtual_station_name`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`netflow.layer2_segment_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_delta_count`*:: +*`rsa.misc.cn_invalid`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_total_count`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_unicast_packet_total_count`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_multicast_packet_total_count`*:: +*`rsa.misc.cn_l_switch`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_broadcast_packet_total_count`*:: +*`rsa.misc.cn_log_did`*:: + -- -type: long +type: keyword -- -*`netflow.egress_unicast_packet_total_count`*:: +*`rsa.misc.cn_log_rid`*:: + -- -type: long +type: keyword -- -*`netflow.egress_broadcast_packet_total_count`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -type: long +type: keyword -- -*`netflow.monitoring_interval_start_milli_seconds`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -type: date +type: keyword -- -*`netflow.monitoring_interval_end_milli_seconds`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -type: date +type: keyword -- -*`netflow.port_range_start`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_end`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_step_size`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_num_ports`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -type: integer +type: keyword -- -*`netflow.sta_mac_address`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`netflow.sta_ipv4_address`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -type: ip +type: keyword -- -*`netflow.wtp_mac_address`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`netflow.ingress_interface_type`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -type: long +type: keyword -- 
-*`netflow.egress_interface_type`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -type: long +type: keyword -- -*`netflow.rtp_sequence_number`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -type: integer +type: keyword -- -*`netflow.user_name`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`netflow.application_category_name`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`netflow.application_sub_category_name`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`netflow.application_group_name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`netflow.original_flows_present`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -type: long +type: keyword -- -*`netflow.original_flows_initiated`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -type: long +type: keyword -- -*`netflow.original_flows_completed`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ip_address`*:: +*`rsa.misc.cn_sampint`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ip_address`*:: +*`rsa.misc.cn_seqctr`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ipv4_address`*:: +*`rsa.misc.cn_spackets`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv4_address`*:: +*`rsa.misc.cn_src_tos`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ipv6_address`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv6_address`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -type: long +type: keyword -- -*`netflow.value_distribution_method`*:: +*`rsa.misc.cn_template_id`*:: + -- -type: short +type: keyword -- -*`netflow.rfc3550_jitter_milliseconds`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -type: long +type: keyword -- -*`netflow.rfc3550_jitter_microseconds`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -type: long +type: keyword -- -*`netflow.rfc3550_jitter_nanoseconds`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -type: long 
+type: keyword -- -*`netflow.dot1q_dei`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -type: boolean +type: keyword -- -*`netflow.dot1q_customer_dei`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -type: boolean +type: keyword -- -*`netflow.flow_selector_algorithm`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -type: integer +type: keyword -- -*`netflow.flow_selected_octet_delta_count`*:: +*`rsa.misc.comp_class`*:: + -- -type: long +type: keyword -- -*`netflow.flow_selected_packet_delta_count`*:: +*`rsa.misc.comp_name`*:: + -- -type: long +type: keyword -- -*`netflow.flow_selected_flow_delta_count`*:: +*`rsa.misc.comp_rbytes`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_flows_observed`*:: +*`rsa.misc.comp_sbytes`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_flows_selected`*:: +*`rsa.misc.cpu_data`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_interval`*:: +*`rsa.misc.criticality`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_spacing`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_interval`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_spacing`*:: +*`rsa.misc.cs_av_other`*:: + -- -type: long +type: keyword -- -*`netflow.hash_flow_domain`*:: +*`rsa.misc.cs_av_primary`*:: + -- -type: integer +type: keyword -- -*`netflow.transport_octet_delta_count`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -type: long +type: keyword -- -*`netflow.transport_packet_delta_count`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -type: long +type: keyword -- -*`netflow.original_exporter_ipv4_address`*:: +*`rsa.misc.cs_bit9status`*:: + -- -type: ip +type: keyword -- -*`netflow.original_exporter_ipv6_address`*:: +*`rsa.misc.cs_context`*:: + -- -type: ip +type: keyword -- -*`netflow.original_observation_domain_id`*:: +*`rsa.misc.cs_control`*:: + -- -type: long +type: keyword -- -*`netflow.intermediate_process_id`*:: +*`rsa.misc.cs_data`*:: + -- 
-type: long +type: keyword -- -*`netflow.ignored_data_record_total_count`*:: +*`rsa.misc.cs_datecret`*:: + -- -type: long +type: keyword -- -*`netflow.data_link_frame_type`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -type: integer +type: keyword -- -*`netflow.section_offset`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -type: integer +type: keyword -- -*`netflow.section_exported_octets`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -type: integer +type: keyword -- -*`netflow.dot1q_service_instance_tag`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -type: short +type: keyword -- -*`netflow.dot1q_service_instance_id`*:: +*`rsa.misc.cs_filetype`*:: + -- -type: long +type: keyword -- -*`netflow.dot1q_service_instance_priority`*:: +*`rsa.misc.cs_fld`*:: + -- -type: short +type: keyword -- -*`netflow.dot1q_customer_source_mac_address`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`netflow.dot1q_customer_destination_mac_address`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`netflow.post_layer2_octet_delta_count`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_delta_count`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -type: long +type: keyword -- -*`netflow.post_layer2_octet_total_count`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_total_count`*:: +*`rsa.misc.cs_lifetime`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_layer2_total_length`*:: +*`rsa.misc.cs_log_medium`*:: + -- -type: long +type: keyword -- -*`netflow.maximum_layer2_total_length`*:: +*`rsa.misc.cs_loginname`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_delta_count`*:: +*`rsa.misc.cs_modulescore`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_total_count`*:: +*`rsa.misc.cs_modulesign`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_layer2_octet_total_count`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -type: long +type: keyword -- 
-*`netflow.not_sent_layer2_octet_total_count`*:: +*`rsa.misc.cs_payload`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_delta_sum_of_squares`*:: +*`rsa.misc.cs_registrant`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_total_sum_of_squares`*:: +*`rsa.misc.cs_registrar`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_frame_delta_count`*:: +*`rsa.misc.cs_represult`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_frame_total_count`*:: +*`rsa.misc.cs_rpayload`*:: + -- -type: long +type: keyword -- -*`netflow.pseudo_wire_destination_ipv4_address`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -type: ip +type: keyword -- -*`netflow.ignored_layer2_frame_total_count`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_integer`*:: +*`rsa.misc.cs_streams`*:: + -- -type: integer +type: keyword -- -*`netflow.mib_object_value_octet_string`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -type: short +type: keyword -- -*`netflow.mib_object_value_oid`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -type: short +type: keyword -- -*`netflow.mib_object_value_bits`*:: +*`rsa.misc.cs_whois_server`*:: + -- -type: short +type: keyword -- -*`netflow.mib_object_value_ip_address`*:: +*`rsa.misc.cs_yararesult`*:: + -- -type: ip +type: keyword -- -*`netflow.mib_object_value_counter`*:: +*`rsa.misc.description`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_gauge`*:: +*`rsa.misc.devvendor`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_time_ticks`*:: +*`rsa.misc.distance`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_unsigned`*:: +*`rsa.misc.dstburb`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_identifier`*:: +*`rsa.misc.edomain`*:: + -- -type: short +type: keyword -- -*`netflow.mib_sub_identifier`*:: +*`rsa.misc.edomaub`*:: + -- -type: long +type: keyword -- -*`netflow.mib_index_indicator`*:: +*`rsa.misc.euid`*:: + -- -type: long +type: keyword -- 
-*`netflow.mib_capture_time_semantics`*:: +*`rsa.misc.facility`*:: + -- -type: short +type: keyword -- -*`netflow.mib_context_engine_id`*:: +*`rsa.misc.finterface`*:: + -- -type: short +type: keyword -- -*`netflow.mib_context_name`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`netflow.mib_object_name`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`netflow.mib_object_description`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`netflow.mib_object_syntax`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`netflow.mib_module_name`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`netflow.mobile_imsi`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`netflow.mobile_msisdn`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`netflow.http_status_code`*:: +*`rsa.misc.im_username`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_ports_limit`*:: +*`rsa.misc.ipkt`*:: + -- -type: integer +type: keyword -- -*`netflow.http_request_method`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`netflow.http_request_host`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`netflow.http_request_target`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`netflow.http_message_version`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`netflow.nat_instance_id`*:: +*`rsa.misc.list_name`*:: + -- -type: long +type: keyword -- -*`netflow.internal_address_realm`*:: +*`rsa.misc.load_data`*:: + -- -type: short +type: keyword -- -*`netflow.external_address_realm`*:: +*`rsa.misc.location_floor`*:: + -- -type: short +type: keyword -- -*`netflow.nat_quota_exceeded_event`*:: +*`rsa.misc.location_mark`*:: + -- -type: long +type: keyword -- -*`netflow.nat_threshold_event`*:: +*`rsa.misc.log_id`*:: + -- -type: long +type: keyword -- -*`netflow.http_user_agent`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`netflow.http_content_type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`netflow.http_reason_phrase`*:: +*`rsa.misc.logip`*:: + -- type: 
keyword -- -*`netflow.max_session_entries`*:: +*`rsa.misc.logname`*:: + -- -type: long +type: keyword -- -*`netflow.max_bib_entries`*:: +*`rsa.misc.longitude`*:: + -- -type: long +type: keyword -- -*`netflow.max_entries_per_user`*:: +*`rsa.misc.lport`*:: + -- -type: long +type: keyword -- -*`netflow.max_subscribers`*:: +*`rsa.misc.mbug_data`*:: + -- -type: long +type: keyword -- -*`netflow.max_fragments_pending_reassembly`*:: +*`rsa.misc.misc_name`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_high_threshold`*:: +*`rsa.misc.msg_type`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_low_threshold`*:: +*`rsa.misc.msgid`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_high_threshold`*:: +*`rsa.misc.netsessid`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_low_threshold`*:: +*`rsa.misc.num`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_per_user_high_threshold`*:: +*`rsa.misc.number1`*:: + -- -type: long +type: keyword -- -*`netflow.global_address_mapping_high_threshold`*:: +*`rsa.misc.number2`*:: + -- -type: long +type: keyword -- -*`netflow.vpn_identifier`*:: +*`rsa.misc.nwwn`*:: + -- -type: short +type: keyword -- -[[exported-fields-nginx]] -== Nginx fields - -Module for parsing the Nginx log files. - +*`rsa.misc.object`*:: ++ +-- +type: keyword +-- -[float] -=== nginx +*`rsa.misc.operation`*:: ++ +-- +type: keyword -Fields from the Nginx log files. +-- +*`rsa.misc.opkt`*:: ++ +-- +type: keyword +-- -[float] -=== access +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword -Contains fields for the Nginx access logs. +-- +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword +-- -*`nginx.access.remote_ip_list`*:: +*`rsa.misc.p_action`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+type: keyword +-- -type: array +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword -- -*`nginx.access.body_sent.bytes`*:: +*`rsa.misc.p_group_object`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- -*`nginx.access.user_name`*:: +*`rsa.misc.p_id`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`nginx.access.method`*:: +*`rsa.misc.p_msgid1`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -*`nginx.access.url`*:: +*`rsa.misc.p_msgid2`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`nginx.access.http_version`*:: +*`rsa.misc.p_result1`*:: + -- -type: alias - -alias to: http.version +type: keyword -- -*`nginx.access.response_code`*:: +*`rsa.misc.password_chg`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`nginx.access.referrer`*:: +*`rsa.misc.password_expire`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`nginx.access.agent`*:: +*`rsa.misc.permgranted`*:: + -- -type: alias +type: keyword -alias to: user_agent.original +-- +*`rsa.misc.permwanted`*:: ++ -- +type: keyword +-- -*`nginx.access.user_agent.device`*:: +*`rsa.misc.pgid`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`nginx.access.user_agent.name`*:: +*`rsa.misc.policyUUID`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`nginx.access.user_agent.os`*:: +*`rsa.misc.prog_asp_num`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.access.user_agent.os_name`*:: +*`rsa.misc.program`*:: + -- -type: alias - -alias to: user_agent.os.name +type: keyword -- -*`nginx.access.user_agent.original`*:: +*`rsa.misc.real_data`*:: + -- -type: alias +type: keyword -alias to: user_agent.original +-- +*`rsa.misc.rec_asp_device`*:: ++ -- +type: keyword +-- -*`nginx.access.geoip.continent_name`*:: +*`rsa.misc.rec_asp_num`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- 
-*`nginx.access.geoip.country_iso_code`*:: +*`rsa.misc.rec_library`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.access.geoip.location`*:: +*`rsa.misc.recordnum`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`nginx.access.geoip.region_name`*:: +*`rsa.misc.ruid`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`nginx.access.geoip.city_name`*:: +*`rsa.misc.sburb`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`nginx.access.geoip.region_iso_code`*:: +*`rsa.misc.sdomain_fld`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error +*`rsa.misc.sec`*:: ++ +-- +type: keyword -Contains fields for the Nginx error logs. +-- +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword +-- -*`nginx.error.connection_id`*:: +*`rsa.misc.seqnum`*:: + -- -Connection identifier. +type: keyword +-- -type: long +*`rsa.misc.session`*:: ++ +-- +type: keyword -- -*`nginx.error.level`*:: +*`rsa.misc.sessiontype`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`nginx.error.pid`*:: +*`rsa.misc.sigUUID`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`nginx.error.tid`*:: +*`rsa.misc.spi`*:: + -- -type: alias - -alias to: process.thread.id +type: keyword -- -*`nginx.error.message`*:: +*`rsa.misc.srcburb`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== ingress_controller +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword -Contains fields for the Ingress Nginx controller access logs. +-- +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword +-- -*`nginx.ingress_controller.remote_ip_list`*:: +*`rsa.misc.state`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+type: keyword +-- -type: array +*`rsa.misc.status1`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.http.request.length`*:: +*`rsa.misc.svcno`*:: + -- -The request length (including request line, header, and request body) - +type: keyword -type: long +-- -format: bytes +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.http.request.time`*:: +*`rsa.misc.tbdstr1`*:: + -- -Time elapsed since the first bytes were read from the client - +type: keyword -type: double +-- -format: duration +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.upstream.name`*:: +*`rsa.misc.tgtdomain`*:: + -- -The name of the upstream. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`nginx.ingress_controller.upstream.alternative_name`*:: +*`rsa.misc.type1`*:: + -- -The name of the alternative upstream. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`nginx.ingress_controller.upstream.response.length`*:: +*`rsa.misc.url_fld`*:: + -- -The length of the response obtained from the upstream server - +type: keyword -type: long +-- -format: bytes +*`rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.upstream.response.time`*:: +*`rsa.misc.userid`*:: + -- -The time spent on receiving the response from the upstream server as seconds with millisecond resolution - +type: keyword -type: double +-- -format: duration +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.upstream.response.status_code`*:: +*`rsa.misc.utcstamp`*:: + -- -The status code of the response obtained from the upstream server +type: keyword +-- -type: long +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.http.request.id`*:: +*`rsa.misc.virt_data`*:: + -- -The randomly generated ID of the request +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`nginx.ingress_controller.upstream.ip`*:: +*`rsa.misc.autorun_type`*:: + -- -The IP 
address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. +This is used to capture Auto Run type - -type: ip +type: keyword -- -*`nginx.ingress_controller.upstream.port`*:: +*`rsa.misc.cc_number`*:: + -- -The port of the upstream server. - +Valid Credit Card Numbers only type: long -- -*`nginx.ingress_controller.body_sent.bytes`*:: +*`rsa.misc.content`*:: + -- -type: alias +This key captures the content type from protocol headers -alias to: http.response.body.bytes +type: keyword -- -*`nginx.ingress_controller.user_name`*:: +*`rsa.misc.ein_number`*:: + -- -type: alias +Employee Identification Numbers only -alias to: user.name +type: long -- -*`nginx.ingress_controller.method`*:: +*`rsa.misc.found`*:: + -- -type: alias +This is used to capture the results of regex match -alias to: http.request.method +type: keyword -- -*`nginx.ingress_controller.url`*:: +*`rsa.misc.language`*:: + -- -type: alias +This is used to capture list of languages the client support and what it prefers -alias to: url.original +type: keyword -- -*`nginx.ingress_controller.http_version`*:: +*`rsa.misc.lifetime`*:: + -- -type: alias +This key is used to capture the session lifetime in seconds. -alias to: http.version +type: long -- -*`nginx.ingress_controller.response_code`*:: +*`rsa.misc.link`*:: + -- -type: alias +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: http.response.status_code +type: keyword -- -*`nginx.ingress_controller.referrer`*:: +*`rsa.misc.match`*:: + -- -type: alias +This key is for regex match name from search.ini -alias to: http.request.referrer +type: keyword -- -*`nginx.ingress_controller.agent`*:: +*`rsa.misc.param_dst`*:: + -- -type: alias +This key captures the command line/launch argument of the target process or file -alias to: user_agent.original +type: keyword -- - -*`nginx.ingress_controller.user_agent.device`*:: +*`rsa.misc.param_src`*:: + -- -type: alias +This key captures source parameter -alias to: user_agent.device.name +type: keyword -- -*`nginx.ingress_controller.user_agent.name`*:: +*`rsa.misc.search_text`*:: + -- -type: alias +This key captures the Search Text used -alias to: user_agent.name +type: keyword -- -*`nginx.ingress_controller.user_agent.os`*:: +*`rsa.misc.sig_name`*:: + -- -type: alias +This key is used to capture the Signature Name only. -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.ingress_controller.user_agent.os_name`*:: +*`rsa.misc.snmp_value`*:: + -- -type: alias +SNMP set request value -alias to: user_agent.os.name +type: keyword -- -*`nginx.ingress_controller.user_agent.original`*:: +*`rsa.misc.streams`*:: + -- -type: alias +This key captures number of streams in session -alias to: user_agent.original +type: long -- -*`nginx.ingress_controller.geoip.continent_name`*:: +*`rsa.db.index`*:: + -- -type: alias +This key captures IndexID of the index. 
-alias to: source.geo.continent_name +type: keyword -- -*`nginx.ingress_controller.geoip.country_iso_code`*:: +*`rsa.db.instance`*:: + -- -type: alias +This key is used to capture the database server instance name -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.ingress_controller.geoip.location`*:: +*`rsa.db.database`*:: + -- -type: alias +This key is used to capture the name of a database or an instance as seen in a session -alias to: source.geo.location +type: keyword -- -*`nginx.ingress_controller.geoip.region_name`*:: +*`rsa.db.transact_id`*:: + -- -type: alias +This key captures the SQL transantion ID of the current session -alias to: source.geo.region_name +type: keyword -- -*`nginx.ingress_controller.geoip.city_name`*:: +*`rsa.db.permissions`*:: + -- -type: alias +This key captures permission or privilege level assigned to a resource. -alias to: source.geo.city_name +type: keyword -- -*`nginx.ingress_controller.geoip.region_iso_code`*:: +*`rsa.db.table_name`*:: + -- -type: alias +This key is used to capture the table name -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-o365]] -== Office 365 fields +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database -Module for handling logs from Office 365. +type: keyword +-- +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server -[float] -=== o365.audit +type: long -Fields from Office 365 Management API audit logs. 
+-- +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads +type: long -*`o365.audit.Actor`*:: +-- + +*`rsa.db.lwrite`*:: + -- -type: array +This key is used for the number of logical writes + +type: long -- -*`o365.audit.ActorContextId`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`o365.audit.ActorIpAddress`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`o365.audit.ActorUserId`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`o365.audit.ActorYammerUserId`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`o365.audit.AlertEntityId`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`o365.audit.AlertId`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`o365.audit.AlertLinks`*:: +*`rsa.network.network_port`*:: + -- -type: array +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long -- -*`o365.audit.AlertType`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`o365.audit.AppId`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`o365.audit.ApplicationDisplayName`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`o365.audit.ApplicationId`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`o365.audit.AzureActiveDirectoryEventType`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`o365.audit.ExchangeMetaData.*`*:: +*`rsa.network.zone`*:: + -- -type: object +This key should be used when the source or destination context of a Zone is not clear + +type: keyword -- -*`o365.audit.Category`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`o365.audit.ClientAppId`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`o365.audit.ClientInfoString`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`o365.audit.ClientIP`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. 
+ type: keyword -- -*`o365.audit.ClientIPAddress`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`o365.audit.Comments`*:: +*`rsa.network.protocol_detail`*:: + -- -type: text +This key should be used to capture additional protocol information + +type: keyword -- -*`o365.audit.CorrelationId`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`o365.audit.CreationTime`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`o365.audit.CustomUniqueId`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`o365.audit.Data`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`o365.audit.DataType`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`o365.audit.EntityType`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`o365.audit.EventData`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`o365.audit.EventSource`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`o365.audit.ExceptionInfo.*`*:: +*`rsa.network.remote_domain_id`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExtendedProperties.*`*:: +*`rsa.network.addr`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExternalAccess`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`o365.audit.GroupName`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`o365.audit.Id`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`o365.audit.ImplicitShare`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`o365.audit.IncidentId`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`o365.audit.InternalLogonType`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- 
-*`o365.audit.InterSystemsId`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`o365.audit.IntraSystemId`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`o365.audit.Item.*`*:: +*`rsa.network.eth_type`*:: + -- -type: object +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`o365.audit.Item.*.*`*:: +*`rsa.network.ip_proto`*:: + -- -type: object +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`o365.audit.ItemName`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`o365.audit.ItemType`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`o365.audit.ListId`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`o365.audit.ListItemUniqueId`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`o365.audit.LogonError`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`o365.audit.LogonType`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`o365.audit.LogonUserSid`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`o365.audit.MailboxGuid`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`o365.audit.MailboxOwnerMasterAccountSid`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`o365.audit.MailboxOwnerSid`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ type: keyword -- -*`o365.audit.MailboxOwnerUPN`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`o365.audit.Members`*:: + +*`rsa.investigations.ec_activity`*:: + -- -type: array +This key captures the particular event activity(Ex:Logoff) + +type: keyword -- -*`o365.audit.Members.*`*:: +*`rsa.investigations.ec_theme`*:: + -- -type: object +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword -- -*`o365.audit.ModifiedProperties.*.*`*:: +*`rsa.investigations.ec_subject`*:: + -- -type: object +This key captures the Subject of a particular Event(Ex:User) + +type: keyword -- -*`o365.audit.Name`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`o365.audit.ObjectId`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`o365.audit.Operation`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`o365.audit.OrganizationId`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`o365.audit.OrganizationName`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`o365.audit.OriginatingServer`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`o365.audit.Parameters.*`*:: +*`rsa.investigations.analysis_session`*:: + -- -type: object +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + +type: keyword -- -*`o365.audit.PolicyDetails`*:: +*`rsa.investigations.boc`*:: + -- -type: array +This is used to capture behaviour of compromise + +type: keyword -- -*`o365.audit.PolicyId`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`o365.audit.RecordType`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`o365.audit.ResultStatus`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`o365.audit.SharePointMetaData.*`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: object +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`o365.audit.SessionId`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`o365.audit.Severity`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`o365.audit.Site`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`o365.audit.SiteUrl`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`o365.audit.Source`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`o365.audit.SourceFileExtension`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: 
keyword -- -*`o365.audit.SourceFileName`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`o365.audit.SourceRelativeUrl`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`o365.audit.Status`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`o365.audit.SupportTicketId`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`o365.audit.Target`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -type: array +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword -- -*`o365.audit.TargetContextId`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`o365.audit.TargetUserOrGroupName`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`o365.audit.TargetUserOrGroupType`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`o365.audit.TeamName`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`o365.audit.TeamGuid`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. 
+ type: keyword -- -*`o365.audit.UniqueSharingId`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`o365.audit.UserAgent`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`o365.audit.UserId`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`o365.audit.UserKey`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`o365.audit.UserType`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`o365.audit.Version`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`o365.audit.WebId`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`o365.audit.Workload`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`o365.audit.YammerNetworkId`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -[[exported-fields-okta]] -== Okta fields - -Module for handling system logs from Okta. - - - -[float] -=== okta - -Fields from Okta. - - - -*`okta.uuid`*:: +*`rsa.identity.user_dept`*:: + -- -The unique identifier of the Okta LogEvent. - +User's Department Names only type: keyword -- -*`okta.event_type`*:: +*`rsa.identity.user_sid_src`*:: + -- -The type of the LogEvent. - +This key captures Source User Session ID type: keyword -- -*`okta.version`*:: +*`rsa.identity.federated_sp`*:: + -- -The version of the LogEvent. - +This key is the Federated Service Provider. 
This is the application requesting authentication. type: keyword -- -*`okta.severity`*:: +*`rsa.identity.federated_idp`*:: + -- -The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`okta.display_message`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The display message of the LogEvent. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -[float] -=== actor - -Fields that let you store information of the actor for the LogEvent. +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +type: keyword +-- -*`okta.actor.id`*:: +*`rsa.identity.password`*:: + -- -Identifier of the actor. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`okta.actor.type`*:: +*`rsa.identity.host_role`*:: + -- -Type of the actor. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`okta.actor.alternate_id`*:: +*`rsa.identity.ldap`*:: + -- -Alternate identifier of the actor. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`okta.actor.display_name`*:: +*`rsa.identity.ldap_query`*:: + -- -Display name of the actor. - +This key is the Search criteria from an LDAP search type: keyword -- -[float] -=== client - -Fields that let you store information about the client of the actor. +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search +type: keyword +-- -*`okta.client.ip`*:: +*`rsa.identity.owner`*:: + -- -The IP address of the client. 
+This is used to capture username the process or service is running as, the author of the task - -type: ip +type: keyword -- -[float] -=== user_agent +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -Fields about the user agent information of the client. +type: keyword +-- -*`okta.client.user_agent.raw_user_agent`*:: +*`rsa.email.email_dst`*:: + -- -The raw informaton of the user agent. - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`okta.client.user_agent.os`*:: +*`rsa.email.email_src`*:: + -- -The OS informaton. - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`okta.client.user_agent.browser`*:: +*`rsa.email.subject`*:: + -- -The browser informaton of the client. - +This key is used to capture the subject string from an Email only. type: keyword -- -*`okta.client.zone`*:: +*`rsa.email.email`*:: + -- -The zone information of the client. - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`okta.client.device`*:: +*`rsa.email.trans_from`*:: + -- -The information of the client device. - +Deprecated key defined only in table map. type: keyword -- -*`okta.client.id`*:: +*`rsa.email.trans_to`*:: + -- -The identifier of the client. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== outcome - -Fields that let you store information about the outcome. - - -*`okta.outcome.reason`*:: +*`rsa.file.privilege`*:: + -- -The reason of the outcome. - +Deprecated, use permissions type: keyword -- -*`okta.outcome.result`*:: +*`rsa.file.attachment`*:: + -- -The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. 
- +This key captures the attachment file name type: keyword -- -*`okta.target`*:: +*`rsa.file.filesystem`*:: + -- -The list of targets. - - -type: array +type: keyword -- -[float] -=== transaction - -Fields that let you store information about related transaction. - - - -*`okta.transaction.id`*:: +*`rsa.file.binary`*:: + -- -Identifier of the transaction. - +Deprecated key defined only in table map. type: keyword -- -*`okta.transaction.type`*:: +*`rsa.file.filename_dst`*:: + -- -The type of transaction. Must be one of "WEB", "JOB". - +This is used to capture name of the file targeted by the action type: keyword -- -[float] -=== debug_context - -Fields that let you store information about the debug context. - - - -[float] -=== debug_data - -The debug data. - - - -*`okta.debug_context.debug_data.device_fingerprint`*:: +*`rsa.file.filename_src`*:: + -- -The fingerprint of the device. - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`okta.debug_context.debug_data.request_id`*:: +*`rsa.file.filename_tmp`*:: + -- -The identifier of the request. - - type: keyword -- -*`okta.debug_context.debug_data.request_uri`*:: +*`rsa.file.directory_dst`*:: + -- -The request URI. - +This key is used to capture the directory of the target process or file type: keyword -- -*`okta.debug_context.debug_data.threat_suspected`*:: +*`rsa.file.directory_src`*:: + -- -Threat suspected. - +This key is used to capture the directory of the source process or file type: keyword -- -*`okta.debug_context.debug_data.url`*:: +*`rsa.file.file_entropy`*:: + -- -The URL. +This is used to capture entropy vale of a file - -type: keyword +type: double -- -[float] -=== authentication_context - -Fields that let you store information about authentication context. 
+*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info +type: keyword +-- -*`okta.authentication_context.authentication_provider`*:: +*`rsa.file.task_name`*:: + -- -The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. - +This is used to capture name of the task type: keyword -- -*`okta.authentication_context.authentication_step`*:: + +*`rsa.web.fqdn`*:: + -- -The authentication step. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`okta.authentication_context.credential_provider`*:: +*`rsa.web.web_cookie`*:: + -- -The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. - +This key is used to capture the Web cookies specifically. type: keyword -- -*`okta.authentication_context.credential_type`*:: +*`rsa.web.alias_host`*:: + -- -The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. - - type: keyword -- -*`okta.authentication_context.issuer`*:: +*`rsa.web.reputation_num`*:: + -- -The information about the issuer. - +Reputation Number of an entity. Typically used for Web Domains -type: array +type: double -- -*`okta.authentication_context.external_session_id`*:: +*`rsa.web.web_ref_domain`*:: + -- -The session identifer of the external session if any. - +Web referer's domain type: keyword -- -*`okta.authentication_context.interface`*:: +*`rsa.web.web_ref_query`*:: + -- -The interface used. e.g., Outlook, Office365, wsTrust - +This key captures Web referer's query portion of the URL type: keyword -- -[float] -=== security_context +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword -Fields that let you store information about security context. 
+-- +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information +type: keyword -[float] -=== as +-- -The autonomous system. +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path +type: keyword +-- -*`okta.security_context.as.number`*:: +*`rsa.web.cn_asn_dst`*:: + -- -The AS number. - - -type: integer +type: keyword -- -[float] -=== organization +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword -The organization that owns the AS number. +-- +*`rsa.web.urlpage`*:: ++ +-- +type: keyword +-- -*`okta.security_context.as.organization.name`*:: +*`rsa.web.urlroot`*:: + -- -The organization name. +type: keyword +-- +*`rsa.web.p_url`*:: ++ +-- type: keyword -- -*`okta.security_context.isp`*:: +*`rsa.web.p_user_agent`*:: + -- -The Internet Service Provider. +type: keyword +-- +*`rsa.web.p_web_cookie`*:: ++ +-- type: keyword -- -*`okta.security_context.domain`*:: +*`rsa.web.p_web_method`*:: + -- -The domain name. +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`okta.security_context.is_proxy`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Whether it is a proxy or not. - - -type: boolean +type: keyword -- -[float] -=== request - -Fields that let you store information about the request, in the form of list of ip_chain. - - - -[float] -=== ip_chain - -List of ip_chain objects. +*`rsa.web.web_page`*:: ++ +-- +type: keyword +-- -*`okta.request.ip_chain.ip`*:: +*`rsa.threat.threat_category`*:: + -- -IP address. +This key captures Threat Name/Threat Category/Categorization of alert - -type: ip +type: keyword -- -*`okta.request.ip_chain.version`*:: +*`rsa.threat.threat_desc`*:: + -- -IP version. Must be one of V4, V6. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`okta.request.ip_chain.source`*:: +*`rsa.threat.alert`*:: + -- -Source information. 
- +This key is used to capture name of the alert type: keyword -- -[float] -=== geographical_context +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat -Geographical information. +type: keyword +-- -*`okta.request.ip_chain.geographical_context.city`*:: +*`rsa.crypto.crypto`*:: + -- -The city. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`okta.request.ip_chain.geographical_context.state`*:: +*`rsa.crypto.cipher_src`*:: + -- -The state. +This key is for Source (Client) Cipher type: keyword -- -*`okta.request.ip_chain.geographical_context.postal_code`*:: +*`rsa.crypto.cert_subject`*:: + -- -The postal code. +This key is used to capture the Certificate organization only type: keyword -- -*`okta.request.ip_chain.geographical_context.country`*:: +*`rsa.crypto.peer`*:: + -- -The country. +This key is for Encryption peer's IP Address type: keyword -- -*`okta.request.ip_chain.geographical_context.geolocation`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Geolocation information. +This key captures Source (Client) Cipher Size - -type: geo_point +type: long -- -[[exported-fields-osquery]] -== Osquery fields +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. -Fields exported by the `osquery` module +type: keyword +-- +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used -[float] -=== osquery +type: keyword +-- +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity +type: keyword -[float] -=== result +-- -Common fields exported by the result metricset. +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type +type: keyword +-- -*`osquery.result.name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -The name of the query that generated this event. +type: keyword + +-- +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. 
type: keyword -- -*`osquery.result.action`*:: +*`rsa.crypto.cert_error`*:: + -- -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - +This key captures the Certificate Error String type: keyword -- -*`osquery.result.host_identifier`*:: +*`rsa.crypto.cipher_dst`*:: + -- -The identifier for the host on which the osquery agent is running. Normally the hostname. - +This key is for Destination (Server) Cipher type: keyword -- -*`osquery.result.unix_time`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - +This key captures Destination (Server) Cipher Size type: long -- -*`osquery.result.calendar_time`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -String representation of the collection time, as formatted by osquery. - +Deprecated, use version type: keyword -- -[[exported-fields-panw]] -== panw fields - -Module for Palo Alto Networks (PAN-OS) - - - -[float] -=== panw - -Fields from the panw module. +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword +-- +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword -[float] -=== panos +-- -Fields for the Palo Alto Networks PAN-OS logs. +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One +type: keyword +-- -*`panw.panos.ruleset`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Name of the rule that matched this session. - +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -[float] -=== source - -Fields to extend the top-level source object. - +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword +-- -*`panw.panos.source.zone`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Source zone for this session. - +This key is used for the hostname category value of a certificate type: keyword -- -*`panw.panos.source.interface`*:: +*`rsa.crypto.cert_serial`*:: + -- -Source interface for this session. 
- +This key is used to capture the Certificate serial number only type: keyword -- -[float] -=== nat - -Post-NAT source address, if source NAT is performed. +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status +type: keyword +-- -*`panw.panos.source.nat.ip`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Post-NAT source IP. +Deprecated, use version - -type: ip +type: keyword -- -*`panw.panos.source.nat.port`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Post-NAT source port. +type: keyword +-- -type: long +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword -- -[float] -=== destination +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword -Fields to extend the top-level destination object. +-- +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword +-- -*`panw.panos.destination.zone`*:: +*`rsa.crypto.cert_ca`*:: + -- -Destination zone for this session. - +This key is used to capture the Certificate signing authority only type: keyword -- -*`panw.panos.destination.interface`*:: +*`rsa.crypto.cert_common`*:: + -- -Destination interface for this session. - +This key is used to capture the Certificate common name only type: keyword -- -[float] -=== nat -Post-NAT destination address, if destination NAT is performed. +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session +type: keyword +-- -*`panw.panos.destination.nat.ip`*:: +*`rsa.wireless.access_point`*:: + -- -Post-NAT destination IP. - +This key is used to capture the access point name. -type: ip +type: keyword -- -*`panw.panos.destination.nat.port`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Post-NAT destination port. - +This is used to capture the channel names type: long -- -[float] -=== network - -Fields to extend the top-level network object. - - - -*`panw.panos.network.pcap_id`*:: +*`rsa.wireless.wlan_name`*:: + -- -Packet capture ID for a threat. 
- +This key captures either WLAN number/name type: keyword -- -*`panw.panos.network.nat.community_id`*:: +*`rsa.storage.disk_volume`*:: + -- -Community ID flow-hash for the NAT 5-tuple. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -[float] -=== file - -Fields to extend the top-level file object. - - - -*`panw.panos.file.hash`*:: +*`rsa.storage.lun`*:: + -- -Binary hash for a threat file sent to be analyzed by the WildFire service. - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -[float] -=== url - -Fields to extend the top-level url object. - - - -*`panw.panos.url.category`*:: +*`rsa.storage.pwwn`*:: + -- -For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. - +This uniquely identifies a port on a HBA. type: keyword -- -*`panw.panos.flow_id`*:: + +*`rsa.physical.org_dst`*:: + -- -Internal numeric identifier for each session. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`panw.panos.sequence_number`*:: +*`rsa.physical.org_src`*:: + -- -Log entry identifier that is incremented sequentially. Unique for each log type. +This is used to capture the source organization based on the GEOPIP Maxmind database. - -type: long +type: keyword -- -*`panw.panos.threat.resource`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -URL or file name for a threat. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`panw.panos.threat.id`*:: +*`rsa.healthcare.patient_id`*:: + -- -Palo Alto Networks identifier for the threat. - +This key captures the unique ID for a patient type: keyword -- -*`panw.panos.threat.name`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Palo Alto Networks name for the threat. 
- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`panw.panos.action`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Action taken for the session. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -[[exported-fields-postgresql]] -== PostgreSQL fields - -Module for parsing the PostgreSQL log files. - - - -[float] -=== postgresql - -Fields from PostgreSQL logs. - - - -[float] -=== log - -Fields from the PostgreSQL log files. - - -*`postgresql.log.timestamp`*:: +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on -deprecated:[7.3.0] - -The timestamp from the log line. - +type: keyword -- -*`postgresql.log.core_id`*:: +*`rsa.endpoint.registry_key`*:: + -- -Core id - +This key captures the path to the registry key -type: long +type: keyword -- -*`postgresql.log.database`*:: +*`rsa.endpoint.registry_value`*:: + -- -Name of database +This key captures values or decorators used within a registry entry - -example: mydb +type: keyword -- -*`postgresql.log.query`*:: -+ --- -Query statement. +[[exported-fields-cloud]] +== Cloud provider metadata fields +Metadata from cloud providers added by the add_cloud_metadata processor. -example: SELECT * FROM users; --- -*`postgresql.log.query_step`*:: +*`cloud.project.id`*:: + -- -Statement step when using extended query protocol (one of statement, parse, bind or execute) +Name of the project in Google Cloud. -example: parse +example: project-x -- -*`postgresql.log.query_name`*:: +*`cloud.image.id`*:: + -- -Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. +Image ID for the cloud instance. 
-example: pdo_stmt_00000001 +example: ami-abcd1234 -- -*`postgresql.log.error.code`*:: +*`meta.cloud.provider`*:: + -- -Error code returned by Postgres (if any) +type: alias -type: long +alias to: cloud.provider -- -*`postgresql.log.timezone`*:: +*`meta.cloud.instance_id`*:: + -- type: alias -alias to: event.timezone +alias to: cloud.instance.id -- -*`postgresql.log.thread_id`*:: +*`meta.cloud.instance_name`*:: + -- type: alias -alias to: process.pid +alias to: cloud.instance.name -- -*`postgresql.log.user`*:: +*`meta.cloud.machine_type`*:: + -- type: alias -alias to: user.name +alias to: cloud.machine.type -- -*`postgresql.log.level`*:: +*`meta.cloud.availability_zone`*:: + -- type: alias -alias to: log.level +alias to: cloud.availability_zone -- -*`postgresql.log.message`*:: +*`meta.cloud.project_id`*:: + -- type: alias -alias to: message +alias to: cloud.project.id -- -[[exported-fields-process]] -== Process fields - -Process metadata fields - - - - -*`process.exe`*:: +*`meta.cloud.region`*:: + -- type: alias -alias to: process.executable +alias to: cloud.region -- -[[exported-fields-rabbitmq]] -== RabbitMQ fields +[[exported-fields-coredns]] +== Coredns fields -RabbitMQ Module +Module for handling logs produced by coredns [float] -=== rabbitmq +=== coredns +coredns fields after normalization -[float] -=== log +*`coredns.id`*:: ++ +-- +id of the DNS transaction -RabbitMQ log files +type: keyword +-- -*`rabbitmq.log.pid`*:: +*`coredns.query.size`*:: + -- -The Erlang process id +size of the DNS query -type: keyword -example: <0.222.0> +type: integer + +format: bytes -- -[[exported-fields-redis]] -== Redis fields +*`coredns.query.class`*:: ++ +-- +DNS query class -Redis Module +type: keyword +-- -[float] -=== redis +*`coredns.query.name`*:: ++ +-- +DNS query name +type: keyword +-- -[float] -=== log +*`coredns.query.type`*:: ++ +-- +DNS query type -Redis log files +type: keyword +-- -*`redis.log.role`*:: +*`coredns.response.code`*:: + -- -The role of the Redis 
instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. +DNS response code type: keyword -- -*`redis.log.pid`*:: +*`coredns.response.flags`*:: + -- -type: alias +DNS response flags -alias to: process.pid + +type: keyword -- -*`redis.log.level`*:: +*`coredns.response.size`*:: + -- -type: alias +size of the DNS response -alias to: log.level + +type: integer + +format: bytes -- -*`redis.log.message`*:: +*`coredns.dnssec_ok`*:: + -- -type: alias +dnssec flag -alias to: message + +type: boolean -- +[[exported-fields-crowdstrike]] +== Crowdstrike fields + +Module for collecting Crowdstrike events. + + + [float] -=== slowlog +=== crowdstrike -Slow logs are retrieved from Redis via a network connection. +Fields for Crowdstrike Falcon event and alert data. -*`redis.slowlog.cmd`*:: +[float] +=== metadata + +Meta data fields for each event that include type and timestamp. + + + +*`crowdstrike.metadata.eventType`*:: + -- -The command executed. +DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent type: keyword -- -*`redis.slowlog.duration.us`*:: +*`crowdstrike.metadata.eventCreationTime`*:: + -- -How long it took to execute the command in microseconds. +The time this event occurred on the endpoint in UTC UNIX_MS format. -type: long +type: date -- -*`redis.slowlog.id`*:: +*`crowdstrike.metadata.offset`*:: + -- -The ID of the query. +Offset number that tracks the location of the event in stream. This is used to identify unique detection events. -type: long +type: integer -- -*`redis.slowlog.key`*:: +*`crowdstrike.metadata.customerIDString`*:: + -- -The key on which the command was executed. +Customer identifier type: keyword -- -*`redis.slowlog.args`*:: +*`crowdstrike.metadata.version`*:: + -- -The arguments with which the command was called. 
+Schema version type: keyword -- -[[exported-fields-s3]] -== s3 fields +[float] +=== event -S3 fields from s3 input. +Event data fields for each event and alert. -*`bucket_name`*:: +*`crowdstrike.event.ProcessStartTime`*:: + -- -Name of the S3 bucket that this log retrieved from. +The process start time in UTC UNIX_MS format. -type: keyword +type: date -- -*`object_key`*:: +*`crowdstrike.event.ProcessEndTime`*:: + -- -Name of the S3 object that this log retrieved from. +The process termination time in UTC UNIX_MS format. -type: keyword +type: date -- -[[exported-fields-santa]] -== Google Santa fields +*`crowdstrike.event.ProcessId`*:: ++ +-- +Process ID related to the detection. -Santa Module +type: integer +-- -[float] -=== santa +*`crowdstrike.event.ParentProcessId`*:: ++ +-- +Parent process ID related to the detection. +type: integer +-- -*`santa.action`*:: +*`crowdstrike.event.ComputerName`*:: + -- -Action +Name of the computer where the detection occurred. -type: keyword -example: EXEC +type: keyword -- -*`santa.decision`*:: +*`crowdstrike.event.UserName`*:: + -- -Decision that santad took. +User name associated with the detection. -type: keyword -example: ALLOW +type: keyword -- -*`santa.reason`*:: +*`crowdstrike.event.DetectName`*:: + -- -Reason for the decsision. +Name of the detection. -type: keyword -example: CERT +type: keyword -- -*`santa.mode`*:: +*`crowdstrike.event.DetectDescription`*:: + -- -Operating mode of Santa. +Description of the detection. + type: keyword -example: M +-- +*`crowdstrike.event.Severity`*:: ++ -- +Severity score of the detection. -[float] -=== disk -Fields for DISKAPPEAR actions. +type: integer +-- -*`santa.disk.volume`*:: +*`crowdstrike.event.SeverityName`*:: + -- -The volume name. +Severity score text. --- -*`santa.disk.bus`*:: -+ --- -The disk bus protocol. +type: keyword -- -*`santa.disk.serial`*:: +*`crowdstrike.event.FileName`*:: + -- -The disk serial number. +File name of the associated process for the detection. 
+ + +type: keyword -- -*`santa.disk.bsdname`*:: +*`crowdstrike.event.FilePath`*:: + -- -The disk BSD name. +Path of the executable associated with the detection. -example: disk1s3 + +type: keyword -- -*`santa.disk.model`*:: +*`crowdstrike.event.CommandLine`*:: + -- -The disk model. +Executable path with command line arguments. -example: APPLE SSD SM0512L + +type: keyword -- -*`santa.disk.fs`*:: +*`crowdstrike.event.SHA256String`*:: + -- -The disk volume kind (filesystem type). +SHA256 sum of the executable associated with the detection. -example: apfs + +type: keyword -- -*`santa.disk.mount`*:: +*`crowdstrike.event.MD5String`*:: + -- -The disk volume path. +MD5 sum of the executable associated with the detection. + + +type: keyword -- -*`santa.certificate.common_name`*:: +*`crowdstrike.event.MachineDomain`*:: + -- -Common name from code signing certificate. +Domain for the machine associated with the detection. + type: keyword -- -*`santa.certificate.sha256`*:: +*`crowdstrike.event.FalconHostLink`*:: + -- -SHA256 hash of code signing certificate. +URL to view the detection in Falcon. + type: keyword -- -[[exported-fields-suricata]] -== Suricata fields +*`crowdstrike.event.SensorId`*:: ++ +-- +Unique ID associated with the Falcon sensor. -Module for handling the EVE JSON logs produced by Suricata. +type: keyword +-- -[float] -=== suricata +*`crowdstrike.event.DetectId`*:: ++ +-- +Unique ID associated with the detection. -Fields from the Suricata EVE log file. +type: keyword +-- -[float] -=== eve +*`crowdstrike.event.LocalIP`*:: ++ +-- +IP address of the host associated with the detection. -Fields exported by the EVE JSON logs +type: keyword +-- -*`suricata.eve.event_type`*:: +*`crowdstrike.event.MACAddress`*:: + -- +MAC address of the host associated with the detection. + + type: keyword -- -*`suricata.eve.app_proto_orig`*:: +*`crowdstrike.event.Tactic`*:: + -- +MITRE tactic category of the detection. 
+ + type: keyword -- - -*`suricata.eve.tcp.tcp_flags`*:: +*`crowdstrike.event.Technique`*:: + -- +MITRE technique category of the detection. + + type: keyword -- -*`suricata.eve.tcp.psh`*:: +*`crowdstrike.event.Objective`*:: + -- -type: boolean +Method of detection. + + +type: keyword -- -*`suricata.eve.tcp.tcp_flags_tc`*:: +*`crowdstrike.event.PatternDispositionDescription`*:: + -- +Action taken by Falcon. + + type: keyword -- -*`suricata.eve.tcp.ack`*:: +*`crowdstrike.event.PatternDispositionValue`*:: + -- -type: boolean +Unique ID associated with action taken. + + +type: integer -- -*`suricata.eve.tcp.syn`*:: +*`crowdstrike.event.PatternDispositionFlags`*:: + -- -type: boolean +Flags indicating actions taken. + + +type: object -- -*`suricata.eve.tcp.state`*:: +*`crowdstrike.event.State`*:: + -- +Whether the incident summary is open and ongoing or closed. + + type: keyword -- -*`suricata.eve.tcp.tcp_flags_ts`*:: +*`crowdstrike.event.IncidentStartTime`*:: + -- -type: keyword +Start time for the incident in UTC UNIX format. + + +type: date -- -*`suricata.eve.tcp.rst`*:: +*`crowdstrike.event.IncidentEndTime`*:: + -- -type: boolean +End time for the incident in UTC UNIX format. + + +type: date -- -*`suricata.eve.tcp.fin`*:: +*`crowdstrike.event.FineScore`*:: + -- -type: boolean +Score for incident. --- +type: float -*`suricata.eve.fileinfo.sha1`*:: +-- + +*`crowdstrike.event.UserId`*:: + -- +Email address or user ID associated with the event. + + type: keyword -- -*`suricata.eve.fileinfo.filename`*:: +*`crowdstrike.event.UserIp`*:: + -- -type: alias +IP address associated with the user. -alias to: file.path + +type: keyword -- -*`suricata.eve.fileinfo.tx_id`*:: +*`crowdstrike.event.OperationName`*:: + -- -type: long +Event subtype. --- -*`suricata.eve.fileinfo.state`*:: -+ --- type: keyword -- -*`suricata.eve.fileinfo.stored`*:: +*`crowdstrike.event.ServiceName`*:: + -- -type: boolean +Service associated with this event. 
+ + +type: keyword -- -*`suricata.eve.fileinfo.gaps`*:: +*`crowdstrike.event.Success`*:: + -- +Indicator of whether or not this event was successful. + + type: boolean -- -*`suricata.eve.fileinfo.sha256`*:: +*`crowdstrike.event.UTCTimestamp`*:: + -- -type: keyword +Timestamp associated with this event in UTC UNIX format. --- -*`suricata.eve.fileinfo.md5`*:: -+ --- -type: keyword +type: date -- -*`suricata.eve.fileinfo.size`*:: +*`crowdstrike.event.AuditKeyValues`*:: + -- -type: alias +Fields that were changed in this event. -alias to: file.size + +type: nested -- -*`suricata.eve.icmp_type`*:: +*`crowdstrike.event.SessionId`*:: + -- -type: long +Session ID of the remote response session. + + +type: keyword -- -*`suricata.eve.dest_port`*:: +*`crowdstrike.event.HostnameField`*:: + -- -type: alias +Host name of the machine for the remote session. -alias to: destination.port + +type: keyword -- -*`suricata.eve.src_port`*:: +*`crowdstrike.event.StartTimestamp`*:: + -- -type: alias +Start time for the remote session in UTC UNIX format. -alias to: source.port + +type: date -- -*`suricata.eve.proto`*:: +*`crowdstrike.event.EndTimestamp`*:: + -- -type: alias +End time for the remote session in UTC UNIX format. -alias to: network.transport --- +type: date -*`suricata.eve.pcap_cnt`*:: -+ -- -type: long --- +[[exported-fields-cylance]] +== CylanceProtect fields -*`suricata.eve.src_ip`*:: +cylance fields. + + + +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. 
-alias to: source.ip + +type: keyword -- -*`suricata.eve.dns.type`*:: + +*`rsa.internal.msg`*:: + -- +This key is used to capture the raw message that comes into the Log Decoder + type: keyword -- -*`suricata.eve.dns.rrtype`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`suricata.eve.dns.rrname`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`suricata.eve.dns.rdata`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`suricata.eve.dns.tx_id`*:: +*`rsa.internal.time`*:: + -- -type: long +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`suricata.eve.dns.ttl`*:: +*`rsa.internal.level`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`suricata.eve.dns.rcode`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.dns.id`*:: +*`rsa.internal.msg_vid`*:: + -- -type: long +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.flow_id`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- - -*`suricata.eve.email.status`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.dest_ip`*:: +*`rsa.internal.obj_val`*:: + -- -type: alias +Deprecated key defined only in table map. 
-alias to: destination.ip +type: keyword -- -*`suricata.eve.icmp_code`*:: +*`rsa.internal.resource`*:: + -- -type: long +Deprecated key defined only in table map. --- +type: keyword +-- -*`suricata.eve.http.status`*:: +*`rsa.internal.obj_id`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: http.response.status_code +type: keyword -- -*`suricata.eve.http.redirect`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.http.http_user_agent`*:: +*`rsa.internal.audit_class`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: user_agent.original +type: keyword -- -*`suricata.eve.http.protocol`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.http.http_refer`*:: +*`rsa.internal.hcode`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: http.request.referrer +type: keyword -- -*`suricata.eve.http.url`*:: +*`rsa.internal.inode`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: url.original +type: long -- -*`suricata.eve.http.hostname`*:: +*`rsa.internal.resource_class`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: url.domain +type: keyword -- -*`suricata.eve.http.length`*:: +*`rsa.internal.dead`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: http.response.body.bytes +type: long -- -*`suricata.eve.http.http_method`*:: +*`rsa.internal.feed_desc`*:: + -- -type: alias +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: http.request.method +type: keyword -- -*`suricata.eve.http.http_content_type`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.timestamp`*:: +*`rsa.internal.cid`*:: + -- -type: alias +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: @timestamp +type: keyword -- -*`suricata.eve.in_iface`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- - -*`suricata.eve.alert.category`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.alert.severity`*:: +*`rsa.internal.device_host`*:: + -- -type: alias +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: event.severity +type: keyword -- -*`suricata.eve.alert.rev`*:: +*`rsa.internal.device_ip`*:: + -- -type: long +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.alert.gid`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: long +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.alert.signature`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.alert.action`*:: +*`rsa.internal.device_type_id`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: event.outcome +type: long -- -*`suricata.eve.alert.signature_id`*:: +*`rsa.internal.did`*:: + -- -type: long - --- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`suricata.eve.ssh.client.proto_version`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`suricata.eve.ssh.client.software_version`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration --- +type: long +-- -*`suricata.eve.ssh.server.proto_version`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.ssh.server.software_version`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- - - -*`suricata.eve.stats.capture.kernel_packets`*:: +*`rsa.internal.forward_ip`*:: + -- -type: long +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`suricata.eve.stats.capture.kernel_drops`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: long +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.stats.capture.kernel_ifdrops`*:: +*`rsa.internal.header_id`*:: + -- -type: long +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.uptime`*:: +*`rsa.internal.lc_cid`*:: + -- -type: long +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: keyword +-- -*`suricata.eve.stats.detect.alert`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: long +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: date +-- -*`suricata.eve.stats.http.memcap`*:: +*`rsa.internal.mcb_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`suricata.eve.stats.http.memuse`*:: +*`rsa.internal.mcb_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + type: long -- - -*`suricata.eve.stats.file_store.open_files`*:: +*`rsa.internal.mcbc_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- - -*`suricata.eve.stats.defrag.max_frag_hits`*:: +*`rsa.internal.mcbc_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- - -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: +*`rsa.internal.medium`*:: + -- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + type: long -- -*`suricata.eve.stats.defrag.ipv4.fragments`*:: +*`rsa.internal.node_name`*:: + -- -type: long +Deprecated key defined only in table map. 
+ +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -type: long +This key denotes that event is endpoint related --- +type: keyword +-- -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: +*`rsa.internal.parse_error`*:: + -- -type: long +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.fragments`*:: +*`rsa.internal.payload_req`*:: + -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + type: long -- -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: +*`rsa.internal.payload_res`*:: + -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + type: long -- - -*`suricata.eve.stats.flow.tcp_reuse`*:: +*`rsa.internal.process_vid_dst`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword -- -*`suricata.eve.stats.flow.udp`*:: +*`rsa.internal.process_vid_src`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword -- -*`suricata.eve.stats.flow.memcap`*:: +*`rsa.internal.rid`*:: + -- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`suricata.eve.stats.flow.emerg_mode_entered`*:: +*`rsa.internal.session_split`*:: + -- -type: long +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_over`*:: +*`rsa.internal.site`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.flow.tcp`*:: +*`rsa.internal.size`*:: + -- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`suricata.eve.stats.flow.icmpv6`*:: +*`rsa.internal.sourcefile`*:: + -- -type: long +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.icmpv4`*:: +*`rsa.internal.ubc_req`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`suricata.eve.stats.flow.spare`*:: +*`rsa.internal.ubc_res`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`suricata.eve.stats.flow.memuse`*:: +*`rsa.internal.word`*:: + -- -type: long +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword -- -*`suricata.eve.stats.tcp.pseudo_failed`*:: +*`rsa.time.event_time`*:: + -- -type: long +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: +*`rsa.time.duration_time`*:: + -- -type: long +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: +*`rsa.time.event_time_str`*:: + -- -type: long +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword -- -*`suricata.eve.stats.tcp.sessions`*:: +*`rsa.time.starttime`*:: + -- -type: long +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`suricata.eve.stats.tcp.pseudo`*:: +*`rsa.time.month`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.synack`*:: +*`rsa.time.day`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: +*`rsa.time.endtime`*:: + -- -type: long +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`suricata.eve.stats.tcp.syn`*:: +*`rsa.time.timezone`*:: + -- -type: long +This key is used to capture the timezone of the Event Time + +type: keyword -- -*`suricata.eve.stats.tcp.memuse`*:: +*`rsa.time.duration_str`*:: + -- -type: long +A text string version of the duration + +type: keyword -- -*`suricata.eve.stats.tcp.invalid_checksum`*:: +*`rsa.time.date`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: +*`rsa.time.year`*:: + -- -type: long 
+type: keyword -- -*`suricata.eve.stats.tcp.overlap`*:: +*`rsa.time.recorded_time`*:: + -- -type: long +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`suricata.eve.stats.tcp.insert_list_fail`*:: +*`rsa.time.datetime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.rst`*:: +*`rsa.time.effective_time`*:: + -- -type: long +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`suricata.eve.stats.tcp.stream_depth_reached`*:: +*`rsa.time.expire_time`*:: + -- -type: long +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`suricata.eve.stats.tcp.reassembly_memuse`*:: +*`rsa.time.process_time`*:: + -- -type: long +Deprecated, use duration.time + +type: keyword -- -*`suricata.eve.stats.tcp.reassembly_gap`*:: +*`rsa.time.hour`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.overlap_diff_data`*:: +*`rsa.time.min`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.no_flow`*:: +*`rsa.time.timestamp`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.avg_pkt_size`*:: +*`rsa.time.event_queue_time`*:: + -- -type: long +This key is the Time that the event was queued. 
+ +type: date -- -*`suricata.eve.stats.decoder.bytes`*:: +*`rsa.time.p_time1`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.tcp`*:: +*`rsa.time.tzone`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.raw`*:: +*`rsa.time.eventtime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ppp`*:: +*`rsa.time.gmtdate`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.vlan_qinq`*:: +*`rsa.time.gmttime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.null`*:: +*`rsa.time.p_date`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: +*`rsa.time.p_month`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: +*`rsa.time.p_time`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.invalid`*:: +*`rsa.time.p_time2`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.gre`*:: +*`rsa.time.p_year`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv4`*:: +*`rsa.time.expire_time_str`*:: + -- -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword -- -*`suricata.eve.stats.decoder.ipv6`*:: +*`rsa.time.stamp`*:: + -- -type: long +Deprecated key defined only in table map. + +type: date -- -*`suricata.eve.stats.decoder.pkts`*:: + +*`rsa.misc.action`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: +*`rsa.misc.result`*:: + -- -type: long +This key is used to capture the outcome/result string value of an action in a session. 
--- +type: keyword +-- -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: +*`rsa.misc.severity`*:: + -- -type: long +This key is used to capture the severity given the session + +type: keyword -- -*`suricata.eve.stats.decoder.pppoe`*:: +*`rsa.misc.event_type`*:: + -- -type: long +This key captures the event category type as specified by the event source. + +type: keyword -- -*`suricata.eve.stats.decoder.udp`*:: +*`rsa.misc.reference_id`*:: + -- -type: long +This key is used to capture an event id from the session directly --- +type: keyword +-- -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: +*`rsa.misc.version`*:: + -- -type: long +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`suricata.eve.stats.decoder.vlan`*:: +*`rsa.misc.disposition`*:: + -- -type: long +This key captures the The end state of an action. + +type: keyword -- -*`suricata.eve.stats.decoder.sctp`*:: +*`rsa.misc.result_code`*:: + -- -type: long +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword -- -*`suricata.eve.stats.decoder.max_pkt_size`*:: +*`rsa.misc.category`*:: + -- -type: long +This key is used to capture the category of an event given by the vendor in the session + +type: keyword -- -*`suricata.eve.stats.decoder.teredo`*:: +*`rsa.misc.obj_name`*:: + -- -type: long +This is used to capture name of object + +type: keyword -- -*`suricata.eve.stats.decoder.mpls`*:: +*`rsa.misc.obj_type`*:: + -- -type: long +This is used to capture type of object + +type: keyword -- -*`suricata.eve.stats.decoder.sll`*:: +*`rsa.misc.event_source`*:: + -- -type: long +This key captures Source of the event that’s not a hostname + +type: keyword -- -*`suricata.eve.stats.decoder.icmpv6`*:: +*`rsa.misc.log_session_id`*:: + -- -type: long +This key is used to capture a sessionid from the session directly + +type: keyword -- -*`suricata.eve.stats.decoder.icmpv4`*:: +*`rsa.misc.group`*:: + -- -type: 
long +This key captures the Group Name value + +type: keyword -- -*`suricata.eve.stats.decoder.erspan`*:: +*`rsa.misc.policy_name`*:: + -- -type: long +This key is used to capture the Policy Name only. + +type: keyword -- -*`suricata.eve.stats.decoder.ethernet`*:: +*`rsa.misc.rule_name`*:: + -- -type: long +This key captures the Rule Name + +type: keyword -- -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: +*`rsa.misc.context`*:: + -- -type: long +This key captures Information which adds additional context to the event. + +type: keyword -- -*`suricata.eve.stats.decoder.ieee8021ah`*:: +*`rsa.misc.change_new`*:: + -- -type: long +This key is used to capture the new values of the attribute that’s changing in a session --- +type: keyword +-- -*`suricata.eve.stats.dns.memcap_global`*:: +*`rsa.misc.space`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.dns.memcap_state`*:: +*`rsa.misc.client`*:: + -- -type: long +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword -- -*`suricata.eve.stats.dns.memuse`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.flow_mgr.rows_busy`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout`*:: +*`rsa.misc.change_old`*:: + -- -type: long +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: +*`rsa.misc.operation_id`*:: + -- -type: long +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: +*`rsa.misc.event_state`*:: + -- -type: long +This key captures the current state of the object/item referenced within the event. Describing an on-going event. 
+ +type: keyword -- -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: +*`rsa.misc.group_object`*:: + -- -type: long +This key captures a collection/grouping of entities. Specific usage + +type: keyword -- -*`suricata.eve.stats.flow_mgr.new_pruned`*:: +*`rsa.misc.node`*:: + -- -type: long +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_removed`*:: +*`rsa.misc.rule`*:: + -- -type: long +This key captures the Rule number + +type: keyword -- -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: +*`rsa.misc.device_name`*:: + -- -type: long +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword -- -*`suricata.eve.stats.flow_mgr.est_pruned`*:: +*`rsa.misc.param`*:: + -- -type: long +This key is the parameters passed as part of a command or application, etc. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: +*`rsa.misc.change_attrib`*:: + -- -type: long +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_checked`*:: +*`rsa.misc.event_computer`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: +*`rsa.misc.reference_id1`*:: + -- -type: long +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_checked`*:: +*`rsa.misc.event_log`*:: + -- -type: long +This key captures the Name of the event log + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_empty`*:: +*`rsa.misc.OS`*:: + -- -type: long +This key captures the Name of the Operating System +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ -- +This key captures the Terminal Names only +type: keyword +-- -*`suricata.eve.stats.app_layer.flow.tls`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ftp`*:: +*`rsa.misc.filter`*:: + -- -type: long +This key captures Filter used to reduce result set + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.http`*:: +*`rsa.misc.serial_number`*:: + -- -type: long +This key is the Serial number associated with a physical asset. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_udp`*:: +*`rsa.misc.checksum`*:: + -- -type: long +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: +*`rsa.misc.event_user`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: +*`rsa.misc.virusname`*:: + -- -type: long +This key captures the name of the virus + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smtp`*:: +*`rsa.misc.content_type`*:: + -- -type: long +This key is used to capture Content Type only. 
+ +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: +*`rsa.misc.group_id`*:: + -- -type: long +This key captures Group ID Number (related to the group name) + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.msn`*:: +*`rsa.misc.policy_id`*:: + -- -type: long +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ssh`*:: +*`rsa.misc.vsys`*:: + -- -type: long +This key captures Virtual System Name + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.imap`*:: +*`rsa.misc.connection_id`*:: + -- -type: long +This key captures the Connection ID + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: +*`rsa.misc.reference_id2`*:: + -- -type: long +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: +*`rsa.misc.sensor`*:: + -- -type: long +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smb`*:: +*`rsa.misc.sig_id`*:: + -- +This key captures IDS/IPS Int Signature ID + type: long -- - -*`suricata.eve.stats.app_layer.tx.tls`*:: +*`rsa.misc.port_name`*:: + -- -type: long +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ftp`*:: +*`rsa.misc.rule_group`*:: + -- -type: long +This key captures the Rule group name + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.http`*:: +*`rsa.misc.risk_num`*:: + -- -type: long +This key captures a Numeric Risk value + +type: double -- -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: +*`rsa.misc.trigger_val`*:: + -- -type: long +This key captures the Value of the trigger or threshold condition. 
+ +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: long +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smtp`*:: +*`rsa.misc.comp_version`*:: + -- -type: long +This key captures the Version level of a sub-component of a product. + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ssh`*:: +*`rsa.misc.content_version`*:: + -- -type: long +This key captures Version level of a signature or database content. + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: +*`rsa.misc.hardware_id`*:: + -- -type: long +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: +*`rsa.misc.risk`*:: + -- -type: long +This key captures the non-numeric risk value + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smb`*:: +*`rsa.misc.event_id`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.tls.notbefore`*:: +*`rsa.misc.reason`*:: + -- -type: date +type: keyword -- -*`suricata.eve.tls.issuerdn`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`suricata.eve.tls.sni`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`suricata.eve.tls.version`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`suricata.eve.tls.session_resumed`*:: +*`rsa.misc.trigger_desc`*:: + -- -type: boolean +This key captures the Description of the trigger or threshold condition. 
+ +type: keyword -- -*`suricata.eve.tls.fingerprint`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`suricata.eve.tls.serial`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`suricata.eve.tls.notafter`*:: +*`rsa.misc.data_type`*:: + -- -type: date +type: keyword -- -*`suricata.eve.tls.subject`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- - -*`suricata.eve.tls.ja3s.string`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`suricata.eve.tls.ja3s.hash`*:: +*`rsa.misc.index`*:: + -- type: keyword -- - -*`suricata.eve.tls.ja3.string`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`suricata.eve.tls.ja3.hash`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`suricata.eve.app_proto_ts`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- - -*`suricata.eve.flow.bytes_toclient`*:: +*`rsa.misc.policy_value`*:: + -- -type: alias +This key captures the contents of the policy. 
This contains details about the policy -alias to: destination.bytes +type: keyword -- -*`suricata.eve.flow.start`*:: +*`rsa.misc.pool_name`*:: + -- -type: alias +This key captures the name of a resource pool -alias to: event.start +type: keyword -- -*`suricata.eve.flow.pkts_toclient`*:: +*`rsa.misc.rule_template`*:: + -- -type: alias +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -alias to: destination.packets +type: keyword -- -*`suricata.eve.flow.age`*:: +*`rsa.misc.count`*:: + -- -type: long +type: keyword -- -*`suricata.eve.flow.state`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`suricata.eve.flow.bytes_toserver`*:: +*`rsa.misc.sigcat`*:: + -- -type: alias - -alias to: source.bytes +type: keyword -- -*`suricata.eve.flow.reason`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`suricata.eve.flow.pkts_toserver`*:: +*`rsa.misc.comments`*:: + -- -type: alias +Comment information provided in the log message -alias to: source.packets +type: keyword -- -*`suricata.eve.flow.end`*:: +*`rsa.misc.doc_number`*:: + -- -type: date +This key captures File Identification number + +type: long -- -*`suricata.eve.flow.alerted`*:: +*`rsa.misc.expected_val`*:: + -- -type: boolean +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword -- -*`suricata.eve.app_proto`*:: +*`rsa.misc.job_num`*:: + -- -type: alias +This key captures the Job Number -alias to: network.protocol +type: keyword -- -*`suricata.eve.tx_id`*:: +*`rsa.misc.spi_dst`*:: + -- -type: long +Destination SPI Index + +type: keyword -- -*`suricata.eve.app_proto_tc`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- - -*`suricata.eve.smtp.rcpt_to`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`suricata.eve.smtp.mail_from`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`suricata.eve.smtp.helo`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`suricata.eve.app_proto_expected`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -[[exported-fields-system]] -== System fields - -Module for parsing system log files. - - - -[float] -=== system - -Fields from the system log files. +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. +type: keyword +-- -[float] -=== auth +*`rsa.misc.cmd`*:: ++ +-- +type: keyword -Fields from the Linux authorization logs. +-- +*`rsa.misc.misc`*:: ++ +-- +type: keyword +-- -*`system.auth.timestamp`*:: +*`rsa.misc.name`*:: + -- -type: alias - -alias to: @timestamp +type: keyword -- -*`system.auth.hostname`*:: +*`rsa.misc.cpu`*:: + -- -type: alias +This key is the CPU time used in the execution of the event being recorded. -alias to: host.hostname +type: long -- -*`system.auth.program`*:: +*`rsa.misc.event_desc`*:: + -- -type: alias +This key is used to capture a description of an event available directly or inferred -alias to: process.name +type: keyword -- -*`system.auth.pid`*:: +*`rsa.misc.sig_id1`*:: + -- -type: alias +This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id -alias to: process.pid +type: long -- -*`system.auth.message`*:: +*`rsa.misc.im_buddyid`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`system.auth.user`*:: +*`rsa.misc.im_client`*:: + -- -type: alias +type: keyword -alias to: user.name +-- +*`rsa.misc.im_userid`*:: ++ -- +type: keyword +-- -*`system.auth.ssh.method`*:: +*`rsa.misc.pid`*:: + -- -The SSH authentication method. Can be one of "password" or "publickey". - +type: keyword -- -*`system.auth.ssh.signature`*:: +*`rsa.misc.priority`*:: + -- -The signature of the client public key. - +type: keyword -- -*`system.auth.ssh.dropped_ip`*:: +*`rsa.misc.context_subject`*:: + -- -The client IP from SSH connections that are open and immediately dropped. - +This key is to be used in an audit context where the subject is the object being identified -type: ip +type: keyword -- -*`system.auth.ssh.event`*:: +*`rsa.misc.context_target`*:: + -- -The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - -example: Accepted +type: keyword -- -*`system.auth.ssh.ip`*:: +*`rsa.misc.cve`*:: + -- -type: alias +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -alias to: source.ip +type: keyword -- -*`system.auth.ssh.port`*:: +*`rsa.misc.fcatnum`*:: + -- -type: alias +This key captures Filter Category Number. Legacy Usage -alias to: source.port +type: keyword -- - -*`system.auth.ssh.geoip.continent_name`*:: +*`rsa.misc.library`*:: + -- -type: alias +This key is used to capture library information in mainframe devices -alias to: source.geo.continent_name +type: keyword -- -*`system.auth.ssh.geoip.country_iso_code`*:: +*`rsa.misc.parent_node`*:: + -- -type: alias +This key captures the Parent Node Name. Must be related to node variable. 
-alias to: source.geo.country_iso_code +type: keyword -- -*`system.auth.ssh.geoip.location`*:: +*`rsa.misc.risk_info`*:: + -- -type: alias +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -alias to: source.geo.location +type: keyword -- -*`system.auth.ssh.geoip.region_name`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: alias +This key is captures the TCP flags set in any packet of session -alias to: source.geo.region_name +type: long -- -*`system.auth.ssh.geoip.city_name`*:: +*`rsa.misc.tos`*:: + -- -type: alias +This key describes the type of service -alias to: source.geo.city_name +type: long -- -*`system.auth.ssh.geoip.region_iso_code`*:: +*`rsa.misc.vm_target`*:: + -- -type: alias +VMWare Target **VMWARE** only varaible. -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== sudo - -Fields specific to events created by the `sudo` command. +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description +type: keyword +-- -*`system.auth.sudo.error`*:: +*`rsa.misc.command`*:: + -- -The error message in case the sudo command failed. - - -example: user NOT in sudoers +type: keyword -- -*`system.auth.sudo.tty`*:: +*`rsa.misc.event_category`*:: + -- -The TTY where the sudo command is executed. - +type: keyword -- -*`system.auth.sudo.pwd`*:: +*`rsa.misc.facilityname`*:: + -- -The current directory where the sudo command is executed. 
- +type: keyword -- -*`system.auth.sudo.user`*:: +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: 
++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: 
keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. + +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. 
+ +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. + +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
+ +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This 
is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. + +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients 
information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. 
Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-docker-processor]] +== Docker fields + +Docker stats collected from Docker. + + + + +*`docker.container.id`*:: ++ +-- +type: alias + +alias to: container.id + +-- + +*`docker.container.image`*:: ++ +-- +type: alias + +alias to: container.image.name + +-- + +*`docker.container.name`*:: ++ +-- +type: alias + +alias to: container.name + +-- + +*`docker.container.labels`*:: ++ +-- +Image labels. + + +type: object + +-- + +[[exported-fields-ecs]] +== ECS fields + +ECS Fields. + + +*`@timestamp`*:: ++ +-- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. 
+ +type: date + +example: 2016-05-23T08:05:34.853Z + +required: True + +-- + +*`labels`*:: ++ +-- +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. + +type: object + +example: {"application": "foo-bar", "env": "production"} + +-- + +*`message`*:: ++ +-- +For log events the message field contains the log message, optimized for viewing in a log viewer. +For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. + +type: text + +example: Hello World + +-- + +*`tags`*:: ++ +-- +List of keywords used to tag each event. + +type: keyword + +example: ["production", "env2"] + +-- + +[float] +=== agent + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + +*`agent.ephemeral_id`*:: ++ +-- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + +type: keyword + +example: 8a4f500f + +-- + +*`agent.id`*:: ++ +-- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + +type: keyword + +example: 8a4f500d + +-- + +*`agent.name`*:: ++ +-- +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. 
+ +type: keyword + +example: foo + +-- + +*`agent.type`*:: ++ +-- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + +type: keyword + +example: filebeat + +-- + +*`agent.version`*:: ++ +-- +Version of the agent. + +type: keyword + +example: 6.0.0-rc2 + +-- + +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`as.organization.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== client + +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. 
If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`client.address`*:: ++ +-- +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`client.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`client.bytes`*:: ++ +-- +Bytes sent from the client to the server. + +type: long + +example: 184 + +format: bytes + +-- + +*`client.domain`*:: ++ +-- +Client domain. + +type: keyword + +-- + +*`client.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`client.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`client.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`client.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`client.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`client.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`client.geo.region_iso_code`*:: ++ +-- +Region ISO code. 
+ +type: keyword + +example: CA-QC + +-- + +*`client.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`client.ip`*:: ++ +-- +IP address of the client. +Can be one or multiple IPv4 or IPv6 addresses. + +type: ip + +-- + +*`client.mac`*:: ++ +-- +MAC address of the client. + +type: keyword + +-- + +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`client.packets`*:: ++ +-- +Packets sent from the client to the server. + +type: long + +example: 12 + +-- + +*`client.port`*:: ++ +-- +Port of the client. + +type: long + +format: string + +-- + +*`client.registered_domain`*:: ++ +-- +The highest registered client domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`client.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. 
+For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`client.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`client.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`client.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`client.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`client.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`client.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`client.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`client.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`client.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`client.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== cloud + +Fields related to the cloud or infrastructure the events are coming from. + + +*`cloud.account.id`*:: ++ +-- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + +type: keyword + +example: 666777888999 + +-- + +*`cloud.availability_zone`*:: ++ +-- +Availability zone in which this host is running. + +type: keyword + +example: us-east-1c + +-- + +*`cloud.instance.id`*:: ++ +-- +Instance ID of the host machine. + +type: keyword + +example: i-1234567890abcdef0 + +-- + +*`cloud.instance.name`*:: ++ +-- +Instance name of the host machine. + +type: keyword + +-- + +*`cloud.machine.type`*:: ++ +-- +Machine type of the host machine. 
+ +type: keyword + +example: t2.medium + +-- + +*`cloud.provider`*:: ++ +-- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + +type: keyword + +example: aws + +-- + +*`cloud.region`*:: ++ +-- +Region in which this host is running. + +type: keyword + +example: us-east-1 + +-- + +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +[float] +=== container + +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. + + +*`container.id`*:: ++ +-- +Unique container id. + +type: keyword + +-- + +*`container.image.name`*:: ++ +-- +Name of the image the container was built on. + +type: keyword + +-- + +*`container.image.tag`*:: ++ +-- +Container image tags. 
+ +type: keyword + +-- + +*`container.labels`*:: ++ +-- +Image labels. + +type: object + +-- + +*`container.name`*:: ++ +-- +Container name. + +type: keyword + +-- + +*`container.runtime`*:: ++ +-- +Runtime managing this container. + +type: keyword + +example: docker + +-- + +[float] +=== destination + +Destination fields describe details about the destination of a packet/event. +Destination fields are usually populated in conjunction with source fields. + + +*`destination.address`*:: ++ +-- +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`destination.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`destination.bytes`*:: ++ +-- +Bytes sent from the destination to the source. + +type: long + +example: 184 + +format: bytes + +-- + +*`destination.domain`*:: ++ +-- +Destination domain. + +type: keyword + +-- + +*`destination.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`destination.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`destination.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`destination.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`destination.geo.location`*:: ++ +-- +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`destination.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`destination.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`destination.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`destination.ip`*:: ++ +-- +IP address of the destination. +Can be one or multiple IPv4 or IPv6 addresses. + +type: ip + +-- + +*`destination.mac`*:: ++ +-- +MAC address of the destination. + +type: keyword + +-- + +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`destination.packets`*:: ++ +-- +Packets sent from the destination to the source. + +type: long + +example: 12 + +-- + +*`destination.port`*:: ++ +-- +Port of the destination. + +type: long + +format: string + +-- + +*`destination.registered_domain`*:: ++ +-- +The highest registered destination domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ +type: keyword + +example: google.com + +-- + +*`destination.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`destination.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`destination.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`destination.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`destination.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`destination.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`destination.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`destination.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`destination.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`destination.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`destination.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. 
+ +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. 
+ +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. 
+ +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". 
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.subdomain`*:: ++ +-- +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: www + +-- + +*`dns.question.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + +[float] +=== ecs + +Meta-information specific to ECS. + + +*`ecs.version`*:: ++ +-- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + +type: keyword + +example: 1.0.0 + +required: True + +-- + +[float] +=== error + +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. + + +*`error.code`*:: ++ +-- +Error code describing the error. + +type: keyword + +-- + +*`error.id`*:: ++ +-- +Unique identifier for the error. + +type: keyword + +-- + +*`error.message`*:: ++ +-- +Error message. + +type: text + +-- + +*`error.stack_trace`*:: ++ +-- +The stack trace of this error in plain text. + +type: keyword + +-- + +*`error.stack_trace.text`*:: ++ +-- +type: text + +-- + +*`error.type`*:: ++ +-- +The type of the error, for example the class name of the exception. + +type: keyword + +example: java.lang.NullPointerException + +-- + +[float] +=== event + +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. 
See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: ++ +-- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + +type: keyword + +example: user-password-change + +-- + +*`event.category`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. + +type: keyword + +example: authentication + +-- + +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + +*`event.created`*:: ++ +-- +event.created contains the date/time when the event was first read by an agent, or by your pipeline. +This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. 
+ +type: date + +example: 2016-05-23T08:05:34.857Z + +-- + +*`event.dataset`*:: ++ +-- +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + +type: keyword + +example: apache.access + +-- + +*`event.duration`*:: ++ +-- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + +type: long + +format: duration + +-- + +*`event.end`*:: ++ +-- +event.end contains the date when the event ended or when the activity was last observed. + +type: date + +-- + +*`event.hash`*:: ++ +-- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + +type: keyword + +example: 123456789012345678901234567890ABCD + +-- + +*`event.id`*:: ++ +-- +Unique ID to describe the event. + +type: keyword + +example: 8a4f500d + +-- + +*`event.ingested`*:: ++ +-- +Timestamp when an event arrived in the central data store. +This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + +type: date + +example: 2016-05-23T08:05:35.101Z + +-- + +*`event.kind`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. +`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + +type: keyword + +example: alert + +-- + +*`event.module`*:: ++ +-- +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + +type: keyword + +example: apache + +-- + +*`event.original`*:: ++ +-- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + +-- + +*`event.outcome`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + +type: keyword + +example: success + +-- + +*`event.provider`*:: ++ +-- +Source of the event. 
+Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + +*`event.risk_score`*:: ++ +-- +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + +type: float + +-- + +*`event.risk_score_norm`*:: ++ +-- +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + +type: float + +-- + +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + +type: long + +format: string + +-- + +*`event.severity`*:: ++ +-- +The numeric severity of the event according to your event source. +What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
+ +type: long + +example: 7 + +format: string + +-- + +*`event.start`*:: ++ +-- +event.start contains the date when the event started or when the activity was first observed. + +type: date + +-- + +*`event.timezone`*:: ++ +-- +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + +type: keyword + +-- + +*`event.type`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. +`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. + +type: keyword + +-- + +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. 
+ +type: date + +-- + +*`file.attributes`*:: ++ +-- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + +type: keyword + +example: ["readonly", "system"] + +-- + +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. 
It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice + +-- + +*`file.drive_letter`*:: ++ +-- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. + +type: keyword + +example: C + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- + +*`file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 + +-- + +*`file.group`*:: ++ +-- +Primary group name of the file. + +type: keyword + +example: alice + +-- + +*`file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`file.inode`*:: ++ +-- +Inode representing the file in the filesystem. + +type: keyword + +example: 256383 + +-- + +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + +*`file.mode`*:: ++ +-- +Mode of the file in octal representation. + +type: keyword + +example: 0640 + +-- + +*`file.mtime`*:: ++ +-- +Last time the file content was modified. + +type: date + +-- + +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + +*`file.owner`*:: ++ +-- +File owner's username. + +type: keyword + +example: alice + +-- + +*`file.path`*:: ++ +-- +Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ +type: keyword + +example: /home/alice/example.png + +-- + +*`file.path.text`*:: ++ +-- +type: text + +-- + +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`file.target_path`*:: ++ +-- +Target path for symlinks. + +type: keyword + +-- + +*`file.target_path.text`*:: ++ +-- +type: text + +-- + +*`file.type`*:: ++ +-- +File type (file, dir, or symlink). + +type: keyword + +example: file + +-- + +*`file.uid`*:: ++ +-- +The user ID (UID) or security identifier (SID) of the file owner. + +type: keyword + +example: 1001 + +-- + +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`geo.location`*:: ++ +-- +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. 
+ +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. + +type: keyword + +-- + +*`host.ip`*:: ++ +-- +Host ip addresses. + +type: ip + +-- + +*`host.mac`*:: ++ +-- +Host mac addresses. + +type: keyword + +-- + +*`host.name`*:: ++ +-- +Name of the host. 
+It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + +type: keyword + +-- + +*`host.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`host.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`host.os.full.text`*:: ++ +-- +type: text + +-- + +*`host.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`host.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`host.os.name.text`*:: ++ +-- +type: text + +-- + +*`host.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`host.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`host.type`*:: ++ +-- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + +type: keyword + +-- + +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`host.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`host.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`host.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. 
+ +type: keyword + +-- + +*`host.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`host.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`host.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`host.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`host.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`host.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== http + +Fields related to HTTP activity. Use the `url` field set to store the url of the request. + + +*`http.request.body.bytes`*:: ++ +-- +Size in bytes of the request body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.request.body.content`*:: ++ +-- +The full HTTP request body. + +type: keyword + +example: Hello world + +-- + +*`http.request.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.request.bytes`*:: ++ +-- +Total size in bytes of the request (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.request.method`*:: ++ +-- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: get, post, put + +-- + +*`http.request.referrer`*:: ++ +-- +Referrer for this HTTP request. + +type: keyword + +example: https://blog.example.com/ + +-- + +*`http.response.body.bytes`*:: ++ +-- +Size in bytes of the response body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.response.body.content`*:: ++ +-- +The full HTTP response body. 
+ +type: keyword + +example: Hello world + +-- + +*`http.response.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.response.bytes`*:: ++ +-- +Total size in bytes of the response (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.response.status_code`*:: ++ +-- +HTTP response status code. + +type: long + +example: 404 + +format: string + +-- + +*`http.version`*:: ++ +-- +HTTP version. + +type: keyword + +example: 1.1 + +-- + +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.level`*:: ++ +-- +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. 
Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + +type: keyword + +example: error + +-- + +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + +*`log.origin.file.line`*:: ++ +-- +The line number of the file containing the source code which originated the log event. + +type: integer + +example: 42 + +-- + +*`log.origin.file.name`*:: ++ +-- +The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. + +type: keyword + +example: Bootstrap.java + +-- + +*`log.origin.function`*:: ++ +-- +The name of the function or method which originated the log event. + +type: keyword + +example: init + +-- + +*`log.original`*:: ++ +-- +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 localhost My log + +-- + +*`log.syslog`*:: ++ +-- +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + +type: object + +-- + +*`log.syslog.facility.code`*:: ++ +-- +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + +type: long + +example: 23 + +format: string + +-- + +*`log.syslog.facility.name`*:: ++ +-- +The Syslog text-based facility of the log event, if available. 
+ +type: keyword + +example: local7 + +-- + +*`log.syslog.priority`*:: ++ +-- +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + +type: long + +example: 135 + +format: string + +-- + +*`log.syslog.severity.code`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + +type: long + +example: 3 + +-- + +*`log.syslog.severity.name`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + +type: keyword + +example: Error + +-- + +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: ++ +-- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: aim + +-- + +*`network.bytes`*:: ++ +-- +Total bytes transferred in both directions. 
+If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + +example: 368 + +format: bytes + +-- + +*`network.community_id`*:: ++ +-- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + +type: keyword + +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + +-- + +*`network.direction`*:: ++ +-- +Direction of the network traffic. +Recommended values are: + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. + +type: keyword + +example: inbound + +-- + +*`network.forwarded_ip`*:: ++ +-- +Host IP address when the source IP address is the proxy. + +type: ip + +example: 192.1.1.2 + +-- + +*`network.iana_number`*:: ++ +-- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + +type: keyword + +example: 6 + +-- + +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. 
+ +type: keyword + +example: outside + +-- + +*`network.name`*:: ++ +-- +Name given by operators to sections of their network. + +type: keyword + +example: Guest Wifi + +-- + +*`network.packets`*:: ++ +-- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + +type: long + +example: 24 + +-- + +*`network.protocol`*:: ++ +-- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: http + +-- + +*`network.transport`*:: ++ +-- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: tcp + +-- + +*`network.type`*:: ++ +-- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: ipv4 + +-- + +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== observer + +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. 
The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + +*`observer.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`observer.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`observer.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`observer.geo.country_name`*:: ++ +-- +Country name. 
+ +type: keyword + +example: Canada + +-- + +*`observer.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`observer.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`observer.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`observer.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`observer.hostname`*:: ++ +-- +Hostname of the observer. + +type: keyword + +-- + +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. 
+ +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + +*`observer.ip`*:: ++ +-- +IP addresses of the observer. + +type: ip + +-- + +*`observer.mac`*:: ++ +-- +MAC addresses of the observer + +type: keyword + +-- + +*`observer.name`*:: ++ +-- +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. + +type: keyword + +example: 1_proxySG + +-- + +*`observer.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`observer.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`observer.os.full.text`*:: ++ +-- +type: text + +-- + +*`observer.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`observer.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`observer.os.name.text`*:: ++ +-- +type: text + +-- + +*`observer.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`observer.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`observer.product`*:: ++ +-- +The product name of the observer. + +type: keyword + +example: s200 + +-- + +*`observer.serial_number`*:: ++ +-- +Observer serial number. + +type: keyword + +-- + +*`observer.type`*:: ++ +-- +The type of the observer the data is coming from. +There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + +type: keyword + +example: firewall + +-- + +*`observer.vendor`*:: ++ +-- +Vendor name of the observer. + +type: keyword + +example: Symantec + +-- + +*`observer.version`*:: ++ +-- +Observer version. + +type: keyword + +-- + +[float] +=== organization + +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. + + +*`organization.id`*:: ++ +-- +Unique identifier for the organization. + +type: keyword + +-- + +*`organization.name`*:: ++ +-- +Organization name. + +type: keyword + +-- + +*`organization.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== os + +The OS fields contain information about the operating system. + + +*`os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`os.full.text`*:: ++ +-- +type: text + +-- + +*`os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`os.name.text`*:: ++ +-- +type: text + +-- + +*`os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. 
+ + +*`package.architecture`*:: ++ +-- +Package architecture. + +type: keyword + +example: x86_64 + +-- + +*`package.build_version`*:: ++ +-- +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. + +type: keyword + +example: 36f4f7e89dd61b0988b12ee000b98966867710cd + +-- + +*`package.checksum`*:: ++ +-- +Checksum of the installed package for verification. + +type: keyword + +example: 68b329da9893e34099c7d8ad5cb9c940 + +-- + +*`package.description`*:: ++ +-- +Description of the package. + +type: keyword + +example: Open source programming language to build simple/reliable/efficient software. + +-- + +*`package.install_scope`*:: ++ +-- +Indicating how the package was installed, e.g. user-local, global. + +type: keyword + +example: global + +-- + +*`package.installed`*:: ++ +-- +Time when package was installed. + +type: date + +-- + +*`package.license`*:: ++ +-- +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + +type: keyword + +example: Apache License 2.0 + +-- + +*`package.name`*:: ++ +-- +Package name + +type: keyword + +example: go + +-- + +*`package.path`*:: ++ +-- +Path where the package is installed. + +type: keyword + +example: /usr/local/Cellar/go/1.12.9/ + +-- + +*`package.reference`*:: ++ +-- +Home page or reference URL of the software in this package, if available. + +type: keyword + +example: https://golang.org + +-- + +*`package.size`*:: ++ +-- +Package size in bytes. + +type: long + +example: 62231 + +format: string + +-- + +*`package.type`*:: ++ +-- +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. 
+ +type: keyword + +example: rpm + +-- + +*`package.version`*:: ++ +-- +Package version + +type: keyword + +example: 1.12.9 + +-- + +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: ++ +-- +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. + +type: keyword + +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] + +-- + +*`process.args_count`*:: ++ +-- +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 + +-- + +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. 
+This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.command_line.text`*:: ++ +-- +type: text + +-- + +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.executable`*:: ++ +-- +Absolute path to the process executable. 
+ +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.executable.text`*:: ++ +-- +type: text + +-- + +*`process.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`process.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. + +type: keyword + +example: ssh + +-- + +*`process.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.args`*:: ++ +-- +Array of process arguments. +May be filtered to protect sensitive information. + +type: keyword + +example: ['ssh', '-l', 'user', '10.0.0.16'] + +-- + +*`process.parent.args_count`*:: ++ +-- +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 + +-- + +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. 
+Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.parent.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.parent.command_line.text`*:: ++ +-- +type: text + +-- + +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.parent.executable`*:: ++ +-- +Absolute path to the process executable. + +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.parent.executable.text`*:: ++ +-- +type: text + +-- + +*`process.parent.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. 
+ +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`process.parent.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. + +type: keyword + +example: ssh + +-- + +*`process.parent.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.parent.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.parent.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.parent.title.text`*:: ++ +-- +type: text + +-- + +*`process.parent.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.parent.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.parent.working_directory.text`*:: ++ +-- +type: text + +-- + +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. 
+ +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.title.text`*:: ++ +-- +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.working_directory.text`*:: ++ +-- +type: text + +-- + +[float] +=== registry + +Fields related to Windows Registry operations. + + +*`registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
+ +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`registry.hive`*:: ++ +-- +Abbreviated name for the hive. + +type: keyword + +example: HKLM + +-- + +*`registry.key`*:: ++ +-- +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +[float] +=== related + +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword + +-- + +*`related.ip`*:: ++ +-- +All of the IPs seen on your event. + +type: ip + +-- + +*`related.user`*:: ++ +-- +All the user names seen on your event. + +type: keyword + +-- + +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + +*`rule.category`*:: ++ +-- +A categorization value keyword used by the entity using the rule for detection of this event. + +type: keyword + +example: Attempted Information Leak + +-- + +*`rule.description`*:: ++ +-- +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols + +-- + +*`rule.id`*:: ++ +-- +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + +type: keyword + +example: 101 + +-- + +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + +*`rule.name`*:: ++ +-- +The name of the rule or signature generating the event. + +type: keyword + +example: BLOCK_DNS_over_TLS + +-- + +*`rule.reference`*:: ++ +-- +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. 
If that's not available, it can also be a link to a more general page describing this type of alert. + +type: keyword + +example: https://en.wikipedia.org/wiki/DNS_over_TLS + +-- + +*`rule.ruleset`*:: ++ +-- +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + +type: keyword + +example: Standard_Protocol_Filters + +-- + +*`rule.uuid`*:: ++ +-- +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + +type: keyword + +example: 1100110011 + +-- + +*`rule.version`*:: ++ +-- +The version / revision of the rule being used for analysis. + +type: keyword + +example: 1.1 + +-- + +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`server.address`*:: ++ +-- +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
+
+type: keyword
+
+--
+
+*`server.as.number`*::
++
+--
+Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+--
+
+*`server.as.organization.name`*::
++
+--
+Organization name.
+
+type: keyword
+
+example: Google LLC
+
+--
+
+*`server.as.organization.name.text`*::
++
+--
+type: text
+
+--
+
+*`server.bytes`*::
++
+--
+Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+--
+
+*`server.domain`*::
++
+--
+Server domain.
+
+type: keyword
+
+--
+
+*`server.geo.city_name`*::
++
+--
+City name.
+
+type: keyword
+
+example: Montreal
+
+--
+
+*`server.geo.continent_name`*::
++
+--
+Name of the continent.
+
+type: keyword
+
+example: North America
+
+--
+
+*`server.geo.country_iso_code`*::
++
+--
+Country ISO code.
+
+type: keyword
+
+example: CA
+
+--
+
+*`server.geo.country_name`*::
++
+--
+Country name.
+
+type: keyword
+
+example: Canada
+
+--
+
+*`server.geo.location`*::
++
+--
+Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+--
+
+*`server.geo.name`*::
++
+--
+User-defined description of a location, at the level of granularity they care about.
+Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+--
+
+*`server.geo.region_iso_code`*::
++
+--
+Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+--
+
+*`server.geo.region_name`*::
++
+--
+Region name.
+
+type: keyword
+
+example: Quebec
+
+--
+
+*`server.ip`*::
++
+--
+IP address of the server.
+Can be one or multiple IPv4 or IPv6 addresses.
+
+type: ip
+
+--
+
+*`server.mac`*::
++
+--
+MAC address of the server.
+
+type: keyword
+
+--
+
+*`server.nat.ip`*::
++
+--
+Translated ip of destination based NAT sessions (e.g.
internet to private DMZ)
+Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+--
+
+*`server.nat.port`*::
++
+--
+Translated port of destination based NAT sessions (e.g. internet to private DMZ)
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+--
+
+*`server.packets`*::
++
+--
+Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+--
+
+*`server.port`*::
++
+--
+Port of the server.
+
+type: long
+
+format: string
+
+--
+
+*`server.registered_domain`*::
++
+--
+The highest registered server domain, stripped of the subdomain.
+For example, the registered domain for "foo.google.com" is "google.com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: google.com
+
+--
+
+*`server.top_level_domain`*::
++
+--
+The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+--
+
+*`server.user.domain`*::
++
+--
+Name of the directory the user is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`server.user.email`*::
++
+--
+User email address.
+
+type: keyword
+
+--
+
+*`server.user.full_name`*::
++
+--
+User's full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+--
+
+*`server.user.full_name.text`*::
++
+--
+type: text
+
+--
+
+*`server.user.group.domain`*::
++
+--
+Name of the directory the group is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`server.user.group.id`*::
++
+--
+Unique identifier for the group on the system/platform.
+
+type: keyword
+
+--
+
+*`server.user.group.name`*::
++
+--
+Name of the group.
+
+type: keyword
+
+--
+
+*`server.user.hash`*::
++
+--
+Unique user hash to correlate information for a user in anonymized form.
+Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+--
+
+*`server.user.id`*::
++
+--
+Unique identifiers of the user.
+
+type: keyword
+
+--
+
+*`server.user.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`server.user.name.text`*::
++
+--
+type: text
+
+--
+
+[float]
+=== service
+
+The service fields describe the service for or from which the data was collected.
+These fields help you find and correlate logs for a specific service and version.
+
+
+*`service.ephemeral_id`*::
++
+--
+Ephemeral identifier of this service (if one exists).
+This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+--
+
+*`service.id`*::
++
+--
+Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
+This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
+Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+--
+
+*`service.name`*::
++
+--
+Name of the service data is collected from.
+The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+In the case of Elasticsearch the `service.name` could contain the cluster name.
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+--
+
+*`service.node.name`*::
++
+--
+Name of a service node.
+This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
+In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+--
+
+*`service.state`*::
++
+--
+Current state of the service.
+
+type: keyword
+
+--
+
+*`service.type`*::
++
+--
+The type of the service data is collected from.
+The type can be used to group and correlate logs and metrics from one service type.
+Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+--
+
+*`service.version`*::
++
+--
+Version of the service the data was collected from.
+This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+--
+
+[float]
+=== source
+
+Source fields describe details about the source of a packet/event.
+Source fields are usually populated in conjunction with destination fields.
+
+
+*`source.address`*::
++
+--
+Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+--
+
+*`source.as.number`*::
++
+--
+Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+--
+
+*`source.as.organization.name`*::
++
+--
+Organization name.
+
+type: keyword
+
+example: Google LLC
+
+--
+
+*`source.as.organization.name.text`*::
++
+--
+type: text
+
+--
+
+*`source.bytes`*::
++
+--
+Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+--
+
+*`source.domain`*::
++
+--
+Source domain.
+
+type: keyword
+
+--
+
+*`source.geo.city_name`*::
++
+--
+City name.
+
+type: keyword
+
+example: Montreal
+
+--
+
+*`source.geo.continent_name`*::
++
+--
+Name of the continent.
+
+type: keyword
+
+example: North America
+
+--
+
+*`source.geo.country_iso_code`*::
++
+--
+Country ISO code.
+
+type: keyword
+
+example: CA
+
+--
+
+*`source.geo.country_name`*::
++
+--
+Country name.
+
+type: keyword
+
+example: Canada
+
+--
+
+*`source.geo.location`*::
++
+--
+Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+--
+
+*`source.geo.name`*::
++
+--
+User-defined description of a location, at the level of granularity they care about.
+Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+--
+
+*`source.geo.region_iso_code`*::
++
+--
+Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+--
+
+*`source.geo.region_name`*::
++
+--
+Region name.
+
+type: keyword
+
+example: Quebec
+
+--
+
+*`source.ip`*::
++
+--
+IP address of the source.
+Can be one or multiple IPv4 or IPv6 addresses.
+
+type: ip
+
+--
+
+*`source.mac`*::
++
+--
+MAC address of the source.
+
+type: keyword
+
+--
+
+*`source.nat.ip`*::
++
+--
+Translated ip of source based NAT sessions (e.g.
internal client to internet)
+Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+--
+
+*`source.nat.port`*::
++
+--
+Translated port of source based NAT sessions. (e.g. internal client to internet)
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+--
+
+*`source.packets`*::
++
+--
+Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+--
+
+*`source.port`*::
++
+--
+Port of the source.
+
+type: long
+
+format: string
+
+--
+
+*`source.registered_domain`*::
++
+--
+The highest registered source domain, stripped of the subdomain.
+For example, the registered domain for "foo.google.com" is "google.com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: google.com
+
+--
+
+*`source.top_level_domain`*::
++
+--
+The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+--
+
+*`source.user.domain`*::
++
+--
+Name of the directory the user is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`source.user.email`*::
++
+--
+User email address.
+
+type: keyword
+
+--
+
+*`source.user.full_name`*::
++
+--
+User's full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+--
+
+*`source.user.full_name.text`*::
++
+--
+type: text
+
+--
+
+*`source.user.group.domain`*::
++
+--
+Name of the directory the group is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`source.user.group.id`*::
++
+--
+Unique identifier for the group on the system/platform.
+
+type: keyword
+
+--
+
+*`source.user.group.name`*::
++
+--
+Name of the group.
+
+type: keyword
+
+--
+
+*`source.user.hash`*::
++
+--
+Unique user hash to correlate information for a user in anonymized form.
+Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+--
+
+*`source.user.id`*::
++
+--
+Unique identifiers of the user.
+
+type: keyword
+
+--
+
+*`source.user.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`source.user.name.text`*::
++
+--
+type: text
+
+--
+
+[float]
+=== threat
+
+Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework.
+These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+
+*`threat.framework`*::
++
+--
+Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+--
+
+*`threat.tactic.id`*::
++
+--
+The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+
+type: keyword
+
+example: TA0040
+
+--
+
+*`threat.tactic.name`*::
++
+--
+Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex.
https://attack.mitre.org/tactics/TA0040/ )
+
+type: keyword
+
+example: impact
+
+--
+
+*`threat.tactic.reference`*::
++
+--
+The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+
+type: keyword
+
+example: https://attack.mitre.org/tactics/TA0040/
+
+--
+
+*`threat.technique.id`*::
++
+--
+The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+
+type: keyword
+
+example: T1499
+
+--
+
+*`threat.technique.name`*::
++
+--
+The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+
+type: keyword
+
+example: endpoint denial of service
+
+--
+
+*`threat.technique.name.text`*::
++
+--
+type: text
+
+--
+
+*`threat.technique.reference`*::
++
+--
+The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+
+type: keyword
+
+example: https://attack.mitre.org/techniques/T1499/
+
+--
+
+[float]
+=== tls
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+
+*`tls.cipher`*::
++
+--
+String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+--
+
+*`tls.client.certificate`*::
++
+--
+PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII...
+
+--
+
+*`tls.client.certificate_chain`*::
++
+--
+Array of PEM-encoded certificates that make up the certificate chain offered by the client.
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ['MII...', 'MII...']
+
+--
+
+*`tls.client.hash.md5`*::
++
+--
+Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+--
+
+*`tls.client.hash.sha1`*::
++
+--
+Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+--
+
+*`tls.client.hash.sha256`*::
++
+--
+Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+--
+
+*`tls.client.issuer`*::
++
+--
+Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com
+
+--
+
+*`tls.client.ja3`*::
++
+--
+A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+--
+
+*`tls.client.not_after`*::
++
+--
+Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+--
+
+*`tls.client.not_before`*::
++
+--
+Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+--
+
+*`tls.client.server_name`*::
++
+--
+Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+--
+
+*`tls.client.subject`*::
++
+--
+Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com
+
+--
+
+*`tls.client.supported_ciphers`*::
++
+--
+Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']
+
+--
+
+*`tls.curve`*::
++
+--
+String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+--
+
+*`tls.established`*::
++
+--
+Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+--
+
+*`tls.next_protocol`*::
++
+--
+String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+--
+
+*`tls.resumed`*::
++
+--
+Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+--
+
+*`tls.server.certificate`*::
++
+--
+PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII...
+
+--
+
+*`tls.server.certificate_chain`*::
++
+--
+Array of PEM-encoded certificates that make up the certificate chain offered by the server.
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ['MII...', 'MII...']
+
+--
+
+*`tls.server.hash.md5`*::
++
+--
+Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+--
+
+*`tls.server.hash.sha1`*::
++
+--
+Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+--
+
+*`tls.server.hash.sha256`*::
++
+--
+Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+--
+
+*`tls.server.issuer`*::
++
+--
+Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com
+
+--
+
+*`tls.server.ja3s`*::
++
+--
+A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+--
+
+*`tls.server.not_after`*::
++
+--
+Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+--
+
+*`tls.server.not_before`*::
++
+--
+Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+--
+
+*`tls.server.subject`*::
++
+--
+Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com
+
+--
+
+*`tls.version`*::
++
+--
+Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+--
+
+*`tls.version_protocol`*::
++
+--
+Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+--
+
+[float]
+=== tracing
+
+Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
+
+
+*`tracing.trace.id`*::
++
+--
+Unique identifier of the trace.
+A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+--
+
+*`tracing.transaction.id`*::
++
+--
+Unique identifier of the transaction.
+A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+--
+
+[float]
+=== url
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+
+*`url.domain`*::
++
+--
+Domain of the url, such as "www.elastic.co".
+In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+--
+
+*`url.extension`*::
++
+--
+The field contains the file extension from the original request url.
+The file extension is only set if it exists, as not every url has a file extension.
+The leading period must not be included. For example, the value must be "png", not ".png".
+
+type: keyword
+
+example: png
+
+--
+
+*`url.fragment`*::
++
+--
+Portion of the url after the `#`, such as "top".
+The `#` is not part of the fragment.
+
+type: keyword
+
+--
+
+*`url.full`*::
++
+--
+If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: keyword
+
+example: https://www.elastic.co:443/search?q=elasticsearch#top
+
+--
+
+*`url.full.text`*::
++
+--
+type: text
+
+--
+
+*`url.original`*::
++
+--
+Unmodified original url as seen in the event source.
+Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+This field is meant to represent the URL as it was observed, complete or not.
+
+type: keyword
+
+example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+
+--
+
+*`url.original.text`*::
++
+--
+type: text
+
+--
+
+*`url.password`*::
++
+--
+Password of the request.
+
+type: keyword
+
+--
+
+*`url.path`*::
++
+--
+Path of the request, such as "/search".
+
+type: keyword
+
+--
+
+*`url.port`*::
++
+--
+Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+--
+
+*`url.query`*::
++
+--
+The query field describes the query string of the request, such as "q=elasticsearch".
+The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+--
+
+*`url.registered_domain`*::
++
+--
+The highest registered url domain, stripped of the subdomain.
+For example, the registered domain for "foo.google.com" is "google.com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: google.com
+
+--
+
+*`url.scheme`*::
++
+--
+Scheme of the request, such as "https".
+Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+--
+
+*`url.top_level_domain`*::
++
+--
+The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+--
+
+*`url.username`*::
++
+--
+Username of the request.
+
+type: keyword
+
+--
+
+[float]
+=== user
+
+The user fields describe information about the user that is relevant to the event.
+Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+
+*`user.domain`*::
++
+--
+Name of the directory the user is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`user.email`*::
++
+--
+User email address.
+
+type: keyword
+
+--
+
+*`user.full_name`*::
++
+--
+User's full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+--
+
+*`user.full_name.text`*::
++
+--
+type: text
+
+--
+
+*`user.group.domain`*::
++
+--
+Name of the directory the group is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`user.group.id`*::
++
+--
+Unique identifier for the group on the system/platform.
+
+type: keyword
+
+--
+
+*`user.group.name`*::
++
+--
+Name of the group.
+
+type: keyword
+
+--
+
+*`user.hash`*::
++
+--
+Unique user hash to correlate information for a user in anonymized form.
+Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+--
+
+*`user.id`*::
++
+--
+Unique identifiers of the user.
+
+type: keyword
+
+--
+
+*`user.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`user.name.text`*::
++
+--
+type: text
+
+--
+
+[float]
+=== user_agent
+
+The user_agent fields normally come from a browser request.
+They often show up in web service logs coming from the parsed user agent string.
+
+
+*`user_agent.device.name`*::
++
+--
+Name of the device.
+
+type: keyword
+
+example: iPhone
+
+--
+
+*`user_agent.name`*::
++
+--
+Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+--
+
+*`user_agent.original`*::
++
+--
+Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+--
+
+*`user_agent.original.text`*::
++
+--
+type: text
+
+--
+
+*`user_agent.os.family`*::
++
+--
+OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+--
+
+*`user_agent.os.full`*::
++
+--
+Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+--
+
+*`user_agent.os.full.text`*::
++
+--
+type: text
+
+--
+
+*`user_agent.os.kernel`*::
++
+--
+Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+--
+
+*`user_agent.os.name`*::
++
+--
+Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+--
+
+*`user_agent.os.name.text`*::
++
+--
+type: text
+
+--
+
+*`user_agent.os.platform`*::
++
+--
+Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+--
+
+*`user_agent.os.version`*::
++
+--
+Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+--
+
+*`user_agent.version`*::
++
+--
+Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+--
+
+[float]
+=== vlan
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
+Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
+Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+
+*`vlan.id`*::
++
+--
+VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+--
+
+*`vlan.name`*::
++
+--
+Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+--
+
+[float]
+=== vulnerability
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+
+*`vulnerability.category`*::
++
+--
+The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
+This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+--
+
+*`vulnerability.classification`*::
++
+--
+The classification of the vulnerability scoring system.
For example (https://www.first.org/cvss/)
+
+type: keyword
+
+example: CVSS
+
+--
+
+*`vulnerability.description`*::
++
+--
+The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC...
+
+--
+
+*`vulnerability.description.text`*::
++
+--
+type: text
+
+--
+
+*`vulnerability.enumeration`*::
++
+--
+The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
+
+type: keyword
+
+example: CVE
+
+--
+
+*`vulnerability.id`*::
++
+--
+The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
+
+type: keyword
+
+example: CVE-2019-00001
+
+--
+
+*`vulnerability.reference`*::
++
+--
+A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
+
+--
+
+*`vulnerability.report_id`*::
++
+--
+The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+--
+
+*`vulnerability.scanner.vendor`*::
++
+--
+The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+--
+
+*`vulnerability.score.base`*::
++
+--
+Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope.
For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.environmental`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.temporal`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + +type: float + +-- + +*`vulnerability.score.version`*:: ++ +-- +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: 2.0 + +-- + +*`vulnerability.severity`*:: ++ +-- +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. 
For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: Critical + +-- + +[[exported-fields-elasticsearch]] +== Elasticsearch fields + +elasticsearch Module + + + +[float] +=== elasticsearch + + + + +*`elasticsearch.component`*:: ++ +-- +Elasticsearch component from where the log event originated + +type: keyword + +example: o.e.c.m.MetaDataCreateIndexService + +-- + +*`elasticsearch.cluster.uuid`*:: ++ +-- +UUID of the cluster + +type: keyword + +example: GmvrbHlNTiSVYiPf8kxg9g + +-- + +*`elasticsearch.cluster.name`*:: ++ +-- +Name of the cluster + +type: keyword + +example: docker-cluster + +-- + +*`elasticsearch.node.id`*:: ++ +-- +ID of the node + +type: keyword + +example: DSiWcTyeThWtUXLB9J0BMw + +-- + +*`elasticsearch.node.name`*:: ++ +-- +Name of the node + +type: keyword + +example: vWNJsZ3 + +-- + +*`elasticsearch.index.name`*:: ++ +-- +Index name + +type: keyword + +example: filebeat-test-input + +-- + +*`elasticsearch.index.id`*:: ++ +-- +Index id + +type: keyword + +example: aOGgDwbURfCV57AScqbCgw + +-- + +*`elasticsearch.shard.id`*:: ++ +-- +Id of the shard + +type: keyword + +example: 0 + +-- + +[float] +=== audit + + + + +*`elasticsearch.audit.layer`*:: ++ +-- +The layer from which this event originated: rest, transport or ip_filter + +type: keyword + +example: rest + +-- + +*`elasticsearch.audit.event_type`*:: ++ +-- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + +type: keyword + +example: access_granted + +-- + +*`elasticsearch.audit.origin.type`*:: ++ +-- +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) + +type: keyword + +example: local_node + +-- + +*`elasticsearch.audit.realm`*:: ++ +-- +The authentication realm the 
authentication was validated against + +type: keyword + +-- + +*`elasticsearch.audit.user.realm`*:: ++ +-- +The user's authentication realm, if authenticated + +type: keyword + +-- + +*`elasticsearch.audit.user.roles`*:: ++ +-- +Roles to which the principal belongs + +type: keyword + +example: ['kibana_user', 'beats_admin'] + +-- + +*`elasticsearch.audit.action`*:: ++ +-- +The name of the action that was executed + +type: keyword + +example: cluster:monitor/main + +-- + +*`elasticsearch.audit.url.params`*:: ++ +-- +REST URI parameters + +example: {username=jacknich2} + +-- + +*`elasticsearch.audit.indices`*:: ++ +-- +Indices accessed by action + +type: keyword + +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + +-- + +*`elasticsearch.audit.request.id`*:: ++ +-- +Unique ID of request + +type: keyword + +example: WzL_kb6VSvOhAq0twPvHOQ + +-- + +*`elasticsearch.audit.request.name`*:: ++ +-- +The type of request that was executed + +type: keyword + +example: ClearScrollRequest + +-- + +*`elasticsearch.audit.request_body`*:: ++ +-- +type: alias + +alias to: http.request.body.content + +-- + +*`elasticsearch.audit.origin_address`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`elasticsearch.audit.uri`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`elasticsearch.audit.principal`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`elasticsearch.audit.message`*:: ++ +-- +type: text + +-- + +[float] +=== deprecation + + + +[float] +=== gc + +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: ++ +-- +Name of the GC collection phase. + + +type: keyword + +-- + +*`elasticsearch.gc.phase.duration_sec`*:: ++ +-- +Collection phase duration according to the Java virtual machine. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up symbol tables. 
+ + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up string tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: ++ +-- +Time spent processing weak references in seconds. + + +type: float + +-- + +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: ++ +-- +Time spent in seconds marking live objects while application is stopped. + + +type: float + +-- + +*`elasticsearch.gc.phase.class_unload_time_sec`*:: ++ +-- +Time spent unloading unused classes in seconds. + + +type: float + +-- + +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: ++ +-- +CPU time spent outside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: ++ +-- +CPU time spent inside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: ++ +-- +Total elapsed CPU time spent to complete the collection from start to finish. + + +type: float + +-- + +*`elasticsearch.gc.jvm_runtime_sec`*:: ++ +-- +The time from JVM start up in seconds, as a floating point number. + + +type: float + +-- + +*`elasticsearch.gc.threads_total_stop_time_sec`*:: ++ +-- +Garbage collection threads total stop time seconds. + + +type: float + +-- + +*`elasticsearch.gc.stopping_threads_time_sec`*:: ++ +-- +Time took to stop threads seconds. + + +type: float + +-- + +*`elasticsearch.gc.tags`*:: ++ +-- +GC logging tags. + + +type: keyword + +-- + +[float] +=== heap + +Heap allocation and total size. + + + +*`elasticsearch.gc.heap.size_kb`*:: ++ +-- +Total heap size in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.heap.used_kb`*:: ++ +-- +Used heap in kilobytes. + + +type: integer + +-- + +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: ++ +-- +Total size of old generation in kilobytes. 
+ + +type: integer + +-- + +*`elasticsearch.gc.old_gen.used_kb`*:: ++ +-- +Old generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: ++ +-- +Total size of young generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.young_gen.used_kb`*:: ++ +-- +Young generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: ++ +-- +Field is not indexed. + +-- + +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.young.two`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.overhead_seq`*:: ++ +-- +Sequence number + +type: long + +example: 3449992 + +-- + +*`elasticsearch.server.gc.collection_duration.ms`*:: ++ +-- +Time spent in GC, in milliseconds + +type: float + +example: 1600 + +-- + +*`elasticsearch.server.gc.observation_duration.ms`*:: ++ +-- +Total time over which collection was observed, in milliseconds + +type: float + +example: 1800 + +-- + +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: ++ +-- +Logger name + +type: keyword + +example: index.search.slowlog.fetch + +-- + +*`elasticsearch.slowlog.took`*:: ++ +-- +Time it took to execute the query + +type: keyword + +example: 300ms + +-- + +*`elasticsearch.slowlog.types`*:: ++ +-- +Types + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.stats`*:: ++ +-- +Stats groups + +type: keyword + +example: group1 + +-- + +*`elasticsearch.slowlog.search_type`*:: ++ +-- +Search type + +type: keyword + +example: QUERY_THEN_FETCH + +-- + +*`elasticsearch.slowlog.source_query`*:: ++ +-- +Slow query + +type: keyword + +example: {"query":{"match_all":{"boost":1.0}}} + +-- + 
+*`elasticsearch.slowlog.extra_source`*:: ++ +-- +Extra source information + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.total_hits`*:: ++ +-- +Total hits + +type: keyword + +example: 42 + +-- + +*`elasticsearch.slowlog.total_shards`*:: ++ +-- +Total queried shards + +type: keyword + +example: 22 + +-- + +*`elasticsearch.slowlog.routing`*:: ++ +-- +Routing + +type: keyword + +example: s01HZ2QBk9jw4gtgaFtn + +-- + +*`elasticsearch.slowlog.id`*:: ++ +-- +Id + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.type`*:: ++ +-- +Type + +type: keyword + +example: doc + +-- + +*`elasticsearch.slowlog.source`*:: ++ +-- +Source of document that was indexed + +type: keyword + +-- + +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: ++ +-- +Envoy log type, normally ACCESS + + +type: keyword + +-- + +*`envoyproxy.response_flags`*:: ++ +-- +Response flags + + +type: keyword + +-- + +*`envoyproxy.upstream_service_time`*:: ++ +-- +Upstream service time in nanoseconds + + +type: long + +format: duration + +-- + +*`envoyproxy.request_id`*:: ++ +-- +ID of the request + + +type: keyword + +-- + +*`envoyproxy.authority`*:: ++ +-- +Envoy proxy authority field + + +type: keyword + +-- + +*`envoyproxy.proxy_type`*:: ++ +-- +Envoy proxy type, tcp or http + + +type: keyword + +-- + +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-fortinet]] +== Fortinet fields + +fortinet Module + + + +[float] +=== fortinet + +Fields from fortinet FortiOS + + + +*`fortinet.file.hash.crc32`*:: ++ +-- +CRC32 Hash of file + + +type: keyword + +-- + +*`fortinet.network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`fortinet.rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`fortinet.rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`fortinet.rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`fortinet.rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`fortinet.rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`fortinet.rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`fortinet.rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`fortinet.rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`fortinet.rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`fortinet.rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`fortinet.rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`fortinet.rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
+ +type: ip + +-- + +*`fortinet.rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`fortinet.rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`fortinet.rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`fortinet.rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`fortinet.rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`fortinet.rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`fortinet.rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`fortinet.rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`fortinet.rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`fortinet.rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`fortinet.rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`fortinet.rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`fortinet.rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`fortinet.rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`fortinet.rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`fortinet.rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`fortinet.rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`fortinet.rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`fortinet.rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`fortinet.rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`fortinet.rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`fortinet.rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`fortinet.rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`fortinet.rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`fortinet.rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`fortinet.rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`fortinet.rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. 
+ +type: date + +-- + +*`fortinet.rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`fortinet.rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`fortinet.rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`fortinet.rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`fortinet.rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`fortinet.rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`fortinet.rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`fortinet.rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`fortinet.rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`fortinet.rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`fortinet.rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`fortinet.rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`fortinet.rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`fortinet.rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`fortinet.rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`fortinet.rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`fortinet.rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`fortinet.rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`fortinet.rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`fortinet.rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`fortinet.rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`fortinet.rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`fortinet.rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`fortinet.rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`fortinet.rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`fortinet.rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`fortinet.rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`fortinet.rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`fortinet.rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword + +-- + +*`fortinet.rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`fortinet.rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`fortinet.rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`fortinet.rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`fortinet.rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`fortinet.rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`fortinet.rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`fortinet.rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`fortinet.rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`fortinet.rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`fortinet.rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`fortinet.rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`fortinet.rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`fortinet.rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`fortinet.rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`fortinet.rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`fortinet.rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`fortinet.rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`fortinet.rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`fortinet.rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`fortinet.rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`fortinet.rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`fortinet.rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`fortinet.rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`fortinet.rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`fortinet.rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. + +type: keyword + +-- + +*`fortinet.rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`fortinet.rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`fortinet.rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`fortinet.rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`fortinet.rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. 
This contains details about the policy + +type: keyword + +-- + +*`fortinet.rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`fortinet.rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`fortinet.rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`fortinet.rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`fortinet.rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). + +type: keyword + +-- + +*`fortinet.rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`fortinet.rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`fortinet.rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`fortinet.rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`fortinet.rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`fortinet.rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`fortinet.rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`fortinet.rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`fortinet.rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`fortinet.rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`fortinet.rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`fortinet.rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`fortinet.rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`fortinet.rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`fortinet.rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`fortinet.rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`fortinet.rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`fortinet.rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`fortinet.rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`fortinet.rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`fortinet.rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`fortinet.rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`fortinet.rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`fortinet.rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`fortinet.rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`fortinet.rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`fortinet.rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`fortinet.rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`fortinet.rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`fortinet.rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.program`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`fortinet.rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`fortinet.rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`fortinet.rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`fortinet.rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`fortinet.rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`fortinet.rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`fortinet.rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`fortinet.rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`fortinet.rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`fortinet.rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`fortinet.rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`fortinet.rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`fortinet.rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. + +type: keyword + +-- + +*`fortinet.rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`fortinet.rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`fortinet.rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`fortinet.rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`fortinet.rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`fortinet.rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`fortinet.rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`fortinet.rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`fortinet.rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`fortinet.rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`fortinet.rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ +type: keyword + +-- + +*`fortinet.rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`fortinet.rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`fortinet.rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`fortinet.rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`fortinet.rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`fortinet.rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`fortinet.rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`fortinet.rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`fortinet.rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`fortinet.rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`fortinet.rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`fortinet.rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`fortinet.rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`fortinet.rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`fortinet.rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`fortinet.rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`fortinet.rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`fortinet.rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`fortinet.rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`fortinet.rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`fortinet.rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`fortinet.rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`fortinet.rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + 
+*`fortinet.rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`fortinet.rsa.network.dns_cname_record`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`fortinet.rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ +type: keyword + +-- + +*`fortinet.rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`fortinet.rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`fortinet.rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`fortinet.rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`fortinet.rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`fortinet.rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`fortinet.rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`fortinet.rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`fortinet.rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`fortinet.rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`fortinet.rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`fortinet.rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`fortinet.rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`fortinet.rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`fortinet.rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`fortinet.rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`fortinet.rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`fortinet.rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`fortinet.rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`fortinet.rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`fortinet.rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key 
that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`fortinet.rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`fortinet.rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`fortinet.rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`fortinet.rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`fortinet.rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`fortinet.rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`fortinet.rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`fortinet.rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`fortinet.rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`fortinet.rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`fortinet.rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`fortinet.rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`fortinet.rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`fortinet.rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`fortinet.rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`fortinet.rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`fortinet.rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. 
+ +type: keyword + +-- + +*`fortinet.rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword + +-- + +*`fortinet.rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`fortinet.rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`fortinet.rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`fortinet.rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`fortinet.rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`fortinet.rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`fortinet.rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`fortinet.rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`fortinet.rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`fortinet.rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`fortinet.rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. 
+ +type: keyword + +-- + +*`fortinet.rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`fortinet.rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`fortinet.rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`fortinet.rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`fortinet.rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`fortinet.rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`fortinet.rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`fortinet.rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`fortinet.rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`fortinet.rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`fortinet.rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`fortinet.rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`fortinet.rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`fortinet.rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies 
specifically. + +type: keyword + +-- + +*`fortinet.rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. Typically used for Web Domains + +type: double + +-- + +*`fortinet.rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`fortinet.rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`fortinet.rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`fortinet.rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`fortinet.rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`fortinet.rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`fortinet.rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`fortinet.rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`fortinet.rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword 
+ +-- + + +*`fortinet.rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`fortinet.rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- + +*`fortinet.rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`fortinet.rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`fortinet.rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`fortinet.rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`fortinet.rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`fortinet.rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`fortinet.rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`fortinet.rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`fortinet.rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`fortinet.rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`fortinet.rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`fortinet.rsa.crypto.ssl_ver_dst`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`fortinet.rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + 
+*`fortinet.rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`fortinet.rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`fortinet.rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`fortinet.rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`fortinet.rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`fortinet.rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`fortinet.rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`fortinet.rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`fortinet.rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`fortinet.rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`fortinet.rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`fortinet.rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`fortinet.rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`fortinet.rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`fortinet.rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`fortinet.rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[float] +=== firewall + +Module for parsing Fortinet syslog. 
+ + + +*`fortinet.firewall.acct_stat`*:: ++ +-- +Accounting state (RADIUS) + + +type: keyword + +-- + +*`fortinet.firewall.acktime`*:: ++ +-- +Alarm Acknowledge Time + + +type: keyword + +-- + +*`fortinet.firewall.act`*:: ++ +-- +Action + + +type: keyword + +-- + +*`fortinet.firewall.action`*:: ++ +-- +Status of the session + + +type: keyword + +-- + +*`fortinet.firewall.activity`*:: ++ +-- +HA activity message + + +type: keyword + +-- + +*`fortinet.firewall.addr`*:: ++ +-- +IP Address + + +type: ip + +-- + +*`fortinet.firewall.addr_type`*:: ++ +-- +Address Type + + +type: keyword + +-- + +*`fortinet.firewall.addrgrp`*:: ++ +-- +Address Group + + +type: keyword + +-- + +*`fortinet.firewall.adgroup`*:: ++ +-- +AD Group Name + + +type: keyword + +-- + +*`fortinet.firewall.admin`*:: ++ +-- +Admin User + + +type: keyword + +-- + +*`fortinet.firewall.age`*:: ++ +-- +Time in seconds - time passed since last seen + + +type: integer + +-- + +*`fortinet.firewall.agent`*:: ++ +-- +User agent - eg. 
agent="Mozilla/5.0" + + +type: keyword + +-- + +*`fortinet.firewall.alarmid`*:: ++ +-- +Alarm ID + + +type: integer + +-- + +*`fortinet.firewall.alert`*:: ++ +-- +Alert + + +type: keyword + +-- + +*`fortinet.firewall.analyticscksum`*:: ++ +-- +The checksum of the file submitted for analytics + + +type: keyword + +-- + +*`fortinet.firewall.analyticssubmit`*:: ++ +-- +The flag for analytics submission + + +type: keyword + +-- + +*`fortinet.firewall.ap`*:: ++ +-- +Access Point + + +type: keyword + +-- + +*`fortinet.firewall.app-type`*:: ++ +-- +Address Type + + +type: keyword + +-- + +*`fortinet.firewall.appact`*:: ++ +-- +The security action from app control + + +type: keyword + +-- + +*`fortinet.firewall.appid`*:: ++ +-- +Application ID + + +type: integer + +-- + +*`fortinet.firewall.applist`*:: ++ +-- +Application Control profile + + +type: keyword + +-- + +*`fortinet.firewall.apprisk`*:: ++ +-- +Application Risk Level + + +type: keyword + +-- + +*`fortinet.firewall.apscan`*:: ++ +-- +The name of the AP, which scanned and detected the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.apsn`*:: ++ +-- +Access Point + + +type: keyword + +-- + +*`fortinet.firewall.apstatus`*:: ++ +-- +Access Point status + + +type: keyword + +-- + +*`fortinet.firewall.aptype`*:: ++ +-- +Access Point type + + +type: keyword + +-- + +*`fortinet.firewall.assigned`*:: ++ +-- +Assigned IP Address + + +type: ip + +-- + +*`fortinet.firewall.assignip`*:: ++ +-- +Assigned IP Address + + +type: ip + +-- + +*`fortinet.firewall.attachment`*:: ++ +-- +The flag for email attachement + + +type: keyword + +-- + +*`fortinet.firewall.attack`*:: ++ +-- +Attack Name + + +type: keyword + +-- + +*`fortinet.firewall.attackcontext`*:: ++ +-- +The trigger patterns and the packetdata with base64 encoding + + +type: keyword + +-- + +*`fortinet.firewall.attackcontextid`*:: ++ +-- +Attack context id / total + + +type: keyword + +-- + +*`fortinet.firewall.attackid`*:: ++ +-- +Attack ID + + +type: integer + 
+-- + +*`fortinet.firewall.auditid`*:: ++ +-- +Audit ID + + +type: long + +-- + +*`fortinet.firewall.auditscore`*:: ++ +-- +The Audit Score + + +type: keyword + +-- + +*`fortinet.firewall.audittime`*:: ++ +-- +The time of the audit + + +type: long + +-- + +*`fortinet.firewall.authgrp`*:: ++ +-- +Authorization Group + + +type: keyword + +-- + +*`fortinet.firewall.authid`*:: ++ +-- +Authentication ID + + +type: keyword + +-- + +*`fortinet.firewall.authproto`*:: ++ +-- +The protocol that initiated the authentication + + +type: keyword + +-- + +*`fortinet.firewall.authserver`*:: ++ +-- +Authentication server + + +type: keyword + +-- + +*`fortinet.firewall.bandwidth`*:: ++ +-- +Bandwidth + + +type: keyword + +-- + +*`fortinet.firewall.banned_rule`*:: ++ +-- +NAC quarantine Banned Rule Name + + +type: keyword + +-- + +*`fortinet.firewall.banned_src`*:: ++ +-- +NAC quarantine Banned Source IP + + +type: keyword + +-- + +*`fortinet.firewall.banword`*:: ++ +-- +Banned word + + +type: keyword + +-- + +*`fortinet.firewall.botnetdomain`*:: ++ +-- +Botnet Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.botnetip`*:: ++ +-- +Botnet IP Address + + +type: ip + +-- + +*`fortinet.firewall.bssid`*:: ++ +-- +Service Set ID + + +type: keyword + +-- + +*`fortinet.firewall.call_id`*:: ++ +-- +Caller ID + + +type: keyword + +-- + +*`fortinet.firewall.carrier_ep`*:: ++ +-- +The FortiOS Carrier end-point identification + + +type: keyword + +-- + +*`fortinet.firewall.cat`*:: ++ +-- +DNS category ID + + +type: integer + +-- + +*`fortinet.firewall.category`*:: ++ +-- +Authentication category + + +type: keyword + +-- + +*`fortinet.firewall.cc`*:: ++ +-- +CC Email Address + + +type: keyword + +-- + +*`fortinet.firewall.cdrcontent`*:: ++ +-- +Cdrcontent + + +type: keyword + +-- + +*`fortinet.firewall.centralnatid`*:: ++ +-- +Central NAT ID + + +type: integer + +-- + +*`fortinet.firewall.cert`*:: ++ +-- +Certificate + + +type: keyword + +-- + +*`fortinet.firewall.cert-type`*:: ++ +-- 
+Certificate type + + +type: keyword + +-- + +*`fortinet.firewall.certhash`*:: ++ +-- +Certificate hash + + +type: keyword + +-- + +*`fortinet.firewall.cfgattr`*:: ++ +-- +Configuration attribute + + +type: keyword + +-- + +*`fortinet.firewall.cfgobj`*:: ++ +-- +Configuration object + + +type: keyword + +-- + +*`fortinet.firewall.cfgpath`*:: ++ +-- +Configuration path + + +type: keyword + +-- + +*`fortinet.firewall.cfgtid`*:: ++ +-- +Configuration transaction ID + + +type: keyword + +-- + +*`fortinet.firewall.cfgtxpower`*:: ++ +-- +Configuration TX power + + +type: integer + +-- + +*`fortinet.firewall.channel`*:: ++ +-- +Wireless Channel + + +type: integer + +-- + +*`fortinet.firewall.channeltype`*:: ++ +-- +SSH channel type + + +type: keyword + +-- + +*`fortinet.firewall.chassisid`*:: ++ +-- +Chassis ID + + +type: integer + +-- + +*`fortinet.firewall.checksum`*:: ++ +-- +The checksum of the scanned file + + +type: keyword + +-- + +*`fortinet.firewall.chgheaders`*:: ++ +-- +HTTP Headers + + +type: keyword + +-- + +*`fortinet.firewall.cldobjid`*:: ++ +-- +Connector object ID + + +type: keyword + +-- + +*`fortinet.firewall.client_addr`*:: ++ +-- +Wifi client address + + +type: keyword + +-- + +*`fortinet.firewall.cloudaction`*:: ++ +-- +Cloud Action + + +type: keyword + +-- + +*`fortinet.firewall.clouduser`*:: ++ +-- +Cloud User + + +type: keyword + +-- + +*`fortinet.firewall.column`*:: ++ +-- +VOIP Column + + +type: integer + +-- + +*`fortinet.firewall.command`*:: ++ +-- +CLI Command + + +type: keyword + +-- + +*`fortinet.firewall.community`*:: ++ +-- +SNMP Community + + +type: keyword + +-- + +*`fortinet.firewall.configcountry`*:: ++ +-- +Configuration country + + +type: keyword + +-- + +*`fortinet.firewall.connection_type`*:: ++ +-- +FortiClient Connection Type + + +type: keyword + +-- + +*`fortinet.firewall.conserve`*:: ++ +-- +Flag for conserve mode + + +type: keyword + +-- + +*`fortinet.firewall.constraint`*:: ++ +-- +WAF http protocol restrictions + + +type: 
keyword + +-- + +*`fortinet.firewall.contentdisarmed`*:: ++ +-- +Email scanned content + + +type: keyword + +-- + +*`fortinet.firewall.contenttype`*:: ++ +-- +Content Type from HTTP header + + +type: keyword + +-- + +*`fortinet.firewall.cookies`*:: ++ +-- +VPN Cookie + + +type: keyword + +-- + +*`fortinet.firewall.count`*:: ++ +-- +Counts of action type + + +type: integer + +-- + +*`fortinet.firewall.countapp`*:: ++ +-- +Number of App Ctrl logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countav`*:: ++ +-- +Number of AV logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countcifs`*:: ++ +-- +Number of CIFS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countdlp`*:: ++ +-- +Number of DLP logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countdns`*:: ++ +-- +Number of DNS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countemail`*:: ++ +-- +Number of email logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countff`*:: ++ +-- +Number of ff logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countips`*:: ++ +-- +Number of IPS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countssh`*:: ++ +-- +Number of SSH logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countssl`*:: ++ +-- +Number of SSL logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countwaf`*:: ++ +-- +Number of WAF logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countweb`*:: ++ +-- +Number of Web filter logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.cpu`*:: ++ +-- +CPU Usage + + +type: integer + +-- + +*`fortinet.firewall.craction`*:: ++ +-- +Client Reputation Action + + +type: integer + +-- + +*`fortinet.firewall.criticalcount`*:: ++ 
+-- +Number of critical ratings + + +type: integer + +-- + +*`fortinet.firewall.crl`*:: ++ +-- +Client Reputation Level + + +type: keyword + +-- + +*`fortinet.firewall.crlevel`*:: ++ +-- +Client Reputation Level + + +type: keyword + +-- + +*`fortinet.firewall.crscore`*:: ++ +-- +Some description + + +type: integer + +-- + +*`fortinet.firewall.cveid`*:: ++ +-- +CVE ID + + +type: keyword + +-- + +*`fortinet.firewall.daemon`*:: ++ +-- +Daemon name + + +type: keyword + +-- + +*`fortinet.firewall.datarange`*:: ++ +-- +Data range for reports + + +type: keyword + +-- + +*`fortinet.firewall.date`*:: ++ +-- +Date + + +type: keyword + +-- + +*`fortinet.firewall.ddnsserver`*:: ++ +-- +DDNS server + + +type: ip + +-- + +*`fortinet.firewall.desc`*:: ++ +-- +Description + + +type: keyword + +-- + +*`fortinet.firewall.detectionmethod`*:: ++ +-- +Detection method + + +type: keyword + +-- + +*`fortinet.firewall.devcategory`*:: ++ +-- +Device category + + +type: keyword + +-- + +*`fortinet.firewall.devintfname`*:: ++ +-- +HA device Interface Name + + +type: keyword + +-- + +*`fortinet.firewall.devtype`*:: ++ +-- +Device type + + +type: keyword + +-- + +*`fortinet.firewall.dhcp_msg`*:: ++ +-- +DHCP Message + + +type: keyword + +-- + +*`fortinet.firewall.dintf`*:: ++ +-- +Destination interface + + +type: keyword + +-- + +*`fortinet.firewall.disk`*:: ++ +-- +Assosciated disk + + +type: keyword + +-- + +*`fortinet.firewall.disklograte`*:: ++ +-- +Disk logging rate + + +type: long + +-- + +*`fortinet.firewall.dlpextra`*:: ++ +-- +DLP extra information + + +type: keyword + +-- + +*`fortinet.firewall.docsource`*:: ++ +-- +DLP fingerprint document source + + +type: keyword + +-- + +*`fortinet.firewall.domainctrlauthstate`*:: ++ +-- +CIFS domain auth state + + +type: integer + +-- + +*`fortinet.firewall.domainctrlauthtype`*:: ++ +-- +CIFS domain auth type + + +type: integer + +-- + +*`fortinet.firewall.domainctrldomain`*:: ++ +-- +CIFS domain auth domain + + +type: keyword + +-- + 
+*`fortinet.firewall.domainctrlip`*:: ++ +-- +CIFS Domain IP + + +type: ip + +-- + +*`fortinet.firewall.domainctrlname`*:: ++ +-- +CIFS Domain name + + +type: keyword + +-- + +*`fortinet.firewall.domainctrlprotocoltype`*:: ++ +-- +CIFS Domain connection protocol + + +type: integer + +-- + +*`fortinet.firewall.domainctrlusername`*:: ++ +-- +CIFS Domain username + + +type: keyword + +-- + +*`fortinet.firewall.domainfilteridx`*:: ++ +-- +Domain filter ID + + +type: integer + +-- + +*`fortinet.firewall.domainfilterlist`*:: ++ +-- +Domain filter name + + +type: keyword + +-- + +*`fortinet.firewall.ds`*:: ++ +-- +Direction with distribution system + + +type: keyword + +-- + +*`fortinet.firewall.dst_int`*:: ++ +-- +Destination interface + + +type: keyword + +-- + +*`fortinet.firewall.dstintfrole`*:: ++ +-- +Destination interface role + + +type: keyword + +-- + +*`fortinet.firewall.dstcountry`*:: ++ +-- +Destination country + + +type: keyword + +-- + +*`fortinet.firewall.dstdevcategory`*:: ++ +-- +Destination device category + + +type: keyword + +-- + +*`fortinet.firewall.dstdevtype`*:: ++ +-- +Destination device type + + +type: keyword + +-- + +*`fortinet.firewall.dstfamily`*:: ++ +-- +Destination OS family + + +type: keyword + +-- + +*`fortinet.firewall.dsthwvendor`*:: ++ +-- +Destination HW vendor + + +type: keyword + +-- + +*`fortinet.firewall.dsthwversion`*:: ++ +-- +Destination HW version + + +type: keyword + +-- + +*`fortinet.firewall.dstinetsvc`*:: ++ +-- +Destination interface service + + +type: keyword + +-- + +*`fortinet.firewall.dstosname`*:: ++ +-- +Destination OS name + + +type: keyword + +-- + +*`fortinet.firewall.dstosversion`*:: ++ +-- +Destination OS version + + +type: keyword + +-- + +*`fortinet.firewall.dstserver`*:: ++ +-- +Destination server + + +type: integer + +-- + +*`fortinet.firewall.dstssid`*:: ++ +-- +Destination SSID + + +type: keyword + +-- + +*`fortinet.firewall.dstswversion`*:: ++ +-- +Destination software version + + +type: keyword + +-- + 
+*`fortinet.firewall.dstunauthusersource`*:: ++ +-- +Destination unauthenticated source + + +type: keyword + +-- + +*`fortinet.firewall.dstuuid`*:: ++ +-- +UUID of the Destination IP address + + +type: keyword + +-- + +*`fortinet.firewall.duid`*:: ++ +-- +DHCP UID + + +type: keyword + +-- + +*`fortinet.firewall.eapolcnt`*:: ++ +-- +EAPOL packet count + + +type: integer + +-- + +*`fortinet.firewall.eapoltype`*:: ++ +-- +EAPOL packet type + + +type: keyword + +-- + +*`fortinet.firewall.encrypt`*:: ++ +-- +Whether the packet is encrypted or not + + +type: integer + +-- + +*`fortinet.firewall.encryption`*:: ++ +-- +Encryption method + + +type: keyword + +-- + +*`fortinet.firewall.epoch`*:: ++ +-- +Epoch used for locating file + + +type: integer + +-- + +*`fortinet.firewall.espauth`*:: ++ +-- +ESP Authentication + + +type: keyword + +-- + +*`fortinet.firewall.esptransform`*:: ++ +-- +ESP Transform + + +type: keyword + +-- + +*`fortinet.firewall.exch`*:: ++ +-- +Mail Exchanges from DNS response answer section + + +type: keyword + +-- + +*`fortinet.firewall.exchange`*:: ++ +-- +Mail Exchanges from DNS response answer section + + +type: keyword + +-- + +*`fortinet.firewall.expectedsignature`*:: ++ +-- +Expected SSL signature + + +type: keyword + +-- + +*`fortinet.firewall.expiry`*:: ++ +-- +FortiGuard override expiry timestamp + + +type: keyword + +-- + +*`fortinet.firewall.fams_pause`*:: ++ +-- +Fortinet Analysis and Management Service Pause + + +type: integer + +-- + +*`fortinet.firewall.fazlograte`*:: ++ +-- +FortiAnalyzer Logging Rate + + +type: long + +-- + +*`fortinet.firewall.fctemssn`*:: ++ +-- +FortiClient Endpoint SSN + + +type: keyword + +-- + +*`fortinet.firewall.fctuid`*:: ++ +-- +FortiClient UID + + +type: keyword + +-- + +*`fortinet.firewall.field`*:: ++ +-- +NTP status field + + +type: keyword + +-- + +*`fortinet.firewall.filefilter`*:: ++ +-- +The filter used to identify the affected file + + +type: keyword + +-- + +*`fortinet.firewall.filehashsrc`*:: ++ 
+-- +Filehash source + + +type: keyword + +-- + +*`fortinet.firewall.filtercat`*:: ++ +-- +DLP filter category + + +type: keyword + +-- + +*`fortinet.firewall.filteridx`*:: ++ +-- +DLP filter ID + + +type: integer + +-- + +*`fortinet.firewall.filtername`*:: ++ +-- +DLP rule name + + +type: keyword + +-- + +*`fortinet.firewall.filtertype`*:: ++ +-- +DLP filter type + + +type: keyword + +-- + +*`fortinet.firewall.fortiguardresp`*:: ++ +-- +Antispam ESP value + + +type: keyword + +-- + +*`fortinet.firewall.forwardedfor`*:: ++ +-- +Email address forwarded + + +type: keyword + +-- + +*`fortinet.firewall.fqdn`*:: ++ +-- +FQDN + + +type: keyword + +-- + +*`fortinet.firewall.frametype`*:: ++ +-- +Wireless frametype + + +type: keyword + +-- + +*`fortinet.firewall.freediskstorage`*:: ++ +-- +Free disk integer + + +type: integer + +-- + +*`fortinet.firewall.from`*:: ++ +-- +From email address + + +type: keyword + +-- + +*`fortinet.firewall.from_vcluster`*:: ++ +-- +Source virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.fsaverdict`*:: ++ +-- +FSA verdict + + +type: keyword + +-- + +*`fortinet.firewall.fwserver_name`*:: ++ +-- +Web proxy server name + + +type: keyword + +-- + +*`fortinet.firewall.gateway`*:: ++ +-- +Gateway ip address for PPPoE status report + + +type: ip + +-- + +*`fortinet.firewall.green`*:: ++ +-- +Memory status + + +type: keyword + +-- + +*`fortinet.firewall.groupid`*:: ++ +-- +User Group ID + + +type: integer + +-- + +*`fortinet.firewall.ha-prio`*:: ++ +-- +HA Priority + + +type: integer + +-- + +*`fortinet.firewall.ha_group`*:: ++ +-- +HA Group + + +type: keyword + +-- + +*`fortinet.firewall.ha_role`*:: ++ +-- +HA Role + + +type: keyword + +-- + +*`fortinet.firewall.handshake`*:: ++ +-- +SSL Handshake + + +type: keyword + +-- + +*`fortinet.firewall.hash`*:: ++ +-- +Hash value of downloaded file + + +type: keyword + +-- + +*`fortinet.firewall.hbdn_reason`*:: ++ +-- +Heartbeat down reason + + +type: keyword + +-- + 
+*`fortinet.firewall.highcount`*:: ++ +-- +Highcount fabric summary + + +type: integer + +-- + +*`fortinet.firewall.host`*:: ++ +-- +Hostname + + +type: keyword + +-- + +*`fortinet.firewall.iaid`*:: ++ +-- +DHCPv6 id + + +type: keyword + +-- + +*`fortinet.firewall.icmpcode`*:: ++ +-- +Destination Port of the ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.icmpid`*:: ++ +-- +Source port of the ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.icmptype`*:: ++ +-- +The type of ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.identifier`*:: ++ +-- +Network traffic identifier + + +type: integer + +-- + +*`fortinet.firewall.in_spi`*:: ++ +-- +IPSEC inbound SPI + + +type: keyword + +-- + +*`fortinet.firewall.incidentserialno`*:: ++ +-- +Incident serial number + + +type: integer + +-- + +*`fortinet.firewall.infected`*:: ++ +-- +Infected MMS + + +type: integer + +-- + +*`fortinet.firewall.infectedfilelevel`*:: ++ +-- +DLP infected file level + + +type: integer + +-- + +*`fortinet.firewall.informationsource`*:: ++ +-- +Information source + + +type: keyword + +-- + +*`fortinet.firewall.init`*:: ++ +-- +IPSEC init stage + + +type: keyword + +-- + +*`fortinet.firewall.initiator`*:: ++ +-- +Original login user name for Fortiguard override + + +type: keyword + +-- + +*`fortinet.firewall.interface`*:: ++ +-- +Related interface + + +type: keyword + +-- + +*`fortinet.firewall.intf`*:: ++ +-- +Related interface + + +type: keyword + +-- + +*`fortinet.firewall.invalidmac`*:: ++ +-- +The MAC address with invalid OUI + + +type: keyword + +-- + +*`fortinet.firewall.ip`*:: ++ +-- +Related IP + + +type: ip + +-- + +*`fortinet.firewall.iptype`*:: ++ +-- +Related IP type + + +type: keyword + +-- + +*`fortinet.firewall.keyword`*:: ++ +-- +Keyword used for search + + +type: keyword + +-- + +*`fortinet.firewall.kind`*:: ++ +-- +VOIP kind + + +type: keyword + +-- + +*`fortinet.firewall.lanin`*:: ++ +-- +LAN incoming traffic in bytes + + +type: long + +-- + 
+*`fortinet.firewall.lanout`*:: ++ +-- +LAN outbound traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.lease`*:: ++ +-- +DHCP lease + + +type: integer + +-- + +*`fortinet.firewall.license_limit`*:: ++ +-- +Maximum Number of FortiClients for the License + + +type: keyword + +-- + +*`fortinet.firewall.limit`*:: ++ +-- +Virtual Domain Resource Limit + + +type: integer + +-- + +*`fortinet.firewall.line`*:: ++ +-- +VOIP line + + +type: keyword + +-- + +*`fortinet.firewall.live`*:: ++ +-- +Time in seconds + + +type: integer + +-- + +*`fortinet.firewall.local`*:: ++ +-- +Local IP for a PPPD Connection + + +type: ip + +-- + +*`fortinet.firewall.log`*:: ++ +-- +Log message + + +type: keyword + +-- + +*`fortinet.firewall.login`*:: ++ +-- +SSH login + + +type: keyword + +-- + +*`fortinet.firewall.lowcount`*:: ++ +-- +Fabric lowcount + + +type: integer + +-- + +*`fortinet.firewall.mac`*:: ++ +-- +DHCP mac address + + +type: keyword + +-- + +*`fortinet.firewall.malform_data`*:: ++ +-- +VOIP malformed data + + +type: integer + +-- + +*`fortinet.firewall.malform_desc`*:: ++ +-- +VOIP malformed data description + + +type: keyword + +-- + +*`fortinet.firewall.manuf`*:: ++ +-- +Manufacturer name + + +type: keyword + +-- + +*`fortinet.firewall.masterdstmac`*:: ++ +-- +Master mac address for a host with multiple network interfaces + + +type: keyword + +-- + +*`fortinet.firewall.mastersrcmac`*:: ++ +-- +The master MAC address for a host that has multiple network interfaces + + +type: keyword + +-- + +*`fortinet.firewall.mediumcount`*:: ++ +-- +Fabric medium count + + +type: integer + +-- + +*`fortinet.firewall.mem`*:: ++ +-- +Memory usage system statistics + + +type: keyword + +-- + +*`fortinet.firewall.meshmode`*:: ++ +-- +Wireless mesh mode + + +type: keyword + +-- + +*`fortinet.firewall.message_type`*:: ++ +-- +VOIP message type + + +type: keyword + +-- + +*`fortinet.firewall.method`*:: ++ +-- +HTTP method + + +type: keyword + +-- + +*`fortinet.firewall.mgmtcnt`*:: ++ 
+-- +The number of unauthorized client flooding managemet frames + + +type: integer + +-- + +*`fortinet.firewall.mode`*:: ++ +-- +IPSEC mode + + +type: keyword + +-- + +*`fortinet.firewall.module`*:: ++ +-- +PCI-DSS module + + +type: keyword + +-- + +*`fortinet.firewall.monitor-name`*:: ++ +-- +Health Monitor Name + + +type: keyword + +-- + +*`fortinet.firewall.monitor-type`*:: ++ +-- +Health Monitor Type + + +type: keyword + +-- + +*`fortinet.firewall.mpsk`*:: ++ +-- +Wireless MPSK + + +type: keyword + +-- + +*`fortinet.firewall.msgproto`*:: ++ +-- +Message Protocol Number + + +type: keyword + +-- + +*`fortinet.firewall.mtu`*:: ++ +-- +Max Transmission Unit Value + + +type: integer + +-- + +*`fortinet.firewall.name`*:: ++ +-- +Name + + +type: keyword + +-- + +*`fortinet.firewall.nat`*:: ++ +-- +NAT IP Address + + +type: keyword + +-- + +*`fortinet.firewall.netid`*:: ++ +-- +Connector NetID + + +type: keyword + +-- + +*`fortinet.firewall.new_status`*:: ++ +-- +New status on user change + + +type: keyword + +-- + +*`fortinet.firewall.new_value`*:: ++ +-- +New Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.newchannel`*:: ++ +-- +New Channel Number + + +type: integer + +-- + +*`fortinet.firewall.newchassisid`*:: ++ +-- +New Chassis ID + + +type: integer + +-- + +*`fortinet.firewall.newslot`*:: ++ +-- +New Slot Number + + +type: integer + +-- + +*`fortinet.firewall.nextstat`*:: ++ +-- +Time interval in seconds for the next statistics. 
+ + +type: integer + +-- + +*`fortinet.firewall.nf_type`*:: ++ +-- +Notification Type + + +type: keyword + +-- + +*`fortinet.firewall.noise`*:: ++ +-- +Wifi Noise + + +type: integer + +-- + +*`fortinet.firewall.old_status`*:: ++ +-- +Original Status + + +type: keyword + +-- + +*`fortinet.firewall.old_value`*:: ++ +-- +Original Virtual Domain name + + +type: keyword + +-- + +*`fortinet.firewall.oldchannel`*:: ++ +-- +Original channel + + +type: integer + +-- + +*`fortinet.firewall.oldchassisid`*:: ++ +-- +Original Chassis Number + + +type: integer + +-- + +*`fortinet.firewall.oldslot`*:: ++ +-- +Original Slot Number + + +type: integer + +-- + +*`fortinet.firewall.oldsn`*:: ++ +-- +Old Serial number + + +type: keyword + +-- + +*`fortinet.firewall.oldwprof`*:: ++ +-- +Old Web Filter Profile + + +type: keyword + +-- + +*`fortinet.firewall.onwire`*:: ++ +-- +A flag to indicate if the AP is onwire or not + + +type: keyword + +-- + +*`fortinet.firewall.opercountry`*:: ++ +-- +Operating Country + + +type: keyword + +-- + +*`fortinet.firewall.opertxpower`*:: ++ +-- +Operating TX power + + +type: integer + +-- + +*`fortinet.firewall.osname`*:: ++ +-- +Operating System name + + +type: keyword + +-- + +*`fortinet.firewall.osversion`*:: ++ +-- +Operating System version + + +type: keyword + +-- + +*`fortinet.firewall.out_spi`*:: ++ +-- +Out SPI + + +type: keyword + +-- + +*`fortinet.firewall.outintf`*:: ++ +-- +Out interface + + +type: keyword + +-- + +*`fortinet.firewall.passedcount`*:: ++ +-- +Fabric passed count + + +type: integer + +-- + +*`fortinet.firewall.passwd`*:: ++ +-- +Changed user password information + + +type: keyword + +-- + +*`fortinet.firewall.path`*:: ++ +-- +Path of looped configuration for security fabric + + +type: keyword + +-- + +*`fortinet.firewall.peer`*:: ++ +-- +WAN optimization peer + + +type: keyword + +-- + +*`fortinet.firewall.peer_notif`*:: ++ +-- +VPN peer notification + + +type: keyword + +-- + +*`fortinet.firewall.phase2_name`*:: ++ +-- +VPN 
phase2 name + + +type: keyword + +-- + +*`fortinet.firewall.phone`*:: ++ +-- +VOIP Phone + + +type: keyword + +-- + +*`fortinet.firewall.pid`*:: ++ +-- +Process ID + + +type: integer + +-- + +*`fortinet.firewall.policytype`*:: ++ +-- +Policy Type + + +type: keyword + +-- + +*`fortinet.firewall.poolname`*:: ++ +-- +IP Pool name + + +type: keyword + +-- + +*`fortinet.firewall.port`*:: ++ +-- +Log upload error port + + +type: integer + +-- + +*`fortinet.firewall.portbegin`*:: ++ +-- +IP Pool port number to begin + + +type: integer + +-- + +*`fortinet.firewall.portend`*:: ++ +-- +IP Pool port number to end + + +type: integer + +-- + +*`fortinet.firewall.probeproto`*:: ++ +-- +Link Monitor Probe Protocol + + +type: keyword + +-- + +*`fortinet.firewall.process`*:: ++ +-- +URL Filter process + + +type: keyword + +-- + +*`fortinet.firewall.processtime`*:: ++ +-- +Process time for reports + + +type: integer + +-- + +*`fortinet.firewall.profile`*:: ++ +-- +Profile Name + + +type: keyword + +-- + +*`fortinet.firewall.profile_vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.profilegroup`*:: ++ +-- +Profile Group Name + + +type: keyword + +-- + +*`fortinet.firewall.profiletype`*:: ++ +-- +Profile Type + + +type: keyword + +-- + +*`fortinet.firewall.qtypeval`*:: ++ +-- +DNS question type value + + +type: integer + +-- + +*`fortinet.firewall.quarskip`*:: ++ +-- +Quarantine skip explanation + + +type: keyword + +-- + +*`fortinet.firewall.quotaexceeded`*:: ++ +-- +If quota has been exceeded + + +type: keyword + +-- + +*`fortinet.firewall.quotamax`*:: ++ +-- +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + +type: long + +-- + +*`fortinet.firewall.quotatype`*:: ++ +-- +Quota type + + +type: keyword + +-- + +*`fortinet.firewall.quotaused`*:: ++ +-- +Quota used - in seconds if time-based - in bytes if trafficbased) + + +type: long + +-- + +*`fortinet.firewall.radioband`*:: ++ +-- +Radio band + + +type: keyword + +-- + 
+*`fortinet.firewall.radioid`*:: ++ +-- +Radio ID + + +type: integer + +-- + +*`fortinet.firewall.radioidclosest`*:: ++ +-- +Radio ID on the AP closest the rogue AP + + +type: integer + +-- + +*`fortinet.firewall.radioiddetected`*:: ++ +-- +Radio ID on the AP which detected the rogue AP + + +type: integer + +-- + +*`fortinet.firewall.rate`*:: ++ +-- +Wireless rogue rate value + + +type: keyword + +-- + +*`fortinet.firewall.rawdata`*:: ++ +-- +Raw data value + + +type: keyword + +-- + +*`fortinet.firewall.rawdataid`*:: ++ +-- +Raw data ID + + +type: keyword + +-- + +*`fortinet.firewall.rcvddelta`*:: ++ +-- +Received bytes delta + + +type: keyword + +-- + +*`fortinet.firewall.reason`*:: ++ +-- +Alert reason + + +type: keyword + +-- + +*`fortinet.firewall.received`*:: ++ +-- +Server key exchange received + + +type: integer + +-- + +*`fortinet.firewall.receivedsignature`*:: ++ +-- +Server key exchange received signature + + +type: keyword + +-- + +*`fortinet.firewall.red`*:: ++ +-- +Memory information in red + + +type: keyword + +-- + +*`fortinet.firewall.referralurl`*:: ++ +-- +Web filter referralurl + + +type: keyword + +-- + +*`fortinet.firewall.remote`*:: ++ +-- +Remote PPP IP address + + +type: ip + +-- + +*`fortinet.firewall.remotewtptime`*:: ++ +-- +Remote Wifi Radius authentication time + + +type: keyword + +-- + +*`fortinet.firewall.reporttype`*:: ++ +-- +Report type + + +type: keyword + +-- + +*`fortinet.firewall.reqtype`*:: ++ +-- +Request type + + +type: keyword + +-- + +*`fortinet.firewall.request_name`*:: ++ +-- +VOIP request name + + +type: keyword + +-- + +*`fortinet.firewall.result`*:: ++ +-- +VPN phase result + + +type: keyword + +-- + +*`fortinet.firewall.role`*:: ++ +-- +VPN Phase 2 role + + +type: keyword + +-- + +*`fortinet.firewall.rssi`*:: ++ +-- +Received signal strength indicator + + +type: integer + +-- + +*`fortinet.firewall.rsso_key`*:: ++ +-- +RADIUS SSO attribute value + + +type: keyword + +-- + +*`fortinet.firewall.ruledata`*:: ++ +-- 
+Rule data + + +type: keyword + +-- + +*`fortinet.firewall.ruletype`*:: ++ +-- +Rule type + + +type: keyword + +-- + +*`fortinet.firewall.scanned`*:: ++ +-- +Number of Scanned MMSs + + +type: integer + +-- + +*`fortinet.firewall.scantime`*:: ++ +-- +Scanned time + + +type: long + +-- + +*`fortinet.firewall.scope`*:: ++ +-- +FortiGuard Override Scope + + +type: keyword + +-- + +*`fortinet.firewall.security`*:: ++ +-- +Wireless rogue security + + +type: keyword + +-- + +*`fortinet.firewall.sensitivity`*:: ++ +-- +Sensitivity for document fingerprint + + +type: keyword + +-- + +*`fortinet.firewall.sensor`*:: ++ +-- +NAC Sensor Name + + +type: keyword + +-- + +*`fortinet.firewall.sentdelta`*:: ++ +-- +Sent bytes delta + + +type: keyword + +-- + +*`fortinet.firewall.seq`*:: ++ +-- +Sequence number + + +type: keyword + +-- + +*`fortinet.firewall.serial`*:: ++ +-- +WAN optimisation serial + + +type: keyword + +-- + +*`fortinet.firewall.serialno`*:: ++ +-- +Serial number + + +type: keyword + +-- + +*`fortinet.firewall.server`*:: ++ +-- +AD server FQDN or IP + + +type: keyword + +-- + +*`fortinet.firewall.session_id`*:: ++ +-- +Session ID + + +type: keyword + +-- + +*`fortinet.firewall.sessionid`*:: ++ +-- +WAD Session ID + + +type: integer + +-- + +*`fortinet.firewall.setuprate`*:: ++ +-- +Session Setup Rate + + +type: long + +-- + +*`fortinet.firewall.severity`*:: ++ +-- +Severity + + +type: keyword + +-- + +*`fortinet.firewall.shaperdroprcvdbyte`*:: ++ +-- +Received bytes dropped by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperdropsentbyte`*:: ++ +-- +Sent bytes dropped by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperperipdropbyte`*:: ++ +-- +Dropped bytes per IP by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperperipname`*:: ++ +-- +Traffic shaper name (per IP) + + +type: keyword + +-- + +*`fortinet.firewall.shaperrcvdname`*:: ++ +-- +Traffic shaper name for received traffic + + +type: keyword + +-- + 
+*`fortinet.firewall.shapersentname`*:: ++ +-- +Traffic shaper name for sent traffic + + +type: keyword + +-- + +*`fortinet.firewall.shapingpolicyid`*:: ++ +-- +Traffic shaper policy ID + + +type: integer + +-- + +*`fortinet.firewall.signal`*:: ++ +-- +Wireless rogue API signal + + +type: integer + +-- + +*`fortinet.firewall.size`*:: ++ +-- +Email size in bytes + + +type: long + +-- + +*`fortinet.firewall.slot`*:: ++ +-- +Slot number + + +type: integer + +-- + +*`fortinet.firewall.sn`*:: ++ +-- +Security fabric serial number + + +type: keyword + +-- + +*`fortinet.firewall.snclosest`*:: ++ +-- +SN of the AP closest to the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.sndetected`*:: ++ +-- +SN of the AP which detected the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.snmeshparent`*:: ++ +-- +SN of the mesh parent + + +type: keyword + +-- + +*`fortinet.firewall.spi`*:: ++ +-- +IPSEC SPI + + +type: keyword + +-- + +*`fortinet.firewall.src_int`*:: ++ +-- +Source interface + + +type: keyword + +-- + +*`fortinet.firewall.srcintfrole`*:: ++ +-- +Source interface role + + +type: keyword + +-- + +*`fortinet.firewall.srccountry`*:: ++ +-- +Source country + + +type: keyword + +-- + +*`fortinet.firewall.srcfamily`*:: ++ +-- +Source family + + +type: keyword + +-- + +*`fortinet.firewall.srchwvendor`*:: ++ +-- +Source hardware vendor + + +type: keyword + +-- + +*`fortinet.firewall.srchwversion`*:: ++ +-- +Source hardware version + + +type: keyword + +-- + +*`fortinet.firewall.srcinetsvc`*:: ++ +-- +Source interface service + + +type: keyword + +-- + +*`fortinet.firewall.srcname`*:: ++ +-- +Source name + + +type: keyword + +-- + +*`fortinet.firewall.srcserver`*:: ++ +-- +Source server + + +type: integer + +-- + +*`fortinet.firewall.srcssid`*:: ++ +-- +Source SSID + + +type: keyword + +-- + +*`fortinet.firewall.srcswversion`*:: ++ +-- +Source software version + + +type: keyword + +-- + +*`fortinet.firewall.srcuuid`*:: ++ +-- +Source UUID + + +type: keyword + 
+-- + +*`fortinet.firewall.sscname`*:: ++ +-- +SSC name + + +type: keyword + +-- + +*`fortinet.firewall.ssid`*:: ++ +-- +Base Service Set ID + + +type: keyword + +-- + +*`fortinet.firewall.sslaction`*:: ++ +-- +SSL Action + + +type: keyword + +-- + +*`fortinet.firewall.ssllocal`*:: ++ +-- +WAD SSL local + + +type: keyword + +-- + +*`fortinet.firewall.sslremote`*:: ++ +-- +WAD SSL remote + + +type: keyword + +-- + +*`fortinet.firewall.stacount`*:: ++ +-- +Number of stations/clients + + +type: integer + +-- + +*`fortinet.firewall.stage`*:: ++ +-- +IPSEC stage + + +type: keyword + +-- + +*`fortinet.firewall.stamac`*:: ++ +-- +802.1x station mac + + +type: keyword + +-- + +*`fortinet.firewall.state`*:: ++ +-- +Admin login state + + +type: keyword + +-- + +*`fortinet.firewall.status`*:: ++ +-- +Status + + +type: keyword + +-- + +*`fortinet.firewall.stitch`*:: ++ +-- +Automation stitch triggered + + +type: keyword + +-- + +*`fortinet.firewall.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`fortinet.firewall.submodule`*:: ++ +-- +Configuration Sub-Module Name + + +type: keyword + +-- + +*`fortinet.firewall.subservice`*:: ++ +-- +AV subservice + + +type: keyword + +-- + +*`fortinet.firewall.subtype`*:: ++ +-- +Log subtype + + +type: keyword + +-- + +*`fortinet.firewall.suspicious`*:: ++ +-- +Number of Suspicious MMSs + + +type: integer + +-- + +*`fortinet.firewall.switchproto`*:: ++ +-- +Protocol change information + + +type: keyword + +-- + +*`fortinet.firewall.sync_status`*:: ++ +-- +The sync status with the master + + +type: keyword + +-- + +*`fortinet.firewall.sync_type`*:: ++ +-- +The sync type with the master + + +type: keyword + +-- + +*`fortinet.firewall.sysuptime`*:: ++ +-- +System uptime + + +type: keyword + +-- + +*`fortinet.firewall.tamac`*:: ++ +-- +the MAC address of Transmitter, if none, then Receiver + + +type: keyword + +-- + +*`fortinet.firewall.threattype`*:: ++ +-- +WIDS threat type + + +type: keyword + +-- + 
+*`fortinet.firewall.time`*:: ++ +-- +Time of the event + + +type: keyword + +-- + +*`fortinet.firewall.to`*:: ++ +-- +Email to field + + +type: keyword + +-- + +*`fortinet.firewall.to_vcluster`*:: ++ +-- +destination virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.total`*:: ++ +-- +Total memory + + +type: integer + +-- + +*`fortinet.firewall.totalsession`*:: ++ +-- +Total Number of Sessions + + +type: integer + +-- + +*`fortinet.firewall.trace_id`*:: ++ +-- +Session clash trace ID + + +type: keyword + +-- + +*`fortinet.firewall.trandisp`*:: ++ +-- +NAT translation type + + +type: keyword + +-- + +*`fortinet.firewall.transid`*:: ++ +-- +HTTP transaction ID + + +type: integer + +-- + +*`fortinet.firewall.translationid`*:: ++ +-- +DNS filter transaltion ID + + +type: keyword + +-- + +*`fortinet.firewall.trigger`*:: ++ +-- +Automation stitch trigger + + +type: keyword + +-- + +*`fortinet.firewall.trueclntip`*:: ++ +-- +File filter true client IP + + +type: ip + +-- + +*`fortinet.firewall.tunnelid`*:: ++ +-- +IPSEC tunnel ID + + +type: integer + +-- + +*`fortinet.firewall.tunnelip`*:: ++ +-- +IPSEC tunnel IP + + +type: ip + +-- + +*`fortinet.firewall.tunneltype`*:: ++ +-- +IPSEC tunnel type + + +type: keyword + +-- + +*`fortinet.firewall.type`*:: ++ +-- +Module type + + +type: keyword + +-- + +*`fortinet.firewall.ui`*:: ++ +-- +Admin authentication UI type + + +type: keyword + +-- + +*`fortinet.firewall.unauthusersource`*:: ++ +-- +Unauthenticated user source + + +type: keyword + +-- + +*`fortinet.firewall.unit`*:: ++ +-- +Power supply unit + + +type: integer + +-- + +*`fortinet.firewall.urlfilteridx`*:: ++ +-- +URL filter ID + + +type: integer + +-- + +*`fortinet.firewall.urlfilterlist`*:: ++ +-- +URL filter list + + +type: keyword + +-- + +*`fortinet.firewall.urlsource`*:: ++ +-- +URL filter source + + +type: keyword + +-- + +*`fortinet.firewall.urltype`*:: ++ +-- +URL filter type + + +type: keyword + +-- + +*`fortinet.firewall.used`*:: ++ +-- 
+Number of Used IPs + + +type: integer + +-- + +*`fortinet.firewall.used_for_type`*:: ++ +-- +Connection for the type + + +type: integer + +-- + +*`fortinet.firewall.utmaction`*:: ++ +-- +Security action performed by UTM + + +type: keyword + +-- + +*`fortinet.firewall.vap`*:: ++ +-- +Virtual AP + + +type: keyword + +-- + +*`fortinet.firewall.vapmode`*:: ++ +-- +Virtual AP mode + + +type: keyword + +-- + +*`fortinet.firewall.vcluster`*:: ++ +-- +virtual cluster id + + +type: integer + +-- + +*`fortinet.firewall.vcluster_member`*:: ++ +-- +Virtual cluster member + + +type: integer + +-- + +*`fortinet.firewall.vcluster_state`*:: ++ +-- +Virtual cluster state + + +type: keyword + +-- + +*`fortinet.firewall.vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.vdname`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.vendorurl`*:: ++ +-- +Vulnerability scan vendor name + + +type: keyword + +-- + +*`fortinet.firewall.version`*:: ++ +-- +Version + + +type: keyword + +-- + +*`fortinet.firewall.vip`*:: ++ +-- +Virtual IP + + +type: keyword + +-- + +*`fortinet.firewall.virus`*:: ++ +-- +Virus name + + +type: keyword + +-- + +*`fortinet.firewall.virusid`*:: ++ +-- +Virus ID (unique virus identifier) + + +type: integer + +-- + +*`fortinet.firewall.voip_proto`*:: ++ +-- +VOIP protocol + + +type: keyword + +-- + +*`fortinet.firewall.vpn`*:: ++ +-- +VPN description + + +type: keyword + +-- + +*`fortinet.firewall.vpntunnel`*:: ++ +-- +IPsec Vpn Tunnel Name + + +type: keyword + +-- + +*`fortinet.firewall.vpntype`*:: ++ +-- +The type of the VPN tunnel + + +type: keyword + +-- + +*`fortinet.firewall.vrf`*:: ++ +-- +VRF number + + +type: integer + +-- + +*`fortinet.firewall.vulncat`*:: ++ +-- +Vulnerability Category + + +type: keyword + +-- + +*`fortinet.firewall.vulnid`*:: ++ +-- +Vulnerability ID + + +type: integer + +-- + +*`fortinet.firewall.vulnname`*:: ++ +-- +Vulnerability name + + +type: keyword + +-- + 
+*`fortinet.firewall.vwlid`*:: ++ +-- +VWL ID + + +type: integer + +-- + +*`fortinet.firewall.vwlquality`*:: ++ +-- +VWL quality + + +type: keyword + +-- + +*`fortinet.firewall.vwlservice`*:: ++ +-- +VWL service + + +type: keyword + +-- + +*`fortinet.firewall.vwpvlanid`*:: ++ +-- +VWP VLAN ID + + +type: integer + +-- + +*`fortinet.firewall.wanin`*:: ++ +-- +WAN incoming traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.wanoptapptype`*:: ++ +-- +WAN Optimization Application type + + +type: keyword + +-- + +*`fortinet.firewall.wanout`*:: ++ +-- +WAN outgoing traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.weakwepiv`*:: ++ +-- +Weak Wep Initiation Vector + + +type: keyword + +-- + +*`fortinet.firewall.xauthgroup`*:: ++ +-- +XAuth Group Name + + +type: keyword + +-- + +*`fortinet.firewall.xauthuser`*:: ++ +-- +XAuth User Name + + +type: keyword + +-- + +*`fortinet.firewall.xid`*:: ++ +-- +Wireless X ID + + +type: integer + +-- + +[[exported-fields-googlecloud]] +== Google Cloud fields + +Module for handling logs from Google Cloud. + + + +[float] +=== googlecloud + +Fields from Google Cloud logs. + + + +[float] +=== destination.instance + +If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. + + + +*`googlecloud.destination.instance.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.destination.instance.region`*:: ++ +-- +Region of the VM. + + +type: keyword + +-- + +*`googlecloud.destination.instance.zone`*:: ++ +-- +Zone of the VM. + + +type: keyword + +-- + +[float] +=== destination.vpc + +If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. 
+ + + +*`googlecloud.destination.vpc.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.destination.vpc.vpc_name`*:: ++ +-- +VPC on which the VM is operating. + + +type: keyword + +-- + +*`googlecloud.destination.vpc.subnetwork_name`*:: ++ +-- +Subnetwork on which the VM is operating. + + +type: keyword + +-- + +[float] +=== source.instance + +If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. + + + +*`googlecloud.source.instance.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.source.instance.region`*:: ++ +-- +Region of the VM. + + +type: keyword + +-- + +*`googlecloud.source.instance.zone`*:: ++ +-- +Zone of the VM. + + +type: keyword + +-- + +[float] +=== source.vpc + +If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. + + + +*`googlecloud.source.vpc.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.source.vpc.vpc_name`*:: ++ +-- +VPC on which the VM is operating. + + +type: keyword + +-- + +*`googlecloud.source.vpc.subnetwork_name`*:: ++ +-- +Subnetwork on which the VM is operating. + + +type: keyword + +-- + +[float] +=== audit + +Fields for Google Cloud audit logs. + + + +*`googlecloud.audit.type`*:: ++ +-- +Type property. + + +type: keyword + +-- + +[float] +=== authentication_info + +Authentication information. + + + +*`googlecloud.audit.authentication_info.principal_email`*:: ++ +-- +The email address of the authenticated user making the request. 
+ + +type: keyword + +-- + +*`googlecloud.audit.authentication_info.authority_selector`*:: ++ +-- +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. + + +type: keyword + +-- + +*`googlecloud.audit.authorization_info`*:: ++ +-- +Authorization information for the operation. + + +type: array + +-- + +*`googlecloud.audit.method_name`*:: ++ +-- +The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. + + +type: keyword + +-- + +*`googlecloud.audit.num_response_items`*:: ++ +-- +The number of items returned from a List or Query API method, if applicable. + + +type: long + +-- + +[float] +=== request + +The operation request. + + + +*`googlecloud.audit.request.proto_name`*:: ++ +-- +Type property of the request. + + +type: keyword + +-- + +*`googlecloud.audit.request.filter`*:: ++ +-- +Filter of the request. + + +type: keyword + +-- + +*`googlecloud.audit.request.name`*:: ++ +-- +Name of the request. + + +type: keyword + +-- + +*`googlecloud.audit.request.resource_name`*:: ++ +-- +Name of the request resource. + + +type: keyword + +-- + +[float] +=== request_metadata + +Metadata about the request. + + + +*`googlecloud.audit.request_metadata.caller_ip`*:: ++ +-- +The IP address of the caller. + + +type: ip + +-- + +*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: ++ +-- +The user agent of the caller. This information is not authenticated and should be treated accordingly. + + +type: keyword + +-- + +[float] +=== response + +The operation response. + + + +*`googlecloud.audit.response.proto_name`*:: ++ +-- +Type property of the response. + + +type: keyword + +-- + +[float] +=== details + +The details of the response. + + + +*`googlecloud.audit.response.details.group`*:: ++ +-- +The name of the group. 
+ + +type: keyword + +-- + +*`googlecloud.audit.response.details.kind`*:: ++ +-- +The kind of the response details. + + +type: keyword + +-- + +*`googlecloud.audit.response.details.name`*:: ++ +-- +The name of the response details. + + +type: keyword + +-- + +*`googlecloud.audit.response.details.uid`*:: ++ +-- +The uid of the response details. + + +type: keyword + +-- + +*`googlecloud.audit.response.status`*:: ++ +-- +Status of the response. + + +type: keyword + +-- + +*`googlecloud.audit.resource_name`*:: ++ +-- +The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. + + +type: keyword + +-- + +[float] +=== resource_location + +The location of the resource. + + + +*`googlecloud.audit.resource_location.current_locations`*:: ++ +-- +Current locations of the resource. + + +type: keyword + +-- + +*`googlecloud.audit.service_name`*:: ++ +-- +The name of the API service performing the operation. For example, datastore.googleapis.com. + + +type: keyword + +-- + +[float] +=== status + +The status of the overall operation. + + + +*`googlecloud.audit.status.code`*:: ++ +-- +The status code, which should be an enum value of google.rpc.Code. + + +type: integer + +-- + +*`googlecloud.audit.status.message`*:: ++ +-- +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + +type: keyword + +-- + +[float] +=== firewall + +Fields for Google Cloud Firewall logs. + + + +[float] +=== rule_details + +Description of the firewall rule that matched this connection. + + + +*`googlecloud.firewall.rule_details.priority`*:: ++ +-- +The priority for the firewall rule. + +type: long + +-- + +*`googlecloud.firewall.rule_details.action`*:: ++ +-- +Action that the rule performs on match. 
+ +type: keyword + +-- + +*`googlecloud.firewall.rule_details.direction`*:: ++ +-- +Direction of traffic that matches this rule. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.reference`*:: ++ +-- +Reference to the firewall rule. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.source_range`*:: ++ +-- +List of source ranges that the firewall rule applies to. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.destination_range`*:: ++ +-- +List of destination ranges that the firewall applies to. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.source_tag`*:: ++ +-- +List of all the source tags that the firewall rule applies to. + + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.target_tag`*:: ++ +-- +List of all the target tags that the firewall rule applies to. + + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.ip_port_info`*:: ++ +-- +List of ip protocols and applicable port ranges for rules. + + +type: array + +-- + +*`googlecloud.firewall.rule_details.source_service_account`*:: ++ +-- +List of all the source service accounts that the firewall rule applies to. + + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.target_service_account`*:: ++ +-- +List of all the target service accounts that the firewall rule applies to. + + +type: keyword + +-- + +[float] +=== vpcflow + +Fields for Google Cloud VPC flow logs. + + + +*`googlecloud.vpcflow.reporter`*:: ++ +-- +The side which reported the flow. Can be either 'SRC' or 'DEST'. + + +type: keyword + +-- + +*`googlecloud.vpcflow.rtt.ms`*:: ++ +-- +Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. + + +type: long + +-- + +[[exported-fields-gsuite]] +== gsuite fields + +gsuite Module + + + +[float] +=== gsuite + +Gsuite specific fields. 
+More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + + +*`gsuite.actor.type`*:: ++ +-- +The type of actor. +Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + + +type: keyword + +-- + +*`gsuite.actor.key`*:: ++ +-- +Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + + +type: keyword + +-- + +*`gsuite.event.type`*:: ++ +-- +The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`gsuite.kind`*:: ++ +-- +The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`gsuite.organization.domain`*:: ++ +-- +The domain that is affected by the report's event. + + +type: keyword + +-- + + +*`gsuite.saml.application_name`*:: ++ +-- +Saml SP application name. + + +type: keyword + +-- + +*`gsuite.saml.failure_type`*:: ++ +-- +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + + +type: keyword + +-- + +*`gsuite.saml.initiated_by`*:: ++ +-- +Requester of SAML authentication. + + +type: keyword + +-- + +*`gsuite.saml.orgunit_path`*:: ++ +-- +User orgunit. + + +type: keyword + +-- + +*`gsuite.saml.status_code`*:: ++ +-- +SAML status code. + + +type: long + +-- + +*`gsuite.saml.second_level_status_code`*:: ++ +-- +SAML second level status code. 
+ + +type: long + +-- + +[[exported-fields-haproxy]] +== HAProxy fields + +haproxy Module + + + +[float] +=== haproxy + + + + +*`haproxy.frontend_name`*:: ++ +-- +Name of the frontend (or listener) which received and processed the connection. + +-- + +*`haproxy.backend_name`*:: ++ +-- +Name of the backend (or listener) which was selected to manage the connection to the server. + +-- + +*`haproxy.server_name`*:: ++ +-- +Name of the last server to which the connection was sent. + +-- + +*`haproxy.total_waiting_time_ms`*:: ++ +-- +Total time in milliseconds spent waiting in the various queues + +type: long + +-- + +*`haproxy.connection_wait_time_ms`*:: ++ +-- +Total time in milliseconds spent waiting for the connection to establish to the final server + +type: long + +-- + +*`haproxy.bytes_read`*:: ++ +-- +Total number of bytes transmitted to the client when the log is emitted. + +type: long + +-- + +*`haproxy.time_queue`*:: ++ +-- +Total time in milliseconds spent waiting in the various queues. + +type: long + +-- + +*`haproxy.time_backend_connect`*:: ++ +-- +Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. + +type: long + +-- + +*`haproxy.server_queue`*:: ++ +-- +Total number of requests which were processed before this one in the server queue. + +type: long + +-- + +*`haproxy.backend_queue`*:: ++ +-- +Total number of requests which were processed before this one in the backend's global queue. + +type: long + +-- + +*`haproxy.bind_name`*:: ++ +-- +Name of the listening address which received the connection. + +-- + +*`haproxy.error_message`*:: ++ +-- +Error message logged by HAProxy in case of error. + +type: text + +-- + +*`haproxy.source`*:: ++ +-- +The HAProxy source of the log + +type: keyword + +-- + +*`haproxy.termination_state`*:: ++ +-- +Condition the session was in when the session ended. 
+ +-- + +*`haproxy.mode`*:: ++ +-- +mode that the frontend is operating (TCP or HTTP) + +type: keyword + +-- + +[float] +=== connections + +Contains various counts of connections active in the process. + + +*`haproxy.connections.active`*:: ++ +-- +Total number of concurrent connections on the process when the session was logged. + +type: long + +-- + +*`haproxy.connections.frontend`*:: ++ +-- +Total number of concurrent connections on the frontend when the session was logged. + +type: long + +-- + +*`haproxy.connections.backend`*:: ++ +-- +Total number of concurrent connections handled by the backend when the session was logged. + +type: long + +-- + +*`haproxy.connections.server`*:: ++ +-- +Total number of concurrent connections still active on the server when the session was logged. + +type: long + +-- + +*`haproxy.connections.retries`*:: ++ +-- +Number of connection retries experienced by this session when trying to connect to the server. + +type: long + +-- + +[float] +=== client + +Information about the client doing the request + + +*`haproxy.client.ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`haproxy.client.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`haproxy.process_name`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`haproxy.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +[float] +=== destination + +Destination information + + +*`haproxy.destination.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`haproxy.destination.ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +[float] +=== geoip + +Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. 
+ + + +*`haproxy.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`haproxy.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`haproxy.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`haproxy.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`haproxy.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`haproxy.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== http + +Please add description + + +[float] +=== response + +Fields related to the HTTP response + + +*`haproxy.http.response.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the client had this cookie in the response. + + +-- + +*`haproxy.http.response.captured_headers`*:: ++ +-- +List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. + + +type: keyword + +-- + +*`haproxy.http.response.status_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +[float] +=== request + +Fields related to the HTTP request + + +*`haproxy.http.request.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the server has returned a cookie with its request. + + +-- + +*`haproxy.http.request.captured_headers`*:: ++ +-- +List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. + + +type: keyword + +-- + +*`haproxy.http.request.raw_request_line`*:: ++ +-- +Complete HTTP request line, including the method, request and HTTP version string. + +type: keyword + +-- + +*`haproxy.http.request.time_wait_without_data_ms`*:: ++ +-- +Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. 
+ +type: long + +-- + +*`haproxy.http.request.time_wait_ms`*:: ++ +-- +Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. + +type: long + +-- + +[float] +=== tcp + +TCP log format + + +*`haproxy.tcp.connection_waiting_time_ms`*:: ++ +-- +Total time in milliseconds elapsed between the accept and the last close + +type: long + +-- + +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. + + + + +*`host.containerized`*:: ++ +-- +If the host is a container. + + +type: boolean + +-- + +*`host.os.build`*:: ++ +-- +OS build information. + + +type: keyword + +example: 18D109 + +-- + +*`host.os.codename`*:: ++ +-- +OS codename, if any. + + +type: keyword + +example: stretch + +-- + +[[exported-fields-ibmmq]] +== ibmmq fields + +ibmmq Module + + + +[float] +=== ibmmq + + + + +[float] +=== errorlog + +IBM MQ error logs + + +*`ibmmq.errorlog.installation`*:: ++ +-- +This is the installation name which can be given at installation time. +Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. + + +type: keyword + +-- + +*`ibmmq.errorlog.qmgr`*:: ++ +-- +Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. 
+ + +type: keyword + +-- + +*`ibmmq.errorlog.arithinsert`*:: ++ +-- +Changing content based on error.id + +type: keyword + +-- + +*`ibmmq.errorlog.commentinsert`*:: ++ +-- +Changing content based on error.id + +type: keyword + +-- + +*`ibmmq.errorlog.errordescription`*:: ++ +-- +Please add description + +type: text + +example: Please add example + +-- + +*`ibmmq.errorlog.explanation`*:: ++ +-- +Explaines the error in more detail + +type: keyword + +-- + +*`ibmmq.errorlog.action`*:: ++ +-- +Defines what to do when the error occurs + +type: keyword + +-- + +*`ibmmq.errorlog.code`*:: ++ +-- +Error code. + +type: keyword + +-- + +[[exported-fields-icinga]] +== Icinga fields + +Icinga Module + + + +[float] +=== icinga + + + + +[float] +=== debug + +Contains fields for the Icinga debug logs. + + + +*`icinga.debug.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.debug.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.debug.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== main + +Contains fields for the Icinga main logs. + + + +*`icinga.main.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.main.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.main.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== startup + +Contains fields for the Icinga startup logs. + + + +*`icinga.startup.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.startup.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.startup.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-iis]] +== IIS fields + +Module for parsing IIS log files. + + + +[float] +=== iis + +Fields from IIS log files. + + + +[float] +=== access + +Contains fields for IIS access logs. 
+ + + +*`iis.access.sub_status`*:: ++ +-- +The HTTP substatus code. + + +type: long + +-- + +*`iis.access.win32_status`*:: ++ +-- +The Windows status code. + + +type: long + +-- + +*`iis.access.site_name`*:: ++ +-- +The site name and instance number. + + +type: keyword + +-- + +*`iis.access.server_name`*:: ++ +-- +The name of the server on which the log file entry was generated. + + +type: keyword + +-- + +*`iis.access.cookie`*:: ++ +-- +The content of the cookie sent or received, if any. + + +type: keyword + +-- + +*`iis.access.body_received.bytes`*:: ++ +-- +type: alias + +alias to: http.request.body.bytes + +-- + +*`iis.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`iis.access.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.access.url`*:: ++ +-- +type: alias + +alias to: url.path + +-- + +*`iis.access.query_string`*:: ++ +-- +type: alias + +alias to: url.query + +-- + +*`iis.access.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`iis.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`iis.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`iis.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.access.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + + +*`iis.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`iis.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`iis.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`iis.access.user_agent.os_name`*:: ++ +-- +type: alias 
+ +alias to: user_agent.os.name + +-- + +*`iis.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`iis.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`iis.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for IIS error logs. + + + +*`iis.error.reason_phrase`*:: ++ +-- +The HTTP reason phrase. + + +type: keyword + +-- + +*`iis.error.queue_name`*:: ++ +-- +The IIS application pool name. + + +type: keyword + +-- + +*`iis.error.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.error.remote_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`iis.error.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.error.server_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.error.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.error.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.error.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`iis.error.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + + +*`iis.error.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.error.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.error.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + 
+*`iis.error.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.error.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.error.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-imperva]] +== Imperva SecureSphere fields + +imperva fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-infoblox]] +== Infoblox NIOS fields + +infoblox fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-iptables]] +== iptables fields + +Module for handling the iptables logs. + + + +[float] +=== iptables + +Fields from the iptables logs. + + + +*`iptables.ether_type`*:: ++ +-- +Value of the ethernet type field identifying the network layer protocol. + + +type: long + +-- + +*`iptables.flow_label`*:: ++ +-- +IPv6 flow label. + + +type: integer + +-- + +*`iptables.fragment_flags`*:: ++ +-- +IP fragment flags. A combination of CE, DF and MF. + + +type: keyword + +-- + +*`iptables.fragment_offset`*:: ++ +-- +Offset of the current IP fragment. + + +type: long + +-- + +[float] +=== icmp + +ICMP fields. + + + +*`iptables.icmp.code`*:: ++ +-- +ICMP code. + + +type: long + +-- + +*`iptables.icmp.id`*:: ++ +-- +ICMP ID. + + +type: long + +-- + +*`iptables.icmp.parameter`*:: ++ +-- +ICMP parameter. 
+ + +type: long + +-- + +*`iptables.icmp.redirect`*:: ++ +-- +ICMP redirect address. + + +type: ip + +-- + +*`iptables.icmp.seq`*:: ++ +-- +ICMP sequence number. + + +type: long + +-- + +*`iptables.icmp.type`*:: ++ +-- +ICMP type. + + +type: long + +-- + +*`iptables.id`*:: ++ +-- +Packet identifier. + + +type: long + +-- + +*`iptables.incomplete_bytes`*:: ++ +-- +Number of incomplete bytes. + + +type: long + +-- + +*`iptables.input_device`*:: ++ +-- +Device that received the packet. + + +type: keyword + +-- + +*`iptables.precedence_bits`*:: ++ +-- +IP precedence bits. + + +type: short + +-- + +*`iptables.tos`*:: ++ +-- +IP Type of Service field. + + +type: long + +-- + +*`iptables.length`*:: ++ +-- +Packet length. + + +type: long + +-- + +*`iptables.output_device`*:: ++ +-- +Device that output the packet. + + +type: keyword + +-- + +[float] +=== tcp + +TCP fields. + + + +*`iptables.tcp.flags`*:: ++ +-- +TCP flags. + + +type: keyword + +-- + +*`iptables.tcp.reserved_bits`*:: ++ +-- +TCP reserved bits. + + +type: short + +-- + +*`iptables.tcp.seq`*:: ++ +-- +TCP sequence number. + + +type: long + +-- + +*`iptables.tcp.ack`*:: ++ +-- +TCP Acknowledgment number. + + +type: long + +-- + +*`iptables.tcp.window`*:: ++ +-- +Advertised TCP window size. + + +type: long + +-- + +*`iptables.ttl`*:: ++ +-- +Time To Live field. + + +type: integer + +-- + +[float] +=== udp + +UDP fields. + + + +*`iptables.udp.length`*:: ++ +-- +Length of the UDP header and payload. + + +type: long + +-- + +[float] +=== ubiquiti + +Fields for Ubiquiti network devices. + + + +*`iptables.ubiquiti.input_zone`*:: ++ +-- +Input zone. + + +type: keyword + +-- + +*`iptables.ubiquiti.output_zone`*:: ++ +-- +Output zone. + + +type: keyword + +-- + +*`iptables.ubiquiti.rule_number`*:: ++ +-- +The rule number within the rule set. + +type: keyword + +-- + +*`iptables.ubiquiti.rule_set`*:: ++ +-- +The rule set name. 
+ +type: keyword + +-- + +[[exported-fields-jolokia-autodiscover]] +== Jolokia Discovery autodiscover provider fields + +Metadata from Jolokia Discovery added by the jolokia provider. + + + +*`jolokia.agent.version`*:: ++ +-- +Version number of jolokia agent. + + +type: keyword + +-- + +*`jolokia.agent.id`*:: ++ +-- +Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. + + +type: keyword + +-- + +*`jolokia.server.product`*:: ++ +-- +The container product if detected. + + +type: keyword + +-- + +*`jolokia.server.version`*:: ++ +-- +The container's version (if detected). + + +type: keyword + +-- + +*`jolokia.server.vendor`*:: ++ +-- +The vendor of the container the agent is running in. + + +type: keyword + +-- + +*`jolokia.url`*:: ++ +-- +The URL how this agent can be contacted. + + +type: keyword + +-- + +*`jolokia.secured`*:: ++ +-- +Whether the agent was configured for authentication or not. + + +type: boolean + +-- + +[[exported-fields-juniper]] +== Juniper JUNOS fields + +juniper fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-kafka]] +== Kafka fields + +Kafka module + + + +[float] +=== kafka + + + + +[float] +=== log + +Kafka log lines. + + + +*`kafka.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`kafka.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`kafka.log.component`*:: ++ +-- +Component the log is coming from. + + +type: keyword + +-- + +*`kafka.log.class`*:: ++ +-- +Java class the log is coming from. + + +type: keyword + +-- + +*`kafka.log.thread`*:: ++ +-- +Thread name the log is coming from. + + +type: keyword + +-- + +[float] +=== trace + +Trace in the log line. + + + +*`kafka.log.trace.class`*:: ++ +-- +Java class the trace is coming from. + + +type: keyword + +-- + +*`kafka.log.trace.message`*:: ++ +-- +Message part of the trace. 
+ + +type: text + +-- + +[[exported-fields-kaspersky]] +== Kaspersky Anti-Virus fields + +kaspersky fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-kibana]] +== kibana fields + +kibana Module + + + +[float] +=== kibana + + + + +[float] +=== log + +Kafka log lines. + + + +*`kibana.log.tags`*:: ++ +-- +Kibana logging tags. + + +type: keyword + +-- + +*`kibana.log.state`*:: ++ +-- +Current state of Kibana. 
+ + +type: keyword + +-- + +*`kibana.log.meta`*:: ++ +-- +type: object + +-- + +*`kibana.log.kibana.log.meta.req.headers.referer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`kibana.log.kibana.log.meta.req.referer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`kibana.log.kibana.log.meta.req.remoteAddress`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`kibana.log.kibana.log.meta.req.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`kibana.log.kibana.log.meta.statusCode`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`kibana.log.kibana.log.meta.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +[[exported-fields-kubernetes-processor]] +== Kubernetes fields + +Kubernetes metadata added by the kubernetes processor + + + + +*`kubernetes.pod.name`*:: ++ +-- +Kubernetes pod name + + +type: keyword + +-- + +*`kubernetes.pod.uid`*:: ++ +-- +Kubernetes Pod UID + + +type: keyword + +-- + +*`kubernetes.namespace`*:: ++ +-- +Kubernetes namespace + + +type: keyword + +-- + +*`kubernetes.node.name`*:: ++ +-- +Kubernetes node name + + +type: keyword + +-- + +*`kubernetes.labels.*`*:: ++ +-- +Kubernetes labels map + + +type: object + +-- + +*`kubernetes.annotations.*`*:: ++ +-- +Kubernetes annotations map + + +type: object + +-- + +*`kubernetes.replicaset.name`*:: ++ +-- +Kubernetes replicaset name + + +type: keyword + +-- + +*`kubernetes.deployment.name`*:: ++ +-- +Kubernetes deployment name + + +type: keyword + +-- + +*`kubernetes.statefulset.name`*:: ++ +-- +Kubernetes statefulset name + + +type: keyword + +-- + +*`kubernetes.container.name`*:: ++ +-- +Kubernetes container name + + +type: keyword + +-- + +*`kubernetes.container.image`*:: ++ +-- +Kubernetes container image + + +type: keyword + +-- + +[[exported-fields-log]] +== Log file 
content fields + +Contains log file lines. + + + +*`log.file.path`*:: ++ +-- +The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. + + +type: keyword + +required: False + +-- + +*`log.source.address`*:: ++ +-- +Source address from which the log event was read / sent from. + + +type: keyword + +required: False + +-- + +*`log.offset`*:: ++ +-- +The file offset the reported line starts at. + + +type: long + +required: False + +-- + +*`stream`*:: ++ +-- +Log stream when reading container logs, can be 'stdout' or 'stderr' + + +type: keyword + +required: False + +-- + +*`input.type`*:: ++ +-- +The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. + + +required: True + +-- + +*`syslog.facility`*:: ++ +-- +The facility extracted from the priority. + + +type: long + +required: False + +-- + +*`syslog.priority`*:: ++ +-- +The priority of the syslog event. + + +type: long + +required: False + +-- + +*`syslog.severity_label`*:: ++ +-- +The human readable severity. + + +type: keyword + +required: False + +-- + +*`syslog.facility_label`*:: ++ +-- +The human readable facility. + + +type: keyword + +required: False + +-- + +*`process.program`*:: ++ +-- +The name of the program. + + +type: keyword + +required: False + +-- + +*`log.flags`*:: ++ +-- +This field contains the flags of the event. + + +-- + +*`http.response.content_length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + + + +*`user_agent.os.full_name`*:: ++ +-- +type: keyword + +-- + +*`fileset.name`*:: ++ +-- +The Filebeat fileset that generated this event. 
+ + +type: keyword + +-- + +*`fileset.module`*:: ++ +-- +type: alias + +alias to: event.module + +-- + +*`read_timestamp`*:: ++ +-- +type: alias + +alias to: event.created + +-- + +*`docker.attrs`*:: ++ +-- +docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. + + +type: object + +-- + +*`icmp.code`*:: ++ +-- +ICMP code. + + +type: keyword + +-- + +*`icmp.type`*:: ++ +-- +ICMP type. + + +type: keyword + +-- + +*`igmp.type`*:: ++ +-- +IGMP type. + + +type: keyword + +-- + + +*`azure.eventhub`*:: ++ +-- +Name of the eventhub. + + +type: keyword + +-- + +*`azure.offset`*:: ++ +-- +The offset. + + +type: long + +-- + +*`azure.enqueued_time`*:: ++ +-- +The enqueued time. + + +type: date + +-- + +*`azure.partition_id`*:: ++ +-- +The partition id. + + +type: long + +-- + +*`azure.consumer_group`*:: ++ +-- +The consumer group. + + +type: keyword + +-- + +*`azure.sequence_number`*:: ++ +-- +The sequence number. + + +type: long + +-- + + +*`kafka.topic`*:: ++ +-- +Kafka topic + + +type: keyword + +-- + +*`kafka.partition`*:: ++ +-- +Kafka partition number + + +type: long + +-- + +*`kafka.offset`*:: ++ +-- +Kafka offset of this message + + +type: long + +-- + +*`kafka.key`*:: ++ +-- +Kafka key, corresponding to the Kafka value stored in the message + + +type: keyword + +-- + +*`kafka.block_timestamp`*:: ++ +-- +Kafka outer (compressed) block timestamp + + +type: date + +-- + +*`kafka.headers`*:: ++ +-- +An array of Kafka header strings for this message, in the form ": ". + + +type: array + +-- + +[[exported-fields-logstash]] +== logstash fields + +logstash Module + + + +[float] +=== logstash + + + + +[float] +=== log + +Fields from the Logstash logs. + + + +*`logstash.log.module`*:: ++ +-- +The module or class where the event originate. 
+ + +type: keyword + +-- + +*`logstash.log.thread`*:: ++ +-- +Information about the running thread where the log originate. + + +type: keyword + +-- + +*`logstash.log.thread.text`*:: ++ +-- +type: text + +-- + +*`logstash.log.log_event`*:: ++ +-- +key and value debugging information. + + +type: object + +-- + +*`logstash.log.pipeline_id`*:: ++ +-- +The ID of the pipeline. + + +type: keyword + +example: main + +-- + +*`logstash.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`logstash.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +[float] +=== slowlog + +slowlog + + + +*`logstash.slowlog.module`*:: ++ +-- +The module or class where the event originate. + + +type: keyword + +-- + +*`logstash.slowlog.thread`*:: ++ +-- +Information about the running thread where the log originate. + + +type: keyword + +-- + +*`logstash.slowlog.thread.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.event`*:: ++ +-- +Raw dump of the original event + + +type: keyword + +-- + +*`logstash.slowlog.event.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.plugin_name`*:: ++ +-- +Name of the plugin + + +type: keyword + +-- + +*`logstash.slowlog.plugin_type`*:: ++ +-- +Type of the plugin: Inputs, Filters, Outputs or Codecs. + + +type: keyword + +-- + +*`logstash.slowlog.took_in_millis`*:: ++ +-- +Execution time for the plugin in milliseconds. + + +type: long + +-- + +*`logstash.slowlog.plugin_params`*:: ++ +-- +String value of the plugin configuration + + +type: keyword + +-- + +*`logstash.slowlog.plugin_params.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.plugin_params_object`*:: ++ +-- +key -> value of the configuration used by the plugin. + + +type: object + +-- + +*`logstash.slowlog.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`logstash.slowlog.took_in_nanos`*:: ++ +-- +type: alias + +alias to: event.duration + +-- + +[[exported-fields-microsoft]] +== Microsoft DHCP fields + +microsoft fields. 
+ + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-misp]] +== MISP fields + +Module for handling threat information from MISP. + + + +[float] +=== misp + +Fields from MISP threat information. + + + +[float] +=== attack_pattern + +Fields provide support for specifying information about attack patterns. + + + +*`misp.attack_pattern.id`*:: ++ +-- +Identifier of the threat indicator. + + +type: keyword + +-- + +*`misp.attack_pattern.name`*:: ++ +-- +Name of the attack pattern. + + +type: keyword + +-- + +*`misp.attack_pattern.description`*:: ++ +-- +Description of the attack pattern. + + +type: text + +-- + +*`misp.attack_pattern.kill_chain_phases`*:: ++ +-- +The kill chain phase(s) to which this attack pattern corresponds. + + +type: keyword + +-- + +[float] +=== campaign + +Fields provide support for specifying information about campaigns. + + + +*`misp.campaign.id`*:: ++ +-- +Identifier of the campaign. 
+ + +type: keyword + +-- + +*`misp.campaign.name`*:: ++ +-- +Name of the campaign. + + +type: keyword + +-- + +*`misp.campaign.description`*:: ++ +-- +Description of the campaign. + + +type: text + +-- + +*`misp.campaign.aliases`*:: ++ +-- +Alternative names used to identify this campaign. + + +type: text + +-- + +*`misp.campaign.first_seen`*:: ++ +-- +The time that this Campaign was first seen, in RFC3339 format. + + +type: date + +-- + +*`misp.campaign.last_seen`*:: ++ +-- +The time that this Campaign was last seen, in RFC3339 format. + + +type: date + +-- + +*`misp.campaign.objective`*:: ++ +-- +This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. + + +type: keyword + +-- + +[float] +=== course_of_action + +A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. + + + +*`misp.course_of_action.id`*:: ++ +-- +Identifier of the Course of Action. + + +type: keyword + +-- + +*`misp.course_of_action.name`*:: ++ +-- +The name used to identify the Course of Action. + + +type: keyword + +-- + +*`misp.course_of_action.description`*:: ++ +-- +Description of the Course of Action. + + +type: text + +-- + +[float] +=== identity + +Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. + + + +*`misp.identity.id`*:: ++ +-- +Identifier of the Identity. + + +type: keyword + +-- + +*`misp.identity.name`*:: ++ +-- +The name used to identify the Identity. + + +type: keyword + +-- + +*`misp.identity.description`*:: ++ +-- +Description of the Identity. + + +type: text + +-- + +*`misp.identity.identity_class`*:: ++ +-- +The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov + + +type: keyword + +-- + +*`misp.identity.labels`*:: ++ +-- +The list of roles that this Identity performs. 
+ + +type: keyword + +example: CEO + + +-- + +*`misp.identity.sectors`*:: ++ +-- +The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov + + +type: keyword + +-- + +*`misp.identity.contact_information`*:: ++ +-- +The contact information (e-mail, phone number, etc.) for this Identity. + + +type: text + +-- + +[float] +=== intrusion_set + +An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. + + + +*`misp.intrusion_set.id`*:: ++ +-- +Identifier of the Intrusion Set. + + +type: keyword + +-- + +*`misp.intrusion_set.name`*:: ++ +-- +The name used to identify the Intrusion Set. + + +type: keyword + +-- + +*`misp.intrusion_set.description`*:: ++ +-- +Description of the Intrusion Set. + + +type: text + +-- + +*`misp.intrusion_set.aliases`*:: ++ +-- +Alternative names used to identify the Intrusion Set. + + +type: text + +-- + +*`misp.intrusion_set.first_seen`*:: ++ +-- +The time that this Intrusion Set was first seen, in RFC3339 format. + + +type: date + +-- + +*`misp.intrusion_set.last_seen`*:: ++ +-- +The time that this Intrusion Set was last seen, in RFC3339 format. + + +type: date + +-- + +*`misp.intrusion_set.goals`*:: ++ +-- +The high level goals of this Intrusion Set, namely, what are they trying to do. + + +type: text + +-- + +*`misp.intrusion_set.resource_level`*:: ++ +-- +This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov + + +type: text + +-- + +*`misp.intrusion_set.primary_motivation`*:: ++ +-- +The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov + + +type: text + +-- + +*`misp.intrusion_set.secondary_motivations`*:: ++ +-- +The secondary reasons, motivations, or purposes behind this Intrusion Set. 
Open Vocab - attack-motivation-ov + + +type: text + +-- + +[float] +=== malware + +Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. + + + +*`misp.malware.id`*:: ++ +-- +Identifier of the Malware. + + +type: keyword + +-- + +*`misp.malware.name`*:: ++ +-- +The name used to identify the Malware. + + +type: keyword + +-- + +*`misp.malware.description`*:: ++ +-- +Description of the Malware. + + +type: text + +-- + +*`misp.malware.labels`*:: ++ +-- +The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm + + +type: keyword + +-- + +*`misp.malware.kill_chain_phases`*:: ++ +-- +The list of kill chain phases for which this Malware instance can be used. + + +type: keyword + +format: string + +-- + +[float] +=== note + +A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. + + + +*`misp.note.id`*:: ++ +-- +Identifier of the Note. + + +type: keyword + +-- + +*`misp.note.summary`*:: ++ +-- +A brief description used as a summary of the Note. + + +type: keyword + +-- + +*`misp.note.description`*:: ++ +-- +The content of the Note. + + +type: text + +-- + +*`misp.note.authors`*:: ++ +-- +The name of the author(s) of this Note. + + +type: keyword + +-- + +*`misp.note.object_refs`*:: ++ +-- +The STIX Objects (SDOs and SROs) that the note is being applied to. 
+ + +type: keyword + +-- + +[float] +=== threat_indicator + +Fields provide support for specifying information about threat indicators, and related matching patterns. + + + +*`misp.threat_indicator.labels`*:: ++ +-- +list of type open-vocab that specifies the type of indicator. + + +type: keyword + +example: Domain Watchlist + + +-- + +*`misp.threat_indicator.id`*:: ++ +-- +Identifier of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.version`*:: ++ +-- +Version of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.type`*:: ++ +-- +Type of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.description`*:: ++ +-- +Description of the threat indicator. + + +type: text + +-- + +*`misp.threat_indicator.feed`*:: ++ +-- +Name of the threat feed. + + +type: text + +-- + +*`misp.threat_indicator.valid_from`*:: ++ +-- +The time from which this Indicator should be considered valuable intelligence, in RFC3339 format. + + +type: date + +-- + +*`misp.threat_indicator.valid_until`*:: ++ +-- +The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format. + + +type: date + +-- + +*`misp.threat_indicator.severity`*:: ++ +-- +Threat severity to which this indicator corresponds. + + +type: keyword + +example: high + +format: string + +-- + +*`misp.threat_indicator.confidence`*:: ++ +-- +Confidence level to which this indicator corresponds. + + +type: keyword + +example: high + +-- + +*`misp.threat_indicator.kill_chain_phases`*:: ++ +-- +The kill chain phase(s) to which this indicator corresponds. + + +type: keyword + +format: string + +-- + +*`misp.threat_indicator.mitre_tactic`*:: ++ +-- +MITRE tactics to which this indicator corresponds. 
+ + +type: keyword + +example: Initial Access + +format: string + +-- + +*`misp.threat_indicator.mitre_technique`*:: ++ +-- +MITRE techniques to which this indicator corresponds. + + +type: keyword + +example: Drive-by Compromise + +format: string + +-- + +*`misp.threat_indicator.attack_pattern`*:: ++ +-- +The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. + + +type: keyword + +example: [destination:ip = '91.219.29.188/32'] + + +-- + +*`misp.threat_indicator.attack_pattern_kql`*:: ++ +-- +The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. + + +type: keyword + +example: destination.ip: "91.219.29.188/32" + + +-- + +*`misp.threat_indicator.negate`*:: ++ +-- +When set to true, it specifies the absence of the attack_pattern. + + +type: boolean + +-- + +*`misp.threat_indicator.intrusion_set`*:: ++ +-- +Name of the intrusion set if known. + + +type: keyword + +-- + +*`misp.threat_indicator.campaign`*:: ++ +-- +Name of the attack campaign if known. + + +type: keyword + +-- + +*`misp.threat_indicator.threat_actor`*:: ++ +-- +Name of the threat actor if known. + + +type: keyword + +-- + +[float] +=== observed_data + +Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. + + + +*`misp.observed_data.id`*:: ++ +-- +Identifier of the Observed Data. + + +type: keyword + +-- + +*`misp.observed_data.first_observed`*:: ++ +-- +The beginning of the time window that the data was observed, in RFC3339 format. + + +type: date + +-- + +*`misp.observed_data.last_observed`*:: ++ +-- +The end of the time window that the data was observed, in RFC3339 format. + + +type: date + +-- + +*`misp.observed_data.number_observed`*:: ++ +-- +The number of times the data represented in the objects property was observed. 
This MUST be an integer between 1 and 999,999,999 inclusive. + + +type: integer + +-- + +*`misp.observed_data.objects`*:: ++ +-- +A dictionary of Cyber Observable Objects that describes the single fact that was observed. + + +type: keyword + +-- + +[float] +=== report + +Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. + + + +*`misp.report.id`*:: ++ +-- +Identifier of the Report. + + +type: keyword + +-- + +*`misp.report.labels`*:: ++ +-- +This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability + + +type: keyword + +-- + +*`misp.report.name`*:: ++ +-- +The name used to identify the Report. + + +type: keyword + +-- + +*`misp.report.description`*:: ++ +-- +A description that provides more details and context about Report. + + +type: text + +-- + +*`misp.report.published`*:: ++ +-- +The date that this report object was officially published by the creator of this report, in RFC3339 format. + + +type: date + +-- + +*`misp.report.object_refs`*:: ++ +-- +Specifies the STIX Objects that are referred to by this Report. + + +type: text + +-- + +[float] +=== threat_actor + +Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. + + + +*`misp.threat_actor.id`*:: ++ +-- +Identifier of the Threat Actor. + + +type: keyword + +-- + +*`misp.threat_actor.labels`*:: ++ +-- +This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist + + +type: keyword + +-- + +*`misp.threat_actor.name`*:: ++ +-- +The name used to identify this Threat Actor or Threat Actor group. 
+ + +type: keyword + +-- + +*`misp.threat_actor.description`*:: ++ +-- +A description that provides more details and context about the Threat Actor. + + +type: text + +-- + +*`misp.threat_actor.aliases`*:: ++ +-- +A list of other names that this Threat Actor is believed to use. + + +type: text + +-- + +*`misp.threat_actor.roles`*:: ++ +-- +This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author + + +type: text + +-- + +*`misp.threat_actor.goals`*:: ++ +-- +The high level goals of this Threat Actor, namely, what are they trying to do. + + +type: text + +-- + +*`misp.threat_actor.sophistication`*:: ++ +-- +The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator + + +type: text + +-- + +*`misp.threat_actor.resource_level`*:: ++ +-- +This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government + + +type: text + +-- + +*`misp.threat_actor.primary_motivation`*:: ++ +-- +The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +*`misp.threat_actor.secondary_motivations`*:: ++ +-- +The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +*`misp.threat_actor.personal_motivations`*:: ++ +-- +The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +[float] +=== tool + +Tools are legitimate software that can be used by threat actors to perform attacks. + + + +*`misp.tool.id`*:: ++ +-- +Identifier of the Tool. + + +type: keyword + +-- + +*`misp.tool.labels`*:: ++ +-- +The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning + + +type: keyword + +-- + +*`misp.tool.name`*:: ++ +-- +The name used to identify the Tool. + + +type: keyword + +-- + +*`misp.tool.description`*:: ++ +-- +A description that provides more details and context about the Tool. + + +type: text + +-- + +*`misp.tool.tool_version`*:: ++ +-- +The version identifier associated with the Tool. + + +type: keyword + +-- + +*`misp.tool.kill_chain_phases`*:: ++ +-- +The list of kill chain phases for which this Tool instance can be used. + + +type: text + +-- + +[float] +=== vulnerability + +A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. + + + +*`misp.vulnerability.id`*:: ++ +-- +Identifier of the Vulnerability. + + +type: keyword + +-- + +*`misp.vulnerability.name`*:: ++ +-- +The name used to identify the Vulnerability. + + +type: keyword + +-- + +*`misp.vulnerability.description`*:: ++ +-- +A description that provides more details and context about the Vulnerability. 
+ + +type: text + +-- + +[[exported-fields-mongodb]] +== mongodb fields + +Module for parsing MongoDB log files. + + + +[float] +=== mongodb + +Fields from MongoDB logs. + + + +[float] +=== log + +Contains fields from MongoDB logs. + + + +*`mongodb.log.component`*:: ++ +-- +Functional categorization of message + + +type: keyword + +example: COMMAND + +-- + +*`mongodb.log.context`*:: ++ +-- +Context of message + + +type: keyword + +example: initandlisten + +-- + +*`mongodb.log.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mongodb.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-mssql]] +== mssql fields + +MS SQL Filebeat Module + + +[float] +=== mssql + +Fields from the MSSQL log files + + +[float] +=== log + +Common log fields + + +*`mssql.log.origin`*:: ++ +-- +Origin of the message, usually the server but it can also be a recovery process + +type: keyword + +-- + +[[exported-fields-mysql]] +== MySQL fields + +Module for parsing the MySQL log files. + + + +[float] +=== mysql + +Fields from the MySQL log files. + + + +*`mysql.thread_id`*:: ++ +-- +The connection or thread ID for the query. + + +type: long + +-- + +[float] +=== error + +Contains fields from the MySQL error logs. + + + +*`mysql.error.thread_id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mysql.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Contains fields from the MySQL slow logs. + + + +*`mysql.slowlog.lock_time.sec`*:: ++ +-- +The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. + + +type: float + +-- + +*`mysql.slowlog.rows_sent`*:: ++ +-- +The number of rows returned by the query. + + +type: long + +-- + +*`mysql.slowlog.rows_examined`*:: ++ +-- +The number of rows scanned by the query. 
+ + +type: long + +-- + +*`mysql.slowlog.rows_affected`*:: ++ +-- +The number of rows modified by the query. + + +type: long + +-- + +*`mysql.slowlog.bytes_sent`*:: ++ +-- +The number of bytes sent to client. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.bytes_received`*:: ++ +-- +The number of bytes received from client. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.query`*:: ++ +-- +The slow query. + + +-- + +*`mysql.slowlog.id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.slowlog.schema`*:: ++ +-- +The schema where the slow query was executed. + + +type: keyword + +-- + +*`mysql.slowlog.current_user`*:: ++ +-- +Current authenticated user, used to determine access privileges. Can differ from the value for user. + + +type: keyword + +-- + +*`mysql.slowlog.last_errno`*:: ++ +-- +Last SQL error seen. + + +type: keyword + +-- + +*`mysql.slowlog.killed`*:: ++ +-- +Code of the reason if the query was killed. + + +type: keyword + +-- + +*`mysql.slowlog.query_cache_hit`*:: ++ +-- +Whether the query cache was hit. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_table`*:: ++ +-- +Whether a temporary table was used to resolve the query. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_table_on_disk`*:: ++ +-- +Whether the query needed temporary tables on disk. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_tables`*:: ++ +-- +Number of temporary tables created for this query + + +type: long + +-- + +*`mysql.slowlog.tmp_disk_tables`*:: ++ +-- +Number of temporary tables created on disk for this query. + + +type: long + +-- + +*`mysql.slowlog.tmp_table_sizes`*:: ++ +-- +Size of temporary tables created for this query. + +type: long + +format: bytes + +-- + +*`mysql.slowlog.filesort`*:: ++ +-- +Whether filesort optimization was used. + + +type: boolean + +-- + +*`mysql.slowlog.filesort_on_disk`*:: ++ +-- +Whether filesort optimization was used and it needed temporary tables on disk. 
+ + +type: boolean + +-- + +*`mysql.slowlog.priority_queue`*:: ++ +-- +Whether a priority queue was used for filesort. + + +type: boolean + +-- + +*`mysql.slowlog.full_scan`*:: ++ +-- +Whether a full table scan was needed for the slow query. + + +type: boolean + +-- + +*`mysql.slowlog.full_join`*:: ++ +-- +Whether a full join was needed for the slow query (no indexes were used for joins). + + +type: boolean + +-- + +*`mysql.slowlog.merge_passes`*:: ++ +-- +Number of merge passes executed for the query. + + +type: long + +-- + +*`mysql.slowlog.sort_merge_passes`*:: ++ +-- +Number of merge passes that the sort algorithm has had to do. + + +type: long + +-- + +*`mysql.slowlog.sort_range_count`*:: ++ +-- +Number of sorts that were done using ranges. + + +type: long + +-- + +*`mysql.slowlog.sort_rows`*:: ++ +-- +Number of sorted rows. + + +type: long + +-- + +*`mysql.slowlog.sort_scan_count`*:: ++ +-- +Number of sorts that were done by scanning the table. + + +type: long + +-- + +*`mysql.slowlog.log_slow_rate_type`*:: ++ +-- +Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. + + +type: keyword + +-- + +*`mysql.slowlog.log_slow_rate_limit`*:: ++ +-- +Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. + + +type: keyword + +-- + +*`mysql.slowlog.read_first`*:: ++ +-- +The number of times the first entry in an index was read. + + +type: long + +-- + +*`mysql.slowlog.read_last`*:: ++ +-- +The number of times the last key in an index was read. + + +type: long + +-- + +*`mysql.slowlog.read_key`*:: ++ +-- +The number of requests to read a row based on a key. + + +type: long + +-- + +*`mysql.slowlog.read_next`*:: ++ +-- +The number of requests to read the next row in key order. + + +type: long + +-- + +*`mysql.slowlog.read_prev`*:: ++ +-- +The number of requests to read the previous row in key order. 
+ + +type: long + +-- + +*`mysql.slowlog.read_rnd`*:: ++ +-- +The number of requests to read a row based on a fixed position. + + +type: long + +-- + +*`mysql.slowlog.read_rnd_next`*:: ++ +-- +The number of requests to read the next row in the data file. + + +type: long + +-- + +[float] +=== innodb + +Contains fields relative to InnoDB engine + + + +*`mysql.slowlog.innodb.trx_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`mysql.slowlog.innodb.io_r_ops`*:: ++ +-- +Number of page read operations. + + +type: long + +-- + +*`mysql.slowlog.innodb.io_r_bytes`*:: ++ +-- +Bytes read during page read operations. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.innodb.io_r_wait.sec`*:: ++ +-- +How long it took to read all needed data from storage. + + +type: long + +-- + +*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: ++ +-- +How long the query waited for locks. + + +type: long + +-- + +*`mysql.slowlog.innodb.queue_wait.sec`*:: ++ +-- +How long the query waited to enter the InnoDB queue and to be executed once in the queue. + + +type: long + +-- + +*`mysql.slowlog.innodb.pages_distinct`*:: ++ +-- +Approximated count of pages accessed to execute the query. + + +type: long + +-- + +*`mysql.slowlog.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`mysql.slowlog.host`*:: ++ +-- +type: alias + +alias to: source.domain + +-- + +*`mysql.slowlog.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +[[exported-fields-nats]] +== NATS fields + +Module for parsing NATS log files. + + + +[float] +=== nats + +Fields from NATS logs. + + + +[float] +=== log + +Nats log files + + + +[float] +=== client + +Fields from NATS logs client. + + + +*`nats.log.client.id`*:: ++ +-- +The id of the client + + +type: integer + +-- + +[float] +=== msg + +Fields from NATS logs message. 
+ + + +*`nats.log.msg.bytes`*:: ++ +-- +Size of the payload in bytes + + +type: long + +format: bytes + +-- + +*`nats.log.msg.type`*:: ++ +-- +The protocol message type + + +type: keyword + +-- + +*`nats.log.msg.subject`*:: ++ +-- +Subject name this message was received on + + +type: keyword + +-- + +*`nats.log.msg.sid`*:: ++ +-- +The unique alphanumeric subscription ID of the subject + + +type: integer + +-- + +*`nats.log.msg.reply_to`*:: ++ +-- +The inbox subject on which the publisher is listening for responses + + +type: keyword + +-- + +*`nats.log.msg.max_messages`*:: ++ +-- +An optional number of messages to wait for before automatically unsubscribing + + +type: integer + +-- + +*`nats.log.msg.error.message`*:: ++ +-- +Details about the error occurred + + +type: text + +-- + +*`nats.log.msg.queue_group`*:: ++ +-- +The queue group which subscriber will join + + +type: text + +-- + +[[exported-fields-netflow]] +== NetFlow fields + +Fields from NetFlow and IPFIX flows. + + + +[float] +=== netflow + +Fields from NetFlow and IPFIX. + + + +*`netflow.type`*:: ++ +-- +The type of NetFlow record described by this event. + + +type: keyword + +-- + +[float] +=== exporter + +Metadata related to the exporter device that generated this record. + + + +*`netflow.exporter.address`*:: ++ +-- +Exporter's network address in IP:port format. + + +type: keyword + +-- + +*`netflow.exporter.source_id`*:: ++ +-- +Observation domain ID to which this record belongs. + + +type: long + +-- + +*`netflow.exporter.timestamp`*:: ++ +-- +Time and date of export. + + +type: date + +-- + +*`netflow.exporter.uptime_millis`*:: ++ +-- +How long the exporter process has been running, in milliseconds. + + +type: long + +-- + +*`netflow.exporter.version`*:: ++ +-- +NetFlow version used. 
+ + +type: integer + +-- + +*`netflow.octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.delta_flow_count`*:: ++ +-- +type: long + +-- + +*`netflow.protocol_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_control_bits`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.egress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.ip_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_source_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_destination_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_mcast_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.post_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.destination_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + 
+*`netflow.flow_label_ipv6`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.igmp_type`*:: ++ +-- +type: short + +-- + +*`netflow.sampling_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_algorithm`*:: ++ +-- +type: short + +-- + +*`netflow.flow_active_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_idle_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.engine_type`*:: ++ +-- +type: short + +-- + +*`netflow.engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.exported_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_message_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_flow_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ipv4_router_sc`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.mpls_top_label_type`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.sampler_id`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_mode`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_random_interval`*:: ++ +-- +type: long + +-- + +*`netflow.class_id`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.maximum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_identification`*:: ++ +-- +type: long + +-- + +*`netflow.post_ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_version`*:: ++ +-- +type: short + +-- + +*`netflow.flow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ip_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_next_hop_ipv6_address`*:: ++ 
+-- +type: ip + +-- + +*`netflow.ipv6_extension_headers`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section2`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section3`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section4`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section5`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section7`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section8`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section9`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section10`*:: ++ +-- +type: short + +-- + +*`netflow.destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.sampler_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flags_and_sampler_id`*:: ++ +-- +type: long + +-- + +*`netflow.fragment_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.forwarding_status`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_vpn_route_distinguisher`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.src_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.dst_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.application_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_id`*:: ++ +-- +type: short + +-- + +*`netflow.application_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.multicast_replication_factor`*:: ++ +-- +type: long + 
+-- + +*`netflow.class_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.classification_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.layer2packet_section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_size`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_data`*:: ++ +-- +type: short + +-- + +*`netflow.bgp_next_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_prev_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.dropped_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_reason`*:: ++ +-- +type: short + +-- + +*`netflow.common_properties_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_point_id`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.mpls_top_label_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.line_card_id`*:: ++ +-- +type: long + +-- + +*`netflow.port_id`*:: ++ +-- +type: long + +-- + +*`netflow.metering_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.exporting_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.template_id`*:: ++ +-- +type: integer + +-- + +*`netflow.wlan_channel_id`*:: ++ +-- +type: short + +-- + +*`netflow.wlan_ssid`*:: ++ +-- +type: keyword + +-- + +*`netflow.flow_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_milliseconds`*:: ++ +-- +type: date + +-- + 
+*`netflow.flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.system_init_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_duration_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_duration_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.observed_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.destination_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.post_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_key_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_type_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.udp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.udp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_destination_port`*:: ++ +-- +type: integer + +-- + 
+*`netflow.tcp_sequence_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_acknowledgement_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_window_size`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_urgent_pointer`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ip_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.total_length_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.payload_length_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.next_header_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_flags`*:: ++ +-- +type: short + +-- + +*`netflow.octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_length`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_label_stack_depth`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.udp_message_length`*:: ++ +-- +type: integer + +-- + +*`netflow.is_multicast`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_ihl`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_options`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_options`*:: ++ +-- +type: long + +-- + +*`netflow.padding_octets`*:: ++ +-- +type: short + +-- + +*`netflow.collector_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.collector_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.export_interface`*:: ++ +-- +type: long + +-- + +*`netflow.export_protocol_version`*:: ++ +-- +type: short + +-- + +*`netflow.export_transport_protocol`*:: ++ +-- +type: short + +-- + 
+*`netflow.collector_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.exporter_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_syn_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_fin_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_rst_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_psh_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_ack_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_urg_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_napt_source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.post_napt_destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.nat_originating_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_event`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_octets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_octets`*:: ++ +-- +type: long + +-- + +*`netflow.firewall_event`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.egress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.vr_fname`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_window_scale`*:: ++ +-- +type: integer + +-- + +*`netflow.biflow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_payload_length`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_total_length`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_customer_priority`*:: ++ +-- +type: short + +-- + 
+*`netflow.metro_evc_id`*:: ++ +-- +type: keyword + +-- + +*`netflow.metro_evc_type`*:: ++ +-- +type: short + +-- + +*`netflow.pseudo_wire_id`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_type`*:: ++ +-- +type: integer + +-- + +*`netflow.pseudo_wire_control_word`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.egress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.post_dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_type`*:: ++ +-- +type: integer + +-- + +*`netflow.post_ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.collection_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.export_sctp_stream_id`*:: ++ +-- +type: integer + +-- + +*`netflow.max_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.message_md5_checksum`*:: ++ +-- +type: short + +-- + +*`netflow.message_scope`*:: ++ +-- +type: short + +-- + +*`netflow.min_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.opaque_octets`*:: ++ +-- +type: short + +-- + +*`netflow.session_scope`*:: ++ +-- +type: short + +-- + +*`netflow.max_flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.collector_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.exporter_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.data_records_reliability`*:: ++ +-- +type: boolean + +-- + +*`netflow.observation_point_type`*:: ++ +-- +type: short + +-- + 
+*`netflow.new_connection_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.connection_sum_duration_seconds`*:: ++ +-- +type: long + +-- + +*`netflow.connection_transaction_id`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.nat_pool_id`*:: ++ +-- +type: long + +-- + +*`netflow.nat_pool_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.anonymization_flags`*:: ++ +-- +type: integer + +-- + +*`netflow.anonymization_technique`*:: ++ +-- +type: integer + +-- + +*`netflow.information_element_index`*:: ++ +-- +type: integer + +-- + +*`netflow.p2p_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.tunnel_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.encrypted_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.bgp_validity_state`*:: ++ +-- +type: short + +-- + +*`netflow.ip_sec_spi`*:: ++ +-- +type: long + +-- + +*`netflow.gre_key`*:: ++ +-- +type: long + +-- + +*`netflow.nat_type`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_packets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_packets`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.selection_sequence_id`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_id`*:: ++ +-- +type: integer + +-- + +*`netflow.selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.sampling_packet_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_packet_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_size`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_population`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_probability`*:: ++ +-- +type: double + +-- + +*`netflow.data_link_frame_size`*:: ++ 
+-- +type: integer + +-- + +*`netflow.ip_header_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.data_link_frame_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.selector_id_total_pkts_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_pkts_selected`*:: ++ +-- +type: long + +-- + +*`netflow.absolute_error`*:: ++ +-- +type: double + +-- + +*`netflow.relative_error`*:: ++ +-- +type: double + +-- + +*`netflow.observation_time_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.digest_hash_value`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_offset`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_size`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_digest_output`*:: ++ +-- +type: boolean + +-- + +*`netflow.hash_initialiser_value`*:: ++ +-- +type: long + +-- + +*`netflow.selector_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.upper_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.lower_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.confidence_level`*:: ++ +-- +type: double + +-- + +*`netflow.information_element_data_type`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_range_begin`*:: 
++ +-- +type: long + +-- + +*`netflow.information_element_range_end`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_units`*:: ++ +-- +type: integer + +-- + +*`netflow.private_enterprise_number`*:: ++ +-- +type: long + +-- + +*`netflow.virtual_station_interface_id`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.virtual_station_uuid`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.layer2_segment_id`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_multicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.monitoring_interval_start_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.monitoring_interval_end_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.port_range_start`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_end`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_step_size`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_num_ports`*:: ++ +-- +type: integer + +-- + +*`netflow.sta_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.sta_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.wtp_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.ingress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.egress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.rtp_sequence_number`*:: ++ +-- +type: integer + +-- + +*`netflow.user_name`*:: ++ +-- +type: 
keyword + +-- + +*`netflow.application_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_sub_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_group_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.original_flows_present`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_initiated`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_completed`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.value_distribution_method`*:: ++ +-- +type: short + +-- + +*`netflow.rfc3550_jitter_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_nanoseconds`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.dot1q_customer_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.flow_selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_selected_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_flow_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_selected`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_spacing`*:: 
++ +-- +type: long + +-- + +*`netflow.hash_flow_domain`*:: ++ +-- +type: integer + +-- + +*`netflow.transport_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.transport_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.original_exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.intermediate_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_data_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.data_link_frame_type`*:: ++ +-- +type: integer + +-- + +*`netflow.section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.section_exported_octets`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_service_instance_tag`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_service_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_service_instance_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.dot1q_customer_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + 
+*`netflow.layer2_octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ignored_layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_integer`*:: ++ +-- +type: integer + +-- + +*`netflow.mib_object_value_octet_string`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_oid`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_bits`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_ip_address`*:: ++ +-- +type: ip + +-- + +*`netflow.mib_object_value_counter`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_gauge`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_time_ticks`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_unsigned`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.mib_sub_identifier`*:: ++ +-- +type: long + +-- + +*`netflow.mib_index_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.mib_capture_time_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_syntax`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_module_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_imsi`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_msisdn`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_status_code`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_ports_limit`*:: ++ +-- +type: integer + +-- + +*`netflow.http_request_method`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_host`*:: ++ +-- +type: keyword + +-- + 
+*`netflow.http_request_target`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_message_version`*:: ++ +-- +type: keyword + +-- + +*`netflow.nat_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.internal_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.external_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_quota_exceeded_event`*:: ++ +-- +type: long + +-- + +*`netflow.nat_threshold_event`*:: ++ +-- +type: long + +-- + +*`netflow.http_user_agent`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_reason_phrase`*:: ++ +-- +type: keyword + +-- + +*`netflow.max_session_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_bib_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_entries_per_user`*:: ++ +-- +type: long + +-- + +*`netflow.max_subscribers`*:: ++ +-- +type: long + +-- + +*`netflow.max_fragments_pending_reassembly`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_per_user_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.global_address_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.vpn_identifier`*:: ++ +-- +type: short + +-- + +[[exported-fields-netscout]] +== Arbor Peakflow SP fields + +netscout fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-nginx]] +== Nginx fields + +Module for parsing the Nginx log files. + + + +[float] +=== nginx + +Fields from the Nginx log files. + + + +[float] +=== access + +Contains fields for the Nginx access logs. + + + +*`nginx.access.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+ + +type: array + +-- + +*`nginx.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for the Nginx error logs. + + + +*`nginx.error.connection_id`*:: ++ +-- +Connection identifier. 
+ + +type: long + +-- + +*`nginx.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`nginx.error.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`nginx.error.tid`*:: ++ +-- +type: alias + +alias to: process.thread.id + +-- + +*`nginx.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== ingress_controller + +Contains fields for the Ingress Nginx controller access logs. + + + +*`nginx.ingress_controller.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. + + +type: array + +-- + +*`nginx.ingress_controller.http.request.length`*:: ++ +-- +The request length (including request line, header, and request body) + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.http.request.time`*:: ++ +-- +Time elapsed since the first bytes were read from the client + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.name`*:: ++ +-- +The name of the upstream. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.alternative_name`*:: ++ +-- +The name of the alternative upstream. 
+ + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.length`*:: ++ +-- +The length of the response obtained from the upstream server + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.upstream.response.time`*:: ++ +-- +The time spent on receiving the response from the upstream server as seconds with millisecond resolution + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.response.status_code`*:: ++ +-- +The status code of the response obtained from the upstream server + + +type: long + +-- + +*`nginx.ingress_controller.http.request.id`*:: ++ +-- +The randomly generated ID of the request + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.ip`*:: ++ +-- +The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. + + +type: ip + +-- + +*`nginx.ingress_controller.upstream.port`*:: ++ +-- +The port of the upstream server. + + +type: long + +-- + +*`nginx.ingress_controller.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.ingress_controller.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.ingress_controller.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.ingress_controller.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.ingress_controller.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.ingress_controller.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.ingress_controller.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.ingress_controller.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.ingress_controller.user_agent.name`*:: ++ 
+-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.ingress_controller.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.ingress_controller.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.ingress_controller.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.ingress_controller.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.ingress_controller.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.ingress_controller.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.ingress_controller.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.ingress_controller.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-o365]] +== Office 365 fields + +Module for handling logs from Office 365. + + + +[float] +=== o365.audit + +Fields from Office 365 Management API audit logs. 
+ + + +*`o365.audit.Actor`*:: ++ +-- +type: array + +-- + +*`o365.audit.ActorContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorIpAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorYammerUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertEntityId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertLinks`*:: ++ +-- +type: array + +-- + +*`o365.audit.AlertType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationDisplayName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AzureActiveDirectoryEventType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExchangeMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Category`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientAppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientInfoString`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIP`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIPAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Comments`*:: ++ +-- +type: text + +-- + +*`o365.audit.CorrelationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CreationTime`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CustomUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Data`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.DataType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EntityType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventData`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventSource`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExceptionInfo.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExtendedProperties.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExternalAccess`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.GroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Id`*:: ++ +-- +type: keyword 
+ +-- + +*`o365.audit.ImplicitShare`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IncidentId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InternalLogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InterSystemsId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IntraSystemId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Item.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Item.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ItemName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ItemType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListItemUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonError`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonUserSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerMasterAccountSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerUPN`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Members`*:: ++ +-- +type: array + +-- + +*`o365.audit.Members.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ModifiedProperties.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Name`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ObjectId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Operation`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OriginatingServer`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Parameters.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.PolicyDetails`*:: ++ +-- +type: array + +-- + +*`o365.audit.PolicyId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.RecordType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ResultStatus`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: 
++ +-- +type: keyword + +-- + +*`o365.audit.SharePointMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.SessionId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Severity`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Site`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SiteUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Source`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileExtension`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceRelativeUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Status`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SupportTicketId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Target`*:: ++ +-- +type: array + +-- + +*`o365.audit.TargetContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UniqueSharingId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserAgent`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserKey`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Version`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.WebId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Workload`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.YammerNetworkId`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-okta]] +== Okta fields + +Module for handling system logs from Okta. + + + +[float] +=== okta + +Fields from Okta. + + + +*`okta.uuid`*:: ++ +-- +The unique identifier of the Okta LogEvent. + + +type: keyword + +-- + +*`okta.event_type`*:: ++ +-- +The type of the LogEvent. + + +type: keyword + +-- + +*`okta.version`*:: ++ +-- +The version of the LogEvent. 
+ + +type: keyword + +-- + +*`okta.severity`*:: ++ +-- +The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. + + +type: keyword + +-- + +*`okta.display_message`*:: ++ +-- +The display message of the LogEvent. + + +type: keyword + +-- + +[float] +=== actor + +Fields that let you store information of the actor for the LogEvent. + + + +*`okta.actor.id`*:: ++ +-- +Identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.type`*:: ++ +-- +Type of the actor. + + +type: keyword + +-- + +*`okta.actor.alternate_id`*:: ++ +-- +Alternate identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.display_name`*:: ++ +-- +Display name of the actor. + + +type: keyword + +-- + +[float] +=== client + +Fields that let you store information about the client of the actor. + + + +*`okta.client.ip`*:: ++ +-- +The IP address of the client. + + +type: ip + +-- + +[float] +=== user_agent + +Fields about the user agent information of the client. + + + +*`okta.client.user_agent.raw_user_agent`*:: ++ +-- +The raw informaton of the user agent. + + +type: keyword + +-- + +*`okta.client.user_agent.os`*:: ++ +-- +The OS informaton. + + +type: keyword + +-- + +*`okta.client.user_agent.browser`*:: ++ +-- +The browser informaton of the client. + + +type: keyword + +-- + +*`okta.client.zone`*:: ++ +-- +The zone information of the client. + + +type: keyword + +-- + +*`okta.client.device`*:: ++ +-- +The information of the client device. + + +type: keyword + +-- + +*`okta.client.id`*:: ++ +-- +The identifier of the client. + + +type: keyword + +-- + +[float] +=== outcome + +Fields that let you store information about the outcome. + + + +*`okta.outcome.reason`*:: ++ +-- +The reason of the outcome. + + +type: keyword + +-- + +*`okta.outcome.result`*:: ++ +-- +The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. + + +type: keyword + +-- + +*`okta.target`*:: ++ +-- +The list of targets. 
+ + +type: array + +-- + +[float] +=== transaction + +Fields that let you store information about related transaction. + + + +*`okta.transaction.id`*:: ++ +-- +Identifier of the transaction. + + +type: keyword + +-- + +*`okta.transaction.type`*:: ++ +-- +The type of transaction. Must be one of "WEB", "JOB". + + +type: keyword + +-- + +[float] +=== debug_context + +Fields that let you store information about the debug context. + + + +[float] +=== debug_data + +The debug data. + + + +*`okta.debug_context.debug_data.device_fingerprint`*:: ++ +-- +The fingerprint of the device. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_id`*:: ++ +-- +The identifier of the request. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_uri`*:: ++ +-- +The request URI. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.threat_suspected`*:: ++ +-- +Threat suspected. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.url`*:: ++ +-- +The URL. + + +type: keyword + +-- + +[float] +=== authentication_context + +Fields that let you store information about authentication context. + + + +*`okta.authentication_context.authentication_provider`*:: ++ +-- +The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + +type: keyword + +-- + +*`okta.authentication_context.authentication_step`*:: ++ +-- +The authentication step. + + +type: integer + +-- + +*`okta.authentication_context.credential_provider`*:: ++ +-- +The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + +type: keyword + +-- + +*`okta.authentication_context.credential_type`*:: ++ +-- +The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. 
+ + +type: keyword + +-- + +*`okta.authentication_context.issuer`*:: ++ +-- +The information about the issuer. + + +type: array + +-- + +*`okta.authentication_context.external_session_id`*:: ++ +-- +The session identifer of the external session if any. + + +type: keyword + +-- + +*`okta.authentication_context.interface`*:: ++ +-- +The interface used. e.g., Outlook, Office365, wsTrust + + +type: keyword + +-- + +[float] +=== security_context + +Fields that let you store information about security context. + + + +[float] +=== as + +The autonomous system. + + + +*`okta.security_context.as.number`*:: ++ +-- +The AS number. + + +type: integer + +-- + +[float] +=== organization + +The organization that owns the AS number. + + + +*`okta.security_context.as.organization.name`*:: ++ +-- +The organization name. + + +type: keyword + +-- + +*`okta.security_context.isp`*:: ++ +-- +The Internet Service Provider. + + +type: keyword + +-- + +*`okta.security_context.domain`*:: ++ +-- +The domain name. + + +type: keyword + +-- + +*`okta.security_context.is_proxy`*:: ++ +-- +Whether it is a proxy or not. + + +type: boolean + +-- + +[float] +=== request + +Fields that let you store information about the request, in the form of list of ip_chain. + + + +[float] +=== ip_chain + +List of ip_chain objects. + + + +*`okta.request.ip_chain.ip`*:: ++ +-- +IP address. + + +type: ip + +-- + +*`okta.request.ip_chain.version`*:: ++ +-- +IP version. Must be one of V4, V6. + + +type: keyword + +-- + +*`okta.request.ip_chain.source`*:: ++ +-- +Source information. + + +type: keyword + +-- + +[float] +=== geographical_context + +Geographical information. + + + +*`okta.request.ip_chain.geographical_context.city`*:: ++ +-- +The city. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.state`*:: ++ +-- +The state. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.postal_code`*:: ++ +-- +The postal code. 
+ +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.country`*:: ++ +-- +The country. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.geolocation`*:: ++ +-- +Geolocation information. + + +type: geo_point + +-- + +[[exported-fields-osquery]] +== Osquery fields + +Fields exported by the `osquery` module + + + +[float] +=== osquery + + + + +[float] +=== result + +Common fields exported by the result metricset. + + + +*`osquery.result.name`*:: ++ +-- +The name of the query that generated this event. + + +type: keyword + +-- + +*`osquery.result.action`*:: ++ +-- +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". + + +type: keyword + +-- + +*`osquery.result.host_identifier`*:: ++ +-- +The identifier for the host on which the osquery agent is running. Normally the hostname. + + +type: keyword + +-- + +*`osquery.result.unix_time`*:: ++ +-- +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. + + +type: long + +-- + +*`osquery.result.calendar_time`*:: ++ +-- +String representation of the collection time, as formatted by osquery. + + +type: keyword + +-- + +[[exported-fields-panw]] +== panw fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +=== panw + +Fields from the panw module. + + + +[float] +=== panos + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`panw.panos.ruleset`*:: ++ +-- +Name of the rule that matched this session. + + +type: keyword + +-- + +[float] +=== source + +Fields to extend the top-level source object. + + + +*`panw.panos.source.zone`*:: ++ +-- +Source zone for this session. + + +type: keyword + +-- + +*`panw.panos.source.interface`*:: ++ +-- +Source interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT source address, if source NAT is performed. + + + +*`panw.panos.source.nat.ip`*:: ++ +-- +Post-NAT source IP. 
+ + +type: ip + +-- + +*`panw.panos.source.nat.port`*:: ++ +-- +Post-NAT source port. + + +type: long + +-- + +[float] +=== destination + +Fields to extend the top-level destination object. + + + +*`panw.panos.destination.zone`*:: ++ +-- +Destination zone for this session. + + +type: keyword + +-- + +*`panw.panos.destination.interface`*:: ++ +-- +Destination interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT destination address, if destination NAT is performed. + + + +*`panw.panos.destination.nat.ip`*:: ++ +-- +Post-NAT destination IP. + + +type: ip + +-- + +*`panw.panos.destination.nat.port`*:: ++ +-- +Post-NAT destination port. + + +type: long + +-- + +[float] +=== network + +Fields to extend the top-level network object. + + + +*`panw.panos.network.pcap_id`*:: ++ +-- +Packet capture ID for a threat. + + +type: keyword + +-- + + +*`panw.panos.network.nat.community_id`*:: ++ +-- +Community ID flow-hash for the NAT 5-tuple. + + +type: keyword + +-- + +[float] +=== file + +Fields to extend the top-level file object. + + + +*`panw.panos.file.hash`*:: ++ +-- +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +type: keyword + +-- + +[float] +=== url + +Fields to extend the top-level url object. + + + +*`panw.panos.url.category`*:: ++ +-- +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +type: keyword + +-- + +*`panw.panos.flow_id`*:: ++ +-- +Internal numeric identifier for each session. + + +type: keyword + +-- + +*`panw.panos.sequence_number`*:: ++ +-- +Log entry identifier that is incremented sequentially. Unique for each log type. + + +type: long + +-- + +*`panw.panos.threat.resource`*:: ++ +-- +URL or file name for a threat. + + +type: keyword + +-- + +*`panw.panos.threat.id`*:: ++ +-- +Palo Alto Networks identifier for the threat. 
+ + +type: keyword + +-- + +*`panw.panos.threat.name`*:: ++ +-- +Palo Alto Networks name for the threat. + + +type: keyword + +-- + +*`panw.panos.action`*:: ++ +-- +Action taken for the session. + +type: keyword + +-- + +[[exported-fields-postgresql]] +== PostgreSQL fields + +Module for parsing the PostgreSQL log files. + + + +[float] +=== postgresql + +Fields from PostgreSQL logs. + + + +[float] +=== log + +Fields from the PostgreSQL log files. + + + +*`postgresql.log.timestamp`*:: ++ +-- + +deprecated:[7.3.0] + +The timestamp from the log line. + + +-- + +*`postgresql.log.core_id`*:: ++ +-- +Core id + + +type: long + +-- + +*`postgresql.log.database`*:: ++ +-- +Name of database + + +example: mydb + +-- + +*`postgresql.log.query`*:: ++ +-- +Query statement. + + +example: SELECT * FROM users; + +-- + +*`postgresql.log.query_step`*:: ++ +-- +Statement step when using extended query protocol (one of statement, parse, bind or execute) + + +example: parse + +-- + +*`postgresql.log.query_name`*:: ++ +-- +Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. 
+ + +example: pdo_stmt_00000001 + +-- + +*`postgresql.log.error.code`*:: ++ +-- +Error code returned by Postgres (if any) + +type: long + +-- + +*`postgresql.log.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`postgresql.log.thread_id`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`postgresql.log.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`postgresql.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`postgresql.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-rabbitmq]] +== RabbitMQ fields + +RabbitMQ Module + + + +[float] +=== rabbitmq + + + + +[float] +=== log + +RabbitMQ log files + + + +*`rabbitmq.log.pid`*:: ++ +-- +The Erlang process id + +type: keyword + +example: <0.222.0> + +-- + +[[exported-fields-radware]] +== Radware DefensePro fields + +radware fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-rapid7]] +== Rapid7 NeXpose fields + +rapid7 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-redis]] +== Redis fields + +Redis Module + + + +[float] +=== redis + + + + +[float] +=== log + +Redis log files + + + +*`redis.log.role`*:: ++ +-- +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. + + +type: keyword + +-- + +*`redis.log.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`redis.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`redis.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Slow logs are retrieved from Redis via a network connection. + + + +*`redis.slowlog.cmd`*:: ++ +-- +The command executed. + + +type: keyword + +-- + +*`redis.slowlog.duration.us`*:: ++ +-- +How long it took to execute the command in microseconds. + + +type: long + +-- + +*`redis.slowlog.id`*:: ++ +-- +The ID of the query. 
+ + +type: long + +-- + +*`redis.slowlog.key`*:: ++ +-- +The key on which the command was executed. + + +type: keyword + +-- + +*`redis.slowlog.args`*:: ++ +-- +The arguments with which the command was called. + + +type: keyword + +-- + +[[exported-fields-s3]] +== s3 fields + +S3 fields from s3 input. + + + +*`bucket_name`*:: ++ +-- +Name of the S3 bucket that this log retrieved from. + + +type: keyword + +-- + +*`object_key`*:: ++ +-- +Name of the S3 object that this log retrieved from. + + +type: keyword + +-- + +[[exported-fields-santa]] +== Google Santa fields + +Santa Module + + + +[float] +=== santa + + + + +*`santa.action`*:: ++ +-- +Action + +type: keyword + +example: EXEC + +-- + +*`santa.decision`*:: ++ +-- +Decision that santad took. + +type: keyword + +example: ALLOW + +-- + +*`santa.reason`*:: ++ +-- +Reason for the decsision. + +type: keyword + +example: CERT + +-- + +*`santa.mode`*:: ++ +-- +Operating mode of Santa. + +type: keyword + +example: M + +-- + +[float] +=== disk + +Fields for DISKAPPEAR actions. + + +*`santa.disk.volume`*:: ++ +-- +The volume name. + +-- + +*`santa.disk.bus`*:: ++ +-- +The disk bus protocol. + +-- + +*`santa.disk.serial`*:: ++ +-- +The disk serial number. + +-- + +*`santa.disk.bsdname`*:: ++ +-- +The disk BSD name. + +example: disk1s3 + +-- + +*`santa.disk.model`*:: ++ +-- +The disk model. + +example: APPLE SSD SM0512L + +-- + +*`santa.disk.fs`*:: ++ +-- +The disk volume kind (filesystem type). + +example: apfs + +-- + +*`santa.disk.mount`*:: ++ +-- +The disk volume path. + +-- + +*`santa.certificate.common_name`*:: ++ +-- +Common name from code signing certificate. + +type: keyword + +-- + +*`santa.certificate.sha256`*:: ++ +-- +SHA256 hash of code signing certificate. + +type: keyword + +-- + +[[exported-fields-sonicwall]] +== Sonicwall-FW fields + +sonicwall fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-squid]] +== Squid fields + +squid fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-suricata]] +== Suricata fields + +Module for handling the EVE JSON logs produced by Suricata. + + + +[float] +=== suricata + +Fields from the Suricata EVE log file. 
+ + + +[float] +=== eve + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_orig`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tcp.tcp_flags`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.psh`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.tcp_flags_tc`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.ack`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.syn`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.tcp_flags_ts`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.rst`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.fin`*:: ++ +-- +type: boolean + +-- + + +*`suricata.eve.fileinfo.sha1`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.filename`*:: ++ +-- +type: alias + +alias to: file.path + +-- + +*`suricata.eve.fileinfo.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.fileinfo.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.stored`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.gaps`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.sha256`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.md5`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.size`*:: ++ +-- +type: alias + +alias to: file.size + +-- + +*`suricata.eve.icmp_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dest_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`suricata.eve.src_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`suricata.eve.proto`*:: ++ +-- +type: alias + +alias to: network.transport + +-- + +*`suricata.eve.pcap_cnt`*:: ++ +-- +type: long + +-- + +*`suricata.eve.src_ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + + +*`suricata.eve.dns.type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrtype`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrname`*:: ++ +-- +type: keyword + +-- 
+ +*`suricata.eve.dns.rdata`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.ttl`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.rcode`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow_id`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.email.status`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dest_ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +*`suricata.eve.icmp_code`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.http.status`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`suricata.eve.http.redirect`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_user_agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`suricata.eve.http.protocol`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_refer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`suricata.eve.http.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`suricata.eve.http.hostname`*:: ++ +-- +type: alias + +alias to: url.domain + +-- + +*`suricata.eve.http.length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`suricata.eve.http.http_method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`suricata.eve.http.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`suricata.eve.in_iface`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.alert.category`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.severity`*:: ++ +-- +type: alias + +alias to: event.severity + +-- + +*`suricata.eve.alert.rev`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.gid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.signature`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.action`*:: ++ +-- +type: alias + +alias to: event.outcome + +-- + 
+*`suricata.eve.alert.signature_id`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.ssh.client.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.client.software_version`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.ssh.server.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.server.software_version`*:: ++ +-- +type: keyword + +-- + + + +*`suricata.eve.stats.capture.kernel_packets`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_drops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_ifdrops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.uptime`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.detect.alert`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.http.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.http.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.file_store.open_files`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.max_frag_hits`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow.tcp_reuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_entered`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_over`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv4`*:: ++ +-- 
+type: long + +-- + +*`suricata.eve.stats.flow.spare`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.tcp.pseudo_failed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.sessions`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.pseudo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.synack`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.syn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.invalid_checksum`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_list_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.rst`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.stream_depth_reached`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_gap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap_diff_data`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.no_flow`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.bytes`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.raw`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ppp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan_qinq`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.null`*:: ++ +-- +type: long + +-- + + 
+*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.invalid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.gre`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pkts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pppoe`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.udp`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sctp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.max_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.teredo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.mpls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sll`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.erspan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ethernet`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ieee8021ah`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.dns.memcap_global`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memcap_state`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow_mgr.rows_busy`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.flow_mgr.flows_timeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.new_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_removed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.est_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_empty`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.stats.app_layer.flow.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.msn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.imap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.app_layer.flow.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.app_layer.tx.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.tls.notbefore`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.issuerdn`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.sni`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.session_resumed`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tls.fingerprint`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.serial`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.notafter`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.subject`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3s.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3s.hash`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3.hash`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_ts`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.flow.bytes_toclient`*:: ++ +-- +type: alias + +alias to: destination.bytes + +-- + +*`suricata.eve.flow.start`*:: ++ +-- +type: alias + +alias to: event.start + +-- + +*`suricata.eve.flow.pkts_toclient`*:: ++ +-- +type: alias + +alias to: destination.packets + +-- + 
+*`suricata.eve.flow.age`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.bytes_toserver`*:: ++ +-- +type: alias + +alias to: source.bytes + +-- + +*`suricata.eve.flow.reason`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.pkts_toserver`*:: ++ +-- +type: alias + +alias to: source.packets + +-- + +*`suricata.eve.flow.end`*:: ++ +-- +type: date + +-- + +*`suricata.eve.flow.alerted`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.app_proto`*:: ++ +-- +type: alias + +alias to: network.protocol + +-- + +*`suricata.eve.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.app_proto_tc`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.smtp.rcpt_to`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.mail_from`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.helo`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_expected`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-system]] +== System fields + +Module for parsing system log files. + + + +[float] +=== system + +Fields from the system log files. + + + +[float] +=== auth + +Fields from the Linux authorization logs. + + + +*`system.auth.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.auth.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.auth.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.auth.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.auth.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`system.auth.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + + +*`system.auth.ssh.method`*:: ++ +-- +The SSH authentication method. Can be one of "password" or "publickey". + + +-- + +*`system.auth.ssh.signature`*:: ++ +-- +The signature of the client public key. + + +-- + +*`system.auth.ssh.dropped_ip`*:: ++ +-- +The client IP from SSH connections that are open and immediately dropped. 
+ + +type: ip + +-- + +*`system.auth.ssh.event`*:: ++ +-- +The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) + + +example: Accepted + +-- + +*`system.auth.ssh.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`system.auth.ssh.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + + +*`system.auth.ssh.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`system.auth.ssh.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`system.auth.ssh.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`system.auth.ssh.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`system.auth.ssh.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`system.auth.ssh.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== sudo + +Fields specific to events created by the `sudo` command. + + + +*`system.auth.sudo.error`*:: ++ +-- +The error message in case the sudo command failed. + + +example: user NOT in sudoers + +-- + +*`system.auth.sudo.tty`*:: ++ +-- +The TTY where the sudo command is executed. + + +-- + +*`system.auth.sudo.pwd`*:: ++ +-- +The current directory where the sudo command is executed. + + +-- + +*`system.auth.sudo.user`*:: + -- The target user to which the sudo command is switching. -example: root +example: root + +-- + +*`system.auth.sudo.command`*:: ++ +-- +The command executed via sudo. + + +-- + +[float] +=== useradd + +Fields specific to events created by the `useradd` command. + + + +*`system.auth.useradd.home`*:: ++ +-- +The home folder for the new user. + +-- + +*`system.auth.useradd.shell`*:: ++ +-- +The default shell for the new user. 
+ +-- + +*`system.auth.useradd.name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`system.auth.useradd.uid`*:: ++ +-- +type: alias + +alias to: user.id + +-- + +*`system.auth.useradd.gid`*:: ++ +-- +type: alias + +alias to: group.id + +-- + +[float] +=== groupadd + +Fields specific to events created by the `groupadd` command. + + + +*`system.auth.groupadd.name`*:: ++ +-- +type: alias + +alias to: group.name + +-- + +*`system.auth.groupadd.gid`*:: ++ +-- +type: alias + +alias to: group.id + +-- + +[float] +=== syslog + +Contains fields from the syslog system logs. + + + +*`system.syslog.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.syslog.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.syslog.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.syslog.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.syslog.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-tenable]] +== Tenable Network Security Nessus fields + +tenable fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-tomcat]] +== Apache Tomcat fields + +tomcat fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-traefik]] +== Traefik fields + +Module for parsing the Traefik log files. + + + +[float] +=== traefik + +Fields from the Traefik log files. + + + +[float] +=== access + +Contains fields for the Traefik access logs. 
+ + + +*`traefik.access.user_identifier`*:: ++ +-- +Is the RFC 1413 identity of the client + + +type: keyword + +-- + +*`traefik.access.request_count`*:: ++ +-- +The number of requests + + +type: long + +-- + +*`traefik.access.frontend_name`*:: ++ +-- +The name of the frontend used + + +type: keyword + +-- + +*`traefik.access.backend_url`*:: ++ +-- +The url of the backend where request is forwarded + +type: keyword + +-- + +*`traefik.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`traefik.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`traefik.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`traefik.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`traefik.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`traefik.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`traefik.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`traefik.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`traefik.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`traefik.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`traefik.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`traefik.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`traefik.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`traefik.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`traefik.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`traefik.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + 
+*`traefik.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`traefik.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`traefik.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`traefik.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-zeek]] +== Zeek fields + +Module for handling logs produced by Zeek/Bro + + + +[float] +=== zeek + +Fields from Zeek/Bro logs after normalization + + + +*`zeek.session_id`*:: ++ +-- +A unique identifier of the session + + +type: keyword + +-- + +[float] +=== capture_loss + +Fields exported by the Zeek capture_loss log + + + +*`zeek.capture_loss.ts_delta`*:: ++ +-- +The time delay between this measurement and the last. + + +type: integer + +-- + +*`zeek.capture_loss.peer`*:: ++ +-- +In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. + + +type: keyword + +-- + +*`zeek.capture_loss.gaps`*:: ++ +-- +Number of missed ACKs from the previous measurement interval. + + +type: integer + +-- + +*`zeek.capture_loss.acks`*:: ++ +-- +Total number of ACKs seen in the previous measurement interval. + + +type: integer + +-- + +*`zeek.capture_loss.percent_lost`*:: ++ +-- +Percentage of ACKs seen where the data being ACKed wasn't seen. + + +type: double + +-- + +[float] +=== connection + +Fields exported by the Zeek Connection log + + + +*`zeek.connection.local_orig`*:: ++ +-- +Indicates whether the session is originated locally. + + +type: boolean + +-- + +*`zeek.connection.local_resp`*:: ++ +-- +Indicates whether the session is responded locally. + + +type: boolean + +-- + +*`zeek.connection.missed_bytes`*:: ++ +-- +Missed bytes for the session. + + +type: long + +-- + +*`zeek.connection.state`*:: ++ +-- +Code indicating the state of the session. 
+ + +type: keyword + +-- + +*`zeek.connection.state_message`*:: ++ +-- +The state of the session. + + +type: keyword + +-- + + +*`zeek.connection.icmp.type`*:: ++ +-- +ICMP message type. + + +type: integer + +-- + +*`zeek.connection.icmp.code`*:: ++ +-- +ICMP message code. + + +type: integer + +-- + +*`zeek.connection.history`*:: ++ +-- +Flags indicating the history of the session. + + +type: keyword + +-- + +*`zeek.connection.vlan`*:: ++ +-- +VLAN identifier. + + +type: integer + +-- + +*`zeek.connection.inner_vlan`*:: ++ +-- +VLAN identifier. + + +type: integer + +-- + +[float] +=== dce_rpc + +Fields exported by the Zeek DCE_RPC log + + + +*`zeek.dce_rpc.rtt`*:: ++ +-- +Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. + + +type: integer + +-- + +*`zeek.dce_rpc.named_pipe`*:: ++ +-- +Remote pipe name. + + +type: keyword + +-- + +*`zeek.dce_rpc.endpoint`*:: ++ +-- +Endpoint name looked up from the uuid. + + +type: keyword + +-- + +*`zeek.dce_rpc.operation`*:: ++ +-- +Operation seen in the call. + + +type: keyword + +-- + +[float] +=== dhcp + +Fields exported by the Zeek DHCP log + + + +*`zeek.dhcp.domain`*:: ++ +-- +Domain given by the server in option 15. + + +type: keyword + +-- + +*`zeek.dhcp.duration`*:: ++ +-- +Duration of the DHCP session representing the time from the first +message to the last, in seconds. + + +type: double + +-- + +*`zeek.dhcp.hostname`*:: ++ +-- +Name given by client in Hostname option 12. + + +type: keyword + +-- + +*`zeek.dhcp.client_fqdn`*:: ++ +-- +FQDN given by client in Client FQDN option 81. + + +type: keyword + +-- + +*`zeek.dhcp.lease_time`*:: ++ +-- +IP address lease interval in seconds. + + +type: integer + +-- + +[float] +=== address + +Addresses seen in this DHCP exchange. + + + +*`zeek.dhcp.address.assigned`*:: ++ +-- +IP address assigned by the server. + + +type: ip + +-- + +*`zeek.dhcp.address.client`*:: ++ +-- +IP address of the client. 
If a transaction is only a client sending +INFORM messages then there is no lease information exchanged so this +is helpful to know who sent the messages. Getting an address in this +field does require that the client sources at least one DHCP message +using a non-broadcast address. + + +type: ip + +-- + +*`zeek.dhcp.address.mac`*:: ++ +-- +Client's hardware address. + + +type: keyword + +-- + +*`zeek.dhcp.address.requested`*:: ++ +-- +IP address requested by the client. + + +type: ip + +-- + +*`zeek.dhcp.address.server`*:: ++ +-- +IP address of the DHCP server. + + +type: ip + +-- + + +*`zeek.dhcp.msg.types`*:: ++ +-- +List of DHCP message types seen in this exchange. + + +type: keyword + +-- + +*`zeek.dhcp.msg.origin`*:: ++ +-- +(present if policy/protocols/dhcp/msg-orig.bro is loaded) +The address that originated each message from the msg.types field. + + +type: ip + +-- + +*`zeek.dhcp.msg.client`*:: ++ +-- +Message typically accompanied with a DHCP_DECLINE so the client can +tell the server why it rejected an address. + + +type: keyword + +-- + +*`zeek.dhcp.msg.server`*:: ++ +-- +Message typically accompanied with a DHCP_NAK to let the client know +why it rejected the request. + + +type: keyword + +-- + + +*`zeek.dhcp.software.client`*:: ++ +-- +(present if policy/protocols/dhcp/software.bro is loaded) +Software reported by the client in the vendor_class option. + + +type: keyword + +-- + +*`zeek.dhcp.software.server`*:: ++ +-- +(present if policy/protocols/dhcp/software.bro is loaded) +Software reported by the client in the vendor_class option. + + +type: keyword + +-- + + +*`zeek.dhcp.id.circuit`*:: ++ +-- +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +Added by DHCP relay agents which terminate switched or permanent +circuits. It encodes an agent-local identifier of the circuit from +which a DHCP client-to-server packet was received. Typically it +should represent a router or switch interface number. 
+ + +type: keyword + +-- + +*`zeek.dhcp.id.remote_agent`*:: ++ +-- +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +A globally unique identifier added by relay agents to identify the +remote host end of the circuit. + + +type: keyword + +-- + +*`zeek.dhcp.id.subscriber`*:: ++ +-- +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +The subscriber ID is a value independent of the physical network +configuration so that a customer's DHCP configuration can be given +to them correctly no matter where they are physically connected. + + +type: keyword + +-- + +[float] +=== dnp3 + +Fields exported by the Zeek DNP3 log + + + + +*`zeek.dnp3.function.request`*:: ++ +-- +The name of the function message in the request. + + +type: keyword + +-- + +*`zeek.dnp3.function.reply`*:: ++ +-- +The name of the function message in the reply. + + +type: keyword + +-- + +*`zeek.dnp3.id`*:: ++ +-- +The response's internal indication number. + + +type: integer + +-- + +[float] +=== dns + +Fields exported by the Zeek DNS log + + + +*`zeek.dns.trans_id`*:: ++ +-- +DNS transaction identifier. + + +type: keyword + +-- + +*`zeek.dns.rtt`*:: ++ +-- +Round trip time for the query and response. + + +type: double + +-- + +*`zeek.dns.query`*:: ++ +-- +The domain name that is the subject of the DNS query. + + +type: keyword + +-- + +*`zeek.dns.qclass`*:: ++ +-- +The QCLASS value specifying the class of the query. + + +type: long + +-- + +*`zeek.dns.qclass_name`*:: ++ +-- +A descriptive name for the class of the query. + + +type: keyword + +-- + +*`zeek.dns.qtype`*:: ++ +-- +A QTYPE value specifying the type of the query. + + +type: long + +-- + +*`zeek.dns.qtype_name`*:: ++ +-- +A descriptive name for the type of the query. + + +type: keyword + +-- + +*`zeek.dns.rcode`*:: ++ +-- +The response code value in DNS response messages. + + +type: long + +-- + +*`zeek.dns.rcode_name`*:: ++ +-- +A descriptive name for the response code value. 
+ + +type: keyword + +-- + +*`zeek.dns.AA`*:: ++ +-- +The Authoritative Answer bit for response messages specifies that the responding +name server is an authority for the domain name in the question section. + + +type: boolean + +-- + +*`zeek.dns.TC`*:: ++ +-- +The Truncation bit specifies that the message was truncated. + + +type: boolean + +-- + +*`zeek.dns.RD`*:: ++ +-- +The Recursion Desired bit in a request message indicates that the client +wants recursive service for this query. + + +type: boolean + +-- + +*`zeek.dns.RA`*:: ++ +-- +The Recursion Available bit in a response message indicates that the name +server supports recursive queries. + + +type: boolean + +-- + +*`zeek.dns.answers`*:: ++ +-- +The set of resource descriptions in the query answer. + + +type: keyword + +-- + +*`zeek.dns.TTLs`*:: ++ +-- +The caching intervals of the associated RRs described by the answers field. + + +type: double + +-- + +*`zeek.dns.rejected`*:: ++ +-- +Indicates whether the DNS query was rejected by the server. + + +type: boolean + +-- + +*`zeek.dns.total_answers`*:: ++ +-- +The total number of resource records in the reply. + + +type: integer + +-- + +*`zeek.dns.total_replies`*:: ++ +-- +The total number of resource records in the reply message. + + +type: integer + +-- + +*`zeek.dns.saw_query`*:: ++ +-- +Whether the full DNS query has been seen. + + +type: boolean + +-- + +*`zeek.dns.saw_reply`*:: ++ +-- +Whether the full DNS reply has been seen. + + +type: boolean + +-- + +[float] +=== dpd + +Fields exported by the Zeek DPD log + + + +*`zeek.dpd.analyzer`*:: ++ +-- +The analyzer that generated the violation. + + +type: keyword + +-- + +*`zeek.dpd.failure_reason`*:: ++ +-- +The textual reason for the analysis failure. + + +type: keyword + +-- + +*`zeek.dpd.packet_segment`*:: ++ +-- +(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) +A chunk of the payload that most likely resulted in the protocol violation. 
+ + +type: keyword + +-- + +[float] +=== files + +Fields exported by the Zeek Files log. + + + +*`zeek.files.fuid`*:: ++ +-- +A file unique identifier. + + +type: keyword + +-- + +*`zeek.files.tx_host`*:: ++ +-- +The host that transferred the file. + + +type: ip + +-- + +*`zeek.files.rx_host`*:: ++ +-- +The host that received the file. + + +type: ip + +-- + +*`zeek.files.session_ids`*:: ++ +-- +The sessions that have this file. + + +type: keyword + +-- + +*`zeek.files.source`*:: ++ +-- +An identification of the source of the file data. E.g. it may be a network protocol +over which it was transferred, or a local file path which was read, or some other +input source. + + +type: keyword + +-- + +*`zeek.files.depth`*:: ++ +-- +A value to represent the depth of this file in relation to its source. In SMTP, it +is the depth of the MIME attachment on the message. In HTTP, it is the depth of the +request within the TCP connection. + + +type: long + +-- + +*`zeek.files.analyzers`*:: ++ +-- +A set of analysis types done during the file analysis. + + +type: keyword + +-- + +*`zeek.files.mime_type`*:: ++ +-- +Mime type of the file. + + +type: keyword + +-- + +*`zeek.files.filename`*:: ++ +-- +Name of the file if available. + + +type: keyword + +-- + +*`zeek.files.local_orig`*:: ++ +-- +If the source of this file is a network connection, this field indicates if the data +originated from the local network or not. + + +type: boolean + +-- + +*`zeek.files.is_orig`*:: ++ +-- +If the source of this file is a network connection, this field indicates if the file is +being sent by the originator of the connection or the responder. + + +type: boolean + +-- + +*`zeek.files.duration`*:: ++ +-- +The duration the file was analyzed for. Not the duration of the session. + + +type: double + +-- + +*`zeek.files.seen_bytes`*:: ++ +-- +Number of bytes provided to the file analysis engine for the file. 
+ + +type: long + +-- + +*`zeek.files.total_bytes`*:: ++ +-- +Total number of bytes that are supposed to comprise the full file. + + +type: long + +-- + +*`zeek.files.missing_bytes`*:: ++ +-- +The number of bytes in the file stream that were completely missed during the process +of analysis. + + +type: long + +-- + +*`zeek.files.overflow_bytes`*:: ++ +-- +The number of bytes in the file stream that were not delivered to stream file analyzers. +This could be overlapping bytes or bytes that couldn't be reassembled. + + +type: long + +-- + +*`zeek.files.timedout`*:: ++ +-- +Whether the file analysis timed out at least once for the file. + + +type: boolean + +-- + +*`zeek.files.parent_fuid`*:: ++ +-- +Identifier associated with a container file from which this one was extracted as part of +the file analysis. + + +type: keyword + +-- + +*`zeek.files.md5`*:: ++ +-- +An MD5 digest of the file contents. + + +type: keyword + +-- + +*`zeek.files.sha1`*:: ++ +-- +A SHA1 digest of the file contents. + + +type: keyword + +-- + +*`zeek.files.sha256`*:: ++ +-- +A SHA256 digest of the file contents. + + +type: keyword + +-- + +*`zeek.files.extracted`*:: ++ +-- +Local filename of extracted file. + + +type: keyword + +-- + +*`zeek.files.extracted_cutoff`*:: ++ +-- +Indicate whether the file being extracted was cut off hence not extracted completely. + + +type: boolean + +-- + +*`zeek.files.extracted_size`*:: ++ +-- +The number of bytes extracted to disk. + + +type: long + +-- + +*`zeek.files.entropy`*:: ++ +-- +The information density of the contents of the file. + + +type: double + +-- + +[float] +=== ftp + +Fields exported by the Zeek FTP log + + + +*`zeek.ftp.user`*:: ++ +-- +User name for the current FTP session. + + +type: keyword + +-- + +*`zeek.ftp.password`*:: ++ +-- +Password for the current FTP session if captured. + + +type: keyword + +-- + +*`zeek.ftp.command`*:: ++ +-- +Command given by the client. 
+ + +type: keyword + +-- + +*`zeek.ftp.arg`*:: ++ +-- +Argument for the command if one is given. + + +type: keyword + +-- + + +*`zeek.ftp.file.size`*:: ++ +-- +Size of the file if the command indicates a file transfer. + + +type: long + +-- + +*`zeek.ftp.file.mime_type`*:: ++ +-- +Sniffed mime type of file. + + +type: keyword + +-- + +*`zeek.ftp.file.fuid`*:: ++ +-- +(present if base/protocols/ftp/files.bro is loaded) +File unique ID. + + +type: keyword + +-- + + +*`zeek.ftp.reply.code`*:: ++ +-- +Reply code from the server in response to the command. + + +type: integer + +-- + +*`zeek.ftp.reply.msg`*:: ++ +-- +Reply message from the server in response to the command. + + +type: keyword + +-- + +[float] +=== data_channel + +Expected FTP data channel. + + + +*`zeek.ftp.data_channel.passive`*:: ++ +-- +Whether PASV mode is toggled for control channel. + + +type: boolean + +-- + +*`zeek.ftp.data_channel.originating_host`*:: ++ +-- +The host that will be initiating the data connection. + + +type: ip + +-- + +*`zeek.ftp.data_channel.response_host`*:: ++ +-- +The host that will be accepting the data connection. + + +type: ip + +-- + +*`zeek.ftp.data_channel.response_port`*:: ++ +-- +The port at which the acceptor is listening for the data connection. + + +type: integer + +-- + +*`zeek.ftp.cwd`*:: ++ +-- +Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. + + +type: keyword + +-- + +[float] +=== cmdarg + +Command that is currently waiting for a response. + + + +*`zeek.ftp.cmdarg.cmd`*:: ++ +-- +Command. + + +type: keyword + +-- + +*`zeek.ftp.cmdarg.arg`*:: ++ +-- +Argument for the command if one was given. + + +type: keyword + +-- + +*`zeek.ftp.cmdarg.seq`*:: ++ +-- +Counter to track how many commands have been executed. 
+ + +type: integer + +-- + +*`zeek.ftp.pending_commands`*:: ++ +-- +Queue for commands that have been sent but not yet responded to are tracked here. + + +type: integer + +-- + +*`zeek.ftp.passive`*:: ++ +-- +Indicates if the session is in active or passive mode. + + +type: boolean + +-- + +*`zeek.ftp.capture_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +*`zeek.ftp.last_auth_requested`*:: ++ +-- +present if base/protocols/ftp/gridftp.bro is loaded. +Last authentication/security mechanism that was used. + + +type: keyword + +-- + +[float] +=== http + +Fields exported by the Zeek HTTP log + + + +*`zeek.http.trans_depth`*:: ++ +-- +Represents the pipelined depth into the connection of this request/response transaction. + + +type: integer + +-- + +*`zeek.http.status_msg`*:: ++ +-- +Status message returned by the server. + + +type: keyword + +-- + +*`zeek.http.info_code`*:: ++ +-- +Last seen 1xx informational reply code returned by the server. + + +type: integer + +-- + +*`zeek.http.info_msg`*:: ++ +-- +Last seen 1xx informational reply message returned by the server. + + +type: keyword + +-- + +*`zeek.http.tags`*:: ++ +-- +A set of indicators of various attributes discovered and related to a particular +request/response pair. + + +type: keyword + +-- + +*`zeek.http.password`*:: ++ +-- +Password if basic-auth is performed for the request. + + +type: keyword + +-- + +*`zeek.http.captured_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +*`zeek.http.proxied`*:: ++ +-- +All of the headers that may indicate if the HTTP request was proxied. + + +type: keyword + +-- + +*`zeek.http.range_request`*:: ++ +-- +Indicates if this request can assume 206 partial content in response. + + +type: boolean + +-- + +*`zeek.http.client_header_names`*:: ++ +-- +The vector of HTTP header names sent by the client. 
No header values +are included here, just the header names. + + +type: keyword + +-- + +*`zeek.http.server_header_names`*:: ++ +-- +The vector of HTTP header names sent by the server. No header values +are included here, just the header names. + + +type: keyword + +-- + +*`zeek.http.orig_fuids`*:: ++ +-- +An ordered vector of file unique IDs from the originator. + + +type: keyword + +-- + +*`zeek.http.orig_mime_types`*:: ++ +-- +An ordered vector of mime types from the originator. + + +type: keyword + +-- + +*`zeek.http.orig_filenames`*:: ++ +-- +An ordered vector of filenames from the originator. + + +type: keyword + +-- + +*`zeek.http.resp_fuids`*:: ++ +-- +An ordered vector of file unique IDs from the responder. + + +type: keyword + +-- + +*`zeek.http.resp_mime_types`*:: ++ +-- +An ordered vector of mime types from the responder. + + +type: keyword + +-- + +*`zeek.http.resp_filenames`*:: ++ +-- +An ordered vector of filenames from the responder. + + +type: keyword + +-- + +*`zeek.http.orig_mime_depth`*:: ++ +-- +Current number of MIME entities in the HTTP request message body. + + +type: integer + +-- + +*`zeek.http.resp_mime_depth`*:: ++ +-- +Current number of MIME entities in the HTTP response message body. + + +type: integer + +-- + +[float] +=== intel + +Fields exported by the Zeek Intel log. + + + + +*`zeek.intel.seen.indicator`*:: ++ +-- +The intelligence indicator. + + +type: keyword + +-- + +*`zeek.intel.seen.indicator_type`*:: ++ +-- +The type of data the indicator represents. + + +type: keyword + +-- + +*`zeek.intel.seen.host`*:: ++ +-- +If the indicator type was Intel::ADDR, then this field will be present. + + +type: keyword + +-- + +*`zeek.intel.seen.conn`*:: ++ +-- +If the data was discovered within a connection, the connection record should go here to give context to the data. + + +type: keyword + +-- + +*`zeek.intel.seen.where`*:: ++ +-- +Where the data was discovered. 
+ + +type: keyword + +-- + +*`zeek.intel.seen.node`*:: ++ +-- +The name of the node where the match was discovered. + + +type: keyword + +-- + +*`zeek.intel.seen.uid`*:: ++ +-- +If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. + + +type: keyword + +-- + +*`zeek.intel.seen.f`*:: ++ +-- +If the data was discovered within a file, the file record should go here to provide context to the data. + + +type: object + +-- + +*`zeek.intel.seen.fuid`*:: ++ +-- +If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. + + +type: keyword + +-- + +*`zeek.intel.matched`*:: ++ +-- +Event to represent a match in the intelligence data from data that was seen. + + +type: keyword + +-- + +*`zeek.intel.sources`*:: ++ +-- +Sources which supplied data for this match. + + +type: keyword + +-- + +*`zeek.intel.fuid`*:: ++ +-- +If a file was associated with this intelligence hit, this is the uid for the file. + + +type: keyword + +-- + +*`zeek.intel.file_mime_type`*:: ++ +-- +A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. + + +type: keyword + +-- + +*`zeek.intel.file_desc`*:: ++ +-- +Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. + + +type: keyword + +-- + +[float] +=== irc + +Fields exported by the Zeek IRC log + + + +*`zeek.irc.nick`*:: ++ +-- +Nickname given for the connection. + + +type: keyword + +-- + +*`zeek.irc.user`*:: ++ +-- +Username given for the connection. + + +type: keyword + +-- + +*`zeek.irc.command`*:: ++ +-- +Command given by the client. + + +type: keyword + +-- + +*`zeek.irc.value`*:: ++ +-- +Value for the command given by the client. 
+ + +type: keyword + +-- + +*`zeek.irc.addl`*:: ++ +-- +Any additional data for the command. + + +type: keyword + +-- + + + +*`zeek.irc.dcc.file.name`*:: ++ +-- +Present if base/protocols/irc/dcc-send.bro is loaded. +DCC filename requested. + + +type: keyword + +-- + +*`zeek.irc.dcc.file.size`*:: ++ +-- +Present if base/protocols/irc/dcc-send.bro is loaded. +Size of the DCC transfer as indicated by the sender. + + +type: long + +-- + +*`zeek.irc.dcc.mime_type`*:: ++ +-- +present if base/protocols/irc/dcc-send.bro is loaded. +Sniffed mime type of the file. + + +type: keyword + +-- + +*`zeek.irc.fuid`*:: ++ +-- +present if base/protocols/irc/files.bro is loaded. +File unique ID. + + +type: keyword + +-- + +[float] +=== kerberos + +Fields exported by the Zeek Kerberos log + + + +*`zeek.kerberos.request_type`*:: ++ +-- +Request type - Authentication Service (AS) or Ticket Granting Service (TGS). + + +type: keyword + +-- + +*`zeek.kerberos.client`*:: ++ +-- +Client name. + + +type: keyword + +-- + +*`zeek.kerberos.service`*:: ++ +-- +Service name. + + +type: keyword + +-- + +*`zeek.kerberos.success`*:: ++ +-- +Request result. + + +type: boolean + +-- + + +*`zeek.kerberos.error.code`*:: ++ +-- +Error code. + + +type: integer + +-- + +*`zeek.kerberos.error.msg`*:: ++ +-- +Error message. + + +type: keyword + +-- + + +*`zeek.kerberos.valid.from`*:: ++ +-- +Ticket valid from. + + +type: date + +-- + +*`zeek.kerberos.valid.until`*:: ++ +-- +Ticket valid until. + + +type: date + +-- + +*`zeek.kerberos.valid.days`*:: ++ +-- +Number of days the ticket is valid for. + + +type: integer + +-- + +*`zeek.kerberos.cipher`*:: ++ +-- +Ticket encryption type. + + +type: keyword + +-- + +*`zeek.kerberos.forwardable`*:: ++ +-- +Forwardable ticket requested. + + +type: boolean + +-- + +*`zeek.kerberos.renewable`*:: ++ +-- +Renewable ticket requested. + + +type: boolean + +-- + + +*`zeek.kerberos.ticket.auth`*:: ++ +-- +Hash of ticket used to authorize request/transaction. 
+ + +type: keyword + +-- + +*`zeek.kerberos.ticket.new`*:: ++ +-- +Hash of ticket returned by the KDC. + + +type: keyword + +-- + + + +*`zeek.kerberos.cert.client.value`*:: ++ +-- +Client certificate. + + +type: keyword + +-- + +*`zeek.kerberos.cert.client.fuid`*:: ++ +-- +File unique ID of client cert. + + +type: keyword + +-- + +*`zeek.kerberos.cert.client.subject`*:: ++ +-- +Subject of client certificate. + + +type: keyword + +-- + + +*`zeek.kerberos.cert.server.value`*:: ++ +-- +Server certificate. + + +type: keyword + +-- + +*`zeek.kerberos.cert.server.fuid`*:: ++ +-- +File unique ID of server certificate. + + +type: keyword + +-- + +*`zeek.kerberos.cert.server.subject`*:: ++ +-- +Subject of server certificate. + + +type: keyword + +-- + +[float] +=== modbus + +Fields exported by the Zeek modbus log. + + + +*`zeek.modbus.function`*:: ++ +-- +The name of the function message that was sent. + + +type: keyword + +-- + +*`zeek.modbus.exception`*:: ++ +-- +The exception if the response was a failure. + + +type: keyword + +-- + +*`zeek.modbus.track_address`*:: ++ +-- +Present if policy/protocols/modbus/track-memmap.bro is loaded. +Modbus track address. + + +type: integer + +-- + +[float] +=== mysql + +Fields exported by the Zeek MySQL log. + + + +*`zeek.mysql.cmd`*:: ++ +-- +The command that was issued. + + +type: keyword + +-- + +*`zeek.mysql.arg`*:: ++ +-- +The argument issued to the command. + + +type: keyword + +-- + +*`zeek.mysql.success`*:: ++ +-- +Whether the command succeeded. + + +type: boolean + +-- + +*`zeek.mysql.rows`*:: ++ +-- +The number of affected rows, if any. + + +type: integer + +-- + +*`zeek.mysql.response`*:: ++ +-- +Server message, if any. + + +type: keyword + +-- + +[float] +=== notice + +Fields exported by the Zeek Notice log. + + + +*`zeek.notice.connection_id`*:: ++ +-- +Identifier of the related connection session. + + +type: keyword + +-- + +*`zeek.notice.icmp_id`*:: ++ +-- +Identifier of the related ICMP session. 
+ + +type: keyword + +-- + +*`zeek.notice.file.id`*:: ++ +-- +An identifier associated with a single file that is related to this notice. + + +type: keyword + +-- + +*`zeek.notice.file.parent_id`*:: ++ +-- +Identifier associated with a container file from which this one was extracted. + + +type: keyword + +-- + +*`zeek.notice.file.source`*:: ++ +-- +An identification of the source of the file data. E.g. it may be a network protocol +over which it was transferred, or a local file path which was read, or some other +input source. + + +type: keyword + +-- + +*`zeek.notice.file.mime_type`*:: ++ +-- +A mime type if the notice is related to a file. + + +type: keyword + +-- + +*`zeek.notice.file.is_orig`*:: ++ +-- +If the source of this file is a network connection, this field indicates if the file is +being sent by the originator of the connection or the responder. + + +type: boolean + +-- + +*`zeek.notice.file.seen_bytes`*:: ++ +-- +Number of bytes provided to the file analysis engine for the file. + + +type: long + +-- + +*`zeek.notice.ffile.total_bytes`*:: ++ +-- +Total number of bytes that are supposed to comprise the full file. + + +type: long + +-- + +*`zeek.notice.file.missing_bytes`*:: ++ +-- +The number of bytes in the file stream that were completely missed during the process +of analysis. + + +type: long + +-- + +*`zeek.notice.file.overflow_bytes`*:: ++ +-- +The number of bytes in the file stream that were not delivered to stream file analyzers. +This could be overlapping bytes or bytes that couldn't be reassembled. + + +type: long + +-- + +*`zeek.notice.fuid`*:: ++ +-- +A file unique ID if this notice is related to a file. + + +type: keyword + +-- + +*`zeek.notice.note`*:: ++ +-- +The type of the notice. + + +type: keyword + +-- + +*`zeek.notice.msg`*:: ++ +-- +The human readable message for the notice. + + +type: keyword + +-- + +*`zeek.notice.sub`*:: ++ +-- +The human readable sub-message. 
+ + +type: keyword + +-- + +*`zeek.notice.n`*:: ++ +-- +Associated count, or a status code. + + +type: long + +-- + +*`zeek.notice.peer_name`*:: ++ +-- +Name of remote peer that raised this notice. + + +type: keyword + +-- + +*`zeek.notice.peer_descr`*:: ++ +-- +Textual description for the peer that raised this notice. + + +type: text + +-- + +*`zeek.notice.actions`*:: ++ +-- +The actions which have been applied to this notice. + + +type: keyword + +-- + +*`zeek.notice.email_body_sections`*:: ++ +-- +By adding chunks of text into this element, other scripts can expand on notices +that are being emailed. + + +type: text + +-- + +*`zeek.notice.email_delay_tokens`*:: ++ +-- +Adding a string token to this set will cause the built-in emailing functionality +to delay sending the email either the token has been removed or the email +has been delayed for the specified time duration. + + +type: keyword + +-- + +*`zeek.notice.identifier`*:: ++ +-- +This field is provided when a notice is generated for the purpose of deduplicating notices. + + +type: keyword + +-- + +*`zeek.notice.suppress_for`*:: ++ +-- +This field indicates the length of time that this unique notice should be suppressed. + + +type: double + +-- + +*`zeek.notice.dropped`*:: ++ +-- +Indicate if the source IP address was dropped and denied network access. + + +type: boolean + +-- + +[float] +=== ntlm + +Fields exported by the Zeek NTLM log. + + + +*`zeek.ntlm.domain`*:: ++ +-- +Domain name given by the client. + + +type: keyword + +-- + +*`zeek.ntlm.hostname`*:: ++ +-- +Hostname given by the client. + + +type: keyword + +-- + +*`zeek.ntlm.success`*:: ++ +-- +Indicate whether or not the authentication was successful. + + +type: boolean + +-- + +*`zeek.ntlm.username`*:: ++ +-- +Username given by the client. + + +type: keyword + +-- + + + +*`zeek.ntlm.server.name.dns`*:: ++ +-- +DNS name given by the server in a CHALLENGE. 
+ + +type: keyword + +-- + +*`zeek.ntlm.server.name.netbios`*:: ++ +-- +NetBIOS name given by the server in a CHALLENGE. + + +type: keyword + +-- + +*`zeek.ntlm.server.name.tree`*:: ++ +-- +Tree name given by the server in a CHALLENGE. + + +type: keyword + +-- + +[float] +=== ocsp + +Fields exported by the Zeek OCSP log +Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. + + + +*`zeek.ocsp.file_id`*:: ++ +-- +File id of the OCSP reply. + + +type: keyword + +-- + + +*`zeek.ocsp.hash.algorithm`*:: ++ +-- +Hash algorithm used to generate issuerNameHash and issuerKeyHash. + + +type: keyword + +-- + + +*`zeek.ocsp.hash.issuer.name`*:: ++ +-- +Hash of the issuer's distingueshed name. + + +type: keyword + +-- + +*`zeek.ocsp.hash.issuer.key`*:: ++ +-- +Hash of the issuer's public key. + + +type: keyword + +-- + +*`zeek.ocsp.serial_number`*:: ++ +-- +Serial number of the affected certificate. + + +type: keyword + +-- + +*`zeek.ocsp.status`*:: ++ +-- +Status of the affected certificate. + + +type: keyword + +-- + + +*`zeek.ocsp.revoke.time`*:: ++ +-- +Time at which the certificate was revoked. + + +type: date + +-- + +*`zeek.ocsp.revoke.reason`*:: ++ +-- +Reason for which the certificate was revoked. + + +type: keyword + +-- + + +*`zeek.ocsp.update.this`*:: ++ +-- +The time at which the status being shows is known to have been correct. + + +type: date + +-- + +*`zeek.ocsp.update.next`*:: ++ +-- +The latest time at which new information about the status of the certificate will be available. + + +type: date + +-- + +[float] +=== pe + +Fields exported by the Zeek pe log. + + + +*`zeek.pe.client`*:: ++ +-- +The client's version string. + + +type: keyword + +-- + +*`zeek.pe.id`*:: ++ +-- +File id of this portable executable file. + + +type: keyword + +-- + +*`zeek.pe.machine`*:: ++ +-- +The target machine that the file was compiled for. + + +type: keyword + +-- + +*`zeek.pe.compile_time`*:: ++ +-- +The time that the file was created at. 
+ + +type: date + +-- + +*`zeek.pe.os`*:: ++ +-- +The required operating system. + + +type: keyword + +-- + +*`zeek.pe.subsystem`*:: ++ +-- +The subsystem that is required to run this file. + + +type: keyword + +-- + +*`zeek.pe.is_exe`*:: ++ +-- +Is the file an executable, or just an object file? + + +type: boolean + +-- + +*`zeek.pe.is_64bit`*:: ++ +-- +Is the file a 64-bit executable? + + +type: boolean + +-- + +*`zeek.pe.uses_aslr`*:: ++ +-- +Does the file support Address Space Layout Randomization? + + +type: boolean + +-- + +*`zeek.pe.uses_dep`*:: ++ +-- +Does the file support Data Execution Prevention? + + +type: boolean + +-- + +*`zeek.pe.uses_code_integrity`*:: ++ +-- +Does the file enforce code integrity checks? + + +type: boolean + +-- + +*`zeek.pe.uses_seh`*:: ++ +-- +Does the file use structured exception handing? + + +type: boolean + +-- + +*`zeek.pe.has_import_table`*:: ++ +-- +Does the file have an import table? + + +type: boolean + +-- + +*`zeek.pe.has_export_table`*:: ++ +-- +Does the file have an export table? + + +type: boolean + +-- + +*`zeek.pe.has_cert_table`*:: ++ +-- +Does the file have an attribute certificate table? + + +type: boolean + +-- + +*`zeek.pe.has_debug_data`*:: ++ +-- +Does the file have a debug table? + + +type: boolean + +-- + +*`zeek.pe.section_names`*:: ++ +-- +The names of the sections, in order. + + +type: keyword + +-- + +[float] +=== radius + +Fields exported by the Zeek Radius log. + + + +*`zeek.radius.username`*:: ++ +-- +The username, if present. + + +type: keyword + +-- + +*`zeek.radius.mac`*:: ++ +-- +MAC address, if present. + + +type: keyword + +-- + +*`zeek.radius.framed_addr`*:: ++ +-- +The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. + + +type: ip + +-- + +*`zeek.radius.remote_ip`*:: ++ +-- +Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. 
+ + +type: ip + +-- + +*`zeek.radius.connect_info`*:: ++ +-- +Connect info, if present. + + +type: keyword + +-- + +*`zeek.radius.reply_msg`*:: ++ +-- +Reply message from the server challenge. This is frequently shown to the user authenticating. + + +type: keyword + +-- + +*`zeek.radius.result`*:: ++ +-- +Successful or failed authentication. + + +type: keyword + +-- + +*`zeek.radius.ttl`*:: ++ +-- +The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. + + +type: integer + +-- + +*`zeek.radius.logged`*:: ++ +-- +Whether this has already been logged and can be ignored. + + +type: boolean + +-- + +[float] +=== rdp + +Fields exported by the Zeek RDP log. + + + +*`zeek.rdp.cookie`*:: ++ +-- +Cookie value used by the client machine. This is typically a username. + + +type: keyword + +-- + +*`zeek.rdp.result`*:: ++ +-- +Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. + + +type: keyword + +-- + +*`zeek.rdp.security_protocol`*:: ++ +-- +Security protocol chosen by the server. + + +type: keyword + +-- + +*`zeek.rdp.keyboard_layout`*:: ++ +-- +Keyboard layout (language) of the client machine. + + +type: keyword + +-- + + +*`zeek.rdp.client.build`*:: ++ +-- +RDP client version used by the client machine. + + +type: keyword + +-- + +*`zeek.rdp.client.client_name`*:: ++ +-- +Name of the client machine. + + +type: keyword + +-- + +*`zeek.rdp.client.product_id`*:: ++ +-- +Product ID of the client machine. + + +type: keyword + +-- + + +*`zeek.rdp.desktop.width`*:: ++ +-- +Desktop width of the client machine. + + +type: integer + +-- + +*`zeek.rdp.desktop.height`*:: ++ +-- +Desktop height of the client machine. + + +type: integer + +-- + +*`zeek.rdp.desktop.color_depth`*:: ++ +-- +The color depth requested by the client in the high_color_depth field. 
+ + +type: keyword + +-- + + +*`zeek.rdp.cert.type`*:: ++ +-- +If the connection is being encrypted with native RDP encryption, this is the type of cert being used. + + +type: keyword + +-- + +*`zeek.rdp.cert.count`*:: ++ +-- +The number of certs seen. X.509 can transfer an entire certificate chain. + + +type: integer + +-- + +*`zeek.rdp.cert.permanent`*:: ++ +-- +Indicates if the provided certificate or certificate chain is permanent or temporary. + + +type: boolean + +-- + + +*`zeek.rdp.encryption.level`*:: ++ +-- +Encryption level of the connection. + + +type: keyword + +-- + +*`zeek.rdp.encryption.method`*:: ++ +-- +Encryption method of the connection. + + +type: keyword + +-- + +*`zeek.rdp.done`*:: ++ +-- +Track status of logging RDP connections. + + +type: boolean + +-- + +*`zeek.rdp.ssl`*:: ++ +-- +(present if policy/protocols/rdp/indicate_ssl.bro is loaded) +Flag the connection if it was seen over SSL. + + +type: boolean + +-- + +[float] +=== rfb + +Fields exported by the Zeek RFB log. + + + + + +*`zeek.rfb.version.client.major`*:: ++ +-- +Major version of the client. + + +type: keyword + +-- + +*`zeek.rfb.version.client.minor`*:: ++ +-- +Minor version of the client. + + +type: keyword + +-- + + +*`zeek.rfb.version.server.major`*:: ++ +-- +Major version of the server. + + +type: keyword + +-- + +*`zeek.rfb.version.server.minor`*:: ++ +-- +Minor version of the server. + + +type: keyword + +-- + + +*`zeek.rfb.auth.success`*:: ++ +-- +Whether or not authentication was successful. + + +type: boolean + +-- + +*`zeek.rfb.auth.method`*:: ++ +-- +Identifier of authentication method used. + + +type: keyword + +-- + +*`zeek.rfb.share_flag`*:: ++ +-- +Whether the client has an exclusive or a shared session. + + +type: boolean + +-- + +*`zeek.rfb.desktop_name`*:: ++ +-- +Name of the screen that is being shared. + + +type: keyword + +-- + +*`zeek.rfb.width`*:: ++ +-- +Width of the screen that is being shared. 
+ + +type: integer + +-- + +*`zeek.rfb.height`*:: ++ +-- +Height of the screen that is being shared. + + +type: integer + +-- + +[float] +=== sip + +Fields exported by the Zeek SIP log. + + + +*`zeek.sip.transaction_depth`*:: ++ +-- +Represents the pipelined depth into the connection of this request/response transaction. + + +type: integer + +-- + + +*`zeek.sip.sequence.method`*:: ++ +-- +Verb used in the SIP request (INVITE, REGISTER etc.). + + +type: keyword + +-- + +*`zeek.sip.sequence.number`*:: ++ +-- +Contents of the CSeq: header from the client. + + +type: keyword + +-- + +*`zeek.sip.uri`*:: ++ +-- +URI used in the request. + + +type: keyword + +-- + +*`zeek.sip.date`*:: ++ +-- +Contents of the Date: header from the client. + + +type: keyword + +-- + + +*`zeek.sip.request.from`*:: ++ +-- +Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. + + +type: keyword + +-- + +*`zeek.sip.request.to`*:: ++ +-- +Contents of the To: header. + + +type: keyword + +-- + +*`zeek.sip.request.path`*:: ++ +-- +The client message transmission path, as extracted from the headers. + + +type: keyword + +-- + +*`zeek.sip.request.body_length`*:: ++ +-- +Contents of the Content-Length: header from the client. + + +type: long + +-- + + +*`zeek.sip.response.from`*:: ++ +-- +Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. + + +type: keyword + +-- + +*`zeek.sip.response.to`*:: ++ +-- +Contents of the response To: header. + + +type: keyword + +-- + +*`zeek.sip.response.path`*:: ++ +-- +The server message transmission path, as extracted from the headers. + + +type: keyword + +-- + +*`zeek.sip.response.body_length`*:: ++ +-- +Contents of the Content-Length: header from the server. + + +type: long + +-- + +*`zeek.sip.reply_to`*:: ++ +-- +Contents of the Reply-To: header. + + +type: keyword + +-- + +*`zeek.sip.call_id`*:: ++ +-- +Contents of the Call-ID: header from the client. + + +type: keyword + +-- + +*`zeek.sip.subject`*:: ++ +-- +Contents of the Subject: header from the client. + + +type: keyword + +-- + +*`zeek.sip.user_agent`*:: ++ +-- +Contents of the User-Agent: header from the client. + + +type: keyword + +-- + + +*`zeek.sip.status.code`*:: ++ +-- +Status code returned by the server. + + +type: integer + +-- + +*`zeek.sip.status.msg`*:: ++ +-- +Status message returned by the server. + + +type: keyword + +-- + +*`zeek.sip.warning`*:: ++ +-- +Contents of the Warning: header. + + +type: keyword + +-- + +*`zeek.sip.content_type`*:: ++ +-- +Contents of the Content-Type: header from the server. + + +type: keyword + +-- + +[float] +=== smb_cmd + +Fields exported by the Zeek smb_cmd log. + + + +*`zeek.smb_cmd.command`*:: ++ +-- +The command sent by the client. + + +type: keyword + +-- + +*`zeek.smb_cmd.sub_command`*:: ++ +-- +The subcommand sent by the client, if present. + + +type: keyword + +-- + +*`zeek.smb_cmd.argument`*:: ++ +-- +Command argument sent by the client, if any. + + +type: keyword + +-- + +*`zeek.smb_cmd.status`*:: ++ +-- +Server reply to the client's command. + + +type: keyword + +-- + +*`zeek.smb_cmd.rtt`*:: ++ +-- +Round trip time from the request to the response. + + +type: double + +-- + +*`zeek.smb_cmd.version`*:: ++ +-- +Version of SMB for the command. 
+ + +type: keyword + +-- + +*`zeek.smb_cmd.username`*:: ++ +-- +Authenticated username, if available. + + +type: keyword + +-- + +*`zeek.smb_cmd.tree`*:: ++ +-- +If this is related to a tree, this is the tree that was used for the current command. + + +type: keyword + +-- + +*`zeek.smb_cmd.tree_service`*:: ++ +-- +The type of tree (disk share, printer share, named pipe, etc.). + + +type: keyword + +-- + +[float] +=== file + +If the command referenced a file, store it here. + + + +*`zeek.smb_cmd.file.name`*:: ++ +-- +Filename if one was seen. + + +type: keyword + +-- + +*`zeek.smb_cmd.file.action`*:: ++ +-- +Action this log record represents. + + +type: keyword + +-- + +*`zeek.smb_cmd.file.uid`*:: ++ +-- +UID of the referenced file. + + +type: keyword + +-- + + +*`zeek.smb_cmd.file.host.tx`*:: ++ +-- +Address of the transmitting host. + + +type: ip + +-- + +*`zeek.smb_cmd.file.host.rx`*:: ++ +-- +Address of the receiving host. + + +type: ip + +-- + +*`zeek.smb_cmd.smb1_offered_dialects`*:: ++ +-- +Present if base/protocols/smb/smb1-main.bro is loaded. +Dialects offered by the client. + + +type: keyword + +-- + +*`zeek.smb_cmd.smb2_offered_dialects`*:: ++ +-- +Present if base/protocols/smb/smb2-main.bro is loaded. +Dialects offered by the client. + + +type: integer + +-- + +[float] +=== smb_files + +Fields exported by the Zeek SMB Files log. + + + +*`zeek.smb_files.action`*:: ++ +-- +Action this log record represents. + + +type: keyword + +-- + +*`zeek.smb_files.fid`*:: ++ +-- +ID referencing this file. + + +type: integer + +-- + +*`zeek.smb_files.name`*:: ++ +-- +Filename if one was seen. + + +type: keyword + +-- + +*`zeek.smb_files.path`*:: ++ +-- +Path pulled from the tree this file was transferred to or from. + + +type: keyword + +-- + +*`zeek.smb_files.previous_name`*:: ++ +-- +If the rename action was seen, this will be the file's previous name. + + +type: keyword + +-- + +*`zeek.smb_files.size`*:: ++ +-- +Byte size of the file. 
+ + +type: long + +-- + +[float] +=== times + +Timestamps of the file. + + + +*`zeek.smb_files.times.accessed`*:: ++ +-- +The file's access time. + + +type: date + +-- + +*`zeek.smb_files.times.changed`*:: ++ +-- +The file's change time. + + +type: date + +-- + +*`zeek.smb_files.times.created`*:: ++ +-- +The file's create time. + + +type: date + +-- + +*`zeek.smb_files.times.modified`*:: ++ +-- +The file's modify time. + + +type: date + +-- + +*`zeek.smb_files.uuid`*:: ++ +-- +UUID referencing this file if DCE/RPC. + + +type: keyword + +-- + +[float] +=== smb_mapping + +Fields exported by the Zeek SMB_Mapping log. + + + +*`zeek.smb_mapping.path`*:: ++ +-- +Name of the tree path. + + +type: keyword + +-- + +*`zeek.smb_mapping.service`*:: ++ +-- +The type of resource of the tree (disk share, printer share, named pipe, etc.). + + +type: keyword + +-- + +*`zeek.smb_mapping.native_file_system`*:: ++ +-- +File system of the tree. + + +type: keyword + +-- + +*`zeek.smb_mapping.share_type`*:: ++ +-- +If this is SMB2, a share type will be included. For SMB1, the type of share +will be deduced and included as well. + + +type: keyword + +-- + +[float] +=== smtp + +Fields exported by the Zeek SMTP log. + + + +*`zeek.smtp.transaction_depth`*:: ++ +-- +A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. + + +type: integer + +-- + +*`zeek.smtp.helo`*:: ++ +-- +Contents of the Helo header. + + +type: keyword + +-- + +*`zeek.smtp.mail_from`*:: ++ +-- +Email addresses found in the MAIL FROM header. + + +type: keyword + +-- + +*`zeek.smtp.rcpt_to`*:: ++ +-- +Email addresses found in the RCPT TO header. + + +type: keyword + +-- + +*`zeek.smtp.date`*:: ++ +-- +Contents of the Date header. + + +type: date + +-- + +*`zeek.smtp.from`*:: ++ +-- +Contents of the From header. + + +type: keyword + +-- + +*`zeek.smtp.to`*:: ++ +-- +Contents of the To header. 
+ + +type: keyword + +-- + +*`zeek.smtp.cc`*:: ++ +-- +Contents of the CC header. + + +type: keyword + +-- + +*`zeek.smtp.reply_to`*:: ++ +-- +Contents of the ReplyTo header. + + +type: keyword + +-- + +*`zeek.smtp.msg_id`*:: ++ +-- +Contents of the MsgID header. + + +type: keyword + +-- + +*`zeek.smtp.in_reply_to`*:: ++ +-- +Contents of the In-Reply-To header. + + +type: keyword + +-- + +*`zeek.smtp.subject`*:: ++ +-- +Contents of the Subject header. + + +type: keyword + +-- + +*`zeek.smtp.x_originating_ip`*:: ++ +-- +Contents of the X-Originating-IP header. + + +type: keyword + +-- + +*`zeek.smtp.first_received`*:: ++ +-- +Contents of the first Received header. + + +type: keyword + +-- + +*`zeek.smtp.second_received`*:: ++ +-- +Contents of the second Received header. + + +type: keyword + +-- + +*`zeek.smtp.last_reply`*:: ++ +-- +The last message that the server sent to the client. + + +type: keyword + +-- + +*`zeek.smtp.path`*:: ++ +-- +The message transmission path, as extracted from the headers. + + +type: ip + +-- + +*`zeek.smtp.user_agent`*:: ++ +-- +Value of the User-Agent header from the client. + + +type: keyword + +-- + +*`zeek.smtp.tls`*:: ++ +-- +Indicates that the connection has switched to using TLS. + + +type: boolean + +-- + +*`zeek.smtp.process_received_from`*:: ++ +-- +Indicates if the "Received: from" headers should still be processed. + + +type: boolean + +-- + +*`zeek.smtp.has_client_activity`*:: ++ +-- +Indicates if client activity has been seen, but not yet logged. + + +type: boolean + +-- + +*`zeek.smtp.fuids`*:: ++ +-- +(present if base/protocols/smtp/files.bro is loaded) +An ordered vector of file unique IDs seen attached to the message. + + +type: keyword + +-- + +*`zeek.smtp.is_webmail`*:: ++ +-- +Indicates if the message was sent through a webmail interface. + + +type: boolean + +-- + +[float] +=== snmp + +Fields exported by the Zeek SNMP log. 
+ + + +*`zeek.snmp.duration`*:: ++ +-- +The amount of time between the first packet beloning to the SNMP session and the latest one seen. + + +type: double + +-- + +*`zeek.snmp.version`*:: ++ +-- +The version of SNMP being used. + + +type: keyword + +-- + +*`zeek.snmp.community`*:: ++ +-- +The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. + + +type: keyword + +-- + + +*`zeek.snmp.get.requests`*:: ++ +-- +The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.get.bulk_requests`*:: ++ +-- +The number of variable bindings in GetBulkRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.get.responses`*:: ++ +-- +The number of variable bindings in GetResponse/Response PDUs seen for the session. + + +type: integer + +-- + + +*`zeek.snmp.set.requests`*:: ++ +-- +The number of variable bindings in SetRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.display_string`*:: ++ +-- +A system description of the SNMP responder endpoint. + + +type: keyword + +-- + +*`zeek.snmp.up_since`*:: ++ +-- +The time at which the SNMP responder endpoint claims it's been up since. + + +type: date + +-- + +[float] +=== socks + +Fields exported by the Zeek SOCKS log. + + + +*`zeek.socks.version`*:: ++ +-- +Protocol version of SOCKS. + + +type: integer + +-- + +*`zeek.socks.user`*:: ++ +-- +Username used to request a login to the proxy. + + +type: keyword + +-- + +*`zeek.socks.password`*:: ++ +-- +Password used to request a login to the proxy. + + +type: keyword + +-- + +*`zeek.socks.status`*:: ++ +-- +Server status for the attempt at using the proxy. + + +type: keyword + +-- + + +*`zeek.socks.request.host`*:: ++ +-- +Client requested SOCKS address. Could be an address, a name or both. 
+ + +type: keyword + +-- + +*`zeek.socks.request.port`*:: ++ +-- +Client requested port. + + +type: integer + +-- + + +*`zeek.socks.bound.host`*:: ++ +-- +Server bound address. Could be an address, a name or both. + + +type: keyword + +-- + +*`zeek.socks.bound.port`*:: ++ +-- +Server bound port. + + +type: integer + +-- + +*`zeek.socks.capture_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +[float] +=== ssh + +Fields exported by the Zeek SSH log. + + + +*`zeek.ssh.client`*:: ++ +-- +The client's version string. + + +type: keyword + +-- + +*`zeek.ssh.direction`*:: ++ +-- +Direction of the connection. If the client was a local host logging into +an external host, this would be OUTBOUND. INBOUND would be set for the +opposite situation. + + +type: keyword + +-- + +*`zeek.ssh.host_key`*:: ++ +-- +The server's key thumbprint. + + +type: keyword + +-- + +*`zeek.ssh.server`*:: ++ +-- +The server's version string. + + +type: keyword + +-- + +*`zeek.ssh.version`*:: ++ +-- +SSH major version (1 or 2). + + +type: integer + +-- + +[float] +=== algorithm + +Cipher algorithms used in this session. + + + +*`zeek.ssh.algorithm.cipher`*:: ++ +-- +The encryption algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.compression`*:: ++ +-- +The compression algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.host_key`*:: ++ +-- +The server host key's algorithm. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.key_exchange`*:: ++ +-- +The key exchange algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.mac`*:: ++ +-- +The signing (MAC) algorithm in use. + + +type: keyword + +-- + + +*`zeek.ssh.auth.attempts`*:: ++ +-- +The number of authentication attemps we observed. There's always at +least one, since some servers might support no authentication at all. +It's important to note that not all of these are failures, since some +servers require two-factor auth (e.g. 
password AND pubkey). + + +type: integer + +-- + +*`zeek.ssh.auth.success`*:: ++ +-- +Authentication result. + + +type: boolean + +-- + +[float] +=== ssl + +Fields exported by the Zeek SSL log. + + + +*`zeek.ssl.version`*:: ++ +-- +SSL/TLS version that was logged. + + +type: keyword + +-- + +*`zeek.ssl.cipher`*:: ++ +-- +SSL/TLS cipher suite that was logged. + + +type: keyword + +-- + +*`zeek.ssl.curve`*:: ++ +-- +Elliptic curve that was logged when using ECDH/ECDHE. + + +type: keyword + +-- + +*`zeek.ssl.resumed`*:: ++ +-- +Flag to indicate if the session was resumed reusing the key material exchanged in an +earlier connection. + + +type: boolean + +-- + +*`zeek.ssl.next_protocol`*:: ++ +-- +Next protocol the server chose using the application layer next protocol extension. + + +type: keyword + +-- + +*`zeek.ssl.established`*:: ++ +-- +Flag to indicate if this ssl session has been established successfully. + + +type: boolean + +-- + + +*`zeek.ssl.validation.status`*:: ++ +-- +Result of certificate validation for this connection. + + +type: keyword + +-- + +*`zeek.ssl.validation.code`*:: ++ +-- +Result of certificate validation for this connection, given as OpenSSL validation code. + + +type: keyword + +-- + +*`zeek.ssl.last_alert`*:: ++ +-- +Last alert that was seen during the connection. + + +type: keyword + +-- + + +*`zeek.ssl.server.name`*:: ++ +-- +Value of the Server Name Indicator SSL/TLS extension. It indicates the server name +that the client was requesting. + + +type: keyword + +-- + +*`zeek.ssl.server.cert_chain`*:: ++ +-- +Chain of certificates offered by the server to validate its complete signing chain. + + +type: keyword + +-- + +*`zeek.ssl.server.cert_chain_fuids`*:: ++ +-- +An ordered vector of certificate file identifiers for the certificates offered by the server. + + +type: keyword + +-- + +[float] +=== issuer + +Subject of the signer of the X.509 certificate offered by the server. 
+ + + +*`zeek.ssl.server.issuer.common_name`*:: ++ +-- +Common name of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.country`*:: ++ +-- +Country code of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.locality`*:: ++ +-- +Locality of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.organization`*:: ++ +-- +Organization of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.organizational_unit`*:: ++ +-- +Organizational unit of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.state`*:: ++ +-- +State or province name of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +[float] +=== subject + +Subject of the X.509 certificate offered by the server. + + + +*`zeek.ssl.server.subject.common_name`*:: ++ +-- +Common name of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.country`*:: ++ +-- +Country code of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.locality`*:: ++ +-- +Locality of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.organization`*:: ++ +-- +Organization of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.organizational_unit`*:: ++ +-- +Organizational unit of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.state`*:: ++ +-- +State or province name of the X.509 certificate offered by the server. + + +type: keyword + +-- + + +*`zeek.ssl.client.cert_chain`*:: ++ +-- +Chain of certificates offered by the client to validate its complete signing chain. 
+ + +type: keyword + +-- + +*`zeek.ssl.client.cert_chain_fuids`*:: ++ +-- +An ordered vector of certificate file identifiers for the certificates offered by the client. + + +type: keyword + +-- + +[float] +=== issuer + +Subject of the signer of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.issuer.common_name`*:: ++ +-- +Common name of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.country`*:: ++ +-- +Country code of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.locality`*:: ++ +-- +Locality of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.organization`*:: ++ +-- +Organization of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.organizational_unit`*:: ++ +-- +Organizational unit of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.state`*:: ++ +-- +State or province name of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +[float] +=== subject + +Subject of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.subject.common_name`*:: ++ +-- +Common name of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.country`*:: ++ +-- +Country code of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.locality`*:: ++ +-- +Locality of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.organization`*:: ++ +-- +Organization of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.organizational_unit`*:: ++ +-- +Organizational unit of the X.509 certificate offered by the client. 
+ + +type: keyword + +-- + +*`zeek.ssl.client.subject.state`*:: ++ +-- +State or province name of the X.509 certificate offered by the client. + + +type: keyword + +-- + +[float] +=== stats + +Fields exported by the Zeek stats log. + + + +*`zeek.stats.peer`*:: ++ +-- +Peer that generated this log. Mostly for clusters. + + +type: keyword + +-- + +*`zeek.stats.memory`*:: ++ +-- +Amount of memory currently in use in MB. + + +type: integer + +-- + + +*`zeek.stats.packets.processed`*:: ++ +-- +Number of packets processed since the last stats interval. + + +type: long + +-- + +*`zeek.stats.packets.dropped`*:: ++ +-- +Number of packets dropped since the last stats interval if reading live traffic. + + +type: long -- -*`system.auth.sudo.command`*:: +*`zeek.stats.packets.received`*:: + -- -The command executed via sudo. +Number of packets seen on the link since the last stats interval if reading live traffic. + + +type: long + +-- + + +*`zeek.stats.bytes.received`*:: ++ +-- +Number of bytes received since the last stats interval if reading live traffic. + + +type: long + +-- + + + +*`zeek.stats.connections.tcp.active`*:: ++ +-- +TCP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.tcp.count`*:: ++ +-- +TCP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.connections.udp.active`*:: ++ +-- +UDP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.udp.count`*:: ++ +-- +UDP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.connections.icmp.active`*:: ++ +-- +ICMP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.icmp.count`*:: ++ +-- +ICMP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.events.processed`*:: ++ +-- +Number of events processed since the last stats interval. 
+ + +type: integer + +-- + +*`zeek.stats.events.queued`*:: ++ +-- +Number of events that have been queued since the last stats interval. + + +type: integer + +-- + + +*`zeek.stats.timers.count`*:: ++ +-- +Number of timers scheduled since last stats interval. + + +type: integer + +-- + +*`zeek.stats.timers.active`*:: ++ +-- +Current number of scheduled timers. + +type: integer + +-- + + +*`zeek.stats.files.count`*:: ++ +-- +Number of files seen since last stats interval. + + +type: integer + +-- + +*`zeek.stats.files.active`*:: ++ +-- +Current number of files actively being seen. + + +type: integer + +-- + + +*`zeek.stats.dns_requests.count`*:: ++ +-- +Number of DNS requests seen since last stats interval. + + +type: integer + +-- + +*`zeek.stats.dns_requests.active`*:: ++ +-- +Current number of DNS requests awaiting a reply. + + +type: integer + +-- + + +*`zeek.stats.reassembly_size.tcp`*:: ++ +-- +Current size of TCP data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.file`*:: ++ +-- +Current size of File data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.frag`*:: ++ +-- +Current size of packet fragment data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.unknown`*:: ++ +-- +Current size of unknown data in reassembly (this is only PIA buffer right now). + + +type: integer + +-- + +*`zeek.stats.timestamp_lag`*:: ++ +-- +Lag between the wall clock and packet timestamps if reading live traffic. + + +type: integer -- [float] -=== useradd +=== syslog -Fields specific to events created by the `useradd` command. +Fields exported by the Zeek syslog log. -*`system.auth.useradd.home`*:: +*`zeek.syslog.facility`*:: + -- -The home folder for the new user. +Syslog facility for the message. + + +type: keyword -- -*`system.auth.useradd.shell`*:: +*`zeek.syslog.severity`*:: + -- -The default shell for the new user. +Syslog severity for the message. 
+ + +type: keyword -- -*`system.auth.useradd.name`*:: +*`zeek.syslog.message`*:: + -- -type: alias +The plain text message. -alias to: user.name + +type: keyword -- -*`system.auth.useradd.uid`*:: +[float] +=== tunnel + +Fields exported by the Zeek SSH log. + + + +*`zeek.tunnel.type`*:: + -- -type: alias +The type of tunnel. -alias to: user.id + +type: keyword -- -*`system.auth.useradd.gid`*:: +*`zeek.tunnel.action`*:: + -- -type: alias +The type of activity that occurred. -alias to: group.id + +type: keyword + +-- + +[float] +=== weird + +Fields exported by the Zeek Weird log. + + + +*`zeek.weird.name`*:: ++ +-- +The name of the weird that occurred. + + +type: keyword + +-- + +*`zeek.weird.additional_info`*:: ++ +-- +Additional information accompanying the weird if any. + + +type: keyword + +-- + +*`zeek.weird.notice`*:: ++ +-- +Indicate if this weird was also turned into a notice. + + +type: boolean + +-- + +*`zeek.weird.peer`*:: ++ +-- +The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. + + +type: keyword + +-- + +*`zeek.weird.identifier`*:: ++ +-- +This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. + + +type: keyword + +-- + +[float] +=== x509 + +Fields exported by the Zeek x509 log. + + + +*`zeek.x509.id`*:: ++ +-- +File id of this certificate. + + +type: keyword + +-- + +[float] +=== certificate + +Basic information about the certificate. + + + +*`zeek.x509.certificate.version`*:: ++ +-- +Version number. + + +type: integer + +-- + +*`zeek.x509.certificate.serial`*:: ++ +-- +Serial number. + + +type: keyword + +-- + +[float] +=== subject + +Subject. 
+ + + +*`zeek.x509.certificate.subject.country`*:: ++ +-- +Country provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.common_name`*:: ++ +-- +Common name provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.locality`*:: ++ +-- +Locality provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.organization`*:: ++ +-- +Organization provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.organizational_unit`*:: ++ +-- +Organizational unit provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.state`*:: ++ +-- +State or province provided in the certificate subject. + + +type: keyword + +-- + +[float] +=== issuer + +Issuer. + + + +*`zeek.x509.certificate.issuer.country`*:: ++ +-- +Country provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.common_name`*:: ++ +-- +Common name provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.locality`*:: ++ +-- +Locality provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.organization`*:: ++ +-- +Organization provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.organizational_unit`*:: ++ +-- +Organizational unit provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.state`*:: ++ +-- +State or province provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.common_name`*:: ++ +-- +Last (most specific) common name. + + +type: keyword -- [float] -=== groupadd +=== valid -Fields specific to events created by the `groupadd` command. 
+Certificate validity timestamps -*`system.auth.groupadd.name`*:: +*`zeek.x509.certificate.valid.from`*:: + -- -type: alias +Timestamp before when certificate is not valid. -alias to: group.name --- +type: date -*`system.auth.groupadd.gid`*:: -+ -- -type: alias - -alias to: group.id +*`zeek.x509.certificate.valid.until`*:: ++ -- +Timestamp after when certificate is not valid. -[float] -=== syslog -Contains fields from the syslog system logs. +type: date +-- -*`system.syslog.timestamp`*:: +*`zeek.x509.certificate.key.algorithm`*:: + -- -type: alias +Name of the key algorithm. -alias to: @timestamp + +type: keyword -- -*`system.syslog.hostname`*:: +*`zeek.x509.certificate.key.type`*:: + -- -type: alias +Key type, if key parseable by openssl (either rsa, dsa or ec). -alias to: host.hostname + +type: keyword -- -*`system.syslog.program`*:: +*`zeek.x509.certificate.key.length`*:: + -- -type: alias +Key length in bits. -alias to: process.name + +type: integer -- -*`system.syslog.pid`*:: +*`zeek.x509.certificate.signature_algorithm`*:: + -- -type: alias +Name of the signature algorithm. -alias to: process.pid --- +type: keyword -*`system.syslog.message`*:: -+ -- -type: alias - -alias to: message +*`zeek.x509.certificate.exponent`*:: ++ -- +Exponent, if RSA-certificate. -[[exported-fields-traefik]] -== Traefik fields - -Module for parsing the Traefik log files. +type: keyword +-- -[float] -=== traefik +*`zeek.x509.certificate.curve`*:: ++ +-- +Curve, if EC-certificate. -Fields from the Traefik log files. +type: keyword +-- [float] -=== access +=== san -Contains fields for the Traefik access logs. +Subject alternative name extension of the certificate. -*`traefik.access.user_identifier`*:: +*`zeek.x509.san.dns`*:: + -- -Is the RFC 1413 identity of the client +List of DNS entries in SAN. type: keyword -- -*`traefik.access.request_count`*:: +*`zeek.x509.san.uri`*:: + -- -The number of requests +List of URI entries in SAN. 
-type: long +type: keyword -- -*`traefik.access.frontend_name`*:: +*`zeek.x509.san.email`*:: + -- -The name of the frontend used +List of email entries in SAN. type: keyword -- -*`traefik.access.backend_url`*:: +*`zeek.x509.san.ip`*:: + -- -The url of the backend where request is forwarded +List of IP entries in SAN. -type: keyword + +type: ip -- -*`traefik.access.body_sent.bytes`*:: +*`zeek.x509.san.other_fields`*:: + -- -type: alias +True if the certificate contained other, not recognized or parsed name fields. -alias to: http.response.body.bytes --- +type: boolean -*`traefik.access.remote_ip`*:: -+ -- -type: alias -alias to: source.address +[float] +=== basic_constraints --- +Basic constraints extension of the certificate. -*`traefik.access.user_name`*:: + + +*`zeek.x509.basic_constraints.certificate_authority`*:: + -- -type: alias +CA flag set or not. -alias to: user.name + +type: boolean -- -*`traefik.access.method`*:: +*`zeek.x509.basic_constraints.path_length`*:: + -- -type: alias +Maximum path length. -alias to: http.request.method + +type: integer -- -*`traefik.access.url`*:: +*`zeek.x509.log_cert`*:: + -- -type: alias +Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded +Logging of certificate is suppressed if set to F. -alias to: url.original --- +type: boolean -*`traefik.access.http_version`*:: -+ -- -type: alias -alias to: http.version +[[exported-fields-zscaler]] +== Zscaler NSS fields --- +zscaler fields. -*`traefik.access.response_code`*:: + + +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. 
-alias to: http.response.status_code --- +type: keyword -*`traefik.access.referrer`*:: -+ -- -type: alias -alias to: http.request.referrer --- -*`traefik.access.agent`*:: +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: user_agent.original +type: keyword -- - -*`traefik.access.user_agent.device`*:: +*`rsa.internal.messageid`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`traefik.access.user_agent.name`*:: +*`rsa.internal.event_desc`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`traefik.access.user_agent.os`*:: +*`rsa.internal.message`*:: + -- -type: alias +This key captures the contents of instant messages -alias to: user_agent.os.full_name +type: keyword -- -*`traefik.access.user_agent.os_name`*:: +*`rsa.internal.time`*:: + -- -type: alias +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -alias to: user_agent.os.name +type: date -- -*`traefik.access.user_agent.original`*:: +*`rsa.internal.level`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: user_agent.original +type: long -- - -*`traefik.access.geoip.continent_name`*:: +*`rsa.internal.msg_id`*:: + -- -type: alias +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: source.geo.continent_name +type: keyword -- -*`traefik.access.geoip.country_iso_code`*:: +*`rsa.internal.msg_vid`*:: + -- -type: alias +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: source.geo.country_iso_code +type: keyword -- -*`traefik.access.geoip.location`*:: +*`rsa.internal.data`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.location +type: keyword -- -*`traefik.access.geoip.region_name`*:: +*`rsa.internal.obj_server`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_name +type: keyword -- -*`traefik.access.geoip.city_name`*:: +*`rsa.internal.obj_val`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.city_name +type: keyword -- -*`traefik.access.geoip.region_iso_code`*:: +*`rsa.internal.resource`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-zeek]] -== Zeek fields - -Module for handling logs produced by Zeek/Bro - - - -[float] -=== zeek - -Fields from Zeek/Bro logs after normalization +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.session_id`*:: +*`rsa.internal.statement`*:: + -- -A unique identifier of the session - +Deprecated key defined only in table map. type: keyword -- -[float] -=== capture_loss - -Fields exported by the Zeek capture_loss log +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.capture_loss.ts_delta`*:: +*`rsa.internal.entry`*:: + -- -The time delay between this measurement and the last. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`zeek.capture_loss.peer`*:: +*`rsa.internal.hcode`*:: + -- -In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. - +Deprecated key defined only in table map. 
type: keyword -- -*`zeek.capture_loss.gaps`*:: +*`rsa.internal.inode`*:: + -- -Number of missed ACKs from the previous measurement interval. - +Deprecated key defined only in table map. -type: integer +type: long -- -*`zeek.capture_loss.acks`*:: +*`rsa.internal.resource_class`*:: + -- -Total number of ACKs seen in the previous measurement interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.capture_loss.percent_lost`*:: +*`rsa.internal.dead`*:: + -- -Percentage of ACKs seen where the data being ACKed wasn't seen. - +Deprecated key defined only in table map. -type: double +type: long -- -[float] -=== connection - -Fields exported by the Zeek Connection log +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`zeek.connection.local_orig`*:: +*`rsa.internal.feed_name`*:: + -- -Indicates whether the session is originated locally. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: boolean +type: keyword -- -*`zeek.connection.local_resp`*:: +*`rsa.internal.cid`*:: + -- -Indicates whether the session is responded locally. - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: boolean +type: keyword -- -*`zeek.connection.missed_bytes`*:: +*`rsa.internal.device_class`*:: + -- -Missed bytes for the session. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`zeek.connection.state`*:: +*`rsa.internal.device_group`*:: + -- -Code indicating the state of the session. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.connection.state_message`*:: +*`rsa.internal.device_host`*:: + -- -The state of the session. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`zeek.connection.icmp.type`*:: +*`rsa.internal.device_ip`*:: + -- -ICMP message type. +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: ip -- -*`zeek.connection.icmp.code`*:: +*`rsa.internal.device_ipv6`*:: + -- -ICMP message code. - +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: ip -- -*`zeek.connection.history`*:: +*`rsa.internal.device_type`*:: + -- -Flags indicating the history of the session. - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.connection.vlan`*:: +*`rsa.internal.device_type_id`*:: + -- -VLAN identifier. - +Deprecated key defined only in table map. -type: integer +type: long -- -*`zeek.connection.inner_vlan`*:: +*`rsa.internal.did`*:: + -- -VLAN identifier. 
+This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -[float] -=== dce_rpc - -Fields exported by the Zeek DCE_RPC log - - - -*`zeek.dce_rpc.rtt`*:: +*`rsa.internal.entropy_req`*:: + -- -Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: integer +type: long -- -*`zeek.dce_rpc.named_pipe`*:: +*`rsa.internal.entropy_res`*:: + -- -Remote pipe name. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`zeek.dce_rpc.endpoint`*:: +*`rsa.internal.event_name`*:: + -- -Endpoint name looked up from the uuid. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.dce_rpc.operation`*:: +*`rsa.internal.feed_category`*:: + -- -Operation seen in the call. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== dhcp - -Fields exported by the Zeek DHCP log - - - -*`zeek.dhcp.domain`*:: +*`rsa.internal.forward_ip`*:: + -- -Domain given by the server in option 15. - +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`zeek.dhcp.duration`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Duration of the DHCP session representing the time from the first -message to the last, in seconds. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: ip -- -*`zeek.dhcp.hostname`*:: +*`rsa.internal.header_id`*:: + -- -Name given by client in Hostname option 12. - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.client_fqdn`*:: +*`rsa.internal.lc_cid`*:: + -- -FQDN given by client in Client FQDN option 81. - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.lease_time`*:: +*`rsa.internal.lc_ctime`*:: + -- -IP address lease interval in seconds. +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: date -- -[float] -=== address - -Addresses seen in this DHCP exchange. - - - -*`zeek.dhcp.address.assigned`*:: +*`rsa.internal.mcb_req`*:: + -- -IP address assigned by the server. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: ip +type: long -- -*`zeek.dhcp.address.client`*:: +*`rsa.internal.mcb_res`*:: + -- -IP address of the client. If a transaction is only a client sending -INFORM messages then there is no lease information exchanged so this -is helpful to know who sent the messages. Getting an address in this -field does require that the client sources at least one DHCP message -using a non-broadcast address. 
- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: ip +type: long -- -*`zeek.dhcp.address.mac`*:: +*`rsa.internal.mcbc_req`*:: + -- -Client's hardware address. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`zeek.dhcp.address.requested`*:: +*`rsa.internal.mcbc_res`*:: + -- -IP address requested by the client. - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: ip +type: long -- -*`zeek.dhcp.address.server`*:: +*`rsa.internal.medium`*:: + -- -IP address of the DHCP server. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: ip +type: long -- - -*`zeek.dhcp.msg.types`*:: +*`rsa.internal.node_name`*:: + -- -List of DHCP message types seen in this exchange. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.dhcp.msg.origin`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -(present if policy/protocols/dhcp/msg-orig.bro is loaded) -The address that originated each message from the msg.types field. +This key denotes that event is endpoint related - -type: ip +type: keyword -- -*`zeek.dhcp.msg.client`*:: +*`rsa.internal.parse_error`*:: + -- -Message typically accompanied with a DHCP_DECLINE so the client can -tell the server why it rejected an address. - +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.msg.server`*:: +*`rsa.internal.payload_req`*:: + -- -Message typically accompanied with a DHCP_NAK to let the client know -why it rejected the request. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: long -type: keyword +-- +*`rsa.internal.payload_res`*:: ++ -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: long -*`zeek.dhcp.software.client`*:: -+ -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`zeek.dhcp.software.server`*:: +*`rsa.internal.process_vid_src`*:: + -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- - -*`zeek.dhcp.id.circuit`*:: +*`rsa.internal.rid`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -Added by DHCP relay agents which terminate switched or permanent -circuits. It encodes an agent-local identifier of the circuit from -which a DHCP client-to-server packet was received. Typically it -should represent a router or switch interface number. +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`zeek.dhcp.id.remote_agent`*:: +*`rsa.internal.session_split`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -A globally unique identifier added by relay agents to identify the -remote host end of the circuit. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.id.subscriber`*:: +*`rsa.internal.site`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -The subscriber ID is a value independent of the physical network -configuration so that a customer's DHCP configuration can be given -to them correctly no matter where they are physically connected. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== dnp3 - -Fields exported by the Zeek DNP3 log - +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: long +-- -*`zeek.dnp3.function.request`*:: +*`rsa.internal.sourcefile`*:: + -- -The name of the function message in the request. - +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dnp3.function.reply`*:: +*`rsa.internal.ubc_req`*:: + -- -The name of the function message in the reply. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: keyword +type: long -- -*`zeek.dnp3.id`*:: +*`rsa.internal.ubc_res`*:: + -- -The response's internal indication number. 
- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: integer +type: long -- -[float] -=== dns +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -Fields exported by the Zeek DNS log +type: keyword +-- -*`zeek.dns.trans_id`*:: +*`rsa.time.event_time`*:: + -- -DNS transaction identifier. - +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`zeek.dns.rtt`*:: +*`rsa.time.duration_time`*:: + -- -Round trip time for the query and response. - +This key is used to capture the normalized duration/lifetime in seconds. type: double -- -*`zeek.dns.query`*:: +*`rsa.time.event_time_str`*:: + -- -The domain name that is the subject of the DNS query. - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`zeek.dns.qclass`*:: +*`rsa.time.starttime`*:: + -- -The QCLASS value specifying the class of the query. +This key is used to capture the Start time mentioned in a session in a standard form - -type: long +type: date -- -*`zeek.dns.qclass_name`*:: +*`rsa.time.month`*:: + -- -A descriptive name for the class of the query. +type: keyword +-- +*`rsa.time.day`*:: ++ +-- type: keyword -- -*`zeek.dns.qtype`*:: +*`rsa.time.endtime`*:: + -- -A QTYPE value specifying the type of the query. - +This key is used to capture the End time mentioned in a session in a standard form -type: long +type: date -- -*`zeek.dns.qtype_name`*:: +*`rsa.time.timezone`*:: + --- -A descriptive name for the type of the query. - +-- +This key is used to capture the timezone of the Event Time type: keyword -- -*`zeek.dns.rcode`*:: +*`rsa.time.duration_str`*:: + -- -The response code value in DNS response messages. 
- +A text string version of the duration -type: long +type: keyword -- -*`zeek.dns.rcode_name`*:: +*`rsa.time.date`*:: + -- -A descriptive name for the response code value. +type: keyword +-- +*`rsa.time.year`*:: ++ +-- type: keyword -- -*`zeek.dns.AA`*:: +*`rsa.time.recorded_time`*:: + -- -The Authoritative Answer bit for response messages specifies that the responding -name server is an authority for the domain name in the question section. - +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: boolean +type: date -- -*`zeek.dns.TC`*:: +*`rsa.time.datetime`*:: + -- -The Truncation bit specifies that the message was truncated. - - -type: boolean +type: keyword -- -*`zeek.dns.RD`*:: +*`rsa.time.effective_time`*:: + -- -The Recursion Desired bit in a request message indicates that the client -wants recursive service for this query. - +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: boolean +type: date -- -*`zeek.dns.RA`*:: +*`rsa.time.expire_time`*:: + -- -The Recursion Available bit in a response message indicates that the name -server supports recursive queries. - +This key is the timestamp that explicitly refers to an expiration. -type: boolean +type: date -- -*`zeek.dns.answers`*:: +*`rsa.time.process_time`*:: + -- -The set of resource descriptions in the query answer. - +Deprecated, use duration.time type: keyword -- -*`zeek.dns.TTLs`*:: +*`rsa.time.hour`*:: + -- -The caching intervals of the associated RRs described by the answers field. - - -type: double +type: keyword -- -*`zeek.dns.rejected`*:: +*`rsa.time.min`*:: + -- -Indicates whether the DNS query was rejected by the server. 
- - -type: boolean +type: keyword -- -*`zeek.dns.total_answers`*:: +*`rsa.time.timestamp`*:: + -- -The total number of resource records in the reply. - - -type: integer +type: keyword -- -*`zeek.dns.total_replies`*:: +*`rsa.time.event_queue_time`*:: + -- -The total number of resource records in the reply message. - +This key is the Time that the event was queued. -type: integer +type: date -- -*`zeek.dns.saw_query`*:: +*`rsa.time.p_time1`*:: + -- -Whether the full DNS query has been seen. +type: keyword +-- -type: boolean +*`rsa.time.tzone`*:: ++ +-- +type: keyword -- -*`zeek.dns.saw_reply`*:: +*`rsa.time.eventtime`*:: + -- -Whether the full DNS reply has been seen. +type: keyword +-- -type: boolean +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword -- -[float] -=== dpd +*`rsa.time.gmttime`*:: ++ +-- +type: keyword -Fields exported by the Zeek DPD log +-- +*`rsa.time.p_date`*:: ++ +-- +type: keyword +-- -*`zeek.dpd.analyzer`*:: +*`rsa.time.p_month`*:: + -- -The analyzer that generated the violation. +type: keyword +-- +*`rsa.time.p_time`*:: ++ +-- type: keyword -- -*`zeek.dpd.failure_reason`*:: +*`rsa.time.p_time2`*:: + -- -The textual reason for the analysis failure. +type: keyword +-- +*`rsa.time.p_year`*:: ++ +-- type: keyword -- -*`zeek.dpd.packet_segment`*:: +*`rsa.time.expire_time_str`*:: + -- -(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) -A chunk of the payload that most likely resulted in the protocol violation. - +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -[float] -=== files +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. -Fields exported by the Zeek Files log. +type: date +-- -*`zeek.files.fuid`*:: +*`rsa.misc.action`*:: + -- -A file unique identifier. - - type: keyword -- -*`zeek.files.tx_host`*:: +*`rsa.misc.result`*:: + -- -The host that transferred the file. 
+This key is used to capture the outcome/result string value of an action in a session. - -type: ip +type: keyword -- -*`zeek.files.rx_host`*:: +*`rsa.misc.severity`*:: + -- -The host that received the file. - +This key is used to capture the severity given the session -type: ip +type: keyword -- -*`zeek.files.session_ids`*:: +*`rsa.misc.event_type`*:: + -- -The sessions that have this file. - +This key captures the event category type as specified by the event source. type: keyword -- -*`zeek.files.source`*:: +*`rsa.misc.reference_id`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. - +This key is used to capture an event id from the session directly type: keyword -- -*`zeek.files.depth`*:: +*`rsa.misc.version`*:: + -- -A value to represent the depth of this file in relation to its source. In SMTP, it -is the depth of the MIME attachment on the message. In HTTP, it is the depth of the -request within the TCP connection. +This key captures Version of the application or OS which is generating the event. - -type: long +type: keyword -- -*`zeek.files.analyzers`*:: +*`rsa.misc.disposition`*:: + -- -A set of analysis types done during the file analysis. - +This key captures the The end state of an action. type: keyword -- -*`zeek.files.mime_type`*:: +*`rsa.misc.result_code`*:: + -- -Mime type of the file. - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`zeek.files.filename`*:: +*`rsa.misc.category`*:: + -- -Name of the file if available. - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`zeek.files.local_orig`*:: +*`rsa.misc.obj_name`*:: + -- -If the source of this file is a network connection, this field indicates if the data -originated from the local network or not. 
- +This is used to capture name of object -type: boolean +type: keyword -- -*`zeek.files.is_orig`*:: +*`rsa.misc.obj_type`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. - +This is used to capture type of object -type: boolean +type: keyword -- -*`zeek.files.duration`*:: +*`rsa.misc.event_source`*:: + -- -The duration the file was analyzed for. Not the duration of the session. +This key captures Source of the event that’s not a hostname - -type: double +type: keyword -- -*`zeek.files.seen_bytes`*:: +*`rsa.misc.log_session_id`*:: + -- -Number of bytes provided to the file analysis engine for the file. - +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`zeek.files.total_bytes`*:: +*`rsa.misc.group`*:: + -- -Total number of bytes that are supposed to comprise the full file. +This key captures the Group Name value - -type: long +type: keyword -- -*`zeek.files.missing_bytes`*:: +*`rsa.misc.policy_name`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +This key is used to capture the Policy Name only. - -type: long +type: keyword -- -*`zeek.files.overflow_bytes`*:: +*`rsa.misc.rule_name`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +This key captures the Rule Name - -type: long +type: keyword -- -*`zeek.files.timedout`*:: +*`rsa.misc.context`*:: + -- -Whether the file analysis timed out at least once for the file. - +This key captures Information which adds additional context to the event. -type: boolean +type: keyword -- -*`zeek.files.parent_fuid`*:: +*`rsa.misc.change_new`*:: + -- -Identifier associated with a container file from which this one was extracted as part of -the file analysis. 
- +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`zeek.files.md5`*:: +*`rsa.misc.space`*:: + -- -An MD5 digest of the file contents. - - type: keyword -- -*`zeek.files.sha1`*:: +*`rsa.misc.client`*:: + -- -A SHA1 digest of the file contents. - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`zeek.files.sha256`*:: +*`rsa.misc.msgIdPart1`*:: + -- -A SHA256 digest of the file contents. - - type: keyword -- -*`zeek.files.extracted`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Local filename of extracted file. - - type: keyword -- -*`zeek.files.extracted_cutoff`*:: +*`rsa.misc.change_old`*:: + -- -Indicate whether the file being extracted was cut off hence not extracted completely. - +This key is used to capture the old value of the attribute that’s changing in a session -type: boolean +type: keyword -- -*`zeek.files.extracted_size`*:: +*`rsa.misc.operation_id`*:: + -- -The number of bytes extracted to disk. +An alert number or operation number. The values should be unique and non-repeating. - -type: long +type: keyword -- -*`zeek.files.entropy`*:: +*`rsa.misc.event_state`*:: + -- -The information density of the contents of the file. - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: double +type: keyword -- -[float] -=== ftp - -Fields exported by the Zeek FTP log +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage +type: keyword +-- -*`zeek.ftp.user`*:: +*`rsa.misc.node`*:: + -- -User name for the current FTP session. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
type: keyword -- -*`zeek.ftp.password`*:: +*`rsa.misc.rule`*:: + -- -Password for the current FTP session if captured. - +This key captures the Rule number type: keyword -- -*`zeek.ftp.command`*:: +*`rsa.misc.device_name`*:: + -- -Command given by the client. - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`zeek.ftp.arg`*:: +*`rsa.misc.param`*:: + -- -Argument for the command if one is given. - +This key is the parameters passed as part of a command or application, etc. type: keyword -- - -*`zeek.ftp.file.size`*:: +*`rsa.misc.change_attrib`*:: + -- -Size of the file if the command indicates a file transfer. - +This key is used to capture the name of the attribute that’s changing in a session -type: long +type: keyword -- -*`zeek.ftp.file.mime_type`*:: +*`rsa.misc.event_computer`*:: + -- -Sniffed mime type of file. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`zeek.ftp.file.fuid`*:: +*`rsa.misc.reference_id1`*:: + -- -(present if base/protocols/ftp/files.bro is loaded) -File unique ID. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- - -*`zeek.ftp.reply.code`*:: +*`rsa.misc.event_log`*:: + -- -Reply code from the server in response to the command. +This key captures the Name of the event log - -type: integer +type: keyword -- -*`zeek.ftp.reply.msg`*:: +*`rsa.misc.OS`*:: + -- -Reply message from the server in response to the command. - +This key captures the Name of the Operating System type: keyword -- -[float] -=== data_channel - -Expected FTP data channel. +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only +type: keyword +-- -*`zeek.ftp.data_channel.passive`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Whether PASV mode is toggled for control channel. 
- - -type: boolean +type: keyword -- -*`zeek.ftp.data_channel.originating_host`*:: +*`rsa.misc.filter`*:: + -- -The host that will be initiating the data connection. +This key captures Filter used to reduce result set - -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_host`*:: +*`rsa.misc.serial_number`*:: + -- -The host that will be accepting the data connection. - +This key is the Serial number associated with a physical asset. -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_port`*:: +*`rsa.misc.checksum`*:: + -- -The port at which the acceptor is listening for the data connection. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: integer +type: keyword -- -*`zeek.ftp.cwd`*:: +*`rsa.misc.event_user`*:: + -- -Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -[float] -=== cmdarg - -Command that is currently waiting for a response. +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus +type: keyword +-- -*`zeek.ftp.cmdarg.cmd`*:: +*`rsa.misc.content_type`*:: + -- -Command. - +This key is used to capture Content Type only. type: keyword -- -*`zeek.ftp.cmdarg.arg`*:: +*`rsa.misc.group_id`*:: + -- -Argument for the command if one was given. - +This key captures Group ID Number (related to the group name) type: keyword -- -*`zeek.ftp.cmdarg.seq`*:: +*`rsa.misc.policy_id`*:: + -- -Counter to track how many commands have been executed. 
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: integer +type: keyword -- -*`zeek.ftp.pending_commands`*:: +*`rsa.misc.vsys`*:: + -- -Queue for commands that have been sent but not yet responded to are tracked here. - +This key captures Virtual System Name -type: integer +type: keyword -- -*`zeek.ftp.passive`*:: +*`rsa.misc.connection_id`*:: + -- -Indicates if the session is in active or passive mode. +This key captures the Connection ID - -type: boolean +type: keyword -- -*`zeek.ftp.capture_password`*:: +*`rsa.misc.reference_id2`*:: + -- -Determines if the password will be captured for this request. - +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. -type: boolean +type: keyword -- -*`zeek.ftp.last_auth_requested`*:: +*`rsa.misc.sensor`*:: + -- -present if base/protocols/ftp/gridftp.bro is loaded. -Last authentication/security mechanism that was used. - +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -[float] -=== http - -Fields exported by the Zeek HTTP log +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID +type: long +-- -*`zeek.http.trans_depth`*:: +*`rsa.misc.port_name`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: integer +type: keyword -- -*`zeek.http.status_msg`*:: +*`rsa.misc.rule_group`*:: + -- -Status message returned by the server. - +This key captures the Rule group name type: keyword -- -*`zeek.http.info_code`*:: +*`rsa.misc.risk_num`*:: + -- -Last seen 1xx informational reply code returned by the server. 
+This key captures a Numeric Risk value - -type: integer +type: double -- -*`zeek.http.info_msg`*:: +*`rsa.misc.trigger_val`*:: + -- -Last seen 1xx informational reply message returned by the server. - +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`zeek.http.tags`*:: +*`rsa.misc.log_session_id1`*:: + -- -A set of indicators of various attributes discovered and related to a particular -request/response pair. - +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`zeek.http.password`*:: +*`rsa.misc.comp_version`*:: + -- -Password if basic-auth is performed for the request. - +This key captures the Version level of a sub-component of a product. type: keyword -- -*`zeek.http.captured_password`*:: +*`rsa.misc.content_version`*:: + -- -Determines if the password will be captured for this request. - +This key captures Version level of a signature or database content. -type: boolean +type: keyword -- -*`zeek.http.proxied`*:: +*`rsa.misc.hardware_id`*:: + -- -All of the headers that may indicate if the HTTP request was proxied. - +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`zeek.http.range_request`*:: +*`rsa.misc.risk`*:: + -- -Indicates if this request can assume 206 partial content in response. - +This key captures the non-numeric risk value -type: boolean +type: keyword -- -*`zeek.http.client_header_names`*:: +*`rsa.misc.event_id`*:: + -- -The vector of HTTP header names sent by the client. No header values -are included here, just the header names. - - type: keyword -- -*`zeek.http.server_header_names`*:: +*`rsa.misc.reason`*:: + -- -The vector of HTTP header names sent by the server. No header values -are included here, just the header names. - - type: keyword -- -*`zeek.http.orig_fuids`*:: +*`rsa.misc.status`*:: + -- -An ordered vector of file unique IDs from the originator. 
- - type: keyword -- -*`zeek.http.orig_mime_types`*:: +*`rsa.misc.mail_id`*:: + -- -An ordered vector of mime types from the originator. - +This key is used to capture the mailbox id/name type: keyword -- -*`zeek.http.orig_filenames`*:: +*`rsa.misc.rule_uid`*:: + -- -An ordered vector of filenames from the originator. - +This key is the Unique Identifier for a rule. type: keyword -- -*`zeek.http.resp_fuids`*:: +*`rsa.misc.trigger_desc`*:: + -- -An ordered vector of file unique IDs from the responder. - +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`zeek.http.resp_mime_types`*:: +*`rsa.misc.inout`*:: + -- -An ordered vector of mime types from the responder. - - type: keyword -- -*`zeek.http.resp_filenames`*:: +*`rsa.misc.p_msgid`*:: + -- -An ordered vector of filenames from the responder. - - type: keyword -- -*`zeek.http.orig_mime_depth`*:: +*`rsa.misc.data_type`*:: + -- -Current number of MIME entities in the HTTP request message body. - - -type: integer +type: keyword -- -*`zeek.http.resp_mime_depth`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Current number of MIME entities in the HTTP response message body. - - -type: integer +type: keyword -- -[float] -=== intel - -Fields exported by the Zeek Intel log. - +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses +type: keyword +-- -*`zeek.intel.seen.indicator`*:: +*`rsa.misc.index`*:: + -- -The intelligence indicator. - - type: keyword -- -*`zeek.intel.seen.indicator_type`*:: +*`rsa.misc.listnum`*:: + -- -The type of data the indicator represents. - +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`zeek.intel.seen.host`*:: +*`rsa.misc.ntype`*:: + -- -If the indicator type was Intel::ADDR, then this field will be present. 
- - type: keyword -- -*`zeek.intel.seen.conn`*:: +*`rsa.misc.observed_val`*:: + -- -If the data was discovered within a connection, the connection record should go here to give context to the data. - +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`zeek.intel.seen.where`*:: +*`rsa.misc.policy_value`*:: + -- -Where the data was discovered. - +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`zeek.intel.seen.node`*:: +*`rsa.misc.pool_name`*:: + -- -The name of the node where the match was discovered. - +This key captures the name of a resource pool type: keyword -- -*`zeek.intel.seen.uid`*:: +*`rsa.misc.rule_template`*:: + -- -If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. - +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`zeek.intel.seen.f`*:: +*`rsa.misc.count`*:: + -- -If the data was discovered within a file, the file record should go here to provide context to the data. +type: keyword +-- -type: object +*`rsa.misc.number`*:: ++ +-- +type: keyword -- -*`zeek.intel.seen.fuid`*:: +*`rsa.misc.sigcat`*:: + -- -If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. +type: keyword +-- +*`rsa.misc.type`*:: ++ +-- type: keyword -- -*`zeek.intel.matched`*:: +*`rsa.misc.comments`*:: + -- -Event to represent a match in the intelligence data from data that was seen. - +Comment information provided in the log message type: keyword -- -*`zeek.intel.sources`*:: +*`rsa.misc.doc_number`*:: + -- -Sources which supplied data for this match. 
+This key captures File Identification number - -type: keyword +type: long -- -*`zeek.intel.fuid`*:: +*`rsa.misc.expected_val`*:: + -- -If a file was associated with this intelligence hit, this is the uid for the file. - +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`zeek.intel.file_mime_type`*:: +*`rsa.misc.job_num`*:: + -- -A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. - +This key captures the Job Number type: keyword -- -*`zeek.intel.file_desc`*:: +*`rsa.misc.spi_dst`*:: + -- -Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. - +Destination SPI Index type: keyword -- -[float] -=== irc - -Fields exported by the Zeek IRC log +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index +type: keyword +-- -*`zeek.irc.nick`*:: +*`rsa.misc.code`*:: + -- -Nickname given for the connection. - - type: keyword -- -*`zeek.irc.user`*:: +*`rsa.misc.agent_id`*:: + -- -Username given for the connection. - +This key is used to capture agent id type: keyword -- -*`zeek.irc.command`*:: +*`rsa.misc.message_body`*:: + -- -Command given by the client. - +This key captures the The contents of the message body. type: keyword -- -*`zeek.irc.value`*:: +*`rsa.misc.phone`*:: + -- -Value for the command given by the client. - - type: keyword -- -*`zeek.irc.addl`*:: +*`rsa.misc.sig_id_str`*:: + -- -Any additional data for the command. - +This key captures a string object of the sigid variable. type: keyword -- +*`rsa.misc.cmd`*:: ++ +-- +type: keyword +-- -*`zeek.irc.dcc.file.name`*:: +*`rsa.misc.misc`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. -DCC filename requested. +type: keyword +-- +*`rsa.misc.name`*:: ++ +-- type: keyword -- -*`zeek.irc.dcc.file.size`*:: +*`rsa.misc.cpu`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. 
-Size of the DCC transfer as indicated by the sender. - +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`zeek.irc.dcc.mime_type`*:: +*`rsa.misc.event_desc`*:: + -- -present if base/protocols/irc/dcc-send.bro is loaded. -Sniffed mime type of the file. - +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`zeek.irc.fuid`*:: +*`rsa.misc.sig_id1`*:: + -- -present if base/protocols/irc/files.bro is loaded. -File unique ID. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[float] -=== kerberos - -Fields exported by the Zeek Kerberos log - - - -*`zeek.kerberos.request_type`*:: +*`rsa.misc.im_buddyid`*:: + -- -Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - - type: keyword -- -*`zeek.kerberos.client`*:: +*`rsa.misc.im_client`*:: + -- -Client name. +type: keyword +-- +*`rsa.misc.im_userid`*:: ++ +-- type: keyword -- -*`zeek.kerberos.service`*:: +*`rsa.misc.pid`*:: + -- -Service name. +type: keyword +-- +*`rsa.misc.priority`*:: ++ +-- type: keyword -- -*`zeek.kerberos.success`*:: +*`rsa.misc.context_subject`*:: + -- -Request result. - +This key is to be used in an audit context where the subject is the object being identified -type: boolean +type: keyword -- - -*`zeek.kerberos.error.code`*:: +*`rsa.misc.context_target`*:: + -- -Error code. - - -type: integer +type: keyword -- -*`zeek.kerberos.error.msg`*:: +*`rsa.misc.cve`*:: + -- -Error message. - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- - -*`zeek.kerberos.valid.from`*:: +*`rsa.misc.fcatnum`*:: + -- -Ticket valid from. - +This key captures Filter Category Number. Legacy Usage -type: date +type: keyword -- -*`zeek.kerberos.valid.until`*:: +*`rsa.misc.library`*:: + -- -Ticket valid until. 
+This key is used to capture library information in mainframe devices - -type: date +type: keyword -- -*`zeek.kerberos.valid.days`*:: +*`rsa.misc.parent_node`*:: + -- -Number of days the ticket is valid for. - +This key captures the Parent Node Name. Must be related to node variable. -type: integer +type: keyword -- -*`zeek.kerberos.cipher`*:: +*`rsa.misc.risk_info`*:: + -- -Ticket encryption type. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.kerberos.forwardable`*:: +*`rsa.misc.tcp_flags`*:: + -- -Forwardable ticket requested. - +This key is captures the TCP flags set in any packet of session -type: boolean +type: long -- -*`zeek.kerberos.renewable`*:: +*`rsa.misc.tos`*:: + -- -Renewable ticket requested. +This key describes the type of service - -type: boolean +type: long -- - -*`zeek.kerberos.ticket.auth`*:: +*`rsa.misc.vm_target`*:: + -- -Hash of ticket used to authorize request/transaction. - +VMWare Target **VMWARE** only varaible. type: keyword -- -*`zeek.kerberos.ticket.new`*:: +*`rsa.misc.workspace`*:: + -- -Hash of ticket returned by the KDC. - +This key captures Workspace Description type: keyword -- - - -*`zeek.kerberos.cert.client.value`*:: +*`rsa.misc.command`*:: + -- -Client certificate. +type: keyword +-- +*`rsa.misc.event_category`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.client.fuid`*:: +*`rsa.misc.facilityname`*:: + -- -File unique ID of client cert. +type: keyword +-- +*`rsa.misc.forensic_info`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.client.subject`*:: +*`rsa.misc.jobname`*:: + -- -Subject of client certificate. +type: keyword +-- +*`rsa.misc.mode`*:: ++ +-- type: keyword -- - -*`zeek.kerberos.cert.server.value`*:: +*`rsa.misc.policy`*:: + -- -Server certificate. +type: keyword +-- +*`rsa.misc.policy_waiver`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.server.fuid`*:: +*`rsa.misc.second`*:: + -- -File unique ID of server certificate. 
+type: keyword +-- +*`rsa.misc.space1`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.server.subject`*:: +*`rsa.misc.subcategory`*:: + -- -Subject of server certificate. +type: keyword +-- +*`rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -[float] -=== modbus - -Fields exported by the Zeek modbus log. +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +type: keyword +-- -*`zeek.modbus.function`*:: +*`rsa.misc.checksum_dst`*:: + -- -The name of the function message that was sent. - +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`zeek.modbus.exception`*:: +*`rsa.misc.checksum_src`*:: + -- -The exception if the response was a failure. - +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`zeek.modbus.track_address`*:: +*`rsa.misc.fresult`*:: + -- -Present if policy/protocols/modbus/track-memmap.bro is loaded. -Modbus track address. +This key captures the Filter Result - -type: integer +type: long -- -[float] -=== mysql - -Fields exported by the Zeek MySQL log. +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload +type: keyword +-- -*`zeek.mysql.cmd`*:: +*`rsa.misc.payload_src`*:: + -- -The command that was issued. - +This key is used to capture source payload type: keyword -- -*`zeek.mysql.arg`*:: +*`rsa.misc.pool_id`*:: + -- -The argument issued to the command. - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`zeek.mysql.success`*:: +*`rsa.misc.process_id_val`*:: + -- -Whether the command succeeded. - +This key is a failure key for Process ID when it is not an integer value -type: boolean +type: keyword -- -*`zeek.mysql.rows`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The number of affected rows, if any. 
+This key captures Risk Number Community - -type: integer +type: double -- -*`zeek.mysql.response`*:: +*`rsa.misc.risk_num_next`*:: + -- -Server message, if any. - +This key captures Risk Number NextGen -type: keyword +type: double -- -[float] -=== notice - -Fields exported by the Zeek Notice log. +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox +type: double +-- -*`zeek.notice.connection_id`*:: +*`rsa.misc.risk_num_static`*:: + -- -Identifier of the related connection session. +This key captures Risk Number Static - -type: keyword +type: double -- -*`zeek.notice.icmp_id`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Identifier of the related ICMP session. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.notice.file.id`*:: +*`rsa.misc.risk_warning`*:: + -- -An identifier associated with a single file that is related to this notice. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.notice.file.parent_id`*:: +*`rsa.misc.snmp_oid`*:: + -- -Identifier associated with a container file from which this one was extracted. - +SNMP Object Identifier type: keyword -- -*`zeek.notice.file.source`*:: +*`rsa.misc.sql`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. - +This key captures the SQL query type: keyword -- -*`zeek.notice.file.mime_type`*:: +*`rsa.misc.vuln_ref`*:: + -- -A mime type if the notice is related to a file. - +This key captures the Vulnerability Reference details type: keyword -- -*`zeek.notice.file.is_orig`*:: +*`rsa.misc.acl_id`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. 
+type: keyword +-- -type: boolean +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.seen_bytes`*:: +*`rsa.misc.acl_pos`*:: + -- -Number of bytes provided to the file analysis engine for the file. +type: keyword +-- -type: long +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword -- -*`zeek.notice.ffile.total_bytes`*:: +*`rsa.misc.admin`*:: + -- -Total number of bytes that are supposed to comprise the full file. +type: keyword +-- -type: long +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.missing_bytes`*:: +*`rsa.misc.alarmname`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +type: keyword +-- -type: long +*`rsa.misc.app_id`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.overflow_bytes`*:: +*`rsa.misc.audit`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +type: keyword +-- -type: long +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword -- -*`zeek.notice.fuid`*:: +*`rsa.misc.auditdata`*:: + -- -A file unique ID if this notice is related to a file. +type: keyword +-- +*`rsa.misc.benchmark`*:: ++ +-- type: keyword -- -*`zeek.notice.note`*:: +*`rsa.misc.bypass`*:: + -- -The type of the notice. +type: keyword +-- +*`rsa.misc.cache`*:: ++ +-- type: keyword -- -*`zeek.notice.msg`*:: +*`rsa.misc.cache_hit`*:: + -- -The human readable message for the notice. +type: keyword +-- +*`rsa.misc.cefversion`*:: ++ +-- type: keyword -- -*`zeek.notice.sub`*:: +*`rsa.misc.cfg_attr`*:: + -- -The human readable sub-message. +type: keyword +-- +*`rsa.misc.cfg_obj`*:: ++ +-- type: keyword -- -*`zeek.notice.n`*:: +*`rsa.misc.cfg_path`*:: + -- -Associated count, or a status code. +type: keyword +-- -type: long +*`rsa.misc.changes`*:: ++ +-- +type: keyword -- -*`zeek.notice.peer_name`*:: +*`rsa.misc.client_ip`*:: + -- -Name of remote peer that raised this notice. 
+type: keyword +-- +*`rsa.misc.clustermembers`*:: ++ +-- type: keyword -- -*`zeek.notice.peer_descr`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Textual description for the peer that raised this notice. +type: keyword +-- -type: text +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword -- -*`zeek.notice.actions`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -The actions which have been applied to this notice. +type: keyword +-- +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- type: keyword -- -*`zeek.notice.email_body_sections`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -By adding chunks of text into this element, other scripts can expand on notices -that are being emailed. +type: keyword +-- -type: text +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword -- -*`zeek.notice.email_delay_tokens`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Adding a string token to this set will cause the built-in emailing functionality -to delay sending the email either the token has been removed or the email -has been delayed for the specified time duration. +type: keyword +-- +*`rsa.misc.cn_engine_type`*:: ++ +-- type: keyword -- -*`zeek.notice.identifier`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This field is provided when a notice is generated for the purpose of deduplicating notices. +type: keyword +-- +*`rsa.misc.cn_flowsampid`*:: ++ +-- type: keyword -- -*`zeek.notice.suppress_for`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This field indicates the length of time that this unique notice should be suppressed. +type: keyword +-- -type: double +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword -- -*`zeek.notice.dropped`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Indicate if the source IP address was dropped and denied network access. +type: keyword +-- -type: boolean +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword -- -[float] -=== ntlm +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword -Fields exported by the Zeek NTLM log. 
+-- +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword +-- -*`zeek.ntlm.domain`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Domain name given by the client. +type: keyword +-- +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- type: keyword -- -*`zeek.ntlm.hostname`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Hostname given by the client. +type: keyword +-- +*`rsa.misc.cn_log_did`*:: ++ +-- type: keyword -- -*`zeek.ntlm.success`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Indicate whether or not the authentication was successful. +type: keyword +-- -type: boolean +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword -- -*`zeek.ntlm.username`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Username given by the client. +type: keyword +-- +*`rsa.misc.cn_min_ttl`*:: ++ +-- type: keyword -- +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword +-- -*`zeek.ntlm.server.name.dns`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -DNS name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- type: keyword -- -*`zeek.ntlm.server.name.netbios`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -NetBIOS name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- type: keyword -- -*`zeek.ntlm.server.name.tree`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Tree name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- type: keyword -- -[float] -=== ocsp +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword -Fields exported by the Zeek OCSP log -Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. +-- +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword +-- -*`zeek.ocsp.file_id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -File id of the OCSP reply. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.hash.algorithm`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -Hash algorithm used to generate issuerNameHash and issuerKeyHash. 
+type: keyword +-- +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.hash.issuer.name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Hash of the issuer's distingueshed name. +type: keyword +-- +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- type: keyword -- -*`zeek.ocsp.hash.issuer.key`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Hash of the issuer's public key. +type: keyword +-- +*`rsa.misc.cn_sampalgo`*:: ++ +-- type: keyword -- -*`zeek.ocsp.serial_number`*:: +*`rsa.misc.cn_sampint`*:: + -- -Serial number of the affected certificate. +type: keyword +-- +*`rsa.misc.cn_seqctr`*:: ++ +-- type: keyword -- -*`zeek.ocsp.status`*:: +*`rsa.misc.cn_spackets`*:: + -- -Status of the affected certificate. +type: keyword +-- +*`rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.revoke.time`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -Time at which the certificate was revoked. +type: keyword +-- -type: date +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword -- -*`zeek.ocsp.revoke.reason`*:: +*`rsa.misc.cn_template_id`*:: + -- -Reason for which the certificate was revoked. +type: keyword +-- +*`rsa.misc.cn_totbytsexp`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.update.this`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -The time at which the status being shows is known to have been correct. +type: keyword +-- -type: date +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword -- -*`zeek.ocsp.update.next`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The latest time at which new information about the status of the certificate will be available. +type: keyword +-- -type: date +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword -- -[float] -=== pe +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword -Fields exported by the Zeek pe log. +-- +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword +-- -*`zeek.pe.client`*:: +*`rsa.misc.comp_name`*:: + -- -The client's version string. 
+type: keyword +-- +*`rsa.misc.comp_rbytes`*:: ++ +-- type: keyword -- -*`zeek.pe.id`*:: +*`rsa.misc.comp_sbytes`*:: + -- -File id of this portable executable file. - - type: keyword -- -*`zeek.pe.machine`*:: +*`rsa.misc.cpu_data`*:: + -- -The target machine that the file was compiled for. - - type: keyword -- -*`zeek.pe.compile_time`*:: +*`rsa.misc.criticality`*:: + -- -The time that the file was created at. - - -type: date +type: keyword -- -*`zeek.pe.os`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -The required operating system. - - type: keyword -- -*`zeek.pe.subsystem`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -The subsystem that is required to run this file. - - type: keyword -- -*`zeek.pe.is_exe`*:: +*`rsa.misc.cs_av_other`*:: + -- -Is the file an executable, or just an object file? - - -type: boolean +type: keyword -- -*`zeek.pe.is_64bit`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Is the file a 64-bit executable? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_aslr`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Does the file support Address Space Layout Randomization? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_dep`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Does the file support Data Execution Prevention? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_code_integrity`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Does the file enforce code integrity checks? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_seh`*:: +*`rsa.misc.cs_context`*:: + -- -Does the file use structured exception handing? - - -type: boolean +type: keyword -- -*`zeek.pe.has_import_table`*:: +*`rsa.misc.cs_control`*:: + -- -Does the file have an import table? - - -type: boolean +type: keyword -- -*`zeek.pe.has_export_table`*:: +*`rsa.misc.cs_data`*:: + -- -Does the file have an export table? - - -type: boolean +type: keyword -- -*`zeek.pe.has_cert_table`*:: +*`rsa.misc.cs_datecret`*:: + -- -Does the file have an attribute certificate table? 
- - -type: boolean +type: keyword -- -*`zeek.pe.has_debug_data`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Does the file have a debug table? - - -type: boolean +type: keyword -- -*`zeek.pe.section_names`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -The names of the sections, in order. - - type: keyword -- -[float] -=== radius - -Fields exported by the Zeek Radius log. - - - -*`zeek.radius.username`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -The username, if present. - - type: keyword -- -*`zeek.radius.mac`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -MAC address, if present. - - type: keyword -- -*`zeek.radius.framed_addr`*:: +*`rsa.misc.cs_filetype`*:: + -- -The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - - -type: ip +type: keyword -- -*`zeek.radius.remote_ip`*:: +*`rsa.misc.cs_fld`*:: + -- -Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - - -type: ip +type: keyword -- -*`zeek.radius.connect_info`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Connect info, if present. - - type: keyword -- -*`zeek.radius.reply_msg`*:: +*`rsa.misc.cs_if_name`*:: + -- -Reply message from the server challenge. This is frequently shown to the user authenticating. - - type: keyword -- -*`zeek.radius.result`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Successful or failed authentication. - - type: keyword -- -*`zeek.radius.ttl`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - - -type: integer +type: keyword -- -*`zeek.radius.logged`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -Whether this has already been logged and can be ignored. - - -type: boolean +type: keyword -- -[float] -=== rdp - -Fields exported by the Zeek RDP log. 
- - - -*`zeek.rdp.cookie`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Cookie value used by the client machine. This is typically a username. - - type: keyword -- -*`zeek.rdp.result`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. +type: keyword +-- +*`rsa.misc.cs_loginname`*:: ++ +-- type: keyword -- -*`zeek.rdp.security_protocol`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Security protocol chosen by the server. +type: keyword +-- +*`rsa.misc.cs_modulesign`*:: ++ +-- type: keyword -- -*`zeek.rdp.keyboard_layout`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Keyboard layout (language) of the client machine. +type: keyword +-- +*`rsa.misc.cs_payload`*:: ++ +-- type: keyword -- - -*`zeek.rdp.client.build`*:: +*`rsa.misc.cs_registrant`*:: + -- -RDP client version used by the client machine. +type: keyword +-- +*`rsa.misc.cs_registrar`*:: ++ +-- type: keyword -- -*`zeek.rdp.client.client_name`*:: +*`rsa.misc.cs_represult`*:: + -- -Name of the client machine. +type: keyword +-- +*`rsa.misc.cs_rpayload`*:: ++ +-- type: keyword -- -*`zeek.rdp.client.product_id`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Product ID of the client machine. +type: keyword +-- +*`rsa.misc.cs_sourcemodule`*:: ++ +-- type: keyword -- - -*`zeek.rdp.desktop.width`*:: +*`rsa.misc.cs_streams`*:: + -- -Desktop width of the client machine. +type: keyword +-- -type: integer +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword -- -*`zeek.rdp.desktop.height`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Desktop height of the client machine. +type: keyword +-- -type: integer +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword -- -*`zeek.rdp.desktop.color_depth`*:: +*`rsa.misc.cs_yararesult`*:: + -- -The color depth requested by the client in the high_color_depth field. 
+type: keyword +-- +*`rsa.misc.description`*:: ++ +-- type: keyword -- - -*`zeek.rdp.cert.type`*:: +*`rsa.misc.devvendor`*:: + -- -If the connection is being encrypted with native RDP encryption, this is the type of cert being used. +type: keyword +-- +*`rsa.misc.distance`*:: ++ +-- type: keyword -- -*`zeek.rdp.cert.count`*:: +*`rsa.misc.dstburb`*:: + -- -The number of certs seen. X.509 can transfer an entire certificate chain. +type: keyword +-- -type: integer +*`rsa.misc.edomain`*:: ++ +-- +type: keyword -- -*`zeek.rdp.cert.permanent`*:: +*`rsa.misc.edomaub`*:: + -- -Indicates if the provided certificate or certificate chain is permanent or temporary. - +type: keyword -type: boolean +-- +*`rsa.misc.euid`*:: ++ -- +type: keyword +-- -*`zeek.rdp.encryption.level`*:: +*`rsa.misc.facility`*:: + -- -Encryption level of the connection. +type: keyword +-- +*`rsa.misc.finterface`*:: ++ +-- type: keyword -- -*`zeek.rdp.encryption.method`*:: +*`rsa.misc.flags`*:: + -- -Encryption method of the connection. +type: keyword +-- +*`rsa.misc.gaddr`*:: ++ +-- type: keyword -- -*`zeek.rdp.done`*:: +*`rsa.misc.id3`*:: + -- -Track status of logging RDP connections. +type: keyword +-- -type: boolean +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword -- -*`zeek.rdp.ssl`*:: +*`rsa.misc.im_croomid`*:: + -- -(present if policy/protocols/rdp/indicate_ssl.bro is loaded) -Flag the connection if it was seen over SSL. +type: keyword +-- -type: boolean +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword -- -[float] -=== rfb +*`rsa.misc.im_members`*:: ++ +-- +type: keyword -Fields exported by the Zeek RFB log. +-- +*`rsa.misc.im_username`*:: ++ +-- +type: keyword +-- +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword +-- -*`zeek.rfb.version.client.major`*:: +*`rsa.misc.ipscat`*:: + -- -Major version of the client. +type: keyword +-- +*`rsa.misc.ipspri`*:: ++ +-- type: keyword -- -*`zeek.rfb.version.client.minor`*:: +*`rsa.misc.latitude`*:: + -- -Minor version of the client. 
+type: keyword +-- +*`rsa.misc.linenum`*:: ++ +-- type: keyword -- - -*`zeek.rfb.version.server.major`*:: +*`rsa.misc.list_name`*:: + -- -Major version of the server. +type: keyword +-- +*`rsa.misc.load_data`*:: ++ +-- type: keyword -- -*`zeek.rfb.version.server.minor`*:: +*`rsa.misc.location_floor`*:: + -- -Minor version of the server. +type: keyword +-- +*`rsa.misc.location_mark`*:: ++ +-- type: keyword -- - -*`zeek.rfb.auth.success`*:: +*`rsa.misc.log_id`*:: + -- -Whether or not authentication was successful. +type: keyword +-- -type: boolean +*`rsa.misc.log_type`*:: ++ +-- +type: keyword -- -*`zeek.rfb.auth.method`*:: +*`rsa.misc.logid`*:: + -- -Identifier of authentication method used. +type: keyword +-- +*`rsa.misc.logip`*:: ++ +-- type: keyword -- -*`zeek.rfb.share_flag`*:: +*`rsa.misc.logname`*:: + -- -Whether the client has an exclusive or a shared session. +type: keyword +-- -type: boolean +*`rsa.misc.longitude`*:: ++ +-- +type: keyword -- -*`zeek.rfb.desktop_name`*:: +*`rsa.misc.lport`*:: + -- -Name of the screen that is being shared. +type: keyword +-- +*`rsa.misc.mbug_data`*:: ++ +-- type: keyword -- -*`zeek.rfb.width`*:: +*`rsa.misc.misc_name`*:: + -- -Width of the screen that is being shared. +type: keyword +-- -type: integer +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword -- -*`zeek.rfb.height`*:: +*`rsa.misc.msgid`*:: + -- -Height of the screen that is being shared. +type: keyword +-- -type: integer +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword -- -[float] -=== sip +*`rsa.misc.num`*:: ++ +-- +type: keyword -Fields exported by the Zeek SIP log. +-- +*`rsa.misc.number1`*:: ++ +-- +type: keyword +-- -*`zeek.sip.transaction_depth`*:: +*`rsa.misc.number2`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. - +type: keyword -type: integer +-- +*`rsa.misc.nwwn`*:: ++ -- +type: keyword +-- -*`zeek.sip.sequence.method`*:: +*`rsa.misc.object`*:: + -- -Verb used in the SIP request (INVITE, REGISTER etc.). 
+type: keyword +-- +*`rsa.misc.operation`*:: ++ +-- type: keyword -- -*`zeek.sip.sequence.number`*:: +*`rsa.misc.opkt`*:: + -- -Contents of the CSeq: header from the client. +type: keyword +-- +*`rsa.misc.orig_from`*:: ++ +-- type: keyword -- -*`zeek.sip.uri`*:: +*`rsa.misc.owner_id`*:: + -- -URI used in the request. +type: keyword +-- +*`rsa.misc.p_action`*:: ++ +-- type: keyword -- -*`zeek.sip.date`*:: +*`rsa.misc.p_filter`*:: + -- -Contents of the Date: header from the client. +type: keyword +-- +*`rsa.misc.p_group_object`*:: ++ +-- type: keyword -- - -*`zeek.sip.request.from`*:: +*`rsa.misc.p_id`*:: + -- -Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +type: keyword +-- +*`rsa.misc.p_msgid1`*:: ++ +-- type: keyword -- -*`zeek.sip.request.to`*:: +*`rsa.misc.p_msgid2`*:: + -- -Contents of the To: header. +type: keyword +-- +*`rsa.misc.p_result1`*:: ++ +-- type: keyword -- -*`zeek.sip.request.path`*:: +*`rsa.misc.password_chg`*:: + -- -The client message transmission path, as extracted from the headers. +type: keyword +-- +*`rsa.misc.password_expire`*:: ++ +-- type: keyword -- -*`zeek.sip.request.body_length`*:: +*`rsa.misc.permgranted`*:: + -- -Contents of the Content-Length: header from the client. - +type: keyword -type: long +-- +*`rsa.misc.permwanted`*:: ++ -- +type: keyword +-- -*`zeek.sip.response.from`*:: +*`rsa.misc.pgid`*:: + -- -Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +type: keyword +-- +*`rsa.misc.policyUUID`*:: ++ +-- type: keyword -- -*`zeek.sip.response.to`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Contents of the response To: header. +type: keyword +-- +*`rsa.misc.program`*:: ++ +-- type: keyword -- -*`zeek.sip.response.path`*:: +*`rsa.misc.real_data`*:: + -- -The server message transmission path, as extracted from the headers. +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`zeek.sip.response.body_length`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Contents of the Content-Length: header from the server. +type: keyword +-- -type: long +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword -- -*`zeek.sip.reply_to`*:: +*`rsa.misc.recordnum`*:: + -- -Contents of the Reply-To: header. +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`zeek.sip.call_id`*:: +*`rsa.misc.sburb`*:: + -- -Contents of the Call-ID: header from the client. +type: keyword +-- +*`rsa.misc.sdomain_fld`*:: ++ +-- type: keyword -- -*`zeek.sip.subject`*:: +*`rsa.misc.sec`*:: + -- -Contents of the Subject: header from the client. +type: keyword +-- +*`rsa.misc.sensorname`*:: ++ +-- type: keyword -- -*`zeek.sip.user_agent`*:: +*`rsa.misc.seqnum`*:: + -- -Contents of the User-Agent: header from the client. +type: keyword +-- +*`rsa.misc.session`*:: ++ +-- type: keyword -- - -*`zeek.sip.status.code`*:: +*`rsa.misc.sessiontype`*:: + -- -Status code returned by the server. +type: keyword +-- -type: integer +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword -- -*`zeek.sip.status.msg`*:: +*`rsa.misc.spi`*:: + -- -Status message returned by the server. +type: keyword +-- +*`rsa.misc.srcburb`*:: ++ +-- type: keyword -- -*`zeek.sip.warning`*:: +*`rsa.misc.srcdom`*:: + -- -Contents of the Warning: header. 
+type: keyword +-- +*`rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`zeek.sip.content_type`*:: +*`rsa.misc.state`*:: + -- -Contents of the Content-Type: header from the server. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -[float] -=== smb_cmd +*`rsa.misc.svcno`*:: ++ +-- +type: keyword -Fields exported by the Zeek smb_cmd log. +-- +*`rsa.misc.system`*:: ++ +-- +type: keyword +-- -*`zeek.smb_cmd.command`*:: +*`rsa.misc.tbdstr1`*:: + -- -The command sent by the client. +type: keyword +-- +*`rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.sub_command`*:: +*`rsa.misc.tgtdomain`*:: + -- -The subcommand sent by the client, if present. - - type: keyword -- -*`zeek.smb_cmd.argument`*:: +*`rsa.misc.threshold`*:: + -- -Command argument sent by the client, if any. - - type: keyword -- -*`zeek.smb_cmd.status`*:: +*`rsa.misc.type1`*:: + -- -Server reply to the client's command. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.rtt`*:: +*`rsa.misc.url_fld`*:: + -- -Round trip time from the request to the response. +type: keyword +-- -type: double +*`rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`zeek.smb_cmd.version`*:: +*`rsa.misc.userid`*:: + -- -Version of SMB for the command. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.username`*:: +*`rsa.misc.utcstamp`*:: + -- -Authenticated username, if available. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.tree`*:: +*`rsa.misc.virt_data`*:: + -- -If this is related to a tree, this is the tree that was used for the current command. +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.tree_service`*:: +*`rsa.misc.autorun_type`*:: + -- -The type of tree (disk share, printer share, named pipe, etc.). - +This is used to capture Auto Run type type: keyword -- -[float] -=== file - -If the command referenced a file, store it here. 
+*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only +type: long +-- -*`zeek.smb_cmd.file.name`*:: +*`rsa.misc.content`*:: + -- -Filename if one was seen. - +This key captures the content type from protocol headers type: keyword -- -*`zeek.smb_cmd.file.action`*:: +*`rsa.misc.ein_number`*:: + -- -Action this log record represents. +Employee Identification Numbers only - -type: keyword +type: long -- -*`zeek.smb_cmd.file.uid`*:: +*`rsa.misc.found`*:: + -- -UID of the referenced file. - +This is used to capture the results of regex match type: keyword -- - -*`zeek.smb_cmd.file.host.tx`*:: +*`rsa.misc.language`*:: + -- -Address of the transmitting host. - +This is used to capture list of languages the client support and what it prefers -type: ip +type: keyword -- -*`zeek.smb_cmd.file.host.rx`*:: +*`rsa.misc.lifetime`*:: + -- -Address of the receiving host. +This key is used to capture the session lifetime in seconds. - -type: ip +type: long -- -*`zeek.smb_cmd.smb1_offered_dialects`*:: +*`rsa.misc.link`*:: + -- -Present if base/protocols/smb/smb1-main.bro is loaded. -Dialects offered by the client. - +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.smb_cmd.smb2_offered_dialects`*:: +*`rsa.misc.match`*:: + -- -Present if base/protocols/smb/smb2-main.bro is loaded. -Dialects offered by the client. +This key is for regex match name from search.ini - -type: integer +type: keyword -- -[float] -=== smb_files - -Fields exported by the Zeek SMB Files log. - - - -*`zeek.smb_files.action`*:: +*`rsa.misc.param_dst`*:: + -- -Action this log record represents. - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`zeek.smb_files.fid`*:: +*`rsa.misc.param_src`*:: + -- -ID referencing this file. 
- +This key captures source parameter -type: integer +type: keyword -- -*`zeek.smb_files.name`*:: +*`rsa.misc.search_text`*:: + -- -Filename if one was seen. - +This key captures the Search Text used type: keyword -- -*`zeek.smb_files.path`*:: +*`rsa.misc.sig_name`*:: + -- -Path pulled from the tree this file was transferred to or from. - +This key is used to capture the Signature Name only. type: keyword -- -*`zeek.smb_files.previous_name`*:: +*`rsa.misc.snmp_value`*:: + -- -If the rename action was seen, this will be the file's previous name. - +SNMP set request value type: keyword -- -*`zeek.smb_files.size`*:: +*`rsa.misc.streams`*:: + -- -Byte size of the file. - +This key captures number of streams in session type: long -- -[float] -=== times - -Timestamps of the file. - - -*`zeek.smb_files.times.accessed`*:: +*`rsa.db.index`*:: + -- -The file's access time. +This key captures IndexID of the index. - -type: date +type: keyword -- -*`zeek.smb_files.times.changed`*:: +*`rsa.db.instance`*:: + -- -The file's change time. - +This key is used to capture the database server instance name -type: date +type: keyword -- -*`zeek.smb_files.times.created`*:: +*`rsa.db.database`*:: + -- -The file's create time. +This key is used to capture the name of a database or an instance as seen in a session - -type: date +type: keyword -- -*`zeek.smb_files.times.modified`*:: +*`rsa.db.transact_id`*:: + -- -The file's modify time. - +This key captures the SQL transantion ID of the current session -type: date +type: keyword -- -*`zeek.smb_files.uuid`*:: +*`rsa.db.permissions`*:: + -- -UUID referencing this file if DCE/RPC. - +This key captures permission or privilege level assigned to a resource. type: keyword -- -[float] -=== smb_mapping - -Fields exported by the Zeek SMB_Mapping log. +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name +type: keyword +-- -*`zeek.smb_mapping.path`*:: +*`rsa.db.db_id`*:: + -- -Name of the tree path. 
- +This key is used to capture the unique identifier for a database type: keyword -- -*`zeek.smb_mapping.service`*:: +*`rsa.db.db_pid`*:: + -- -The type of resource of the tree (disk share, printer share, named pipe, etc.). +This key captures the process id of a connection with database server - -type: keyword +type: long -- -*`zeek.smb_mapping.native_file_system`*:: +*`rsa.db.lread`*:: + -- -File system of the tree. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`zeek.smb_mapping.share_type`*:: +*`rsa.db.lwrite`*:: + -- -If this is SMB2, a share type will be included. For SMB1, the type of share -will be deduced and included as well. - +This key is used for the number of logical writes -type: keyword +type: long -- -[float] -=== smtp +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes -Fields exported by the Zeek SMTP log. +type: long +-- -*`zeek.smtp.transaction_depth`*:: +*`rsa.network.alias_host`*:: + -- -A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. -type: integer +type: keyword -- -*`zeek.smtp.helo`*:: +*`rsa.network.domain`*:: + -- -Contents of the Helo header. - - type: keyword -- -*`zeek.smtp.mail_from`*:: +*`rsa.network.host_dst`*:: + -- -Email addresses found in the MAIL FROM header. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`zeek.smtp.rcpt_to`*:: +*`rsa.network.network_service`*:: + -- -Email addresses found in the RCPT TO header. - +This is used to capture layer 7 protocols/service names type: keyword -- -*`zeek.smtp.date`*:: +*`rsa.network.interface`*:: + -- -Contents of the Date header. 
+This key should be used when the source or destination context of an interface is not clear - -type: date +type: keyword -- -*`zeek.smtp.from`*:: +*`rsa.network.network_port`*:: + -- -Contents of the From header. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`zeek.smtp.to`*:: +*`rsa.network.eth_host`*:: + -- -Contents of the To header. - +Deprecated, use alias.mac type: keyword -- -*`zeek.smtp.cc`*:: +*`rsa.network.sinterface`*:: + -- -Contents of the CC header. - +This key should only be used when it’s a Source Interface type: keyword -- -*`zeek.smtp.reply_to`*:: +*`rsa.network.dinterface`*:: + -- -Contents of the ReplyTo header. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`zeek.smtp.msg_id`*:: +*`rsa.network.vlan`*:: + -- -Contents of the MsgID header. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`zeek.smtp.in_reply_to`*:: +*`rsa.network.zone_src`*:: + -- -Contents of the In-Reply-To header. - +This key should only be used when it’s a Source Zone. type: keyword -- -*`zeek.smtp.subject`*:: +*`rsa.network.zone`*:: + -- -Contents of the Subject header. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`zeek.smtp.x_originating_ip`*:: +*`rsa.network.zone_dst`*:: + -- -Contents of the X-Originating-IP header. - +This key should only be used when it’s a Destination Zone. type: keyword -- -*`zeek.smtp.first_received`*:: +*`rsa.network.gateway`*:: + -- -Contents of the first Received header. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`zeek.smtp.second_received`*:: +*`rsa.network.icmp_type`*:: + -- -Contents of the second Received header. 
+This key is used to capture the ICMP type only - -type: keyword +type: long -- -*`zeek.smtp.last_reply`*:: +*`rsa.network.mask`*:: + -- -The last message that the server sent to the client. - +This key is used to capture the device network IPmask. type: keyword -- -*`zeek.smtp.path`*:: +*`rsa.network.icmp_code`*:: + -- -The message transmission path, as extracted from the headers. +This key is used to capture the ICMP code only - -type: ip +type: long -- -*`zeek.smtp.user_agent`*:: +*`rsa.network.protocol_detail`*:: + -- -Value of the User-Agent header from the client. - +This key should be used to capture additional protocol information type: keyword -- -*`zeek.smtp.tls`*:: +*`rsa.network.dmask`*:: + -- -Indicates that the connection has switched to using TLS. +This key is used for Destionation Device network mask - -type: boolean +type: keyword -- -*`zeek.smtp.process_received_from`*:: +*`rsa.network.port`*:: + -- -Indicates if the "Received: from" headers should still be processed. - +This key should only be used to capture a Network Port when the directionality is not clear -type: boolean +type: long -- -*`zeek.smtp.has_client_activity`*:: +*`rsa.network.smask`*:: + -- -Indicates if client activity has been seen, but not yet logged. +This key is used for capturing source Network Mask - -type: boolean +type: keyword -- -*`zeek.smtp.fuids`*:: +*`rsa.network.netname`*:: + -- -(present if base/protocols/smtp/files.bro is loaded) -An ordered vector of file unique IDs seen attached to the message. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`zeek.smtp.is_webmail`*:: +*`rsa.network.paddr`*:: + -- -Indicates if the message was sent through a webmail interface. - +Deprecated -type: boolean +type: ip -- -[float] -=== snmp - -Fields exported by the Zeek SNMP log. 
- - - -*`zeek.snmp.duration`*:: +*`rsa.network.faddr`*:: + -- -The amount of time between the first packet beloning to the SNMP session and the latest one seen. - - -type: double +type: keyword -- -*`zeek.snmp.version`*:: +*`rsa.network.lhost`*:: + -- -The version of SNMP being used. - - type: keyword -- -*`zeek.snmp.community`*:: +*`rsa.network.origin`*:: + -- -The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. - - type: keyword -- - -*`zeek.snmp.get.requests`*:: +*`rsa.network.remote_domain_id`*:: + -- -The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.get.bulk_requests`*:: +*`rsa.network.addr`*:: + -- -The number of variable bindings in GetBulkRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.get.responses`*:: +*`rsa.network.dns_a_record`*:: + -- -The number of variable bindings in GetResponse/Response PDUs seen for the session. - - -type: integer +type: keyword -- - -*`zeek.snmp.set.requests`*:: +*`rsa.network.dns_ptr_record`*:: + -- -The number of variable bindings in SetRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.display_string`*:: +*`rsa.network.fhost`*:: + -- -A system description of the SNMP responder endpoint. - - type: keyword -- -*`zeek.snmp.up_since`*:: +*`rsa.network.fport`*:: + -- -The time at which the SNMP responder endpoint claims it's been up since. - - -type: date +type: keyword -- -[float] -=== socks - -Fields exported by the Zeek SOCKS log. - - - -*`zeek.socks.version`*:: +*`rsa.network.laddr`*:: + -- -Protocol version of SOCKS. - - -type: integer +type: keyword -- -*`zeek.socks.user`*:: +*`rsa.network.linterface`*:: + -- -Username used to request a login to the proxy. 
- - type: keyword -- -*`zeek.socks.password`*:: +*`rsa.network.phost`*:: + -- -Password used to request a login to the proxy. - - type: keyword -- -*`zeek.socks.status`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Server status for the attempt at using the proxy. - +Deprecated, use host.dst type: keyword -- - -*`zeek.socks.request.host`*:: +*`rsa.network.eth_type`*:: + -- -Client requested SOCKS address. Could be an address, a name or both. +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: keyword +type: long -- -*`zeek.socks.request.port`*:: +*`rsa.network.ip_proto`*:: + -- -Client requested port. - +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: integer +type: long -- - -*`zeek.socks.bound.host`*:: +*`rsa.network.dns_cname_record`*:: + -- -Server bound address. Could be an address, a name or both. - - type: keyword -- -*`zeek.socks.bound.port`*:: +*`rsa.network.dns_id`*:: + -- -Server bound port. - - -type: integer +type: keyword -- -*`zeek.socks.capture_password`*:: +*`rsa.network.dns_opcode`*:: + -- -Determines if the password will be captured for this request. - - -type: boolean +type: keyword -- -[float] -=== ssh - -Fields exported by the Zeek SSH log. - +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword +-- -*`zeek.ssh.client`*:: +*`rsa.network.dns_type`*:: + -- -The client's version string. +type: keyword +-- +*`rsa.network.domain1`*:: ++ +-- type: keyword -- -*`zeek.ssh.direction`*:: +*`rsa.network.host_type`*:: + -- -Direction of the connection. If the client was a local host logging into -an external host, this would be OUTBOUND. INBOUND would be set for the -opposite situation. +type: keyword +-- +*`rsa.network.packet_length`*:: ++ +-- type: keyword -- -*`zeek.ssh.host_key`*:: +*`rsa.network.host_orig`*:: + -- -The server's key thumbprint. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
type: keyword -- -*`zeek.ssh.server`*:: +*`rsa.network.rpayload`*:: + -- -The server's version string. - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`zeek.ssh.version`*:: +*`rsa.network.vlan_name`*:: + -- -SSH major version (1 or 2). +This key should only be used to capture the name of the Virtual LAN - -type: integer +type: keyword -- -[float] -=== algorithm -Cipher algorithms used in this session. +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) +type: keyword +-- -*`zeek.ssh.algorithm.cipher`*:: +*`rsa.investigations.ec_theme`*:: + -- -The encryption algorithm in use. - +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`zeek.ssh.algorithm.compression`*:: +*`rsa.investigations.ec_subject`*:: + -- -The compression algorithm in use. - +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`zeek.ssh.algorithm.host_key`*:: +*`rsa.investigations.ec_outcome`*:: + -- -The server host key's algorithm. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`zeek.ssh.algorithm.key_exchange`*:: +*`rsa.investigations.event_cat`*:: + -- -The key exchange algorithm in use. - +This key captures the Event category number -type: keyword +type: long -- -*`zeek.ssh.algorithm.mac`*:: +*`rsa.investigations.event_cat_name`*:: + -- -The signing (MAC) algorithm in use. - +This key captures the event category name corresponding to the event cat code type: keyword -- - -*`zeek.ssh.auth.attempts`*:: +*`rsa.investigations.event_vcat`*:: + -- -The number of authentication attemps we observed. There's always at -least one, since some servers might support no authentication at all. -It's important to note that not all of these are failures, since some -servers require two-factor auth (e.g. password AND pubkey). - +This is a vendor supplied category. 
This should be used in situations where the vendor has adopted their own event_category taxonomy. -type: integer +type: keyword -- -*`zeek.ssh.auth.success`*:: +*`rsa.investigations.analysis_file`*:: + -- -Authentication result. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: boolean +type: keyword -- -[float] -=== ssl - -Fields exported by the Zeek SSL log. +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +type: keyword +-- -*`zeek.ssl.version`*:: +*`rsa.investigations.analysis_session`*:: + -- -SSL/TLS version that was logged. - +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -- -*`zeek.ssl.cipher`*:: +*`rsa.investigations.boc`*:: + -- -SSL/TLS cipher suite that was logged. - +This is used to capture behaviour of compromise type: keyword -- -*`zeek.ssl.curve`*:: +*`rsa.investigations.eoc`*:: + -- -Elliptic curve that was logged when using ECDH/ECDHE. - +This is used to capture Enablers of Compromise type: keyword -- -*`zeek.ssl.resumed`*:: +*`rsa.investigations.inv_category`*:: + -- -Flag to indicate if the session was resumed reusing the key material exchanged in an -earlier connection. - +This used to capture investigation category -type: boolean +type: keyword -- -*`zeek.ssl.next_protocol`*:: +*`rsa.investigations.inv_context`*:: + -- -Next protocol the server chose using the application layer next protocol extension. - +This used to capture investigation context type: keyword -- -*`zeek.ssl.established`*:: +*`rsa.investigations.ioc`*:: + -- -Flag to indicate if this ssl session has been established successfully. 
- +This is key capture indicator of compromise -type: boolean +type: keyword -- -*`zeek.ssl.validation.status`*:: +*`rsa.counters.dclass_c1`*:: + -- -Result of certificate validation for this connection. +This is a generic counter key that should be used with the label dclass.c1.str only - -type: keyword +type: long -- -*`zeek.ssl.validation.code`*:: +*`rsa.counters.dclass_c2`*:: + -- -Result of certificate validation for this connection, given as OpenSSL validation code. - +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`zeek.ssl.last_alert`*:: +*`rsa.counters.event_counter`*:: + -- -Last alert that was seen during the connection. +This is used to capture the number of times an event repeated - -type: keyword +type: long -- - -*`zeek.ssl.server.name`*:: +*`rsa.counters.dclass_r1`*:: + -- -Value of the Server Name Indicator SSL/TLS extension. It indicates the server name -that the client was requesting. - +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`zeek.ssl.server.cert_chain`*:: +*`rsa.counters.dclass_c3`*:: + -- -Chain of certificates offered by the server to validate its complete signing chain. +This is a generic counter key that should be used with the label dclass.c3.str only - -type: keyword +type: long -- -*`zeek.ssl.server.cert_chain_fuids`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the server. - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -[float] -=== issuer - -Subject of the signer of the X.509 certificate offered by the server. 
+*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only +type: keyword +-- -*`zeek.ssl.server.issuer.common_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Common name of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`zeek.ssl.server.issuer.country`*:: +*`rsa.counters.dclass_r2`*:: + -- -Country code of the signer of the X.509 certificate offered by the server. - +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`zeek.ssl.server.issuer.locality`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Locality of the signer of the X.509 certificate offered by the server. - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`zeek.ssl.server.issuer.organization`*:: +*`rsa.counters.dclass_r3`*:: + -- -Organization of the signer of the X.509 certificate offered by the server. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`zeek.ssl.server.issuer.organizational_unit`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`zeek.ssl.server.issuer.state`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -State or province name of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -[float] -=== subject -Subject of the X.509 certificate offered by the server. 
+*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only +type: keyword +-- -*`zeek.ssl.server.subject.common_name`*:: +*`rsa.identity.user_role`*:: + -- -Common name of the X.509 certificate offered by the server. - +This key is used to capture the Role of a user only type: keyword -- -*`zeek.ssl.server.subject.country`*:: +*`rsa.identity.dn`*:: + -- -Country code of the X.509 certificate offered by the server. - +X.500 (LDAP) Distinguished Name type: keyword -- -*`zeek.ssl.server.subject.locality`*:: +*`rsa.identity.logon_type`*:: + -- -Locality of the X.509 certificate offered by the server. - +This key is used to capture the type of logon method used. type: keyword -- -*`zeek.ssl.server.subject.organization`*:: +*`rsa.identity.profile`*:: + -- -Organization of the X.509 certificate offered by the server. - +This key is used to capture the user profile type: keyword -- -*`zeek.ssl.server.subject.organizational_unit`*:: +*`rsa.identity.accesses`*:: + -- -Organizational unit of the X.509 certificate offered by the server. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`zeek.ssl.server.subject.state`*:: +*`rsa.identity.realm`*:: + -- -State or province name of the X.509 certificate offered by the server. - +Radius realm or similar grouping of accounts type: keyword -- - -*`zeek.ssl.client.cert_chain`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Chain of certificates offered by the client to validate its complete signing chain. - +This key captures Destination User Session ID type: keyword -- -*`zeek.ssl.client.cert_chain_fuids`*:: +*`rsa.identity.dn_src`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the client. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -[float] -=== issuer - -Subject of the signer of the X.509 certificate offered by the client. 
+*`rsa.identity.org`*:: ++ +-- +This key captures the User organization +type: keyword +-- -*`zeek.ssl.client.issuer.common_name`*:: +*`rsa.identity.dn_dst`*:: + -- -Common name of the signer of the X.509 certificate offered by the client. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`zeek.ssl.client.issuer.country`*:: +*`rsa.identity.firstname`*:: + -- -Country code of the signer of the X.509 certificate offered by the client. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.issuer.locality`*:: +*`rsa.identity.lastname`*:: + -- -Locality of the signer of the X.509 certificate offered by the client. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.issuer.organization`*:: +*`rsa.identity.user_dept`*:: + -- -Organization of the signer of the X.509 certificate offered by the client. - +User's Department Names only type: keyword -- -*`zeek.ssl.client.issuer.organizational_unit`*:: +*`rsa.identity.user_sid_src`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the client. - +This key captures Source User Session ID type: keyword -- -*`zeek.ssl.client.issuer.state`*:: +*`rsa.identity.federated_sp`*:: + -- -State or province name of the signer of the X.509 certificate offered by the client. - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -[float] -=== subject - -Subject of the X.509 certificate offered by the client. +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. +type: keyword +-- -*`zeek.ssl.client.subject.common_name`*:: +*`rsa.identity.logon_type_desc`*:: + -- -Common name of the X.509 certificate offered by the client. 
- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -*`zeek.ssl.client.subject.country`*:: +*`rsa.identity.middlename`*:: + -- -Country code of the X.509 certificate offered by the client. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.subject.locality`*:: +*`rsa.identity.password`*:: + -- -Locality of the X.509 certificate offered by the client. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`zeek.ssl.client.subject.organization`*:: +*`rsa.identity.host_role`*:: + -- -Organization of the X.509 certificate offered by the client. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`zeek.ssl.client.subject.organizational_unit`*:: +*`rsa.identity.ldap`*:: + -- -Organizational unit of the X.509 certificate offered by the client. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`zeek.ssl.client.subject.state`*:: +*`rsa.identity.ldap_query`*:: + -- -State or province name of the X.509 certificate offered by the client. - +This key is the Search criteria from an LDAP search type: keyword -- -[float] -=== stats - -Fields exported by the Zeek stats log. +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search +type: keyword +-- -*`zeek.stats.peer`*:: +*`rsa.identity.owner`*:: + -- -Peer that generated this log. Mostly for clusters. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`zeek.stats.memory`*:: +*`rsa.identity.service_account`*:: + -- -Amount of memory currently in use in MB. - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage -type: integer +type: keyword -- -*`zeek.stats.packets.processed`*:: +*`rsa.email.email_dst`*:: + -- -Number of packets processed since the last stats interval. +This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: long +type: keyword -- -*`zeek.stats.packets.dropped`*:: +*`rsa.email.email_src`*:: + -- -Number of packets dropped since the last stats interval if reading live traffic. - +This key is used to capture the source email address only, when the source context is not clear use email -type: long +type: keyword -- -*`zeek.stats.packets.received`*:: +*`rsa.email.subject`*:: + -- -Number of packets seen on the link since the last stats interval if reading live traffic. +This key is used to capture the subject string from an Email only. - -type: long +type: keyword -- - -*`zeek.stats.bytes.received`*:: +*`rsa.email.email`*:: + -- -Number of bytes received since the last stats interval if reading live traffic. +This key is used to capture a generic email address where the source or destination context is not clear - -type: long +type: keyword -- - - -*`zeek.stats.connections.tcp.active`*:: +*`rsa.email.trans_from`*:: + -- -TCP connections currently in memory. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`zeek.stats.connections.tcp.count`*:: +*`rsa.email.trans_to`*:: + -- -TCP connections seen since last stats interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.stats.connections.udp.active`*:: +*`rsa.file.privilege`*:: + -- -UDP connections currently in memory. - +Deprecated, use permissions -type: integer +type: keyword -- -*`zeek.stats.connections.udp.count`*:: +*`rsa.file.attachment`*:: + -- -UDP connections seen since last stats interval. 
+This key captures the attachment file name - -type: integer +type: keyword -- - -*`zeek.stats.connections.icmp.active`*:: +*`rsa.file.filesystem`*:: + -- -ICMP connections currently in memory. - - -type: integer +type: keyword -- -*`zeek.stats.connections.icmp.count`*:: +*`rsa.file.binary`*:: + -- -ICMP connections seen since last stats interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- - -*`zeek.stats.events.processed`*:: +*`rsa.file.filename_dst`*:: + -- -Number of events processed since the last stats interval. +This is used to capture name of the file targeted by the action - -type: integer +type: keyword -- -*`zeek.stats.events.queued`*:: +*`rsa.file.filename_src`*:: + -- -Number of events that have been queued since the last stats interval. +This is used to capture name of the parent filename, the file which performed the action +type: keyword -type: integer +-- +*`rsa.file.filename_tmp`*:: ++ -- +type: keyword +-- -*`zeek.stats.timers.count`*:: +*`rsa.file.directory_dst`*:: + -- -Number of timers scheduled since last stats interval. - +This key is used to capture the directory of the target process or file -type: integer +type: keyword -- -*`zeek.stats.timers.active`*:: +*`rsa.file.directory_src`*:: + -- -Current number of scheduled timers. +This key is used to capture the directory of the source process or file +type: keyword -type: integer +-- +*`rsa.file.file_entropy`*:: ++ -- +This is used to capture entropy vale of a file +type: double -*`zeek.stats.files.count`*:: -+ -- -Number of files seen since last stats interval. +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info -type: integer +type: keyword -- -*`zeek.stats.files.active`*:: +*`rsa.file.task_name`*:: + -- -Current number of files actively being seen. 
+This is used to capture name of the task - -type: integer +type: keyword -- -*`zeek.stats.dns_requests.count`*:: +*`rsa.web.fqdn`*:: + -- -Number of DNS requests seen since last stats interval. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`zeek.stats.dns_requests.active`*:: +*`rsa.web.web_cookie`*:: + -- -Current number of DNS requests awaiting a reply. +This key is used to capture the Web cookies specifically. +type: keyword -type: integer +-- +*`rsa.web.alias_host`*:: ++ -- +type: keyword +-- -*`zeek.stats.reassembly_size.tcp`*:: +*`rsa.web.reputation_num`*:: + -- -Current size of TCP data in reassembly. +Reputation Number of an entity. Typically used for Web Domains - -type: integer +type: double -- -*`zeek.stats.reassembly_size.file`*:: +*`rsa.web.web_ref_domain`*:: + -- -Current size of File data in reassembly. - +Web referer's domain -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.frag`*:: +*`rsa.web.web_ref_query`*:: + -- -Current size of packet fragment data in reassembly. +This key captures Web referer's query portion of the URL - -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.unknown`*:: +*`rsa.web.remote_domain`*:: + -- -Current size of unknown data in reassembly (this is only PIA buffer right now). - - -type: integer +type: keyword -- -*`zeek.stats.timestamp_lag`*:: +*`rsa.web.web_ref_page`*:: + -- -Lag between the wall clock and packet timestamps if reading live traffic. - +This key captures Web referer's page information -type: integer +type: keyword -- -[float] -=== syslog - -Fields exported by the Zeek syslog log. +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path +type: keyword +-- -*`zeek.syslog.facility`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Syslog facility for the message. - - type: keyword -- -*`zeek.syslog.severity`*:: +*`rsa.web.cn_rpackets`*:: + -- -Syslog severity for the message. 
+type: keyword +-- +*`rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`zeek.syslog.message`*:: +*`rsa.web.urlroot`*:: + -- -The plain text message. +type: keyword +-- +*`rsa.web.p_url`*:: ++ +-- type: keyword -- -[float] -=== tunnel +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword -Fields exported by the Zeek SSH log. +-- +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword +-- -*`zeek.tunnel.type`*:: +*`rsa.web.p_web_method`*:: + -- -The type of tunnel. +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`zeek.tunnel.action`*:: +*`rsa.web.web_extension_tmp`*:: + -- -The type of activity that occurred. +type: keyword +-- +*`rsa.web.web_page`*:: ++ +-- type: keyword -- -[float] -=== weird -Fields exported by the Zeek Weird log. +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert +type: keyword +-- -*`zeek.weird.name`*:: +*`rsa.threat.threat_desc`*:: + -- -The name of the weird that occurred. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`zeek.weird.additional_info`*:: +*`rsa.threat.alert`*:: + -- -Additional information accompanying the weird if any. - +This key is used to capture name of the alert type: keyword -- -*`zeek.weird.notice`*:: +*`rsa.threat.threat_source`*:: + -- -Indicate if this weird was also turned into a notice. +This key is used to capture source of the threat - -type: boolean +type: keyword -- -*`zeek.weird.peer`*:: + +*`rsa.crypto.crypto`*:: + -- -The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. - +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`zeek.weird.identifier`*:: +*`rsa.crypto.cipher_src`*:: + -- -This field is to be provided when a weird is generated for the purpose of deduplicating weirds. 
The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. - +This key is for Source (Client) Cipher type: keyword -- -[float] -=== x509 - -Fields exported by the Zeek x509 log. +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only +type: keyword +-- -*`zeek.x509.id`*:: +*`rsa.crypto.peer`*:: + -- -File id of this certificate. - +This key is for Encryption peer's IP Address type: keyword -- -[float] -=== certificate - -Basic information about the certificate. +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size +type: long +-- -*`zeek.x509.certificate.version`*:: +*`rsa.crypto.ike`*:: + -- -Version number. - +IKE negotiation phase. -type: integer +type: keyword -- -*`zeek.x509.certificate.serial`*:: +*`rsa.crypto.scheme`*:: + -- -Serial number. - +This key captures the Encryption scheme used type: keyword -- -[float] -=== subject - -Subject. +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity +type: keyword +-- -*`zeek.x509.certificate.subject.country`*:: +*`rsa.crypto.sig_type`*:: + -- -Country provided in the certificate subject. - +This key captures the Signature Type type: keyword -- -*`zeek.x509.certificate.subject.common_name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Common name provided in the certificate subject. - - type: keyword -- -*`zeek.x509.certificate.subject.locality`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Locality provided in the certificate subject. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.x509.certificate.subject.organization`*:: +*`rsa.crypto.cert_error`*:: + -- -Organization provided in the certificate subject. 
- +This key captures the Certificate Error String type: keyword -- -*`zeek.x509.certificate.subject.organizational_unit`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Organizational unit provided in the certificate subject. - +This key is for Destination (Server) Cipher type: keyword -- -*`zeek.x509.certificate.subject.state`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -State or province provided in the certificate subject. +This key captures Destination (Server) Cipher Size +type: long -type: keyword +-- +*`rsa.crypto.ssl_ver_src`*:: ++ -- +Deprecated, use version -[float] -=== issuer +type: keyword -Issuer. +-- +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword +-- -*`zeek.x509.certificate.issuer.country`*:: +*`rsa.crypto.s_certauth`*:: + -- -Country provided in the certificate issuer field. +type: keyword + +-- +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`zeek.x509.certificate.issuer.common_name`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Common name provided in the certificate issuer field. - +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -*`zeek.x509.certificate.issuer.locality`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Locality provided in the certificate issuer field. +type: keyword + +-- +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate type: keyword -- -*`zeek.x509.certificate.issuer.organization`*:: +*`rsa.crypto.cert_serial`*:: + -- -Organization provided in the certificate issuer field. - +This key is used to capture the Certificate serial number only type: keyword -- -*`zeek.x509.certificate.issuer.organizational_unit`*:: +*`rsa.crypto.cert_status`*:: + -- -Organizational unit provided in the certificate issuer field. - +This key captures Certificate validation status type: keyword -- -*`zeek.x509.certificate.issuer.state`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -State or province provided in the certificate issuer field. 
- +Deprecated, use version type: keyword -- -*`zeek.x509.certificate.common_name`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Last (most specific) common name. +type: keyword +-- +*`rsa.crypto.cert_username`*:: ++ +-- type: keyword -- -[float] -=== valid +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword -Certificate validity timestamps +-- +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword +-- -*`zeek.x509.certificate.valid.from`*:: +*`rsa.crypto.cert_ca`*:: + -- -Timestamp before when certificate is not valid. - +This key is used to capture the Certificate signing authority only -type: date +type: keyword -- -*`zeek.x509.certificate.valid.until`*:: +*`rsa.crypto.cert_common`*:: + -- -Timestamp after when certificate is not valid. +This key is used to capture the Certificate common name only - -type: date +type: keyword -- -*`zeek.x509.certificate.key.algorithm`*:: +*`rsa.wireless.wlan_ssid`*:: + -- -Name of the key algorithm. - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`zeek.x509.certificate.key.type`*:: +*`rsa.wireless.access_point`*:: + -- -Key type, if key parseable by openssl (either rsa, dsa or ec). - +This key is used to capture the access point name. type: keyword -- -*`zeek.x509.certificate.key.length`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Key length in bits. - +This is used to capture the channel names -type: integer +type: long -- -*`zeek.x509.certificate.signature_algorithm`*:: +*`rsa.wireless.wlan_name`*:: + -- -Name of the signature algorithm. - +This key captures either WLAN number/name type: keyword -- -*`zeek.x509.certificate.exponent`*:: + +*`rsa.storage.disk_volume`*:: + -- -Exponent, if RSA-certificate. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`zeek.x509.certificate.curve`*:: +*`rsa.storage.lun`*:: + -- -Curve, if EC-certificate. - +Logical Unit Number.This key is a very useful concept in Storage. 
type: keyword -- -[float] -=== san +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. -Subject alternative name extension of the certificate. +type: keyword +-- -*`zeek.x509.san.dns`*:: +*`rsa.physical.org_dst`*:: + -- -List of DNS entries in SAN. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`zeek.x509.san.uri`*:: +*`rsa.physical.org_src`*:: + -- -List of URI entries in SAN. - +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`zeek.x509.san.email`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -List of email entries in SAN. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.x509.san.ip`*:: +*`rsa.healthcare.patient_id`*:: + -- -List of IP entries in SAN. - +This key captures the unique ID for a patient -type: ip +type: keyword -- -*`zeek.x509.san.other_fields`*:: +*`rsa.healthcare.patient_lname`*:: + -- -True if the certificate contained other, not recognized or parsed name fields. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: boolean +type: keyword -- -[float] -=== basic_constraints +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -Basic constraints extension of the certificate. +type: keyword +-- -*`zeek.x509.basic_constraints.certificate_authority`*:: +*`rsa.endpoint.host_state`*:: + -- -CA flag set or not. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: boolean +type: keyword -- -*`zeek.x509.basic_constraints.path_length`*:: +*`rsa.endpoint.registry_key`*:: + -- -Maximum path length. 
- +This key captures the path to the registry key -type: integer +type: keyword -- -*`zeek.x509.log_cert`*:: +*`rsa.endpoint.registry_value`*:: + -- -Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded -Logging of certificate is suppressed if set to F. - +This key captures values or decorators used within a registry entry -type: boolean +type: keyword -- diff --git a/filebeat/docs/modules/barracuda.asciidoc b/filebeat/docs/modules/barracuda.asciidoc new file mode 100644 index 00000000000..5929c50d7d4 --- /dev/null +++ b/filebeat/docs/modules/barracuda.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-barracuda]] +[role="xpack"] + +:modulename: barracuda +:has-dashboards: false + +== Barracuda module + +experimental[] + +This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: waf + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `waf` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9503` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/bluecoat.asciidoc b/filebeat/docs/modules/bluecoat.asciidoc new file mode 100644 index 00000000000..753db835b54 --- /dev/null +++ b/filebeat/docs/modules/bluecoat.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-bluecoat]] +[role="xpack"] + +:modulename: bluecoat +:has-dashboards: false + +== Bluecoat module + +experimental[] + +This is a module for receiving Blue Coat Director logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: director + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `director` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9505` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index 5405762bbe4..c072057cd22 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -300,6 +300,51 @@ include::../include/timezone-support.asciidoc[] :fileset_ex!: +[float] +==== `nexus` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9506` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] [[dynamic-script-compilations]] === Dynamic Script Compilations diff --git a/filebeat/docs/modules/citrix.asciidoc b/filebeat/docs/modules/citrix.asciidoc new file mode 100644 index 00000000000..ab0ade1561d --- /dev/null +++ b/filebeat/docs/modules/citrix.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-citrix]] +[role="xpack"] + +:modulename: citrix +:has-dashboards: false + +== Citrix module + +experimental[] + +This is a module for receiving Citrix XenApp logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: virtualapps + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `virtualapps` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9507` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/cylance.asciidoc b/filebeat/docs/modules/cylance.asciidoc new file mode 100644 index 00000000000..1e27640f8df --- /dev/null +++ b/filebeat/docs/modules/cylance.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cylance]] +[role="xpack"] + +:modulename: cylance +:has-dashboards: false + +== Cylance module + +experimental[] + +This is a module for receiving CylanceProtect logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: protect + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `protect` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9508` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc new file mode 100644 index 00000000000..e0f69dbffac --- /dev/null +++ b/filebeat/docs/modules/f5.asciidoc 
@@ -0,0 +1,124 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-f5]] +[role="xpack"] + +:modulename: f5 +:has-dashboards: false + +== F5 module + +experimental[] + +This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: bigipapm + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `bigipapm` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9504` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `firepass` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. 
+ +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9509` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc index 47a421ca2f2..cef820bd0bb 100644 --- a/filebeat/docs/modules/fortinet.asciidoc +++ b/filebeat/docs/modules/fortinet.asciidoc 
@@ -64,6 +64,53 @@ A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`. +:fileset_ex!: + +[float] +==== `clientendpoint` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9510` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== Fortinet ECS fields diff --git a/filebeat/docs/modules/imperva.asciidoc b/filebeat/docs/modules/imperva.asciidoc new file mode 100644 index 00000000000..7aa882cca43 --- /dev/null +++ b/filebeat/docs/modules/imperva.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-imperva]] +[role="xpack"] + +:modulename: imperva +:has-dashboards: false + +== Imperva module + +experimental[] + +This is a module for receiving Imperva SecureSphere logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: securesphere + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `securesphere` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9511` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/infoblox.asciidoc b/filebeat/docs/modules/infoblox.asciidoc new file mode 100644 index 00000000000..17a789383c3 --- /dev/null +++ b/filebeat/docs/modules/infoblox.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-infoblox]] +[role="xpack"] + +:modulename: infoblox +:has-dashboards: false + +== Infoblox module + +experimental[] + +This is a module for receiving Infoblox NIOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nios + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nios` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9512` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc new file mode 100644 index 00000000000..68d0fb7d52f --- /dev/null +++ b/filebeat/docs/modules/juniper.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-juniper]] +[role="xpack"] + +:modulename: juniper +:has-dashboards: false + +== Juniper module + +experimental[] + +This is a module for receiving Juniper JUNOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: junos + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `junos` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9513` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/kaspersky.asciidoc b/filebeat/docs/modules/kaspersky.asciidoc new file mode 100644 index 00000000000..864adc6f859 --- /dev/null +++ b/filebeat/docs/modules/kaspersky.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-kaspersky]] +[role="xpack"] + +:modulename: kaspersky +:has-dashboards: false + +== Kaspersky module + +experimental[] + +This is a module for receiving Kaspersky Anti-Virus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: av + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `av` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "kasperskyav" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9514` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc new file mode 100644 index 00000000000..d58edefe56c --- /dev/null +++ b/filebeat/docs/modules/microsoft.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-microsoft]] +[role="xpack"] + +:modulename: microsoft +:has-dashboards: false + +== Microsoft module + +experimental[] + +This is a module for receiving Microsoft DHCP logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: dhcp + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `dhcp` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9515` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/netscout.asciidoc b/filebeat/docs/modules/netscout.asciidoc new file mode 100644 index 00000000000..d53fec8c56e --- /dev/null +++ b/filebeat/docs/modules/netscout.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-netscout]] +[role="xpack"] + +:modulename: netscout +:has-dashboards: false + +== Netscout module + +experimental[] + +This is a module for receiving Arbor Peakflow SP logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: sightline + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `sightline` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" device revision 109. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9502` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/radware.asciidoc b/filebeat/docs/modules/radware.asciidoc new file mode 100644 index 00000000000..4531c23d470 --- /dev/null +++ b/filebeat/docs/modules/radware.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-radware]] +[role="xpack"] + +:modulename: radware +:has-dashboards: false + +== Radware module + +experimental[] + +This is a module for receiving Radware DefensePro logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: defensepro + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `defensepro` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9518` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/rapid7.asciidoc b/filebeat/docs/modules/rapid7.asciidoc new file mode 100644 index 00000000000..a74bdaa2dcd --- /dev/null +++ b/filebeat/docs/modules/rapid7.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-rapid7]] +[role="xpack"] + +:modulename: rapid7 +:has-dashboards: false + +== Rapid7 module + +experimental[] + +This is a module for receiving Rapid7 NeXpose logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nexpose + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nexpose` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nexpose" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9517` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc new file mode 100644 index 00000000000..d1a8f65838c --- /dev/null +++ b/filebeat/docs/modules/sonicwall.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sonicwall]] +[role="xpack"] + +:modulename: sonicwall +:has-dashboards: false + +== Sonicwall module + +experimental[] + +This is a module for receiving Sonicwall-FW logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9519` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/squid.asciidoc b/filebeat/docs/modules/squid.asciidoc new file mode 100644 index 00000000000..187eed663b2 --- /dev/null +++ b/filebeat/docs/modules/squid.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-squid]] +[role="xpack"] + +:modulename: squid +:has-dashboards: false + +== Squid module + +experimental[] + +This is a module for receiving Squid logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9520` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/tenable.asciidoc b/filebeat/docs/modules/tenable.asciidoc new file mode 100644 index 00000000000..ec8a168d19d --- /dev/null +++ b/filebeat/docs/modules/tenable.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-tenable]] +[role="xpack"] + +:modulename: tenable +:has-dashboards: false + +== Tenable module + +experimental[] + +This is a module for receiving Tenable Network Security Nessus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nessus_security + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nessus_security` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nessusvs" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9516` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/tomcat.asciidoc b/filebeat/docs/modules/tomcat.asciidoc new file mode 100644 index 00000000000..7a46670144d --- /dev/null +++ b/filebeat/docs/modules/tomcat.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-tomcat]] +[role="xpack"] + +:modulename: tomcat +:has-dashboards: false + +== Tomcat module + +experimental[] + +This is a module for receiving Apache Tomcat logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9501` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/zscaler.asciidoc b/filebeat/docs/modules/zscaler.asciidoc new file mode 100644 index 00000000000..f969982851e --- /dev/null +++ b/filebeat/docs/modules/zscaler.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-zscaler]] +[role="xpack"] + +:modulename: zscaler +:has-dashboards: false + +== Zscaler module + +experimental[] + +This is a module for receiving Zscaler NSS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: zia + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `zia` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9521` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 2fad0a66105..345ee94ce87 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -8,13 +8,18 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> * <> * <> + * <> * <> * <> + * <> * <> * <> + * <> * <> * <> * <> @@ -22,16 +27,22 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> + * <> * <> + * <> * <> * <> + * <> * <> * <> * <> * <> * <> * <> + * <> * <> * <> * <> @@ -39,12 +50,19 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> * <> + * <> + * <> * <> * <> + * <> + * <> * <> * <> + * <> -- @@ -55,13 +73,18 @@ include::modules/apache.asciidoc[] include::modules/auditd.asciidoc[] include::modules/aws.asciidoc[] include::modules/azure.asciidoc[] +include::modules/barracuda.asciidoc[] +include::modules/bluecoat.asciidoc[] include::modules/cef.asciidoc[] include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] +include::modules/citrix.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] +include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] +include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/googlecloud.asciidoc[] include::modules/gsuite.asciidoc[] 
@@ -69,16 +92,22 @@ include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] include::modules/iis.asciidoc[] +include::modules/imperva.asciidoc[] +include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] +include::modules/juniper.asciidoc[] include::modules/kafka.asciidoc[] +include::modules/kaspersky.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] +include::modules/microsoft.asciidoc[] include::modules/misp.asciidoc[] include::modules/mongodb.asciidoc[] include::modules/mssql.asciidoc[] include::modules/mysql.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] +include::modules/netscout.asciidoc[] include::modules/nginx.asciidoc[] include::modules/o365.asciidoc[] include::modules/okta.asciidoc[] @@ -86,9 +115,16 @@ include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/rabbitmq.asciidoc[] +include::modules/radware.asciidoc[] +include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] +include::modules/sonicwall.asciidoc[] +include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] +include::modules/tenable.asciidoc[] +include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] +include::modules/zscaler.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 7af1ee43ef7..853eec3f827 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -334,6 +334,48 @@ filebeat.modules: # storage_account: "" # storage_account_key: "" +#------------------ Barracuda Web Application Firewall Module ------------------ +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#-------------------------- Blue Coat Director Module -------------------------- +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #--------------------------------- CEF Module --------------------------------- - module: cef log: 
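Review bot: The new `barracuda` and `bluecoat` entries ship `enabled: true` with the default `udp` input, and the only guidance on `var.syslog_host` is the `localhost` default; a reader who follows the companion docs' advice to bind to `0.0.0.0` ends up with an unauthenticated plaintext syslog listener and nothing here says it must be firewalled or restricted to the forwarding device. I would add under each `# var.syslog_host: localhost` line: `# Binding to 0.0.0.0 exposes an unauthenticated listener; restrict it to the log source's network or front it with a TLS-capable relay.` The `var.tz_offset` comment offers `"local"` as the default value, while the fileset docs added elsewhere in this patch describe valid values only as ±HH:mm, so one of the two should be brought in line. If this file is generated from each module's config fragment, both fixes belong in the fragment rather than here.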
@@ -412,6 +454,46 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Citrix XenApp Module ---------------------------- +- module: citrix + virtualapps: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9507 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Coredns Module ------------------------------- - module: coredns # Fileset for native deployment 
@@ -432,6 +514,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- CylanceProtect Module ---------------------------- +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #---------------------------- Elasticsearch Module ---------------------------- - module: elasticsearch # Server log @@ -476,6 +579,46 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------- Big-IP Access Policy Manager Module --------------------- +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + firepass: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9509 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: 
@@ -491,6 +634,25 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #----------------------------- Google Cloud Module ----------------------------- - module: googlecloud vpcflow: @@ -642,6 +804,48 @@ filebeat.modules: # can be added under this section. #input: +#------------------------- Imperva SecureSphere Module ------------------------- +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Infoblox NIOS Module ---------------------------- +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Iptables Module ------------------------------- - module: iptables log: 
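Review bot: The new `clientendpoint` fileset uses a different comment style from the `firewall` fileset it sits beside in the same `fortinet` module: the existing lines read `#var.syslog_port: 9004` preceded by a prose sentence stating the default, while the added block uses `# var.syslog_port: 9510` with a terse header comment. Within one module block the two filesets should read the same; either rewrite the added lines as `#var.input: udp`, `#var.syslog_host: localhost`, `#var.syslog_port: 9510` in the existing style, or keep the generated style and normalize the `firewall` lines in a follow-up. The `firewall` fileset's `enabled:` line is outside the hunk, so whether the two filesets agree on that default cannot be checked from here. If this block is produced from a template, the style choice should be made in the template so every converted fileset matches.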
@@ -654,6 +858,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- Juniper JUNOS Module ---------------------------- +- module: juniper + junos: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9513 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs @@ -668,6 +893,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------- Kaspersky Anti-Virus Module ------------------------- +- module: kaspersky + av: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9514 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Kibana Module -------------------------------- - module: kibana # All logs 
@@ -696,6 +942,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- Microsoft DHCP Module ---------------------------- +- module: microsoft + dhcp: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9515 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #--------------------------------- MISP Module --------------------------------- - module: misp threat: @@ -783,6 +1050,27 @@ filebeat.modules: netflow_host: localhost netflow_port: 2055 +#-------------------------- Arbor Peakflow SP Module -------------------------- +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Nginx Module -------------------------------- #- module: nginx # Access logs 
@@ -923,6 +1211,48 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] +#-------------------------- Radware DefensePro Module -------------------------- +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Rapid7 NeXpose Module ---------------------------- +- module: rapid7 + nexpose: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9517 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Redis Module -------------------------------- #- module: redis # Main logs 
@@ -951,6 +1281,48 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: +#----------------------------- Sonicwall-FW Module ----------------------------- +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#-------------------------------- Squid Module -------------------------------- +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Suricata Module ------------------------------- - module: suricata # All logs 
@@ -961,6 +1333,48 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------- Tenable Network Security Nessus Module -------------------
+- module: tenable
+  nessus_security:
+    enabled: true
+
+    # Set which input to use between udp (default), tcp or file.
+    # var.input: udp
+    # var.syslog_host: localhost
+    # var.syslog_port: 9516
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+
+    # Toggle output of non-ECS fields (default true).
+    # var.rsa_fields: true
+
+    # Set custom timezone offset.
+    # "local" (default) for system timezone.
+    # "+02:00" for GMT+02:00
+    # var.tz_offset: local
+
+#---------------------------- Apache Tomcat Module ----------------------------
+- module: tomcat
+  log:
+    enabled: true
+
+    # Set which input to use between udp (default), tcp or file.
+    # var.input: udp
+    # var.syslog_host: localhost
+    # var.syslog_port: 9501
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+
+    # Toggle output of non-ECS fields (default true).
+    # var.rsa_fields: true
+
+    # Set custom timezone offset.
+    # "local" (default) for system timezone.
+    # "+02:00" for GMT+02:00
+    # var.tz_offset: local
+
 #------------------------------- Traefik Module -------------------------------
 #- module: traefik
   # Access logs
@@ -1056,6 +1470,27 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#----------------------------- Zscaler NSS Module -----------------------------
+- module: zscaler
+  zia:
+    enabled: true
+
+    # Set which input to use between udp (default), tcp or file.
+    # var.input: udp
+    # var.syslog_host: localhost
+    # var.syslog_port: 9521
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+
+    # Toggle output of non-ECS fields (default true).
+    # var.rsa_fields: true
+
+    # Set custom timezone offset.
+    # "local" (default) for system timezone.
+    # "+02:00" for GMT+02:00
+    # var.tz_offset: local
+
 
 #=========================== Filebeat inputs =============================
 
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index 7d20d33952d..1e2831bb599 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -18,25 +18,43 @@ import (
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/activemq"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/aws"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/azure"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/barracuda"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/bluecoat"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/cef"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/checkpoint"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/citrix"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/googlecloud"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/juniper"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/kaspersky"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/microsoft"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/netscout"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef"
 )
diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md
new file mode 100644
index 00000000000..1abdf86578e
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/README.md
@@ -0,0 +1,7 @@
+# barracuda module
+
+This is a module for Barracuda Web Application Firewall logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132
+at 2020-07-07 18:10:41.17065 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml
new file mode 100644
index 00000000000..12971cecc2a
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: barracuda
+  waf:
+    enabled: true
+
+    # Set which input to use between udp (default), tcp or file.
+    # var.input: udp
+    # var.syslog_host: localhost
+    # var.syslog_port: 9503
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+
+    # Toggle output of non-ECS fields (default true).
+    # var.rsa_fields: true
+
+    # Set custom timezone offset.
+    # "local" (default) for system timezone.
+    # "+02:00" for GMT+02:00
+    # var.tz_offset: local
diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
new file mode 100644
index 00000000000..5ebc34fa334
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: barracuda
+:has-dashboards: false
+
+== Barracuda module
+
+experimental[]
+
+This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: waf
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `waf` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9503`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/barracuda/_meta/fields.yml b/x-pack/filebeat/module/barracuda/_meta/fields.yml
new file mode 100644
index 00000000000..c12b3acd69f
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: barracuda
+  title: Barracuda Web Application Firewall
+  description: >
+    barracuda fields.
+  fields:
diff --git a/x-pack/filebeat/module/barracuda/fields.go b/x-pack/filebeat/module/barracuda/fields.go
new file mode 100644
index 00000000000..8d0ab20845b
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package barracuda
+
+import (
+	"github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+	if err := asset.SetFields("filebeat", "barracuda", asset.ModuleFieldsPri, AssetBarracuda); err != nil {
+		panic(err)
+	}
+}
+
+// AssetBarracuda returns asset data.
+// This is the base64 encoded gzipped contents of module/barracuda.
+func AssetBarracuda() string {
+	return "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"
+}
diff --git a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml new file mode 100644 index 00000000000..30e0d5f2745 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Barracuda"
+ product: "Web"
+ type: "WAF"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/barracuda/waf/config/liblogparser.js
+ - ${path.home}/module/barracuda/waf/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
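Review bot: `debug: {{.debug}}` in the script params is handed straight to liblogparser.js, whose match() writes the dissect pattern and the complete raw input line via console.debug whenever debug is set, so switching the module variable on copies every raw event into Filebeat's own log. Nothing in this file tells the operator that; a comment on that line such as `# debug writes each raw message and dissect pattern to the Filebeat log - leave disabled outside troubleshooting` would make the trade-off visible where the variable is wired in. `keep_raw: {{.keep_raw_fields}}` presumably retains the unmapped raw fields in the published event, and a one-line note on what it keeps would help for the same reason.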
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} 
%{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + +var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + +var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + +var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}- %{stransaddr->} %{stransport->} %{web_referer}"); + +var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + +var dup17 = setc("eventcategory","1204000000"); + +var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); + +var dup19 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); + +var dup20 = setf("msg_id","web_method"); + +var dup21 = setc("category","TR"); + +var dup22 = setc("vid","TR_Logs"); + +var dup23 = linear_select([ + dup13, + dup14, +]); + +var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, +])); + +var dup25 = linear_select([ + dup18, + dup19, +]); + +var dup26 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var dup27 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(":"), + 
field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone}Unit=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3}TR %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0009"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("TR "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3}AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("AUDIT "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3}WF %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0008"), + 
dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("WF "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime}BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("htimezone"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld10"), + constant(" "), + field("hfld11"), + constant(" "), + field("hhost"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, +]); + +var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version}is available", processor_chain([ + setc("eventcategory","1502030000"), + setc("event_description","UPDATE: ALERT New attack definition version is available"), +])); + +var msg1 = msg("UPDATE", part1); + +var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}[ALERT:%{id}] Server %{daddr}:%{dport}is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ + setc("eventcategory","1603000000"), + setc("event_description","STM: LB 
Server disabled by out of band monitor"), +])); + +var msg2 = msg("STM:01", part2); + +var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}Server %{saddr}is created.", processor_chain([ + dup3, + setc("event_description","STM: LB Server created."), +])); + +var msg3 = msg("STM:02", part3); + +var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2}Cookie Encryption Key has already expired", processor_chain([ + setc("eventcategory","1613030100"), + setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), +])); + +var msg4 = msg("STM:03", part4); + +var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2}Module CookieKey registered with Stateful Failover module.", processor_chain([ + dup4, + setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), +])); + +var msg5 = msg("STM:04", part5); + +var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2}FEHC Monitor Module initialized.", processor_chain([ + dup3, + setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), +])); + +var msg6 = msg("STM:05", part6); + +var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2}Stateful Failover Module initialized.", processor_chain([ + dup3, + setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), +])); + +var msg7 = msg("STM:06", part7); + +var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3}[%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE New Service created."), +])); + +var msg8 = msg("STM:07", part8); + +var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2}Ssl Initialization", processor_chain([ + dup4, + setc("event_description","STM: SSL Initialization."), 
+])); + +var msg9 = msg("STM:08", part9); + +var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}LookupServerCtx = %{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB-LookupServerCtx."), +])); + +var msg10 = msg("STM:09", part10); + +var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), +])); + +var msg11 = msg("STM:10", part11); + +var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name}SapCtx %{fld3}, SapId %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SapCtx log."), +])); + +var msg12 = msg("STM:11", part12); + +var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name}SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ + dup3, + setc("event_description","STM: CACHE SapCtx log."), +])); + +var msg13 = msg("STM:12", part13); + +var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2}Ftp proxy initialized %{info}", processor_chain([ + dup3, + setc("event_description","STM: FTPSVC Ftp proxy initialized."), +])); + +var msg14 = msg("STM:13", part14); + +var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2}Secure Traffic Manager Initialization complete: %{info}", processor_chain([ + dup3, + setc("event_description","STM: STM Secure Traffic Manager Initialization complete."), +])); + +var msg15 = msg("STM:14", part15); + +var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name}= %{info}", processor_chain([ + dup3, + setc("event_description","STM: COOKIE Cookie parameters set."), +])); + +var msg16 = msg("STM:15", part16); + +var part17 
= match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: WebLog Set Sap variable."), +])); + +var msg17 = msg("STM:16", part17); + +var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5}grp: %{info}", processor_chain([ + dup3, + setc("event_description","STM: aps Set AddIpsPatternGroup."), +])); + +var msg18 = msg("STM:17", part18); + +var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddPCInfoKeyWordMeta."), +])); + +var msg19 = msg("STM:18", part19); + +var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClass."), +])); + +var msg20 = msg("STM:19", part20); + +var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassPatternsAndDFA."), +])); + +var msg21 = msg("STM:20", part21); + +var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassClonePatternsInfo."), +])); + +var msg22 = msg("STM:21", part22); + +var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsLogIntrusionOn."), +])); + +var msg23 = msg("STM:22", part23); + 
+var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), +])); + +var msg24 = msg("STM:23", part24); + +var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicy."), +])); + +var msg25 = msg("STM:24", part25); + +var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicyDfa."), +])); + +var msg26 = msg("STM:25", part26); + +var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ + dup3, + dup5, +])); + +var msg27 = msg("STM:26", part27); + +var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}CreateRC: RC Add policy Success", processor_chain([ + dup3, + setc("event_description","STM: aps CreateRC: RC Add policy Success."), +])); + +var msg28 = msg("STM:27", part28); + +var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}SetSap%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Sap command."), +])); + +var msg29 = msg("STM:28", part29); + +var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}SetServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Server command."), +])); + +var msg30 = msg("STM:29", part30); + +var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}AddServer%{info}=%{fld3}", 
processor_chain([ + dup3, + setc("event_description","STM: LB Add Server command."), +])); + +var msg31 = msg("STM:30", part31); + +var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}CreateServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Create Server command."), +])); + +var msg32 = msg("STM:31", part32); + +var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}EnableServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Enable Server command."), +])); + +var msg33 = msg("STM:32", part33); + +var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), +])); + +var msg34 = msg("STM:33", part34); + +var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}BindServerToSap =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB BindServerToSap command."), +])); + +var msg35 = msg("STM:34", part35); + +var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}[ALERT:%{fld3}] Server %{saddr}:%{sport}is enabled by out of band monitor. 
Reason:out of band monitor", processor_chain([ + dup3, + setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), +])); + +var msg36 = msg("STM:35", part36); + +var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2}[%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE Server service started command."), +])); + +var msg37 = msg("STM:36", part37); + +var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2}CreateRP: Response Page %{fld3}created successfully", processor_chain([ + dup3, + setc("event_description","STM: RespPage Response Page created successfully."), +])); + +var msg38 = msg("STM:37", part38); + +var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4}SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: AddWATReqRewriteRule AclName."), +])); + +var msg39 = msg("STM:38", part39); + +var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4}SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), +])); + +var msg40 = msg("STM:39", part40); + +var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}SetWATReqRewritePolicyOn - %{fld6}Ret %{fld3}SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewritePolicyOn."), +])); + +var msg41 = msg("STM:40", part41); + +var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsOn."), +])); + +var msg42 = msg("STM:41", 
part42); + +var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ + dup3, + dup5, +])); + +var msg43 = msg("STM:42", part43); + +var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}SetWATRespRewritePolicyOn - %{fld6}Ret %{fld3}SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATRespRewritePolicyOn."), +])); + +var msg44 = msg("STM:43", part44); + +var select2 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, +]); + +var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: command execution status."), +])); + +var msg45 = msg("STM_WRAPPER:01", part45); + +var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2}which exceeds the %{fld3}safe limit. 
Please check your configuration.", processor_chain([ + dup6, + setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), +])); + +var msg46 = msg("STM_WRAPPER:02", part46); + +var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Committing UI configuration."), +])); + +var msg47 = msg("STM_WRAPPER:03", part47); + +var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully stopped STM."), +])); + +var msg48 = msg("STM_WRAPPER:04", part48); + +var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully initialized STM."), +])); + +var msg49 = msg("STM_WRAPPER:05", part49); + +var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Initializing STM."), +])); + +var msg50 = msg("STM_WRAPPER:06", part50); + +var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed."), +])); + +var msg51 = msg("STM_WRAPPER:07", part51); + +var select3 = linear_select([ + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, +]); + +var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1}RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT: RPC information."), +])); + +var msg52 = msg("CONFIG_AGENT:01", part52); + +var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}Received put-tree command ", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Received put-tree command."), +])); + +var msg53 = msg("CONFIG_AGENT:02", part53); + +var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3->} ", processor_chain([ + dup4, + setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), +])); + +var msg54 = msg("CONFIG_AGENT:03", part54); + +var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1}Initiating config_agent database commit phase.", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), +])); + +var msg55 = msg("CONFIG_AGENT:04", part55); + +var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}Update succeeded", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Update succeded."), +])); + +var msg56 = msg("CONFIG_AGENT:05", part56); + +var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}No rules, %{fld3->} ", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:No rules."), +])); + +var msg57 = msg("CONFIG_AGENT:06", 
part57); + +var select4 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, +]); + +var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ + dup3, + setc("event_description","PROCMON: Started monitoring"), +])); + +var msg58 = msg("PROCMON:01", part58); + +var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ + dup3, + setc("event_description","PROCMON: number of stm worker threads"), +])); + +var msg59 = msg("PROCMON:02", part59); + +var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ + dup3, + setc("event_description","PROCMON: Monitoring links."), +])); + +var msg60 = msg("PROCMON:03", part60); + +var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ + dup3, + setc("event_description","PROCMON:Link is up."), +])); + +var msg61 = msg("PROCMON:04", part61); + +var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","PROCMON:Firmware storage exceeding."), +])); + +var msg62 = msg("PROCMON:05", part62); + +var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ + dup6, + setc("event_description","PROCMON:One of the RAID arrays is degrading."), +])); + +var msg63 = msg("PROCMON:06", part63); + +var select5 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, +]); + +var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ + dup3, + setc("event_description","BYPASS: State set to normal: starting heartbeat."), +])); + +var 
msg64 = msg("BYPASS:01", part64); + +var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ + dup3, + setc("event_description","Mode change."), +])); + +var msg65 = msg("BYPASS:02", part65); + +var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ + dup3, + setc("event_description"," Mode set to BYPASS."), +])); + +var msg66 = msg("BYPASS:03", part66); + +var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ + dup3, + setc("event_description"," Mode set to never BYPASS."), +])); + +var msg67 = msg("BYPASS:04", part67); + +var select6 = linear_select([ + msg64, + msg65, + msg66, + msg67, +]); + +var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2}to %{fld3}", processor_chain([ + dup3, + setc("event_description"," INSTALL: migrating configuration."), +])); + +var msg68 = msg("INSTALL:01", part68); + +var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2}release.", processor_chain([ + dup3, + setc("event_description"," INSTALL: Loading snapshot from previous version."), +])); + +var msg69 = msg("INSTALL:02", part69); + +var select7 = linear_select([ + msg68, + msg69, +]); + +var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ + dup3, + setc("event_description","eventmgr: Forwarding log messages to syslog host"), +])); + +var msg70 = msg("eventmgr:01", part70); + +var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ + dup3, + setc("event_description","eventmgr: Event manager startup succeeded."), +])); + +var msg71 = msg("eventmgr:02", part71); + +var select8 = linear_select([ 
+ msg70, + msg71, +]); + +var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + setc("event_description"," Configuration changes made."), + dup8, +])); + +var msg72 = msg("CONFIG", part72); + +var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401060000"), + setc("event_description"," Login."), + dup8, +])); + +var msg73 = msg("LOGIN", part73); + +var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("event_description"," Session timeout."), + dup8, +])); + +var msg74 = msg("SESSION_TIMEOUT", part74); + +var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + setc("ec_theme","Authentication"), + setc("ec_outcome","Success"), + setc("event_description"," Logout."), + dup8, +])); + +var msg75 = msg("LOGOUT", part75); + +var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} 
%{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401030000"), + setc("event_description"," Unsuccessful login."), + dup8, +])); + +var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); + +var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Operating in Transport Mode"), + dup8, +])); + +var msg77 = msg("TRANSPARENT_MODE", part77); + +var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Support Tunnel Opened"), + dup8, +])); + +var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); + +var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Update"), + dup8, +])); + +var msg79 = msg("FIRMWARE_UPDATE", part79); + +var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + 
setc("event_description"," Firmware Revert."), + dup8, +])); + +var msg80 = msg("FIRMWARE_REVERT", part80); + +var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System Reboot."), + dup8, +])); + +var msg81 = msg("REBOOT", part81); + +var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System ROLLBACK."), + dup8, +])); + +var msg82 = msg("ROLLBACK", part82); + +var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}\"[%{result}]\" %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, +])); + +var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); + +var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, +])); + +var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); + +var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); + +var select9 = linear_select([ + msg83, + msg84, + msg85, +]); + +var 
msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); + +var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); + +var select10 = linear_select([ + msg86, + msg87, +]); + +var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); + +var msg89 = msg("SQL_INJECTION_IN_URL", dup26); + +var select11 = linear_select([ + msg88, + msg89, +]); + +var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); + +var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); + +var select12 = linear_select([ + msg90, + msg91, +]); + +var msg92 = msg("TILDE_IN_URL:01", dup27); + +var msg93 = msg("TILDE_IN_URL", dup26); + +var select13 = linear_select([ + msg92, + msg93, +]); + +var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); + +var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); + +var select14 = linear_select([ + msg94, + msg95, +]); + +var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); + +var select15 = linear_select([ + dup13, + part85, + dup14, +]); + +var all1 = all_match({ + processors: [ + dup12, + select15, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); + +var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); + +var select16 = linear_select([ + msg96, + msg97, +]); + +var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); + +var msg99 = msg("METHOD_NOT_ALLOWED", dup26); + +var select17 = linear_select([ + msg98, + msg99, +]); + +var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); + +var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); + +var select18 = linear_select([ + msg100, + msg101, +]); + +var msg102 = msg("DENY_ACL_MATCHED:01", dup27); + +var msg103 = msg("DENY_ACL_MATCHED", dup26); + +var select19 = linear_select([ + msg102, + msg103, +]); + +var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); + +var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); + +var msg106 = msg("UNRECOGNIZED_COOKIE", dup24); + +var msg107 = 
msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); + +var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); + +var msg109 = msg("INVALID_URL_ENCODING", dup24); + +var msg110 = msg("INVALID_URL_CHARSET", dup24); + +var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); + +var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); + +var select20 = linear_select([ + msg111, + msg112, +]); + +var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); + +var msg114 = msg("SLASH_DOT_IN_URL", dup26); + +var select21 = linear_select([ + msg113, + msg114, +]); + +var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ + dup3, + date_time({ + dest: "event_time", + args: ["hfld9","hfld10"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg115 = msg("SYS", part86); + +var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log}Severity=%{severity}Protocol=%{protocol}SourceIP=%{saddr}SourcePort=%{sport}DestIP=%{daddr}DestPort=%{dport}Action=%{action}AdminName=%{administrator}Details=%{info}", processor_chain([ + dup17, + date_time({ + dest: "event_time", + args: ["hfld1","hfld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg116 = msg("BARRACUDAWAF", part87); + +var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + dup8, + setc("category","AUDIT"), + setc("vid","Audit_Logs"), +])); + +var msg117 = msg("Audit_Logs", part88); + +var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} 
%{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + setc("category","WF"), + setc("vid","WF"), +])); + +var msg118 = msg("WF", part89); + +var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes}\"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all2 = all_match({ + processors: [ + part90, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg119 = msg("TR_Logs:01", all2); + +var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query}\"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all3 = all_match({ + processors: [ + part91, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg120 = msg("TR_Logs:02", all3); + +var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes}\"-\" %{web_cookie}\"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all4 = all_match({ + processors: [ + part92, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg121 = msg("TR_Logs:03", all4); + +var part93 = 
match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie}\"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all5 = all_match({ + processors: [ + part93, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg122 = msg("TR_Logs", all5); + +var select22 = linear_select([ + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "BARRACUDAWAF": msg116, + "BARRACUDA_GENRIC": select22, + "BYPASS": select6, + "CONFIG": msg72, + "CONFIG_AGENT": select4, + "CROSS_SITE_SCRIPTING_IN_PARAM": select10, + "CROSS_SITE_SCRIPTING_IN_URL": select20, + "DENY_ACL_MATCHED": select19, + "ERROR_RESPONSE_SUPPRESSED": select18, + "FIRMWARE_REVERT": msg80, + "FIRMWARE_UPDATE": msg79, + "HEADER_COUNT_EXCEEDED": select9, + "HEADER_VALUE_LENGTH_EXCEEDED": msg107, + "INSTALL": select7, + "INVALID_URL_CHARSET": msg110, + "INVALID_URL_ENCODING": msg109, + "LOGIN": msg73, + "LOGOUT": msg75, + "METHOD_NOT_ALLOWED": select17, + "NO_DOMAIN_MATCH_IN_PROFILE": msg104, + "NO_URL_PROFILE_MATCH": msg105, + "OS_CMD_INJECTION_IN_PARAM": select16, + "OS_CMD_INJECTION_IN_URL": select12, + "PROCMON": select5, + "REBOOT": msg81, + "ROLLBACK": msg82, + "SESSION_TIMEOUT": msg74, + "SLASH_DOT_IN_URL": select21, + "SQL_INJECTION_IN_PARAM": select14, + "SQL_INJECTION_IN_URL": select11, + "STM": select2, + "STM_WRAPPER": select3, + "SUPPORT_TUNNEL_OPEN": msg78, + "SYS": msg115, + "TILDE_IN_URL": select13, + "TRANSPARENT_MODE": msg77, + "UNKNOWN_CONTENT_TYPE": msg108, + "UNRECOGNIZED_COOKIE": msg106, + "UNSUCCESSFUL_LOGIN": msg76, + "UPDATE": msg1, + "eventmgr": select8, + }), +]); + +var part94 = 
match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + +var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + +var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + +var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}- %{stransaddr->} %{stransport->} %{web_referer}"); + +var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + +var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); + +var part100 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); + +var select23 = linear_select([ + dup13, + dup14, +]); + +var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, +])); + +var select24 = linear_select([ + dup18, + dup19, +]); + +var all6 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var all7 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); diff --git a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml new file mode 100644 index 00000000000..dffea972086 --- /dev/null 
+++ b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Barracuda Web Application Firewall
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/barracuda/waf/manifest.yml b/x-pack/filebeat/module/barracuda/waf/manifest.yml
new file mode 100644
index 00000000000..a49e3f69f81
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/manifest.yml
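Review bot: The pipeline reads `user_agent.original`, `source.ip` and `destination.ip` but nothing in this file says where those fields come from, so a reader of pipeline.yml alone cannot tell whether a missing `source.geo` means the lookup failed or the field was never extracted. The extraction appears to happen upstream in the module's config.js (the `match`/`processor_chain` definitions with `%{saddr}`, `%{daddr}`, `%{user_agent}` in this patch) before the event reaches Elasticsearch; I would state that under `description:`, e.g. `# Field extraction is done by the rsa2elk processor in config.js before ingest; this pipeline only enriches (user_agent, geoip, AS) and never fails the event.`. It is also worth noting next to `on_failure` that a failed enrichment leaves only `error.message` set, so dashboards that filter on `error.message: *` are the only way to find such events. The wording about config.js is inferred from the parser code visible in this patch and should be confirmed against the module's input config.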
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["barracuda.waf", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9503
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log
new file mode 100644
index 00000000000..9a7dd018f64
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log
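Review bot: None of the fileset variables declared here are documented where a user would look for them: `tz_offset`, `rsa_fields`, `keep_raw_fields` and `debug` change what ends up in the indexed event, and the `tags` default includes `forwarded`, which suppresses `host.name` on the events. The module's docs should carry one sentence per variable, including that the default `syslog_host: localhost` listens on the loopback interface only until overridden. I could not see a barracuda docs.asciidoc in this chunk, so this may already be covered elsewhere in the series.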
@@ -0,0 +1,100 @@ +PROCMON: Started monitoring +BYPASS: Mode set to BYPASS (nbyCic). +UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +STM_WRAPPER: Successfully initialized STM. +STM_WRAPPER: Initializing STM. +eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151 +PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading. +BYPASS: Mode change: ccusant,epteurs +UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available +STM: LB-doloreeu elillumq CreateServer =loremeum +STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu +UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available +PROCMON: Monitoring links: lo4933 +PROCMON: [ALERT:doconse] One of the RAID arrays is degrading. +CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet +STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv +STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration. +BYPASS: Mode change: urEx,labo +eventmgr: Event manager startup succeeded. +STM: LB-Maloru lapariat SetServerdmin=oinBCSed +STM_WRAPPER: Successfully stopped STM. +PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua +STM: LB-isistena Malorum SetSapquelauda=enderit +eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246 +UPDATE: [ALERT:exer] New attack definition version 1.481 is available +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +CONFIG_AGENT: isnisiu aspernat Update succeeded +INSTALL: Loading the snapshot for mquel release. 
+INSTALL: Migrating configuration from ueporr to ptate +PROCMON: [ALERT:onsequ] enp0s7094: link is up +CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali +eventmgr: Event manager startup succeeded. +PROCMON: Started monitoring +STM: LB-mveniam rvelill EnableServer =iame +PROCMON: number of stm worker threads iseuf +STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios +STM_WRAPPER: Successfully stopped STM. +eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30 +PROCMON: [ALERT:uiadolo] eth321: link is up +CONFIG_AGENT: rsi ciduntut Update succeeded +CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal +INSTALL: Loading the snapshot for ris release. +CONFIG_AGENT: aliqui rcitat Update succeeded +CONFIG_AGENT: aeconse Initiating config_agent database commit phase. +PROCMON: Started monitoring +CONFIG_AGENT: iaecon ipexea Update succeeded +INSTALL: Migrating configuration from nulapa to cillu +PROCMON: [ALERT:ectetura] Firmware storage exceeds didun +CONFIG_AGENT: rcit nul Received put-tree command +UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available +UPDATE: [ALERT:amei] New attack definition version 1.7778 is available +UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available +INSTALL: Migrating configuration from iceroin to qui +INSTALL: Migrating configuration from pariatu to issusc +STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. +STM_WRAPPER: Committing UI configuration. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60 +STM_WRAPPER: Successfully initialized STM. +STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully +STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration. 
+PROCMON: [ALERT:eumfu] eth5074: link is up +CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. +INSTALL: Loading the snapshot for pli release. +CONFIG_AGENT: erit Initiating config_agent database commit phase. +INSTALL: Loading the snapshot for mod release. +INSTALL: Loading the snapshot for lamcolab release. +INSTALL: Migrating configuration from estlab to tis +PROCMON: [ALERT:uamqua] Firmware storage exceeds labo +INSTALL: Migrating configuration from tfugit to taspern +eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158 +STM_WRAPPER: Successfully initialized STM. +PROCMON: number of stm worker threads isonula +STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor +PROCMON: [ALERT:atev] One of the RAID arrays is degrading. +CONFIG_AGENT: amaliq ept Received put-tree command +BYPASS: Mode set to BYPASS (ectetura). +STM: COOKIE-icab quiado scipit = quiavolu +BYPASS: Mode set to never bypass. +STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success +STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors +INSTALL: Loading the snapshot for admi release. +STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi +STM_WRAPPER: Successfully stopped STM. +PROCMON: Started monitoring +UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available +INSTALL: Loading the snapshot for stru release. +PROCMON: Monitoring links: enp0s6182 +STM_WRAPPER: command(--digest) execution status = quaeratv +STM_WRAPPER: Successfully initialized STM. +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Initializing STM. +STM_WRAPPER: Successfully initialized STM. +PROCMON: Started monitoring +CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa +STM_WRAPPER: Initializing STM. 
+STM: aps-quam etquasi CreateRC: RC Add policy Success +STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json new file mode 100644 index 00000000000..e2bb7b8cf53 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json 
@@ -0,0 +1,1994 @@ +[ + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 0, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (nbyCic).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 28, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 65, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.1000", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.1000", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 138, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 227, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 270, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151", + "fileset.name": "waf", + "host.ip": "10.16.222.151", + "input.type": "log", + "log.offset": 301, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.16.222.151" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + 
"rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 380, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode change: ccusant,epteurs", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 442, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 479, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.3971", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3971", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", + "fileset.name": "waf", + "input.type": "log", + 
"log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 552, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 607, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 668, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.4012", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.4012", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Monitoring links: lo4933", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 741, + "network.interface.name": "lo4933", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "lo4933", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": 
"PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 775, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet ", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 837, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 968, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. 
Please check your configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1033, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode change: urEx,labo", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1163, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1194, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1237, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + 
"event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1290, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1329, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "ipsaqua", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1383, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246", + "fileset.name": "waf", + "host.ip": "10.4.65.246", + "input.type": "log", + "log.offset": 1437, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.4.65.246" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog 
host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1514, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.481", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.481", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1584, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1627, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: isnisiu aspernat Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1716, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for mquel release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1764, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from ueporr to ptate", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1813, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1867, + 
"network.interface.name": "enp0s7094", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s7094", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali ", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1913, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2047, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2090, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + 
"event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-mveniam rvelill EnableServer =iame", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2118, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: number of stm worker threads iseuf", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2167, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "euf", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2211, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2285, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + 
"barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30", + "fileset.name": "waf", + "host.ip": "10.58.33.30", + "input.type": "log", + "log.offset": 2324, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.58.33.30" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:uiadolo] eth321: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2401, + "network.interface.name": "eth321", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth321", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: rsi ciduntut Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2445, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal", + "fileset.name": "waf", + "input.type": "log", + 
"log.offset": 2489, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for ris release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2542, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: aliqui rcitat Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2589, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2634, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + 
"event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2703, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: iaecon ipexea Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2731, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from nulapa to cillu", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2776, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2830, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "didun", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + 
"barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: rcit nul Received put-tree command ", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2887, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2937, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.1278", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.1278", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3011, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.7778", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7778", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is 
available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3082, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.3018", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3018", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from iceroin to qui", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3156, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from pariatu to issusc", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3209, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3265, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" 
+ ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Committing UI configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3332, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3374, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60", + "fileset.name": "waf", + "host.ip": "10.126.62.60", + "input.type": "log", + "log.offset": 3463, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.126.62.60" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + 
"input.type": "log", + "log.offset": 3544, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3587, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: RespPage Response Page created successfully.", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. 
Please check your configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3688, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eumfu] eth5074: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3813, + "network.interface.name": "eth5074", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth5074", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3856, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for pli release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3925, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + 
"rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3972, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for mod release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4038, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for lamcolab release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4085, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from estlab to tis", + "fileset.name": "waf", + "input.type": "log", + 
"log.offset": 4137, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4189, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "labo", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from tfugit to taspern", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4243, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158", + "fileset.name": "waf", + "host.ip": "10.48.248.158", + "input.type": "log", + "log.offset": 4299, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.48.248.158" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + 
"forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4379, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: number of stm worker threads isonula", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4422, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "onula", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4468, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4523, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is 
degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: amaliq ept Received put-tree command ", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4582, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (ectetura).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4634, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4673, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to never bypass.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4717, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to never 
BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4751, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4829, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for admi release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4931, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi", + "fileset.name": "waf", + "input.type": "log", + 
"log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4979, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5084, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5123, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5151, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.7781", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7781", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + 
"event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for stru release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5222, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Monitoring links: enp0s6182", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5270, + "network.interface.name": "enp0s6182", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s6182", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: command(--digest) execution status = quaeratv", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5307, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "quaeratv", + "rsa.internal.event_desc": "STM_WRAPPER: command execution status.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5366, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: 
Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5409, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5452, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5483, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5526, + "observer.product": "Web", + "observer.type": "WAF", + 
"observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa ", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5554, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5686, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-quam etquasi CreateRC: RC Add policy Success", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5717, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi", + 
"fileset.name": "waf",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 5776,
+ "observer.product": "Web",
+ "observer.type": "WAF",
+ "observer.vendor": "Barracuda",
+ "rsa.internal.messageid": "STM",
+ "service.type": "barracuda",
+ "tags": [
+ "barracuda.waf",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md
new file mode 100644
index 00000000000..b47b2262762
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/README.md
@@ -0,0 +1,7 @@
+# bluecoat module
+
+This is a module for Blue Coat Director logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0
+at 2020-07-07 18:10:42.748595 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml
new file mode 100644
index 00000000000..b4c71666b1c
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: bluecoat
+ director:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9505
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
new file mode 100644
index 00000000000..e2c798214dd
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
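Review bot: The config template lists `var.rsa_fields` but omits `var.keep_raw_fields`, which the fileset docs added in this same patch describe as a supported option defaulting to false, so users who only read the template will not discover it. Adding `# Toggle output of the raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false` below the rsa_fields comment would keep the template in step with the docs. If the other RSA-converted module templates in this series come from the same generator, they likely have the same gap.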
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: bluecoat
+:has-dashboards: false
+
+== Bluecoat module
+
+experimental[]
+
+This is a module for receiving Blue Coat Director logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: director
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `director` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9505`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/bluecoat/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
new file mode 100644
index 00000000000..2efac151801
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: bluecoat
+ title: Blue Coat Director
+ description: >
+ bluecoat fields.
+ fields:
diff --git a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml
new file mode 100644
index 00000000000..7fc587fb028
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Bluecoat"
+ product: "Director"
+ type: "Configuration"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/bluecoat/director/config/liblogparser.js
+ - ${path.home}/module/bluecoat/director/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]},
+ "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "user.name", setter: fld_append}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{p0}"); + +var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + +var dup4 
= match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + +var dup5 = setc("eventcategory","1605000000"); + +var dup6 = setf("msg","$MSG"); + +var dup7 = setc("event_description","bad variable"); + +var dup8 = setc("event_description","This file is automatically generated"); + +var dup9 = setc("eventcategory","1603000000"); + +var dup10 = setc("event_description","authentication failure"); + +var dup11 = linear_select([ + dup3, + dup4, +]); + +var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", ": Processing command: %{action}"); + +var all1 = all_match({ + processors: [ + dup2, + dup11, + part1, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg1 = msg("cli", all1); + +var part2 = match("MESSAGE#1:cli:01/2", 
"nwparser.p0", ": Processing command %{action}"); + +var all2 = all_match({ + processors: [ + dup2, + dup11, + part2, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg2 = msg("cli:01", all2); + +var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); + +var all3 = all_match({ + processors: [ + dup2, + dup11, + part3, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving config mode"), + ]), +}); + +var msg3 = msg("cli:02", all3); + +var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); + +var all4 = all_match({ + processors: [ + dup2, + dup11, + part4, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering config mode"), + ]), +}); + +var msg4 = msg("cli:03", all4); + +var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); + +var all5 = all_match({ + processors: [ + dup2, + dup11, + part5, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI exiting"), + ]), +}); + +var msg5 = msg("cli:04", all5); + +var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); + +var all6 = all_match({ + processors: [ + dup2, + dup11, + part6, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI launched"), + ]), +}); + +var msg6 = msg("cli:05", all6); + +var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); + +var all7 = all_match({ + processors: [ + dup2, + dup11, + part7, + ], + on_success: processor_chain([ + dup5, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup6, + setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), +}); + +var msg7 = msg("Automatically", all7); + +var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); + +var all8 = all_match({ + processors: [ + dup2, + 
dup11, + part8, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering enable mode"), + ]), +}); + +var msg8 = msg("cli:06", all8); + +var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); + +var all9 = all_match({ + processors: [ + dup2, + dup11, + part9, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving enable mode"), + ]), +}); + +var msg9 = msg("cli:07", all9); + +var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); + +var all10 = all_match({ + processors: [ + dup2, + dup11, + part10, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Processing a secure command"), + ]), +}); + +var msg10 = msg("Processing", all10); + +var msg11 = msg("cli:pam", dup12); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, +]); + +var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup5, + dup6, +])); + +var msg12 = msg("schedulerd", part11); + +var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup5, + dup6, + setc("event_description","System time changed, recomputing job run times"), +])); + +var msg13 = msg("schedulerd:01", part12); + +var select3 = linear_select([ + msg12, + msg13, +]); + +var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device \"%{hostname}\".", processor_chain([ + dup5, + dup6, +])); + +var msg14 = msg("configd:Rotating", part13); + +var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Deleting backup %(unknown)from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, +])); + +var msg15 = msg("configd:Deleting", part14); + +var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup5, + dup6, +])); + +var msg16 = msg("configd", part15); + +var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg17 = msg("configd:01", part16); + +var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg18 = msg("configd:11", part17); + +var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action};; CPL generated by Visual Policy Manager: %{fld10};%{fld11}; %{fld12}; %{info}", processor_chain([ + dup5, + dup6, + dup8, +])); + +var msg19 = msg("file", part18); + +var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg20 = msg("configd:02", part19); + +var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg21 = msg("configd:22", part20); + +var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ 
+ dup5, + dup6, +])); + +var msg22 = msg("configd:03", part21); + +var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg23 = msg("configd:33", part22); + +var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup5, + dup6, + setc("event_description","Backup import command finished for all devices"), +])); + +var msg24 = msg("Backup", part23); + +var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Beginning to make backup of cache"), +])); + +var msg25 = msg("Beginning", part24); + +var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup5, + dup6, + setc("event_description","Inputting overlay"), +])); + +var msg26 = msg("Inputting", part25); + +var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info}to %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg27 = msg("Saved", part26); + +var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg28 = msg("Importing", part27); + +var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, +])); + +var msg29 = msg("Overlay", part28); + +var part29 = match("MESSAGE#29:Executed", "nwparser.payload", 
"%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg30 = msg("Executed", part29); + +var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup5, + dup6, + setc("event_description","Configuration system online"), +])); + +var msg31 = msg("Configuration", part30); + +var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","Table creation"), +])); + +var msg32 = msg("Create", part31); + +var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup5, + dup6, + setc("event_description","Loaded config file initial"), +])); + +var msg33 = msg("Loaded", part32); + +var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Setting set-reply timeout"), +])); + +var msg34 = msg("Setting", part33); + +var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg35 = msg("CCD", part34); + +var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup5, + dup6, +])); + +var msg36 = msg("Device", part35); + +var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9}Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup5, + dup6, 
+])); + +var msg37 = msg("Output", part36); + +var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg38 = msg("ssh", part37); + +var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to group"), +])); + +var msg39 = msg("Applying", part38); + +var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to cache"), +])); + +var msg40 = msg("Applying:01", part39); + +var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","Backup complete for device"), +])); + +var msg41 = msg("configd:backup", part40); + +var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action};; CPL generated by Visual Policy Manager: %{fld10};%{fld11}; %{fld12}; %{info}", processor_chain([ + dup5, + dup6, + dup8, +])); + +var msg42 = msg("file:01", part41); + +var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup5, + dup6, + setc("event_description","Connection reset by peer"), +])); + +var msg43 = msg("configd:connection", part42); + +var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info}failed", processor_chain([ + dup5, + dup6, + setc("event_description","cd session read failed"), +])); + +var msg44 = msg("configd:failed", part43); + +var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, +]); + +var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup5, + dup6, + setc("event_description","Querying content system for job results"), +])); + +var msg45 = msg("poller", part44); + +var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg46 = msg("heartbeat", part45); + +var part46 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg47 = msg("heartbeat:01", part46); + +var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client exiting"), +])); + +var msg48 = msg("heartbeat:02", part47); + +var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client launched"), +])); + +var msg49 = msg("heartbeat:03", part48); + +var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","undefined symbol"), +])); + +var msg50 = msg("heartbeat:crit1", part49); + +var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","No such file or directory"), +])); + +var msg51 = msg("heartbeat:crit2", part50); + +var select5 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, +]); + +var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6}command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ + dup5, + dup6, +])); + +var msg52 = msg("runner", part51); + +var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg53 = msg("runner:01", part52); + +var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6}finished running.", processor_chain([ + dup5, + dup6, +])); + +var msg54 = msg("runner:02", part53); + +var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg55 = msg("runner:crit1", part54); + +var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup5, + dup6, + setc("event_description","File reading failed"), +])); + +var msg56 = msg("runner:crit2", part55); + +var select6 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, +]); + +var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6}on port: %{fld7}", processor_chain([ + dup5, + dup6, +])); + +var msg57 = msg("ccd", part56); + +var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup5, + dup6, +])); + +var msg58 = msg("ccd:01", part57); + +var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup5, + dup6, +])); + +var msg59 = msg("ccd:03", part58); + 
+var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup5, + dup6, +])); + +var msg60 = msg("ccd:04", part59); + +var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","info on device connection"), +])); + +var msg61 = msg("ccd:02", part60); + +var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1}pipe : %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","write to ssh pipe"), +])); + +var msg62 = msg("ccd:05", part61); + +var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","ccd handle read failure"), +])); + +var msg63 = msg("ccd:06", part62); + +var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup5, + dup6, + setc("event_description","device communication daemon online"), +])); + +var msg64 = msg("ccd:07", part63); + +var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","system memory size"), +])); + +var msg65 = msg("ccd:08", part64); + +var select7 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, +]); + +var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10}on %{fld5}failed: %{result}", processor_chain([ + dup9, + dup6, +])); + +var msg66 = 
msg("sshd", part65); + +var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","bad username"), +])); + +var msg67 = msg("sshd:01", part66); + +var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, +])); + +var msg68 = msg("sshd:02", part67); + +var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup5, + dup6, + setc("event_description","check pass, user unknown"), +])); + +var msg69 = msg("sshd:03", part68); + +var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1}more authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, +])); + +var msg70 = msg("sshd:04", part69); + +var msg71 = msg("sshd:pam", dup12); + +var select8 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, +]); + +var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname}and serial number = %{fld6}into DB", processor_chain([ + dup5, + dup6, +])); + +var msg72 = msg("dmd", part70); + +var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup5, + dup6, +])); + +var msg73 = msg("dmd:01", part71); + +var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup5, + dup6, +])); + +var msg74 = msg("dmd:11", part72); + +var part73 = match("MESSAGE#74:dmd:02", 
"nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg75 = msg("dmd:02", part73); + +var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup9, + dup6, +])); + +var msg76 = msg("dmd:03", part74); + +var select9 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, +]); + +var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ALERT exited abnormally"), +])); + +var msg77 = msg("logrotate", part75); + +var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","kernel time sync enabled"), +])); + +var msg78 = msg("ntpd", part76); + +var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","time reset"), +])); + +var msg79 = msg("ntpd:01", part77); + +var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup5, + dup6, +])); + +var msg80 = msg("ntpd:02", part78); + +var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd exiting on signal"), +])); + +var msg81 = msg("ntpd:03", part79); + +var select10 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup5, + dup6, + 
setc("event_description","ntpd will start in few secs"), +])); + +var msg82 = msg("pm", part80); + +var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd started"), +])); + +var msg83 = msg("pm:01", part81); + +var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","print message"), +])); + +var msg84 = msg("pm:02", part82); + +var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info}started", processor_chain([ + dup5, + dup6, + setc("event_description","service started"), +])); + +var msg85 = msg("pm:03", part83); + +var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info}will start in %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","service will start"), +])); + +var msg86 = msg("pm:04", part84); + +var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","check license validity"), +])); + +var msg87 = msg("pm:05", part85); + +var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup5, + dup6, + setc("event_description","connected to config daemon"), +])); + +var msg88 = msg("pm:06", part86); + +var select11 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, +]); + +var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info}to %{fld1}", processor_chain([ + 
dup5, + dup6, + setc("event_description","updated timestamp"), +])); + +var msg89 = msg("anacron", part87); + +var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version}started on %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","anacron started"), +])); + +var msg90 = msg("anacron:01", part88); + +var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","normal exit"), +])); + +var msg91 = msg("anacron:02", part89); + +var select12 = linear_select([ + msg89, + msg90, + msg91, +]); + +var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup5, + dup6, + setc("event_description","invalid packet size"), +])); + +var msg92 = msg("epmd", part90); + +var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup5, + dup6, +])); + +var msg93 = msg("epmd:01", part91); + +var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup5, + dup6, +])); + +var msg94 = msg("epmd:02", part92); + +var select13 = linear_select([ + msg92, + msg93, + msg94, +]); + +var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg95 = msg("xinetd", part93); + +var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1}available services", processor_chain([ + dup5, + dup6, +])); + +var msg96 = msg("xinetd:01", part94); + +var select14 = linear_select([ + msg95, + msg96, +]); + +var part95 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup5, + dup6, + setc("event_description","Audit 
daemon rotating log files"), +])); + +var msg97 = msg("auditd", part95); + +var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Reset file"), +])); + +var msg98 = msg("restorecond", part96); + +var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","handle authd unknown message"), +])); + +var msg99 = msg("authd", part97); + +var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","authd signal handler"), +])); + +var msg100 = msg("authd:01", part98); + +var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","authd close"), +])); + +var msg101 = msg("authd:02", part99); + +var select15 = linear_select([ + msg99, + msg100, + msg101, +]); + +var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + +var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + +var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + +var select16 = linear_select([ + part101, + part102, +]); + +var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + +var all11 = all_match({ + processors: [ + part100, + select16, + part103, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg102 = msg("rsyslogd", all11); + +var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","shutting down"), +])); + 
+var msg103 = msg("shutdown", part104); + +var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","cmd starting"), +])); + +var msg104 = msg("cmd", part105); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select12, + "auditd": msg97, + "authd": select15, + "ccd": select7, + "cli": select2, + "cmd": msg104, + "configd": select4, + "dmd": select9, + "epmd": select13, + "heartbeat": select5, + "logrotate": msg77, + "ntpd": select10, + "pm": select11, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select6, + "schedulerd": select3, + "shutdown": msg103, + "sshd": select8, + "xinetd": select14, + }), +]); + +var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); + +var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + +var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + +var select17 = linear_select([ + dup3, + dup4, +]); + +var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, +])); diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml new file mode 100644 index 00000000000..e26891a1ad0 --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Blue Coat Director
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/bluecoat/director/manifest.yml b/x-pack/filebeat/module/bluecoat/director/manifest.yml
new file mode 100644
index 00000000000..10ad36cde94
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/manifest.yml
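Review bot: The `on_failure` handler at the end of the hunk only appends the failure text to `error.message`, so an event whose enrichment failed is indexed looking like any other Director event and is hard to find or alert on. Adding `- set:` / `field: event.kind` / `value: pipeline_error` next to the `append` gives detection queries a stable discriminator for broken parses without dropping the event. Separately, nothing in the visible parser output appears to populate `user_agent.original`, so the `user_agent` processor looks like a no-op for this fileset; it is harmless with `ignore_missing: true`, but a one-line comment saying whether it is intentionally kept for the shared module template would save the next reader the same question.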
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["bluecoat.director", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9505
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log b/x-pack/filebeat/module/bluecoat/director/test/generated.log
new file mode 100644
index 00000000000..7035845d2c6
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log
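Review bot: The defaults `syslog_host: localhost`, `syslog_port: 9505` and `input: udp` stand up an unauthenticated UDP listener, and nothing in the hunk says so. Plain UDP syslog carries no sender authentication and its source address is trivially spoofable, so an operator who widens `syslog_host` to a routable address is accepting `forwarded`-tagged events from anyone who can reach the port. I would add a comment above `syslog_host`: `# Syslog over UDP has no sender authentication; keep the listener on localhost or restrict reachability at the network layer.` The accepted values for `input` are defined in config/input.yml, which is outside this hunk, so I have not checked whether a TCP or TLS variant is offered.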
@@ -0,0 +1,100 @@ +ntpd[1001]: kernel time sync enabled utl +restorecond: : Reset file context quasiarc: liqua +auditd[5699]: Audit daemon rotating log files +anacron[5066]: Normal exit ehend +restorecond: : Reset file context vol: luptat +heartbeat: : < Processing command: accept +restorecond: : Reset file context nci: ofdeFin +auditd[6668]: Audit daemon rotating log files +anacron[1613]: Normal exit mvolu +ntpd[2959]: ntpd gelit-r tatno +anacron[654]: Updated timestamp for job rmagni to sit +dmd: : < Health state for metric"seq3874.mail.domain" "quid" changed to "fug", reason: "success" +auditd[2067]: Audit daemon rotating log files +pm[5969]: < check_license_validity(), tae +logrotate: : ALERT exited abnormally with temUten +sshd: : < error: Bind to port Duisau on psum failed: failure +configd: : < itaut@rveli: command: accept +authd: : < authd_signal_handler(), quam +xinetd[6547]: Started working: onproide available services +logrotate: : ALERT exited abnormally with tfug +heartbeat: : < Processing command: deny +sshd: : < error: Bind to port erc on amqu failed: unknown +ntpd[4515]: ntpd emp-r aperia +restorecond: : Reset file context run: vol +logrotate: : ALERT exited abnormally with mporain +heartbeat: : < connect: atu +cmd: : < cmd starting adeseru +pm[7061]: < ntpd will start in tlabo +poller[795]: < Querying content system for job results. 
+runner[6134]: < Processing command: allow +epmd: : epmd: epmd running orpor +runner[602]: < Failed to exec olup +shutdown[2807]: shutting down non +configd: : < sperna@sintocc: command: cancel +auditd[2986]: Audit daemon rotating log files +configd: : < CREATE onsequ +auditd[1243]: Audit daemon rotating log files +xinetd[6599]: Started working: naal available services +xinetd[5850]: Started working: rQu available services +heartbeat: : < queips: undefined symbol: ncidi +authd: : < authd_close(): npr +anacron[6373]: Anacron 1.3962 started on epre +cmd: : < cmd starting isiuta +sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm +ccd: : < Device elitse6672.internal.localdomain: mquisno +runner[1859]: < Failed to exec umSe +shutdown[6110]: shutting down itau +sshd[2415]: PAM lorsita more authentication failure; dolore +heartbeat: : < connect: inimveni +authd: : < authd_close(): psumqu +runner[2558]: < Failed to exec edquiac +anacron[4538]: Updated timestamp for job remips to uisaute +auditd[6837]: Audit daemon rotating log files +pm[1493]: < print_msg(), dic +configd: : < Device "itation4168.api.domain" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci +epmd: : epmd: invalid packet size (mquae) +runner[429]: < File reading failed +shutdown[7595]: shutting down emqu +heartbeat: : < The HB command is accept +authd: : < authd_signal_handler(), isetquas +authd: : < authd_signal_handler(), gnaal +logrotate: : ALERT exited abnormally with voluptas +ntpd[627]: ntpd exiting on signal orin +restorecond: : Reset file context ecillu: mmodoc +sshd: : bad username mquisn +ntpd[1313]: ntpd derit-r orese +ccd: : < Device Communication Daemon online +restorecond: : Reset file context olup: aco +shutdown[609]: shutting down ser +ntpd[2991]: ntpd orinrep-r quiavol +dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB +ccd: : < ccd_handle_read_failure(), uid +cmd: : < cmd starting lmolesti +dmd: : < 
inserted device id = ersp6625.internal.domain and serial number = seq into DB +cmd: : < cmd starting uipexe +heartbeat: : < The HB command is cancel +anacron[7360]: Normal exit tperspic +dmd: : < Filter on (tetura) things. riosamni +ccd: : < Device eleumiu2454.api.local: tat +schedulerd: : < System time changed, recomputing job run times. +xinetd[3450]: Started working: aconsequ available services +authd: : < handle_authd unknown message =utemvel +ntpd[16]: time reset stquido +ccd: : < Device olu5333.www.domain: orumSe +anacron[80]: Normal exit ici +ntpd[7612]: kernel time sync enabled nturmag +cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor +schedulerd: : < Executing Job "tquo" execution iatnu +logrotate: : ALERT exited abnormally with ntut +poller[7151]: < Querying content system for job results. +ntpd[2314]: ntpd litanim-r rQuisaut +heartbeat: : < Processing command: block +epmd: : epmd: got emp +schedulerd: : < System time changed, recomputing job run times. +dmd: : < Health state for group "lab" changed from "llumq" to "tenim" +pm[5899]: < print_msg(), orem +epmd: : epmd: epmd running inBC +pm[2746]: < print_msg(), ptate +schedulerd: : < Executing Job "CSe" execution exerci +auditd[6012]: Audit daemon rotating log files diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json new file mode 100644 index 00000000000..2e02578175e --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json 
@@ -0,0 +1,2231 @@ +[ + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[1001]: kernel time sync enabled utl", + "fileset.name": "director", + "input.type": "log", + "log.offset": 0, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1001, + "rsa.internal.event_desc": "kernel time sync enabled", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context quasiarc: liqua", + "file.name": "quasiarc", + "fileset.name": "director", + "input.type": "log", + "log.offset": 41, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[5699]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 91, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5699, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[5066]: Normal exit ehend", + "fileset.name": "director", + "input.type": "log", + "log.offset": 
137, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5066, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context vol: luptat", + "file.name": "vol", + "fileset.name": "director", + "input.type": "log", + "log.offset": 170, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 216, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context nci: ofdeFin", + "file.name": "nci", + "fileset.name": "director", + "input.type": "log", + "log.offset": 272, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": 
"restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6668]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 319, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6668, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[1613]: Normal exit mvolu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 365, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1613, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2959]: ntpd gelit-r tatno", + "fileset.name": "director", + "input.type": "log", + "log.offset": 398, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2959, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[654]: Updated timestamp for job rmagni to sit", + "fileset.name": 
"director", + "input.type": "log", + "log.offset": 429, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 654, + "rsa.db.index": "rmagni", + "rsa.internal.event_desc": "updated timestamp", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Health state for metric\"seq3874.mail.domain\" \"quid\" changed to \"fug\", reason: \"success\"", + "fileset.name": "director", + "host.name": "seq3874.mail.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 483, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.change_new": "fug", + "rsa.misc.change_old": "quid", + "rsa.misc.client": "dmd:", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "seq3874.mail.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[2067]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 598, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2067, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[5969]: < check_license_validity(), tae", + "fileset.name": 
"director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 644, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5969, + "rsa.internal.event_desc": "check license validity", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with temUten", + "fileset.name": "director", + "input.type": "log", + "log.offset": 705, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : < error: Bind to port Duisau on psum failed: failure", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 755, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "rsa.misc.result": "failure", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < itaut@rveli: command: accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 828, + "observer.product": "Director", + "observer.type": "Configuration", + 
"observer.vendor": "Bluecoat", + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": [ + "itaut" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), quam", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 882, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[6547]: Started working: onproide available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 934, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6547, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with tfug", + "fileset.name": "director", + "input.type": "log", + "log.offset": 993, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] 
+ }, + { + "event.action": "deny", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: deny", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1040, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : < error: Bind to port erc on amqu failed: unknown", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1092, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[4515]: ntpd emp-r aperia", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1164, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 4515, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context run: vol", + "file.name": "run", + "fileset.name": "director", + "input.type": "log", + 
"log.offset": 1194, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with mporain", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1237, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < connect: atu", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1287, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "No such file or directory", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting adeseru", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1332, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + 
"rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[7061]: < ntpd will start in tlabo", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1375, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7061, + "rsa.internal.event_desc": "ntpd will start in few secs", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "poller", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "poller[795]: < Querying content system for job results.", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1430, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 795, + "rsa.internal.event_desc": "Querying content system for job results", + "rsa.internal.messageid": "poller", + "rsa.misc.client": "poller", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[6134]: < Processing command: allow", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1500, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6134, + "rsa.internal.messageid": "runner", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": 
"bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: epmd running orpor", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1557, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "orpor", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[602]: < Failed to exec olup", + "file.name": "olup", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1590, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 602, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[2807]: shutting down non", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1642, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2807, + "rsa.db.index": "non", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < sperna@sintocc: command: cancel", + "fileset.name": 
"director", + "input.type": "log", + "log.level": "high", + "log.offset": 1676, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": [ + "sperna" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[2986]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1735, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2986, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < CREATE onsequ", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1781, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "onsequ", + "rsa.internal.event_desc": "Table creation", + "rsa.internal.messageid": "configd", + "rsa.misc.client": "configd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[1243]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1824, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": 
"Bluecoat", + "process.pid": 1243, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[6599]: Started working: naal available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1870, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6599, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[5850]: Started working: rQu available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1925, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5850, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < queips: undefined symbol: ncidi", + "file.name": "queips", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1979, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "ncidi", + "rsa.internal.event_desc": "undefined symbol", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { 
+ "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_close(): npr", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2037, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "npr", + "rsa.internal.event_desc": "authd close", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[6373]: Anacron 1.3962 started on epre", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2083, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "observer.version": "1.3962", + "process.pid": 6373, + "rsa.internal.event_desc": "anacron started", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "rsa.misc.version": "1.3962", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting isiuta", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 2129, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd[5227]: dutp(psaquaea:taevita): 
pam_putenv: ameiusm", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2170, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5227, + "rsa.internal.event_desc": "bad variable", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device elitse6672.internal.localdomain: mquisno", + "fileset.name": "director", + "host.name": "elitse6672.internal.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 2226, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "mquisno", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "elitse6672.internal.localdomain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[1859]: < Failed to exec umSe", + "file.name": "umSe", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2293, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1859, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[6110]: shutting down itau", + "fileset.name": "director", + "input.type": "log", + 
"log.offset": 2344, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6110, + "rsa.db.index": "itau", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd[2415]: PAM lorsita more authentication failure; dolore", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2379, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2415, + "rsa.db.index": "dolore", + "rsa.internal.event_desc": "authentication failure", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < connect: inimveni", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2439, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "No such file or directory", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_close(): psumqu", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 2486, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "psumqu", + 
"rsa.internal.event_desc": "authd close", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[2558]: < Failed to exec edquiac", + "file.name": "edquiac", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2531, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2558, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[4538]: Updated timestamp for job remips to uisaute", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2582, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 4538, + "rsa.db.index": "remips", + "rsa.internal.event_desc": "updated timestamp", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6837]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2641, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6837, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + 
"bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[1493]: < print_msg(), dic", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2687, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1493, + "rsa.db.index": "dic", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < Device \"itation4168.api.domain\" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci", + "fileset.name": "director", + "host.name": "itation4168.api.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 2730, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "dipisci", + "rsa.internal.event_desc": "This file is automatically generated", + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "itation4168.api.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: invalid packet size (mquae)", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2889, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "invalid packet size", + 
"rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[429]: < File reading failed", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2931, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 429, + "rsa.internal.event_desc": "File reading failed", + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[7595]: shutting down emqu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2985, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7595, + "rsa.db.index": "emqu", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < The HB command is accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 3020, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] 
+ }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), isetquas", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3073, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), gnaal", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3132, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with voluptas", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3188, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[627]: ntpd exiting on signal orin", + "fileset.name": "director", + 
"input.type": "log", + "log.offset": 3239, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 627, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context ecillu: mmodoc", + "file.name": "ecillu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3278, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : bad username mquisn", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3327, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "bad username", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[1313]: ntpd derit-r orese", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3355, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1313, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, 
+ { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device Communication Daemon online", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3386, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "device communication daemon online", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context olup: aco", + "file.name": "olup", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3446, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[609]: shutting down ser", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3490, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 609, + "rsa.db.index": "ser", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2991]: ntpd orinrep-r quiavol", + "fileset.name": "director", + "input.type": 
"log", + "log.offset": 3523, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2991, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB", + "fileset.name": "director", + "host.name": "sBonor2001.www5.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 3558, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "sBonor2001.www5.example" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < ccd_handle_read_failure(), uid", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3657, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "uid", + "rsa.internal.event_desc": "ccd handle read failure", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting lmolesti", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 3712, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + 
"rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < inserted device id = ersp6625.internal.domain and serial number = seq into DB", + "fileset.name": "director", + "host.name": "ersp6625.internal.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 3756, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ersp6625.internal.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting uipexe", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3858, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < The HB command is cancel", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 3903, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "cancel" + ], + 
"rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[7360]: Normal exit tperspic", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3952, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7360, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Filter on (tetura) things. riosamni", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3988, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "riosamni", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device eleumiu2454.api.local: tat", + "fileset.name": "director", + "host.name": "eleumiu2454.api.local", + "input.type": "log", + "log.level": "low", + "log.offset": 4048, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "tat", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "eleumiu2454.api.local" + ], + "service.type": "bluecoat", + "tags": [ + 
"bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < System time changed, recomputing job run times.", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4103, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "System time changed, recomputing job run times", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[3450]: Started working: aconsequ available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4184, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 3450, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < handle_authd unknown message =utemvel", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4243, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "handle authd unknown message", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": 
"ntpd[16]: time reset stquido", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4305, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 16, + "rsa.internal.event_desc": "time reset", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device olu5333.www.domain: orumSe", + "fileset.name": "director", + "host.name": "olu5333.www.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 4334, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "orumSe", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "olu5333.www.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[80]: Normal exit ici", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4389, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 80, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[7612]: kernel time sync enabled nturmag", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4418, + "observer.product": "Director", + 
"observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7612, + "rsa.internal.event_desc": "kernel time sync enabled", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4463, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7128, + "rsa.internal.event_desc": "bad variable", + "rsa.internal.messageid": "cli", + "rsa.misc.client": "cli", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < Executing Job \"tquo\" execution iatnu", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4519, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.operation_id": "tquo", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with ntut", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4587, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": 
"bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "poller", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "poller[7151]: < Querying content system for job results.", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4634, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7151, + "rsa.internal.event_desc": "Querying content system for job results", + "rsa.internal.messageid": "poller", + "rsa.misc.client": "poller", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2314]: ntpd litanim-r rQuisaut", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4701, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2314, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: block", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4737, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : 
epmd: got emp", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4790, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "emp", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < System time changed, recomputing job run times.", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4812, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "System time changed, recomputing job run times", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Health state for group \"lab\" changed from \"llumq\" to \"tenim\"", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 4893, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.change_new": "tenim", + "rsa.misc.change_old": "llumq", + "rsa.misc.client": "dmd:", + "rsa.misc.group_object": "lab", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[5899]: < print_msg(), orem", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 4978, + 
"observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5899, + "rsa.db.index": "orem", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: epmd running inBC", + "fileset.name": "director", + "input.type": "log", + "log.offset": 5018, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "inBC", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[2746]: < print_msg(), ptate", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5050, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2746, + "rsa.db.index": "ptate", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < Executing Job \"CSe\" execution exerci", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 5099, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + 
"rsa.misc.operation_id": "CSe", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6012]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 5163, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6012, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/bluecoat/fields.go b/x-pack/filebeat/module/bluecoat/fields.go new file mode 100644 index 00000000000..d050907ed44 --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/fields.go 
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package bluecoat + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "bluecoat", asset.ModuleFieldsPri, AssetBluecoat); err != nil { + panic(err) + } +} + +// AssetBluecoat returns asset data. +// This is the base64 encoded gzipped contents of module/bluecoat. +func AssetBluecoat() string { + return "eJzsfV2TGzeS4Pv8CpwfzpJDpsbyx97qZvdC090e940k96ole+NiIirAqiSJaRRQBlBk07/+AgnUB6tQJAtVlKy904NCIpnIRAJIZCby42vyAPuXZMlLSCU1fyLEMMPhJfkrL4FcSWrINVOQGqn+REgGOlWsMEyKl+Tf/0QIqSHJigHP9OJPxP/rJX5t/3xNBM3hJRFgdlI9LJgwoFY0hYX9vP4ZIWZfwEtL0E6qrPV5BitacpPgwC/JinINB1/3qKr+vKU5ELkiZgMVelKjJ7sNKMDvjKKrFUvJhmqyBBBELjWoLWSL3iyUpj2S10qWxfkEdxnUDI60CcoPJhHGERqmGSjX64PPh5nb4+D7DdP2d4RpUmrIiJEkpYUpPa8U3ZEctKZr+39qSCpz0JZ0ab/vDE3Ia7km15DKDFSYVDcW6xI1THAFCVsQJrHEjwb1SCfzyDNGI2dSKQwIo+2OY0IbKkyFSAepMCwPk5BR0/2ij585rHYQQg3ZbVi6IZRo0JpJQTbMaELJWzC/MiNA62oVFr0lqqejN7LkGRGwBUWWUK9/QZUG8gYMtaRRslIyb6F68lqu9fM7mj6A0U97wzsJwvfPiPF0U/IO3AFzO020yFwEWcVhCzzIKy5Fd68f8OoaCgUpNR5XBismICNScERs6JIDyWkRxpvrdTJiax5Zpzf+zNxef0O21IpXPD0sA2HYivk9BI80NYTLteO56jET6Wd2eL/i+DvL0oIqw9KSU4XwfnEWg6vbGzpqtUOr2xt5eLUHmb6dm+sv/j/Xj3PdYo1l+bRDJpf/TJDULuM/Iv4tDYuXiyNXoGWp0ui7aPrU40/aNNzaUAM5CPNp0NMyYyZJOe2ch49GAAij9p8G9cZqAp8GNRNDqC97k1fn7FOueAY0fNYuO/UVQDZOTx64UUP2QOuHlall8fVuwN71NE3L7NyAvdFPaJnDfOoYpbPxSbRs0SCDHEN6E5mJQSTAo9EMSudRykrBfiuhUcJUPUP/0f7QcLmSIrXCkhr5R7deBo79lk0VPG3+XdmB2IqltH3qrKF9Y01ico+CjpQiA2VVVAVeYPQmt2KPkBENxg5yAHyIQw8rtBWbe2NPVmhrNveGHsX2vuckxtKP21w9ykfMetwsN1JH61HtvfWT1KYtqnh3V2kQGRPr6ksdWvqWNf/5cJCFN0nv40HW3d5tvyM0y5SVWUOHssu+3vyM/FzZt/1hOgN/+H+XgZZbc5zg7ul1Lo223yIjlKzZFkTtrvh8L1XLoiEL9rJadfZplKHPw4s7aPDKYp8o+C1q
vdpPE7hIOLPlHvl44wYnd7jdn3nvn6Hk/b4AktL+SV4CAWY2oMiHW2G++YFIRX7kkppvX5Al1bgTKsf+iq1LharQiZmFFbzPeGb4yDLFKJrBdrXQaxnvLDlml1Vjf/bGq1Q7qrIJakxLdrQm1ubV7d0vBxoOJQo47S4LIXqvDeT+yvGE2dE24PaTduyx/5eKrZmgvII5vL1PzDRe4zjywHl798sPgUl6AntznT7JmqI+H+eQ5M1m66tKsZJ8AzQDNdPL2E84GLm9nvJC4yhqP9TgMHHvNH9oJwxPkxn8MLRSPG4bxQM3u1W4ryTnGPTxOQpCy5+LvKzbfcM0SR1zILO0HKhmr2X3kidHWPkHtETydPnxlLNcagweyaUgy31vWQhR8FsJ2tgBNcsLvvcrYX9sBS4Bmm6IZhmQJ38mZqNK8uL775+SHdVEA4gay5G5fiR17Yy56kIKDZebbPoHWtlUlsLU9mqZL53wsQdOB0cgT+hSbqE1XSaC0UaVmNFGAc0Hd3n6B1r6T8wMyFjZ1WrOY8UXIU2qNlrZijDzj/LFn7/5V+2E5/MCRVVF1j969P7D2imv6R4UeUFuREoLXXLn47amzigJGhp9ohs6EKsUwvLtC/JvdrrPyLffkn8jqVRWf8RZeKTPyH/n5n/aHzJNDpnyRXCRhMzgE9pgYgdJSjlf0vRhqs7n0AtpcHNT43RlywgQWSGZMKhuGwgH7uECJ6CUjI4VaTQgXUDKKEeakBZtpLLaoti7W9h+saWcZW75QmgJWclSZFZac0DymFh7ZeFkMNDhvu2NPMfbid+0R1z0A3zec0mzj3dneIREs9+B5GAUSwO6sjfR2j9GG81djpW4s5ckNY0OJ1fVwizIT3Jnmd+3hZggUlkTwkjyAFCcYMtHuj0+E7YomYLWyZZlSRb/DnVTSYA1CFDU4FHMLI9a9sqWKVNSbs3FAx+pCJjPLGfW4MMXQJyuo9MfyNtroqxc1GisI1uoWoOpf3ZyrlpFh1R88rm6aJjjc1WRjvW+iL29rvxr7yCXBsi935WpAryWlvshkWT/VE7vz8DJ7TEluuBs2ovsH9pU1Kynyn6ssEH2e1z8WNu2R3nqd2S1Nypt2ovj/xpvLu6Yrxi/yNuiHdcq7XdXr+68PpdSYRnA8kKqrhZH8EL57B5oy49lPH9wYh+NPDQLQw6xQzOxbEAaY9Dd+2j1LciL738gO+RsDlQQynnYDkXnK6oNjX+B7ECBG5YawoFqQ6ToBCsfsukjKEafN5sC5y3uIctz51epMmQNRkVAuhGSy/W++6yxYqqnmRHyPUk3VNHUODbZo7dHCtG5KUgpfMQAP/BtDmYwxSSruSfGaS7bI+85qOvmVnWSonLaKroblB8oxTrKEk1RD3MeYeFtVpmmpapG1IaKjKqMCKlyytnvoWg7qfIgBzL/AnuECbJc9kT4KDY0dNXonnO2ApxTwEDUkEqRDSiGzZIl2kyzxI+QzEQq84KDCS7ioLuLouJpFOuInFbegTIX2273dvTgphvacIf7Z3CT5FKYzdmsbrJ6zn81b6IZsoux50Zkl2COHfJ3KaZndB4RInb8SvlxIWnvu1zqHegJp+MVMfBo/EYmW1C6FeybHYvZCKzR6UXfAz2f1CapIpUqg2yK9PbP5V646nrM6n6r3szrH7bf4PoyVsl8gaOWmPinUxBUMekUv7zkhn1tGChCi4JXEdRNJnhOBV2HkpII4eiYrmwGR5SjVRNmvtRE7oTz2huaF11Pi6fYYrMk9ve50STdMKv/ygz0grwptUFFuj2o3f/UDMSjUQODy3D0uK9WlrItzHMH40JVQ7r5K1iBApG6RaVW+crYlmX2TsU1DR/7++rYv+8wIDyNx4KpGefQcN35qR/tfmGG7910tBURVhewaHEbHfcXjVqaQYP5mZVO9elf9AatAzRkOf405z014DRMzaXx2w51iN9KKGdcNLtT3Ho18mJHNUE02cAKIfpvxk991IVz
MO2oc7rOTZRkX+dx+IokCl2RxGkqxbgjcgj2IgIu6sZrSZlLqb4dtTcog3oCc5RMGj6wp85bjOuuES+dDMQYY5GmPbXnPEVFl3y6O3ZAO5SlSWUOzx2WWmXDaDa56q0VFX4aB6rvwFJZk5yZaaGvR0ivxvcJAS1/6DHDb2qqQq92ipPUdSyuHQ39sQWkbMUaZTCsLTgn51Der9c95ni5DjCxdgewrAn4rEzRzDsfg5R5lX4+Rv5yaCO0NVypyM/3PqSI6erRqWshI/6Ky0NZD7qQmo06hGftADQEROaqAmAoYnVKBvO5S26SKYnsI4+1KHNQLB17roPUzxLRfoT0dlR7vUPdEXcnqUf8FkQmlQ8lOkq7XP7zIlnS1eOCXP4T0rCOb1HPkSfVY5mVN8dRO8k3rVbHF/2t77Pa/JH1lvCG1pFTQhpCycZnZYbDg7hcJ9Wz44WEXLUhRgu5ebJvDyTF3/CJG2u74VEMq3eSs3Q/fZ8eOWN3iMIXmRN8PyCnSj4tdivMhHclB0QdFi9SGHicru/UKG+Fs7ybCkg0y7T9C68CyiuUoXTgE1dKuqFiDYmA3fRzNeT8hl3r4QYvR2MUW5YGWqetH82nHXFWm2uL9PAx1AUdIRrq2XM2oQTOsYmjUt59tXXo2rpBwJTAuGs76apoim7eytUW1ILcg2NsqUEt6Bqw1J2PmFtJVdHQG7saxul1KcITB9/KgJSKLJXc2e+qT70e41TrwVptt9kdVWa8KV+Djrcj/e6VvdyI+Xav5FmtdFxq88oCvMs6/gZ5JQjloEz97qqaYf1nzjXrj2Ir2QyfZwMKVUaEFF8rKAC11WOvUag4zitk01IpuzVrnRRXA3WE58z5fyvHZo/2HTMbr0w52UeuEeES40MFkeLrtbT/PiIZ8fJMAkrJpJnRljP6OaKwZMgVsSfNMNALct+cz26ZzHZMcixNVy6YvdRWUXVJD+6JMvPCyjOPkpSX2lTbxv+nx2oEYdquhs/M8daiVZvw2+Gr+QK3stvpYevJJa1PUQe+PKU+WzquEQ+hWsuUobfGcjSo9yPTX7MHeEkoKTZ7zVLKrZn38IwUCivSPiNg0i/DahZVNJw9MPLycvGriuZgQGlSUI11CjQm7rnMtFTmuZUI8uDxph+yCiY9qmg46Xk5XaO1DhcQ1E7YpTIvyv5ZiGI9JTsmMrnzkTepFCkU5ln9KjY43d5EViXne/JbSblz2mQyp0z48ylaiLgcEOVtb8351/iRyVll5DUTD5D5KNoqsIxqtNe9Amu/+aJGvmDZMebzXp7fRLHRrlPtTMAuioqAn+8vh/nnwvuEyH0/1bl+9ACVs26J6unOHz8q0uP24XE97dvRetqK8TnOS032jzhefSQUZGUKpPIAQ9iJoEExypPADTFBbN7joJXS1ZX5LaFuZeqgDQbpgx5IBJvDH+XHt8J7Q/Wm3u1W5QhEs5fWwrSiqYowrcPZr6qROqUK5BZUjWahVWqh6v/3sxKIlW+CMIwnKEXKgSr7EZbNaEjzYezeS6OqFIHT/kknKsp+rvonltGpzJdM1JXj2iLaJyCoEfJ6y1Sp5/dutO9QRDHs5ZjrOSKwca/c+K7OyrCHx2npMzjeahY4D9ftNXnrzvQTnxJHXI19n+RhsT895vy6jC+w5fq6vUa2+NDq+kD27bhD37kLYnBELtxS21O3Yzpsamz1flrdxMNXEp9U4y65oz404YykWdfWsu+qHprcXp/Ug873SZzQgyzqFyJr9KEFuXLR+r5aEHdfHNeF7B+pDn/xzRfeQbEsTR3HL00tnEvBQbu5Sydgd5JsqWJ0yXsR4y6hjQlScDpw5DQIPTED9GBR2mqQG3thT729NatYdGbX6v757V1XAyO+pJKz7YayZQbbCJwdGd/4Yh0Z5FYYcs/WguKxHNhIhVTTyjd92ZMFdivdVTqFxHoq+E+LqnVqcC9kMrC8b39+T5hIeZmBFQ2+MYsFX5AnN480Lzi8JHfO
+HTDoqxbhG1Q9LBf4J0BjflG1IZxM/1g1bkg5hFB2y3nzFsvKt8x/XDkgcMotl6DmlK4PjztX9qeRo8FNZ+NAr2RPLNr7KymgV4dB89Rs1hx/fcoL8OevHM349M6ofD2OhxgefaLlTWtk9nf5pGz/n0em5k4n4Yul19bhFJgRsEKy/XKrEyH9HSv8lwsdqBNWy1bpMLMKyvnKgoG6spTle2oulSsRb9WopVF1IteS+ZAka4nVuRQ8oamVWWvsOJkj/PMmqwUX1fKjzp+op3FENEISQHVETFR2lBTnq9Y1TY4ZfyCqqUdfikfCcueD0tdK/HLeWiwOD/0SmG5fWXxhDd6JX0nV9XvbZjrfj39GCHMhCzPfzNoxW7qdcQOtNJhnBnW8+h8Nxp0ehWQA+a/4tyeVqLLNAWtVyUnNxYDSWUG2jK/KtIU1vGYyOBx9CQ402ZIf5h4mnBoVGxVhWYJCr36OVWM40ttwD/g3obEmlBkxNcWNki7iFrxqrfexTQXPz55UkeqFKB04RMS3JnqTdtfIU1gXJXj/HQgaNyZ2H1pPv3RsdVGDol3drL7tf2SMqFJBoYyHjCdlrI0LbgB4iW/QExK5bWhddwAYhoW4Qbygk94tX1VtVqsWhi0XpB8lIrVXragON1jmLKRXqyTJ4G9b79AS8NDw6rKY3E+N22YKbFUBwmS3mhp/aTk0wdjpFe4ZVumdDy2qLObyjy3ezN2wa4cPGGtcKJCyS3LnIVd1RUI9Wes7xqZHnOgj7enf2S8ufvTdrRC+Np5LPCR+VLyqxr/svLrn3I5aLdGT+B/y6V3WYZ3asGmlAe6xqAktz73d7fktnfhthFNqM3jYzKP4xgVeFxnL6xHqvhjbGIfRRVWs9yBSpYymx5z3Ivb7l5ZVX9Yi23g+tzE5E45N9oseTcth4tP13BhNrUXkK1ZVrsoB4zxfLym3EuCOetmGHNV19QV5TQBWXUbuvvgsjgrNyg+jj1CWrZtFPdsvYRQSkGV0XvsoWwWQyroKcoODao6Gp5uKeO076AjtXuIYDz8CpQaqEbo9mPYwzWfX9erfrlPCHZO+r5/S1b7djEgA1ieLMss20fYdyxPRsaptiBLDUOFxI7aojEwislR2VKdgOlEl/ME2zHdjjVxtVSw4WQdJ93knHucoeLgTbyhO1qN6+v4NNwr9XgubGe0CK5+uSFPfKTfLyW3esmScQwwxJfmm8dCavvLp+Trvhkjul6+ByF34kBx1JCWmLq2PRx9oGtASmcxtLsBIFdVps1bH+D6GtY03ZMPgwosZ0tFL5P644c+YBMTJKdMrKxldPSRqqAKe33MkVF1oCLc4cDkrcxcwFFT3KD1rh1AS07cv/j4Yqcar1Ee5tW/hR35qRSoPr+RGXDyhInt4qtnhMn0GVnav8D+RQXle8304quwH9mkRbLitNedavwNfKhrXd0RHBbtXZQq+6qAsFwdTdoyciIt7tOlp6RKmNKg7IYKotzmY+VQB/cvb3619vt7F3Lz1Ve/vPn11bubr75yMTBbqigb3Bs7qR7GJWSc3Mq/VkO2fbSDZjIV468vH9s5NjewFnE0tSJwH6UurqQCoVk67kC1zMkorHmMFRXwbJ0PluwoG9NpvAk5SGXEkuKGGZ+Qostl9DYwy0wbNT6TBXM3ZukG/mw+SVpF8E1xHMQGJzYlgXsXkw8ObOIUfXyiHWLFBg3GajITnBOxkwlmrgYm0g24DAuLI/UUxhs+ljyvTb3rj9uoJ6729oU2QtbyLnlUR8m40BJWfvNjFEg5ywPsAf9b2vYTU0c+VS/XWJHjKZrPAev+lK+/KoHE5vGZYjjsijJu+VUlHN7583d73Y7rxexpqwIbWAcSh4bf4qu4nsRe5UGKY4J7MKTHx3Ray6gUXVu1h18MpfFOxf8WHs3fIKy/1Nj1kBYzFfs9FdlfZdiz2mA31LDwKZuMvz/0AXpd6oKlTI6Ij/hYtgXSt6NK9F1tn544LfIikfHC
6f7tmzvys/N4NOEYYVS/zfz8cv8fr8lvJaiBai0lF4mCbtWPqU8+LdfFnryrQmqDz7u1npaOEv9tMDm+TJsFKwaMx1NwJuBePQMyiylERzlVeRRfLGCU8UKLUWH/NViZjegMcAA1Nhf4ADijpnt7n4Zcgkg3OVXnh8XVkPuC9lo5nOGDpGnvefNMqGQTwdcUVmODKWvQ1RqTSaMA5fKfUXAFjait5zJfIxYDnf5DPWWPQ2Kudg72uo1ALBKaYtnCmDA2C63FKBW9BbpcF9vvxKPZREjLVCSpUdZGGVeZqgVvYYe8dWeAbnmvIfRZsCDWTIwK3O0Dx8WUiGSV6B0zacS+FsmKy52mecxrURtamO0U+Cg/VioSJqZtcyYKUPlyPyIkpwddpA+x4NgcLQq0SAoljUxiXHEIv/0uQZs1BppP2G9crpMxrf87oDEvoalIcvqYGHO+wnsIaleYQ5RYyJmIRszEFMQF1wlf8mS88/QA+s+TwCPqAbWgx2ept6HHR0S3ob+fBB1urH4u9L9Mgv4fk6D/NRbayILTJcRt9Ro+RlUSSV5yvLyX+yh5VoEXD1FyPC85W+dF7O1t7z/K1+MfjTwsixPiGn5LY3RvkWj3ZBrFK63SWO3MgsZqZ3qvyyKqPnYq6jDrSOXOSGMVDHiM2tpGGqskxUOjehIJXgr2KKiQGnptM8+C3/5gaY8WC9sfZGE2QLMoE0jmRZLyKBvagka5NBBSYZusOFgdCVuUSZR/IlXMsJTyqKAvndA1iHQ/6k2pDS0o3/8O2TIO9zbBZPhIWJfGE4vZPWdHwlsL+YdYC1knS2b+NTL5MNXJ2NqmHVAlI46yjtycCAepionF084TMKKuZAsUzMZ5A2KUbweO11UkuKt9MyZDswW9YhzidBGdrOLYxVbjApAPQeMkrbZGsIBHk0QeI2sDZ9oUvSI/Z0NrlUZCV53jomDlOskhYyOCMQ+hmYjleC6zkoNOZdysPThbR50KWegdNSM7UbTgQzEBZ4IqWDNtFI3RtBvoqJvKdVKMnLKaMGeNdURU9Ol0UQ1uyaPgsbFo1BXngo7iUU+5nHcbyXTi6jzHwO+popELng2EVZ4Hu3UdDMZDMm1ot1nrWYDaLEt1fiHRCg5czbU4uDICX8w9XMWSjgfEqj2rmFLowxHTx6DWNMvGrzrLxjvnqgSaKInC8iRVUuaR2TcWNEopYnkS+wjnc3fipls8RCQLFTomlZkVulBsNBinhpky4t2GMwFjUkkaOD2yFlcNiYGPMSYIly6jOVlxGSEca/CoEACr6UXsdwsWtdetbhiFLsJry+U6cinFOnLbFVKNPxz5slzHbZ2c6TRuu+Y6cgHjqs8IMJj6EgEZcYpdaYDxr1IObvyDktjtxusKkXFCdbuGCMgIeS8VWyeBam1nQO4EqBjZUiSRHQSLZGQF6QYwqo1DAx41SzxJ4zepB4xpp+mU/giUVGv7ZZJuzo9n7QG7vpzj4UHla2sX9zKqz4PdRYLGiDmXv/ThQ6fS51mgSq4TqotRJT/awGO6PFRwCiiPu3kUpEity1aNBo+ZrIUdm6DbgpUqi8IaY6LpKOtTO+szylOqYbyL1JXTjVIjNPwWw8xQGuwIuCjFRbN11MHUxXi7Ras0buVVmkVctVqloSzfs0BHtWRqQ5U6Imdym4rxQQjBiqGnwVySZUTT8LWJWQQHFuM1qitGjofcFxGZq2W2jHy1LhWPkkqlBpVkbHz8ZmRhksonEkesSePa5W8TJrShqyhJumXKxF3F20JEpTgYqUpxkV6tr0ojybtSkN7gtRd6UoG4XyhnGblSkDFDrqjKfM7YkbY0vv7VpJkO1YHEYVzTVYyYTSUnoZCS2tvLxJTZ3+QFl3voFcQ7yYOVLEekx5/bl3dTtdTB2mIK1vBIctoN3W08emJddsuuzEAGZxoLbFTj63YrTV0WWKK+nypJyG5DDWGGFK49f5joY0+pY0qFhNu7u4rnFRLChK9kMJDZ
zZmYXgG7RYwdr02JJkauscnOovm96xjR456ALai6iJKRpKBKA3kDhmLFYXcq6n5p5MlrudbP71xw31Ny7ct4ufYkvdExjfgd+GKxSLYgb8H8yowAHV6r/taLZM8KywnXuxmHd9PRQFW6WTDBBgxeRecphtARNq63HmcCnnNaCqydui5zX5b+SCmETuWDI1TPkTJfU10nyvuKrwMqvWVmMm8vZNdzyw5M3sOjwd05ZBRctAF1UyTuRA9qzMqdVKoY83I1mKo58JHU+WPv3uNrQ1StZFfVuE6CdS28+k320CxyWPu9QbCegX4ZpH9cHe8zOmdn8Hh7XR0iHH2oZPvIh+iR26Vu4eAe92t8pLdHa256iEtRJOqC0TVtUrmCDUFWEEI10QDioE9m2HhRVGiazlJstZcl7gYXvoFT3Vq76hZ8hKwCVM7cRTgfWc2grnAL2zIOa/C9PKjWbC0c85vK3ANtDehyrm71A0uOGI7suOUFW0sMtg8JbfMWRUO5hXGVbqr7kmVVW9u6YxI2bBw4dIQEYnJqrU3BQJDUaAWyahTWCN6qv5PFMaDC7hQbcPTMiB+RDJQuvOT86/6ZPQJaD5A72Xkfj7l6KGdUJxs5g3bX6Y6JNXGaMlDY0adV8CgcU03cBrX0CN9iW0hDsFXm4hXX0po2neYlWIX8Jw+xIK/Evv5fb3SD1pEWhtBsUXU0DgumSOeXJX2KsvxFl59YefCAqcy3dbbWRLtCeTXrcCNhv2OSsZ7Vcw1WugdF/qX2GOjnHhGiH+pfMjZu6/J7TzRUHey+ozwdDJM4JQu+7JbFcS3p3v78/sbODhQ4oxE9MhnTqYKCinRvtRJ/+fN+L1vLg2fk/ZuX5FaYb188I7dvr2/+8yX5cCvMD9+RJ7vNngjfgDHdSO3LuEllrVf81Tc//K//9jTc+w7MZpK86M4YJdAip+HSSHryHhl5oHwl/tsKbfgwZR+brPY5P0HbYMLf2RdTiKKOYtPooFVz09ev3gbJ+V0KmGKHx63f/5ECFmH+/D6mD8BHuOwsqadFDbLx09wrR3i5pgZ29CKFpXGX3ZFXrnletdtCCOvrJM2LYf//VL/m7dWbOyeHh3vF0xl6+Q2Z0k7PqVqX3t5ZZANWveXDYC2YWfhgRx/mQ6UDJK6m2NyHrd1rIXMd6ShvnipalcjDsnvWZbLKOx4W6U/L9eFC9ZA1sTWROsO5YpqSt56GO6lMLaJ6Qsj1nkAm+u7zxyWRnp1/jmIm1pX4rAh/M8Q8ASH9fj4vkcePNgjVWqYMi8ajtdy7XYmVU4qKNSxq9TiVYsXWpYKMLPe+ub9rdT/QnWYwpaAXKDygTQWHXUVlKvBR+l07tDLCYFKQSwOJjxGKefmNmWImdEITFz4VBVwYFQu+imLvKioWm8dtgPiMmiJqcjRLKmt8Wr+uQ9vC0rLojtc2ZC6iLdxYw0qAIe/3BTwjHyox9xpN5G/JXWUi9+TIz0M3alW8apYLY0Clr8giVddOynnwwiiaH+IDPVUYOrAFZbDzjJFVgysmyIfbwSOUYkjLhDMY0zZW6EQWUYXyLKgCPT6OxgJGhfg5mTg+IAp9UFEYXZmahINYR9R8RLz2GpjbuYRNifB6obzlHBQkxQcca0X9KNWOqizUDOwVtqlDv/udko/46r4EswMY6GQ8Ogd47IuENJS33b0OHcFCJvja1JuDb4KmAB+CcmbsUfNFhcKT2HIq5nlXOcMdUD2rtRwCvSkcOggaH+DWas9rVJ4PJWKMPxtSzLbYjskjPe8NhSrD0pJTVTVz82ie3Dy+fC3XcrUK16eGNDEbmLvx7Xs7pO/e31B2YymzBL0qzQaE8aFUg4TN1Xvs8LmyrNsahon7oEENkiRLk8q5ueUHHSbp3nXgHqCq6pEz7fY9oAgxk6rhytHmrxX2C7RPhg4V9hSjG1gXUmTY0lUGVYAasN+U9JDu7Zjs2oHbgBKXZ49xb5xBVlPs7a2OXsME0cyUAYlCMECu
6oLnR91QTWgmC+wKtgGmiNyJTmMkYuijFDIfiHapatQnvXCkGS4/q4YxkdmzLJVu2vu5LsKvqvL4vYme4z4RNenubAyGU9UzvNDz0eAk7/0r0rzzPNZErDXVcVkdE6bqogLufVTh3HMdDg5ZymnxcYHpLWFDt0yWqNlYo07JnA1EOsD86G8EXXIMG16Rq+PYmdiO73wWIqNLw4FOQ4IoDmgYWV4sgoQAhpqC6WvQuleanT24/E0IeylMN0Q5RufLMPkjSSd0xcVbBjuZs7QiDKeFAQPdxx5mNq7XeaBKI/HkLNJvFtqoYSd5RXU48fWTUf3iONX+WnS4JlEeNCNqk8iwHJu2ek1DQQGDTk7PyRGpUSeZiSnpE1mpztwA4aown2wDfHse1d9M7okeJN47jk7NoUc9zqk5emccuz8y/S9O0q9m5r/b8LNQr05zf0RNio9zVE9Ivfqo/pE3zben2X5+AaqPw/bzZI2a+azOudfPOKkzb5o5qe9tmVopzFyXzsm6GS3NJsnBbORFvKn0wM9FHCL/s8GFwexdJSda6kf8u+8k974mi+rIDom2Lf9z8f2f/0yevL5+dfeUXDNtmFiXTG8gw8ScIDYu13KG/Nhjfm3fohsx+cXAHw68eSs52V9yLPbe8j6Eo96b6PMbUTp8zMZMMSiuzoxouTQQa+idgopQEaXmnZzy87P4O6S+oxkrtRuDSEU0yxmnyh1mK0jsbk3xPgqH6uKZ0WyeXri1D7IdZfbBLlflAenUtWgOzJRIwlfi2LlB56ePD2/5n7zpjN/0Vswbu9AKPMzCjhappj2K9Vy3yC6p1lSw34/EOokpC3YuwyK41V75AZatmApG8Udnv/5oB0T56JLKXZbuQSTST0C52aRUASkUZDJnggZDrFtH/Y4aBsLok4FnnM47n9f0k07HFcGAInp72S38pRUCBVUG036byRwXQrOm9fqDe478WUEGihrIkhFhAEdWEduQV2PWru47Jbcsq9PV/e9oUXCv5/SWz6fIWkF+qBEN9FKvp8Gy2eZRD+rrOJj9wESChZ4xqmTL3JvTpqvYDRQOqBWacaX0x2o18Ih3eQuolSkSavLt9B/Uhqgm2kjl5KMdLQdDEduX+KuF/dWX4fnlLMs4zCkx3uCI58qMwBK1ZEiUzKiK5801oTs/XitHV+yrF49npODUst3eSFIREKnaF0NeRAxemcUqOCNeQtUWwk9SG/KGphsmBtT2jEaf0S+6/PogMLKvUGAPqr3VXVq9XpDXGS3IL/gfd6tnUrh8gH/0rwuyoVuw9z0HqlwLa4L1JXQhhYZKDwgnDdgZJf221xNkj6+NkCpmQLGqSodwE3QVGYYpqYiehZhmmd/5IjLn0oL1Rae6Cbp7rSocdZAGbPV/f9UwTVQpAn3dCaH6WS2J3WuOS6YeiMj2IybeipiDmZTsmMjkThNdQMpWLLXfPAvFjfv4o/5GtRNwFDWvvuSJqrqe12IZnxmetvhBSoE312tY03RPPujDIj/1e0jeTXCIilqyo8xiWg3cYW11G5Fh1DRuBnsL9PhW5zMFspgOMgQwzLbPhMOJzaGuDVUbcspbYE44h+CG8DAR05krXmpoMj5yyjv3Kslxg5MbrrXSp3cuJ0btdDzkbxNC41jZ43I4/e10agkGN44rzzwYAY6TymDFhPcF4lHHWhA5LQaKUSD+gTDrC2FvzN2O6hEjSGp/0/QZ+HzkgeohtQ/NGJpu8tlL0TXjImNITwtusy2yoOaSiTE1d2fdaZZsDH+fKvQDx7YdjIvMc2W0mlSkQD3yHl1TZfYJugqqqrW1Hz9riN1tWK/gGbH70FoWLkTvrAmYiIqXLhVOqnHtGTvT/4suqPj3k/mcFarDWmeVkhYSqXZqf3mOo5+g/oIXbo/uqiracboH1yoBYZQswscwk+WyZ5Cdtdf8qNa6gROhjUjFyE5OZ1JxJfPCGqTVzscNjg1OnOa5BWVFa2LN5vCFRPXD9LjfE2ex
o9NXuHcwvbLZ6rf4N64fS8735D9KytmKQUauMRvGOS+CyHawTFIpH9jFnpR+hSVxGBqbhPIhvSyitk7z2FOUxrXBGapHfvpsvKsH8bVUvdvKeecW5P2+cOQ3FpWdoOPzMIsVrJKRxXE6hFkszgRTX+pQoZ0uunmcBbWCcYjfeS8KqSrPHj6vvHs9sDCtbNXRy1rNp5haMfbIdOzYJ/1wFSFKyuh77hCtHclyjRTUhB0cqUioHvce1QJVsR3US8VHsbsFN4o7tQqelGp8v98C+55hc+gYlBGi7xB4ZIjGIbDfBVHHAR4NCLwEYxQ2O8KI1a2v1Y2CzgNlzO3mhpknhvzgRL/HgfGqe+7/feWRPPf/8K++IacX5aDCMQSe4Iu+ljhy248l6MdoFWTuEZz5sslWWWRiBUoN+Oj7M5uJ8rY6dJJ9QafHLGRU1YNWLVYGti8+Y8jJ2zcwzIwb4ca9ttgN8B7jglT7o79D/xF6uNg9Kzag5rJqrJ7j33yfXGFB9afkCjGEkYMysyVKDvDqCpQvfA8HMR1HSuzAxMeCFjNay2KH/VK36i4dXQ/2+7CfYHxaZHhNyD37fSB95yH6DN7+/YYIWEvDHJuLDdUD9Wl1On/ybovhbvjhgt52QSbUp+09AHbWuir4VcV7hh/sNBvZXPG8POG6lvj7wbYa9uwxrcuYxtAWFh91p9jP07x8SAMoNdGz0GNdW17c2OHJPT4ZHDutM70u1fWuvG//yT2GcxwXoS15MUTGeHlxhIphoaE1T7bT7pKui9w7ccIuucRuAVpGFNPQ8aDsAbw1EJ0S9UVT4LEtKFFefEc0+m6lIrf3r/7+5o7cWflJfhYDFSkbeqLzPmLoeb+TYXrwWKYbSB90RLO3RrBMzW0PFYGuq5vUqecYoOELdzfn/oiuAor1ym9cRFVxmOqsvUH1DanCFmvzicE2HVvKWeY2RABN9+jPWF/q2NHHWT/AXndF0dl7LLoT+saYQicMuxFEAiNL48hOz2/5NWXvsbWo4h2lYmZ/Yv+lMs8n5vKfSZnD5E3KcHrNjingXe06xoTbcSqSUX2ox4Yk6KppwK+e5ipGNmygY3JDUkg2TwhQiCSHgyAORBvWvZA16YYK0UtAm56o7MdFVAOe8tnKL9Uiz1fs/vX1q7de5j7vIKhFnZGq6xWL2V4Z0w/JVvIyfhqvqh4YwtfSrDuDVE0WSsGMJk8cGv0Uc9cwmaDqghDwFw0EofEy+oS/9tR8EMz455LFYTDaFhS+lKxKTlIpUiiMNQHuHa8HUpzGdFIP1nVA5lljo2ohYknB7m/S8uinv74KBZMEWRezA6RaXyJEoRtaduD0WFKXvhdMYPzbzc93t3fkDX3Mmcjq1iVh9lvqLxDIcFDoe4BwT2iP/mOE11dwOAQ7KiDIRWYn45p4/sETaapJzd1oyUuq22tfj8fjOUoDn5Oxnzijp5pT/l8g56AOjhRZXxuJOUlo8Y1rLz1Ssam7eRn0AztrN3epAc+ILgNhUVSTv2ijpFj/+5LT9IEzbSD7y3P/2bP6WyZWkIa/WjEFO8qD1yxd8hYMoSIjWpKB7aNgzbRRe2v1zHswC2o2vhRdjYV0sfTImNR+sE+IS5Rwsa2pVK3qXbXGUtMGwqj9n/5vAAAA///uPK/0" +} diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index b5d555b03b5..056512d4769 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml 
@@ -51,3 +51,22 @@
 # Set custom paths for the log files when using file input. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+
+ nexus:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9506
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
index 4d9f80121f2..b5d7a81d900 100644
--- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
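Review bot: The commented defaults `# var.input: udp`, `# var.syslog_host: localhost` and `# var.syslog_port: 9506` describe a plain syslog listener, and nothing in the new `nexus:` section warns that syslog over UDP or TCP carries no authentication, so once the bind address is widened beyond `localhost` any host that can reach the port can inject or spoof Nexus events into the pipeline. I would add one line above `# var.syslog_host: localhost`: `# Syslog has no authentication: if you bind to anything other than localhost, restrict the port with a host firewall or network ACL.` The template also omits `var.keep_raw_fields`, which the fileset documentation changed elsewhere in this series describes, so a commented `# var.keep_raw_fields: false` next to `# var.rsa_fields: true` would make that option discoverable. `enabled: true` appears to mirror the neighbouring filesets, judging from the `#var.paths:` context line that precedes the section, so I am not raising it.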
@@ -295,6 +295,51 @@ include::../include/timezone-support.asciidoc[]
 :fileset_ex!:
+[float]
+==== `nexus` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9506`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
 [float]
 [[dynamic-script-compilations]]
 === Dynamic Script Compilations
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index 58624e92659..c2f1123cd4c 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded gzipped contents of module/cisco.
 func AssetCisco() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml new file mode 100644 index 00000000000..5608926d955 --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+  {{ range $i, $path := .paths }}
+- {{$path}}
+  {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+  observer:
+    vendor: "Cisco"
+    product: "Nexus"
+    type: "Switches"
+
+processors:
+- script:
+    lang: javascript
+    params:
+      ecs: true
+      rsa: {{.rsa_fields}}
+      tz_offset: {{.tz_offset}}
+      keep_raw: {{.keep_raw_fields}}
+      debug: {{.debug}}
+      files:
+      - ${path.home}/module/cisco/nexus/config/liblogparser.js
+      - ${path.home}/module/cisco/nexus/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+    target: ''
+    fields:
+      ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
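Review bot: The `rsa: {{.rsa_fields}}` and `keep_raw: {{.keep_raw_fields}}` script parameters are passed through without any comment on what enabling them puts into the index, while the fields.yml earlier in this same patch documents keys in that field set such as `password` ("Passwords seen in any session, plain text or encrypted"), `cc_number` and `ein_number`. A one-line comment above `params:` would let an operator weigh that before turning the options on, e.g. `# rsa / keep_raw: index the full NetWitness field set and the raw line; these can carry credentials and card numbers (see fields.yml)`. The `ecs.version: 1.5.0` pin at the end of the template is also undocumented; a short comment stating that it is pinned to match the fields this module declares (presumably the reason) would save the next reader a lookup.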
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{p0}"); + +var dup68 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + 
+var dup69 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); + +var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + +var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + +var dup72 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + +var dup73 = setc("ec_outcome","Error"); + +var dup74 = setc("eventcategory","1703000000"); + +var dup75 = setc("obj_type","vPC"); + +var dup76 = setc("ec_subject","OS"); + +var dup77 = setc("ec_activity","Start"); + +var dup78 = setc("eventcategory","1801010000"); + +var dup79 = setc("ec_activity","Receive"); + +var dup80 = setc("ec_activity","Send"); + +var dup81 = setc("ec_activity","Create"); + +var dup82 = setc("event_description","Switchover completed."); + +var dup83 = setc("event_description","Invalid user"); + +var dup84 = setc("eventcategory","1401000000"); + +var dup85 = setc("ec_subject","Service"); + +var dup86 = setc("event_description","Duplicate address Detected."); + +var dup87 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var dup88 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup89 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup90 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup91 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup92 = 
match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var dup93 = linear_select([ + dup27, + dup28, +]); + +var dup94 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var dup95 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result}) ", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup97 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52}Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var dup98 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var dup99 = linear_select([ + dup47, + dup48, +]); + +var dup100 = linear_select([ + dup50, + dup51, +]); + +var dup101 = linear_select([ + dup55, + dup56, +]); + +var dup102 = linear_select([ + dup58, + dup59, +]); + +var dup103 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup104 = linear_select([ + dup66, + dup67, +]); + +var dup105 = linear_select([ + dup68, + dup69, +]); + +var dup106 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup107 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43}Interface %{interface}is down%{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup108 = linear_select([ + dup71, + dup72, 
+]); + +var dup109 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); + +var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), +])); + +var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), +])); + +var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), +])); + +var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), +])); + +var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} 
%{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), +])); + +var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, +]); + +var msg1 = msg("LOG-7-SYSTEM_MSG", dup87); + +var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username}from %{saddr}- %{agent}[%{process_id}] ", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, +])); + +var msg2 = msg("SYSTEM_MSG", part1); + +var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username}from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, +])); + +var msg3 = msg("SYSTEM_MSG:12", part2); + +var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username}from %{saddr}- %{agent}[%{process_id}] ", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg4 = msg("SYSTEM_MSG:01", part3); + +var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username}from %{shost->} ", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg5 = msg("SYSTEM_MSG:11", part4); + +var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", 
"error: maximum authentication attempts exceeded for %{p0}"); + +var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + +var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + +var select2 = linear_select([ + part6, + part7, +]); + +var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr}port %{sport->} %{protocol}- %{agent}[%{process_id}]"); + +var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), +}); + +var msg6 = msg("SYSTEM_MSG:19", all1); + +var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var msg7 = msg("SYSTEM_MSG:02", part9); + +var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + +var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + +var select3 = linear_select([ + part10, + part11, +]); + +var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20}uid=%{fld21}euid=%{fld22}tty=%{terminal}ruser=%{fld24}rhost=%{p0}"); + +var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + +var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + +var select4 = linear_select([ + part13, + part14, +]); + +var part15 = match("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "%{agent}"); + +var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), +}); + +var msg8 = msg("SYSTEM_MSG:03", all2); + +var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg9 = 
msg("SYSTEM_MSG:04", part16); + +var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + +var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + +var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + +var select5 = linear_select([ + part18, + part19, +]); + +var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr}- %{agent}[%{process_id}]"); + +var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), +}); + +var msg10 = msg("SYSTEM_MSG:05", all3); + +var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21}FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg11 = msg("SYSTEM_MSG:06", part21); + +var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg12 = msg("SYSTEM_MSG:07", part22); + +var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname}- kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg13 = msg("SYSTEM_MSG:09", part23); + +var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg14 = msg("SYSTEM_MSG:10", part24); + +var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43}: SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg15 = msg("SYSTEM_MSG:13", part25); + +var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43}: Subsequent authentication success for user (%{username}) failed.", processor_chain([ + 
dup5, + dup2, + dup3, + dup4, +])); + +var msg16 = msg("SYSTEM_MSG:14", part26); + +var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1}: TTY=%{terminal}; PWD=%{directory}; USER=%{username}; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, +])); + +var msg17 = msg("SYSTEM_MSG:15", part27); + +var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username}- %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, +])); + +var msg18 = msg("SYSTEM_MSG:16", part28); + +var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + +var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + +var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + +var select6 = linear_select([ + part30, + part31, +]); + +var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + +var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg19 = msg("SYSTEM_MSG:17", all4); + +var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username}- %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, +])); + +var msg20 = msg("SYSTEM_MSG:20", part33); + +var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username}- %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, +])); + +var msg21 = msg("SYSTEM_MSG:21", part34); + +var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username}- %{agent}", processor_chain([ + dup10, + 
dup2, + dup3, + dup4, + dup12, +])); + +var msg22 = msg("SYSTEM_MSG:22", part35); + +var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2}- %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, +])); + +var msg23 = msg("SYSTEM_MSG:23", part36); + +var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + +var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{username}'%{p0}"); + +var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{username}'%{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "%{}- %{agent}[%{process_id}]"); + +var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), +}); + +var msg24 = msg("SYSTEM_MSG:24", all5); + +var part41 = match("MESSAGE#24:SYSTEM_MSG:08/1_0", "nwparser.p0", "%{event_description->} - %{agent}"); + +var select8 = linear_select([ + part41, + dup22, +]); + +var all6 = all_match({ + processors: [ + dup21, + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg25 = msg("SYSTEM_MSG:08", all6); + +var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, +]); + +var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1}hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + +var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname}is activated by profile %{username}", 
processor_chain([ + dup23, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), +])); + +var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + +var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg28 = msg("POLICY_COMMIT_EVENT", part44); + +var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname}is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), +])); + +var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + +var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname}rule=%{rulename}action=%{action}direction=%{direction}src.net.ip-address=%{saddr}src.net.port=%{sport}dst.net.ip-address=%{daddr}dst.net.port=%{dport}net.protocol=%{protocol}net.ethertype=%{fld2}dst.zone.name=%{dst_zone}src.zone.name=%{src_zone->} ", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + +var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname}rule=%{rulename}action=%{action}direction=%{direction}src.net.ip-address=%{saddr}src.net.port=%{sport}dst.net.ip-address=%{daddr}dst.net.port=%{dport}net.protocol=%{protocol}net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + +var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname}rule=%{rulename}action=%{action}direction=%{direction}net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + +var 
select10 = linear_select([ + msg30, + msg31, + msg32, +]); + +var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup88); + +var msg34 = msg("MTSERROR", dup87); + +var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface}is down (Error disabled. Reason:%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + +var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup89); + +var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup90); + +var select11 = linear_select([ + msg36, + msg37, +]); + +var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup91); + +var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup92); + +var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + dup26, +])); + +var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + +var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup90); + +var select12 = linear_select([ + msg40, + msg41, +]); + +var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup92); + +var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup89); + +var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), +])); + +var msg44 = msg("IF_DUPLEX", part51); + +var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + +var all7 = all_match({ + processors: [ + part52, + dup93, + dup29, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), +}); + +var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + +var part53 = match("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + 
dup24, + dup2, + dup3, + dup4, +])); + +var msg46 = msg("IF_SEQ_ERROR", part53); + +var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + +var all8 = all_match({ + processors: [ + part54, + dup93, + dup29, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), +}); + +var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + +var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43}Interface %{sinterface}is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), +])); + +var msg48 = msg("IF_UP", part55); + +var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface}is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), +])); + +var msg49 = msg("IF_UP:01", part56); + +var select13 = linear_select([ + msg48, + msg49, +]); + +var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), +])); + +var msg50 = msg("SPEED", part57); + +var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object}created", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg51 = msg("CREATED", part58); + +var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old}to %{change_new}", processor_chain([ + dup31, + dup2, + dup3, + dup4, +])); + +var msg52 = msg("FOP_CHANGED", part59); + +var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface}is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg53 = 
msg("PORT_DOWN", part60); + +var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface}is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg54 = msg("PORT_UP", part61); + +var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface}is added to %{group_object}with subgroup id %{fld20}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + +var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface}is removed from %{group_object}with subgroup id %{fld20}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + +var msg57 = msg("MTS_DROP", dup88); + +var msg58 = msg("SYSLOG_LOG_WARNING", dup88); + +var msg59 = msg("IM_SEQ_ERROR", dup94); + +var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup88); + +var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup88); + +var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup88); + +var msg63 = msg("IMG_DNLD_COMPLETE", dup88); + +var msg64 = msg("IMG_DNLD_STARTED", dup88); + +var part64 = match("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "%{result}", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + +var msg66 = msg("MSM_CRIT", dup94); + +var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost}(%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + +var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup88); + +var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20}(serial: %{serial_number}) failed", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg69 = msg("MOD_FAIL", part66); + +var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", 
"nwparser.payload", "Module %{fld20}(serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var msg70 = msg("MOD_MAJORSWFAIL", part67); + +var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + +var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) reported warnings on %{info}due to %{result}in device %{fld23}(device error %{fld22})", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg72 = msg("MOD_WARNING:01", part69); + +var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) reported warning %{info}due to %{result}in device %{fld23}(device error %{fld22})", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg73 = msg("MOD_WARNING", part70); + +var select14 = linear_select([ + msg72, + msg73, +]); + +var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20}is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg74 = msg("ACTIVE_SUP_OK", part71); + +var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20}is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg75 = msg("MOD_OK", part72); + +var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20}is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg76 = msg("MOD_RESTART", part73); + +var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname}on %{vlan}", processor_chain([ + dup8, + dup2, + 
dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), +])); + +var msg77 = msg("DISPUTE_CLEARED", part74); + +var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname}on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), +])); + +var msg78 = msg("DISPUTE_DETECTED", part75); + +var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup88); + +var msg80 = msg("CHASSIS_CLKMODOK", dup88); + +var msg81 = msg("CHASSIS_CLKSRC", dup88); + +var msg82 = msg("FAN_OK", dup88); + +var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19}detected (Serial number %{serial_number}) Module-Type %{fld20}Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg83 = msg("MOD_DETECT", part76); + +var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19}powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg84 = msg("MOD_PWRDN", part77); + +var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19}powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg85 = msg("MOD_PWRUP", part78); + +var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19}removed (Serial number %{serial_number})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg86 = msg("MOD_REMOVE", part79); + +var msg87 = msg("PFM_MODULE_POWER_ON", dup88); + +var msg88 = msg("PFM_SYSTEM_RESET", dup88); + +var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup95); + +var msg90 = msg("PFM_VEM_REMOVE_RESET", dup95); + +var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup95); + +var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup95); + +var msg93 = msg("PFM_VEM_UNLICENSED", dup88); + +var msg94 = msg("PS_FANOK", dup88); + +var part80 = match("MESSAGE#94:PS_OK", 
"nwparser.payload", "Power supply %{fld19}ok (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg95 = msg("PS_OK", part80); + +var part81 = match("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "%{event_description}", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + +var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19}(Serial number %{serial_number}) %{fld20}detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg97 = msg("FAN_DETECT", part82); + +var msg98 = msg("MOD_STATUS", dup88); + +var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name}configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), +])); + +var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + +var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name}deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg100 = msg("PEER_VPC_DELETED", part84); + +var msg101 = msg("PFM_VEM_DETECTED", dup88); + +var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19}found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg102 = msg("PS_FOUND", part85); + +var part86 = match("MESSAGE#102:PS_STATUS/1_0", "nwparser.p0", "PowerSupply %{fld1->} current-status is %{disposition}"); + +var select15 = linear_select([ + part86, + dup22, +]); + +var all9 = all_match({ + processors: [ + dup21, + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg103 = msg("PS_STATUS", all9); + +var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1}changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + +var msg105 = msg("PS_CAPACITY_CHANGE", dup88); + +var select16 = linear_select([ + msg104, + msg105, +]); + +var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup89); + +var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup90); + +var select17 = linear_select([ + msg106, + msg107, +]); + +var part88 = match("MESSAGE#107:IF_DOWN_INITIALIZING", "nwparser.payload", "Interface %{interface}is down (%{result}) ", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg108 = msg("IF_DOWN_INITIALIZING", part88); + +var msg109 = msg("IF_DOWN_INITIALIZING:01", dup96); + +var select18 = linear_select([ + msg108, + msg109, +]); + +var part89 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var msg110 = msg("IF_DOWN_NONE", part89); + +var msg111 = msg("IF_DOWN_NONE:01", dup97); + +var select19 = linear_select([ + msg110, + msg111, +]); + +var msg112 = msg("IF_DOWN_NOS_RCVD", dup89); + +var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup90); + +var select20 = linear_select([ + msg112, + msg113, +]); + +var msg114 = msg("IF_DOWN_OFFLINE", dup89); + +var msg115 = msg("IF_DOWN_OLS_RCVD", dup89); + +var part90 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part90); + +var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup91); + +var part91 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20}is down (%{info}) ", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg118 = msg("IF_TRUNK_DOWN", part91); + +var part92 = 
match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan}down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg119 = msg("IF_TRUNK_DOWN:01", part92); + +var part93 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43}Interface %{interface}, vsan %{vlan}is down %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg120 = msg("IF_TRUNK_DOWN:02", part93); + +var select21 = linear_select([ + msg118, + msg119, + msg120, +]); + +var part94 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20}is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg121 = msg("IF_TRUNK_UP", part94); + +var part95 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan}up", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg122 = msg("IF_TRUNK_UP:01", part95); + +var part96 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43}Interface %{interface}, vsan %{vlan}is up %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg123 = msg("IF_TRUNK_UP:02", part96); + +var select22 = linear_select([ + msg121, + msg122, + msg123, +]); + +var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup98); + +var part97 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface}is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg125 = msg("IF_PORTPROFILE_ATTACHED", part97); + +var msg126 = msg("STANDBY_SUP_OK", dup88); + +var part98 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname}and %{info}vlan %{vlan}- %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), +])); + +var msg127 = msg("STM_LOOP_DETECT", part98); + +var part99 = 
match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg128 = msg("SYNC_COMPLETE", part99); + +var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup98); + +var msg130 = msg("MESG", dup88); + +var part100 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var msg131 = msg("ERR_MSG", part100); + +var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup98); + +var part101 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg133 = msg("CFGWRITE_ABORTED_LOCK", part101); + +var part102 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg134 = msg("CFGWRITE_FAILED", part102); + +var msg135 = msg("CFGWRITE_ABORTED", dup88); + +var msg136 = msg("CFGWRITE_DONE", dup88); + +var part103 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", " %{event_description->} (PID %{process_id})."); + +var part104 = match("MESSAGE#136:CFGWRITE_STARTED/0_1", "nwparser.payload", "%{event_description}"); + +var select23 = linear_select([ + part103, + part104, +]); + +var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg137 = msg("CFGWRITE_STARTED", all10); + +var msg138 = msg("IF_ATTACHED", dup88); + +var msg139 = msg("IF_DELETE_AUTO", dup95); + +var part105 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface}is detached", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg140 = msg("IF_DETACHED", part105); + +var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup95); + +var msg142 = msg("IF_DOWN_INACTIVE", 
dup89); + +var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup89); + +var part106 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface}is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part106); + +var part107 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname}connected to the vCenter Server.", processor_chain([ + dup37, + dup2, + dup3, + dup4, +])); + +var msg145 = msg("CONN_CONNECT", part107); + +var part108 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname}disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, +])); + +var msg146 = msg("CONN_DISCONNECT", part108); + +var part109 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info}on the vCenter Server.", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg147 = msg("DVPG_CREATE", part109); + +var part110 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info}from the vCenter Server.", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg148 = msg("DVPG_DELETE", part110); + +var msg149 = msg("DVS_HOSTMEMBER_INFO", dup88); + +var part111 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info}on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg150 = msg("DVS_NAME_CHANGE", part111); + +var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup88); + +var part112 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name}is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg152 = msg("VPC_DELETED", part112); + +var part113 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name}is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), +])); + +var msg153 = 
msg("VPC_UP", part113); + +var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username}on %{p0}"); + +var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + +var part116 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "%{saddr}"); + +var select24 = linear_select([ + part115, + part116, +]); + +var all11 = all_match({ + processors: [ + part114, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + +var part117 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part117); + +var select25 = linear_select([ + msg154, + msg155, +]); + +var part118 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol}(%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part118); + +var part119 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup23, + dup38, + dup39, + dup17, + dup2, + dup3, + dup4, + dup40, + dup41, +])); + +var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part119); + +var part120 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username->} ", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), +])); + +var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part120); + +var part121 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg159 = 
msg("AAA_ACCOUNTING_MESSAGE:08", part121); + +var part122 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part122); + +var part123 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part123); + +var part124 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, +])); + +var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part124); + +var part125 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part125); + +var part126 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost}address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part126); + +var part127 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost}address:%{daddr}:%{dport}timeout:%{fld44}retry:%{fld45}tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part127); + +var part128 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface}state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part128); + +var part129 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", 
"nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface}state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part129); + +var part130 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part130); + +var part131 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1}(%{result}) ", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup42, +])); + +var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part131); + +var part132 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part132); + +var part133 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1}(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup42, +])); + +var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part133); + +var part134 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + +var part135 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + +var select26 = linear_select([ + part134, + part135, +]); + +var all12 = all_match({ + processors: [ + dup43, + select26, + dup44, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup45, + ]), +}); + +var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + +var part136 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + +var part137 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + +var select27 = linear_select([ + part136, + part137, +]); + +var all13 = all_match({ + processors: [ + dup43, + select27, + dup44, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup45, + ]), +}); + +var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + +var part138 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part138); + +var part139 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup45, +])); + +var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part139); + +var part140 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup45, +])); + +var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part140); + +var part141 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part141); + +var part142 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part142); + +var 
part143 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part143); + +var part144 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part144); + +var part145 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part145); + +var part146 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part146); + +var part147 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), +])); + +var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part147); + +var part148 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part148); + +var part149 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part149); + +var part150 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + 
dup2, + dup3, + dup4, +])); + +var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part150); + +var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, +]); + +var all14 = all_match({ + processors: [ + dup46, + dup99, + dup49, + dup100, + dup52, + dup99, + dup53, + dup100, + dup54, + dup101, + dup57, + dup102, + dup60, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup61, + ]), +}); + +var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + +var part151 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3}reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part151); + +var all15 = all_match({ + processors: [ + dup46, + dup99, + dup49, + dup100, + dup52, + dup99, + dup53, + dup100, + dup54, + dup101, + dup57, + dup102, + dup60, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup61, + ]), +}); + +var msg189 = msg("ACLLOG_NEW_FLOW", all15); + +var part152 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process}[%{process_id}] Source address of packet received from %{smacaddr}on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), +])); + +var msg190 = msg("DUP_VADDR_SRC_IP", part152); + +var part153 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan}on Interface %{sinterface}are removed from suspended state.", processor_chain([ 
+ dup15, + dup2, + dup3, + dup4, +])); + +var msg191 = msg("IF_ERROR_VLANS_REMOVED", part153); + +var part154 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan}on Interface %{sinterface}are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part154); + +var part155 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface}is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg193 = msg("IF_DOWN_CFG_CHANGE", part155); + +var part156 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg194 = msg("PFM_CLOCK_CHANGE", part156); + +var part157 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3}causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part157); + +var part158 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg196 = msg("snmpd", part158); + +var part159 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg197 = msg("snmpd:01", part159); + +var select29 = linear_select([ + msg196, + msg197, +]); + +var part160 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + 
dup3, + dup4, +])); + +var msg198 = msg("CFGWRITE_USER_ABORT", part160); + +var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup96); + +var part161 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1}time ", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), +])); + +var msg200 = msg("last", part161); + +var part162 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service}(PID %{parent_pid}) hasn't caught signal %{fld43}(%{result}).", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg201 = msg("SERVICE_CRASHED", part162); + +var part163 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service}lost on WCCP Client %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), +])); + +var msg202 = msg("SERVICELOST", part163); + +var part164 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface}is allowed to come up even with SFP checksum error", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part164); + +var part165 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43}failed or shut%{p0}"); + +var part166 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + +var part167 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + +var select30 = linear_select([ + part166, + part167, +]); + +var part168 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "%{}(Serial number %{serial_number})"); + +var all16 = all_match({ + processors: [ + part165, + select30, + part168, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + dup4, + ]), +}); + +var msg204 = msg("PS_FAIL", all16); + +var msg205 = msg("INFORMATION", dup88); + +var 
msg206 = msg("EVENT", dup88); + +var part169 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg207 = msg("NATIVE_VLAN_MISMATCH", part169); + +var part170 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22}discovered of type %{fld23}with port %{fld24}on incoming port %{interface}with ip addr %{fld25}and mgmt ip %{hostip}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg208 = msg("NEIGHBOR_ADDED", part170); + +var part171 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22}on port %{interface}has been removed", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg209 = msg("NEIGHBOR_REMOVED", part171); + +var part172 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg210 = msg("IF_BANDWIDTH_CHANGE", part172); + +var part173 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down (Parent interface down)", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part173); + +var part174 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface}is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg212 = msg("PORT_INDIVIDUAL_DOWN", part174); + +var part175 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface}is suspended", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg213 = msg("PORT_SUSPENDED", part175); + +var part176 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22}of Fex %{fld23}that is connected with %{interface}changed its status from %{change_old}to %{change_new}", 
processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), +])); + +var msg214 = msg("FEX_PORT_STATUS_NOTI", part176); + +var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup103); + +var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup88); + +var msg217 = msg("ADJCHANGE", dup88); + +var part177 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan}with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg218 = msg("PORT_ADDED", part177); + +var part178 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg219 = msg("PORT_DELETED", part178); + +var part179 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface}instance VLAN%{vlan}role changed to %{fld22}", processor_chain([ + dup63, + dup2, + dup3, + dup4, +])); + +var msg220 = msg("PORT_ROLE", part179); + +var part180 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface}instance VLAN%{vlan}moving from %{change_old}to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), +])); + +var msg221 = msg("PORT_STATE", part180); + +var part181 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol}(%{result}) %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part181); + +var part182 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup23, + dup38, + dup39, + dup17, + dup2, + dup3, + dup4, + dup40, + dup41, +])); + +var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part182); + +var part183 = 
match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface}(%{result})%{info}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part183); + +var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + +var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + +var part186 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + +var select31 = linear_select([ + part185, + part186, +]); + +var part187 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + +var all17 = all_match({ + processors: [ + part184, + select31, + part187, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + ]), +}); + +var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + +var part188 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string}(%{result})%{info}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part188); + +var part189 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ + dup64, + dup2, + dup4, + setc("event_description","Performing configuration copy"), +])); + +var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part189); + +var part190 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + +var all18 = all_match({ + processors: [ + dup65, + dup104, + part190, + dup105, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), +}); + +var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + +var part191 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + +var all19 = all_match({ + processors: [ + dup65, + dup104, + part191, + dup105, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + ]), +}); + +var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + +var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, +]); + +var msg230 = msg("TACACS_ERROR_MESSAGE", dup103); + +var msg231 = msg("IF_SFP_WARNING", dup106); + +var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup107); + +var msg233 = msg("FCIP_PEER_CAVIUM", dup88); + +var msg234 = msg("IF_DOWN_PEER_CLOSE", dup107); + +var msg235 = msg("IF_DOWN_PEER_RESET", dup107); + +var part192 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name}configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), +])); + +var msg236 = msg("INTF_CONSISTENCY_FAILED", part192); + +var part193 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name}configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","configuration is 
consistent in domain"), +])); + +var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part193); + +var msg238 = msg("INTF_COUNTERS_CLEARED", dup106); + +var msg239 = msg("IF_HARDWARE", dup106); + +var part194 = match("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, +])); + +var msg240 = msg("HEARTBEAT_FAILURE", part194); + +var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup88); + +var msg242 = msg("PFM_FAN_FLTR_STATUS", dup88); + +var msg243 = msg("MOUNT", dup88); + +var msg244 = msg("LOG_CMP_UP", dup88); + +var part195 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "%{}Temperature Warning cleared"); + +var all20 = all_match({ + processors: [ + dup70, + dup108, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg245 = msg("IF_XCVR_WARNING", all20); + +var msg246 = msg("IF_XCVR_WARNING:01", dup109); + +var select33 = linear_select([ + msg245, + msg246, +]); + +var part196 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "%{}Temperature Alarm cleared"); + +var all21 = all_match({ + processors: [ + dup70, + dup108, + part196, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg247 = msg("IF_XCVR_ALARM", all21); + +var msg248 = msg("IF_XCVR_ALARM:01", dup109); + +var select34 = linear_select([ + msg247, + msg248, +]); + +var msg249 = msg("MEMORY_ALERT", dup88); + +var msg250 = msg("MEMORY_ALERT_RECOVERED", dup88); + +var part197 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "%{}Rx Power Alarm cleared"); + +var all22 = all_match({ + processors: [ + dup70, + dup108, + part197, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg251 = msg("IF_SFP_ALARM", all22); + +var msg252 = msg("IF_SFP_ALARM:01", dup109); + +var select35 = linear_select([ + msg251, + msg252, +]); + +var part198 = match("MESSAGE#246:NBRCHANGE_DUAL", 
"nwparser.payload", "%{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); + +var msg253 = msg("NBRCHANGE_DUAL", part198); + +var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{device->} %{action}: System %{p0}"); + +var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "%{device->} System %{p0}"); + +var select36 = linear_select([ + part199, + part200, +]); + +var part201 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "%{}minor alarm on fans in fan tray %{dclass_counter1}"); + +var all23 = all_match({ + processors: [ + dup21, + select36, + part201, + ], + on_success: processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), +}); + +var msg254 = msg("SOHMS_DIAG_ERROR", all23); + +var part202 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device}System minor alarm on power supply %{fld42}: %{result->} ", processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), +])); + +var msg255 = msg("SOHMS_DIAG_ERROR:01", part202); + +var part203 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description->} ", processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, +])); + +var msg256 = msg("SOHMS_DIAG_ERROR:02", part203); + +var select37 = linear_select([ + msg254, + msg255, + msg256, +]); + +var part204 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device}for group: %{fld1}, (%{fld2}(%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ + dup74, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), +])); + +var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part204); + +var part205 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), +])); + +var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part205); + +var part206 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface}is admin up", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), +])); + +var msg259 = msg("IF_ADMIN_UP", part206); + +var part207 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name}is configured", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup75, +])); + +var msg260 = msg("VPC_CFGD", part207); + +var part208 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup31, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), +])); + +var msg261 = msg("MODULE_ONLINE", part208); + +var part209 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup31, + dup76, + dup77, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), +])); + +var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part209); + +var part210 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name}is down ()", processor_chain([ + dup78, + dup35, + dup39, + dup73, + dup2, + dup3, + 
dup4, + setc("event_description","Peer vPC is down"), + dup75, +])); + +var msg263 = msg("PEER_VPC_DOWN", part210); + +var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + +var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + +var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + +var select38 = linear_select([ + part212, + part213, +]); + +var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + +var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + +var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + +var select39 = linear_select([ + part215, + part216, +]); + +var part217 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + +var all24 = all_match({ + processors: [ + part211, + select38, + part214, + select39, + part217, + ], + on_success: processor_chain([ + dup37, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), +}); + +var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + +var part218 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup37, + dup35, + dup79, + dup36, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), +])); + +var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part218); + +var part219 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","In domain, VPC peer keep-alive receive has failed"), +])); + +var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part219); + +var part220 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup37, + dup35, + dup80, + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), +])); + +var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part220); + +var part221 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup37, + dup35, + dup80, + dup36, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), +])); + +var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part221); + +var part222 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup31, + dup35, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), +])); + +var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part222); + +var part223 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47}has changed, %{info}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), +])); + +var msg270 = msg("EJECTOR_STAT_CHANGED", part223); + +var part224 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41}detected (Serial number %{fld42})", processor_chain([ + dup30, + setc("ec_activity","Detect"), + dup39, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), +])); + +var msg271 = msg("XBAR_DETECT", part224); + +var part225 = 
match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41}powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup76, + dup77, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), +])); + +var msg272 = msg("XBAR_PWRUP", part225); + +var part226 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41}powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup76, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), +])); + +var msg273 = msg("XBAR_PWRDN", part226); + +var part227 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41}is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), +])); + +var msg274 = msg("XBAR_OK", part227); + +var part228 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), +])); + +var msg275 = msg("VPC_ISSU_START", part228); + +var part229 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), +])); + +var msg276 = msg("VPC_ISSU_END", part229); + +var part230 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name}interface=%{interface}mst=%{fld42}", processor_chain([ + dup63, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), +])); + +var msg277 = msg("PORT_RANGE_ROLE", part230); + +var part231 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name}interface=%{interface}mst=%{fld42}", processor_chain([ + dup63, + dup2, + dup3, + dup4, + setc("obj_type","new_state"), +])); + +var msg278 = msg("PORT_RANGE_STATE", 
part231); + +var part232 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface}removed from mst=%{fld42}", processor_chain([ + dup25, + dup35, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), +])); + +var msg279 = msg("PORT_RANGE_DELETED", part232); + +var part233 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface}added to mst=%{fld42}with %{info}", processor_chain([ + dup30, + dup35, + dup81, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), +])); + +var msg280 = msg("PORT_RANGE_ADDED", part233); + +var part234 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname}removed as MST Boundary port", processor_chain([ + dup25, + dup35, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), +])); + +var msg281 = msg("MST_PORT_BOUNDARY", part234); + +var part235 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info->} ", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), +])); + +var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part235); + +var part236 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface}is %{obj_name}in vdc %{fld43->} ", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), +])); + +var msg283 = msg("IM_INTF_STATE", part236); + +var part237 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43}state changed to %{obj_name->} ", processor_chain([ + dup63, + dup35, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), +])); + +var msg284 = msg("VDC_STATE_CHANGE", part237); + +var part238 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup82, +])); + +var msg285 = msg("SWITCHOVER_OVER", part238); + +var part239 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup63, + dup16, + dup39, + dup2, + dup3, + dup4, + dup82, + setc("obj_type"," New Module type"), +])); + +var msg286 = msg("VDC_MODULETYPE", part239); + +var part240 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44}for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup78, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), +])); + +var msg287 = msg("HASEQNO_SYNC_FAILED", part240); + +var part241 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup35, + dup80, + dup36, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","Failure in sending message to standby causing standby to reset."), +])); + +var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part241); + +var part242 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), +])); + +var msg289 = msg("MODULE_LOCK_FAILED", part242); + +var part243 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup35, + dup80, + dup36, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), +])); + +var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part243); + +var part244 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id}Port ID %{fld45}management address %{fld46}discovered on local port %{portname}in vlan %{vlan->} %{info}", processor_chain([ + dup30, + dup81, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), +])); + +var msg291 = msg("SERVER_ADDED", part244); + +var part245 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id}Port ID %{fld45}on local port %{portname}has been removed", processor_chain([ + dup25, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), +])); + +var msg292 = msg("SERVER_REMOVED", part245); + +var part246 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface}is down %{info}", processor_chain([ + dup24, + dup35, + dup73, + dup2, + dup3, + dup4, + dup26, +])); + +var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part246); + +var part247 = 
match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname}is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), +])); + +var msg294 = msg("PORT_INDIVIDUAL", part247); + +var part248 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down %{info}", processor_chain([ + dup24, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + dup26, +])); + +var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part248); + +var part249 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface}is being recovered from error disabled state %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), +])); + +var msg296 = msg("IF_ERRDIS_RECOVERY", part249); + +var part250 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface}is detected", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), +])); + +var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part250); + +var part251 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47}is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), +])); + +var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part251); + +var part252 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Configuration update started."), +])); + +var msg299 = msg("READCONF_STARTED", part252); + +var part253 = 
match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47}is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), +])); + +var msg300 = msg("SUP_POWERDOWN", part253); + +var part254 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), +])); + +var msg301 = msg("LC_UPGRADE_START", part254); + +var part255 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), +])); + +var msg302 = msg("LC_UPGRADE_REBOOT", part255); + +var part256 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), +])); + +var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part256); + +var part257 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), +])); + +var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part257); + +var part258 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49}started", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), +])); + +var msg305 = msg("LCM_MODULE_UPGRADE_START", part258); + +var part259 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", 
"Upgrade of module %{fld49}ended", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), +])); + +var msg306 = msg("LCM_MODULE_UPGRADE_END", part259); + +var part260 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup64, + dup35, + dup79, + dup36, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), +])); + +var msg307 = msg("FIPS_POST_INFO_MSG", part260); + +var part261 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name}is configured", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup75, +])); + +var msg308 = msg("PEER_VPC_CFGD", part261); + +var part262 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup74, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), +])); + +var msg309 = msg("SYN_COLL_DIS_EN", part262); + +var part263 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device}Off-line (Serial Number %{fld42})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), +])); + +var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part263); + +var part264 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device}On-line", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), +])); + +var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part264); + +var part265 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device}is online", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Fex is online"), +])); + +var msg312 = msg("FEX_STATUS_online", part265); + +var part266 = match("MESSAGE#306:FEX_STATUS_offline", 
"nwparser.payload", "%{device}is offline", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), +])); + +var msg313 = msg("FEX_STATUS_offline", part266); + +var select40 = linear_select([ + msg312, + msg313, +]); + +var part267 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41}present but all AC/DC inputs are not connected, power redundancy might be affected ", processor_chain([ + dup74, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), +])); + +var msg314 = msg("PS_PWR_INPUT_MISSING", part267); + +var part268 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), +])); + +var msg315 = msg("PS_RED_MODE_RESTORED", part268); + +var part269 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41}will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), +])); + +var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part269); + +var part270 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device}pinning information is changed", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), +])); + +var msg317 = msg("PINNING_CHANGED", part270); + +var part271 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device}Module %{fld41}: Cold boot", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), +])); + +var msg318 = 
msg("SATCTRL", part271); + +var part272 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51}[%{fld52}] Client %{fld43}register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), +])); + +var msg319 = msg("DUP_REGISTER", part272); + +var part273 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51}[%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), +])); + +var msg320 = msg("UNKNOWN_MTYPE", part273); + +var part274 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, +])); + +var msg321 = msg("SATCTRL_IMAGE", part274); + +var part275 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51}[%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, +])); + +var msg322 = msg("API_FAILED", part275); + +var part276 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg323 = msg("SENSOR_MSG1", part276); + +var part277 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51}[%{fld52}] %{event_description}", processor_chain([ + dup31, + dup2, + dup3, + dup4, +])); + +var msg324 = msg("API_INIT_SEM_CLEAR", part277); + +var part278 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51}has come online", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), +])); + +var msg325 = msg("VDC_ONLINE", part278); + +var part279 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname}of port-channel %{interface}not receiving any LACP BPDUs %{result}", processor_chain([ + dup78, + dup35, + dup79, + 
dup36, + dup73, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), +])); + +var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part279); + +var part280 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg327 = msg("dstats", part280); + +var part281 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52}[VSAN %{fld51}, Interface %{interface}: %{fld53}Nx Port %{portname}logged OUT.", processor_chain([ + dup78, + dup35, + setc("ec_activity","Logoff"), + dup36, + dup2, + dup3, + dup4, +])); + +var msg328 = msg("MSG_PORT_LOGGED_OUT", part281); + +var part282 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52}[VSAN %{fld51}, Interface %{interface}: %{fld53}Nx Port %{portname}with FCID %{fld54}logged IN.", processor_chain([ + dup78, + dup35, + dup13, + dup36, + dup2, + dup3, + dup4, +])); + +var msg329 = msg("MSG_PORT_LOGGED_IN", part282); + +var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup97); + +var part283 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52}Zone merge failure, isolating interface %{interface}reason: %{result}:[%{resultcode}]", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var msg331 = msg("ZS_MERGE_FAILED", part283); + +var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup97); + +var part284 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname}in vlan %{vlan}is flapping between port %{change_old}and port %{change_new->} ", processor_chain([ + dup24, + dup35, + dup36, + dup2, + dup3, + dup4, + setc("change_attribute","Port"), +])); + +var msg333 = msg("MAC_MOVE_NOTIFICATION", part284); + +var part285 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg334 = msg("zone", part285); + +var 
part286 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg335 = msg("ERROR", part286); + +var part287 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent}[%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr}on %{interface}", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg336 = msg("INVAL_IP", part287); + +var part288 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1}times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var msg337 = msg("SYSLOG_SL_MSG_WARNING", part288); + +var part289 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg338 = msg("DUPLEX_MISMATCH", part289); + +var part290 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg339 = msg("NOHMS_DIAG_ERROR", part290); + +var part291 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup35, + dup36, + dup2, + dup3, + dup4, +])); + +var msg340 = msg("STM_LEARNING_RE_ENABLE", part291); + +var part292 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg341 = msg("UDLD_PORT_DISABLED", part292); + +var part293 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", 
processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg342 = msg("ntpd", part293); + +var part294 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg343 = msg("ntpd:01", part294); + +var part295 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg344 = msg("ntpd:02", part295); + +var part296 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg345 = msg("ntpd:03", part296); + +var part297 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg346 = msg("ntpd:04", part297); + +var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, +]); + +var part298 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg347 = msg("PFM_ALERT", part298); + +var part299 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service}acquired on WCCP Client %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), +])); + +var msg348 = msg("SERVICEFOUND", part299); + +var part300 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service}acquired on WCCP Router %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Router"), +])); + +var msg349 = msg("ROUTERFOUND", part300); + +var part301 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost}- %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), +])); + +var msg350 = 
msg("%AUTHPRIV-3-SYSTEM_MSG", part301); + +var part302 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username}- %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), +])); + +var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part302); + +var part303 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service}pid=%{process_id}from=::ffff:%{saddr}- %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, +])); + +var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part303); + +var part304 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username}by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), +])); + +var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part304); + +var select42 = linear_select([ + msg352, + msg353, +]); + +var part305 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg354 = msg("%USER-3-SYSTEM_MSG", part305); + +var part306 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username}from %{saddr}- %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup83, +])); + +var msg355 = msg("%USER-6-SYSTEM_MSG", part306); + +var part307 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username}- %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup83, +])); + +var msg356 = msg("%USER-6-SYSTEM_MSG:01", part307); + +var part308 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username}from %{saddr}port %{sport->} %{protocol}- %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + 
setc("event_description","Failed none for invalid user"), +])); + +var msg357 = msg("%USER-6-SYSTEM_MSG:02", part308); + +var part309 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username}from %{saddr}port %{sport->} %{protocol}- %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), +])); + +var msg358 = msg("%USER-6-SYSTEM_MSG:03", part309); + +var part310 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), +])); + +var msg359 = msg("%USER-6-SYSTEM_MSG:04", part310); + +var part311 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type}- %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), +])); + +var msg360 = msg("%USER-6-SYSTEM_MSG:05", part311); + +var part312 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description}- %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, +])); + +var msg361 = msg("%USER-6-SYSTEM_MSG:06", part312); + +var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, +]); + +var part313 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan}for %{duration}s due to too many mac moves", processor_chain([ + dup31, + dup2, + dup4, + setc("ec_activity","Disable"), +])); + +var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part313); + +var part314 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup31, + dup2, + dup4, + dup38, +])); + +var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part314); + +var 
part315 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1}is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg364 = msg("PS_ABSENT", part315); + +var part316 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1}detected but %{disposition}(Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg365 = msg("PS_DETECT", part316); + +var part317 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result}(%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg366 = msg("SUBPROC_TERMINATED", part317); + +var part318 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result}(%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup85, + dup17, +])); + +var msg367 = msg("SUBPROC_SUCCESS_EXIT", part318); + +var part319 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup31, + dup2, + dup4, +])); + +var msg368 = msg("UPDOWN", part319); + +var part320 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr}in vlan %{vlan}has moved between %{change_old}to %{change_new}", processor_chain([ + dup31, + dup2, + dup4, + setc("change_attribute","Interface"), +])); + +var msg369 = msg("L2FM_MAC_MOVE2", part320); + +var part321 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup31, + dup2, + dup4, + dup39, +])); + +var msg370 = msg("PFM_PS_RED_MODE_CHG", part321); + +var part322 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", 
processor_chain([ + dup31, + dup2, + dup4, + dup39, +])); + +var msg371 = msg("PS_RED_MODE_CHG", part322); + +var part323 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent}[%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr}on %{vlan}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg372 = msg("INVAL_MAC", part323); + +var part324 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old}to %{change_new}in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), +])); + +var msg373 = msg("SRVSTATE_CHANGED", part324); + +var part325 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg374 = msg("INFO", part325); + +var part326 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1}started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup85, + dup77, + dup17, +])); + +var msg375 = msg("SERVICE_STARTED", part326); + +var part327 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process}[%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr}on %{vlan}with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup86, +])); + +var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part327); + +var part328 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process}[%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr}on %{vlan}with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup86, +])); + +var msg377 = msg("DUP_SRCIP_PROBE", part328); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + "ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + 
"IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + "IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": 
msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + "PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": 
msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, + "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + 
"SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), +]); + +var part329 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); + +var part330 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); + +var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + +var part332 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + +var part333 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + +var part334 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + +var part335 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + +var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + +var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + +var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", 
"nwparser.p0", "rc%{p0}"); + +var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + +var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + +var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + +var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + +var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + +var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + +var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + +var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + +var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + +var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + +var part349 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + +var part350 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space}Hit-count = %{dclass_counter1}"); + +var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + +var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + +var part353 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + +var part354 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + +var part355 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); + +var part356 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + +var part357 = 
match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + +var part358 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + +var part359 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var part360 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part361 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var part362 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var part363 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part364 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var select44 = linear_select([ + dup27, + dup28, +]); + +var part365 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var part366 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var part367 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result}) ", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part368 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52}Interface %{interface}is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var 
part369 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var select45 = linear_select([ + dup47, + dup48, +]); + +var select46 = linear_select([ + dup50, + dup51, +]); + +var select47 = linear_select([ + dup55, + dup56, +]); + +var select48 = linear_select([ + dup58, + dup59, +]); + +var part370 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var select49 = linear_select([ + dup66, + dup67, +]); + +var select50 = linear_select([ + dup68, + dup69, +]); + +var part371 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part372 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43}Interface %{interface}is down%{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var select51 = linear_select([ + dup71, + dup72, +]); + +var part373 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml new file mode 100644 index 00000000000..33dda070fcb --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml 
@@ -0,0 +1,55 @@ +--- +description: Pipeline for Cisco Nexus + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/cisco/nexus/manifest.yml b/x-pack/filebeat/module/cisco/nexus/manifest.yml new file mode 100644 index 00000000000..37ec55fcf9f --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/manifest.yml 
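Review bot: The four `geoip` processors on `source.ip` / `destination.ip` are guarded only by `ignore_missing: true`, so a value that is present but not a valid address makes the processor throw, and the `on_failure` block then indexes the event with just `error.message` appended while every later lookup and rename in this pipeline is skipped. Whether the generated parser can emit a hostname or other non-address string in those fields is not visible in this hunk, but the RSA `saddr`/`daddr` captures are free-form, so it seems worth a guard: either `ignore_failure: true` on each geoip processor, or a preceding `convert` with `type: ip` and `ignore_missing: true` that drops the field on its own failure. It would also help triage to record which step failed, e.g. `value: "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"`, since a partially enriched event is otherwise hard to tell apart from a fully enriched one.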
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["cisco.nexus", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9506 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md new file mode 100644 index 00000000000..55d5668065d --- /dev/null +++ b/x-pack/filebeat/module/citrix/README.md @@ -0,0 +1,7 @@ +# citrix module + +This is a module for Citrix XenApp logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 +at 2020-07-07 18:10:43.76927 +0000 UTC. + diff --git a/x-pack/filebeat/module/citrix/_meta/config.yml b/x-pack/filebeat/module/citrix/_meta/config.yml new file mode 100644 index 00000000000..d894a18356d --- /dev/null +++ b/x-pack/filebeat/module/citrix/_meta/config.yml @@ -0,0 +1,19 @@ +- module: citrix + virtualapps: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9507 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/citrix/_meta/docs.asciidoc b/x-pack/filebeat/module/citrix/_meta/docs.asciidoc new file mode 100644 index 00000000000..fd7f80791a0 --- /dev/null +++ b/x-pack/filebeat/module/citrix/_meta/docs.asciidoc 
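Review bot: `community_id` defaults to `true` here, yet the `ingest/pipeline.yml` added in this same commit contains no `community_id` processor, so the flow hash must be produced elsewhere (presumably in `config/input.yml`, which is not in view). A one-line comment on the variable, `# consumed by config/input.yml, not by the ingest pipeline`, would make the manifest self-explanatory, and the same applies to `keep_raw_fields` and `rsa_fields`, which the pipeline does not reference either.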
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: citrix +:has-dashboards: false + +== Citrix module + +experimental[] + +This is a module for receiving Citrix XenApp logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: virtualapps + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `virtualapps` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9507` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/citrix/_meta/fields.yml b/x-pack/filebeat/module/citrix/_meta/fields.yml new file mode 100644 index 00000000000..836b1bbca37 --- /dev/null +++ b/x-pack/filebeat/module/citrix/_meta/fields.yml 
@@ -0,0 +1,5 @@ +- key: citrix + title: Citrix XenApp + description: > + citrix fields. + fields: diff --git a/x-pack/filebeat/module/citrix/fields.go b/x-pack/filebeat/module/citrix/fields.go new file mode 100644 index 00000000000..f201f2f2603 --- /dev/null +++ b/x-pack/filebeat/module/citrix/fields.go 
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package citrix + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "citrix", asset.ModuleFieldsPri, AssetCitrix); err != nil { + panic(err) + } +} + +// AssetCitrix returns asset data. +// This is the base64 encoded gzipped contents of module/citrix. +func AssetCitrix() string { + return "eJzsfe+T2zay4Pf9K3D5cLFTznjj/Hi3vn17NW9msplb25nnsZOtq61iQWRLQgYEGACURv7rr9AAf4gEJRGk7Pjd5UPKI6nRjQbQ6G70j6/JA+xekpQZxR7/RIhhhsNLcoV/k3+CuCyKPxGSgU4VKwyT4iX5258IIR6ELBnwTF/8ifh/vcQv7X9fE0FzeEkEmK1UDxdMGFBLmsKF/bz+GSFmV8BLS8dWqqz1eQZLWnKT4MAvyZJyDXtf92iq/ntDcyByScwaKvSkRk+2a1CA3xlFl0uWkjXVZAEgiFxoUBvILnqzUJr2SF4pWRanE9xlUDM40iYo35tEGEdomGagXK/2Ph9mbo+D79ZM298RpkmpISNGkpQWpvS8UnRLctCaruzf1JBU5qAt6dJ+3xmakFdyRa4hlRmoMKluLNYlapjgChI2IExiiR8N6pFO5pFnjEbOpFIYEEbbHceENlSYCpEOUmFYHiYho6b7RR8/c1jtIIQasl2zdE0o0aA1k4KsmdGEkjdgfmVGgNbVKlz0lqiejl7LkmdEwAYUWUC9/gVVGshrMNSSRslSybyF6skrudLP72j6AEY/7Q1/zRSkhu+eEePppuQtuAPmdppokXkRZBWHDfAgr7gU3b2+x6trKBSk1HhcGSyZgIxIwRGxoQsOJKdFGG+uV8mIrXlgnV77M3N7/Q3ZUF7608MyEIYtmd9D8EhTQ7hcOZ6rHjORfmaH9yuOv7MsLagyLC05VQjvF+dicHV7Q0etdmh1eyMPr/Yg0zdzc/3F/+f6Ya5brLEsn3bI5OK3BEntMv4j4t/QsHg5O3IFWpYqjb6Lpk89/qRNw60NNZCDMJ8GPS0zZpKU0855+GgEgDBq92lQr60m8GlQMzGE+rw3eXXOPuWKZ0DDZ+28U18CZOP05IEbNWQPtH5YmVoWX+8G7F1P07TMzg3YG/2IljnMp45ROhufRMsWDTLIMaQ3kZkYRAI8Gs2gdB6lrBTs9xIaJUzVM/Qf7fYNlyspUissqZF/dOtl4Nhv2FTB0+bflR2ILVlK26fOGto31iQm9yjoSCkyUFZFVeAFRm9yS/YIGdFg7CB7wPs49LBCW7G5N/ZkhbZmc2/oUWzve05iLP24zdWjfMSsx81yLXW0HtXeWz9Jbdqiind3lQaRMbGqvtShpW9Z858PB1l4k/Q+HmTd7d3mO0KzTFmZNXQou+zrzc/Iz5V9mx+mM/CH/3cZaLk1xwnunl7n0mj7LTJCyYptQNTuis/3UrUsGrJgz6tVZ59GGfo8vLiDBq8sdomC36PWq/00gYuEM1vskI83
bnByh9v9mff+GUre7QogKe2f5AUQYGYNiry/FeabH4hU5Ecuqfn2BVlQjTuhcuwv2apUqAodmVlYwfuMZ4aPLFOMohlsVwu9kvHOkkN2WTX2Z2+8SrWlKpugxrRkR2tibV7d3v2yp+FQooDT7rIQonfaQO6vHE+YHW0Nbj9pxx77t1RsxQTlFcz+7X1kpvEax4EHztu7X34ITNIT2Jvr9EnWFPX5OIckbzZbX1WKleRroBmomV7GfsLByO31lBcaR1H7oQaHiXun+UM7YXiazOCHoZXicdsoHrjZrcJ9JTmH1Ej1OQpCy5+zvKzbfcM0SR1zILO07Klmr2T3kicHWPkHtETydPHxlLNcagweyaUgi11vWQhR8HsJ2tgBNcsLvvMrYX9sBS4Bmq6JZhmQJ38mZq1K8uL775+SLdVEA4gay4G5fiR17YS56kIKDeebbPoHWtlUlsLU9mqZL5zwsQdOB0cgT+hCbqA1XSaC0UaVmNFGAc0Hd3n6B1r6T8wMyFjZ1WpOY8UXIU2qNlrZkjDzr/LFn7/5i3bC83mBoqoi6189ev9l7ZRXdAeKvCA3IqWFLrnzcVtTZ5QEDY0+0Q0diFUKYfn2Bfl3O91n5Ntvyb+TVCqrP+IsPNJn5L9z8z/tD5km+0z5IrhIQmbwCW0wsYUkpZwvaPowVedz6IU0uLmpcbqyZQSIrJBMGFS3DYQD93CBE1BKRseKNBqQLiBllCNNSIs2UlltUezcLWy/2FDOMrd8IbSELGUpMiutOSB5TKy8snA0GGh/3/ZGnuPtxG/aAy76AT7vuKTZx7szPEKi2QcgORjF0oCu7E209o/RRnOXYyXu7CVJTaPDyWW1MBfkJ7m1zO/bQkwQqawJYSR5ACiOsOUj3R6fCVuUTEHrZMOyJIt/h7qpJMAKBChq8Chmlkcte2XDlCkpt+bino9UBMxnljNr8OELIE7X0ekP5O01UVYuajTWkS1UrcDUPzs6V62iQyo++VxdNMzhuapIx3pfxN5eV/61t5BLA+Te78pUAV5Li92QSLL/VU7vz8DJ7TEluuBs2ovsH9pU1Kynyn6ssEH2IS5+rG3bozz1O7LaG5U27cXxf403F3fMl4yf5W3RjmuV9ruryzuvz6VUWAawvJCqq8URvFA+uwfa8mMZz++d2EcjD83CkENs30wsG5DGGHT3Plp9F+TF9z+QLXI2ByoI5Txsh6LzFdWGxr9AtqDADUsN4UC1IVJ0gpX32fQRFKPPm02B8xb3kOW586tUGbIGoyIgXQvJ5WrXfdZYMtXTzAj5nqRrqmhqHJvs0dshhejcFKQUPmKA7/k2BzOYYpLV3BPjNJftgfcc1HVzqzpJUTltFd0Oyg+UYh1liaaohzmPsPA2q0zTUlUjakNFRlVGhFQ55exDKNpOqjzIgcy/wB5ggiwXPRE+ig0NXTW655wtAecUMBA1pFJkA4phs2SJNtMs8QMkM5HKvOBggos46O6iqHgaxToip5V3oMzZttu9HT246YY23P7+GdwkuRRmfTKrm6ye01/Nm2iG7GzsuRHZOZhjh/wgxfSMzgNCxI5fKT8uJO1dl0u9Az3hdFwSA4/Gb2SyAaVbwb7ZoZiNwBodX/Qd0NNJbZIqUqkyyKZIb/9c7oWrrses7rfqzbz+YfsNri9jlcwvcNQSE/90CoIqJp3il5fcsK8NA0VoUfAqgrrJBM+poKtQUhIhHB3Tlc3giHK0asLMl5rIrXBee0Pzoutp8RRbbJbE/j43mqRrZvVfmYG+IK9LbVCRbg9q9z81A/Fo1MDgMhw87sulpWwD89zBuFDVkG7+CpagQKRuUalVvjK2YZm9U3FNw8f+vjr27zoMCE/jsWBqxjk0XHd+6ke7X5jhOzcdbUWE1QUsWtxGh/1Fo5Zm0GB+ZqVTffoveoPWARqyHH+a854acBym5tL4bYc6xO8llDMumt0pbr0aebGlmiCabGCFEP0346c+6sLZm3bUOV3lJkqyr/I4
fEUSha5I4jSVYtwR2Qd7EQEXdeO1pMy5VN+O2huUQT2BOUomDR/YY+ctxnXXiJdOBmKMsUjTntpzmqKiSz7dHTugHcrSpDKH5w5LrbJhNJtc9taKCj+NPdV3YKmsSc7MtNDXA6RX4/uEgJY/9JDhNzVVoVc7xUnqOhbXjob+2AJStmSNMhjWFpyTcyjv1+sec7xcB5hYuwNY1gR8VqZo5p2PQcq8Sj8fI3/ZtxHaGq5U5Od7H1LEdPXo1LWQEX/F5aGsB11IzUYdwpN2ABoCInNVATAUsTolg/ncJTfJlET2kcdalDkolo4910HqZ4loP0B6O6q93qHuiLuT1CN+AyKTyocSHaRdLn47S5Z09bggF79BGtbxLeo58qR6LLPy5jBqJ/mm1er4or/1fVabP7LeEl7TOnJKSEMoWfuszHB4EJerpHp2PJOQqzbEaCE3T/btnqT4Oz5xY203PIph9U5ylu6m79MDZ+wOUfgic4LvBuRUyafFboWZ8LbkgKjD4kUKA4/T9Z0a5a1wlndTAYlmmbb/w6uA8gplKB34yJWSrqlYQSJgO/1cDTm/Ydt6uMHL0RjFFqWB1mnrR/NpR5zV5toiPXwMdUFHiIZ69pxNKIFzaOKolHdfbR26tm4QMCUw7tpOuiqaopu3crUBdUHuwTG21KAu6Aqw1J2PmFtKVdHQG7saxul1KcITB9/KgJSKLJTc2u+qT70e41TrwVptt9kdVWa8KV+Djrcj/e6VvdyI+Xav5FmtdJxr88oCvMs6/ga5FIRyUKZ+d1XNsP4z55r1R7GVbIbPswGFKiNCiq8VFIDa6qHXKFQc5xWyaamU3Zq1ToqrgTrCc+b8v5Vjs0f7lpm1V6ac7CPXiHCB8aGCSPH1Stp/H5CMeHkmAaVk0sxoyxn9HFFYMuSS2JNmGOgLct+cz26ZzHZMcixNVy6YvdRWUXVJD+6JMvPCyjOPkpSX2lTbxv/RYzWCMG1Xw2fmeGvRqk347fDVfIZb2e30sPXkktanqANfHlOfLR3XiIdQrWXK0FtjORrU+5Hpr9gDvCSUFOudZinl1sx7eEYKhRVpnxEw6ZdhNYsqGs4eGHl5ufhVRXMwoDQpqMY6BRoT91xmWirz3EoEufd40w9ZBZMeVDSc9DyfrtFahzMIaifsUpkXZf8sRLGeki0Tmdz6yJtUihQK86x+FRucbm8iy5LzHfm9pNw5bTKZUyb8+RQtRFwOiPK2t+b0a/zA5Kwy8oqJB8h8FG0VWEY12utegbXffFEjv2DZIebzXp7fRLHRrlPtTMAuioqAn+/Ph/nnwvuEyH0/1bl+9ACVs26J6unOHz8q0uP24WE97dvRetqS8TnOS032jzhefSQUZGUKpPIAQ9iJoEExypPADTFBbN7joJXS1ZX5LaFuZeqgDQbpgx5IBJvDH+XHt8J7TfW63u1W5QhEs5fWwrSiqYowrcPZr6qROqUK5AZUjeZCq9RC1X/3sxKIlW+CMIwnKEXKgSr7EZbNaEjzYezeS6OqFIHj/kknKsp+rvonltGpzBdM1JXj2iLaJyCoEfJ6w1Sp5/dutO9QRDHs5ZjrOSKwca/c+K7OyrCHx2npMzjeahY4D9ftNXnjzvQTnxJHXI19n+RhsT895Pw6jy+w5fq6vUa2+NDq+kD27bh937kLYnBEXriltqduy3TY1Njo3bS6ifuvJD6pxl1yB31owhlJs66tZd9VPTS5vT6qB53ukziiB1nUL0TW6EMX5MpF6/tqQdx9cVgXsv9Jtf+Lb77wDopFaeo4fmlq4VwKDtrNXToBu5VkQxWjC96LGHcJbUyQgtOBI6dB6IkZoHuL0laD3NgX9tTbW7OKRWd2re6f3951NTDiSyo5224oW2awjcDJkfGNL9aRQW6FIfdsJSgey4GNVEg1rXzTlz1ZYLfSXaVTSKyngv+0qFqnBvdCJgPL++bnd4SJlJcZWNHgG7NY8Avy5OaR5gWHl+TOGZ9uWJR1F2EbFD3s
Z3hnQGO+EbVh3Ew/WHUuiHlE0HbLOfPGi8q3TD8ceOAwiq1WoKYUrg9P+5e2p9FjQc1nrUCvJc/sGjuraaBXx95z1CxWXP89ysuwJ2/dzfi0Tii8vQ4HWJ78YmVN62T2t3nkrH+fx2Ymzqehy8XXFqEUmFGwxHK9MivTIT3dqzxnix1o01bLFqkw88rKuYqCgbryVGVbqs4Va9GvlWhlEfWi15I5UKTriRU5lLymaVXZK6w42eM8syYrxdeV8qMOn2hnMUQ0QlJAdURMlDbUlKcrVrUNThk/o2pph1/IR8Ky58NS10r8ch4aLM73vVJYbl9ZPOGNXknfyVX1exvmul9PP0YIMyHL098MWrGbehWxA610GGeG9Tw6340GnV4FZI/5l5zb00p0maag9bLk5MZiIKnMQFvmV0WawjoeExk8jp4EZ9oM6Q8TTxMOjYqtqtAsQKFXP6eKcXypDfgH3NuQWBGKjPjawgZpF1ErXvXWO5vm4scnT+pIlQKULnxCgjtTvWn7K6QJjKtynJ8OBI07E7svzac/OrbayCHxzk52v7ZfUiY0ycBQxgOm00KWpgU3QLzkZ4hJqbw2tI4bQEzDItxAXvAJr7aXVavFqoVB6wXJR6lY7WUDitMdhikb6cU6eRLY+/YLtDQ8NCyrPBbnc9OGmRJLdZAg6Y2W1k9KPn4wRnqFW7ZlSsdjizq7qcxzuzdjF+zKwRPWCicqlNywzFnYVV2BUH/G+q6R6SEH+nh7+kfGm7s/bUcrhK+dxwIfmc8lv6rxzyu/fpOLQbs1egL/Wy68yzK8Uws2pTzQNQYlufW5v7slt70Lt41oQm0eH5N5GMeowOM6e2E1UsUfYxP7KKqwmuUOVLKQ2fSY417cdvfKqvrDWmwD1+c6JnfKudFmybtpOVx8uoYLs6m9gGzFstpFOWCM5+M15V4SzEk3w5iruqauKKcJyKrb0N17l8VZuUHxcewR0rJto7hn6wWEUgqqjN5DD2WzGFJBT1G2b1DV0fB0QxmnfQcdqd1DBOPhl6DUQDVCtx/DHq75/Lpe9ct9QrBz0vf9W7LatxcDMoDlyaLMsl2EfcfyZGScaguy1DBUSOygLRoDo5gclS3VCZhOdDlPsB3T7VgTV0sFG07WcdJNzrnHGSoO3sQbuqPVuL4OT8O9Uo/nwmZGi+DqlxvyxEf6/VJyq5csGMcAQ3xpvnkspLa/fEq+7psxouvlexByK/YURw1pialrm/3RB7oGpHQWQ7sbAHJVZdq88QGur2BF0x15P6jAcrZQ9DypP37oPTYxQXLKxNJaRgcfqQqqsNfHHBlVeyrCHQ5M3sjMBRw1xQ1a79oBtOTI/YuPL3aq8Rrlfl79G9iSn0qB6vNrmQEnT5jYXHz1jDCZPiML+z+w/6OC8p1m+uKrsB/ZpEWy5LTXnWr8Dbyva13dERwW7V2UKruqgLBcHkzaMnIiLe7ThaekSpjSoOyGCqLc5GPlUAf3L69/tfb7Oxdy89VXv7z+9fLtzVdfuRiYDVWUDe6NrVQP4xIyjm7lX6sh2z7aQTOZivHXl4/tHJsbWIs4mloRuItSF5dSgdAsHXegWuZkFNY8xooKeLZOB0u2lI3pNN6EHKQyYklxw4xPSNHlInobmEWmjRqfyYK5G7N0A382nyStIvimOA5igxObksC9i8kHBzZxij4+0Q6xZIMGYzWZCc6J2MkEM1cDE+kGXIaFxYF6CuMNH0ue16be9sdt1BNXe/tMGyFreZc8qoNknGkJK7/5IQqknOUBdo//LW37iakjn6qXa6zI8RTN54B1f8zXX5VAYvP4TDEcdkkZt/yqEg7v/Pm7vW7H9WL2tFWBDawCiUPDb/FVXE9ir/IgxTHBPRjS42M6rWVUiq6t2sMvhtJ4p+J/A4/m7xDWX2rsekiLmYr9norsP2TYs9pgN9Sw8CmbjL8/9B56XeqCpUyOiI/4WLYF0relSvRdbZ+eOC3yIpHxwun+zes78rPzeDTh
GGFUv8/8/HL/n6/I7yWogWotJReJgm7Vj6lPPi3XxY68rUJqg8+7tZ6WjhL/bTA5vkybBSsGjMdjcCbgXj0BMospREc5VXkUXyxglPFCi1Fh/zVYmY3oDLAHNTYXeA84o6Z7ex+HXIBI1zlVp4fF1ZC7gvZaOZzgg6Rp73nzRKhkHcHXFJZjgylr0OUKk0mjAOXityi4gkbU1nOZrxGLgU7/oZ6yhyExVzsHe91GIBYJTbFsYUwYm4XWYpSK3gJdrIrNd+LRrCOkZSqS1Chro4yrTNWCt7BD3roTQDe81xD6JFgQKyZGBe72geNiSkSyTPSWmTRiX4tkyeVW0zzmtagNLcxmCnyUHysVCRPTtjkTBah8sRsRktODLtKHWHBsjhYFWiSFkkYmMa44hN98l6DNGgPNJ+w3LlfJmNb/HdCYl9BUJDl9TIw5XeHdB7UrzCFKLORMRCNmYgriguuEL3gy3nm6B/3nSeAR9YBa0OOz1NvQ4yOi29DfT4ION1Y/FfrfJkH/j0nQf4mFNrLgdAFxW72Gj1GVRJKXHC/vxS5KnlXgxUOUHM9LzlZ5EXt72/uP8tX4RyMPy+KEuIbf0xjdWyTaPZlG8UqrNFY7s6Cx2pne6bKIqo+dijrMOlK5M9JYBQMeo7a2kcYqSfHQqJ5EgpeCPQoqpIZe28yT4Dc/WNqjxcLmB1mYNdAsygSSeZGkPMqGtqBRLg2EVNgmKw5WR8IWZRLln0gVMyylPCroSyd0BSLdjXpTakMLyncfIFvE4d4kmAwfCevSeGIxu+fsSHhrIf8QayHrZMHMXyKTD1OdjK1t2gFVMuIo68jNiXCQqphYPO08ASPqSrZAwaydNyBG+XbgeF1FgrvaN2MyNFvQS8YhThfRyTKOXWw5LgB5HzRO0mprBAt4NEnkMbI2cKZN0SvyczK0VmkkdNU5LgpWrpIcMjYiGHMfmolYjucyKznoVMbN2oOzVdSpkIXeUjOyE0ULPhQTcCKoghXTRtEYTbuBjrqpXCfFyCmrCXPWWEdERZ9OF9XgljwKHhuLRl1xLugoHvWUy3m7lkwnrs5zDPyOKhq54NlAWOVpsBvXwWA8JNOGdpu1ngSozaJUpxcSreDA1VyLgysj8MXcw1Us6XhArNqzjCmFPhwxfQhqRbNs/KqzbLxzrkqgiZIoLE9SJWUemX1jQaOUIpYnsY9wPncnbrrFQ0SyUKFjUplZoQvFRoNxapgpI95tOBMwJpWkgdMja3HVkBj4GGOCcOkympMllxHCsQaPCgGwml7EfrdgUXvd6oZR6CK8tlyuIpdSrCK3XSHV+MORL8pV3NbJmU7jtmuuIxcwrvqMAIOpLxGQEafYlQYY/yrl4MY/KIntdryuEBknVLdriICMkPdSsVUSqNZ2AuRWgIqRLUUS2UGwSEZWkG4Ao9o4NOBRs8STNH6TesCYdppO6Y9ASbW2Xybp+vR41h6w68s5Hh5UvrJ2cS+j+jTYbSRojJhz+Uvv33cqfZ4EquQqoboYVfKjDTymy0MFp4DyuJtHQYrUumzVaPCYyVrYsQm6LVipsiisMSaajrI+tbM+ozylGsa7SF053Sg1QsPvMcwMpcGOgItSXDRbRR1MXYy3W7RK41ZepVnEVatVGsryPQl0VEumNlSpI3ImN6kYH4QQrBh6HMwlWUY0DV+ZmEVwYDFeo7pi5HjIXRGRuVpmi8hX61LxKKlUalBJxsbHb0YWJql8InHEmjSuXf4mYUIbuoySpBumTNxVvClEVIqDkaoUZ+nVelkaSd6WgvQGr73QkwrE/UI5y8iVgowZckVV5nPGDrSl8fWvJs10qA4kDuOarmLEbCo5CYWU1N5eJqbM/iYvuNxBryDeUR4sZTkiPf7UvrzrqqUO1hZTsIJHktNu6G7j0ROrslt2ZQYyONNYYKMaX7dbaeqywBL1/VRJQrZraggzpHDt+cNEH3pKHVMqJNze3VU8r5AQJnwlg4HMbs7E9ArYLWLseG1K
NDFyhU12Lprfu44RPe4J2ICqiygZSQqqNJDXYChWHHanou6XRp68kiv9/M4F9z0l176Ml2tP0hsd04jfgi8Wi2QL8gbMr8wI0OG16m+9SPYssZxwvZtxeDcdDVSl6wsm2IDBq+g8xRA6wsb11uNMwHNOS4G1U1dl7svSHyiF0Kl8cIDqOVLma6rrRHlf8XVApbfMTObthex6btmByTt4NLg7h4yCszagborEHelBjVm5k0oVY16uBlM1Bz6QOn/o3Xt8bYiqleyyGtdJsK6FV7/J7ptFDmu/NwjWM9Avg/SPq+N9QufsDB5vr6tDhKMPlWwf+RA9crvULRzc436Nj/T2aM1ND3EuikRdMLqmTSpXsCHICkKoJhpA7PXJDBsvigpN01mKrfayxN3gwjdwqltrV92CD5BVgMqZuwjnI6sZ1BVuYRvGYQW+lwfVmq2EY35TmXugrQFdzNWtfmDJEcOBHbc4Y2uJwfYhoW3eomgotzCu0k11X7Ksamtbd0zCho0Dh46QQExOrbUpGAiSGq1AVo3CGsFb9XeyOAZU2K1iA46eGfEjkoHSheecf90/s0dA6wFyKzvv4zFXD+WM6mQtZ9DuOt0xsSZOUwYKO/q0Ch6FY6qJ26CWHuFbbAtpCLbKvLjkWlrTptO8BKuQ/+QhLsil2NV/9UY3aB1pYQjNLqqOxmHBFOn8sqRPUZa/6PITKw/uMZX5ts7WmmhXKK9mHW4k7HdMMtazeqrBSnegyL/VHgP93CNC9EP9S8bGbZ1/74mGqr3dd5Cng2ESx2TBl92yOK4l3Zuf393Y2YECZzSiRyZjOlVQUJHurFbiL3/e72VrefCMvHv9ktwK8+2LZ+T2zfXNP1+S97fC/PAdebJd74jwDRjTtdS+jJtU1nrFX33zw//6b0/Dve/ArCfJi+6MUQJd5DRcGklP3iMjD5SvxH9boQ0fpuxjk9U+50doG0z4O/liClHUUWwaHbRqbvrq8k2QnA9SwBQ7PG79/o8UcBHmz4cxfQA+wmVnST0uapCNn+ZeOcDLFTWwpWcpLI277I5cuuZ51W4LIayvkzQvhv3/U/2at1ev75wcHu4VT2fo5TdkSjs9p2pdentnkQ1Y9ZYPg7VgZuGDHX2YD5UOkLiaYnMftnavhcx1pKO8eapoVSIPy+5Zl8kq73hYpD8t1/sL1UPWxNZE6gynimlK3nga7qQytYjqCSHXewKZ6LvPH5ZEenb+OYqZWFXisyL89RDzBIT0+/m8RB4/2iBUa5kyLBqP1nLvdiVWTikqVnBRq8epFEu2KhVkZLHzzf1dq/uB7jSDKQW9QOEBbSo47DIqU4GP0u/aoZURBpOCXBpIfIxQzMtvzBQzoROauPCpKODCqFjwZRR7l1Gx2DxuA8Rn1BRRk6NZUlnj0/p17dsWlpaL7nhtQ+Ys2sKNNawEGPJuV8Az8r4Sc6/QRP6W3FUmck+O/Dx0o1bFq2a5MAZU+oosUnXtpJwHL4yi+SE+0FOFoQMbUAY7zxhZNbhigry/HTxCKYa0TDiDMW1jhU5kEVUoz4Iq0OPjaCxgVIifk4njA6LQBxWF0ZWpSTiIVUTNR8Rrr4G5nUvYlAivF8pbzkFBUnzAsVbUj1JtqcpCzcAusU0d+t3vlHzEV/cFmC3AQCfj0TnAY18kpKG87e516AgWMsHXpt4cfBM0BfgQlDNjj5ovKhSexIZTMc+7ygnugOpZreUQ6E1h30HQ+AA3VnteofK8LxFj/NmQYrbFZkwe6WlvKFQZlpacqqqZm0fz5Obx5Su5kstluD41pIlZw9yNb9/ZIX33/oayG0uZJeiyNGsQxodSDRI2V++x/efKsm5rGCbuvQY1SJIsTSrn5pYfdJike9eBe4CqqkfOtNt3jyLETKqGKwebv1bYz9A+GTpU2FOMbmBdSJFhS1cZVAFqwH5T0n26N2OyawduA0pcnj3GvXEGWU2xt7c6eg0TRDNTBiQKwQC5qgueH3VNNaGZLLAr
2BqYInIrOo2RiKGPUsh8INqlqlGf9MKRZrj8rBrGRGbPslS6ae/nughfVuXxexM9xX0iatLd2RgMp6pneKbno8FJ3vtXpHnneaiJWGuq47I6JkzVRQXc+6jCuec6HByykNPi4wLTW8CabpgsUbOxRp2SORuIdID50d8IuuAYNrwkV4exM7EZ3/ksREaXhj2dhgRR7NEwsrxYBAkBDDUF09egda80O3tw+ZsQ9lKYbohyjM6XYfJHkk7oiou3DHYyZ2lFGE4LAwa6jz3MrF2v80CVRuLJuUi/udBGDTvJK6rDia+fjOoXh6n216LDNYnyoBlRm0SG5di01WsaCgoYdHJ6To5IjTrKTExJn8hKdeIGCFeF+WQb4NvTqP5mck/0IPHecXRsDj3qcU7N0Tvh2P2R6X9xlH41M//dhp+FenWc+yNqUnyco3pE6tVH9Y+8ab49zvbTC1B9HLafJmvUzGd1zr1+wkmdedPMSX1vy9RKYea6dE7WzWhp1kkOZi3P4k2le34u4hD5nw0uDGbvKjnRUj/g330rufc1WVQHdki0bfnPi+///Gfy5NX15d1Tcs20YWJVMr2GDBNzgti4XMkZ8mMP+bV9i27E5BcDfzjw5q3kZH/Jodh7y/sQjnpvos9vROnwMRszxaC4OjOi5dJArKF3CipCRZSad3LKT8/i75D6lmas1G4MIhXRLGecKneYrSCxuzXF+ygcqotnRrN5euHWPsh2lNl7u1yVB6RT16I5MFMiCS/FoXODzk8fH97yP3nTGb/prZg3dqEVeJiFHS1STXsU67lukV1SrahgHw7EOokpC3YqwyK41V75AZYtmQpG8Udnv/5oB0T56JLKXZbuXiTST0C5WadUASkUZDJnggZDrFtH/Y4aBsLoo4FnnM47n1f0k07HFcGAInp72S38pRUCBVUG036byRwWQrOm9fqDe4r8WUIGihrIkhFhAAdWEduQV2PWru47JTcsq9PV/e9oUXCv5/SWz6fIWkG+rxEN9FKvp8Gy2eZRD+rrOJjdwESChZ4xqmTD3JvTuqvYDRQOqBWacaX0x2o18Ih3eQuolSkSavLt9B/Uhqgm2kjl5KMdLQdDEduX+KsL+6svw/PLWZZxmFNivMYRT5UZgSVqyZAomVEVz5trQnd+vFaOrthVLx7PSMGpZbu9kaQiIFK1K4a8iBi8MotVcEK8hKothJ+kNuQ1TddMDKjtGY0+o190+fVeYGRfocAeVHuru7R6fUFeZbQgv+Af7lbPpHD5AP/qXxdkTTdg73sOVLkW1gTrS+hCCg2VHhBOGrAzSvptryfIHl8bIVXMgGJVlQ7hJugqMgxTUhE9CzHNMr/1RWROpQXri051E3T3WlU4ai8N2Or//qphmqhSBPq6E0L1s1oSu9ccl0w9EJHtR0y8FTEHMynZMpHJrSa6gJQtWWq/eRaKG/fxR/2NaifgKGpefckTVXU9r8UyPjM8bfGDlAJvrlewoumOvNf7RX7q95C8m+AQFbVkR5nFtBq4w9rqNiLDqGncDPYW6PGtzmcKZDHtZQhgmG2fCfsTm0NdG6o25JS3wJxwDsEN4WEipjNXvNTQZHzklHfuVZLjBic3XGulT+9cToza6bjP3yaExrGyx+Vw+tvx1BIMbhxXnnkwAhwnlcGSCe8LxKOOtSByWgwUo0D8A2HWZ8LemLsd1SNGkNT+pukz8PnIA9VDah+aMTRd57OXomvGRcaQnhbcZltkQc0FE2Nq7s660yzZGP4+VegHjm07GBeZ58poNalIgXrkPbqmyuwjdBVUVWtrP37WELtds17BM2L3obUsXIjeSRMwERUvXSqcVOPaM3am/1ddUPG3o/mcFar9WmeVkhYSqXZqf32Oox+h/owXbo/uqiraYboH1yoBYZQswscwk+WiZ5CdtNf8qNa6gSOhjUjFyE5OJ1JxJfPCGqTVzscNjg1OnOa5AWVFa2LN5vCFRPXD9LjfI2exo9NXuLcwvbLZ8vf4
N64fS8535D9LytmSQUauMRvGOS+CyLawSFIpH9jZnpR+hQVxGBqbhPIhvSyitk7z2FOUxrXBGapHfvxsvK0H8bVUvdvKeecuyLtd4chvLCo7QcfnYRYrWCYji+N0CLNYnAmmvtShQjtddPM4C2oFYx+/814UUlWePXxeeftqYGFa2aqjl7WaTzG1YuyB6dixj/rhKkKUlNH33D5aO5LlGimoCTs4UpFQPe49qgWqYjuol4qPYncLbhR3ahU8KdX4fr8F9j3D5tAxKCNE3z7wyBCNfWC/C6KOAzwaEHgJxihsdoQRq1tfq2sFnQfKmNvNDTNPDPneiX6HA+NV99z/+8ojee7/4V99Q04vykGFYwg8wWd9LXHkth9L0I/RKsjcIzjzZZOtssjEEpQa8NH3ZzYT5W116Cj7gk6PWcioqgctW6wMbF98xpCTt29gmBk3wo17bbEb4B3GBan2R/+A/iP0cLF7VqxBzWXVWD3Hv/k+ucKC6k/JFWIIIwdlZkuUHODVFShf+B72YjoOlNiBiY8FLWa0lsUO+6Vu1V06uB7sw7CfYHxaZHhNyD37MJC+8xB9Bm//cUMErKRhjs3FmuqB+rQ6nT95t8VwN/xwQW+7IBPq0/YeADtrXRX8quI9ww92mo1srnhannBdS/zdYFsNe/aY1mVMY2gLi4+6U+znaV4+pAGUmuhZ6LGuLS9u7PDkHp8MDp3WmV6X6npX3rf/5B7DOQ6L0Ja8GCJjvLw4QMWw0NCaJ5tpd0nXRe6dOGGXXGK3AC0jimnoeFD2AN4aiE6J+qIp8NgWlCgvviMafbdSkdv7y3+8viN3Vn6Sn8VARcqGnui8jxh63m1lmB48luka0gcd0eytESxTc9tDRaDr6iZ16jkGaPjC3c25P6CrgGK98htnUVUcpjprb1B9Q6qwxdp8YrBNx4ZylrkNEUDTPfoz1pc6dPRx1g+w011RdPIei+6Evjam0AnDbgSRwMjSOLLT01t+Tdl7bCWqeEepmNkd2X+pzPOJufwnUuYweZMynF6zZQp4V7uOMeG2nIpkVB/qsSEJumoa8KunuYqRDRvomNyQFJLNEwIUIsnhIIgD0YZ1L2RNuqZC9BLQpicq+3ER1YCnfLbyS7XI8xW7f311+cbL3OcdBLWoM1J1vWIx2ytj+iHZSF7GT+Oy6oEhfC3NujNI1WShFMxo8sSh0U8xdw2TCaouCAF/0UAQGi+jT/grT817wYx/LrnYD0bbgMKXkmXJSSpFCoWxJsC94/VAitOYTurBug7IPGtsVC1ELCnY/U1aHv30H5ehYJIg62J2gFSrc4QodEPL9pweC+rS94IJjH+/+fnu9o68po85E1nduiTMfkv9GQIZ9gp9DxDuCe3Rf4jw+goOh2BHBQS5yOxkXBPPP3giTTWpuRsteUl1e+3r8Xg8B2ngczL2E2f0VHPK/wvkHNTBkSLrayMxJwktvnHtpUcqNnU3L4N+YGft5i414BnRZSAsimryV22UFKu/LThNHzjTBrK/PvefPau/ZWIJafirJVOwpTx4zdIFb8EQKjKiJRnYPgpWTBu1s1bPvAezoGbtS9HVWEgXS4+MSe0H+4S4RAkX25pK1areVWssNW0gjNr96f8GAAD//720rNA=" +} diff --git a/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml b/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/input.yml b/x-pack/filebeat/module/citrix/virtualapps/config/input.yml new file mode 100644 index 00000000000..a70d6b3c181 --- /dev/null +++ b/x-pack/filebeat/module/citrix/virtualapps/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Citrix"
+ product: "Virtual"
+ type: "Virtualization"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/citrix/virtualapps/config/liblogparser.js
+ - ${path.home}/module/citrix/virtualapps/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
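Review bot: `observer.product: "Virtual"` under `fields:` looks truncated for a module named citrix/virtualapps — its siblings are `vendor: "Citrix"` and `type: "Virtualization"`, so presumably `product: "Virtual Apps"` (or the full product name) was intended; this value is stamped on every event and used for filtering, so it is worth confirming before the fileset ships. Separately, `debug: {{.debug}}` is handed straight to the script processor, and the liblogparser.js added later in this patch echoes each raw message to the Filebeat log when that flag is set, so the option deserves a comment such as `# debug: writes unparsed message payloads to the Filebeat log; leave off in production`, since the RSA schema this module maps to explicitly includes fields like passwords seen in sessions. The hard-coded `ecs.version: 1.5.0` follows the pattern of the other modules and needs no change here.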
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, 
+])); + +var hdr1 = match("HEADER#0:0001", "message", "%citrixxa: %{hdatetime}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%citrixxa: %{hdatetime}^^%{msgIdPart1->} %{msgIdPart2}^^%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("^^"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var part1 = match("MESSAGE#0:CONFIGINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{administrator}^^%{shost}^^%{hostname}^^%{operation_id}^^%{obj_type}^^%{obj_name}", processor_chain([ + dup1, + dup2, + lookup({ + dest: "nwparser.operation_id", + map: map_operationtype, + key: field("operation_id"), + }), + lookup({ + dest: "nwparser.obj_type", + map: map_AdminTaskType, + key: field("obj_type"), + }), +])); + +var msg1 = msg("CONFIGINFO", part1); + +var part2 = match("MESSAGE#1:SESSIONINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{username}^^%{hostname}^^%{saddr}^^%{application}^^%{fld4->} %{fld5}.%{fld6}", processor_chain([ + dup1, + date_time({ + dest: "starttime", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", + args: ["fld4","fld5"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg2 = msg("SESSIONINFO", part2); + +var part3 = match("MESSAGE#2:APPINFO", "nwparser.payload", "%{fld1->} 
%{fld2}.%{fld3}^^%{event_type}^^%{domain}^^%{group_object}^^%{hostname}^^%{application}", processor_chain([ + dup1, + dup2, +])); + +var msg3 = msg("APPINFO", part3); + +var msg4 = msg("Broker_SDK", dup3); + +var msg5 = msg("ConfigurationLogging", dup3); + +var msg6 = msg("Monitor", dup3); + +var msg7 = msg("Analytics", dup3); + +var msg8 = msg("Storefront", dup3); + +var msg9 = msg("Configuration", dup3); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "APPINFO": msg3, + "Analytics": msg7, + "Broker_SDK": msg4, + "CONFIGINFO": msg1, + "Configuration": msg9, + "ConfigurationLogging": msg5, + "Monitor": msg6, + "SESSIONINFO": msg2, + "Storefront": msg8, + }), +]); + +var part4 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, +])); diff --git a/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml new file mode 100644 index 00000000000..9b7b503ea67 --- /dev/null +++ b/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Citrix XenApp
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/citrix/virtualapps/manifest.yml b/x-pack/filebeat/module/citrix/virtualapps/manifest.yml
new file mode 100644
index 00000000000..05766fb7f5a
--- /dev/null
+++ b/x-pack/filebeat/module/citrix/virtualapps/manifest.yml
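Review bot: The `on_failure` handler at the end of the pipeline.yml hunk records only `_ingest.on_failure_message`, and none of the seven `user_agent`/`geoip`/`rename` steps carries a `tag`, so an event that failed enrichment tells an analyst what went wrong but not which processor threw; with many near-identical module pipelines that makes triage slow. Because no processor sets `ignore_failure`, the first exception also aborts the remaining steps and the partially enriched event is still indexed, so the marker is the only evidence of the gap. At minimum name the processor in the appended message, e.g. `value: "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"`, or give each processor a `tag:` and append `{{ _ingest.on_failure_processor_tag }}`. Confirm that the ingest metadata field is available on the minimum Elasticsearch version this module targets before relying on it.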
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["citrix.virtualapps", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9507 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md new file mode 100644 index 00000000000..a225855204f --- /dev/null +++ b/x-pack/filebeat/module/cylance/README.md @@ -0,0 +1,7 @@ +# cylance module + +This is a module for CylanceProtect logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 +at 2020-07-07 18:10:44.005162 +0000 UTC. + diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml new file mode 100644 index 00000000000..f48f72b6065 --- /dev/null +++ b/x-pack/filebeat/module/cylance/_meta/config.yml @@ -0,0 +1,19 @@ +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc new file mode 100644 index 00000000000..ffb6b412573 --- /dev/null +++ b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc 
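Review bot: The commented defaults in the cylance `_meta/config.yml` hunk (`# var.input: udp`, `# var.syslog_host: localhost`, `# var.syslog_port: 9508`) present UDP syslog as the default input without saying that it is unauthenticated and that the source address is trivially spoofable, so anyone who can reach the socket can inject fabricated CylanceProtect events into the dataset. The `localhost` default limits that to local processes, but the accompanying docs in this series tell users to set the host to `0.0.0.0` to receive from the product, which is exactly when the caveat matters for a security data source. I would add above `# var.input: udp` the comment `# Note: syslog over udp/tcp is not authenticated; anyone who can reach the socket can inject events. Only expose syslog_host to the sender's network and restrict it with host firewall rules, or use the file input.`.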
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: cylance +:has-dashboards: false + +== Cylance module + +experimental[] + +This is a module for receiving CylanceProtect logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: protect + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `protect` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9508` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/cylance/_meta/fields.yml b/x-pack/filebeat/module/cylance/_meta/fields.yml new file mode 100644 index 00000000000..9cd4579d60e --- /dev/null +++ b/x-pack/filebeat/module/cylance/_meta/fields.yml 
@@ -0,0 +1,5 @@
+- key: cylance
+ title: CylanceProtect
+ description: >
+ cylance fields.
+ fields:
diff --git a/x-pack/filebeat/module/cylance/fields.go b/x-pack/filebeat/module/cylance/fields.go
new file mode 100644
index 00000000000..2263f458fa6
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cylance + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cylance", asset.ModuleFieldsPri, AssetCylance); err != nil { + panic(err) + } +} + +// AssetCylance returns asset data. +// This is the base64 encoded gzipped contents of module/cylance. +func AssetCylance() string { + return "eJzsfV2TGzeS4Pv8CpwfzpJDpsbyx97qZudC290e940k96ole+NiIipAVJLENAooAyiy6V9/ga+qYhWKZKGKkrV3elBIJBOZSACJzER+fI0eYP8SkT3DnMCfENJUM3iJrtwHd1JoIPpPCOWgiKSlpoK/RH/9E0IoAKEVBZarxZ+Q/9dL+6358zXiuICXiIPeCfmwoFyDXGECC/N5/TOE9L6El4aUnZB56/McVrhiOrMDv0QrzBQcfN0jKvx5iwtAYoX0BgJ6VKNHuw1IsN9piVcrStAGK7QE4EgsFcgt5IveLKTCPZLXUlTl+QR3GdQMbmnjmB1MIo4jNkwzUKHWB58PM7fHwfcbqszvEFWoUpAjLRDBpa48ryTeoQKUwmvzf6wREQUoQ7ow33eGRui1WKNrICIHGSfVjUW7RA0THCBhC1xnhvjRoB7pZB55xijLGSK4Bq6V2XGUK425DohUlApNizgJOdbdL/r4qcNqBkFYo92Gkg3CSIFSVHC0oVohjN6C/pVqDkqFVVj0lqiejtqIiuWIwxYkWkK9/iWWCtAb0NiQhtFKiqKF6slrsVbP7zB5AK2e9oa/phKIZvtnSHu6MXoH7oC5ncZbZC6irGKwBRblFRO8u9cPeHUNpQSCtceVw4pyyJHgzCLWeMkAFbiM4y3UOhuxNY+s0xt/Zm6vv0FbzCp/emgOXNMV9XsIHjHRiIm147nsMdPST83wfsXt7wxLSyw1JRXD0sL7xVkMrm5v6KTVjq1ub+Th1R5k+nZurr/4/1w/znWDNZXl0w6ZWP4zs6R2Gf8R8W9xXLxcHLkEJSpJku+i6VNPP2nTcCuNNRTA9adBj6uc6oww3DkPH40A4FruPw3qjdEEPg1qyodQX/YmD+fsU654Djh+1i479RVAPk5PHrhRY/ZA64fB1DL4ejdg73qapmV2bsDe6Ce0zGE+dYzS2fjEW7ZolEGOIb2JzMQgFOHRaAaReZSyitPfKmiUMFnP0H+0PzRcrgQnRlhiLf7o1svAsd/SqYKnzb8rMxBdUYLbp84Y2jfGJEb3VtChiucgjYoqwQuM3uRW9BFypECbQQ6AD3GoYYU2sLk39mSFtmZzb+hRbO97TlIs/bTN1aN8xKzHzXIjVLIe1d5bPwml26KKdXeVAp5Tvg5fqtjSt6z5z4eDNL5Jeh8Psu72bvsdwnkujcwaOpRd9vXmp8Xnyr7tD9MZ+MP/uww03JrjBHdPr3NptP0WOcJoTbfAa3fF53upGhYNWbCX1arzT6MMfR5e3EGDV5T7TMJvSevVfpqwi2RnttxbPt
64wdGd3e7PvPdPY/R+XwIiuH+Sl4CA6g1I9OGW629+QEKiH5nA+tsXaImV3QnBsb+i60paVejEzOIK3mc8M/vIMsUomsF2NdBrke4sOWaXhbE/e+NVyB2W+QQ1piU7WhNr8+r27pcDDQcjCQx3lwUhtVcaCn/leMLMaBtw+0k59pj/C0nXlGMWYA5v7xMzTdc4jjxw3t798kNkkp7A3lynT7KmqM/HOSR5s9n6qlKqJN8AzkHO9DL2kx0M3V5PeaFxFLUfauwwae80f2gnDCPZDH4YHBSP20bxsJvdKNxXgjEgWsjPURAa/lzkZd3sG6oQccyB3NByoJq9Ft1LHh1h5R/QEinI8uMpZ4VQNnikEBwt971lQUjCbxUobQZUtCjZ3q+E+bERuAgw2SBFc0BP/oz0RlboxfffP0U7rJAC4DWWI3P9SOraGXNVpeAKLjdZ8gdaWSIqrmt7tSqWTviYA6eiI6AneCm20Jou5dFooyBmlJaAi8FdTv5AS/+JmQE5rbpazXms+CKmSdVGK10hqv9RvfjzN/+qnPB8XlpRFcj6R4/efxg75TXeg0Qv0A0nuFQVcz5uY+qMkqCx0Se6oSOxSjEs375A/2am+wx9+y36N0SENPqjnYVH+gz9d6b/p/khVeiQKV9EF4mLHD6hDcZ3kBHM2BKTh6k6n0PPhbabG2unKxtGAM9LQbm26raGeOCeXeAMpBTJsSKNBqRKIBQzS5OlRWkhjbbI9+4WNl9sMaO5W74YWoRWouK5kdYMLHmUr72ycDIY6HDf9kae4+3Eb9ojLvoBPu+ZwPnHuzM8QqTo74AK0JKSiK7sTbT2j62N5i7HIO7MJYl1o8OJVViYBfpJ7Azz+7YQ5UhIY0JogR4AyhNs+Ui3x2fCFikIKJVtaZ7l6e9QN0ECrIGDxNoexdzwqGWvbKnUFWbGXDzwkfKI+UwLagw++wJop+vo9Afy9hpJIxeVNdYtW7Bcg65/dnKuSiaHVHzyubpomONzlYmO9b6Ivb0O/rV3UAgN6N7vSiLBXkvL/ZBIMn+C0/szcHJ7TJkqGZ32IvuHNhUV7amyHytskP6eFj/Wtu2tPPU7MuyNoE17cfxf483FHfMVZRd5WzTjGqX97urVndfnCOaGAbQohexqccheKJ/dA231sYznD07sWyPPmoUxh9ihmVg1II0x6O59a/Ut0Ivvf0A7y9kCMEeYsbgdap2vVm1o/AtoBxLcsFgjBlhpJHgnWPmQTR9BMfq82RQ5b2kPWZ47vwqZW9bYqAggGy6YWO+7zxorKnuaGULfI7LBEhPt2GSO3t5SaJ2bHFXcRwywA9/mYAZTSrKae2Kc5rI98p5jdd3CqE6CB6etxLtB+WGlWEdZwsTqYc4jzL3NKgipZBhRacxzLHPEhSwwo7/Hou2ELKIcyP0L7BEmiGrZE+Gj2NDQVaN7zugK7JwiBqICIng+oBg2S5YpPc0SP0Iy5UQUJQMdXcRBdxe2iqeWtCNyWnkHUl9su92b0aObbmjDHe6fwU1SCK43Z7O6yeo5/9W8iWbIL8aeG55fgjlmyN8Fn57ReUSImPGD8uNC0t53udQ70BNOxyuk4VH7jYy2IFUr2Dc/FrMRWaPTi74HfD6pTVIFETKHfIr09s/lXriqesxwv4U38/qH7Te4voyVoljYUSub+KcIcCypcIpfUTFNv9YUJMJlyUIEdZMJXmCO17GkJISYdUwHm8ER5WhViOovFRI77rz2Ghdl19PiKTbYDIn9fa4VIhtq9F+Rg1qgN5XSVpFuD2r2P9YD8WhYw+AyHD3uq5WhbAvz3MF2ocKQbv4SViCBE7eo2ChfOd3S3Nypdk3jx/4+HPv3HQbEp/FYUjnjHBquOz/1o9kvVLO9m44yIsLoAgat3UbH/UWjlmbQYH5mpFN9+he9QesADVGNP81FTw04DVNzafy2szrEbxVUMy6a2SluvRp5scMKWTT5wApZ9N+Mn/qoC+dg2knndF3oJMm+Lt
LwlVkSujJL01TKcUfkEOxFAlzSjdeSMpdSfTtqb1QG9QTmKJk0fGBPnbcU110jXjoZiCnGIiY9tec8RUVVbLo7dkA7FJUmooDnDkutstloNrHqrRXmfhoHqu/AUhmTnOppoa9HSA/j+4SAlj/0mOE3NVWhVzvFSeo6FteMZv2xJRC6oo0yGNcWnJNzKO/X6x5zvFxHmFi7A2jeBHwGUzT3zscoZV6ln4+RvxzaCG0NV0j0870PKaIqPDp1LWSLP3B5KOtBlULRUYfwrB1gDQGeu6oANhQxnJLBfO6K6WxKIvvIY82rAiQlY891lPpZItqPkN6Oaq93qDvi7iT1iN8Cz4X0oURHaRfLf14kSzo8LojlP125sTjqOfKkeiwz8uY4aif5ptXq+KK/9X1Wmz+y3hLe4DpyiguNMNr4rMx4eBAT6yw8O15IyIUNMVrIzZN9eyAp/mafuG1tN3sU4+qdYJTsp+/TI2fszqLwReY42w/IqYpNi92KM+FdxcCijosXwTU8Ttd3apS33FneTQUknOfK/GWvAswCylg68IkrhWwwX0PGYTf9XA05v2HXerixl6PWki4rDa3T1o/mU444o821RXr8GKoSjxAN9ewZnVAC59jErVLefbV16Nq6QcSUsHHXZtKhaIpq3srlFuQC3YNjbKVALvAabKk7HzG3EjLQ0Bs7DOP0OmLhkYNvZUAKiZZS7Mx34VOvxzjVerBW221+h6Ueb8rXoOPtSL97RS83Yr7dK1heKx2X2ryiBO+yTr9BXnGEGUhdv7vKZlj/mXPN+qPYSjazz7MRhSpHXPCvJZRgtdVjr1FWcZxXyJJKSrM1a53UrobVEZ5T5/8Njs0e7TuqN16ZcrIPXVuESxsfypHgX6+F+fcRyWgvzyyilEyaGW45o59bFIYMsULmpGkKaoHum/PZLZPZjklOpenKBbNXyiiqLunBPVHmXlh55mFEWKV02Db+Pz1WWxCqzGr4zBxvLRq1yX47fDVf4FZ2Oz1uPbmk9SnqwJen1GdDx7XFg7BSglDrrTEcjer9lumv6QO8RBiVm72iBDNj5j08Q6W0FWmfIdDky7iahSWOZw+MvLxc/KrEBWiQCpVY2ToFyibuucw0IorCSARx8HjTD1kFTY4qGk56Xk7XaK3DBQS1E3ZEFGXVPwtJrMdoR3kudj7yhghOoNTP6lexwen2JrKqGNuj3yrMnNMmFwWm3J9P3kLExIAob3trzr/Gj0zOKCOvKX+A3EfRhsAyrKy97hVY880XNfIFzY8xn/Xy/CaKjXadamcCdlEEAn6+vxzmn0vvE0L3/VTn+tEDZEG7JaqnO3/8qJYetw+P62nfjtbTVpTNcV5qsn+049VHQkJeEUDBAwxxJ4ICSTHLIjfEBLF5bwcNSldX5reEupGpgzYYkAc1kAg2hz/Kj2+E9warTb3bjcoRiWavjIVpRFOIMK3D2a/CSJ1SBWILskazUJIYqPr//awEZOQbR9TGE1ScMMDSfGTLZjSk+TB276WRIUXgtH/SiYqqn6v+iWU0EcWS8rpyXFtE+wQEOUJeb6ms1PzejfYdalEMeznmeo6IbNwrN76rszLs4XFa+gyOt5oFzsN1e43eujP9xKfEIVdj3yd5GOxPjzm/LuMLbLm+bq8tW3xodX0g+3bcoe/cBTE4Ihduqc2p21EVNzW2aj+tbuLhK4lPqnGX3FEfGndG0qxra9h3VQ+Nbq9P6kHn+yRO6EEG9QueN/rQAl25aH1fLYi5L47rQuaPkIe/+OYL76BYVrqO4xe6Fs4VZ6Dc3IUTsDuBtlhSvGS9iHGX0EY5KhkeOHIKuJqYAXqwKG01yI29MKfe3JohFp2atbp/fnvX1cCQL6nkbLuhbJnBNgJnR8Y3vlhHBrrlGt3TNcf2WA5spFLIaeWbvuzJArOV7oJOIWw9FftPg6p1auxeyEVked/+/B5RTliVgxENvjGLAV+gJzePuCgZvER3zvh0w1pZt4jboNbDfo
F3BmvMN6I2jpuqB6PORTGPCNpuOWfeelH5jqqHIw8cWtL1GuSUwvXxaf/S9jR6LFbz2UhQG8Fys8bOahro1XHwHDWLFdd/j/Iy7Mk7dzM+rRMKb6/jAZZnv1gZ0zqb/W3ecta/z9tmJs6noarl1wah4DajYGXL9Yq8IkN6uld5LhY70Katli1C2swrI+cCBQN15bHMd1heKtaiXyvRyCLsRa8hc6BI1xMjcjB6g0mo7BVXnMxxnlmTFfzroPzI4yfaWQwJjZAkYJUQE6U01tX5ilVtg2PKLqhamuGX4hHR/Pmw1DUSv5qHBoPzQ68UlttXBk98owfpO7mqfm/DXPfr6acIYcpFdf6bQSt2U60TdqCRDuPMsJ5H57vRoNOrgBww/xVj5rQiVRECSq0qhm4MBkREDsowPxRpiut4lOfwOHoSjCo9pD9MPE12aKvYyoBmCdJ69QssKbMvtRH/gHsb4muELSO+NrBR2nnSiofeehfTXPz46EkdqVKCVKVPSHBnqjdtf4U0gXEhx/npQNC4M7H70nz6o2OrjZwl3tnJ7tfmS0y5QjloTFnEdFqKSrfgBogX7AIxKcFrg+u4AYtpWIRrKEo24dX2VWi1GFoYtF6QfJSK0V62IBne2zBlLbxYR08ie998YS0NDw2rkMfifG5KU13ZUh0oSnqjpfWTkk8fjJFe4ZZtSfB4bElnl4iiMHszdcGuHDyirXCiUootzZ2FHeoKxPoz1neNIMcc6OPt6R8pa+5+0o5WiF87j6V9ZL6U/ArjX1Z+/VMsB+3W5An8b7H0Lsv4Ti3plPJA1zYoya3P/d0tuu1duG1EE2rz+JjM4zhGBR7X2QvrkSr+GJvYR1HF1Sx3oLKlyKfHHPfitrtXVugPa7ANXJ+blNwp50abJe+m5XDx6RouzKb2AtI1zWsX5YAxXozXlHtJMGfdDGOu6pq6spomIEO3obsPLoszuEHt49gjkKpto7hn6yXEUgpCRu+xh7JZDKmopyg/NKjqaHi8xZThvoMO1e4hZOPhVyDlQDVCtx/jHq75/Lpe9St8QrBz0vf9WyLs28WADKBFtqzyfJ9g39EiGxmn2oKsFAwVEjtqi6bASCpGZUt1AqYzVc0TbEdVO9bE1VKxDSfrOOkm59zjjBUHb+IN3dFqXF/Hp+FeqcdzYTujRXD1yw164iP9fqmY0UuWlNkAQ/vSfPNYCmV++RR93TdjeNfL98DFjh8ojgpIZVPXtoejD3QNIHgWQ7sbAHIVMm3e+gDX17DGZI8+DCqwjC4lvkzqjx/6gE2UowJTvjKW0dFHqhJL2+tjjoyqAxXhzg6M3orcBRw1xQ1a79oRtOjE/WsfX8xU0zXKw7z6t7BDP1Xcqs9vRA4MPaF8u/jqGaKCPENL8xeYvzDHbK+oWnwV9yNrUmYrhnvdqcbfwIe61tUdssNae9dKlX0oICxWR5O2tJhIi/t06SkJCVMKpNlQUZTbYqwc6uD+5c2vxn5/70Juvvrqlze/vnp389VXLgZmiyWmg3tjJ+TDuISMk1v51zBk20c7aCZjPv768rGdY3MDaxGHiRGB+yR1cSUkcEXJuAPVMieTsBYpVlTEs3U+WLbDdEyn8SbkgIiEJbUbZnxCiqqWydtAL3Ol5fhMFpu7MUs38GfzSdIQwTfFcZAanNiUBO5dTD44sIlT9PGJZogVHTQYw2QmOCdSJxPNXI1MpBtwGRcWR+opjDd8DHlem3rXH7dRT1zt7QtthLzlXfKojpJxoSUMfvNjFAgxywPsAf9b2vYTXUc+hZdrW5HjqTWfI9b9KV9/KIFE5/GZ2nDYFabM8CskHN7583d73Y7rtdnTRgXWsI4kDg2/xYe4nsxc5VGKU4J7bEiPj+k0llHFu7ZqDz8fSuOdiv8tPOq/QVx/qbGrIS1mKvZ7zPN/F3HPaoNdY03jp2wy/v7QB+hVpUpKqBgRH/GxbAtL3w5L3ne1fXriFC/KTKQLp/u3b+7Qz87j0YRjxF
H9NvPzy/1/vEa/VSAHqrVUjGcSulU/pj75tFwXe/QuhNRGn3drPY2MEv9tMDG+TJsBKweMx1NwOuJePQMyTylEhxmWRRJfDGCS8YLLUWH/NViVj+gMcAA1Nhf4ADjHunt7n4ZcAiebAsvzw+JqyH2Je60czvBBYtJ73jwTKtsk8JXAamwwZQ26Wttk0iRAsfxnElyJE2rruczXhMWwTv+hnrLHIW2udgHmuk1AzDNMbNnClDA2A634KBW9Bbpcl9vv+KPeJEhLwjOipbFRxlWmasEb2CFv3RmgW9ZrCH0WLPA15aMCd/vAaTElPFtlakc1SdjXPFsxsVO4SHktakNzvZ0Cn+THIjyjfNo2p7wEWSz3I0JyetAleUgFt83RkkDLrJRCiyzFFWfht99l1mZNgWYT9hsT62xM6/8OaMpLKOFZgR8zrc9XeA9BzQozSBILBeXJiCmfgrhkKmNLlo13nh5A/3kSeEI9oBb0+Cz1NvT4iOg29PeToOON1c+F/pdJ0P9jEvS/pkJrUTK8hLStXsOnqEo8KypmL+/lPkmeBfDyIUmOFxWj66JMvb3N/YfZevyjkYelaUJcwW8kRffmmXJPpkm8UpKkamcGNFU7U3tVlUn1sQmvw6wTlTsttFEw4DFpa2uhjZKUDm3Vk0TwitNHjrlQ0GubeRb89gdDe7JY2P4gSr0BnCeZQKIoM8KSbGgDmuTSsJDStslKg1WJsGWVJfkniKSaEsySgr5UhtfAyX7Um1IbmmO2/x3yZRrubWaT4RNhXRpPKmb3nJ0IbyzkH1ItZJUtqf7XxORDorKxtU07oFIkHGWVuDktHBCZEounnCdgRF3JFijojfMGpCjfDtxeV4ngrvbNmAzNFvSKMkjTRVS2SmMXXY0LQD4ETZO0yhjBHB51lniMjA2cK132ivycDa0kSYQOneOSYMU6KyCnI4IxD6EpT+V4IfKKgSIibdYenK6TToUo1Q7rkZ0oWvCxmIAzQSWsqdISp2jaDXTSTeU6KSZOWU6Ys7J1RGTy6XRRDW7Jk+BtY9GkK84FHaWjnnI57zaCqszVeU6B32OJExc8HwirPA926zoYjIekSuNus9azAJVeVvL8QqIBDlzNtTS4KgFfyj0cYknHA9qqPauUUujDEdPHoNY4z8evOs3HO+dCAk2SRKFFRqQQRWL2jQFNUopokaU+wvncnbTplg8JyUKlSkllpqUqJR0NxrCmukp4t2GUw5hUkgZOjazFVUPawMcUE4QJl9GcrZhIEI41eFIIgNH0Eva7AUva60Y3TEKX4LVlYp24lHyduO1KIccfjmJZrdO2TkEVSduuhUpcwLTqMxy0TX1JgEw4xa40wPhXKQc3/kGJ73bjdYXEOKG6XUMCZIK8F5Kus0i1tjMgdxxkimwps8QOgmU2soJ0A5jUxqEBT5qlPUnjN6kHTGmn6ZT+BJRYKfNlRjbnx7P2gF1fzvHwIIu1sYt7GdXnwe4SQVPEnMtf+vChU+nzLFAp1hlW5aiSH23gMV0eApwEzNJuHgnEUuuyVZPBUyZrYMcm6LZghcyTsKaYaCrJ+lTO+kzylCoY7yJ15XST1AgFv6UwM5YGOwIuSXFRdJ10MFU53m5RkqStvCR5wlWrJIll+Z4FOqolUxuqUgk5k1vCxwchRCuGngZzSZYJTcPXOmURHFiK16iuGDkecl8mZK5W+TLx1bqSLEkqVQpkltPx8ZuJhUmCTySNWE3S2uVvM8qVxqskSbqlUqddxduSJ6U4aCErfpFera8qLdC7iqPe4LUXelKBuF8wozm6kpBTja6wzH3O2JG2NL7+1aSZDtWBtMO4pqs2YpYIhmIhJbW3l/Ips78pSib20CuId5IHK1GNSI8/ty/vJrTUsbXFJKzhERW4G7rbePT4uuqWXZmBDEaVLbARxlftVpqqKm2J+n6qJEK7DdaIalS69vxxoo89pY4pFRJv7+4qngckiHJfyWAgs5tRPr0CdosYM16bEoW0WN
smO4vm965jRI97HLYg6yJKWqASSwXoDWhsKw67U1H3S0NPXou1en7ngvueomtfxsu1J+mNbtOI34EvFmvJ5ugt6F+p5qDia9XfeonsWdlywvVutsO76SjAkmwWlNMBg1fieYohdISN663HKIfnDFfc1k5dV4UvS3+kFEKn8sERqudIma+prhPlfcXXAZXeMDObtxey67llBkbv4VHb3TlkFFy0AXVTJO5ED2qblTupVLHNy1WgQ3PgI6nzx969x9eGCK1kV2FcJ8G6Fl79JntoFjms/d4gtp6Behmlf1wd7zM6Z+fweHsdDpEdfahk+8iH6JHbpW7h4B73a3yot0drbnqIS1HE64LRNW1CuoINUVYghBVSAPygT2bceJGYK0xmKbbayxJ3g3PfwKlurR26BR8hqwRZUHcRzkdWM6gr3EK3lMEafC8PrBRdc8f8pjL3QFsDvJyrW/3AklsMR3bc8oKtJQbbh8S2eYuiodzCtEo34b6keWhrW3dMsg0bBw4dQpGYnFprkzAQJDVagQyNwhrBG/o7GRwDKuxO0gFHz4z4LZKB0oWXnH/dP7NHQOsBcic67+MpVw9mFKtsI2bQ7jrdMW1NnKYMlO3o0yp4FI+pRm6DGnq4b7HNhUa2VebiFVPCmDad5iW2CvlPHmKBXvF9/b/e6NpaR4prhPNF6GgcF0yJzi9D+hRl+YsuP23lwQOmUt/W2VgT7QrlYdbxRsJ+x2RjPavnGqx4DxL9S+0xUM89Iot+qH/J2Lity+893lB1sPuO8nQwTOKULPiyWxbHtaR7+/P7GzM7kOCMRuuRyakiEkrMyd5oJf7yZ/1etoYHz9D7Ny/RLdffvniGbt9e3/znS/ThlusfvkNPdps94r4BI9kI5cu4CWmsV/urb374X//tabz3HejNJHnRnbGVQIsCx0sjqcl7ZOSB8pX4bwPa+GHKPzZZ7XN+grbBhL+zL6YYRR3FptFBQ3PT16/eRsn5XXCYYoenrd//ERwWcf78PqYPwEe47Aypp0WNZeOnuVeO8HKNNezwRQpL2112h1655nlht8UQ1tcJKcph//9Uv+bt1Zs7J4eHe8XjGXr5DZnSTs8JrUtv7wyyAave8GGwFswsfDCjD/Mh6ACZqyk292Fr91rIXUc6zJqnilYl8rjsnnWZjPJuD4vwp+X6cKF6yJrYmkSd4VwxjdFbT8OdkLoWUT0h5HpPWCb67vPHJZGanX+OYsrXQXwGwt8MMY9DTL+fz0vk8VsbBCslCLVF46213LtdkZFTEvM1LGr1mAi+outKQo6We9/c37W6H+hOM5hS0AsUHtCmosOukjIV2Cj9rh1amWAwSSiEhszHCKW8/KZMMecqw5kLn0oCLrVMBV8lsXeVFIvN0jZAekZNmTQ5nGfBGp/Wr+vQtjC0LLrjtQ2Zi2gLN8aw4qDR+30Jz9CHIOZeWxP5W3QXTOSeHPl56EYNxatmuTAGVPpAFgpdOzFj0QujbH5oH+ixtKEDW5Dadp7RIjS4ohx9uB08QsSGtEw4gyltY7nKRJlUKM+ASlDj42gMYFKIn5OJ4wOirA8qCaMrU5Mx4OuEmo8Wr7kG5nYu2aZE9nrBrOUc5IjYBxxjRf0o5A7LPNYM7JVtU2f97ndSPNpX9yXoHcBAJ+PROcBjXySExqzt7nXokC1kYl+benPwTdAk2Ieggmpz1HxRofgktgzzed5VznAHhGe1lkOgN4VDB0HjA9wa7XltledDiZjizwZisy22Y/JIz3tDwVJTUjEsQzM3j+bJzePL12ItVqt4fWogmd7A3I1v35shfff+hrIbQ5kh6FWlN8C1D6UaJGyu3mOHz5VV3dYwTtwHBXKQJFFpIubmlh90mKR714F7gKrQI2fa7XtAkcWMQsOVo81fA/YLtE+GDhXmFFs3sCoFz21LVxFVAWrAflPSQ7q3Y7JrB24DjFyevY17YxTymmJvb3X0GsqRorqKSBRkA+RCFzw/6gYrhHNR2q5gG6
ASiR3vNEZCGj8KLoqBaJdQoz7rhSPNcPkZNYzy3JxlIVXT3s91EX4VyuP3JnqO+4TXpLuzMRhOVc/wQs9Hg5O8969I887zWBOx1lTHZXVMmKqLCrj3UYVzz3U4OGQppsXHRaa3hA3eUlFZzcYYdVIUdCDSAeZHf8Pxktmw4RW6Oo6d8u34zmcxMro0HOg0KIrigIaR5cUSSIhgqCmYvgate6XZ2YPL34SwV1x3Q5RTdL7cJn9kZEJXXHvL2E7mlATC7LRswED3sYfqjet1HqnSiDw5C/LNQmk57CQPVMcTXz8Z1S+OU+2vRYdrEuVRM6I2iTQtbNNWr2lIKGHQyek5OSI16iQzbUr6RFbKMzdAvCrMJ9sA355H9TeTe6JHifeOo1Nz6FFv59QcvTOO3R+Z/hcn6Zcz899t+Fmol6e5P6Imxcc5qiekXn1U/8ib5tvTbD+/ANXHYft5skbOfFbn3OtnnNSZN82c1Pe2TK0U5q5L52TdDFd6kxWgN+Ii3lR84OdCDpH/2eDC2OxdKSZa6kf8u+8E874mg+rIDkm2Lf9z8f2f/4yevL5+dfcUXVOlKV9XVG0gt4k5UWxMrMUM+bHH/Nq+RbfF5BfD/nDgzVuKyf6SY7H3hvcxHPXetD6/EaXDx2xMYoPi6syIlkvDYo29U2AeK6LUvJNjdn4Wf4fUdzinlXJjICGRogVlWLrDbASJ2a3E3kfxUF17ZhSdpxdu7YNsR5l9MMsVPCCduhbNgZkSSfiKHzs31vnp48Nb/idvOttveivmjV1oBR7mcUeLkNMexXquW8suIdeY09+PxDrxKQt2LsMSuNVe+QGWraiMRvEnZ7/+aAa08tEllbss3YNIpJ8AM70hWAIqJeSioBxHQ6xbR/0Oawpcq5OBZwzPO5/X+JNOxxXBgDJ5e5kt/KURAiWW2qb9NpM5LoRmTev1B/cc+bOCHCTWkGcjwgCOrKJtQx7GrF3dd1JsaV6nq/vf4bJkXs/pLZ9PkTWC/FAjGuilXk+D5rPNox7U13HQ+4GJRAs926iSLXVvTpuuYjdQOKBWaMaV0h+r1cCjvctbQK1MkViTb6f/WG0IK6S0kE4+mtEK0Nhi+9L+amF+9WV8fgXNcwZzSow3dsRzZUZkiVoyJElmhOJ5c03ozo/XytHl+/Di8QyVDBu2mxtJSAScyH055EW0wSuzWAVnxEvI2kL4SSiN3mCyoXxAbc9x8hn9osuvD9xG9pUSzEE1t7pLq1cL9DrHJfrF/sfd6rngLh/gH/3rAm3wFsx9zwBL18Ia2foSqhRcQdAD4kkDZkZZv+31BNnjayMQSTVIGqp0cDdBV5FhmJJA9CzENMv8zheROZcWW190qpugu9dC4aiDNGCj//urhiokKx7p644QVs9qSexec1wy9UBEth8x81bEHMzEaEd5LnYKqRIIXVFivnkWixv38Uf9jWom4ChqXn3RExm6ntdi2T4zPG3xA1Xc3lyvYY3JHn1Qh0V+6veQopvgkBS1ZEaZxbQauMPa6rZFZqOm7WYwt0CPb3U+UySL6SBDwIbZ9plwOLE51LWhakNOeYvMyc4huiE8TMJ05oqXGpqMj5zyzr0gOW7s5IZrrfTpncuJUTsdD/nbhNA4Vva4HE9/O51aYoMbx5VnHowAt5PKYUW59wXao25rQRS4HChGYfEPhFlfCHtj7nZUjxRBUvubps/A5yMPVA+pfWhaY7IpZi9F14xrGYN6WnCbbYkFNZeUj6m5O+tOM2Tb8PepQj9ybNvBuJZ5roxWk4oUqUfeo2uqzD5BV4llWFvz8bOG2N2G9gqeIbMPjWXhQvTOmoBOqHjpUuGEHNeesTP9v6gS87+ezOcMqA5rnQUlLSZSzdT+8tyOfoL6C164PbpDVbTjdA+uVQZcS1HGj2EuqmXPIDtrr/lRjXUDJ0IbLRUjOzmdScWVKEpjkIadbze4bXDiNM8tSCNaM2M2xy8krB6mx/2eOIsdnT7g3sH0ymar39
LfuH6sGNuj/6gwoysKObq22TDOeRFFtoNlRoR4oBd7UvoVlshhaGwSzIb0soTaOs1jT1lp1wZnqB756bPxrh7E11L1bivnnVug9/vSkd9YVGaCjs/DLJawykYWx+kQZrA4E0x+qWKFdrro5nEW1ArGIX7nvSiFDJ49+7zy7vXAwrSyVUcva5hPObVi7JHpmLFP+uECIVKI5HvuEK0ZyXANlVjHHRyEZ1iNe49qgcrUDuqVZKPY3YIbxZ1aBc8qOb7fb2n7ntnm0CkoE0TfIfDIEI1DYL8Lko4DPGrg9hJMUdjMCCNWt75WNxI6D5Qpt5sbZp4Y8oMT/d4ObK+65/7fVx7Jc/8P/+obc3phBjIeQ+AJvuhriSO3/Vhi/Ritgsw9gnNfNtkoi5SvQMoBH31/ZjNR3laHTrIv6vSYhYxQPWjVYmVk+9pnDDF5+0aGmXEj3LjXFrMB3tu4INn+6O/Qf4QeLnZPyw3Iuawao+f4N98nV7ag+lN0ZTHEkYPUsyVKDvDqCqQvfA8HMR1HSuzAxMeCFjNay2KG/VK16i4dXQ/6+7CfYHxaZHxN0D39fSB95yH5DN7+/QZxWAtNHZvLDVYD9WkVmT95t8VwN/xwQW+zIBPq0/YeADtrHQp+hXjP+IOdoiObK56XJ1zXEn8/2FbDnD2qVJXSGNrA2kfdKfbzNC+fpQGknOhZ6LGuLS9uzPDo3j4ZHDutM70u1fWuvG//yb0N5zguQlvyYoiM8fLiCBXDQkMplm2n3SVdF7l34sRdcpnZArhKKKah0kHpA3hrIDkl6oumwGNbUFp58R1S1ncrJLq9f/X3N3fozshP9DMfqEjZ0JOc95FCz/udiNNjjyXZAHlQCc3eGsEyNbc9VgS6rm5Sp57bAA1fuLs590d0FZC0V37jIqqKw1Rn7Q2qb5Yq22JtPjHYpmOLGc3dhoig6R79GetLHTv6dtYPsFddUXT2HkvuhL7RulQZtd0IEoEtS9PIJue3/Jqy9+iah3hHIanen9h/RBTFxFz+MylzmLxJGU+v2VEJrKtdp5hwO4Z5NqoP9diQBBWaBvzqaQ4xsnED3SY3ZKWg84QAxUhyOJDFYdHGdS/LGrLBnPcS0KYnKvtxLaoBT/ls5Zdqkecrdv/6+tVbL3OfdxDUok4L2fWKpWyvnKqHbCtYlT6NV6EHBve1NOvOIKHJQsWpVuiJQ6Oe2tw1m0wQuiBE/EUDQWisSj7hrz01HzjV/rlkcRiMtgVpX0pWFUNEcAKlNibAveP1QIrTmE7q0boOlnnG2AgtRAwptvubMDz66d9fxYJJoqxL2QFCri8RotANLTtweiyxS9+LJjD+7ebnu9s79AY/FpTndeuSOPsN9RcIZDgo9D1AuCe0R/8xwusrOB6CnRQQ5CKzs3FNPP/giTRhUnM3WvKS6vba1+PxeI7SwOZk7CfO6AlzKv4L5BzUwZE872sjKSfJWnzj2kuPVGzqbl7a+oGdtVu41IBnSFWRsCis0F+UloKv/7pkmDwwqjTkf3nuP3tWf0v5Ckj8qxWVsMMses3iJWvBIMxzpAQa2D4S1lRpuTdWz7wHs8R640vR1VhQF0uPjEntB/uEuEQJF9tKhGxV76o1lpo24Fru//R/AwAA//8qRq4p" +} diff --git a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event
+ in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly
+ refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of
+ an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event
+ source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating
+ the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of
+ an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the
+ vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that\u2019s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to
+ the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that\u2019\
+ s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application
+ requesting resources of the server. See the user.agent meta key for capture
+ of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that\u2019\
+ s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique
+ and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced
+ within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster
+ name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the
+ node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application,
+ etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that\u2019\
+ s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity
+ such as a file or process. Checksum should be used over checksum.src or checksum.dst
+ when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be
+ a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
+ or "reference.id1" value but should not be used unless the other two variables
+ are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS
+ based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does
+ NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity.
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml
new file mode 100644
index 00000000000..fc90f92344c
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cylance"
+ product: "Protect"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/cylance/protect/config/liblogparser.js
+ - ${path.home}/module/cylance/protect/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
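Review bot: The `debug: {{.debug}}` and `keep_raw: {{.keep_raw_fields}}` parameters passed to the script processor are undocumented in the template, yet the parser shipped in the same series echoes every raw input line to the Filebeat log when debug is on (the `console.debug(" input: <<" + msg + ">>")` call in liblogparser.js) and keep_raw retains the raw message in the indexed event, so log lines carrying the identity-type keys this series declares (e.g. the `password` key in the fields listing above) would be copied into the Beat's own log or kept in the document. A comment above `params:` would make the trade-off visible to operators, e.g. `# debug echoes every raw line to the Filebeat log and keep_raw stores it in the event; leave both off outside troubleshooting`. The syslog branch builds `host: "{{.syslog_host}}:{{.syslog_port}}"` with no TLS settings, so exposure of the listener depends entirely on the module's manifest defaults, which are outside this hunk; if those are not loopback, noting that in the template would help. Minor style point: `$i` in `{{ range $i, $path := .paths }}` is never used and can be dropped to `{{ range $path := .paths }}`.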
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_set}]},
+ "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + +var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: 
AuditLog, Event Name: %{p0}"); + +var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + +var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname}(%{mail_id})"); + +var dup6 = setc("eventcategory","1901000000"); + +var dup7 = setc("vendor_event_cat"," AuditLog"); + +var dup8 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup9 = field("event_type"); + +var dup10 = field("event_cat"); + +var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + +var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + +var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + +var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + +var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + +var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + +var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + +var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + +var dup19 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], +}); + +var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + +var dup21 = constant("1701000000"); + +var dup22 = constant("1804000000"); + +var dup23 = constant("1003010000"); + +var dup24 = linear_select([ + dup3, + dup4, +]); + +var dup25 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup9, +}); + +var dup26 = lookup({ + dest: 
"nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup10, +}); + +var dup27 = linear_select([ + dup12, + dup13, +]); + +var dup28 = linear_select([ + dup15, + dup16, +]); + +var dup29 = linear_select([ + dup17, + dup18, +]); + +var dup30 = linear_select([ + dup20, + dup14, +]); + +var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2}\u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname}CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname}CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname}CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost}CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + +var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}"); + +var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}"); + +var select2 = linear_select([ + part2, + part3, +]); + +var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", "nwparser.p0", "Category: %{category}; Reason: %{result}, User: %{p0}"); + +var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}"); + +var select3 = linear_select([ + part4, + part5, +]); + +var all1 = all_match({ + processors: [ + dup2, + dup24, + 
part1, + select2, + select3, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg1 = msg("CylancePROTECT:01", all1); + +var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + +var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + +var select4 = linear_select([ + part6, + part7, +]); + +var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + +var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + +var select5 = linear_select([ + part8, + part9, +]); + +var part10 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", "%{} "); + +var all2 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select4, + select5, + part10, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg2 = msg("CylancePROTECT:02", all2); + +var part11 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + +var part12 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + +var part13 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + +var select6 = linear_select([ + part11, + part12, + part13, +]); + +var part14 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname}(%{mail_id})"); + +var all3 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select6, + part14, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg3 = msg("CylancePROTECT:03", all3); + +var part15 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, 
User: %{user_fname->} %{user_lname}(%{mail_id})"); + +var all4 = all_match({ + processors: [ + dup2, + dup24, + part15, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg4 = msg("CylancePROTECT:04", all4); + +var part16 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + +var part17 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + +var part18 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + +var select7 = linear_select([ + part16, + part17, + part18, +]); + +var all5 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select7, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg5 = msg("CylancePROTECT:05", all5); + +var part19 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node}was auto assigned to the Zone: IP Address: %{p0}"); + +var part20 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + +var part21 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + +var select8 = linear_select([ + part20, + part21, +]); + +var part22 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); + +var part23 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + +var select9 = linear_select([ + part22, + part23, +]); + +var all6 = all_match({ + processors: [ + dup2, + dup24, + part19, + select8, + select9, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg6 = msg("CylancePROTECT:06", all6); + +var part24 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + +var part25 = 
match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + +var select10 = linear_select([ + part24, + part25, +]); + +var part26 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + +var all7 = all_match({ + processors: [ + dup2, + select10, + part26, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ExploitAttempt"), + dup8, + dup25, + dup26, + ]), +}); + +var msg7 = msg("CylancePROTECT:07", all7); + +var part27 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + +var part28 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + +var select11 = linear_select([ + part27, + part28, +]); + +var part29 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + +var all8 = all_match({ + processors: [ + dup2, + select11, + part29, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," DeviceControl"), + dup8, + dup25, + dup26, + ]), +}); + +var msg8 = msg("CylancePROTECT:08", all8); + +var part30 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}(%{fld3}), Zone Names: %{p0}"); + +var part31 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + +var select12 = linear_select([ + part31, + dup14, +]); + +var all9 = 
all_match({ + processors: [ + dup2, + dup27, + part30, + select12, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ScriptControl"), + dup8, + dup25, + dup26, + ]), +}); + +var msg9 = msg("CylancePROTECT:09", all9); + +var part32 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + +var part33 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); + +var select13 = linear_select([ + part32, + part33, +]); + +var part34 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype->} "); + +var all10 = all_match({ + processors: [ + dup2, + select13, + part34, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," Threat"), + dup8, + dup25, + dup26, + ]), +}); + +var msg10 = msg("CylancePROTECT:10", all10); + +var part35 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + +var part36 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); + +var select14 = linear_select([ + part35, + part36, +]); + +var part37 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + +var all11 = all_match({ + processors: [ + dup2, + select14, + part37, + ], + on_success: processor_chain([ + dup6, + 
setc("vendor_event_cat"," AppControl"), + dup25, + dup26, + ]), +}); + +var msg11 = msg("CylancePROTECT:11", all11); + +var part38 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + +var all12 = all_match({ + processors: [ + dup2, + dup28, + part38, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg12 = msg("CylancePROTECT:15", all12); + +var part39 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname}(%{mail_id})"); + +var all13 = all_match({ + processors: [ + dup2, + dup28, + part39, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg13 = msg("CylancePROTECT:14", all13); + +var part40 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + +var all14 = all_match({ + processors: [ + dup2, + dup28, + part40, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg14 = msg("CylancePROTECT:13", all14); + +var part41 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + +var all15 = all_match({ + processors: [ + dup2, + dup28, + part41, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg15 = msg("CylancePROTECT:16", all15); + +var part42 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, 
Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + +var all16 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg16 = msg("CylancePROTECT:25", all16); + +var part43 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + +var part44 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + +var part45 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + +var part46 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); + +var select15 = linear_select([ + part44, + part45, + part46, +]); + +var all17 = all_match({ + processors: [ + dup2, + dup28, + part43, + select15, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg17 = msg("CylancePROTECT:12", all17); + +var part47 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + +var part48 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + +var part49 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); + +var select16 = linear_select([ + part48, + part49, +]); + +var all18 = all_match({ + processors: [ + part47, + select16, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg18 = msg("CylancePROTECT:17", all18); + +var part50 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged 
On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup6, + dup19, + dup25, + dup26, +])); + +var msg19 = msg("CylancePROTECT:18", part50); + +var part51 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + +var part52 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); + +var select17 = linear_select([ + part52, + dup14, +]); + +var all19 = all_match({ + processors: [ + part51, + select17, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg20 = msg("CylancePROTECT:19", all19); + +var part53 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + +var part54 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + +var part55 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + +var select18 = linear_select([ + part54, + part55, +]); + +var part56 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); + +var part57 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); + +var part58 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); + +var select19 = linear_select([ + part57, + part58, +]); + +var part59 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + +var all20 = all_match({ + processors: [ + part53, + select18, + part56, + select19, + part59, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg21 = msg("CylancePROTECT:20", all20); + +var part60 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", 
"Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), +])); + +var msg22 = msg("CylancePROTECT:21", part60); + +var part61 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + +var part62 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + +var part63 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + +var select20 = linear_select([ + part62, + part63, +]); + +var all21 = all_match({ + processors: [ + part61, + select20, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg23 = msg("CylancePROTECT:22", all21); + +var part64 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup6, + dup19, + dup25, + dup26, +])); + +var msg24 = msg("CylancePROTECT:23", part64); + +var part65 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname}(%{p0}"); + +var part66 = match("MESSAGE#24:CylancePROTECT:24/1_0", 
"nwparser.p0", "%{mail_id})#015"); + +var part67 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); + +var select21 = linear_select([ + part66, + part67, +]); + +var all22 = all_match({ + processors: [ + part65, + select21, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg25 = msg("CylancePROTECT:24", all22); + +var part68 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4}to '%{policyname}', User: %{user_fname->} %{user_lname}(%{mail_id}), Zone Names:%{p0}"); + +var all23 = all_match({ + processors: [ + part68, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg26 = msg("CylancePROTECT:26", all23); + +var part69 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + +var part70 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + +var part71 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + +var select22 = linear_select([ + part70, + part71, +]); + +var part72 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname}(%{mail_id}), Zone Names:%{p0}"); + +var part73 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + +var select23 = linear_select([ + part73, + dup14, +]); + +var all24 = all_match({ + processors: [ + part69, + select22, + part72, + select23, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg27 = msg("CylancePROTECT:27", all24); + +var part74 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + +var part75 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", 
"Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + +var part76 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + +var select24 = linear_select([ + part75, + part76, +]); + +var part77 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info}Device Id: %{fld3}"); + +var all25 = all_match({ + processors: [ + part74, + select24, + part77, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg28 = msg("CylancePROTECT:28", all25); + +var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), +]); + +var part78 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + +var part79 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + +var part80 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + +var part81 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname}(%{mail_id})"); + +var part82 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + +var part83 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + +var part84 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + +var part85 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + +var part86 = 
match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + +var part87 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + +var part88 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + +var part89 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + +var part90 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + +var select26 = linear_select([ + dup3, + dup4, +]); + +var select27 = linear_select([ + dup12, + dup13, +]); + +var select28 = linear_select([ + dup15, + dup16, +]); + +var select29 = linear_select([ + dup17, + dup18, +]); + +var select30 = linear_select([ + dup20, + dup14, +]); diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml new file mode 100644 index 00000000000..d6bca1e8c47 --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml 
@@ -0,0 +1,55 @@ +--- +description: Pipeline for CylanceProtect + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/cylance/protect/manifest.yml b/x-pack/filebeat/module/cylance/protect/manifest.yml new file mode 100644 index 00000000000..d0f61417f4b --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/manifest.yml 
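Review bot: The `user_agent` processor at the top of the pipeline reads `user_agent.original`, but nothing in the visible parser populates that field — every Cylance message format in this patch maps into `saddr`, `node`, `checksum`, `username`, `directory` and similar, and none of them carries an HTTP user agent — so the processor appears dead while still forcing the `ingest-user_agent` plugin requirement declared in manifest.yml. If it is kept for parity with the other RSA-derived modules, a comment above it would save the next reader the search, e.g. `# Kept for parity with the shared RSA module template; no Cylance message format carries a user agent today.`; otherwise drop it together with the `requires.processors` entry. Separately, the `geoip` lookups on `source.ip` will add nothing for the RFC1918 endpoint addresses these events mostly carry (the sample log in this patch shows `IP Address: (10.x.x.x)`), which is expected but worth a one-line comment so an empty `source.geo` is not mistaken for a pipeline failure.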
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["cylance.protect", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9508 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log new file mode 100644 index 00000000000..212f72f087c --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log 
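Review bot: The defaults `input: udp` and `syslog_host: localhost` mean the fileset ingests unauthenticated, trivially spoofable datagrams the moment an operator widens `syslog_host` to a reachable interface, and every event is tagged `forwarded` (by Beats convention, "did not originate on this host"), so nothing in the indexed document ties it back to a trusted sender. The module docs should say so and steer deployments toward the `tcp` input behind a TLS-terminating forwarder or a source-filtered interface; a note under the `syslog_host` variable along the lines of `UDP syslog carries no sender authentication; keep the bind address on loopback or a filtered interface, or set input to tcp behind a TLS forwarder.` would be enough. The `keep_raw_fields: false` and `debug: false` defaults are the safe choices and are worth stating as such, since turning either on writes the raw vendor payload into the index.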
@@ -0,0 +1,100 @@ +29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) +2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) +26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu +2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) +2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) +uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo +24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq +ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) +2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, 
Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan +2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc +20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu +2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute +July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc +olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend +2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd +ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: 
Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib +13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae +Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit +12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat +ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi +Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam +24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex +8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum +Dec 23 12:09:07 
ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur +6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame +20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame +2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) +uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) +2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin) +2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) +uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: 
onula, Zone Names: miu +Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 +30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) +14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq +iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom +2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte +2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) +11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE 
Zone Names: stquid +25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo +8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni +Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu +September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute +2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea +4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide +nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, 
Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita +Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema +16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm +1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau +hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai +ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici +Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud +Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat +bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac 
[llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) +Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse +Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl +2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever) +quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum +2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido +2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) +2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun +2018-6-19T3:46:49.oremip 
its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui +3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati +17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) +edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine +15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo +29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia +2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: 
lupta ura (oreeufug) +2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum +2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex +25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt +9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat +inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo +2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) +21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance 
Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin +Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme +19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate +inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio +Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem +odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv +Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum +1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device 
Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod +15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc) +isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae +2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam) +2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu) +11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu) +Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita +10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon 
+24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam +Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi +21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil +5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015 +19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) +Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod +Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone 
Names:aqua, Device Id: edquiac, Policy Name: sit +rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta +15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam +ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis) +14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int) diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json new file mode 100644 index 00000000000..e4101954f32 --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
@@ -0,0 +1,3452 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.category": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", + "fileset.name": "protect", + "host.name": "nostrud4819.mail.test", + "input.type": "log", + "log.offset": 0, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "uii", + "rsa.identity.lastname": "umexe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "estlabo", + "rsa.misc.node": "pisciv", + "rsa.misc.policy_name": "orev", + "rsa.network.alias_host": [ + "nostrud4819.mail.test" + ], + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", + "fileset.name": "protect", + "host.name": "volup208.invalid", + "input.type": "log", + "log.offset": 271, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "luptat", + "rsa.identity.lastname": "isiutal", + "rsa.internal.messageid": 
"CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "moenimi", + "rsa.misc.node": "vol", + "rsa.network.alias_host": [ + "volup208.invalid" + ], + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-26T10:15:08.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu", + "fileset.name": "protect", + "host.name": "eius6159.www5.localhost", + "input.type": "log", + "log.offset": 453, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "temvel", + "rsa.identity.firstname": "lupt", + "rsa.identity.lastname": "tia", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "aer", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "oloremqu", + "rsa.network.alias_host": [ + "eius6159.www5.localhost" + ], + "rsa.time.event_time": "2020-02-26T10:15:08.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: 
SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", + "fileset.name": "protect", + "host.name": "ratvolup497.www.corp", + "input.type": "log", + "log.offset": 690, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ommodic", + "rsa.identity.firstname": "mipsu", + "rsa.identity.lastname": "consec", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "taliquip", + "rsa.network.alias_host": [ + "ratvolup497.www.corp" + ], + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", + "fileset.name": "protect", + "host.name": "tatno5625.api.local", + "input.type": "log", + "log.offset": 869, + "observer.product": "taliqu", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tur", + "rsa.identity.lastname": "aperi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "ommod", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "iveli", + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tatno5625.api.local" + ], + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "cylance", + 
"tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo", + "fileset.name": "protect", + "host.name": "maveniam1399.mail.lan", + "input.type": "log", + "log.offset": 1075, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.124.61.119" + ], + "rsa.db.index": "reetdolo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.OS": "ect", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "eip", + "rsa.network.alias_host": [ + "maveniam1399.mail.lan" + ], + "rsa.network.eth_host": "01:00:5e:dc:bb:8b", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "service.type": "cylance", + "source.ip": [ + "10.124.61.119" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "occ" + ] + }, + { + "@timestamp": "2020-04-24T14:25:25.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq", + "fileset.name": "protect", + "host.name": "nimadmin6499.local", + "input.type": "log", + "log.offset": 1370, 
+ "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lorem", + "rsa.identity.firstname": "urerep", + "rsa.identity.lastname": "aquaeab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.device_name": "dexe", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "liqu", + "rsa.network.alias_host": [ + "nimadmin6499.local" + ], + "rsa.time.event_time": "2020-04-24T14:25:25.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) ", + "fileset.name": "protect", + "host.name": "suntinc4934.www5.test", + "input.type": "log", + "log.offset": 1612, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dmi", + "rsa.identity.lastname": "olab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "uovol", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "mquisnos", + "rsa.misc.policy_name": "uptatev; SHA256: uovol", + "rsa.network.alias_host": [ + "suntinc4934.www5.test" + ], + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.category": "SystemSecurity", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", + "file.directory": "aspern", + "fileset.name": "protect", + "host.name": "reetdolo2451.www.example", + "input.type": "log", + "log.offset": 1815, + "network.application": "itlabori", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.2344", + "rsa.db.index": "ollit", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "llam", + "rsa.misc.version": "1.2344", + "rsa.network.alias_host": [ + "reetdolo2451.www.example" + ], + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "usan" + ] + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "event.category": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", + "fileset.name": "protect", + "host.name": "uis7612.www5.domain", + "input.type": "log", + "log.offset": 2075, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "emeumfug", + "rsa.misc.event_type": "Registration", + 
"rsa.network.alias_host": [ + "uis7612.www5.domain" + ], + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", + "fileset.name": "protect", + "host.name": "admi3749.api.lan", + "input.type": "log", + "log.offset": 2211, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nimadmin", + "rsa.identity.firstname": "iqui", + "rsa.identity.lastname": "etc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.device_name": "tinvol", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "etM", + "rsa.network.alias_host": [ + "admi3749.api.lan" + ], + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.category": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", + "file.directory": "Nemoen", + "fileset.name": "protect", + "host.name": 
"rudexerc703.internal.host", + "input.type": "log", + "log.offset": 2488, + "network.application": "tfug", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.5383", + "rsa.db.index": "urE", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "onproide", + "rsa.misc.version": "1.5383", + "rsa.network.alias_host": [ + "rudexerc703.internal.host" + ], + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "isaute" + ] + }, + { + "@timestamp": "2016-07-18T20:40:00.000Z", + "event.action": "cancel", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", + "file.directory": "Lor", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 2755, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.199.98.186" + ], + "rsa.db.index": "erc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.checksum": "itecto", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "sequatur", + "rsa.time.event_time": "2016-07-18T20:40:00.000Z", + 
"service.type": "cylance", + "source.ip": [ + "10.199.98.186" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend ", + "fileset.name": "protect", + "host.name": "estqu1709.internal.example", + "input.type": "log", + "log.offset": 3048, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": " iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": "Threat", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu", + "rsa.network.alias_host": [ + "estqu1709.internal.example" + ], + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.category": "Alert", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", + "fileset.name": "protect", + "host.name": "xeac7155.www.localdomain", + "input.type": "log", + "log.offset": 3565, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.143.239.210" + ], + "rsa.db.index": "sedd", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "pida", + "rsa.misc.OS": "mnisist", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "idolor", + "rsa.network.alias_host": [ + "xeac7155.www.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:93:1c:9f", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "cylance", + "source.ip": [ + "10.143.239.210" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "oinBCSe" + ] + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "event.action": "accept", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", + "fileset.name": "protect", + "host.name": "maccusa5126.api.domain", + "input.type": "log", + "log.offset": 3856, + "observer.product": "Protect", + 
"observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "aliqu.exe", + "process.pid": 2289, + "related.ip": [ + "10.32.143.134" + ], + "rsa.db.index": "eFinib", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "olorema", + "rsa.misc.policy_name": "mipsumd", + "rsa.network.alias_host": [ + "maccusa5126.api.domain" + ], + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "service.type": "cylance", + "source.ip": [ + "10.32.143.134" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "olupta" + ] + }, + { + "@timestamp": "2019-09-13T12:51:07.000Z", + "event.category": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", + "fileset.name": "protect", + "host.name": "llu4718.localhost", + "input.type": "log", + "log.offset": 4161, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "psaquae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "oidentsu", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "conseq", + "rsa.misc.serial_number": "ern", + "rsa.network.alias_host": [ + "llu4718.localhost" + ], + "rsa.time.event_time": "2019-09-13T12:51:07.000Z", + "service.type": 
"cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-28T07:53:42.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 4506, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ari", + "rsa.identity.firstname": "rinrepre", + "rsa.identity.lastname": "etconse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "stquidol", + "rsa.misc.device_name": "leumiu", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "tincu", + "rsa.misc.policy_name": "taevit", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.category": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", + "fileset.name": "protect", + "host.name": "eaq908.api.home", + "input.type": "log", + "log.offset": 4739, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "equat", + "rsa.internal.messageid": 
"CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "luptasn", + "rsa.network.alias_host": [ + "eaq908.api.home" + ], + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", + "file.directory": "olor", + "fileset.name": "protect", + "host.name": "mcolab379.internal.home", + "input.type": "log", + "log.offset": 4993, + "network.application": "Neque", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.4129", + "rsa.db.index": "iutali", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "tper", + "rsa.misc.version": "1.4129", + "rsa.network.alias_host": [ + "mcolab379.internal.home" + ], + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "fdeFi" + ] + }, + { + "@timestamp": "2019-11-10T05:01:24.000Z", + "event.category": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + 
"event.original": "Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 5270, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.237.205.140" + ], + "rsa.db.index": "veniam", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "boN", + "rsa.misc.OS": "iduntu", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "ectio", + "rsa.network.eth_host": "01:00:5e:3f:c4:6c", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "service.type": "cylance", + "source.ip": [ + "10.237.205.140" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "uames" + ] + }, + { + "@timestamp": "2019-11-24T12:03:59.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex", + "fileset.name": "protect", + "host.name": "sciun4694.api.lan", + "input.type": "log", + "log.offset": 5529, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "enderit", + "rsa.identity.firstname": "idata", + "rsa.identity.lastname": "rumwritt", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + 
"rsa.misc.device_name": "nsect", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "magnid", + "rsa.network.alias_host": [ + "sciun4694.api.lan" + ], + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-08T07:06:33.000Z", + "event.category": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", + "fileset.name": "protect", + "host.name": "mni7200.mail.localdomain", + "input.type": "log", + "log.offset": 5774, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "uisau", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "idolor", + "rsa.network.alias_host": [ + "mni7200.mail.localdomain" + ], + "rsa.time.event_time": "2019-12-08T07:06:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-23T14:09:07.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 5975, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tur", + "rsa.internal.messageid": 
"CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "quinesc", + "rsa.network.zone": "madmi", + "rsa.time.event_time": "2019-12-23T14:09:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", + "file.directory": "orro", + "fileset.name": "protect", + "host.name": "ntoccae1705.internal.invalid", + "input.type": "log", + "log.offset": 6152, + "network.application": "tae", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3212", + "rsa.db.index": "tlab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "sBon", + "rsa.misc.version": "1.3212", + "rsa.network.alias_host": [ + "ntoccae1705.internal.invalid" + ], + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "aperiame" + ] + }, + { + "@timestamp": "2020-01-20T04:14:16.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Jan-2017 2:14:16 high 
tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", + "fileset.name": "protect", + "host.name": "etconsec6708.internal.invalid", + "input.type": "log", + "log.offset": 6479, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "mquame", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.device_name": "tquov", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "ersp", + "rsa.misc.serial_number": "tes", + "rsa.network.alias_host": [ + "etconsec6708.internal.invalid" + ], + "rsa.time.event_time": "2020-01-20T04:14:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", + "fileset.name": "protect", + "host.name": "Sedutp7428.internal.home", + "input.type": "log", + "log.offset": 6843, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "iquipe", + "rsa.identity.firstname": "upida", + "rsa.identity.lastname": "tvolupt", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + 
"rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "eufugi", + "rsa.misc.policy_name": "itempor", + "rsa.network.alias_host": [ + "Sedutp7428.internal.home" + ], + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", + "fileset.name": "protect", + "host.name": "ati4639.www5.home", + "input.type": "log", + "log.offset": 7061, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "con", + "rsa.identity.lastname": "nisist", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "usmodte", + "rsa.misc.node": "ven", + "rsa.network.alias_host": [ + "ati4639.www5.home" + ], + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin)", + "fileset.name": "protect", + "host.name": 
"torever662.www5.home", + "input.type": "log", + "log.offset": 7235, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", + "rsa.identity.firstname": "amcol", + "rsa.identity.lastname": "adeser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "oin", + "rsa.network.alias_host": [ + "torever662.www5.home" + ], + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) ", + "fileset.name": "protect", + "host.name": "emeumfug4387.internal.lan", + "input.type": "log", + "log.offset": 7476, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "ccaeca", + "rsa.identity.lastname": "niamq", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "iduntu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "lapariat", + "rsa.misc.node": "untincul", + "rsa.network.alias_host": [ + "emeumfug4387.internal.lan" + ], + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "service.type": "cylance", + "tags": [ + 
"cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", + "fileset.name": "protect", + "host.name": "rumwrit764.www5.local", + "input.type": "log", + "log.offset": 7682, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "miu", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "etMal", + "rsa.misc.serial_number": "onula", + "rsa.network.alias_host": [ + "rumwrit764.www5.local" + ], + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-16T10:29:41.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 8022, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.13.66.97" + ], + "rsa.identity.firstname": "dicta", + 
"rsa.identity.lastname": "taedicta", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "ritt", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "service.type": "cylance", + "source.ip": [ + "10.13.66.97" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "event.category": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", + "fileset.name": "protect", + "host.name": "oremi1485.api.localhost", + "input.type": "log", + "log.offset": 8198, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "atisund", + "rsa.identity.lastname": "xea", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "amvolupt", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "ites", + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oremi1485.api.localhost" + ], + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-14T12:34:50.000Z", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + 
"event.original": "14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", + "fileset.name": "protect", + "host.name": "periam126.api.host", + "input.type": "log", + "log.offset": 8478, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "rExc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.checksum": "tame", + "rsa.misc.event_type": "threat_found", + "rsa.network.alias_host": [ + "periam126.api.host" + ], + "rsa.time.event_time": "2020-05-14T12:34:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom ", + "fileset.name": "protect", + "host.name": "tate6578.api.localdomain", + "input.type": "log", + "log.offset": 8686, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": " turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", + "rsa.internal.messageid": "CylancePROTECT", + 
"rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "Threat", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa", + "rsa.network.alias_host": [ + "tate6578.api.localdomain" + ], + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", + "fileset.name": "protect", + "host.name": "midestl1919.host", + "input.type": "log", + "log.offset": 9198, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.124.88.222" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.OS": "liquaUte", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "aUt", + "rsa.network.alias_host": [ + "midestl1919.host" + ], + "rsa.network.eth_host": "01:00:5e:f9:78:c2", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "cylance", + "source.ip": [ + "10.124.88.222" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + 
"user.name": [ + "onu" + ] + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.category": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) ", + "fileset.name": "protect", + "host.name": "eiusmod3517.internal.invalid", + "input.type": "log", + "log.offset": 9473, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dol", + "rsa.identity.lastname": "sciun", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "labor", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "metcons", + "rsa.misc.node": "olup", + "rsa.network.alias_host": [ + "eiusmod3517.internal.invalid" + ], + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", + "fileset.name": "protect", + "host.name": "ntexpl3889.www.home", + "input.type": "log", + "log.offset": 9683, + "observer.product": "Protect", + "observer.type": 
"Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.156.34.19" + ], + "rsa.db.index": "stquid", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "Cic", + "rsa.misc.OS": "ariaturE", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "saqu", + "rsa.network.alias_host": [ + "ntexpl3889.www.home" + ], + "rsa.network.eth_host": "01:00:5e:54:ab:3f", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "cylance", + "source.ip": [ + "10.156.34.19" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "imveni" + ] + }, + { + "@timestamp": "2019-07-25T11:47:41.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", + "fileset.name": "protect", + "host.name": "ntium4450.www5.localdomain", + "input.type": "log", + "log.offset": 10032, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.22.94.10" + ], + "rsa.db.index": "mpo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.OS": "animid", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "vol", + "rsa.network.alias_host": [ + "ntium4450.www5.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:ee:e8:77", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "cylance", + "source.ip": [ + 
"10.22.94.10" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "ssusci" + ] + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", + "fileset.name": "protect", + "host.name": "erspi5757.local", + "input.type": "log", + "log.offset": 10346, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "undeomni", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uov", + "rsa.misc.serial_number": "quaU", + "rsa.network.alias_host": [ + "erspi5757.local" + ], + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T13:52:50.000Z", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 
10760, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lmolesti", + "rsa.identity.firstname": "uptate", + "rsa.identity.lastname": "lloinven", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "idolo", + "rsa.misc.device_name": "edolo", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "econs", + "rsa.time.event_time": "2019-08-22T13:52:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:00.000Z", + "event.action": "allow", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", + "file.directory": "isi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 11002, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.153.34.43" + ], + "rsa.db.index": "saute", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.checksum": "culpaq", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "fugits", + "rsa.time.event_time": "2017-09-06T08:55:00.000Z", + "service.type": "cylance", + "source.ip": [ + "10.153.34.43" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": 
"2017-09-20T03:57:58.000Z", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", + "fileset.name": "protect", + "host.name": "magnid3343.home", + "input.type": "log", + "log.offset": 11295, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "obea", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "gitse", + "rsa.misc.serial_number": "col", + "rsa.network.alias_host": [ + "magnid3343.home" + ], + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-04T11:00:32.000Z", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", + "fileset.name": "protect", + "host.name": "asperna7623.www.home", + "input.type": "log", + "log.offset": 11628, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "onproide", + "rsa.internal.messageid": "CylancePROTECT", + 
"rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dexe", + "rsa.network.alias_host": [ + "asperna7623.www.home" + ], + "rsa.network.zone": "tat", + "rsa.time.event_time": "2019-10-04T11:00:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", + "file.directory": "seddoeiu", + "fileset.name": "protect", + "host.name": "undeom845.www5.example", + "input.type": "log", + "log.offset": 11842, + "network.application": "nse", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3421", + "rsa.db.index": "quira", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "liq", + "rsa.misc.version": "1.3421", + "rsa.network.alias_host": [ + "undeom845.www5.example" + ], + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "tassita" + ] + }, + { + "@timestamp": "2019-11-02T13:05:41.000Z", + "event.category": "threat_changed", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event 
Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 12106, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tatema", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "nisiut", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "quira", + "rsa.network.zone": "rror", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "event.category": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm ", + "fileset.name": "protect", + "host.name": "ons5050.mail.test", + "input.type": "log", + "log.offset": 12274, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": " cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": 
"Threat", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere", + "rsa.network.alias_host": [ + "ons5050.mail.test" + ], + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-01T03:10:49.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", + "fileset.name": "protect", + "host.name": "oloreeu7597.mail.home", + "input.type": "log", + "log.offset": 12840, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.7.99.47" + ], + "rsa.db.index": "ditau", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.OS": "teturadi", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "nula", + "rsa.network.alias_host": [ + "oloreeu7597.mail.home" + ], + "rsa.network.eth_host": "01:00:5e:e8:41:ae", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "service.type": "cylance", + "source.ip": [ + "10.7.99.47" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "evolupta" + ] + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.category": "Device Updated", + "event.code": 
"CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", + "fileset.name": "protect", + "host.name": "ueip5847.api.test", + "input.type": "log", + "log.offset": 13156, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "Nemoenim", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "sed", + "rsa.misc.checksum": "labori", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "ueip5847.api.test" + ], + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", + "file.directory": "eufug", + "fileset.name": "protect", + "host.name": "uid3520.www.home", + "input.type": "log", + "log.offset": 13361, + "network.application": "roquisq", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.989", + "rsa.db.index": "civelits", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + 
"rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "prehend", + "rsa.misc.version": "1.989", + "rsa.network.alias_host": [ + "uid3520.www.home" + ], + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "ici" + ] + }, + { + "@timestamp": "2020-01-12T12:18:32.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 13629, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nostrud", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "iduntu", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "inibusB", + "rsa.time.event_time": "2020-01-12T12:18:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-27T07:21:06.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 13778, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "ugiat", + "rsa.internal.messageid": "CylancePROTECT", + 
"rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "pariatur", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "imavenia", + "rsa.network.zone": "expli", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", + "fileset.name": "protect", + "host.name": "teir7585.www5.localdomain", + "input.type": "log", + "log.offset": 13951, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "scip", + "rsa.identity.lastname": "Finibus", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "Utenimad", + "rsa.misc.node": "oreverit", + "rsa.network.alias_host": [ + "teir7585.www5.localdomain" + ], + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-24T09:26:15.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device 
Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse ", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 14150, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ali", + "rsa.misc.device_name": "itasp", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "quunt", + "rsa.misc.serial_number": "volup", + "rsa.time.event_time": "2020-02-24T09:26:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-11T04:28:49.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 14477, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "colabori", + "rsa.identity.firstname": "nvo", + "rsa.identity.lastname": "iamqui", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "atura", + "rsa.misc.device_name": "oreeu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "tassita", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + 
"event.category": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever)", + "fileset.name": "protect", + "host.name": "serrorsi1096.www5.localdomain", + "input.type": "log", + "log.offset": 14659, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", + "rsa.identity.firstname": "", + "rsa.identity.lastname": "", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "ever", + "rsa.network.alias_host": [ + "serrorsi1096.www5.localdomain" + ], + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", + "fileset.name": "protect", + "host.name": "prehen4807.mail.invalid", + "input.type": "log", + "log.offset": 14896, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": 
"Cylance", + "rsa.db.index": "meum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "remq", + "rsa.misc.serial_number": "ugia", + "rsa.network.alias_host": [ + "prehen4807.mail.invalid" + ], + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.category": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", + "fileset.name": "protect", + "host.name": "sit1400.www.lan", + "input.type": "log", + "log.offset": 15232, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ntsunti", + "rsa.identity.firstname": "uid", + "rsa.identity.lastname": "idatat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "onev", + "rsa.misc.policy_name": "borios", + "rsa.network.alias_host": [ + "sit1400.www.lan" + ], + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.category": "Device Updated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain 
CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", + "fileset.name": "protect", + "host.name": "sectetu7182.localdomain", + "input.type": "log", + "log.offset": 15425, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "orissus", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "sectetu7182.localdomain" + ], + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "event.category": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", + "fileset.name": "protect", + "host.name": "officiad4982.www5.domain", + "input.type": "log", + "log.offset": 15573, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "etdolore", + "rsa.identity.lastname": "magnaa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "sumquiad", + "rsa.misc.node": "umtota", + "rsa.network.alias_host": [ + "officiad4982.www5.domain" + ], + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + 
"event.category": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", + "fileset.name": "protect", + "host.name": "consequa1486.internal.localdomain", + "input.type": "log", + "log.offset": 15760, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "quaeratv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ptatemse", + "rsa.misc.checksum": "tobeata", + "rsa.misc.event_type": "pechange", + "rsa.network.alias_host": [ + "consequa1486.internal.localdomain" + ], + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.category": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", + "fileset.name": "protect", + "host.name": "its6443.mail.example", + "input.type": "log", + "log.offset": 15980, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.139.80.71" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "miurere", + "rsa.misc.OS": "eniamqui", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "tlabo", + "rsa.network.alias_host": [ + "its6443.mail.example" + ], + "rsa.network.eth_host": "01:00:5e:bc:c1:21", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "cylance", + "source.ip": [ + "10.139.80.71" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "orem" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati ", + "fileset.name": "protect", + "host.name": "tconsec7604.corp", + "input.type": "log", + "log.offset": 16254, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": " con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "Threat", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua", + 
"rsa.network.alias_host": [ + "tconsec7604.corp" + ], + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", + "fileset.name": "protect", + "host.name": "tuser2694.internal.invalid", + "input.type": "log", + "log.offset": 16795, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "natus", + "rsa.identity.lastname": "boreet", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ugiatqu", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "luptasnu", + "rsa.misc.node": "turveli", + "rsa.misc.policy_name": "isciv", + "rsa.network.alias_host": [ + "tuser2694.internal.invalid" + ], + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "event.category": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", + "fileset.name": "protect", + "host.name": "gnaaliq5240.api.test", + "input.type": "log", + 
"log.offset": 17076, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "ratvo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "esciun", + "rsa.misc.checksum": "volupt", + "rsa.misc.event_type": "pechange", + "rsa.network.alias_host": [ + "gnaaliq5240.api.test" + ], + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-15T09:57:06.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", + "fileset.name": "protect", + "host.name": "illum2625.test", + "input.type": "log", + "log.offset": 17277, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "iaeconse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "nimadmin", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "illum2625.test" + ], + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.action": "deny", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 
2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", + "file.directory": "emporin", + "fileset.name": "protect", + "host.name": "nulamc5617.mail.host", + "input.type": "log", + "log.offset": 17487, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.134.137.205" + ], + "rsa.db.index": "etquasia", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.checksum": "oreseosq", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "ntu", + "rsa.network.alias_host": [ + "nulamc5617.mail.host" + ], + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "cylance", + "source.ip": [ + "10.134.137.205" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", + "fileset.name": "protect", + "host.name": "tatem4713.internal.host", + "input.type": "log", + "log.offset": 17834, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "usci", + "rsa.identity.firstname": "lupta", + "rsa.identity.lastname": "ura", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + 
"rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "oreeufug", + "rsa.misc.policy_name": "unturmag", + "rsa.network.alias_host": [ + "tatem4713.internal.host" + ], + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum", + "fileset.name": "protect", + "host.name": "ugits5961.www5.local", + "input.type": "log", + "log.offset": 18050, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.91.2.225" + ], + "rsa.db.index": "nostrum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "naa", + "rsa.misc.OS": "imipsa", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "idolo", + "rsa.network.alias_host": [ + "ugits5961.www5.local" + ], + "rsa.network.eth_host": "01:00:5e:42:41:00", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "cylance", + "source.ip": [ + "10.91.2.225" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "rsp" + ] + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.action": "block", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + 
"event.module": "cylance", + "event.original": "2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex", + "fileset.name": "protect", + "host.name": "prehende5460.mail.localdomain", + "input.type": "log", + "log.offset": 18347, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "nimadmi.exe", + "process.pid": 601, + "related.ip": [ + "10.191.99.14" + ], + "rsa.db.index": "iquipex", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "uido", + "rsa.misc.policy_name": "emoenimi", + "rsa.network.alias_host": [ + "prehende5460.mail.localdomain" + ], + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "cylance", + "source.ip": [ + "10.191.99.14" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "lapa" + ] + }, + { + "@timestamp": "2019-10-25T09:09:57.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt", + "fileset.name": "protect", + "host.name": "velites1745.api.corp", + "input.type": "log", + "log.offset": 18667, + "observer.product": 
"Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lor", + "rsa.identity.firstname": "naaliq", + "rsa.identity.lastname": "plica", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.change_new": "olorsit", + "rsa.misc.change_old": "nimides", + "rsa.misc.device_name": "psaqu", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "asiarc", + "rsa.network.alias_host": [ + "velites1745.api.corp" + ], + "rsa.time.event_time": "2019-10-25T09:09:57.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-09T04:12:32.000Z", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat", + "fileset.name": "protect", + "host.name": "Duis583.api.local", + "input.type": "log", + "log.offset": 18971, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "dminim", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "aperiame", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "Duis583.api.local" + ], + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.category": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + 
"event.original": "inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo", + "file.directory": "umfu", + "fileset.name": "protect", + "host.name": "velitess2401.www.lan", + "input.type": "log", + "log.offset": 19186, + "network.application": "utla", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.2478", + "rsa.db.index": "dolo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "volupta", + "rsa.misc.version": "1.2478", + "rsa.network.alias_host": [ + "velitess2401.www.lan" + ], + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "event.category": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) ", + "fileset.name": "protect", + "host.name": "sequines3991.mail.local", + "input.type": "log", + "log.offset": 19439, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "sequines", + "rsa.identity.lastname": "minimve", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "reeufugi", + "rsa.misc.checksum": "eumfugia", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "texplica", + "rsa.misc.policy_name": "iquamqu; SHA256: eumfugia; Category: reeufugi", + "rsa.network.alias_host": [ + "sequines3991.mail.local" + ], + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "event.category": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin ", + "fileset.name": "protect", + "host.name": "iatquo2815.mail.host", + "input.type": "log", + "log.offset": 19666, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": " iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "Threat", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File 
Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae", + "rsa.network.alias_host": [ + "iatquo2815.mail.host" + ], + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-05T08:22:49.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 20243, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "tot", + "rsa.identity.firstname": "remips", + "rsa.identity.lastname": "laboreet", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "inBC", + "rsa.misc.device_name": "atevelit", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "uptate", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-19T03:25:23.000Z", + "event.category": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate", + "fileset.name": 
"protect", + "host.name": "issusci7005.mail.host", + "input.type": "log", + "log.offset": 20491, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "tiumtot", + "rsa.identity.firstname": "ecillumd", + "rsa.identity.lastname": "iumto", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.change_new": "saute", + "rsa.misc.change_old": "lors", + "rsa.misc.device_name": "ore", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "sequatu", + "rsa.network.alias_host": [ + "issusci7005.mail.host" + ], + "rsa.time.event_time": "2020-01-19T03:25:23.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.action": "accept", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio", + "file.directory": "reseo", + "fileset.name": "protect", + "host.name": "umq7428.invalid", + "input.type": "log", + "log.offset": 20803, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.164.59.219" + ], + "rsa.db.index": "ulpaquio", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "quam", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "iad", + 
"rsa.network.alias_host": [ + "umq7428.invalid" + ], + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.164.59.219" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-17T05:30:32.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 21083, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "eacomm", + "rsa.identity.firstname": "onorumet", + "rsa.identity.lastname": "iscivel", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "archite", + "rsa.misc.device_name": "rem", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "rinci", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.action": "block", + "event.category": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv", + "file.directory": "ionem", + "fileset.name": "protect", + "host.name": "epteurs5503.www5.home", + "input.type": "log", + "log.offset": 21271, + 
"observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.1.193.187" + ], + "rsa.db.index": "dminimv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "taevitae", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "iscive", + "rsa.network.alias_host": [ + "epteurs5503.www5.home" + ], + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "cylance", + "source.ip": [ + "10.1.193.187" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-17T07:35:40.000Z", + "event.category": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 21545, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "atvol", + "rsa.identity.firstname": "tass", + "rsa.identity.lastname": "ugi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "ipiscin", + "rsa.misc.device_name": "orinr", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "riat", + "rsa.misc.policy_name": "umdo", + "rsa.time.event_time": "2020-03-17T07:35:40.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-01T14:38:14.000Z", + "event.category": 
"DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod ", + "fileset.name": "protect", + "host.name": "omnisis5339.www5.local", + "input.type": "log", + "log.offset": 21768, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "Cicero", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "stiaec", + "rsa.misc.serial_number": "mqui", + "rsa.network.alias_host": [ + "omnisis5339.www5.local" + ], + "rsa.time.event_time": "2020-04-01T14:38:14.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.category": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc)", + "fileset.name": "protect", + "host.name": "ction491.www5.local", + "input.type": "log", + "log.offset": 22149, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "imveniam", + 
"rsa.identity.lastname": "sunte", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "exerc", + "rsa.misc.node": "ill", + "rsa.network.alias_host": [ + "ction491.www5.local" + ], + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae", + "fileset.name": "protect", + "host.name": "undeom7847.api.corp", + "input.type": "log", + "log.offset": 22400, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.146.228.234" + ], + "rsa.db.index": "eatae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "uelaudan", + "rsa.misc.OS": "taed", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "teiru", + "rsa.network.alias_host": [ + "undeom7847.api.corp" + ], + "rsa.network.eth_host": "01:00:5e:9a:f3:b9", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "service.type": "cylance", + "source.ip": [ + "10.146.228.234" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "susc" + ] + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "event.category": "ThreatUpdated", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam)", + "fileset.name": "protect", + "host.name": "dolo6230.mail.invalid", + "input.type": "log", + "log.offset": 22707, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", + "rsa.identity.firstname": "", + "rsa.identity.lastname": "", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "niam", + "rsa.network.alias_host": [ + "dolo6230.mail.invalid" + ], + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu)", + "fileset.name": "protect", + "host.name": "nvolup6280.api.home", + "input.type": "log", + "log.offset": 22941, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dantium", + "rsa.identity.lastname": "ors", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + 
"rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "xeaco", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "dqu", + "rsa.misc.node": "uianonn", + "rsa.misc.policy_name": "eavolupt", + "rsa.network.alias_host": [ + "nvolup6280.api.home" + ], + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.category": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu)", + "fileset.name": "protect", + "host.name": "urautodi3892.www5.example", + "input.type": "log", + "log.offset": 23141, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nibu", + "rsa.identity.firstname": "mdolo", + "rsa.identity.lastname": "nof", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "usantiu", + "rsa.misc.policy_name": "quatur", + "rsa.network.alias_host": [ + "urautodi3892.www5.example" + ], + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-25T08:53:40.000Z", + "event.action": "allow", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jun 25 6:53:40 
litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 23421, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "lab.exe", + "process.pid": 452, + "related.ip": [ + "10.36.18.24" + ], + "rsa.db.index": "ollita", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "itempo", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.device_name": "isciveli", + "rsa.misc.event_type": "Alert", + "rsa.misc.policy_name": "ing", + "rsa.time.event_time": "2020-06-25T08:53:40.000Z", + "service.type": "cylance", + "source.ip": [ + "10.36.18.24" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "nsequ" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.action": "block", + "event.category": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon", + "fileset.name": "protect", + "host.name": "uraut3756.www5.test", + "input.type": "log", + "log.offset": 23675, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "oluptat.exe", + "process.pid": 4608, + "related.ip": [ + "10.127.30.119" + ], + 
"rsa.db.index": "iaecon", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ollita", + "rsa.misc.policy_name": "eabillo", + "rsa.network.alias_host": [ + "uraut3756.www5.test" + ], + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "cylance", + "source.ip": [ + "10.127.30.119" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "stenatus" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.category": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam", + "fileset.name": "protect", + "host.name": "squ2213.www.test", + "input.type": "log", + "log.offset": 24057, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rExce", + "rsa.identity.firstname": "rinc", + "rsa.identity.lastname": "tno", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "ncididu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "meumf", + "rsa.network.alias_host": [ + "squ2213.www.test" + ], + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "event.category": "threat_changed", + "event.code": 
"CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 24343, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "uamnihil", + "rsa.identity.firstname": "iadolo", + "rsa.identity.lastname": "ecatcup", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "snos", + "rsa.misc.device_name": "utod", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.mail_id": "orinrep", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "deny", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil", + "fileset.name": "protect", + "host.name": "umet5891.api.localdomain", + "input.type": "log", + "log.offset": 24578, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "ngelitse.exe", + "process.pid": 4190, + "related.ip": [ + "10.8.150.213" + ], + 
"rsa.db.index": "hil", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dipisciv", + "rsa.misc.policy_name": "mips", + "rsa.network.alias_host": [ + "umet5891.api.localdomain" + ], + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.8.150.213" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "ugiatnul" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.category": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015", + "fileset.name": "protect", + "host.name": "umquam5574.internal.test", + "input.type": "log", + "log.offset": 24963, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.108.59.10" + ], + "rsa.identity.firstname": "magnama", + "rsa.identity.lastname": "reprehe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "citatio", + "rsa.network.alias_host": [ + "umquam5574.internal.test" + ], + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "cylance", + "source.ip": [ + "10.108.59.10" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + 
"event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) ", + "fileset.name": "protect", + "host.name": "volupt6822.api.invalid", + "input.type": "log", + "log.offset": 25200, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "qui", + "rsa.identity.lastname": "epteurs", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "tio", + "rsa.misc.checksum": "gnaa", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "did", + "rsa.misc.node": "xcepte", + "rsa.network.alias_host": [ + "volupt6822.api.invalid" + ], + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 25481, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "commod", + "rsa.internal.messageid": "CylancePROTECT", + 
"rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "rauto", + "rsa.misc.device_name": "rissusci", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "stl", + "rsa.misc.serial_number": "eumfugi", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.category": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 25783, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "aqua, Device Id: edquiac, Policy Name: sit", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "incidi", + "rsa.misc.device_name": "nto", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "tutlabo", + "rsa.misc.serial_number": "ateveli", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru 
[etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", + "file.directory": "sunt", + "fileset.name": "protect", + "host.name": "amvol4075.mail.localhost", + "input.type": "log", + "log.offset": 26120, + "network.application": "orumSe", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3237", + "rsa.db.index": "psa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "onsequa", + "rsa.misc.version": "1.3237", + "rsa.network.alias_host": [ + "amvol4075.mail.localhost" + ], + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": [ + "pta" + ] + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "event.category": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam", + "fileset.name": "protect", + "host.name": "asi4651.api.test", + "input.type": "log", + "log.offset": 26390, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ssecill", + "rsa.identity.firstname": "officiad", + "rsa.identity.lastname": "veniam", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "emp", + "rsa.misc.event_type": 
"Registration", + "rsa.misc.mail_id": "labo", + "rsa.network.alias_host": [ + "asi4651.api.test" + ], + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.category": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis)", + "fileset.name": "protect", + "host.name": "perna6751.internal.home", + "input.type": "log", + "log.offset": 26655, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", + "rsa.identity.firstname": "", + "rsa.identity.lastname": "", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "orisnis", + "rsa.network.alias_host": [ + "perna6751.internal.home" + ], + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.category": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: 
Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int)", + "fileset.name": "protect", + "host.name": "evolupta7790.internal.local", + "input.type": "log", + "log.offset": 26905, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rehe", + "rsa.identity.firstname": "tam", + "rsa.identity.lastname": "deser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "int", + "rsa.misc.policy_name": "aper", + "rsa.network.alias_host": [ + "evolupta7790.internal.local" + ], + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md new file mode 100644 index 00000000000..9c5a174994d --- /dev/null +++ b/x-pack/filebeat/module/f5/README.md @@ -0,0 +1,7 @@ +# f5 module + +This is a module for Big-IP Access Policy Manager logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 +at 2020-07-07 18:10:42.301446 +0000 UTC. + diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml new file mode 100644 index 00000000000..a40427c7730 --- /dev/null +++ b/x-pack/filebeat/module/f5/_meta/config.yml 
@@ -0,0 +1,38 @@ +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + firepass: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9509 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc new file mode 100644 index 00000000000..058a7aa3ea9 --- /dev/null +++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc 
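Review bot: The commented settings list for both `bigipapm` and `firepass` omits `var.keep_raw_fields`, although the fileset docs added in this same series document it (default false, output under `rsa.raw`), so someone working only from the sample config will not discover it; add `# Toggle output of raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false` next to `# var.rsa_fields: true` in each fileset. If this file comes out of the same generator as the README, the fix belongs in the template rather than in this file. A caveat next to `var.syslog_host` would also help: the defaults bind the listeners to `localhost`, and the docs suggest `0.0.0.0` for remote senders, but UDP syslog carries no sender authentication, so spoofed datagrams reaching an exposed listener are ingested as genuine `forwarded` events and a listener bound beyond localhost should only be reachable from the devices' management network.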
@@ -0,0 +1,111 @@ +[role="xpack"] + +:modulename: f5 +:has-dashboards: false + +== F5 module + +experimental[] + +This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: bigipapm + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `bigipapm` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9504` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `firepass` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. 
+ +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9509` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/f5/_meta/fields.yml b/x-pack/filebeat/module/f5/_meta/fields.yml new file mode 100644 index 00000000000..7cd2cda6541 --- /dev/null +++ b/x-pack/filebeat/module/f5/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: f5 + title: Big-IP Access Policy Manager + description: > + f5 fields. + fields: diff --git a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml new file mode 100644 index 00000000000..2cfda9d24b5 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "F5"
+ product: "Big-IP"
+ type: "Access"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/f5/bigipapm/config/liblogparser.js
+ - ${path.home}/module/f5/bigipapm/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
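Review bot: `tz_offset: {{.tz_offset}}` is rendered as an unquoted scalar while `host:` on the same template is quoted, and the value is consumed by `parse_tz_offset` in the new liblogparser.js, which calls `offset.match(...)` on it and therefore needs a string. An offset such as `+10:30` is only guaranteed to reach the script as a string when the scalar is quoted; whether an unquoted `[+-]HH:MM` is resolved by the config loader as a YAML 1.1 sexagesimal integer is not shown by this hunk, so `tz_offset: "{{.tz_offset}}"` removes the doubt. The listening address on the syslog branch is taken from `syslog_host`/`syslog_port`, whose defaults live in the module manifest outside this hunk; the default bind address is worth confirming there since the input accepts unauthenticated syslog.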
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + +var dup5 = 
setc("eventcategory","1801000000"); + +var dup6 = setc("eventcategory","1801010000"); + +var dup7 = setc("eventcategory","1502000000"); + +var dup8 = setc("eventcategory","1805010000"); + +var dup9 = setc("eventcategory","1803000000"); + +var dup10 = setc("eventcategory","1803030000"); + +var dup11 = setc("disposition"," Successful"); + +var dup12 = setc("dclass_counter1_string"," Logon Attempt"); + +var dup13 = setc("eventcategory","1204000000"); + +var dup14 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup15 = setc("eventcategory","1605000000"); + +var dup16 = setc("eventcategory","1612000000"); + +var dup17 = date_time({ + dest: "event_time", + args: ["fld1","fld2","fld3"], + fmts: [ + [dB,dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, +])); + +var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, +])); + +var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + 
constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + 
constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}/%{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant("/"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var msg1 = msg("01490502", dup18); + +var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup3, + dup2, +])); + +var msg2 = msg("01490521", part1); + +var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup3, + dup2, +])); + +var msg3 = msg("01490506", part2); + +var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ + dup3, + dup2, +])); + +var msg4 = msg("01490113:01", part3); + +var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: 
session.server.network.port is %{network_port}", processor_chain([ + dup3, + dup2, +])); + +var msg5 = msg("01490113:02", part4); + +var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup3, + dup2, +])); + +var msg6 = msg("01490113:03", part5); + +var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup3, + dup2, +])); + +var msg7 = msg("01490113:04", part6); + +var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup3, + dup2, +])); + +var msg8 = msg("01490113:05", part7); + +var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup3, + dup2, +])); + +var msg9 = msg("01490113:06", part8); + +var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup3, + dup2, +])); + +var msg10 = msg("01490113", part9); + +var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, +]); + +var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + +var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + +var select3 = linear_select([ + part10, + part11, +]); + +var part12 = 
match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + +var all1 = all_match({ + processors: [ + dup4, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + ]), +}); + +var msg11 = msg("01490010", all1); + +var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, +])); + +var msg12 = msg("01490009", part13); + +var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, +])); + +var msg13 = msg("01490102", part14); + +var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod}authentication for user %{username}using config %{fld8}", processor_chain([ + dup5, + dup2, +])); + +var msg14 = msg("01490000:02", part15); + +var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode}in response header", processor_chain([ + dup6, + dup2, +])); + +var msg15 = msg("01490000:01", part16); + +var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %(unknown)func: \"%{action}\" line: %{fld8}Msg: %{result}", processor_chain([ + dup5, + dup2, +])); + +var msg16 = msg("01490000", part17); + +var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: 
%{event_description}", processor_chain([ + dup5, + dup2, +])); + +var msg17 = msg("01490000:03", part18); + +var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, +]); + +var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup5, + dup2, +])); + +var msg18 = msg("01490004", part19); + +var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + +var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + +var select5 = linear_select([ + part20, + part21, +]); + +var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr}(ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + +var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + +var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + +var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}"); + +var select6 = linear_select([ + part23, + part24, + part25, +]); + +var all2 = all_match({ + processors: [ + dup4, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), +}); + +var msg19 = msg("01490500", all2); + +var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8}from item %{fld9}to ending %{fld10}", processor_chain([ + dup7, + dup2, +])); + +var msg20 = msg("01490005", part26); + +var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following 
rule %{fld8}from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup7, + dup2, +])); + +var msg21 = msg("01490006", part27); + +var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup7, + dup2, +])); + +var msg22 = msg("01490007", part28); + +var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application}assigned", processor_chain([ + dup3, + dup2, +])); + +var msg23 = msg("01490008", part29); + +var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([ + dup6, + dup2, +])); + +var msg24 = msg("01490514", part30); + +var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup5, + dup2, +])); + +var msg25 = msg("01490505", part31); + +var msg26 = msg("01490501", dup18); + +var msg27 = msg("01490520", dup18); + +var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, +])); + +var msg28 = msg("01490142", part32); + +var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn}can not be resolved.", processor_chain([ + dup8, + dup2, 
+])); + +var msg29 = msg("01490504", part33); + +var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup8, + dup2, +])); + +var msg30 = msg("01490538", part34); + +var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg31 = msg("01490107:01", part35); + +var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup9, + dup2, +])); + +var msg32 = msg("01490107", part36); + +var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + +var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + +var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); + +var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup9, + dup2, + ]), +}); + +var msg33 = msg("01490107:02", all3); + +var select8 = linear_select([ + msg31, + msg32, + msg33, +]); + +var part41 = match("MESSAGE#33:01490106", 
"nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg34 = msg("01490106", part41); + +var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg35 = msg("01490106:01", part42); + +var select9 = linear_select([ + msg34, + msg35, +]); + +var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application}assigned", processor_chain([ + dup5, + dup2, +])); + +var msg36 = msg("01490128", part43); + +var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8}configuration has been applied. 
Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup10, + dup2, + setc("dclass_counter1_string","Newly active generation count"), +])); + +var msg37 = msg("01490101", part44); + +var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup10, + dup2, +])); + +var msg38 = msg("01490103", part45); + +var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename}from item %{fld9}to terminalout %{fld10}", processor_chain([ + dup7, + dup2, +])); + +var msg39 = msg("01490115", part46); + +var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup7, + dup2, + dup11, + dup12, +])); + +var msg40 = msg("01490017", part47); + +var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup7, + dup2, + setc("disposition"," Failed"), + dup12, +])); + +var msg41 = msg("01490017:01", part48); + +var select10 = linear_select([ + msg40, + msg41, +]); + +var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup7, + dup2, +])); + +var msg42 = msg("01490013", part49); + +var part50 = match("MESSAGE#42:01490019", "nwparser.payload", 
"%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup7, + dup2, + dup11, +])); + +var msg43 = msg("01490019", part50); + +var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup7, + dup2, +])); + +var msg44 = msg("01490544", part51); + +var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8}with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup7, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), +])); + +var msg45 = msg("01490511", part52); + +var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8}form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Succeeded"), +])); + +var msg46 = msg("014d0002", part53); + +var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8}form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Failed"), +])); + +var msg47 = msg("014d0002:01", part54); + +var select11 = linear_select([ + msg46, + msg47, +]); + +var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new 
configuration", processor_chain([ + dup7, + dup2, +])); + +var msg48 = msg("01490079", part55); + +var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8}initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg49 = msg("01490165", part56); + +var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8}retrieved from session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg50 = msg("01490166", part57); + +var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8}updated inside session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg51 = msg("01490167", part58); + +var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8}added for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg52 = msg("01490169", part59); + +var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8}for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg53 = msg("0149016a", part60); + +var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8}for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg54 = msg("0149016b", part61); + +var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} 
%{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr}- %{p0}"); + +var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + +var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + +var select12 = linear_select([ + part63, + part64, +]); + +var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + +var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup13, + dup14, + dup2, + ]), +}); + +var msg55 = msg("ssl_acc", all4); + +var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type}\"%{url}\" %{rbytes}", processor_chain([ + dup13, + dup14, + dup2, +])); + +var msg56 = msg("ssl_req", part66); + +var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes}\"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup13, + dup14, + dup2, +])); + +var msg57 = msg("acc", part67); + +var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup15, + dup2, +])); + +var msg58 = msg("crond", part68); + +var msg59 = msg("crond:01", dup19); + +var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg60 = msg("crond:02", part69); + +var select13 = linear_select([ + msg58, + msg59, + msg60, +]); + +var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} 
%{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, +])); + +var msg61 = msg("sSMTP", part70); + +var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid}user=%{username}folder=%{directory}module=%{fld6}status=%{result}cmd_data=%{info->} ", processor_chain([ + dup16, + dup2, +])); + +var msg62 = msg("01420002", part71); + +var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg63 = msg("syslog-ng", part72); + +var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg64 = msg("syslog-ng:01", part73); + +var select14 = linear_select([ + msg63, + msg64, +]); + +var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, +])); + +var msg65 = msg("auditd", part74); + +var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod}usernameSource: %{fld9}passwordSource: %{fld10}ntlmdomain: %{c_domain}", processor_chain([ + dup5, + dup2, +])); + +var msg66 = msg("014d0001", part75); + +var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + +var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + +var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + +var select15 = linear_select([ + 
part77, + part78, +]); + +var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + +var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup5, + dup2, + ]), +}); + +var msg67 = msg("014d0001:01", all5); + +var msg68 = msg("014d0001:02", dup20); + +var select16 = linear_select([ + msg66, + msg67, + msg68, +]); + +var msg69 = msg("014d0044", dup20); + +var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr}Tunnel Type: %{group->} %{fld8}Resource: %{rulename}Client IP: %{p0}"); + +var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); + +var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); + +var select17 = linear_select([ + part81, + part82, +]); + +var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), +}); + +var msg70 = msg("01490549", all6); + +var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result}for %{saddr}", processor_chain([ + dup3, + dup2, +])); + +var msg71 = msg("01490547", part83); + +var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup3, + dup2, +])); + +var msg72 = msg("01490517", part84); + +var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result}(Client side: vip=%{url}profile=%{protocol}pool=%{fld8}client_ip=%{saddr})", processor_chain([ + dup3, + dup2, +])); + +var msg73 = msg("011f0005", part85); 
+ +var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename}\u003c\u003c%{event_description}>: APM_EVENT=%{action}| %{username}| %{fld8}***%{result}***", processor_chain([ + dup3, + dup2, +])); + +var msg74 = msg("014d0048", part86); + +var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup3, + dup2, +])); + +var msg75 = msg("error", part87); + +var msg76 = msg("CROND:03", dup19); + +var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup6, + dup2, +])); + +var msg77 = msg("01260009", part88); + +var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4}/Common/home_agent_tca:Common:%{fld5}: %{fld6}- Hostname: %{shost}Type: %{fld7}Version: %{version}Platform: %{os}CPU: %{fld8}Mode:%{fld9}", processor_chain([ + dup15, + dup2, + dup17, +])); + +var msg78 = msg("apmd:04", part89); + +var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4}/Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup9, + dup2, + dup17, +])); + +var msg79 = msg("apmd:03", part90); + +var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4}/Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + +var part92 = match("MESSAGE#79:apmd:02/1_0", 
"nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + +var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); + +var select18 = linear_select([ + part92, + part93, +]); + +var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup9, + dup2, + dup17, + ]), +}); + +var msg80 = msg("apmd:02", all7); + +var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup15, + dup2, + dup17, +])); + +var msg81 = msg("apmd", part94); + +var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), +]); + 
+var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + +var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, +])); + +var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, +])); + +var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, +])); diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml new file mode 100644 index 00000000000..0ea72c6ba4d --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml 
@@ -0,0 +1,55 @@ +--- +description: Pipeline for Big-IP Access Policy Manager + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/f5/bigipapm/manifest.yml b/x-pack/filebeat/module/f5/bigipapm/manifest.yml new file mode 100644 index 00000000000..f1b52ccede2 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/manifest.yml 
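Review bot: The `on_failure` handler at the end of this hunk records the failure only in `error.message`, so a document whose enrichment aborted looks identical to a cleanly processed one in any query that does not inspect that field; for an access-policy log source a silently unparsed event is a detection gap. Consider marking failed documents explicitly, e.g. `- set: { field: event.kind, value: pipeline_error }` ahead of the existing `append` (if the ECS version the module targets defines that value; otherwise a dedicated tag), so dashboards and alert rules can surface them. Note also that the expected output further down in this patch carries `source.ip` as an array, while the `geoip` processors here read `field: source.ip` directly; it is worth confirming that array-valued fields are accepted by the targeted Elasticsearch version, since a processor error there would land in this same handler and skip the remaining processors.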
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["f5.bigipapm", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9504 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log b/x-pack/filebeat/module/f5/bigipapm/test/generated.log new file mode 100644 index 00000000000..cb46f8af2f4 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log 
@@ -0,0 +1,100 @@ +January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi +February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved. +February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq +March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi +March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248 +April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned +April 2016/04/24 00:25:25 aedic high gni: [syslog-ng] +May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse +May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem +June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: +June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati +July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. 
File: mnisist, Function: deny, Line: icons +July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel) +August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque +August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739 +August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm +September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup +September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad' +October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374 +October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. success ercita +November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio +November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce +December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned +December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned +January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access. 
+January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo +February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin +February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal name: dunt. success yCic +March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134) +March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill +April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo +April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. unknown cididu +April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore +May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad +May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. 
File: cepteur, Function: accept, Line: maliqu +June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure +June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ +July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu +July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura +August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success +August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut +September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem +September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo +October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid +October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned +November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt +November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access. +December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150 +December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access. 
+December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu +January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi +January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned +February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat +February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa +March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria +March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei +April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: +April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. 
Newly active generation count is: 5959 +May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu) +May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat +June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: +June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli +July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge +July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data +August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration +August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con +August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned +September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure +September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve +October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM +October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959 +November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration +November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access. 
+December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed +December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown +January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento +January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block) +February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned +February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc +March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven +March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest client_ip=10.24.113.101) +April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta +April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363 +April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel) +May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff +May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua +June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned +June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783 +July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip +July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame +August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552 +August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful +September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia +September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration +October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse +October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure*** +November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng] +November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful +November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve +December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor 
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json new file mode 100644 index 00000000000..639dbf62a61 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json 
@@ -0,0 +1,2597 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 0, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6720, + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "sequa", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "abo" + ] + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", + "event.code": "01490504", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 192, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6153, + "rsa.internal.messageid": "01490504", + "rsa.misc.log_session_id": "deF", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "rsa.web.fqdn": "sist1803.mail.local", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-26T22:15:08.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 312, + "observer.product": "Big-IP", + 
"observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1166, + "rsa.db.index": "isetq", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "sSMTP", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-02-26T22:15:08.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "crond", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 369, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5738, + "rsa.db.index": "veleumi", + "rsa.internal.messageid": "crond", + "rsa.misc.client": "crond", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "ccaecat" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 435, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5990, + "related.ip": [ + "10.134.175.248" + ], + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "inv", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "f5", + "source.ip": [ + "10.134.175.248" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T19:22:51.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + 
"event.original": "April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 550, + "network.application": "ect", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2044, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "occ", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2016/04/24 00:25:25 aedic high gni: [syslog-ng]", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 644, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "[syslog-ng]", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "gni", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "01490167", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 698, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490167", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T16:30:33.000Z", + "event.code": "01490505", 
+ "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 834, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6823, + "rsa.internal.event_desc": "tem", + "rsa.internal.messageid": "01490505", + "rsa.misc.log_session_id": "untutlab", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 920, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6446, + "rsa.db.index": "sSMTP:", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "ali", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 981, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 98, + "rsa.db.index": "tati", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, 
+ { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.action": "deny", + "event.code": "01490514", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. File: mnisist, Function: deny, Line: icons", + "file.name": "mnisist", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1052, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2857, + "rsa.internal.messageid": "01490514", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T20:40:50.000Z", + "event.action": "cancel", + "event.code": "CROND", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1212, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1675, + "rsa.internal.messageid": "CROND", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "CROND", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-07-18T20:40:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "sitvolup" + ] + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.ip": [ + "10.225.160.182" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 
10.225.160.182 Listener mque", + "fileset.name": "bigipapm", + "geo.city_name": "usmodt", + "geo.country_name": "ercit", + "geo.region_name": "saute", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1283, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2289, + "related.ip": [ + "10.225.160.182", + "10.204.123.107" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.log_session_id": "eFinib", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "f5", + "source.ip": [ + "10.204.123.107" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "01490511", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1488, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3386, + "rsa.counters.dclass_c1": 4739, + "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", + "rsa.internal.messageid": "01490511", + "rsa.misc.log_session_id": "tevelite", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "01490544", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", + "fileset.name": "bigipapm", + "http.request.referrer": 
"https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", + "input.type": "log", + "log.level": "medium", + "log.offset": 1652, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4688, + "rsa.internal.messageid": "01490544", + "rsa.misc.log_session_id": "piscin", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-14T00:51:07.000Z", + "event.code": "014d0001", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1818, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2364, + "rsa.db.index": "ctx: itinvol, SERVER : eavolup", + "rsa.internal.messageid": "014d0001", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "01490103", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad'", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1926, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5983, + "rsa.internal.messageid": "01490103", + "rsa.misc.log_session_id": "tse", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "tenimad" + ] + }, + { + "@timestamp": 
"2016-10-12T14:56:16.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 2033, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5625, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "gitsed", + "rsa.misc.severity": "low", + "rsa.network.network_port": 4374, + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T21:58:50.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. 
success ercita", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 2149, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4946, + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "itecto", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "reetdol" + ] + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 2342, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5737, + "rsa.db.index": "tio", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "01490520", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2419, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1188, + "rsa.internal.event_desc": "xce", + "rsa.internal.messageid": "01490520", + "rsa.misc.log_session_id": "tetur", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T19:06:33.000Z", + 
"event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2506, + "network.application": "utaliqu", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5960, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "enimadmi", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:09:07.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 2634, + "network.application": "boNemoe", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1485, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "iosa", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 2736, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5461, + "rsa.internal.messageid": 
"01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T16:14:16.000Z", + "event.code": "01490165", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2861, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490165", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "01490005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3012, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4808, + "rsa.internal.messageid": "01490005", + "rsa.misc.log_session_id": "siuta", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.action": "allow", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal name: dunt. 
success yCic", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3144, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5270, + "rsa.internal.messageid": "01490106", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.log_session_id": "cupi", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "strude" + ] + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "011f0005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3347, + "network.protocol": "ipv6-icmp", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 748, + "related.ip": [ + "10.104.110.134" + ], + "rsa.internal.messageid": "011f0005", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "f5", + "source.ip": [ + "10.104.110.134" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "url.original": "https://www5.example.com/olli/rever.html?rsp=oluptat#metco" + }, + { + "@timestamp": "2017-03-18T20:24:33.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3560, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + 
"process.pid": 2638, + "rsa.db.index": "ill", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "syslog-ng", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "01490107", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 3621, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7589, + "rsa.db.index": "itempo", + "rsa.internal.messageid": "01490107", + "rsa.misc.log_session_id": "mag", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.web.fqdn": "dolores2519.mail.host", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "tob" + ] + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "01490107", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. 
unknown cididu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3834, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5899, + "rsa.internal.messageid": "01490107", + "rsa.misc.log_session_id": "mvolupta", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.web.fqdn": "luptat2979.internal.local", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "iqua" + ] + }, + { + "@timestamp": "2017-04-30T17:32:16.000Z", + "event.code": "01490166", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 4062, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490166", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 4207, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.action": 
"accept", + "event.code": "01490514", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. File: cepteur, Function: accept, Line: maliqu", + "file.name": "cepteur", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4329, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4727, + "rsa.internal.messageid": "01490514", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "01490501", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4489, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5971, + "rsa.internal.event_desc": "umiure", + "rsa.internal.messageid": "01490501", + "rsa.misc.log_session_id": "porai", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T21:42:33.000Z", + "destination.ip": [ + "10.169.101.161" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ", + "fileset.name": "bigipapm", + "geo.city_name": "ine", + "geo.country_name": 
"sitvo", + "geo.region_name": "writte", + "input.type": "log", + "log.level": "low", + "log.offset": 4573, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4318, + "related.ip": [ + "10.169.101.161", + "10.122.204.151" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.log_session_id": "snulap", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "f5", + "source.ip": [ + "10.122.204.151" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 4753, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3682, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "etcon", + "rsa.misc.severity": "low", + "rsa.network.network_service": "onsequu", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "01490013", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4872, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2412, + "rsa.internal.messageid": "01490013", + "rsa.misc.log_session_id": "upta", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": 
"f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T18:50:15.000Z", + "event.code": "01490517", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 4990, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5899, + "rsa.internal.messageid": "01490517", + "rsa.misc.log_session_id": "rur", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-23T01:52:50.000Z", + "event.code": "01420002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5074, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01420002", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "01490549", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.level": "high", + "log.offset": 5218, + "observer.product": "Big-IP", + 
"observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 571, + "related.ip": [ + "10.6.32.7" + ], + "rsa.internal.messageid": "01490549", + "rsa.misc.group": "exerci", + "rsa.misc.log_session_id": "atev", + "rsa.misc.rule_name": "quid", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rule.name": "quid", + "service.type": "f5", + "source.nat.ip": "10.6.32.7", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "01260009", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 5410, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5051, + "rsa.internal.event_desc": "ipitlabo", + "rsa.internal.messageid": "01260009", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T23:00:32.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5507, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6438, + "rsa.db.index": "imid", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "syslog-ng", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + 
"event.module": "f5", + "event.original": "October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5576, + "network.application": "oriosamn", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7083, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "iqu", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "01490004", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5681, + "network.application": "sumquiad", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4212, + "rsa.internal.messageid": "01490004", + "rsa.misc.result_code": "iusmodt", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 5819, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5207, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "low", + 
"rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "01490506", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 5943, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1760, + "rsa.internal.messageid": "01490506", + "rsa.misc.log_session_id": "enimadmi", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6078, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1935, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T17:15:58.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu", + "fileset.name": 
"bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6202, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-13T00:18:32.000Z", + "event.code": "01490005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6332, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5924, + "rsa.internal.messageid": "01490005", + "rsa.misc.log_session_id": "evo", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6468, + "network.application": "edquian", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2580, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "sectetur", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + 
"event.original": "February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6576, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T21:26:15.000Z", + "event.code": "01420002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6701, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01420002", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6867, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "01490549", + "event.dataset": 
"f5.bigipapm", + "event.module": "f5", + "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.level": "high", + "log.offset": 6987, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2943, + "related.ip": [ + "10.142.213.80" + ], + "rsa.internal.messageid": "01490549", + "rsa.misc.group": "tationu", + "rsa.misc.log_session_id": "ueporroq", + "rsa.misc.rule_name": "olore", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rule.name": "olore", + "service.type": "f5", + "source.nat.ip": "10.142.213.80", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T18:33:58.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7188, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "syslog-ng:", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "mvolupta", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-23T01:36:32.000Z", + "event.code": "01490101", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. 
Newly active generation count is: 5959", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7244, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2625, + "rsa.counters.dclass_c1": 5959, + "rsa.counters.dclass_c1_str": "Newly active generation count", + "rsa.internal.messageid": "01490101", + "rsa.misc.log_session_id": "reprehen", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.ip": [ + "10.47.99.72" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu)", + "fileset.name": "bigipapm", + "geo.city_name": "boriosa", + "geo.country_name": "Malor", + "geo.region_name": "uasiarch", + "input.type": "log", + "log.level": "medium", + "log.offset": 7410, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1973, + "related.ip": [ + "10.47.99.72", + "10.187.64.126" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.category": "oremipsu", + "rsa.misc.log_session_id": "ectobeat", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "f5", + "source.ip": [ + "10.187.64.126" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "auditd", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7629, + 
"observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3376, + "rsa.db.index": "ctobeat", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T22:44:15.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7684, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3872, + "rsa.db.index": "syslog-ng:", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "tdolo", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 7746, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4543, + "rsa.db.index": "sciveli", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "01260009", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 7826, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4646, + "rsa.internal.event_desc": "cinge", + "rsa.internal.messageid": "01260009", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T19:51:58.000Z", + "event.code": "01490142", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7920, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3126, + "rsa.internal.event_desc": "data", + "rsa.internal.messageid": "01490142", + "rsa.misc.log_session_id": "onoru", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:54:32.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8000, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "loremagn", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2018-08-15T09:57:06.000Z", + "event.code": "01490167", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8220, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490167", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8365, + "network.application": "cipitla", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4877, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "emqui", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-13T00:02:15.000Z", + "event.code": "01490102", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8479, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 52, + "rsa.internal.messageid": "01490102", + "rsa.misc.log_session_id": "todita", + 
"rsa.misc.result": "failure", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8587, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7767, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "sequines", + "rsa.misc.severity": "low", + "rsa.network.network_service": "minimve", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "014d0002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8712, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "014d0002", + "rsa.misc.disposition": "Failed", + "rsa.misc.log_session_id": "runtmoll", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T21:09:57.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959", + "fileset.name": 
"bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8836, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 904, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "roinBCSe", + "rsa.misc.severity": "high", + "rsa.network.network_port": 3959, + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8953, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "tvolup", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 9161, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4762, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + 
"event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 9282, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4345, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "atevelit", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.name": "ugitsed", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.code": "01490102", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 9406, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4054, + "rsa.internal.messageid": "01490102", + "rsa.misc.log_session_id": "iatn", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9516, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3923, + "rsa.db.index": "oinvento", + "rsa.internal.messageid": "01490113", + 
"rsa.misc.log_session_id": "moen", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "event.action": "block", + "event.code": "crond", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9614, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4071, + "rsa.internal.messageid": "crond", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "crond", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "iconsequ" + ] + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 9694, + "network.application": "did", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6473, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "inBC", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access 
profile: rExc", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 9804, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "01490501", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9935, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7023, + "rsa.internal.event_desc": "ven", + "rsa.internal.messageid": "01490501", + "rsa.misc.log_session_id": "Cicero", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T19:35:40.000Z", + "event.code": "011f0005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest client_ip=10.24.113.101)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10026, + "network.protocol": "rdp", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 870, + "related.ip": [ + "10.24.113.101" + ], + "rsa.internal.messageid": "011f0005", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "service.type": "f5", + "source.ip": [ + "10.24.113.101" + ], 
+ "tags": [ + "f5.bigipapm", + "forwarded" + ], + "url.original": "https://example.net/equamn/scipi.txt?eiu=maliquam#gnama" + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10224, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4918, + "rsa.db.index": "pta", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 6092, + "event.code": "01490521", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10300, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7405, + "rsa.internal.messageid": "01490521", + "rsa.misc.log_session_id": "rors", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "f5", + "source.bytes": 1363, + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.action": "cancel", + "event.code": "CROND", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10432, + "observer.product": "Big-IP", + "observer.type": 
"Access", + "observer.vendor": "F5", + "process.pid": 2977, + "rsa.internal.messageid": "CROND", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "CROND", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "emac" + ] + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10504, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10627, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7733, + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "tura", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "equuntur" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10811, + "network.application": "imaven", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2867, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "itquii", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "event.code": "01490511", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10933, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7673, + "rsa.counters.dclass_c1": 7783, + "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", + "rsa.internal.messageid": "01490511", + 
"rsa.misc.log_session_id": "psamvolu", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "01490000", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11093, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 72, + "rsa.internal.event_desc": "dip", + "rsa.internal.messageid": "01490000", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "01490007", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11165, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7057, + "rsa.internal.messageid": "01490007", + "rsa.misc.change_attrib": "maccu", + "rsa.misc.change_new": "ame", + "rsa.misc.log_session_id": "ecillum", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.bytes": 2132, + "event.code": "01490521", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11279, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2698, + "rsa.internal.messageid": "01490521", + "rsa.misc.log_session_id": "quisnos", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "f5", + "source.bytes": 2552, + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "01490019", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11415, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 613, + "rsa.internal.messageid": "01490019", + "rsa.misc.disposition": " Successful", + "rsa.misc.log_session_id": "suscipi", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "xplicabo" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "01490544", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", + "fileset.name": "bigipapm", + "http.request.referrer": "https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", + "input.type": "log", + "log.level": "very-high", + "log.offset": 11565, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1306, + "rsa.internal.messageid": 
"01490544", + "rsa.misc.log_session_id": "utei", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 11748, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "ciad", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "01490013", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11963, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5944, + "rsa.internal.messageid": "01490013", + "rsa.misc.log_session_id": "umetMa", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.action": "deny", + "event.code": "Rule", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: 
APM_EVENT=deny | aecon | sedq ***failure***", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12087, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 71, + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "Rule", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.misc.rule_name": "enimadmi", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rule.name": "enimadmi", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "aecon" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng]", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 12211, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "[syslog-ng]", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "tasnu", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "01490019", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12267, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3538, + "rsa.internal.messageid": "01490019", + "rsa.misc.disposition": " Successful", + "rsa.misc.log_session_id": "orisnis", + "rsa.misc.severity": 
"very-high", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "texp" + ] + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12419, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6673, + "rsa.db.index": "ptateve", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "sSMTP", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.action": "allow", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 12485, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2121, + "rsa.internal.messageid": "01490106", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.log_session_id": "uptatev", + "rsa.misc.result": "failure", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": [ + "oditem" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go new file mode 100644 index 00000000000..c39bf4417c1 
--- /dev/null
+++ b/x-pack/filebeat/module/f5/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package f5 + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "f5", asset.ModuleFieldsPri, AssetF5); err != nil { + panic(err) + } +} + +// AssetF5 returns asset data. +// This is the base64 encoded gzipped contents of module/f5. +func AssetF5() string { + return "eJzsfV2T2ziS4Pv+Clw/nO0Od3na/bG3vtm5qKmqnq4b213rst0bFxPBgEhIwhQIsAFQKvWvv0ACICkSkESQstt75weHLSmRiQSQyEzkxzfogexeoeUP/4KQppqRV+ivdPXN7R26zHOiFLoTjOY79AZzvCLyXxAqiMolrTQV/BX6y78ghNDyB7SkhBXq4l+Q+9cr+ML8+QZxXJJXiBO9FfLhgnJN5BLn5MJ83vwMIb2ryCtDzlbIovN5QZa4ZjqDgV+hJWaK7H09oMf/eYtLgsQS6TXx6FGDHm3XRBL4Tku8XNIcrbFCC0I4EgtF5IYUF4NZSIUHJK+kqKvTCe4zqB0caOOY7U0ijCM0TDtQqVZ7n8eZO+Dg+zVV5neIKlQrUiAtUI4rXTteSbxFJVEKr8z/sUa5KIkypAvzfW9ohF6LFbomuShg8wRItWPRPlFxgj0k2RCuM0P8aFCHdDKPHGMUcCYXXBOuldlxlCuNufaIVJAKTcswCQXW/S+G+KnFagZBWKPtmuZrhJEiSlHB0ZpqhTB6S/SvVHNzkt0qXAyWqJmOWouaFYiTDZFoQZr1r7BUBL0hGhvSMFpKUXZQPX0tVurFHc4fiFbPBsNfU0lyzXbPkXZ0Y/SO2ANmdxrvkHkRZBUjG8KCvGKC9/f6Hq+uSSVJjrXDVZAl5aRAgjNArPGCEVTiKoy3VKtsxNY8sE5v3Jm5vf4WbTCr3emhBeGaLqnbQ+QR5xoxsbI8lwNmAv3UDO9WHH5nWFphqWleMywB3i3ORXR1B0MnrXZodQcjx1c7yvTN3Fx/+f+5fpjrBmsqy6cdMrH4Zwak9hn/CfFvcFi8nB25JErUMk++i6ZPPf2kTcOtNNakJFx/HvS4LqjOcoZ75+GTEUC4lrvPg3ptNIHPg5ryGOrz3uT+nH3OFS8IDp+18059SUgxTk+O3Kghe6DzQ29qGXyDG3BwPU3TMns34GD0I1pmnE89o3Q2PvGOLRpkkGXIYCIzMQgFeDSaQfk8SlnN6W81aZUw2czQfbTbN1yuBM+NsMRa/NGtl8ix39CpgqfLvyszEF3SHHdPnTG0b4xJjO5B0KGaF0QaFVUSJzAGk1vSR1IgRbQZZA94H4eKK7SezYOxJyu0DZsHQ49i+9BzkmLpp22uAeUjZj1ulmuhkvWo7t76WSjdFVWsv6sU4QXlK/+lCi19x5r/cjhIw5tk8HGUdbd3m+8RLgppZFbsUPbZN5ifFl8q+zY/Tmfgj//vMtBwa44T3D+91qXR9VsUCKMV3RDeuCu+3EvVsChmwZ5Xqy4+jzL0ZXhxowavqHaZJL8lrVf3aQIWCWa22AEf
b+zg6A62+3Pn/dMYvd9VBOV4eJIXBBGq10SiD7dcf/sjEhL9xATW371EC6xgJ3jH/pKuagmq0JGZhRW8L3hm8MgyxSiawXY10CuR7iw5ZJf5sb9441XILZbFBDWmIzs6E+vy6vbu456Gg5EkDPeXBSG1U5qU7spxhJnR1sTuJ2XZY/4vJF1RjpmH2b+9j8w0XeM48MB5e/fxx8AkHYGDuU6fZEPRkI9zSPJ2sw1VpVRJvia4IHKml7GfYTB0ez3lhcZS1H2ogWHS3mn+0E4Ylmcz+GGwVzxuW8UDNrtRuK8EYyTXQn6JgtDw5ywv62bfUIVyyxxSGFr2VLPXon/JowOs/ANaImW++HTKWSkUBI+UgqPFbrAsCEnyW02UNgMqWlZs51bC/NgIXERwvkaKFgQ9/RPSa1mjlz/88AxtsUKKEN5gOTDXT6SunTBXVQmuyPkmm/+BVjYXNdeNvVqXCyt8zIFTwRHQU7wQG9KZLuXBaCMvZpSWBJfRXZ7/gZb+MzODFLTuazWnseKrkCbVGK10iaj+R/3yT9/+m7LC80UFosqT9Y8Bvf8wdsprvCMSvUQ3PMeVqpn1cRtTZ5QEDY0+0Q0diFUKYfnuJfp3M93n6Lvv0L+jXEijP8IsHNLn6L8z/T/ND6lC+0z5KrhIXBTkM9pgfEuyHDO2wPnDVJ3PoudCw+bG2urKhhGEF5WgXIO6rUk4cA8WOCNSiuRYkVYDUhXJKWZAE9CitJBGW+Q7ewubLzaY0cIuXwgtQktR88JIa0aAPMpXTlk4Ggy0v28HI8/xduI27QEXfYTPOyZw8enuDIcQKfo7QSXRkuYBXdmZaN0fg41mL0cv7swliXWrw4mlX5gL9LPYGuYPbSHKkZDGhNACPRBSHWHLJ7o9vhC2SJETpbINLbIi/R3qxkuAFeFEYg1HsTA86tgrGyp1jZkxF/d8pDxgPtOSGoMPXgBhupZOdyBvr5E0clGBsQ5swXJFdPOzo3NVMjmk4rPP1UbDHJ6rTHSsD0Xs7bX3r70jpdAE3btdmUsC19JiFxNJ5o93en8BTm6HKVMVo9NeZP/QpqKiA1X2U4UN0t/T4se6tj3IU7cj/d7w2rQTx/813lzsMV9Sdpa3RTOuUdrvri7vnD6XY24YQMtKyL4Wh+BC+eIeaOtPZTx/sGIfjDwwC0MOsX0zsW5BWmPQ3vtg9V2glz/8iLbA2ZJgjjBjYTsUnK+gNrT+BbQlkthhsUaMYKWR4L1g5X02fQLF6MtmU+C8pT1kOe78KmQBrIGoCJKvuWBites/ayypHGhmCP2A8jWWONeWTebo7YBCcG5yVHMXMcD2fJvRDKaUZDX7xDjNZXvgPQd03dKoToJ7p63E26j8ACnWU5ZwDnqY9QhzZ7OKPK+lH1FpzAssC8SFLDGjv4ei7YQsgxwo3AvsASaIejEQ4aPY0NLVoHvB6JLAnAIGoiK54EVEMWyXLFN6miV+gGTKc1FWjOjgIkbdXRgUTy1pT+R08g6kPtt2uzejBzddbMPt75/oJikF1+uTWd1m9Zz+at5GMxRnY88NL87BHDPk74JPz+g8IETM+F75sSFp7/tcGhzoCafjEmnyqN1GRhsiVSfYtzgUsxFYo+OLviP4dFLbpIpcyIIUU6S3ey53wlU1Y/r7zb+ZNz/svsENZawU5QWMWkPin8oJx5IKq/iVNdP0G02JRLiqmI+gbjPBS0hzDyQlIcTAMe1tBkuUpVUhqp8oJLbceu01Lqu+p8VRbLAZEof7XCuUr6nRf0VB1AV6UysNinR3ULP/sY7Eo2FNostw8Lgvl4ayDZnnDoaF8kPa+UuyJJLw3C4qNspXQTe0MHcqrGn42N/7Y/++x4DwNB4rKmecQ8t166d+NPuFaraz01FGRBhdwKCFbXTYXzRqaaIG83MjnZrTfzEYtAnQEPX401wO1IDjMA2Xxm870CF+q0k946KZnWLXq5UXW6wQoCkiKwTovx0/9VEXzt60k87pqtRJ
kn1VpuGrsiR0VZamqVTjjsg+2MsEuKQbryNlzqX69tTeoAwaCMxRMil+YI+dtxTXXSteehmIKcYizgdqz2mKiqrZdHdsRDsUtc5FSV5YLI3KBtFsYjlYK8zdNPZU38hSGZOc6mmhrwdI9+O7hICOP/SQ4Tc1VWFQO8VK6iYW14wG/tiK5HRJW2UwrC1YJ2cs79fpHnO8XAeY2LgDaNEGfHpTtHDOxyBlTqWfj5Ef922EroYrJPrl3oUUUeUfnfoWMuD3XI5lPahKKDrqEJ60A8AQ4IWtCgChiP6URPO5a6azKYnsI481r0siaT72XAepnyWi/QDp3aj2ZofaI25P0oD4DeGFkC6U6CDtYvHPs2RJ+8cFsfgnycM6vkE9R57UgGVG3hxGbSXftFodXw23vstqc0fWWcJr3EROcaERRmuXlRkOD2JilflnxzMJOb8hRgu5ebJv9yTF3+CJG2q7wVEMq3dQtm76Pj1wxlxlPFtkjrNdRE7VbFrsVpgJ72pGAHVYvAiuyeN0fadBecut5d1WQMJFocxfcBVg5lGG0oGPXCn5GvMVyTjZTj9XMec32XYebuBy1FrSRa1J57QNo/mUJc5oc12RHj6GqsIjREMze0YnlMA5NHFQyvuvthZdVzcImBIQd20m7YumqPatXG6IvED3xDK2VkRe4BWBUncuYm4ppKdhMLYfxup1OcAjC9/JgBQSLaTYmu/8p06Psap1tFbbbXGHpR5vyjeg4+1It3vFIDdivt0rWNEoHefavKIizmWdfoNccoQZkbp5d5XtsO4z65p1R7GTbAbPswGFqkBc8G8kqQhoq4deo0BxnFfI5rWUZms2OimsBugIL6j1/3rH5oD2LdVrp0xZ2YeuAeEC4kM5EvyblTD/PiAZ4fLMAkrJpJnhjjP6BaAwZIglMidNU6Iu0H17PvtlMrsxyak0Xdlg9loZRdUmPdgnysIJK8c8jHJWK+23jfvPgNUAQpVZDZeZ46xFozbBt/Gr+Qy3st3pYevJJq1PUQeeHFOfDR3XgAdhpUROwVtjOBrU+4Hpr+kDeYUwqtY7RXPMjJn38BxVEirSPkdE50/CahaWOJw9MPLysvGrEpdEE6lQhRXUKVCQuGcz03JRlkYiiL3Hm2HIKtH5QUXDSs/z6RqddTiDoLbCLhdlVQ/PQhLrMdpSXoiti7zJBc9JpZ83r2LR6Q4msqwZ26Hfasys06YQJabcnU/eQcRERJR3vTWnX+MHJmeUkdeUP5DCRdH6wDKswF53Cqz55qsG+QUtDjGfDfL8JoqNbp1qawL2UXgCfrk/H+ZfKucTQvfDVOfm0YPIkvZLVE93/rhRgR67Dw/rad+N1tOWlM1xXhqyf4LxmiMhSVHnBHkPMAk7ERSRFLMscENMEJv3MKhXuvoyvyPUjUyN2mAkf1CRRLA5/FFufCO811itm91uVI5ANHttLEwjmnyEaRPOfuVH6pUqEBsiGzQXSuYGqvn/MCsBGfnGEYV4gprnjGBpPoKyGS1pLozdeWmkTxE47p+0oqIe5qp/Zhmdi3JBeVM5riuiXQKCHCGvN1TWan7vRvcOBRRxL8dczxGBjXtlx7d1VuIeHqulz+B4a1hgPVy31+itPdNPXUocsjX2XZKHwf7skPPrPL7Ajuvr9hrY4kKrmwM5tOP2fec2iMESeWGX2py6LVVhU2OjdtPqJu6/krikGnvJHfShcWskzbq2hn1XzdDo9vqoHnS6T+KIHmRQv+RFqw9doCsbre+qBTH7xWFdyPwRcv8X337lHBSLWjdx/EI3wrnmjCg7d2EF7FagDZYUL9ggYtwmtFGOKoYjR04RriZmgO4tSlcNsmNfmFNvbk0fi07NWt2/uL3ra2DIlVSytl0sWybaRuDkyPjWF2vJQLdco3u64hiOZWQjVUJOK9/0ZCALzFa68zqFgHoq8E+DqnNqYC8UIrC8b395jyjPWV0QIxpcYxYDfoGe3jzismLkFbqzxqcdFmTdRdgG
BQ/7Gd4ZwJhvRW0YN1UPRp0LYh4RtN1xzrx1ovIdVQ8HHji0pKsVkVMK14en/bHraXRYQPNZS6LWghVmja3VFOnVsfccNYsVN3yPcjLs6Tt7Mz5rEgpvr8MBlie/WBnTOpv9bR44697noZmJ9WmoevGNQSg4ZBQsoVyvKOo8pqc7ledssQNd2hrZIiRkXhk55ymI1JXHsthiea5Yi2GtRCOLsBO9hsxIka6nRuRg9AbnvrJXWHEyx3lmTVbwb7zyIw+faGsxJDRCkgSrhJgopbGuT1esGhscU3ZG1dIMvxCPiBYv4lLXSPx6HhoMzg+DUlh2Xxk84Y3upe/kqvqDDXM9rKefIoQpF/Xpbwad2E21StiBRjqMM8MGHp3vR4NOrwKyx/xLxsxpRaqGxnfLmqEbgwHloiDKMN8XaQrreJQX5HH0JBhVOqY/TDxNMDQottKjWRAJXv0SS8rgpTbgH7BvQ3yFMDDiGwMbpJ0nrbjvrXc2zcWNj542kSoVkapyCQn2TA2m7a6QNjDO5zg/iwSNWxN7KM2nPzp22sgB8dZOtr82X2LKFSqIxpQFTKeFqHUHLkK8YGeISfFeG9zEDQCmuAjXpKzYhFfbS99q0bcw6LwguSgVo71siGR4B2HKWjixjp4G9r75AiwNB02WPo/F+tyUprqGUh0oSHqrpQ2Tko8fjJFe4Y5tmePx2JLObi7K0uzN1AW7svCIdsKJKik2tLAWtq8rEOrP2Nw1Ij/kQB9vT/9EWXv3591ohfC181jBI/O55Jcf/7zy659iEbVbkyfwv8XCuSzDO7WiU8oDXUNQkl2f+7tbdDu4cLuIJtTmcTGZh3GMCjxushdWI1X8MTaxi6IKq1n2QGULUUyPOR7EbfevLN8f1mCLXJ/rlNwp60abJe+m43Bx6Ro2zKbxAtIVLRoXZcQYL8dryoMkmJNuhjFXdUNdVU8TkL7b0N0Hm8Xp3aDwOPZI8rpro9hn6wUJpRT4jN5DD2WzGFJBT1Gxb1A10fB4gynDQwcdatxDCOLhl0TKSDVCux/DHq75/LpO9StdQrB10g/9W8Lv24uIDKBltqiLYpdg39EyGxmn2oGsFYkVEjtoi6bASCpGZUv1AqYzVc8TbEdVN9bE1lKBhpNNnHSbc+5whoqDt/GG9mi1rq/D07Cv1OO5sJnRIrj6eIOeuki/jzUzesmCMggwhJfmm8dKKPPLZ+iboRnD+16+By62fE9xVCSvIXVtsz96pGtAjmcxtPsBIFc+0+atC3B9TVY436EPUQWW0YXE50n9cUPvsYlyVGLKl8YyOvhIVWEJvT7myKjaUxHuYGD0VhQ24KgtbtB51w6gRUfuX3h8MVNN1yj38+rfki36ueagPr8RBWHoKeWbi6+fIyry52hh/iLmL8wx2ymqLr4O+5F1XmVLhgfdqcbfwPu61tUdgmHB3gWpsvMFhMXyYNKWFhNpsZ8uHCU+YUoRaTZUEOWmHCuHerg/vvnV2O/vbcjN119/fPPr5bubr7+2MTAbLDGN7o2tkA/jEjKObuVf/ZBdH23UTMZ8/PXlYjvH5gY2Ig7nRgTuktTFpZCEK5qPO1AdczIJa5liRQU8W6eDZVtMx3Qab0MOcpGwpLBhxiekqHqRvA30olBajs9kgdyNWbqBP59PkvoIvimOg9TgxLYk8OBicsGBbZyii080Qyxp1GD0k5ngnEidTDBzNTCRfsBlWFgcqKcw3vAx5Dlt6t1w3FY9sbW3z7QRio53yaE6SMaZltD7zQ9RIMQsD7B7/O9o2091E/nkX66hIsczMJ8D1v0xX78vgUTn8ZlCOOwSU2b45RMO79z5u73uxvVC9rRRgTVZBRKH4m/xPq4nM1d5kOKU4B4I6XExncYyqnnfVh3g57E03qn435JH/TcS1l8a7CqmxUzFfo958VcR9qy22DXWNHzKJuMfDr2HXtWqojkVI+IjPpVtAfRtseRDV9vnJ07xsspEunC6f/vmDv1iPR5tOEYY
1W8zP7/c/8dr9FtNZKRaS814Jkm/6sfUJ5+O62KH3vmQ2uDzbqOn5aPEfxdMjC/TZsCqiPF4DE4H3KsnQBYphegww7JM4osBTDJecDUq7L8Bq4sRnQH2oMbmAu8BF1j3b+/jkAvC83WJ5elhcQ3krsKDVg4n+CBxPnjePBEqWyfwNSfLscGUDehyBcmkSYBi8c8kuAon1Nazma8JiwFO/1hP2cOQkKtdEnPdJiDmGc6hbGFKGJuBVnyUit4BXayqzff8Ua8TpGXOs1xLY6OMq0zVgTewMW/dCaAbNmgIfRIs4SvKRwXuDoHTYkp4tszUluo8YV/zbMnEVuEy5bWoC831Zgp8kh8r5xnl07Y55RWR5WI3IiRnAF3lD6ng0BwtCbTKKim0yFJccQC/+T4DmzUFmk3Yb0yssjGt/3ugKS+hOc9K/JhpfbrCuw9qVpiRJLFQUp6MmPIpiCumMrZg2Xjn6R70nyaBJ9QD6kCPz1LvQo+PiO5C/zAJOtxY/VTof50E/T8mQf9bKrQWFcMLkrbVG/gUVYlnZc3g8l7skuSZB68ekuR4WTO6KqvU29vcf5itxj8aOViaJsQV+S1P0b15puyTaRKvlMxTtTMDmqqdqZ2qq6T62DlvwqwTlTsttFEwyGPS1tZCGyUpHRrUk0TwmtNHjrlQZNA28yT4zY+G9mSxsPlRVHpNcJFkAomyynKWZEMb0CSXBkBKaJOVBqsSYas6S/JP5JJqmmOWFPSlMrwiPN+NelPqQnPMdr+TYpGGe5NBMnwirE3jScVsn7MT4Y2F/GOqhayyBdX/lph8mKtsbG3THqgUCUdZJW5OgCO5TInFU9YTMKKuZAeU6LX1BqQo3xYcrqtEcFv7ZkyGZgd6SRlJ00VUtkxjF12OC0DeB02TtMoYwZw86izxGBkbuFC6GhT5ORlayTwR2neOS4IVq6wkBR0RjLkPTXkqx0tR1IyoXKTN2oHTVdKpEJXaYj2yE0UHPhQTcCKoJCuqtMQpmnYLnXRT2U6KiVOWE+asoI6ITD6dNqrBLnkSPDQWTbribNBROuopl/N2LajKbJ3nFPgdljhxwYtIWOVpsBvbwWA8JFUa95u1ngSo9KKWpxcS9XDE1lxLg6sT8KXcwz6WdDwgVO1ZppRCj0dMH4Ja4aIYv+q0GO+c8wk0SRKFllkuhSgTs28MaJJSRMss9RHO5e6kTbd6SEgWqlRKKjOtVCXpaDCGNdV1wrsNo5yMSSVp4dTIWlwNJAQ+ppggTNiM5mzJRIJwbMCTQgCMppew3w1Y0l43umESugSvLROrxKXkq8RtVwk5/nCUi3qVtnVKqvK07VqqxAVMqz7DiYbUlwTIhFNsSwOMf5WycOMflPh2O15XSIwTato1JEAmyHsh6SoLVGs7AXLLiUyRLVWW2EGwykZWkG4Bk9o4tOBJs4STNH6TOsCUdppW6U9AiZUyX2b5+vR41gGw7cs5Hp7IcmXs4kFG9Wmw20TQFDFn85c+fOhV+jwJVIpVhlU1quRHF3hMlwcPJwlmaTePJDlQa7NVk8FTJmtgxybodmCFLJKwpphoKsn6VNb6TPKUKjLeRWrL6SapEYr8lsLMUBrsCLgkxUXRVdLBVNV4u0XJPG3lZV4kXLVK5qEs35NAR7Vk6kLVKiFncpPz8UEIwYqhx8FskmVC0/CVTlkEC5biNWoqRo6H3FUJmat1sUh8ta4lS5JKtSIyK+j4+M3EwiTeJ5JGrM7T2uVvMsqVxsskSbqhUqddxZuKJ6U4aCFrfpZerZe1FuhdzdFg8MYLPalA3EfMaIGuJCmoRldYFi5n7EBbGlf/atJMY3UgYRjbdBUiZnPBUCikpPH2Uj5l9jdlxcSODAriHeXBUtQj0uNP7cu79i11oLaYJCvyiErcD91tPXp8VffLrsxABqMKCmz48VW3laaqKyhRP0yVRGi7xhpRjSrbnj9M9KGn1DGlQsLt3W3Fc48EUe4qGUQyuxnl0ytgd4gx43Up
UUiLFTTZuWh/bztGDLjHyYbIpoiSFqjCUhH0hmgMFYftqWj6paGnr8VKvbizwX3P0LUr42XbkwxGhzTid8QViwWyOXpL9K9Uc6LCazXceonsWUI54WY3w/B2Oopgma8vKKcRg1fieYoh9ISN7a3HKCcvGK451E5d1aUrS3+gFEKv8sEBqudImW+obhLlXcXXiEpvmJnN2wvZ9twyA6P35FHD7owZBWdtQN0WiTvSgxqycieVKoa8XEW0bw58IHX+0Lv3+NoQvpXs0o9rJVjfwmveZPfNIot12BsE6hmoV0H6x9XxPqFzdkEeb6/9IYLRYyXbRz5Ej9wuTQsH+7jf4EODPdpw00GciyLeFIxuaBPSFmwIsgIhrJAihO/1yQwbLxJzhfNZiq0OssTt4Nw1cGpaa/tuwQfIqogsqb0I5yOrHdQWbqEbysiKuF4eWCm64pb5bWXuSFsDvJirW31kyQHDgR23OGNriWj7kNA271AUyy1Mq3Tj70ta+La2TcckaNgYOXQIBWJyGq1NkkiQ1GgF0jcKawWv7+9kcERU2K2kEUfPjPgBSaR04Tnn3/TPHBDQeYDcit77eMrVgxnFKluLGbS7XndMqInTloGCjj6dgkfhmGpkN6ihh7sW21xoBK0yLy6ZEsa06TUvgSrkPzuIC3TJd83/BqNrsI4U1wgXF76jcVgwJTq/DOlTlOWv+vyEyoN7TKWurbOxJroVyv2sw42E3Y7JxnpWTzVY8Y5I9K+Nx0C9cIgAfax/ydi4rfPvPd5Stbf7DvI0GiZxTBY86ZfFsS3p3v7y/sbMjkhijUbwyBRU5ZJUmOc7o5W4y58Ne9kaHjxH79+8Qrdcf/fyObp9e33zn6/Qh1uuf/wePd2ud4i7Boz5WihXxk1IY73Cr7798X/9t2fh3ndEryfJi/6MQQJdlDhcGklN3iMjD5SrxH/r0YYPU/Gpyeqe8yO0RRP+Tr6YQhT1FJtWB/XNTV9fvg2S87vgZIodnrZ+/0dwchHmz+9j+gB8gsvOkHpc1AAbP8+9coCXK6zJFp+lsDTssjt0aZvn+d0WQthcJ3lZxf3/U/2at1dv7qwcjveKxzP08ouZ0lbP8a1Lb+8MsohVb/gQrQUzCx/M6HE+eB0gszXF5j5s3V4Lhe1Ih1n7VNGpRB6W3bMuk1He4bAId1qu9xdqgKyNrUnUGU4V0xi9dTTcCakbETUQQrb3BDDRdZ8/LInU7PyzFFO+8uLTE/4mxjxOQvr9fF4ihx9sEKyUyCkUjQdreXC7IiOnJOYrctGox7ngS7qqJSnQYuea+9tW95HuNNGUgkGgcESbCg67TMpUYKP0u25oZYLBJEkpNMlcjFDKy2/KFAuuMpzZ8Kkk4ErLVPBlEnuXSbHYLG0DpGfUVEmTw0XmrfFp/br2bQtDy0V/vK4hcxZt4cYYVpxo9H5Xkefogxdzr8FE/g7deRN5IEd+id2ovnjVLBdGRKX3ZCHftRMzFrwwqvaH8ECPJYQObIjU0HlGC9/ginL04TZ6hHIIaZlwBlPaxnKViSqpUJ4BlUSNj6MxgEkhflYmjg+IAh9UEkZbpiZjhK8Saj4CXnMNzO1cgqZEcL1g1nEOcpTDA46xon4ScotlEWoGdglt6sDvfifFI7y6L4jeEhLpZDw6B3jsi4TQmHXdvRYdgkIm8No0mINrgiYJPASVVJuj5ooKhSexYZjP865ygjvAP6t1HAKDKew7CFof4MZozytQnvclYoo/m+SQbbEZk0d62hsKlprmNcPSN3NzaJ7ePL56LVZiuQzXpyZ5ptdk7sa3782Qrnt/S9mNocwQdFnrNeHahVJFCZur99j+c2XdtDUME/dBERklSdQ6F3Nzyw0aJ+neduCOUOV75Ey7ffcoAszIN1w52PzVYz9D+2TSo8KcYnADq0rwAlq6iqAK0AAOm5Lu070Zk10buQ0wsnn2EPfGKCkaip291dNrKEeK6jogURAEyPkueG7UNVYIF6KCrmBr
QiUSW95rjIQ0fhRclJFoF1+jPhuEI81w+Rk1jPLCnGUhVdvez3YRvvTl8QcTPcV9whvS7dmIhlM1MzzT81F0kvfuFWneeR5qItaZ6risjglTtVEB9y6qcO65xoNDFmJafFxgeguyxhsqatBsjFEnRUkjkQ5kfvQ3HC8YhA0v0dVh7JRvxnc+C5HRp2FPp0FBFHs0jCwvlkBCAENDwfQ16Nwr7c6OLn8bwl5z3Q9RTtH5Ckj+yPIJXXHhloFO5jT3hMG0IGCg/9hD9dr2Og9UaUSOnIv82wulZdxJ7qkOJ75+NqpfHqbaXYsW1yTKg2ZEYxJpWkLTVqdpSFKRqJPTcXJEatRRZkJK+kRWyhM3QLgqzGfbAN+dRvW3k3uiB4l3jqNjcxhQD3Nqj94Jx+6PTP/Lo/TLmflvN/ws1Mvj3B9Rk+LTHNUjUq85qn/kTfPdcbafXoDq07D9NFkjZz6rc+71E07qzJtmTuoHW6ZRCgvbpXOyboZrvc5KotfiLN5UvOfnQhaR+1l0YSB7V4qJlvoB/+47wZyvyaA6sEOSbcv/vPjhT39CT19fX949Q9dUacpXNVVrUkBiThAbEysxQ37sIb+2a9ENmNxiwA8jb95STPaXHIq9N7wP4Wj2Jvj8RpQOH7MxcwiKazIjOi4NwBp6p8A8VESpfSfH7PQs/h6p73BBa2XHQEIiRUvKsLSH2QgSs1tzuI/CobpwZhSdpxdu44PsRpl9MMvlPSC9uhbtgZkSSXjJD50bcH66+PCO/8mZzvDNYMWcsUs6gYdF2NEi5LRHsYHrFtgl5Apz+vuBWCc+ZcFOZVgCt7orH2HZkspgFH9y9utPZkCQjzap3Gbp7kUi/Uww0+scS4IqSQpRUo6DIdado36HNSVcq6OBZwzPO5/X+LNOxxbBIFXy9jJb+IkRAhWWGtJ+28kcFkKzpvW6g3uK/FmSgkisSZGNCAM4sIrQhtyP2bi676TY0KJJV3e/w1XFnJ4zWD6XImsE+b5GFOml3kyDFrPNoxnU1XHQu8hEgoWeIapkQ+2b07qv2EUKBzQKzbhS+mO1GvIId3kHqJMpEmrybfUf0IawQkoLaeWjGa0kGgO2J/CrC/OrJ+H5lbQoGJlTYryBEU+VGYEl6siQJJnhi+fNNaE7N14nR5fv/IvHc1QxbNhubiQhEeG53FUxLyIEr8xiFZwQLyEbC+FnoTR6g/M15RG1vcDJZ/SrPr8+cIjsqyQxB9Xc6jatXl2g1wWu0Ef4j73VC8FtPsA/htcFWuMNMfc9I1jaFtYI6kuoSnBFvB4QThowM8qGba8nyB5XGyGXVBNJfZUObidoKzLEKfFEz0JMu8zvXBGZU2mB+qJT3QT9veYLR+2lARv93101VCFZ80Bfd4Swet5IYvuaY5OpIxHZbsTMWRFzMBOjLeWF2CqkKpLTJc3NN89DceMu/mi4Uc0ELEXtqy96Kn3X80YswzPDsw4/UM3h5npNVjjfoQ9qv8hP8x5S9hMckqKWzCizmFaRO6yrbgMyiJqGzWBugQHfmnymQBbTXoYAhNkOmbA/sTnUtVi1Iau8BeYEcwhuCAeTMJ254qVik3GRU8655yXHDUwuXmtlSO9cTozG6bjP3zaExrJywOVw+tvx1BIIbhxXnjkaAQ6TKsiScucLhKMOtSBKXEWKUQD+SJj1mbC35m5P9UgRJI2/afoMXD5ypHpI40PTGufrcvZSdO24wBg00IK7bEssqLmgfEzN3Vl3miEbwt+nCv3Ase0G4wLzbBmtNhUpUI98QNdUmX2ErgpLv7bm4+ctsds1HRQ8Q2YfGsvChuidNAGdUPHSpsIJOa49Y2/6f1YV5n85ms/pUe3XOvNKWkikmqn9+QWMfoT6M164A7p9VbTDdEfXKiNcS1GFj2Eh6sXAIDtpr7lRjXVDjoQ2AhUjOzmdSMWVKCtjkPqdDxscGpxYzXNDpBGtmTGbwxcSVg/T436PnMWeTu9xb8n0ymbL39LfuH6q
Gduh/6gxo0tKCnQN2TDWeRFEtiWLLBfigZ7tSelXskAWQ2uTYBbTyxJq67SPPVWtbRucWD3y42fjXTOIq6Xq3FbWO3eB3u8qS35rUZkJWj7HWSzJMhtZHKdHmMFiTTD5RIUK7fTRzeMsaBSMffzWe1EJ6T178Lzy7nVkYTrZqqOX1c+nmlox9sB0zNhH/XCeEClE8j23j9aMZLiGKqzDDo6cZ1iNe4/qgMrUDuq1ZKPY3YEbxZ1GBc9qOb7fbwV9z6A5dArKBNG3DzwyRGMf2O2CpONAHjXhcAmmKGxmhBGr21yra0l6D5Qpt5sdZp4Y8r0T/R4Ghqvuhfv3lUPywv3DvfqGnF6YERmOIXAEn/W1xJLbfSwBP0anIPOA4MKVTTbKIuVLImXERz+c2UyUd9Who+wLOj1mIcNXD1p2WBnYvvCMISZv38AwM26EG/vaYjbAe4gLkt2P/k6Gj9DxYve0WhM5l1Vj9Bz35vv0CgqqP0NXgCGMnEg9W6JkhFdXRLrC92QvpuNAiR0y8bGgw4zOsphhn6hO3aWD60F/j/sJxqdFhtcE3dPfI+k7D8ln8PbvN4iTldDUsrlaYxWpT6vy+ZN3Owy3w8cLepsFmVCfdvAA2FtrX/DLx3uGH+wUHdlc8bQ84aaW+PtoWw1z9qhSdUpjaAMLj7pT7OdpXj6ggUg50bMwYF1XXtyY4dE9PBkcOq0zvS419a6cb//pPYRzHBahHXkRI2O8vDhARVxoKMWyzbS7pO8id06csEsuM1sA1wnFNFQ6KH0gzhpITon6qi3w2BWUIC++Rwp8t0Ki2/vLv7+5Q3dGfqJfeKQiZUtPct5HCj3vtyJMDxzLfE3yB5XQ7K0VLFNz20NFoJvqJk3qOQRouMLd7bk/oKsQSQflN86iqlhMTdZeVH0DqqDF2nxisEvHBjNa2A0RQNM/+jPWlzp09GHWD2Sn+qLo5D2W3Al9rXWlMgrdCBKBgaVpZOent/yasvfoivt4RyGp3h3Zf7koy4m5/CdSZjE5kzKcXrOlkrC+dp1iwm0Z5tmoPtRjQxKUbxrwq6PZx8iGDXRIbsgqQecJAQqRZHEgwAFow7oXsCZfY84HCWjTE5XduIAq4imfrfxSI/Jcxe5fX1++dTL3RQ9BI+q0kH2vWMr2Kqh6yDaC1enTuPQ9MLirpdl0BvFNFmpOtUJPLRr1DHLXIJnAd0EI+IsiQWisTj7hrx01HzjV7rnkYj8YbUMkvJQsa4ZywXNSaWMC3FteR1KcxnRSD9Z1AOYZY8O3EDGkQPc3YXj0818vQ8EkQdal7AAhV+cIUeiHlu05PRbYpu8FExj/dvPL3e0deoMfS8qLpnVJmP2G+jMEMuwV+o4Q7ggd0H+I8OYKDodgJwUE2cjsbFwTzz94Io2f1NyNlpykur129XgcnoM0sDkZ+5kzevycyv8COQdNcCQvhtpIykkCi29ce+mRik3TzUuDH9hau6VNDXiOVB0Ii8IK/VlpKfjqLwuG8wdGlSbFn1+4z54331K+JHn4qyWVZItZ8JrFC9aBQZgXSAkU2T6SrKjScmesnnkPZoX12pWia7CgPpYBGZPaDw4JsYkSNrY1F7JTvavRWBraCNed90BPmSsrftFUV77oHbQYdQVZ4prpDPbnK7TEbC9dYY/w/diwt52HLV/VvG1w0wbyaomXS5pDMbwFIRyJhW1TejGYhVR4QHL/KB0heHjOGleRoY3PoLiUanrCbaw9MN6ikiiFVy7/NRdGtkHh45DK8lqs0DXJRRFxj7qxEuxtW41p1HNuD+m859Q1kIbia7ahovaIwlZStAtxMZSzQdUM9i41loW2kaOd5rxrY1fgToNdvwrH6+pN6wM8GH6/L/CxPsCRbEeySTRkp71hlGo1VdFy6/TGnZnb62+dU9Om27eWDWTiPOJcG+PQ8nyYXQn0Q9cPt+LwO7Vf2dXAu8UZdH1uVncw9Bxdn2F1ByOP7fqsVtlmbq6//P9cP8x1gzWV
5dMOmVj8MwvmRX9C/Jv0R4NpyH2D2M839fSTNg03aPpTkmemocd1QXUGtaA+DwH7avInRb0e1QNiVtSUp/bmmuecfc4VL1K75k5MtyKkmB72GHdkdgtD2GIYpBjcgIPraZqW2bsBB6Mf0TLjfDpHvkm/SUSQQZYhg4nMxCAU4NFoBuXzKGXDvuB+hu6j3b7hciV4boQl1uKPbr1Ejj0UB5gkeLr8uzID2QfXzqkzhrZtrOBiCSGH36iokjiBMZjckj6SAikC/Sr2gPdxqLhC69k89F1OVWgbNg+GHsX2oeckxdJP21wDykfMetwsJzcxd3vLt9H2u4r1d5UivKlTxMRKhZa+Y81/ORwctBq0/DvcgbDLutu7zfdtFYbIoeyzbzA/Lb5U9m1+nM7AH//fZeDkGGPHxf7ptS6Nrt+iQBit6Ibwxl3x5V6qhkUxC/a8WnXxeZShL8OLGzV4RbXLJPktab26TxOwSDAzV9bhxuW838F2f+68fxrb/Js80Ld2QXxQkW36j4REPzGB9Xcv94MZfDvb+NtxO7OwgvcFzwweWT5fEgHYZLPkGMbenX2k8ZduvNoWkBPUmMOdlewF/XFPw8FIEjZogI+QLUnjrhxHmCteAvtJtVmRTWNLB7N/ex+ZabrGceCB8/bu44+BSaJgnR00wyQbioZ8nEOSt5ttqCqlSvI1wcWk1Kw9kwMGQ7fXU15oLEXdhxoYJu2d5g/thGF5NoMfBjfxXq3iAZvdKNxXgjGoc/MlCkLDn7O8rJt9A83tgTm+6HdHNXsthoUk46z8A1oiZb74dMpZKZT26QKL3WBZmrrOZkBFy4rt3EqYH0PgHMH5GilaEPT0T0ivZY1e/vDDM7TFriCux3Jgrp9IXTthrq527Nkmm/+BVtaWJPX2aq/tWWgE9BQvxIZ0pkvDAdJezCgtCS6juzz/Ay39Z2YGKWgkDfAYK74KaVKN0UqXiGqfYQ3C84UtYuPJGhZW/geCKOAdkegluuE5rlTNcFNEYZQEDY0+0Q0diFUKYfnuJfp3M93n6Lvv0L/bjsJuFk1p7v/O9P80P6QK7TMlnLLJRUE+ow3GtyTLMWMLnD/MEXZeEC60L7RtWxxS1cQqg7odq1MOCzxDUjksLBQxwwxosn2ktJDQeHFnb2HzRSe9MoQWoaWoeWGkNYPCjgry8k4LBtrft4OR53g7cZv2gIs+wmdoyv/p7gyHECn6O7QJkDQP6MrOROv+GGw0ezl6cWcuSaxbHU4s/cJcoJ/F1jB/aAtRjoQ0JoQW6IGQ6ghbPtHt8YWwxZa/zDbTWiTdeAkAhZdtrxwOPbQ69sqGSmhIcXu97yPlAfO52+cJpmvpdAfy9hpJIxcVGOvDKqTRvl3NXCdkV332ue5XLo3EzCQ61ociti1g8A5qCDa9ZnIJrW3NGYiIJPPHO72/ACe3w5SpitHpWcB/WFNR0fRUoIlhg7GSAqfuStj9Rp76Gr5ub3ht2onj/xpvLvaYT+40GHlbhJK+QqK7q8s7p8/lmBsG0LISsq/FIbhQvrgH2vpTGc8frNgHIy/USAQNzcS6BWmNQXvvg9V3gV7+8CPaAmdLgjnCjIXtUJ/htUStfwFtiSR2WKwRI1hpJHgerr9Sfyqz+stmU+C8pT1kOe78KmQBrIGoCJKvuWBites/a0BDwcFsfkD5Gkuca8smAmn+hgrbTQrV3EUMsD3fZjSDKSVZzT4xTnPZHqrJaXTd0qhOgnunrcTbqPwAKdZTllxDU+sR9m35RZ7X0o+oNOYFlgXiQpaY0d9D0XZClkEOFO4F9gATTqsFf4ANLV0NuheMLgnMKWAgKpILXkQUw3bJJrd3PkAy5bkoK0Z0cBGj7i4Mime8JJzSWOqzbbd7M3pw08U23P7+iW6SUvCEamjF4Hn2hMRKXpyNPTe8OAdzzJC/C36+5s5ufK/82JC0930uDQ70hNNxaVv3uXZIrtiWx18citkIrNHxRd/12xKdAiRJLmRBiinS
2z2XO+GqmjH9/ebfzJsfdt/ghjJWivICRq0h8U/lhGNJhVX8yppp+o2mRHY7inYywUvM8SqUlIQQA8e0txksUZZWhah+opDYcuu117is+p4WR7GvCD3c51qhfE2N/isKoi7Qm1ppUKS7g9paD5F4NKxJdBkOHvfl0lC2IfPcwbBQfkg7/07HucXO9g4t6IYW5k6FNQ0f+3t/7N/3GBCexmNF5YxzaLlu/dSPZr9QzXZ2OtDu0OgCBu2BPq3eXzRqaY5U3vOn/2IwaFuvox5/msuEpg4Nl8ZvO9AhfqtJPeOimZ1i16uVF1sMbS7qaCd+QH96sdBm6qMunL1pJ53TVamTJPuqTMNXZUnoqixNU6nGHZF9sNNLq7ZwSTdeR8qcS/Xtqb1BGTQQmKNkUvzAHjtvU3r8lbSXgZhiLAaan52mqKiana0oo6h1LkrywmJpVDZXunawVpi7aeypvpGlMiY51bM0Cw5WcnPju4SAWKOKnuE3ezl0K6mbWFztu4fbNlOtMhjWFqyTM5b363SPOV6uQ21CvTuAFoNeH01vjyBlofq5kxj5cd9G6Gq4QqJf7l1IEVX+0SnU+bjhcizrQVVC0VGH8KQdAIYAL9r6X80pieZz10xnUxLZRx5rXpfQDnbkuQ5SP1vXnBOi2psdao+4PUkD4m0PQN8R+hDtYvHPs3blE8NuI13Uc+RJDVgGPVoOoraSb1qtjq+ifT/ckXWW8Bo3kVNcaISbuuiRlvJilflnxzMJOb8hRgu5ebJv9yTF3+CJG2q7DYvcNeqdYDTfzVODOHLG7gCFKzIX7U8tazYtdivMhHe1KysZFi+25/R8KG/bMpM+HroolPkLrgLMmjbXgXTgI1dKvsZ8RTJOttPPVcz5TbadhxttWyxLuqg16Zy2YTSfssQZba4r0iONYio8QjQ0s2eDKqsz7VFQyvuvthZdVzcImBIQd20m7YumqPatXG6IvED3xDK2VkReQN8+VPqIuaWQnobB2H4Y1z4U4JGF72RACokWUmzNd/7T3Hc4MKp1tFbbbXGHpR5vyjeg4+1It3vFIDdivt0rWNH2wTjT5hUVcS7r9Bvkktv2cc27q2yHdZ9Z16w7ip1kM3ieDShUBeKCfyNJRUBbPfQaNU912v2KjqGatFZHeEGt/9c7Nge0u7KorexD14BwAfGhHAn+zUqYfx+QjHB5ZgGlZNLMcMcZ/QJQGDLE0rbGpURdoPv2fPbLZHZjklNpurLB7LUyiqpNerBPlIUTVk1N2ZzVSvtt4/4zYDWAUGVWw2XmOGvRqE3wbfxqPsOtbHd62HqySetT1IEnx9RnQ8c14EFYKZFT8NYYjgb1fmD6a/pAXnWaDkCTgeeoklCR9jkiOn8SVrOwxKc3ETrivIXBiCZSoQorqFOgIHHP9f8RZWkkgth7vBmGrBKdH1Q0rPQ8n67R7aY5v6C2wi4XZVUPz0IS6zHaUl6IrYu8cd0dnjevYtHpDiayhKblvzVNy22jaHc+eQcRExFR3vXWJLfvGhSWp/yBFC6K1geWYQX2ulNgzTdfNcgvaHGI+WyQ5zdRbHTrVFsTsI/CE/DL/fkw/1I5nxC6H6Y6N48eRJa0X6J6uvPHjdoplH9YT/tutJ62pGyO89KQ/ROM1xwJSYo6J8h7gEnYiWB7hmWBG2KC2Lzfa0TWl/kdoW5katQGG9kPbqw/yo1vhPcaq3Wz26Hx5lAi1sbCNKLJR5g24exXfqReqQKxIbJBc6FkbqCa/w+zEpCRbxxRiCeoec4IluYjKJvRkubC2H2/E58icNw/aUVFPcxV/8wyOhflomk8s9wT0S4BQY6Q1xsqazW/d6N7hwKKuJdjrueIwMa9suO7Ds5RD4/V0udsx2I9XLfXrhUTeupS4nwXCJvkYbA/O+T8Ol9jNOf6ur3u9jRpDuTQjtv3ndsgBkvkhV1qc+q2VIVNjY3azdg78aNLqrGX3EEfGrdG0uytdq6aodHt9VE9KLltaF8PMqhf
8qLVhy7QlY3Wd9WCmP3isC5k/gi5/4tvv3IOikWtmzh+oRvhXHNongfmsxWwW4E2WFK8YIOIcZvQRjmqGI4cOUW4mrOtcFcNsmNfmFNvbk0fi07NWt2/uL3ra2DIlVSytl0sWybaRmB8619HBrrlutNGOrKRKiGnlW96MpAFZivdeZ1CyKaVHfRla08N7IVCBJb37S/vEeU5qwtiRINrzGLAL9DTm0dcVoy8QnfW+LTDgqy7CNug4GE/wzsDGPOtqA3jpurBqHNBzCOCtjvOmbdOVL6j6uHAA4eWdLUickrh+vC0P3Y9jQ4LaD5rSdRasMKssbWaIr069p6jZrHihu9RToY9fWdvxmdNQuHtdTjA8uQXK2NaZ7O/zQNn3fs8NDOxPg1VL74xCAWHjIIllOsVRZ3H9HSn8pwtdqBLWyNbhGw69nkKInXlsSy2WJ4r1mJYK9G2qrOi15AZKdL11IgcjN7g3Ff2CitOst9bc7omK/g3XvmRh0+0tRgSGiFJglVCTNTIptSNDY4pO6NqaYZfiEdEi35/157Er+ehweD8MCiFZfeVwRPe6F76Tq6qP9gw18N6+ilCmHJRj29/XWWlWiXsQCMdxplhA4/O96NBp1cB2WP+JWPmtCJVQ4vlZc3QjcGAclHYzne+SFNYx6O8II+jJ8Go0jH9YeJpgqFBsZUezYJI8OqXWFIGL7UB/4B9G+Ir12v6GwMbpJ0nrbjvrXc2zcWNj542kSoVkapyCQn2TA2m7a6QNjDO5zg/iwSNWxN75i6LutdGDoi3drL9tfkSU65QQTSmLGA6LUStO3AR4gU7Q0yK99rgJm4AMMVFuCZlxSa82l76Vou+hUHnBclFqRjtZUMkwzsIU9bCiXX0NLD3zRdgaThosvR5LNbnpjTVNZTqQEHSWy1tmJR8/GCM9Ap3bMscj8eWdHZzUZZmb6Yu2JWF73atNfruhhbWwvZ1BUL9GZu7RuSHHOjj7emfKGvv/rwbrRC+dh4reGQ+l/zy459Xfv1TLKJ2a/IE/rdYOJdleKdWdEp5oOtOy/T7u1t0O7hwu4gm1OZxMZmHcYwKPG6yF1Yzde4O2cQuiiqsZtkDlS1EMXN34veBK8v3hzXYItfnOiV3yrrRZsm76ThcXLqGDbNpvIB0RYvGRRkxxsvxmvIgCeakm2HMVd1QV9XTBKTvNnT3wWZxejcoPI49krzu2ij22XpBQikFPqP30EPZLIZU0FNU7BtUTTQ83mDK8NBBhxr3EIJ4+CWRMlKN0O7HsIdrPr+uU/1KlxBsnfRD/5bw+/YiIgNomS3qotgl2He0zEbGqXYga0VihcQO2qIpMJKKUdlSvYDpTNXzBNtR1Y01sbVUoOFkEyfd5pw7nKHi4G28oT1arevr8DTsK/V4LmxmtAiuPt6gpy7S72PNjF6yoAwCDOGl+eaxEsr88hn6ZmjG8L6X74GLLd9THBXJa0hd2+yPHukakONZDO1+AMiVz7R56wJcX5MVznfoQ1SBZXQh8XlSf9zQe2yiHJWY8qWxjA4+UlVYQq+POTKq9lSEOxgYvRWFDThqixt03rUDaNGR+xceX8xU0zXK/bz6t2SLfq45qM9vREEYekr55uLr54iK/DlamL+I+QtzzHaKqouvw35knVfZkuFBd6rxN/C+rnV1h2BYsHdBqux8AWGxPJi0pcVEWuynC0eJT5hSRJoNFUS5KcfKoR7uj29+Nfb7exty8/XXH9/8evnu5uuvbQzMBktMo3tjK+TDuISMo1v5Vz9k10cbNZMxH399udjOsbmBjYjDuRGBuyR1cSkk4Yrm4w5Ux5xMwlqmWFEBz9bpYNkW0zGdxtuQg1wkLClsmPEJKapeJG8DvSiUluMzWSB3Y5Zu4M/nk6Q+gm+K4yA1OLEtCTy4mFxwYBun6OITzRBLGjUY/WQmOCdSJxPMXA1MpB9wGRYWB+opjDd8DHlOm3o3HLdVT2zt7TNthKLjXXKoDpJxpiX0fvNDFAgx
ywPsHv872vZT3UQ++ZdrqMjxDMzngHV/zNfvSyDReXymEA67xJQZfvmEwzt3/m6vu3G9kD1tVGBNVoHEofhbvI/rycxVHqQ4JbgHQnpcTKexjGret1UH+HksjXcq/rfkUf+NhPWXBruKaTFTsd9jXvxVhD2rLXaNNQ2fssn4h0PvoVe1qmhOxYj4iE9lWwB9Wyz50NX2+YlTvKwykS6c7t++uUO/WI9HG44RRvXbzM8v9//xGv1WExmp1lIznknSr/ox9cmn47rYoXc+pDb4vNvoafko8d8FE+PLtBmwKmI8HoPTAffqCZBFSiE6zLAsk/hiAJOMF1yNCvtvwOpiRGeAPaixucB7wAXW/dv7OOSC8HxdYnl6WFwDuavwoJXDCT5InA+eN0+EytYJfM3JcmwwZQO6XEEyaRKgWPwzCa7CCbX1bOZrwmKA0z/WU/YwJORql8RctwmIeYZzKFuYEsZmoBUfpaJ3QBeravM9f9TrBGmZ8yzX0tgo4ypTdeANbMxbdwLohg0aQp8ES/iK8lGBu0PgtJgSni0ztaU6T9jXPFsysVW4THkt6kJzvZkCn+THynlG+bRtTnlFZLnYjQjJGUBX+UMqODRHSwKtskoKLbIUVxzAb77PwGZNgWYT9hsTq2xM6/8eaMpLaM6zEj9mWp+u8O6DmhVmJEkslJQnI6Z8CuKKqYwtWDbeeboH/adJ4An1gDrQ47PUu9DjI6K70D9Mgg43Vj8V+l8nQf+PSdD/lgqtRcXwgqRt9QY+RVXiWVkzuLwXuyR55sGrhyQ5XtaMrsoq9fY29x9mq/GPRg6WpglxRX7LU3Rvnin7ZJrEKyXzVO3MgKZqZ2qn6iqpPnbOmzDrROVOC20UDPKYtLW10EZJSocG9SQRvOb0kWMuFBm0zTwJfvOjoT1ZLGx+FJVeE1wkmUCirLKcJdnQBjTJpQGQEtpkpcGqRNiqzpL8E7mkmuaYJQV9qQyvCM93o96UutAcs93vpFik4d5kkAyfCGvTeFIx2+fsRHhjIf+YaiGrbEH1vyUmH+YqG1vbtAcqRcJRVombE+BILlNi8ZT1BIyoK9kBJXptvQEpyrcFh+sqEdzWvhmTodmBXlJG0nQRlS3T2EWX4wKQ90HTJK0yRjAnjzpLPEbGBi6UrgZFfk6GVjJPhPad45JgxSorSUFHBGPuQ1OeyvFSFDUjKhdps3bgdJV0KkSltliP7ETRgQ/FBJwIKsmKKi1xiqbdQifdVLaTYuKU5YQ5K6gjIpNPp41qsEueBA+NRZOuOBt0lI56yuW8XQuqMlvnOQV+hyVOXPAiElZ5GuzGdjAYD0mVxv1mrScBKr2o5emFRD0csTXX0uDqBHwp97CPJR0PCFV7liml0OMR04egVrgoxq86LcY753wCTZJEoWWWSyHKxOwbA5qkFNEyS32Ec7k7adOtHhKShSqVkspMK1VJOhqMYU11nfBuwygnY1JJWjg1shZXAwmBjykmCBM2ozlbMpEgHBvwpBAAo+kl7HcDlrTXjW6YhC7Ba8vEKnEp+Spx21VCjj8c5aJepW2dkqo8bbuWKnEB06rPcKIh9SUBMuEU29IA41+lLNz4ByW+3Y7XFRLjhJp2DQmQCfJeSLrKAtXaToDcciJTZEuVJXYQrLKRFaRbwKQ2Di140izhJI3fpA4wpZ2mVfoTUGKlzJdZvj49nnUAbPtyjocnslwZu3iQUX0a7DYRNEXM2fylDx96lT5PApVilWFVjSr50QUe0+XBw0mCWdrNI0kO1Nps1WTwlMka2LEJuh1YIYskrCkmmkqyPpW1PpM8pYqMd5HacrpJaoQiv6UwM5QGOwIuSXFRdJV0MFU13m5RMk9beZkXCVetknkoy/ck0FEtmbpQtUrImdzkfHwQQrBi6HEwm2SZ0DR8pVMWwYKleI2aipHjIXdVQuZqXSwSX61ryZKkUq2IzAo6Pn4zsTCJ94mkEavztHb5m4xypfEySZJuqNRpV/Gm4kkpDlrI
mp+lV+tlrQV6V3M0GLzxQk8qEPcRM1qgK0kKqtEVloXLGTvQlsbVv5o001gdSBjGNl2FiNlcMBQKKWm8vZRPmf1NWTGxI4OCeEd5sBT1iPT4U/vyrn1LHagtJsmKPKIS90N3W48eX9X9siszkMGoggIbfnzVbaWp6gpK1A9TJRHarrFGVKPKtucPE33oKXVMqZBwe3db8dwjQZS7SgaRzG5G+fQK2B1izHhdShTSYgVNdi7a39uOEQPucbIhsimipAWqsFQEvSEaQ8Vheyqafmno6WuxUi/ubHDfM3TtynjZ9iSD0SGN+B1xxWKBbI7eEv0r1Zyo8FoNt14ie5ZQTrjZzTC8nY4iWObrC8ppxOCVeJ5iCD1hY3vrMcrJC4ZrDrVTV3XpytIfKIXQq3xwgOo5UuYbqptEeVfxNaLSG2Zm8/ZCtj23zMDoPXnUsDtjRsFZG1C3ReKO9KCGrNxJpYohL1cR7ZsDH0idP/TuPb42hG8lu/TjWgnWt/CaN9l9s8hiHfYGgXoG6lWQ/nF1vE/onF2Qx9trf4hg9FjJ9pEP0SO3S9PCwT7uN/jQYI823HQQ56KINwWjG9qEtAUbgqxACCukCOF7fTLDxovEXOF8lmKrgyxxOzh3DZya1tq+W/ABsioiS2ovwvnIage1hVvohjKyIq6XB1aKrrhlfluZO9LWAC/m6lYfWXLAcGDHLc7YWiLaPiS0zTsUxXIL0yrd+PuSFr6tbdMxCRo2Rg4dQoGYnEZrkyQSJDVagfSNwlrB6/s7GRwRFXYracTRMyN+QBIpXXjO+Tf9MwcEdB4gt6L3Pp5y9WBGscrWYgbtrtcdE2ritGWgoKNPp+BROKYa2Q1q6OGuxTYXGkGrzItLpoQxbXrNS6AK+c8O4gJd8l3zv8HoGqwjxTXCxYXvaBwWTInOL0P6FGX5qz4/ofLgHlOpa+tsrIluhXI/63AjYbdjsrGe1VMNVrwjEv1r4zFQLxwiQB/rXzI2buv8e4+3VO3tvoM8jYZJHJMFT/plcWxLure/vL8xsyOSWKMRPDIFVbkkFeb5zmgl7vJnw162hgfP0fs3r9At19+9fI5u317f/Ocr9OGW6x+/R0+36x3irgFjvhbKlXET0liv8Ktvf/xf/+1ZuPcd0etJ8qI/Y5BAFyUOl0ZSk/fIyAPlKvHferThw1R8arK65/wIbdGEv5MvphBFPcWm1UF9c9PXl2+D5PwuOJlih6et3/8RnFyE+fP7mD4An+CyM6QeFzXAxs9zrxzg5QprssVnKSwNu+wOXdrmeX63hRA210leVnH//1S/5u3Vmzsrh+O94vEMvfxiprTVc3zr0ts7gyxi1Rs+RGvBzMIHM3qcD14HyGxNsbkPW7fXQmE70mHWPlV0KpGHZfesy2SUdzgswp2W6/2FGiBrY2sSdYZTxTRGbx0Nd0LqRkQNhJDtPQFMdN3nD0siNTv/LMWUr7z49IS/iTGPk5B+P5+XyOEHGwQrJXIKRePBWh7crsjIKYn5ilw06nEu+JKuakkKtNi55v621X2kO000pWAQKBzRpoLDLpMyFdgo/a4bWplgMElSCk0yFyOU8vKbMsWCqwxnNnwqCbjSMhV8mcTeZVIsNkvbAOkZNVXS5HCReWt8Wr+ufdvC0HLRH69ryJxFW7gxhhUnGr3fVeQ5+uDF3Gswkb9Dd95EHsiRX2I3qi9eNcuFEVHpPVnId+3EjAUvjKr9ITzQYwmhAxsiNXSe0cI3uKIcfbiNHqEcQlomnMGUtrFcZaJKKpRnQCVR4+NoDGBSiJ+VieMDosAHlYTRlqnJGOGrhJqPgNdcA3M7l6ApEVwvmHWcgxzl8IBjrKifhNxiWYSagV1Cmzrwu99J8Qiv7guit4REOhmPzgEe+yIhNGZdd69Fh6CQCbw2DebgmqBJAg9BJdXmqLmiQuFJbBjm87yrnOAO8M9qHYfAYAr7DoLWB7gx2vMKlOd9iZjizyY5ZFtsxuSRnvaGgqWmec2w
9M3cHJqnN4+vXouVWC7D9alJnuk1mbvx7XszpOve31J2YygzBF3Wek24dqFUUcLm6j22/1xZN20Nw8R9UERGSRK1zsXc3HKDxkm6tx24I1T5HjnTbt89igAz8g1XDjZ/9djP0D6Z9KgwpxjcwKoSvICWriKoAjSAw6ak+3RvxmTXRm4DjGyePcS9MUqKhmJnb/X0GsqRoroOSBQEAXK+C54bdY0VwoWooCvYmlCJxJb3GiMhjR8FF2Uk2sXXqM8G4UgzXH5GDaO8MGdZSNW297NdhC99efzBRE9xn/CGdHs2ouFUzQzP9HwUneS9e0Wad56Hmoh1pjouq2PCVG1UwL2LKpx7rvHgkIWYFh8XmN6CrPGGiho0G2PUSVHSSKQDmR/9DccLBmHDS3R1GDvlm/Gdz0Jk9GnY02lQEMUeDSPLiyWQEMDQUDB9DTr3Sruzo8vfhrDXXPdDlFN0vgKSP7J8QldcuGWgkznNPWEwLQgY6D/2UL22vc4DVRqRI+ci//ZCaRl3knuqw4mvn43ql4epdteixTWJ8qAZ0ZhEmpbQtNVpGpJUJOrkdJwckRp1lJmQkj6RlfLEDRCuCvPZNsB3p1H97eSe6EHinePo2BwG1MOc2qN3wrH7I9P/8ij9cmb+2w0/C/XyOPdH1KT4NEf1iNRrjuofedN8d5ztpxeg+jRsP03WyJnP6px7/YSTOvOmmZP6wZZplMLCdumcrJvhWq+zkui1OIs3Fe/5uZBF5H4WXRjI3pVioqV+wL/7TjDnazKoDuyQZNvyPy9++NOf0NPX15d3z9A1VZryVU3VmhSQmBPExsRKzJAfe8iv7Vp0Aya3GPDDyJu3FJP9JYdi7w3vQziavQk+vxGlw8dszByC4prMiI5LA7CG3ikwDxVRat/JMTs9i79H6jtc0FrZMZCQSNGSMiztYTaCxOzWHO6jcKgunBlF5+mF2/ggu1FmH8xyeQ9Ir65Fe2CmRBJe8kPnBpyfLj68439ypjN8M1gxZ+ySTuBhEXa0CDntUWzgugV2CbnCnP5+INaJT1mwUxmWwK3uykdYtqQyGMWfnP36kxkQ5KNNKrdZunuRSD8TzPQ6x5KgSpJClJTjYIh156jfYU0J1+po4BnD887nNf6s07FFMEiVvL3MFn5ihECFpYa033Yyh4XQrGm97uCeIn+WpCASa1JkI8IADqwitCH3Yzau7jspNrRo0tXd73BVMafnDJbPpcgaQb6vEUV6qTfToMVs82gGdXUc9C4ykWChZ4gq2VD75rTuK3aRwgGNQjOulP5YrYY8wl3eAepkioSafFv9B7QhrJDSQlr5aEYricaA7Qn86sL86kl4fiUtCkbmlBhvYMRTZUZgiToyJElm+OJ5c03ozo3XydHlO//i8RxVDBu2mxtJSER4LndVzIsIwSuzWAUnxEvIxkL4WSiN3uB8TXlEbS9w8hn9qs+vDxwi+ypJzEE1t7pNq1cX6HWBK/QR/mNv9UJwmw/wj+F1gdZ4Q8x9zwiWtoU1gvoSqhJcEa8HhJMGzIyyYdvrCbLH1UbIJdVEUl+lg9sJ2ooMcUo80bMQ0y7zO1dE5lRaoL7oVDdBf6/5wlF7acBG/3dXDVVI1jzQ1x0hrJ43kti+5thk6khEthsxc1bEHMzEaEt5IbYKqYrkdElz883zUNy4iz8ablQzAUtR++qLnkrf9bwRy/DM8KzDD1RzuLlekxXOd+iD2i/y07yHlP0Eh6SoJTPKLKZV5A7rqtuADKKmYTOYW2DAtyafKZDFtJchAGG2QybsT2wOdS1Wbcgqb4E5wRyCG8LBJExnrnip2GRc5JRz7nnJcQOTi9daGdI7lxOjcTru87cNobGsHHA5nP52PLUEghvHlWeORoDDpAqypNz5AuGoQy2IEleRYhSAPxJmfSbsrbnbUz1SBEnjb5o+A5ePHKke0vjQtMb5upy9FF07LjAGDbTgLtsSC2ouKB9Tc3fWnWbIhvD3qUI/cGy7wbjAPFtG
q01FCtQjH9A1VWYfoavC0q+t+fh5S+x2TQcFz5DZh8aysCF6J01AJ1S8tKlwQo5rz9ib/p9VhflfjuZzelT7tc68khYSqWZqf34Box+h/owX7oBuXxXtMN3RtcoI11JU4WNYiHoxMMhO2mtuVGPdkCOhjUDFyE5OJ1JxJcrKGKR+58MGhwYnVvPcEGlEa2bM5vCFhNXD9LjfI2exp9N73FsyvbLZ8rf0N66fasZ26D9qzOiSkgJdQzaMdV4EkW3JIsuFeKBne1L6lSyQxdDaJJjF9LKE2jrtY09Va9sGJ1aP/PjZeNcM4mqpOreV9c5doPe7ypLfWlRmgpbPcRZLssxGFsfpEWawWBNMPlGhQjt9dPM4CxoFYx+/9V5UQnrPHjyvvHsdWZhOturoZfXzqaZWjD0wHTP2UT+cJ0QKkXzP7aM1IxmuoQrrsIMj5xlW496jOqAytYN6LdkodnfgRnGnUcGzWo7v91tB3zNoDp2CMkH07QOPDNHYB3a7IOk4kEdNOFyCKQqbGWHE6jbX6lqS3gNlyu1mh5knhnzvRL+HgeGqe+H+feWQvHD/cK++IacXZkSGYwgcwWd9LbHkdh9LwI/RKcg8ILhwZZONskj5kkgZ8dEPZzYT5V116Cj7gk6PWcjw1YOWHVYGti88Y4jJ2zcwzIwb4ca+tpgN8B7igmT3o7+T4SN0vNg9rdZEzmXVGD3Hvfk+vYKC6s/QFWAIIydSz5YoGeHVFZGu8D3Zi+k4UGKHTHws6DCjsyxm2CeqU3fp4HrQ3+N+gvFpkeE1Qff090j6zkPyGbz9+w3iZCU0tWyu1lhF6tOqfP7k3Q7D7fDxgt5mQSbUpx08APbW2hf88vGe4Qc7RUc2VzwtT7ipJf4+2lbDnD2qVJ3SGNrAwqPuFPt5mpcPaCBSTvQsDFjXlRc3Znh0D08Gh07rTK9LTb0r59t/eg/hHIdFaEdexMgYLy8OUBEXGkqxbDPtLum7yJ0TJ+ySy8wWwHVCMQ2VDkofiLMGklOivmoLPHYFJciL75EC362Q6Pb+8u9v7tCdkZ/oFx6pSNnSk5z3kULP+60I0wPHMl+T/EElNHtrBcvU3PZQEeimukmTeg4BGq5wd3vuD+gqRNJB+Y2zqCoWU5O1F1XfgCposTafGOzSscGMFnZDBND0j/6M9aUOHX2Y9QPZqb4oOnmPJXdCX2tdqYxCN4JEYGBpGtn56S2/puw9uuI+3lFIqndH9l8uynJiLv+JlFlMzqQMp9dsqSSsr12nmHBbhnk2qg/12JAE5ZsG/Opo9jGyYQMdkhuyStB5QoBCJFkcCHAA2rDuBazJ15jzQQLa9ERlNy6ginjKZyu/1Ig8V7H719eXb53MfdFD0Ig6LWTfK5ayvQqqHrKNYHX6NC59Dwzuamk2nUF8k4WaU63QU4tGPYPcNUgm8F0QAv6iSBAaq5NP+GtHzQdOtXsuudgPRtsQCS8ly5qhXPCcVNqYAPeW15EUpzGd1IN1HYB5xtjwLUQMKdD9TRge/fzXy1AwSZB1KTtAyNU5QhT6oWV7To8Ftul7wQTGv938cnd7h97gx5LyomldEma/of4MgQx7hb4jhDtCB/QfIry5gsMh2EkBQTYyOxvXxPMPnkjjJzV3oyUnqW6vXT0eh+cgDWxOxn7mjB4/p/K/QM5BExzJi6E2knKSwOIb1156pGLTdPPS4Ae21m5pUwOeI1UHwqKwQn9WWgq++suC4fyBUaVJ8ecX7rPnzbeUL0ke/mpJJdliFrxm8YJ1YBDmBVICRbaPJCuqtNwZq2feg1lhvXal6BosqI9lQMak9oNDQmyihI1tzYXsVO9qNJaGNsK13P3L/w0AAP//0uU//w==" +} 
diff --git a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/f5/firepass/config/input.yml b/x-pack/filebeat/module/f5/firepass/config/input.yml
new file mode 100644
index 00000000000..467922155dc
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "F5"
+ product: "FirePass"
+ type: "VPN"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/f5/firepass/config/liblogparser.js
+ - ${path.home}/module/f5/firepass/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
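Review bot: `debug: {{.debug}}` is handed straight to the script processor, and the liblogparser.js added by this same commit logs the whole raw message whenever debug is on (`console.debug(" input: <<" + msg + ">>")` inside `match`), so enabling it writes unredacted VPN log lines — which may carry user names and session details — into the Filebeat log. A comment above `processors:` such as `# debug: true echoes raw event payloads to the Filebeat log; keep it off outside troubleshooting` would make that visible to whoever edits this template. Separately, `exclude_files: [".gz$"]` is a regular expression whose unescaped dot matches any character, so it also skips a file named e.g. `rotatedgz`; `exclude_files: ['\.gz$']` is the precise form, although the looser spelling appears to be the convention across Beats modules.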
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ + 
setc("header_id","0005"), +])); + +var hdr2 = match("HEADER#1:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var hdr3 = match("HEADER#2:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0007"), +])); + +var hdr4 = match("HEADER#3:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0008"), + dup1, +])); + +var hdr5 = match("HEADER#4:0001", "message", "%{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr6 = match("HEADER#5:0002", "message", "%{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr7 = match("HEADER#6:0003", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr8 = match("HEADER#7:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, +]); + +var part1 = match("MESSAGE#0:firepass:01", "nwparser.payload", "Entered %{fld2}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg1 = msg("firepass:01", part1); + +var part2 = match("MESSAGE#1:firepass:02", "nwparser.payload", "Logged out%{}", processor_chain([ + setc("eventcategory","1401070000"), + dup5, + dup6, + dup3, + dup4, +])); + +var msg2 = msg("firepass:02", part2); + +var part3 = match("MESSAGE#2:firepass:03", "nwparser.payload", "Finished using %{fld2}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg3 = msg("firepass:03", part3); + +var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2}to Remote Host:%{dhost}", processor_chain([ + dup7, + dup3, + 
dup4, +])); + +var msg4 = msg("firepass:04", part4); + +var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1}= %{fld2}", processor_chain([ + setc("eventcategory","1701020000"), + dup3, + dup4, +])); + +var msg5 = msg("firepass:05", part5); + +var part6 = match("MESSAGE#5:firepass:06", "nwparser.payload", "Access menu %{fld2}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg6 = msg("firepass:06", part6); + +var part7 = match("MESSAGE#6:firepass:07", "nwparser.payload", "Accessing %{url}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg7 = msg("firepass:07", part7); + +var part8 = match("MESSAGE#7:firepass:08", "nwparser.payload", "Network Access: dialing Click to connect to Network Access%{}", processor_chain([ + setc("eventcategory","1801000000"), + dup3, + dup4, +])); + +var msg8 = msg("firepass:08", part8); + +var part9 = match("MESSAGE#8:firepass:09", "nwparser.payload", "FirePass service stopped on %{hostname}", processor_chain([ + dup8, + dup9, + setc("ec_activity","Stop"), + dup3, + dup4, +])); + +var msg9 = msg("firepass:09", part9); + +var part10 = match("MESSAGE#9:firepass:10", "nwparser.payload", "FirePass service started on %{hostname}", processor_chain([ + dup8, + dup9, + setc("ec_activity","Start"), + dup3, + dup4, +])); + +var msg10 = msg("firepass:10", part10); + +var part11 = match("MESSAGE#10:firepass:11", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ + setc("eventcategory","1606000000"), + dup3, + setc("event_description","shutting down for system reboot"), +])); + +var msg11 = msg("firepass:11", part11); + +var part12 = match("MESSAGE#11:firepass:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup8, + dup3, +])); + +var msg12 = msg("firepass:12", part12); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, +]); + +var part13 = match("MESSAGE#12:GarbageCollection:01", 
"nwparser.payload", "User: '%{username}' session expired due to inactivity. %{result}.", processor_chain([ + dup10, + dup3, +])); + +var msg13 = msg("GarbageCollection:01", part13); + +var part14 = match("MESSAGE#13:GarbageCollection:02", "nwparser.payload", "User: '%{username}' session was terminated.", processor_chain([ + dup10, + dup3, +])); + +var msg14 = msg("GarbageCollection:02", part14); + +var part15 = match("MESSAGE#14:GarbageCollection:03", "nwparser.payload", "session '%{sessionid}' is expired due to inactivity. %{result}.", processor_chain([ + dup10, + dup3, +])); + +var msg15 = msg("GarbageCollection:03", part15); + +var part16 = match("MESSAGE#15:GarbageCollection:04", "nwparser.payload", "apache server is not running. start it%{}", processor_chain([ + dup8, + dup3, +])); + +var msg16 = msg("GarbageCollection:04", part16); + +var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2}already started with pid %{process_id}", processor_chain([ + dup8, + dup3, +])); + +var msg17 = msg("GarbageCollection:05", part17); + +var part18 = match("MESSAGE#17:GarbageCollection:06", "nwparser.payload", "no servers defined for Radius Accounting%{}", processor_chain([ + dup11, + dup3, +])); + +var msg18 = msg("GarbageCollection:06", part18); + +var part19 = match("MESSAGE#18:GarbageCollection:07", "nwparser.payload", "DHCP Agent is not running... 
Restarting it.%{}", processor_chain([ + dup11, + dup3, +])); + +var msg19 = msg("GarbageCollection:07", part19); + +var part20 = match("MESSAGE#19:GarbageCollection:08", "nwparser.payload", "session '%{sessionid}' is terminated.", processor_chain([ + dup11, + dup3, +])); + +var msg20 = msg("GarbageCollection:08", part20); + +var part21 = match("MESSAGE#20:GarbageCollection:09", "nwparser.payload", "can not connect to database %{fld1}", processor_chain([ + dup11, + dup3, + setc("event_description","can not connect to database"), +])); + +var msg21 = msg("GarbageCollection:09", part21); + +var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1}services", processor_chain([ + dup11, + dup3, + setc("event_description","timeout happened. restarting services"), +])); + +var msg22 = msg("GarbageCollection:10", part22); + +var select3 = linear_select([ + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, +]); + +var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %(unknown). 
%{info}Server returned:%{result}", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg23 = msg("maintenance:01", part23); + +var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid->} ", processor_chain([ + dup8, + dup12, + dup6, + dup13, + dup3, + dup4, +])); + +var msg24 = msg("maintenance:02", part24); + +var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info->} ", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg25 = msg("maintenance:03", part25); + +var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2}on %{fqdn}:%{network_port->} ", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg26 = msg("maintenance:04", part26); + +var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info->} ", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg27 = msg("maintenance:05", part27); + +var select4 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part28 = match("MESSAGE#27:NetworkAccess:01", "nwparser.payload", "\u003c\u003c%{sessionid}> Open Network Access Connection using remote IP address %{daddr}", processor_chain([ + dup7, + dup12, + dup13, + dup3, + dup4, +])); + +var msg28 = msg("NetworkAccess:01", part28); + +var part29 = match("MESSAGE#28:NetworkAccess:02", "nwparser.payload", "\u003c\u003c%{sessionid}> Network Access Connection terminated", processor_chain([ + dup10, + dup12, + dup13, + dup3, + dup4, +])); + +var msg29 = msg("NetworkAccess:02", part29); + +var part30 = match("MESSAGE#29:NetworkAccess:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - %{info}", processor_chain([ + setc("eventcategory","1801010000"), + dup12, + dup13, + dup3, + dup4, +])); + +var msg30 = msg("NetworkAccess:03", part30); + +var select5 = linear_select([ + msg28, + msg29, + msg30, +]); + +var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username}logged on 
from %{p0}"); + +var part32 = match("MESSAGE#30:security:01/1_0", "nwparser.p0", "%{saddr->} to %{daddr->} Sid = %{sessionid->} "); + +var part33 = match("MESSAGE#30:security:01/1_1", "nwparser.p0", "%{saddr->} Sid = %{sessionid->} "); + +var part34 = match("MESSAGE#30:security:01/1_2", "nwparser.p0", "%{saddr->} "); + +var select6 = linear_select([ + part32, + part33, + part34, +]); + +var all1 = all_match({ + processors: [ + part31, + select6, + ], + on_success: processor_chain([ + setc("eventcategory","1401060000"), + dup5, + dup14, + dup15, + dup3, + ]), +}); + +var msg31 = msg("security:01", all1); + +var part35 = match("MESSAGE#31:security:02/0", "nwparser.payload", "%{} %{p0}"); + +var part36 = match("MESSAGE#31:security:02/1_0", "nwparser.p0", "Invalid %{p0}"); + +var part37 = match("MESSAGE#31:security:02/1_1", "nwparser.p0", "Valid %{p0}"); + +var select7 = linear_select([ + part36, + part37, +]); + +var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username}failed to log on from %{saddr}"); + +var all2 = all_match({ + processors: [ + part35, + select7, + part38, + ], + on_success: processor_chain([ + dup16, + dup5, + dup14, + dup15, + dup17, + dup3, + ]), +}); + +var msg32 = msg("security:02", all2); + +var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username->} ", processor_chain([ + setc("eventcategory","1402040100"), + setc("ec_activity","Modify"), + setc("ec_theme","Password"), + setc("ec_outcome","Success"), + dup3, +])); + +var msg33 = msg("security:03", part39); + +var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1}consecutive authentication failures happened within %{fld2}min. 
Last Source IP Address: %{saddr->} %{info}", processor_chain([ + dup16, + dup14, + dup15, + dup17, + dup3, +])); + +var msg34 = msg("security:04", part40); + +var part41 = match("MESSAGE#34:security:05", "nwparser.payload", "User [%{action}] logon from %{saddr}", processor_chain([ + dup18, + dup5, + dup14, + dup15, + setc("ec_outcome","Error"), + dup3, +])); + +var msg35 = msg("security:05", part41); + +var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username}attempted to access admin account", processor_chain([ + dup18, + dup5, + dup14, + setc("ec_theme","Policy"), + dup17, + dup3, +])); + +var msg36 = msg("security:06", part42); + +var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username}exceeded the allowed number of concurrent logons", processor_chain([ + dup16, + dup5, + dup14, + dup15, + dup17, + dup3, + setc("event_description","user exceeded the allowed number of concurrent logons"), +])); + +var msg37 = msg("security:07", part43); + +var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username}from %{saddr}presented with challenge", processor_chain([ + dup19, + dup5, + dup3, + setc("event_description","user presented with challenge"), +])); + +var msg38 = msg("security:08", part44); + +var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1}from source IP address %{saddr}for URI=[%{fld2}]%{info}", processor_chain([ + dup19, + dup5, + dup3, + setc("event_description","Possible intrusion attempt detected"), +])); + +var msg39 = msg("security:09", part45); + +var select8 = linear_select([ + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, +]); + +var part46 = match("MESSAGE#39:httpd", "nwparser.payload", "scr_monitor: %{fld1}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg40 = msg("httpd", part46); + +var part47 = match("MESSAGE#40:Miscellaneous:01", 
"nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1}is not exceeded", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg41 = msg("Miscellaneous:01", part47); + +var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1}logon records", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg42 = msg("Miscellaneous:02", part48); + +var part49 = match("MESSAGE#42:Miscellaneous:03", "nwparser.payload", "Purge logs: auto started%{}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg43 = msg("Miscellaneous:03", part49); + +var part50 = match("MESSAGE#43:Miscellaneous:04", "nwparser.payload", "Database error detected, dump: %{info}", processor_chain([ + setc("eventcategory","1603000000"), + dup3, + dup4, +])); + +var msg44 = msg("Miscellaneous:04", part50); + +var part51 = match("MESSAGE#44:Miscellaneous:05", "nwparser.payload", "Recovered database successfully%{}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg45 = msg("Miscellaneous:05", part51); + +var select9 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1}SRC=%{saddr}DST=%{daddr->} %{info}PROTO=%{protocol}SPT=%{sport}DPT=%{dport->} %{fld3}", processor_chain([ + dup8, + dup3, +])); + +var msg46 = msg("kernel:07", part52); + +var part53 = match("MESSAGE#46:kernel:01", "nwparser.payload", "kernel: Marketing_resource: %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg47 = msg("kernel:01", part53); + +var part54 = match("MESSAGE#47:kernel:02", "nwparser.payload", "kernel: CSLIP: %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg48 = msg("kernel:02", part54); + +var part55 = match("MESSAGE#48:kernel:03", "nwparser.payload", "kernel: PPP %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg49 = msg("kernel:03", part55); + +var part56 = match("MESSAGE#49:kernel:04", 
"nwparser.payload", "kernel: cdrom: open failed.%{}", processor_chain([ + dup8, + dup3, +])); + +var msg50 = msg("kernel:04", part56); + +var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1}SRC=%{saddr}DST=%{daddr->} %{info}PROTO=%{protocol}SPT=%{sport}DPT=%{dport->} %{fld3->} ", processor_chain([ + dup8, + dup3, +])); + +var msg51 = msg("kernel:06", part57); + +var part58 = match("MESSAGE#51:kernel:05", "nwparser.payload", "kernel: %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg52 = msg("kernel:05", part58); + +var select10 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, +]); + +var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username}from %{saddr}port %{sport->} %{fld2}", processor_chain([ + setc("eventcategory","1401050100"), + dup3, +])); + +var msg53 = msg("sshd", part59); + +var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1}PPM from %{fld2}", processor_chain([ + dup8, + dup3, +])); + +var msg54 = msg("ntpd:01", part60); + +var part61 = match("MESSAGE#54:ntpd:02", "nwparser.payload", "kernel time sync status %{resultcode}", processor_chain([ + dup8, + dup3, +])); + +var msg55 = msg("ntpd:02", part61); + +var part62 = match("MESSAGE#55:ntpd:03", "nwparser.payload", "Listening on interface %{interface}, %{hostip}#%{network_port}", processor_chain([ + dup8, + dup3, +])); + +var msg56 = msg("ntpd:03", part62); + +var part63 = match("MESSAGE#56:ntpd:04", "nwparser.payload", "precision = %{duration_string}", processor_chain([ + dup8, + dup3, +])); + +var msg57 = msg("ntpd:04", part63); + +var part64 = match("MESSAGE#57:ntpd:05", "nwparser.payload", "ntpd %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg58 = msg("ntpd:05", part64); + +var select11 = linear_select([ + msg54, + msg55, + msg56, + msg57, + msg58, +]); + +var part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", 
"\u003c\u003c%{sessionid}> %{fld2}connection to %{dhost}(%{daddr}):%{dport}terminated", processor_chain([ + dup10, + dup12, + dup13, + dup3, + dup4, +])); + +var msg59 = msg("AppTunnel:01", part65); + +var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2}connection to %{dhost}(%{daddr}):%{dport}", processor_chain([ + dup7, + dup12, + dup13, + dup3, + dup4, +])); + +var msg60 = msg("AppTunnel:02", part66); + +var part67 = match("MESSAGE#60:AppTunnel:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Connection timed out", processor_chain([ + dup7, + dup12, + dup13, + dup17, + dup3, + dup4, +])); + +var msg61 = msg("AppTunnel:03", part67); + +var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr}port %{dport}failed", processor_chain([ + dup7, + dup12, + dup13, + dup17, + dup3, + dup4, +])); + +var msg62 = msg("AppTunnel:04", part68); + +var part69 = match("MESSAGE#62:AppTunnel:05", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Invalid session id", processor_chain([ + dup7, + dup12, + dup13, + dup3, +])); + +var msg63 = msg("AppTunnel:05", part69); + +var select12 = linear_select([ + msg59, + msg60, + msg61, + msg62, + msg63, +]); + +var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2}returned %{resultcode}", processor_chain([ + dup8, + dup3, +])); + +var msg64 = msg("run-crons", part70); + +var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action}) ", processor_chain([ + dup2, + dup3, +])); + +var msg65 = msg("/USR/SBIN/CRON", part71); + +var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr}offset %{duration_string}", processor_chain([ + setc("eventcategory","1605030000"), + dup3, +])); + +var msg66 = msg("ntpdate", part72); + +var part73 = match("MESSAGE#66:heartbeat", "nwparser.payload", "info: %{info}", processor_chain([ + setc("eventcategory","1604000000"), + dup3, +])); 
+ +var msg67 = msg("heartbeat", part73); + +var part74 = match("MESSAGE#67:mailer", "nwparser.payload", "Failed to send \\'%{subject}\\' to \\'%{to}\\'", processor_chain([ + setc("eventcategory","1207010200"), + setc("ec_subject","Message"), + setc("ec_activity","Send"), + dup13, + dup17, + dup3, +])); + +var msg68 = msg("mailer", part74); + +var part75 = match("MESSAGE#68:EndpointSecurity/0", "nwparser.payload", "id[%{fld1}]: \"%{p0}"); + +var part76 = match("MESSAGE#68:EndpointSecurity/1_0", "nwparser.p0", "%{fld2->} - Connected%{p0}"); + +var part77 = match("MESSAGE#68:EndpointSecurity/1_1", "nwparser.p0", "Connected%{p0}"); + +var select13 = linear_select([ + part76, + part77, +]); + +var part78 = match("MESSAGE#68:EndpointSecurity/2", "nwparser.p0", "%{}from %{saddr->} %{info}\""); + +var all3 = all_match({ + processors: [ + part75, + select13, + part78, + ], + on_success: processor_chain([ + dup20, + dup13, + dup3, + ]), +}); + +var msg69 = msg("EndpointSecurity", all3); + +var part79 = match("MESSAGE#69:EndpointSecurity:01", "nwparser.payload", "id[%{fld1}]: %{event_description}", processor_chain([ + dup20, + dup13, + dup3, +])); + +var msg70 = msg("EndpointSecurity:01", part79); + +var select14 = linear_select([ + msg69, + msg70, +]); + +var part80 = match("MESSAGE#70:snmp", "nwparser.payload", "SNMP handler started%{}", processor_chain([ + dup20, + dup3, + setc("event_description","SNMP handler started"), + setc("action","started"), + setc("protocol","SNMP"), +])); + +var msg71 = msg("snmp", part80); + +var part81 = match("MESSAGE#71:snmp:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup3, +])); + +var msg72 = msg("snmp:01", part81); + +var select15 = linear_select([ + msg71, + msg72, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "/USR/SBIN/CRON": msg65, + "AppTunnel": select12, + "EndpointSecurity": select14, + "GarbageCollection": select3, + "Miscellaneous": select9, + "NetworkAccess": select5, + 
"firepass": select2, + "heartbeat": msg67, + "httpd": msg40, + "kernel": select10, + "mailer": msg68, + "maintenance": select4, + "ntpd": select11, + "ntpdate": msg66, + "run-crons": msg64, + "security": select8, + "snmp": select15, + "sshd": msg53, + }), +]); diff --git a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml b/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml new file mode 100644 index 00000000000..d303dbfff86 --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for F5 Firepass + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/f5/firepass/manifest.yml b/x-pack/filebeat/module/f5/firepass/manifest.yml new file mode 100644 index 00000000000..becd0eb7cd1 --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/manifest.yml 
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["f5.firepass", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9509 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log new file mode 100644 index 00000000000..09ed80351e3 --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log 
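Review bot: The defaults `input: udp` with `syslog_port: 9509` accept the device feed over plain UDP, which has no source authentication or integrity, while the parser in this patch fills `source.ip`, `user.name` and `rsa.misc.log_session_id` from the free-text message body, so anything able to send a datagram to that port can inject plausible-looking logon and intrusion-attempt events. A comment next to `- name: input` would make the trade-off explicit, e.g. `# udp (default) and tcp carry no sender authentication; bind syslog_host narrowly or front with a TLS-capable relay when the feed crosses untrusted networks`. `tz_offset` defaulting to `local` also deserves a one-line comment: the FirePass messages in the fixture carry neither year nor zone, so timestamps appear to be interpreted in the Beat host's zone unless this is set, which is rarely right for events tagged `forwarded`.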
@@ -0,0 +1,100 @@ +January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur +February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819 +February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu +firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example +NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105 +April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape +GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting +May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS +May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat +June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connected from 10.38.189.242 ommodic" +/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) +/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) +/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) +August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev +maintenance[giatq]: [quid] [fug] uatDuis +firepass[veri]: [rsita] [siutaliq] exercit +September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu +September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \'uam\' to \'temq\' +October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: "eataevit - Connected from 10.50.112.141 mqua" +sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci +November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \'idexea\' to \'riat\' +heartbeat[umdolor]: [osquir] 
info: inim +December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services +December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: "Connected from 10.243.206.225 mol" +January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan +January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records +snmp[gni]: [tquiinea] [mquaera] SNMP handler started +February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb +March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it +sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus +April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm +ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup +April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\' +run-crons[luptatev]: admi returned modocons +May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam +June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 +June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem +firepass[rehe]: [ume] Logged out +July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) +August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc +kernel[olupt]: [modoco] kernel: cdrom: open failed. 
+September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia +September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames +Miscellaneous[iciatisu]: [rehender] Purge logs: auto started +October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 +heartbeat[dolo]: [Loremip] [idolor] info: emeumfu +November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio +EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui" +httpd[rpo]: [uipe] [inesci] scr_monitor: serror +ntpd[apariat]: kernel time sync status tlabore +January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) +snmp[ationemu]: [ice] estiae +February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect +maintenance[etconse]: [tincu] ari +March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp +Miscellaneous[emoe]: [eaq] Purge logs: not started. 
Next purge scheduled time amest is not exceeded +EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae" +/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) +May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\' +May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\' +June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor +June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex +/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) +run-crons: returned gel +August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate +August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started +mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\' +mailer[udantium]: Failed to send \'pre\' to \'xeacom\' +httpd[dictasu]: [lorinre] scr_monitor: olorsita +ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide +October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc +ntpd[aturQui]: frequency initialized utlabor PPM from rau +firepass[nisi]: [dant] shutting down for system reboot +AppTunnel[tinvolu]: < Error - Invalid session id +December 21 23:20:14 quidolor5025.home run-crons: returned rem +run-crons[idolor]: [uisau] [eleum] sintoc returned volupt +heartbeat[uiinea]: info: Utenima +February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese +February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc +kernel: ionofdeF +March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte +AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id +/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) +April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to 
cipitlab on ipsumd6116.local:6980 +heartbeat[exe]: [imadmini] [sauteiru] info: mod +/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) +httpd[eriti]: [litessec] scr_monitor: itas +June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor +July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host +mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' +August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist +August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) +kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm +September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi +October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau +October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo +November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account +heartbeat[iduntu]: [idestlab] info: rnatur +run-crons[essequam]: acommo returned nturma +December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json new file mode 100644 index 00000000000..8ba18eb4858 --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json 
@@ -0,0 +1,2281 @@ +[ + { + "destination.ip": [ + "10.232.59.7" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 0, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.232.59.7" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "tur", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819", + "fileset.name": "firepass", + "host.ip": "10.58.254.89", + "input.type": "log", + "log.offset": 100, + "network.interface.name": "lo4377", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.58.254.89" + ], + "rsa.internal.messageid": "ntpd", + "rsa.network.interface": "lo4377", + "rsa.network.network_port": 4819, + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 216, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.36.11.87" + ], + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "service.type": "f5", + "source.ip": [ + "10.36.11.87" + ], 
+ "source.port": 1803, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "uii" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example", + "fileset.name": "firepass", + "host.name": "eosquir5191.www.example", + "input.type": "log", + "log.offset": 347, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "firepass", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "Service", + "rsa.network.alias_host": [ + "eosquir5191.www.example" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "quipexe" + ] + }, + { + "destination.ip": [ + "10.194.156.105" + ], + "event.code": "NetworkAccess", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 432, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.194.156.105" + ], + "rsa.internal.messageid": "NetworkAccess", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "nibus", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "uidolor" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 544, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "emape", + 
"rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "GarbageCollection", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 640, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "GarbageCollection", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 720, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "roinBCS", + "rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 795, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "equat", + "rsa.internal.messageid": "firepass", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: 
[iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 869, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.38.189.242" + ], + "rsa.db.index": "ommodic", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "service.type": "f5", + "source.ip": [ + "10.38.189.242" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 996, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1061, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1106, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": 
"/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1158, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.175.6.112" + ], + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "service.type": "f5", + "source.ip": [ + "10.175.6.112" + ], + "source.port": 5509, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "sum" + ] + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "maintenance[giatq]: [quid] [fug] uatDuis ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1270, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "maintenance", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[veri]: [rsita] [siutaliq] exercit", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1312, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "exercit", + "rsa.internal.messageid": "firepass", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.230.12.79" + ], + "destination.port": 340, + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: 
Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1355, + "network.protocol": "ggp", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.230.12.79", + "10.18.220.102" + ], + "rsa.db.index": "obeataev", + "rsa.internal.messageid": "kernel", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "service.type": "f5", + "source.ip": [ + "10.18.220.102" + ], + "source.port": 5000, + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1528, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "temq", + "rsa.email.subject": "uam", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1634, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.50.112.141" + ], + "rsa.db.index": "mqua", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": 
"Communication", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "service.type": "f5", + "source.ip": [ + "10.50.112.141" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1758, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.61.78.108" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.61.78.108" + ], + "source.port": 2398, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "err" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1846, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "riat", + "rsa.email.subject": "idexea", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[umdolor]: [osquir] info: inim", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1939, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "inim", + "rsa.internal.messageid": "heartbeat", + 
"service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "GarbageCollection", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1979, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "timeout happened. restarting services", + "rsa.internal.messageid": "GarbageCollection", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2084, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.243.206.225" + ], + "rsa.db.index": "mol", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "service.type": "f5", + "source.ip": [ + "10.243.206.225" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2214, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "ccusan", + "rsa.internal.messageid": "kernel", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + 
"forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2297, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "Miscellaneous", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "taevi" + ] + }, + { + "event.action": "started", + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2430, + "network.protocol": "SNMP", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "SNMP handler started", + "rsa.internal.messageid": "snmp", + "rsa.misc.action": [ + "started" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2483, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.0.3.58" + ], + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "service.type": "f5", + "source.ip": [ + "10.0.3.58" + ], + "source.port": 7224, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "labor" + ] + }, + { + "event.code": "GarbageCollection", + "event.dataset": "f5.firepass", + 
"event.module": "f5", + "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2609, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "GarbageCollection", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2736, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.169.144.147" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.169.144.147" + ], + "source.port": 2399, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "ist" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2830, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "omm", + "rsa.internal.messageid": "kernel", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.196.105.137" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2925, + 
"observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.196.105.137" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "lup", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2988, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "xea", + "rsa.email.subject": "lupt", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons[luptatev]: admi returned modocons", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3072, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "modocons", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.46.158.31" + ], + "destination.port": 3369, + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3116, + 
"network.protocol": "rdp", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.117.146.33", + "10.46.158.31" + ], + "rsa.db.index": "dun", + "rsa.internal.messageid": "kernel", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "service.type": "f5", + "source.ip": [ + "10.117.146.33" + ], + "source.port": 703, + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "security", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", + "event.outcome": "Error", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3291, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.196.136.214" + ], + "rsa.internal.messageid": "security", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Error", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "service.type": "f5", + "source.ip": [ + "10.196.136.214" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem ", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3389, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "Logged", + "rsa.internal.messageid": "maintenance", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "mexercit" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", 
+ "event.module": "f5", + "event.original": "firepass[rehe]: [ume] Logged out", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3482, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "firepass", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_subject": "User", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "ume" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3515, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3608, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "erc", + "rsa.internal.messageid": "snmp", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3676, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "kernel", + "service.type": 
"f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3728, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "uasia", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3814, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "uames", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3904, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "Miscellaneous", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "rehender" + ] + }, + { + "destination.ip": [ + "10.192.18.42" + ], + "event.code": "NetworkAccess", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 19 
04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3965, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.192.18.42" + ], + "rsa.internal.messageid": "NetworkAccess", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "isno", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "equatD" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4109, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "emeumfu", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4159, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.86.63.253" + ], + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "service.type": "f5", + "source.ip": [ + "10.86.63.253" + ], + "source.port": 2133, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "amvolup" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "EndpointSecurity[rumetM]: 
[equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4294, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.26.236.35" + ], + "rsa.db.index": "lumqui", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.26.236.35" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4384, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "httpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "uipe" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpd[apariat]: kernel time sync status tlabore", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4432, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "ntpd", + "rsa.misc.result_code": "tlabore", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4479, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "service.type": "f5", + 
"tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "snmp[ationemu]: [ice] estiae", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4576, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "estiae", + "rsa.internal.messageid": "snmp", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.170.148.40" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4605, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.170.148.40" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "hitect", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "maintenance[etconse]: [tincu] ari ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4713, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "maintenance", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4748, + "observer.product": "FirePass", + "observer.type": "VPN", + 
"observer.vendor": "F5", + "rsa.db.index": "texp", + "rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4827, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "Miscellaneous", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "eaq" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4927, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.164.6.207" + ], + "rsa.db.index": "olestiae", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.164.6.207" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5024, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + 
"event.module": "f5", + "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5080, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "uioffi", + "rsa.email.subject": "sectetur", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5179, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "pariatu", + "rsa.email.subject": "reseos", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5268, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "olor", + 
"rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5359, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "tasuntex", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5439, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons: returned gel", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5504, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "gel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5529, + "observer.product": 
"FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "uptate", + "rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5609, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "Miscellaneous", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "aliquam" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "mailer[itatione]: [isnis] [uptasn] Failed to send \\'reme\\' to \\'acommod\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5702, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "acommod", + "rsa.email.subject": "reme", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "mailer[udantium]: Failed to send \\'pre\\' to \\'xeacom\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5776, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "xeacom", + 
"rsa.email.subject": "pre", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5831, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "httpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "lorinre" + ] + }, + { + "destination.ip": [ + "10.105.76.230" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5879, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.105.76.230" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "aliquide", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5952, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "intocc", + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "ntpd", + 
"event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6046, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "ntpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[nisi]: [dant] shutting down for system reboot", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6104, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "firepass", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "AppTunnel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6159, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "AppTunnel", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "iurer", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6215, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "rem", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "service.type": "f5", + 
"tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6279, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "volupt", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[uiinea]: info: Utenima", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6337, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "Utenima", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.25.52.65" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6370, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.25.52.65" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "ese", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6476, + "observer.product": "FirePass", + "observer.type": "VPN", + 
"observer.vendor": "F5", + "rsa.db.index": "ntocc", + "rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "kernel: ionofdeF", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6557, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "ionofdeF", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6574, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "ntpd", + "rsa.time.duration_str": "epte", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "AppTunnel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6646, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "AppTunnel", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "uatD", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) ", + "fileset.name": 
"firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6719, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 ", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6775, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "Trying", + "rsa.internal.messageid": "maintenance", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "ntmollit" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6898, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "mod", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6946, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "f5.firepass", + "event.module": 
"f5", + "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6998, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "httpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "litessec" + ] + }, + { + "destination.ip": [ + "10.186.101.163" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7041, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.186.101.163" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "utlabor", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", + "fileset.name": "firepass", + "host.name": "eufugi2923.internal.host", + "input.type": "log", + "log.offset": 7164, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "firepass", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "Service", + "rsa.network.alias_host": [ + "eufugi2923.internal.host" + ], + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "tvolupt" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "mailer[untut]: [uamni] 
Failed to send \\'ctet\\' to \\'ati\\'", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7283, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "ati", + "rsa.email.subject": "ctet", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "NetworkAccess", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7341, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "nisist", + "rsa.internal.messageid": "NetworkAccess", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "con", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "ven" + ] + }, + { + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) ", + "fileset.name": "firepass", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7429, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + 
"event.module": "f5", + "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7532, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "runtm", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7583, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "oremi", + "rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7660, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "mquelau", + "rsa.internal.messageid": "heartbeat", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7731, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "idolo", + "rsa.time.event_time": 
"2019-10-18T05:14:14.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "security", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", + "event.outcome": "Failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7835, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "security", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Policy", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": [ + "fugi" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7962, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "rnatur", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons[essequam]: acommo returned nturma", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 8005, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "nturma", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 14 07:24:31 
atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut ",
+ "fileset.name": "firepass",
+ "input.type": "log",
+ "log.offset": 8049,
+ "observer.product": "FirePass",
+ "observer.type": "VPN",
+ "observer.vendor": "F5",
+ "rsa.db.index": "GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut",
+ "rsa.internal.messageid": "kernel",
+ "rsa.time.event_time": "2019-12-14T09:24:31.000Z",
+ "service.type": "f5",
+ "tags": [
+ "f5.firepass",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml
index 969d618f808..0b2eb336295 100644
--- a/x-pack/filebeat/module/fortinet/_meta/config.yml
+++ b/x-pack/filebeat/module/fortinet/_meta/config.yml
@@ -11,3 +11,22 @@
 # The port to listen for syslog traffic. Defaults to 9004.
 #var.syslog_port: 9004
+
+ clientendpoint:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9510
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
index fb967629981..ee6448f4cdd 100644
--- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
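Review bot: The new `clientendpoint` block ships with `enabled: true`, so turning on the fortinet module presumably also brings up this fileset's network input, and the sample's own comments (`udp (default)`, `# var.syslog_host: localhost`, `# var.syslog_port: 9510`) are the only place a reader learns what that input binds to. A short comment above `enabled: true` would make the default exposure explicit for anyone copying this sample, for example `# When enabled with the default udp input, this fileset listens on localhost:9510; change var.syslog_host only if remote senders must reach it.`. As a point of style, the added settings are written `# var.input: udp` with a space after the hash while the existing context line in the same file uses `#var.syslog_port: 9004`; picking one form keeps the sample consistent.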
@@ -61,6 +61,51 @@ events. Defaults to `[fortinet-firewall, forwarded]`.
 :fileset_ex!:
+[float]
+==== `clientendpoint` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9510`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
 [float]
 ==== Fortinet ECS fields
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
new file mode 100644
index 00000000000..2792f46aafd
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Fortinet"
+ product: "FortiClient"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/fortinet/clientendpoint/config/liblogparser.js
+ - ${path.home}/module/fortinet/clientendpoint/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
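Review bot: The `debug: {{.debug}}` param on the script processor is handed straight to liblogparser.js, where at debug level every dissect attempt logs the raw line (`console.debug(" input: <<" + msg + ">>")`), so turning it on copies whole FortiClient messages — including anything the RSA field set files under `password` ("Passwords seen in any session, plain text or encrypted") — into Filebeat's own log file. Nothing in the template warns about this, and the default for `.debug` comes from the module manifest, which is not in this hunk, so an operator reading input.yml cannot tell what they are enabling. I would add a comment directly above that line: `# debug: true makes the parser log every raw message; never enable on hosts whose logs may carry credentials`.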
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname}proto=%{protocol}service=%{network_service}status=deny 
src=%{saddr}dst=%{daddr}src_port=%{sport}dst_port=%{dport}server_app=%{fld12}pid=%{process_id}app_name=%{fld14}traff_direct=%{direction}block_count=%{dclass_counter1}logon_user=%{username}@%{domain}msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{hdate->} %{hhostname}proto=%{hprotocol}service=%{messageid}status=%{haction}src=%{hsaddr}dst=%{hdaddr}src_port=%{hsport}dst_port=%{hdport->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("hdate"), + constant(" "), + field("hhostname"), + constant("proto="), + field("hprotocol"), + constant("service="), + field("messageid"), + constant("status="), + field("haction"), + constant("src="), + field("hsaddr"), + constant("dst="), + field("hdaddr"), + constant("src_port="), + field("hsport"), + constant("dst_port="), + field("hdport"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{hdate->} %{hhostname}(%{messageid->} %{hfld5}times in last %{hfld6}) %{hfld7->} %{hfld8}::%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("hdate"), + constant(" "), + field("hhostname"), + constant("("), + field("messageid"), + constant(" "), + field("hfld5"), + constant("times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{hdate->} %{hhostname->} %{messageid->} %{hfld5}::%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + 
args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("hdate"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, +]); + +var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}enter %{info}", processor_chain([ + dup1, + dup2, +])); + +var msg1 = msg("enter", part1); + +var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}(repeated %{fld5}times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, +])); + +var msg2 = msg("repeated", part2); + +var msg3 = msg("ms-wbt-server", dup9); + +var msg4 = msg("http", dup9); + +var msg5 = msg("https", dup9); + +var msg6 = msg("smtp", dup9); + +var msg7 = msg("pop3", dup9); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), +]); + +var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}proto=%{protocol}service=%{network_service}status=deny src=%{saddr}dst=%{daddr}src_port=%{sport}dst_port=%{dport}server_app=%{fld12}pid=%{process_id}app_name=%{fld14}traff_direct=%{direction}block_count=%{dclass_counter1}logon_user=%{username}@%{domain}msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, +])); diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml new file mode 100644 index 00000000000..1897a785e50 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Fortinet FortiClient Endpoint Security
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml
new file mode 100644
index 00000000000..b070cd9c37e
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml
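Review bot: None of the fields this pipeline enriches — `source.ip` and `destination.ip` for the geoip steps, `user_agent.original` for the user_agent step — appears in the fixture events the PR adds in generated.log-expected.json, where every event carries `log.flags: ["dissect_parsing_error"]` and only the header-derived `event.code`, `rsa.internal.messageid` and `@timestamp`, even though each generated.log line has `src=`, `dst=` and `logon_user=` values. The expected output therefore locks in a parse failure and leaves every processor in this file unexercised by the module tests. A likely cause, to be confirmed in the pipeline.js hunk (which starts outside this view), is that the header STRCAT reassembles the payload as `status=` + haction + `src=` with no separator while MESSAGE#2 expects the literal `status=deny src=`, so the message parser can never match. Regenerate the expected JSON once the sample lines parse, so the geoip and rename steps here are actually covered.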
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["fortinet.clientendpoint", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9510
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
new file mode 100644
index 00000000000..565e8412547
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
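Review bot: The `requires.processors` sequence is written at column 0 (`- name: geoip`) while the `var` sequence is indented under its key (`- name: paths` with leading whitespace); both are plain YAML lists in the same file, so indent them the same way, e.g. `  - name: geoip` followed by `    plugin: ingest-geoip`, to keep the manifest consistent. Separately, `community_id` defaults to true here but no community_id step appears in ingest/pipeline.yml; presumably it is applied from config/input.yml, which is not in this view — a short comment on the var such as `# applied by the community_id processor in config/input.yml` would save the next reader the search, once confirmed.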
@@ -0,0 +1,100 @@ +January 29 2016/01/29 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure +February 12 2016/02/12 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success +February 26 2016/02/26 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown +March 12 2016/03/12 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown +March 26 2016/03/26 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success +April 9 2016/04/09 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown +April 24 2016/04/24 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success +May 8 2016/05/08 ari1508.api.localdomain proto=tcp 
service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown +May 22 2016/05/22 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown +June 5 2016/06/05 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown +June 20 2016/06/20 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure +July 4 2016/07/04 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure +July 18 2016/07/18 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure +August 2 2016/08/02 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success +August 16 2016/08/16 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 
app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success +August 30 2016/08/30 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown +September 13 2016/09/13 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown +September 28 2016/09/28 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown +October 12 2016/10/12 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure +October 26 2016/10/26 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure +November 10 2016/11/10 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure +November 24 2016/11/24 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi 
block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure +December 8 2016/12/08 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown +December 23 2016/12/23 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success +January 6 2017/01/06 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success +January 20 2017/01/20 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown +February 3 2017/02/03 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown +February 18 2017/02/18 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown +March 4 2017/03/04 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home 
msg=failure +March 18 2017/03/18 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure +April 2 2017/04/02 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success +April 16 2017/04/16 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown +April 30 2017/04/30 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success +May 14 2017/05/14 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure +May 29 2017/05/29 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success +June 12 2017/06/12 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success +June 26 2017/06/26 nturma18.internal.example proto=icmp service=https 
status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success +July 11 2017/07/11 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown +July 25 2017/07/25 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown +August 8 2017/08/08 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown +August 22 2017/08/22 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown +September 6 2017/09/06 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown +September 20 2017/09/20 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success +October 4 2017/10/04 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun 
pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure +October 19 2017/10/19 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown +November 2 2017/11/02 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown +November 16 2017/11/16 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown +December 1 2017/12/01 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success +December 15 2017/12/15 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure +December 29 2017/12/29 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure +January 12 2018/01/12 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo 
traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success +January 27 2018/01/27 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown +February 10 2018/02/10 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown +February 24 2018/02/24 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success +March 11 2018/03/11 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success +March 25 2018/03/25 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown +April 8 2018/04/08 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure +April 22 2018/04/22 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 
logon_user=nesciun@saqu6897.mail.lan msg=failure +May 7 2018/05/07 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown +May 21 2018/05/21 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure +June 4 2018/06/04 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure +June 19 2018/06/19 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success +July 3 2018/07/03 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure +July 17 2018/07/17 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success +August 1 2018/08/01 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure +August 15 2018/08/15 
tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown +August 29 2018/08/29 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure +September 12 2018/09/12 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure +September 27 2018/09/27 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure +October 11 2018/10/11 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure +October 25 2018/10/25 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure +November 9 2018/11/09 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success +November 23 2018/11/23 iam7526.mail.test proto=icmp service=smtp status=deny 
src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure +December 7 2018/12/07 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success +December 21 2018/12/21 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure +January 5 2019/01/05 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure +January 19 2019/01/19 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success +February 2 2019/02/02 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown +February 17 2019/02/17 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown +March 3 2019/03/03 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 
dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure +March 17 2019/03/17 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure +April 1 2019/04/01 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success +April 15 2019/04/15 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success +April 29 2019/04/29 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure +May 13 2019/05/13 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown +May 28 2019/05/28 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown +June 11 2019/06/11 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 
logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown +June 25 2019/06/25 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success +July 10 2019/07/10 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown +July 24 2019/07/24 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success +August 7 2019/08/07 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success +August 21 2019/08/21 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure +September 5 2019/09/05 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure +September 19 2019/09/19 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success +October 3 2019/10/03 
ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure +October 18 2019/10/18 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure +November 1 2019/11/01 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure +November 15 2019/11/15 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure +November 30 2019/11/30 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown +December 14 2019/12/14 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json new file mode 100644 index 00000000000..967a60d6404 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json 
@@ -0,0 +1,2302 @@ +[ + { + "@timestamp": "2016-01-29T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 29 2016/01/29 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 0, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-01-29T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 12 2016/02/12 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 285, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2016-02-12T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-26T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 26 2016/02/26 iin6287.mail.domain proto=ggp service=https status=deny 
src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 556, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2016-02-26T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 12 2016/03/12 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 827, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2016-03-12T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 26 2016/03/26 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + 
"dissect_parsing_error" + ], + "log.offset": 1103, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2016-03-26T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 9 2016/04/09 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1365, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-04-09T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 24 2016/04/24 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1631, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2016-04-24T02:00:00.000Z", + "service.type": "fortinet", + 
"tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 8 2016/05/08 ari1508.api.localdomain proto=tcp service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1911, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2016-05-08T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 22 2016/05/22 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2177, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2016-05-22T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 5 2016/06/05 turveli6399.host 
proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2446, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2016-06-05T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 20 2016/06/20 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2704, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-06-20T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 4 2016/07/04 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", 
+ "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2969, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-07-04T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 18 2016/07/18 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3247, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2016-07-18T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 2 2016/08/02 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3514, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-08-02T02:00:00.000Z", + "service.type": "fortinet", + 
"tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 16 2016/08/16 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3775, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-08-16T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 30 2016/08/30 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4047, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2016-08-30T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-13T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 13 
2016/09/13 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4331, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2016-09-13T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 28 2016/09/28 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4616, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2016-09-28T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 12 2016/10/12 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure", + 
"fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4893, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2016-10-12T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 26 2016/10/26 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5157, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2016-10-26T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-10T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 10 2016/11/10 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5432, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + 
"rsa.internal.messageid": "http", + "rsa.time.event_time": "2016-11-10T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 24 2016/11/24 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5718, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2016-11-24T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 8 2016/12/08 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6003, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2016-12-08T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:00:00.000Z", + "event.code": "https", + 
"event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 23 2016/12/23 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6287, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2016-12-23T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 6 2017/01/06 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6571, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2017-01-06T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 20 2017/01/20 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu 
pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6834, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2017-01-20T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 3 2017/02/03 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7108, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2017-02-03T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 18 2017/02/18 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7383, + 
"observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2017-02-18T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 4 2017/03/04 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7664, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2017-03-04T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 18 2017/03/18 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7926, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2017-03-18T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + 
"@timestamp": "2017-04-02T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 2 2017/04/02 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8189, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-04-02T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-16T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 16 2017/04/16 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8460, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2017-04-16T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 30 2017/04/30 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny 
src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8733, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2017-04-30T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-14T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 14 2017/05/14 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9002, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2017-05-14T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 29 2017/05/29 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + 
"log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9282, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-05-29T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 12 2017/06/12 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9557, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-06-12T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 26 2017/06/26 nturma18.internal.example proto=icmp service=https status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9826, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-06-26T02:00:00.000Z", + 
"service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 11 2017/07/11 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10104, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2017-07-11T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-25T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 25 2017/07/25 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10370, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-07-25T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 8 2017/08/08 
veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10646, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2017-08-08T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-22T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 22 2017/08/22 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10914, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2017-08-22T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 6 2017/09/06 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown", + "fileset.name": 
"clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 11183, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2017-09-06T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 20 2017/09/20 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 11456, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-09-20T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 4 2017/10/04 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 11730, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + 
"rsa.time.event_time": "2017-10-04T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 19 2017/10/19 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 12003, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2017-10-19T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 2 2017/11/02 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 12276, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2017-11-02T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + 
"event.module": "fortinet", + "event.original": "November 16 2017/11/16 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 12553, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2017-11-16T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 1 2017/12/01 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 12823, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2017-12-01T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-15T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 15 2017/12/15 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 
logon_user=luptatem@uaeratv3432.invalid msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13090, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2017-12-15T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 29 2017/12/29 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13368, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2017-12-29T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-12T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 12 2018/01/12 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13662, + "observer.product": 
"FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2018-01-12T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 27 2018/01/27 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13950, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-01-27T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 10 2018/02/10 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 14230, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2018-02-10T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + 
"forwarded" + ] + }, + { + "@timestamp": "2018-02-24T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 24 2018/02/24 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 14499, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2018-02-24T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-11T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 11 2018/03/11 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 14780, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-03-11T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 25 2018/03/25 iciad7874.localdomain proto=ipv6-icmp service=pop3 
status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 15058, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2018-03-25T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 8 2018/04/08 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 15342, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-04-08T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 22 2018/04/22 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 logon_user=nesciun@saqu6897.mail.lan msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + 
"dissect_parsing_error" + ], + "log.offset": 15611, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2018-04-22T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 7 2018/05/07 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 15875, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2018-05-07T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 21 2018/05/21 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 16150, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2018-05-21T02:00:00.000Z", + "service.type": "fortinet", + 
"tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 4 2018/06/04 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 16418, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2018-06-04T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 19 2018/06/19 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 16695, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2018-06-19T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 3 
2018/07/03 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 16967, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2018-07-03T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 17 2018/07/17 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 17252, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-07-17T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 1 2018/08/01 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure", + "fileset.name": 
"clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 17511, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2018-08-01T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 15 2018/08/15 tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 17776, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-08-15T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 29 2018/08/29 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 18048, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": 
"2018-08-29T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-12T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 12 2018/09/12 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 18316, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2018-09-12T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 27 2018/09/27 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 18608, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2018-09-27T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": 
"fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 11 2018/10/11 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 18886, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-10-11T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 25 2018/10/25 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 19161, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2018-10-25T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 9 2018/11/09 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq 
traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 19438, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2018-11-09T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 23 2018/11/23 iam7526.mail.test proto=icmp service=smtp status=deny src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 19701, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-11-23T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 7 2018/12/07 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 19976, + "observer.product": "FortiClient", + "observer.type": 
"Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2018-12-07T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-21T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 21 2018/12/21 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 20251, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2018-12-21T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 5 2019/01/05 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 20527, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-01-05T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": 
"2019-01-19T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 19 2019/01/19 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 20817, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-01-19T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 2 2019/02/02 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 21101, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-02-02T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 17 2019/02/17 rumet6923.www5.lan proto=rdp service=https status=deny 
src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 21371, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-02-17T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 3 2019/03/03 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 21643, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-03-03T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 17 2019/03/17 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + 
"log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 21914, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-03-17T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 1 2019/04/01 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 22194, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-04-01T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 15 2019/04/15 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 22467, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": 
"2019-04-15T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 29 2019/04/29 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 22735, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-04-29T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-13T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 13 2019/05/13 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 23010, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-05-13T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + 
"event.original": "May 28 2019/05/28 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 23277, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2019-05-28T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 11 2019/06/11 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 23538, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-06-11T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 25 2019/06/25 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 
logon_user=atatnon@lica2780.www5.home msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 23817, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-06-25T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 10 2019/07/10 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 24098, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2019-07-10T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 24 2019/07/24 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 24374, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": 
"Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2019-07-24T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T02:00:00.000Z", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 7 2019/08/07 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 24636, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "smtp", + "rsa.time.event_time": "2019-08-07T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 21 2019/08/21 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 24912, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2019-08-21T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T02:00:00.000Z", + "event.code": "ms-wbt-server", 
+ "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 5 2019/09/05 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 25185, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-09-05T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 19 2019/09/19 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 25463, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-09-19T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 3 2019/10/03 ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 
app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 25727, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-10-03T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 18 2019/10/18 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 25997, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2019-10-18T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T02:00:00.000Z", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 1 2019/11/01 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 26272, + "observer.product": 
"FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "pop3", + "rsa.time.event_time": "2019-11-01T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T02:00:00.000Z", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 15 2019/11/15 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 26545, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.time.event_time": "2019-11-15T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T02:00:00.000Z", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 30 2019/11/30 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 26829, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "https", + "rsa.time.event_time": "2019-11-30T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + 
"forwarded" + ] + }, + { + "@timestamp": "2019-12-14T02:00:00.000Z", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 14 2019/12/14 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure", + "fileset.name": "clientendpoint", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 27103, + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "rsa.internal.messageid": "http", + "rsa.time.event_time": "2019-12-14T02:00:00.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go index 1c8ac2e4fc3..0d9ccb18d51 100644 --- a/x-pack/filebeat/module/fortinet/fields.go +++ b/x-pack/filebeat/module/fortinet/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFortinet returns asset data. // This is the base64 encoded gzipped contents of module/fortinet. func AssetFortinet() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md new file mode 100644 index 00000000000..25eedf31517 --- /dev/null +++ b/x-pack/filebeat/module/imperva/README.md @@ -0,0 +1,7 @@ +# imperva module + +This is a module for Imperva SecureSphere logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 +at 2020-07-07 18:10:44.77203 +0000 UTC. + 
diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml
new file mode 100644
index 00000000000..2b5660cd4c2
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: imperva
+ securesphere:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9511
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
new file mode 100644
index 00000000000..bb1c301cd4c
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
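Review bot: The config template does not mention `var.keep_raw_fields`, although the docs hunk for this module (x-pack/filebeat/module/imperva/_meta/docs.asciidoc) documents it as a fileset setting that defaults to false, so a user reading only the shipped config gets no hint that the raw parser fields under `rsa.raw` can be enabled. Since the README in this patch states the module is autogenerated, the template generator rather than this file is presumably where the line belongs. I would add, after the `var.rsa_fields` block, `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`.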
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: imperva
+:has-dashboards: false
+
+== Imperva module
+
+experimental[]
+
+This is a module for receiving Imperva SecureSphere logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: securesphere
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `securesphere` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9511`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/imperva/_meta/fields.yml b/x-pack/filebeat/module/imperva/_meta/fields.yml
new file mode 100644
index 00000000000..ff50b302fab
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: imperva
+ title: Imperva SecureSphere
+ description: >
+ imperva fields.
+ fields:
diff --git a/x-pack/filebeat/module/imperva/fields.go b/x-pack/filebeat/module/imperva/fields.go
new file mode 100644
index 00000000000..213702175fd
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package imperva
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "imperva", asset.ModuleFieldsPri, AssetImperva); err != nil {
+ panic(err)
+ }
+}
+
+// AssetImperva returns asset data.
+// This is the base64 encoded gzipped contents of module/imperva.
+func AssetImperva() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
new file mode 100644
index 00000000000..68b88a27df5
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Imperva"
+ product: "Secure"
+ type: "WAF"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/imperva/securesphere/config/liblogparser.js
+ - ${path.home}/module/imperva/securesphere/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
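Review bot: `debug: {{.debug}}` in the script params of this hunk switches on a path in the bundled liblogparser.js that writes every raw message to the Beat log on each dissect attempt (`console.debug(" input: <<" + msg + ">>")`), and the field set this module maps includes keys such as `password`, so a debug setting left on outside troubleshooting copies credentials and PII out of the event pipeline into plain log files. A comment on that line would make the cost visible to whoever edits the config, e.g. `debug: {{.debug}}  # echoes every raw message into the Beat log; leave off outside troubleshooting`. `product: "Secure"` under `observer` reads as a truncation of SecureSphere; if it is the intended device name, a one-line comment saying so would stop the next reader from "fixing" it. The `$i` variable in `{{ range $i, $path := .paths }}` is unused and `{{ range $path := .paths }}` would do.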
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} 
%{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg1 = msg("IMPERVA_ALERT:02", part1); + +var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ + dup1, + dup4, + dup3, +])); + +var msg2 = msg("IMPERVA_ALERT", part2); + +var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg3 = msg("IMPERVA_ALERT:03", part3); + +var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup4, + dup3, +])); + +var msg4 = msg("IMPERVA_ALERT:01", part4); + +var 
part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup2, + dup3, +])); + +var msg5 = msg("IMPERVA_EVENT:01", part5); + +var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup4, + dup3, +])); + +var msg6 = msg("IMPERVA_EVENT", part6); + +var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup3, + dup13, +])); + +var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); + +var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup12, + dup3, + dup13, +])); + +var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); + +var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup16, + dup3, + dup13, +])); + +var msg9 = msg("IMPERVA_DATABASE_ACTIVITY:01", part9); + +var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup16, + dup3, + dup13, +])); + +var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", 
part10); + +var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup12, + dup3, + dup13, +])); + +var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); + +var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup12, + dup3, + dup13, +])); + +var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); + +var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", 
"dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup4, + dup3, + dup13, +])); + +var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); + +var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup4, + dup3, + dup13, +])); + +var msg14 = msg("IMPERVA_DATABASE_ACTIVITY:09", part14); + +var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, +])); + +var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); + +var 
part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, +])); + +var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); + +var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ + setc("eventcategory","1401050200"), + dup20, + dup12, + dup3, + dup13, +])); + +var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); + +var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + setc("eventcategory","1206000000"), + dup4, + dup3, + dup13, +])); + +var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); + +var select2 = 
linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+]);
+
+var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "Imperva": select2,
+ }),
+]);
diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
new file mode 100644
index 00000000000..4a84f2a8bc8
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Imperva SecureSphere
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/imperva/securesphere/manifest.yml b/x-pack/filebeat/module/imperva/securesphere/manifest.yml
new file mode 100644
index 00000000000..011afe2d747
--- /dev/null
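Review bot: The `on_failure` handler closing pipeline.yml only appends the failure text to `error.message`, so an event whose geoip or user_agent step failed is indexed looking like a fully enriched one and nothing in the document marks it for a detection rule or dashboard to filter on. Adding one more step there that writes a fixed marker, e.g. `- append: {field: tags, value: <project-chosen failure tag>}` or a `set` on `event.kind`, keeps failed enrichment queryable instead of silently blended with good events. The `user_agent` processor on `user_agent.original` only does work if some ECS mapping of this fileset writes that field; the `ecs_mappings` table is outside this chunk, so confirm it does, otherwise that processor and the matching `ingest-user_agent` entry under `requires.processors` in manifest.yml are dead weight.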
+++ b/x-pack/filebeat/module/imperva/securesphere/manifest.yml
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["imperva.securesphere", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9511
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
new file mode 100644
index 00000000000..983515ba14f
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
@@ -0,0 +1,100 @@ +%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application="scivel",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action="cancel",rawQuery="sit" +%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message="eacomm" +%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application="taliqu",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action="accept",rawQuery="ehenderi" +%IMPERVA-Imperva,alert#=amqu,event#=uines,createTime=2016-03-12 03:17:42,updateTime=nsec,alertSev=medium,group=estqu,ruleName="inibusBo",evntDesc="tat",category=tion,disposition=eataev,eventType=liquide,proto=icmp,srcPort=4515,srcIP=10.64.70.5,dstPort=4782,dstIP=10.157.161.103,policyName="eritquii",occurrences=3561,httpHost=riat,webMethod=taut,url="https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium",webQuery="iciatisu",soapAction=rehender,resultCode=eporroqu,sessionID=uat,username=tem,addUsername=est,responseTime=iineavo,responseSize=equatD,direction=isno,dbUsername=taliq,queryGroup=intoccae,application="ents",srcHost=pida2286.internal.home,osUsername=emeumfu,schemaName=CSed,dbName=lupt,hdrName=psaquae,action="deny",errormsg="success" +%IMPERVA-Imperva,alert#=datatn,event#=mqu,createTime=2016-03-26 
10:20:16,updateTime=apariat,alertSev=high,group=eFinib,ruleName="ihilm",evntDesc="atDu",category=eav,disposition=ionevo,eventType=remagn,proto=tcp,srcPort=5005,srcIP=10.47.202.102,dstPort=5715,dstIP=10.230.76.224,policyName="licab",occurrences=3339,httpHost=aturve,webMethod=emulla,url="https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu",webQuery="ice",soapAction=estiae,resultCode=sci,sessionID=oei,username=tlabori,addUsername=oin,responseTime=lapari,responseSize=data,direction=dolor,dbUsername=nnum,queryGroup=eritqu,application="uradip",srcHost=wri2784.api.domain,osUsername=hitect,schemaName=dol,dbName=leumiu,hdrName=namali,action=accept +%IMPERVA-Imperva,dstIP=10.10.38.139,dstPort=189,dbUsername=ari,srcIP=10.32.67.231,srcPort=1250,creatTime=9 April 2016 17:22:51,srvGroup=quamnih,service=oluptate,appName=onseq,event#=serunt,eventType=Login,usrGroup=aquaeabi,usrAuth=False,application="lita",osUsername=adeseru,srcHost=emoe6540.www.domain,dbName=itanimi,schemaName=itame,bindVar=intoc,sqlError=success,respSize=2628,respTime=175.601000,affRows=dantiumt,action="block",rawQuery="nula" +%IMPERVA-Imperva,dstIP=10.133.189.215,dstPort=7865,dbUsername=evita,srcIP=10.206.97.204,srcPort=146,creatTime=2016-04-24 00:25:25,srvGroup=magni,service=pisciv,appName=iquidex,event#=radipisc,eventType=tmo,usrGroup=fficiade,usrAuth=uscipit,application="vitaedi",osUsername=fugitse,srcHost=veniamq1608.www.localdomain,dbName=colab,schemaName=ommodico,bindVar=quatD,sqlError=failure,respSize=4842,respTime=67.309000,affRows=tenima,action="block",rawQuery="sperna" +%IMPERVA-Imperva,dstIP=10.145.248.111,dstPort=95,dbUsername=tectobe,srcIP=10.148.106.167,srcPort=4285,creatTime=8 May 2016 
07:27:59,srvGroup=ntocc,service=uteirure,appName=nevo,event#=ide,eventType=Login,usrGroup=aali,usrAuth=False,application="adip",osUsername=tium,srcHost=nnum5428.internal.host,dbName=tco,schemaName=uae,bindVar=officiad,sqlError=success,respSize=3994,respTime=57.835000,affRows=madmi,action="deny",rawQuery="turadip" +%IMPERVA-Imperva,dstIP=10.77.52.83,dstPort=2646,dbUsername=atno,srcIP=10.7.46.36,srcPort=837,creatTime=22 May 2016 14:30:33,srvGroup=nonn,service=inventor,appName=quiavol,event#=rrorsi,eventType=Login,usrGroup=temquiav,usrAuth=False,application="equatu",osUsername=upta,srcHost=dex2490.www.host,dbName=tae,schemaName=ccaec,bindVar=ten,sqlError=success,respSize=1458,respTime=129.251000,affRows=ullamcor,action="accept",rawQuery="emaccusa" +%IMPERVA-Imperva,dstIP=10.221.102.245,dstPort=337,dbUsername=rinre,srcIP=10.43.226.231,srcPort=7222,creatTime=2016-06-05 21:33:08,srvGroup=tut,service=ercita,appName=ciadeser,event#=emquia,eventType=Logout,usrGroup=inesci,usrAuth=True,application="isnisi",osUsername=ritatise,srcHost=uamei2389.internal.example,dbName=uisa,schemaName=eFi,bindVar=mexe,sqlError=failure,respSize=302,respTime=93.746000,affRows=ice,action="block",rawQuery="entorev" +%IMPERVA-Imperva,dstIP=10.239.96.8,dstPort=6223,dbUsername=atevelit,srcIP=10.56.136.27,srcPort=4293,creatTime=20 June 2016 04:35:42,srvGroup=labo,service=oNemoeni,appName=ttenby,event#=boris,eventType=Login,usrGroup=stenatu,usrAuth=False,application="isiuta",osUsername=orsitam,srcHost=siutaliq7201.mail.host,dbName=tsed,schemaName=nts,bindVar=siut,sqlError=unknown,respSize=3714,respTime=20.894000,affRows=piscinge,action="allow",rawQuery="aturve" +%IMPERVA-Imperva,dstIP=10.10.216.74,dstPort=7231,dbUsername=sit,srcIP=10.147.76.202,srcPort=2805,creatTime=4 July 2016 
11:38:16,srvGroup=ersp,service=enderi,appName=mquisno,event#=odoconse,eventType=Login,usrGroup=quamqua,usrAuth=True,application="eacommod",osUsername=ctetura,srcHost=aveni2929.www.localdomain,dbName=uptatema,schemaName=oeni,bindVar=tdol,sqlError=failure,respSize=5313,respTime=87.380000,affRows=nea,action="cancel",rawQuery="oremagna" +%IMPERVA-Imperva,alert#=asiar,event#=ise,createTime=2016-07-18 18:40:50,updateTime=itau,alertSev=low,group=iamquis,ruleName="asiarc",evntDesc="ian",category=dolore,disposition=onsecte,eventType=nBCSedut,proto=icmp,srcPort=23,srcIP=10.123.199.236,dstPort=2300,dstIP=10.177.219.214,policyName="quatu",occurrences=5653,httpHost=lumdolor,webMethod=nonp,url="https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl",webQuery="por",soapAction=quidexea,resultCode=nimid,sessionID=runtmol,username=texpli,addUsername=exeacom,responseTime=roidents,responseSize=tem,direction=dol,dbUsername=proiden,queryGroup=urExcept,application="miurerep",srcHost=aco6894.mail.home,osUsername=emUteni,schemaName=rum,dbName=gnaaliqu,hdrName=teirured,action="cancel",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.110.114.175,dstPort=2639,dbUsername=upt,srcIP=10.20.72.231,srcPort=5300,creatTime=2 August 2016 01:43:25,srvGroup=untutlab,service=amcor,appName=ica,event#=lillum,eventType=Login,usrGroup=remips,usrAuth=True,application="uisaute",osUsername=imide,srcHost=poriss4719.www5.domain,dbName=siu,schemaName=snost,bindVar=tpersp,sqlError=unknown,respSize=5798,respTime=96.768000,affRows=ametcons,action="allow",rawQuery="nof" +%IMPERVA-Imperva,dstIP=10.230.206.60,dstPort=3684,dbUsername=aincidu,srcIP=10.111.90.75,srcPort=5960,creatTime=16 August 2016 08:45:59,srvGroup=licabo,service=enimadmi,appName=utaliqu,event#=dic,eventType=Login,usrGroup=cola,usrAuth=True,application="amcor",osUsername=rcitat,srcHost=ineavol7807.mail.test,dbName=usc,schemaName=rem,bindVar=amvolupt,sqlError=success,respSize=1264,respTime=123.553000,affRows=xea,action="deny",rawQuery="ncidid" 
+%IMPERVA-Imperva,alert#=velite,event#=teturad,createTime=2016-08-30 15:48:33,updateTime=perspici,alertSev=high,group=rer,ruleName="iconseq",evntDesc="porincid",category=atisetqu,disposition=issuscip,eventType=uisa,proto=tcp,srcPort=3449,srcIP=10.186.77.109,dstPort=1513,dstIP=10.154.53.249,policyName="tae",occurrences=5380,httpHost=eriti,webMethod=atcupi,url="https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant",webQuery="onse",soapAction=admin,resultCode=stenatu,sessionID=inibu,username=est,addUsername=uptatemU,responseTime=leumiu,responseSize=tla,direction=item,dbUsername=nimid,queryGroup=dat,application="periam",srcHost=dqu6144.api.localhost,osUsername=dutpers,schemaName=erun,dbName=orisn,hdrName=reetd,action=accept +%IMPERVA-Imperva,dstIP=10.201.164.145,dstPort=2700,dbUsername=sequa,srcIP=10.111.233.194,srcPort=5739,creatTime=13 September 2016 22:51:07,srvGroup=rem,service=idid,appName=tesse,event#=sequat,eventType=Login,usrGroup=giatquov,usrAuth=True,application="tconsec",osUsername=miurerep,srcHost=toccaec7645.www5.home,dbName=psaqua,schemaName=ullamcor,bindVar=itationu,sqlError=unknown,respSize=6595,respTime=106.181000,affRows=tame,action="allow",rawQuery="orroq" +%IMPERVA-Imperva,alert#=orisni,event#=ons,createTime=2016-09-28 05:53:42,updateTime=remagn,alertSev=very-high,group=orem,ruleName="rcit",evntDesc="llamco",category=atu,disposition=untincul,eventType=ssecil,proto=ggp,srcPort=4593,srcIP=10.57.164.187,dstPort=3421,dstIP=10.241.230.235,policyName="utp",occurrences=3317,httpHost=isnost,webMethod=olorem,url="https://example.org/emqu/riss.gif?sitvol=dolore#nsequat",webQuery="olorsi",soapAction=aliq,resultCode=mes,sessionID=mven,username=olorsit,addUsername=tore,responseTime=elits,responseSize=consequa,direction=turadip,dbUsername=tatevel,queryGroup=boreetdo,application="undeom",srcHost=uamnihi4791.www.local,osUsername=scingeli,schemaName=isn,dbName=sBono,hdrName=loremqu,action="accept",errormsg="unknown" 
+%IMPERVA-Imperva,dstIP=10.79.147.101,dstPort=1280,dbUsername=uptat,srcIP=10.105.46.101,srcPort=3346,creatTime=12 October 2016 12:56:16,srvGroup=cons,service=olorese,appName=ori,event#=tconsect,eventType=Login,usrGroup=rum,usrAuth=True,application="eataevi",osUsername=ddoeius,srcHost=ugiatn4084.domain,dbName=hil,schemaName=cingel,bindVar=modocon,sqlError=success,respSize=6068,respTime=61.550000,affRows=lupta,action="deny",rawQuery="urExce" +%IMPERVA-Imperva,alert#=proident,event#=mipsum,createTime=2016-10-26 19:58:50,updateTime=lmo,alertSev=medium,group=doei,ruleName="cipitl",evntDesc="caboNemo",category=dexerc,disposition=strumex,eventType=eprehend,proto=udp,srcPort=6200,srcIP=10.102.166.19,dstPort=4322,dstIP=10.49.71.118,policyName="ationul",occurrences=7731,httpHost=itsedq,webMethod=uto,url="https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela",webQuery="ntexplic",soapAction=uto,resultCode=iuntNequ,sessionID=esseq,username=aincidun,addUsername=quatD,responseTime=isqua,responseSize=uta,direction=emo,dbUsername=itq,queryGroup=derit,application="orese",srcHost=dolor5930.internal.host,osUsername=eritin,schemaName=udan,dbName=yCic,hdrName=nder,action="cancel",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.28.153.102,dstPort=6366,dbUsername=rsita,srcIP=10.50.222.68,srcPort=6657,creatTime=2016-11-10 03:01:24,srvGroup=illu,service=iatqu,appName=lorsi,event#=repreh,eventType=plic,usrGroup=irured,usrAuth=illumqui,application="saq",osUsername=amali,srcHost=ate7311.mail.example,dbName=undeomni,schemaName=tas,bindVar=autfugi,sqlError=unknown,respSize=4527,respTime=82.523000,affRows=eratv,action="allow",rawQuery="iration" +%IMPERVA-Imperva,dstIP=10.199.169.48,dstPort=6443,dbUsername=imadmini,srcIP=10.46.192.198,srcPort=154,creatTime=24 November 2016 
10:03:59,srvGroup=uat,service=lupta,appName=npr,event#=etconsec,eventType=Login,usrGroup=caboNem,usrAuth=True,application="urExcept",osUsername=rumetMal,srcHost=oconse2010.www5.example,dbName=sequam,schemaName=oditempo,bindVar=doeiu,sqlError=failure,respSize=4128,respTime=83.673000,affRows=destlabo,action="cancel",rawQuery="redol" +%IMPERVA-Imperva,alert#=radipis,event#=ctetu,createTime=2016-12-08 17:06:33,updateTime=orinrep,alertSev=low,group=nder,ruleName="stenatus",evntDesc="equep",category=ever,disposition=tali,eventType=BCS,proto=icmp,srcPort=4926,srcIP=10.251.1.35,dstPort=6515,dstIP=10.201.81.46,policyName="sBonor",occurrences=2001,httpHost=plicaboN,webMethod=amc,url="https://example.com/admi/onnu.gif?saute=atatnon#tcupida",webQuery="isa",soapAction=riameaqu,resultCode=ame,sessionID=tesseq,username=niam,addUsername=pernat,responseTime=rerepre,responseSize=nculpaq,direction=culpaqui,dbUsername=tvolup,queryGroup=tdolore,application="ventore",srcHost=red5516.localhost,osUsername=agnaaliq,schemaName=est,dbName=mquisno,hdrName=aev,action="block",errormsg="unknown" +%IMPERVA-Imperva,alert#=uid,event#=equaturv,createTime=2016-12-23 00:09:07,updateTime=lamc,alertSev=very-high,group=maccusa,ruleName="ree",evntDesc="nimad",category=ataevita,disposition=oremqu,eventType=uradi,proto=ipv6-icmp,srcPort=194,srcIP=10.131.82.68,dstPort=3984,dstIP=10.7.81.204,policyName="equatDu",occurrences=1710,httpHost=aconse,webMethod=prehe,url="https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes",webQuery="lmolesti",soapAction=meumfugi,resultCode=tquas,sessionID=aquio,username=ersp,addUsername=iame,responseTime=orroquis,responseSize=aquio,direction=riatu,dbUsername=loinve,queryGroup=tanimid,application="isnostru",srcHost=nofdeFi5182.mail.domain,osUsername=ulap,schemaName=amnisi,dbName=nrepreh,hdrName=abori,action=accept +%IMPERVA-Imperva,dstIP=10.94.132.21,dstPort=2945,dbUsername=odi,srcIP=10.114.193.232,srcPort=3661,creatTime=6 January 2017 
07:11:41,srvGroup=ore,service=isund,appName=exerci,event#=tas,eventType=Login,usrGroup=oraincid,usrAuth=False,application="quaer",osUsername=eetdo,srcHost=tlab2033.lan,dbName=seddoeiu,schemaName=nse,bindVar=aali,sqlError=unknown,respSize=6784,respTime=57.532000,affRows=olorem,action="deny",rawQuery="ugitsedq" +%IMPERVA-Imperva,dstIP=10.44.226.104,dstPort=7020,dbUsername=nse,srcIP=10.9.56.220,srcPort=905,creatTime=2017-01-20 14:14:16,srvGroup=suntincu,service=sse,appName=venia,event#=inBCSe,eventType=Logout,usrGroup=otamrem,usrAuth=True,application="tutlabor",osUsername=reseosq,srcHost=gna4901.internal.localhost,dbName=catcupi,schemaName=autf,bindVar=saqu,sqlError=unknown,respSize=5380,respTime=36.114000,affRows=amquisno,action="accept",rawQuery="tiumdol" +%IMPERVA-Imperva,dstIP=10.48.209.115,dstPort=3450,dbUsername=aconsequ,srcIP=10.33.195.166,srcPort=1629,creatTime=2017-02-03 21:16:50,srvGroup=ursin,service=utemvel,appName=epteur,event#=ommo,eventType=Logout,usrGroup=iame,usrAuth=True,application="laudanti",osUsername=umiurer,srcHost=rere5274.mail.domain,dbName=usmo,schemaName=iamea,bindVar=imaveni,sqlError=failure,respSize=3249,respTime=105.870000,affRows=cor,action="cancel",rawQuery="nihil" +%IMPERVA-Imperva,dstIP=10.85.137.156,dstPort=2763,dbUsername=orumSe,srcIP=10.188.121.11,srcPort=537,creatTime=2017-02-18 04:19:24,srvGroup=dtemp,service=ici,appName=nisiuta,event#=iquaUt,eventType=Logout,usrGroup=mnihilm,usrAuth=True,application="redo",osUsername=etMaloru,srcHost=lmo3262.test,dbName=uamqu,schemaName=olori,bindVar=ido,sqlError=success,respSize=2491,respTime=126.010000,affRows=autfugit,action="accept",rawQuery="dolorsi" +%IMPERVA-Imperva,dstIP=10.238.245.236,dstPort=3575,dbUsername=stquidol,srcIP=10.45.215.202,srcPort=3834,creatTime=2017-03-04 
11:21:59,srvGroup=ide,service=edq,appName=evitae,event#=amvo,eventType=tnul,usrGroup=expl,usrAuth=ess,application="quiad",osUsername=ihilmole,srcHost=saquaea2280.www5.invalid,dbName=quas,schemaName=gia,bindVar=itatio,sqlError=failure,respSize=7822,respTime=157.184000,affRows=eddoei,action="cancel",rawQuery="sseq" +%IMPERVA-Imperva,dstIP=10.213.109.180,dstPort=6536,dbUsername=essequam,srcIP=10.222.85.95,srcPort=1742,creatTime=18 March 2017 18:24:33,srvGroup=upt,service=orum,appName=Bonoru,event#=madminim,eventType=Login,usrGroup=ents,usrAuth=False,application="emacc",osUsername=emp,srcHost=lamcola4879.www5.localdomain,dbName=dant,schemaName=etdolor,bindVar=uat,sqlError=unknown,respSize=2905,respTime=85.649000,affRows=iti,action="accept",rawQuery="amqu" +%IMPERVA-Imperva,dstIP=10.229.165.102,dstPort=2069,dbUsername=lestia,srcIP=10.18.225.139,srcPort=3302,creatTime=2 April 2017 01:27:07,srvGroup=inibusB,service=nostrud,appName=cteturad,event#=ore,eventType=Login,usrGroup=esse,usrAuth=True,application="veniam",osUsername=edquian,srcHost=sus7859.www5.lan,dbName=mquido,schemaName=orum,bindVar=oinBCSed,sqlError=success,respSize=3553,respTime=116.549000,affRows=ilm,action="cancel",rawQuery="fugiatqu" +%IMPERVA-Imperva,dstIP=10.119.4.120,dstPort=3822,dbUsername=veleumi,srcIP=10.63.177.46,srcPort=4799,creatTime=2017-04-16 08:29:41,srvGroup=adipisci,service=mip,appName=itatio,event#=oquisqu,eventType=turadip,usrGroup=dip,usrAuth=idolo,application="Ute",osUsername=ptassita,srcHost=caecatcu919.www5.corp,dbName=olorsi,schemaName=itseddo,bindVar=bore,sqlError=unknown,respSize=5719,respTime=42.541000,affRows=labo,action="accept",rawQuery="mvenia" +%IMPERVA-Imperva,dstIP=10.189.6.107,dstPort=767,dbUsername=exerci,srcIP=10.50.69.209,srcPort=5406,creatTime=2017-04-30 
15:32:16,srvGroup=atcupid,service=onse,appName=psa,event#=ate,eventType=Logout,usrGroup=con,usrAuth=False,application="tqu",osUsername=eirur,srcHost=dese3161.www5.localhost,dbName=lore,schemaName=isci,bindVar=Dui,sqlError=failure,respSize=1684,respTime=75.877000,affRows=lup,action="allow",rawQuery="eos" +%IMPERVA-Imperva,dstIP=10.74.166.70,dstPort=1453,dbUsername=olor,srcIP=10.88.176.226,srcPort=6937,creatTime=2017-05-14 22:34:50,srvGroup=Dui,service=iameaqu,appName=aaliquaU,event#=olu,eventType=Logout,usrGroup=iameaque,usrAuth=True,application="identsun",osUsername=ender,srcHost=inc5923.www.test,dbName=oluptat,schemaName=roinBCSe,bindVar=maperiam,sqlError=success,respSize=723,respTime=156.893000,affRows=nseq,action="accept",rawQuery="uidolo" +%IMPERVA-Imperva,dstIP=10.123.56.46,dstPort=6729,dbUsername=sit,srcIP=10.182.181.162,srcPort=6169,creatTime=2017-05-29 05:37:24,srvGroup=sistena,service=uidexeac,appName=sequa,event#=ntsunti,eventType=Logout,usrGroup=borios,usrAuth=True,application="ani",osUsername=uid,srcHost=idatat6469.api.invalid,dbName=lesti,schemaName=oreseo,bindVar=reprehen,sqlError=failure,respSize=6438,respTime=159.943000,affRows=idolo,action="cancel",rawQuery="tsedquia" +%IMPERVA-Imperva,dstIP=10.169.124.164,dstPort=62,dbUsername=iamqui,srcIP=10.176.83.7,srcPort=5908,creatTime=2017-06-12 12:39:58,srvGroup=inim,service=etdol,appName=Sed,event#=oremeumf,eventType=lesti,usrGroup=sintocca,usrAuth=mipsumqu,application="eprehen",osUsername=hilmole,srcHost=sequ6424.www.invalid,dbName=its,schemaName=dolor,bindVar=lorumwri,sqlError=success,respSize=2894,respTime=68.248000,affRows=lab,action="accept",rawQuery="nimaveni" +%IMPERVA-Imperva,dstIP=10.87.238.169,dstPort=1598,dbUsername=CSedu,srcIP=10.173.125.112,srcPort=7769,creatTime=2017-06-26 
19:42:33,srvGroup=iquip,service=tinculpa,appName=umtota,event#=etdolore,eventType=Logout,usrGroup=magnaa,usrAuth=False,application="sumquiad",osUsername=iusmodt,srcHost=tes1898.www5.test,dbName=eaqueip,schemaName=itaedict,bindVar=olorema,sqlError=failure,respSize=7780,respTime=126.440000,affRows=ptatemse,action="block",rawQuery="quaeratv" +%IMPERVA-Imperva,dstIP=10.245.219.7,dstPort=4792,dbUsername=rsit,srcIP=10.53.133.90,srcPort=940,creatTime=11 July 2017 02:45:07,srvGroup=isiutali,service=quaUten,appName=rmagnido,event#=psaquaea,eventType=Login,usrGroup=rchit,usrAuth=False,application="psumq",osUsername=ptatev,srcHost=atu5950.api.corp,dbName=msequ,schemaName=nvol,bindVar=enimadmi,sqlError=unknown,respSize=6066,respTime=143.250000,affRows=sumdolo,action="block",rawQuery="rors" +%IMPERVA-Imperva,alert#=quaU,event#=ufugi,createTime=2017-07-25 09:47:41,updateTime=cin,alertSev=low,group=byC,ruleName="uae",evntDesc="oremip",category=its,disposition=uptasnul,eventType=aliqui,proto=rdp,srcPort=239,srcIP=10.161.64.168,dstPort=4444,dstIP=10.67.173.228,policyName="uatu",occurrences=2448,httpHost=ntoccaec,webMethod=uamestqu,url="https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp",webQuery="ommo",soapAction=adeser,resultCode=uasiarc,sessionID=doeiu,username=onsectet,addUsername=dentsunt,responseTime=inea,responseSize=animid,direction=upta,dbUsername=ioff,queryGroup=oinBCS,application="itsedd",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action="block",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-08-08 16:50:15,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application="dat",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action="block",rawQuery="iav" 
+%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=22 August 2017 23:52:50,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application="tis",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action="allow",rawQuery="tconse" +%IMPERVA-Imperva,event#=rem,createTime=2017-09-06 06:55:24,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message="nturmag" +%IMPERVA-Imperva,dstIP=10.52.190.18,dstPort=4411,dbUsername=ciati,srcIP=10.198.142.81,srcPort=283,creatTime=20 September 2017 13:57:58,srvGroup=amei,service=doconseq,appName=conseq,event#=emve,eventType=Login,usrGroup=edutpers,usrAuth=False,application="ctobeat",osUsername=upta,srcHost=asper311.www.corp,dbName=inibus,schemaName=secte,bindVar=ctobeat,sqlError=unknown,respSize=1063,respTime=124.881000,affRows=animide,action="cancel",rawQuery="emp" +%IMPERVA-Imperva,alert#=volupta,event#=umfu,createTime=2017-10-04 21:00:32,updateTime=utla,alertSev=low,group=tDuisaut,ruleName="dolo",evntDesc="velites",category=oloremi,disposition=edqui,eventType=strumex,proto=igmp,srcPort=4011,srcIP=10.97.108.108,dstPort=5020,dstIP=10.49.169.175,policyName="nostru",occurrences=4795,httpHost=qui,webMethod=caboN,url="https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor",webQuery="sequa",soapAction=lorum,resultCode=suntexpl,sessionID=iqu,username=iquamqu,addUsername=eumfugia,responseTime=reeufugi,responseSize=sequines,direction=minimve,dbUsername=texplica,queryGroup=entorev,application="quuntur",srcHost=olup3841.mail.invalid,osUsername=idolor,schemaName=onpr,dbName=uira,hdrName=eosqui,action=cancel +%IMPERVA-Imperva,dstIP=10.65.185.178,dstPort=7750,dbUsername=tin,srcIP=10.96.216.244,srcPort=3721,creatTime=2017-10-19 
04:03:07,srvGroup=etconse,service=nesciu,appName=mali,event#=roinBCSe,eventType=Logout,usrGroup=eetdolor,usrAuth=False,application="tpersp",osUsername=assi,srcHost=rch5094.www.host,dbName=atione,schemaName=tvolup,bindVar=oremeu,sqlError=failure,respSize=5602,respTime=76.644000,affRows=dan,action="accept",rawQuery="aeca" +%IMPERVA-Imperva,dstIP=10.223.71.185,dstPort=916,dbUsername=uptateve,srcIP=10.33.181.176,srcPort=2546,creatTime=2017-11-02 11:05:41,srvGroup=ectet,service=ionu,appName=eratv,event#=des,eventType=deFini,usrGroup=alorumwr,usrAuth=liq,application="xerc",osUsername=atisetqu,srcHost=squir7186.internal.example,dbName=vol,schemaName=loremips,bindVar=serro,sqlError=unknown,respSize=3804,respTime=7.607000,affRows=noru,action="allow",rawQuery="henderi" +%IMPERVA-Imperva,dstIP=10.238.252.246,dstPort=6289,dbUsername=iamea,srcIP=10.255.179.32,srcPort=5472,creatTime=16 November 2017 18:08:15,srvGroup=tur,service=eFi,appName=uatDuisa,event#=ulapari,eventType=Login,usrGroup=eporroq,usrAuth=False,application="uunturm",osUsername=iatn,srcHost=saquaeab5916.www5.invalid,dbName=rroq,schemaName=olore,bindVar=eratvolu,sqlError=unknown,respSize=5626,respTime=121.916000,affRows=volup,action="cancel",rawQuery="ntut" +%IMPERVA-Imperva,dstIP=10.98.52.184,dstPort=7402,dbUsername=umq,srcIP=10.28.124.136,srcPort=1327,creatTime=2017-12-01 01:10:49,srvGroup=olu,service=exerci,appName=isnostru,event#=iad,eventType=Logout,usrGroup=ngelits,usrAuth=True,application="volupt",osUsername=billoi,srcHost=reseo4447.localdomain,dbName=pariat,schemaName=icaboNe,bindVar=boreetd,sqlError=failure,respSize=4298,respTime=59.204000,affRows=lorem,action="cancel",rawQuery="totamr" +%IMPERVA-Imperva,dstIP=10.200.162.248,dstPort=1419,dbUsername=lumdol,srcIP=10.92.177.251,srcPort=4990,creatTime=2017-12-15 
08:13:24,srvGroup=liq,service=ihil,appName=oremip,event#=fdeFi,eventType=Logout,usrGroup=periam,usrAuth=False,application="ccusa",osUsername=billo,srcHost=doloremi3365.api.lan,dbName=agn,schemaName=cul,bindVar=tate,sqlError=success,respSize=3914,respTime=111.123000,affRows=iatnulap,action="deny",rawQuery="idents" +%IMPERVA-Imperva,dstIP=10.103.215.159,dstPort=1265,dbUsername=ueporr,srcIP=10.88.60.147,srcPort=4608,creatTime=29 December 2017 15:15:58,srvGroup=rem,service=onorumet,appName=iscivel,event#=rinci,eventType=Login,usrGroup=eacomm,usrAuth=False,application="aboNem",osUsername=mull,srcHost=ent6907.mail.invalid,dbName=datatn,schemaName=seq,bindVar=mquis,sqlError=failure,respSize=392,respTime=80.092000,affRows=sis,action="cancel",rawQuery="tat" +%IMPERVA-Imperva,dstIP=10.93.246.218,dstPort=4628,dbUsername=mtot,srcIP=10.229.190.11,srcPort=2164,creatTime=2018-01-12 22:18:32,srvGroup=eursi,service=liquid,appName=ulapari,event#=ibus,eventType=Logout,usrGroup=isu,usrAuth=False,application="moll",osUsername=roinBCS,srcHost=odit426.internal.corp,dbName=aloru,schemaName=cteturad,bindVar=modi,sqlError=failure,respSize=1929,respTime=38.172000,affRows=ntoccae,action="accept",rawQuery="edut" +%IMPERVA-Imperva,dstIP=10.89.16.162,dstPort=3056,dbUsername=taevitae,srcIP=10.178.183.11,srcPort=4665,creatTime=27 January 2018 05:21:06,srvGroup=saute,service=umdol,appName=rerepr,event#=ipiscin,eventType=Login,usrGroup=trudexe,usrAuth=True,application="qua",osUsername=modit,srcHost=tatione5638.home,dbName=riat,schemaName=atvol,bindVar=emipsum,sqlError=failure,respSize=1449,respTime=82.202000,affRows=quiado,action="cancel",rawQuery="mipsa" +%IMPERVA-Imperva,alert#=tinv,event#=Utenima,createTime=2018-02-10 
12:23:41,updateTime=nse,alertSev=high,group=uradip,ruleName="nesci",evntDesc="meaquei",category=snisiu,disposition=atem,eventType=remque,proto=ggp,srcPort=3525,srcIP=10.244.73.167,dstPort=1961,dstIP=10.67.129.100,policyName="lorem",occurrences=2592,httpHost=eosquir,webMethod=tqu,url="https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat",webQuery="mvol",soapAction=asiar,resultCode=eiu,sessionID=maliquam,username=gnama,addUsername=ursintoc,responseTime=minimve,responseSize=eprehe,direction=lillumqu,dbUsername=tamet,queryGroup=ate,application="epteur",srcHost=onproi4354.www5.invalid,osUsername=sunte,schemaName=exerc,dbName=tasu,hdrName=sci,action="deny",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.20.158.236,dstPort=4443,dbUsername=dantium,srcIP=10.52.221.103,srcPort=3962,creatTime=24 February 2018 19:26:15,srvGroup=magnido,service=mcolab,appName=mfugia,event#=eacomm,eventType=Login,usrGroup=orr,usrAuth=True,application="pre",osUsername=aute,srcHost=rchite7405.api.local,dbName=rors,schemaName=oinve,bindVar=ptasnul,sqlError=unknown,respSize=6386,respTime=108.472000,affRows=tvol,action="deny",rawQuery="redolo" +%IMPERVA-Imperva,dstIP=10.250.231.196,dstPort=5863,dbUsername=olup,srcIP=10.199.46.88,srcPort=6342,creatTime=2018-03-11 02:28:49,srvGroup=snulap,service=onsequat,appName=tiumd,event#=atuse,eventType=Logout,usrGroup=imad,usrAuth=False,application="tura",osUsername=equuntur,srcHost=rve472.www.localhost,dbName=xer,schemaName=utlabore,bindVar=nulapari,sqlError=unknown,respSize=2867,respTime=54.004000,affRows=eruntmol,action="block",rawQuery="imaven" +%IMPERVA-Imperva,dstIP=10.41.44.94,dstPort=702,dbUsername=nim,srcIP=10.49.122.64,srcPort=2285,creatTime=2018-03-25 
09:31:24,srvGroup=rit,service=unturma,appName=iavol,event#=psumdol,eventType=Logout,usrGroup=urautodi,usrAuth=True,application="equamni",osUsername=fugia,srcHost=uptate5787.api.local,dbName=umq,schemaName=suntincu,bindVar=imidest,sqlError=unknown,respSize=1508,respTime=136.809000,affRows=nof,action="block",rawQuery="iavol" +%IMPERVA-Imperva,dstIP=10.101.60.188,dstPort=5558,dbUsername=uptatem,srcIP=10.186.129.34,srcPort=89,creatTime=8 April 2018 16:33:58,srvGroup=roiden,service=eacommod,appName=tali,event#=roinBCSe,eventType=Login,usrGroup=emagnaal,usrAuth=True,application="isauteir",osUsername=eritquii,srcHost=atevelit325.www.local,dbName=ionula,schemaName=itaed,bindVar=invol,sqlError=unknown,respSize=944,respTime=75.182000,affRows=tdolore,action="accept",rawQuery="nimadmi" +%IMPERVA-Imperva,dstIP=10.184.199.84,dstPort=2057,dbUsername=cid,srcIP=10.138.191.99,srcPort=5362,creatTime=22 April 2018 23:36:32,srvGroup=amal,service=gni,appName=luptat,event#=ehend,eventType=Login,usrGroup=involupt,usrAuth=False,application="itempo",osUsername=upt,srcHost=rve426.api.test,dbName=onevo,schemaName=ationem,bindVar=Nem,sqlError=unknown,respSize=3291,respTime=80.991000,affRows=dipisci,action="block",rawQuery="modit" +%IMPERVA-Imperva,alert#=tationem,event#=urere,createTime=2018-05-07 06:39:06,updateTime=tinvo,alertSev=medium,group=tquid,ruleName="giatquo",evntDesc="iatisun",category=cto,disposition=orumSect,eventType=preh,proto=icmp,srcPort=3791,srcIP=10.27.120.57,dstPort=5633,dstIP=10.40.12.51,policyName="ute",occurrences=1576,httpHost=sed,webMethod=uep,url="https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco",webQuery="empor",soapAction=mvele,resultCode=teveli,sessionID=utperspi,username=remeum,addUsername=temseq,responseTime=orin,responseSize=dexea,direction=sedquia,dbUsername=litesse,queryGroup=ntmo,application="aliqu",srcHost=iqu4429.www5.lan,osUsername=doconse,schemaName=volupta,dbName=ptat,hdrName=oreverit,action="cancel",errormsg="success" 
+%IMPERVA-Imperva,alert#=urQuisa,event#=ipi,createTime=2018-05-21 13:41:41,updateTime=xcepte,alertSev=low,group=onula,ruleName="ostru",evntDesc="por",category=stiae,disposition=icta,eventType=epteu,proto=tcp,srcPort=2191,srcIP=10.106.63.42,dstPort=6845,dstIP=10.86.147.37,policyName="tDui",occurrences=2211,httpHost=etco,webMethod=mip,url="https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu",webQuery="rrorsi",soapAction=ole,resultCode=odi,sessionID=tper,username=olor,addUsername=corpo,responseTime=commod,responseSize=iumd,direction=ntore,dbUsername=tect,queryGroup=ion,application="tutl",srcHost=niam7512.www5.localhost,osUsername=aeca,schemaName=ugitse,dbName=ameiu,hdrName=utei,action="allow",errormsg="success" +%IMPERVA-Imperva,dstIP=10.110.240.8,dstPort=6650,dbUsername=tam,srcIP=10.112.132.76,srcPort=1314,creatTime=4 June 2018 20:44:15,srvGroup=Neq,service=rcita,appName=eeufugia,event#=evolupt,eventType=Login,usrGroup=pre,usrAuth=True,application="tiumtot",osUsername=ulamcola,srcHost=epr3512.internal.domain,dbName=enbyCice,schemaName=equun,bindVar=veli,sqlError=unknown,respSize=5784,respTime=115.111000,affRows=iadeseru,action="cancel",rawQuery="olorsita" +%IMPERVA-Imperva,dstIP=10.76.222.159,dstPort=403,dbUsername=natuser,srcIP=10.7.141.213,srcPort=7283,creatTime=2018-06-19 03:46:49,srvGroup=tati,service=orinc,appName=teursi,event#=pariatur,eventType=Logout,usrGroup=iofficia,usrAuth=True,application="ira",osUsername=niamq,srcHost=quatD260.internal.test,dbName=ionulam,schemaName=labor,bindVar=Sec,sqlError=unknown,respSize=5670,respTime=85.913000,affRows=tquov,action="accept",rawQuery="pta" +%IMPERVA-Imperva,dstIP=10.246.196.160,dstPort=894,dbUsername=equ,srcIP=10.170.90.90,srcPort=2541,creatTime=2018-07-03 
10:49:23,srvGroup=eFinib,service=atione,appName=xcepte,event#=gnaa,eventType=Logout,usrGroup=tio,usrAuth=True,application="qui",osUsername=epteurs,srcHost=did6471.internal.localdomain,dbName=tMalo,schemaName=urautod,bindVar=eveli,sqlError=unknown,respSize=4933,respTime=136.206000,affRows=nonproi,action="allow",rawQuery="quaturve" +%IMPERVA-Imperva,event#=officiad,createTime=2018-07-17 17:51:58,eventType=veniam,eventSev=very-high,username=entoreve,subsystem=ion,message="exeaco" +%IMPERVA-Imperva,dstIP=10.209.129.155,dstPort=769,dbUsername=mdolore,srcIP=10.128.118.157,srcPort=4004,creatTime=2018-08-01 00:54:32,srvGroup=odite,service=atn,appName=sectet,event#=boreetd,eventType=Logout,usrGroup=ueporro,usrAuth=True,application="cto",osUsername=essequa,srcHost=gnidolor1901.test,dbName=quian,schemaName=xerci,bindVar=qua,sqlError=success,respSize=2931,respTime=66.399000,affRows=itten,action="block",rawQuery="abo" +%IMPERVA-Imperva,alert#=uradipi,event#=erita,createTime=2018-08-15 07:57:06,updateTime=eursint,alertSev=high,group=illoinve,ruleName="uis",evntDesc="itanimi",category=rinc,disposition=isistena,eventType=nsequatD,proto=rdp,srcPort=1864,srcIP=10.21.69.33,dstPort=2855,dstIP=10.219.218.23,policyName="entore",occurrences=2428,httpHost=magnidol,webMethod=meumfug,url="https://www.example.org/uatu/gel.gif?itsed=mvolu#agn",webQuery="eritinvo",soapAction=aliq,resultCode=dest,sessionID=uisautei,username=labor,addUsername=ihilmol,responseTime=scinge,responseSize=lum,direction=iinea,dbUsername=xercit,queryGroup=reh,application="velitess",srcHost=colab553.api.localdomain,osUsername=orumS,schemaName=tesseq,dbName=exeacomm,hdrName=uptat,action="deny",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.209.39.25,dstPort=3954,dbUsername=tion,srcIP=10.67.163.107,srcPort=1312,creatTime=2018-08-29 
14:59:40,srvGroup=tiumtot,service=ctio,appName=imadm,event#=ugiat,eventType=ius,usrGroup=msequ,usrAuth=ciatisun,application="Ute",osUsername=eddoe,srcHost=seq3852.www5.localdomain,dbName=uasi,schemaName=quaeabi,bindVar=sequ,sqlError=failure,respSize=3469,respTime=69.015000,affRows=essecill,action="block",rawQuery="uovolup" +%IMPERVA-Imperva,dstIP=10.61.247.113,dstPort=599,dbUsername=tur,srcIP=10.120.66.172,srcPort=984,creatTime=2018-09-12 22:02:15,srvGroup=aven,service=Sedut,appName=stiaec,event#=rveli,eventType=Logout,usrGroup=serr,usrAuth=True,application="umdolo",osUsername=iduntut,srcHost=admini511.www5.local,dbName=cididun,schemaName=iamqu,bindVar=ommodoc,sqlError=unknown,respSize=2218,respTime=179.909000,affRows=uisaut,action="cancel",rawQuery="onse" +%IMPERVA-Imperva,alert#=orinrepr,event#=tinvo,createTime=2018-09-27 05:04:49,updateTime=oru,alertSev=medium,group=stena,ruleName="tquid",evntDesc="liquaUt",category=tdolorem,disposition=umdolo,eventType=oluptass,proto=udp,srcPort=5328,srcIP=10.31.56.237,dstPort=6326,dstIP=10.206.65.159,policyName="fdeFini",occurrences=1295,httpHost=eetdolo,webMethod=issuscip,url="https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati",webQuery="lapa",soapAction=enia,resultCode=atis,sessionID=edol,username=cit,addUsername=adip,responseTime=ugiatq,responseSize=mnisiuta,direction=nrepre,dbUsername=eumfu,queryGroup=remap,application="ecatcup",srcHost=olup2082.localhost,osUsername=atem,schemaName=amcorpor,dbName=oloremeu,hdrName=mquisn,action=deny +%IMPERVA-Imperva,event#=eruntm,createTime=2018-10-11 12:07:23,eventType=iades,eventSev=high,username=inculpa,subsystem=vita,message="onorum" +%IMPERVA-Imperva,dstIP=10.108.76.145,dstPort=4698,dbUsername=trumexer,srcIP=10.147.56.184,srcPort=672,creatTime=25 October 2018 
19:09:57,srvGroup=emoenim,service=oqui,appName=olab,event#=remagnam,eventType=Login,usrGroup=neavolu,usrAuth=False,application="adipi",osUsername=idid,srcHost=ela5007.www.lan,dbName=lore,schemaName=uisautem,bindVar=olorsi,sqlError=unknown,respSize=1294,respTime=149.161000,affRows=iamq,action="allow",rawQuery="tiumt" +%IMPERVA-Imperva,alert#=expl,event#=animi,createTime=2018-11-09 02:12:32,updateTime=mdoloree,alertSev=medium,group=Loremips,ruleName="taliqui",evntDesc="doloremi",category=uisno,disposition=atevel,eventType=oloremeu,proto=rdp,srcPort=4601,srcIP=10.28.248.90,dstPort=5693,dstIP=10.193.58.50,policyName="sedquian",occurrences=4385,httpHost=secillum,webMethod=sequatD,url="https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti",webQuery="ipsum",soapAction=com,resultCode=uptate,sessionID=tevelite,username=cto,addUsername=borisn,responseTime=assitasp,responseSize=nima,direction=abore,dbUsername=tur,queryGroup=tlaboru,application="erun",srcHost=mquid2987.host,osUsername=totamrem,schemaName=eaqu,dbName=itani,hdrName=mni,action=cancel +%IMPERVA-Imperva,dstIP=10.84.3.244,dstPort=3154,dbUsername=olest,srcIP=10.211.242.138,srcPort=6661,creatTime=23 November 2018 09:15:06,srvGroup=ola,service=tla,appName=nimve,event#=edutpe,eventType=Login,usrGroup=tenb,usrAuth=True,application="billoinv",osUsername=asia,srcHost=rsitam4260.api.home,dbName=iumto,schemaName=ciun,bindVar=prehe,sqlError=unknown,respSize=545,respTime=157.352000,affRows=nemul,action="block",rawQuery="nsequa" +%IMPERVA-Imperva,event#=evolu,createTime=2018-12-07 16:17:40,eventType=quidolo,eventSev=medium,username=destlabo,subsystem=fficia,message="utaliqui" +%IMPERVA-Imperva,dstIP=10.121.189.113,dstPort=5635,dbUsername=lapa,srcIP=10.13.86.14,srcPort=798,creatTime=21 December 2018 
23:20:14,srvGroup=isiutali,service=upidatat,appName=non,event#=Sed,eventType=Login,usrGroup=commod,usrAuth=True,application="equ",osUsername=turvelil,srcHost=lor5252.host,dbName=unt,schemaName=volu,bindVar=iineavo,sqlError=failure,respSize=7284,respTime=172.281000,affRows=tenbyC,action="accept",rawQuery="itquii" +%IMPERVA-Imperva,dstIP=10.32.220.188,dstPort=2394,dbUsername=ectob,srcIP=10.50.195.220,srcPort=1255,creatTime=2019-01-05 06:22:49,srvGroup=orro,service=quepo,appName=tDuisa,event#=iscive,eventType=Logout,usrGroup=prehende,usrAuth=True,application="volup",osUsername=nimi,srcHost=niamqu3513.api.example,dbName=seddoeiu,schemaName=lorinrep,bindVar=isq,sqlError=failure,respSize=2636,respTime=44.636000,affRows=ione,action="accept",rawQuery="abor" +%IMPERVA-Imperva,dstIP=10.189.155.253,dstPort=984,dbUsername=iutaliqu,srcIP=10.29.74.57,srcPort=4226,creatTime=19 January 2019 13:25:23,srvGroup=tam,service=uovo,appName=scivelit,event#=enimadm,eventType=Login,usrGroup=empo,usrAuth=False,application="apa",osUsername=colab,srcHost=sistenat115.mail.local,dbName=Sedutper,schemaName=exe,bindVar=writt,sqlError=unknown,respSize=3432,respTime=35.197000,affRows=amqua,action="allow",rawQuery="taliquip" +%IMPERVA-Imperva,dstIP=10.107.41.59,dstPort=926,dbUsername=oreseo,srcIP=10.149.2.62,srcPort=7493,creatTime=2019-02-02 20:27:57,srvGroup=maven,service=tectob,appName=sequamn,event#=uiaco,eventType=acom,usrGroup=modi,usrAuth=atisun,application="ntu",osUsername=utal,srcHost=ptatev4160.internal.home,dbName=tionemu,schemaName=edictasu,bindVar=quipexea,sqlError=unknown,respSize=3008,respTime=47.865000,affRows=mnis,action="block",rawQuery="aborumSe" +%IMPERVA-Imperva,alert#=laborio,event#=aaliqu,createTime=2019-02-17 
03:30:32,updateTime=tevelit,alertSev=low,group=mid,ruleName="henderi",evntDesc="consec",category=dquia,disposition=cep,eventType=erit,proto=udp,srcPort=3382,srcIP=10.11.237.65,dstPort=4062,dstIP=10.20.211.186,policyName="tionem",occurrences=3743,httpHost=olu,webMethod=cae,url="https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi",webQuery="siarch",soapAction=oloremi,resultCode=ididu,sessionID=uov,username=ncidid,addUsername=audantiu,responseTime=lmolest,responseSize=miurerep,direction=orsitame,dbUsername=Sed,queryGroup=isau,application="temvele",srcHost=ntutl6493.mail.home,osUsername=ptassit,schemaName=olo,dbName=ataevit,hdrName=ficiad,action=accept +%IMPERVA-Imperva,dstIP=10.190.18.213,dstPort=2201,dbUsername=rror,srcIP=10.177.60.55,srcPort=7799,creatTime=3 March 2019 10:33:06,srvGroup=tut,service=umdol,appName=nseq,event#=autodita,eventType=Login,usrGroup=loreme,usrAuth=True,application="eratv",osUsername=tametcon,srcHost=orsi1332.www5.corp,dbName=dolorsi,schemaName=etdolore,bindVar=taevita,sqlError=unknown,respSize=7327,respTime=93.075000,affRows=luptatem,action="block",rawQuery="cons" +%IMPERVA-Imperva,dstIP=10.173.169.212,dstPort=292,dbUsername=oinB,srcIP=10.131.253.222,srcPort=1239,creatTime=17 March 2019 17:35:40,srvGroup=enatuser,service=uia,appName=sistena,event#=reetdolo,eventType=Login,usrGroup=psam,usrAuth=False,application="litseddo",osUsername=orumet,srcHost=aliqu5109.www.test,dbName=sun,schemaName=utod,bindVar=queips,sqlError=unknown,respSize=6659,respTime=138.450000,affRows=riatu,action="cancel",rawQuery="serrors" +%IMPERVA-Imperva,dstIP=10.33.131.63,dstPort=1437,dbUsername=imven,srcIP=10.5.54.131,srcPort=1411,creatTime=2019-04-01 
00:38:14,srvGroup=sectetu,service=quiratio,appName=aincidu,event#=eseo,eventType=lum,usrGroup=CSe,usrAuth=umqu,application="aeratvol",osUsername=psamvolu,srcHost=urQui381.mail.example,dbName=ionev,schemaName=liq,bindVar=utlab,sqlError=failure,respSize=587,respTime=125.240000,affRows=tassi,action="cancel",rawQuery="orinre" +%IMPERVA-Imperva,dstIP=10.164.123.69,dstPort=2543,dbUsername=litesse,srcIP=10.161.51.238,srcPort=1809,creatTime=2019-04-15 07:40:49,srvGroup=odt,service=riatur,appName=oremeumf,event#=volupt,eventType=Logout,usrGroup=dicon,usrAuth=False,application="psumquia",osUsername=xercitat,srcHost=giatq1967.api.test,dbName=citat,schemaName=xeacomm,bindVar=itvolup,sqlError=success,respSize=5031,respTime=124.913000,affRows=reetd,action="cancel",rawQuery="ngelit" +%IMPERVA-Imperva,dstIP=10.112.73.97,dstPort=6125,dbUsername=quinesc,srcIP=10.227.144.202,srcPort=3803,creatTime=2019-04-29 14:43:23,srvGroup=doeiusmo,service=tev,appName=elaudant,event#=ratvolu,eventType=odte,usrGroup=enderitq,usrAuth=nnumquam,application="abori",osUsername=uelauda,srcHost=urQuis7078.www5.domain,dbName=rumS,schemaName=uelau,bindVar=quidolor,sqlError=failure,respSize=2469,respTime=53.441000,affRows=quinesci,action="accept",rawQuery="lpaqui" +%IMPERVA-Imperva,event#=utlabo,createTime=2019-05-13 21:45:57,eventType=scip,eventSev=low,username=voluptas,subsystem=inv,message="upta" +%IMPERVA-Imperva,dstIP=10.185.248.253,dstPort=3804,dbUsername=nisi,srcIP=10.76.165.58,srcPort=1381,creatTime=28 May 2019 04:48:31,srvGroup=dipis,service=nderitin,appName=ernatu,event#=usant,eventType=Login,usrGroup=uidolore,usrAuth=False,application="litse",osUsername=ugitse,srcHost=utfugi6811.mail.host,dbName=psum,schemaName=amqua,bindVar=mavenia,sqlError=failure,respSize=4963,respTime=99.486000,affRows=ssuscipi,action="block",rawQuery="eturadi" +%IMPERVA-Imperva,alert#=evelit,event#=oluptat,createTime=2019-06-11 
11:51:06,updateTime=ditem,alertSev=low,group=pisciv,ruleName="equamnih",evntDesc="rationev",category=etco,disposition=usanti,eventType=itessec,proto=ipv6,srcPort=2772,srcIP=10.163.27.208,dstPort=5686,dstIP=10.177.36.122,policyName="reseo",occurrences=4087,httpHost=iutaliq,webMethod=oriosamn,url="https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt",webQuery="orporiss",soapAction=iamq,resultCode=edolo,sessionID=oditempo,username=eFini,addUsername=ritin,responseTime=iosam,responseSize=olup,direction=eav,dbUsername=archi,queryGroup=nes,application="atvolupt",srcHost=umwritt2172.www.localhost,osUsername=ept,schemaName=avolu,dbName=aaliq,hdrName=olupta,action=accept +%IMPERVA-Imperva,dstIP=10.35.215.152,dstPort=7489,dbUsername=ium,srcIP=10.143.175.148,srcPort=796,creatTime=25 June 2019 18:53:40,srvGroup=tame,service=olo,appName=vel,event#=equamn,eventType=Login,usrGroup=tempora,usrAuth=True,application="enimip",osUsername=itaspern,srcHost=lupta602.mail.localdomain,dbName=uisno,schemaName=etdo,bindVar=edictas,sqlError=failure,respSize=6141,respTime=167.299000,affRows=urerepr,action="block",rawQuery="Maloru" +%IMPERVA-Imperva,dstIP=10.254.252.105,dstPort=146,dbUsername=asp,srcIP=10.25.246.131,srcPort=212,creatTime=2019-07-10 01:56:14,srvGroup=unde,service=raut,appName=suscip,event#=ectetu,eventType=Logout,usrGroup=rem,usrAuth=False,application="ariat",osUsername=ptatemU,srcHost=eriam2051.api.host,dbName=upid,schemaName=ataev,bindVar=nsecte,sqlError=unknown,respSize=2949,respTime=96.394000,affRows=tutla,action="allow",rawQuery="hitect" +%IMPERVA-Imperva,dstIP=10.248.16.82,dstPort=6834,dbUsername=loinv,srcIP=10.44.179.66,srcPort=357,creatTime=24 July 2019 
08:58:48,srvGroup=xercit,service=avolup,appName=etdo,event#=tuserror,eventType=Login,usrGroup=nisiutal,usrAuth=False,application="pisciv",osUsername=proiden,srcHost=cita2058.test,dbName=nul,schemaName=xercita,bindVar=tametco,sqlError=success,respSize=2353,respTime=43.922000,affRows=ididunt,action="accept",rawQuery="eum" +%IMPERVA-Imperva,alert#=tlabo,event#=iameaque,createTime=2019-08-07 16:01:23,updateTime=sautemve,alertSev=high,group=emoe,ruleName="ameiusmo",evntDesc="ntiumtot",category=aeab,disposition=idolo,eventType=temac,proto=ipv6,srcPort=622,srcIP=10.55.166.205,dstPort=4048,dstIP=10.88.53.149,policyName="iut",occurrences=6219,httpHost=tess,webMethod=ionulamc,url="https://www.example.net/umSecti/emaccu.html?atu=ddo#veli",webQuery="ata",soapAction=untmoll,resultCode=ididun,sessionID=olo,username=tqui,addUsername=oru,responseTime=ehender,responseSize=abo,direction=onsec,dbUsername=econse,queryGroup=iac,application="cingel",srcHost=siarchit2807.invalid,osUsername=strumex,schemaName=reseosqu,dbName=atus,hdrName=fugiatq,action="allow",errormsg="success" +%IMPERVA-Imperva,alert#=dquiaco,event#=rumw,createTime=2019-08-21 23:03:57,updateTime=ula,alertSev=high,group=uidolore,ruleName="quam",evntDesc="rsitvo",category=esciuntN,disposition=ritatis,eventType=ionevo,proto=rdp,srcPort=7851,srcIP=10.116.180.96,dstPort=1799,dstIP=10.199.117.125,policyName="dolor",occurrences=6700,httpHost=equinesc,webMethod=ectet,url="https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu",webQuery="nrep",soapAction=lauda,resultCode=ionevo,sessionID=busB,username=pidatatn,addUsername=ipsamvol,responseTime=tconse,responseSize=ima,direction=nimaveni,dbUsername=cepteurs,queryGroup=siutaliq,application="aliqu",srcHost=serro1855.internal.invalid,osUsername=iof,schemaName=ciun,dbName=ssitaspe,hdrName=deomnis,action=cancel +%IMPERVA-Imperva,dstIP=10.64.76.110,dstPort=2200,dbUsername=ptate,srcIP=10.250.226.105,srcPort=4867,creatTime=5 September 2019 
06:06:31,srvGroup=atur,service=aquaeabi,appName=olupt,event#=dolor,eventType=Login,usrGroup=fficiade,usrAuth=False,application="rsi",osUsername=imidest,srcHost=ulamc2151.www5.corp,dbName=dip,schemaName=ommod,bindVar=sisten,sqlError=failure,respSize=6041,respTime=43.322000,affRows=nihi,action="cancel",rawQuery="orumetMa" +%IMPERVA-Imperva,alert#=teturad,event#=nesciu,createTime=2019-09-19 13:09:05,updateTime=ueip,alertSev=low,group=orumSe,ruleName="mSe",evntDesc="itame",category=quaturv,disposition=lumdolor,eventType=persp,proto=ggp,srcPort=7684,srcIP=10.29.141.252,dstPort=2077,dstIP=10.164.52.43,policyName="orum",occurrences=249,httpHost=itvolup,webMethod=atemq,url="https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq",webQuery="aturve",soapAction=tquasiar,resultCode=eetd,sessionID=orem,username=seq,addUsername=cus,responseTime=tnulap,responseSize=amquisno,direction=epreh,dbUsername=uepo,queryGroup=llumqui,application="sedqu",srcHost=ipitlabo5092.local,osUsername=Nemoe,schemaName=reverit,dbName=neavolup,hdrName=uaturve,action="block",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application="ameiusm",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action="deny",rawQuery="natus" +%IMPERVA-Imperva,dstIP=10.66.163.3,dstPort=1085,dbUsername=aeconseq,srcIP=10.9.126.156,srcPort=628,creatTime=2019-10-18 03:14:14,srvGroup=mqu,service=inima,appName=emipsum,event#=venia,eventType=Logout,usrGroup=Loremi,usrAuth=True,application="uisnostr",osUsername=accusa,srcHost=utod6468.mail.test,dbName=dipi,schemaName=asnulapa,bindVar=atev,sqlError=success,respSize=7469,respTime=147.141000,affRows=ipiscin,action="accept",rawQuery="tionu" 
+%IMPERVA-Imperva,event#=uidexea,createTime=2019-11-01 10:16:48,eventType=odtem,eventSev=high,username=mipsa,subsystem=teturad,message="nimide" +%IMPERVA-Imperva,alert#=writ,event#=ema,createTime=2019-11-15 17:19:22,updateTime=ioffici,alertSev=medium,group=uunt,ruleName="pic",evntDesc="unt",category=emUt,disposition=eiru,eventType=sauteir,proto=tcp,srcPort=3341,srcIP=10.220.106.170,dstPort=7276,dstIP=10.217.176.124,policyName="elillum",occurrences=1318,httpHost=reetdo,webMethod=pidatatn,url="https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre",webQuery="upta",soapAction=mvolupt,resultCode=mseq,sessionID=consequ,username=min,addUsername=riame,responseTime=gnaal,responseSize=nti,direction=tetura,dbUsername=utlab,queryGroup=colabo,application="ditem",srcHost=did2502.mail.example,osUsername=itsedq,schemaName=uisaute,dbName=iaturEx,hdrName=apa,action=cancel +%IMPERVA-Imperva,dstIP=10.9.248.95,dstPort=2294,dbUsername=iatquovo,srcIP=10.120.18.135,srcPort=6260,creatTime=2019-11-30 00:21:57,srvGroup=itametc,service=oremip,appName=isundeo,event#=eli,eventType=Logout,usrGroup=ore,usrAuth=False,application="ips",osUsername=ratvolup,srcHost=iamqu4015.www5.lan,dbName=tsunti,schemaName=ero,bindVar=iusmodi,sqlError=unknown,respSize=6969,respTime=36.585000,affRows=oreetd,action="deny",rawQuery="Loremips" +%IMPERVA-Imperva,dstIP=10.249.76.99,dstPort=7480,dbUsername=xercita,srcIP=10.109.203.111,srcPort=6875,creatTime=14 December 2019 07:24:31,srvGroup=atemquia,service=rumwritt,appName=tio,event#=aconseq,eventType=Login,usrGroup=erit,usrAuth=False,application="quaeab",osUsername=uis,srcHost=eirured1366.mail.domain,dbName=ntexp,schemaName=atio,bindVar=roquisqu,sqlError=success,respSize=3516,respTime=151.020000,affRows=molestia,action="block",rawQuery="boreetdo" 
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json new file mode 100644 index 00000000000..b7c73a47650 --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json 
@@ -0,0 +1,5693 @@ +[ + { + "destination.ip": [ + "10.70.155.35" + ], + "destination.port": 892, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "radipis5408.mail.local", + "input.type": "log", + "log.offset": 0, + "network.application": "scivel", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.70.155.35", + "10.81.122.126" + ], + "rsa.counters.dclass_c1": 5910, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enatuse", + "rsa.db.index": "sit", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "ommod", + "rsa.misc.group_object": "uam", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 10.347, + "rsa.time.starttime": "2016-01-29T08:09:59.000Z", + "service.type": "imperva", + "source.address": "radipis5408.mail.local", + "source.ip": [ + "10.81.122.126" + ], + "source.port": 4141, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "aqui", + "tatno", + "magn" + ] + }, + { + "event.category": "erep", + "event.code": "Imperva", + 
"event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message=\"eacomm\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 439, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "eacomm", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "erep", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-02-12T15:12:33.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "temq" + ] + }, + { + "destination.ip": [ + "10.58.116.231" + ], + "destination.port": 996, + "event.action": "accept", + "event.category": "rumet", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application=\"taliqu\",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action=\"accept\",rawQuery=\"ehenderi\"", + "fileset.name": "securesphere", + "host.hostname": "ccusan7572.api.home", + "input.type": "log", + "log.offset": 580, + "network.application": "taliqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.159.182.171", + "10.58.116.231" + ], + "rsa.counters.dclass_c1": 3626, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "aveniam", + "rsa.db.index": "ehenderi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": 
"rumet", + "rsa.misc.group": "oll", + "rsa.misc.group_object": "apariat", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 79.328, + "rsa.time.starttime": "2016-02-26T22:15:08.000Z", + "service.type": "imperva", + "source.address": "ccusan7572.api.home", + "source.ip": [ + "10.159.182.171" + ], + "source.port": 3947, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "uradi", + "qua", + "temUten" + ] + }, + { + "destination.ip": [ + "10.157.161.103" + ], + "destination.port": 4782, + "event.action": "deny", + "event.category": "liquide", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=amqu,event#=uines,createTime=2016-03-12 03:17:42,updateTime=nsec,alertSev=medium,group=estqu,ruleName=\"inibusBo\",evntDesc=\"tat\",category=tion,disposition=eataev,eventType=liquide,proto=icmp,srcPort=4515,srcIP=10.64.70.5,dstPort=4782,dstIP=10.157.161.103,policyName=\"eritquii\",occurrences=3561,httpHost=riat,webMethod=taut,url=\"https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium\",webQuery=\"iciatisu\",soapAction=rehender,resultCode=eporroqu,sessionID=uat,username=tem,addUsername=est,responseTime=iineavo,responseSize=equatD,direction=isno,dbUsername=taliq,queryGroup=intoccae,application=\"ents\",srcHost=pida2286.internal.home,osUsername=emeumfu,schemaName=CSed,dbName=lupt,hdrName=psaquae,action=\"deny\",errormsg=\"success\"", + "fileset.name": "securesphere", + "host.hostname": "pida2286.internal.home", + "input.type": "log", + "log.level": "medium", + "log.offset": 1023, + "network.application": "ents", + "network.direction": "isno", + "network.protocol": "icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.64.70.5", + "10.157.161.103" + ], + "rsa.counters.event_counter": 3561, + "rsa.db.database": "lupt", + "rsa.internal.event_desc": "tat", + "rsa.internal.messageid": 
"Imperva", + "rsa.misc.action": [ + "deny", + "taut" + ], + "rsa.misc.category": "tion", + "rsa.misc.disposition": "eataev", + "rsa.misc.event_type": "liquide", + "rsa.misc.group": "estqu", + "rsa.misc.log_session_id": "uat", + "rsa.misc.operation_id": "amqu", + "rsa.misc.policy_name": "eritquii", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eporroqu", + "rsa.misc.rule_name": "inibusBo", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2016-03-12T05:17:42.000Z", + "rsa.web.alias_host": "riat", + "rule.name": "inibusBo", + "service.type": "imperva", + "source.address": "pida2286.internal.home", + "source.ip": [ + "10.64.70.5" + ], + "source.port": 4515, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium", + "url.query": "iciatisu", + "user.name": [ + "CSed", + "tem", + "emeumfu" + ] + }, + { + "destination.ip": [ + "10.230.76.224" + ], + "destination.port": 5715, + "event.action": "accept", + "event.category": "remagn", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=datatn,event#=mqu,createTime=2016-03-26 10:20:16,updateTime=apariat,alertSev=high,group=eFinib,ruleName=\"ihilm\",evntDesc=\"atDu\",category=eav,disposition=ionevo,eventType=remagn,proto=tcp,srcPort=5005,srcIP=10.47.202.102,dstPort=5715,dstIP=10.230.76.224,policyName=\"licab\",occurrences=3339,httpHost=aturve,webMethod=emulla,url=\"https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu\",webQuery=\"ice\",soapAction=estiae,resultCode=sci,sessionID=oei,username=tlabori,addUsername=oin,responseTime=lapari,responseSize=data,direction=dolor,dbUsername=nnum,queryGroup=eritqu,application=\"uradip\",srcHost=wri2784.api.domain,osUsername=hitect,schemaName=dol,dbName=leumiu,hdrName=namali,action=accept", + "fileset.name": "securesphere", + "host.hostname": "wri2784.api.domain", + "input.type": 
"log", + "log.level": "high", + "log.offset": 1782, + "network.application": "uradip", + "network.direction": "dolor", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.230.76.224", + "10.47.202.102" + ], + "rsa.counters.event_counter": 3339, + "rsa.db.database": "leumiu", + "rsa.internal.event_desc": "atDu", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "emulla", + "accept" + ], + "rsa.misc.category": "eav", + "rsa.misc.disposition": "ionevo", + "rsa.misc.event_type": "remagn", + "rsa.misc.group": "eFinib", + "rsa.misc.log_session_id": "oei", + "rsa.misc.operation_id": "datatn", + "rsa.misc.policy_name": "licab", + "rsa.misc.result_code": "sci", + "rsa.misc.rule_name": "ihilm", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2016-03-26T12:20:16.000Z", + "rsa.web.alias_host": "aturve", + "rule.name": "ihilm", + "service.type": "imperva", + "source.address": "wri2784.api.domain", + "source.ip": [ + "10.47.202.102" + ], + "source.port": 5005, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu", + "url.query": "ice", + "user.name": [ + "tlabori", + "hitect", + "dol" + ] + }, + { + "destination.ip": [ + "10.10.38.139" + ], + "destination.port": 189, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.10.38.139,dstPort=189,dbUsername=ari,srcIP=10.32.67.231,srcPort=1250,creatTime=9 April 2016 
17:22:51,srvGroup=quamnih,service=oluptate,appName=onseq,event#=serunt,eventType=Login,usrGroup=aquaeabi,usrAuth=False,application=\"lita\",osUsername=adeseru,srcHost=emoe6540.www.domain,dbName=itanimi,schemaName=itame,bindVar=intoc,sqlError=success,respSize=2628,respTime=175.601000,affRows=dantiumt,action=\"block\",rawQuery=\"nula\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "emoe6540.www.domain", + "input.type": "log", + "log.offset": 2506, + "network.application": "lita", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.10.38.139", + "10.32.67.231" + ], + "rsa.counters.dclass_c1": 2628, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "itanimi", + "rsa.db.index": "nula", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "aquaeabi", + "rsa.misc.group_object": "quamnih", + "rsa.misc.result": "success", + "rsa.time.duration_time": 175.601, + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "service.type": "imperva", + "source.address": "emoe6540.www.domain", + "source.ip": [ + "10.32.67.231" + ], + "source.port": 1250, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "itame", + "adeseru", + "ari" + ] + }, + { + "destination.ip": [ + "10.133.189.215" + ], + "destination.port": 7865, + "event.action": "block", + "event.category": "tmo", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.133.189.215,dstPort=7865,dbUsername=evita,srcIP=10.206.97.204,srcPort=146,creatTime=2016-04-24 
00:25:25,srvGroup=magni,service=pisciv,appName=iquidex,event#=radipisc,eventType=tmo,usrGroup=fficiade,usrAuth=uscipit,application=\"vitaedi\",osUsername=fugitse,srcHost=veniamq1608.www.localdomain,dbName=colab,schemaName=ommodico,bindVar=quatD,sqlError=failure,respSize=4842,respTime=67.309000,affRows=tenima,action=\"block\",rawQuery=\"sperna\"", + "fileset.name": "securesphere", + "host.hostname": "veniamq1608.www.localdomain", + "input.type": "log", + "log.offset": 2954, + "network.application": "vitaedi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.206.97.204", + "10.133.189.215" + ], + "rsa.counters.dclass_c1": 4842, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "colab", + "rsa.db.index": "sperna", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "tmo", + "rsa.misc.group": "fficiade", + "rsa.misc.group_object": "magni", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 67.309, + "rsa.time.starttime": "2016-04-24T02:25:25.000Z", + "service.type": "imperva", + "source.address": "veniamq1608.www.localdomain", + "source.ip": [ + "10.206.97.204" + ], + "source.port": 146, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "ommodico", + "fugitse", + "evita" + ] + }, + { + "destination.ip": [ + "10.145.248.111" + ], + "destination.port": 95, + "event.action": "deny", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.145.248.111,dstPort=95,dbUsername=tectobe,srcIP=10.148.106.167,srcPort=4285,creatTime=8 May 2016 
07:27:59,srvGroup=ntocc,service=uteirure,appName=nevo,event#=ide,eventType=Login,usrGroup=aali,usrAuth=False,application=\"adip\",osUsername=tium,srcHost=nnum5428.internal.host,dbName=tco,schemaName=uae,bindVar=officiad,sqlError=success,respSize=3994,respTime=57.835000,affRows=madmi,action=\"deny\",rawQuery=\"turadip\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "nnum5428.internal.host", + "input.type": "log", + "log.offset": 3416, + "network.application": "adip", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.145.248.111", + "10.148.106.167" + ], + "rsa.counters.dclass_c1": 3994, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tco", + "rsa.db.index": "turadip", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "aali", + "rsa.misc.group_object": "ntocc", + "rsa.misc.result": "success", + "rsa.time.duration_time": 57.835, + "rsa.time.starttime": "2016-05-08T09:27:59.000Z", + "service.type": "imperva", + "source.address": "nnum5428.internal.host", + "source.ip": [ + "10.148.106.167" + ], + "source.port": 4285, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "tium", + "uae", + "tectobe" + ] + }, + { + "destination.ip": [ + "10.77.52.83" + ], + "destination.port": 2646, + "event.action": "accept", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.77.52.83,dstPort=2646,dbUsername=atno,srcIP=10.7.46.36,srcPort=837,creatTime=22 May 2016 
14:30:33,srvGroup=nonn,service=inventor,appName=quiavol,event#=rrorsi,eventType=Login,usrGroup=temquiav,usrAuth=False,application=\"equatu\",osUsername=upta,srcHost=dex2490.www.host,dbName=tae,schemaName=ccaec,bindVar=ten,sqlError=success,respSize=1458,respTime=129.251000,affRows=ullamcor,action=\"accept\",rawQuery=\"emaccusa\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "dex2490.www.host", + "input.type": "log", + "log.offset": 3854, + "network.application": "equatu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.77.52.83", + "10.7.46.36" + ], + "rsa.counters.dclass_c1": 1458, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tae", + "rsa.db.index": "emaccusa", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "temquiav", + "rsa.misc.group_object": "nonn", + "rsa.misc.result": "success", + "rsa.time.duration_time": 129.251, + "rsa.time.starttime": "2016-05-22T16:30:33.000Z", + "service.type": "imperva", + "source.address": "dex2490.www.host", + "source.ip": [ + "10.7.46.36" + ], + "source.port": 837, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "upta", + "ccaec", + "atno" + ] + }, + { + "destination.ip": [ + "10.221.102.245" + ], + "destination.port": 337, + "event.action": "block", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.221.102.245,dstPort=337,dbUsername=rinre,srcIP=10.43.226.231,srcPort=7222,creatTime=2016-06-05 
21:33:08,srvGroup=tut,service=ercita,appName=ciadeser,event#=emquia,eventType=Logout,usrGroup=inesci,usrAuth=True,application=\"isnisi\",osUsername=ritatise,srcHost=uamei2389.internal.example,dbName=uisa,schemaName=eFi,bindVar=mexe,sqlError=failure,respSize=302,respTime=93.746000,affRows=ice,action=\"block\",rawQuery=\"entorev\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "uamei2389.internal.example", + "input.type": "log", + "log.offset": 4293, + "network.application": "isnisi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.43.226.231", + "10.221.102.245" + ], + "rsa.counters.dclass_c1": 302, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uisa", + "rsa.db.index": "entorev", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "inesci", + "rsa.misc.group_object": "tut", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 93.746, + "rsa.time.starttime": "2016-06-05T23:33:08.000Z", + "service.type": "imperva", + "source.address": "uamei2389.internal.example", + "source.ip": [ + "10.43.226.231" + ], + "source.port": 7222, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "ritatise", + "rinre", + "eFi" + ] + }, + { + "destination.ip": [ + "10.239.96.8" + ], + "destination.port": 6223, + "event.action": "allow", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.239.96.8,dstPort=6223,dbUsername=atevelit,srcIP=10.56.136.27,srcPort=4293,creatTime=20 June 2016 
04:35:42,srvGroup=labo,service=oNemoeni,appName=ttenby,event#=boris,eventType=Login,usrGroup=stenatu,usrAuth=False,application=\"isiuta\",osUsername=orsitam,srcHost=siutaliq7201.mail.host,dbName=tsed,schemaName=nts,bindVar=siut,sqlError=unknown,respSize=3714,respTime=20.894000,affRows=piscinge,action=\"allow\",rawQuery=\"aturve\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "siutaliq7201.mail.host", + "input.type": "log", + "log.offset": 4739, + "network.application": "isiuta", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.239.96.8", + "10.56.136.27" + ], + "rsa.counters.dclass_c1": 3714, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tsed", + "rsa.db.index": "aturve", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "stenatu", + "rsa.misc.group_object": "labo", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 20.894, + "rsa.time.starttime": "2016-06-20T06:35:42.000Z", + "service.type": "imperva", + "source.address": "siutaliq7201.mail.host", + "source.ip": [ + "10.56.136.27" + ], + "source.port": 4293, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "atevelit", + "orsitam", + "nts" + ] + }, + { + "destination.ip": [ + "10.10.216.74" + ], + "destination.port": 7231, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.10.216.74,dstPort=7231,dbUsername=sit,srcIP=10.147.76.202,srcPort=2805,creatTime=4 July 2016 
11:38:16,srvGroup=ersp,service=enderi,appName=mquisno,event#=odoconse,eventType=Login,usrGroup=quamqua,usrAuth=True,application=\"eacommod\",osUsername=ctetura,srcHost=aveni2929.www.localdomain,dbName=uptatema,schemaName=oeni,bindVar=tdol,sqlError=failure,respSize=5313,respTime=87.380000,affRows=nea,action=\"cancel\",rawQuery=\"oremagna\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "aveni2929.www.localdomain", + "input.type": "log", + "log.offset": 5188, + "network.application": "eacommod", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.10.216.74", + "10.147.76.202" + ], + "rsa.counters.dclass_c1": 5313, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uptatema", + "rsa.db.index": "oremagna", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "quamqua", + "rsa.misc.group_object": "ersp", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 87.38, + "rsa.time.starttime": "2016-07-04T13:38:16.000Z", + "service.type": "imperva", + "source.address": "aveni2929.www.localdomain", + "source.ip": [ + "10.147.76.202" + ], + "source.port": 2805, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "ctetura", + "sit", + "oeni" + ] + }, + { + "destination.ip": [ + "10.177.219.214" + ], + "destination.port": 2300, + "event.action": "cancel", + "event.category": "nBCSedut", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=asiar,event#=ise,createTime=2016-07-18 
18:40:50,updateTime=itau,alertSev=low,group=iamquis,ruleName=\"asiarc\",evntDesc=\"ian\",category=dolore,disposition=onsecte,eventType=nBCSedut,proto=icmp,srcPort=23,srcIP=10.123.199.236,dstPort=2300,dstIP=10.177.219.214,policyName=\"quatu\",occurrences=5653,httpHost=lumdolor,webMethod=nonp,url=\"https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl\",webQuery=\"por\",soapAction=quidexea,resultCode=nimid,sessionID=runtmol,username=texpli,addUsername=exeacom,responseTime=roidents,responseSize=tem,direction=dol,dbUsername=proiden,queryGroup=urExcept,application=\"miurerep\",srcHost=aco6894.mail.home,osUsername=emUteni,schemaName=rum,dbName=gnaaliqu,hdrName=teirured,action=\"cancel\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "host.hostname": "aco6894.mail.home", + "input.type": "log", + "log.level": "low", + "log.offset": 5642, + "network.application": "miurerep", + "network.direction": "dol", + "network.protocol": "icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.123.199.236", + "10.177.219.214" + ], + "rsa.counters.event_counter": 5653, + "rsa.db.database": "gnaaliqu", + "rsa.internal.event_desc": "ian", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "nonp" + ], + "rsa.misc.category": "dolore", + "rsa.misc.disposition": "onsecte", + "rsa.misc.event_type": "nBCSedut", + "rsa.misc.group": "iamquis", + "rsa.misc.log_session_id": "runtmol", + "rsa.misc.operation_id": "asiar", + "rsa.misc.policy_name": "quatu", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "nimid", + "rsa.misc.rule_name": "asiarc", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-07-18T20:40:50.000Z", + "rsa.web.alias_host": "lumdolor", + "rule.name": "asiarc", + "service.type": "imperva", + "source.address": "aco6894.mail.home", + "source.ip": [ + "10.123.199.236" + ], + "source.port": 23, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + 
"url.original": "https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl", + "url.query": "por", + "user.name": [ + "texpli", + "emUteni", + "rum" + ] + }, + { + "destination.ip": [ + "10.110.114.175" + ], + "destination.port": 2639, + "event.action": "allow", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.110.114.175,dstPort=2639,dbUsername=upt,srcIP=10.20.72.231,srcPort=5300,creatTime=2 August 2016 01:43:25,srvGroup=untutlab,service=amcor,appName=ica,event#=lillum,eventType=Login,usrGroup=remips,usrAuth=True,application=\"uisaute\",osUsername=imide,srcHost=poriss4719.www5.domain,dbName=siu,schemaName=snost,bindVar=tpersp,sqlError=unknown,respSize=5798,respTime=96.768000,affRows=ametcons,action=\"allow\",rawQuery=\"nof\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "poriss4719.www5.domain", + "input.type": "log", + "log.offset": 6405, + "network.application": "uisaute", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.20.72.231", + "10.110.114.175" + ], + "rsa.counters.dclass_c1": 5798, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "siu", + "rsa.db.index": "nof", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "remips", + "rsa.misc.group_object": "untutlab", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 96.768, + "rsa.time.starttime": "2016-08-02T03:43:25.000Z", + "service.type": "imperva", + "source.address": "poriss4719.www5.domain", + "source.ip": [ + "10.20.72.231" + ], + "source.port": 5300, + "tags": [ + 
"imperva.securesphere", + "forwarded" + ], + "user.name": [ + "imide", + "snost", + "upt" + ] + }, + { + "destination.ip": [ + "10.230.206.60" + ], + "destination.port": 3684, + "event.action": "deny", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.230.206.60,dstPort=3684,dbUsername=aincidu,srcIP=10.111.90.75,srcPort=5960,creatTime=16 August 2016 08:45:59,srvGroup=licabo,service=enimadmi,appName=utaliqu,event#=dic,eventType=Login,usrGroup=cola,usrAuth=True,application=\"amcor\",osUsername=rcitat,srcHost=ineavol7807.mail.test,dbName=usc,schemaName=rem,bindVar=amvolupt,sqlError=success,respSize=1264,respTime=123.553000,affRows=xea,action=\"deny\",rawQuery=\"ncidid\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "ineavol7807.mail.test", + "input.type": "log", + "log.offset": 6849, + "network.application": "amcor", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.230.206.60", + "10.111.90.75" + ], + "rsa.counters.dclass_c1": 1264, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "usc", + "rsa.db.index": "ncidid", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "cola", + "rsa.misc.group_object": "licabo", + "rsa.misc.result": "success", + "rsa.time.duration_time": 123.553, + "rsa.time.starttime": "2016-08-16T10:45:59.000Z", + "service.type": "imperva", + "source.address": "ineavol7807.mail.test", + "source.ip": [ + "10.111.90.75" + ], + "source.port": 5960, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "rcitat", + "rem", + 
"aincidu" + ] + }, + { + "destination.ip": [ + "10.154.53.249" + ], + "destination.port": 1513, + "event.action": "accept", + "event.category": "uisa", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=velite,event#=teturad,createTime=2016-08-30 15:48:33,updateTime=perspici,alertSev=high,group=rer,ruleName=\"iconseq\",evntDesc=\"porincid\",category=atisetqu,disposition=issuscip,eventType=uisa,proto=tcp,srcPort=3449,srcIP=10.186.77.109,dstPort=1513,dstIP=10.154.53.249,policyName=\"tae\",occurrences=5380,httpHost=eriti,webMethod=atcupi,url=\"https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant\",webQuery=\"onse\",soapAction=admin,resultCode=stenatu,sessionID=inibu,username=est,addUsername=uptatemU,responseTime=leumiu,responseSize=tla,direction=item,dbUsername=nimid,queryGroup=dat,application=\"periam\",srcHost=dqu6144.api.localhost,osUsername=dutpers,schemaName=erun,dbName=orisn,hdrName=reetd,action=accept", + "fileset.name": "securesphere", + "host.hostname": "dqu6144.api.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 7293, + "network.application": "periam", + "network.direction": "item", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.154.53.249", + "10.186.77.109" + ], + "rsa.counters.event_counter": 5380, + "rsa.db.database": "orisn", + "rsa.internal.event_desc": "porincid", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "atcupi", + "accept" + ], + "rsa.misc.category": "atisetqu", + "rsa.misc.disposition": "issuscip", + "rsa.misc.event_type": "uisa", + "rsa.misc.group": "rer", + "rsa.misc.log_session_id": "inibu", + "rsa.misc.operation_id": "velite", + "rsa.misc.policy_name": "tae", + "rsa.misc.result_code": "stenatu", + "rsa.misc.rule_name": "iconseq", + "rsa.misc.severity": "high", + "rsa.time.starttime": 
"2016-08-30T17:48:33.000Z", + "rsa.web.alias_host": "eriti", + "rule.name": "iconseq", + "service.type": "imperva", + "source.address": "dqu6144.api.localhost", + "source.ip": [ + "10.186.77.109" + ], + "source.port": 3449, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant", + "url.query": "onse", + "user.name": [ + "est", + "erun", + "dutpers" + ] + }, + { + "destination.ip": [ + "10.201.164.145" + ], + "destination.port": 2700, + "event.action": "allow", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.201.164.145,dstPort=2700,dbUsername=sequa,srcIP=10.111.233.194,srcPort=5739,creatTime=13 September 2016 22:51:07,srvGroup=rem,service=idid,appName=tesse,event#=sequat,eventType=Login,usrGroup=giatquov,usrAuth=True,application=\"tconsec\",osUsername=miurerep,srcHost=toccaec7645.www5.home,dbName=psaqua,schemaName=ullamcor,bindVar=itationu,sqlError=unknown,respSize=6595,respTime=106.181000,affRows=tame,action=\"allow\",rawQuery=\"orroq\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "toccaec7645.www5.home", + "input.type": "log", + "log.offset": 8035, + "network.application": "tconsec", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.111.233.194", + "10.201.164.145" + ], + "rsa.counters.dclass_c1": 6595, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "psaqua", + "rsa.db.index": "orroq", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "giatquov", + 
"rsa.misc.group_object": "rem", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 106.181, + "rsa.time.starttime": "2016-09-14T00:51:07.000Z", + "service.type": "imperva", + "source.address": "toccaec7645.www5.home", + "source.ip": [ + "10.111.233.194" + ], + "source.port": 5739, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "miurerep", + "sequa", + "ullamcor" + ] + }, + { + "destination.ip": [ + "10.241.230.235" + ], + "destination.port": 3421, + "event.action": "accept", + "event.category": "ssecil", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=orisni,event#=ons,createTime=2016-09-28 05:53:42,updateTime=remagn,alertSev=very-high,group=orem,ruleName=\"rcit\",evntDesc=\"llamco\",category=atu,disposition=untincul,eventType=ssecil,proto=ggp,srcPort=4593,srcIP=10.57.164.187,dstPort=3421,dstIP=10.241.230.235,policyName=\"utp\",occurrences=3317,httpHost=isnost,webMethod=olorem,url=\"https://example.org/emqu/riss.gif?sitvol=dolore#nsequat\",webQuery=\"olorsi\",soapAction=aliq,resultCode=mes,sessionID=mven,username=olorsit,addUsername=tore,responseTime=elits,responseSize=consequa,direction=turadip,dbUsername=tatevel,queryGroup=boreetdo,application=\"undeom\",srcHost=uamnihi4791.www.local,osUsername=scingeli,schemaName=isn,dbName=sBono,hdrName=loremqu,action=\"accept\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "host.hostname": "uamnihi4791.www.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8494, + "network.application": "undeom", + "network.direction": "turadip", + "network.protocol": "ggp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.57.164.187", + "10.241.230.235" + ], + "rsa.counters.event_counter": 3317, + "rsa.db.database": "sBono", + "rsa.internal.event_desc": "llamco", + "rsa.internal.messageid": "Imperva", + 
"rsa.misc.action": [ + "accept", + "olorem" + ], + "rsa.misc.category": "atu", + "rsa.misc.disposition": "untincul", + "rsa.misc.event_type": "ssecil", + "rsa.misc.group": "orem", + "rsa.misc.log_session_id": "mven", + "rsa.misc.operation_id": "orisni", + "rsa.misc.policy_name": "utp", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "mes", + "rsa.misc.rule_name": "rcit", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + "rsa.web.alias_host": "isnost", + "rule.name": "rcit", + "service.type": "imperva", + "source.address": "uamnihi4791.www.local", + "source.ip": [ + "10.57.164.187" + ], + "source.port": 4593, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.org/emqu/riss.gif?sitvol=dolore#nsequat", + "url.query": "olorsi", + "user.name": [ + "isn", + "scingeli", + "olorsit" + ] + }, + { + "destination.ip": [ + "10.79.147.101" + ], + "destination.port": 1280, + "event.action": "deny", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.79.147.101,dstPort=1280,dbUsername=uptat,srcIP=10.105.46.101,srcPort=3346,creatTime=12 October 2016 12:56:16,srvGroup=cons,service=olorese,appName=ori,event#=tconsect,eventType=Login,usrGroup=rum,usrAuth=True,application=\"eataevi\",osUsername=ddoeius,srcHost=ugiatn4084.domain,dbName=hil,schemaName=cingel,bindVar=modocon,sqlError=success,respSize=6068,respTime=61.550000,affRows=lupta,action=\"deny\",rawQuery=\"urExce\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "ugiatn4084.domain", + "input.type": "log", + "log.offset": 9252, + "network.application": "eataevi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.79.147.101", + "10.105.46.101" + ], + "rsa.counters.dclass_c1": 6068, + "rsa.counters.dclass_c1_str": "Affected 
Rows", + "rsa.db.database": "hil", + "rsa.db.index": "urExce", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rum", + "rsa.misc.group_object": "cons", + "rsa.misc.result": "success", + "rsa.time.duration_time": 61.55, + "rsa.time.starttime": "2016-10-12T14:56:16.000Z", + "service.type": "imperva", + "source.address": "ugiatn4084.domain", + "source.ip": [ + "10.105.46.101" + ], + "source.port": 3346, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "ddoeius", + "cingel", + "uptat" + ] + }, + { + "destination.ip": [ + "10.49.71.118" + ], + "destination.port": 4322, + "event.action": "cancel", + "event.category": "eprehend", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=proident,event#=mipsum,createTime=2016-10-26 19:58:50,updateTime=lmo,alertSev=medium,group=doei,ruleName=\"cipitl\",evntDesc=\"caboNemo\",category=dexerc,disposition=strumex,eventType=eprehend,proto=udp,srcPort=6200,srcIP=10.102.166.19,dstPort=4322,dstIP=10.49.71.118,policyName=\"ationul\",occurrences=7731,httpHost=itsedq,webMethod=uto,url=\"https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela\",webQuery=\"ntexplic\",soapAction=uto,resultCode=iuntNequ,sessionID=esseq,username=aincidun,addUsername=quatD,responseTime=isqua,responseSize=uta,direction=emo,dbUsername=itq,queryGroup=derit,application=\"orese\",srcHost=dolor5930.internal.host,osUsername=eritin,schemaName=udan,dbName=yCic,hdrName=nder,action=\"cancel\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "host.hostname": "dolor5930.internal.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 9695, + "network.application": 
"orese", + "network.direction": "emo", + "network.protocol": "udp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.102.166.19", + "10.49.71.118" + ], + "rsa.counters.event_counter": 7731, + "rsa.db.database": "yCic", + "rsa.internal.event_desc": "caboNemo", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "uto" + ], + "rsa.misc.category": "dexerc", + "rsa.misc.disposition": "strumex", + "rsa.misc.event_type": "eprehend", + "rsa.misc.group": "doei", + "rsa.misc.log_session_id": "esseq", + "rsa.misc.operation_id": "proident", + "rsa.misc.policy_name": "ationul", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "iuntNequ", + "rsa.misc.rule_name": "cipitl", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2016-10-26T21:58:50.000Z", + "rsa.web.alias_host": "itsedq", + "rule.name": "cipitl", + "service.type": "imperva", + "source.address": "dolor5930.internal.host", + "source.ip": [ + "10.102.166.19" + ], + "source.port": 6200, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela", + "url.query": "ntexplic", + "user.name": [ + "aincidun", + "eritin", + "udan" + ] + }, + { + "destination.ip": [ + "10.28.153.102" + ], + "destination.port": 6366, + "event.action": "allow", + "event.category": "plic", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.28.153.102,dstPort=6366,dbUsername=rsita,srcIP=10.50.222.68,srcPort=6657,creatTime=2016-11-10 03:01:24,srvGroup=illu,service=iatqu,appName=lorsi,event#=repreh,eventType=plic,usrGroup=irured,usrAuth=illumqui,application=\"saq\",osUsername=amali,srcHost=ate7311.mail.example,dbName=undeomni,schemaName=tas,bindVar=autfugi,sqlError=unknown,respSize=4527,respTime=82.523000,affRows=eratv,action=\"allow\",rawQuery=\"iration\"", + "fileset.name": 
"securesphere", + "host.hostname": "ate7311.mail.example", + "input.type": "log", + "log.offset": 10455, + "network.application": "saq", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.50.222.68", + "10.28.153.102" + ], + "rsa.counters.dclass_c1": 4527, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "undeomni", + "rsa.db.index": "iration", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "plic", + "rsa.misc.group": "irured", + "rsa.misc.group_object": "illu", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 82.523, + "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "service.type": "imperva", + "source.address": "ate7311.mail.example", + "source.ip": [ + "10.50.222.68" + ], + "source.port": 6657, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "amali", + "tas", + "rsita" + ] + }, + { + "destination.ip": [ + "10.199.169.48" + ], + "destination.port": 6443, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.199.169.48,dstPort=6443,dbUsername=imadmini,srcIP=10.46.192.198,srcPort=154,creatTime=24 November 2016 10:03:59,srvGroup=uat,service=lupta,appName=npr,event#=etconsec,eventType=Login,usrGroup=caboNem,usrAuth=True,application=\"urExcept\",osUsername=rumetMal,srcHost=oconse2010.www5.example,dbName=sequam,schemaName=oditempo,bindVar=doeiu,sqlError=failure,respSize=4128,respTime=83.673000,affRows=destlabo,action=\"cancel\",rawQuery=\"redol\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "oconse2010.www5.example", + "input.type": "log", + "log.offset": 10897, + "network.application": "urExcept", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ 
+ "10.199.169.48", + "10.46.192.198" + ], + "rsa.counters.dclass_c1": 4128, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "sequam", + "rsa.db.index": "redol", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "caboNem", + "rsa.misc.group_object": "uat", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 83.673, + "rsa.time.starttime": "2016-11-24T12:03:59.000Z", + "service.type": "imperva", + "source.address": "oconse2010.www5.example", + "source.ip": [ + "10.46.192.198" + ], + "source.port": 154, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "rumetMal", + "oditempo", + "imadmini" + ] + }, + { + "destination.ip": [ + "10.201.81.46" + ], + "destination.port": 6515, + "event.action": "block", + "event.category": "BCS", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=radipis,event#=ctetu,createTime=2016-12-08 17:06:33,updateTime=orinrep,alertSev=low,group=nder,ruleName=\"stenatus\",evntDesc=\"equep\",category=ever,disposition=tali,eventType=BCS,proto=icmp,srcPort=4926,srcIP=10.251.1.35,dstPort=6515,dstIP=10.201.81.46,policyName=\"sBonor\",occurrences=2001,httpHost=plicaboN,webMethod=amc,url=\"https://example.com/admi/onnu.gif?saute=atatnon#tcupida\",webQuery=\"isa\",soapAction=riameaqu,resultCode=ame,sessionID=tesseq,username=niam,addUsername=pernat,responseTime=rerepre,responseSize=nculpaq,direction=culpaqui,dbUsername=tvolup,queryGroup=tdolore,application=\"ventore\",srcHost=red5516.localhost,osUsername=agnaaliq,schemaName=est,dbName=mquisno,hdrName=aev,action=\"block\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "host.hostname": 
"red5516.localhost", + "input.type": "log", + "log.level": "low", + "log.offset": 11359, + "network.application": "ventore", + "network.direction": "culpaqui", + "network.protocol": "icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.201.81.46", + "10.251.1.35" + ], + "rsa.counters.event_counter": 2001, + "rsa.db.database": "mquisno", + "rsa.internal.event_desc": "equep", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "amc", + "block" + ], + "rsa.misc.category": "ever", + "rsa.misc.disposition": "tali", + "rsa.misc.event_type": "BCS", + "rsa.misc.group": "nder", + "rsa.misc.log_session_id": "tesseq", + "rsa.misc.operation_id": "radipis", + "rsa.misc.policy_name": "sBonor", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ame", + "rsa.misc.rule_name": "stenatus", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "rsa.web.alias_host": "plicaboN", + "rule.name": "stenatus", + "service.type": "imperva", + "source.address": "red5516.localhost", + "source.ip": [ + "10.251.1.35" + ], + "source.port": 4926, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.com/admi/onnu.gif?saute=atatnon#tcupida", + "url.query": "isa", + "user.name": [ + "niam", + "est", + "agnaaliq" + ] + }, + { + "destination.ip": [ + "10.7.81.204" + ], + "destination.port": 3984, + "event.action": "accept", + "event.category": "uradi", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=uid,event#=equaturv,createTime=2016-12-23 
00:09:07,updateTime=lamc,alertSev=very-high,group=maccusa,ruleName=\"ree\",evntDesc=\"nimad\",category=ataevita,disposition=oremqu,eventType=uradi,proto=ipv6-icmp,srcPort=194,srcIP=10.131.82.68,dstPort=3984,dstIP=10.7.81.204,policyName=\"equatDu\",occurrences=1710,httpHost=aconse,webMethod=prehe,url=\"https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes\",webQuery=\"lmolesti\",soapAction=meumfugi,resultCode=tquas,sessionID=aquio,username=ersp,addUsername=iame,responseTime=orroquis,responseSize=aquio,direction=riatu,dbUsername=loinve,queryGroup=tanimid,application=\"isnostru\",srcHost=nofdeFi5182.mail.domain,osUsername=ulap,schemaName=amnisi,dbName=nrepreh,hdrName=abori,action=accept", + "fileset.name": "securesphere", + "host.hostname": "nofdeFi5182.mail.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12107, + "network.application": "isnostru", + "network.direction": "riatu", + "network.protocol": "ipv6-icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.7.81.204", + "10.131.82.68" + ], + "rsa.counters.event_counter": 1710, + "rsa.db.database": "nrepreh", + "rsa.internal.event_desc": "nimad", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept", + "prehe" + ], + "rsa.misc.category": "ataevita", + "rsa.misc.disposition": "oremqu", + "rsa.misc.event_type": "uradi", + "rsa.misc.group": "maccusa", + "rsa.misc.log_session_id": "aquio", + "rsa.misc.operation_id": "uid", + "rsa.misc.policy_name": "equatDu", + "rsa.misc.result_code": "tquas", + "rsa.misc.rule_name": "ree", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2016-12-23T02:09:07.000Z", + "rsa.web.alias_host": "aconse", + "rule.name": "ree", + "service.type": "imperva", + "source.address": "nofdeFi5182.mail.domain", + "source.ip": [ + "10.131.82.68" + ], + "source.port": 194, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": 
"https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes", + "url.query": "lmolesti", + "user.name": [ + "amnisi", + "ulap", + "ersp" + ] + }, + { + "destination.ip": [ + "10.94.132.21" + ], + "destination.port": 2945, + "event.action": "deny", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.94.132.21,dstPort=2945,dbUsername=odi,srcIP=10.114.193.232,srcPort=3661,creatTime=6 January 2017 07:11:41,srvGroup=ore,service=isund,appName=exerci,event#=tas,eventType=Login,usrGroup=oraincid,usrAuth=False,application=\"quaer\",osUsername=eetdo,srcHost=tlab2033.lan,dbName=seddoeiu,schemaName=nse,bindVar=aali,sqlError=unknown,respSize=6784,respTime=57.532000,affRows=olorem,action=\"deny\",rawQuery=\"ugitsedq\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "tlab2033.lan", + "input.type": "log", + "log.offset": 12863, + "network.application": "quaer", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.114.193.232", + "10.94.132.21" + ], + "rsa.counters.dclass_c1": 6784, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "seddoeiu", + "rsa.db.index": "ugitsedq", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "oraincid", + "rsa.misc.group_object": "ore", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 57.532, + "rsa.time.starttime": "2017-01-06T09:11:41.000Z", + "service.type": "imperva", + "source.address": "tlab2033.lan", + "source.ip": [ + "10.114.193.232" + ], + "source.port": 3661, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": 
[ + "nse", + "odi", + "eetdo" + ] + }, + { + "destination.ip": [ + "10.44.226.104" + ], + "destination.port": 7020, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.44.226.104,dstPort=7020,dbUsername=nse,srcIP=10.9.56.220,srcPort=905,creatTime=2017-01-20 14:14:16,srvGroup=suntincu,service=sse,appName=venia,event#=inBCSe,eventType=Logout,usrGroup=otamrem,usrAuth=True,application=\"tutlabor\",osUsername=reseosq,srcHost=gna4901.internal.localhost,dbName=catcupi,schemaName=autf,bindVar=saqu,sqlError=unknown,respSize=5380,respTime=36.114000,affRows=amquisno,action=\"accept\",rawQuery=\"tiumdol\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "gna4901.internal.localhost", + "input.type": "log", + "log.offset": 13297, + "network.application": "tutlabor", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.9.56.220", + "10.44.226.104" + ], + "rsa.counters.dclass_c1": 5380, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "catcupi", + "rsa.db.index": "tiumdol", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "otamrem", + "rsa.misc.group_object": "suntincu", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 36.114, + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "service.type": "imperva", + "source.address": "gna4901.internal.localhost", + "source.ip": [ + "10.9.56.220" + ], + "source.port": 905, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "reseosq", + "nse", + "autf" + ] + }, + { + 
"destination.ip": [ + "10.48.209.115" + ], + "destination.port": 3450, + "event.action": "cancel", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.48.209.115,dstPort=3450,dbUsername=aconsequ,srcIP=10.33.195.166,srcPort=1629,creatTime=2017-02-03 21:16:50,srvGroup=ursin,service=utemvel,appName=epteur,event#=ommo,eventType=Logout,usrGroup=iame,usrAuth=True,application=\"laudanti\",osUsername=umiurer,srcHost=rere5274.mail.domain,dbName=usmo,schemaName=iamea,bindVar=imaveni,sqlError=failure,respSize=3249,respTime=105.870000,affRows=cor,action=\"cancel\",rawQuery=\"nihil\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "rere5274.mail.domain", + "input.type": "log", + "log.offset": 13750, + "network.application": "laudanti", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.48.209.115", + "10.33.195.166" + ], + "rsa.counters.dclass_c1": 3249, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "usmo", + "rsa.db.index": "nihil", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "iame", + "rsa.misc.group_object": "ursin", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 105.87, + "rsa.time.starttime": "2017-02-03T23:16:50.000Z", + "service.type": "imperva", + "source.address": "rere5274.mail.domain", + "source.ip": [ + "10.33.195.166" + ], + "source.port": 1629, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "iamea", + "umiurer", + "aconsequ" + ] + }, + { + "destination.ip": [ + "10.85.137.156" + ], + "destination.port": 2763, 
+ "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.85.137.156,dstPort=2763,dbUsername=orumSe,srcIP=10.188.121.11,srcPort=537,creatTime=2017-02-18 04:19:24,srvGroup=dtemp,service=ici,appName=nisiuta,event#=iquaUt,eventType=Logout,usrGroup=mnihilm,usrAuth=True,application=\"redo\",osUsername=etMaloru,srcHost=lmo3262.test,dbName=uamqu,schemaName=olori,bindVar=ido,sqlError=success,respSize=2491,respTime=126.010000,affRows=autfugit,action=\"accept\",rawQuery=\"dolorsi\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "lmo3262.test", + "input.type": "log", + "log.offset": 14197, + "network.application": "redo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.188.121.11", + "10.85.137.156" + ], + "rsa.counters.dclass_c1": 2491, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uamqu", + "rsa.db.index": "dolorsi", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "mnihilm", + "rsa.misc.group_object": "dtemp", + "rsa.misc.result": "success", + "rsa.time.duration_time": 126.01, + "rsa.time.starttime": "2017-02-18T06:19:24.000Z", + "service.type": "imperva", + "source.address": "lmo3262.test", + "source.ip": [ + "10.188.121.11" + ], + "source.port": 537, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "etMaloru", + "orumSe", + "olori" + ] + }, + { + "destination.ip": [ + "10.238.245.236" + ], + "destination.port": 3575, + "event.action": "cancel", + "event.category": "tnul", + "event.code": "Imperva", + 
"event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.238.245.236,dstPort=3575,dbUsername=stquidol,srcIP=10.45.215.202,srcPort=3834,creatTime=2017-03-04 11:21:59,srvGroup=ide,service=edq,appName=evitae,event#=amvo,eventType=tnul,usrGroup=expl,usrAuth=ess,application=\"quiad\",osUsername=ihilmole,srcHost=saquaea2280.www5.invalid,dbName=quas,schemaName=gia,bindVar=itatio,sqlError=failure,respSize=7822,respTime=157.184000,affRows=eddoei,action=\"cancel\",rawQuery=\"sseq\"", + "fileset.name": "securesphere", + "host.hostname": "saquaea2280.www5.invalid", + "input.type": "log", + "log.offset": 14636, + "network.application": "quiad", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.45.215.202", + "10.238.245.236" + ], + "rsa.counters.dclass_c1": 7822, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quas", + "rsa.db.index": "sseq", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "tnul", + "rsa.misc.group": "expl", + "rsa.misc.group_object": "ide", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 157.184, + "rsa.time.starttime": "2017-03-04T13:21:59.000Z", + "service.type": "imperva", + "source.address": "saquaea2280.www5.invalid", + "source.ip": [ + "10.45.215.202" + ], + "source.port": 3834, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "stquidol", + "gia", + "ihilmole" + ] + }, + { + "destination.ip": [ + "10.213.109.180" + ], + "destination.port": 6536, + "event.action": "accept", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.213.109.180,dstPort=6536,dbUsername=essequam,srcIP=10.222.85.95,srcPort=1742,creatTime=18 March 2017 
18:24:33,srvGroup=upt,service=orum,appName=Bonoru,event#=madminim,eventType=Login,usrGroup=ents,usrAuth=False,application=\"emacc\",osUsername=emp,srcHost=lamcola4879.www5.localdomain,dbName=dant,schemaName=etdolor,bindVar=uat,sqlError=unknown,respSize=2905,respTime=85.649000,affRows=iti,action=\"accept\",rawQuery=\"amqu\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "lamcola4879.www5.localdomain", + "input.type": "log", + "log.offset": 15076, + "network.application": "emacc", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.213.109.180", + "10.222.85.95" + ], + "rsa.counters.dclass_c1": 2905, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "dant", + "rsa.db.index": "amqu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "ents", + "rsa.misc.group_object": "upt", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 85.649, + "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "service.type": "imperva", + "source.address": "lamcola4879.www5.localdomain", + "source.ip": [ + "10.222.85.95" + ], + "source.port": 1742, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "emp", + "essequam", + "etdolor" + ] + }, + { + "destination.ip": [ + "10.229.165.102" + ], + "destination.port": 2069, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.229.165.102,dstPort=2069,dbUsername=lestia,srcIP=10.18.225.139,srcPort=3302,creatTime=2 April 2017 
01:27:07,srvGroup=inibusB,service=nostrud,appName=cteturad,event#=ore,eventType=Login,usrGroup=esse,usrAuth=True,application=\"veniam\",osUsername=edquian,srcHost=sus7859.www5.lan,dbName=mquido,schemaName=orum,bindVar=oinBCSed,sqlError=success,respSize=3553,respTime=116.549000,affRows=ilm,action=\"cancel\",rawQuery=\"fugiatqu\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "sus7859.www5.lan", + "input.type": "log", + "log.offset": 15522, + "network.application": "veniam", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.18.225.139", + "10.229.165.102" + ], + "rsa.counters.dclass_c1": 3553, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "mquido", + "rsa.db.index": "fugiatqu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "esse", + "rsa.misc.group_object": "inibusB", + "rsa.misc.result": "success", + "rsa.time.duration_time": 116.549, + "rsa.time.starttime": "2017-04-02T03:27:07.000Z", + "service.type": "imperva", + "source.address": "sus7859.www5.lan", + "source.ip": [ + "10.18.225.139" + ], + "source.port": 3302, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "lestia", + "edquian", + "orum" + ] + }, + { + "destination.ip": [ + "10.119.4.120" + ], + "destination.port": 3822, + "event.action": "accept", + "event.category": "turadip", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.119.4.120,dstPort=3822,dbUsername=veleumi,srcIP=10.63.177.46,srcPort=4799,creatTime=2017-04-16 
08:29:41,srvGroup=adipisci,service=mip,appName=itatio,event#=oquisqu,eventType=turadip,usrGroup=dip,usrAuth=idolo,application=\"Ute\",osUsername=ptassita,srcHost=caecatcu919.www5.corp,dbName=olorsi,schemaName=itseddo,bindVar=bore,sqlError=unknown,respSize=5719,respTime=42.541000,affRows=labo,action=\"accept\",rawQuery=\"mvenia\"", + "fileset.name": "securesphere", + "host.hostname": "caecatcu919.www5.corp", + "input.type": "log", + "log.offset": 15971, + "network.application": "Ute", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.119.4.120", + "10.63.177.46" + ], + "rsa.counters.dclass_c1": 5719, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "olorsi", + "rsa.db.index": "mvenia", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "turadip", + "rsa.misc.group": "dip", + "rsa.misc.group_object": "adipisci", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 42.541, + "rsa.time.starttime": "2017-04-16T10:29:41.000Z", + "service.type": "imperva", + "source.address": "caecatcu919.www5.corp", + "source.ip": [ + "10.63.177.46" + ], + "source.port": 4799, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "itseddo", + "veleumi", + "ptassita" + ] + }, + { + "destination.ip": [ + "10.189.6.107" + ], + "destination.port": 767, + "event.action": "allow", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.189.6.107,dstPort=767,dbUsername=exerci,srcIP=10.50.69.209,srcPort=5406,creatTime=2017-04-30 
15:32:16,srvGroup=atcupid,service=onse,appName=psa,event#=ate,eventType=Logout,usrGroup=con,usrAuth=False,application=\"tqu\",osUsername=eirur,srcHost=dese3161.www5.localhost,dbName=lore,schemaName=isci,bindVar=Dui,sqlError=failure,respSize=1684,respTime=75.877000,affRows=lup,action=\"allow\",rawQuery=\"eos\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "dese3161.www5.localhost", + "input.type": "log", + "log.offset": 16417, + "network.application": "tqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.189.6.107", + "10.50.69.209" + ], + "rsa.counters.dclass_c1": 1684, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lore", + "rsa.db.index": "eos", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "con", + "rsa.misc.group_object": "atcupid", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 75.877, + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "service.type": "imperva", + "source.address": "dese3161.www5.localhost", + "source.ip": [ + "10.50.69.209" + ], + "source.port": 5406, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "eirur", + "exerci", + "isci" + ] + }, + { + "destination.ip": [ + "10.74.166.70" + ], + "destination.port": 1453, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.74.166.70,dstPort=1453,dbUsername=olor,srcIP=10.88.176.226,srcPort=6937,creatTime=2017-05-14 
22:34:50,srvGroup=Dui,service=iameaqu,appName=aaliquaU,event#=olu,eventType=Logout,usrGroup=iameaque,usrAuth=True,application=\"identsun\",osUsername=ender,srcHost=inc5923.www.test,dbName=oluptat,schemaName=roinBCSe,bindVar=maperiam,sqlError=success,respSize=723,respTime=156.893000,affRows=nseq,action=\"accept\",rawQuery=\"uidolo\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "inc5923.www.test", + "input.type": "log", + "log.offset": 16841, + "network.application": "identsun", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.74.166.70", + "10.88.176.226" + ], + "rsa.counters.dclass_c1": 723, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "oluptat", + "rsa.db.index": "uidolo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "iameaque", + "rsa.misc.group_object": "Dui", + "rsa.misc.result": "success", + "rsa.time.duration_time": 156.893, + "rsa.time.starttime": "2017-05-15T00:34:50.000Z", + "service.type": "imperva", + "source.address": "inc5923.www.test", + "source.ip": [ + "10.88.176.226" + ], + "source.port": 6937, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "roinBCSe", + "olor", + "ender" + ] + }, + { + "destination.ip": [ + "10.123.56.46" + ], + "destination.port": 6729, + "event.action": "cancel", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.123.56.46,dstPort=6729,dbUsername=sit,srcIP=10.182.181.162,srcPort=6169,creatTime=2017-05-29 
05:37:24,srvGroup=sistena,service=uidexeac,appName=sequa,event#=ntsunti,eventType=Logout,usrGroup=borios,usrAuth=True,application=\"ani\",osUsername=uid,srcHost=idatat6469.api.invalid,dbName=lesti,schemaName=oreseo,bindVar=reprehen,sqlError=failure,respSize=6438,respTime=159.943000,affRows=idolo,action=\"cancel\",rawQuery=\"tsedquia\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "idatat6469.api.invalid", + "input.type": "log", + "log.offset": 17288, + "network.application": "ani", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.182.181.162", + "10.123.56.46" + ], + "rsa.counters.dclass_c1": 6438, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lesti", + "rsa.db.index": "tsedquia", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "borios", + "rsa.misc.group_object": "sistena", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 159.943, + "rsa.time.starttime": "2017-05-29T07:37:24.000Z", + "service.type": "imperva", + "source.address": "idatat6469.api.invalid", + "source.ip": [ + "10.182.181.162" + ], + "source.port": 6169, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "sit", + "oreseo", + "uid" + ] + }, + { + "destination.ip": [ + "10.169.124.164" + ], + "destination.port": 62, + "event.action": "accept", + "event.category": "lesti", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.169.124.164,dstPort=62,dbUsername=iamqui,srcIP=10.176.83.7,srcPort=5908,creatTime=2017-06-12 
12:39:58,srvGroup=inim,service=etdol,appName=Sed,event#=oremeumf,eventType=lesti,usrGroup=sintocca,usrAuth=mipsumqu,application=\"eprehen\",osUsername=hilmole,srcHost=sequ6424.www.invalid,dbName=its,schemaName=dolor,bindVar=lorumwri,sqlError=success,respSize=2894,respTime=68.248000,affRows=lab,action=\"accept\",rawQuery=\"nimaveni\"", + "fileset.name": "securesphere", + "host.hostname": "sequ6424.www.invalid", + "input.type": "log", + "log.offset": 17738, + "network.application": "eprehen", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.169.124.164", + "10.176.83.7" + ], + "rsa.counters.dclass_c1": 2894, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "its", + "rsa.db.index": "nimaveni", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "lesti", + "rsa.misc.group": "sintocca", + "rsa.misc.group_object": "inim", + "rsa.misc.result": "success", + "rsa.time.duration_time": 68.248, + "rsa.time.starttime": "2017-06-12T14:39:58.000Z", + "service.type": "imperva", + "source.address": "sequ6424.www.invalid", + "source.ip": [ + "10.176.83.7" + ], + "source.port": 5908, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "hilmole", + "iamqui", + "dolor" + ] + }, + { + "destination.ip": [ + "10.87.238.169" + ], + "destination.port": 1598, + "event.action": "block", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.87.238.169,dstPort=1598,dbUsername=CSedu,srcIP=10.173.125.112,srcPort=7769,creatTime=2017-06-26 
19:42:33,srvGroup=iquip,service=tinculpa,appName=umtota,event#=etdolore,eventType=Logout,usrGroup=magnaa,usrAuth=False,application=\"sumquiad\",osUsername=iusmodt,srcHost=tes1898.www5.test,dbName=eaqueip,schemaName=itaedict,bindVar=olorema,sqlError=failure,respSize=7780,respTime=126.440000,affRows=ptatemse,action=\"block\",rawQuery=\"quaeratv\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "tes1898.www5.test", + "input.type": "log", + "log.offset": 18186, + "network.application": "sumquiad", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.87.238.169", + "10.173.125.112" + ], + "rsa.counters.dclass_c1": 7780, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "eaqueip", + "rsa.db.index": "quaeratv", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "magnaa", + "rsa.misc.group_object": "iquip", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 126.44, + "rsa.time.starttime": "2017-06-26T21:42:33.000Z", + "service.type": "imperva", + "source.address": "tes1898.www5.test", + "source.ip": [ + "10.173.125.112" + ], + "source.port": 7769, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "iusmodt", + "CSedu", + "itaedict" + ] + }, + { + "destination.ip": [ + "10.245.219.7" + ], + "destination.port": 4792, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.245.219.7,dstPort=4792,dbUsername=rsit,srcIP=10.53.133.90,srcPort=940,creatTime=11 July 2017 
02:45:07,srvGroup=isiutali,service=quaUten,appName=rmagnido,event#=psaquaea,eventType=Login,usrGroup=rchit,usrAuth=False,application=\"psumq\",osUsername=ptatev,srcHost=atu5950.api.corp,dbName=msequ,schemaName=nvol,bindVar=enimadmi,sqlError=unknown,respSize=6066,respTime=143.250000,affRows=sumdolo,action=\"block\",rawQuery=\"rors\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "atu5950.api.corp", + "input.type": "log", + "log.offset": 18649, + "network.application": "psumq", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.245.219.7", + "10.53.133.90" + ], + "rsa.counters.dclass_c1": 6066, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "msequ", + "rsa.db.index": "rors", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rchit", + "rsa.misc.group_object": "isiutali", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 143.25, + "rsa.time.starttime": "2017-07-11T04:45:07.000Z", + "service.type": "imperva", + "source.address": "atu5950.api.corp", + "source.ip": [ + "10.53.133.90" + ], + "source.port": 940, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "nvol", + "ptatev", + "rsit" + ] + }, + { + "destination.ip": [ + "10.67.173.228" + ], + "destination.port": 4444, + "event.action": "block", + "event.category": "aliqui", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=quaU,event#=ufugi,createTime=2017-07-25 
09:47:41,updateTime=cin,alertSev=low,group=byC,ruleName=\"uae\",evntDesc=\"oremip\",category=its,disposition=uptasnul,eventType=aliqui,proto=rdp,srcPort=239,srcIP=10.161.64.168,dstPort=4444,dstIP=10.67.173.228,policyName=\"uatu\",occurrences=2448,httpHost=ntoccaec,webMethod=uamestqu,url=\"https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp\",webQuery=\"ommo\",soapAction=adeser,resultCode=uasiarc,sessionID=doeiu,username=onsectet,addUsername=dentsunt,responseTime=inea,responseSize=animid,direction=upta,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "host.hostname": "upt6017.api.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 19096, + "network.application": "itsedd", + "network.direction": "upta", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.161.64.168", + "10.67.173.228" + ], + "rsa.counters.event_counter": 2448, + "rsa.db.database": "sin", + "rsa.internal.event_desc": "oremip", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "uamestqu", + "block" + ], + "rsa.misc.category": "its", + "rsa.misc.disposition": "uptasnul", + "rsa.misc.event_type": "aliqui", + "rsa.misc.group": "byC", + "rsa.misc.log_session_id": "doeiu", + "rsa.misc.operation_id": "quaU", + "rsa.misc.policy_name": "uatu", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uasiarc", + "rsa.misc.rule_name": "uae", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-07-25T11:47:41.000Z", + "rsa.web.alias_host": "ntoccaec", + "rule.name": "uae", + "service.type": "imperva", + "source.address": "upt6017.api.localdomain", + "source.ip": [ + "10.161.64.168" + ], + "source.port": 239, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": 
"https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp", + "url.query": "ommo", + "user.name": [ + "nesci", + "onsectet", + "tam" + ] + }, + { + "destination.ip": [ + "10.90.50.149" + ], + "destination.port": 1936, + "event.action": "block", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-08-08 16:50:15,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "turQuis4046.api.test", + "input.type": "log", + "log.offset": 19845, + "network.application": "dat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.168.225.209", + "10.90.50.149" + ], + "rsa.counters.dclass_c1": 1127, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "deomnisi", + "rsa.db.index": "iav", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ectobea", + "rsa.misc.group_object": "taliq", + "rsa.misc.result": "success", + "rsa.time.duration_time": 55.87, + "rsa.time.starttime": "2017-08-08T18:50:15.000Z", + "service.type": "imperva", + "source.address": "turQuis4046.api.test", + "source.ip": [ + "10.168.225.209" + ], + "source.port": 6, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + 
"user.name": [ + "olu", + "olupta", + "aUtenima" + ] + }, + { + "destination.ip": [ + "10.59.182.36" + ], + "destination.port": 5792, + "event.action": "allow", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=22 August 2017 23:52:50,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "con6049.internal.lan", + "input.type": "log", + "log.offset": 20286, + "network.application": "tis", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.18.150.82", + "10.59.182.36" + ], + "rsa.counters.dclass_c1": 6112, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quelaud", + "rsa.db.index": "tconse", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "enimad", + "rsa.misc.group_object": "rit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 135.357, + "rsa.time.starttime": "2017-08-23T01:52:50.000Z", + "service.type": "imperva", + "source.address": "con6049.internal.lan", + "source.ip": [ + "10.18.150.82" + ], + "source.port": 6648, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "mtota", + "luptat", + "qua" + ] + }, + { + "event.category": "ulamcola", 
+ "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=rem,createTime=2017-09-06 06:55:24,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 20725, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "nturmag", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ulamcola", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-09-06T08:55:24.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "llita" + ] + }, + { + "destination.ip": [ + "10.52.190.18" + ], + "destination.port": 4411, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.52.190.18,dstPort=4411,dbUsername=ciati,srcIP=10.198.142.81,srcPort=283,creatTime=20 September 2017 13:57:58,srvGroup=amei,service=doconseq,appName=conseq,event#=emve,eventType=Login,usrGroup=edutpers,usrAuth=False,application=\"ctobeat\",osUsername=upta,srcHost=asper311.www.corp,dbName=inibus,schemaName=secte,bindVar=ctobeat,sqlError=unknown,respSize=1063,respTime=124.881000,affRows=animide,action=\"cancel\",rawQuery=\"emp\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "asper311.www.corp", + "input.type": "log", + "log.offset": 20872, + "network.application": "ctobeat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.198.142.81", + "10.52.190.18" + ], + "rsa.counters.dclass_c1": 1063, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "inibus", + "rsa.db.index": "emp", + 
"rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "edutpers", + "rsa.misc.group_object": "amei", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 124.881, + "rsa.time.starttime": "2017-09-20T15:57:58.000Z", + "service.type": "imperva", + "source.address": "asper311.www.corp", + "source.ip": [ + "10.198.142.81" + ], + "source.port": 283, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "secte", + "upta", + "ciati" + ] + }, + { + "destination.ip": [ + "10.49.169.175" + ], + "destination.port": 5020, + "event.action": "cancel", + "event.category": "strumex", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=volupta,event#=umfu,createTime=2017-10-04 21:00:32,updateTime=utla,alertSev=low,group=tDuisaut,ruleName=\"dolo\",evntDesc=\"velites\",category=oloremi,disposition=edqui,eventType=strumex,proto=igmp,srcPort=4011,srcIP=10.97.108.108,dstPort=5020,dstIP=10.49.169.175,policyName=\"nostru\",occurrences=4795,httpHost=qui,webMethod=caboN,url=\"https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor\",webQuery=\"sequa\",soapAction=lorum,resultCode=suntexpl,sessionID=iqu,username=iquamqu,addUsername=eumfugia,responseTime=reeufugi,responseSize=sequines,direction=minimve,dbUsername=texplica,queryGroup=entorev,application=\"quuntur\",srcHost=olup3841.mail.invalid,osUsername=idolor,schemaName=onpr,dbName=uira,hdrName=eosqui,action=cancel", + "fileset.name": "securesphere", + "host.hostname": "olup3841.mail.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 21322, + "network.application": "quuntur", + "network.direction": "minimve", + "network.protocol": "igmp", 
+ "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.97.108.108", + "10.49.169.175" + ], + "rsa.counters.event_counter": 4795, + "rsa.db.database": "uira", + "rsa.internal.event_desc": "velites", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "caboN", + "cancel" + ], + "rsa.misc.category": "oloremi", + "rsa.misc.disposition": "edqui", + "rsa.misc.event_type": "strumex", + "rsa.misc.group": "tDuisaut", + "rsa.misc.log_session_id": "iqu", + "rsa.misc.operation_id": "volupta", + "rsa.misc.policy_name": "nostru", + "rsa.misc.result_code": "suntexpl", + "rsa.misc.rule_name": "dolo", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-10-04T23:00:32.000Z", + "rsa.web.alias_host": "qui", + "rule.name": "dolo", + "service.type": "imperva", + "source.address": "olup3841.mail.invalid", + "source.ip": [ + "10.97.108.108" + ], + "source.port": 4011, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor", + "url.query": "sequa", + "user.name": [ + "onpr", + "idolor", + "iquamqu" + ] + }, + { + "destination.ip": [ + "10.65.185.178" + ], + "destination.port": 7750, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.65.185.178,dstPort=7750,dbUsername=tin,srcIP=10.96.216.244,srcPort=3721,creatTime=2017-10-19 04:03:07,srvGroup=etconse,service=nesciu,appName=mali,event#=roinBCSe,eventType=Logout,usrGroup=eetdolor,usrAuth=False,application=\"tpersp\",osUsername=assi,srcHost=rch5094.www.host,dbName=atione,schemaName=tvolup,bindVar=oremeu,sqlError=failure,respSize=5602,respTime=76.644000,affRows=dan,action=\"accept\",rawQuery=\"aeca\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "rch5094.www.host", + "input.type": "log", + 
"log.offset": 22077, + "network.application": "tpersp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.96.216.244", + "10.65.185.178" + ], + "rsa.counters.dclass_c1": 5602, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "atione", + "rsa.db.index": "aeca", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "eetdolor", + "rsa.misc.group_object": "etconse", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 76.644, + "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "service.type": "imperva", + "source.address": "rch5094.www.host", + "source.ip": [ + "10.96.216.244" + ], + "source.port": 3721, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "tvolup", + "assi", + "tin" + ] + }, + { + "destination.ip": [ + "10.223.71.185" + ], + "destination.port": 916, + "event.action": "allow", + "event.category": "deFini", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.223.71.185,dstPort=916,dbUsername=uptateve,srcIP=10.33.181.176,srcPort=2546,creatTime=2017-11-02 11:05:41,srvGroup=ectet,service=ionu,appName=eratv,event#=des,eventType=deFini,usrGroup=alorumwr,usrAuth=liq,application=\"xerc\",osUsername=atisetqu,srcHost=squir7186.internal.example,dbName=vol,schemaName=loremips,bindVar=serro,sqlError=unknown,respSize=3804,respTime=7.607000,affRows=noru,action=\"allow\",rawQuery=\"henderi\"", + "fileset.name": "securesphere", + "host.hostname": "squir7186.internal.example", + "input.type": "log", + "log.offset": 22518, + "network.application": "xerc", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.223.71.185", + "10.33.181.176" + ], + "rsa.counters.dclass_c1": 3804, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "vol", + "rsa.db.index": "henderi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "deFini", + "rsa.misc.group": "alorumwr", + "rsa.misc.group_object": "ectet", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 7.607, + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "service.type": "imperva", + "source.address": "squir7186.internal.example", + "source.ip": [ + "10.33.181.176" + ], + "source.port": 2546, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "uptateve", + "loremips", + "atisetqu" + ] + }, + { + "destination.ip": [ + "10.238.252.246" + ], + "destination.port": 6289, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.238.252.246,dstPort=6289,dbUsername=iamea,srcIP=10.255.179.32,srcPort=5472,creatTime=16 November 2017 18:08:15,srvGroup=tur,service=eFi,appName=uatDuisa,event#=ulapari,eventType=Login,usrGroup=eporroq,usrAuth=False,application=\"uunturm\",osUsername=iatn,srcHost=saquaeab5916.www5.invalid,dbName=rroq,schemaName=olore,bindVar=eratvolu,sqlError=unknown,respSize=5626,respTime=121.916000,affRows=volup,action=\"cancel\",rawQuery=\"ntut\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "saquaeab5916.www5.invalid", + "input.type": "log", + "log.offset": 22965, + "network.application": "uunturm", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.255.179.32", + "10.238.252.246" + ], + "rsa.counters.dclass_c1": 5626, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rroq", + 
"rsa.db.index": "ntut", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "eporroq", + "rsa.misc.group_object": "tur", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 121.916, + "rsa.time.starttime": "2017-11-16T20:08:15.000Z", + "service.type": "imperva", + "source.address": "saquaeab5916.www5.invalid", + "source.ip": [ + "10.255.179.32" + ], + "source.port": 5472, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "olore", + "iamea", + "iatn" + ] + }, + { + "destination.ip": [ + "10.98.52.184" + ], + "destination.port": 7402, + "event.action": "cancel", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.98.52.184,dstPort=7402,dbUsername=umq,srcIP=10.28.124.136,srcPort=1327,creatTime=2017-12-01 01:10:49,srvGroup=olu,service=exerci,appName=isnostru,event#=iad,eventType=Logout,usrGroup=ngelits,usrAuth=True,application=\"volupt\",osUsername=billoi,srcHost=reseo4447.localdomain,dbName=pariat,schemaName=icaboNe,bindVar=boreetd,sqlError=failure,respSize=4298,respTime=59.204000,affRows=lorem,action=\"cancel\",rawQuery=\"totamr\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "reseo4447.localdomain", + "input.type": "log", + "log.offset": 23421, + "network.application": "volupt", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.98.52.184", + "10.28.124.136" + ], + "rsa.counters.dclass_c1": 4298, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "pariat", + "rsa.db.index": "totamr", + "rsa.internal.messageid": "Imperva", + 
"rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ngelits", + "rsa.misc.group_object": "olu", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 59.204, + "rsa.time.starttime": "2017-12-01T03:10:49.000Z", + "service.type": "imperva", + "source.address": "reseo4447.localdomain", + "source.ip": [ + "10.28.124.136" + ], + "source.port": 1327, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "billoi", + "umq", + "icaboNe" + ] + }, + { + "destination.ip": [ + "10.200.162.248" + ], + "destination.port": 1419, + "event.action": "deny", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.162.248,dstPort=1419,dbUsername=lumdol,srcIP=10.92.177.251,srcPort=4990,creatTime=2017-12-15 08:13:24,srvGroup=liq,service=ihil,appName=oremip,event#=fdeFi,eventType=Logout,usrGroup=periam,usrAuth=False,application=\"ccusa\",osUsername=billo,srcHost=doloremi3365.api.lan,dbName=agn,schemaName=cul,bindVar=tate,sqlError=success,respSize=3914,respTime=111.123000,affRows=iatnulap,action=\"deny\",rawQuery=\"idents\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "doloremi3365.api.lan", + "input.type": "log", + "log.offset": 23867, + "network.application": "ccusa", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.92.177.251", + "10.200.162.248" + ], + "rsa.counters.dclass_c1": 3914, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "agn", + "rsa.db.index": "idents", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": 
"Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "periam", + "rsa.misc.group_object": "liq", + "rsa.misc.result": "success", + "rsa.time.duration_time": 111.123, + "rsa.time.starttime": "2017-12-15T10:13:24.000Z", + "service.type": "imperva", + "source.address": "doloremi3365.api.lan", + "source.ip": [ + "10.92.177.251" + ], + "source.port": 4990, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "billo", + "lumdol", + "cul" + ] + }, + { + "destination.ip": [ + "10.103.215.159" + ], + "destination.port": 1265, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.103.215.159,dstPort=1265,dbUsername=ueporr,srcIP=10.88.60.147,srcPort=4608,creatTime=29 December 2017 15:15:58,srvGroup=rem,service=onorumet,appName=iscivel,event#=rinci,eventType=Login,usrGroup=eacomm,usrAuth=False,application=\"aboNem\",osUsername=mull,srcHost=ent6907.mail.invalid,dbName=datatn,schemaName=seq,bindVar=mquis,sqlError=failure,respSize=392,respTime=80.092000,affRows=sis,action=\"cancel\",rawQuery=\"tat\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "ent6907.mail.invalid", + "input.type": "log", + "log.offset": 24305, + "network.application": "aboNem", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.103.215.159", + "10.88.60.147" + ], + "rsa.counters.dclass_c1": 392, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "datatn", + "rsa.db.index": "tat", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "eacomm", + "rsa.misc.group_object": "rem", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 80.092, + "service.type": "imperva", + "source.address": "ent6907.mail.invalid", + "source.ip": [ + "10.88.60.147" + ], + "source.port": 4608, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "seq", + "mull", + "ueporr" + ] + }, + { + "destination.ip": [ + "10.93.246.218" + ], + "destination.port": 4628, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.93.246.218,dstPort=4628,dbUsername=mtot,srcIP=10.229.190.11,srcPort=2164,creatTime=2018-01-12 22:18:32,srvGroup=eursi,service=liquid,appName=ulapari,event#=ibus,eventType=Logout,usrGroup=isu,usrAuth=False,application=\"moll\",osUsername=roinBCS,srcHost=odit426.internal.corp,dbName=aloru,schemaName=cteturad,bindVar=modi,sqlError=failure,respSize=1929,respTime=38.172000,affRows=ntoccae,action=\"accept\",rawQuery=\"edut\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "odit426.internal.corp", + "input.type": "log", + "log.offset": 24748, + "network.application": "moll", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.229.190.11", + "10.93.246.218" + ], + "rsa.counters.dclass_c1": 1929, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "aloru", + "rsa.db.index": "edut", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "isu", + 
"rsa.misc.group_object": "eursi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 38.172, + "rsa.time.starttime": "2018-01-13T00:18:32.000Z", + "service.type": "imperva", + "source.address": "odit426.internal.corp", + "source.ip": [ + "10.229.190.11" + ], + "source.port": 2164, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "roinBCS", + "cteturad", + "mtot" + ] + }, + { + "destination.ip": [ + "10.89.16.162" + ], + "destination.port": 3056, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.89.16.162,dstPort=3056,dbUsername=taevitae,srcIP=10.178.183.11,srcPort=4665,creatTime=27 January 2018 05:21:06,srvGroup=saute,service=umdol,appName=rerepr,event#=ipiscin,eventType=Login,usrGroup=trudexe,usrAuth=True,application=\"qua\",osUsername=modit,srcHost=tatione5638.home,dbName=riat,schemaName=atvol,bindVar=emipsum,sqlError=failure,respSize=1449,respTime=82.202000,affRows=quiado,action=\"cancel\",rawQuery=\"mipsa\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "tatione5638.home", + "input.type": "log", + "log.offset": 25191, + "network.application": "qua", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.178.183.11", + "10.89.16.162" + ], + "rsa.counters.dclass_c1": 1449, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "riat", + "rsa.db.index": "mipsa", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "trudexe", + "rsa.misc.group_object": "saute", + "rsa.misc.result": "failure", + 
"rsa.time.duration_time": 82.202, + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", + "service.type": "imperva", + "source.address": "tatione5638.home", + "source.ip": [ + "10.178.183.11" + ], + "source.port": 4665, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "atvol", + "taevitae", + "modit" + ] + }, + { + "destination.ip": [ + "10.67.129.100" + ], + "destination.port": 1961, + "event.action": "deny", + "event.category": "remque", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tinv,event#=Utenima,createTime=2018-02-10 12:23:41,updateTime=nse,alertSev=high,group=uradip,ruleName=\"nesci\",evntDesc=\"meaquei\",category=snisiu,disposition=atem,eventType=remque,proto=ggp,srcPort=3525,srcIP=10.244.73.167,dstPort=1961,dstIP=10.67.129.100,policyName=\"lorem\",occurrences=2592,httpHost=eosquir,webMethod=tqu,url=\"https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat\",webQuery=\"mvol\",soapAction=asiar,resultCode=eiu,sessionID=maliquam,username=gnama,addUsername=ursintoc,responseTime=minimve,responseSize=eprehe,direction=lillumqu,dbUsername=tamet,queryGroup=ate,application=\"epteur\",srcHost=onproi4354.www5.invalid,osUsername=sunte,schemaName=exerc,dbName=tasu,hdrName=sci,action=\"deny\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "host.hostname": "onproi4354.www5.invalid", + "input.type": "log", + "log.level": "high", + "log.offset": 25636, + "network.application": "epteur", + "network.direction": "lillumqu", + "network.protocol": "ggp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.244.73.167", + "10.67.129.100" + ], + "rsa.counters.event_counter": 2592, + "rsa.db.database": "tasu", + "rsa.internal.event_desc": "meaquei", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "tqu", + "deny" + ], + "rsa.misc.category": "snisiu", + 
"rsa.misc.disposition": "atem", + "rsa.misc.event_type": "remque", + "rsa.misc.group": "uradip", + "rsa.misc.log_session_id": "maliquam", + "rsa.misc.operation_id": "tinv", + "rsa.misc.policy_name": "lorem", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eiu", + "rsa.misc.rule_name": "nesci", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2018-02-10T14:23:41.000Z", + "rsa.web.alias_host": "eosquir", + "rule.name": "nesci", + "service.type": "imperva", + "source.address": "onproi4354.www5.invalid", + "source.ip": [ + "10.244.73.167" + ], + "source.port": 3525, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat", + "url.query": "mvol", + "user.name": [ + "sunte", + "exerc", + "gnama" + ] + }, + { + "destination.ip": [ + "10.20.158.236" + ], + "destination.port": 4443, + "event.action": "deny", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.20.158.236,dstPort=4443,dbUsername=dantium,srcIP=10.52.221.103,srcPort=3962,creatTime=24 February 2018 19:26:15,srvGroup=magnido,service=mcolab,appName=mfugia,event#=eacomm,eventType=Login,usrGroup=orr,usrAuth=True,application=\"pre\",osUsername=aute,srcHost=rchite7405.api.local,dbName=rors,schemaName=oinve,bindVar=ptasnul,sqlError=unknown,respSize=6386,respTime=108.472000,affRows=tvol,action=\"deny\",rawQuery=\"redolo\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "rchite7405.api.local", + "input.type": "log", + "log.offset": 26392, + "network.application": "pre", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.52.221.103", + "10.20.158.236" + ], + "rsa.counters.dclass_c1": 6386, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rors", + "rsa.db.index": "redolo", + 
"rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "orr", + "rsa.misc.group_object": "magnido", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 108.472, + "rsa.time.starttime": "2018-02-24T21:26:15.000Z", + "service.type": "imperva", + "source.address": "rchite7405.api.local", + "source.ip": [ + "10.52.221.103" + ], + "source.port": 3962, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "oinve", + "aute", + "dantium" + ] + }, + { + "destination.ip": [ + "10.250.231.196" + ], + "destination.port": 5863, + "event.action": "block", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.250.231.196,dstPort=5863,dbUsername=olup,srcIP=10.199.46.88,srcPort=6342,creatTime=2018-03-11 02:28:49,srvGroup=snulap,service=onsequat,appName=tiumd,event#=atuse,eventType=Logout,usrGroup=imad,usrAuth=False,application=\"tura\",osUsername=equuntur,srcHost=rve472.www.localhost,dbName=xer,schemaName=utlabore,bindVar=nulapari,sqlError=unknown,respSize=2867,respTime=54.004000,affRows=eruntmol,action=\"block\",rawQuery=\"imaven\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "rve472.www.localhost", + "input.type": "log", + "log.offset": 26837, + "network.application": "tura", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.250.231.196", + "10.199.46.88" + ], + "rsa.counters.dclass_c1": 2867, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "xer", + "rsa.db.index": "imaven", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": 
"Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "imad", + "rsa.misc.group_object": "snulap", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 54.004, + "rsa.time.starttime": "2018-03-11T04:28:49.000Z", + "service.type": "imperva", + "source.address": "rve472.www.localhost", + "source.ip": [ + "10.199.46.88" + ], + "source.port": 6342, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "utlabore", + "olup", + "equuntur" + ] + }, + { + "destination.ip": [ + "10.41.44.94" + ], + "destination.port": 702, + "event.action": "block", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.41.44.94,dstPort=702,dbUsername=nim,srcIP=10.49.122.64,srcPort=2285,creatTime=2018-03-25 09:31:24,srvGroup=rit,service=unturma,appName=iavol,event#=psumdol,eventType=Logout,usrGroup=urautodi,usrAuth=True,application=\"equamni\",osUsername=fugia,srcHost=uptate5787.api.local,dbName=umq,schemaName=suntincu,bindVar=imidest,sqlError=unknown,respSize=1508,respTime=136.809000,affRows=nof,action=\"block\",rawQuery=\"iavol\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "uptate5787.api.local", + "input.type": "log", + "log.offset": 27287, + "network.application": "equamni", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.41.44.94", + "10.49.122.64" + ], + "rsa.counters.dclass_c1": 1508, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "umq", + "rsa.db.index": "iavol", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "urautodi", + "rsa.misc.group_object": "rit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 136.809, + "rsa.time.starttime": "2018-03-25T11:31:24.000Z", + "service.type": "imperva", + "source.address": "uptate5787.api.local", + "source.ip": [ + "10.49.122.64" + ], + "source.port": 2285, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "suntincu", + "nim", + "fugia" + ] + }, + { + "destination.ip": [ + "10.101.60.188" + ], + "destination.port": 5558, + "event.action": "accept", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.101.60.188,dstPort=5558,dbUsername=uptatem,srcIP=10.186.129.34,srcPort=89,creatTime=8 April 2018 16:33:58,srvGroup=roiden,service=eacommod,appName=tali,event#=roinBCSe,eventType=Login,usrGroup=emagnaal,usrAuth=True,application=\"isauteir\",osUsername=eritquii,srcHost=atevelit325.www.local,dbName=ionula,schemaName=itaed,bindVar=invol,sqlError=unknown,respSize=944,respTime=75.182000,affRows=tdolore,action=\"accept\",rawQuery=\"nimadmi\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "atevelit325.www.local", + "input.type": "log", + "log.offset": 27727, + "network.application": "isauteir", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.186.129.34", + "10.101.60.188" + ], + "rsa.counters.dclass_c1": 944, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ionula", + "rsa.db.index": "nimadmi", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "emagnaal", + "rsa.misc.group_object": "roiden", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 75.182, + "rsa.time.starttime": "2018-04-08T18:33:58.000Z", + "service.type": "imperva", + "source.address": "atevelit325.www.local", + "source.ip": [ + "10.186.129.34" + ], + "source.port": 89, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "eritquii", + "uptatem", + "itaed" + ] + }, + { + "destination.ip": [ + "10.184.199.84" + ], + "destination.port": 2057, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.184.199.84,dstPort=2057,dbUsername=cid,srcIP=10.138.191.99,srcPort=5362,creatTime=22 April 2018 23:36:32,srvGroup=amal,service=gni,appName=luptat,event#=ehend,eventType=Login,usrGroup=involupt,usrAuth=False,application=\"itempo\",osUsername=upt,srcHost=rve426.api.test,dbName=onevo,schemaName=ationem,bindVar=Nem,sqlError=unknown,respSize=3291,respTime=80.991000,affRows=dipisci,action=\"block\",rawQuery=\"modit\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "rve426.api.test", + "input.type": "log", + "log.offset": 28186, + "network.application": "itempo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.184.199.84", + "10.138.191.99" + ], + "rsa.counters.dclass_c1": 3291, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "onevo", + "rsa.db.index": "modit", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + 
"rsa.misc.event_type": "Login", + "rsa.misc.group": "involupt", + "rsa.misc.group_object": "amal", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 80.991, + "rsa.time.starttime": "2018-04-23T01:36:32.000Z", + "service.type": "imperva", + "source.address": "rve426.api.test", + "source.ip": [ + "10.138.191.99" + ], + "source.port": 5362, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "upt", + "ationem", + "cid" + ] + }, + { + "destination.ip": [ + "10.40.12.51" + ], + "destination.port": 5633, + "event.action": "cancel", + "event.category": "preh", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tationem,event#=urere,createTime=2018-05-07 06:39:06,updateTime=tinvo,alertSev=medium,group=tquid,ruleName=\"giatquo\",evntDesc=\"iatisun\",category=cto,disposition=orumSect,eventType=preh,proto=icmp,srcPort=3791,srcIP=10.27.120.57,dstPort=5633,dstIP=10.40.12.51,policyName=\"ute\",occurrences=1576,httpHost=sed,webMethod=uep,url=\"https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco\",webQuery=\"empor\",soapAction=mvele,resultCode=teveli,sessionID=utperspi,username=remeum,addUsername=temseq,responseTime=orin,responseSize=dexea,direction=sedquia,dbUsername=litesse,queryGroup=ntmo,application=\"aliqu\",srcHost=iqu4429.www5.lan,osUsername=doconse,schemaName=volupta,dbName=ptat,hdrName=oreverit,action=\"cancel\",errormsg=\"success\"", + "fileset.name": "securesphere", + "host.hostname": "iqu4429.www5.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 28621, + "network.application": "aliqu", + "network.direction": "sedquia", + "network.protocol": "icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.27.120.57", + "10.40.12.51" + ], + "rsa.counters.event_counter": 1576, + "rsa.db.database": "ptat", + "rsa.internal.event_desc": "iatisun", + 
"rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "uep" + ], + "rsa.misc.category": "cto", + "rsa.misc.disposition": "orumSect", + "rsa.misc.event_type": "preh", + "rsa.misc.group": "tquid", + "rsa.misc.log_session_id": "utperspi", + "rsa.misc.operation_id": "tationem", + "rsa.misc.policy_name": "ute", + "rsa.misc.result": "success", + "rsa.misc.result_code": "teveli", + "rsa.misc.rule_name": "giatquo", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-05-07T08:39:06.000Z", + "rsa.web.alias_host": "sed", + "rule.name": "giatquo", + "service.type": "imperva", + "source.address": "iqu4429.www5.lan", + "source.ip": [ + "10.27.120.57" + ], + "source.port": 3791, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco", + "url.query": "empor", + "user.name": [ + "volupta", + "doconse", + "remeum" + ] + }, + { + "destination.ip": [ + "10.86.147.37" + ], + "destination.port": 6845, + "event.action": "allow", + "event.category": "epteu", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=urQuisa,event#=ipi,createTime=2018-05-21 13:41:41,updateTime=xcepte,alertSev=low,group=onula,ruleName=\"ostru\",evntDesc=\"por\",category=stiae,disposition=icta,eventType=epteu,proto=tcp,srcPort=2191,srcIP=10.106.63.42,dstPort=6845,dstIP=10.86.147.37,policyName=\"tDui\",occurrences=2211,httpHost=etco,webMethod=mip,url=\"https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu\",webQuery=\"rrorsi\",soapAction=ole,resultCode=odi,sessionID=tper,username=olor,addUsername=corpo,responseTime=commod,responseSize=iumd,direction=ntore,dbUsername=tect,queryGroup=ion,application=\"tutl\",srcHost=niam7512.www5.localhost,osUsername=aeca,schemaName=ugitse,dbName=ameiu,hdrName=utei,action=\"allow\",errormsg=\"success\"", + "fileset.name": "securesphere", + "host.hostname": 
"niam7512.www5.localhost", + "input.type": "log", + "log.level": "low", + "log.offset": 29382, + "network.application": "tutl", + "network.direction": "ntore", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.86.147.37", + "10.106.63.42" + ], + "rsa.counters.event_counter": 2211, + "rsa.db.database": "ameiu", + "rsa.internal.event_desc": "por", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "mip", + "allow" + ], + "rsa.misc.category": "stiae", + "rsa.misc.disposition": "icta", + "rsa.misc.event_type": "epteu", + "rsa.misc.group": "onula", + "rsa.misc.log_session_id": "tper", + "rsa.misc.operation_id": "urQuisa", + "rsa.misc.policy_name": "tDui", + "rsa.misc.result": "success", + "rsa.misc.result_code": "odi", + "rsa.misc.rule_name": "ostru", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2018-05-21T15:41:41.000Z", + "rsa.web.alias_host": "etco", + "rule.name": "ostru", + "service.type": "imperva", + "source.address": "niam7512.www5.localhost", + "source.ip": [ + "10.106.63.42" + ], + "source.port": 2191, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu", + "url.query": "rrorsi", + "user.name": [ + "olor", + "ugitse", + "aeca" + ] + }, + { + "destination.ip": [ + "10.110.240.8" + ], + "destination.port": 6650, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.110.240.8,dstPort=6650,dbUsername=tam,srcIP=10.112.132.76,srcPort=1314,creatTime=4 June 2018 
20:44:15,srvGroup=Neq,service=rcita,appName=eeufugia,event#=evolupt,eventType=Login,usrGroup=pre,usrAuth=True,application=\"tiumtot\",osUsername=ulamcola,srcHost=epr3512.internal.domain,dbName=enbyCice,schemaName=equun,bindVar=veli,sqlError=unknown,respSize=5784,respTime=115.111000,affRows=iadeseru,action=\"cancel\",rawQuery=\"olorsita\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "epr3512.internal.domain", + "input.type": "log", + "log.offset": 30108, + "network.application": "tiumtot", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.112.132.76", + "10.110.240.8" + ], + "rsa.counters.dclass_c1": 5784, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enbyCice", + "rsa.db.index": "olorsita", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "pre", + "rsa.misc.group_object": "Neq", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 115.111, + "rsa.time.starttime": "2018-06-04T22:44:15.000Z", + "service.type": "imperva", + "source.address": "epr3512.internal.domain", + "source.ip": [ + "10.112.132.76" + ], + "source.port": 1314, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "ulamcola", + "tam", + "equun" + ] + }, + { + "destination.ip": [ + "10.76.222.159" + ], + "destination.port": 403, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.76.222.159,dstPort=403,dbUsername=natuser,srcIP=10.7.141.213,srcPort=7283,creatTime=2018-06-19 
03:46:49,srvGroup=tati,service=orinc,appName=teursi,event#=pariatur,eventType=Logout,usrGroup=iofficia,usrAuth=True,application=\"ira\",osUsername=niamq,srcHost=quatD260.internal.test,dbName=ionulam,schemaName=labor,bindVar=Sec,sqlError=unknown,respSize=5670,respTime=85.913000,affRows=tquov,action=\"accept\",rawQuery=\"pta\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "quatD260.internal.test", + "input.type": "log", + "log.offset": 30561, + "network.application": "ira", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.7.141.213", + "10.76.222.159" + ], + "rsa.counters.dclass_c1": 5670, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ionulam", + "rsa.db.index": "pta", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "iofficia", + "rsa.misc.group_object": "tati", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 85.913, + "rsa.time.starttime": "2018-06-19T05:46:49.000Z", + "service.type": "imperva", + "source.address": "quatD260.internal.test", + "source.ip": [ + "10.7.141.213" + ], + "source.port": 7283, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "labor", + "niamq", + "natuser" + ] + }, + { + "destination.ip": [ + "10.246.196.160" + ], + "destination.port": 894, + "event.action": "allow", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.246.196.160,dstPort=894,dbUsername=equ,srcIP=10.170.90.90,srcPort=2541,creatTime=2018-07-03 
10:49:23,srvGroup=eFinib,service=atione,appName=xcepte,event#=gnaa,eventType=Logout,usrGroup=tio,usrAuth=True,application=\"qui\",osUsername=epteurs,srcHost=did6471.internal.localdomain,dbName=tMalo,schemaName=urautod,bindVar=eveli,sqlError=unknown,respSize=4933,respTime=136.206000,affRows=nonproi,action=\"allow\",rawQuery=\"quaturve\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "did6471.internal.localdomain", + "input.type": "log", + "log.offset": 31003, + "network.application": "qui", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.246.196.160", + "10.170.90.90" + ], + "rsa.counters.dclass_c1": 4933, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tMalo", + "rsa.db.index": "quaturve", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "tio", + "rsa.misc.group_object": "eFinib", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 136.206, + "rsa.time.starttime": "2018-07-03T12:49:23.000Z", + "service.type": "imperva", + "source.address": "did6471.internal.localdomain", + "source.ip": [ + "10.170.90.90" + ], + "source.port": 2541, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "urautod", + "equ", + "epteurs" + ] + }, + { + "event.category": "veniam", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=officiad,createTime=2018-07-17 17:51:58,eventType=veniam,eventSev=very-high,username=entoreve,subsystem=ion,message=\"exeaco\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31453, + 
"observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "exeaco", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "veniam", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-07-17T19:51:58.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "entoreve" + ] + }, + { + "destination.ip": [ + "10.209.129.155" + ], + "destination.port": 769, + "event.action": "block", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.209.129.155,dstPort=769,dbUsername=mdolore,srcIP=10.128.118.157,srcPort=4004,creatTime=2018-08-01 00:54:32,srvGroup=odite,service=atn,appName=sectet,event#=boreetd,eventType=Logout,usrGroup=ueporro,usrAuth=True,application=\"cto\",osUsername=essequa,srcHost=gnidolor1901.test,dbName=quian,schemaName=xerci,bindVar=qua,sqlError=success,respSize=2931,respTime=66.399000,affRows=itten,action=\"block\",rawQuery=\"abo\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "gnidolor1901.test", + "input.type": "log", + "log.offset": 31602, + "network.application": "cto", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.209.129.155", + "10.128.118.157" + ], + "rsa.counters.dclass_c1": 2931, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quian", + "rsa.db.index": "abo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ueporro", + "rsa.misc.group_object": "odite", + "rsa.misc.result": "success", + 
"rsa.time.duration_time": 66.399, + "rsa.time.starttime": "2018-08-01T02:54:32.000Z", + "service.type": "imperva", + "source.address": "gnidolor1901.test", + "source.ip": [ + "10.128.118.157" + ], + "source.port": 4004, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "xerci", + "mdolore", + "essequa" + ] + }, + { + "destination.ip": [ + "10.219.218.23" + ], + "destination.port": 2855, + "event.action": "deny", + "event.category": "nsequatD", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=uradipi,event#=erita,createTime=2018-08-15 07:57:06,updateTime=eursint,alertSev=high,group=illoinve,ruleName=\"uis\",evntDesc=\"itanimi\",category=rinc,disposition=isistena,eventType=nsequatD,proto=rdp,srcPort=1864,srcIP=10.21.69.33,dstPort=2855,dstIP=10.219.218.23,policyName=\"entore\",occurrences=2428,httpHost=magnidol,webMethod=meumfug,url=\"https://www.example.org/uatu/gel.gif?itsed=mvolu#agn\",webQuery=\"eritinvo\",soapAction=aliq,resultCode=dest,sessionID=uisautei,username=labor,addUsername=ihilmol,responseTime=scinge,responseSize=lum,direction=iinea,dbUsername=xercit,queryGroup=reh,application=\"velitess\",srcHost=colab553.api.localdomain,osUsername=orumS,schemaName=tesseq,dbName=exeacomm,hdrName=uptat,action=\"deny\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "host.hostname": "colab553.api.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 32038, + "network.application": "velitess", + "network.direction": "iinea", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.219.218.23", + "10.21.69.33" + ], + "rsa.counters.event_counter": 2428, + "rsa.db.database": "exeacomm", + "rsa.internal.event_desc": "itanimi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "meumfug", + "deny" + ], + "rsa.misc.category": 
"rinc", + "rsa.misc.disposition": "isistena", + "rsa.misc.event_type": "nsequatD", + "rsa.misc.group": "illoinve", + "rsa.misc.log_session_id": "uisautei", + "rsa.misc.operation_id": "uradipi", + "rsa.misc.policy_name": "entore", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "dest", + "rsa.misc.rule_name": "uis", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2018-08-15T09:57:06.000Z", + "rsa.web.alias_host": "magnidol", + "rule.name": "uis", + "service.type": "imperva", + "source.address": "colab553.api.localdomain", + "source.ip": [ + "10.21.69.33" + ], + "source.port": 1864, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www.example.org/uatu/gel.gif?itsed=mvolu#agn", + "url.query": "eritinvo", + "user.name": [ + "orumS", + "tesseq", + "labor" + ] + }, + { + "destination.ip": [ + "10.209.39.25" + ], + "destination.port": 3954, + "event.action": "block", + "event.category": "ius", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.209.39.25,dstPort=3954,dbUsername=tion,srcIP=10.67.163.107,srcPort=1312,creatTime=2018-08-29 14:59:40,srvGroup=tiumtot,service=ctio,appName=imadm,event#=ugiat,eventType=ius,usrGroup=msequ,usrAuth=ciatisun,application=\"Ute\",osUsername=eddoe,srcHost=seq3852.www5.localdomain,dbName=uasi,schemaName=quaeabi,bindVar=sequ,sqlError=failure,respSize=3469,respTime=69.015000,affRows=essecill,action=\"block\",rawQuery=\"uovolup\"", + "fileset.name": "securesphere", + "host.hostname": "seq3852.www5.localdomain", + "input.type": "log", + "log.offset": 32802, + "network.application": "Ute", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.209.39.25", + "10.67.163.107" + ], + "rsa.counters.dclass_c1": 3469, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uasi", + "rsa.db.index": "uovolup", + 
"rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "ius", + "rsa.misc.group": "msequ", + "rsa.misc.group_object": "tiumtot", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 69.015, + "rsa.time.starttime": "2018-08-29T16:59:40.000Z", + "service.type": "imperva", + "source.address": "seq3852.www5.localdomain", + "source.ip": [ + "10.67.163.107" + ], + "source.port": 1312, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "quaeabi", + "tion", + "eddoe" + ] + }, + { + "destination.ip": [ + "10.61.247.113" + ], + "destination.port": 599, + "event.action": "cancel", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.61.247.113,dstPort=599,dbUsername=tur,srcIP=10.120.66.172,srcPort=984,creatTime=2018-09-12 22:02:15,srvGroup=aven,service=Sedut,appName=stiaec,event#=rveli,eventType=Logout,usrGroup=serr,usrAuth=True,application=\"umdolo\",osUsername=iduntut,srcHost=admini511.www5.local,dbName=cididun,schemaName=iamqu,bindVar=ommodoc,sqlError=unknown,respSize=2218,respTime=179.909000,affRows=uisaut,action=\"cancel\",rawQuery=\"onse\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "admini511.www5.local", + "input.type": "log", + "log.offset": 33246, + "network.application": "umdolo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.61.247.113", + "10.120.66.172" + ], + "rsa.counters.dclass_c1": 2218, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "cididun", + "rsa.db.index": "onse", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + 
"rsa.misc.event_type": "Logout", + "rsa.misc.group": "serr", + "rsa.misc.group_object": "aven", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 179.909, + "rsa.time.starttime": "2018-09-13T00:02:15.000Z", + "service.type": "imperva", + "source.address": "admini511.www5.local", + "source.ip": [ + "10.120.66.172" + ], + "source.port": 984, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "tur", + "iduntut", + "iamqu" + ] + }, + { + "destination.ip": [ + "10.206.65.159" + ], + "destination.port": 6326, + "event.action": "deny", + "event.category": "oluptass", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=orinrepr,event#=tinvo,createTime=2018-09-27 05:04:49,updateTime=oru,alertSev=medium,group=stena,ruleName=\"tquid\",evntDesc=\"liquaUt\",category=tdolorem,disposition=umdolo,eventType=oluptass,proto=udp,srcPort=5328,srcIP=10.31.56.237,dstPort=6326,dstIP=10.206.65.159,policyName=\"fdeFini\",occurrences=1295,httpHost=eetdolo,webMethod=issuscip,url=\"https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati\",webQuery=\"lapa\",soapAction=enia,resultCode=atis,sessionID=edol,username=cit,addUsername=adip,responseTime=ugiatq,responseSize=mnisiuta,direction=nrepre,dbUsername=eumfu,queryGroup=remap,application=\"ecatcup\",srcHost=olup2082.localhost,osUsername=atem,schemaName=amcorpor,dbName=oloremeu,hdrName=mquisn,action=deny", + "fileset.name": "securesphere", + "host.hostname": "olup2082.localhost", + "input.type": "log", + "log.level": "medium", + "log.offset": 33687, + "network.application": "ecatcup", + "network.direction": "nrepre", + "network.protocol": "udp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.31.56.237", + "10.206.65.159" + ], + "rsa.counters.event_counter": 1295, + "rsa.db.database": "oloremeu", + "rsa.internal.event_desc": "liquaUt", + 
"rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "issuscip", + "deny" + ], + "rsa.misc.category": "tdolorem", + "rsa.misc.disposition": "umdolo", + "rsa.misc.event_type": "oluptass", + "rsa.misc.group": "stena", + "rsa.misc.log_session_id": "edol", + "rsa.misc.operation_id": "orinrepr", + "rsa.misc.policy_name": "fdeFini", + "rsa.misc.result_code": "atis", + "rsa.misc.rule_name": "tquid", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-09-27T07:04:49.000Z", + "rsa.web.alias_host": "eetdolo", + "rule.name": "tquid", + "service.type": "imperva", + "source.address": "olup2082.localhost", + "source.ip": [ + "10.31.56.237" + ], + "source.port": 5328, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati", + "url.query": "lapa", + "user.name": [ + "cit", + "amcorpor", + "atem" + ] + }, + { + "event.category": "iades", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=eruntm,createTime=2018-10-11 12:07:23,eventType=iades,eventSev=high,username=inculpa,subsystem=vita,message=\"onorum\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "high", + "log.offset": 34434, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "onorum", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "iades", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2018-10-11T14:07:23.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "inculpa" + ] + }, + { + "destination.ip": [ + "10.108.76.145" + ], + "destination.port": 4698, + "event.action": "allow", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": 
"%IMPERVA-Imperva,dstIP=10.108.76.145,dstPort=4698,dbUsername=trumexer,srcIP=10.147.56.184,srcPort=672,creatTime=25 October 2018 19:09:57,srvGroup=emoenim,service=oqui,appName=olab,event#=remagnam,eventType=Login,usrGroup=neavolu,usrAuth=False,application=\"adipi\",osUsername=idid,srcHost=ela5007.www.lan,dbName=lore,schemaName=uisautem,bindVar=olorsi,sqlError=unknown,respSize=1294,respTime=149.161000,affRows=iamq,action=\"allow\",rawQuery=\"tiumt\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "ela5007.www.lan", + "input.type": "log", + "log.offset": 34575, + "network.application": "adipi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.108.76.145", + "10.147.56.184" + ], + "rsa.counters.dclass_c1": 1294, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lore", + "rsa.db.index": "tiumt", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "neavolu", + "rsa.misc.group_object": "emoenim", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 149.161, + "rsa.time.starttime": "2018-10-25T21:09:57.000Z", + "service.type": "imperva", + "source.address": "ela5007.www.lan", + "source.ip": [ + "10.147.56.184" + ], + "source.port": 672, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "trumexer", + "uisautem", + "idid" + ] + }, + { + "destination.ip": [ + "10.193.58.50" + ], + "destination.port": 5693, + "event.action": "cancel", + "event.category": "oloremeu", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=expl,event#=animi,createTime=2018-11-09 
02:12:32,updateTime=mdoloree,alertSev=medium,group=Loremips,ruleName=\"taliqui\",evntDesc=\"doloremi\",category=uisno,disposition=atevel,eventType=oloremeu,proto=rdp,srcPort=4601,srcIP=10.28.248.90,dstPort=5693,dstIP=10.193.58.50,policyName=\"sedquian\",occurrences=4385,httpHost=secillum,webMethod=sequatD,url=\"https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti\",webQuery=\"ipsum\",soapAction=com,resultCode=uptate,sessionID=tevelite,username=cto,addUsername=borisn,responseTime=assitasp,responseSize=nima,direction=abore,dbUsername=tur,queryGroup=tlaboru,application=\"erun\",srcHost=mquid2987.host,osUsername=totamrem,schemaName=eaqu,dbName=itani,hdrName=mni,action=cancel", + "fileset.name": "securesphere", + "host.hostname": "mquid2987.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 35021, + "network.application": "erun", + "network.direction": "abore", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.193.58.50", + "10.28.248.90" + ], + "rsa.counters.event_counter": 4385, + "rsa.db.database": "itani", + "rsa.internal.event_desc": "doloremi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "sequatD", + "cancel" + ], + "rsa.misc.category": "uisno", + "rsa.misc.disposition": "atevel", + "rsa.misc.event_type": "oloremeu", + "rsa.misc.group": "Loremips", + "rsa.misc.log_session_id": "tevelite", + "rsa.misc.operation_id": "expl", + "rsa.misc.policy_name": "sedquian", + "rsa.misc.result_code": "uptate", + "rsa.misc.rule_name": "taliqui", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-11-09T04:12:32.000Z", + "rsa.web.alias_host": "secillum", + "rule.name": "taliqui", + "service.type": "imperva", + "source.address": "mquid2987.host", + "source.ip": [ + "10.28.248.90" + ], + "source.port": 4601, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": 
"https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti", + "url.query": "ipsum", + "user.name": [ + "cto", + "totamrem", + "eaqu" + ] + }, + { + "destination.ip": [ + "10.84.3.244" + ], + "destination.port": 3154, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.84.3.244,dstPort=3154,dbUsername=olest,srcIP=10.211.242.138,srcPort=6661,creatTime=23 November 2018 09:15:06,srvGroup=ola,service=tla,appName=nimve,event#=edutpe,eventType=Login,usrGroup=tenb,usrAuth=True,application=\"billoinv\",osUsername=asia,srcHost=rsitam4260.api.home,dbName=iumto,schemaName=ciun,bindVar=prehe,sqlError=unknown,respSize=545,respTime=157.352000,affRows=nemul,action=\"block\",rawQuery=\"nsequa\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "rsitam4260.api.home", + "input.type": "log", + "log.offset": 35759, + "network.application": "billoinv", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.211.242.138", + "10.84.3.244" + ], + "rsa.counters.dclass_c1": 545, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "iumto", + "rsa.db.index": "nsequa", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tenb", + "rsa.misc.group_object": "ola", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 157.352, + "rsa.time.starttime": "2018-11-23T11:15:06.000Z", + "service.type": "imperva", + "source.address": "rsitam4260.api.home", + "source.ip": [ + "10.211.242.138" + ], + "source.port": 6661, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + 
"user.name": [ + "asia", + "ciun", + "olest" + ] + }, + { + "event.category": "quidolo", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=evolu,createTime=2018-12-07 16:17:40,eventType=quidolo,eventSev=medium,username=destlabo,subsystem=fficia,message=\"utaliqui\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "medium", + "log.offset": 36197, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "utaliqui", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "quidolo", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-12-07T18:17:40.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "destlabo" + ] + }, + { + "destination.ip": [ + "10.121.189.113" + ], + "destination.port": 5635, + "event.action": "accept", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.121.189.113,dstPort=5635,dbUsername=lapa,srcIP=10.13.86.14,srcPort=798,creatTime=21 December 2018 23:20:14,srvGroup=isiutali,service=upidatat,appName=non,event#=Sed,eventType=Login,usrGroup=commod,usrAuth=True,application=\"equ\",osUsername=turvelil,srcHost=lor5252.host,dbName=unt,schemaName=volu,bindVar=iineavo,sqlError=failure,respSize=7284,respTime=172.281000,affRows=tenbyC,action=\"accept\",rawQuery=\"itquii\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "lor5252.host", + "input.type": "log", + "log.offset": 36346, + "network.application": "equ", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.13.86.14", + "10.121.189.113" + ], + "rsa.counters.dclass_c1": 7284, + "rsa.counters.dclass_c1_str": "Affected Rows", + 
"rsa.db.database": "unt", + "rsa.db.index": "itquii", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "commod", + "rsa.misc.group_object": "isiutali", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 172.281, + "service.type": "imperva", + "source.address": "lor5252.host", + "source.ip": [ + "10.13.86.14" + ], + "source.port": 798, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "volu", + "turvelil", + "lapa" + ] + }, + { + "destination.ip": [ + "10.32.220.188" + ], + "destination.port": 2394, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.32.220.188,dstPort=2394,dbUsername=ectob,srcIP=10.50.195.220,srcPort=1255,creatTime=2019-01-05 06:22:49,srvGroup=orro,service=quepo,appName=tDuisa,event#=iscive,eventType=Logout,usrGroup=prehende,usrAuth=True,application=\"volup\",osUsername=nimi,srcHost=niamqu3513.api.example,dbName=seddoeiu,schemaName=lorinrep,bindVar=isq,sqlError=failure,respSize=2636,respTime=44.636000,affRows=ione,action=\"accept\",rawQuery=\"abor\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "niamqu3513.api.example", + "input.type": "log", + "log.offset": 36784, + "network.application": "volup", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.32.220.188", + "10.50.195.220" + ], + "rsa.counters.dclass_c1": 2636, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "seddoeiu", + "rsa.db.index": "abor", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": 
"Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "prehende", + "rsa.misc.group_object": "orro", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 44.636, + "rsa.time.starttime": "2019-01-05T08:22:49.000Z", + "service.type": "imperva", + "source.address": "niamqu3513.api.example", + "source.ip": [ + "10.50.195.220" + ], + "source.port": 1255, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "lorinrep", + "ectob", + "nimi" + ] + }, + { + "destination.ip": [ + "10.189.155.253" + ], + "destination.port": 984, + "event.action": "allow", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.189.155.253,dstPort=984,dbUsername=iutaliqu,srcIP=10.29.74.57,srcPort=4226,creatTime=19 January 2019 13:25:23,srvGroup=tam,service=uovo,appName=scivelit,event#=enimadm,eventType=Login,usrGroup=empo,usrAuth=False,application=\"apa\",osUsername=colab,srcHost=sistenat115.mail.local,dbName=Sedutper,schemaName=exe,bindVar=writt,sqlError=unknown,respSize=3432,respTime=35.197000,affRows=amqua,action=\"allow\",rawQuery=\"taliquip\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "sistenat115.mail.local", + "input.type": "log", + "log.offset": 37229, + "network.application": "apa", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.189.155.253", + "10.29.74.57" + ], + "rsa.counters.dclass_c1": 3432, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "Sedutper", + "rsa.db.index": "taliquip", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "empo", + "rsa.misc.group_object": "tam", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 35.197, + "rsa.time.starttime": "2019-01-19T15:25:23.000Z", + "service.type": "imperva", + "source.address": "sistenat115.mail.local", + "source.ip": [ + "10.29.74.57" + ], + "source.port": 4226, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "exe", + "iutaliqu", + "colab" + ] + }, + { + "destination.ip": [ + "10.107.41.59" + ], + "destination.port": 926, + "event.action": "block", + "event.category": "acom", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.107.41.59,dstPort=926,dbUsername=oreseo,srcIP=10.149.2.62,srcPort=7493,creatTime=2019-02-02 20:27:57,srvGroup=maven,service=tectob,appName=sequamn,event#=uiaco,eventType=acom,usrGroup=modi,usrAuth=atisun,application=\"ntu\",osUsername=utal,srcHost=ptatev4160.internal.home,dbName=tionemu,schemaName=edictasu,bindVar=quipexea,sqlError=unknown,respSize=3008,respTime=47.865000,affRows=mnis,action=\"block\",rawQuery=\"aborumSe\"", + "fileset.name": "securesphere", + "host.hostname": "ptatev4160.internal.home", + "input.type": "log", + "log.offset": 37677, + "network.application": "ntu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.149.2.62", + "10.107.41.59" + ], + "rsa.counters.dclass_c1": 3008, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tionemu", + "rsa.db.index": "aborumSe", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "acom", + "rsa.misc.group": "modi", + "rsa.misc.group_object": "maven", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 47.865, + 
"rsa.time.starttime": "2019-02-02T22:27:57.000Z", + "service.type": "imperva", + "source.address": "ptatev4160.internal.home", + "source.ip": [ + "10.149.2.62" + ], + "source.port": 7493, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "utal", + "edictasu", + "oreseo" + ] + }, + { + "destination.ip": [ + "10.20.211.186" + ], + "destination.port": 4062, + "event.action": "accept", + "event.category": "erit", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=laborio,event#=aaliqu,createTime=2019-02-17 03:30:32,updateTime=tevelit,alertSev=low,group=mid,ruleName=\"henderi\",evntDesc=\"consec\",category=dquia,disposition=cep,eventType=erit,proto=udp,srcPort=3382,srcIP=10.11.237.65,dstPort=4062,dstIP=10.20.211.186,policyName=\"tionem\",occurrences=3743,httpHost=olu,webMethod=cae,url=\"https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi\",webQuery=\"siarch\",soapAction=oloremi,resultCode=ididu,sessionID=uov,username=ncidid,addUsername=audantiu,responseTime=lmolest,responseSize=miurerep,direction=orsitame,dbUsername=Sed,queryGroup=isau,application=\"temvele\",srcHost=ntutl6493.mail.home,osUsername=ptassit,schemaName=olo,dbName=ataevit,hdrName=ficiad,action=accept", + "fileset.name": "securesphere", + "host.hostname": "ntutl6493.mail.home", + "input.type": "log", + "log.level": "low", + "log.offset": 38124, + "network.application": "temvele", + "network.direction": "orsitame", + "network.protocol": "udp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.20.211.186", + "10.11.237.65" + ], + "rsa.counters.event_counter": 3743, + "rsa.db.database": "ataevit", + "rsa.internal.event_desc": "consec", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept", + "cae" + ], + "rsa.misc.category": "dquia", + "rsa.misc.disposition": "cep", + "rsa.misc.event_type": "erit", + 
"rsa.misc.group": "mid", + "rsa.misc.log_session_id": "uov", + "rsa.misc.operation_id": "laborio", + "rsa.misc.policy_name": "tionem", + "rsa.misc.result_code": "ididu", + "rsa.misc.rule_name": "henderi", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2019-02-17T05:30:32.000Z", + "rsa.web.alias_host": "olu", + "rule.name": "henderi", + "service.type": "imperva", + "source.address": "ntutl6493.mail.home", + "source.ip": [ + "10.11.237.65" + ], + "source.port": 3382, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi", + "url.query": "siarch", + "user.name": [ + "ptassit", + "ncidid", + "olo" + ] + }, + { + "destination.ip": [ + "10.190.18.213" + ], + "destination.port": 2201, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.190.18.213,dstPort=2201,dbUsername=rror,srcIP=10.177.60.55,srcPort=7799,creatTime=3 March 2019 10:33:06,srvGroup=tut,service=umdol,appName=nseq,event#=autodita,eventType=Login,usrGroup=loreme,usrAuth=True,application=\"eratv\",osUsername=tametcon,srcHost=orsi1332.www5.corp,dbName=dolorsi,schemaName=etdolore,bindVar=taevita,sqlError=unknown,respSize=7327,respTime=93.075000,affRows=luptatem,action=\"block\",rawQuery=\"cons\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "orsi1332.www5.corp", + "input.type": "log", + "log.offset": 38852, + "network.application": "eratv", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.190.18.213", + "10.177.60.55" + ], + "rsa.counters.dclass_c1": 7327, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "dolorsi", + "rsa.db.index": "cons", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": 
"Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "loreme", + "rsa.misc.group_object": "tut", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 93.075, + "rsa.time.starttime": "2019-03-03T12:33:06.000Z", + "service.type": "imperva", + "source.address": "orsi1332.www5.corp", + "source.ip": [ + "10.177.60.55" + ], + "source.port": 7799, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "tametcon", + "rror", + "etdolore" + ] + }, + { + "destination.ip": [ + "10.173.169.212" + ], + "destination.port": 292, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.173.169.212,dstPort=292,dbUsername=oinB,srcIP=10.131.253.222,srcPort=1239,creatTime=17 March 2019 17:35:40,srvGroup=enatuser,service=uia,appName=sistena,event#=reetdolo,eventType=Login,usrGroup=psam,usrAuth=False,application=\"litseddo\",osUsername=orumet,srcHost=aliqu5109.www.test,dbName=sun,schemaName=utod,bindVar=queips,sqlError=unknown,respSize=6659,respTime=138.450000,affRows=riatu,action=\"cancel\",rawQuery=\"serrors\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "aliqu5109.www.test", + "input.type": "log", + "log.offset": 39299, + "network.application": "litseddo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.173.169.212", + "10.131.253.222" + ], + "rsa.counters.dclass_c1": 6659, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "sun", + "rsa.db.index": "serrors", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "psam", + "rsa.misc.group_object": "enatuser", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 138.45, + "rsa.time.starttime": "2019-03-17T19:35:40.000Z", + "service.type": "imperva", + "source.address": "aliqu5109.www.test", + "source.ip": [ + "10.131.253.222" + ], + "source.port": 1239, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "orumet", + "oinB", + "utod" + ] + }, + { + "destination.ip": [ + "10.33.131.63" + ], + "destination.port": 1437, + "event.action": "cancel", + "event.category": "lum", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.33.131.63,dstPort=1437,dbUsername=imven,srcIP=10.5.54.131,srcPort=1411,creatTime=2019-04-01 00:38:14,srvGroup=sectetu,service=quiratio,appName=aincidu,event#=eseo,eventType=lum,usrGroup=CSe,usrAuth=umqu,application=\"aeratvol\",osUsername=psamvolu,srcHost=urQui381.mail.example,dbName=ionev,schemaName=liq,bindVar=utlab,sqlError=failure,respSize=587,respTime=125.240000,affRows=tassi,action=\"cancel\",rawQuery=\"orinre\"", + "fileset.name": "securesphere", + "host.hostname": "urQui381.mail.example", + "input.type": "log", + "log.offset": 39748, + "network.application": "aeratvol", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.5.54.131", + "10.33.131.63" + ], + "rsa.counters.dclass_c1": 587, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ionev", + "rsa.db.index": "orinre", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "lum", + "rsa.misc.group": "CSe", + "rsa.misc.group_object": "sectetu", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 125.24, + "rsa.time.starttime": 
"2019-04-01T02:38:14.000Z", + "service.type": "imperva", + "source.address": "urQui381.mail.example", + "source.ip": [ + "10.5.54.131" + ], + "source.port": 1411, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "psamvolu", + "liq", + "imven" + ] + }, + { + "destination.ip": [ + "10.164.123.69" + ], + "destination.port": 2543, + "event.action": "cancel", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.164.123.69,dstPort=2543,dbUsername=litesse,srcIP=10.161.51.238,srcPort=1809,creatTime=2019-04-15 07:40:49,srvGroup=odt,service=riatur,appName=oremeumf,event#=volupt,eventType=Logout,usrGroup=dicon,usrAuth=False,application=\"psumquia\",osUsername=xercitat,srcHost=giatq1967.api.test,dbName=citat,schemaName=xeacomm,bindVar=itvolup,sqlError=success,respSize=5031,respTime=124.913000,affRows=reetd,action=\"cancel\",rawQuery=\"ngelit\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "giatq1967.api.test", + "input.type": "log", + "log.offset": 40190, + "network.application": "psumquia", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.164.123.69", + "10.161.51.238" + ], + "rsa.counters.dclass_c1": 5031, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "citat", + "rsa.db.index": "ngelit", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "dicon", + "rsa.misc.group_object": "odt", + "rsa.misc.result": "success", + "rsa.time.duration_time": 124.913, + "rsa.time.starttime": "2019-04-15T09:40:49.000Z", + "service.type": "imperva", + 
"source.address": "giatq1967.api.test", + "source.ip": [ + "10.161.51.238" + ], + "source.port": 1809, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "xercitat", + "litesse", + "xeacomm" + ] + }, + { + "destination.ip": [ + "10.112.73.97" + ], + "destination.port": 6125, + "event.action": "accept", + "event.category": "odte", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.112.73.97,dstPort=6125,dbUsername=quinesc,srcIP=10.227.144.202,srcPort=3803,creatTime=2019-04-29 14:43:23,srvGroup=doeiusmo,service=tev,appName=elaudant,event#=ratvolu,eventType=odte,usrGroup=enderitq,usrAuth=nnumquam,application=\"abori\",osUsername=uelauda,srcHost=urQuis7078.www5.domain,dbName=rumS,schemaName=uelau,bindVar=quidolor,sqlError=failure,respSize=2469,respTime=53.441000,affRows=quinesci,action=\"accept\",rawQuery=\"lpaqui\"", + "fileset.name": "securesphere", + "host.hostname": "urQuis7078.www5.domain", + "input.type": "log", + "log.offset": 40644, + "network.application": "abori", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.227.144.202", + "10.112.73.97" + ], + "rsa.counters.dclass_c1": 2469, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rumS", + "rsa.db.index": "lpaqui", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "odte", + "rsa.misc.group": "enderitq", + "rsa.misc.group_object": "doeiusmo", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 53.441, + "rsa.time.starttime": "2019-04-29T16:43:23.000Z", + "service.type": "imperva", + "source.address": "urQuis7078.www5.domain", + "source.ip": [ + "10.227.144.202" + ], + "source.port": 3803, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "quinesc", + "uelau", + "uelauda" + ] + }, + { + "event.category": "scip", + 
"event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=utlabo,createTime=2019-05-13 21:45:57,eventType=scip,eventSev=low,username=voluptas,subsystem=inv,message=\"upta\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 41105, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "upta", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "scip", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2019-05-13T23:45:57.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "voluptas" + ] + }, + { + "destination.ip": [ + "10.185.248.253" + ], + "destination.port": 3804, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.185.248.253,dstPort=3804,dbUsername=nisi,srcIP=10.76.165.58,srcPort=1381,creatTime=28 May 2019 04:48:31,srvGroup=dipis,service=nderitin,appName=ernatu,event#=usant,eventType=Login,usrGroup=uidolore,usrAuth=False,application=\"litse\",osUsername=ugitse,srcHost=utfugi6811.mail.host,dbName=psum,schemaName=amqua,bindVar=mavenia,sqlError=failure,respSize=4963,respTime=99.486000,affRows=ssuscipi,action=\"block\",rawQuery=\"eturadi\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "utfugi6811.mail.host", + "input.type": "log", + "log.offset": 41242, + "network.application": "litse", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.185.248.253", + "10.76.165.58" + ], + "rsa.counters.dclass_c1": 4963, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "psum", + "rsa.db.index": "eturadi", + "rsa.internal.messageid": "Imperva", + 
"rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "uidolore", + "rsa.misc.group_object": "dipis", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 99.486, + "rsa.time.starttime": "2019-05-28T06:48:31.000Z", + "service.type": "imperva", + "source.address": "utfugi6811.mail.host", + "source.ip": [ + "10.76.165.58" + ], + "source.port": 1381, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "amqua", + "nisi", + "ugitse" + ] + }, + { + "destination.ip": [ + "10.177.36.122" + ], + "destination.port": 5686, + "event.action": "accept", + "event.category": "itessec", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=evelit,event#=oluptat,createTime=2019-06-11 11:51:06,updateTime=ditem,alertSev=low,group=pisciv,ruleName=\"equamnih\",evntDesc=\"rationev\",category=etco,disposition=usanti,eventType=itessec,proto=ipv6,srcPort=2772,srcIP=10.163.27.208,dstPort=5686,dstIP=10.177.36.122,policyName=\"reseo\",occurrences=4087,httpHost=iutaliq,webMethod=oriosamn,url=\"https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt\",webQuery=\"orporiss\",soapAction=iamq,resultCode=edolo,sessionID=oditempo,username=eFini,addUsername=ritin,responseTime=iosam,responseSize=olup,direction=eav,dbUsername=archi,queryGroup=nes,application=\"atvolupt\",srcHost=umwritt2172.www.localhost,osUsername=ept,schemaName=avolu,dbName=aaliq,hdrName=olupta,action=accept", + "fileset.name": "securesphere", + "host.hostname": "umwritt2172.www.localhost", + "input.type": "log", + "log.level": "low", + "log.offset": 41693, + "network.application": "atvolupt", + "network.direction": "eav", + "network.protocol": "ipv6", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.163.27.208", + "10.177.36.122" + ], + "rsa.counters.event_counter": 4087, + "rsa.db.database": "aaliq", + "rsa.internal.event_desc": "rationev", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "oriosamn", + "accept" + ], + "rsa.misc.category": "etco", + "rsa.misc.disposition": "usanti", + "rsa.misc.event_type": "itessec", + "rsa.misc.group": "pisciv", + "rsa.misc.log_session_id": "oditempo", + "rsa.misc.operation_id": "evelit", + "rsa.misc.policy_name": "reseo", + "rsa.misc.result_code": "edolo", + "rsa.misc.rule_name": "equamnih", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2019-06-11T13:51:06.000Z", + "rsa.web.alias_host": "iutaliq", + "rule.name": "equamnih", + "service.type": "imperva", + "source.address": "umwritt2172.www.localhost", + "source.ip": [ + "10.163.27.208" + ], + "source.port": 2772, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt", + "url.query": "orporiss", + "user.name": [ + "avolu", + "eFini", + "ept" + ] + }, + { + "destination.ip": [ + "10.35.215.152" + ], + "destination.port": 7489, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.35.215.152,dstPort=7489,dbUsername=ium,srcIP=10.143.175.148,srcPort=796,creatTime=25 June 2019 18:53:40,srvGroup=tame,service=olo,appName=vel,event#=equamn,eventType=Login,usrGroup=tempora,usrAuth=True,application=\"enimip\",osUsername=itaspern,srcHost=lupta602.mail.localdomain,dbName=uisno,schemaName=etdo,bindVar=edictas,sqlError=failure,respSize=6141,respTime=167.299000,affRows=urerepr,action=\"block\",rawQuery=\"Maloru\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "lupta602.mail.localdomain", + "input.type": "log", + "log.offset": 
42435, + "network.application": "enimip", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.35.215.152", + "10.143.175.148" + ], + "rsa.counters.dclass_c1": 6141, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uisno", + "rsa.db.index": "Maloru", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tempora", + "rsa.misc.group_object": "tame", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 167.299, + "rsa.time.starttime": "2019-06-25T20:53:40.000Z", + "service.type": "imperva", + "source.address": "lupta602.mail.localdomain", + "source.ip": [ + "10.143.175.148" + ], + "source.port": 796, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "etdo", + "itaspern", + "ium" + ] + }, + { + "destination.ip": [ + "10.254.252.105" + ], + "destination.port": 146, + "event.action": "allow", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.254.252.105,dstPort=146,dbUsername=asp,srcIP=10.25.246.131,srcPort=212,creatTime=2019-07-10 01:56:14,srvGroup=unde,service=raut,appName=suscip,event#=ectetu,eventType=Logout,usrGroup=rem,usrAuth=False,application=\"ariat\",osUsername=ptatemU,srcHost=eriam2051.api.host,dbName=upid,schemaName=ataev,bindVar=nsecte,sqlError=unknown,respSize=2949,respTime=96.394000,affRows=tutla,action=\"allow\",rawQuery=\"hitect\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "eriam2051.api.host", + "input.type": "log", + "log.offset": 42883, + "network.application": "ariat", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.25.246.131", + "10.254.252.105" + ], + "rsa.counters.dclass_c1": 2949, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "upid", + "rsa.db.index": "hitect", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "rem", + "rsa.misc.group_object": "unde", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 96.394, + "rsa.time.starttime": "2019-07-10T03:56:14.000Z", + "service.type": "imperva", + "source.address": "eriam2051.api.host", + "source.ip": [ + "10.25.246.131" + ], + "source.port": 212, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "ataev", + "ptatemU", + "asp" + ] + }, + { + "destination.ip": [ + "10.248.16.82" + ], + "destination.port": 6834, + "event.action": "accept", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.16.82,dstPort=6834,dbUsername=loinv,srcIP=10.44.179.66,srcPort=357,creatTime=24 July 2019 08:58:48,srvGroup=xercit,service=avolup,appName=etdo,event#=tuserror,eventType=Login,usrGroup=nisiutal,usrAuth=False,application=\"pisciv\",osUsername=proiden,srcHost=cita2058.test,dbName=nul,schemaName=xercita,bindVar=tametco,sqlError=success,respSize=2353,respTime=43.922000,affRows=ididunt,action=\"accept\",rawQuery=\"eum\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "cita2058.test", + "input.type": "log", + "log.offset": 43317, + "network.application": "pisciv", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.248.16.82", + 
"10.44.179.66" + ], + "rsa.counters.dclass_c1": 2353, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "nul", + "rsa.db.index": "eum", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "nisiutal", + "rsa.misc.group_object": "xercit", + "rsa.misc.result": "success", + "rsa.time.duration_time": 43.922, + "rsa.time.starttime": "2019-07-24T10:58:48.000Z", + "service.type": "imperva", + "source.address": "cita2058.test", + "source.ip": [ + "10.44.179.66" + ], + "source.port": 357, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "proiden", + "xercita", + "loinv" + ] + }, + { + "destination.ip": [ + "10.88.53.149" + ], + "destination.port": 4048, + "event.action": "allow", + "event.category": "temac", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tlabo,event#=iameaque,createTime=2019-08-07 16:01:23,updateTime=sautemve,alertSev=high,group=emoe,ruleName=\"ameiusmo\",evntDesc=\"ntiumtot\",category=aeab,disposition=idolo,eventType=temac,proto=ipv6,srcPort=622,srcIP=10.55.166.205,dstPort=4048,dstIP=10.88.53.149,policyName=\"iut\",occurrences=6219,httpHost=tess,webMethod=ionulamc,url=\"https://www.example.net/umSecti/emaccu.html?atu=ddo#veli\",webQuery=\"ata\",soapAction=untmoll,resultCode=ididun,sessionID=olo,username=tqui,addUsername=oru,responseTime=ehender,responseSize=abo,direction=onsec,dbUsername=econse,queryGroup=iac,application=\"cingel\",srcHost=siarchit2807.invalid,osUsername=strumex,schemaName=reseosqu,dbName=atus,hdrName=fugiatq,action=\"allow\",errormsg=\"success\"", + "fileset.name": "securesphere", + "host.hostname": "siarchit2807.invalid", + "input.type": 
"log", + "log.level": "high", + "log.offset": 43759, + "network.application": "cingel", + "network.direction": "onsec", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.55.166.205", + "10.88.53.149" + ], + "rsa.counters.event_counter": 6219, + "rsa.db.database": "atus", + "rsa.internal.event_desc": "ntiumtot", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow", + "ionulamc" + ], + "rsa.misc.category": "aeab", + "rsa.misc.disposition": "idolo", + "rsa.misc.event_type": "temac", + "rsa.misc.group": "emoe", + "rsa.misc.log_session_id": "olo", + "rsa.misc.operation_id": "tlabo", + "rsa.misc.policy_name": "iut", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ididun", + "rsa.misc.rule_name": "ameiusmo", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-08-07T18:01:23.000Z", + "rsa.web.alias_host": "tess", + "rule.name": "ameiusmo", + "service.type": "imperva", + "source.address": "siarchit2807.invalid", + "source.ip": [ + "10.55.166.205" + ], + "source.port": 622, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www.example.net/umSecti/emaccu.html?atu=ddo#veli", + "url.query": "ata", + "user.name": [ + "tqui", + "strumex", + "reseosqu" + ] + }, + { + "destination.ip": [ + "10.199.117.125" + ], + "destination.port": 1799, + "event.action": "cancel", + "event.category": "ionevo", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=dquiaco,event#=rumw,createTime=2019-08-21 
23:03:57,updateTime=ula,alertSev=high,group=uidolore,ruleName=\"quam\",evntDesc=\"rsitvo\",category=esciuntN,disposition=ritatis,eventType=ionevo,proto=rdp,srcPort=7851,srcIP=10.116.180.96,dstPort=1799,dstIP=10.199.117.125,policyName=\"dolor\",occurrences=6700,httpHost=equinesc,webMethod=ectet,url=\"https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu\",webQuery=\"nrep\",soapAction=lauda,resultCode=ionevo,sessionID=busB,username=pidatatn,addUsername=ipsamvol,responseTime=tconse,responseSize=ima,direction=nimaveni,dbUsername=cepteurs,queryGroup=siutaliq,application=\"aliqu\",srcHost=serro1855.internal.invalid,osUsername=iof,schemaName=ciun,dbName=ssitaspe,hdrName=deomnis,action=cancel", + "fileset.name": "securesphere", + "host.hostname": "serro1855.internal.invalid", + "input.type": "log", + "log.level": "high", + "log.offset": 44508, + "network.application": "aliqu", + "network.direction": "nimaveni", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.199.117.125", + "10.116.180.96" + ], + "rsa.counters.event_counter": 6700, + "rsa.db.database": "ssitaspe", + "rsa.internal.event_desc": "rsitvo", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "ectet" + ], + "rsa.misc.category": "esciuntN", + "rsa.misc.disposition": "ritatis", + "rsa.misc.event_type": "ionevo", + "rsa.misc.group": "uidolore", + "rsa.misc.log_session_id": "busB", + "rsa.misc.operation_id": "dquiaco", + "rsa.misc.policy_name": "dolor", + "rsa.misc.result_code": "ionevo", + "rsa.misc.rule_name": "quam", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "rsa.web.alias_host": "equinesc", + "rule.name": "quam", + "service.type": "imperva", + "source.address": "serro1855.internal.invalid", + "source.ip": [ + "10.116.180.96" + ], + "source.port": 7851, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": 
"https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu", + "url.query": "nrep", + "user.name": [ + "pidatatn", + "ciun", + "iof" + ] + }, + { + "destination.ip": [ + "10.64.76.110" + ], + "destination.port": 2200, + "event.action": "cancel", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.64.76.110,dstPort=2200,dbUsername=ptate,srcIP=10.250.226.105,srcPort=4867,creatTime=5 September 2019 06:06:31,srvGroup=atur,service=aquaeabi,appName=olupt,event#=dolor,eventType=Login,usrGroup=fficiade,usrAuth=False,application=\"rsi\",osUsername=imidest,srcHost=ulamc2151.www5.corp,dbName=dip,schemaName=ommod,bindVar=sisten,sqlError=failure,respSize=6041,respTime=43.322000,affRows=nihi,action=\"cancel\",rawQuery=\"orumetMa\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "ulamc2151.www5.corp", + "input.type": "log", + "log.offset": 45266, + "network.application": "rsi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.250.226.105", + "10.64.76.110" + ], + "rsa.counters.dclass_c1": 6041, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "dip", + "rsa.db.index": "orumetMa", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "fficiade", + "rsa.misc.group_object": "atur", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 43.322, + "rsa.time.starttime": "2019-09-05T08:06:31.000Z", + "service.type": "imperva", + "source.address": "ulamc2151.www5.corp", + "source.ip": [ + "10.250.226.105" + ], + "source.port": 4867, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "user.name": [ + "ommod", + "imidest", + "ptate" + ] + }, + { + "destination.ip": [ + "10.164.52.43" + ], + "destination.port": 2077, + "event.action": "block", + "event.category": "persp", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=teturad,event#=nesciu,createTime=2019-09-19 13:09:05,updateTime=ueip,alertSev=low,group=orumSe,ruleName=\"mSe\",evntDesc=\"itame\",category=quaturv,disposition=lumdolor,eventType=persp,proto=ggp,srcPort=7684,srcIP=10.29.141.252,dstPort=2077,dstIP=10.164.52.43,policyName=\"orum\",occurrences=249,httpHost=itvolup,webMethod=atemq,url=\"https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq\",webQuery=\"aturve\",soapAction=tquasiar,resultCode=eetd,sessionID=orem,username=seq,addUsername=cus,responseTime=tnulap,responseSize=amquisno,direction=epreh,dbUsername=uepo,queryGroup=llumqui,application=\"sedqu\",srcHost=ipitlabo5092.local,osUsername=Nemoe,schemaName=reverit,dbName=neavolup,hdrName=uaturve,action=\"block\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "host.hostname": "ipitlabo5092.local", + "input.type": "log", + "log.level": "low", + "log.offset": 45715, + "network.application": "sedqu", + "network.direction": "epreh", + "network.protocol": "ggp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.164.52.43", + "10.29.141.252" + ], + "rsa.counters.event_counter": 249, + "rsa.db.database": "neavolup", + "rsa.internal.event_desc": "itame", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "atemq", + "block" + ], + "rsa.misc.category": "quaturv", + "rsa.misc.disposition": "lumdolor", + "rsa.misc.event_type": "persp", + "rsa.misc.group": "orumSe", + "rsa.misc.log_session_id": "orem", + "rsa.misc.operation_id": "teturad", + "rsa.misc.policy_name": "orum", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eetd", 
+ "rsa.misc.rule_name": "mSe", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2019-09-19T15:09:05.000Z", + "rsa.web.alias_host": "itvolup", + "rule.name": "mSe", + "service.type": "imperva", + "source.address": "ipitlabo5092.local", + "source.ip": [ + "10.29.141.252" + ], + "source.port": 7684, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq", + "url.query": "aturve", + "user.name": [ + "seq", + "Nemoe", + "reverit" + ] + }, + { + "destination.ip": [ + "10.115.42.231" + ], + "destination.port": 2143, + "event.action": "deny", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application=\"ameiusm\",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action=\"deny\",rawQuery=\"natus\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "isau4356.www.home", + "input.type": "log", + "log.offset": 46474, + "network.application": "ameiusm", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.161.212.150", + "10.115.42.231" + ], + "rsa.counters.dclass_c1": 4846, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "niamqui", + "rsa.db.index": "natus", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + 
"rsa.misc.event_type": "Login", + "rsa.misc.group": "abi", + "rsa.misc.group_object": "corporis", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 6.993, + "rsa.time.starttime": "2019-10-03T22:11:40.000Z", + "service.type": "imperva", + "source.address": "isau4356.www.home", + "source.ip": [ + "10.161.212.150" + ], + "source.port": 2748, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "tasnul", + "sequamn", + "res" + ] + }, + { + "destination.ip": [ + "10.66.163.3" + ], + "destination.port": 1085, + "event.action": "accept", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.66.163.3,dstPort=1085,dbUsername=aeconseq,srcIP=10.9.126.156,srcPort=628,creatTime=2019-10-18 03:14:14,srvGroup=mqu,service=inima,appName=emipsum,event#=venia,eventType=Logout,usrGroup=Loremi,usrAuth=True,application=\"uisnostr\",osUsername=accusa,srcHost=utod6468.mail.test,dbName=dipi,schemaName=asnulapa,bindVar=atev,sqlError=success,respSize=7469,respTime=147.141000,affRows=ipiscin,action=\"accept\",rawQuery=\"tionu\"", + "event.outcome": "Success", + "fileset.name": "securesphere", + "host.hostname": "utod6468.mail.test", + "input.type": "log", + "log.offset": 46922, + "network.application": "uisnostr", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.66.163.3", + "10.9.126.156" + ], + "rsa.counters.dclass_c1": 7469, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "dipi", + "rsa.db.index": "tionu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "Loremi", + 
"rsa.misc.group_object": "mqu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 147.141, + "rsa.time.starttime": "2019-10-18T05:14:14.000Z", + "service.type": "imperva", + "source.address": "utod6468.mail.test", + "source.ip": [ + "10.9.126.156" + ], + "source.port": 628, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "aeconseq", + "asnulapa", + "accusa" + ] + }, + { + "event.category": "odtem", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=uidexea,createTime=2019-11-01 10:16:48,eventType=odtem,eventSev=high,username=mipsa,subsystem=teturad,message=\"nimide\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "high", + "log.offset": 47366, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "rsa.internal.event_desc": "nimide", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "odtem", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-11-01T12:16:48.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "mipsa" + ] + }, + { + "destination.ip": [ + "10.217.176.124" + ], + "destination.port": 7276, + "event.action": "cancel", + "event.category": "sauteir", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=writ,event#=ema,createTime=2019-11-15 
17:19:22,updateTime=ioffici,alertSev=medium,group=uunt,ruleName=\"pic\",evntDesc=\"unt\",category=emUt,disposition=eiru,eventType=sauteir,proto=tcp,srcPort=3341,srcIP=10.220.106.170,dstPort=7276,dstIP=10.217.176.124,policyName=\"elillum\",occurrences=1318,httpHost=reetdo,webMethod=pidatatn,url=\"https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre\",webQuery=\"upta\",soapAction=mvolupt,resultCode=mseq,sessionID=consequ,username=min,addUsername=riame,responseTime=gnaal,responseSize=nti,direction=tetura,dbUsername=utlab,queryGroup=colabo,application=\"ditem\",srcHost=did2502.mail.example,osUsername=itsedq,schemaName=uisaute,dbName=iaturEx,hdrName=apa,action=cancel", + "fileset.name": "securesphere", + "host.hostname": "did2502.mail.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 47509, + "network.application": "ditem", + "network.direction": "tetura", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.217.176.124", + "10.220.106.170" + ], + "rsa.counters.event_counter": 1318, + "rsa.db.database": "iaturEx", + "rsa.internal.event_desc": "unt", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "pidatatn", + "cancel" + ], + "rsa.misc.category": "emUt", + "rsa.misc.disposition": "eiru", + "rsa.misc.event_type": "sauteir", + "rsa.misc.group": "uunt", + "rsa.misc.log_session_id": "consequ", + "rsa.misc.operation_id": "writ", + "rsa.misc.policy_name": "elillum", + "rsa.misc.result_code": "mseq", + "rsa.misc.rule_name": "pic", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2019-11-15T19:19:22.000Z", + "rsa.web.alias_host": "reetdo", + "rule.name": "pic", + "service.type": "imperva", + "source.address": "did2502.mail.example", + "source.ip": [ + "10.220.106.170" + ], + "source.port": 3341, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": 
"https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre", + "url.query": "upta", + "user.name": [ + "uisaute", + "min", + "itsedq" + ] + }, + { + "destination.ip": [ + "10.9.248.95" + ], + "destination.port": 2294, + "event.action": "deny", + "event.category": "Logout", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.9.248.95,dstPort=2294,dbUsername=iatquovo,srcIP=10.120.18.135,srcPort=6260,creatTime=2019-11-30 00:21:57,srvGroup=itametc,service=oremip,appName=isundeo,event#=eli,eventType=Logout,usrGroup=ore,usrAuth=False,application=\"ips\",osUsername=ratvolup,srcHost=iamqu4015.www5.lan,dbName=tsunti,schemaName=ero,bindVar=iusmodi,sqlError=unknown,respSize=6969,respTime=36.585000,affRows=oreetd,action=\"deny\",rawQuery=\"Loremips\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "iamqu4015.www5.lan", + "input.type": "log", + "log.offset": 48241, + "network.application": "ips", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.120.18.135", + "10.9.248.95" + ], + "rsa.counters.dclass_c1": 6969, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tsunti", + "rsa.db.index": "Loremips", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ore", + "rsa.misc.group_object": "itametc", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 36.585, + "rsa.time.starttime": "2019-11-30T02:21:57.000Z", + "service.type": "imperva", + "source.address": "iamqu4015.www5.lan", + "source.ip": [ + "10.120.18.135" + ], + "source.port": 6260, + "tags": [ + "imperva.securesphere", + "forwarded" + ], 
+ "user.name": [ + "iatquovo", + "ero", + "ratvolup" + ] + }, + { + "destination.ip": [ + "10.249.76.99" + ], + "destination.port": 7480, + "event.action": "block", + "event.category": "Login", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.249.76.99,dstPort=7480,dbUsername=xercita,srcIP=10.109.203.111,srcPort=6875,creatTime=14 December 2019 07:24:31,srvGroup=atemquia,service=rumwritt,appName=tio,event#=aconseq,eventType=Login,usrGroup=erit,usrAuth=False,application=\"quaeab\",osUsername=uis,srcHost=eirured1366.mail.domain,dbName=ntexp,schemaName=atio,bindVar=roquisqu,sqlError=success,respSize=3516,respTime=151.020000,affRows=molestia,action=\"block\",rawQuery=\"boreetdo\"", + "event.outcome": "Failure", + "fileset.name": "securesphere", + "host.hostname": "eirured1366.mail.domain", + "input.type": "log", + "log.offset": 48684, + "network.application": "quaeab", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.249.76.99", + "10.109.203.111" + ], + "rsa.counters.dclass_c1": 3516, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ntexp", + "rsa.db.index": "boreetdo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "erit", + "rsa.misc.group_object": "atemquia", + "rsa.misc.result": "success", + "rsa.time.duration_time": 151.02, + "service.type": "imperva", + "source.address": "eirured1366.mail.domain", + "source.ip": [ + "10.109.203.111" + ], + "source.port": 6875, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": [ + "atio", + "xercita", + "uis" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md
new file mode 100644
index 00000000000..931a3bf4d4d
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/README.md
@@ -0,0 +1,7 @@
+# infoblox module
+
+This is a module for Infoblox NIOS logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134
+at 2020-07-07 18:10:45.174185 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml
new file mode 100644
index 00000000000..85df3964b38
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: infoblox
+ nios:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9512
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
new file mode 100644
index 00000000000..9b53fa89810
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
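Review bot: The config template omits `var.keep_raw_fields`, which the module's docs.asciidoc added in this same commit documents as a fileset setting that defaults to false, so a user working from the template alone will not discover it. Unless the generator leaves it out deliberately, add it next to the `var.rsa_fields` entry: `# Toggle output of the raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. The `var.syslog_host: localhost` default matches the docs and is the right conservative choice for a network listener; keep it as the documented default rather than a bind-all address.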
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: infoblox
+:has-dashboards: false
+
+== Infoblox module
+
+experimental[]
+
+This is a module for receiving Infoblox NIOS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: nios
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `nios` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9512`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/infoblox/_meta/fields.yml b/x-pack/filebeat/module/infoblox/_meta/fields.yml
new file mode 100644
index 00000000000..38b39cb5624
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: infoblox
+ title: Infoblox NIOS
+ description: >
+ infoblox fields.
+ fields:
diff --git a/x-pack/filebeat/module/infoblox/fields.go b/x-pack/filebeat/module/infoblox/fields.go
new file mode 100644
index 00000000000..9906c9f3bbe
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package infoblox
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "infoblox", asset.ModuleFieldsPri, AssetInfoblox); err != nil {
+ panic(err)
+ }
+}
+
+// AssetInfoblox returns asset data.
+// This is the base64 encoded gzipped contents of module/infoblox.
+func AssetInfoblox() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity.
Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type:
keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml
new file mode 100644
index 00000000000..35ad775a3aa
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Infoblox"
+ product: "Network"
+ type: "IPAM"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/infoblox/nios/config/liblogparser.js
+ - ${path.home}/module/infoblox/nios/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
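Review bot: The `params:` block of the script processor passes `ecs`, `rsa`, `tz_offset`, `keep_raw` and `debug`, but `register()` in the liblogparser.js hunk that follows also reads `params.strip_priority` (falling back to `true` from its `defaults`), so a user of this module has no way to change priority stripping from the template. If that is intentional, a comment such as `# strip_priority is not exposed here; liblogparser.js defaults it to true` makes it explicit; otherwise it needs a templated line like `strip_priority: {{.strip_priority}}` backed by a manifest variable that is not visible in this patch. The `ecs.version: 1.5.0` literal in `add_fields` would also benefit from a comment naming the ECS version the module's fields.yml is generated against, since nothing in this hunk ties the two together.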
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} (%{dhost}) via %{p0}"); + +var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + 
+var dup22 = setc("action","DHCPRELEASE"); + +var dup23 = setc("action","DHCPDISCOVER"); + +var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr}from %{p0}"); + +var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + +var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + +var dup27 = setc("action","DHCPREQUEST"); + +var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + +var dup29 = setc("event_description","unknown network segment"); + +var dup30 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], +}); + +var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface}relay %{fld1}lease-duration %{duration}"); + +var dup32 = setc("action","DHCPACK"); + +var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + +var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + +var dup35 = setf("domain","zone"); + +var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + +var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + +var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + +var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + +var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + +var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + +var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + +var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + +var dup44 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + +var dup45 = setc("event_description","updating zone"); + +var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + +var dup47 = 
setf("domain","hostname"); + +var dup48 = setc("eventcategory","1801010000"); + +var dup49 = setc("ec_activity","Request"); + +var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + +var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + +var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + +var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + +var dup54 = setc("action","Refused"); + +var dup55 = setf("dns_querytype","event_description"); + +var dup56 = setc("eventcategory","1901000000"); + +var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport}(%{p0}"); + +var dup58 = setc("eventcategory","1801000000"); + +var dup59 = setf("zone","domain"); + +var dup60 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], +}); + +var dup61 = setf("info","hdata"); + +var dup62 = setc("eventcategory","1301000000"); + +var dup63 = setc("eventcategory","1303000000"); + +var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup65 = linear_select([ + dup17, + dup18, +]); + +var dup66 = linear_select([ + dup20, + dup21, +]); + +var dup67 = linear_select([ + dup25, + dup26, +]); + +var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var dup69 = match("MESSAGE#52:ntpd:02", "nwparser.payload", "%{event_description->} ", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup70 = linear_select([ + dup33, + dup34, +]); + +var dup71 = linear_select([ + dup37, + dup38, + dup39, +]); + +var dup72 = linear_select([ + dup42, + dup43, + dup44, +]); + +var dup73 = linear_select([ + dup51, + dup52, +]); + +var dup74 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", 
"%{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action}: %{event_description}(code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup77 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description->} ", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); + +var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + +var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); + +var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); + +var select1 = linear_select([ + part1, + part2, +]); + +var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); + +var all1 = all_match({ + processors: [ + hdr1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), +}); + +var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), +])); + +var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), +])); + +var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + +var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); + +var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); + +var select2 = linear_select([ + part4, + part5, +]); + +var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); + +var all2 = all_match({ + processors: [ + hdr4, + select2, + part6, + ], + on_success: 
processor_chain([ + setc("header_id","002"), + ]), +}); + +var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1}|%{messageid}|%{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var select3 = linear_select([ + all1, + hdr2, + hdr3, + all2, + hdr5, + hdr6, + hdr7, +]); + +var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Logout - - ip=%{saddr}group=%{group}trigger_event=%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, +])); + +var msg1 = msg("httpd", part7); + +var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Login_Allowed - - to=%{fld4}ip=%{saddr}auth=%{authmethod}group=%{group}apparently_via=%{info}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, +])); + +var msg2 = msg("httpd:01", part8); + +var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Called - %{action}message=%{info}", processor_chain([ + dup11, + dup6, + dup7, + dup8, +])); + +var msg3 = msg("httpd:02", part9); + +var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup11, + dup6, + dup7, + dup8, +])); + +var msg4 = msg("httpd:03", part10); + +var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1}authentication for user %{username}failed", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg5 = msg("httpd:04", part11); + 
+var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Called - %{event_description}", processor_chain([ + dup12, + dup6, + dup7, + dup8, +])); + +var msg6 = msg("httpd:05", part12); + +var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Login_Denied - - to=%{terminal}ip=%{saddr}info=%{info}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup7, + dup8, +])); + +var msg7 = msg("httpd:07", part13); + +var msg8 = msg("httpd:06", dup64); + +var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, +]); + +var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr}filename %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","RRQ from remote host"), +])); + +var msg9 = msg("in.tftpd:01", part14); + +var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","sending NAK to remote host"), +])); + +var msg10 = msg("in.tftpd:02", part15); + +var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup6, + dup8, +])); + +var msg11 = msg("in.tftpd", part16); + +var select5 = linear_select([ + msg9, + msg10, + msg11, +]); + +var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface}with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip}(%{dmacaddr}) lease time is %{p0}"); + +var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + +var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + +var select6 = linear_select([ + part18, + part19, +]); + +var part20 = 
match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); + +var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), +}); + +var msg12 = msg("dhcpd:12", all3); + +var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip}from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","bind update rejected"), +])); + +var msg13 = msg("dhcpd:21", part21); + +var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Unable to add forward map"), +])); + +var msg14 = msg("dhcpd:10", part22); + +var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1}dynamic DNS update latency: %{result}micro seconds", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Average dynamic DNS update latency"), +])); + +var msg15 = msg("dhcpd:13", part23); + +var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info}minutes: %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Dynamic DNS update timeout count"), +])); + +var msg16 = msg("dhcpd:15", part24); + +var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed forward map"), +])); + +var msg17 = msg("dhcpd:22", part25); + +var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed reverse map"), +])); + +var msg18 = msg("dhcpd:25", part26); + +var part27 = 
match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received shutdown"), +])); + +var msg19 = msg("dhcpd:06", part27); + +var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); + +var all4 = all_match({ + processors: [ + dup16, + dup65, + part28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Added new forward map"), + ]), +}); + +var msg20 = msg("dhcpd:18", all4); + +var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); + +var all5 = all_match({ + processors: [ + dup16, + dup65, + part29, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","added reverse map"), + ]), +}); + +var msg21 = msg("dhcpd:19", all5); + +var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP declined"), +])); + +var msg22 = msg("dhcpd", part30); + +var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP pinged before offer"), +])); + +var msg23 = msg("dhcpd:30", part31); + +var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr}from %{smacaddr}(%{shost}) via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, +])); + +var msg24 = msg("dhcpd:01", part32); + +var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr}from %{smacaddr}via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, +])); + +var msg25 = msg("dhcpd:02", part33); + +var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", 
"DHCPRELEASE of %{saddr}from %{p0}"); + +var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface}(%{info})"); + +var all6 = all_match({ + processors: [ + part34, + dup66, + part35, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup22, + ]), +}); + +var msg26 = msg("dhcpd:03", all6); + +var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr}via %{interface}: network %{mask}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup23, +])); + +var msg27 = msg("dhcpd:04", part36); + +var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + +var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + +var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr}(%{hostname}) via %{interface}: ignored (%{result})"); + +var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("action","DHCPREQUEST ignored"), + ]), +}); + +var msg28 = msg("dhcpd:07", all7); + +var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); + +var all8 = all_match({ + processors: [ + dup24, + dup67, + part41, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + setc("result","wrong network"), + ]), +}); + +var msg29 = msg("dhcpd:09", all8); + +var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{} %{interface}: lease %{hostip}unavailable"); + +var all9 = all_match({ + processors: [ + dup24, + dup67, + part42, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup27, + setc("result","lease unavailable"), + ]), +}); + +var msg30 = msg("dhcpd:26", all9); + +var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for 
%{saddr}(%{shost}) from %{smacaddr}(%{hostname}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup27, +])); + +var msg31 = msg("dhcpd:08", part43); + +var all10 = all_match({ + processors: [ + dup24, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + ]), +}); + +var msg32 = msg("dhcpd:11", all10); + +var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr}via %{saddr}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup22, + dup29, +])); + +var msg33 = msg("dhcpd:31", part44); + +var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr}via %{saddr}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","BOOTREQUEST"), + dup30, +])); + +var msg34 = msg("dhcpd:32", part45); + +var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Reclaiming abandoned lease"), +])); + +var msg35 = msg("dhcpd:33", part46); + +var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + +var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + +var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + +var select8 = linear_select([ + part48, + part49, +]); + +var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport}total %{fld2}free %{fld3}backup %{fld4}lts %{fld5}max-%{fld6->} %{p0}"); + +var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + +var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + +var part53 = match("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "%{fld7}"); + +var select9 = linear_select([ + part51, + part52, + part53, +]); + +var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: 
processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg36 = msg("dhcpd:34", all11); + +var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost}to %{dhost}: REFUSED", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Unable to add reverse map"), +])); + +var msg37 = msg("dhcpd:35", part54); + +var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr}FAILED: %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Forward map failed"), +])); + +var msg38 = msg("dhcpd:36", part55); + +var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr}to %{p0}"); + +var all12 = all_match({ + processors: [ + part56, + dup66, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup32, + ]), +}); + +var msg39 = msg("dhcpd:14", all12); + +var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr}to %{p0}"); + +var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + +var select10 = linear_select([ + part58, + dup20, + dup21, +]); + +var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPOFFER"), + ]), +}); + +var msg40 = msg("dhcpd:24", all13); + +var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr}to %{dmacaddr}via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPNAK"), +])); + +var msg41 = msg("dhcpd:17", part59); + +var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); + +var all14 = all_match({ + processors: [ + part60, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup23, + ]), +}); + +var msg42 = msg("dhcpd:05", all14); + +var part61 = match("MESSAGE#42:dhcpd:16", 
"nwparser.payload", "DHCPACK to %{daddr}(%{dmacaddr}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup32, +])); + +var msg43 = msg("dhcpd:16", part61); + +var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr}via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPINFORM"), +])); + +var msg44 = msg("dhcpd:20", part62); + +var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr}to %{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPEXPIRE"), +])); + +var msg45 = msg("dhcpd:23", part63); + +var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip}for client %{smacaddr}is duplicate on %{mask}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg46 = msg("dhcpd:28", part64); + +var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr}abandoned because of non-retryable failure: %{result}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg47 = msg("dhcpd:29", part65); + +var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1}Bind-State %{change_old}Next-Bind-State %{change_new}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg48 = msg("dhcpd:39", part66); + +var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg49 = msg("dhcpd:41", part67); + +var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg50 = msg("dhcpd:42", part68); + +var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from 
pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup12, + dup6, + dup8, + setc("dclass_counter1_string","count of leases"), + dup30, +])); + +var msg51 = msg("dhcpd:43", part69); + +var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup29, +])); + +var msg52 = msg("dhcpd:44", part70); + +var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg53 = msg("dhcpd:45", part71); + +var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), +])); + +var msg54 = msg("dhcpd:46", part72); + +var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + +var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); + +var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); + +var select11 = linear_select([ + part74, + part75, +]); + +var all15 = all_match({ + processors: [ + part73, + select11, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg55 = msg("dhcpd:47", all15); + +var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg56 = msg("dhcpd:48", part76); + +var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip}valid.", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("protocol","ICMP"), +])); + +var msg57 = msg("dhcpd:49", part77); + +var part78 = 
match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg58 = msg("dhcpd:50", part78); + +var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + +var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + +var select12 = linear_select([ + part79, + part80, +]); + +var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + +var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + +var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + +var select13 = linear_select([ + part82, + part83, +]); + +var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip}deferred"); + +var all16 = all_match({ + processors: [ + select12, + part81, + select13, + part84, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("disposition","deferred"), + ]), +}); + +var msg59 = msg("dhcpd:51", all16); + +var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg60 = msg("dhcpd:52", part85); + +var msg61 = msg("dhcpd:37", dup68); + +var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, +]); + +var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup12, + dup6, + dup8, + 
setc("event_description","system event status"), +])); + +var msg62 = msg("ntpd:05", part86); + +var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result}from %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","frequency initialized from file"), +])); + +var msg63 = msg("ntpd:04", part87); + +var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting on signal"), +])); + +var msg64 = msg("ntpd:03", part88); + +var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","time slew duraion"), +])); + +var msg65 = msg("ntpd", part89); + +var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1}had flags %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","signal had flags"), +])); + +var msg66 = msg("ntpd:01", part90); + +var msg67 = msg("ntpd:02", dup69); + +var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, +]); + +var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + +var all17 = all_match({ + processors: [ + part91, + dup70, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg68 = msg("named:16", all17); + +var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + +var all18 = all_match({ + processors: [ + part92, + dup70, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + dup35, + ]), +}); + +var msg69 = msg("named", all18); + +var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + +var all19 = all_match({ + 
processors: [ + part93, + dup70, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg70 = msg("named:12", all19); + +var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + +var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + +var select16 = linear_select([ + part94, + part95, +]); + +var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + +var all20 = all_match({ + processors: [ + dup36, + select16, + part96, + dup70, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg71 = msg("named:01", all20); + +var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + +var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + +var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + +var select17 = linear_select([ + part99, + dup40, +]); + +var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + +var select18 = linear_select([ + dup41, + part100, +]); + +var all21 = all_match({ + processors: [ + part97, + dup71, + part98, + select17, + select18, + dup72, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), +}); + +var msg72 = msg("named:17", all21); + +var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + +var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + +var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + +var select19 = linear_select([ + part102, + part103, +]); + +var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info}at '%{hostname}'"); + +var all22 = all_match({ + processors: [ + part101, + select19, + part104, + ], + on_success: processor_chain([ + 
dup12, + dup6, + dup8, + ]), +}); + +var msg73 = msg("named:18", all22); + +var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + +var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + +var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + +var select20 = linear_select([ + part107, + dup40, +]); + +var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + +var select21 = linear_select([ + dup41, + part108, +]); + +var all23 = all_match({ + processors: [ + part105, + dup71, + part106, + select20, + select21, + dup72, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), +}); + +var msg74 = msg("named:02", all23); + +var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + +var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + +var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + +var select22 = linear_select([ + part110, + part111, +]); + +var all24 = all_match({ + processors: [ + part109, + select22, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup47, + ]), +}); + +var msg75 = msg("named:19", all24); + +var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg76 = msg("named:03", part112); + +var part113 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","notify zone is up to date"), +])); + +var msg77 = msg("named:11", part113); + +var part114 = 
match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg78 = msg("named:13", part114); + +var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport}exceeded (%{action})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg79 = msg("named:14", part115); + +var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport}(source ::#0): %{action}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg80 = msg("named:15", part116); + +var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport}resolving %{domain}/%{dns_querytype}for client %{daddr}#%{dport}: %{p0}"); + +var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + +var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); + +var select23 = linear_select([ + part118, + part119, +]); + +var all25 = all_match({ + processors: [ + part117, + select23, + ], + on_success: processor_chain([ + dup48, + dup49, + dup14, + dup6, + dup8, + setc("event_description","DNS format error"), + dup30, + ]), +}); + +var msg81 = msg("named:25", all25); + +var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport}(#%{fld5}): query: %{domain->} %{fld4}(%{daddr})"); + +var all26 = all_match({ + processors: [ + dup50, + dup73, + part120, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg82 = msg("named:63", all26); + +var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport}(%{fld1}): %{p0}"); + +var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + +var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + +var select24 = 
linear_select([ + part122, + part123, +]); + +var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context}(%{daddr})"); + +var all27 = all_match({ + processors: [ + part121, + select24, + part124, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg83 = msg("named:72", all27); + +var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action}(%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg84 = msg("named:28", part125); + +var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + +var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); + +var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); + +var select25 = linear_select([ + part127, + part128, +]); + +var all28 = all_match({ + processors: [ + part126, + select25, + ], + on_success: processor_chain([ + dup48, + dup6, + dup8, + dup30, + setc("event_description","failed"), + ]), +}); + +var msg85 = msg("named:71", all28); + +var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); + +var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + +var select26 = linear_select([ + part130, + dup46, +]); + +var all29 = all_match({ + processors: [ + part129, + select26, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg86 = msg("named:70", all29); + +var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1}client %{saddr}#%{sport}: %{p0}"); + +var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + +var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); + +var 
select27 = linear_select([ + part132, + part133, +]); + +var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype}response:%{result->} %{p0}"); + +var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + +var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); + +var select28 = linear_select([ + part135, + part136, +]); + +var all30 = all_match({ + processors: [ + part131, + select27, + part134, + select28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg87 = msg("named:40", all30); + +var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg88 = msg("named:05", part137); + +var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + +var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + +var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + +var select29 = linear_select([ + part138, + part139, + part140, + dup53, +]); + +var part141 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info}(%{daddr})"); + +var all31 = all_match({ + processors: [ + dup36, + select29, + part141, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","dns query"), + ]), +}); + +var msg89 = msg("named:10", all31); + +var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}' ", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received notify for zone"), +])); + +var msg90 = msg("named:29", part142); + +var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}' ", processor_chain([ + dup12, + dup6, + 
dup8, + setc("event_description","client received notify for zone"), +])); + +var msg91 = msg("named:08", part143); + +var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","client update forwarding for zone denied"), +])); + +var msg92 = msg("named:09", part144); + +var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + +var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + +var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + +var select30 = linear_select([ + part146, + part147, +]); + +var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + +var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. Zone version is now %{version}."); + +var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + +var select31 = linear_select([ + part149, + part150, +]); + +var all32 = all_match({ + processors: [ + part145, + select30, + part148, + select31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg93 = msg("named:76", all32); + +var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action}for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg94 = msg("named:75", part151); + +var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + +var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + +var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + +var select32 = linear_select([ + part153, + part154, +]); + +var part155 = match("MESSAGE#80:named:06/2", "nwparser.p0", "%{event_description->} "); + +var all33 = 
all_match({ + processors: [ + part152, + select32, + part155, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg95 = msg("named:06", all33); + +var part156 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup55, +])); + +var msg96 = msg("named:20", part156); + +var part157 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + +var part158 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + +var part159 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); + +var select33 = linear_select([ + part158, + part159, +]); + +var all34 = all_match({ + processors: [ + part157, + select33, + ], + on_success: processor_chain([ + dup56, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup35, + ]), +}); + +var msg97 = msg("named:49", all34); + +var part160 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); + +var part161 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); + +var select34 = linear_select([ + part160, + part161, +]); + +var part162 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + +var all35 = all_match({ + processors: [ + dup57, + select34, + part162, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg98 = msg("named:24", all35); + +var part163 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); + +var part164 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); + +var select35 = linear_select([ + part163, + part164, +]); + +var part165 = match("MESSAGE#84:named:26/2", "nwparser.p0", 
"%{}(%{fld3}) %{info}"); + +var all36 = all_match({ + processors: [ + dup57, + select35, + part165, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg99 = msg("named:26", all36); + +var part166 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); + +var part167 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); + +var select36 = linear_select([ + part166, + part167, +]); + +var part168 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4->} "); + +var all37 = all_match({ + processors: [ + dup57, + select36, + part168, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg100 = msg("named:27", all37); + +var part169 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + +var part170 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); + +var select37 = linear_select([ + part169, + part170, + dup53, +]); + +var part171 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); + +var part172 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result->} "); + +var part173 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr}) "); + +var select38 = linear_select([ + part172, + part173, +]); + +var all38 = all_match({ + processors: [ + dup50, + dup73, + select37, + part171, + select38, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg101 = msg("named:38", all38); + +var part174 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, +])); + +var msg102 = msg("named:39", part174); + +var part175 = 
match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5}(data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg103 = msg("named:46", part175); + +var part176 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info}at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg104 = msg("named:64", part176); + +var part177 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info}at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup47, +])); + +var msg105 = msg("named:45", part177); + +var part178 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); + +var part179 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + +var part180 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + +var select39 = linear_select([ + part179, + part180, +]); + +var part181 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + +var part182 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); + +var part183 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); + +var part184 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); + +var select40 = linear_select([ + part182, + part183, + part184, +]); + +var all39 = all_match({ + processors: [ + part178, + select39, + part181, + select40, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg106 = msg("named:44", all39); + +var part185 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport}(%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", 
processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg107 = msg("named:43", part185); + +var part186 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result}resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup6, + dup8, + dup55, +])); + +var msg108 = msg("named:42", part186); + +var part187 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg109 = msg("named:41", part187); + +var part188 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup6, + dup8, +])); + +var msg110 = msg("named:47", part188); + +var part189 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport}(%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup56, + dup6, + dup8, + dup30, +])); + +var msg111 = msg("named:48", part189); + +var part190 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}(%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg112 = msg("named:62", part190); + +var part191 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport}(%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg113 = msg("named:53", part191); + +var part192 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport}(%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype}at %(unknown):%{fld2->} ", processor_chain([ + dup48, + dup6, + dup8, + setc("event_description"," query failed"), +])); + +var msg114 = msg("named:77", part192); + +var part193 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport}(%{hostname}): %{info}", 
processor_chain([ + dup58, + dup6, + dup8, + dup47, +])); + +var msg115 = msg("named:52", part193); + +var part194 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype}(%{saddr}) %{info}", processor_chain([ + dup58, + dup6, + dup8, +])); + +var msg116 = msg("named:50", part194); + +var part195 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup56, + dup6, + dup8, + dup49, + dup14, + dup54, +])); + +var msg117 = msg("named:51", part195); + +var part196 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup2, + dup14, + dup30, +])); + +var msg118 = msg("named:54", part196); + +var part197 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + +var part198 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + +var part199 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); + +var select41 = linear_select([ + part198, + part199, +]); + +var all40 = all_match({ + processors: [ + part197, + select41, + ], + on_success: processor_chain([ + dup58, + dup6, + dup8, + dup5, + dup30, + dup59, + ]), +}); + +var msg119 = msg("named:55", all40); + +var part200 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup49, + dup14, + dup30, + dup59, +])); + +var msg120 = msg("named:56", part200); + +var part201 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + setc("ec_outcome","Error"), + dup30, + dup59, +])); + +var msg121 = msg("named:57", part201); + +var part202 = match("MESSAGE#107:named:04/0", 
"nwparser.payload", "%{action}on %{p0}"); + +var part203 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + +var part204 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + +var select42 = linear_select([ + part203, + part204, +]); + +var part205 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); + +var all41 = all_match({ + processors: [ + part202, + select42, + part205, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg122 = msg("named:04", all41); + +var part206 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup30, + dup59, +])); + +var msg123 = msg("named:58", part206); + +var part207 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, +])); + +var msg124 = msg("named:59", part207); + +var part208 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + setc("event_description","skipping nameserver because it is a CNAME"), +])); + +var msg125 = msg("named:60", part208); + +var part209 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg126 = msg("named:61", part209); + +var part210 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup35, +])); + +var msg127 = msg("named:73", part210); + +var part211 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup12, + 
dup6, + dup8, + dup30, +])); + +var msg128 = msg("named:74", part211); + +var part212 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + +var part213 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); + +var select43 = linear_select([ + part212, + part213, +]); + +var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg129 = msg("named:07", all42); + +var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, +]); + +var part214 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","can't read sid"), +])); + +var msg130 = msg("pidof:01", part214); + +var part215 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg131 = msg("pidof", part215); + +var select45 = linear_select([ + msg130, + msg131, +]); + +var part216 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Configured local-address not available as source address for DNS updates"), +])); + +var msg132 = msg("validate_dhcpd:01", part216); + +var msg133 = msg("validate_dhcpd", dup74); + +var select46 = linear_select([ + msg132, + msg133, +]); + +var msg134 = msg("syslog-ng", dup64); + +var part217 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version}(%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg135 = msg("kernel", part217); + +var msg136 = msg("kernel:01", dup64); + +var select47 = linear_select([ + msg135, + msg136, +]); + +var msg137 = msg("radiusd", dup69); + +var part218 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent}start", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg138 = msg("rc", part218); + +var msg139 = msg("rc3", dup64); + +var part219 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg140 = msg("rcsysinit", part219); + +var msg141 = msg("rcsysinit:01", dup64); + +var select48 = linear_select([ + msg140, + msg141, +]); + +var part220 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration}secs", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg142 = msg("watchdog", part220); + +var part221 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg143 = msg("watchdog:01", part221); + +var part222 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg144 = msg("watchdog:02", part222); + +var part223 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%(unknown)could not be opened, errno = %{resultcode}", processor_chain([ + dup15, + dup6, + 
dup8, +])); + +var msg145 = msg("watchdog:03", part223); + +var msg146 = msg("watchdog:04", dup64); + +var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, +]); + +var msg147 = msg("init", dup64); + +var part224 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask}to %{interface}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg148 = msg("logger", part224); + +var msg149 = msg("logger:01", dup64); + +var select50 = linear_select([ + msg148, + msg149, +]); + +var part225 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol}[%{info}] %{event_description}(code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg150 = msg("openvpn-member", part225); + +var msg151 = msg("openvpn-member:01", dup75); + +var part226 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg152 = msg("openvpn-member:02", part226); + +var part227 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version}[%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg153 = msg("openvpn-member:03", part227); + +var msg154 = msg("openvpn-member:04", dup76); + +var msg155 = msg("openvpn-member:05", dup64); + +var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, +]); + +var part228 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip}port %{network_port}.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg156 = msg("sshd", part228); + +var part229 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + +var part230 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + +var part231 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); + +var select52 = linear_select([ + part230, + part231, +]); 
+ +var part232 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr}port %{sport->} %{protocol}"); + +var all43 = all_match({ + processors: [ + part229, + select52, + part232, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg157 = msg("sshd:01", all43); + +var part233 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg158 = msg("sshd:02", part233); + +var part234 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port}on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg159 = msg("sshd:03", part234); + +var part235 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup6, + dup8, +])); + +var msg160 = msg("sshd:04", part235); + +var part236 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result->} ", processor_chain([ + dup1, + dup2, + dup4, + dup14, + dup6, + dup8, + setc("event_description","logout"), +])); + +var msg161 = msg("sshd:05", part236); + +var part237 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr->} ", processor_chain([ + dup15, + dup6, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), +])); + +var msg162 = msg("sshd:06", part237); + +var part238 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup12, + dup6, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), +])); + +var msg163 = msg("sshd:07", part238); + +var part239 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod}authentication succeeded for user %{username}", processor_chain([ + 
setc("eventcategory","1302010300"), + dup6, + setc("event_description","authentication succeeded"), + dup8, + dup60, +])); + +var msg164 = msg("sshd:08", part239); + +var part240 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group"), + dup60, +])); + +var msg165 = msg("sshd:09", part240); + +var part241 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Bad protocol version identification"), + dup60, +])); + +var msg166 = msg("sshd:10", part241); + +var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, +]); + +var part242 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version}[%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg167 = msg("openvpn-master", part242); + +var part243 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol}[%{info}]: %{event_description}(code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg168 = msg("openvpn-master:01", part243); + +var msg169 = msg("openvpn-master:02", dup75); + +var part244 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport}TLS Error: TLS handshake failed", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg170 = msg("openvpn-master:03", part244); + +var part245 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport}[%{fld2}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg171 = msg("openvpn-master:04", part245); + +var part246 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport}[%{fld1}] %{event_description->} ", processor_chain([ + dup12, + dup6, + 
dup8, +])); + +var msg172 = msg("openvpn-master:05", part246); + +var msg173 = msg("openvpn-master:06", dup76); + +var msg174 = msg("openvpn-master:07", dup64); + +var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, +]); + +var part247 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg175 = msg("INFOBLOX-Grid", part247); + +var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + +var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + +var select55 = linear_select([ + part248, + part249, +]); + +var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + +var all44 = all_match({ + processors: [ + select55, + part250, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg176 = msg("INFOBLOX-Grid:02", all44); + +var part251 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Upgrade Complete"), +])); + +var msg177 = msg("INFOBLOX-Grid:03", part251); + +var part252 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg178 = msg("INFOBLOX-Grid:04", part252); + +var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, +]); + +var part253 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr}is online.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg179 = msg("db_jnld", part253); + +var part254 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + +var part255 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + +var 
part256 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + +var part257 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + +var part258 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + +var part259 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + +var select57 = linear_select([ + part255, + part256, + part257, + part258, + part259, +]); + +var part260 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); + +var all45 = all_match({ + processors: [ + part254, + select57, + part260, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg180 = msg("db_jnld:01", all45); + +var select58 = linear_select([ + msg179, + msg180, +]); + +var part261 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to}(%{fld1}) %{p0}"); + +var part262 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); + +var part263 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); + +var select59 = linear_select([ + part262, + part263, +]); + +var all46 = all_match({ + processors: [ + part261, + select59, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg181 = msg("sSMTP", all46); + +var part264 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg182 = msg("sSMTP:02", part264); + +var part265 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg183 = msg("sSMTP:03", part265); + +var msg184 = msg("sSMTP:04", dup74); + +var select60 = linear_select([ + msg181, + msg182, + msg183, + msg184, +]); + +var part266 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device}was successful - Backup file %(unknown)", processor_chain([ + dup12, + 
dup6, + dup8, +])); + +var msg185 = msg("scheduled_backups", part266); + +var part267 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device}was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server was successful"), +])); + +var msg186 = msg("scheduled_ftp_backups", part267); + +var part268 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device}failed - %{result}.", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server failed"), +])); + +var msg187 = msg("failed_scheduled_ftp_backups", part268); + +var select61 = linear_select([ + msg186, + msg187, +]); + +var part269 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device}was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the SCP server was successful"), +])); + +var msg188 = msg("scheduled_scp_backups", part269); + +var part270 = match("MESSAGE#171:python", "nwparser.payload", "%{action}even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg189 = msg("python", part270); + +var part271 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action}(algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg190 = msg("python:01", part271); + +var part272 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg191 = msg("python:02", part272); + +var part273 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup12, + 
dup6, + dup8, +])); + +var msg192 = msg("python:03", part273); + +var part274 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg193 = msg("python:04", part274); + +var part275 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3}[%{username}]: Populated %{zone->} %{hostname}DnsView=%{fld4}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg194 = msg("python:05", part275); + +var msg195 = msg("python:06", dup64); + +var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, +]); + +var part276 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup11, + dup6, + dup8, +])); + +var msg196 = msg("monitor", part276); + +var part277 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg197 = msg("snmptrapd", part277); + +var part278 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1}sleeps more than %{duration}milliseconds in %{fld2}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg198 = msg("snmptrapd:01", part278); + +var msg199 = msg("snmptrapd:02", dup64); + +var select63 = linear_select([ + msg197, + msg198, + msg199, +]); + +var part279 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr}offset %{duration}sec", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg200 = msg("ntpdate", part279); + +var msg201 = msg("ntpdate:01", dup74); + +var select64 = linear_select([ + msg200, + msg201, +]); + +var msg202 = msg("phonehome", dup64); + +var part280 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg203 = 
msg("purge_scheduled_tasks", part280); + +var part281 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22}[%{domain}]: Login_Denied - - to=%{terminal}apparently_via=%{info}ip=%{saddr}error=%{result}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup8, + setc("event_description","Login Denied"), +])); + +var msg204 = msg("serial_console:04", part281); + +var part282 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup8, + setc("event_description","No authentication methods succeeded for user"), +])); + +var msg205 = msg("serial_console:03", part282); + +var part283 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Login_Allowed - - to=%{terminal}apparently_via=%{info}auth=%{authmethod}group=%{group}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, +])); + +var msg206 = msg("serial_console", part283); + +var part284 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup2, + dup3, + dup10, + dup5, + dup6, + dup8, + setc("event_description","RADIUS authentication succeeded for user"), +])); + +var msg207 = msg("serial_console:01", part284); + +var part285 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group identification"), +])); + +var msg208 = msg("serial_console:02", part285); + +var part286 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1}[%{username}]: rebooted the system", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system reboot"), +])); + +var msg209 = msg("serial_console:05", part286); + +var part287 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Local authentication succeeded for user"), +])); + +var msg210 = msg("serial_console:06", part287); + +var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, +]); + +var msg211 = msg("rc6", dup64); + +var msg212 = msg("acpid", dup64); + +var msg213 = msg("diskcheck", dup64); + +var part288 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg214 = msg("debug_mount", part288); + +var msg215 = msg("smart_check_io", dup64); + +var msg216 = msg("speedstep_control", dup64); + +var part289 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Started"), +])); + +var msg217 = msg("controld", part289); + +var part290 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Complete"), +])); + +var msg218 = msg("controld:02", part290); + +var select66 = linear_select([ + msg217, + msg218, +]); + +var part291 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","shutting down for system reboot"), +])); + +var msg219 = msg("shutdown", part291); + +var part292 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting"), +])); + +var msg220 = msg("ntpd_initres", part292); 
+ +var part293 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg221 = msg("rsyncd", part293); + +var part294 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost}(%{saddr})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg222 = msg("rsyncd:01", part294); + +var part295 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %(unknown)from %{shost}(%{saddr})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg223 = msg("rsyncd:02", part295); + +var part296 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes}bytes received %{rbytes}bytes total size %{fld1}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg224 = msg("rsyncd:03", part296); + +var part297 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup12, + dup6, + setc("event_description","building file list"), + dup8, +])); + +var msg225 = msg("rsyncd:04", part297); + +var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, +]); + +var msg226 = msg("syslog", dup77); + +var msg227 = msg("restarting", dup77); + +var part298 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1->} ", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); + +var msg228 = msg("ipmievd", part298); + +var part299 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg229 = msg("netauto_discovery", part299); + +var part300 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version}device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup58, + dup6, + dup8, + dup60, + setc("event_description","device does not answer to lldpRem OID requests, 
skipping LLDP Neighbors poll"), +])); + +var msg230 = msg("netauto_discovery:01", part300); + +var part301 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg231 = msg("netauto_discovery:02", part301); + +var part302 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup14, +])); + +var msg232 = msg("netauto_discovery:03", part302); + +var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, +]); + +var part303 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg233 = msg("netauto_core:01", part303); + +var part304 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg234 = msg("netauto_core", part304); + +var select69 = linear_select([ + msg233, + msg234, +]); + +var part305 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ + dup48, + dup6, + dup8, + dup60, + dup14, +])); + +var msg235 = msg("captured_dns_uploader", part305); + +var part306 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup10, + dup14, +])); + +var msg236 = msg("DIS", part306); + +var part307 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip}on %{fld4}, using session ID", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg237 = msg("DIS:01", part307); + +var 
select70 = linear_select([ + msg236, + msg237, +]); + +var part308 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ + dup63, + dup6, + dup8, + dup60, +])); + +var msg238 = msg("ErrorMsg", part308); + +var part309 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr}port %{dport}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup60, +])); + +var msg239 = msg("tacacs_acct", part309); + +var part310 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. %{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup63, + dup6, + dup8, + dup60, + setc("event_description","Accounting request failed."), +])); + +var msg240 = msg("tacacs_acct:01", part310); + +var part311 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2}bytes from server %{daddr}port %{dport}, expecting %{fld3}", processor_chain([ + dup12, + dup6, + dup8, + dup60, +])); + +var msg241 = msg("tacacs_acct:02", part311); + +var select71 = linear_select([ + msg239, + msg240, + msg241, +]); + +var part312 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6}port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Relay-forward message"), +])); + +var msg242 = msg("dhcpdv6", part312); + +var part313 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6}port %{sport}from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Solicit message"), +])); + +var msg243 = msg("dhcpdv6:01", part313); + +var part314 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup12, + dup6, + dup8, + dup30, + 
setc("event_description","IP unknown - No addresses available for this interface"), +])); + +var msg244 = msg("dhcpdv6:02", part314); + +var part315 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6}port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Advertise message"), +])); + +var msg245 = msg("dhcpdv6:03", part315); + +var part316 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6}port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Sending Relay-reply message"), +])); + +var msg246 = msg("dhcpdv6:04", part316); + +var part317 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6}port %{sport}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Information-request message"), +])); + +var msg247 = msg("dhcpdv6:05", part317); + +var part318 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6}port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Reply message"), +])); + +var msg248 = msg("dhcpdv6:06", part318); + +var part319 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6}port %{sport}from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Renew message"), +])); + +var msg249 = msg("dhcpdv6:07", part319); + +var part320 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6}to client with duid %{fld1}iaid = %{fld2}static", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg250 = msg("dhcpdv6:08", part320); + +var msg251 = msg("dhcpdv6:09", dup68); + +var 
select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, +]); + +var msg252 = msg("debug", dup68); + +var part321 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","proxying request"), +])); + +var msg253 = msg("cloud_api", part321); + +var chain1 = processor_chain([ + select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), +]); + +var part322 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + +var part323 = match("MESSAGE#19:dhcpd:18/1_0", 
"nwparser.p0", "Added %{p0}"); + +var part324 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + +var part325 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + +var part326 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + +var part327 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr}from %{p0}"); + +var part328 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + +var part329 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + +var part330 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + +var part331 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface}relay %{fld1}lease-duration %{duration}"); + +var part332 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + +var part333 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + +var part334 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + +var part335 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + +var part336 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + +var part337 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + +var part338 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + +var part339 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + +var part340 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + +var part341 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + +var part342 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + +var part343 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + +var part344 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + 
+var part345 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + +var part346 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + +var part347 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + +var part348 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport}(%{p0}"); + +var part349 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var select73 = linear_select([ + dup17, + dup18, +]); + +var select74 = linear_select([ + dup20, + dup21, +]); + +var select75 = linear_select([ + dup25, + dup26, +]); + +var part350 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var part351 = match("MESSAGE#52:ntpd:02", "nwparser.payload", "%{event_description->} ", processor_chain([ + dup12, + dup6, + dup8, +])); + +var select76 = linear_select([ + dup33, + dup34, +]); + +var select77 = linear_select([ + dup37, + dup38, + dup39, +]); + +var select78 = linear_select([ + dup42, + dup43, + dup44, +]); + +var select79 = linear_select([ + dup51, + dup52, +]); + +var part352 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var part353 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action}: %{event_description}(code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var part354 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var part355 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description->} ", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); 
diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml new file mode 100644 index 00000000000..5693b4aea49 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Infoblox NIOS + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/infoblox/nios/manifest.yml b/x-pack/filebeat/module/infoblox/nios/manifest.yml new file mode 100644 index 00000000000..4f6b364c6e7 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/manifest.yml 
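Review bot: The `on_failure` handler at the end of this pipeline only appends `error.message`, so a document that fails a geoip or user_agent lookup is indexed looking like a normal event with one extra field; the usual pattern is to mark it as well, e.g. `- set: { field: event.kind, value: pipeline_error }` next to the append. This matters here because the parser output in this series carries `source.ip` as a list (`"source.ip": ["10.104.111.129"]` in the expected JSON), and whether the `geoip` processor accepts an array value depends on the Elasticsearch version; if it rejects it, every such event takes the failure path with nothing to filter on. A header comment stating that the geo/AS enrichment is best-effort and that lookups on addresses the database cannot resolve (all of the test data is private 10.x space) leave the target fields unset would also help the next reader.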
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["infoblox.nios", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9512 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log new file mode 100644 index 00000000000..6cfbb384c90 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log 
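Review bot: The `syslog_host`, `syslog_port` and `input` defaults (`localhost`, `9512`, `udp`) should carry a comment, because a UDP syslog listener performs no source authentication and fields such as `rsa.misc.event_source` and `host.name` are taken verbatim from the datagram (see the expected output in this series), so anything that can reach the port once `syslog_host` is widened can inject events attributed to an arbitrary device. Suggest `# Listener bind address. The udp input accepts unauthenticated datagrams: keep this on loopback or restrict senders at the host firewall before binding a routable address.` above `- name: syslog_host`. The `rsa_fields`, `keep_raw_fields` and `debug` variables are undocumented too; their effect presumably lives in config/input.yml, which is not in the visible part of this series, so a one-line comment on each stating what enabling it adds to the event would help.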
@@ -0,0 +1,100 @@ +January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten +Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci +Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213 +March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia +March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo) +April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura +Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success +May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15 +May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec +June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo +June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema +July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu +July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot +August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15 +August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start +August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw +September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor +September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco +October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463 +October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299 +November 10 03:01:24 Loremip6417.mail.test emoeni: syslog 
oenimips +November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) +December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm +December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list +January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu +January 20 14:14:16 wri2784.api.domain hitect: restarting dol +February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq +February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat +March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre +March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete +April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos +April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME "etdol" in zone "uela" +April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) +May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme +May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non +Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis +June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons +July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav +July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc +August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845 +August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa +September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor +September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start +October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine +October 19 
04:03:07 loreme853.www5.localdomain ven: snmptrapd con +November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) +November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe +December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 +December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt +December 29 15:15:58 tali7803.www.localdomain its: httpd ender +January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum +January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836 +February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim +February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu +March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat +sshd: Sleep 60 seconds for slowing down ssh login +April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure +April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd +May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui +May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips +June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv +June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi +July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo +July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima +Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown +August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15 +August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown. 
+September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun +September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15 +October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 +October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri +Nov 9 02:12:32 umq1309.api.test uae: debug mve +November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start +December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15 +December 21 23:20:14 archite1843.mail.home isqua: radiusd uta +January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl +January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec +sshd[saquaea]: Did not receive identification string from 10.222.251.114 +February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79 +March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15 +March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success +April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem +April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun +April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr +May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS +May 28 04:48:31 abor4353.www5.host ame: python tesseq +June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto +June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start +July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod. 
+July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt +August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu +Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe +September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo +September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem +October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success +October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum +November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo +November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla +November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor +December 14 07:24:31 dtemp1362.internal.example mips: init itae diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json new file mode 100644 index 00000000000..1cfcd745f62 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
@@ -0,0 +1,2476 @@ +[ + { + "event.code": "openvpn-master", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 0, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.5191", + "rsa.db.index": "mwritten", + "rsa.internal.messageid": "openvpn-master", + "rsa.misc.event_source": "volup208.invalid", + "rsa.misc.version": "1.5191", + "rsa.time.day": "29", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "cloud_api", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci", + "fileset.name": "nios", + "host.ip": "10.202.204.154", + "host.name": "atio5608.www5.localhost", + "input.type": "log", + "log.offset": 103, + "network.protocol": "ggp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.202.204.154" + ], + "rsa.db.index": "issusci", + "rsa.internal.data": "tur", + "rsa.internal.event_desc": "proxying request", + "rsa.internal.messageid": "cloud_api", + "rsa.misc.action": [ + "eFini" + ], + "rsa.misc.event_source": "com1060.api.example", + "rsa.network.alias_host": [ + "atio5608.www5.localhost" + ], + "rsa.time.day": "12", + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "rsa.time.month": "Feb", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "url.original": 
"https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam" + }, + { + "event.code": "netauto_core", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213", + "fileset.name": "nios", + "host.ip": "10.13.70.213", + "input.type": "log", + "log.offset": 307, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.13.70.213" + ], + "rsa.internal.data": "taliqu", + "rsa.internal.messageid": "netauto_core", + "rsa.misc.client": "ommod", + "rsa.misc.device_name": "scivel", + "rsa.misc.event_source": "ptass3168.www5.example", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "rsa.time.month": "Feb", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 462, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "veleumi", + "rsa.internal.event_desc": "tia", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "mcolabor1656.www5.corp", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-03-12T05:17:42.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 536, + "network.protocol": "igmp", + 
"observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "occ", + "rsa.internal.event_desc": "ect", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "Cice513.api.local", + "rsa.misc.result_code": "reetdolo", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-03-26T12:20:16.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 638, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "natura", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "obeataev7086.mail.invalid", + "rsa.time.day": "9", + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 713, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "nibusBon7400.localhost", + "rsa.misc.result": "success", + "rsa.time.day": "24", + "rsa.time.event_time": "2020-04-24T02:25:25.000Z", + "rsa.time.month": "Apr", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 8 07:27:59 iat1852.api.localdomain 
10.64.155.245 ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 775, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "iat1852.api.localdomain", + "rsa.time.day": "8", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpdate", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 868, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.104.111.129" + ], + "rsa.internal.data": "etconsec", + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "mquisnos5771.example", + "rsa.time.day": "22", + "rsa.time.duration_time": 61.614, + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "source.ip": [ + "10.104.111.129" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 979, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.3162", + "rsa.email.email_src": "umdolore", + "rsa.internal.data": "umdo", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "ite996.host", + "rsa.misc.version": "1.3162", + "rsa.time.day": "5", + 
"rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1070, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "eriame", + "rsa.internal.event_desc": "lorema", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "enim2780.www.lan", + "rsa.time.day": "20", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu", + "file.name": "oremagna", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1124, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atcu", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "emporinc5075.internal.host", + "rsa.misc.result_code": "ationu", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1228, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + 
"rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "shutdown", + "rsa.misc.event_source": "strude910.internal.local", + "rsa.time.day": "18", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1325, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "exiting", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "fugit7668.www5.invalid", + "rsa.time.day": "2", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1407, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "ritatis", + "rsa.misc.event_source": "itaut7095.invalid", + "rsa.time.day": "16", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "phonehome", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1486, + "observer.product": "Network", + 
"observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "lorumw", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "colabor1552.www5.local", + "rsa.time.day": "30", + "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1552, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "nihi", + "rsa.internal.event_desc": "Lor", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "inima5444.www5.lan", + "rsa.time.day": "13", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1619, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "olupt", + "rsa.internal.event_desc": "modoco", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "erc3217.internal.lan", + "rsa.time.day": "28", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "named", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 12 12:56:16 
uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1695, + "observer.ingress.interface.name": "lo1132", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.45.25.68" + ], + "rsa.internal.messageid": "named", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_source": "uames499.internal.host", + "rsa.network.sinterface": "lo1132", + "rsa.time.day": "12", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "source.ip": [ + "10.45.25.68" + ], + "source.port": 1463, + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1804, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.2299", + "rsa.internal.data": "intoccae", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "iineavo951.internal.test", + "rsa.misc.version": "1.2299", + "rsa.time.day": "26", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips ", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1901, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "syslog", + "rsa.time.day": "10", + 
"rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sSMTP", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) ", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1969, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "temveleu", + "rsa.internal.event_desc": "Sent mail for colabo (eme)", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "mnisist2347.mail.host", + "rsa.time.day": "24", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2076, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.2807", + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "datatn5076.internal.example", + "rsa.misc.version": "1.2807", + "rsa.time.day": "8", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rsyncd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2178, + "observer.product": 
"Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "run", + "rsa.internal.event_desc": "building file list", + "rsa.internal.messageid": "rsyncd", + "rsa.misc.event_source": "ercit2385.internal.home", + "rsa.time.day": "23", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2255, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "eritqu", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "quisnos4590.mail.domain", + "rsa.time.day": "6", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "restarting", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 20 14:14:16 wri2784.api.domain hitect: restarting dol ", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2317, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "restarting", + "rsa.time.day": "20", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc3", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2380, + 
"observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "oluptate", + "rsa.internal.event_desc": "onseq", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "asun1250.api.localdomain", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat", + "file.name": "equat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2446, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "dantiumt", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "luptasn", + "rsa.misc.event_source": "intoc2428.domain", + "rsa.time.day": "18", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2566, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "amre", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "ento4488.www5.localhost", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "controld", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + 
"event.original": "March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2625, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uioffi", + "rsa.internal.event_desc": "Distribution Complete", + "rsa.internal.messageid": "controld", + "rsa.misc.event_source": "boris5916.www5.example", + "rsa.time.day": "18", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "phonehome", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2718, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "reseos", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "temqu3331.api.host", + "rsa.time.day": "2", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "db_jnld", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME \"etdol\" in zone \"uela\"", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2776, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "liquide", + "rsa.internal.messageid": "db_jnld", + "rsa.time.day": "16", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": 
[ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2913, + "network.protocol": "rdp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "ris", + "rsa.internal.event_desc": "uamqu", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "radi1512.mail.example", + "rsa.misc.result_code": "lor", + "rsa.time.day": "30", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3015, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "reme", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "onsecte7184.mail.domain", + "rsa.time.day": "14", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ipmievd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non ", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3078, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "ipmievd", + "rsa.time.day": "29", + "rsa.time.event_time": 
"2020-05-29T07:37:24.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "cloud_api", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis", + "fileset.name": "nios", + "host.ip": "10.74.104.215", + "host.name": "uptatema6843.www.host", + "input.type": "log", + "log.offset": 3138, + "network.protocol": "tcp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.74.104.215" + ], + "rsa.db.index": "rroquis", + "rsa.internal.data": "didunt", + "rsa.internal.event_desc": "proxying request", + "rsa.internal.messageid": "cloud_api", + "rsa.misc.action": [ + "xeacomm" + ], + "rsa.misc.event_source": "derit4688.mail.localhost", + "rsa.network.alias_host": [ + "uptatema6843.www.host" + ], + "rsa.time.day": "12", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "rsa.time.month": "Jun", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "url.original": "https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta" + }, + { + "event.code": "INFOBLOX-Grid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3358, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "smo", + "rsa.internal.messageid": "INFOBLOX-Grid", + "rsa.misc.event_source": "evolup4403.local", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.time.month": "June", + "service.type": 
"infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3444, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "temquiav", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "nonn839.api.corp", + "rsa.time.day": "11", + "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3515, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "isc", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "adm7744.mail.domain", + "rsa.time.day": "25", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3580, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "process.pid": 845, + "rsa.internal.messageid": "watchdog", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_source": "ios6980.example", + "rsa.time.day": "8", + "rsa.time.event_time": 
"2019-08-08T18:50:15.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3654, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "com", + "rsa.internal.event_desc": "tnulapa", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "osquira6030.internal.corp", + "rsa.time.day": "22", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3723, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "nbyCic", + "rsa.internal.event_desc": "utlabor", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "squirati63.mail.lan", + "rsa.time.day": "6", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3790, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "upida", + "rsa.internal.messageid": "rc", + 
"rsa.misc.client": "tvolupt", + "rsa.misc.event_source": "lup2134.www.localhost", + "rsa.time.day": "20", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3869, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ati", + "rsa.internal.event_desc": "uine", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "umdo4017.www.local", + "rsa.time.day": "4", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3928, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "con", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "loreme853.www5.localdomain", + "rsa.time.day": "19", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-master", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3994, + "network.protocol": "icmp", + 
"observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "evit", + "rsa.internal.data": "itess", + "rsa.internal.event_desc": "runtm", + "rsa.internal.messageid": "openvpn-master", + "rsa.misc.event_source": "orumSe728.internal.test", + "rsa.misc.result_code": "molli", + "rsa.time.day": "2", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4112, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ineavo", + "rsa.internal.event_desc": "pexe", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "oremi7400.www.local", + "rsa.time.day": "16", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "in.tftpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4187, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.143.187.97" + ], + "rsa.internal.data": "reprehen", + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ess651.test", + "rsa.time.day": "1", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "source.ip": [ + "10.143.187.97" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, 
+ { + "event.code": "serial_console", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", + "event.outcome": "Success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4290, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atatn", + "rsa.internal.event_desc": "RADIUS authentication succeeded for user", + "rsa.internal.messageid": "serial_console", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_source": "epre6970.www.example", + "rsa.time.day": "15", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "user.name": [ + "temUt" + ] + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 29 15:15:58 tali7803.www.localdomain its: httpd ender", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4415, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ender", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "tali7803.www.localdomain", + "rsa.time.day": "29", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum", + "file.name": "psum", + "fileset.name": "nios", + "input.type": 
"log", + "log.offset": 4478, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "frequency initialized from file", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "uradi6198.test", + "rsa.misc.result": "success", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4565, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.counters.dclass_c1": 2836, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "umSe1918.local", + "rsa.time.day": "27", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4639, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tenim", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "odoconse228.mail.localdomain", + "rsa.time.day": "10", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": 
"infoblox", + "event.original": "February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4711, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tetu", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "cteturad4074.mail.host", + "rsa.time.day": "24", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4785, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "sequat", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "itation6137.home", + "rsa.time.day": "11", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "sshd: Sleep 60 seconds for slowing down ssh login", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4852, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "Sleep 60 seconds", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "slowing down ssh login", + "rsa.time.day": "Sleep", + "rsa.time.month": "sshd:", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 
8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4902, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "dun1276.api.localdomain", + "rsa.misc.result": "failure", + "rsa.time.day": "8", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4976, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "oreetd", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "iquidexe304.mail.test", + "rsa.time.day": "22", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "captured_dns_uploader", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui", + "event.outcome": "Failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5051, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "mac", + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "captured_dns_uploader", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.event_source": "preh2690.api.localdomain", + "rsa.time.day": "07", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + 
"rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5124, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.7214", + "rsa.email.email_src": "ica", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "rem3032.mail.domain", + "rsa.misc.version": "1.7214", + "rsa.time.day": "21", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5225, + "network.protocol": "ipv6-icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.7727", + "rsa.db.index": "itinv", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "tetur2694.mail.local", + "rsa.misc.version": "1.7727", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5323, + "observer.product": "Network", + "observer.type": "IPAM", 
+ "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "oremi", + "rsa.misc.event_source": "utaliqu6138.mail.localhost", + "rsa.time.day": "19", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "restarting", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo ", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5408, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "restarting", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima", + "file.name": "adminima", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5477, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "deserun", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "esseq", + "rsa.misc.event_source": "loi7596.www5.home", + "rsa.time.day": "17", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 01 00:54:32 mmodoc4947.internal.test 
ErrorMsg[atu]: unknown", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5608, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atu", + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "mmodoc4947.internal.test", + "rsa.misc.result": "unknown", + "rsa.time.day": "01", + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.time.month": "Aug", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5672, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "olorem2760.www5.test", + "rsa.time.day": "15", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_ftp_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5758, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "olorese", + "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", + "rsa.internal.messageid": "scheduled_ftp_backups", + "rsa.misc.device_name": "ori", + "rsa.misc.event_source": "dol3346.www.lan", + "rsa.misc.result": "unknown", + "rsa.time.day": "29", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", 
+ "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_scp_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun", + "file.name": "dictasun", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5871, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", + "rsa.internal.messageid": "scheduled_scp_backups", + "rsa.misc.device_name": "midestl", + "rsa.misc.event_source": "ercit6496.api.local", + "rsa.time.day": "12", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6013, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "exiting", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "agnaaliq1829.mail.test", + "rsa.time.day": "27", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sSMTP", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 ", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6098, + 
"observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.email.email_dst": "tsed", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "col3570.www.invalid", + "rsa.misc.space": "", + "rsa.time.day": "11", + "rsa.time.event_time": "2019-10-11T14:07:23.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "init", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6218, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "oreveri", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "mipsamvo4282.api.home", + "rsa.time.day": "25", + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Nov 9 02:12:32 umq1309.api.test uae: debug mve", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6281, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "mve", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "umq1309.api.test", + "rsa.time.day": "9", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "rsa.time.month": "Nov", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6328, + 
"observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "asnu", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "hitec", + "rsa.misc.event_source": "ugit5828.www5.test", + "rsa.time.day": "23", + "rsa.time.event_time": "2019-11-23T11:15:06.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6400, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "exiting", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "ntexplic4824.internal.localhost", + "rsa.time.day": "7", + "rsa.time.event_time": "2019-12-07T18:17:40.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "radiusd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 21 23:20:14 archite1843.mail.home isqua: radiusd uta ", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6492, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "radiusd", + "rsa.time.day": "21", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl", + "fileset.name": "nios", + "input.type": 
"log", + "log.offset": 6555, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntexpl", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "derit5270.mail.local", + "rsa.time.day": "5", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpdate", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6627, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.156.34.19" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "itanim4024.api.example", + "rsa.time.day": "19", + "rsa.time.duration_time": 98.036, + "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "rsa.time.month": "January", + "service.type": "infoblox", + "source.ip": [ + "10.156.34.19" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "sshd[saquaea]: Did not receive identification string from 10.222.251.114 ", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6747, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "saquaea", + "rsa.internal.messageid": "sshd", + "rsa.time.day": "Did", + "rsa.time.month": "sshd[saquaea]:", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "in.tftpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 17 
03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6821, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.17.87.79" + ], + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ataevi1984.internal.host", + "rsa.time.day": "17", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "rsa.time.month": "February", + "service.type": "infoblox", + "source.ip": [ + "10.17.87.79" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6918, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "idolor", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "tionula1586.host", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7000, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "llam1884.www.corp", + "rsa.misc.result": "success", + "rsa.time.day": "17", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "rsa.time.month": "March", + "service.type": "infoblox", + 
"tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7069, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "edolorin", + "rsa.internal.event_desc": "dolorem", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "ore5643.api.lan", + "rsa.time.day": "1", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc3", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7142, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "mides", + "rsa.internal.event_desc": "ciun", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "exeacomm79.api.corp", + "rsa.time.day": "15", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr", + "file.name": "lupta", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7197, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "lorsita6602.mail.local", + "rsa.misc.result_code": "npr", + "rsa.time.day": "29", + 
"rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7291, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "tali", + "rsa.internal.event_desc": "BCS", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "ratv2649.www.host", + "rsa.time.day": "13", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "python", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 28 04:48:31 abor4353.www5.host ame: python tesseq", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7354, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tesseq", + "rsa.internal.messageid": "python", + "rsa.misc.event_source": "abor4353.www5.host", + "rsa.time.day": "28", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7408, + "network.protocol": "icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.388", + 
"rsa.db.index": "sinto", + "rsa.internal.data": "tdolore", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "rerepre6748.internal.domain", + "rsa.misc.version": "1.388", + "rsa.time.day": "11", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7524, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "amvolu", + "rsa.misc.event_source": "qui3176.internal.example", + "rsa.time.day": "25", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "monitor", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod.", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7605, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "eiusmod", + "rsa.internal.messageid": "monitor", + "rsa.misc.event_source": "der7349.invalid", + "rsa.misc.event_state": "diduntu", + "rsa.time.day": "10", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 24 08:58:48 veleum3833.internal.test henderi: diskcheck 
iusmodt", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7706, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "iusmodt", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "veleum3833.internal.test", + "rsa.time.day": "24", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7775, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "aquio", + "rsa.internal.event_desc": "riatu", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "aquio6685.internal.test", + "rsa.time.day": "7", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7849, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "abor", + "rsa.internal.event_desc": "nBCSe", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "tanimid4871.internal.domain", + "rsa.time.day": "21", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.month": "Aug", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + 
"event.original": "September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7912, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uei", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "Nequepo", + "rsa.misc.event_source": "icta82.internal.lan", + "rsa.time.day": "5", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8008, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "inBCSe", + "rsa.internal.event_desc": "otamrem", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "dol6197.mail.localdomain", + "rsa.time.day": "19", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8090, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "lumqu617.www.test", + "rsa.misc.result": "success", + "rsa.time.day": "3", + "rsa.time.event_time": 
"2019-10-03T22:11:40.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8164, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "snostrum", + "rsa.misc.event_source": "uido492.www5.home", + "rsa.time.day": "18", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8251, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.6198", + "rsa.internal.event_desc": "ommo", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "reseosqu1629.mail.lan", + "rsa.misc.version": "1.6198", + "rsa.time.day": "1", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8346, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": 
"Infoblox", + "rsa.internal.data": "ehende", + "rsa.internal.event_desc": "tutla", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "itseddoe5595.internal.localhost", + "rsa.time.day": "15", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8444, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "dolor", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "olu5333.www.domain", + "rsa.time.day": "30", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "init", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 14 07:24:31 dtemp1362.internal.example mips: init itae", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8508, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "itae", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "dtemp1362.internal.example", + "rsa.time.day": "14", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md new file mode 100644 index 00000000000..7a95241606a --- /dev/null +++ b/x-pack/filebeat/module/juniper/README.md 
@@ -0,0 +1,7 @@
+# juniper module
+
+This is a module for Juniper JUNOS logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134
+at 2020-07-07 18:10:45.850265 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml
new file mode 100644
index 00000000000..12ec5964e29
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: juniper
+ junos:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9513
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
new file mode 100644
index 00000000000..1c14aa17126
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
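Review bot: config.yml carries no commented example for `var.keep_raw_fields`, although docs.asciidoc in this same commit documents it as a `junos` fileset setting (raw parser fields under `rsa.raw`, default false) and every other documented setting has an example here. Add after the `var.rsa_fields` entry `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false` so the shipped config matches the documentation. Since the default input is udp and the docs offer `0.0.0.0` as a `var.syslog_host` value, a one-line caution next to that setting would help operators, e.g. `# Binding to 0.0.0.0 accepts syslog from any network interface; restrict reachability at the firewall.`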
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: juniper
+:has-dashboards: false
+
+== Juniper module
+
+experimental[]
+
+This is a module for receiving Juniper JUNOS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: junos
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `junos` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9513`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/juniper/_meta/fields.yml b/x-pack/filebeat/module/juniper/_meta/fields.yml
new file mode 100644
index 00000000000..f8303d0dc88
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: juniper
+ title: Juniper JUNOS
+ description: >
+ juniper fields.
+ fields:
diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go
new file mode 100644
index 00000000000..595fdc9ac51
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package juniper + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "juniper", asset.ModuleFieldsPri, AssetJuniper); err != nil { + panic(err) + } +} + +// AssetJuniper returns asset data. +// This is the base64 encoded gzipped contents of module/juniper. +func AssetJuniper() string { + return "eJzsvW2T2zayKPx9fwWefHhipxx547ycu7579pbPzGQzu7Yzx2Mnp25tFQsiWxIyIMAAoDTKr7+FBvgiEpREkLKTc68/uGxJjW40gEZ3o1++JA+wf0l+KQUrQP2JEMMMh5fkH+4D8o8Pb3+8/xMhGehUscIwKV6Sv/2JEFLBkBUDnunFn4j/10v81v75kgiaw0siwOykelgwYUCtaAoL+3n9M0LMvoCXlpKdVFnr8wxWtOQmwYFfkhXlGg6+7hFV/XlLcyByRcwGKvSkRk92G1CA3xlFVyuWkg3VZAkgiFxqUFvIFr1ZKE17JK+VLIvzCe4yqBkcaROUH0wijCM0TDNQrtcHnw8zt8fB9xum7e8I06TUkBEjSUoLU3peKbojOWhN1/b/1JBU5qAt6dJ+3xmakNdyTa4hlRlurACpbizWJWqY4AoStiBMYokfDeqRTuaRZ4xGzqRSGBBG2x3HhDZUmAqRDlJhWB4mIaOm+0UfP3NY7SCEGrLbsHRDKNGgNZOCbJjRhJK3YH5mRoDW1SosektUT0dvZMkzImALiiyhXv+CKg3kDRhqSaNkpWTeQvXktVzr53c0fQCjn/aGv2YKUsP3z4jxdFPyDtwBcztNtMhcBFnFYQs8yCsuRXevH/DqGgoFKTUeVwYrJiAjUnBEbOiSA8lpEcab63UyYmseWac3/szcXn9FtpSX/vSwDIRhK+b3EDzS1BAu147nqsdMpJ/Z4f2K4+8sSwuqDEtLThXC+8VZDK5ub+io1Q6tbm/k4dUeZPp2bq6/+H9cP851izWW5dMOmVz+kiCpXcZ/RPxbGhYvF0euQMtSpdF30fSpx5+0abi1oQZyEObToKdlxkyScto5Dx+NABBG7T8N6o3VBD4NaiaGUF/2Jq/O2adc8Qxo+KxdduorgGycnjxwo4bsgdYPK1PL4uvdgL3raZqW2bkBe6Of0DKH+dQxSmfjk2jZokEGOYb0JjITg0iAR6MZlM6jlJWC/VpCo4Speob+o/2h4XIlRWqFJTXy9269DBz7LZsqeNr8u7IDsRVLafvUWUP7xprE5B4FHSlFBsqqqAq8wOhNbsUeISMajB3kAPgQhx5WaCs298aerNDWbO4NPYrtfc9JjKUft7l6lI+Y9bhZbqSO1qPae+sHqU1bVPHurtIgMibW1Zc6tPQta/6Pw0EW3iS9jwdZd3u3/YbQLFNWZg0dyi77evMz8o/Kvu130xn43f+9DLTcmuMEd0+vc2m0/RYZoWTNtiBqd8Uf91K1LBqyYC+rVWefRhn6Y3hxBw1eWewTBb9GrVf7aQ
IXCWe23CMfb9zg5A63+zPv/TOUvN8XQFLaP8lLIMDMBhT5cCvMV98Rqcj3XFLz9QuypBp3QuXYX7F1qVAVOjGzsIL3B54ZPrJMMYpmsF0t9FrGO0uO2WXV2H9441WqHVXZBDWmJTtaE2vz6vbupwMNhxIFnHaXhRC91wZyf+V4wuxoG3D7STv22P9LxdZMUF7BHN7eJ2Yar3EceeC8vfvpu8AkPYG9uU6fZE1Rn49zSPJms/VVpVhJvgGagZrpZewHHIzcXk95oXEUtR9qcJi4d5rftROGp8kMfhhaKR63jeKBm90q3FeSc0iNVH9EQWj5c5GXdbtvmCapYw5klpYD1ey17F7y5Agrf4eWSJ4uP55ylkuNwSO5FGS57y0LIQp+LUEbO6BmecH3fiXsj63AJUDTDdEsA/Lkz8RsVElefPvtU7KjmmgAUWM5MtePpK6dMVddSKHhcpNNf0crm8pSmNpeLfOlEz72wOngCOQJXcottKbLRDDaqBIz2iig+eAuT39HS/+JmQEZK7tazXms+CykSdVGK1sRZv5VvvjzV3/RTng+L1BUVWT9q0fvv6yd8pruQZEX5EaktNAldz5ua+qMkqCh0Se6oQOxSiEsX78g/26n+4x8/TX5d5JKZfVHnIVH+oz8/9z8T/tDpskhUz4LLpKQGXxCG0zsIEkp50uaPkzV+Rx6IQ1ubmqcrmwZASIrJBMG1W0D4cA9XOAElJLRsSKNBqQLSBnlSBPSoo1UVlsUe3cL2y+2lLPMLV8ILSErWYrMSmsOSB4Ta68snAwGOty3vZHneDvxm/aIi36Az3suafbx7gyPkGj2G5AcjGJpQFf2Jlr7x2ijucuxEnf2kqSm0eHkqlqYBflB7izz+7YQE0Qqa0IYSR4AihNs+Ui3xx+ELUqmoHWyZVmSxb9D3VQSYA0CFDV4FDPLo5a9smXKlJRbc/HARyoC5jPLmTX48AUQp+vo9Afy9pooKxc1GuvIFqrWYOqfnZyrVtEhFZ98ri4a5vhcVaRjvS9ib68r/9o7yKUBcu93ZaoAr6Xlfkgk2T+V0/sP4OT2mBJdcDbtRfZ3bSpq1lNlP1bYIPstLn6sbdujPPU7stoblTbtxfF/jzcXd8xXjF/kbdGOa5X2u6tXd16fS6mwDGB5IVVXiyN4ofzhHmjLj2U8f3BiH408NAtDDrFDM7FsQBpj0N37aPUtyItvvyM75GwOVBDKedgORecrqg2Nf4HsQIEblhrCgWpDpOgEKx+y6SMoRn9sNgXOW9xDlufOz1JlyBqMioB0IySX6333WWPFVE8zI+Rbkm6ooqlxbLJHb48UonNTkFL4iAF+4NsczGCKSVZzT4zTXLZH3nNQ182t6iRF5bRVdDcoP1CKdZQlmqIe5jzCwtusMk1LVY2oDRUZVRkRUuWUs99C0XZS5UEOZP4F9ggTZLnsifBRbGjoqtE952wFOKeAgaghlSIbUAybJUu0mWaJHyGZiVTmBQcTXMRBdxdFxdMo1hE5rbwDZS623e7t6MFNN7ThDvfP4CbJpTCbs1ndZPWc/2reRDNkF2PPjcguwRw75G9STM/oPCJE7PiV8uNC0t53udQ70BNOxyti4NH4jUy2oHQr2Dc7FrMRWKPTi74Hej6pTVJFKlUG2RTp7Z/LvXDV9ZjV/Va9mdc/bL/B9WWskvkCRy0x8U+nIKhi0il+eckN+9IwUIQWBa8iqJtM8JwKug4lJRHC0TFd2QyOKEerJsx8roncCee1NzQvup4WT7HFZkns73OjSbphVv+VGegFeVNqg4p0e1C7/6kZiEejBgaX4ehxX60sZVuY5w7GhaqGdPNXsAIFInWLSq3ylbEty+ydimsaPvb31bF/32FAeBqPBVMzzqHhuvNTP9r9wgzfu+loKyKsLmDR4jY67i8atTSDBvMzK53q07/oDVoHaMhy/GnOe2rAaZiaS+O3HeoQv5ZQzrhodqe49WrkxY5qgmiygRVC9F+Nn/qoC+dg2l
HndJ2bKMm+zuPwFUkUuiKJ01SKcUfkEOxFBFzUjdeSMpdSfTtqb1AG9QTmKJk0fGBPnbcY110jXjoZiDHGIk17as95ioou+XR37IB2KEuTyhyeOyy1yobRbHLVWysq/DQOVN+BpbImOTPTQl+PkF6N7xMCWv7QY4bf1FSFXu0UJ6nrWFw7GvpjC0jZijXKYFhbcE7Oobxfr3vM8XIdYGLtDmBZE/BZmaKZdz4GKfMq/XyM/OnQRmhruFKRH+99SBHT1aNT10JG/BWXh7IedCE1G3UIz9oBaAiIzFUFwFDE6pQM5nOX3CRTEtlHHmtR5qBYOvZcB6mfJaL9COntqPZ6h7oj7k5Sj/gtiEwqH0p0lHa5/OUiWdLV44Jc/gJpWMe3qOfIk+qxzMqb46id5JtWq+Oz/tb3WW3+yHpLeEPryCkhDaFk47Myw+FBXK6T6tnxQkKu2hCjhdw82bcHkuLv+MSNtd3wKIbVO8lZup++T4+csTtE4YvMCb4fkFMlnxa7FWbCu5IDog6LFykMPE7Xd2qUt8JZ3k0FJJpl2v6FVwHlFcpQOvCJKyXdULGGRMBu+rkacn7DrvVwg5ejMYotSwOt09aP5tOOOKvNtUV6+Bjqgo4QDfXsOZtQAufYxFEp777aOnRt3SBgSmDctZ10VTRFN2/lagtqQe7BMbbUoBZ0DVjqzkfMraSqaOiNXQ3j9LoU4YmDb2VASkWWSu7sd9WnXo9xqvVgrbbb7I4qM96Ur0HH25F+98pebsR8u1fyrFY6LrV5ZQHeZR1/g7wShHJQpn53Vc2w/jPnmvVHsZVshs+zAYUqI0KKLxUUgNrqsdcoVBznFbJpqZTdmrVOiquBOsJz5vy/lWOzR/uOmY1XppzsI9eIcInxoYJI8eVa2n8fkYx4eSYBpWTSzGjLGf0cUVgy5IrYk2YY6AW5b85nt0xmOyY5lqYrF8xeaquouqQH90SZeWHlmUdJykttqm3j/9NjNYIwbVfDZ+Z4a9GqTfjt8NV8gVvZ7fSw9eSS1qeoA5+fUp8tHdeIh1CtZcrQW2M5GtT7kemv2QO8JJQUm71mKeXWzHt4RgqFFWmfETDp52E1iyoazh4YeXm5+FVFczCgNCmoxjoFGhP3XGZaKvPcSgR58HjTD1kFkx5VNJz0vJyu0VqHCwhqJ+xSmRdl/yxEsZ6SHROZ3PnIm1SKFArzrH4VG5xubyKrkvM9+bWk3DltMplTJvz5FC1EXA6I8ra35vxr/MjkrDLymokHyHwUbRVYRjXa616Btd98ViNfsOwY83kvz2+i2GjXqXYmYBdFRQCW4b4Q5h8L7xMi9/1U5/rRA1TOuiWqpzt//KhIj9uHx/W0r0fraSvG5zgvNdnf43j1kVCQlSmQygMMYSeCBsUoTwI3xASxeY+DVkpXV+a3hLqVqYM2GKQPeiARbA5/lB/fCu8N1Zt6t1uVIxDNXloL04qmKsK0Dme/qkbqlCqQW1A1moVWqYWq/9/PSiBWvgnCMJ6gFCkHquxHWDajIc2HsXsvjapSBE77J52oKPu56p9YRqcyXzJRV45ri2ifgKBGyOstU6We37vRvkMRxbCXY67niMDGvXLjuzorwx4ep6XP4HirWeA8XLfX5K070098ShxxNfZ9kofF/vSY8+syvsCW6+v2GtniQ6vrA9m34w595y6IwRG5cEttT92O6bCpsdX7aXUTD19JfFKNu+SO+tCEM5JmXVvLvqt6aHJ7fVIPOt8ncUIPsqhfiKzRhxbkykXr+2pB3H1xXBeyf6Q6/MVXn3kHxbI0dRy/NLVwLgUH7eYunYDdSbKlitEl70WMu4Q2JkjB6cCR0yD0xAzQg0Vpq0Fu7IU99fbWrGLRmV2r++e3d10NjPiSSs62G8qWGWwjcHZkfOOLdWSQW2HIPVsLisdyYCMVUk0r3/R5TxbYrXRX6RQS66ngPy2q1qnBvZDJwPK+/fE9YSLlZQZWNPjGLBZ8QZ7cPNK84PCS3Dnj0w
2Lsm4RtkHRw36BdwY05htRG8bN9INV54KYRwRtt5wzb72ofMf0w5EHDqPYeg1qSuH68LR/ansaPRbUfDYK9EbyzK6xs5oGenUcPEfNYsX136O8DHvyzt2MT+uEwtvrcIDl2S9W1rROZn+bR87693lsZuJ8GrpcfmkRSoEZBSss1yuzMh3S073Kc7HYgTZttWyRCjOvrJyrKBioK09VtqPqUrEW/VqJVhZRL3otmQNFup5YkUPJG5pWlb3CipM9zjNrslJ8WSk/6viJdhZDRCMkBVRHxERpQ015vmJV2+CU8Quqlnb4pXwkLHs+LHWtxC/nocHi/NArheX2lcUT3uiV9J1cVb+3Ya779fRjhDATsjz/zaAVu6nXETvQSodxZljPo/PNaNDpVUAOmP+Kc3taiS7TFLRelZzcWAwklRloy/yqSFNYx2Mig8fRk+BMmyH9YeJpwqFRsVUVmiUo9OrnVDGOL7UB/4B7GxJrQpERX1rYIO0iasWr3noX01z8+ORJHalSgNKFT0hwZ6o3bX+FNIFxVY7z04GgcWdi96X59EfHVhs5JN7Zye7X9kvKhCYZGMp4wHRaytK04AaIl/wCMSmV14bWcQOIaViEG8gLPuHV9lXVarFqYdB6QfJRKlZ72YLidI9hykZ6sU6eBPa+/QItDQ8NqyqPxfnctGGmxFIdJEh6o6X1k5JPH4yRXuGWbZnS8diizm4q89zuzdgFu3LwhLXCiQoltyxzFnZVVyDUn7G+a2R6zIE+3p7+nvHm7k/b0Qrha+exwEfmS8mvavzLyq9f5HLQbo2ewD/k0rsswzu1YFPKA11jUJJbn/u7W3Lbu3DbiCbU5vExmcdxjAo8rrMX1iNV/DE2sY+iCqtZ7kAlS5lNjznuxW13r6yqP6zFNnB9bmJyp5wbbZa8m5bDxadruDCb2gvI1iyrXZQDxng+XlPuJcGcdTOMuapr6opymoCsug3dfXBZnJUbFB/HHiEt2zaKe7ZeQiiloMroPfZQNoshFfQUZYcGVR0NT7eUcdp30JHaPUQwHn4FSg1UI3T7Mezhms+v61W/3CcEOyd9378lq327GJABLE+WZZbtI+w7licj41RbkKWGoUJiR23RGBjF5KhsqU7AdKLLeYLtmG7HmrhaKthwso6TbnLOPc5QcfAm3tAdrcb1dXwa7pV6PBe2M1oEVz/dkCc+0u+nklu9ZMk4BhjiS/PNYyG1/eVT8mXfjBFdL9+DkDtxoDhqSEtMXdsejj7QNSClsxja3QCQqyrT5q0PcH0Na5ruyYdBBZazpaKXSf3xQx+wiQmSUyZW1jI6+khVUIW9PubIqDpQEe5wYPJWZi7gqClu0HrXDqAlJ+5ffHyxU43XKA/z6t/CjvxQClSf38gMOHnCxHbxxTPCZPqMLO1fYP+igvK9ZnrxRdiPbNIiWXHa6041/gY+1LWu7ggOi/YuSpV9VUBYro4mbRk5kRb36dJTUiVMaVB2QwVRbvOxcqiD+6c3P1v7/b0Lufnii5/e/Pzq3c0XX7gYmC1VlA3ujZ1UD+MSMk5u5Z+rIds+2kEzmYrx15eP7RybG1iLOJpaEbiPUhdXUoHQLB13oFrmZBTWPMaKCni2zgdLdpSN6TTehBykMmJJccOMT0jR5TJ6G5hlpo0an8mCuRuzdAN/Np8krSL4pjgOYoMTm5LAvYvJBwc2cYo+PtEOsWKDBmM1mQnOidjJBDNXAxPpBlyGhcWRegrjDR9Lntem3vXHbdQTV3v7Qhsha3mXPKqjZFxoCSu/+TEKpJzlAfaA/y1t+4mpI5+ql2usyPEUzeeAdX/K11+VQGLz+EwxHHZFGbf8qhIO7/z5u71ux/Vi9rRVgQ2sA4lDw2/xVVxPYq/yIMUxwT0Y0uNjOq1lVIqurdrDL4bSeKfifwuP5u8Q1l9q7HpIi5mK/Z6K7D9k2LPaYDfUsPApm4y/P/QBel3qgqVMjoiP+Fi2BdK3o0r0XW2fnjgt8iKR8cLp/u
2bO/Kj83g04RhhVL/O/Pxy/5+vya8lqIFqLSUXiYJu1Y+pTz4t18WevKtCaoPPu7Welo4S/20wOb5MmwUrBozHU3Am4F49AzKLKURHOVV5FF8sYJTxQotRYf81WJmN6AxwADU2F/gAOKOme3ufhlyCSDc5VeeHxdWQ+4L2Wjmc4YOkae9580yoZBPB1xRWY4Mpa9DVGpNJowDl8pcouIJG1NZzma8Ri4FO/6GesschMVc7B3vdRiAWCU2xbGFMGJuF1mKUit4CXa6L7Tfi0WwipGUqktQoa6OMq0zVgrewQ966M0C3vNcQ+ixYEGsmRgXu9oHjYkpEskr0jpk0Yl+LZMXlTtM85rWoDS3Mdgp8lB8rFQkT07Y5EwWofLkfEZLTgy7Sh1hwbI4WBVokhZJGJjGuOITffpOgzRoDzSfsNy7XyZjW/x3QmJfQVCQ5fUyMOV/hPQS1K8whSizkTEQjZmIK4oLrhC95Mt55egD950ngEfWAWtDjs9Tb0OMjotvQ306CDjdWPxf63yZB/49J0H+JhTay4HQJcVu9ho9RlUSSlxwv7+U+Sp5V4MVDlBzPS87WeRF7e9v7j/L1+EcjD8vihLiGX9MY3Vsk2j2ZRvFKqzRWO7OgsdqZ3uuyiKqPnYo6zDpSuTPSWAUDHqO2tpHGKknx0KieRIKXgj0KKqSGXtvMs+C331nao8XC9jtZmA3QLMoEknmRpDzKhragUS4NhFTYJisOVkfCFmUS5Z9IFTMspTwq6EsndA0i3Y96U2pDC8r3v0G2jMO9TTAZPhLWpfHEYnbP2ZHw1kL+LtZC1smSmb9EJh+mOhlb27QDqmTEUdaRmxPhIFUxsXjaeQJG1JVsgYLZOG9AjPLtwPG6igR3tW/GZGi2oFeMQ5wuopNVHLvYalwA8iFonKTV1ggW8GiSyGNkbeBMm6JX5OdsaK3SSOiqc1wUrFwnOWRsRDDmITQTsRzPZVZy0KmMm7UHZ+uoUyELvaNmZCeKFnwoJuBMUAVrpo2iMZp2Ax11U7lOipFTVhPmrLGOiIo+nS6qwS15FDw2Fo264lzQUTzqKZfzbiOZTlyd5xj4PVU0csGzgbDK82C3roPBeEimDe02az0LUJtlqc4vJFrBgau5FgdXRuCLuYerWNLxgFi1ZxVTCn04YvoY1Jpm2fhVZ9l451yVQBMlUViepErKPDL7xoJGKUUsT2If4XzuTtx0i4eIZKFCx6Qys0IXio0G49QwU0a823AmYEwqSQOnR9biqiEx8DHGBOHSZTQnKy4jhGMNHhUCYDW9iP1uwaL2utUNo9BFeG25XEcupVhHbrtCqvGHI1+W67itkzOdxm3XXEcuYFz1GQEGU18iICNOsSsNMP5VysGNf1ASu914XSEyTqhu1xABGSHvpWLrJFCt7QzInQAVI1uKJLKDYJGMrCDdAEa1cWjAo2aJJ2n8JvWAMe00ndIfgZJqbb9M0s358aw9YNeXczw8qHxt7eJeRvV5sLtI0Bgx5/KXPnzoVPo8C1TJdUJ1MarkRxt4TJeHCk4B5XE3j4IUqXXZqtHgMZO1sGMTdFuwUmVRWGNMNB1lfWpnfUZ5SjWMd5G6crpRaoSGX2OYGUqDHQEXpbhoto46mLoYb7dolcatvEqziKtWqzSU5XsW6KiWTG2oUkfkTG5TMT4IIVgx9DSYS7KMaBq+NjGL4MBivEZ1xcjxkPsiInO1zJaRr9al4lFSqdSgkoyNj9+MLExS+UTiiDVpXLv8bcKENnQVJUm3TJm4q3hbiKgUByNVKS7Sq/VVaSR5VwrSG7z2Qk8qEPcT5SwjVwoyZsgVVZnPGTvSlsbXv5o006E6kDiMa7qKEbOp5CQUUlJ7e5mYMvubvOByD72CeCd5sJLliPT4c/vybqqWOlhbTMEaHklOu6G7jUdPrMtu2ZUZyOBMY4GNanzdbqWpywJL1PdTJQnZbaghzJDCtecPE33sKXVMqZBwe3dX8bxCQpjwlQwGMrs5E9
MrYLeIseO1KdHEyDU22Vk0v3cdI3rcE7AFVRdRMpIUVGkgb8BQrDjsTkXdL408eS3X+vmdC+57Sq59GS/XnqQ3OqYRvwNfLBbJFuQtmJ+ZEaDDa9XfepHsWWE54Xo34/BuOhqoSjcLJtiAwavoPMUQOsLG9dbjTMBzTkuBtVPXZe7L0h8phdCpfHCE6jlS5muq60R5X/F1QKW3zEzm7YXsem7Zgcl7eDS4O4eMgos2oG6KxJ3oQY1ZuZNKFWNergZTNQc+kjp/7N17fG2IqpXsqhrXSbCuhVe/yR6aRQ5rvzcI1jPQL4P0j6vjfUbn7Aweb6+rQ4SjD5VsH/kQPXK71C0c3ON+jY/09mjNTQ9xKYpEXTC6pk0qV7AhyApCqCYaQBz0yQwbL4oKTdNZiq32ssTd4MI3cKpba1fdgo+QVYDKmbsI5yOrGdQVbmFbxmENvpcH1ZqthWN+U5l7oK0BXc7VrX5gyRHDkR23vGBricH2IaFt3qJoKLcwrtJNdV+yrGprW3dMwoaNA4eOkEBMTq21KRgIkhqtQFaNwhrBW/V3sjgGVNidYgOOnhnxI5KB0oWXnH/dP7NHQOsBcic77+MxVw/ljOpkI2fQ7jrdMbEmTlMGCjv6tAoehWOqiduglh7hW2wLaQi2yly84lpa06bTvASrkP/gIRbkldjX/+uNbtA60sIQmi2qjsZhwRTp/LKkT1GWP+vyEysPHjCV+bbO1ppoVyivZh1uJOx3TDLWs3quwUr3oMi/1R4D/dwjQvRD/UvGxm1dfu+JhqqD3XeUp4NhEqdkwefdsjiuJd3bH9/f2NmBAmc0okcmYzpVUFCR7q1W4i9/3u9la3nwjLx/85LcCvP1i2fk9u31zX+9JB9uhfnuG/Jkt9kT4RswphupfRk3qaz1ir/66rv/9f89Dfe+A7OZJC+6M0YJtMhpuDSSnrxHRh4oX4n/tkIbPkzZxyarfc5P0DaY8Hf2xRSiqKPYNDpo1dz09au3QXJ+kwKm2OFx6/e/pYBFmD+/jekD8BEuO0vqaVGDbPw098oRXq6pgR29SGFp3GV35JVrnlftthDC+jpJ82LY/z/Vr3l79ebOyeHhXvF0hl5+Q6a003Oq1qW3dxbZgFVv+TBYC2YWPtjRh/lQ6QCJqyk292Fr91rIXEc6ypunilYl8rDsnnWZrPKOh0X603J9uFA9ZE1sTaTOcK6YpuStp+FOKlOLqJ4Qcr0nkIm++/xxSaRn55+jmIl1JT4rwt8MMU9ASL+fz0vk8aMNQrWWKcOi8Wgt925XYuWUomINi1o9TqVYsXWpICPLvW/u71rdD3SnGUwp6AUKD2hTwWFXUZkKfJR+1w6tjDCYFOTSQOJjhGJefmOmmAmd0MSFT0UBF0bFgq+i2LuKisXmcRsgPqOmiJoczZLKGp/Wr+vQtrC0LLrjtQ2Zi2gLN9awEmDI+30Bz8iHSsy9RhP5a3JXmcg9OfLj0I1aFa+a5cIYUOkrskjVtZNyHrwwiuaH+EBPFYYObEEZ7DxjZNXgigny4XbwCKUY0jLhDMa0jRU6kUVUoTwLqkCPj6OxgFEhfk4mjg+IQh9UFEZXpibhINYRNR8Rr70G5nYuYVMivF4obzkHBUnxAcdaUd9LtaMqCzUDe4Vt6tDvfqfkI766L8HsAAY6GY/OAR77IiEN5W13r0NHsJAJvjb15uCboCnAh6CcGXvUfFGh8CS2nIp53lXOcAdUz2oth0BvCocOgsYHuLXa8xqV50OJGOPPhhSzLbZj8kjPe0OhyrC05FRVzdw8mic3jy9fy7VcrcL1qSFNzAbmbnz73g7pu/c3lN1YyixBr0qzAWF8KNUgYXP1Hjt8rizrtoZh4j5oUIMkydKkcm5u+UGHSbp3HbgHqKp65Ey7fQ8oQsykarhytPlrhf0C7ZOhQ4U9xegG1oUUGbZ0lUEVoAbsNyU9pHs7Jrt24DagxOXZY9wbZ5DVFHt7q6PXMEE0M2VAohAMkKu64P
lRN1QTmskCu4JtgCkid6LTGIkY+iiFzAeiXaoa9UkvHGmGy8+qYUxk9ixLpZv2fq6L8KuqPH5voue4T0RNujsbg+FU9Qwv9Hw0OMl7/4o07zyPNRFrTXVcVseEqbqogHsfVTj3XIeDQ5ZyWnxcYHpL2NAtkyVqNtaoUzJnA5EOMD/6G0GXHMOGV+TqOHYmtuM7n4XI6NJwoNOQIIoDGkaWF4sgIYChpmD6GrTulWZnDy5/E8JeCtMNUY7R+TJM/kjSCV1x8ZbBTuYsrQjDaWHAQPexh5mN63UeqNJIPDmL9KuFNmrYSV5RHU58/WRUvzhOtb8WHa5JlAfNiNokMizHpq1e01BQwKCT03NyRGrUSWZiSvpEVqozN0C4Kswn2wBfn0f1V5N7ogeJ946jU3PoUY9zao7eGcfu90z/i5P0q5n57zb8LNSr09wfUZPi4xzVE1KvPqq/503z9Wm2n1+A6uOw/TxZo2Y+q3Pu9TNO6sybZk7qe1umVgoz16Vzsm5GS7NJcjAbeRFvKj3wcxGHyP9scGEwe1fJiZb6Ef/uO8m9r8miOrJDom3L/1p8++c/kyevr1/dPSXXTBsm1iXTG8gwMSeIjcu1nCE/9phf27foRkx+MfCHA2/eSk72lxyLvbe8D+Go9yb6/EaUDh+zMVMMiqszI1ouDcQaeqegIlREqXknp/z8LP4Oqe9oxkrtxiBSEc1yxqlyh9kKErtbU7yPwqG6eGY0m6cXbu2DbEeZfbDLVXlAOnUtmgMzJZLwlTh2btD56ePDW/4nbzrjN70V88YutAIPs7CjRappj2I91y2yS6o1Fey3I7FOYsqCncuwCG61V36AZSumglH80dmv39sBUT66pHKXpXsQifQDUG42KVVACgWZzJmgwRDr1lG/o4aBMPpk4Bmn887nNf2k03FFMKCI3l52C39uhUBBlcG032Yyx4XQrGm9/uCeI39WkIGiBrJkRBjAkVXENuTVmLWr+07JLcvqdHX/O1oU3Os5veXzKbJWkB9qRAO91OtpsGy2edSD+joOZj8wkWChZ4wq2TL35rTpKnYDhQNqhWZcKf2xWg084l3eAmplioSafDv9B7Uhqok2Ujn5aEfLwVDE9jn+amF/9Xl4fjnLMg5zSow3OOK5MiOwRC0ZEiUzquJ5c03ozo/XytEV++rF4xkpOLVstzeSVAREqvbFkBcRg1dmsQrOiJdQtYXwg9SGvKHphokBtT2j0Wf0sy6/PgiM7CsU2INqb3WXVq8X5HVGC/IT/sfd6pkULh/gX/3rgmzoFux9z4Eq18KaYH0JXUihodIDwkkDdkZJv+31BNnjayOkihlQrKrSIdwEXUWGYUoqomchplnmd76IzLm0YH3RqW6C7l6rCkcdpAFb/d9fNUwTVYpAX3dCqH5WS2L3muOSqQcisv2Iibci5mAmJTsmMrnTRBeQshVL7TfPQnHjPv6ov1HtBBxFzasveaKqrue1WMZnhqctfpBS4M31GtY03ZMP+rDIT/0ekncTHKKiluwos5hWA3dYW91GZBg1jZvB3gI9vtX5TIEspoMMAQyz7TPhcGJzqGtD1Yac8haYE84huCE8TMR05oqXGpqMj5zyzr1Kctzg5IZrrfTpncuJUTsdD/nbhNA4Vva4HE5/O51agsGN48ozD0aA46QyWDHhfYF41LEWRE6LgWIUiH8gzPpC2Btzt6N6xAiS2t80fQY+H3mgekjtQzOGppt89lJ0zbjIGNLTgttsiyyouWRiTM3dWXeaJRvD36cK/cCxbQfjIvNcGa0mFSlQj7xH11SZfYKugqpqbe3HzxpidxvWK3hG7D60loUL0TtrAiai4qVLhZNqXHvGzvT/qgsq/nYyn7NCdVjrrFLSQiLVTu2vz3H0E9Rf8MLt0V1VRTtO9+BaJSCMkkX4GGayXPYMsrP2mh/VWjdwIrQRqRjZyelMKq5kXliDtNr5uMGxwYnTPLegrGhNrNkcvpCofpge93viLHZ0+g
r3DqZXNlv9Gv/G9X3J+Z78Z0k5WzHIyDVmwzjnRRDZDpZJKuUDu9iT0s+wJA5DY5NQPqSXRdTWaR57itK4NjhD9chPn4139SC+lqp3Wznv3IK83xeO/MaishN0fB5msYJVMrI4Tocwi8WZYOpzHSq000U3j7OgVjAO8TvvRSFV5dnD55V3rwcWppWtOnpZq/kUUyvGHpmOHfukH64iREkZfc8dorUjWa6RgpqwgyMVCdXj3qNaoCq2g3qp+Ch2t+BGcadWwZNSje/3W2DfM2wOHYMyQvQdAo8M0TgE9rsg6jjAowGBl2CMwmZHGLG69bW6UdB5oIy53dww88SQH5zo9zgwXnXP/b+vPJLn/h/+1Tfk9KIcVDiGwBN80dcSR277sQT9GK2CzD2CM1822SqLTKxAqQEffX9mM1HeVodOsi/o9JiFjKp60KrFysD2xWcMOXn7BoaZcSPcuNcWuwHeY1yQan/0T+g/Qg8Xu2fFBtRcVo3Vc/yb75MrLKj+lFwhhjByUGa2RMkBXl2B8oXv4SCm40iJHZj4WNBiRmtZ7LCf61bdpaPrwX4b9hOMT4sMrwm5Z78NpO88RJ/B23/eEAFraZhjc7GheqA+rU7nT95tMdwNP1zQ2y7IhPq0vQfAzlpXBb+qeM/wg51mI5srnpcnXNcSfz/YVsOePaZ1GdMY2sLio+4U+3malw9pAKUmehZ6rGvLixs7PLnHJ4Njp3Wm16W63pX37T+5x3CO4yK0JS+GyBgvL45QMSw0tObJdtpd0nWReydO2CWX2C1Ay4hiGjoelD2AtwaiU6I+awo8tgUlyotviEbfrVTk9v7VP9/ckTsrP8mPYqAiZUNPdN5HDD3vdzJMDx7LdAPpg45o9tYIlqm57aEi0HV1kzr1HAM0fOHu5twf0VVAsV75jYuoKg5TnbU3qL4hVdhibT4x2KZjSznL3IYIoOke/RnrSx07+jjrB9jrrig6e49Fd0LfGFPohGE3gkhgZGkc2en5Lb+m7D22FlW8o1TM7E/sv1Tm+cRc/jMpc5i8SRlOr9kxBbyrXceYcDtORTKqD/XYkARdNQ342dNcxciGDXRMbkgKyeYJAQqR5HAQxIFow7oXsibdUCF6CWjTE5X9uIhqwFM+W/mlWuT5it0/v3711svc5x0EtagzUnW9YjHbK2P6IdlKXsZP41XVA0P4Wpp1Z5CqyUIpmNHkiUOjn2LuGiYTVF0QAv6igSA0Xkaf8Neemg+CGf9csjgMRtuCwpeSVclJKkUKhbEmwL3j9UCK05hO6sG6Dsg8a2xULUQsKdj9TVoe/fAfr0LBJEHWxewAqdaXCFHohpYdOD2W1KXvBRMY/37z493tHXlDH3Mmsrp1SZj9lvoLBDIcFPoeINwT2qP/GOH1FRwOwY4KCHKR2cm4Jp6/80SaalJzN1rykur22tfj8XiO0sDnZOwnzuip5pT/N8g5qIMjRdbXRmJOElp849pLj1Rs6m5eBv3AztrNXWrAM6LLQFgU1eSv2igp1n9bcpo+cKYNZH997j97Vn/LxArS8FcrpmBHefCapUvegiFUZERLMrB9FKyZNmpvrZ55D2ZBzcaXoquxkC6WHhmT2g/2CXGJEi62NZWqVb2r1lhq2kAYtf/T/wkAAP//eYqtUQ==" +} diff --git a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml new file mode 100644 index 00000000000..95d8bf8a477 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Junos"
+ type: "Routers"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/juniper/junos/config/liblogparser.js
+ - ${path.home}/module/juniper/junos/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
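Review bot: The `{{ else }}` branch emits only `type` and `host`, so a network listener configured through this fileset cannot be given any `ssl` settings and forwarded Junos syslog is accepted in clear text from whatever `syslog_host`/`syslog_port` resolve to; there is no way for an operator to require TLS or client certificates without abandoning the module config. If the fileset manifest exposes (or can be given) an `ssl` variable, pass it through next to `host:`, `{{ if .ssl }}` / `ssl: {{ .ssl | tojson }}` / `{{ end }}`, so the tcp input can be hardened the same way a hand-written one can. The branch also assumes `.input` is a syslog-style listener and will emit `host:` for any non-`file` value, which would be worth a one-line comment above `type: {{.input}}` such as `# non-file inputs are expected to be tcp or udp syslog listeners`.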
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + +var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + +var dup3 = 
match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + +var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + +var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + +var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + +var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + +var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + +var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + +var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + +var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + +var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + +var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid}[%{payload}"); + +var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("payload"), + ], +}); + +var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); + +var dup20 = setc("eventcategory","1605000000"); + +var dup21 = setf("msg","$MSG"); + +var dup22 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup23 = setf("hostname","hhost"); + 
+var dup24 = setc("event_description","AUDIT"); + +var dup25 = setc("event_description","CRON command"); + +var dup26 = setc("eventcategory","1801030000"); + +var dup27 = setc("eventcategory","1801020000"); + +var dup28 = setc("eventcategory","1605010000"); + +var dup29 = setc("eventcategory","1603000000"); + +var dup30 = setc("event_description","Process mode"); + +var dup31 = setc("event_description","NTP Server Unreachable"); + +var dup32 = setc("eventcategory","1401060000"); + +var dup33 = setc("ec_theme","Authentication"); + +var dup34 = setc("ec_subject","User"); + +var dup35 = setc("ec_activity","Logon"); + +var dup36 = setc("ec_outcome","Success"); + +var dup37 = setc("event_description","rpd proceeding"); + +var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + +var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + +var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + +var dup41 = setc("eventcategory","1701010000"); + +var dup42 = setc("ec_outcome","Failure"); + +var dup43 = setc("eventcategory","1401030000"); + +var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + +var dup45 = setc("eventcategory","1803000000"); + +var dup46 = setc("event_type","VPN"); + +var dup47 = setc("eventcategory","1605020000"); + +var dup48 = setc("eventcategory","1602020000"); + +var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + +var dup50 = setc("eventcategory","1603020000"); + +var dup51 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup52 = setc("ec_subject","NetworkComm"); + +var dup53 = setc("ec_activity","Create"); + +var dup54 = setc("ec_activity","Stop"); + +var dup55 = setc("event_description","Trap state change"); + +var dup56 = setc("event_description","peer NLRI mismatch"); 
+ +var dup57 = setc("eventcategory","1605030000"); + +var dup58 = setc("eventcategory","1603010000"); + +var dup59 = setc("eventcategory","1606000000"); + +var dup60 = setf("hostname","hhostname"); + +var dup61 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup62 = setc("eventcategory","1401050200"); + +var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); + +var dup64 = setc("event_description","unable to run in the background as a daemon"); + +var dup65 = setc("event_description","Another copy of this program is running"); + +var dup66 = setc("event_description","Unable to lock PID file"); + +var dup67 = setc("event_description","Unable to update process PID file"); + +var dup68 = setc("eventcategory","1301000000"); + +var dup69 = setc("event_description","Command stopped"); + +var dup70 = setc("event_description","Unable to create pipes for command"); + +var dup71 = setc("event_description","Command exited"); + +var dup72 = setc("eventcategory","1603050000"); + +var dup73 = setc("eventcategory","1801010000"); + +var dup74 = setc("event_description","Login failure"); + +var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + +var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + +var dup77 = setc("event_description","Unable to open file"); + +var dup78 = setc("event_description","SNMP index assigned changed"); + +var dup79 = setc("eventcategory","1302000000"); + +var dup80 = setc("eventcategory","1001020300"); + +var dup81 = setc("event_description","PFE FW SYSLOG_IP"); + +var dup82 = setc("event_description","process_mode"); + +var dup83 = setc("event_description","Logical interface collision"); + +var dup84 = setc("event_description","excessive runtime time during action of module"); + +var dup85 = setc("event_description","Reinitializing"); + 
+var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + +var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + +var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + +var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + +var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + +var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + +var dup93 = setc("eventcategory","1803010000"); + +var dup94 = setc("ec_activity","Deny"); + +var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + +var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + +var dup97 = setc("event_description","session denied"); + +var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + +var 
dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + +var dup103 = setc("dclass_counter1_string","No.of packets from client"); + +var dup104 = setc("event_description","SNMPD AUTH FAILURE"); + +var dup105 = setc("event_description","send send-type (index1) failure"); + +var dup106 = setc("event_description","SNMP trap error"); + +var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); + +var dup108 = setc("event_description","SNMP TRAP LINK UP"); + +var dup109 = setc("event_description","Login Failure"); + +var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + +var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + +var dup112 = setc("eventcategory","1701020000"); + +var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + +var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + +var dup115 = setc("event_description","User set command"); + +var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + +var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + +var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + +var dup119 = setc("event_description","User set groups to secret"); + +var dup120 = setc("event_description","UI CMDLINE READ LINE"); + +var dup121 = setc("event_description","User commit"); + +var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + +var dup123 = 
match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + +var dup124 = setc("eventcategory","1401070000"); + +var dup125 = setc("ec_activity","Logoff"); + +var dup126 = setc("event_description","Successful login"); + +var dup127 = setf("hostname","hostip"); + +var dup128 = setc("event_description","TACACS+ failure"); + +var dup129 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + +var dup130 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var dup131 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + +var dup132 = setc("eventcategory","1003010000"); + +var dup133 = setc("eventcategory","1901000000"); + +var dup134 = linear_select([ + dup12, + dup13, + dup14, + dup15, +]); + +var dup135 = linear_select([ + dup39, + dup40, +]); + +var dup136 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, +])); + +var dup137 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, +])); + +var dup138 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, +])); + +var dup139 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, +])); + +var dup140 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, 
+ dup22, +])); + +var dup141 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, +])); + +var dup142 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, +])); + +var dup143 = linear_select([ + dup75, + dup76, +]); + +var dup144 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid}changed from %{dclass_counter1}to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, +])); + +var dup145 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, +])); + +var dup146 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, +])); + +var dup147 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, +])); + +var dup148 = linear_select([ + dup87, + dup88, +]); + +var dup149 = linear_select([ + dup89, + dup90, +]); + +var dup150 = linear_select([ + dup95, + dup96, +]); + +var dup151 = linear_select([ + dup101, + dup102, +]); + +var dup152 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" 
interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var dup153 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type}[junos@%{obj_name}logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, +])); + +var dup154 = linear_select([ + dup117, + dup118, +]); + +var dup155 = linear_select([ + dup122, + dup123, +]); + +var dup156 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}OBJ=%{fld7}USERNAME=%{fld8}ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var dup157 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("payload"), + ], + }), +])); + +var hdr2 = 
match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid}message repeated %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("message repeated "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time}ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("payload"), + ], + }), +])); + +var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + +var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); + +var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + +var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + +var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + +var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, +]); + +var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), +}); + +var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, +]); + +var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), +}); + +var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + 
field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}IFP trace> %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("IFP trace> "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup9, +])); + +var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0029"), + dup10, +])); + +var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0015"), + dup10, +])); + +var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0011"), + dup9, +])); + +var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname}RT_FLOW: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0027"), + dup11, +])); + +var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0012"), + dup11, +])); + +var hdr13 = 
match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname}RT_FLOW - %{messageid}[%{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("payload"), + ], + }), +])); + +var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var all3 = all_match({ + processors: [ + hdr14, + dup134, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), +}); + +var all4 = all_match({ + processors: [ + dup17, + dup134, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), +}); + +var all5 = all_match({ + processors: [ + dup17, + dup134, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026"), + ]), +}); + +var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + 
field("payload"), + ], + }), +])); + +var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0018"), + dup18, +])); + +var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0028"), + dup18, +])); + +var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0019"), + dup11, +])); + +var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0020"), + dup18, +])); + +var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time}/%{messageid}: %{payload}", processor_chain([ + setc("header_id","0021"), + dup11, +])); + +var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0022"), + dup11, +])); + +var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0023"), + dup18, +])); + +var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0024"), + dup11, +])); + +var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", 
processor_chain([ + setc("header_id","0031"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip}(%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0032"), + dup18, +])); + +var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), +])); + +var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), +])); + +var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), +])); + +var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), +])); + +var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} 
%{hhost}node%{p0}"); + +var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); + +var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); + +var select3 = linear_select([ + part8, + part9, +]); + +var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); + +var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), +}); + +var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + +var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + +var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + +var select4 = linear_select([ + hdr36, + hdr37, + hdr38, +]); + +var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); + +var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup19, + ]), +}); + +var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), +])); + +var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1}qsfp %{payload}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant("qsfp "), + field("payload"), + ], + }), +])); + +var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ + setc("header_id","9999"), + dup19, + call({ + dest: "nwparser.payload", 
+ fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ + setc("header_id","9998"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("payload"), + ], + }), +])); + +var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, +]); + +var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","sshd exit status"), + dup22, +])); + +var msg1 = msg("/usr/sbin/sshd", part12); + +var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","telnetd exit status"), + dup22, +])); + +var msg2 = msg("/usr/libexec/telnetd", part13); + +var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Alarm Set or Cleared"), + dup22, +])); + +var msg3 = msg("alarmd", part14); + +var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup20, + dup21, + setc("event_description","Node detected UP"), + dup22, +])); + +var msg4 = msg("bigd", part15); + +var 
part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup20, + dup21, + setc("event_description","Monitor template id"), + dup22, +])); + +var msg5 = msg("bigd:01", part16); + +var select6 = linear_select([ + msg4, + msg5, +]); + +var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Loading configuration file"), + dup22, +])); + +var msg6 = msg("bigpipe", part17); + +var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","Begin config install operation"), + dup22, +])); + +var msg7 = msg("bigpipe:01", part18); + +var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action}User: %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Audit"), + dup22, +])); + +var msg8 = msg("bigpipe:02", part19); + +var select7 = linear_select([ + msg6, + msg7, + msg8, +]); + +var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup20, + dup21, + setc("event_description","portal shutdown"), + dup22, +])); + +var msg9 = msg("bigstart", part20); + +var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","cga address genration"), + dup22, +])); + +var msg10 = msg("cgatool", part21); + +var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup20, + dup21, + dup22, + dup23, +])); + +var msg11 = msg("chassisd:01", part22); + +var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action}User: %{username}", 
processor_chain([ + dup20, + dup21, + dup24, + dup22, +])); + +var msg12 = msg("checkd", part23); + +var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup20, + dup21, + setc("event_description","checkd exiting"), + dup22, +])); + +var msg13 = msg("checkd:01", part24); + +var select8 = linear_select([ + msg12, + msg13, +]); + +var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1}for intf %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","link protection for interface"), + dup22, +])); + +var msg14 = msg("cosd", part25); + +var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License expiration warning"), + dup22, +])); + +var msg15 = msg("craftd", part26); + +var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + +var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); + +var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); + +var select9 = linear_select([ + part28, + part29, +]); + +var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: processor_chain([ + dup20, + dup21, + dup25, + dup22, + ]), +}); + +var msg16 = msg("CRON", all8); + +var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + +var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); + +var select10 = linear_select([ + part30, + part31, +]); + +var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg17 = msg("Cmerror", all9); + +var part32 = match("MESSAGE#17:cron", "nwparser.payload", 
"%{process}[%{process_id}]: (%{username}) %{action}(%(unknown))", processor_chain([ + dup20, + dup21, + setc("event_description","cron RELOAD"), + dup22, +])); + +var msg18 = msg("cron", part32); + +var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup20, + dup21, + dup22, + dup23, +])); + +var msg19 = msg("CROND", part33); + +var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup26, + dup21, + dup22, + dup23, +])); + +var msg20 = msg("CROND:02", part34); + +var select11 = linear_select([ + msg19, + msg20, +]); + +var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username}by (uid=%{uid})", processor_chain([ + dup27, + dup21, + dup22, + dup23, +])); + +var msg21 = msg("crond:01", part35); + +var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result}Setting ignored, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Setting ignored"), + dup22, +])); + +var msg22 = msg("dcd", part36); + +var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface}index %{resultcode->} %{p0}"); + +var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); + +var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); + +var select12 = linear_select([ + part38, + part39, +]); + +var all10 = all_match({ + processors: [ + part37, + select12, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","EVENT"), + dup22, + ]), +}); + +var msg23 = msg("EVENT", all10); + +var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from 
%{saddr}(%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup21, + setc("event_description","ftpd connection"), + dup22, +])); + +var msg24 = msg("ftpd", part40); + +var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup28, + dup22, + dup21, +])); + +var msg25 = msg("ha_rto_stats_handler", part41); + +var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name}-- LDAP Connection not bound correctly. %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","LDAP Connection not bound correctly"), + dup22, +])); + +var msg26 = msg("hostinit", part42); + +var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug - Added entry"), + dup22, +])); + +var msg27 = msg("ifinfo", part43); + +var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug Initializing spu"), + dup22, +])); + +var msg28 = msg("ifinfo:01", part44); + +var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug delete from list"), + dup22, +])); + +var msg29 = msg("ifinfo:02", part45); + +var select13 = linear_select([ + msg27, + msg28, + msg29, +]); + +var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup20, + dup21, + setc("event_description","IFL anydown change event"), + dup22, +])); + +var msg30 = msg("ifp_ifl_anydown_change_event", part46); + +var part47 = 
match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup20, + dup21, + setc("event_description","ifp ifl config_event"), + dup22, +])); + +var msg31 = msg("ifp_ifl_config_event", part47); + +var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid}zone_id %{zone}", processor_chain([ + dup20, + dup21, + setc("event_description","ifp_ifl_ext_chg"), + dup22, +])); + +var msg32 = msg("ifp_ifl_ext_chg", part48); + +var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol}from %{saddr}exceeded counts/min (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","connection exceeded count limit"), + dup22, +])); + +var msg33 = msg("inetd", part49); + +var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","exited"), + dup22, +])); + +var msg34 = msg("inetd:01", part50); + +var select14 = linear_select([ + msg33, + msg34, +]); + +var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type}current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup30, + dup22, +])); + +var msg35 = msg("init:04", part51); + +var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type}mode=%{protocol}cmd=%{action}master_mode=%{result}", processor_chain([ + dup20, + dup21, + dup30, + dup22, +])); + +var msg36 = msg("init", part52); + +var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","failure target for routing set"), + dup22, +])); + +var msg37 = msg("init:01", part53); + +var part54 = match("MESSAGE#37:init:02", 
"nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup20, + dup21, + setc("event_description","ntp started"), + dup22, +])); + +var msg38 = msg("init:02", part54); + +var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info}model %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","product mask and model info"), + dup22, +])); + +var msg39 = msg("init:03", part55); + +var select15 = linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, +]); + +var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode}exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","IPC message exceeds MTU"), + dup22, +])); + +var msg40 = msg("ipc_msg_write", part56); + +var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1}tnpaddr=%{dclass_counter2}", processor_chain([ + dup27, + dup21, + setc("event_description","listener connection established"), + dup22, +])); + +var msg41 = msg("connection_established", part57); + +var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + +var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); + +var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); + +var select16 = linear_select([ + part59, + part60, +]); + +var all11 = all_match({ + processors: [ + part58, + select16, + ], + on_success: processor_chain([ + dup26, + dup21, + setc("event_description","connection dropped"), + dup22, + ]), +}); + +var msg42 = msg("connection_dropped", all11); + 
+var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Asserting SONET alarm(s)"), + dup22, +])); + +var msg43 = msg("kernel", part61); + +var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface}down: %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","interface down"), + dup22, +])); + +var msg44 = msg("kernel:01", part62); + +var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","loopback suspected om interface"), + dup22, +])); + +var msg45 = msg("kernel:02", part63); + +var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","soreceive error"), + dup22, +])); + +var msg46 = msg("kernel:03", part64); + +var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service}!VALID(state 4)->%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pfe_peer_alloc state 4"), + dup22, +])); + +var msg47 = msg("kernel:04", part65); + +var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip}(%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg48 = msg("kernel:05", part66); + +var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg49 = msg("kernel:06", part67); + +var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, +]); + +var part68 = match("MESSAGE#49:successful_login", 
"nwparser.payload", "%{process}: login from %{saddr}on %{interface}as %{username}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful user login"), + dup22, +])); + +var msg50 = msg("successful_login", part68); + +var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username}from host %{hostip}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup21, + setc("event_description","user login attempt"), + dup22, +])); + +var msg51 = msg("login_attempt", part69); + +var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1}returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup32, + dup33, + dup36, + dup21, + setc("event_description","PAM module return from login"), + dup22, +])); + +var msg52 = msg("login", part70); + +var select18 = linear_select([ + msg50, + msg51, + msg52, +]); + +var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing lsys root-logical-system"), + dup22, +])); + +var msg53 = msg("lsys_ssam_handler", part71); + +var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Removing mif from group"), + dup22, +])); + +var msg54 = msg("mcsn", part72); + +var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup29, + dup21, + setc("event_description","Firewall rows could not be redirected on device"), + dup22, +])); + +var msg55 = msg("mrvl_dfw_log_effuse_status", part73); + +var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", 
"%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup29, + dup21, + setc("event_description","mfilter already exists for add"), + dup22, +])); + +var msg56 = msg("MRVL-L2", part74); + +var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing profile SP-root"), + dup22, +])); + +var msg57 = msg("profile_ssam_handler", part75); + +var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get resource bucket"), + dup22, +])); + +var msg58 = msg("pst_nat_binding_set_profile", part76); + +var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","reinitializing done"), + dup22, +])); + +var msg59 = msg("task_reconfigure", part77); + +var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); + +var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); + +var select19 = linear_select([ + part78, + part79, +]); + +var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + dup23, + ]), +}); + +var msg60 = msg("tnetd", all12); + +var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup20, + dup21, + setc("event_description","Session manager active"), + dup22, +])); + +var msg61 = msg("PFEMAN", part80); + +var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup29, + 
dup21, + setc("event_description","Could not send message to service"), + dup22, +])); + +var msg62 = msg("mgd", part81); + +var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Resolve request came for an address matching on Wrong nh"), + dup22, +])); + +var msg63 = msg("Resolve", part82); + +var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service}exited with status = %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","service exited with status"), + dup22, +])); + +var msg64 = msg("respawn", part83); + +var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup29, + dup21, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup22, +])); + +var msg65 = msg("root", part84); + +var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result}for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Received data for interface"), + dup22, +])); + +var msg66 = msg("rpd", part85); + +var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr}up on interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","RSVP neighbor up on interface "), + dup22, +])); + +var msg67 = msg("rpd:01", part86); + +var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr}(%{shost}): reseting pending active connection", processor_chain([ + dup20, + dup21, + setc("event_description","reseting pending active connection"), + dup22, +])); + +var msg68 = msg("rpd:02", part87); + +var part88 = 
match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. %{param}", processor_chain([ + dup20, + dup21, + dup37, + dup22, +])); + +var msg69 = msg("rpd_proceeding", part88); + +var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, +]); + +var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username}as root: cmd='%{action}' ", processor_chain([ + dup20, + dup21, + setc("event_description","user issuing command as root"), + dup22, +])); + +var msg70 = msg("rshd", part89); + +var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup20, + dup21, + setc("event_description","sfd waiting on accept"), + dup22, +])); + +var msg71 = msg("sfd", part90); + +var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username}from %{saddr}port %{sport->} %{protocol}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Accepted password"), + dup22, +])); + +var msg72 = msg("sshd", part91); + +var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result->} ", processor_chain([ + dup26, + dup21, + setc("event_description","Received disconnect"), + dup22, +])); + +var msg73 = msg("sshd:02", part92); + +var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr->} ", processor_chain([ + dup29, + dup21, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup22, +])); + +var msg74 = msg("sshd:03", part93); + +var part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not write ident 
string"), + dup22, +])); + +var msg75 = msg("sshd:04", part94); + +var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup20, + dup21, + setc("event_description","subsystem request for netconf"), + dup22, +])); + +var msg76 = msg("sshd:05", part95); + +var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + +var all13 = all_match({ + processors: [ + dup38, + dup135, + part96, + ], + on_success: processor_chain([ + dup28, + dup21, + setc("event_description","send message stats"), + dup22, + ]), +}); + +var msg77 = msg("sshd:06", all13); + +var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); + +var all14 = all_match({ + processors: [ + dup38, + dup135, + part97, + ], + on_success: processor_chain([ + dup41, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup36, + dup21, + setc("event_description","Added radius server"), + dup22, + ]), +}); + +var msg78 = msg("sshd:07", all14); + +var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space}[%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup33, + dup42, + dup21, + setc("event_description","authentication error"), + dup22, +])); + +var msg79 = msg("sshd:08", part98); + +var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute->} ", processor_chain([ + dup29, + dup21, + setc("event_description","unrecognized attribute in policy"), + dup22, +])); + +var msg80 = msg("sshd:09", part99); + +var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1}returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM 
module return from sshd"), + dup22, +])); + +var msg81 = msg("sshd:10", part100); + +var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM authentication chain return"), + dup22, +])); + +var msg82 = msg("sshd:11", part101); + +var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get client address"), + dup22, +])); + +var msg83 = msg("sshd:12", part102); + +var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup29, + dup21, + setc("event_description","auth server unresponsive"), + dup22, +])); + +var msg84 = msg("sshd:13", part103); + +var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup29, + dup21, + setc("event_description","No valid RADIUS responses received"), + dup22, +])); + +var msg85 = msg("sshd:14", part104); + +var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup20, + dup21, + setc("event_description","Moving to next server"), + dup22, +])); + +var msg86 = msg("sshd:15", part105); + +var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1}sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","Login failed for user"), + dup22, +])); + +var msg87 = msg("sshd:16", part106); + +var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, +]); + +var 
part107 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + +var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + +var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + +var select22 = linear_select([ + part108, + part109, + dup44, +]); + +var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username}from %{saddr}port %{sport->} %{protocol}"); + +var all15 = all_match({ + processors: [ + part107, + select22, + part110, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","authentication failure"), + dup22, + ]), +}); + +var msg88 = msg("Failed:05", all15); + +var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + +var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + +var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + +var select23 = linear_select([ + part112, + part113, +]); + +var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + +var all16 = all_match({ + processors: [ + part111, + select23, + part114, + ], + on_success: processor_chain([ + dup45, + dup46, + dup22, + dup21, + ]), +}); + +var msg89 = msg("Failed", all16); + +var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup45, + dup22, + dup21, +])); + +var msg90 = msg("Failed:01", part115); + +var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice "); + +var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); + +var select24 = linear_select([ + part116, + part117, +]); + +var all17 = all_match({ + processors: [ + select24, + ], + on_success: 
processor_chain([ + dup45, + dup22, + dup21, + setf("hostname","hfld1"), + ]), +}); + +var msg91 = msg("Failed:02", all17); + +var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, +]); + +var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup20, + dup21, + setc("event_description","syslog daemon restart"), + dup22, +])); + +var msg92 = msg("syslogd", part118); + +var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action}User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, +])); + +var msg93 = msg("ucd-snmp", part119); + +var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","Received TERM or STOP signal"), + dup22, +])); + +var msg94 = msg("ucd-snmp:01", part120); + +var select26 = linear_select([ + msg93, + msg94, +]); + +var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result}(%{resultcode})", processor_chain([ + dup26, + dup21, + setc("event_description","failed to connect to the server"), + dup22, +])); + +var msg95 = msg("usp_ipc_client_reconnect", part121); + +var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Trace client disconnected"), + dup22, +])); + +var msg96 = msg("usp_trace_ipc_disconnect", part122); + +var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup29, + dup21, + setc("event_description","USP trace client cannot reconnect to server"), + dup22, +])); + +var msg97 = msg("usp_trace_ipc_reconnect", part123); + +var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","flow_print_session_summary_output received"), + dup22, +])); + +var msg98 = msg("uspinfo", part124); + +var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version}by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","Version build date"), + dup22, +])); + +var msg99 = msg("Version", part125); + +var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result}from %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","frequency initialized from file"), + dup22, +])); + +var msg100 = msg("xntpd", part126); + +var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","nptd version build"), + dup22, +])); + +var msg101 = msg("xntpd:01", part127); + +var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","kernel time sync enabled"), + dup22, +])); + +var msg102 = msg("xntpd:02", part128); + +var part129 = match("MESSAGE#99:xntpd:03", "nwparser.payload", 
"%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg103 = msg("xntpd:03", part129); + +var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, +]); + +var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1}times", processor_chain([ + dup20, + dup21, + setc("event_description","last message repeated"), + dup22, +])); + +var msg104 = msg("last", part130); + +var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1}times", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup23, +])); + +var msg105 = msg("last:01", part131); + +var select28 = linear_select([ + msg104, + msg105, +]); + +var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup29, + dup21, + setc("event_description","cannot write ucode mask reg"), + dup22, +])); + +var msg106 = msg("BCHIP", part132); + +var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup20, + dup21, + setc("event_description","Slot on-line"), + dup22, +])); + +var msg107 = msg("CM", part133); + +var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Received FC Q map"), + dup22, +])); + +var msg108 = msg("COS", part134); + +var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","ifd error"), + dup22, +])); + +var msg109 = msg("COSFPC", part135); + +var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","delete class to 
ifl link"), + dup22, +])); + +var msg110 = msg("COSMAN", part136); + +var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","Keepalive timeout"), + dup22, +])); + +var msg111 = msg("RDP", part137); + +var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup29, + dup21, + setc("event_description","Initial time of day set"), + dup22, +])); + +var msg112 = msg("SNTPD", part138); + +var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup20, + dup21, + setc("event_description","Slot serial number"), + dup22, +])); + +var msg113 = msg("SSB", part139); + +var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result}from file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error"), + dup22, +])); + +var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); + +var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to open file"), + dup22, +])); + +var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); + +var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %(unknown)size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup48, + dup21, + setc("event_description","File size mismatch"), + dup22, +])); + +var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part142); + +var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Invalid statistics record"), + dup22, +])); + +var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); + +var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown)getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Class usage statistics error for interface"), + dup22, +])); + +var msg118 = msg("ACCT_CU_RTSLIB_error", part144); + +var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + +var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + +var select29 = linear_select([ + part145, + part146, +]); + +var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); + +var all18 = all_match({ + processors: [ + dup49, + select29, + part147, + ], + on_success: processor_chain([ + dup48, + dup21, + setc("event_description","error trying to get hostname"), + dup22, + ]), +}); + +var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + +var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup50, + dup21, + setc("event_description","Memory allocation failure"), + dup22, +])); + +var msg120 = msg("ACCT_MALLOC_FAILURE", part148); + +var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown)in accounting profile %{dclass_counter1}is not defined in a firewall using this filter profile", processor_chain([ + dup29, + dup21, + setc("event_description","Accounting profile counter not defined in firewall"), + dup22, 
+])); + +var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); + +var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","ACCT_XFER_FAILED"), + dup22, +])); + +var msg122 = msg("ACCT_XFER_FAILED", part150); + +var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup22, +])); + +var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); + +var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{obj_name}timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup27, + dup21, + dup51, +])); + +var msg124 = msg("APPQOS_LOG_EVENT", part152); + +var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("result","AppTrack session created"), + dup22, +])); + +var msg125 = msg("APPTRACK_SESSION_CREATE", part153); + +var part154 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" 
source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup51, +])); + +var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); + +var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup22, +])); + +var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); + +var select30 = linear_select([ + msg126, + msg127, +]); + +var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" 
source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup21, + dup51, +])); + +var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); + +var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup21, + dup22, +])); + +var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); + +var select31 = linear_select([ + msg128, + msg129, +]); + +var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup136); + +var msg131 = msg("BFDD_TRAP_STATE_UP", dup136); + +var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr}(%{shost}): %{result->} ", processor_chain([ + dup20, + dup21, + setc("event_description","bgp connect error"), + dup22, +])); + +var msg132 = msg("bgp_connect_start", part158); + +var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr}(%{dhost}) old state %{change_old}event %{action}new state %{change_new->} ", processor_chain([ + dup20, + dup21, + setc("event_description","bgp peer state change"), + dup22, +])); + +var msg133 = msg("bgp_event", part159); + +var part160 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result->} ", processor_chain([ + dup29, + 
dup21, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup22, +])); + +var msg134 = msg("bgp_listen_accept", part160); + +var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp reset"), + dup22, +])); + +var msg135 = msg("bgp_listen_reset", part161); + +var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr}(%{dhost}) next hop %{saddr}local, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","peer next hop local"), + dup22, +])); + +var msg136 = msg("bgp_nexthop_sanity", part162); + +var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr}(%{dhost}): code %{severity}(%{action}) subcode %{version}(%{result}) value %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","code RED error NOTIFICATION sent"), + dup22, +])); + +var msg137 = msg("bgp_process_caps", part163); + +var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip}(%{hostname}): peer: %{daddr}us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, +])); + +var msg138 = msg("bgp_process_caps:01", part164); + +var select32 = linear_select([ + msg137, + msg138, +]); + +var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr}(%{dhost}), %{info}(%{protocol})", processor_chain([ + dup29, + dup21, + setc("event_description","connection collision"), + setc("result","dropping connection to peer"), + dup22, +])); + +var msg139 = msg("bgp_pp_recv", part165); + +var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: peer %{daddr}(%{dhost}): received unexpected EOF", processor_chain([ + dup29, + dup21, + setc("event_description","peer received unexpected EOF"), + dup22, +])); + +var msg140 = msg("bgp_pp_recv:01", part166); + +var select33 = linear_select([ + msg139, + msg140, +]); + +var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes}bytes to %{daddr}(%{dhost}) blocked (%{disposition}): %{result->} ", processor_chain([ + dup29, + dup21, + setc("event_description","bgp send blocked error"), + dup22, +])); + +var msg141 = msg("bgp_send", part167); + +var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr}(%{dhost}): code %{resultcode}(%{action}), Reason: %{result->} ", processor_chain([ + dup29, + dup21, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup22, +])); + +var msg142 = msg("bgp_traffic_timeout", part168); + +var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot argument error"), + dup22, +])); + +var msg143 = msg("BOOTPD_ARG_ERR", part169); + +var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot unexpected Id value"), + dup22, +])); + +var msg144 = msg("BOOTPD_BAD_ID", part170); + +var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Invalid boot string"), + dup22, +])); + +var msg145 = msg("BOOTPD_BOOTSTRING", part171); + +var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration file error"), + dup22, +])); + +var msg146 = msg("BOOTPD_CONFIG_ERR", part172); + +var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open configuration file"), + dup22, +])); + +var msg147 = msg("BOOTPD_CONF_OPEN", part173); + +var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - Duplicate revision"), + dup22, +])); + +var msg148 = msg("BOOTPD_DUP_REV", part174); + +var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - duplicate slot"), + dup22, +])); + +var msg149 = msg("BOOTPD_DUP_SLOT", part175); + +var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id}for model %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected ID for model"), + dup22, +])); + +var msg150 = msg("BOOTPD_MODEL_CHK", part176); + +var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unsupported model"), + dup22, +])); + +var msg151 = msg("BOOTPD_MODEL_ERR", part177); + +var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed ", 
processor_chain([ + dup20, + dup21, + setc("event_description","New configuration installed"), + dup22, +])); + +var msg152 = msg("BOOTPD_NEW_CONF", part178); + +var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","No boot string found"), + dup22, +])); + +var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); + +var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No configuration file found"), + dup22, +])); + +var msg154 = msg("BOOTPD_NO_CONFIG", part180); + +var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup29, + dup21, + setc("event_description","parse errors on SIGHUP"), + dup22, +])); + +var msg155 = msg("BOOTPD_PARSE_ERR", part181); + +var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Reparsing configuration file"), + dup22, +])); + +var msg156 = msg("BOOTPD_REPARSE", part182); + +var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","select error"), + dup22, +])); + +var msg157 = msg("BOOTPD_SELECT_ERR", part183); + +var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result}unreasonable", processor_chain([ + dup29, + dup21, + setc("event_description","timeout unreasonable"), + dup22, +])); + +var msg158 = 
msg("BOOTPD_TIMEOUT", part184); + +var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version}built by builder on %{event_time_string->} ", processor_chain([ + dup20, + dup21, + setc("event_description","boot version built"), + dup22, +])); + +var msg159 = msg("BOOTPD_VERSION", part185); + +var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version}built by builder on %{event_time_string}", processor_chain([ + dup57, + dup21, + setc("event_description","CHASSISD release built"), + dup22, +])); + +var msg160 = msg("CHASSISD", part186); + +var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result->} ", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD Unknown option"), + dup22, +])); + +var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); + +var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers are now running at normal speed"), + dup22, +])); + +var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); + +var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers being set to full speed"), + dup22, +])); + +var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); + +var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","reading 
midplane ID EEPROM"), + dup22, +])); + +var msg164 = msg("CHASSISD_CB_READ", part190); + +var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device}online ack code %{dclass_counter1}- - %{result}, %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup22, +])); + +var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); + +var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition}- %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup22, +])); + +var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); + +var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2}PIC %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup22, +])); + +var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); + +var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG File Problem"), + dup22, +])); + +var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); + +var part195 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD CONFIG WARNING"), + dup22, +])); + +var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); + +var part196 = 
match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd already running"), + dup22, +])); + +var msg170 = msg("CHASSISD_EXISTS", part196); + +var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup20, + dup21, + setc("event_description","Killing existing chassisd and exiting"), + dup22, +])); + +var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); + +var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode}- - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","file open error"), + dup22, +])); + +var msg172 = msg("CHASSISD_FILE_OPEN", part198); + +var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode}- - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD file statistics error"), + dup22, +])); + +var msg173 = msg("CHASSISD_FILE_STAT", part199); + +var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD received restart EVENT"), + dup22, +])); + +var msg174 = msg("CHASSISD_FRU_EVENT", part200); + +var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup22, +])); + +var msg175 = 
msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); + +var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode}at step %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup22, +])); + +var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); + +var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode}- %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error from gettimeofday"), + dup22, +])); + +var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); + +var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}reading host temperature sensor", processor_chain([ + dup20, + dup21, + setc("event_description","reading host temperature sensor"), + dup22, +])); + +var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); + +var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","detaching all pseudo devices"), + dup22, +])); + +var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); + +var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup22, +])); + +var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); + +var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV 
DETACH PIC"), + dup22, +])); + +var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); + +var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup22, +])); + +var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); + +var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup22, +])); + +var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); + +var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode}- %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup22, +])); + +var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); + +var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Message Queue full"), + dup22, +])); + +var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); + +var part212 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Received unexpected message"), + dup22, +])); + +var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); + +var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection pipe"), + dup22, +])); + +var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); + +var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection arguments"), + dup22, +])); + +var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); + +var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd MAC address allocation error"), + dup22, +])); + +var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); + +var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup20, + dup21, + setc("event_description","Using default MAC address base"), + dup22, +])); + +var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); + +var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup29, + dup21, + setc("event_description","management bus failed sanity test"), + dup22, +])); + +var msg191 = msg("CHASSISD_MBUS_ERROR", part217); + +var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup20, + dup21, + setc("event_description","Using new configuration"), + dup22, +])); + +var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); + +var part219 = 
match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD PARSE ERROR"), + dup22, +])); + +var msg193 = msg("CHASSISD_PARSE_ERROR", part219); + +var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Parsing configuration file"), + dup22, +])); + +var msg194 = msg("CHASSISD_PARSE_INIT", part220); + +var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open PID file"), + dup22, +])); + +var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); + +var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Pipe error"), + dup22, +])); + +var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); + +var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1}not powering up", processor_chain([ + dup58, + dup21, + setc("event_description","device not powering up"), + dup22, +])); + +var msg197 = msg("CHASSISD_POWER_CHECK", part223); + +var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup20, + dup21, + setc("event_description","Successful reconnect on soft restart"), + dup22, +])); + +var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); + +var part225 = 
match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup20, + dup21, + setc("event_description","Release mastership notification"), + dup22, +])); + +var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); + +var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","re_init Invalid RE slot"), + dup22, +])); + +var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); + +var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine mount point for root directory"), + dup22, +])); + +var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); + +var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode}- - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","ifmsg sequence gap"), + dup22, +])); + +var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); + +var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup21, + setc("event_description","Version mismatch"), + dup22, +])); + +var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); + +var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode}- - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Serial ID read error"), + dup22, +])); + +var msg204 = msg("CHASSISD_SERIAL_ID", part230); + +var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","fpga download not complete"), + dup22, +])); + +var msg205 = msg("CHASSISD_SMB_ERROR", part231); + +var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result}(%{info})", processor_chain([ + dup57, + dup21, + setc("event_description","SNMP Trap6 generated"), + dup22, +])); + +var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); + +var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP Trap7 generated"), + dup22, +])); + +var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); + +var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap - FRU power on"), + dup22, +])); + +var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); + +var part235 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup59, + dup21, + setc("event_description","Received SIGTERM request"), + dup22, +])); + +var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); + +var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup20, + dup21, + 
setc("event_description","Taking PIC offline"), + dup22, +])); + +var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); + +var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","UNEXPECTED EXIT"), + dup22, +])); + +var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); + +var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1}unsupported with this version of chassisd", processor_chain([ + dup58, + dup21, + setc("event_description","Model number unsupported with this version of chassisd"), + dup22, +])); + +var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); + +var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup58, + dup21, + setc("event_description","Chassisd Version mismatch"), + dup22, +])); + +var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); + +var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup58, + dup21, + setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup60, + dup61, +])); + +var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); + +var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent}RESTART mode %{event_state}new master=%{obj_name}old failover=%{change_old}new failover = %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","process RESTART mode"), + dup22, +])); + +var msg215 = msg("clean_process", part241); + +var part242 = match("MESSAGE#211:CM_JAVA", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group}Linklocal MAC:%{macaddr}", processor_chain([ + dup20, + dup21, + setc("event_description","Chassis Linklocal to MAC"), + dup22, +])); + +var msg216 = msg("CM_JAVA", part242); + +var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","DCD must be run as root"), + dup22, +])); + +var msg217 = msg("DCD_AS_ROOT", part243); + +var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup29, + dup21, + setc("event_description","Filter library initialization failed"), + dup22, +])); + +var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); + +var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup137); + +var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration file"), + dup22, +])); + +var msg220 = msg("DCD_PARSE_EMERGENCY", part245); + +var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing filter index file"), + dup22, +])); + +var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); + +var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration overlay"), + dup22, +])); + +var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", 
part247); + +var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup29, + dup21, + setc("event_description","unhandled state was encountered during interface parsing"), + dup22, +])); + +var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); + +var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing policer indexfile"), + dup22, +])); + +var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); + +var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %(unknown)after %{dclass_counter1}retries last error=%{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to pull file"), + dup22, +])); + +var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); + +var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DFWD ARGUMENT ERROR"), + dup22, +])); + +var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); + +var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup137); + +var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}encountered errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors encountered while parsing filter index file"), + dup22, +])); + +var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); + +var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}encountered unhandled state while parsing interface", processor_chain([ + dup29, + dup21, + setc("event_description","encountered unhandled state while parsing interface"), + dup22, +])); + +var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); + +var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup138); + +var msg231 = msg("ECCD_DUPLICATE", dup139); + +var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup22, +])); + +var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); + +var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ + dup62, + dup21, + setc("event_description","ECCD Must be run as root"), + dup22, +])); + +var msg233 = msg("ECCD_NOT_ROOT", part255); + +var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup22, +])); + +var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); + +var part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI read failure"), + dup22, +])); + +var msg235 = msg("ECCD_PCI_READ_FAILED", part257); + +var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI write failure"), + dup22, +])); + +var msg236 = msg("ECCD_PCI_WRITE_FAILED", part258); + +var msg237 = msg("ECCD_PID_FILE_LOCK", dup140); + +var msg238 = 
msg("ECCD_PID_FILE_UPDATE", dup141); + +var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup22, +])); + +var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); + +var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","ECCD Usage"), + dup22, +])); + +var msg240 = msg("ECCD_usage", part260); + +var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}viewed security audit log with arguments: %{param}", processor_chain([ + dup20, + dup21, + setc("event_description","User viewed security audit log with arguments"), + dup22, +])); + +var msg241 = msg("EVENTD_AUDIT_SHOW", part261); + +var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr}destination %{daddr}ipid %{fld11}succeed", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); + +var part263 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to change owner of file"), + dup22, +])); + +var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); + +var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD CONFIG ERROR"), + dup22, +])); + +var msg244 = msg("FSAD_CONFIG_ERROR", part264); + +var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection timed out to client"), + dup22, +])); + +var msg245 = msg("FSAD_CONNTIMEDOUT", part265); + +var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD_FAILED"), + dup22, +])); + +var msg246 = msg("FSAD_FAILED", part266); + +var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname}for file `%(unknown)' timed out", processor_chain([ + dup29, + dup21, + setc("event_description","Fetch to server to get file timed out"), + dup22, +])); + +var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); + +var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","fn failed for file"), + dup22, +])); + +var msg248 = msg("FSAD_FILE_FAILED", part268); + +var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to remove file"), + dup22, +])); + +var msg249 = msg("FSAD_FILE_REMOVE", part269); + +var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to rename file"), + dup22, +])); + +var msg250 = msg("FSAD_FILE_RENAME", part270); + +var part271 = 
match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}failed for file pathname %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","stat failed for file"), + dup22, +])); + +var msg251 = msg("FSAD_FILE_STAT", part271); + +var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to sync file"), + dup22, +])); + +var msg252 = msg("FSAD_FILE_SYNC", part272); + +var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup29, + dup21, + setc("event_description","Upper limit reached in fsad"), + dup22, +])); + +var msg253 = msg("FSAD_MAXCONN", part273); + +var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}failed in the function %{action}(%{resultcode})", processor_chain([ + dup50, + dup21, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup22, +])); + +var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part274); + +var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ + dup62, + dup21, + setc("event_description","FSAD must be run as root"), + dup22, +])); + +var msg255 = msg("FSAD_NOT_ROOT", part275); + +var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","invalid directory"), + dup22, +])); + +var msg256 = msg("FSAD_PARENT_DIRECTORY", part276); + +var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","File path cannot be a directory"), + dup22, +])); + +var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); + +var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","Not a regular file"), + dup22, +])); + +var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); + +var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type}at (%{saddr}, %{sport})", processor_chain([ + dup29, + dup21, + setc("event_description","fsad received error message from client"), + dup22, +])); + +var msg259 = msg("FSAD_RECVERROR", part279); + +var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup22, +])); + +var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); + +var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Received terminating signal"), + dup22, +])); + +var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); + +var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Open operation on trace file failed"), + dup22, +])); + +var msg262 = msg("FSAD_TRACEOPEN_FAILED", 
part282); + +var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Incorrect FSAD usage"), + dup22, +])); + +var msg263 = msg("FSAD_USAGE", part283); + +var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup22, +])); + +var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); + +var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup22, +])); + +var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); + +var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown trap request type"), + dup22, +])); + +var msg266 = msg("GGSN_TRAP_SEND", part286); + +var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup68, + dup33, + setc("ec_subject","Service"), + dup42, + dup21, + setc("event_description","Authorization failed"), + dup22, +])); + +var msg267 = msg("JADE_AUTH_ERROR", part287); + +var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE EXEC ERROR"), + dup22, +])); + +var msg268 = msg("JADE_EXEC_ERROR", part288); + +var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Local user %{username}does not exist", processor_chain([ + dup29, + dup21, + setc("event_description","Local user does not exist"), + dup22, +])); + +var msg269 = msg("JADE_NO_LOCAL_USER", part289); + +var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE PAM error"), + dup22, +])); + +var msg270 = msg("JADE_PAM_ERROR", part290); + +var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to get local username from PAM"), + dup22, +])); + +var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); + +var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr}from %{smacaddr}to %{dmacaddr}", processor_chain([ + dup29, + dup21, + setc("event_description","arp info overwritten"), + dup22, +])); + +var msg272 = msg("KERN_ARP_ADDR_CHANGE", part292); + +var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5->} ", processor_chain([ + dup29, + dup21, + setc("event_description","security association has been established"), + dup22, +])); + +var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); + +var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup20, + dup21, + setc("event_description","Task Reinitialized"), + dup60, + dup22, +])); + +var msg274 = msg("L2CPD_TASK_REINIT", part294); + +var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup69, + dup22, +])); + +var msg275 = msg("LIBJNX_EXEC_EXITED", part295); + +var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed for command"), + dup22, +])); + +var msg276 = msg("LIBJNX_EXEC_FAILED", part296); + +var msg277 = msg("LIBJNX_EXEC_PIPE", dup142); + +var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Command received signal"), + dup22, +])); + +var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); + +var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup71, + dup22, +])); + +var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); + +var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup72, + dup21, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup22, +])); + +var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); + +var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to lower privilege level"), + dup22, +])); + +var msg281 = 
msg("LIBJNX_PRIV_LOWER_FAILED", part300); + +var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to raise privilege level"), + dup22, +])); + +var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); + +var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","rcp failed"), + dup22, +])); + +var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); + +var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1}-f %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup22, +])); + +var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); + +var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Client connection error"), + dup22, +])); + +var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); + +var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Outbound request failed for command"), + dup22, +])); + +var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); + +var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", 
processor_chain([ + dup26, + dup21, + setc("event_description","Connection closed while receiving from client"), + dup22, +])); + +var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); + +var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to bind socket"), + dup22, +])); + +var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); + +var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid}to management routing instance: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to attach socket to management routing instance"), + dup22, +])); + +var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); + +var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LICENSE EXPIRED"), + dup22, +])); + +var msg290 = msg("LICENSE_EXPIRED", part309); + +var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup20, + dup21, + setc("event_description","License key has expired"), + dup22, +])); + +var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); + +var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License key expiration soon"), + dup22, +])); + +var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); + +var part312 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Client aborted login", processor_chain([ + dup29, + dup21, + setc("event_description","client aborted login"), + dup22, +])); + +var msg293 = msg("LOGIN_ABORTED", part312); + +var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username}from host %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + dup22, +])); + +var msg294 = msg("LOGIN_FAILED", part313); + +var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Incorrect password for user"), + dup22, +])); + +var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); + +var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set context for user"), + dup22, +])); + +var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); + +var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set login ID for user"), + dup22, +])); + +var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); + +var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info->} ", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Unable to resolve hostname"), + dup22, +])); + +var msg298 = 
msg("LOGIN_HOSTNAME_UNRESOLVED", part317); + +var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); + +var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username}logged in from host %{dhost}on %{p0}"); + +var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + +var select34 = linear_select([ + part320, + dup44, +]); + +var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal->} "); + +var all19 = all_match({ + processors: [ + dup38, + dup135, + part318, + dup143, + part319, + select34, + part321, + ], + on_success: processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Successful Login"), + dup22, + ]), +}); + +var msg299 = msg("LOGIN_INFORMATION", all19); + +var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username->} ", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","No entry in local password file for user"), + dup22, +])); + +var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); + +var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username->} ", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Invalid username"), + dup22, +])); + +var msg301 = msg("LOGIN_MALFORMED_USER", part323); + +var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + +var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + +var select35 = linear_select([ + part324, + part325, +]); + +var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} 
%{username->} "); + +var all20 = all_match({ + processors: [ + dup49, + select35, + part326, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","PAM authentication error for user"), + dup22, + ]), +}); + +var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + +var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup22, +])); + +var msg303 = msg("LOGIN_PAM_ERROR", part327); + +var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username->} ", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Too many retries while authenticating user"), + dup22, +])); + +var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part328); + +var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}authenticated but has no local login ID", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","User authenticated but has no local login ID"), + dup22, +])); + +var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); + +var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup33, + dup42, + dup21, + setc("event_description","Failed to end PAM session"), + dup22, +])); + +var msg306 = msg("LOGIN_PAM_STOP", part330); + +var part331 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Attempt to authenticate unknown user"), + dup22, +])); + +var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); + +var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Forcing change of expired password for user"), + dup22, +])); + +var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); + +var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username}from host %{shost}on %{terminal}was refused: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Login of user refused"), + dup22, +])); + +var msg309 = msg("LOGIN_REFUSED", part333); + +var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}logged in as root from host %{shost}on %{terminal}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup22, +])); + +var msg310 = msg("LOGIN_ROOT", part334); + +var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1}seconds", processor_chain([ + dup43, + dup33, + dup35, + dup42, + dup21, + dup74, + setc("result","Login attempt timed out"), + dup22, +])); + +var msg311 = msg("LOGIN_TIMED_OUT", part335); + +var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", 
processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D ATM ERROR"), + dup22, +])); + +var msg312 = msg("MIB2D_ATM_ERROR", part336); + +var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG CHECK FAILED"), + dup22, +])); + +var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); + +var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, +])); + +var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); + +var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup144); + +var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup144); + +var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","mib2d initialization failure"), + dup22, +])); + +var msg317 = msg("MIB2D_INIT_FAILURE", part339); + +var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D KVM FAILURE"), + dup22, +])); + +var msg318 = msg("MIB2D_KVM_FAILURE", part340); + +var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2}index (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup22, +])); + +var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); + +var part342 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: 
sequence mismatch (%{result}), %{action}", processor_chain([ + dup29, + dup21, + setc("event_description","RTSLIB sequence mismatch"), + dup22, +])); + +var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); + +var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup22, +])); + +var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); + +var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup29, + dup21, + setc("event_description","trap_request_header failed"), + dup22, +])); + +var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); + +var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup22, +])); + +var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); + +var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new}sighupped=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","user sighupped"), + dup22, +])); + +var msg324 = msg("Multiuser", part346); + +var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate authentication handle"), + dup22, +])); + +var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); + +var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup79, + dup33, + dup42, + dup21, + setc("event_description","authentication already in progress"), + dup22, +])); + +var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); + +var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup22, +])); + +var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); + +var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)expected CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup22, +])); + +var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); + +var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID OPCODE"), + dup22, +])); + +var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); + +var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup22, +])); + +var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part352); + +var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup22, +])); + +var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); + +var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup80, + dup21, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup22, +])); + +var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); + +var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup22, +])); + +var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); + +var msg334 = msg("NASD_DAEMONIZE_FAILED", dup138); + +var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate database object"), + dup22, +])); + +var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); + +var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DB TABLE CREATE FAILURE"), + dup22, +])); + +var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); + +var msg337 = msg("NASD_DUPLICATE", dup139); + +var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}with: %{result}", 
processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB CREATE FAILURE"), + dup22, +])); + +var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); + +var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}value: %{result}, error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB EXIT FAILURE"), + dup22, +])); + +var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); + +var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate LOCAL module handle"), + dup22, +])); + +var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); + +var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ + dup62, + dup21, + setc("event_description","NASD must be run as root"), + dup22, +])); + +var msg341 = msg("NASD_NOT_ROOT", part361); + +var msg342 = msg("NASD_PID_FILE_LOCK", dup140); + +var msg343 = msg("NASD_PID_FILE_UPDATE", dup141); + +var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup22, +])); + +var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); + +var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PPP READ FAILURE"), + dup22, +])); + +var msg345 = msg("NASD_PPP_READ_FAILURE", part363); + +var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Unable to send message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send message"), + dup22, +])); + +var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); + +var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send all of message"), + dup22, +])); + +var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); + +var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup29, + dup21, + setc("event_description","Unrecognized authentication protocol"), + dup22, +])); + +var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); + +var part367 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}when allocating password for RADIUS: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS password allocation failure"), + dup22, +])); + +var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); + +var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CONFIG FAILED"), + dup22, +])); + +var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); + +var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate RADIUS module handle"), + dup22, +])); + +var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); + +var part370 = 
match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup22, +])); + +var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); + +var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup22, +])); + +var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); + +var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown response from RADIUS server"), + dup22, +])); + +var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); + +var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS OPEN FAILED"), + dup22, +])); + +var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); + +var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SELECT FAILED"), + dup22, +])); + +var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); + +var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SET TIMER FAILED"), + dup22, +])); + +var msg357 = 
msg("NASD_RADIUS_SET_TIMER_FAILED", part375); + +var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACE FILE OPEN FAILED"), + dup22, +])); + +var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); + +var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","NASD Usage"), + dup22, +])); + +var msg359 = msg("NASD_usage", part377); + +var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg360 = msg("NOTICE", part378); + +var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport}(%{packets}packets) ", processor_chain([ + dup20, + dup21, + dup81, + dup22, +])); + +var msg361 = msg("PFE_FW_SYSLOG_IP", part379); + +var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport}(%{packets}packets) ", processor_chain([ + dup20, + dup21, + dup81, + dup22, +])); + +var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); + +var select36 = linear_select([ + msg361, + msg362, +]); + +var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface}throttled", processor_chain([ + dup20, + dup21, + setc("event_description","Next-hop resolution requests throttled"), + dup22, +])); + +var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); + +var part382 = 
match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST COMPLETED"), + dup22, +])); + +var msg364 = msg("PING_TEST_COMPLETED", part382); + +var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST FAILED"), + dup22, +])); + +var msg365 = msg("PING_TEST_FAILED", part383); + +var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); + +var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + +var part386 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + +var select37 = linear_select([ + part385, + part386, +]); + +var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol}cmd=%{action}master_mode=%{result}"); + +var all21 = all_match({ + processors: [ + dup38, + dup135, + part384, + select37, + part387, + ], + on_success: processor_chain([ + dup20, + dup21, + dup82, + dup22, + ]), +}); + +var msg366 = msg("process_mode", all21); + +var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup82, + dup22, +])); + +var msg367 = msg("process_mode:01", part388); + +var select38 = linear_select([ + msg366, + msg367, +]); + +var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}exiting with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","process exit with status"), + dup22, +])); + +var msg368 = 
msg("PWC_EXIT", part389); + +var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}released child %{child_pid}from %{dclass_counter1}state", processor_chain([ + dup20, + dup21, + setc("event_description","Process released child from state"), + dup22, +])); + +var msg369 = msg("PWC_HOLD_RELEASE", part390); + +var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","invalid runs argument"), + dup22, +])); + +var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); + +var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup22, +])); + +var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); + +var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent}received terminating signal", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process received terminating signal"), + dup22, +])); + +var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); + +var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode}to child %{child_pid}", processor_chain([ + dup29, + dup21, + setc("event_description","pwc is sending kill event to child"), + dup22, +])); + +var msg373 = msg("PWC_KILL_EVENT", part394); + +var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to kill process"), + dup22, +])); + +var 
msg374 = msg("PWC_KILL_FAILED", part395); + +var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","kevent failed"), + dup22, +])); + +var msg375 = msg("PWC_KQUEUE_ERROR", part396); + +var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create kqueue"), + dup22, +])); + +var msg376 = msg("PWC_KQUEUE_INIT", part397); + +var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent}for purpose: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to register kqueue filter"), + dup22, +])); + +var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); + +var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file has bad format"), + dup22, +])); + +var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); + +var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file error"), + dup22, +])); + +var msg379 = msg("PWC_LOCKFILE_ERROR", part400); + +var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not found"), + dup22, +])); + +var msg380 = msg("PWC_LOCKFILE_MISSING", part401); + +var part402 
= match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not locked"), + dup22, +])); + +var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); + +var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup29, + dup21, + setc("event_description","No process specified for PWC"), + dup22, +])); + +var msg382 = msg("PWC_NO_PROCESS", part403); + +var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent}child %{child_pid}exited with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process exited with status"), + dup22, +])); + +var msg383 = msg("PWC_PROCESS_EXIT", part404); + +var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}forcing hold down of child %{child_pid}until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process forcing hold down of child until signalled"), + dup22, +])); + +var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); + +var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}holding down child %{child_pid}until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child until signalled"), + dup22, +])); + +var msg385 = msg("PWC_PROCESS_HOLD", part406); + +var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}will not down child %{child_pid}because of %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Process not holding down child"), + 
dup22, +])); + +var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); + +var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create child process with pidpopen"), + dup22, +])); + +var msg387 = msg("PWC_PROCESS_OPEN", part408); + +var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}holding down child %{child_pid->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child"), + dup22, +])); + +var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part409); + +var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Child process timed out"), + dup22, +])); + +var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); + +var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","signal failure"), + dup22, +])); + +var msg390 = msg("PWC_SIGNAL_INIT", part411); + +var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to connect socket to service"), + dup22, +])); + +var msg391 = msg("PWC_SOCKET_CONNECT", part412); + +var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create socket"), + dup22, +])); + +var msg392 
= msg("PWC_SOCKET_CREATE", part413); + +var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to set socket option"), + dup22, +])); + +var msg393 = msg("PWC_SOCKET_OPTION", part414); + +var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Write to stdout failed"), + dup22, +])); + +var msg394 = msg("PWC_STDOUT_WRITE", part415); + +var part416 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","PWC SYSTEM CALL"), + dup22, +])); + +var msg395 = msg("PWC_SYSTEM_CALL", part416); + +var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown kill option"), + dup22, +])); + +var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); + +var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed ", processor_chain([ + dup29, + dup21, + setc("event_description","Multicast address not allowed"), + dup22, +])); + +var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); + +var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup22, +])); + +var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); + +var part420 = 
match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to convert numeric address to string"), + dup22, +])); + +var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); + +var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","rmop_util_set_address status message invalid"), + dup22, +])); + +var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part421); + +var msg401 = msg("RMOPD_DUPLICATE", dup139); + +var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup29, + dup21, + setc("event_description","Only IPv4 source address is supported"), + dup22, +])); + +var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); + +var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup29, + dup21, + setc("event_description","No route to host"), + dup22, +])); + +var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); + +var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NOT ACTIVE"), + dup22, +])); + +var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); + +var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX 
NO INFO"), + dup22, +])); + +var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); + +var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup22, +])); + +var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); + +var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFNAME NO INFO"), + dup22, +])); + +var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); + +var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ + dup62, + dup21, + setc("event_description","RMOPD Must be run as root"), + dup22, +])); + +var msg408 = msg("RMOPD_NOT_ROOT", part428); + +var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No information for routing instance"), + dup22, +])); + +var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); + +var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACEROUTE ERROR"), + dup22, +])); + +var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); + +var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","RMOPD usage"), + dup22, +])); + +var msg411 = msg("RMOPD_usage", part431); + +var part432 = match("MESSAGE#407:RPD_ABORT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD ABORT"), + dup22, +])); + +var msg412 = msg("RPD_ABORT", part432); + +var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD exiting with active tasks"), + dup22, +])); + +var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); + +var part434 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Assertion failed"), + dup22, +])); + +var msg414 = msg("RPD_ASSERT", part434); + +var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Soft assertion failed"), + dup22, +])); + +var msg415 = msg("RPD_ASSERT_SOFT", part435); + +var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}version built by builder on %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD EXIT"), + dup22, +])); + +var msg416 = msg("RPD_EXIT", part436); + +var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup145); + +var msg418 = msg("RPD_IFL_NAMECOLLISION", dup145); + +var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1}adjacency to %{dclass_counter2}on %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS lost adjacency"), + 
dup22, +])); + +var msg419 = msg("RPD_ISIS_ADJDOWN", part437); + +var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1}adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","IS-IS new adjacency"), + dup22, +])); + +var msg420 = msg("RPD_ISIS_ADJUP", part438); + +var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1}adjacency to %{dclass_counter2->} %{interface}without an address", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS new adjacency without an address"), + dup22, +])); + +var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); + +var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1}LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup22, +])); + +var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); + +var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS database overload"), + dup22, +])); + +var msg423 = msg("RPD_ISIS_OVERLOAD", part441); + +var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent}message with unsupported address family %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","message with unsupported address family received"), + dup22, +])); + +var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); + +var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup29, + dup21, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup22, +])); + +var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); + +var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1}table ID %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","received deleted routing table from kernel"), + dup22, +])); + +var msg426 = msg("RPD_KRT_DELETED_RTT", part444); + +var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifa generation mismatch"), + dup22, +])); + +var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); + +var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}CHANGE for ifd %{interface}failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","CHANGE for ifd failed"), + dup22, +])); + +var msg428 = msg("RPD_KRT_IFDCHANGE", part446); + +var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}SERVICE: %{service}for ifd %{interface}failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET SERVICE failure on interface"), + dup22, +])); + +var msg429 = msg("RPD_KRT_IFDEST_GET", part447); + +var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET index for ifd interface failed"), + dup22, +])); + +var msg430 = 
msg("RPD_KRT_IFDGET", part448); + +var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1}generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifd generation mismatch"), + dup22, +])); + +var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); + +var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup22, +])); + +var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); + +var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup22, +])); + +var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); + +var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface}generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifl generation mismatch"), + dup22, +])); + +var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); + +var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1}for route %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","lost interface for route"), + dup22, +])); + +var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); + +var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed 
(%{dclass_counter2}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","number of next hops exceeded the maximum"), + dup22, +])); + +var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); + +var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1}for interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","No device for interface"), + dup22, +])); + +var msg437 = msg("RPD_KRT_NOIFD", part455); + +var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","received routing table message for unknown table"), + dup22, +])); + +var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); + +var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket version mismatch"), + dup22, +])); + +var msg439 = msg("RPD_KRT_VERSION", part457); + +var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info}-- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type not supported by kernel"), + dup22, +])); + +var msg440 = msg("RPD_KRT_VERSIONNONE", part458); + +var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type version 
is older than expected"), + dup22, +])); + +var msg441 = msg("RPD_KRT_VERSIONOLD", part459); + +var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Duplicate session ID detected"), + dup22, +])); + +var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); + +var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface}is now %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP interface now unblocked"), + dup22, +])); + +var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); + +var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr}(%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup21, + setc("event_description","LDP neighbor down"), + dup22, +])); + +var msg444 = msg("RPD_LDP_NBRDOWN", part462); + +var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr}(%{interface}) is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP neighbor up"), + dup22, +])); + +var msg445 = msg("RPD_LDP_NBRUP", part463); + +var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr}is down, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LDP session down"), + dup22, +])); + +var msg446 = msg("RPD_LDP_SESSIONDOWN", part464); + +var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr}is up", processor_chain([ + dup20, + dup21, + setc("event_description","LDP session up"), + 
dup22, +])); + +var msg447 = msg("RPD_LDP_SESSIONUP", part465); + +var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain a lock"), + dup22, +])); + +var msg448 = msg("RPD_LOCK_FLOCKED", part466); + +var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain service lock"), + dup22, +])); + +var msg449 = msg("RPD_LOCK_LOCKED", part467); + +var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP CHANGE"), + dup22, +])); + +var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); + +var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} ", processor_chain([ + dup29, + dup21, + setc("event_description","MPLS LSP DOWN"), + dup22, +])); + +var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); + +var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info->} ", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP SWITCH"), + dup22, +])); + +var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); + +var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}Route %{info->} ", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP UP"), + dup22, +])); + +var msg453 = msg("RPD_MPLS_LSP_UP", part471); + +var part472 = 
match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MSDP PEER DOWN"), + dup22, +])); + +var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); + +var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","MSDP PEER UP"), + dup22, +])); + +var msg455 = msg("RPD_MSDP_PEER_UP", part473); + +var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr}(%{interface}) %{disposition}due to %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","OSPF neighbor down"), + dup22, +])); + +var msg456 = msg("RPD_OSPF_NBRDOWN", part474); + +var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr}(%{interface}) %{disposition}due to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","OSPF neighbor up"), + dup22, +])); + +var msg457 = msg("RPD_OSPF_NBRUP", part475); + +var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1}KB of memory, %{info}", processor_chain([ + dup50, + dup21, + setc("event_description","OS MEMHIGH"), + dup22, +])); + +var msg458 = msg("RPD_OS_MEMHIGH", part476); + +var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr}timeout interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup22, +])); + +var msg459 = msg("RPD_PIM_NBRDOWN", part477); + +var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr}interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","PIM neighbor up"), + dup22, +])); + +var msg460 = msg("RPD_PIM_NBRUP", part478); + +var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr}to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Bad checksum for router solicitation"), + dup22, +])); + +var msg461 = msg("RPD_RDISC_CKSUM", part479); + +var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1}on %{interface}-- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Ignoring interface"), + dup22, +])); + +var msg462 = msg("RPD_RDISC_NOMULTI", part480); + +var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr}to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to locate interface for router"), + dup22, +])); + +var msg463 = msg("RPD_RDISC_NORECVIF", part481); + +var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr}to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Expected multicast for router solicitation"), + dup22, +])); + +var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); + +var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr}to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Nonzero ICMP code for router 
solicitation"), + dup22, +])); + +var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); + +var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr}to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Insufficient length for router solicitation"), + dup22, +])); + +var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); + +var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr}(%{interface})", processor_chain([ + dup29, + dup21, + setc("event_description","RIP update with invalid authentication"), + dup22, +])); + +var msg467 = msg("RPD_RIP_AUTH", part485); + +var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - unable to get broadcast address"), + dup22, +])); + +var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); + +var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - Unable to join multicast group"), + dup22, +])); + +var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); + +var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface}index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","RIP interface up"), + dup22, +])); + +var msg470 = msg("RPD_RT_IFUP", part488); + +var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup146); + +var part489 = 
match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup29, + dup21, + setc("event_description","excessive runtime after action of module"), + dup22, +])); + +var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); + +var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup146); + +var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup29, + dup21, + setc("event_description","task extended runtime"), + dup22, +])); + +var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); + +var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}termination signal received", processor_chain([ + dup29, + dup21, + setc("event_description","termination signal received for service"), + dup22, +])); + +var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); + +var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1}version version built %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","version built"), + dup22, +])); + +var msg476 = msg("RPD_START", part492); + +var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","system command"), + dup22, +])); + +var msg477 = msg("RPD_SYSTEM", part493); + +var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2}by builder", processor_chain([ + dup20, + dup21, + setc("event_description","Commencing routing 
updates"), + dup22, +])); + +var msg478 = msg("RPD_TASK_BEGIN", part494); + +var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task killed by signal"), + dup22, +])); + +var msg479 = msg("RPD_TASK_CHILDKILLED", part495); + +var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task stopped by signal"), + dup22, +])); + +var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); + +var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork task"), + dup22, +])); + +var msg481 = msg("RPD_TASK_FORK", part497); + +var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD TASK GETWD"), + dup22, +])); + +var msg482 = msg("RPD_TASK_GETWD", part498); + +var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup29, + dup21, + setc("event_description","Reinitialization not possible"), + dup22, +])); + +var msg483 = msg("RPD_TASK_NOREINIT", part499); + +var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to close and remove task"), + dup22, +])); + +var msg484 = msg("RPD_TASK_PIDCLOSED", part500); + +var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD TASK PIDFLOCK"), + dup22, +])); + +var msg485 = msg("RPD_TASK_PIDFLOCK", part501); + +var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to write"), + dup22, +])); + +var msg486 = msg("RPD_TASK_PIDWRITE", part502); + +var msg487 = msg("RPD_TASK_REINIT", dup147); + +var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","ignoring task signal"), + dup22, +])); + +var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); + +var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1}(%{agent}) failed, err %{resultcode}(%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","COS IPC op failed"), + dup22, +])); + +var msg489 = msg("RT_COS", part504); + +var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + +var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); + +var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); + +var select39 = linear_select([ + part507, + part508, +]); + +var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", 
"nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{p0}"); + +var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + +var select40 = linear_select([ + part510, + dup91, +]); + +var all22 = all_match({ + processors: [ + dup86, + dup148, + part505, + dup149, + part506, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), +}); + +var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + +var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); + +var select41 = linear_select([ + part511, + part512, +]); + +var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); + +var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + +var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); + +var select42 = 
linear_select([ + part514, + part515, +]); + +var all23 = all_match({ + processors: [ + dup86, + select41, + part513, + select42, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), +}); + +var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + +var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); + +var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); + +var select43 = linear_select([ + part516, + part517, +]); + +var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + +var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); + +var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); + +var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); + +var select44 = linear_select([ + part519, + part520, + part521, +]); + +var all24 = all_match({ + processors: [ + select43, + part518, + select44, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("event_description","session created"), + dup22, + ]), +}); + +var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + +var select45 = linear_select([ + msg490, + msg491, + msg492, +]); + +var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" 
protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); + +var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + +var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + +var select46 = linear_select([ + part523, + part524, + dup91, +]); + +var all25 = all_match({ + processors: [ + dup86, + dup148, + part522, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ]), +}); + +var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + +var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, +])); + +var msg494 = msg("RT_FLOW_SESSION_DENY", part525); + +var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}HTTP %{info}"); + +var all26 = all_match({ + processors: [ + dup150, + part526, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), +}); + +var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + +var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + 
+var all27 = all_match({ + processors: [ + dup150, + part527, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), +}); + +var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); + +var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, +]); + +var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); + +var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + +var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); + +var select48 = linear_select([ + part529, + part530, +]); + +var all28 = all_match({ + processors: [ + dup98, + dup148, + dup99, + dup149, + dup100, + dup151, + part528, + select48, + dup92, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + ]), +}); + +var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); + +var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup26, + dup52, + dup54, + dup21, + dup51, +])); + +var msg498 = 
msg("RT_FLOW_SESSION_CLOSE", part531); + +var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed%{p0}"); + +var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); + +var select49 = linear_select([ + part532, + part533, +]); + +var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + +var all29 = all_match({ + processors: [ + select49, + part534, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup21, + setc("event_description","session closed"), + dup22, + ]), +}); + +var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + +var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); + +var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + +var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + +var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); + +var select50 = linear_select([ + part536, + part537, + part538, +]); + +var part539 = 
match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + +var all30 = all_match({ + processors: [ + dup98, + dup148, + dup99, + dup149, + dup100, + dup151, + part535, + select50, + part539, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + dup60, + ]), +}); + +var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + +var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, +]); + +var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","Fragmented traffic"), + dup22, +])); + +var msg501 = msg("RT_SCREEN_IP", part540); + +var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg502 = msg("RT_SCREEN_IP:01", part541); + +var select52 = linear_select([ + msg501, + msg502, +]); + +var msg503 = msg("RT_SCREEN_TCP", dup152); + +var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); + +var msg505 = msg("RT_SCREEN_UDP", dup152); + +var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","attempt to connect to interface failed"), + dup22, +])); + +var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); + +var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup26, + dup21, + setc("event_description","unexpected termination of connection"), + dup22, +])); + +var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); + +var part545 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client interface connection failure"), + dup22, +])); + +var msg508 = msg("SERVICED_CLIENT_ERROR", part545); + +var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","remote command execution failed"), + dup22, +])); + +var msg509 = msg("SERVICED_COMMAND_FAILED", part546); + +var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client commit configuration failed"), + dup22, +])); + +var msg510 = msg("SERVICED_COMMIT_FAILED", part547); + +var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","configuration process failed"), + dup22, +])); + +var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part548); + +var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONFIG ERROR"), + dup22, +])); + +var msg512 = msg("SERVICED_CONFIG_ERROR", part549); + +var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2}failed to read path with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service failed to read path"), + dup22, +])); + +var msg513 = msg("SERVICED_CONFIG_FILE", part550); + +var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONNECTION ERROR"), + dup22, +])); + +var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); + +var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","GGSN services disabled"), + dup22, +])); + +var msg515 = msg("SERVICED_DISABLED_GGSN", part552); + +var msg516 = msg("SERVICED_DUPLICATE", dup139); + +var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2}failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","event function failed"), + dup22, +])); + +var msg517 = msg("SERVICED_EVENT_FAILED", part553); + +var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with 
error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service initialization failed"), + dup22, +])); + +var msg518 = msg("SERVICED_INIT_FAILED", part554); + +var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1}bytes %{bytes}]: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","memory allocation failure"), + dup22, +])); + +var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); + +var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2}had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","NETWORK FAILURE"), + dup22, +])); + +var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); + +var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","SERVICED must be run as root"), + dup22, +])); + +var msg521 = msg("SERVICED_NOT_ROOT", part557); + +var msg522 = msg("SERVICED_PID_FILE_LOCK", dup140); + +var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup141); + +var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","routing socket sequence error"), + dup22, +])); + +var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); + +var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","set up of signal name handler failed"), + dup22, +])); + +var 
msg525 = msg("SERVICED_SIGNAL_HANDLER", part559); + +var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed with error"), + dup22, +])); + +var msg526 = msg("SERVICED_SOCKET_CREATE", part560); + +var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2}failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket function failed"), + dup22, +])); + +var msg527 = msg("SERVICED_SOCKET_IO", part561); + +var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to set socket option"), + dup22, +])); + +var msg528 = msg("SERVICED_SOCKET_OPTION", part562); + +var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2}had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","STDLIB FAILURE"), + dup22, +])); + +var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); + +var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Incorrect service usage"), + dup22, +])); + +var msg530 = msg("SERVICED_USAGE", part564); + +var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","object has 
unexpected value"), + dup22, +])); + +var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); + +var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup153); + +var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup153); + +var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup153); + +var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version}AgentX subagent connected", processor_chain([ + dup20, + dup21, + setc("event_description","AgentX subagent connected"), + dup60, + dup22, +])); + +var msg535 = msg("SNMP_NS_LOG_INFO", part566); + +var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1}rows", processor_chain([ + dup20, + dup21, + setc("event_description","ns_subagent registering rows"), + dup60, + dup22, +])); + +var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); + +var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}access group %{group}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup22, +])); + +var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); + +var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr}to unknown community name (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community to unknown community name"), + dup22, +])); + +var msg538 = msg("SNMPD_AUTH_FAILURE", part569); + +var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr}to unknown (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + 
setc("result","failed input interface authorization to unknown"), + dup22, +])); + +var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); + +var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr}to %{saddr}(%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community "), + dup22, +])); + +var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); + +var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup29, + dup21, + dup104, + dup60, + dup61, +])); + +var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); + +var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, +]); + +var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP request exceeded community privileges"), + dup22, +])); + +var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); + +var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr}not allowed", processor_chain([ + dup47, + dup21, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup22, +])); + +var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); + +var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","unauthorized SNMP PDU type"), + dup22, +])); + +var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); + +var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup29, + dup21, + setc("event_description","Configuration database has errors"), + dup22, +])); + +var msg545 = msg("SNMPD_CONFIG_ERROR", part576); + +var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}context %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD CONTEXT ERROR"), + dup22, +])); + +var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); + +var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup22, +])); + +var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); + +var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup29, + dup21, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup22, +])); + +var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); + +var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD FILE FAILURE"), + dup22, +])); + +var msg549 = msg("SNMPD_FILE_FAILURE", part580); + +var part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{agent}: %{result}in %{dclass_counter1}group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD GROUP ERROR"), + dup22, +])); + +var msg550 = msg("SNMPD_GROUP_ERROR", part581); + +var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","snmpd initialization failure"), + dup22, +])); + +var msg551 = msg("SNMPD_INIT_FAILED", part582); + +var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LIBJUNIPER FAILURE"), + dup22, +])); + +var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); + +var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} ", processor_chain([ + dup29, + dup21, + setc("event_description","LOOPBACK ADDR ERROR"), + dup22, +])); + +var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); + +var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup29, + dup21, + setc("event_description","duplicate memory free"), + dup22, +])); + +var msg554 = msg("SNMPD_MEMORY_FREED", part585); + +var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","radix_add failed"), + dup22, +])); + +var msg555 = msg("SNMPD_RADIX_FAILURE", part586); + +var part587 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1}failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup22, +])); + +var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); + +var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMONFILE FAILURE"), + dup22, +])); + +var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); + +var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup29, + dup21, + setc("event_description","Null cookie"), + dup22, +])); + +var msg558 = msg("SNMPD_RMON_COOKIE", part589); + +var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","RMON EVENTLOG"), + dup22, +])); + +var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); + +var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Received io error"), + dup22, +])); + +var msg560 = msg("SNMPD_RMON_IOERROR", part591); + +var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","internal Get request error"), + dup22, +])); + +var msg561 = msg("SNMPD_RMON_MIBERROR", part592); + +var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","sequence mismatch"), + dup22, +])); + +var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); + +var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, +])); + +var msg563 = msg("SNMPD_SEND_FAILURE", part594); + +var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, +])); + +var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); + +var select54 = linear_select([ + msg563, + msg564, +]); + +var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD SOCKET FAILURE"), + dup22, +])); + +var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); + +var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup29, + dup21, + setc("event_description","No buffers available for subagent"), + dup22, +])); + +var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); + +var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Send to subagent failed"), + dup22, +])); + +var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); + +var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","system function failed"), + dup22, +])); + +var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); + +var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup20, + dup21, + setc("event_description","cleared all throttled traps"), + dup22, +])); + +var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); + +var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap: cold start"), + dup22, +])); + +var msg570 = msg("SNMPD_TRAP_COLD_START", part601); + +var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode}(%{result})", processor_chain([ + dup29, + dup21, + dup106, + dup22, +])); + +var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); + +var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup29, + dup21, + dup106, + dup22, +])); + +var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); + +var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result}(%{dclass_counter2}) received", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup22, +])); + +var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); + +var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info}(%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR"), + 
dup22, +])); + +var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); + +var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2}to %{obj_name}queue, %{dclass_counter1}traps in queue", processor_chain([ + dup20, + dup21, + setc("event_description","Adding trap to queue"), + dup22, +])); + +var msg575 = msg("SNMPD_TRAP_QUEUED", part606); + +var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name}sent successfully", processor_chain([ + dup20, + dup21, + setc("event_description","traps queued - sent successfully"), + dup22, +])); + +var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); + +var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1}attempts, deleting %{dclass_counter2}traps queued to %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup22, +])); + +var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); + +var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2}from %{obj_name}queue", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup22, +])); + +var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); + +var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1}traps", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP traps throttled"), + dup22, +])); + +var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); + +var 
part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type})", processor_chain([ + dup29, + dup21, + setc("event_description","unknown SNMP trap type requested"), + dup22, +])); + +var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); + +var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1}varbind to be VT_NUMBER (%{resultcode})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup22, +])); + +var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); + +var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup22, +])); + +var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); + +var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMPD TRAP WARM START"), + dup22, +])); + +var msg583 = msg("SNMPD_TRAP_WARM_START", part614); + +var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}user '%{username}' %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD USER ERROR"), + dup22, +])); + +var msg584 = msg("SNMPD_USER_ERROR", part615); + +var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + 
setc("event_description","SNMP deleting view"), + dup22, +])); + +var msg585 = msg("SNMPD_VIEW_DELETE", part616); + +var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}installing default %{dclass_counter1}view %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","installing default SNMP view"), + dup22, +])); + +var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); + +var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2}oid %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","oid parsing failed for SNMP view"), + dup22, +])); + +var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); + +var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP_GET_ERROR 1"), + dup22, +])); + +var msg588 = msg("SNMP_GET_ERROR1", part619); + +var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 2"), + dup22, +])); + +var msg589 = msg("SNMP_GET_ERROR2", part620); + +var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 3"), + dup22, +])); + +var msg590 = msg("SNMP_GET_ERROR3", part621); + +var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} 
%{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 4"), + dup22, +])); + +var msg591 = msg("SNMP_GET_ERROR4", part622); + +var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP RTSLIB FAILURE"), + dup22, +])); + +var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); + +var part624 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup29, + dup21, + dup107, + dup22, +])); + +var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); + +var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup29, + dup21, + dup107, + dup60, + dup61, +])); + +var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); + +var select55 = linear_select([ + msg593, + msg594, +]); + +var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup20, + dup21, + dup108, + dup22, +])); + +var msg595 = msg("SNMP_TRAP_LINK_UP", part626); + +var part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup20, + dup21, + dup108, + dup60, + dup61, +])); + +var msg596 
= msg("SNMP_TRAP_LINK_UP:01", part627); + +var select56 = linear_select([ + msg595, + msg596, +]); + +var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup22, +])); + +var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); + +var part629 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup22, +])); + +var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); + +var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup22, +])); + +var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); + +var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup22, +])); + +var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); + +var part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup22, +])); + +var msg601 = 
msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); + +var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup22, +])); + +var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); + +var part634 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup22, +])); + +var msg603 = msg("SSHD_LOGIN_FAILED", part634); + +var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type}[junos@%{obj_name}username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup60, + dup51, + setf("process","hfld33"), +])); + +var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); + +var select57 = linear_select([ + msg603, + msg604, +]); + +var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent}addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","task connect failure"), + dup22, +])); + +var msg605 = msg("task_connect", part636); + +var msg606 = msg("TASK_TASK_REINIT", dup147); + +var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected address family"), + dup22, +])); + +var msg607 = msg("TFTPD_AF_ERR", part637); + +var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", 
processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD BIND ERROR"), + dup22, +])); + +var msg608 = msg("TFTPD_BIND_ERR", part638); + +var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CONNECT ERROR"), + dup22, +])); + +var msg609 = msg("TFTPD_CONNECT_ERR", part639); + +var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol}from address %{daddr}port %{dport}file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD CONNECT INFO"), + dup22, +])); + +var msg610 = msg("TFTPD_CONNECT_INFO", part640); + +var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CREATE ERROR"), + dup22, +])); + +var msg611 = msg("TFTPD_CREATE_ERR", part641); + +var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FIO ERR"), + dup22, +])); + +var msg612 = msg("TFTPD_FIO_ERR", part642); + +var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FORK ERROR"), + dup22, +])); + +var msg613 = msg("TFTPD_FORK_ERR", part643); + +var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD NAK ERROR"), + dup22, +])); + +var msg614 = msg("TFTPD_NAK_ERR", part644); + +var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, +])); + +var msg615 = msg("TFTPD_OPEN_ERR", part645); + +var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1}blocks of %{dclass_counter2}size for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup22, +])); + +var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); + +var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECVFROM ERROR"), + dup22, +])); + +var msg617 = msg("TFTPD_RECVFROM_ERR", part647); + +var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECV ERROR"), + dup22, +])); + +var msg618 = msg("TFTPD_RECV_ERR", part648); + +var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1}blocks of %{dclass_counter2}and %{info}for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup22, +])); + +var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); + +var part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SEND ERROR"), + dup22, +])); + +var msg620 = msg("TFTPD_SEND_ERR", part650); + +var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup29, + 
dup21, + setc("event_description","TFTPD SOCKET ERROR"), + dup22, +])); + +var msg621 = msg("TFTPD_SOCKET_ERR", part651); + +var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD STATFS ERROR"), + dup22, +])); + +var msg622 = msg("TFTPD_STATFS_ERR", part652); + +var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1}to interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","adding neighbor to interface"), + dup22, +])); + +var msg623 = msg("TNP", part653); + +var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33}started", processor_chain([ + dup20, + dup21, + setc("event_description","tracing to file"), + dup22, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), +])); + +var msg624 = msg("trace_on", part654); + +var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","trace rotating file"), + dup22, +])); + +var msg625 = msg("trace_rotate", part655); + +var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","transfered file"), + dup22, +])); + +var msg626 = msg("transfer-file", part656); + +var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","ttloop - peer died"), + dup22, +])); + +var msg627 = msg("ttloop", part657); + +var part658 = match("MESSAGE#623:UI_AUTH_EVENT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated user"), + dup22, +])); + +var msg628 = msg("UI_AUTH_EVENT", part658); + +var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup29, + dup21, + setc("event_description","Received invalid authentication challenge for user response"), + dup22, +])); + +var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); + +var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch boot time"), + dup22, +])); + +var msg630 = msg("UI_BOOTTIME_FAILED", part660); + +var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2}path unknown", processor_chain([ + dup29, + dup21, + setc("event_description","user path unknown"), + dup22, +])); + +var msg631 = msg("UI_CFG_AUDIT_NEW", part661); + +var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %(unknown)security policies %{policyname}] %{info}", processor_chain([ + dup41, + dup21, + setc("event_description"," user Inserted Security Policies in config"), + dup22, +])); + +var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); + +var select58 = linear_select([ + msg631, + msg632, +]); + +var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + 
dup20, + dup21, + setc("event_description","User deleted file"), + setc("action","delete"), + dup22, +])); + +var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); + +var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","User rollback file"), + dup22, +])); + +var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); + +var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); + +var select59 = linear_select([ + part665, + dup111, +]); + +var all31 = all_match({ + processors: [ + dup110, + select59, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","User set"), + dup22, + ]), +}); + +var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + +var part666 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %(unknown)applications %{info}]", processor_chain([ + dup20, + dup21, + setc("event_description","User config replace"), + setc("action","replace"), + dup22, +])); + +var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part666); + +var part667 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}] ", processor_chain([ + setc("eventcategory","1701070000"), + dup21, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + dup22, +])); + +var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part667); + +var part668 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup112, + dup21, + setc("event_description","User updates config file"), + setc("action","update"), + dup22, +])); + +var msg638 = 
msg("UI_CFG_AUDIT_OTHER:05", part668); + +var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, +]); + +var part669 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + +var select61 = linear_select([ + part669, + dup113, +]); + +var all32 = all_match({ + processors: [ + dup110, + select61, + dup114, + ], + on_success: processor_chain([ + dup20, + dup21, + dup115, + dup22, + ]), +}); + +var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + +var part670 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + +var select62 = linear_select([ + part670, + dup113, +]); + +var all33 = all_match({ + processors: [ + dup110, + select62, + dup114, + ], + on_success: processor_chain([ + dup20, + dup21, + dup115, + dup22, + ]), +}); + +var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + +var part671 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %(unknown)applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup20, + dup21, + setc("event_description","User replace config application(s)"), + dup22, +])); + +var msg641 = msg("UI_CFG_AUDIT_SET", part671); + +var select63 = linear_select([ + msg639, + msg640, + msg641, +]); + +var part672 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info}secret]"); + +var all34 = all_match({ + processors: [ + dup116, + dup154, + part672, + ], + on_success: processor_chain([ + dup112, + dup21, + dup119, + dup22, + ]), +}); + +var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + +var part673 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + +var all35 = all_match({ + processors: [ + dup116, + dup154, + part673, + ], + on_success: processor_chain([ + dup112, + dup21, + dup119, + dup22, + ]), +}); + +var msg643 = 
msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + +var part674 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup20, + dup21, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup22, +])); + +var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part674); + +var select64 = linear_select([ + msg642, + msg643, + msg644, +]); + +var part675 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup29, + dup21, + setc("event_description","Too many arguments for child process"), + dup22, +])); + +var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part675); + +var part676 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to switch to local user"), + dup22, +])); + +var msg646 = msg("UI_CHILD_CHANGE_USER", part676); + +var part677 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed"), + dup22, +])); + +var msg647 = msg("UI_CHILD_EXEC", part677); + +var part678 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Child exited"), + dup22, +])); + +var msg648 = msg("UI_CHILD_EXITED", part678); + +var part679 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Unable to append to log"), + dup22, +])); + +var msg649 = msg("UI_CHILD_FOPEN", part679); + +var part680 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create pipe for command"), + dup22, +])); + +var msg650 = msg("UI_CHILD_PIPE_FAILED", part680); + +var part681 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup20, + dup21, + dup60, + setc("event_description","Child received signal"), + dup22, +])); + +var msg651 = msg("UI_CHILD_SIGNALED", part681); + +var part682 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode}command='%{action}')", processor_chain([ + dup20, + dup21, + setc("event_description","Child stopped"), + dup22, +])); + +var msg652 = msg("UI_CHILD_STOPPED", part682); + +var part683 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup20, + dup21, + setc("event_description","Starting child"), + dup22, +])); + +var msg653 = msg("UI_CHILD_START", part683); + +var part684 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Cleanup child"), + dup22, +])); + +var msg654 = msg("UI_CHILD_STATUS", part684); + +var part685 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: 
%{result}", processor_chain([ + dup29, + dup21, + setc("event_description","waitpid failed"), + dup22, +])); + +var msg655 = msg("UI_CHILD_WAITPID", part685); + +var part686 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Idle timeout for user exceeded"), + dup22, +])); + +var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part686); + +var part687 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup120, + dup22, +])); + +var msg657 = msg("UI_CMDLINE_READ_LINE", part687); + +var part688 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Command execution failed"), + dup22, +])); + +var msg658 = msg("UI_CMDSET_EXEC_FAILED", part688); + +var part689 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork command"), + dup22, +])); + +var msg659 = msg("UI_CMDSET_FORK_FAILED", part689); + +var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup142); + +var part690 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup69, + dup22, +])); + +var msg661 = msg("UI_CMDSET_STOPPED", part690); + +var part691 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", 
processor_chain([ + dup29, + dup21, + dup71, + dup22, +])); + +var msg662 = msg("UI_CMDSET_WEXITED", part691); + +var part692 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Invalid regexp command"), + dup22, +])); + +var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part692); + +var part693 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); + +var part694 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); + +var select65 = linear_select([ + part693, + part694, +]); + +var all36 = all_match({ + processors: [ + dup116, + select65, + ], + on_success: processor_chain([ + dup20, + dup21, + dup121, + dup22, + ]), +}); + +var msg664 = msg("UI_COMMIT", all36); + +var part695 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup20, + dup21, + dup121, + dup22, +])); + +var msg665 = msg("UI_COMMIT_AT", part695); + +var part696 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ + dup20, + dup21, + setc("event_description","User commit successful"), + dup22, +])); + +var msg666 = msg("UI_COMMIT_AT_COMPLETED", part696); + +var part697 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","User commit failed"), + dup22, +])); + +var msg667 = msg("UI_COMMIT_AT_FAILED", part697); + +var part698 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", 
processor_chain([ + dup29, + dup21, + setc("event_description","Unable to compress file"), + dup22, +])); + +var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part698); + +var part699 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","UI COMMIT CONFIRMED"), + dup22, +])); + +var msg669 = msg("UI_COMMIT_CONFIRMED", part699); + +var part700 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + +var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); + +var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); + +var select66 = linear_select([ + part701, + part702, +]); + +var all37 = all_match({ + processors: [ + part700, + select66, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup22, + ]), +}); + +var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + +var part703 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "%{}'%{username}' performed '%{action}'"); + +var all38 = all_match({ + processors: [ + dup49, + dup143, + part703, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","user performed commit confirm"), + dup22, + ]), +}); + +var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + +var part704 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Skipped empty object"), + dup22, +])); + +var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part704); + +var part705 = 
match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","COMMIT NOT CONFIRMED"), + dup22, +])); + +var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part705); + +var part706 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + +var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + +var select67 = linear_select([ + part706, + part707, +]); + +var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + +var all39 = all_match({ + processors: [ + dup49, + select67, + part708, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","Commit operation in progress"), + dup22, + ]), +}); + +var msg674 = msg("UI_COMMIT_PROGRESS", all39); + +var part709 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT QUIT"), + dup22, +])); + +var msg675 = msg("UI_COMMIT_QUIT", part709); + +var part710 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rollback failed"), + dup22, +])); + +var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part710); + +var part711 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT SYNC"), + dup22, +])); + +var msg677 = msg("UI_COMMIT_SYNC", part711); + +var part712 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local 
configuration database were terminated because %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","All logins to local configuration database were terminated"), + dup22, +])); + +var msg678 = msg("UI_COMMIT_SYNC_FORCE", part712); + +var part713 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + +var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + +var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + +var select68 = linear_select([ + part714, + part715, +]); + +var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); + +var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + +var select69 = linear_select([ + part717, + dup111, +]); + +var all40 = all_match({ + processors: [ + part713, + select68, + part716, + select69, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","CONFIGURATION ERROR"), + dup22, + ]), +}); + +var msg679 = msg("UI_CONFIGURATION_ERROR", all40); + +var part718 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); + +var all41 = all_match({ + processors: [ + dup49, + dup155, + part718, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket connection accept failed"), + dup22, + ]), +}); + +var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + +var part719 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create session child"), + dup22, +])); + +var msg681 = msg("UI_DAEMON_FORK_FAILED", part719); + +var part720 = 
match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DAEMON SELECT FAILED"), + dup22, +])); + +var msg682 = msg("UI_DAEMON_SELECT_FAILED", part720); + +var part721 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); + +var all42 = all_match({ + processors: [ + dup49, + dup155, + part721, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed"), + dup22, + ]), +}); + +var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + +var part722 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to reaccess database file"), + dup22, +])); + +var msg684 = msg("UI_DBASE_ACCESS_FAILED", part722); + +var part723 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup29, + dup21, + setc("event_description","Database is out of data"), + dup22, +])); + +var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part723); + +var part724 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to extend database file"), + dup22, +])); + +var msg686 = msg("UI_DBASE_EXTEND_FAILED", part724); + +var part725 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup32, 
+ dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","User entering configuration mode"), + dup22, +])); + +var msg687 = msg("UI_DBASE_LOGIN_EVENT", part725); + +var part726 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup124, + dup33, + dup34, + dup125, + dup36, + dup21, + setc("event_description","User exiting configuration mode"), + dup22, +])); + +var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part726); + +var part727 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header extent mismatch"), + dup22, +])); + +var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part727); + +var part728 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header major version number mismatch"), + dup22, +])); + +var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part728); + +var part729 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header minor version number mismatch"), + dup22, +])); + +var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part729); + +var part730 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for 
file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Database header sequence numbers mismatch"), + dup22, +])); + +var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part730); + +var part731 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header size mismatch"), + dup22, +])); + +var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part731); + +var part732 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Database open failed"), + dup22, +])); + +var msg694 = msg("UI_DBASE_OPEN_FAILED", part732); + +var part733 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + dup29, + dup21, + setc("event_description","DBASE REBUILD FAILED"), + dup22, +])); + +var msg695 = msg("UI_DBASE_REBUILD_FAILED", part733); + +var part734 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rebuild of the database failed"), + dup22, +])); + +var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part734); + +var part735 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + +var select70 = linear_select([ + dup75, + part735, +]); + +var part736 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username}rebuild/rollback of the database '%(unknown)' started"); + +var all43 = 
all_match({ + processors: [ + dup49, + select70, + part736, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","DBASE REBUILD STARTED"), + dup22, + ]), +}); + +var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + +var part737 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup20, + dup21, + setc("event_description","user attempting database re-creation"), + dup22, +])); + +var msg698 = msg("UI_DBASE_RECREATE", part737); + +var part738 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Reopen of the database failed"), + dup22, +])); + +var msg699 = msg("UI_DBASE_REOPEN_FAILED", part738); + +var part739 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username}have the same UID %{uid}", processor_chain([ + dup29, + dup21, + setc("event_description","Users have the same UID"), + dup22, +])); + +var msg700 = msg("UI_DUPLICATE_UID", part739); + +var part740 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ + setc("eventcategory","1401050100"), + dup21, + setc("event_description","User used JUNOScript client to run command"), + dup22, +])); + +var msg701 = msg("UI_JUNOSCRIPT_CMD", part740); + +var part741 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JUNOScript error"), + dup22, +])); + +var msg702 = msg("UI_JUNOSCRIPT_ERROR", part741); + +var part742 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","User command"), + dup22, +])); + +var msg703 = msg("UI_LOAD_EVENT", part742); + +var part743 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup21, + setc("event_description","Loading default config from file"), + dup22, +])); + +var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part743); + +var part744 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info}'%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup126, + dup127, + dup22, +])); + +var msg705 = msg("UI_LOGIN_EVENT:01", part744); + +var part745 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup126, + dup22, +])); + +var msg706 = msg("UI_LOGIN_EVENT", part745); + +var select71 = linear_select([ + msg705, + msg706, +]); + +var part746 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup124, + dup33, + dup34, + dup125, + dup36, + dup21, + setc("event_description","User logout"), + dup22, +])); + +var msg707 = msg("UI_LOGOUT_EVENT", part746); + +var part747 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","Lost connection to daemon"), + dup22, +])); + +var 
msg708 = msg("UI_LOST_CONN", part747); + +var part748 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}by '%{username}'", processor_chain([ + dup20, + dup21, + setc("event_description","MASTERSHIP EVENT"), + dup22, +])); + +var msg709 = msg("UI_MASTERSHIP_EVENT", part748); + +var part749 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Terminating operation"), + dup22, +])); + +var msg710 = msg("UI_MGD_TERMINATE", part749); + +var part750 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup28, + dup21, + setc("event_description","User used NETCONF client to run command"), + dup22, +])); + +var msg711 = msg("UI_NETCONF_CMD", part750); + +var part751 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","read failed for peer"), + dup22, +])); + +var msg712 = msg("UI_READ_FAILED", part751); + +var part752 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup29, + dup21, + setc("event_description","Timeout on read of peer"), + dup22, +])); + +var msg713 = msg("UI_READ_TIMEOUT", part752); + +var part753 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action}by '%{username}'", processor_chain([ + dup59, + dup21, + setc("event_description","System reboot or halt"), + dup22, +])); + +var msg714 = msg("UI_REBOOT_EVENT", part753); + +var part754 = match("MESSAGE#710:UI_RESTART_EVENT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup28, + dup21, + setc("event_description","user restarting daemon"), + dup22, +])); + +var msg715 = msg("UI_RESTART_EVENT", part754); + +var part755 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema is out of date"), + dup22, +])); + +var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part755); + +var part756 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema major version mismatch"), + dup22, +])); + +var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part756); + +var part757 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema minor version mismatch"), + dup22, +])); + +var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part757); + +var part758 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Schema header sequence numbers mismatch"), + dup22, +])); + +var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part758); + +var part759 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup29, + dup21, + setc("event_description","Schema sequence number mismatch"), + dup22, +])); + +var msg720 = 
msg("UI_SCHEMA_SEQUENCE_ERROR", part759); + +var part760 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup22, +])); + +var msg721 = msg("UI_SYNC_OTHER_RE", part760); + +var part761 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup128, + dup22, +])); + +var msg722 = msg("UI_TACPLUS_ERROR", part761); + +var part762 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch system version"), + dup22, +])); + +var msg723 = msg("UI_VERSION_FAILED", part762); + +var part763 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup20, + dup21, + setc("event_description","Re-establishing connection to peer"), + dup22, +])); + +var msg724 = msg("UI_WRITE_RECONNECT", part763); + +var part764 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface}(local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Interface new master for User"), + dup22, +])); + +var msg725 = msg("VRRPD_NEWMASTER_TRAP", part764); + +var part765 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name}(username %{c_username})", processor_chain([ + dup68, + dup33, + dup34, + dup42, + dup21, + setc("event_description","Unable to authenticate 
client"), + dup22, +])); + +var msg726 = msg("WEB_AUTH_FAIL", part765); + +var part766 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent}client (username %{c_username})", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated client"), + dup22, +])); + +var msg727 = msg("WEB_AUTH_SUCCESS", part766); + +var part767 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup21, + setc("event_description","web request from unauthorized interface"), + dup22, +])); + +var msg728 = msg("WEB_INTERFACE_UNAUTH", part767); + +var part768 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Unable to read from client"), + dup22, +])); + +var msg729 = msg("WEB_READ", part768); + +var part769 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup21, + setc("event_description","failed to check web request"), + dup22, +])); + +var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part769); + +var part770 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup73, + dup52, + dup42, + dup21, + dup51, +])); + +var msg731 = msg("FLOW_REASSEMBLE_FAIL", part770); + +var part771 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup28, + 
dup21, + setc("event_description","Bridge Address"), + dup22, +])); + +var msg732 = msg("eswd", part771); + +var part772 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface}context id %{id}changed from %{fld3}", processor_chain([ + dup28, + dup21, + setc("event_description","ESWD STP State Change Info"), + dup22, +])); + +var msg733 = msg("eswd:01", part772); + +var select72 = linear_select([ + msg732, + msg733, +]); + +var part773 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup28, + dup21, + dup25, + dup22, +])); + +var msg734 = msg("/usr/sbin/cron", part773); + +var part774 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","Link status change event"), + dup22, +])); + +var msg735 = msg("chassism:02", part774); + +var part775 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","ifd process flaps"), + dup22, +])); + +var msg736 = msg("chassism:01", part775); + +var part776 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","IFCM "), + dup22, +])); + +var msg737 = msg("chassism", part776); + +var select73 = linear_select([ + msg735, + msg736, + msg737, +]); + +var msg738 = msg("WEBFILTER_URL_PERMITTED", dup156); + +var part777 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" 
object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}OBJ=%{fld7}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part777); + +var part778 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part778); + +var part779 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part779); + +var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, +]); + +var msg742 = msg("WEBFILTER_URL_BLOCKED", dup156); + +var part780 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" 
%{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part780); + +var select75 = linear_select([ + msg742, + msg743, +]); + +var part781 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url}on port %{network_port}failed\u003c\u003c%{result}>.", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup127, +])); + +var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part781); + +var part782 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname}on ip %{hostip}port %{network_port->} %{result}.", processor_chain([ + dup45, + dup46, + dup22, +])); + +var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part782); + +var part783 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup127, +])); + +var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part783); + +var part784 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup127, +])); + +var msg747 = msg("SECINTEL_ERROR_OTHERS", part784); + +var part785 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup127, +])); + +var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part785); + +var part786 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup45, + dup46, 
+ dup22, + dup21, + dup127, +])); + +var msg749 = msg("LACPD_TIMEOUT", part786); + +var msg750 = msg("cli", dup157); + +var msg751 = msg("pfed", dup157); + +var msg752 = msg("idpinfo", dup157); + +var msg753 = msg("kmd", dup157); + +var part787 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node}Next-hop resolution requests from interface %{interface}throttled", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg754 = msg("node:01", part787); + +var part788 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg755 = msg("node:02", part788); + +var part789 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg756 = msg("node:03", part789); + +var part790 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1}key %{fld2->} %{fld3}port priority %{fld6->} %{fld4}port %{portname->} %{fld5}state %{resultcode}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg757 = msg("node:04", part790); + +var select76 = linear_select([ + dup130, + dup131, +]); + +var part791 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + +var select77 = linear_select([ + dup131, + dup130, +]); + +var part792 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + +var all44 = all_match({ + processors: [ + dup129, + select76, + part791, + select77, + part792, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg758 = msg("node:05", all44); + +var part793 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + +var part794 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type 
%{fld1}"); + +var select78 = linear_select([ + part793, + part794, +]); + +var all45 = all_match({ + processors: [ + dup129, + select78, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg759 = msg("node:06", all45); + +var part795 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface}trigger reth_scan", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg760 = msg("node:07", part795); + +var part796 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg761 = msg("node:08", part796); + +var part797 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg762 = msg("node:09", part797); + +var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, +]); + +var part798 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}: deleting active remote neighbor entry %{fld2}from interface %{interface}.", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg763 = msg("(FPC:01", part798); + +var part799 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}deleting nb %{fld2}on ifd %{interface}for cid %{fld3}from active neighbor table", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg764 = msg("(FPC:02", part799); + +var part800 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}: M%{p0}"); + +var part801 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + +var part802 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + +var select80 = linear_select([ + part801, + part802, +]); + +var part803 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received 
for interface %{interface}, member of %{fld4}"); + +var all46 = all_match({ + processors: [ + part800, + select80, + part803, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + dup23, + ]), +}); + +var msg765 = msg("(FPC:03", all46); + +var part804 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg766 = msg("(FPC:04", part804); + +var part805 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node}kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2}dest %{fld4}:%{fld5}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg767 = msg("(FPC:05", part805); + +var part806 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg768 = msg("(FPC", part806); + +var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, +]); + +var part807 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup47, + dup22, + dup21, + dup23, +])); + +var msg769 = msg("tnp.bootpd", part807); + +var part808 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup47, + dup51, + dup21, + dup60, +])); + +var msg770 = 
msg("AAMW_ACTION_LOG", part808); + +var part809 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup132, + dup51, + dup21, + dup60, +])); + +var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part809); + +var part810 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup132, + dup51, + dup21, +])); + +var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part810); + +var part811 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32}epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8}inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" 
packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup80, + dup51, + dup21, + dup60, +])); + +var msg773 = msg("IDP_ATTACK_LOG_EVENT", part811); + +var part812 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup80, + dup51, + dup21, + dup60, +])); + +var msg774 = msg("RT_SCREEN_ICMP", part812); + +var part813 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup45, + dup51, + dup21, + dup60, +])); + +var msg775 = msg("SECINTEL_ACTION_LOG", part813); + +var part814 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); + +var part815 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); + +var part816 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); + +var select82 = linear_select([ + part815, + part816, +]); + +var part817 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); + +var all47 = all_match({ + processors: [ + part814, + select82, + 
part817, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + ]), +}); + +var msg776 = msg("qsfp", all47); + +var part818 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup120, + dup22, +])); + +var msg777 = msg("JUNOSROUTER_GENERIC:03", part818); + +var part819 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup124, + dup33, + dup34, + dup125, + dup36, + dup21, + setc("event_description","LOGOUT"), + dup22, +])); + +var msg778 = msg("JUNOSROUTER_GENERIC:04", part819); + +var part820 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup128, + dup22, +])); + +var msg779 = msg("JUNOSROUTER_GENERIC:05", part820); + +var part821 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip}(%{hostname}): peer: %{daddr}us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, +])); + +var msg780 = msg("JUNOSROUTER_GENERIC:06", part821); + +var part822 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr}(%{dhost}): code %{resultcode}(%{action}), Reason: %{result->} ", processor_chain([ + dup20, + dup21, + dup37, + dup22, +])); + +var msg781 = msg("JUNOSROUTER_GENERIC:07", part822); + +var part823 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); + +var part824 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8->} "); + +var 
part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}) "); + +var select83 = linear_select([ + part824, + part825, +]); + +var all48 = all_match({ + processors: [ + part823, + select83, + ], + on_success: processor_chain([ + dup20, + dup21, + dup37, + dup22, + ]), +}); + +var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + +var part826 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg783 = msg("JUNOSROUTER_GENERIC:09", part826); + +var part827 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type}Interface Monitor failed %{fld1}", processor_chain([ + dup133, + dup22, + dup21, + setc("event_description","Interface Monitor failed "), + dup23, +])); + +var msg784 = msg("JUNOSROUTER_GENERIC:01", part827); + +var part828 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type}Interface Monitor failure recovered %{fld1}", processor_chain([ + dup133, + dup22, + dup21, + setc("event_description","Interface Monitor failure recovered"), + dup23, +])); + +var msg785 = msg("JUNOSROUTER_GENERIC:02", part828); + +var part829 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup133, + dup22, + dup21, + dup23, +])); + +var msg786 = msg("JUNOSROUTER_GENERIC", part829); + +var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, +]); + +var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + 
"AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + "BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + "BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + 
"CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + "CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + 
"ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + "FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + "GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + 
"LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + "MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": 
msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, + "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + 
"RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + "RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + "RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + 
"RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, + "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + "RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + 
"SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, + "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + 
"SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + "SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + "TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + 
"UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + "UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + "UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + 
"UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + "crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + 
"transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), +]); + +var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + +var part830 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + +var part831 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + +var part832 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + +var part833 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + +var part834 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + +var part835 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + +var part836 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + +var part837 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + +var part838 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + +var part839 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + +var part840 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + +var part841 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid}[%{payload}"); + +var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var part842 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + +var part843 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + +var part844 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + +var part845 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + +var part846 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + +var part847 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + +var part848 = 
match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + +var part849 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var part850 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + +var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + +var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + +var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + +var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + +var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + +var part856 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + +var part857 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + +var part858 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var part859 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + +var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", 
"nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + +var part863 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + +var part864 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + +var part865 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + +var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + +var part867 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + +var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + +var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + +var part870 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + +var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + +var part872 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + +var part873 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var part874 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + +var select85 = linear_select([ + dup12, + dup13, + dup14, + dup15, +]); + +var select86 = linear_select([ + dup39, + dup40, +]); + +var part875 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, +])); + +var part876 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory 
allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, +])); + +var part877 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, +])); + +var part878 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, +])); + +var part879 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, +])); + +var part880 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, +])); + +var part881 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, +])); + +var select87 = linear_select([ + dup75, + dup76, +]); + +var part882 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid}changed from %{dclass_counter1}to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, +])); + +var part883 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, +])); + +var part884 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time 
during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, +])); + +var part885 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, +])); + +var select88 = linear_select([ + dup87, + dup88, +]); + +var select89 = linear_select([ + dup89, + dup90, +]); + +var select90 = linear_select([ + dup95, + dup96, +]); + +var select91 = linear_select([ + dup101, + dup102, +]); + +var part886 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var part887 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type}[junos@%{obj_name}logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, +])); + +var select92 = linear_select([ + dup117, + dup118, +]); + +var select93 = linear_select([ + dup122, + dup123, +]); + +var part888 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" 
profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}OBJ=%{fld7}USERNAME=%{fld8}ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var part889 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, +])); diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml new file mode 100644 index 00000000000..64ad00379f7 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Juniper JUNOS + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
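Review bot: The `on_failure` handler at the end of this pipeline appends the failure text to `error.message` but leaves the document otherwise indistinguishable from a cleanly processed event, so a processor error (for example the geoip step rejecting a `source.ip` value that is not an IP address) still lands in the dataset with nothing a detection query can filter on. Consider adding `- set: { field: event.kind, value: pipeline_error }` next to the `append` so failed events are identifiable and can be excluded or alerted on. The `source.ip`/`destination.ip` fields the geoip lookups depend on are populated by the generated parser in the preceding hunk, so whether they can carry non-IP strings is not visible here; the `ignore_missing: true` flags only cover the absent-field case, not malformed values.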
diff --git a/x-pack/filebeat/module/juniper/junos/manifest.yml b/x-pack/filebeat/module/juniper/junos/manifest.yml new file mode 100644 index 00000000000..ddc58972851 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["juniper.junos", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9513 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md new file mode 100644 index 00000000000..a7cdb6ac752 --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/README.md @@ -0,0 +1,7 @@ +# kaspersky module + +This is a module for Kaspersky Anti-Virus logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 +at 2020-07-07 18:10:46.758192 +0000 UTC. + diff --git a/x-pack/filebeat/module/kaspersky/_meta/config.yml b/x-pack/filebeat/module/kaspersky/_meta/config.yml new file mode 100644 index 00000000000..befc314eb68 --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/_meta/config.yml @@ -0,0 +1,19 @@ +- module: kaspersky + av: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9514 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
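Review bot: The defaults `input: udp` and `syslog_host: localhost` in this manifest mean the module ships as an unauthenticated UDP syslog listener, and because UDP source addresses are trivially forged, anything that can reach the port can inject events that carry the `forwarded` tag and whatever `host.name` the parser derives from the message. That is a property of syslog rather than a defect in this file, but the module documentation (outside this hunk) should state it and recommend `var.input: tcp` with TLS where the shared syslog input config supports it, or restricting the listener to the Juniper sources at the network level. The remaining defaults (`community_id`, `tz_offset`, `rsa_fields`, `keep_raw_fields`) match the other converted modules in this series.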
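Review bot: The sample config for the kaspersky `av` fileset documents `var.rsa_fields` but omits `var.keep_raw_fields`, which the accompanying docs.asciidoc describes and which controls whether the raw parser fields are emitted under `rsa.raw`. Since raw fields can carry the full original message, operators deciding what to retain should see the toggle here too; add `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false` after the `var.rsa_fields` comment.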
diff --git a/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc b/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc new file mode 100644 index 00000000000..0522311ff49 --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc @@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: kaspersky +:has-dashboards: false + +== Kaspersky module + +experimental[] + +This is a module for receiving Kaspersky Anti-Virus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: av + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `av` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "kasperskyav" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9514` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + 
diff --git a/x-pack/filebeat/module/kaspersky/_meta/fields.yml b/x-pack/filebeat/module/kaspersky/_meta/fields.yml new file mode 100644 index 00000000000..9d6e927574d --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: kaspersky + title: Kaspersky Anti-Virus + description: > + kaspersky fields. + fields: diff --git a/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml b/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/kaspersky/av/config/input.yml b/x-pack/filebeat/module/kaspersky/av/config/input.yml new file mode 100644 index 00000000000..5d86e5c695c --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/av/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Kaspersky"
+ product: "Kaspersky"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/kaspersky/av/config/liblogparser.js
+ - ${path.home}/module/kaspersky/av/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]},
+ "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "user.name", setter: fld_append}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + +var dup13 = match("MESSAGE#51:HTTP:Object_Infected/1_0", 
"nwparser.p0", "object %{p0}"); + +var dup14 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + +var dup15 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + +var dup16 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + +var dup17 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + +var dup18 = setf("msg","$MSG"); + +var dup19 = date_time({ + dest: "event_time", + args: ["fld11","fld12","fld13"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], +}); + +var dup20 = setf("obj_type","protocol"); + +var dup21 = setc("eventcategory","1601020000"); + +var dup22 = lookup({ + dest: "nwparser.severity", + map: map_getSeveritylevel, + key: dup3, +}); + +var dup23 = linear_select([ + dup13, + dup14, +]); + +var dup24 = linear_select([ + dup15, + dup16, +]); + +var dup25 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var dup26 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var dup27 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, 
+])); + +var dup28 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup29 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var dup30 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup31 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup32 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup33 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, +])); + +var dup34 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, +])); + +var dup35 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%kasperskyav: %{hfld1}^^%{hrecorded_time}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("^^"), + field("hrecorded_time"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%kasperskyav-%{hlevel}: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED:01", dup25); + +var msg2 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED", dup26); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = 
msg("KLSRV_EVENT_HOSTS_NOT_VISIBLE", dup26); + +var msg4 = msg("KLSRV_HOST_STATUS_WARNING:01", dup25); + +var msg5 = msg("KLSRV_HOST_STATUS_WARNING", dup26); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var part1 = match("MESSAGE#5:KLSRV_RUNTIME_ERROR", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup4, + dup2, + dup22, +])); + +var msg6 = msg("KLSRV_RUNTIME_ERROR", part1); + +var msg7 = msg("KLSRV_HOST_STATUS_CRITICAL:01", dup25); + +var msg8 = msg("KLSRV_HOST_STATUS_CRITICAL", dup26); + +var select4 = linear_select([ + msg7, + msg8, +]); + +var msg9 = msg("KLSRV_HOST_MOVED_WITH_RULE_EX", dup26); + +var msg10 = msg("KLSRV_HOST_OUT_CONTROL", dup26); + +var msg11 = msg("KLSRV_INVISIBLE_HOSTS_REMOVED", dup26); + +var msg12 = msg("KLAUD_EV_OBJECTMODIFY:01", dup27); + +var msg13 = msg("KLAUD_EV_OBJECTMODIFY", dup28); + +var select5 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("KLAUD_EV_TASK_STATE_CHANGED:01", dup27); + +var msg15 = msg("KLAUD_EV_TASK_STATE_CHANGED", dup28); + +var select6 = linear_select([ + msg14, + msg15, +]); + +var msg16 = msg("KLAUD_EV_ADMGROUP_CHANGED:01", dup27); + +var msg17 = msg("KLAUD_EV_ADMGROUP_CHANGED", dup28); + +var select7 = linear_select([ + msg16, + msg17, +]); + +var msg18 = msg("KLAUD_EV_SERVERCONNECT:01", dup27); + +var msg19 = msg("KLAUD_EV_SERVERCONNECT", dup28); + +var select8 = linear_select([ + msg18, + msg19, +]); + +var msg20 = msg("00010009", dup26); + +var msg21 = msg("00010013", dup26); + +var msg22 = msg("00020006", dup26); + +var msg23 = msg("00020007", dup26); + +var msg24 = msg("00020008", dup26); + +var msg25 = msg("00030006", dup26); + +var msg26 = msg("00030015", dup26); + +var msg27 = msg("00040007", dup26); + +var msg28 = msg("00040008", dup26); + +var 
part2 = match("MESSAGE#28:GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld19}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg29 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", part2); + +var part3 = match("MESSAGE#29:GNRL_EV_SUSPICIOUS_OBJECT_FOUND", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg30 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND", part3); + +var select9 = linear_select([ + msg29, + msg30, +]); + +var part4 = match("MESSAGE#30:GNRL_EV_OBJECT_CURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg31 = msg("GNRL_EV_OBJECT_CURED:01", part4); + +var msg32 = msg("GNRL_EV_OBJECT_CURED", dup29); + +var select10 = linear_select([ + msg31, + msg32, +]); + +var part5 = match("MESSAGE#32:GNRL_EV_OBJECT_NOTCURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, +])); + +var msg33 = msg("GNRL_EV_OBJECT_NOTCURED:01", part5); + +var msg34 = msg("GNRL_EV_OBJECT_NOTCURED", dup29); + +var select11 = linear_select([ + 
msg33, + msg34, +]); + +var part6 = match("MESSAGE#34:GNRL_EV_OBJECT_DELETED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg35 = msg("GNRL_EV_OBJECT_DELETED:01", part6); + +var msg36 = msg("GNRL_EV_OBJECT_DELETED", dup29); + +var select12 = linear_select([ + msg35, + msg36, +]); + +var part7 = match("MESSAGE#36:GNRL_EV_VIRUS_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Virus '%{fld7}' detected in message from '%{from}' to '%{to}'.^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + setc("event_description","Virus detected in email message"), +])); + +var msg37 = msg("GNRL_EV_VIRUS_FOUND:01", part7); + +var part8 = match("MESSAGE#37:GNRL_EV_VIRUS_FOUND:03", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, +])); + +var msg38 = msg("GNRL_EV_VIRUS_FOUND:03", part8); + +var msg39 = msg("GNRL_EV_VIRUS_FOUND:02", dup29); + +var select13 = linear_select([ + msg37, + msg38, + msg39, +]); + +var part9 = match("MESSAGE#39:GNRL_EV_VIRUS_OUTBREAK", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup22, +])); + +var msg40 = 
msg("GNRL_EV_VIRUS_OUTBREAK", part9); + +var part10 = match("MESSAGE#40:GNRL_EV_ATTACK_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{threat_name}^^%{protocol}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup9, + dup10, + dup11, + dup2, + dup22, +])); + +var msg41 = msg("GNRL_EV_ATTACK_DETECTED:01", part10); + +var part11 = match("MESSAGE#41:GNRL_EV_ATTACK_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup9, + dup10, + dup11, + dup2, + dup22, +])); + +var msg42 = msg("GNRL_EV_ATTACK_DETECTED", part11); + +var select14 = linear_select([ + msg41, + msg42, +]); + +var msg43 = msg("KLEVP_GroupTaskSyncState:01", dup30); + +var msg44 = msg("KLEVP_GroupTaskSyncState", dup31); + +var select15 = linear_select([ + msg43, + msg44, +]); + +var msg45 = msg("KLPRCI_TaskState:01", dup30); + +var msg46 = msg("KLPRCI_TaskState", dup31); + +var select16 = linear_select([ + msg45, + msg46, +]); + +var msg47 = msg("KLSRV_EV_LICENSE_CHECK_90", dup32); + +var msg48 = msg("KLNAG_EV_INV_APP_UNINSTALLED", dup32); + +var msg49 = msg("KLNAG_EV_DEVICE_ARRIVAL", dup32); + +var msg50 = msg("KLNAG_EV_DEVICE_REMOVE", dup32); + +var msg51 = msg("FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE", dup31); + +var part12 = match("MESSAGE#51:HTTP:Object_Infected/2", "nwparser.p0", "%{}'%{obj_name}' is infected with '%{virusname}'(Database date: %{fld14}, %{p0}"); + +var all1 = all_match({ + processors: [ + dup12, + dup23, + part12, + dup24, + dup17, + ], + on_success: processor_chain([ + dup6, + dup18, + dup19, + dup20, + ]), +}); + +var msg52 = msg("HTTP:Object_Infected", all1); + +var part13 = 
match("MESSAGE#52:HTTP:Object_Scanning_Error/2", "nwparser.p0", "%{}'%{obj_name}' scanning resulted in an error (Database date: %{fld14}, %{p0}"); + +var all2 = all_match({ + processors: [ + dup12, + dup23, + part13, + dup24, + dup17, + ], + on_success: processor_chain([ + dup4, + dup18, + dup19, + dup20, + ]), +}); + +var msg53 = msg("HTTP:Object_Scanning_Error", all2); + +var part14 = match("MESSAGE#53:HTTP:Object_Scanned_And_Clean/2", "nwparser.p0", "%{}'%{obj_name}' has been scanned and flagged as clean(Database date: %{fld14}, %{p0}"); + +var all3 = all_match({ + processors: [ + dup12, + dup23, + part14, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); + +var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17}( %{p0}"); + +var all4 = all_match({ + processors: [ + dup12, + dup23, + part15, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg55 = msg("HTTP:Object_Not_Scanned_01", all4); + +var part16 = match("MESSAGE#55:HTTP:Object_Not_Scanned_02/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy ( %{p0}"); + +var all5 = all_match({ + processors: [ + dup12, + dup23, + part16, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg56 = msg("HTTP:Object_Not_Scanned_02", all5); + +var part17 = match("MESSAGE#57:HTTP:01/2", "nwparser.p0", "%{}'%{obj_name}"); + +var all6 = all_match({ + processors: [ + dup12, + dup23, + part17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg57 = msg("HTTP:01", all6); + +var select17 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, +]); + +var msg58 = msg("KLSRV_EV_LICENSE_CHECK_MORE_110", dup30); + 
+var msg59 = msg("000000ce", dup33); + +var msg60 = msg("000000d4", dup33); + +var msg61 = msg("000000d5", dup25); + +var msg62 = msg("000000d8", dup25); + +var msg63 = msg("000000da", dup25); + +var msg64 = msg("000000db", dup34); + +var msg65 = msg("000000d6", dup25); + +var msg66 = msg("000000de", dup34); + +var part18 = match("MESSAGE#66:000000e1", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup22, +])); + +var msg67 = msg("000000e1", part18); + +var msg68 = msg("0000012f", dup25); + +var msg69 = msg("00000134", dup34); + +var msg70 = msg("00000143", dup34); + +var msg71 = msg("00000141", dup25); + +var msg72 = msg("00000353", dup25); + +var msg73 = msg("00000354", dup25); + +var msg74 = msg("000003fb", dup34); + +var msg75 = msg("000003fd", dup25); + +var msg76 = msg("000000cc", dup25); + +var part19 = match("MESSAGE#76:000000e2", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld7}^^%{fld8}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg77 = msg("000000e2", part19); + +var msg78 = msg("KLSRV_EV_LICENSE_SRV_LIMITED_MODE", dup35); + +var part20 = match("MESSAGE#78:KSNPROXY_STOPPED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup22, +])); + +var msg79 = msg("KSNPROXY_STOPPED", part20); + +var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); + +var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description}Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg81 = msg("FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", part22); + +var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{product}^^%{version}^^%{fld8}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); + +var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}User: %{username}Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg83 = msg("GNRL_EV_LICENSE_EXPIRATION", part24); + +var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1703000000"), + dup2, + dup22, +])); + +var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); + +var part26 = 
match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type}Result: %{fld23}Object: %{obj_name}Object\\Path: %{url}User:%{username}Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg85 = msg("000003f8", part26); + +var msg86 = msg("FSEE_AKPLUGIN_AVBASES_CORRUPTED", dup35); + +var part27 = match("MESSAGE#86:GNRL_EV_OBJECT_BLOCKED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld19}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup7, + dup22, +])); + +var msg87 = msg("GNRL_EV_OBJECT_BLOCKED", part27); + +var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg88 = msg("0000014d", part28); + +var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type}Result: %{result->} %{p0}"); + +var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} User:%{username}(%{privilege})%{p0}"); + +var part31 = match("MESSAGE#88:000003f7/1_1", "nwparser.p0", "User:%{username}(%{privilege})%{p0}"); + +var select18 = linear_select([ + part30, + part31, +]); + +var part32 = match("MESSAGE#88:000003f7/2", "nwparser.p0", "%{}Release date: 
%{fld23}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}"); + +var all7 = all_match({ + processors: [ + part29, + select18, + part32, + ], + on_success: processor_chain([ + dup1, + dup2, + dup22, + ]), +}); + +var msg89 = msg("000003f7", all7); + +var part33 = match("MESSAGE#89:FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not quarantined. Reason: %{event_description}^^%{context}^^%{product}^^%{version}^^%(unknown)^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg90 = msg("FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", part33); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "000000cc": msg76, + "000000ce": msg59, + "000000d4": msg60, + "000000d5": msg61, + "000000d6": msg65, + "000000d8": msg62, + "000000da": msg63, + "000000db": msg64, + "000000de": msg66, + "000000e1": msg67, + "000000e2": msg77, + "0000012f": msg68, + "00000134": msg69, + "00000141": msg71, + "00000143": msg70, + "0000014d": msg88, + "00000353": msg72, + "00000354": msg73, + "000003f7": msg89, + "000003f8": msg85, + "000003fb": msg74, + "000003fd": msg75, + "00010009": msg20, + "00010013": msg21, + "00020006": msg22, + "00020007": msg23, + "00020008": msg24, + "00030006": msg25, + "00030015": msg26, + "00040007": msg27, + "00040008": msg28, + "FSEE_AKPLUGIN_AVBASES_CORRUPTED": msg86, + "FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE": msg51, + "FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED": msg90, + "FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED": msg81, + "GNRL_EV_ATTACK_DETECTED": select14, + "GNRL_EV_LICENSE_EXPIRATION": msg83, + "GNRL_EV_OBJECT_BLOCKED": msg87, + "GNRL_EV_OBJECT_CURED": select10, + "GNRL_EV_OBJECT_DELETED": select12, + "GNRL_EV_OBJECT_NOTCURED": select11, + "GNRL_EV_SUSPICIOUS_OBJECT_FOUND": select9, + "GNRL_EV_VIRUS_FOUND": select13, + 
"GNRL_EV_VIRUS_OUTBREAK": msg40, + "HTTP": select17, + "KLAUD_EV_ADMGROUP_CHANGED": select7, + "KLAUD_EV_OBJECTMODIFY": select5, + "KLAUD_EV_SERVERCONNECT": select8, + "KLAUD_EV_TASK_STATE_CHANGED": select6, + "KLEVP_GroupTaskSyncState": select15, + "KLNAG_EV_DEVICE_ARRIVAL": msg49, + "KLNAG_EV_DEVICE_REMOVE": msg50, + "KLNAG_EV_INV_APP_INSTALLED": msg82, + "KLNAG_EV_INV_APP_UNINSTALLED": msg48, + "KLPRCI_TaskState": select16, + "KLSRV_EVENT_HOSTS_NEW_DETECTED": select2, + "KLSRV_EVENT_HOSTS_NOT_VISIBLE": msg3, + "KLSRV_EV_LICENSE_CHECK_90": msg47, + "KLSRV_EV_LICENSE_CHECK_MORE_110": msg58, + "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": msg78, + "KLSRV_HOST_MOVED_WITH_RULE_EX": msg9, + "KLSRV_HOST_OUT_CONTROL": msg10, + "KLSRV_HOST_STATUS_CRITICAL": select4, + "KLSRV_HOST_STATUS_WARNING": select3, + "KLSRV_INVISIBLE_HOSTS_REMOVED": msg11, + "KLSRV_RUNTIME_ERROR": msg6, + "KLSRV_UPD_BASES_UPDATED": msg80, + "KSNPROXY_STARTED_CON_CHK_FAILED": msg84, + "KSNPROXY_STOPPED": msg79, + }), +]); + +var part34 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + +var part35 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + +var part36 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + +var part37 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + +var part38 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + +var part39 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + +var select19 = linear_select([ + dup13, + dup14, +]); + +var select20 = linear_select([ + dup15, + dup16, +]); + +var part40 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var part41 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var part42 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part43 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part44 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var part45 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part46 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part47 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part48 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, +])); + +var part49 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, +])); + +var part50 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + 
dup22, +])); diff --git a/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml b/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml new file mode 100644 index 00000000000..963dec7e275 --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Kaspersky Anti-Virus + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/kaspersky/av/manifest.yml b/x-pack/filebeat/module/kaspersky/av/manifest.yml new file mode 100644 index 00000000000..e0a8302ce70 --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/av/manifest.yml 
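Review bot: The `geoip` and `user_agent` processors in this pipeline set `ignore_missing: true` but not `ignore_failure: true`, so a present-but-malformed value is not skipped: the first processor that throws (for `geoip`, a `source.ip` that is not an IP literal) hands control to `on_failure`, which appends to `error.message`, and every later step — the destination lookup, both AS lookups and the four `rename`s — is skipped for that document. The Kaspersky parser builds its fields from positionally split `^^`-delimited log text, so a shifted field can plausibly leave a hostname where an address is expected; I have not confirmed which parser capture feeds `source.ip`. Adding `ignore_failure: true` to each of the five enrichment processors keeps a failed lookup local to that processor and lets the renames still run. The pipeline-level `on_failure` block is still worth keeping as the last-resort handler.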
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["kaspersky.av", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9514 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/kaspersky/fields.go b/x-pack/filebeat/module/kaspersky/fields.go new file mode 100644 index 00000000000..a3b5dd3347e --- /dev/null +++ b/x-pack/filebeat/module/kaspersky/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package kaspersky + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "kaspersky", asset.ModuleFieldsPri, AssetKaspersky); err != nil { + panic(err) + } +} + +// AssetKaspersky returns asset data. +// This is the base64 encoded gzipped contents of module/kaspersky. +func AssetKaspersky() string { + return "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" +} diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md new file mode 100644 index 00000000000..6019e83e77b --- /dev/null +++ b/x-pack/filebeat/module/microsoft/README.md @@ -0,0 +1,7 @@ +# microsoft module + +This is a module for Microsoft DHCP logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 +at 2020-07-07 18:10:47.073225 +0000 UTC. + 
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml new file mode 100644 index 00000000000..ef13fce514e --- /dev/null +++ b/x-pack/filebeat/module/microsoft/_meta/config.yml @@ -0,0 +1,19 @@ +- module: microsoft + dhcp: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9515 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc new file mode 100644 index 00000000000..5819117e04b --- /dev/null +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc 
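Review bot: The sample config documents `var.rsa_fields` and `var.tz_offset` but omits `var.keep_raw_fields`, which the fileset's own docs in this same change list as a supported variable with default false, and `var.paths:` is left without any example value. Users copy this file into `modules.d`, so a variable that is absent here is easy to miss. I would add, next to the `rsa_fields` toggle, `# Toggle output of the raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`, and give `var.paths` a commented example path list so the file-input case is as discoverable as the syslog one.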
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: microsoft
+:has-dashboards: false
+
+== Microsoft module
+
+experimental[]
+
+This is a module for receiving Microsoft DHCP logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: dhcp
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `dhcp` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9515`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/microsoft/_meta/fields.yml b/x-pack/filebeat/module/microsoft/_meta/fields.yml
new file mode 100644
index 00000000000..9b510450005
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: microsoft + title: Microsoft DHCP + description: > + microsoft fields. + fields: diff --git a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
new file mode 100644
index 00000000000..e8e683f9022
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Microsoft"
+ product: "DHCP"
+ type: "Application"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/microsoft/dhcp/config/liblogparser.js
+ - ${path.home}/module/microsoft/dhcp/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js
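Review bot: The `debug: {{.debug}}` parameter handed to the script processor is undocumented in this template, yet it changes what ends up in Filebeat's own log: when debug is on, the bundled liblogparser.js prints every dissect attempt together with the full input line (`console.debug(" input: <<" + msg + ">>")` in match()), so whole DHCP log lines, including any field the parser later maps into the sensitive-looking rsa keys, are copied into the beat log rather than only into the event. A one-line comment above that key, `# debug echoes every raw input line to the Filebeat log; leave it off outside troubleshooting`, would make that cost visible to whoever changes the module's default variables. The `{{ range $i, $path := .paths }}` loop binds `$i` without using it; `{{ range $path := .paths }}` reads cleaner if the other modules in this series do not rely on the two-variable form.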
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_set}]},
+ "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} "); + +var dup2 = match("MESSAGE#0:00/1_1", "nwparser.p0", "%{smacaddr},%{username},%{fld2},%{fld3},%{fld4},%{fld5->} 
"); + +var dup3 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr}, "); + +var dup4 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6->} "); + +var dup5 = match("MESSAGE#0:00/1_4", "nwparser.p0", "%{smacaddr}"); + +var dup6 = setc("eventcategory","1605020000"); + +var dup7 = setc("ec_activity","Start"); + +var dup8 = setc("ec_theme","Communication"); + +var dup9 = setf("msg","$MSG"); + +var dup10 = date_time({ + dest: "event_time", + args: ["fld12","fld1"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dY,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup11 = setc("ec_activity","Stop"); + +var dup12 = setc("eventcategory","1605000000"); + +var dup13 = setc("eventcategory","1603040000"); + +var dup14 = setc("ec_activity","Delete"); + +var dup15 = setc("eventcategory","1603000000"); + +var dup16 = setc("ec_theme","Configuration"); + +var dup17 = setc("ec_outcome","Failure"); + +var dup18 = setc("ec_outcome","Success"); + +var dup19 = setc("eventcategory","1801010000"); + +var dup20 = setc("eventcategory","1302000000"); + +var dup21 = setc("ec_theme","AccessControl"); + +var dup22 = setc("eventcategory","1301000000"); + +var dup23 = setc("eventcategory","1611000000"); + +var dup24 = setc("ec_subject","Service"); + +var dup25 = linear_select([ + dup1, + dup2, + dup3, + dup4, + dup5, +]); + +var hdr1 = match("HEADER#0:0001", "message", "%MSDHCP-%{hlevel}- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var select1 = linear_select([ + hdr1, +]); + +var part1 = match("MESSAGE#0:00/0", "nwparser.payload", "00,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all1 = all_match({ + processors: [ + part1, + dup25, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + ]), +}); + +var msg1 = msg("00", all1); + +var part2 = match("MESSAGE#1:01/0", "nwparser.payload", "01,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all2 = all_match({ + processors: [ + part2, + dup25, + 
], + on_success: processor_chain([ + dup6, + dup11, + dup8, + dup9, + dup10, + ]), +}); + +var msg2 = msg("01", all2); + +var part3 = match("MESSAGE#2:02/0", "nwparser.payload", "02,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all3 = all_match({ + processors: [ + part3, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg3 = msg("02", all3); + +var part4 = match("MESSAGE#3:10/0", "nwparser.payload", "10,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all4 = all_match({ + processors: [ + part4, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg4 = msg("10", all4); + +var part5 = match("MESSAGE#4:11/0", "nwparser.payload", "11,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all5 = all_match({ + processors: [ + part5, + dup25, + ], + on_success: processor_chain([ + dup12, + setc("ec_activity","Restore"), + dup8, + dup9, + dup10, + ]), +}); + +var msg5 = msg("11", all5); + +var part6 = match("MESSAGE#5:12/0", "nwparser.payload", "12,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all6 = all_match({ + processors: [ + part6, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg6 = msg("12", all6); + +var part7 = match("MESSAGE#6:13/0", "nwparser.payload", "13,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all7 = all_match({ + processors: [ + part7, + dup25, + ], + on_success: processor_chain([ + dup13, + dup9, + dup10, + ]), +}); + +var msg7 = msg("13", all7); + +var part8 = match("MESSAGE#7:14/0", "nwparser.payload", "14,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all8 = all_match({ + processors: [ + part8, + dup25, + ], + on_success: processor_chain([ + dup13, + dup9, + dup10, + ]), +}); + +var msg8 = msg("14", all8); + +var part9 = match("MESSAGE#8:15/0", "nwparser.payload", 
"15,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all9 = all_match({ + processors: [ + part9, + dup25, + ], + on_success: processor_chain([ + dup13, + dup9, + dup10, + ]), +}); + +var msg9 = msg("15", all9); + +var part10 = match("MESSAGE#9:16/0", "nwparser.payload", "16,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all10 = all_match({ + processors: [ + part10, + dup25, + ], + on_success: processor_chain([ + dup12, + dup14, + dup8, + dup9, + dup10, + ]), +}); + +var msg10 = msg("16", all10); + +var part11 = match("MESSAGE#10:17/0", "nwparser.payload", "17,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all11 = all_match({ + processors: [ + part11, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg11 = msg("17", all11); + +var part12 = match("MESSAGE#11:18/0", "nwparser.payload", "18,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all12 = all_match({ + processors: [ + part12, + dup25, + ], + on_success: processor_chain([ + dup15, + dup9, + dup10, + ]), +}); + +var msg12 = msg("18", all12); + +var part13 = match("MESSAGE#12:20/0", "nwparser.payload", "20,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all13 = all_match({ + processors: [ + part13, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg13 = msg("20", all13); + +var part14 = match("MESSAGE#13:21/0", "nwparser.payload", "21,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all14 = all_match({ + processors: [ + part14, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg14 = msg("21", all14); + +var part15 = match("MESSAGE#14:22/0", "nwparser.payload", "22,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all15 = all_match({ + processors: [ + part15, + dup25, + ], + on_success: processor_chain([ + dup15, + dup9, + dup10, 
+ ]), +}); + +var msg15 = msg("22", all15); + +var part16 = match("MESSAGE#15:23/0", "nwparser.payload", "23,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all16 = all_match({ + processors: [ + part16, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg16 = msg("23", all16); + +var part17 = match("MESSAGE#16:24/0", "nwparser.payload", "24,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all17 = all_match({ + processors: [ + part17, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg17 = msg("24", all17); + +var part18 = match("MESSAGE#17:25/0", "nwparser.payload", "25,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all18 = all_match({ + processors: [ + part18, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg18 = msg("25", all18); + +var part19 = match("MESSAGE#18:30/0", "nwparser.payload", "30,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all19 = all_match({ + processors: [ + part19, + dup25, + ], + on_success: processor_chain([ + dup12, + dup16, + dup8, + dup9, + dup10, + ]), +}); + +var msg19 = msg("30", all19); + +var part20 = match("MESSAGE#19:31/0", "nwparser.payload", "31,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all20 = all_match({ + processors: [ + part20, + dup25, + ], + on_success: processor_chain([ + dup13, + dup16, + dup17, + dup9, + dup10, + ]), +}); + +var msg20 = msg("31", all20); + +var part21 = match("MESSAGE#20:32/0", "nwparser.payload", "32,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all21 = all_match({ + processors: [ + part21, + dup25, + ], + on_success: processor_chain([ + dup12, + dup16, + dup18, + dup9, + dup10, + ]), +}); + +var msg21 = msg("32", all21); + +var part22 = match("MESSAGE#21:33/0", "nwparser.payload", 
"33,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all22 = all_match({ + processors: [ + part22, + dup25, + ], + on_success: processor_chain([ + dup12, + dup16, + dup18, + dup9, + dup10, + ]), +}); + +var msg22 = msg("33", all22); + +var part23 = match("MESSAGE#22:36/0", "nwparser.payload", "36,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all23 = all_match({ + processors: [ + part23, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg23 = msg("36", all23); + +var part24 = match("MESSAGE#23:50/0", "nwparser.payload", "50,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all24 = all_match({ + processors: [ + part24, + dup25, + ], + on_success: processor_chain([ + dup19, + dup9, + dup10, + ]), +}); + +var msg24 = msg("50", all24); + +var part25 = match("MESSAGE#24:51/0", "nwparser.payload", "51,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all25 = all_match({ + processors: [ + part25, + dup25, + ], + on_success: processor_chain([ + dup20, + dup21, + dup18, + dup9, + dup10, + ]), +}); + +var msg25 = msg("51", all25); + +var part26 = match("MESSAGE#25:52/0", "nwparser.payload", "52,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all26 = all_match({ + processors: [ + part26, + dup25, + ], + on_success: processor_chain([ + setc("eventcategory","1701070000"), + dup9, + dup10, + ]), +}); + +var msg26 = msg("52", all26); + +var part27 = match("MESSAGE#26:53/0", "nwparser.payload", "53,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all27 = all_match({ + processors: [ + part27, + dup25, + ], + on_success: processor_chain([ + setc("eventcategory","1304000000"), + dup9, + dup10, + ]), +}); + +var msg27 = msg("53", all27); + +var part28 = match("MESSAGE#27:54/0", "nwparser.payload", "54,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all28 = all_match({ + processors: [ 
+ part28, + dup25, + ], + on_success: processor_chain([ + dup22, + dup21, + dup17, + dup9, + dup10, + ]), +}); + +var msg28 = msg("54", all28); + +var part29 = match("MESSAGE#28:55/0", "nwparser.payload", "55,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all29 = all_match({ + processors: [ + part29, + dup25, + ], + on_success: processor_chain([ + dup20, + dup9, + dup10, + ]), +}); + +var msg29 = msg("55", all29); + +var part30 = match("MESSAGE#29:56/0", "nwparser.payload", "56,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all30 = all_match({ + processors: [ + part30, + dup25, + ], + on_success: processor_chain([ + dup22, + dup21, + dup17, + dup9, + dup10, + ]), +}); + +var msg30 = msg("56", all30); + +var part31 = match("MESSAGE#30:57/0", "nwparser.payload", "57,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all31 = all_match({ + processors: [ + part31, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg31 = msg("57", all31); + +var part32 = match("MESSAGE#31:58/0", "nwparser.payload", "58,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all32 = all_match({ + processors: [ + part32, + dup25, + ], + on_success: processor_chain([ + dup19, + dup8, + dup17, + dup9, + dup10, + ]), +}); + +var msg32 = msg("58", all32); + +var part33 = match("MESSAGE#32:59/0", "nwparser.payload", "59,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all33 = all_match({ + processors: [ + part33, + dup25, + ], + on_success: processor_chain([ + dup19, + dup8, + dup17, + dup9, + dup10, + ]), +}); + +var msg33 = msg("59", all33); + +var part34 = match("MESSAGE#33:60/0", "nwparser.payload", "60,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all34 = all_match({ + processors: [ + part34, + dup25, + ], + on_success: processor_chain([ + dup15, + dup9, + dup10, + ]), +}); + +var msg34 = msg("60", all34); + +var 
part35 = match("MESSAGE#34:61/0", "nwparser.payload", "61,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all35 = all_match({ + processors: [ + part35, + dup25, + ], + on_success: processor_chain([ + dup13, + dup9, + dup10, + ]), +}); + +var msg35 = msg("61", all35); + +var part36 = match("MESSAGE#35:62/0", "nwparser.payload", "62,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all36 = all_match({ + processors: [ + part36, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg36 = msg("62", all36); + +var part37 = match("MESSAGE#36:63/0", "nwparser.payload", "63,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all37 = all_match({ + processors: [ + part37, + dup25, + ], + on_success: processor_chain([ + dup12, + dup9, + dup10, + ]), +}); + +var msg37 = msg("63", all37); + +var part38 = match("MESSAGE#37:64/0", "nwparser.payload", "64,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); + +var all38 = all_match({ + processors: [ + part38, + dup25, + ], + on_success: processor_chain([ + setc("eventcategory","1703000000"), + dup9, + dup10, + ]), +}); + +var msg38 = msg("64", all38); + +var part39 = match("MESSAGE#38:1103", "nwparser.payload", "1103,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg39 = msg("1103", part39); + +var part40 = match("MESSAGE#39:1098", "nwparser.payload", "1098,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup19, + dup8, + dup17, + dup9, + dup10, +])); + +var msg40 = msg("1098", part40); + +var part41 = match("MESSAGE#40:11000", "nwparser.payload", "11000,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg41 = msg("11000", part41); + +var part42 = 
match("MESSAGE#41:11001", "nwparser.payload", "11001,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg42 = msg("11001", part42); + +var part43 = match("MESSAGE#42:11002", "nwparser.payload", "11002,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg43 = msg("11002", part43); + +var part44 = match("MESSAGE#43:11003", "nwparser.payload", "11003,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg44 = msg("11003", part44); + +var part45 = match("MESSAGE#44:11004", "nwparser.payload", "11004,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg45 = msg("11004", part45); + +var part46 = match("MESSAGE#45:11005", "nwparser.payload", "11005,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg46 = msg("11005", part46); + +var part47 = match("MESSAGE#46:11006", "nwparser.payload", "11006,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg47 = msg("11006", part47); + +var part48 = match("MESSAGE#47:11007", "nwparser.payload", "11007,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg48 = msg("11007", part48); + +var part49 = match("MESSAGE#48:11008", "nwparser.payload", "11008,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg49 = msg("11008", part49); + +var part50 = match("MESSAGE#49:11009", 
"nwparser.payload", "11009,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup15, + dup9, + dup10, +])); + +var msg50 = msg("11009", part50); + +var part51 = match("MESSAGE#50:11010", "nwparser.payload", "11010,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + dup10, +])); + +var msg51 = msg("11010", part51); + +var part52 = match("MESSAGE#51:11011", "nwparser.payload", "11011,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup23, + dup11, + dup8, + dup9, + dup10, +])); + +var msg52 = msg("11011", part52); + +var part53 = match("MESSAGE#52:11012", "nwparser.payload", "11012,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup23, + dup9, + dup10, +])); + +var msg53 = msg("11012", part53); + +var part54 = match("MESSAGE#53:11013", "nwparser.payload", "11013,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg54 = msg("11013", part54); + +var part55 = match("MESSAGE#54:11014", "nwparser.payload", "11014,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup15, + dup9, + dup10, +])); + +var msg55 = msg("11014", part55); + +var part56 = match("MESSAGE#55:11015", "nwparser.payload", "11015,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup15, + dup9, + dup10, +])); + +var msg56 = msg("11015", part56); + +var part57 = match("MESSAGE#56:11016", "nwparser.payload", "11016,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup15, + dup14, + dup16, + dup9, + dup10, +])); + +var msg57 = msg("11016", part57); + +var part58 = 
match("MESSAGE#57:11017", "nwparser.payload", "11017,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg58 = msg("11017", part58); + +var part59 = match("MESSAGE#58:11018", "nwparser.payload", "11018,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg59 = msg("11018", part59); + +var part60 = match("MESSAGE#59:11019", "nwparser.payload", "11019,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg60 = msg("11019", part60); + +var part61 = match("MESSAGE#60:11020", "nwparser.payload", "11020,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg61 = msg("11020", part61); + +var part62 = match("MESSAGE#61:11021", "nwparser.payload", "11021,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg62 = msg("11021", part62); + +var part63 = match("MESSAGE#62:11023", "nwparser.payload", "11023,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup15, + dup24, + dup21, + dup17, + dup9, + dup10, +])); + +var msg63 = msg("11023", part63); + +var part64 = match("MESSAGE#63:11024", "nwparser.payload", "11024,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup24, + dup21, + dup18, + dup9, + dup10, +])); + +var msg64 = msg("11024", part64); + +var part65 = match("MESSAGE#64:11025", "nwparser.payload", "11025,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg65 = msg("11025", 
part65); + +var part66 = match("MESSAGE#65:11030", "nwparser.payload", "11030,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{fld3},%{fld4},%{fld5},%{fld6}", processor_chain([ + dup12, + dup9, + dup10, +])); + +var msg66 = msg("11030", part66); + +var part67 = match("MESSAGE#66:ID", "nwparser.payload", "ID,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{smacaddr}", processor_chain([ + dup6, + dup9, + dup10, +])); + +var msg67 = msg("ID", part67); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "00": msg1, + "01": msg2, + "02": msg3, + "10": msg4, + "1098": msg40, + "11": msg5, + "11000": msg41, + "11001": msg42, + "11002": msg43, + "11003": msg44, + "11004": msg45, + "11005": msg46, + "11006": msg47, + "11007": msg48, + "11008": msg49, + "11009": msg50, + "11010": msg51, + "11011": msg52, + "11012": msg53, + "11013": msg54, + "11014": msg55, + "11015": msg56, + "11016": msg57, + "11017": msg58, + "11018": msg59, + "11019": msg60, + "11020": msg61, + "11021": msg62, + "11023": msg63, + "11024": msg64, + "11025": msg65, + "1103": msg39, + "11030": msg66, + "12": msg6, + "13": msg7, + "14": msg8, + "15": msg9, + "16": msg10, + "17": msg11, + "18": msg12, + "20": msg13, + "21": msg14, + "22": msg15, + "23": msg16, + "24": msg17, + "25": msg18, + "30": msg19, + "31": msg20, + "32": msg21, + "33": msg22, + "36": msg23, + "50": msg24, + "51": msg25, + "52": msg26, + "53": msg27, + "54": msg28, + "55": msg29, + "56": msg30, + "57": msg31, + "58": msg32, + "59": msg33, + "60": msg34, + "61": msg35, + "62": msg36, + "63": msg37, + "64": msg38, + "ID": msg67, + }), +]); + +var part68 = match("MESSAGE#0:00/1_0", "nwparser.p0", "%{smacaddr},%{username},%{sessionid},%{fld3},%{fld4},%{fld5},%{fld7},%{fld8},%{vendor_event_cat},%{fld10},%{fld11},%{fld13->} "); + +var part69 = match("MESSAGE#0:00/1_1", "nwparser.p0", "%{smacaddr},%{username},%{fld2},%{fld3},%{fld4},%{fld5->} "); + +var part70 = match("MESSAGE#0:00/1_2", "nwparser.p0", 
"%{smacaddr}, "); + +var part71 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6->} "); + +var part72 = match("MESSAGE#0:00/1_4", "nwparser.p0", "%{smacaddr}"); + +var select2 = linear_select([ + dup1, + dup2, + dup3, + dup4, + dup5, +]); diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml new file mode 100644 index 00000000000..184e6c3e4a9 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Microsoft DHCP + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/microsoft/dhcp/manifest.yml b/x-pack/filebeat/module/microsoft/dhcp/manifest.yml new file mode 100644 index 00000000000..55c069159b7 --- /dev/null 
+++ b/x-pack/filebeat/module/microsoft/dhcp/manifest.yml
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["microsoft.dhcp", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9515
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log
new file mode 100644
index 00000000000..5bb7d2c44e5
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log
@@ -0,0 +1,100 @@ +%MSDHCP-905- 50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac +%MSDHCP-4257- 11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer +%MSDHCP-5634- 62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest +%MSDHCP-363- 11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu +%MSDHCP-4880- 57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, +%MSDHCP-6962- 57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66 +%MSDHCP-5355- 60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu +%MSDHCP-7417- 15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu +%MSDHCP-5162- 59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno +%MSDHCP-4141- 10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d +%MSDHCP-5408- 15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet +%MSDHCP-5738- 11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit +%MSDHCP-4243- 25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor +%MSDHCP-1579- 11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep +%MSDHCP-3971- 56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos +%MSDHCP-2933- 17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, +%MSDHCP-5393- 11003: 
11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB +%MSDHCP-4171- 16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb +%MSDHCP-7290- 32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido +%MSDHCP-4125- 53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender +%MSDHCP-5368- 50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1 +%MSDHCP-4173- 33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37 +%MSDHCP-5883- 52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec +%MSDHCP-6446- 36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, +%MSDHCP-686- 12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69 +%MSDHCP-2230- 25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol +%MSDHCP-6103- 11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun +%MSDHCP-927- 58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2 +%MSDHCP-4632- 51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem +%MSDHCP-5377- 50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol +%MSDHCP-5524- 11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi +%MSDHCP-5841- 11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion +%MSDHCP-5705- 52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi +%MSDHCP-1559- 11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac +%MSDHCP-2228- 20: 
20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f +%MSDHCP-7427- 11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme +%MSDHCP-2991- 16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa +%MSDHCP-3458- 11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta +%MSDHCP-2807- 53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis +%MSDHCP-6972- 11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame +%MSDHCP-5040- 24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18 +%MSDHCP-2026- 02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol +%MSDHCP-4977- 11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq +%MSDHCP-1180- 11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp +%MSDHCP-2628- 11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre +%MSDHCP-2949- 11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse +%MSDHCP-3331- 54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna +%MSDHCP-7576- 30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp +%MSDHCP-5037- 11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam +%MSDHCP-6385- 1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno +%MSDHCP-1747- 11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium +%MSDHCP-6686- 57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid +%MSDHCP-7582- 17: 
17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido +%MSDHCP-6036- 50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7 +%MSDHCP-4949- 11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr +%MSDHCP-6418- 59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta +%MSDHCP-4824- 11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu +%MSDHCP-5368- 60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu +%MSDHCP-5740- 24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest +%MSDHCP-1842- 11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno +%MSDHCP-5263- 11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons +%MSDHCP-510- 20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b +%MSDHCP-4410- 11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov +%MSDHCP-4554- 01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin +%MSDHCP-3253- ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 +%MSDHCP-1394- 11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag +%MSDHCP-5983- 56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite +%MSDHCP-7829- 32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita +%MSDHCP-2516- 11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli 
+%MSDHCP-543- 11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui +%MSDHCP-6846- 11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun +%MSDHCP-7741- 1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo +%MSDHCP-18- 11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia +%MSDHCP-6789- 11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender +%MSDHCP-1540- 11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni +%MSDHCP-2244- 32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts +%MSDHCP-5663- 11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab +%MSDHCP-6672- 12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp +%MSDHCP-6797- 01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat +%MSDHCP-4494- 51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo +%MSDHCP-7205- 50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, +%MSDHCP-5224- 11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured +%MSDHCP-5608- 11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat +%MSDHCP-3051- 1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor +%MSDHCP-2315- 01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac +%MSDHCP-2690- 14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local 
,01:00:5e:7a:4c:6e,miu +%MSDHCP-6444- 11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide +%MSDHCP-7037- 11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a +%MSDHCP-6392- 64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, +%MSDHCP-5524- 1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem +%MSDHCP-1978- 11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation +%MSDHCP-5469- 11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori +%MSDHCP-2- 11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse +%MSDHCP-2859- 59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6 +%MSDHCP-4924- 11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa +%MSDHCP-1738- 25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi +%MSDHCP-5282- 60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil +%MSDHCP-3023- 11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt +%MSDHCP-4890- 23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict +%MSDHCP-4271- 55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json new file mode 100644 index 00000000000..aa2d6bc8124 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json 
@@ -0,0 +1,3042 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "50", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-905- 50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac ", + "fileset.name": "dhcp", + "host.hostname": "sse3269.invalid", + "input.type": "log", + "log.offset": 0, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.133.8.128" + ], + "rsa.internal.event_desc": "nnumqua", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "microsoft", + "source.address": "sse3269.invalid", + "source.ip": [ + "10.133.8.128" + ], + "source.mac": "01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "event.code": "11030", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4257- 11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", + "fileset.name": "dhcp", + "host.hostname": "ciade5699.domain", + "input.type": "log", + "log.offset": 134, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.124.22.221" + ], + "rsa.internal.event_desc": "oremi", + "rsa.internal.messageid": "11030", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "service.type": "microsoft", + "source.address": "ciade5699.domain", + "source.ip": [ + "10.124.22.221" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "event.code": "62", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5634- 62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest 
", + "fileset.name": "dhcp", + "host.hostname": "sequa6540.www5.localhost", + "input.type": "log", + "log.offset": 233, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.196.153.12" + ], + "rsa.internal.event_desc": "equepor", + "rsa.internal.messageid": "62", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "service.type": "microsoft", + "source.address": "sequa6540.www5.localhost", + "source.ip": [ + "10.196.153.12" + ], + "source.mac": "01:00:5e:3a:fe:e3,mest", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "11015", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-363- 11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", + "fileset.name": "dhcp", + "host.hostname": "orev6153.internal.domain", + "input.type": "log", + "log.offset": 343, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.103.162.55" + ], + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "11015", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "microsoft", + "source.address": "orev6153.internal.domain", + "source.ip": [ + "10.103.162.55" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "57", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4880- 57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, ", + "fileset.name": "dhcp", + "host.hostname": "agn2581.www5.corp", + "input.type": "log", + "log.offset": 450, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.162.33.193" + ], + "rsa.internal.event_desc": "quipexe", + 
"rsa.internal.messageid": "57", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "microsoft", + "source.address": "agn2581.www5.corp", + "source.ip": [ + "10.162.33.193" + ], + "source.mac": "01:00:5e:ad:16:77,", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.code": "57", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6962- 57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66", + "fileset.name": "dhcp", + "host.hostname": "enatus2114.mail.home", + "input.type": "log", + "log.offset": 550, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.156.15.206" + ], + "rsa.internal.event_desc": "moenimi", + "rsa.internal.messageid": "57", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "service.type": "microsoft", + "source.address": "enatus2114.mail.home", + "source.ip": [ + "10.156.15.206" + ], + "source.mac": "01:00:5e:33:84:66", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "event.code": "60", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5355- 60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu ", + "fileset.name": "dhcp", + "host.hostname": "proident2802.home", + "input.type": "log", + "log.offset": 649, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.1.118.72" + ], + "rsa.internal.event_desc": "ntex", + "rsa.internal.messageid": "60", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "service.type": "microsoft", + "source.address": "proident2802.home", + "source.ip": [ + "10.1.118.72" + ], + "source.mac": "01:00:5e:69:9a:1a,eumiu", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-05-08T09:27:59.000Z", + "event.code": "15", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7417- 15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu ", + "fileset.name": "dhcp", + "host.hostname": "ofdeF7240.www.home", + "input.type": "log", + "log.offset": 749, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.70.235.184" + ], + "rsa.internal.event_desc": "orisn", + "rsa.internal.messageid": "15", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "microsoft", + "source.address": "ofdeF7240.www.home", + "source.ip": [ + "10.70.235.184" + ], + "source.mac": "01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.code": "59", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5162- 59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno ", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "amco5712.www5.localdomain", + "input.type": "log", + "log.offset": 880, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.86.118.154" + ], + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "59", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "service.type": "microsoft", + "source.address": "amco5712.www5.localdomain", + "source.ip": [ + "10.86.118.154" + ], + "source.mac": "01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + 
"@timestamp": "2016-06-05T11:33:08.000Z", + "event.code": "10", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4141- 10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d", + "fileset.name": "dhcp", + "host.hostname": "llu4762.mail.localdomain", + "input.type": "log", + "log.offset": 1045, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.5.62.63" + ], + "rsa.internal.event_desc": "uam", + "rsa.internal.messageid": "10", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "service.type": "microsoft", + "source.address": "llu4762.mail.localdomain", + "source.ip": [ + "10.5.62.63" + ], + "source.mac": "01:00:5e:f5:8e:0d", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "15", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5408- 15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet ", + "fileset.name": "dhcp", + "host.hostname": "emaper2638.lan", + "input.type": "log", + "log.offset": 1141, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.66.3.197" + ], + "rsa.internal.event_desc": "llumd", + "rsa.internal.messageid": "15", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": "microsoft", + "source.address": "emaper2638.lan", + "source.ip": [ + "10.66.3.197" + ], + "source.mac": "01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "11008", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5738- 11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", + 
"fileset.name": "dhcp", + "host.hostname": "uatDuis2964.test", + "input.type": "log", + "log.offset": 1267, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.58.0.245" + ], + "rsa.internal.event_desc": "ccaecat", + "rsa.internal.messageid": "11008", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "microsoft", + "source.address": "uatDuis2964.test", + "source.ip": [ + "10.58.0.245" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.code": "25", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4243- 25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor ", + "fileset.name": "dhcp", + "host.hostname": "iusmodt2597.api.domain", + "input.type": "log", + "log.offset": 1375, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.103.246.190" + ], + "rsa.internal.event_desc": "antium", + "rsa.internal.messageid": "25", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "service.type": "microsoft", + "source.address": "iusmodt2597.api.domain", + "source.ip": [ + "10.103.246.190" + ], + "source.mac": "01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "11011", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1579- 11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", + "fileset.name": "dhcp", + "host.hostname": "untNequ5075.www5.domain", + "input.type": "log", + "log.offset": 1512, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.163.217.10" + ], + 
"rsa.internal.event_desc": "natura", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "microsoft", + "source.address": "untNequ5075.www5.domain", + "source.ip": [ + "10.163.217.10" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "56", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-3971- 56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos ", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "uidolore6237.internal.local", + "input.type": "log", + "log.offset": 1622, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.150.193.226" + ], + "rsa.internal.event_desc": "lorem", + "rsa.internal.messageid": "56", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "microsoft", + "source.address": "uidolore6237.internal.local", + "source.ip": [ + "10.150.193.226" + ], + "source.mac": "01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "event.code": "17", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2933- 17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, ", + "fileset.name": "dhcp", + "host.hostname": "incididu1896.example", + "input.type": "log", + "log.offset": 1802, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": 
"Microsoft", + "related.ip": [ + "10.111.61.181" + ], + "rsa.internal.event_desc": "tsed", + "rsa.internal.messageid": "17", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "service.type": "microsoft", + "source.address": "incididu1896.example", + "source.ip": [ + "10.111.61.181" + ], + "source.mac": "01:00:5e:c9:5b:b2,", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "event.code": "11003", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5393- 11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", + "fileset.name": "dhcp", + "host.hostname": "idexea3181.www.local", + "input.type": "log", + "log.offset": 1901, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.111.27.193" + ], + "rsa.internal.event_desc": "temsequ", + "rsa.internal.messageid": "11003", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "service.type": "microsoft", + "source.address": "idexea3181.www.local", + "source.ip": [ + "10.111.27.193" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "16", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4171- 16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb", + "fileset.name": "dhcp", + "host.hostname": "imav3236.mail.domain", + "input.type": "log", + "log.offset": 2010, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.153.112.62" + ], + "rsa.internal.event_desc": "ntsuntin", + "rsa.internal.messageid": "16", + "rsa.investigations.ec_activity": "Delete", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "microsoft", + 
"source.address": "imav3236.mail.domain", + "source.ip": [ + "10.153.112.62" + ], + "source.mac": "01:00:5e:e7:c7:cb", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "32", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7290- 32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido ", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "ercit3947.api.local", + "input.type": "log", + "log.offset": 2111, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.98.34.185" + ], + "rsa.internal.event_desc": "iam", + "rsa.internal.messageid": "32", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "microsoft", + "source.address": "ercit3947.api.local", + "source.ip": [ + "10.98.34.185" + ], + "source.mac": "01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "event.code": "53", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4125- 53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender ", + "fileset.name": "dhcp", + "host.hostname": "usan6343.www5.domain", + "input.type": "log", + "log.offset": 2241, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.252.112.103" + ], + "rsa.internal.event_desc": "itlabori", + "rsa.internal.messageid": "53", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "service.type": "microsoft", + "source.address": "usan6343.www5.domain", + "source.ip": [ + "10.252.112.103" + ], + "source.mac": 
"01:00:5e:10:76:60,ender", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "50", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5368- 50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1", + "fileset.name": "dhcp", + "host.hostname": "mquaera3924.www5.home", + "input.type": "log", + "log.offset": 2351, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.246.117.190" + ], + "rsa.internal.event_desc": "atquovo", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "microsoft", + "source.address": "mquaera3924.www5.home", + "source.ip": [ + "10.246.117.190" + ], + "source.mac": "01:00:5e:b9:7e:b1", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "33", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4173- 33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "atuse2703.localhost", + "input.type": "log", + "log.offset": 2454, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.82.52.233" + ], + "rsa.internal.event_desc": "undeo", + "rsa.internal.messageid": "33", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "microsoft", + "source.address": "atuse2703.localhost", + "source.ip": [ + "10.82.52.233" + ], + "source.mac": "01:00:5e:fa:2b:37", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "event.code": "52", + "event.dataset": 
"microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5883- 52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec ", + "fileset.name": "dhcp", + "host.hostname": "emporinc5075.internal.host", + "input.type": "log", + "log.offset": 2552, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.149.59.28" + ], + "rsa.internal.event_desc": "ips", + "rsa.internal.messageid": "52", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "service.type": "microsoft", + "source.address": "emporinc5075.internal.host", + "source.ip": [ + "10.149.59.28" + ], + "source.mac": "01:00:5e:37:14:9d,tessec", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "event.code": "36", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6446- 36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, ", + "fileset.name": "dhcp", + "host.hostname": "onsequat2984.www5.domain", + "input.type": "log", + "log.offset": 2661, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.169.144.147" + ], + "rsa.internal.event_desc": "ist", + "rsa.internal.messageid": "36", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "service.type": "microsoft", + "source.address": "onsequat2984.www5.domain", + "source.ip": [ + "10.169.144.147" + ], + "source.mac": "01:00:5e:59:a3:48,", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "12", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-686- 12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69", + "fileset.name": "dhcp", + "host.hostname": "omm4276.www.example", + "input.type": "log", + 
"log.offset": 2766, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.66.168.154" + ], + "rsa.internal.event_desc": "nsequu", + "rsa.internal.messageid": "12", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "microsoft", + "source.address": "omm4276.www.example", + "source.ip": [ + "10.66.168.154" + ], + "source.mac": "01:00:5e:44:c4:69", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "event.code": "25", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2230- 25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol ", + "fileset.name": "dhcp", + "host.hostname": "ctetura4886.www5.lan", + "input.type": "log", + "log.offset": 2862, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.214.241.84" + ], + "rsa.internal.event_desc": "torev", + "rsa.internal.messageid": "25", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "service.type": "microsoft", + "source.address": "ctetura4886.www5.lan", + "source.ip": [ + "10.214.241.84" + ], + "source.mac": "01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.code": "11018", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6103- 11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", + "fileset.name": "dhcp", + "host.hostname": "etM953.api.domain", + "input.type": "log", + "log.offset": 3030, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.97.38.141" + ], + 
"rsa.internal.event_desc": "lapariat", + "rsa.internal.messageid": "11018", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "service.type": "microsoft", + "source.address": "etM953.api.domain", + "source.ip": [ + "10.97.38.141" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "58", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-927- 58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "umdolo7781.api.home", + "input.type": "log", + "log.offset": 3135, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.33.140.180" + ], + "rsa.internal.event_desc": "itaut", + "rsa.internal.messageid": "58", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "microsoft", + "source.address": "umdolo7781.api.home", + "source.ip": [ + "10.33.140.180" + ], + "source.mac": "01:00:5e:24:f1:b2", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "51", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4632- 51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem ", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "imadmini2625.www5.localhost", + "input.type": "log", + "log.offset": 3231, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.119.185.63" + ], + "rsa.internal.event_desc": "fugi", + "rsa.internal.messageid": "51", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "AccessControl", + 
"rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "microsoft", + "source.address": "imadmini2625.www5.localhost", + "source.ip": [ + "10.119.185.63" + ], + "source.mac": "01:00:5e:31:b9:65,dtem", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "event.code": "50", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5377- 50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol ", + "fileset.name": "dhcp", + "host.hostname": "picia6119.mail.host", + "input.type": "log", + "log.offset": 3341, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.95.193.186" + ], + "rsa.internal.event_desc": "stl", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "service.type": "microsoft", + "source.address": "picia6119.mail.host", + "source.ip": [ + "10.95.193.186" + ], + "source.mac": "01:00:5e:60:77:c7,tinvol", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "11019", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5524- 11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", + "fileset.name": "dhcp", + "host.hostname": "inv5716.mail.invalid", + "input.type": "log", + "log.offset": 3444, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.17.21.125" + ], + "rsa.internal.event_desc": "moenimi", + "rsa.internal.messageid": "11019", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "microsoft", + "source.address": "inv5716.mail.invalid", + "source.ip": [ + "10.17.21.125" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + 
"event.code": "11021", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5841- 11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", + "fileset.name": "dhcp", + "host.hostname": "uines6355.internal.localdomain", + "input.type": "log", + "log.offset": 3558, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.73.69.75" + ], + "rsa.internal.event_desc": "nofdeF", + "rsa.internal.messageid": "11021", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "service.type": "microsoft", + "source.address": "uines6355.internal.localdomain", + "source.ip": [ + "10.73.69.75" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "event.code": "52", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5705- 52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi ", + "fileset.name": "dhcp", + "host.hostname": "ici3995.lan", + "input.type": "log", + "log.offset": 3675, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.64.70.5" + ], + "rsa.internal.event_desc": "uasia", + "rsa.internal.messageid": "52", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "service.type": "microsoft", + "source.address": "ici3995.lan", + "source.ip": [ + "10.64.70.5" + ], + "source.mac": "01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "event.code": "11020", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1559- 11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", + "fileset.name": "dhcp", + "host.hostname": 
"rehender4535.www5.test", + "input.type": "log", + "log.offset": 3794, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.45.25.68" + ], + "rsa.internal.event_desc": "deFinibu", + "rsa.internal.messageid": "11020", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "service.type": "microsoft", + "source.address": "rehender4535.www5.test", + "source.ip": [ + "10.45.25.68" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "20", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2228- 20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f", + "fileset.name": "dhcp", + "host.hostname": "pida2286.internal.home", + "input.type": "log", + "log.offset": 3907, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.28.127.218" + ], + "rsa.internal.event_desc": "eli", + "rsa.internal.messageid": "20", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "microsoft", + "source.address": "pida2286.internal.home", + "source.ip": [ + "10.28.127.218" + ], + "source.mac": "01:00:5e:cc:0b:8f", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "11006", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7427- 11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", + "fileset.name": "dhcp", + "host.hostname": "mporain2624.www.localhost", + "input.type": "log", + "log.offset": 4005, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.68.93.6" + ], + "rsa.internal.event_desc": "psaquae", + "rsa.internal.messageid": "11006", + "rsa.time.event_time": 
"2017-06-12T14:39:58.000Z", + "service.type": "microsoft", + "source.address": "mporain2624.www.localhost", + "source.ip": [ + "10.68.93.6" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.code": "16", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2991- 16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa ", + "fileset.name": "dhcp", + "host.hostname": "gnam2508.mail.example", + "input.type": "log", + "log.offset": 4119, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.116.104.101" + ], + "rsa.internal.event_desc": "civeli", + "rsa.internal.messageid": "16", + "rsa.investigations.ec_activity": "Delete", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "service.type": "microsoft", + "source.address": "gnam2508.mail.example", + "source.ip": [ + "10.116.104.101" + ], + "source.mac": "01:00:5e:e1:73:47,maccusa", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "11003", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-3458- 11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", + "fileset.name": "dhcp", + "host.hostname": "tutla2716.www.domain", + "input.type": "log", + "log.offset": 4229, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.192.110.182" + ], + "rsa.internal.event_desc": "idex", + "rsa.internal.messageid": "11003", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "microsoft", + "source.address": "tutla2716.www.domain", + "source.ip": [ + "10.192.110.182" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + 
"@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "53", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2807- 53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis ", + "fileset.name": "dhcp", + "host.hostname": "ercit2385.internal.home", + "input.type": "log", + "log.offset": 4340, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.219.84.37" + ], + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "53", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": "microsoft", + "source.address": "ercit2385.internal.home", + "source.ip": [ + "10.219.84.37" + ], + "source.mac": "01:00:5e:a0:cd:2f,iamquis", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.code": "11012", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6972- 11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", + "fileset.name": "dhcp", + "host.hostname": "conseq557.mail.lan", + "input.type": "log", + "log.offset": 4449, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.148.153.201" + ], + "rsa.internal.event_desc": "ittenbyC", + "rsa.internal.messageid": "11012", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "service.type": "microsoft", + "source.address": "conseq557.mail.lan", + "source.ip": [ + "10.148.153.201" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "event.code": "24", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5040- 24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18", + "fileset.name": "dhcp", + "host.hostname": 
"oei5200.www5.invalid", + "input.type": "log", + "log.offset": 4562, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.103.118.137" + ], + "rsa.internal.event_desc": "utla", + "rsa.internal.messageid": "24", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "service.type": "microsoft", + "source.address": "oei5200.www5.invalid", + "source.ip": [ + "10.103.118.137" + ], + "source.mac": "01:00:5e:c7:b7:18", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "02", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2026- 02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol ", + "fileset.name": "dhcp", + "host.hostname": "adol485.example", + "input.type": "log", + "log.offset": 4661, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.137.223.15" + ], + "rsa.internal.event_desc": "nnum", + "rsa.internal.messageid": "02", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "service.type": "microsoft", + "source.address": "adol485.example", + "source.ip": [ + "10.137.223.15" + ], + "source.mac": "01:00:5e:81:99:6f,dol", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "event.code": "11019", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4977- 11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", + "fileset.name": "dhcp", + "host.hostname": "etconse7424.internal.lan", + "input.type": "log", + "log.offset": 4757, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.213.147.241" + ], + "rsa.internal.event_desc": "que", + "rsa.internal.messageid": "11019", + 
"rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "service.type": "microsoft", + "source.address": "etconse7424.internal.lan", + "source.ip": [ + "10.213.147.241" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "event.code": "11010", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1180- 11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", + "fileset.name": "dhcp", + "host.hostname": "tMalor7410.www.localhost", + "input.type": "log", + "log.offset": 4863, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.183.233.5" + ], + "rsa.internal.event_desc": "serunt", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "service.type": "microsoft", + "source.address": "tMalor7410.www.localhost", + "source.ip": [ + "10.183.233.5" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "11013", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2628- 11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", + "fileset.name": "dhcp", + "host.hostname": "equat2243.www5.localdomain", + "input.type": "log", + "log.offset": 4974, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.52.186.29" + ], + "rsa.internal.event_desc": "tNequepo", + "rsa.internal.messageid": "11013", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "microsoft", + "source.address": "equat2243.www5.localdomain", + "source.ip": [ + "10.52.186.29" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + 
}, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "11", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2949- 11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse ", + "fileset.name": "dhcp", + "host.hostname": "tmo1835.test", + "input.type": "log", + "log.offset": 5094, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.64.199.102" + ], + "rsa.internal.event_desc": "uptat", + "rsa.internal.messageid": "11", + "rsa.investigations.ec_activity": "Restore", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.type": "microsoft", + "source.address": "tmo1835.test", + "source.ip": [ + "10.64.199.102" + ], + "source.mac": "01:00:5e:35:a8:83,fugitse", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "event.code": "54", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-3331- 54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna ", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "quatD4191.local", + "input.type": "log", + "log.offset": 5194, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.196.143.87" + ], + "rsa.internal.event_desc": "etMalor", + "rsa.internal.messageid": "54", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "service.type": "microsoft", + "source.address": "quatD4191.local", + "source.ip": [ + "10.196.143.87" + ], + "source.mac": "01:00:5e:3b:7a:f1,sperna", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "30", + "event.dataset": 
"microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7576- 30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp ", + "fileset.name": "dhcp", + "host.hostname": "osqui3661.mail.domain", + "input.type": "log", + "log.offset": 5298, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.163.5.243" + ], + "rsa.internal.event_desc": "tper", + "rsa.internal.messageid": "30", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "service.type": "microsoft", + "source.address": "osqui3661.mail.domain", + "source.ip": [ + "10.163.5.243" + ], + "source.mac": "01:00:5e:1e:d6:07,texp", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "11004", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5037- 11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", + "fileset.name": "dhcp", + "host.hostname": "ectio2175.www.localhost", + "input.type": "log", + "log.offset": 5401, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.194.114.58" + ], + "rsa.internal.event_desc": "uela", + "rsa.internal.messageid": "11004", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "microsoft", + "source.address": "ectio2175.www.localhost", + "source.ip": [ + "10.194.114.58" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.code": "1103", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6385- 1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", + "fileset.name": "dhcp", + "host.hostname": "liqui6106.internal.home", + 
"input.type": "log", + "log.offset": 5513, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.212.42.224" + ], + "rsa.internal.event_desc": "ris", + "rsa.internal.messageid": "1103", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "service.type": "microsoft", + "source.address": "liqui6106.internal.home", + "source.ip": [ + "10.212.42.224" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "event.code": "11011", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1747- 11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", + "fileset.name": "dhcp", + "host.hostname": "eratv6205.internal.lan", + "input.type": "log", + "log.offset": 5625, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.244.144.198" + ], + "rsa.internal.event_desc": "aliquam", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "service.type": "microsoft", + "source.address": "eratv6205.internal.lan", + "source.ip": [ + "10.244.144.198" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.code": "57", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6686- 57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid ", + "fileset.name": "dhcp", + "host.hostname": "catc6134.localdomain", + "input.type": "log", + "log.offset": 5745, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.134.192.241" + ], + "rsa.internal.event_desc": "stlabo", + 
"rsa.internal.messageid": "57", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "microsoft", + "source.address": "catc6134.localdomain", + "source.ip": [ + "10.134.192.241" + ], + "source.mac": "01:00:5e:5b:99:6c,magnid", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "17", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7582- 17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido ", + "fileset.name": "dhcp", + "host.hostname": "tevelite245.mail.local", + "input.type": "log", + "log.offset": 5853, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.62.191.18" + ], + "rsa.internal.event_desc": "quiratio", + "rsa.internal.messageid": "17", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "microsoft", + "source.address": "tevelite245.mail.local", + "source.ip": [ + "10.62.191.18" + ], + "source.mac": "01:00:5e:78:a7:55,gnido", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "event.code": "50", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6036- 50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7", + "fileset.name": "dhcp", + "host.hostname": "abo1637.mail.host", + "input.type": "log", + "log.offset": 5963, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.89.22.113" + ], + "rsa.internal.event_desc": "numqua", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "service.type": "microsoft", + "source.address": "abo1637.mail.host", + "source.ip": [ + "10.89.22.113" + ], + "source.mac": "01:00:5e:ed:c2:f7", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, 
+ { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "11020", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4949- 11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", + "fileset.name": "dhcp", + "host.hostname": "piscin6866.internal.host", + "input.type": "log", + "log.offset": 6058, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.90.86.89" + ], + "rsa.internal.event_desc": "derit", + "rsa.internal.messageid": "11020", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "microsoft", + "source.address": "piscin6866.internal.host", + "source.ip": [ + "10.90.86.89" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "59", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6418- 59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta ", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "idex6952.www.localhost", + "input.type": "log", + "log.offset": 6171, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.67.38.204" + ], + "rsa.internal.event_desc": "nofdeFin", + "rsa.internal.messageid": "59", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "microsoft", + "source.address": "idex6952.www.localhost", + "source.ip": [ + "10.67.38.204" + ], + "source.mac": "01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": 
"2018-04-08T06:33:58.000Z", + "event.code": "11010", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4824- 11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", + "fileset.name": "dhcp", + "host.hostname": "riosamn7650.api.test", + "input.type": "log", + "log.offset": 6348, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.158.237.92" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "service.type": "microsoft", + "source.address": "riosamn7650.api.test", + "source.ip": [ + "10.158.237.92" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.code": "60", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5368- 60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu ", + "fileset.name": "dhcp", + "host.hostname": "ehen7519.www5.lan", + "input.type": "log", + "log.offset": 6459, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.107.168.60" + ], + "rsa.internal.event_desc": "mnisi", + "rsa.internal.messageid": "60", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "service.type": "microsoft", + "source.address": "ehen7519.www5.lan", + "source.ip": [ + "10.107.168.60" + ], + "source.mac": "01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.code": "24", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5740- 24: 
24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest ", + "fileset.name": "dhcp", + "host.hostname": "boree513.www.corp", + "input.type": "log", + "log.offset": 6587, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.207.201.9" + ], + "rsa.internal.event_desc": "Nequepo", + "rsa.internal.messageid": "24", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "microsoft", + "source.address": "boree513.www.corp", + "source.ip": [ + "10.207.201.9" + ], + "source.mac": "01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "event.code": "11023", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1842- 11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "aper5651.test", + "input.type": "log", + "log.offset": 6718, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.20.147.134" + ], + "rsa.internal.event_desc": "epte", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "service.type": "microsoft", + "source.address": "aper5651.test", + "source.ip": [ + "10.20.147.134" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "event.code": "11007", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5263- 11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", + "fileset.name": "dhcp", + 
"host.hostname": "inventor6088.www.invalid", + "input.type": "log", + "log.offset": 6815, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.213.145.202" + ], + "rsa.internal.event_desc": "saute", + "rsa.internal.messageid": "11007", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "service.type": "microsoft", + "source.address": "inventor6088.www.invalid", + "source.ip": [ + "10.213.145.202" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "20", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-510- 20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b", + "fileset.name": "dhcp", + "host.hostname": "aperiame1458.www5.local", + "input.type": "log", + "log.offset": 6926, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.14.81.228" + ], + "rsa.internal.event_desc": "tae", + "rsa.internal.messageid": "20", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "microsoft", + "source.address": "aperiame1458.www5.local", + "source.ip": [ + "10.14.81.228" + ], + "source.mac": "01:00:5e:7e:22:1b", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "11003", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4410- 11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", + "fileset.name": "dhcp", + "host.hostname": "cipitlab6201.www5.example", + "input.type": "log", + "log.offset": 7023, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.76.10.73" + ], + "rsa.internal.event_desc": "itinvol", + "rsa.internal.messageid": "11003", + 
"rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "microsoft", + "source.address": "cipitlab6201.www5.example", + "source.ip": [ + "10.76.10.73" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "event.code": "01", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4554- 01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin ", + "fileset.name": "dhcp", + "host.hostname": "com5308.api.domain", + "input.type": "log", + "log.offset": 7133, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.220.5.143" + ], + "rsa.internal.event_desc": "osquira", + "rsa.internal.messageid": "01", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "service.type": "microsoft", + "source.address": "com5308.api.domain", + "source.ip": [ + "10.220.5.143" + ], + "source.mac": "01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "event.code": "ID", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-3253- ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", + "fileset.name": "dhcp", + "host.hostname": "Nemoenim2039.api.localhost", + "input.type": "log", + "log.offset": 7265, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.226.199.190" + ], + "rsa.internal.event_desc": "roid", + "rsa.internal.messageid": "ID", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "service.type": "microsoft", + "source.address": "Nemoenim2039.api.localhost", + "source.ip": [ + "10.226.199.190" + ], + 
"source.mac": "01:00:5e:f6:ba:65", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "11000", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1394- 11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", + "fileset.name": "dhcp", + "host.hostname": "iquipe2458.api.host", + "input.type": "log", + "log.offset": 7367, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.20.129.206" + ], + "rsa.internal.event_desc": "itessequ", + "rsa.internal.messageid": "11000", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "microsoft", + "source.address": "iquipe2458.api.host", + "source.ip": [ + "10.20.129.206" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "event.code": "56", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5983- 56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite ", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "ovol3674.www5.host", + "input.type": "log", + "log.offset": 7478, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.174.176.36" + ], + "rsa.internal.event_desc": "tquiin", + "rsa.internal.messageid": "56", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "service.type": "microsoft", + "source.address": "ovol3674.www5.host", + "source.ip": [ + "10.174.176.36" + ], + "source.mac": "01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite", + "tags": [ + 
"microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "event.code": "32", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7829- 32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita ", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "nisist2752.home", + "input.type": "log", + "log.offset": 7651, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.94.38.110" + ], + "rsa.internal.event_desc": "asi", + "rsa.internal.messageid": "32", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "service.type": "microsoft", + "source.address": "nisist2752.home", + "source.ip": [ + "10.94.38.110" + ], + "source.mac": "01:00:5e:c1:3c:48,exercita", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "11007", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2516- 11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", + "fileset.name": "dhcp", + "host.hostname": "intoc1426.mail.lan", + "input.type": "log", + "log.offset": 7752, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.22.110.210" + ], + "rsa.internal.event_desc": "oremeu", + "rsa.internal.messageid": "11007", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "microsoft", + "source.address": "intoc1426.mail.lan", + "source.ip": [ + "10.22.110.210" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "11006", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": 
"%MSDHCP-543- 11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", + "fileset.name": "dhcp", + "host.hostname": "rsitvolu3751.mail.lan", + "input.type": "log", + "log.offset": 7861, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.218.87.174" + ], + "rsa.internal.event_desc": "eturadi", + "rsa.internal.messageid": "11006", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "microsoft", + "source.address": "rsitvolu3751.mail.lan", + "source.ip": [ + "10.218.87.174" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "event.code": "11014", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6846- 11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", + "fileset.name": "dhcp", + "host.hostname": "tqu4367.www5.localhost", + "input.type": "log", + "log.offset": 7974, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.140.113.244" + ], + "rsa.internal.event_desc": "adeser", + "rsa.internal.messageid": "11014", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "service.type": "microsoft", + "source.address": "tqu4367.www5.localhost", + "source.ip": [ + "10.140.113.244" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "1103", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7741- 1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", + "fileset.name": "dhcp", + "host.hostname": "inci5738.www5.invalid", + "input.type": "log", + "log.offset": 8087, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + 
"related.ip": [ + "10.159.181.29" + ], + "rsa.internal.event_desc": "dmin", + "rsa.internal.messageid": "1103", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "microsoft", + "source.address": "inci5738.www5.invalid", + "source.ip": [ + "10.159.181.29" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "11005", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-18- 11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", + "fileset.name": "dhcp", + "host.hostname": "itecto1300.internal.corp", + "input.type": "log", + "log.offset": 8200, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.178.173.128" + ], + "rsa.internal.event_desc": "cusant", + "rsa.internal.messageid": "11005", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "microsoft", + "source.address": "itecto1300.internal.corp", + "source.ip": [ + "10.178.173.128" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "event.code": "11015", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6789- 11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", + "fileset.name": "dhcp", + "host.hostname": "siut1579.www.domain", + "input.type": "log", + "log.offset": 8316, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.217.38.30" + ], + "rsa.internal.event_desc": "uia", + "rsa.internal.messageid": "11015", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "service.type": "microsoft", + "source.address": "siut1579.www.domain", + "source.ip": [ + "10.217.38.30" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + 
"@timestamp": "2018-12-21T13:20:14.000Z", + "event.code": "11014", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1540- 11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", + "fileset.name": "dhcp", + "host.hostname": "ame6223.www5.localhost", + "input.type": "log", + "log.offset": 8415, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.178.49.161" + ], + "rsa.internal.event_desc": "edic", + "rsa.internal.messageid": "11014", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "service.type": "microsoft", + "source.address": "ame6223.www5.localhost", + "source.ip": [ + "10.178.49.161" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "32", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2244- 32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts ", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "ratv5227.www.invalid", + "input.type": "log", + "log.offset": 8528, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.215.205.216" + ], + "rsa.internal.event_desc": "stenatu", + "rsa.internal.messageid": "32", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "microsoft", + "source.address": "ratv5227.www.invalid", + "source.ip": [ + "10.215.205.216" + ], + "source.mac": "01:00:5e:fd:3d:c2,nts", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "event.code": "11025", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5663- 11025: 
11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", + "fileset.name": "dhcp", + "host.hostname": "aturve1647.mail.localhost", + "input.type": "log", + "log.offset": 8633, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.175.103.215" + ], + "rsa.internal.event_desc": "ano", + "rsa.internal.messageid": "11025", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "service.type": "microsoft", + "source.address": "aturve1647.mail.localhost", + "source.ip": [ + "10.175.103.215" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "event.code": "12", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6672- 12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp ", + "fileset.name": "dhcp", + "host.hostname": "umwrit5433.www5.domain", + "input.type": "log", + "log.offset": 8745, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.236.150.115" + ], + "rsa.internal.event_desc": "enderi", + "rsa.internal.messageid": "12", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "service.type": "microsoft", + "source.address": "umwrit5433.www5.domain", + "source.ip": [ + "10.236.150.115" + ], + "source.mac": "01:00:5e:ba:09:4a,tpersp", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "01", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6797- 01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat ", + "fileset.name": "dhcp", + "host.hostname": "llamco7206.www.home", + "input.type": "log", + "log.offset": 8854, + "observer.product": "DHCP", + "observer.type": "Application", + 
"observer.vendor": "Microsoft", + "related.ip": [ + "10.223.90.192" + ], + "rsa.internal.event_desc": "oeni", + "rsa.internal.messageid": "01", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "microsoft", + "source.address": "llamco7206.www.home", + "source.ip": [ + "10.223.90.192" + ], + "source.mac": "01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "51", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4494- 51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo ", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "nBCSedut1502.www5.example", + "input.type": "log", + "log.offset": 8980, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.165.192.48" + ], + "rsa.internal.event_desc": "dolore", + "rsa.internal.messageid": "51", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "microsoft", + "source.address": "nBCSedut1502.www5.example", + "source.ip": [ + "10.165.192.48" + ], + "source.mac": "01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "event.code": "50", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7205- 50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, ", + "fileset.name": "dhcp", + "host.hostname": "texpli2782.mail.domain", + 
"input.type": "log", + "log.offset": 9159, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.80.152.108" + ], + "rsa.internal.event_desc": "ama", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "service.type": "microsoft", + "source.address": "texpli2782.mail.domain", + "source.ip": [ + "10.80.152.108" + ], + "source.mac": "01:00:5e:27:0a:9d,", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "event.code": "11011", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5224- 11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", + "fileset.name": "dhcp", + "host.hostname": "aco6894.mail.home", + "input.type": "log", + "log.offset": 9259, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.192.21.74" + ], + "rsa.internal.event_desc": "liqua", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "service.type": "microsoft", + "source.address": "aco6894.mail.home", + "source.ip": [ + "10.192.21.74" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.code": "11019", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5608- 11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", + "fileset.name": "dhcp", + "host.hostname": "tetu2485.internal.invalid", + "input.type": "log", + "log.offset": 9369, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.142.25.100" + ], + "rsa.internal.event_desc": "bor", + 
"rsa.internal.messageid": "11019", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "microsoft", + "source.address": "tetu2485.internal.invalid", + "source.ip": [ + "10.142.25.100" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "event.code": "1098", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-3051- 1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "doloreme60.www5.localhost", + "input.type": "log", + "log.offset": 9477, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.162.114.217" + ], + "rsa.internal.event_desc": "ven", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "service.type": "microsoft", + "source.address": "doloreme60.www5.localhost", + "source.ip": [ + "10.162.114.217" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "event.code": "01", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2315- 01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac ", + "fileset.name": "dhcp", + "host.hostname": "liqua6498.api.invalid", + "input.type": "log", + "log.offset": 9588, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.57.57.241" + ], + "rsa.internal.event_desc": "amcorp", + "rsa.internal.messageid": "01", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + 
"rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "service.type": "microsoft", + "source.address": "liqua6498.api.invalid", + "source.ip": [ + "10.57.57.241" + ], + "source.mac": "01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "14", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2690- 14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local ,01:00:5e:7a:4c:6e,miu ", + "fileset.name": "dhcp", + "host.hostname": "rsita2628.www5.local", + "input.type": "log", + "log.offset": 9770, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.152.28.171" + ], + "rsa.internal.event_desc": "quamest", + "rsa.internal.messageid": "14", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "microsoft", + "source.address": "rsita2628.www5.local", + "source.ip": [ + "10.152.28.171" + ], + "source.mac": "01:00:5e:7a:4c:6e,miu", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "11001", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6444- 11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", + "fileset.name": "dhcp", + "host.hostname": "luptat7214.domain", + "input.type": "log", + "log.offset": 9875, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.0.132.176" + ], + "rsa.internal.event_desc": "mex", + "rsa.internal.messageid": "11001", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "microsoft", + "source.address": "luptat7214.domain", + "source.ip": [ + "10.0.132.176" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" 
+ ] + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "event.code": "11", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-7037- 11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a", + "fileset.name": "dhcp", + "host.hostname": "tpersp2624.mail.example", + "input.type": "log", + "log.offset": 9982, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.125.134.213" + ], + "rsa.internal.event_desc": "itesseq", + "rsa.internal.messageid": "11", + "rsa.investigations.ec_activity": "Restore", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "service.type": "microsoft", + "source.address": "tpersp2624.mail.example", + "source.ip": [ + "10.125.134.213" + ], + "source.mac": "01:00:5e:0b:fb:4a", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "64", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-6392- 64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, ", + "fileset.name": "dhcp", + "host.hostname": "aincidu2687.mail.home", + "input.type": "log", + "log.offset": 10086, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.206.96.56" + ], + "rsa.internal.event_desc": "mvolu", + "rsa.internal.messageid": "64", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "microsoft", + "source.address": "aincidu2687.mail.home", + "source.ip": [ + "10.206.96.56" + ], + "source.mac": "01:00:5e:80:9d:2c,", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "1098", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5524- 1098: 
1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "amcor5091.internal.corp", + "input.type": "log", + "log.offset": 10186, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.22.187.69" + ], + "rsa.internal.event_desc": "lupta", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "microsoft", + "source.address": "amcor5091.internal.corp", + "source.ip": [ + "10.22.187.69" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "event.code": "11019", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1978- 11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", + "fileset.name": "dhcp", + "host.hostname": "ncidid5410.internal.domain", + "input.type": "log", + "log.offset": 10290, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.2.128.234" + ], + "rsa.internal.event_desc": "atisund", + "rsa.internal.messageid": "11019", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "service.type": "microsoft", + "source.address": "ncidid5410.internal.domain", + "source.ip": [ + "10.2.128.234" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.code": "11024", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5469- 11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", + "event.outcome": "Success", + "fileset.name": "dhcp", + "host.hostname": "nofd988.api.example", + 
"input.type": "log", + "log.offset": 10412, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.223.160.140" + ], + "rsa.internal.event_desc": "porincid", + "rsa.internal.messageid": "11024", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "service.type": "microsoft", + "source.address": "nofd988.api.example", + "source.ip": [ + "10.223.160.140" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "11004", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2- 11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", + "fileset.name": "dhcp", + "host.hostname": "borisnis6159.www5.localdomain", + "input.type": "log", + "log.offset": 10522, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.137.14.180" + ], + "rsa.internal.event_desc": "elit", + "rsa.internal.messageid": "11004", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "microsoft", + "source.address": "borisnis6159.www5.localdomain", + "source.ip": [ + "10.137.14.180" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "event.code": "59", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-2859- 59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "isetquas3096.home", + "input.type": "log", + "log.offset": 10637, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + 
"10.106.93.26" + ], + "rsa.internal.event_desc": "inibu", + "rsa.internal.messageid": "59", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "service.type": "microsoft", + "source.address": "isetquas3096.home", + "source.ip": [ + "10.106.93.26" + ], + "source.mac": "01:00:5e:1b:92:a6", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "event.code": "11025", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4924- 11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", + "fileset.name": "dhcp", + "host.hostname": "dminima4348.mail.home", + "input.type": "log", + "log.offset": 10731, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.192.182.230" + ], + "rsa.internal.event_desc": "periam", + "rsa.internal.messageid": "11025", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "service.type": "microsoft", + "source.address": "dminima4348.mail.home", + "source.ip": [ + "10.192.182.230" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "25", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-1738- 25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi ", + "fileset.name": "dhcp", + "host.hostname": "volupt2952.api.local", + "input.type": "log", + "log.offset": 10839, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.24.111.229" + ], + "rsa.internal.event_desc": "loi", + "rsa.internal.messageid": "25", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": 
"microsoft", + "source.address": "volupt2952.api.local", + "source.ip": [ + "10.24.111.229" + ], + "source.mac": "01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "60", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-5282- 60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil ", + "fileset.name": "dhcp", + "host.hostname": "uii5923.internal.home", + "input.type": "log", + "log.offset": 11011, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.45.253.103" + ], + "rsa.internal.event_desc": "lores", + "rsa.internal.messageid": "60", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "microsoft", + "source.address": "uii5923.internal.home", + "source.ip": [ + "10.45.253.103" + ], + "source.mac": "01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "event.code": "11023", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-3023- 11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", + "event.outcome": "Failure", + "fileset.name": "dhcp", + "host.hostname": "oluptas6981.www5.localhost", + "input.type": "log", + "log.offset": 11144, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.95.241.28" + ], + "rsa.internal.event_desc": "atise", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.time.event_time": 
"2019-11-15T07:19:22.000Z", + "service.type": "microsoft", + "source.address": "oluptas6981.www5.localhost", + "source.ip": [ + "10.95.241.28" + ], + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.code": "23", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4890- 23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict ", + "fileset.name": "dhcp", + "host.hostname": "vitaed4959.example", + "input.type": "log", + "log.offset": 11259, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.84.32.178" + ], + "rsa.internal.event_desc": "dolore", + "rsa.internal.messageid": "23", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "service.type": "microsoft", + "source.address": "vitaed4959.example", + "source.ip": [ + "10.84.32.178" + ], + "source.mac": "01:00:5e:11:45:1e,itaedict", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "55", + "event.dataset": "microsoft.dhcp", + "event.module": "microsoft", + "event.original": "%MSDHCP-4271- 55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d", + "fileset.name": "dhcp", + "host.hostname": "boreetdo1725.example", + "input.type": "log", + "log.offset": 11367, + "observer.product": "DHCP", + "observer.type": "Application", + "observer.vendor": "Microsoft", + "related.ip": [ + "10.72.196.74" + ], + "rsa.internal.event_desc": "ruredo", + "rsa.internal.messageid": "55", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "microsoft", + "source.address": "boreetdo1725.example", + "source.ip": [ + "10.72.196.74" + ], + "source.mac": "01:00:5e:01:2f:7d", + "tags": [ + "microsoft.dhcp", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/microsoft/fields.go b/x-pack/filebeat/module/microsoft/fields.go new file mode 100644 index 00000000000..1e6b8e90a13 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package microsoft + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "microsoft", asset.ModuleFieldsPri, AssetMicrosoft); err != nil { + panic(err) + } +} + +// AssetMicrosoft returns asset data. +// This is the base64 encoded gzipped contents of module/microsoft. +func AssetMicrosoft() string { + return "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" +} diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md new file mode 100644 index 00000000000..051c6c232b6 --- /dev/null +++ b/x-pack/filebeat/module/netscout/README.md @@ -0,0 +1,7 @@ +# netscout module + +This is a module for Arbor Peakflow SP logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 +at 2020-07-07 18:10:40.894044 +0000 UTC. + diff --git a/x-pack/filebeat/module/netscout/_meta/config.yml b/x-pack/filebeat/module/netscout/_meta/config.yml new file mode 100644 index 00000000000..168d7284a9f --- /dev/null +++ b/x-pack/filebeat/module/netscout/_meta/config.yml 
@@ -0,0 +1,19 @@ +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc new file mode 100644 index 00000000000..8f773354af9 --- /dev/null +++ b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc 
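Review bot: The config template surfaces `var.rsa_fields` but not `var.keep_raw_fields`, although the module docs added in this same series document `var.keep_raw_fields` (default false, raw parser fields under `rsa.raw`) as a fileset setting, so an operator reading only the generated `filebeat.yml` stanza will not discover it. Keeping the two in step would mean adding, next to the `var.rsa_fields` comment, `# Toggle output of raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false`. If the template is produced by the same converter as the rest of the module, the addition presumably belongs in its template rather than in this file directly.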
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: netscout
+:has-dashboards: false
+
+== Netscout module
+
+experimental[]
+
+This is a module for receiving Arbor Peakflow SP logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: sightline
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `sightline` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" device revision 109.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9502`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/netscout/_meta/fields.yml b/x-pack/filebeat/module/netscout/_meta/fields.yml
new file mode 100644
index 00000000000..19fcd1463f8
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: netscout + title: Arbor Peakflow SP + description: > + netscout fields. + fields: diff --git a/x-pack/filebeat/module/netscout/fields.go b/x-pack/filebeat/module/netscout/fields.go new file mode 100644 index 00000000000..c985492bd13 --- /dev/null +++ b/x-pack/filebeat/module/netscout/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package netscout + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "netscout", asset.ModuleFieldsPri, AssetNetscout); err != nil { + panic(err) + } +} + +// AssetNetscout returns asset data. +// This is the base64 encoded gzipped contents of module/netscout. +func AssetNetscout() string { + return "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" +} diff --git a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml
new file mode 100644
index 00000000000..ec1e377e5cd
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Netscout"
+ product: "Arbor"
+ type: "DDOS"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/netscout/sightline/config/liblogparser.js
+ - ${path.home}/module/netscout/sightline/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
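Review bot: `tz_offset: {{.tz_offset}}` in the script processor params is rendered unquoted, so an offset configured without a colon (the `-HHMM` form, which the `parse_tz_offset` regex `^([+\-])([0-9]{2}):?([0-9]{2})?$` in the liblogparser.js hunk deliberately accepts) is read by YAML as an integer rather than a string. If that value reaches the script as a number, the `offset.match(...)` call fails on a non-string instead of yielding the `+HH:MM` form, so a valid setting becomes a runtime error. Quoting it the way `host:` already is, `tz_offset: "{{.tz_offset}}"`, keeps every accepted form a string; I have not checked whether the manifest default makes this reachable, so treat this as a hardening of the template.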
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hdata}: %{p0}"); + +var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var 
dup3 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + +var dup4 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], +}); + +var dup5 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + +var dup6 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + +var dup7 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + +var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + +var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + +var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], +}); + +var dup12 = setc("eventcategory","1801010000"); + +var dup13 = setf("msg","$MSG"); + +var dup14 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], +}); + +var dup15 = setc("eventcategory","1801020000"); + +var dup16 = date_time({ + dest: "endtime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], +}); + +var dup17 = setc("eventcategory","1607000000"); + +var dup18 = setc("eventcategory","1605000000"); + +var dup19 = setc("eventcategory","1701000000"); + +var dup20 = setc("eventcategory","1603010000"); + +var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + +var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + +var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + +var dup24 = setc("eventcategory","1502020000"); + +var dup25 = setc("event_type","TMS mitigation"); + +var dup26 = setc("disposition","ongoing"); + +var dup27 = setc("disposition","done"); + +var dup28 = setc("event_type","Third party mitigation"); + +var dup29 
= setc("event_type","Blackhole mitigation"); + +var dup30 = setc("event_type","Flowspec mitigation"); + +var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + +var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + +var dup33 = setc("eventcategory","1002000000"); + +var dup34 = setc("signame","Bandwidth"); + +var dup35 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dN,dU,dO], + ], +}); + +var dup36 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}"); + +var dup37 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], +}); + +var dup38 = linear_select([ + dup2, + dup3, +]); + +var dup39 = linear_select([ + dup6, + dup7, + dup8, + dup9, +]); + +var dup40 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol}down for router %{node}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var dup41 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol}restored for router %{node}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var dup42 = linear_select([ + dup21, + dup22, +]); + +var dup43 = linear_select([ + dup31, + dup32, +]); + +var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); + +var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); + +var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); + +var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); + +var select1 = linear_select([ + part1, + part2, + part3, + part4, +]); + +var part5 = 
match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), +}); + +var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup1, + dup38, + part6, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup4, + ]), +}); + +var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1}for service %{payload}"); + +var all3 = all_match({ + processors: [ + dup1, + dup38, + dup5, + dup39, + part7, + ], + on_success: processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + constant("usage_"), + field("msgIdPart1"), + ], + }), + ]), +}); + +var all4 = all_match({ + processors: [ + dup1, + dup38, + dup5, + dup39, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0003"), + dup4, + ]), +}); + +var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); + +var select2 = linear_select([ + dup2, + dup3, + part8, +]); + +var all5 = all_match({ + processors: [ + dup1, + select2, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0004"), + dup4, + ]), +}); + +var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime}pfsp: The %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup11, +])); + +var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime}pfsp: Alert %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + dup11, +])); + +var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime}pfsp: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup11, +])); + +var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: 
%{payload}", processor_chain([ + setc("header_id","0010"), + dup4, +])); + +var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var select3 = linear_select([ + all1, + all2, + all3, + all4, + all5, + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, +]); + +var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg1 = msg("Flow:Down", part9); + +var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg2 = msg("Flow:Restored", part10); + +var select4 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("BGP:Down", dup40); + +var msg4 = msg("BGP:Restored", dup41); + +var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol}instability router %{node}threshold %{fld25}(%{fld1}) observed %{trigger_val}(%{fld2})", processor_chain([ + dup17, + dup13, +])); + +var msg5 = msg("BGP:Instability", part11); + +var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", "%{protocol}Instability for router %{node}ended", processor_chain([ + dup18, + dup13, +])); + +var msg6 = msg("BGP:Instability_Ended", part12); + +var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol}Hijack local_prefix %{fld26}router %{node}bgp_prefix %{fld27}bgp_attributes %{event_description}", processor_chain([ + setc("eventcategory","1002050000"), + dup13, +])); + +var msg7 = msg("BGP:Hijack", part13); + +var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol}Hijack for prefix %{fld26}router %{node}done", processor_chain([ + dup18, + 
dup13, +])); + +var msg8 = msg("BGP:Hijack_Done", part14); + +var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol}Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ + dup19, + dup13, +])); + +var msg9 = msg("BGP:Trap", part15); + +var select5 = linear_select([ + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, +]); + +var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node}unreachable by controller %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg10 = msg("Device:Unreachable", part16); + +var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node}reachable again by controller %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg11 = msg("Device:Reachable", part17); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}GMT: %{event_description}", processor_chain([ + dup20, + dup13, + dup14, +])); + +var msg12 = msg("Hardware:Failure", part18); + +var part19 = match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node}done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}GMT: %{event_description}", processor_chain([ + dup18, + dup13, + dup16, +])); + +var msg13 = msg("Hardware:Failure_Done", part19); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("SNMP:Down", dup40); + +var msg15 = msg("SNMP:Restored", dup41); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node}to version %{version}by %{administrator}", 
processor_chain([ + dup19, + dup13, + setc("event_description","Configuration changed"), +])); + +var msg16 = msg("configuration", part20); + +var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Autoclassification restarted"), + dup14, +])); + +var msg17 = msg("Autoclassification", part21); + +var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg18 = msg("GRE:Down", part22); + +var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + setc("eventcategory","1801020100"), + dup13, + dup16, +])); + +var msg19 = msg("GRE:Restored", part23); + +var select9 = linear_select([ + msg18, + msg19, +]); + +var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all6 = all_match({ + processors: [ + part24, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup26, + dup14, + ]), +}); + +var msg20 = msg("mitigation:TMS_Start", all6); + +var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all7 = all_match({ + processors: [ + part25, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup27, + dup16, + ]), +}); + +var msg21 = msg("mitigation:TMS_Stop", all7); + +var 
part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all8 = all_match({ + processors: [ + part26, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup26, + dup14, + ]), +}); + +var msg22 = msg("mitigation:Thirdparty_Start", all8); + +var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all9 = all_match({ + processors: [ + part27, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup27, + ]), +}); + +var msg23 = msg("mitigation:Thirdparty_Stop", all9); + +var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all10 = all_match({ + processors: [ + part28, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup26, + dup14, + ]), +}); + +var msg24 = msg("mitigation:Blackhole_Start", all10); + +var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all11 = all_match({ + processors: [ + part29, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup27, + ]), +}); + +var msg25 = msg("mitigation:Blackhole_Stop", all11); + +var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all12 = all_match({ + processors: [ + part30, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup26, + dup14, 
+ ]), +}); + +var msg26 = msg("mitigation:Flowspec_Start", all12); + +var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all13 = all_match({ + processors: [ + part31, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup27, + ]), +}); + +var msg27 = msg("mitigation:Flowspec_Stop", all13); + +var select10 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}cleared", processor_chain([ + dup18, + dup13, + setc("event_type","Fault Cleared"), +])); + +var msg28 = msg("TMS:Fault_Cleared", part32); + +var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ + dup20, + dup13, + setc("event_type","Fault Occured"), +])); + +var msg29 = msg("TMS:Fault", part33); + +var select11 = linear_select([ + msg28, + msg29, +]); + +var part34 = match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc}interface usage alert %{fld1}for router %{node}interface \"%{interface}\" speed %{fld2}threshold %{fld25}observed %{trigger_val}pct %{fld3}", processor_chain([ + dup17, + dup13, +])); + +var msg30 = msg("usage_alert:Interface", part34); + +var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc}interface usage alert %{fld1}done for router %{node}interface \"%{interface}\"", processor_chain([ + dup18, + dup13, +])); + +var msg31 = msg("usage_alert:Interface_Done", part35); + +var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for fingerprint %{policyname}threshold 
%{fld25}observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); + +var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for fingerprint %{policyname}done", processor_chain([ + dup18, + dup13, +])); + +var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); + +var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1}usage alert %{fld2}for service %{service}, %{application}threshold %{fld25}observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg34 = msg("usage_alert:Service_Threshold", part38); + +var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1}alert %{fld2}for service %{service}done", processor_chain([ + dup18, + dup13, +])); + +var msg35 = msg("usage_alert:Service_Threshold_Done", part39); + +var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for %{category->} %{fld2}threshold %{fld25}observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg36 = msg("usage_alert:ManagedObject_Threshold", part40); + +var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for %{fld3->} %{fld4}done", processor_chain([ + dup18, + dup13, +])); + +var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); + +var select12 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, +]); + +var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ + dup18, + dup13, +])); + +var msg38 = msg("Test", part42); + +var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node}ran at 
%{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all14 = all_match({ + processors: [ + part43, + dup42, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + setc("event_type","Script mitigation"), + dup26, + dup14, + ]), +}); + +var msg39 = msg("script", all14); + +var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id}status %{disposition}severity %{severity}classification %{category}impact %{fld10}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var part45 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}, %{info}"); + +var all15 = all_match({ + processors: [ + part44, + dup43, + part45, + ], + on_success: processor_chain([ + dup33, + dup13, + dup34, + dup35, + ]), +}); + +var msg40 = msg("anomaly:Resource_Info:01", all15); + +var part46 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id}status %{disposition}severity %{severity}classification %{category}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all16 = all_match({ + processors: [ + part46, + dup43, + dup36, + ], + on_success: processor_chain([ + dup33, + dup13, + dup34, + dup35, + ]), +}); + +var msg41 = msg("anomaly:Resource_Info:02", all16); + +var part47 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame}id %{event_id}status %{disposition}severity %{severity}classification %{category}impact %{fld10}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var part48 = match("MESSAGE#41:anomaly:Resource_Info:03/2", "nwparser.p0", "%{} 
%{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}, %{info->} "); + +var all17 = all_match({ + processors: [ + part47, + dup43, + part48, + ], + on_success: processor_chain([ + dup33, + dup13, + dup35, + ]), +}); + +var msg42 = msg("anomaly:Resource_Info:03", all17); + +var part49 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame}id %{event_id}status %{disposition}severity %{severity}classification %{category}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all18 = all_match({ + processors: [ + part49, + dup43, + dup36, + ], + on_success: processor_chain([ + dup33, + dup13, + dup35, + ]), +}); + +var msg43 = msg("anomaly:Resource_Info:04", all18); + +var part50 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid}status %{disposition}severity %{severity}classification %{category}router %{fld6}router_name %{node}interface %{fld4}interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup33, + dup13, + dup34, +])); + +var msg44 = msg("anomaly:Router_Info:01", part50); + +var part51 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame}id %{sigid}status %{disposition}severity %{severity}classification %{category}router %{fld6}router_name %{node}interface %{fld4}interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup33, + dup13, +])); + +var msg45 = msg("anomaly:Router_Info:02", part51); + +var select13 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part52 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node}unreachable by %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg46 = msg("Peakflow:Unreachable", part52); + +var part53 = 
match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node}reachable again by %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg47 = msg("Peakflow:Reachable", part53); + +var select14 = linear_select([ + msg46, + msg47, +]); + +var part54 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ + dup18, + dup13, + dup37, + date_time({ + dest: "endtime", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }), +])); + +var msg48 = msg("Host:Detection", part54); + +var part55 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ + dup18, + dup13, + dup37, +])); + +var msg49 = msg("Host:Detection:01", part55); + +var select15 = linear_select([ + msg48, + msg49, +]); + +var part56 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expiring cleared"), +])); + +var msg50 = msg("Infrastructure", part56); + +var part57 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. 
System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Hardware sensor detected a critical state"), +])); + +var msg51 = msg("Infrastructure:02", part57); + +var part58 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expired cleared"), +])); + +var msg52 = msg("Infrastructure:01", part58); + +var select16 = linear_select([ + msg50, + msg51, + msg52, +]); + +var part59 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ + setc("eventcategory","1803000000"), + dup13, +])); + +var msg53 = msg("Blocked_Host", part59); + +var part60 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ + dup18, + dup13, +])); + +var msg54 = msg("Change_Log", part60); + +var part61 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Changed protection mode to active for protection group"), +])); + +var msg55 = msg("Protection_Mode", part61); + +var chain1 = processor_chain([ + select3, + msgid_select({ + "Autoclassification": msg17, + "BGP": select5, + "Blocked_Host": msg53, + "Change_Log": msg54, + "Device": select6, + "Flow": select4, + "GRE": select9, + "Hardware": select7, + "Host": select15, + "Infrastructure": select16, + "Peakflow": select14, + "Protection_Mode": msg55, + "SNMP": select8, + "TMS": select11, + "Test": msg38, + "anomaly": select13, + "configuration": msg16, + "mitigation": select10, + "script": msg39, + "usage_alert": select12, + }), +]); + +var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} 
%{hday->} %{htime->} %{hdata}: %{p0}"); + +var part62 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var part63 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + +var part64 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + +var part65 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + +var part66 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + +var part67 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + +var part68 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + +var part69 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var part70 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + +var part71 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + +var part72 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + +var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + +var part74 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + +var part75 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}"); + +var select17 = linear_select([ + dup2, + dup3, +]); + +var select18 = linear_select([ + dup6, + dup7, + dup8, + dup9, +]); + +var part76 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol}down for router %{node}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var part77 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol}restored for router %{node}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var select19 = linear_select([ + 
dup21,
+ dup22,
+]);
+
+var select20 = linear_select([
+ dup31,
+ dup32,
+]);
diff --git a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml
new file mode 100644
index 00000000000..66f9ab7bcc1
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Arbor Peakflow SP
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/netscout/sightline/manifest.yml b/x-pack/filebeat/module/netscout/sightline/manifest.yml
new file mode 100644
index 00000000000..6c3ae460110
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/manifest.yml
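Review bot: The pipeline's `description: Pipeline for Arbor Peakflow SP` names a different product than the module and dataset it serves (`netscout.sightline`, with `observer.vendor: Netscout` and `observer.product: Arbor` in the expected test output), which will confuse anyone listing pipelines on the Elasticsearch side. If Sightline is the current name of Peakflow SP, say so in the description, e.g. `description: Pipeline for Netscout Sightline (formerly Arbor Peakflow SP)`. Separately, the `user_agent` processor on `user_agent.original` looks like a no-op for this module, since none of the visible parser patterns appear to populate a user-agent field; it is harmless with `ignore_missing: true`, but a one-line comment noting it is kept for parity with the other modules would save the next reader from searching for its producer.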
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["netscout.sightline", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9502
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log
new file mode 100644
index 00000000000..404e018708f
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log
@@ -0,0 +1,100 @@ +January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci +February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac +February 26 20:15:08 pfsp: Device ntium unreachable by controller psaq since 2016-02-26 20:15:08 +March 12 03:17:42 pfsp: low usage alert dolore usage alert sequa for service abo, squira threshold nostrud observed mest +March 26 10:20:16 nci: BGP: ipv6-icmp Hijack local_prefix litesse router orev bgp_prefix pisciv bgp_attributes uii +April 9 17:22:51 pfsp: Alert SNMP down for router olupt, leader volup since 2016-04-09 17:22:51 byCicer +April 24 00:25:25 pfsp: Flowspec usage_alert usage alert isiutal for moenimi mod threshold riosam observed anonnu +May 8 07:27:59 idolor: Blocked Host: Blocked host10.255.173.170ateiusby Blocked Countries usingipv6-icmpdestination10.139.108.194,URL:https://example.com/lupt/tia.txt?uame=quis#orisn +May 22 14:30:33 pfsp: low usage alert interface usage alert meumfug for router tetu interface "eth1133" speed com threshold eataevi observed byC pct tinculp +June 5 21:33:08 pfsp: The SNMP down for router minim, leader eFini since 2016-06-05 21:33:08 amco +June 20 04:35:42 pfsp: The SNMP restored for router mvolu, leader radip at 2016-06-20 04:35:42 tNequ +July 4 11:38:16 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap +July 18 18:40:50 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis +August 2 01:43:25 pfsp: high usage alert interface usage alert uian done for router tempo interface "eth4780" +August 16 08:45:59 Username: Flowspec Change_Log , Subsystem:omnis, Setting Type:antium, Message:Cice +August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 uidexea by anim 
+September 13 22:51:07 Username: high Change Log , Subsystem:ari, Setting Type:equun, Message:suntinc +September 28 05:53:42 pfsp: High usage alert interface usage alert llamcorp done for router ari interface "lo3856" +October 12 12:56:16 ele: Protection Mode: Changed protection mode to active for protection grouptenbyCic,URL:https://mail.example.net/ugits/temsequ.gif?ipit=idexea#riat +October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate +November 10 03:01:24 pfsp: High usage alert usage alert orsitame for quiratio ite done +November 24 10:03:59 pfsp: Alert GRE tunnel down for destination 10.159.182.171, leader umdolore since 2016-11-24 10:03:59 eniam +December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli +December 23 00:09:07 onsequat: Protection Mode: Changed protection mode to active for protection groupsiuta,URL:https://api.example.net/rporis/end.txt?itaut=rveli#rsint +January 6 07:11:41 pfsp: Alert GRE tunnel down for destination 10.243.224.205, leader uradi since 2017-01-06 07:11:41 aborumSe +January 20 14:14:16 pfsp: The Peakflow device antiumto unreachable by strude since 2017-01-20 14:14:16 +February 3 21:16:50 pfsp: Autoclassification was restarted on 2017-02-03 21:16:50 aperi by lor +February 18 04:19:24 pfsp: The BGP Instability for router oin ended +March 4 11:21:59 Username: high Change Log , Subsystem:dolore, Setting Type:abor, Message:iqui +March 18 18:24:33 etM: Protection Mode: Changed protection mode to active for protection groupnimadmin,URL:https://www5.example.org/piscing/roq.txt?dun=onproide#luptat +April 2 01:27:07 Username: low Change Log , Subsystem:adm, Setting Type:umdolo, Message:onproide +April 16 08:29:41 pfsp: BGP Hijack local_prefix tcup router imadmini bgp_prefix ntutla bgp_attributes equa +April 30 15:32:16 pfsp: configuration was changed on 
leader sunt to version 1.1284 by ume +May 14 22:34:50 pfsp: The Autoclassification was restarted on 2017-05-14 22:34:50 picia by mUtenima +May 29 05:37:24 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-05-29 05:37:24 lumquido +June 12 12:39:58 Lor: Test: Test syslog message +June 26 19:42:33 pfsp: High usage alert interface usage alert ostrume for router molest interface "eth7336" speed uiineavo threshold tisetq observed irati pct ici +July 11 02:45:07 pfsp: The script vol ran at 2017-07-11 02:45:07 , leader riat +July 25 09:47:41 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend +August 8 16:50:15 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae +August 22 23:52:50 pfsp: Alert SNMP down for router idex, leader xerci since 2017-08-22 23:52:50 aqu +September 6 06:55:24 pfsp: Alert GRE tunnel restored for destination 10.32.143.134, leader serror at 2017-09-06 06:55:24 aliqu +September 20 13:57:58 pfsp: Host Detection alert atDu, start 2017-09-20 13:57:58 eav, duration 141.087000, direction usmodt, host 10.225.160.182, signatures (mque), impact uovolup, importance high, managed_objects (llu), (parent managed object licab) +October 4 21:00:32 pfsp: The Autoclassification was restarted on 2017-10-04 21:00:32 snostrud by nama +October 19 04:03:07 pfsp: configuration was changed on leader magni to version 1.2949 by uptat +November 2 11:05:41 pfsp: The Peakflow device sectetur unreachable by uioffi since 2017-11-02 11:05:41 +November 16 18:08:15 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-11-16 18:08:15 olor +December 1 01:10:49 pfsp: Alert Device xerc reachable again by controller iutali at 2017-12-01 01:10:49 fdeFi +December 15 08:13:24 pfsp: BGP down for router ati, leader 
tlabo since 2017-12-15 08:13:24 uames +December 29 15:15:58 pfsp: script offi ran at 2017-12-29 15:15:58 , leader giatnu +January 12 22:18:32 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2018-01-12 10:18:32 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata +January 27 05:21:06 Utenimad: Change Log: Username:orpor, Subsystem:tlabo, Setting Type:ipis, Message:emvel +February 10 12:23:41 atcu: Protection Mode: Changed protection mode to active for protection grouplabor,URL:https://internal.example.net/uptatema/intocc.gif?orema=invento#qua +February 24 19:26:15 utlabor: Change Log: Username:rau, Subsystem:idex, Setting Type:mfugiat, Message:nisiuta +March 11 02:28:49 pfsp: Alert Flow down for router tessec, leader olupta since 2018-03-11 02:28:49 litse +March 25 09:31:24 pfsp: Alert Host Detection alert sperna, start 2018-03-25 09:31:24 sintocc, duration 24.633000, stop 2018-03-25 09:31:24 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) +April 8 16:33:58 Username: low pps Change Log , Subsystem:smo, Setting Type:etcons, Message:iusmodi +April 22 23:36:32 Username: high jitter Change Log , Subsystem:uae, Setting Type:officiad, Message:itam +May 7 06:39:06 pfsp: The Host Detection alert tur, start 2018-05-7 06:39:06 roi, duration 8.266000, direction ariatu, host 10.52.12.167, signatures (atno), impact tani, importance medium, managed_objects (ntocca), (parent managed object ostru) +May 21 13:41:41 pfsp: low usage alert usage alert quamni for fingerprint iatisu done +June 4 20:44:15 pfsp: low usage alert usage alert sBon for orro tae threshold ccaec observed ten +June 19 03:46:49 exe: Change Log: Username:imadmini, Subsystem:sauteiru, Setting Type:mod, Message:hilm +July 3 10:49:23 Username: high bps Change 
Log , Subsystem:remag, Setting Type:uredol, Message:ccaecat +July 17 17:51:58 pfsp: Alert Device taedicta reachable again by controller itam at 2018-07-17 17:51:58 str +August 1 00:54:32 pfsp: The anomaly molli id 3cfa4982 status aturauto severity high classification gitsedqu impact borios src 10.135.82.97/1790 sumdolor dst 10.239.19.5/967 mquelau start 2018-08-01 12:54:32 duration 164.296000 percent boNem rate ess rateUnit ipisci protocol udp flags mvenia url https://www5.example.org/fugitsed/quam.html?luptate=persp#entsunt, ihilm +August 15 07:57:06 pfsp: Autoclassification was restarted on 2018-08-15 07:57:06 fugi by quia +August 29 14:59:40 pfsp: script temUt ran at 2018-08-29 14:59:40 , leader avol +September 12 22:02:15 pfsp: The Autoclassification was restarted on 2018-09-12 22:02:15 str by iat +September 27 05:04:49 pfsp: SNMP restored for router naal, leader borios at 2018-09-27 05:04:49 tut +October 11 12:07:23 Username: low loss Change Log , Subsystem:emquia, Setting Type:inesci, Message:isnisi +October 25 19:09:57 pfsp: Alert Test syslog message +November 9 02:12:32 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo +November 23 09:15:06 pfsp: High usage alert usage alert tvol for velitess naali done +December 7 16:17:40 pfsp: Alert Autoclassification was restarted on 2018-12-07 16:17:40 temUte by sit +December 21 23:20:14 pfsp: Device elitse unreachable by controller ima since 2018-12-21 23:20:14 +January 5 06:22:49 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla) +January 19 13:25:23 pfsp: Alert BGP Instability for router oremagna ended +February 2 20:27:57 pisciv: Blocked Host: Blocked host10.193.30.192atrumetby Blocked Countries usingrdpdestination10.237.45.67,URL:https://www.example.net/par/lorin.txt?hit=urv#ama +February 17 03:30:32 pfsp: Alert configuration was changed on leader litani to version 
1.6412 by psumqu +March 3 10:33:06 iquidexe: TMS: TMS 'diconse' fault for resource 'elitse' on TMS reseo +March 17 17:35:40 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem +April 1 00:38:14 pfsp: Alert Test syslog message +April 15 07:40:49 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss +April 29 14:43:23 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt +May 13 21:45:57 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation +May 28 04:48:31 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt +June 11 11:51:06 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo +June 25 18:53:40 pfsp: High usage alert tame alert atione for service lores done +July 10 01:56:14 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo +July 24 08:58:48 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor +August 7 16:01:23 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) +August 21 23:03:57 pfsp: high pps usage alert usage alert turadip for tatevel boreetdo done +September 5 06:06:31 pfsp: low usage alert uov alert itlab for service urmag done +September 19 13:09:05 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex +October 3 20:11:40 Username: low Change Log , Subsystem:nimveni, Setting Type:idi, Message:ore +October 18 03:14:14 pfsp: Alert configuration was 
changed on leader maveni to version 1.2552 by onu +November 1 10:16:48 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done +November 15 17:19:22 pfsp: Host Detection alert col, start 2019-11-15 17:19:22 mve, duration 177.586000, stop 2019-11-15 17:19:22 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) +November 30 00:21:57 pfsp: script remipsum ran at 2019-11-30 00:21:57 , leader tempor +December 14 07:24:31 pfsp: low bps usage alert interface usage alert dex for router ccae interface "eth7168" speed elitsed threshold labore observed uela pct ntexplic diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json new file mode 100644 index 00000000000..b6ca99fb779 --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -0,0 +1,2487 @@ +[ + { + "@timestamp": "2020-01-29T08:09:59.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 0, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.6078", + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "olab", + "rsa.misc.version": "1.6078", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "rci" + ] + }, + { + "@timestamp": "2020-02-12T15:12:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 96, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "rsa.time.starttime": "2016-02-12T15:12:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "tatemac" + ] + }, + { + "@timestamp": "2020-02-26T22:15:08.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 26 20:15:08 pfsp: Device ntium unreachable by controller psaq since 2016-02-26 20:15:08", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 205, + "observer.product": "Arbor", + 
"observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "ntium", + "rsa.misc.parent_node": "psaq", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "rsa.time.starttime": "2016-02-26T22:15:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-12T05:17:42.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 12 03:17:42 pfsp: low usage alert dolore usage alert sequa for service abo, squira threshold nostrud observed mest", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 302, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-03-12T05:17:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-26T12:20:16.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 26 10:20:16 nci: BGP: ipv6-icmp Hijack local_prefix litesse router orev bgp_prefix pisciv bgp_attributes uii", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 426, + "network.protocol": "ipv6-icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "uii", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "orev", + "rsa.time.event_time": "2020-03-26T12:20:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-09T19:22:51.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 9 17:22:51 pfsp: Alert SNMP down for router olupt, leader volup since 2016-04-09 17:22:51 byCicer", + "fileset.name": "sightline", + 
"input.type": "log", + "log.offset": 541, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "olupt", + "rsa.misc.parent_node": "volup", + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-24T02:25:25.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 24 00:25:25 pfsp: Flowspec usage_alert usage alert isiutal for moenimi mod threshold riosam observed anonnu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 646, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-04-24T02:25:25.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-08T09:27:59.000Z", + "destination.ip": [ + "10.139.108.194" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 8 07:27:59 idolor: Blocked Host: Blocked host10.255.173.170ateiusby Blocked Countries usingipv6-icmpdestination10.139.108.194,URL:https://example.com/lupt/tia.txt?uame=quis#orisn", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 763, + "network.protocol": "ipv6-icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.255.173.170", + "10.139.108.194" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "service.type": "netscout", + "source.ip": [ + "10.255.173.170" + ], + "tags": [ + 
"netscout.sightline", + "forwarded" + ], + "url.original": "https://example.com/lupt/tia.txt?uame=quis#orisn" + }, + { + "@timestamp": "2020-05-22T16:30:33.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 22 14:30:33 pfsp: low usage alert interface usage alert meumfug for router tetu interface \"eth1133\" speed com threshold eataevi observed byC pct tinculp", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 946, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-05T23:33:08.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 5 21:33:08 pfsp: The SNMP down for router minim, leader eFini since 2016-06-05 21:33:08 amco", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1106, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "minim", + "rsa.misc.parent_node": "eFini", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "rsa.time.starttime": "2016-06-05T23:33:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 20 04:35:42 pfsp: The SNMP restored for router mvolu, leader radip at 2016-06-20 04:35:42 tNequ", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1205, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + 
"rsa.internal.messageid": "SNMP", + "rsa.misc.node": "mvolu", + "rsa.misc.parent_node": "radip", + "rsa.time.endtime": "2016-06-20T06:35:42.000Z", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-04T13:38:16.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 4 11:38:16 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1307, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "dquiac", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" + }, + { + "@timestamp": "2019-07-18T20:40:50.000Z", + "destination.ip": [ + "10.155.162.162" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 18 18:40:50 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1473, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.155.162.162", + "10.66.171.247" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", 
+ "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", + "service.type": "netscout", + "source.ip": [ + "10.66.171.247" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis" + }, + { + "@timestamp": "2019-08-02T03:43:25.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 2 01:43:25 pfsp: high usage alert interface usage alert uian done for router tempo interface \"eth4780\"", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1656, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-16T10:45:59.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 16 08:45:59 Username: Flowspec Change_Log , Subsystem:omnis, Setting Type:antium, Message:Cice", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1769, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-30T17:48:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 uidexea by anim", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1873, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": 
"Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "anim" + ] + }, + { + "@timestamp": "2019-09-14T00:51:07.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 13 22:51:07 Username: high Change Log , Subsystem:ari, Setting Type:equun, Message:suntinc", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1976, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-28T07:53:42.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 28 05:53:42 pfsp: High usage alert interface usage alert llamcorp done for router ari interface \"lo3856\"", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2079, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-12T14:56:16.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 12 12:56:16 ele: Protection Mode: Changed protection mode to active for protection grouptenbyCic,URL:https://mail.example.net/ugits/temsequ.gif?ipit=idexea#riat", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2197, + "observer.product": "Arbor", + "observer.type": 
"DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "tenbyCic", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.net/ugits/temsequ.gif?ipit=idexea#riat" + }, + { + "@timestamp": "2019-10-26T21:58:50.000Z", + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "high", + "log.offset": 2366, + "network.interface.name": "lo4987", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "deomni", + "rsa.misc.disposition": "inim", + "rsa.misc.node": "ntsuntin", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 2902, + "rsa.network.interface": "lo4987", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-10T05:01:24.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 10 03:01:24 pfsp: High usage alert usage alert orsitame for quiratio ite done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2563, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": 
"2019-11-10T05:01:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-24T12:03:59.000Z", + "destination.ip": [ + "10.159.182.171" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 24 10:03:59 pfsp: Alert GRE tunnel down for destination 10.159.182.171, leader umdolore since 2016-11-24 10:03:59 eniam", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2653, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.159.182.171" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "umdolore", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "rsa.time.starttime": "2016-11-24T12:03:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-08T19:06:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2782, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "turveli" + ] + }, + { + "@timestamp": "2019-12-23T02:09:07.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 23 00:09:07 onsequat: Protection Mode: Changed protection mode to active for protection 
groupsiuta,URL:https://api.example.net/rporis/end.txt?itaut=rveli#rsint", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2882, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "siuta", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://api.example.net/rporis/end.txt?itaut=rveli#rsint" + }, + { + "@timestamp": "2020-01-06T09:11:41.000Z", + "destination.ip": [ + "10.243.224.205" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 6 07:11:41 pfsp: Alert GRE tunnel down for destination 10.243.224.205, leader uradi since 2017-01-06 07:11:41 aborumSe", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3051, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.243.224.205" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "uradi", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "rsa.time.starttime": "2017-01-06T09:11:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-20T16:14:16.000Z", + "event.code": "Peakflow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 20 14:14:16 pfsp: The Peakflow device antiumto unreachable by strude since 2017-01-20 14:14:16", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3178, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Peakflow", + 
"rsa.misc.node": "antiumto", + "rsa.misc.parent_node": "strude", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-03T23:16:50.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 3 21:16:50 pfsp: Autoclassification was restarted on 2017-02-03 21:16:50 aperi by lor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3281, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "rsa.time.starttime": "2017-02-03T23:16:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "lor" + ] + }, + { + "@timestamp": "2020-02-18T06:19:24.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 18 04:19:24 pfsp: The BGP Instability for router oin ended", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3376, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "oin", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-04T13:21:59.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 4 11:21:59 Username: high Change Log , Subsystem:dolore, Setting Type:abor, Message:iqui", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + 
"dissect_parsing_error" + ], + "log.offset": 3445, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-18T20:24:33.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 18 18:24:33 etM: Protection Mode: Changed protection mode to active for protection groupnimadmin,URL:https://www5.example.org/piscing/roq.txt?dun=onproide#luptat", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3542, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "nimadmin", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/piscing/roq.txt?dun=onproide#luptat" + }, + { + "@timestamp": "2020-04-02T03:27:07.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 2 01:27:07 Username: low Change Log , Subsystem:adm, Setting Type:umdolo, Message:onproide", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3710, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-16T10:29:41.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + 
"event.original": "April 16 08:29:41 pfsp: BGP Hijack local_prefix tcup router imadmini bgp_prefix ntutla bgp_attributes equa", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3809, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "equa", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "imadmini", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-30T17:32:16.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 30 15:32:16 pfsp: configuration was changed on leader sunt to version 1.1284 by ume", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3917, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.1284", + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "sunt", + "rsa.misc.version": "1.1284", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "ume" + ] + }, + { + "@timestamp": "2020-05-15T00:34:50.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 14 22:34:50 pfsp: The Autoclassification was restarted on 2017-05-14 22:34:50 picia by mUtenima", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4007, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + 
"rsa.time.starttime": "2017-05-15T00:34:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "mUtenima" + ] + }, + { + "@timestamp": "2020-05-29T07:37:24.000Z", + "destination.ip": [ + "10.60.185.151" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 29 05:37:24 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-05-29 05:37:24 lumquido", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4107, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.60.185.151" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "uidolo", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "rsa.time.starttime": "2017-05-29T07:37:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-12T14:39:58.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 12 12:39:58 Lor: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4229, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-26T21:42:33.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 26 19:42:33 pfsp: High usage alert interface usage alert ostrume for router molest interface \"eth7336\" speed uiineavo threshold tisetq observed irati pct ici", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4277, + "observer.product": "Arbor", + "observer.type": "DDOS", 
+ "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-11T04:45:07.000Z", + "event.category": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 11 02:45:07 pfsp: The script vol ran at 2017-07-11 02:45:07 , leader riat", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4443, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "vol", + "rsa.misc.parent_node": "riat", + "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "rsa.time.starttime": "2017-07-11T04:45:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-25T11:47:41.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 25 09:47:41 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4524, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "msequi", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": 
"https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend" + }, + { + "@timestamp": "2019-08-08T18:50:15.000Z", + "destination.ip": [ + "10.28.127.218" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 8 16:50:15 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4702, + "network.protocol": "rdp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.28.127.218", + "10.233.107.138" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "service.type": "netscout", + "source.ip": [ + "10.233.107.138" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae" + }, + { + "@timestamp": "2019-08-23T01:52:50.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 22 23:52:50 pfsp: Alert SNMP down for router idex, leader xerci since 2017-08-22 23:52:50 aqu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4887, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "idex", + "rsa.misc.parent_node": "xerci", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "rsa.time.starttime": "2017-08-23T01:52:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-06T08:55:24.000Z", + "destination.ip": [ + "10.32.143.134" + ], + "event.code": "GRE", + 
"event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 6 06:55:24 pfsp: Alert GRE tunnel restored for destination 10.32.143.134, leader serror at 2017-09-06 06:55:24 aliqu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4989, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.32.143.134" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "serror", + "rsa.time.endtime": "2017-09-06T08:55:24.000Z", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-20T15:57:58.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 20 13:57:58 pfsp: Host Detection alert atDu, start 2017-09-20 13:57:58 eav, duration 141.087000, direction usmodt, host 10.225.160.182, signatures (mque), impact uovolup, importance high, managed_objects (llu), (parent managed object licab)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "high", + "log.offset": 5116, + "network.direction": "usmodt", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.225.160.182" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "mque", + "rsa.misc.severity": "high", + "rsa.time.duration_time": 141.087, + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "rsa.time.starttime": "2017-09-20T15:57:58.000Z", + "service.type": "netscout", + "source.ip": [ + "10.225.160.182" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-04T23:00:32.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 4 21:00:32 pfsp: The Autoclassification was restarted on 2017-10-04 
21:00:32 snostrud by nama", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5367, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "rsa.time.starttime": "2017-10-04T23:00:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "nama" + ] + }, + { + "@timestamp": "2019-10-19T06:03:07.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 19 04:03:07 pfsp: configuration was changed on leader magni to version 1.2949 by uptat", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5469, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2949", + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "magni", + "rsa.misc.version": "1.2949", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "uptat" + ] + }, + { + "@timestamp": "2019-11-02T13:05:41.000Z", + "event.code": "Peakflow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 2 11:05:41 pfsp: The Peakflow device sectetur unreachable by uioffi since 2017-11-02 11:05:41", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5564, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Peakflow", + "rsa.misc.node": "sectetur", + "rsa.misc.parent_node": "uioffi", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + 
"service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-16T20:08:15.000Z", + "destination.ip": [ + "10.209.182.237" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 16 18:08:15 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-11-16 18:08:15 olor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5667, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.209.182.237" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "tper", + "rsa.time.endtime": "2017-11-16T20:08:15.000Z", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-01T03:10:49.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 1 01:10:49 pfsp: Alert Device xerc reachable again by controller iutali at 2017-12-01 01:10:49 fdeFi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5786, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "xerc", + "rsa.misc.parent_node": "iutali", + "rsa.time.endtime": "2017-12-01T03:10:49.000Z", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-15T10:13:24.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 15 08:13:24 pfsp: BGP down for router ati, leader tlabo since 2017-12-15 08:13:24 uames", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5896, + "network.protocol": "BGP", + 
"observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "ati", + "rsa.misc.parent_node": "tlabo", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "rsa.time.starttime": "2017-12-15T10:13:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-29T17:15:58.000Z", + "event.category": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 29 15:15:58 pfsp: script offi ran at 2017-12-29 15:15:58 , leader giatnu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5994, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "offi", + "rsa.misc.parent_node": "giatnu", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "rsa.time.starttime": "2017-12-29T17:15:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-13T00:18:32.000Z", + "destination.ip": [ + "10.128.31.83" + ], + "destination.port": 2346, + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 12 22:18:32 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2018-01-12 10:18:32 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6078, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + 
"observer.vendor": "Netscout", + "related.ip": [ + "10.128.31.83", + "10.97.164.220" + ], + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "aera", + "rsa.misc.disposition": "uamei", + "rsa.misc.event_id": "id 6f3fd2c5", + "rsa.misc.policy_name": "ncid", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 50.929, + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.starttime": "2018-01-12T12:18:32.000Z", + "service.type": "netscout", + "source.ip": [ + "10.97.164.220" + ], + "source.port": 6205, + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata" + }, + { + "@timestamp": "2020-01-27T07:21:06.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 27 05:21:06 Utenimad: Change Log: Username:orpor, Subsystem:tlabo, Setting Type:ipis, Message:emvel", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6428, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "orpor" + ] + }, + { + "@timestamp": "2020-02-10T14:23:41.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 10 12:23:41 atcu: Protection Mode: Changed protection mode to active for protection grouplabor,URL:https://internal.example.net/uptatema/intocc.gif?orema=invento#qua", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6536, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for 
protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "labor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.net/uptatema/intocc.gif?orema=invento#qua" + }, + { + "@timestamp": "2020-02-24T21:26:15.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 24 19:26:15 utlabor: Change Log: Username:rau, Subsystem:idex, Setting Type:mfugiat, Message:nisiuta", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6711, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "rau" + ] + }, + { + "@timestamp": "2020-03-11T04:28:49.000Z", + "event.code": "Flow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 11 02:28:49 pfsp: Alert Flow down for router tessec, leader olupta since 2018-03-11 02:28:49 litse", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6821, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Flow", + "rsa.misc.node": "tessec", + "rsa.misc.parent_node": "olupta", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.time.starttime": "2018-03-11T04:28:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-25T11:31:24.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": 
"netscout", + "event.original": "March 25 09:31:24 pfsp: Alert Host Detection alert sperna, start 2018-03-25 09:31:24 sintocc, duration 24.633000, stop 2018-03-25 09:31:24 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 6926, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "success", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 24.633, + "rsa.time.endtime": "2018-03-25T11:31:24.000Z", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "rsa.time.starttime": "2018-03-25T11:31:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-08T18:33:58.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 8 16:33:58 Username: low pps Change Log , Subsystem:smo, Setting Type:etcons, Message:iusmodi", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7169, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-23T01:36:32.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 22 23:36:32 Username: high jitter Change Log , Subsystem:uae, Setting Type:officiad, Message:itam", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7273, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "service.type": "netscout", + 
"tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-07T08:39:06.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 7 06:39:06 pfsp: The Host Detection alert tur, start 2018-05-7 06:39:06 roi, duration 8.266000, direction ariatu, host 10.52.12.167, signatures (atno), impact tani, importance medium, managed_objects (ntocca), (parent managed object ostru)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 7381, + "network.direction": "ariatu", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.52.12.167" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "atno", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 8.266, + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "rsa.time.starttime": "2018-05-07T08:39:06.000Z", + "service.type": "netscout", + "source.ip": [ + "10.52.12.167" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-21T15:41:41.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 21 13:41:41 pfsp: low usage alert usage alert quamni for fingerprint iatisu done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7625, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-04T22:44:15.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 4 20:44:15 pfsp: low usage alert usage alert sBon for orro tae threshold ccaec observed ten", + "fileset.name": "sightline", + "input.type": 
"log", + "log.offset": 7713, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-19T05:46:49.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 19 03:46:49 exe: Change Log: Username:imadmini, Subsystem:sauteiru, Setting Type:mod, Message:hilm", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7813, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "imadmini" + ] + }, + { + "@timestamp": "2020-07-03T12:49:23.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 3 10:49:23 Username: high bps Change Log , Subsystem:remag, Setting Type:uredol, Message:ccaecat", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7917, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-17T19:51:58.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 17 17:51:58 pfsp: Alert Device taedicta reachable again by controller itam at 2018-07-17 17:51:58 str", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8023, + "observer.product": 
"Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "taedicta", + "rsa.misc.parent_node": "itam", + "rsa.time.endtime": "2018-07-17T19:51:58.000Z", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-01T02:54:32.000Z", + "destination.ip": [ + "10.135.82.97" + ], + "destination.port": 1790, + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 1 00:54:32 pfsp: The anomaly molli id 3cfa4982 status aturauto severity high classification gitsedqu impact borios src 10.135.82.97/1790 sumdolor dst 10.239.19.5/967 mquelau start 2018-08-01 12:54:32 duration 164.296000 percent boNem rate ess rateUnit ipisci protocol udp flags mvenia url https://www5.example.org/fugitsed/quam.html?luptate=persp#entsunt, ihilm ", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "high", + "log.offset": 8130, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.239.19.5", + "10.135.82.97" + ], + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "gitsedqu impact borios", + "rsa.misc.disposition": "aturauto", + "rsa.misc.event_id": "3cfa4982", + "rsa.misc.policy_name": "molli", + "rsa.misc.severity": "high", + "rsa.time.duration_time": 164.296, + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.time.starttime": "2018-08-01T14:54:32.000Z", + "service.type": "netscout", + "source.ip": [ + "10.239.19.5" + ], + "source.port": 967, + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/fugitsed/quam.html?luptate=persp#entsunt, ihilm" + }, + { + "@timestamp": "2019-08-15T09:57:06.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + 
"event.module": "netscout", + "event.original": "August 15 07:57:06 pfsp: Autoclassification was restarted on 2018-08-15 07:57:06 fugi by quia", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8503, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "rsa.time.starttime": "2018-08-15T09:57:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "quia" + ] + }, + { + "@timestamp": "2019-08-29T16:59:40.000Z", + "event.category": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 29 14:59:40 pfsp: script temUt ran at 2018-08-29 14:59:40 , leader avol", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8597, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "temUt", + "rsa.misc.parent_node": "avol", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", + "rsa.time.starttime": "2018-08-29T16:59:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-13T00:02:15.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 12 22:02:15 pfsp: The Autoclassification was restarted on 2018-09-12 22:02:15 str by iat", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8678, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + 
"rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "rsa.time.starttime": "2018-09-13T00:02:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "iat" + ] + }, + { + "@timestamp": "2019-09-27T07:04:49.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 27 05:04:49 pfsp: SNMP restored for router naal, leader borios at 2018-09-27 05:04:49 tut", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8777, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "naal", + "rsa.misc.parent_node": "borios", + "rsa.time.endtime": "2018-09-27T07:04:49.000Z", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-11T14:07:23.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 11 12:07:23 Username: low loss Change Log , Subsystem:emquia, Setting Type:inesci, Message:isnisi", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8878, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2019-10-11T14:07:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-25T21:09:57.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 25 19:09:57 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8988, + "observer.product": "Arbor", + "observer.type": "DDOS", + 
"observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-09T04:12:32.000Z", + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 9 02:12:32 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 9040, + "network.interface.name": "lo4293", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "tutlab", + "rsa.misc.disposition": "commodo", + "rsa.misc.node": "atevelit", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5089, + "rsa.network.interface": "lo4293", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-23T11:15:06.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 23 09:15:06 pfsp: High usage alert usage alert tvol for velitess naali done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9222, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2019-11-23T11:15:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-07T18:17:40.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 7 16:17:40 
pfsp: Alert Autoclassification was restarted on 2018-12-07 16:17:40 temUte by sit", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9310, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-12-07T18:17:40.000Z", + "rsa.time.starttime": "2018-12-07T18:17:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "sit" + ] + }, + { + "@timestamp": "2019-12-22T01:20:14.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 21 23:20:14 pfsp: Device elitse unreachable by controller ima since 2018-12-21 23:20:14", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9412, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "elitse", + "rsa.misc.parent_node": "ima", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "rsa.time.starttime": "2018-12-22T01:20:14.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-05T08:22:49.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 5 06:22:49 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9509, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "uptate", + "rsa.misc.trigger_val": "tpersp", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + 
"forwarded" + ] + }, + { + "@timestamp": "2020-01-19T15:25:23.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 19 13:25:23 pfsp: Alert BGP Instability for router oremagna ended", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9615, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "oremagna", + "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-02T22:27:57.000Z", + "destination.ip": [ + "10.237.45.67" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 2 20:27:57 pisciv: Blocked Host: Blocked host10.193.30.192atrumetby Blocked Countries usingrdpdestination10.237.45.67,URL:https://www.example.net/par/lorin.txt?hit=urv#ama", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9690, + "network.protocol": "rdp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.193.30.192", + "10.237.45.67" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "service.type": "netscout", + "source.ip": [ + "10.193.30.192" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/par/lorin.txt?hit=urv#ama" + }, + { + "@timestamp": "2020-02-17T05:30:32.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 17 03:30:32 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu", + "fileset.name": "sightline", + 
"input.type": "log", + "log.offset": 9871, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.6412", + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "litani", + "rsa.misc.version": "1.6412", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "psumqu" + ] + }, + { + "@timestamp": "2020-03-03T12:33:06.000Z", + "event.category": "Fault Occured", + "event.code": "TMS", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 3 10:33:06 iquidexe: TMS: TMS 'diconse' fault for resource 'elitse' on TMS reseo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9975, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "diconse", + "rsa.internal.messageid": "TMS", + "rsa.internal.resource": "elitse", + "rsa.misc.event_type": "Fault Occured", + "rsa.misc.node": "reseo", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-17T19:35:40.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 17 17:35:40 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10062, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + 
"onula" + ] + }, + { + "@timestamp": "2020-04-01T02:38:14.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 1 00:38:14 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10167, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-15T09:40:49.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 15 07:40:49 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10216, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "remips" + ] + }, + { + "@timestamp": "2020-04-29T16:43:23.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 29 14:43:23 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10325, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "amcor", + 
"rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" + }, + { + "@timestamp": "2020-05-13T23:45:57.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 13 21:45:57 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10494, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "equepor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" + }, + { + "@timestamp": "2020-05-28T06:48:31.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 28 04:48:31 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10672, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "isciv", + "rsa.misc.msgIdPart1": 
"Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" + }, + { + "@timestamp": "2020-06-11T13:51:06.000Z", + "destination.ip": [ + "10.98.209.10" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 11 11:51:06 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10835, + "network.protocol": "ggp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.98.209.10", + "10.31.177.226" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "service.type": "netscout", + "source.ip": [ + "10.31.177.226" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo" + }, + { + "@timestamp": "2020-06-25T20:53:40.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 25 18:53:40 pfsp: High usage alert tame alert atione for service lores done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11029, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "destination.ip": [ + "10.179.210.218" + ], + 
"event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 10 01:56:14 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11113, + "network.protocol": "igmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.44.47.27", + "10.179.210.218" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "netscout", + "source.ip": [ + "10.44.47.27" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 24 08:58:48 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11311, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2883", + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "emvele", + "rsa.misc.version": "1.2883", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "lor" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 7 16:01:23 pfsp: Alert BGP instability router iquamqua 
threshold sit (rumSect) observed ita (vitaed)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11408, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "iquamqua", + "rsa.misc.trigger_val": "ita", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 21 23:03:57 pfsp: high pps usage alert usage alert turadip for tatevel boreetdo done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11517, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 5 06:06:31 pfsp: low usage alert uov alert itlab for service urmag done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11614, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 19 13:09:05 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", + "fileset.name": "sightline", + "input.type": 
"log", + "log.offset": 11699, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "tMal" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 3 20:11:40 Username: low Change Log , Subsystem:nimveni, Setting Type:idi, Message:ore", + "fileset.name": "sightline", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 11808, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 18 03:14:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11905, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2552", + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "maveni", + "rsa.misc.version": "1.2552", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": [ + "onu" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 1 10:16:48 
pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12005, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "norumet", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 15 17:19:22 pfsp: Host Detection alert col, start 2019-11-15 17:19:22 mve, duration 177.586000, stop 2019-11-15 17:19:22 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12089, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 177.586, + "rsa.time.endtime": "2019-11-15T19:19:22.000Z", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "rsa.time.starttime": "2019-11-15T19:19:22.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.category": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 30 00:21:57 pfsp: script remipsum ran at 2019-11-30 00:21:57 , leader tempor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12325, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + 
"rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "remipsum", + "rsa.misc.parent_node": "tempor", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "rsa.time.starttime": "2019-11-30T02:21:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 14 07:24:31 pfsp: low bps usage alert interface usage alert dex for router ccae interface \"eth7168\" speed elitsed threshold labore observed uela pct ntexplic", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12413, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md new file mode 100644 index 00000000000..084a7844034 --- /dev/null +++ b/x-pack/filebeat/module/radware/README.md @@ -0,0 +1,7 @@ +# radware module + +This is a module for Radware DefensePro logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 +at 2020-07-07 18:10:49.209357 +0000 UTC. + diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml new file mode 100644 index 00000000000..dc134fbe59f --- /dev/null +++ b/x-pack/filebeat/module/radware/_meta/config.yml 
@@ -0,0 +1,19 @@ +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc new file mode 100644 index 00000000000..7335cb86eab --- /dev/null +++ b/x-pack/filebeat/module/radware/_meta/docs.asciidoc 
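Review bot: The config template in this hunk lists `var.input`, `var.syslog_host`, `var.syslog_port`, `var.paths`, `var.rsa_fields` and `var.tz_offset` as commented defaults, but omits `var.keep_raw_fields`, which the module's docs.asciidoc added in this same commit documents as a supported setting with default false. Adding `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false` next to the `var.rsa_fields` lines keeps the template and the docs in agreement. The docs also present `0.0.0.0` as a valid `var.syslog_host` value; the template's commented `localhost` default is the one to keep, and a short comment such as `# Bind to 0.0.0.0 only when remote devices must reach the listener.` would make the exposure trade-off visible where operators actually edit it.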
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: radware
+:has-dashboards: false
+
+== Radware module
+
+experimental[]
+
+This is a module for receiving Radware DefensePro logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: defensepro
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `defensepro` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9518`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/radware/_meta/fields.yml b/x-pack/filebeat/module/radware/_meta/fields.yml
new file mode 100644
index 00000000000..394601bc000
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: radware + title: Radware DefensePro + description: > + radware fields. + fields: diff --git a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml new file mode 100644 index 00000000000..24f226db8f3 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+  {{ range $i, $path := .paths }}
+- {{$path}}
+  {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+  observer:
+    vendor: "Radware"
+    product: "DefensePro"
+    type: "IDS"
+
+processors:
+- script:
+    lang: javascript
+    params:
+      ecs: true
+      rsa: {{.rsa_fields}}
+      tz_offset: {{.tz_offset}}
+      keep_raw: {{.keep_raw_fields}}
+      debug: {{.debug}}
+      files:
+        - ${path.home}/module/radware/defensepro/config/liblogparser.js
+        - ${path.home}/module/radware/defensepro/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+    target: ''
+    fields:
+      ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
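Review bot: The `debug: {{.debug}}` parameter handed to the script processor makes liblogparser.js write every raw input message to the Filebeat log (the `console.debug(" input: <<" + msg + ">>")` call in its match helper runs whenever debug is set), and this module's field set defines keys such as `password` ("Passwords seen in any session, plain text or encrypted") and `ldap_query`, so turning debug on for a production host can copy credentials from device logs into Filebeat's own log file. Nothing in the template or the surrounding hunks records this trade-off for operators. A comment on that line would do, e.g. `# debug: dumps the full raw message of every event to the Filebeat log; development use only`.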
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category}\"%{event_type}\" %{protocol->} %{p0}"); + +var dup2 = 
match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + +var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + +var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + +var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context}\"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + +var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + +var dup9 = setc("eventcategory","1001000000"); + +var dup10 = setc("ec_theme","TEV"); + +var dup11 = setf("msg","$MSG"); + +var dup12 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); + +var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category}\\\"%{event_type}\\\" %{protocol->} %{p0}"); + +var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context}\\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + +var dup16 = setc("eventcategory","1002000000"); + +var dup17 = setc("ec_subject","NetworkComm"); + +var dup18 = setc("ec_activity","Scan"); + +var dup19 = setc("eventcategory","1401000000"); + +var dup20 = setc("ec_subject","User"); + +var dup21 = setc("ec_theme","ALM"); + +var dup22 = setc("ec_activity","Modify"); + +var dup23 = setc("ec_theme","Configuration"); + +var dup24 = setc("eventcategory","1612000000"); + +var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + +var dup26 = 
match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + +var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username}via %{network_service}(IP: %{saddr})%{p0}"); + +var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + +var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + +var dup30 = setc("eventcategory","1401030000"); + +var dup31 = setc("ec_activity","Logon"); + +var dup32 = setc("ec_theme","Authentication"); + +var dup33 = setc("ec_outcome","Failure"); + +var dup34 = setc("event_description","Login Failed"); + +var dup35 = setc("ec_outcome","Error"); + +var dup36 = setc("eventcategory","1603000000"); + +var dup37 = setc("ec_theme","AccessControl"); + +var dup38 = setc("eventcategory","1401060000"); + +var dup39 = setc("ec_outcome","Success"); + +var dup40 = setc("event_description","User logged in"); + +var dup41 = linear_select([ + dup2, + dup3, +]); + +var dup42 = linear_select([ + dup4, + dup5, +]); + +var dup43 = linear_select([ + dup7, + dup8, +]); + +var dup44 = linear_select([ + dup25, + dup26, +]); + +var dup45 = linear_select([ + dup28, + dup29, +]); + +var dup46 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var dup47 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), +}); + +var dup48 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var dup49 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid}\\\"%{hfld4}\\\" %{payload}", processor_chain([ + 
setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld3"), + constant(" "), + field("messageid"), + constant("\\\""), + field("hfld4"), + constant("\\\" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}\"%{hfld3}\" %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("\""), + field("hfld3"), + constant("\" "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var msg1 = msg("Intrusions:01", dup46); + +var msg2 = msg("Intrusions:02", dup47); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("SynFlood:01", dup48); + +var msg4 = msg("Behavioral-DoS:01", dup48); + +var msg5 = msg("Behavioral-DoS:02", dup49); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var all1 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup12, 
+ dup13, + ]), +}); + +var msg6 = msg("Anti-Scanning:01", all1); + +var all2 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), +}); + +var msg7 = msg("Anti-Scanning:02", all2); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("DoS:01", dup48); + +var all3 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), +}); + +var msg9 = msg("DoS:02", all3); + +var select5 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("Cracking-Protection:01", dup46); + +var msg11 = msg("Cracking-Protection:02", dup47); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var msg12 = msg("Anomalies:01", dup48); + +var msg13 = msg("Anomalies:02", dup49); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("HttpFlood:01", dup48); + +var msg15 = msg("HttpFlood:02", dup49); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}COMMAND: \"%{action}\" by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + setc("ec_activity","Execute"), + dup21, + dup11, + dup12, +])); + +var msg16 = msg("COMMAND:", part1); + +var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}set %{change_new}, Old Values: %{change_old}, ACTION: %{action}by user %{username}via %{network_service}source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup22, + dup23, + dup11, + dup12, +])); + +var msg17 = msg("Configuration:01", part2); + +var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action}by user %{username}via %{network_service}source IP 
%{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + dup12, +])); + +var msg18 = msg("Configuration:02", part3); + +var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration File downloaded from device by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + setc("event_description","Configuration File downloaded"), + dup12, +])); + +var msg19 = msg("Configuration:03", part4); + +var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration Upload has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Upload has been completed"), + dup12, +])); + +var msg20 = msg("Configuration:04", part5); + +var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration Download has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Download has been completed"), + dup12, +])); + +var msg21 = msg("Configuration:05", part6); + +var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ + dup24, + dup22, + dup23, + dup11, + setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), + dup12, +])); + +var msg22 = msg("Configuration:06", part7); + +var select9 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, +]); + +var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); + +var all4 = all_match({ + processors: [ + part8, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + ]), +}); + +var msg23 = msg("Login:04", all4); + +var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username}(IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + setc("event_description","Login Locked"), +])); + +var msg24 = msg("Login:05", part9); + +var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Login failed %{p0}"); + +var all5 = all_match({ + processors: [ + part10, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ]), +}); + +var msg25 = msg("Login:01", all5); + +var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Login failed via %{network_service}(IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, +])); + +var msg26 = msg("Login:02", part11); + +var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Login locked user %{username}(IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + dup34, + dup12, +])); + +var msg27 = msg("Login:03", part12); + +var select10 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Connection to NTP server timed out", processor_chain([ + dup36, + dup21, 
+ dup11, + setc("event_description","Connection to NTP server timed out"), + dup12, +])); + +var msg28 = msg("Connection", part13); + +var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Device was rebooted by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup21, + dup11, + setc("event_description","Device was rebooted"), + dup12, +])); + +var msg29 = msg("Device", part14); + +var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Power supply fully operational", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Power supply fully operational"), + dup12, +])); + +var msg30 = msg("Power", part15); + +var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Cold Start", processor_chain([ + dup24, + setc("ec_activity","Start"), + dup21, + dup11, + setc("event_description","Cold Start"), + dup12, +])); + +var msg31 = msg("Cold", part16); + +var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Port %{interface->} %{p0}"); + +var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); + +var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); + +var select11 = linear_select([ + part18, + part19, +]); + +var all6 = all_match({ + processors: [ + part17, + select11, + ], + on_success: processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Port Status Change"), + dup12, + ]), +}); + +var msg32 = msg("Port", all6); + +var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}DefensePro was powered off", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","DefensePro Powered off"), + dup12, +])); + +var msg33 = msg("DefensePro", part20); + +var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} 
%{category}\"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context}\"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var all7 = all_match({ + processors: [ + part21, + dup43, + ], + on_success: processor_chain([ + dup36, + dup37, + dup11, + dup12, + ]), +}); + +var msg34 = msg("Access:01", all7); + +var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ + dup36, + dup37, + dup11, + setc("event_description","Access attempted by unauthorized NMS"), + dup12, +])); + +var msg35 = msg("Access", part22); + +var select12 = linear_select([ + msg34, + msg35, +]); + +var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Please reboot the device for the latest changes to take effect", processor_chain([ + dup19, + dup21, + dup11, + setc("event_description","Reboot required for latest changes"), + dup12, +])); + +var msg36 = msg("Please", part23); + +var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username}logged in via %{network_service}(IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, +])); + +var msg37 = msg("User:01", part24); + +var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}User %{username}logged in via %{network_service}(IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + dup12, +])); + +var msg38 = msg("User", part25); + +var select13 = linear_select([ + msg37, + msg38, +]); + +var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Certificate named %{fld3}expired on %{fld4->} %{fld5}", processor_chain([ + dup19, + dup11, + setc("event_description","Certificate expired"), + dup12, + 
date_time({ + dest: "endtime", + args: ["fld5"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], + ], + }), +])); + +var msg39 = msg("Certificate", part26); + +var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Vision %{event_description}by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup11, + dup12, +])); + +var msg40 = msg("Vision", part27); + +var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Updating policy database"), +])); + +var msg41 = msg("Updating", part28); + +var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ + dup24, + dup23, + dup39, + dup11, + setc("event_description","Policy database updated successfully"), +])); + +var msg42 = msg("Policy", part29); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Access": select12, + "Anomalies": select7, + "Anti-Scanning": select4, + "Behavioral-DoS": select3, + "COMMAND:": msg16, + "Certificate": msg39, + "Cold": msg31, + "Configuration": select9, + "Connection": msg28, + "Cracking-Protection": select6, + "DefensePro": msg33, + "Device": msg29, + "DoS": select5, + "HttpFlood": select8, + "Intrusions": select2, + "Login": select10, + "Please": msg36, + "Policy": msg42, + "Port": msg32, + "Power": msg30, + "SynFlood": msg3, + "Updating": msg41, + "User": select13, + "Vision": msg40, + }), +]); + +var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category}\"%{event_type}\" %{protocol->} %{p0}"); + +var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + +var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", 
"%{daddr}:%{dport->} %{p0}"); + +var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + +var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context}\"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + +var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + +var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category}\\\"%{event_type}\\\" %{protocol->} %{p0}"); + +var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context}\\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + +var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + +var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + +var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username}via %{network_service}(IP: %{saddr})%{p0}"); + +var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + +var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + +var select14 = linear_select([ + dup2, + dup3, +]); + +var select15 = linear_select([ + dup4, + dup5, +]); + +var select16 = linear_select([ + dup7, + dup8, +]); + +var select17 = linear_select([ + dup25, + dup26, +]); + +var select18 = linear_select([ + dup28, + dup29, +]); + +var all8 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var all9 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), +}); + +var all10 = all_match({ + 
processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var all11 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), +}); diff --git a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml new file mode 100644 index 00000000000..9b916ed8805 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Radware DefensePro + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
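Review bot: The `geoip` processors on `source.ip` and `destination.ip` only tolerate an absent field (`ignore_missing: true`); a value that is present but not a valid IP literal makes the processor throw, which aborts the whole pipeline and leaves the event with just `error.message` appended and none of the remaining enrichment applied. Whether the parser that feeds this pipeline guarantees those fields already hold validated IPs is not visible in this hunk, so this is worth confirming before shipping. If it does not, add `ignore_failure: true` to each of the four `geoip` processors, or guard them with an `if` condition that checks the field is an IP string, so that one malformed address in a log line does not degrade the rest of the document. A short comment above the first `geoip` entry stating that assumption, e.g. `# source.ip / destination.ip are expected to be validated IPs by the time they reach this pipeline`, would make the contract explicit for maintainers.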
diff --git a/x-pack/filebeat/module/radware/defensepro/manifest.yml b/x-pack/filebeat/module/radware/defensepro/manifest.yml new file mode 100644 index 00000000000..e2037dea3c3 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["radware.defensepro", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9518 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/radware/fields.go b/x-pack/filebeat/module/radware/fields.go new file mode 100644 index 00000000000..529f2700cde --- /dev/null +++ b/x-pack/filebeat/module/radware/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package radware + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "radware", asset.ModuleFieldsPri, AssetRadware); err != nil { + panic(err) + } +} + +// AssetRadware returns asset data. +// This is the base64 encoded gzipped contents of module/radware. +func AssetRadware() string { + return "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" +} diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md new file mode 100644 index 00000000000..7c81a41e8b9 --- /dev/null 
+++ b/x-pack/filebeat/module/rapid7/README.md @@ -0,0 +1,7 @@ +# rapid7 module + +This is a module for Rapid7 NeXpose logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 +at 2020-07-07 18:10:48.598687 +0000 UTC. + diff --git a/x-pack/filebeat/module/rapid7/_meta/config.yml b/x-pack/filebeat/module/rapid7/_meta/config.yml new file mode 100644 index 00000000000..1e9d383ffe5 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/_meta/config.yml @@ -0,0 +1,19 @@ +- module: rapid7 + nexpose: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9517 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc b/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc new file mode 100644 index 00000000000..c17f8e05826 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc 
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: rapid7
+:has-dashboards: false
+
+== Rapid7 module
+
+experimental[]
+
+This is a module for receiving Rapid7 NeXpose logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: nexpose
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `nexpose` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "nexpose" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9517`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/rapid7/_meta/fields.yml b/x-pack/filebeat/module/rapid7/_meta/fields.yml
new file mode 100644
index 00000000000..7e68584af5e
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: rapid7 + title: Rapid7 NeXpose + description: > + rapid7 fields. + fields: diff --git a/x-pack/filebeat/module/rapid7/fields.go b/x-pack/filebeat/module/rapid7/fields.go new file mode 100644 index 00000000000..827f8f64897 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package rapid7 + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "rapid7", asset.ModuleFieldsPri, AssetRapid7); err != nil { + panic(err) + } +} + +// AssetRapid7 returns asset data. +// This is the base64 encoded gzipped contents of module/rapid7. +func AssetRapid7() string { + return "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" +} diff --git a/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml b/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/input.yml b/x-pack/filebeat/module/rapid7/nexpose/config/input.yml new file mode 100644 index 00000000000..40fb8a664b9 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Rapid7"
+ product: "Nexpose"
+ type: "Vulnerability"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/rapid7/nexpose/config/liblogparser.js
+ - ${path.home}/module/rapid7/nexpose/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
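Review bot: `tz_offset: {{.tz_offset}}` under `params:` is rendered unquoted, so an offset in the form the script accepts (the `parse_tz_offset` regex in liblogparser.js allows `+0200` with no colon) lands in the YAML as a bare `+0200`, which a YAML parser will most likely read as the integer 200 rather than the string the script expects to call `.match()` on. Quoting the template value, `tz_offset: "{{.tz_offset}}"`, keeps `local`, `event`, `+HH:MM` and `+HHMM` all arriving as strings. The other params (`rsa`, `keep_raw`, `debug`) are booleans and are fine unquoted; whether the fileset's default for `tz_offset` currently hides this depends on the manifest, which is not in this hunk.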
@@ -0,0 +1,2327 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+/* jshint -W014,-W016,-W097,-W116 */
+
+var processor = require("processor");
+var console = require("console");
+
+var FLAG_FIELD = "log.flags";
+var FIELDS_OBJECT = "nwparser";
+var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+};
+
+var saved_flags = null;
+var debug;
+var map_ecs;
+var map_rsa;
+var keep_raw;
+var device;
+var tz_offset;
+var strip_priority;
+
+// Register params from configuration.
+function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+}
+
+function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+}
+
+function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+}
+
+function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+}
+
+function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+}
+
+function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+}
+
+function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+}
+
+var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup. 
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+})();
+
+function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+}
+
+function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+}
+
+function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+}
+
+function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+}
+
+function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+}
+
+var start;
+
+function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+}
+
+function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+}
+
+function constant(value) {
+ return function (evt) {
+ return value;
+ };
+}
+
+function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+}
+
+function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+}
+
+// TODO: Implement
+function DIRCHK(args) {
+ unimplemented("DIRCHK");
+}
+
+function strictToInt(str) {
+ return str * 1;
+}
+
+function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch 
(args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ }; 
+}
+
+function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+}
+
+function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+}
+
+function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+}
+
+function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+}
+
+// Make two-digit dates 00-69 interpreted as 2000-2069
+// and dates 70-99 translated to 1970-1999.
+var twoDigitYearEpoch = 70;
+var twoDigitYearCentury = 2000;
+
+// This is to accept dates up to 2 days in the future, only used when
+// no year is specified in a date. 2 days should be enough to account for
+// time differences between systems and different tz offsets.
+var maxFutureDelta = 2*24*60*60*1000;
+
+// DateContainer stores date fields and then converts those fields into
+// a Date. Necessary because building a Date using its set() methods gives
+// different results depending on the order of components.
+function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+}
+
+DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+}
+
+function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? 
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{p0}"); + +var dup42 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var dup43 = 
setc("ec_outcome","Unknown"); + +var dup44 = setc("eventcategory","1701000000"); + +var dup45 = setc("ec_subject","User"); + +var dup46 = setc("ec_activity","Logon"); + +var dup47 = setc("ec_theme","Authentication"); + +var dup48 = setc("eventcategory","1401030000"); + +var dup49 = setc("ec_subject","NetworkComm"); + +var dup50 = setc("ec_subject","Group"); + +var dup51 = setc("ec_activity","Detect"); + +var dup52 = setc("ec_theme","Configuration"); + +var dup53 = setc("eventcategory","1801010000"); + +var dup54 = setf("obj_type","messageid"); + +var dup55 = setc("event_description","Cannot preload incremental pool with a connection"); + +var dup56 = setc("eventcategory","1605030000"); + +var dup57 = setc("ec_activity","Modify"); + +var dup58 = setc("action","Replaced conf values"); + +var dup59 = setc("service","fld1"); + +var dup60 = linear_select([ + dup7, + dup8, +]); + +var dup61 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var dup62 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var dup63 = linear_select([ + dup41, + dup42, +]); + +var dup64 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var dup65 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, +])); + +var dup66 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var dup67 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, +])); + +var dup68 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, +])); + +var dup69 = 
match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, +])); + +var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ + setc("header_id","0031"), +])); + +var part1 = match("HEADER#1:0022/1_0", "nwparser.p0", "%{hpriority}] %{hfld39}[%{p0}"); + +var select1 = linear_select([ + part1, + dup2, + dup3, +]); + +var part2 = match("HEADER#1:0022/2", "nwparser.p0", "Thread: %{hfld17}] %{messageid->} %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part2, + ], + on_success: processor_chain([ + setc("header_id","0022"), + ]), +}); + +var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0028"), + dup4, +])); + +var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + dup5, +])); + +var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid}completed %{payload}", processor_chain([ + setc("header_id","0024"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("completed "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0018"), + dup5, +])); + +var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: 
%{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0029"), + dup5, +])); + +var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0019"), + dup5, +])); + +var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0020"), + dup5, +])); + +var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0021"), + dup5, +])); + +var hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0023"), + dup5, +])); + +var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{messageid->} %{hfld2->} %{payload}", processor_chain([ + setc("header_id","0036"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld2"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime}[%{hobj_name}] %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1}'%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0037"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld1"), + 
constant("'"), + field("hfld2"), + constant("' - "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup5, +])); + +var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0030"), + dup4, +])); + +var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", processor_chain([ + setc("header_id","0040"), +])); + +var part3 = match("HEADER#18:0034/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] %{messageid->} %{hfld21->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup6, + dup60, + part3, + ], + on_success: processor_chain([ + setc("header_id","0034"), + ]), +}); + +var part4 = match("HEADER#19:0035/1_0", "nwparser.p0", "%{hpriority}] [%{p0}"); + +var select2 = linear_select([ + part4, + dup2, + dup3, +]); + +var part5 = match("HEADER#19:0035/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] %{messageid->} %{hfld21->} %{payload}"); + +var all3 = all_match({ + processors: [ + dup1, + select2, + part5, + ], + on_success: processor_chain([ + setc("header_id","0035"), + ]), +}); + +var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup5, +])); + +var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid}Config 
ID: %{hfld19}] %{payload}"); + +var all4 = all_match({ + processors: [ + dup6, + dup60, + part6, + ], + on_success: processor_chain([ + setc("header_id","0032"), + ]), +}); + +var hdr19 = match("HEADER#22:0038", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0038"), + dup9, +])); + +var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0039"), + dup9, +])); + +var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup5, +])); + +var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] [%{messageid}] %{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var part7 = match("HEADER#26:0033/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] [%{p0}"); + +var part8 = match("HEADER#26:0033/3_0", "nwparser.p0", "%{hfld20}] [%{hfld21}] [%{hfld22}] [%{hfld23}]%{p0}"); + +var part9 = match("HEADER#26:0033/3_1", "nwparser.p0", "%{hfld20}] [%{hfld21}]%{p0}"); + +var part10 = match("HEADER#26:0033/3_2", "nwparser.p0", "%{hfld20}]%{p0}"); + +var select3 = linear_select([ + part8, + part9, + part10, +]); + +var part11 = match("HEADER#26:0033/4", "nwparser.p0", "%{} %{messageid->} %{hfld24->} %{payload}"); + +var all5 = all_match({ + processors: [ + dup6, + dup60, + part7, + select3, + part11, + ], + on_success: processor_chain([ + setc("header_id","0033"), + ]), +}); + +var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup5, +])); + +var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] (%{messageid}) 
%{payload}", processor_chain([ + setc("header_id","0008"), +])); + +var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("fld41"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, +])); + +var hdr27 = match("HEADER#31:0011", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid}(%{hobj_name}): %{payload}", processor_chain([ + setc("header_id","0011"), +])); + +var hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{hfld41->} %{hfld42->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0012"), + dup5, +])); + +var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant("("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ + setc("header_id","0014"), + 
dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant("("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{messageid->} %{payload}", processor_chain([ + setc("header_id","0015"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant("("), + field("hfld46"), + constant(") - "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ + setc("header_id","0016"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant("("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("(U) "), + field("payload"), + ], + }), +])); + +var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid}Constructor threw %{payload}", processor_chain([ + setc("header_id","0026"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("Constructor threw "), + field("payload"), + ], + }), +])); + +var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid}Called method %{payload}", processor_chain([ + setc("header_id","0027"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("Called method "), + field("payload"), + ], + }), +])); + +var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid}frames %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: 
"nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("frames "), + field("payload"), + ], + }), +])); + +var hdr36 = match("HEADER#40:9999", "message", "%NEXPOSE-%{hfld49}: %{payload}", processor_chain([ + setc("header_id","9999"), + setc("messageid","NEXPOSE_GENERIC"), +])); + +var select4 = linear_select([ + hdr1, + all1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + all2, + all3, + hdr18, + all4, + hdr19, + hdr20, + hdr21, + hdr22, + all5, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + hdr35, + hdr36, +]); + +var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame}- NOT VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg1 = msg("NOT_VULNERABLE_VERSION", part12); + +var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame}- VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg2 = msg("VULNERABLE_VERSION", part13); + +var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame}- NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg3 = msg("NOT_VULNERABLE", part14); + +var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame}- NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg4 = msg("NOT_VULNERABLE:01", part15); + +var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame}- NOT VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg5 = msg("NOT_VULNERABLE:02", part16); + +var select5 = linear_select([ + msg3, + 
msg4, + msg5, +]); + +var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame}- VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg6 = msg("VULNERABLE", part17); + +var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame}- VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg7 = msg("VULNERABLE:01", part18); + +var select6 = linear_select([ + msg6, + msg7, +]); + +var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame}- ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, +])); + +var msg8 = msg("ERROR", part19); + +var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame}- ERROR - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, +])); + +var msg9 = msg("ERROR:01", part20); + +var select7 = linear_select([ + msg8, + msg9, +]); + +var part21 = match("MESSAGE#9:ExtMgr", "nwparser.payload", "Initialization successful.%{}", processor_chain([ + dup20, + dup21, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Initialization successful"), +])); + +var msg10 = msg("ExtMgr", part21); + +var part22 = match("MESSAGE#10:ExtMgr:01", "nwparser.payload", "initializing...%{}", processor_chain([ + dup20, + dup21, + dup13, + dup14, + dup15, + setc("event_description","initializing"), +])); + +var msg11 = msg("ExtMgr:01", part22); + +var part23 = match("MESSAGE#11:ExtMgr:02", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup24, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Shutdown successful."), +])); + +var msg12 = msg("ExtMgr:02", part23); + +var part24 = match("MESSAGE#12:ExtMgr:03", "nwparser.payload", "Shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + 
dup15, + dup25, +])); + +var msg13 = msg("ExtMgr:03", part24); + +var select8 = linear_select([ + msg10, + msg11, + msg12, + msg13, +]); + +var part25 = match("MESSAGE#13:ScanMgr", "nwparser.payload", "Shutting down %{info}", processor_chain([ + dup20, + dup24, + dup13, + dup14, + dup15, + dup25, +])); + +var msg14 = msg("ScanMgr", part25); + +var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup26, +])); + +var msg15 = msg("ScanMgr:01", part26); + +var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30}is being stopped.", processor_chain([ + dup20, + dup12, + dup13, + dup27, + dup14, + dup15, +])); + +var msg16 = msg("ScanMgr:02", part27); + +var select9 = linear_select([ + msg14, + msg15, + msg16, +]); + +var part28 = match("MESSAGE#16:NSE", "nwparser.payload", "Logging initialized %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Logging initialized"), +])); + +var msg17 = msg("NSE", part28); + +var part29 = match("MESSAGE#17:NSE:01/1_0", "nwparser.p0", "Initializing %{p0}"); + +var part30 = match("MESSAGE#17:NSE:01/1_1", "nwparser.p0", "initializing %{p0}"); + +var select10 = linear_select([ + part29, + part30, +]); + +var part31 = match("MESSAGE#17:NSE:01/2", "nwparser.p0", "%{} %{fld30}"); + +var all6 = all_match({ + processors: [ + dup28, + select10, + part31, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initializing"), + ]), +}); + +var msg18 = msg("NSE:01", all6); + +var part32 = match("MESSAGE#18:NSE:02", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup26, +])); + +var msg19 = msg("NSE:02", part32); + +var part33 = match("MESSAGE#19:NSE:03", "nwparser.payload", "NeXpose scan engine initialization completed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","NeXpose scan engine initialization 
completed."), +])); + +var msg20 = msg("NSE:03", part33); + +var part34 = match("MESSAGE#20:NSE:04", "nwparser.payload", "disabling promiscuous on all devices...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","disabling promiscuous on all devices"), +])); + +var msg21 = msg("NSE:04", part34); + +var part35 = match("MESSAGE#213:NSE:05", "nwparser.payload", "NSE connection failure%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg22 = msg("NSE:05", part35); + +var part36 = match("MESSAGE#328:NSE:07", "nwparser.payload", "NSE DN is %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg23 = msg("NSE:07", part36); + +var select11 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, +]); + +var part37 = match("MESSAGE#21:Console", "nwparser.payload", "NSE Name: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg24 = msg("Console", part37); + +var part38 = match("MESSAGE#22:Console:01", "nwparser.payload", "NSE Identifier: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg25 = msg("Console:01", part38); + +var part39 = match("MESSAGE#23:Console:02", "nwparser.payload", "NSE version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg26 = msg("Console:02", part39); + +var part40 = match("MESSAGE#24:Console:03", "nwparser.payload", "Last update: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg27 = msg("Console:03", part40); + +var part41 = match("MESSAGE#25:Console:04", "nwparser.payload", "VM version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg28 = msg("Console:04", part41); + +var part42 = match("MESSAGE#26:Console:05", "nwparser.payload", "log rotation completed%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","log rotation completed"), +])); + +var msg29 = msg("Console:05", 
part42); + +var part43 = match("MESSAGE#27:Console:06", "nwparser.payload", "rotating logs...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","rotating logs"), +])); + +var msg30 = msg("Console:06", part43); + +var select12 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, +]); + +var part44 = match("MESSAGE#28:ProtocolFper", "nwparser.payload", "Loaded %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Loaded"), +])); + +var msg31 = msg("ProtocolFper", part44); + +var part45 = match("MESSAGE#29:Nexpose", "nwparser.payload", "Closing service: %{fld30}", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup17, + setc("action","Closing service"), +])); + +var msg32 = msg("Nexpose", part45); + +var part46 = match("MESSAGE#30:Nexpose:01", "nwparser.payload", "Freeing %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + setc("action","Freeing"), +])); + +var msg33 = msg("Nexpose:01", part46); + +var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld30}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup17, + setc("action","starting"), +])); + +var msg34 = msg("Nexpose:02", part47); + +var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31}nodes completed, %{fld32}active, %{fld33}pending.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg35 = msg("Nexpose:03", part48); + +var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose system backup completed successfully in %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Backup completed"), +])); + +var msg36 = msg("Backup_completed", part49); + +var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old}to %{change_new}. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + dup37, +])); + +var msg37 = msg("Nexpose:04", part50); + +var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old}to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + dup36, +])); + +var msg38 = msg("Nexpose:05", part51); + +var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old}to %{change_new}DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup38, + dup37, +])); + +var msg39 = msg("Nexpose:06", part52); + +var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old}to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + dup38, +])); + +var msg40 = msg("Nexpose:07", part53); + +var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name}database. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + dup37, +])); + +var msg41 = msg("Nexpose:08", part54); + +var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name}database to %{directory}using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ + dup20, + dup14, + dup15, + dup39, +])); + +var msg42 = msg("Nexpose:09", part55); + +var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old}to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nexpose is moving a directory"), +])); + +var msg43 = msg("Nexpose:10", part56); + +var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description}DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup37, +])); + +var msg44 = msg("Nexpose:11", part57); + +var msg45 = msg("Nexpose:12", dup61); + +var select13 = linear_select([ + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part58 = match("MESSAGE#33:Shutting", "nwparser.payload", "Shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, +])); + +var msg46 = msg("Shutting", part58); + +var part59 = match("MESSAGE#34:shutting:01", "nwparser.payload", "Interrupted, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg47 = msg("shutting:01", part59); + +var part60 = match("MESSAGE#35:shutting", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, +])); + +var msg48 = msg("shutting", part60); + +var part61 = match("MESSAGE#36:Shutdown", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + 
dup32, + dup33, + dup34, + dup25, +])); + +var msg49 = msg("Shutdown", part61); + +var part62 = match("MESSAGE#37:Security", "nwparser.payload", "Security Console shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup29, + dup25, +])); + +var msg50 = msg("Security", part62); + +var part63 = match("MESSAGE#261:Security:02", "nwparser.payload", "Security Console restarting from an auto-update%{}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg51 = msg("Security:02", part63); + +var part64 = match("MESSAGE#296:Security:06", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Security Console started", processor_chain([ + dup20, + dup15, +])); + +var msg52 = msg("Security:06", part64); + +var part65 = match("MESSAGE#297:Security:03/0", "nwparser.payload", "%{}Security Console %{p0}"); + +var part66 = match("MESSAGE#297:Security:03/1_0", "nwparser.p0", "started %{}"); + +var part67 = match("MESSAGE#297:Security:03/1_1", "nwparser.p0", "web interface ready. %{info->} "); + +var select14 = linear_select([ + part66, + part67, +]); + +var all7 = all_match({ + processors: [ + part65, + select14, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), +}); + +var msg53 = msg("Security:03", all7); + +var part68 = match("MESSAGE#426:Security:04", "nwparser.payload", "Security Console is launching in Maintenance Mode. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console is launching in Maintenance Mode"), +])); + +var msg54 = msg("Security:04", part68); + +var part69 = match("MESSAGE#427:Security:05", "nwparser.payload", "Security Console update failed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console update failed"), +])); + +var msg55 = msg("Security:05", part69); + +var select15 = linear_select([ + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, +]); + +var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("action","Stopped"), +])); + +var msg56 = msg("Web", part70); + +var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg57 = msg("Web:02", part71); + +var select16 = linear_select([ + msg56, + msg57, +]); + +var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, +])); + +var msg58 = msg("Done", part72); + +var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}]. 
", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg59 = msg("Done:02", part73); + +var select17 = linear_select([ + msg58, + msg59, +]); + +var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol}port scan", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg60 = msg("Queueing:01", part74); + +var part75 = match("MESSAGE#41:Queueing", "nwparser.payload", "Queueing %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + setc("action","Queueing"), +])); + +var msg61 = msg("Queueing", part75); + +var select18 = linear_select([ + msg60, + msg61, +]); + +var part76 = match("MESSAGE#42:Performing/0", "nwparser.payload", "Performing %{p0}"); + +var part77 = match("MESSAGE#42:Performing/1_0", "nwparser.p0", "form %{p0}"); + +var part78 = match("MESSAGE#42:Performing/1_1", "nwparser.p0", "query %{p0}"); + +var select19 = linear_select([ + part77, + part78, +]); + +var part79 = match("MESSAGE#42:Performing/2", "nwparser.p0", "%{}injection against %{info}"); + +var all8 = all_match({ + processors: [ + part76, + select19, + part79, + ], + on_success: processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Performing injection"), + ]), +}); + +var msg62 = msg("Performing", all8); + +var part80 = match("MESSAGE#43:Performing:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg63 = msg("Performing:01", part80); + +var select20 = linear_select([ + msg62, + msg63, +]); + +var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30}injection %{fld31}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Trying injection"), +])); + +var msg64 = msg("Trying", part81); + +var part82 = match("MESSAGE#45:Rewrote", "nwparser.payload", "Rewrote to %{url}", 
processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg65 = msg("Rewrote", part82); + +var msg66 = msg("SPIDER", dup62); + +var msg67 = msg("Preparing", dup62); + +var part83 = match("MESSAGE#48:Scan", "nwparser.payload", "Scan started by: \"%{username}\" %{fld34}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + setc("action","scan started"), +])); + +var msg68 = msg("Scan", part83); + +var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan [%{fld35}] completed in %{fld36}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("action","scan completed"), +])); + +var msg69 = msg("Scan:01", part84); + +var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11}started by Schedule[%{info}].", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg70 = msg("Scan:03", part85); + +var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24}seconds", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg71 = msg("Scan:04", part86); + +var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12}(%{info}) - VULNERABLE VERSION"); + +var all9 = all_match({ + processors: [ + dup40, + dup63, + part87, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg72 = msg("Scan:06", all9); + +var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12}(%{info}) - VULNERABLE"); + +var all10 = all_match({ + processors: [ + dup40, + dup63, + part88, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg73 = msg("Scan:05", all10); + +var part89 = match("MESSAGE#54:Scan:07/2", 
"nwparser.p0", "] %{fld12}(%{info}) - NOT VULNERABLE VERSION"); + +var all11 = all_match({ + processors: [ + dup40, + dup63, + part89, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg74 = msg("Scan:07", all11); + +var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12}(%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); + +var all12 = all_match({ + processors: [ + dup40, + dup63, + part90, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg75 = msg("Scan:09", all12); + +var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12}(%{info}) - NOT VULNERABLE"); + +var all13 = all_match({ + processors: [ + dup40, + dup63, + part91, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg76 = msg("Scan:08", all13); + +var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12}started by \"%{username}\".", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg77 = msg("Scan:10", part92); + +var part93 = match("MESSAGE#58:Scan:11", "nwparser.payload", "Scan stopped: \"%{username}\"", processor_chain([ + dup18, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg78 = msg("Scan:11", part93); + +var part94 = match("MESSAGE#59:Scan:12", "nwparser.payload", "Scan Engine shutting down...%{}", processor_chain([ + dup23, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg79 = msg("Scan:12", part94); + +var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: 
%{fld4}] Scan synopsis inconsistency resolved.", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan synopsis inconsistency resolved"), +])); + +var msg80 = msg("Scan:13", part95); + +var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object}- %{p0}"); + +var part97 = match("MESSAGE#62:Scan:15/1_0", "nwparser.p0", "Non-Windows Systems Audit%{p0}"); + +var part98 = match("MESSAGE#62:Scan:15/1_1", "nwparser.p0", "Audit%{p0}"); + +var select21 = linear_select([ + part97, + part98, +]); + +var part99 = match("MESSAGE#62:Scan:15/2", "nwparser.p0", "%{}restored. %{info}"); + +var all14 = all_match({ + processors: [ + part96, + select21, + part99, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan for site restored"), + ]), +}); + +var msg81 = msg("Scan:15", all14); + +var part100 = match("MESSAGE#63:Scan:02", "nwparser.payload", "%{event_description}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg82 = msg("Scan:02", part100); + +var select22 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, +]); + +var part101 = match("MESSAGE#61:Scan:14", "nwparser.payload", "Scan ID: %{fld1}] Inconsistency discovered for scan. 
%{info}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + setc("event_description","Inconsistency discovered for scan"), +])); + +var msg83 = msg("Scan:14", part101); + +var part102 = match("MESSAGE#64:Site", "nwparser.payload", "Site saved.%{}", processor_chain([ + dup44, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg84 = msg("Site", part102); + +var part103 = match("MESSAGE#65:Authenticated", "nwparser.payload", "Authenticated: %{username}", processor_chain([ + setc("eventcategory","1401060000"), + dup45, + dup46, + dup47, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg85 = msg("Authenticated", part103); + +var part104 = match("MESSAGE#66:Authentication", "nwparser.payload", "Authentication failed. Login information is missing.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg86 = msg("Authentication", part104); + +var part105 = match("MESSAGE#67:Authentication:01", "nwparser.payload", "Authentication failed for %{username}: Access denied.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg87 = msg("Authentication:01", part105); + +var part106 = match("MESSAGE#68:Authentication:02", "nwparser.payload", "Authentication failed. 
User account may be invalid or disabled.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg88 = msg("Authentication:02", part106); + +var part107 = match("MESSAGE#69:Authentication:03", "nwparser.payload", "%{info}", processor_chain([ + setc("eventcategory","1304000000"), + dup45, + dup46, + dup47, + dup14, + dup15, + dup16, + dup29, +])); + +var msg89 = msg("Authentication:03", part107); + +var select23 = linear_select([ + msg86, + msg87, + msg88, + msg89, +]); + +var part108 = match("MESSAGE#70:User", "nwparser.payload", "User (%{username}) is over the limit (%{fld12}) for failed login attempts.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg90 = msg("User", part108); + +var part109 = match("MESSAGE#265:User:04", "nwparser.payload", "User name: %{username}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg91 = msg("User:04", part109); + +var select24 = linear_select([ + msg90, + msg91, +]); + +var msg92 = msg("persistent-xss", dup61); + +var part110 = match("MESSAGE#72:Adding:01", "nwparser.payload", "Adding user to datastore: %{username}", processor_chain([ + setc("eventcategory","1402020200"), + dup45, + setc("ec_activity","Create"), + dup47, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","User"), +])); + +var msg93 = msg("Adding:01", part110); + +var msg94 = msg("Adding", dup62); + +var select25 = linear_select([ + msg93, + msg94, +]); + +var msg95 = msg("credentials", dup62); + +var msg96 = msg("SPIDER-XSS", dup62); + +var msg97 = msg("Processing", dup62); + +var msg98 = msg("but", dup62); + +var msg99 = msg("j_password", dup62); + +var msg100 = msg("j_username", dup62); + +var msg101 = msg("osspi_defaultTargetLocation", dup62); + +var part111 = 
match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40}Malformed HTTP %{fld41}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg102 = msg("spider-parse-robot-exclusions", part111); + +var msg103 = msg("Cataloged", dup62); + +var msg104 = msg("Dumping", dup62); + +var msg105 = msg("Form", dup62); + +var msg106 = msg("Relaunching", dup62); + +var msg107 = msg("main", dup62); + +var msg108 = msg("SystemFingerprint", dup62); + +var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service}domain %{fld11}...", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg109 = msg("Searching", part112); + +var msg110 = msg("TCPSocket", dup62); + +var part113 = match("MESSAGE#90:connected", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup16, + dup17, +])); + +var msg111 = msg("connected", part113); + +var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup27, + dup14, + dup15, +])); + +var msg112 = msg("Failed", part114); + +var part115 = match("MESSAGE#92:Attempting:01", "nwparser.payload", "Attempting to authenticate user %{username}from %{saddr}.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg113 = msg("Attempting:01", part115); + +var msg114 = msg("Attempting", dup64); + +var select26 = linear_select([ + msg113, + msg114, +]); + +var part116 = match("MESSAGE#94:Recursively:01", "nwparser.payload", "Recursively listing files on %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg115 = msg("Recursively:01", part116); + +var msg116 = msg("Recursively", dup62); + +var select27 = linear_select([ + msg115, 
+ msg116, +]); + +var msg117 = msg("building", dup62); + +var msg118 = msg("Sending", dup62); + +var msg119 = msg("sending", dup64); + +var part117 = match("MESSAGE#99:creating", "nwparser.payload", "creating new connection to %{obj_name}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup17, +])); + +var msg120 = msg("creating", part117); + +var part118 = match("MESSAGE#100:Trusted", "nwparser.payload", "Trusted MAC address checking is disabled%{}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg121 = msg("Trusted", part118); + +var part119 = match("MESSAGE#101:signon_type", "nwparser.payload", "signon_type: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg122 = msg("signon_type", part119); + +var msg123 = msg("list-user-directory", dup62); + +var msg124 = msg("dcerpc-get-ms-blaster-codes", dup62); + +var msg125 = msg("Could", dup62); + +var part120 = match("MESSAGE#105:Asserting", "nwparser.payload", "Asserting software fingerprint name=%{obj_name}, version=%{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","Software Fingerprint"), +])); + +var msg126 = msg("Asserting", part120); + +var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting run entry: %{service}: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg127 = msg("Asserting:01", part121); + +var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface}with IP: %{saddr}and netmask: %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg128 = msg("Asserting:02", part122); + +var part123 = match("MESSAGE#108:Asserting:03", "nwparser.payload", "Asserting highest MDAC version of %{version}", processor_chain([ + dup20, + 
dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg129 = msg("Asserting:03", part123); + +var msg130 = msg("Asserting:04", dup62); + +var select28 = linear_select([ + msg126, + msg127, + msg128, + msg129, + msg130, +]); + +var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %(unknown)(%{application})", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg131 = msg("Determining:01", part124); + +var msg132 = msg("Determining", dup62); + +var select29 = linear_select([ + msg131, + msg132, +]); + +var part125 = match("MESSAGE#112:Webmin", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup27, + dup14, + dup15, + dup16, + dup17, +])); + +var msg133 = msg("Webmin", part125); + +var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unresolved %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg134 = msg("Running:02", part126); + +var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running %{protocol}service %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg135 = msg("Running:01", part127); + +var part128 = match("MESSAGE#115:Running", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, +])); + +var msg136 = msg("Running", part128); + +var select30 = linear_select([ + msg134, + msg135, + msg136, +]); + +var part129 = match("MESSAGE#116:path:/0_0", "nwparser.payload", "Service path:%{p0}"); + +var part130 = match("MESSAGE#116:path:/0_1", "nwparser.payload", "path:%{p0}"); + +var select31 = linear_select([ + part129, + part130, +]); + +var part131 = match("MESSAGE#116:path:/1", "nwparser.p0", 
"%{} %(unknown)"); + +var all15 = all_match({ + processors: [ + select31, + part131, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), +}); + +var msg137 = msg("path:", all15); + +var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is insecure.%{}", processor_chain([ + dup20, + dup15, + setc("info","Service path is insecure."), +])); + +var msg138 = msg("path:01", part132); + +var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action}on Provider: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg139 = msg("Service", part133); + +var part134 = match("MESSAGE#119:ServiceFingerprint", "nwparser.payload", "Service running: %{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, +])); + +var msg140 = msg("ServiceFingerprint", part134); + +var msg141 = msg("path", dup65); + +var select32 = linear_select([ + msg137, + msg138, + msg139, + msg140, + msg141, +]); + +var msg142 = msg("using", dup61); + +var part135 = match("MESSAGE#122:Found:01", "nwparser.payload", "Found group: CIFS Group %{group}", processor_chain([ + dup20, + dup50, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg143 = msg("Found:01", part135); + +var part136 = match("MESSAGE#123:Found:02", "nwparser.payload", "Found user: CIFS User %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg144 = msg("Found:02", part136); + +var part137 = match("MESSAGE#124:Found:03", "nwparser.payload", "Found user %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg145 = msg("Found:03", part137); + +var part138 = match("MESSAGE#125:Found:04", "nwparser.payload", "Found interface %{sinterface}", 
processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg146 = msg("Found:04", part138); + +var part139 = match("MESSAGE#126:Found:05", "nwparser.payload", "Found DHCP-assigned WINS server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg147 = msg("Found:05", part139); + +var msg148 = msg("Found", dup62); + +var select33 = linear_select([ + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, +]); + +var part140 = match("MESSAGE#128:FTP", "nwparser.payload", "FTP name: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg149 = msg("FTP", part140); + +var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Office fingerprinting with dir %{directory}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg150 = msg("Starting:02", part141); + +var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11}(%{fld12}) with scan template: %{fld13}.", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg151 = msg("Starting:01", part142); + +var msg152 = msg("Starting", dup62); + +var select34 = linear_select([ + msg150, + msg151, + msg152, +]); + +var msg153 = msg("loading", dup61); + +var part143 = match("MESSAGE#133:trying", "nwparser.payload", "trying the next key: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg154 = msg("trying", part143); + +var msg155 = msg("Retrieving", dup64); + +var part144 = match("MESSAGE#135:Got", "nwparser.payload", "Got version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, +])); + +var msg156 = msg("Got", part144); + +var msg157 = 
msg("unexpected", dup64); + +var part145 = match("MESSAGE#137:checking:03", "nwparser.payload", "checking version of '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg158 = msg("checking:03", part145); + +var part146 = match("MESSAGE#138:No", "nwparser.payload", "No closed UDP ports, IP fingerprinting may be less accurate%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg159 = msg("No", part146); + +var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials available%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg160 = msg("No:01", part147); + +var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory}with %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg161 = msg("No:02", part148); + +var part149 = match("MESSAGE#141:No:03", "nwparser.payload", "No approved updates found for processing.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg162 = msg("No:03", part149); + +var msg163 = msg("No:04", dup61); + +var select35 = linear_select([ + msg159, + msg160, + msg161, + msg162, + msg163, +]); + +var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update ID %{fld12}.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg164 = msg("Applying", part150); + +var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12}applied successfully.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg165 = 
msg("Update", part151); + +var part152 = match("MESSAGE#227:Update:02", "nwparser.payload", "Update ID %{fld1}, for product ID %{id}, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg166 = msg("Update:02", part152); + +var msg167 = msg("Update:03", dup61); + +var select36 = linear_select([ + msg165, + msg166, + msg167, +]); + +var part153 = match("MESSAGE#144:Installing", "nwparser.payload", "Installing directory %{directory}.", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg168 = msg("Installing", part153); + +var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing file, %(unknown).", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg169 = msg("Installing:01", part154); + +var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory}from %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Installing Postgres files"), +])); + +var msg170 = msg("Installing:02", part155); + +var select37 = linear_select([ + msg168, + msg169, + msg170, +]); + +var part156 = match("MESSAGE#146:Resolving", "nwparser.payload", "Resolving additional DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg171 = msg("Resolving", part156); + +var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","DNS"), +])); + +var msg172 = msg("DNS", part157); + +var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol}ports", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, 
+ dup32, + dup33, + dup34, +])); + +var msg173 = msg("Scanning", part158); + +var msg174 = msg("param:", dup64); + +var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name}dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg175 = msg("Windows", part159); + +var part160 = match("MESSAGE#151:Windows:01", "nwparser.payload", "Windows Media Player version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg176 = msg("Windows:01", part160); + +var msg177 = msg("Windows:02", dup61); + +var select38 = linear_select([ + msg175, + msg176, + msg177, +]); + +var msg178 = msg("Parsed", dup64); + +var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version}is installed", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg179 = msg("JRE", part161); + +var msg180 = msg("Microsoft", dup64); + +var part162 = match("MESSAGE#155:MDAC", "nwparser.payload", "MDAC version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg181 = msg("MDAC", part162); + +var part163 = match("MESSAGE#156:Name", "nwparser.payload", "Name Server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg182 = msg("Name", part163); + +var msg183 = msg("Flash", dup64); + +var msg184 = msg("Skipping", dup64); + +var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service}(source: %{info})", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg185 = msg("Closing", part164); + +var part165 = match("MESSAGE#238:Closing:03", 
"nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld3}] Closing connection to scan engine.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Closing connection to scan engine"), +])); + +var msg186 = msg("Closing:03", part165); + +var msg187 = msg("Closing:02", dup61); + +var select39 = linear_select([ + msg185, + msg186, + msg187, +]); + +var part166 = match("MESSAGE#160:key", "nwparser.payload", "key does not exist: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg188 = msg("key", part166); + +var part167 = match("MESSAGE#161:Listing", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup50, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg189 = msg("Listing", part167); + +var msg190 = msg("Getting", dup64); + +var part168 = match("MESSAGE#163:Version:", "nwparser.payload", "Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg191 = msg("Version:", part168); + +var msg192 = msg("IE", dup64); + +var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol}port scan (%{dclass_counter1}open ports): %{fld11}seconds", processor_chain([ + dup20, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. 
of Open ports"), +])); + +var msg193 = msg("Completed", part169); + +var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg194 = msg("Completed:01", part170); + +var part171 = match("MESSAGE#344:Completed:02", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of asset group synopses.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of asset group synopses"), +])); + +var msg195 = msg("Completed:02", part171); + +var part172 = match("MESSAGE#345:Completed:03", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of site synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of site synopsis"), +])); + +var msg196 = msg("Completed:03", part172); + +var part173 = match("MESSAGE#346:Completed:04", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed recomputation of synopsis data.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed recomputation of synopsis data"), +])); + +var msg197 = msg("Completed:04", part173); + +var part174 = match("MESSAGE#347:Completed:05", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, +])); + +var msg198 = msg("Completed:05", part174); + +var part175 = match("MESSAGE#348:Completed:06", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, +])); + +var msg199 = msg("Completed:06", part175); + +var part176 = match("MESSAGE#460:Completed:07", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] [Started: 
%{fld5}T%{fld6}] [Duration: %{fld7}] Completed purging sub-scan results.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed purging sub-scan results"), +])); + +var msg200 = msg("Completed:07", part176); + +var part177 = match("MESSAGE#461:Completed:08", "nwparser.payload", "SiteID: %{fld1}] [Scan ID: %{fld2}] [Started: %{fld3}T%{fld4}] [Duration: %{fld5}] Completed computation of synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of synopsis"), +])); + +var msg201 = msg("Completed:08", part177); + +var select40 = linear_select([ + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, +]); + +var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version}for file %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg202 = msg("Retrieved", part178); + +var part179 = match("MESSAGE#167:CIFS", "nwparser.payload", "CIFS Name Service name: %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg203 = msg("CIFS", part179); + +var msg204 = msg("Cached:", dup64); + +var msg205 = msg("Enumerating", dup64); + +var part180 = match("MESSAGE#170:Checking:01", "nwparser.payload", "Checking for approved updates.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg206 = msg("Checking:01", part180); + +var msg207 = msg("Checking:02", dup64); + +var select41 = linear_select([ + msg206, + msg207, +]); + +var part181 = match("MESSAGE#172:CSIDL_SYSTEMX86", "nwparser.payload", "CSIDL_SYSTEMX86 dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg208 = msg("CSIDL_SYSTEMX86", part181); + +var part182 
= match("MESSAGE#173:CSIDL_SYSTEM", "nwparser.payload", "CSIDL_SYSTEM dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg209 = msg("CSIDL_SYSTEM", part182); + +var part183 = match("MESSAGE#174:office", "nwparser.payload", "office root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg210 = msg("office", part183); + +var part184 = match("MESSAGE#175:Exchange", "nwparser.payload", "Exchange root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg211 = msg("Exchange", part184); + +var part185 = match("MESSAGE#176:SQL", "nwparser.payload", "SQL Server root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg212 = msg("SQL", part185); + +var part186 = match("MESSAGE#177:starting", "nwparser.payload", "starting %{service}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg213 = msg("starting", part186); + +var part187 = match("MESSAGE#178:Host", "nwparser.payload", "Host type (from MAC %{smacaddr}): %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg214 = msg("Host", part187); + +var part188 = match("MESSAGE#268:Host:01", "nwparser.payload", "Host Address: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg215 = msg("Host:01", part188); + +var part189 = match("MESSAGE#269:Host:02", "nwparser.payload", "Host FQDN: %{fqdn}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg216 = msg("Host:02", part189); + +var select42 = linear_select([ + msg214, + msg215, + msg216, +]); + +var 
part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service}service", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg217 = msg("Advertising", part190); + +var part191 = match("MESSAGE#180:IP", "nwparser.payload", "IP fingerprint:%{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg218 = msg("IP", part191); + +var part192 = match("MESSAGE#181:Updating:01", "nwparser.payload", "Updating file, %(unknown).", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg219 = msg("Updating:01", part192); + +var part193 = match("MESSAGE#182:Updating", "nwparser.payload", "Updating %{info}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg220 = msg("Updating", part193); + +var select43 = linear_select([ + msg219, + msg220, +]); + +var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1}vulnerabilities in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of vulnerabilities"), +])); + +var msg221 = msg("Updated", part194); + +var part195 = match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1}assets in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of assets"), +])); + +var msg222 = msg("Updated:01", part195); + +var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1}sites in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + 
setc("dclass_counter1_string","Number of sites"), +])); + +var msg223 = msg("Updated:02", part196); + +var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1}groups in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of groups"), +])); + +var msg224 = msg("Updated:03", part197); + +var part198 = match("MESSAGE#260:Updated:04/0", "nwparser.payload", "Started: %{fld2}] [Duration: %{fld3}] Updated risk scores for %{fld1->} %{p0}"); + +var part199 = match("MESSAGE#260:Updated:04/1_0", "nwparser.p0", "vulnerabilities.%{}"); + +var part200 = match("MESSAGE#260:Updated:04/1_1", "nwparser.p0", "assets.%{}"); + +var part201 = match("MESSAGE#260:Updated:04/1_2", "nwparser.p0", "sites.%{}"); + +var part202 = match("MESSAGE#260:Updated:04/1_3", "nwparser.p0", "groups.%{}"); + +var select44 = linear_select([ + part199, + part200, + part201, + part202, +]); + +var all16 = all_match({ + processors: [ + part198, + select44, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), +}); + +var msg225 = msg("Updated:04", all16); + +var part203 = match("MESSAGE#311:Updated:06/0", "nwparser.payload", "%{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Updated %{p0}"); + +var part204 = match("MESSAGE#311:Updated:06/1_0", "nwparser.p0", "scan risk scores%{p0}"); + +var part205 = match("MESSAGE#311:Updated:06/1_1", "nwparser.p0", "risk scores for site%{p0}"); + +var select45 = linear_select([ + part204, + part205, +]); + +var part206 = match("MESSAGE#311:Updated:06/2", "nwparser.p0", ".%{}"); + +var all17 = all_match({ + processors: [ + part203, + select45, + part206, + ], + on_success: processor_chain([ + dup11, + dup14, + dup15, + setc("event_description","Updated risk scores"), + ]), +}); + +var msg226 = msg("Updated:06", all17); + +var msg227 = msg("Updated:05", dup65); + +var select46 = linear_select([ + msg221, + msg222, 
+ msg223, + msg224, + msg225, + msg226, + msg227, +]); + +var part207 = match("MESSAGE#187:Started", "nwparser.payload", "Started auto-update.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg228 = msg("Started", part207); + +var msg229 = msg("Started:02", dup61); + +var select47 = linear_select([ + msg228, + msg229, +]); + +var part208 = match("MESSAGE#188:Executing", "nwparser.payload", "Executing job JobID[%{info}] Risk and daily history updater for silo %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg230 = msg("Executing", part208); + +var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing job JobID[%{info}] Auto-update retriever", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg231 = msg("Executing:01", part209); + +var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1}retention updater-default", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg232 = msg("Executing:02", part210); + +var part211 = match("MESSAGE#191:Executing:04", "nwparser.payload", "Executing job JobID[%{info}] %{obj_type}: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg233 = msg("Executing:04", part211); + +var part212 = match("MESSAGE#326:Executing:03", "nwparser.payload", "Executing SQL: %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg234 = msg("Executing:03", part212); + +var select48 = linear_select([ + msg230, + msg231, + msg232, + msg233, + msg234, +]); + +var part213 = match("MESSAGE#192:A", "nwparser.payload", "A set of SSH administrative credentials have failed verification.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + 
dup33, + dup34, +])); + +var msg235 = msg("A", part213); + +var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Administrative credentials failed (access denied).%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg236 = msg("Administrative:01", part214); + +var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service}will be used.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg237 = msg("Administrative", part215); + +var select49 = linear_select([ + msg236, + msg237, +]); + +var part216 = match("MESSAGE#195:Initializing:01", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld2}] Initializing remote scan engine (%{dhost}).", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Initializing remote scan engine"), +])); + +var msg238 = msg("Initializing:01", part216); + +var part217 = match("MESSAGE#196:Initializing/1_0", "nwparser.p0", "Initializing %{service}."); + +var part218 = match("MESSAGE#196:Initializing/1_1", "nwparser.p0", "Initializing JDBC drivers %{}"); + +var part219 = match("MESSAGE#196:Initializing/1_2", "nwparser.p0", "%{event_description}"); + +var select50 = linear_select([ + part217, + part218, + part219, +]); + +var all18 = all_match({ + processors: [ + dup28, + select50, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg239 = msg("Initializing", all18); + +var select51 = linear_select([ + msg238, + msg239, +]); + +var msg240 = msg("Creating", dup64); + +var msg241 = msg("Loading", dup64); + +var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1}policy checks for scan.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, 
+ dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of policies"), +])); + +var msg242 = msg("Loaded", part220); + +var msg243 = msg("Loaded:01", dup66); + +var select52 = linear_select([ + msg242, + msg243, +]); + +var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1}live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of live nodes"), +])); + +var msg244 = msg("Finished", part221); + +var part222 = match("MESSAGE#201:Finished:01", "nwparser.payload", "Finished loading %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg245 = msg("Finished:01", part222); + +var part223 = match("MESSAGE#202:Finished:02", "nwparser.payload", "Finished resolving DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg246 = msg("Finished:02", part223); + +var msg247 = msg("Finished:03", dup67); + +var select53 = linear_select([ + msg244, + msg245, + msg246, + msg247, +]); + +var msg248 = msg("CheckProcessor:", dup64); + +var msg249 = msg("Locating", dup64); + +var part224 = match("MESSAGE#205:TCP", "nwparser.payload", "TCP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg250 = msg("TCP", part224); + +var part225 = match("MESSAGE#206:UDP", "nwparser.payload", "UDP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg251 = msg("UDP", part225); + +var part226 = match("MESSAGE#207:Queued", "nwparser.payload", "Queued live nodes for scanning: %{dclass_counter1}", processor_chain([ + dup20, + 
dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Live nodes"), +])); + +var msg252 = msg("Queued", part226); + +var msg253 = msg("Reading", dup64); + +var msg254 = msg("Registering", dup64); + +var part227 = match("MESSAGE#210:Registered", "nwparser.payload", "Registered session [%{fld12}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg255 = msg("Registered", part227); + +var part228 = match("MESSAGE#219:Registered:02", "nwparser.payload", "Registered session for principal name [%{username}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg256 = msg("Registered:02", part228); + +var select54 = linear_select([ + msg255, + msg256, +]); + +var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr}is a valid network node", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg257 = msg("Seeing", part229); + +var part230 = match("MESSAGE#212:Logging", "nwparser.payload", "Logging initialized. 
[Name = %{obj_name}] [Level = %{fld11}] [Timezone = %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, +])); + +var msg258 = msg("Logging", part230); + +var msg259 = msg("Firefox", dup64); + +var msg260 = msg("nodes", dup64); + +var msg261 = msg("common", dup67); + +var msg262 = msg("jess.JessException:", dup67); + +var part231 = match("MESSAGE#218:Successfully", "nwparser.payload", "Successfully %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg263 = msg("Successfully", part231); + +var msg264 = msg("Establishing", dup61); + +var msg265 = msg("Response", dup61); + +var msg266 = msg("Auto-update", dup61); + +var msg267 = msg("Approved:03", dup61); + +var msg268 = msg("HHH000436:", dup61); + +var msg269 = msg("Staged", dup61); + +var msg270 = msg("Refreshing", dup61); + +var msg271 = msg("Activation", dup61); + +var msg272 = msg("Acknowledging", dup61); + +var msg273 = msg("Acknowledged", dup61); + +var msg274 = msg("Validating", dup61); + +var msg275 = msg("Patching", dup61); + +var msg276 = msg("JAR", dup61); + +var msg277 = msg("Destroying", dup61); + +var msg278 = msg("Invocation", dup61); + +var msg279 = msg("Using", dup61); + +var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1}shutdown complete, %{event_description->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg280 = msg("Route:01", part232); + +var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1}started and consuming from: %{event_description->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg281 = msg("Route:02", part233); + +var select55 = linear_select([ + msg280, + msg281, +]); + +var msg282 = msg("Deploying", dup61); + +var msg283 = msg("Generating", dup61); + +var msg284 = msg("Staging", dup61); + +var msg285 = msg("Removing", dup61); + +var msg286 = msg("At", dup61); + +var msg287 = msg("An", dup61); + +var msg288 = msg("The", dup61); + +var msg289 = msg("Downloading", dup61); 
+ +var msg290 = msg("Downloaded", dup61); + +var msg291 = msg("Restarting", dup61); + +var msg292 = msg("Requested", dup61); + +var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg293 = msg("Freeing", part234); + +var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1}current sessions.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg294 = msg("Freeing:01", part235); + +var select56 = linear_select([ + msg293, + msg294, +]); + +var part236 = match("MESSAGE#259:Kill", "nwparser.payload", "Kill session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg295 = msg("Kill", part236); + +var part237 = match("MESSAGE#262:Created:01", "nwparser.payload", "Created temporary directory %(unknown)", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg296 = msg("Created:01", part237); + +var part238 = match("MESSAGE#331:Created:02", "nwparser.payload", "Created %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg297 = msg("Created:02", part238); + +var select57 = linear_select([ + msg296, + msg297, +]); + +var part239 = match("MESSAGE#263:Product", "nwparser.payload", "Product Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg298 = msg("Product", part239); + +var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current directory: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg299 = msg("Current", part240); + +var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg300 = msg("Current:01", part241); + +var select58 = linear_select([ + msg299, + msg300, +]); + +var part242 = match("MESSAGE#266:Super", "nwparser.payload", "Super user: %{result}", 
processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg301 = msg("Super", part242); + +var part243 = match("MESSAGE#267:Computer", "nwparser.payload", "Computer name: %{hostname}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg302 = msg("Computer", part243); + +var part244 = match("MESSAGE#270:Operating", "nwparser.payload", "Operating system: %{os}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg303 = msg("Operating", part244); + +var part245 = match("MESSAGE#271:CPU", "nwparser.payload", "CPU speed: %{fld1}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg304 = msg("CPU", part245); + +var part246 = match("MESSAGE#272:Number", "nwparser.payload", "Number of CPUs: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg305 = msg("Number", part246); + +var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg306 = msg("Total", part247); + +var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1}routes, of which %{dclass_counter2}is started.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg307 = msg("Total:02", part248); + +var select59 = linear_select([ + msg306, + msg307, +]); + +var part249 = match("MESSAGE#274:Available", "nwparser.payload", "Available %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg308 = msg("Available", part249); + +var part250 = match("MESSAGE#275:Disk", "nwparser.payload", "Disk space used by %{fld1}: %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg309 = msg("Disk", part250); + +var part251 = match("MESSAGE#276:JVM", "nwparser.payload", "JVM %{fld1}: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg310 = msg("JVM", part251); + +var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing ProtocolHandler [%{info}]", processor_chain([ + dup20, + dup14, + 
dup15, +])); + +var msg311 = msg("Pausing", part252); + +var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname}replaces %{fld1}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg312 = msg("Policy", part253); + +var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname}in %{info}with hash %{fld1}is not valid builtin content and will not load.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Policy benchmark is not valid builtin content and will not load"), +])); + +var msg313 = msg("Policy:01", part254); + +var select60 = linear_select([ + msg312, + msg313, +]); + +var part255 = match("MESSAGE#279:Bulk", "nwparser.payload", "Bulk %{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg314 = msg("Bulk", part255); + +var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg315 = msg("Importing", part256); + +var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1}new categories, categorized %{fld1}vulnerabilities and %{fld2}tags.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg316 = msg("Imported", part257); + +var msg317 = msg("Imported:01", dup65); + +var select61 = linear_select([ + msg316, + msg317, +]); + +var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg318 = msg("Compiling", part258); + +var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg319 = msg("Vulnerability", part259); + +var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg320 = msg("Truncating", part260); + +var part261 = 
match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg321 = msg("Synchronizing", part261); + +var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg322 = msg("Parsing", part262); + +var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg323 = msg("Remapping", part263); + +var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info->} ", processor_chain([ + dup20, + dup15, +])); + +var msg324 = msg("Remapped", part264); + +var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info->} ", processor_chain([ + dup20, + dup15, +])); + +var msg325 = msg("Database", part265); + +var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info->} ", processor_chain([ + dup20, + dup15, +])); + +var msg326 = msg("Database:01", part266); + +var select62 = linear_select([ + msg325, + msg326, +]); + +var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg327 = msg("Accepting", part267); + +var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg328 = msg("VERSION:03", part268); + +var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg329 = msg("Detected", part269); + +var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg330 = msg("Telling", part270); + +var part271 = match("MESSAGE#298:Stopping", 
"nwparser.payload", "Stopping %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg331 = msg("Stopping", part271); + +var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg332 = msg("removing", part272); + +var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg333 = msg("Enabling", part273); + +var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg334 = msg("Granting", part274); + +var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg335 = msg("Version", part275); + +var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg336 = msg("Configuring", part276); + +var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg337 = msg("Scheduler", part277); + +var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Scheduler started.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Scheduler started"), +])); + +var msg338 = msg("Scheduler:01", part278); + +var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info->} ", processor_chain([ + dup20, + dup15, +])); + +var msg339 = msg("Scheduler:02", part279); + +var select63 = linear_select([ + msg337, + msg338, + msg339, +]); + +var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg340 = msg("PostgreSQL", part280); + 
+var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info->} ", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg341 = msg("Cleaning", part281); + +var part282 = match("MESSAGE#462:Cleaning:01", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] Cleaning up sub-scan results.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Cleaning up sub-scan results"), +])); + +var msg342 = msg("Cleaning:01", part282); + +var select64 = linear_select([ + msg341, + msg342, +]); + +var part283 = match("MESSAGE#309:Installed:01/0", "nwparser.payload", "Installed DB%{p0}"); + +var part284 = match("MESSAGE#309:Installed:01/1_0", "nwparser.p0", "_VERSION after upgrade%{p0}"); + +var part285 = match("MESSAGE#309:Installed:01/1_1", "nwparser.p0", " VERSION %{p0}"); + +var select65 = linear_select([ + part284, + part285, +]); + +var part286 = match("MESSAGE#309:Installed:01/2", "nwparser.p0", "%{}= %{version}"); + +var all19 = all_match({ + processors: [ + part283, + select65, + part286, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + ]), +}); + +var msg343 = msg("Installed:01", all19); + +var part287 = match("MESSAGE#310:Inserted", "nwparser.payload", "Inserted %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg344 = msg("Inserted", part287); + +var part288 = match("MESSAGE#313:Deleted", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Deleted %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg345 = msg("Deleted", part288); + +var msg346 = msg("Default", dup66); + +var msg347 = msg("Apache", dup66); + +var msg348 = msg("JMX", dup66); + +var msg349 = msg("AllowUseOriginalMessage", dup66); + +var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1}benchmarks, containing %{fld1}policies. 
The total check count is %{dclass_counter2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg350 = msg("Initialized", part289); + +var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1}policy benchmarks in total.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg351 = msg("Initialized:01", part290); + +var part291 = match("MESSAGE#379:Initialized_Scheduler", "nwparser.payload", "Initialized Scheduler Signaller of type: %{obj_type->} %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initialized Scheduler Signaller"), +])); + +var msg352 = msg("Initialized_Scheduler", part291); + +var select66 = linear_select([ + msg350, + msg351, + msg352, +]); + +var msg353 = msg("Error", dup66); + +var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1}routes completed in %{dclass_counter2}seconds", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg354 = msg("Graceful", part292); + +var msg355 = msg("StreamCaching", dup61); + +var msg356 = msg("Local", dup66); + +var part293 = match("MESSAGE#329:DB_VERSION", "nwparser.payload", "DB_VERSION = %{version}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg357 = msg("DB_VERSION", part293); + +var part294 = match("MESSAGE#330:Populating", "nwparser.payload", "Populating %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg358 = msg("Populating", part294); + +var part295 = match("MESSAGE#332:EventLog", "nwparser.payload", "EventLog %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg359 = msg("EventLog", part295); + +var part296 = match("MESSAGE#333:Making", "nwparser.payload", "Making %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg360 = msg("Making", part296); + +var part297 = match("MESSAGE#334:Setting", "nwparser.payload", "Setting %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg361 
= msg("Setting", part297); + +var part298 = match("MESSAGE#335:initdb", "nwparser.payload", "initdb %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg362 = msg("initdb", part298); + +var part299 = match("MESSAGE#336:Verifying", "nwparser.payload", "Verifying %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg363 = msg("Verifying", part299); + +var msg364 = msg("OS", dup66); + +var part300 = match("MESSAGE#338:Benchmark", "nwparser.payload", "Benchmark %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg365 = msg("Benchmark", part300); + +var part301 = match("MESSAGE#339:Report:01", "nwparser.payload", "Report Config ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, +])); + +var msg366 = msg("Report:01", part301); + +var part302 = match("MESSAGE#340:Report", "nwparser.payload", "Report Config ID: %{fld1}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, +])); + +var msg367 = msg("Report", part302); + +var select67 = linear_select([ + msg366, + msg367, +]); + +var part303 = match("MESSAGE#342:Cannot_preload", "nwparser.payload", "Engine ID: %{fld1}] [Engine Name: %{fld2}] Cannot preload incremental pool with a connection %{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, +])); + +var msg368 = msg("Cannot_preload", part303); + +var part304 = match("MESSAGE#343:Cannot_preload:01", "nwparser.payload", "Cannot preload incremental pool with a connection%{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, +])); + +var msg369 = msg("Cannot_preload:01", part304); + +var select68 = linear_select([ + msg368, + msg369, +]); + +var part305 = match("MESSAGE#349:ERROR:02", "nwparser.payload", "ERROR: syntax error at or near \"%{fld1}\"", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Syntax error"), +])); + +var msg370 = 
msg("ERROR:02", part305); + +var part306 = match("MESSAGE#350:QuartzRepeaterBuilder", "nwparser.payload", "QuartzRepeaterBuilder failed to add schedule to ScanConfig: null%{}", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","QuartzRepeaterBuilder failed to add schedule"), +])); + +var msg371 = msg("QuartzRepeaterBuilder", part306); + +var part307 = match("MESSAGE#351:Backing_up", "nwparser.payload", "Backing up %{event_source}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Backing up"), +])); + +var msg372 = msg("Backing_up", part307); + +var part308 = match("MESSAGE#352:Not_configured", "nwparser.payload", "com.rapid.nexpose.scanpool.stateInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid.nexpose.scanpool.stateInterval is not configured"), +])); + +var msg373 = msg("Not_configured", part308); + +var part309 = match("MESSAGE#353:Not_configured:01", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured"), +])); + +var msg374 = msg("Not_configured:01", part309); + +var part310 = match("MESSAGE#354:Not_configured:02", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured"), +])); + +var msg375 = msg("Not_configured:02", part310); + +var part311 = match("MESSAGE#355:Not_configured:03", "nwparser.payload", "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value %{resultcode}.", 
processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured"), +])); + +var msg376 = msg("Not_configured:03", part311); + +var part312 = match("MESSAGE#356:Not_configured:04", "nwparser.payload", "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured"), +])); + +var msg377 = msg("Not_configured:04", part312); + +var part313 = match("MESSAGE#357:Not_configured:05", "nwparser.payload", "com.rapid7.nexpose.nsc.dbcc is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.dbcc is not configured"), +])); + +var msg378 = msg("Not_configured:05", part313); + +var part314 = match("MESSAGE#358:Not_configured:06", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured"), +])); + +var msg379 = msg("Not_configured:06", part314); + +var part315 = match("MESSAGE#359:Not_configured:07", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured"), +])); + +var msg380 = msg("Not_configured:07", part315); + +var part316 = match("MESSAGE#360:Not_configured:08", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured - returning 
default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured"), +])); + +var msg381 = msg("Not_configured:08", part316); + +var part317 = match("MESSAGE#361:Not_configured:09", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured"), +])); + +var msg382 = msg("Not_configured:09", part317); + +var part318 = match("MESSAGE#362:Not_configured:10", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured"), +])); + +var msg383 = msg("Not_configured:10", part318); + +var part319 = match("MESSAGE#363:Not_configured:11", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured"), +])); + +var msg384 = msg("Not_configured:11", part319); + +var part320 = match("MESSAGE#364:Not_configured:12", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.readTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.readTimeout is not configured"), +])); + +var msg385 = msg("Not_configured:12", part320); + +var part321 = match("MESSAGE#365:Not_configured:13", "nwparser.payload", "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured - 
returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured"), +])); + +var msg386 = msg("Not_configured:13", part321); + +var part322 = match("MESSAGE#366:Not_configured:14", "nwparser.payload", "com.rapid7.nexpose.scan.consolidation.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.consolidation.delay is not configured"), +])); + +var msg387 = msg("Not_configured:14", part322); + +var part323 = match("MESSAGE#367:Not_configured:15", "nwparser.payload", "com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured"), +])); + +var msg388 = msg("Not_configured:15", part323); + +var part324 = match("MESSAGE#368:Not_configured:16", "nwparser.payload", "com.rapid7.nexpose.scan.usescanpool is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.usescanpool is not configured"), +])); + +var msg389 = msg("Not_configured:16", part324); + +var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.rapid7.nsc.workflow.timeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nsc.workflow.timeout is not configured"), +])); + +var msg390 = msg("Not_configured:17", part325); + +var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id}[InternalId=%{fld3}] Queued mail for delivery", processor_chain([ + dup56, + dup14, + dup15, + setc("action","Queued mail for delivery"), +])); + 
+var msg391 = msg("Delivered", part326); + +var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine update thread pool shutting down.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Engine update thread pool shutting down"), +])); + +var msg392 = msg("Engine_update", part327); + +var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1}triggers from 'acquired' / 'blocked' state.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Freed triggers from 'acquired' / 'blocked' state"), +])); + +var msg393 = msg("Freed_triggers", part328); + +var part329 = match("MESSAGE#374:Upgrade_completed", "nwparser.payload", "PG Upgrade has completed succesfully%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Upgrade has completed succesfully"), +])); + +var msg394 = msg("Upgrade_completed", part329); + +var part330 = match("MESSAGE#375:PG", "nwparser.payload", "%{fld1}: %{process->} %{param}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg395 = msg("PG", part330); + +var select69 = linear_select([ + msg394, + msg395, +]); + +var part331 = match("MESSAGE#376:DEFAULT_SCHEDULER", "nwparser.payload", "DEFAULT SCHEDULER: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","DEFAULT SCHEDULER"), +])); + +var msg396 = msg("DEFAULT_SCHEDULER", part331); + +var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context loader config file is jar:file:%(unknown)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Context loader config file"), +])); + +var msg397 = msg("Context_loader", part332); + +var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %(unknown)file from %{directory}to %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Copied file"), +])); + +var msg398 = msg("Copied_file", part333); + +var part334 = match("MESSAGE#380:Java", 
"nwparser.payload", "Java HotSpot(TM) %{info}", processor_chain([ + dup20, + dup15, + setc("event_description","Console VM version"), +])); + +var msg399 = msg("Java", part334); + +var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type}'%{obj_name}' to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing permissions"), +])); + +var msg400 = msg("Changing", part335); + +var part336 = match("MESSAGE#382:Changing:01", "nwparser.payload", "Changing the new database AUTH method to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing new database AUTH method"), +])); + +var msg401 = msg("Changing:01", part336); + +var select70 = linear_select([ + msg400, + msg401, +]); + +var part337 = match("MESSAGE#383:Job_execution", "nwparser.payload", "Job execution threads will use class loader of thread: %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Job execution threads will use class loader"), +])); + +var msg402 = msg("Job_execution", part337); + +var part338 = match("MESSAGE#384:Initialized:02", "nwparser.payload", "JobStoreCMT initialized.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","JobStoreCMT initialized"), +])); + +var msg403 = msg("Initialized:02", part338); + +var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz scheduler '%{obj_name}' %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz scheduler initialized"), +])); + +var msg404 = msg("Initialized:03", part339); + +var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version}created.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz Scheduler created."), +])); + +var msg405 = msg("Created:03", part340); + +var part341 = match("MESSAGE#387:Scheduler_version", "nwparser.payload", "Quartz scheduler version: %{version}", 
processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg406 = msg("Scheduler_version", part341); + +var select71 = linear_select([ + msg404, + msg405, + msg406, +]); + +var part342 = match("MESSAGE#388:Recovering", "nwparser.payload", "Recovering %{fld1->} %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Recovering jobs"), +])); + +var msg407 = msg("Recovering", part342); + +var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery complete.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Recovery"), + setc("disposition","Complete"), +])); + +var msg408 = msg("Recovery", part343); + +var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1}'complete' triggers.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed triggers"), +])); + +var msg409 = msg("Removed", part344); + +var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1}stale fired job entries.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed job entries"), +])); + +var msg410 = msg("Removed:01", part345); + +var select72 = linear_select([ + msg409, + msg410, +]); + +var part346 = match("MESSAGE#392:Restoring", "nwparser.payload", "%{action}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg411 = msg("Restoring", part346); + +var part347 = match("MESSAGE#393:Upgrading", "nwparser.payload", "Upgrading database%{fld1}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Upgrading database"), +])); + +var msg412 = msg("Upgrading", part347); + +var part348 = match("MESSAGE#394:Exploits", "nwparser.payload", "Exploits are up to date.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Exploits are up to date"), +])); + +var msg413 = msg("Exploits", part348); + +var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communicating with NSE @ %{dhost}:%{dport}.", 
processor_chain([ + dup53, + dup49, + dup27, + dup14, + dup15, + setc("event_description","Failure communicating with NSE"), +])); + +var msg414 = msg("Failure", part349); + +var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %(unknown)to %{info}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, +])); + +var msg415 = msg("Renamed", part350); + +var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitializing web server for maintenance mode...%{}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + setc("event_description","Reinitializing web server for maintenance mode"), +])); + +var msg416 = msg("Reinitializing", part351); + +var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old}values from %(unknown)file with new auth method: %{change_new}.", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, +])); + +var msg417 = msg("Replaced", part352); + +var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old}values from %(unknown)with new setting values", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, +])); + +var msg418 = msg("Replaced:01", part353); + +var select73 = linear_select([ + msg417, + msg418, +]); + +var part354 = match("MESSAGE#400:System", "nwparser.payload", "System is running low on memory: %{fld1}MB total (%{fld2}MB free)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","System is running low on memory"), +])); + +var msg419 = msg("System", part354); + +var part355 = match("MESSAGE#401:System:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + dup30, + dup31, + dup32, + dup33, +])); + +var msg420 = msg("System:01", part355); + +var select74 = linear_select([ + msg419, + msg420, +]); + +var part356 = match("MESSAGE#402:Analyzing", "nwparser.payload", "Analyzing the database.%{}", processor_chain([ + dup20, + dup14, + 
dup15, + setc("event_description","Analyzing the database"), +])); + +var msg421 = msg("Analyzing", part356); + +var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to the new database was successful. %{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Connection to the new database was successful"), +])); + +var msg422 = msg("Connection", part357); + +var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1}trigger(s) that missed their scheduled fire-time.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Handling trigger(s) that missed their scheduled fire-time"), +])); + +var msg423 = msg("Handling", part358); + +var part359 = match("MESSAGE#406:LDAP", "nwparser.payload", "LDAP authentication requires resolution%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","LDAP authentication requires resolution"), +])); + +var msg424 = msg("LDAP", part359); + +var part360 = match("MESSAGE#407:Maintenance", "nwparser.payload", "Maintenance Task Started%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Maintenance Task Started"), +])); + +var msg425 = msg("Maintenance", part360); + +var msg426 = msg("Migration", dup61); + +var msg427 = msg("Mobile", dup68); + +var msg428 = msg("ConsoleScanImporter", dup68); + +var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_description}. Cleaning up. 
%{directory}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Cleaning up"), +])); + +var msg429 = msg("Postgres:01", part361); + +var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description}to %{dport}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg430 = msg("Succesfully", part362); + +var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1}bytes into %{directory}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg431 = msg("Unzipped", part363); + +var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process}executed with a return value of %{resultcode}.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg432 = msg("vacuumdb", part364); + +var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5}vuln checks.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Processed vuln check types"), +])); + +var msg433 = msg("Processed_vuln", part365); + +var part366 = match("MESSAGE#430:Reflections", "nwparser.payload", "Reflections %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg434 = msg("Reflections", part366); + +var part367 = match("MESSAGE#431:CorrelationAttributes", "nwparser.payload", "0.16: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg435 = msg("CorrelationAttributes", part367); + +var part368 = match("MESSAGE#432:CorrelationAttributes:01", "nwparser.payload", "0.49: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg436 = msg("CorrelationAttributes:01", part368); + +var part369 = match("MESSAGE#433:CorrelationAttributes:02", "nwparser.payload", "0.245: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg437 = msg("CorrelationAttributes:02", part369); + +var part370 = match("MESSAGE#434:CorrelationAttributes:03", "nwparser.payload", "0.325: 
%{info}", processor_chain([ + dup20, + dup15, +])); + +var msg438 = msg("CorrelationAttributes:03", part370); + +var msg439 = msg("ConsoleProductInfoProvider", dup69); + +var msg440 = msg("NSXAssetEventHandler", dup69); + +var msg441 = msg("ProductNotificationService", dup69); + +var msg442 = msg("AssetEventHandler", dup69); + +var msg443 = msg("SiteEventHandler", dup69); + +var msg444 = msg("UserEventHandler", dup69); + +var msg445 = msg("VulnerabilityExceptionEventHandler", dup69); + +var msg446 = msg("TagEventHandler", dup69); + +var msg447 = msg("AssetGroupEventHandler", dup69); + +var msg448 = msg("ScanEventHandler", dup69); + +var part371 = match("MESSAGE#445:Not_configured:18", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured"), +])); + +var msg449 = msg("Not_configured:18", part371); + +var part372 = match("MESSAGE#446:Not_configured:19", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured"), +])); + +var msg450 = msg("Not_configured:19", part372); + +var part373 = match("MESSAGE#447:Not_configured:20", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured"), +])); + +var msg451 = msg("Not_configured:20", part373); + +var part374 = match("MESSAGE#448:Not_configured:21", "nwparser.payload", 
"com.rapid7.nexpose.nse.excludedFileSystems is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.excludedFileSystems is not configured"), +])); + +var msg452 = msg("Not_configured:21", part374); + +var part375 = match("MESSAGE#449:Not_configured:22", "nwparser.payload", "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured"), +])); + +var msg453 = msg("Not_configured:22", part375); + +var part376 = match("MESSAGE#450:Not_configured:23", "nwparser.payload", "com.rapid7.nexpose.scan.logMemory.interval is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logMemory.interval is not configured"), +])); + +var msg454 = msg("Not_configured:23", part376); + +var part377 = match("MESSAGE#451:Not_configured:24", "nwparser.payload", "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured"), +])); + +var msg455 = msg("Not_configured:24", part377); + +var part378 = match("MESSAGE#452:Not_configured:25", "nwparser.payload", "com.rapid7.scan.perTestDurationLogging is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.scan.perTestDurationLogging is not configured"), +])); + +var msg456 = msg("Not_configured:25", part378); + +var part379 = match("MESSAGE#453:Not_configured:26", "nwparser.payload", "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default 
value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured"), +])); + +var msg457 = msg("Not_configured:26", part379); + +var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured"), +])); + +var msg458 = msg("Not_configured:27", part380); + +var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process}detected on classpath: [%{fld2}]", processor_chain([ + dup20, + dup14, + dup15, + setc("action","detected"), +])); + +var msg459 = msg("Spring", part381); + +var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2}] Storing scan details for %{event_type}.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Storing scan details"), +])); + +var msg460 = msg("Storing", part382); + +var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1}hits and %{dclass_counter2}misses.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Clearing object tracker"), +])); + +var msg461 = msg("Clearing", part383); + +var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] All scan engines are up to date.", processor_chain([ + dup20, + dup14, + dup15, + setc("result","All scan engines are up to date"), +])); + +var msg462 = msg("All", part384); + +var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object}discovered.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","New Provider discovered"), +])); + +var msg463 = msg("New", part385); + +var part386 = match("MESSAGE#463:Session", "nwparser.payload", 
"%{fld1}] [%{fld2}] [%{fld3}] Session created.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Session created"), +])); + +var msg464 = msg("Session", part386); + +var part387 = match("MESSAGE#464:Debug", "nwparser.payload", "Debug logging is not enabled for this scan.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Debug logging is not enabled"), +])); + +var msg465 = msg("Debug", part387); + +var msg466 = msg("Debug:01", dup61); + +var select75 = linear_select([ + msg465, + msg466, +]); + +var part388 = match("MESSAGE#466:ACES", "nwparser.payload", "ACES logging is not enabled.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","ACES logging is not enabled"), +])); + +var msg467 = msg("ACES", part388); + +var msg468 = msg("ACES:01", dup61); + +var select76 = linear_select([ + msg467, + msg468, +]); + +var part389 = match("MESSAGE#468:Invulnerable", "nwparser.payload", "Invulnerable Data Storage is on.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Invulnerable Data Storage is on"), +])); + +var msg469 = msg("Invulnerable", part389); + +var part390 = match("MESSAGE#469:Nmap", "nwparser.payload", "Nmap ARP Ping for local networks%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nmap ARP Ping for local networks"), +])); + +var msg470 = msg("Nmap", part390); + +var part391 = match("MESSAGE#470:Nmap:01", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1801000000"), + dup14, + dup15, +])); + +var msg471 = msg("Nmap:01", part391); + +var select77 = linear_select([ + msg470, + msg471, +]); + +var part392 = match("MESSAGE#471:Cause/0_0", "nwparser.payload", "Authentication %{result->} for principal %{fld}] %{info}"); + +var part393 = match("MESSAGE#471:Cause/0_1", "nwparser.payload", " %{result}] %{info}"); + +var select78 = linear_select([ + part392, + part393, +]); + +var all20 = all_match({ 
+ processors: [ + select78, + ], + on_success: processor_chain([ + setc("eventcategory","1301000000"), + dup14, + dup15, + ]), +}); + +var msg472 = msg("Cause", all20); + +var part394 = match("MESSAGE#472:NEXPOSE_GENERIC", "nwparser.payload", "%{fld1}", processor_chain([ + setc("eventcategory","1901000000"), + dup15, +])); + +var msg473 = msg("NEXPOSE_GENERIC", part394); + +var chain1 = processor_chain([ + select4, + msgid_select({ + "0.16": msg435, + "0.245": msg437, + "0.325": msg438, + "0.49": msg436, + "A": msg235, + "ACES": select76, + "Accepting": msg327, + "Acknowledged": msg273, + "Acknowledging": msg272, + "Activation": msg271, + "Adding": select25, + "Administrative": select49, + "Advertising": msg217, + "All": msg462, + "AllowUseOriginalMessage": msg349, + "An": msg287, + "Analyzing": msg421, + "Apache": msg347, + "Applying": msg164, + "Approved": msg267, + "Asserting": select28, + "AssetEventHandler": msg442, + "AssetGroupEventHandler": msg447, + "At": msg286, + "Attempting": select26, + "Authenticated": msg85, + "Authentication": select23, + "Auto-update": msg266, + "Available": msg308, + "Backing": msg372, + "Benchmark": msg365, + "Bulk": msg314, + "CIFS": msg203, + "CPU": msg304, + "CSIDL_SYSTEM": msg209, + "CSIDL_SYSTEMX86": msg208, + "Cached:": msg204, + "Cannot": select68, + "Cataloged": msg103, + "Cause": msg472, + "Changing": select70, + "CheckProcessor:": msg248, + "Checking": select41, + "Cleaning": select64, + "Clearing": msg461, + "Closing": select39, + "Compiling": msg318, + "Completed": select40, + "Computer": msg302, + "Configuring": msg336, + "Connection": msg422, + "Console": select12, + "ConsoleProductInfoProvider": msg439, + "ConsoleScanImporter": msg428, + "Context": msg397, + "Copied": msg398, + "Could": msg125, + "Created": select57, + "Creating": msg240, + "Current": select58, + "DB_VERSION": msg357, + "DEFAULT": msg396, + "DNS": msg172, + "Database": select62, + "Debug": select75, + "Default": msg346, + "Deleted": msg345, + 
"Delivered": msg391, + "Deploying": msg282, + "Destroying": msg277, + "Detected": msg329, + "Determining": select29, + "Disk": msg309, + "Done": select17, + "Downloaded": msg290, + "Downloading": msg289, + "Dumping": msg104, + "ERROR": select7, + "ERROR:": msg370, + "Enabling": msg333, + "Engine": msg392, + "Enumerating": msg205, + "Error": msg353, + "Establishing": msg264, + "EventLog": msg359, + "Exchange": msg211, + "Executing": select48, + "Exploits": msg413, + "ExtMgr": select8, + "FTP": msg149, + "Failed": msg112, + "Failure": msg414, + "Finished": select53, + "Firefox": msg259, + "Flash": msg183, + "Form": msg105, + "Found": select33, + "Freed": msg393, + "Freeing": select56, + "Generating": msg283, + "Getting": msg190, + "Got": msg156, + "Graceful": msg354, + "Granting": msg334, + "HHH000436:": msg268, + "Handling": msg423, + "Host": select42, + "IE": msg192, + "IP": msg218, + "Imported": select61, + "Importing": msg315, + "Inconsistency": msg83, + "Initialized": select66, + "Initializing": select51, + "Inserted": msg344, + "Installed": msg343, + "Installing": select37, + "Interrupted,": msg47, + "Invocation": msg278, + "Invulnerable": msg469, + "JAR": msg276, + "JMX": msg348, + "JRE": msg179, + "JVM": msg310, + "Java": msg399, + "Job": msg402, + "JobStoreCMT": msg403, + "Kill": msg295, + "LDAP": msg424, + "Listing": msg189, + "Loaded": select52, + "Loading": msg241, + "Local": msg356, + "Locating": msg249, + "Logging": msg258, + "MDAC": msg181, + "Maintenance": msg425, + "Making": msg360, + "Microsoft": msg180, + "Migration": msg426, + "Mobile": msg427, + "NEXPOSE_GENERIC": msg473, + "NOT_VULNERABLE": select5, + "NOT_VULNERABLE_VERSION": msg1, + "NSE": select11, + "NSXAssetEventHandler": msg440, + "Name": msg182, + "New": msg463, + "Nexpose": select13, + "Nmap": select77, + "No": select35, + "Number": msg305, + "OS": msg364, + "Operating": msg303, + "PG": select69, + "Parsed": msg178, + "Parsing": msg322, + "Patching": msg275, + "Pausing": msg311, + 
"Performing": select20, + "Policy": select60, + "Populating": msg358, + "PostgreSQL": msg340, + "Postgres": msg429, + "Preparing": msg67, + "Processed": msg433, + "Processing": msg97, + "Product": msg298, + "ProductNotificationService": msg441, + "ProtocolFper": msg31, + "Quartz": select71, + "QuartzRepeaterBuilder": msg371, + "Queued": msg252, + "Queueing": select18, + "Reading": msg253, + "Recovering": msg407, + "Recovery": msg408, + "Recursively": select27, + "Reflections": msg434, + "Refreshing": msg270, + "Registered": select54, + "Registering": msg254, + "Reinitializing": msg416, + "Relaunching": msg106, + "Remapped": msg324, + "Remapping": msg323, + "Removed": select72, + "Removing": msg285, + "Renamed": msg415, + "Replaced": select73, + "Report": select67, + "Requested": msg292, + "Resolving": msg171, + "Response": msg265, + "Restarting": msg291, + "Restoring": msg411, + "Retrieved": msg202, + "Retrieving": msg155, + "Rewrote": msg65, + "Route:": select55, + "Running": select30, + "SPIDER": msg66, + "SPIDER-XSS": msg96, + "SQL": msg212, + "Scan": select22, + "ScanEventHandler": msg448, + "ScanMgr": select9, + "Scanning": msg173, + "Scheduler": select63, + "Searching": msg109, + "Security": select15, + "Seeing": msg257, + "Sending": msg118, + "Service": select32, + "Session": msg464, + "Setting": msg361, + "Shutdown": msg49, + "Shutting": msg46, + "Site": msg84, + "SiteEventHandler": msg443, + "Skipping": msg184, + "Spring": msg459, + "Staged": msg269, + "Staging": msg284, + "Started": select47, + "Starting": select34, + "Stopping": msg331, + "Storing": msg460, + "StreamCaching": msg355, + "Succesfully": msg430, + "Successfully": msg263, + "Super": msg301, + "Synchronizing": msg321, + "System": select74, + "SystemFingerprint": msg108, + "TCP": msg250, + "TCPSocket": msg110, + "TagEventHandler": msg446, + "Telling": msg330, + "The": msg288, + "Total": select59, + "Truncating": msg320, + "Trusted": msg121, + "Trying": msg64, + "UDP": msg251, + "Unzipped": 
msg431, + "Update": select36, + "Updated": select46, + "Updating": select43, + "Upgrading": msg412, + "User": select24, + "UserEventHandler": msg444, + "Using": msg279, + "VERSION": msg328, + "VULNERABLE": select6, + "VULNERABLE_VERSION": msg2, + "Validating": msg274, + "Verifying": msg363, + "Version": msg335, + "Version:": msg191, + "Vulnerability": msg319, + "VulnerabilityExceptionEventHandler": msg445, + "Web": select16, + "Webmin": msg133, + "Windows": select38, + "building": msg117, + "but": msg98, + "checking": msg158, + "com.rapid.nexpose.scanpool.stateInterval": msg373, + "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout": msg374, + "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout": msg375, + "com.rapid7.nexpose.datastore.connection.evictionThreadTime": msg376, + "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout": msg377, + "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size": msg449, + "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size": msg458, + "com.rapid7.nexpose.nsc.dbcc": msg378, + "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond": msg450, + "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration": msg451, + "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize": msg379, + "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize": msg380, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation": msg381, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled": msg382, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval": msg383, + "com.rapid7.nexpose.nse.excludedFileSystems": msg452, + "com.rapid7.nexpose.nse.nscClient.connectTimeout": msg384, + "com.rapid7.nexpose.nse.nscClient.readTimeout": msg385, + "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout": msg386, + "com.rapid7.nexpose.scan.consolidation.delay": msg387, + 
"com.rapid7.nexpose.scan.lifecyclemonitor.delay": msg388, + "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable": msg453, + "com.rapid7.nexpose.scan.logMemory.interval": msg454, + "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations": msg455, + "com.rapid7.nexpose.scan.usescanpool": msg389, + "com.rapid7.nsc.workflow.timeout": msg390, + "com.rapid7.scan.perTestDurationLogging": msg456, + "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism": msg457, + "common": msg261, + "connected": msg111, + "creating": msg120, + "credentials": msg95, + "dcerpc-get-ms-blaster-codes": msg124, + "initdb": msg362, + "j_password": msg99, + "j_username": msg100, + "jess.JessException:": msg262, + "key": msg188, + "list-user-directory": msg123, + "loading": msg153, + "main": msg107, + "nodes": msg260, + "office": msg210, + "osspi_defaultTargetLocation": msg101, + "param:": msg174, + "persistent-xss": msg92, + "removing": msg332, + "sending": msg119, + "shutting": msg48, + "signon_type": msg122, + "spider-parse-robot-exclusions": msg102, + "starting": msg213, + "trying": msg154, + "unexpected": msg157, + "using": msg142, + "vacuumdb": msg432, + }), +]); + +var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{p0}"); + +var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + +var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + +var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}]%{p0}"); + +var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + +var part398 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + +var part399 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + +var part400 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); + +var part401 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var part402 = match("MESSAGE#52:Scan:06/1_1", 
"nwparser.p0", "%{saddr->} %{p0}"); + +var select79 = linear_select([ + dup7, + dup8, +]); + +var part403 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var part404 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var select80 = linear_select([ + dup41, + dup42, +]); + +var part405 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var part406 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, +])); + +var part407 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var part408 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, +])); + +var part409 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, +])); + +var part410 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, +])); diff --git a/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml b/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml new file mode 100644 index 00000000000..d558e7071ea --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Rapid7 NeXpose
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/rapid7/nexpose/manifest.yml b/x-pack/filebeat/module/rapid7/nexpose/manifest.yml
new file mode 100644
index 00000000000..a011a93d869
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/nexpose/manifest.yml
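Review bot: The pipeline-level `on_failure` handler at the end of this hunk records only the failure text, so an event that is indexed after a processor error carries no marker of which processor broke and no tag an analyst can filter on. The `ignore_missing: true` flags only cover an absent field; a `geoip` processor still fails on a value that is not a valid IP, and `source.ip` here is extracted from free-text scanner log lines, so that path is plausible rather than theoretical. I would make the message self-locating, `value: "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"`, and add a second handler entry `- append:` / `field: tags` / `value: _ingest_failure` so degraded events are visible in a dashboard instead of silently lacking geo/AS fields. Whether the parser's JS stage already guards against non-IP values in `saddr` is not visible in this hunk.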
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["rapid7.nexpose", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9517
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log
new file mode 100644
index 00000000000..fac7f43da68
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log
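Review bot: The defaults `input: udp` and `syslog_port: 9517` describe an unauthenticated UDP listener, and nothing in this manifest warns that moving `syslog_host` off `localhost` lets any host that can reach the port inject forged events carrying the `rapid7.nexpose` and `forwarded` tags, since UDP source addresses are trivially spoofable. The `localhost` default is the right safe choice; I would keep it and add a comment above the `syslog_host` var: `# Keep bound to localhost unless the listener sits behind a trusted network path; the default udp input carries no transport authentication or integrity.` The referenced `config/input.yml` is not in this hunk, so whether a TLS-capable `tcp` option exists there is not visible here; if it does, the module docs should steer remote forwarding to it rather than to the udp default.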
@@ -0,0 +1,100 @@ +%NEXPOSE-nci: SiteEventHandler deny +%NEXPOSE-iin: persistent-xss +%NEXPOSE-tenima: Telling laboreet +%NEXPOSE-giatq: SPIDER-XSS +%NEXPOSE-lupt: 2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi. +%NEXPOSE-isaute: tcup +%NEXPOSE-ofdeFini: Using +%NEXPOSE-emulla: mpori +%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: Migration] [Started: tinvolu] [Duration: iurer] iciadese +%NEXPOSE-iumtotam: Invocation: +%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: +%NEXPOSE-tur: roi credentials: +%NEXPOSE-equatu: upta +%NEXPOSE-itam: str Approved: +%NEXPOSE-ionemu: eetdolo +%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim. +%NEXPOSE-siutaliq: dutp +%NEXPOSE-isau: HHH000436: +%NEXPOSE-rumwrit: Skipping +%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state. 
+%NEXPOSE-ssecil: nodes: +%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny +%NEXPOSE-nsec: quidolor j_password: +%NEXPOSE-edquian: loremeu Form: +%NEXPOSE-uela: 2017-1-6T7:11:41 [ntexplic] uto[Thread: Accepting] [Started: iuntNequ] [Duration: esseq] Accepting aincidun +%NEXPOSE-nse: 2017/01/20T14:14:16 [modoc] [Thread: boNem] [Site: iumt] Database tsed +%NEXPOSE-enim: 2017-2-3T9:16:50 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa +%NEXPOSE-msequ: uat +%NEXPOSE-ataevita: oremqu +%NEXPOSE-oremi: ugitsedq +%NEXPOSE-ipsaqu: TagEventHandler cancel +%NEXPOSE-tiaecon: Acknowledged: +%NEXPOSE-itametc: ProductNotificationService: allow +%NEXPOSE-olori: ido +%NEXPOSE-lpaquiof: Activation 2017-5-29T5:37:24 oloreeu +%NEXPOSE-umfugi: 2017-6-12T12:39:58 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide +%NEXPOSE-olu: 2017-6-26T7:42:33 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect +%NEXPOSE-magnam: 2017-7-11T2:45:07 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti +%NEXPOSE-assi: 2017-7-25T9:47:41 [eserun] [Thread: rvelill] [Site: lupta] Default +%NEXPOSE-tatevel: midestl +%NEXPOSE-ufugi: An 2017-8-22T11:52:50 cin +%NEXPOSE-onofdeF: 2017-9-6T6:55:24 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr +%NEXPOSE-orsitam: 2017-9-20T1:57:58 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers. +%NEXPOSE-aea: 2017/10/04T21:00:32 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo +%NEXPOSE-uatu: Shutting down ' +%NEXPOSE-ende: DEFAULT SCHEDULER: ' +%NEXPOSE-mexerci: 2017-11-16T6:08:15 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame. 
+%NEXPOSE-exe: Reading +%NEXPOSE-eddoei: Benchmark lorumw +%NEXPOSE-ctionofd: j_password: +%NEXPOSE-boreetd: tNe +%NEXPOSE-ntocca: 2018-1-27T5:21:06 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm. +%NEXPOSE-iadeseru: Adding +%NEXPOSE-eosqui: iatquo +%NEXPOSE-iqu: Establishing 2018-3-11T2:28:49 quamqua +%NEXPOSE-diduntut: 2018/03/25T09:31:24 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut +%NEXPOSE-aturve: Error 2018-4-8T4:33:58 edqui +%NEXPOSE-Loremip: Requested: +%NEXPOSE-nge: 2018/05/07T06:39:06 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen +%NEXPOSE-tur: The: +%NEXPOSE-mipsa: 2018-6-4T8:44:15 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex +%NEXPOSE-exerc: Retrieving +%NEXPOSE-uaturQ: but: +%NEXPOSE-dolor: 2018-7-17T5:51:58 [equunt] [Thread: mto] [Site: iae] Invocation +%NEXPOSE-magnido: mcolab +%NEXPOSE-tiumd: Dumping +%NEXPOSE-orisnis: umq +%NEXPOSE-intoc: 2018-9-12T10:02:15 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid +%NEXPOSE-uisno: enat +%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve +%NEXPOSE-lupta: utla +%NEXPOSE-ntore: 2018-11-9T2:12:32 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept +%NEXPOSE-ostr: amcorp 0.49: iadolo +%NEXPOSE-mali: 2018-12-7T4:17:40 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni +%NEXPOSE-upt: 2018-12-21T11:20:14 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine. 
+%NEXPOSE-eosqu: reetdolo +%NEXPOSE-ten: 2019-1-19T1:25:23 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel +%NEXPOSE-Neq: rcita +%NEXPOSE-quatD: 2019-2-17T3:30:32 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud +%NEXPOSE-atquo: 2019-3-3T10:33:06 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape +%NEXPOSE-Malor: 2019-3-17T5:35:40 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown. +%NEXPOSE-pta: 2019-4-1T12:38:14 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq +%NEXPOSE-ptate: oloreeu credentials: +%NEXPOSE-iscinge: Populating ora +%NEXPOSE-orincidi: ScanEventHandler: cancel +%NEXPOSE-mSecti: Updating ius +%NEXPOSE-aturExc: 2019-6-11T11:51:06 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq +%NEXPOSE-ipis: 2019-6-25T6:53:40 [nsecte] [Thread: miurere] [Site: tat] persistent-xss +%NEXPOSE-olupta: 2019-7-10T1:56:14 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui +%NEXPOSE-uunturm: 2019-7-24T8:58:48 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow +%NEXPOSE-agn: Stopping eritinvo +%NEXPOSE-uisaut: 2019-8-21T11:03:57 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo +%NEXPOSE-ctobeat: common +%NEXPOSE-olab: remagnam Destroying: +%NEXPOSE-adipi: idid Destroying: +%NEXPOSE-lore: 2019-10-18T3:14:14 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru +%NEXPOSE-mco: 2019-11-1T10:16:48 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. 
+%NEXPOSE-tenim: 2019-11-15T5:19:22 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono +%NEXPOSE-tempori: sedquian +%NEXPOSE-umfu: No diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json new file mode 100644 index 00000000000..8dd35489c83 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json 
@@ -0,0 +1,1901 @@ +[ + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nci: SiteEventHandler deny", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 0, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iin: persistent-xss ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 36, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tenima: Telling laboreet ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 66, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-giatq: SPIDER-XSS ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 101, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lupt: 
2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 129, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-isaute: tcup", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 309, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ofdeFini: Using ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 331, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-emulla: mpori", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 357, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Migration", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": 
"%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: Migration] [Started: tinvolu] [Duration: iurer] iciadese", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 380, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "iciadese", + "rsa.internal.messageid": "Migration", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iumtotam: Invocation: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 494, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 526, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tur: roi credentials: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 574, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + 
"event.module": "rapid7", + "event.original": "%NEXPOSE-equatu: upta", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 606, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-itam: str Approved: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 628, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ionemu: eetdolo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 658, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 683, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": 
"rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-siutaliq: dutp", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 857, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-isau: HHH000436: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 881, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-rumwrit: Skipping ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 908, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 936, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": 
"rapid7", + "event.original": "%NEXPOSE-ssecil: nodes: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1063, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1088, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nsec: quidolor j_password: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1188, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-edquian: loremeu Form: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1225, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Accepting", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uela: 
2017-1-6T7:11:41 [ntexplic] uto[Thread: Accepting] [Started: iuntNequ] [Duration: esseq] Accepting aincidun ", + "fileset.name": "nexpose", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1258, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "Accepting", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nse: 2017/01/20T14:14:16 [modoc] [Thread: boNem] [Site: iumt] Database tsed ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1382, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Migration", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-enim: 2017-2-3T9:16:50 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1468, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "atnulapa", + "rsa.internal.messageid": "Migration", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-msequ: uat", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1577, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": 
"Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ataevita: oremqu", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1597, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-oremi: ugitsedq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1623, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ipsaqu: TagEventHandler cancel", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1648, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tiaecon: Acknowledged: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1688, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + 
"event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-itametc: ProductNotificationService: allow", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1721, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olori: ido", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1773, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Activation", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lpaquiof: Activation 2017-5-29T5:37:24 oloreeu", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1793, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "oloreeu", + "rsa.internal.messageid": "Activation", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-umfugi: 2017-6-12T12:39:58 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1849, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": 
"rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Error", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olu: 2017-6-26T7:42:33 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1947, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "tect", + "rsa.internal.messageid": "Error", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "Upgrading database", + "event.code": "Upgrading", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-magnam: 2017-7-11T2:45:07 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2052, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "Upgrading", + "rsa.misc.action": [ + "Upgrading database" + ], + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-assi: 2017-7-25T9:47:41 [eserun] [Thread: rvelill] [Site: lupta] Default ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2178, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": 
"rapid7", + "event.original": "%NEXPOSE-tatevel: midestl", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2261, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "An", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ufugi: An 2017-8-22T11:52:50 cin", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2287, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "cin", + "rsa.internal.messageid": "An", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "PostgreSQL", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-onofdeF: 2017-9-6T6:55:24 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr ", + "fileset.name": "nexpose", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2329, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "PostgreSQL", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-orsitam: 2017-9-20T1:57:58 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2453, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + 
"observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Remapped", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-aea: 2017/10/04T21:00:32 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo ", + "fileset.name": "nexpose", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2645, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "Remapped", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uatu: Shutting down '", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2805, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ende: DEFAULT SCHEDULER: '", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2836, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mexerci: 2017-11-16T6:08:15 [urEx] [Thread: ditaut] [Site: 
ctetur] Storing ] [mvolupta] Storing scan details for squame.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2872, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-exe: Reading ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3002, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eddoei: Benchmark lorumw", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3025, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ctionofd: j_password: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3059, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-boreetd: tNe", + "fileset.name": "nexpose", + "input.type": "log", + 
"log.offset": 3091, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ntocca: 2018-1-27T5:21:06 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3113, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured", + "rsa.internal.messageid": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", + "rsa.misc.result_code": "exeacomm", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iadeseru: Adding ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3392, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eosqui: iatquo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3419, + "observer.product": "Nexpose", + 
"observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Establishing", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iqu: Establishing 2018-3-11T2:28:49 quamqua", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3443, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "quamqua", + "rsa.internal.messageid": "Establishing", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Deleted", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-diduntut: 2018/03/25T09:31:24 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3496, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "ntut", + "rsa.internal.messageid": "Deleted", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Error", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-aturve: Error 2018-4-8T4:33:58 edqui", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3656, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "edqui", + "rsa.internal.messageid": "Error", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + 
"event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-Loremip: Requested: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3702, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "0.16", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nge: 2018/05/07T06:39:06 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3732, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "moen", + "rsa.internal.messageid": "0.16", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tur: The: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3839, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Renamed", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mipsa: 2018-6-4T8:44:15 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex", + "event.outcome": "Success", + "file.name": "abo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3859, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "suntex", + "rsa.internal.messageid": "Renamed", + 
"rsa.investigations.ec_activity": "Modify", + "rsa.investigations.ec_outcome": "Success", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-exerc: Retrieving ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3976, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uaturQ: but: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4004, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-dolor: 2018-7-17T5:51:58 [equunt] [Thread: mto] [Site: iae] Invocation ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4027, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-magnido: mcolab", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4108, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + 
"observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tiumd: Dumping ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4133, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-orisnis: umq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4158, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-intoc: 2018-9-12T10:02:15 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4180, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uisno: enat", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4277, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", 
+ "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "suntexpl JVM frames", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4298, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "suntexpl JVM frames", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lupta: utla", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4372, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "AssetGroupEventHandler", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ntore: 2018-11-9T2:12:32 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4393, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "AssetGroupEventHandler", + "rsa.misc.action": [ + "accept" + ], + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.name": "fld1", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ostr: amcorp 0.49: iadolo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4514, + "observer.product": 
"Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "loading", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mali: 2018-12-7T4:17:40 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4549, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "maveni", + "rsa.internal.messageid": "loading", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Closing", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-upt: 2018-12-21T11:20:14 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4659, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "Closing connection to scan engine", + "rsa.internal.messageid": "Closing", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eosqu: reetdolo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4838, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + 
"event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ten: 2019-1-19T1:25:23 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4863, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-Neq: rcita", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4968, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "removing", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-quatD: 2019-2-17T3:30:32 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud ", + "fileset.name": "nexpose", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4988, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "removing", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-atquo: 2019-3-3T10:33:06 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5109, + "observer.product": "Nexpose", + "observer.type": 
"Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-Malor: 2019-3-17T5:35:40 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5207, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Setting", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-pta: 2019-4-1T12:38:14 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5391, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "isq", + "rsa.internal.messageid": "Setting", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ptate: oloreeu credentials: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5504, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + 
"event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iscinge: Populating ora", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5542, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-orincidi: ScanEventHandler: cancel", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5575, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mSecti: Updating ius", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5619, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "No", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-aturExc: 2019-6-11T11:51:06 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5649, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "eaq", + "rsa.internal.messageid": "No", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + 
"event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ipis: 2019-6-25T6:53:40 [nsecte] [Thread: miurere] [Site: tat] persistent-xss ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5756, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Activation", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olupta: 2019-7-10T1:56:14 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5844, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "psumqui", + "rsa.internal.messageid": "Activation", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "AssetGroupEventHandler", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uunturm: 2019-7-24T8:58:48 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5958, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "AssetGroupEventHandler", + "rsa.misc.action": [ + "allow" + ], + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.name": "fld1", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": 
"%NEXPOSE-agn: Stopping eritinvo ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6094, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "Shutting down", + "event.code": "ConsoleScanImporter", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uisaut: 2019-8-21T11:03:57 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6127, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "tinvo", + "rsa.internal.messageid": "ConsoleScanImporter", + "rsa.misc.action": [ + "Shutting down" + ], + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ctobeat: common ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6249, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olab: remagnam Destroying: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6275, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + 
{ + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-adipi: idid Destroying: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6312, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Job", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lore: 2019-10-18T3:14:14 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6346, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "stlaboru", + "rsa.internal.event_desc": "Job execution threads will use class loader", + "rsa.internal.messageid": "Job", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mco: 2019-11-1T10:16:48 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6512, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", + "rsa.internal.messageid": 
"com.rapid7.nexpose.datastore.connection.evictionThreadTime",
+ "rsa.misc.result_code": "uaer",
+ "rsa.time.event_time": "2019-11-01T12:16:48.000Z",
+ "service.type": "rapid7",
+ "tags": [
+ "rapid7.nexpose",
+ "forwarded"
+ ]
+ },
+ {
+ "event.code": "Restarting",
+ "event.dataset": "rapid7.nexpose",
+ "event.module": "rapid7",
+ "event.original": "%NEXPOSE-tenim: 2019-11-15T5:19:22 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono",
+ "fileset.name": "nexpose",
+ "input.type": "log",
+ "log.offset": 6777,
+ "observer.product": "Nexpose",
+ "observer.type": "Vulnerability",
+ "observer.vendor": "Rapid7",
+ "rsa.internal.event_desc": "iono",
+ "rsa.internal.messageid": "Restarting",
+ "rsa.time.event_time": "2019-11-15T07:19:22.000Z",
+ "service.type": "rapid7",
+ "tags": [
+ "rapid7.nexpose",
+ "forwarded"
+ ]
+ },
+ {
+ "event.code": "NEXPOSE_GENERIC",
+ "event.dataset": "rapid7.nexpose",
+ "event.module": "rapid7",
+ "event.original": "%NEXPOSE-tempori: sedquian",
+ "fileset.name": "nexpose",
+ "input.type": "log",
+ "log.offset": 6884,
+ "observer.product": "Nexpose",
+ "observer.type": "Vulnerability",
+ "observer.vendor": "Rapid7",
+ "rsa.internal.messageid": "NEXPOSE_GENERIC",
+ "service.type": "rapid7",
+ "tags": [
+ "rapid7.nexpose",
+ "forwarded"
+ ]
+ },
+ {
+ "event.code": "NEXPOSE_GENERIC",
+ "event.dataset": "rapid7.nexpose",
+ "event.module": "rapid7",
+ "event.original": "%NEXPOSE-umfu: No ",
+ "fileset.name": "nexpose",
+ "input.type": "log",
+ "log.offset": 6911,
+ "observer.product": "Nexpose",
+ "observer.type": "Vulnerability",
+ "observer.vendor": "Rapid7",
+ "rsa.internal.messageid": "NEXPOSE_GENERIC",
+ "service.type": "rapid7",
+ "tags": [
+ "rapid7.nexpose",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md
new file mode 100644
index 00000000000..3f5a6faf1be
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/README.md
@@ -0,0 +1,7 @@
+# sonicwall module
+
+This is a module for Sonicwall-FW logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124
+at 2020-07-07 18:10:49.816563 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml
new file mode 100644
index 00000000000..fcc2abefb79
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: sonicwall
+ firewall:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9519
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
new file mode 100644
index 00000000000..6b882920797
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
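Review bot: The sample config for the sonicwall firewall fileset omits `var.keep_raw_fields`, which the module docs added in this same commit describe as a supported setting that defaults to false, so a user reading only the sample config cannot discover it. Add a commented entry next to `var.rsa_fields`: `# Toggle output of the raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. The `var.syslog_host` line could likewise carry the docs' hint that the listener stays on `localhost` unless changed to `0.0.0.0`, since this template is where an operator decides the listener's exposure.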
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: sonicwall
+:has-dashboards: false
+
+== Sonicwall module
+
+experimental[]
+
+This is a module for receiving Sonicwall-FW logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: firewall
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `firewall` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9519`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/sonicwall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/_meta/fields.yml
new file mode 100644
index 00000000000..13a72000b12
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: sonicwall
+ title: Sonicwall-FW
+ description: >
+ sonicwall fields.
+ fields:
diff --git a/x-pack/filebeat/module/sonicwall/fields.go b/x-pack/filebeat/module/sonicwall/fields.go
new file mode 100644
index 00000000000..bfbbb4b0c3d
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sonicwall + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sonicwall", asset.ModuleFieldsPri, AssetSonicwall); err != nil { + panic(err) + } +} + +// AssetSonicwall returns asset data. +// This is the base64 encoded gzipped contents of module/sonicwall. +func AssetSonicwall() string { + return "eJzsfV2TGzeS4Pv8CpwfzpJDpsbyx97qZudC290e940k96ole+NiIipAVJLENAooAyiy6V9/ga+qYhWKZKGKkrV3elBIJBOZSACJzER+fI0eYP8SKcEp2WHG/oSQpprBS3QfPvr6x1//hFAOikhaair4S/TXPyGEGiC0osBytfgT8v96ab83f75GHBfwEnHQOyEfFpRrkCtMYGE+r3+GkN6X8NIQsxMyb32ewwpXTGd24JdohZmCg697ZIU/b3EBSKyQ3kBAj2r0aLcBCfY7LfFqRQnaYIWWAByJpQK5hXzRm4VUuEfyWoqqPJ/gLoOawS1tHLODScRxxIZpBirU+uDzYeb2OPh+Q5X5HaIKVQpypAUiuNSV55XEO1SAUnht/o81IqIAZUgX5vvO0Ai9Fmt0DUTkIOOkurFol6hhggMkbIHrzBA/GtQjncwjzxhlOUME18C1MjuOcqUx1wGRilKhaREnIce6+0UfP3VYzSAIa7TbULJBGClQigqONlQrhNFb0L9SzUGpsAqL3hLV01EbUbEccdiCREuo17/EUgF6Axob0jBaSVG0UD15Ldbq+R0mD6DV097w11QC0Wz/DGlPN0bvwB0wt9N4i8xFlFUMtsCivGKCd/f6Aa+uoZRAsPa4clhRDjkSnFnEGi8ZoAKXcbyFWmcjtuaRdXrjz8zt9Tdoi1nlTw/NgWu6on4PwSMmGjGxdjyXPWZa+qkZ3q+4/Z1haYmlpqRiWFp4vziLwdXtDZ202rHV7Y08vNqDTN/OzfUX/5/rx7lusKayfNohE8t/ZpbULuM/Iv4tjouXiyOXoEQlSfJdNH3q6SdtGm6lsYYCuP406HGVU50Rhjvn4aMRAFzL/adBvTGawKdBTfkQ6sve5OGcfcoVzwHHz9plp74CyMfpyQM3asweaP0wmFoGX+8G7F1P07TMzg3YG/2EljnMp45ROhufeMsWjTLIMaQ3kZkYhCI8Gs0gMo9SVnH6WwWNEibrGfqP9oeGy5XgxAhLrMUf3XoZOPZbOlXwtPl3ZQaiK0pw+9QZQ/vGmMTo3go6VPEcpFFRJXiB0Zvcij5CjhRoM8gB8CEONazQBjb3xp6s0NZs7g09iu19z0mKpZ+2uXqUj5j1uFluhErWo9p76yehdFtUse6uUsBzytfhSxVb+pY1//lwkMY3Se/jQdbd3m2/QzjPpZFZQ4eyy77e/LT4XNm3/WE6A3/4f5eBhltznODu6XUujbbfIkcYrekWeO2u+HwvVcOiIQv2slp1/mmUoc/Dizto8Ipyn0n4LWm92k
8TdpHszJZ7y8cbNzi6s9v9mff+aYze70tABPdP8hIQUL0BiT7ccv3ND0hI9CMTWH/7Ai2xsjshOPZXdF1JqwqdmFlcwfuMZ2YfWaYYRTPYrgZ6LdKdJcfssjD2Z2+8CrnDMp+gxrRkR2tibV7d3v1yoOFgJIHh7rIgpPZKQ+GvHE+YGW0Dbj8pxx7zfyHpmnLMAszh7X1ipukax5EHztu7X36ITNIT2Jvr9EnWFPX5OIckbzZbX1VKleQbwDnImV7GfrKDodvrKS80jqL2Q40dJu2d5g/thGEkm8EPg4PicdsoHnazG4X7SjAGRAv5OQpCw5+LvKybfUMVIo45kBtaDlSz16J7yaMjrPwDWiIFWX485awQygaPFIKj5b63LAhJ+K0Cpc2AihYl2/uVMD82AhcBJhukaA7oyZ+R3sgKvfj++6dohxVSALzGcmSuH0ldO2OuqhRcweUmS/5AK0tExXVtr1bF0gkfc+BUdAT0BC/FFlrTpTwabRTEjNIScDG4y8kfaOk/MTMgp1VXqzmPFV/ENKnaaKUrRPU/qhd//uZflROez0srqgJZ/+jR+w9jp7zGe5DoBbrhBJeqYs7HbUydURI0NvpEN3QkVimG5dsX6N/MdJ+hb79F/4aIkEZ/tLPwSJ+h/870/zQ/pAodMuWL6CJxkcMntMH4DjKCGVti8jBV53PoudB2c2PtdGXDCOB5KSjXVt3WEA/cswucgZQiOVak0YBUCYRiZmmytCgtpNEW+d7dwuaLLWY0d8sXQ4vQSlQ8N9KagSWP8rVXFk4GAx3u297Ic7yd+E17xEU/wOc9Ezj/eHeGR4gU/R1QAVpSEtGVvYnW/rG10dzlGMSduSSxbnQ4sQoLs0A/iZ1hft8WohwJaUwILdADQHmCLR/p9vhM2CIFAaWyLc2zPP0d6iZIgDVwkFjbo5gbHrXslS2VusLMmIsHPlIeMZ9pQY3BZ18A7XQdnf5A3l4jaeSissa6ZQuWa9D1z07OVcnkkIpPPlcXDXN8rjLRsd4XsbfXwb/2DgqhAd37XUkk2GtpuR8SSeZPcHp/Bk5ujylTJaPTXmT/0Kaioj1V9mOFDdLf0+LH2ra9lad+R4a9EbRpL47/a7y5uGO+ouwib4tmXKO03129uvP6HMHcMIAWpZBdLQ7ZC+Wze6CtPpbx/MGJfWvkWbMw5hA7NBOrBqQxBt29b62+BXrx/Q9oZzlbAOYIMxa3Q63z1aoNjX8B7UCCGxZrxAArjQTvBCsfsukjKEafN5si5y3tIctz51chc8saGxUBZMMFE+t991ljRWVPM0Poe0Q2WGKiHZvM0dtbCq1zk6OK+4gBduDbHMxgSklWc0+M01y2R95zrK5bGNVJ8OC0lXg3KD+sFOsoS5hYPcx5hLm3WQUhlQwjKo15jmWOuJAFZvT3WLSdkEWUA7l/gT3CBFEteyJ8FBsaump0zxldgZ1TxEBUQATPBxTDZskypadZ4kdIppyIomSgo4s46O7CVvHUknZETivvQOqLbbd7M3p00w1tuMP9M7hJCsH15mxWN1k957+aN9EM+cXYc8PzSzDHDPm74NMzOo8IETN+UH5cSNr7Lpd6B3rC6XiFNDxqv5HRFqRqBfvmx2I2Imt0etH3gM8ntUmqIELmkE+R3v653AtXVY8Z7rfwZl7/sP0G15exUhQLO2plE/8UAY4lFU7xKyqm6deagkS4LFmIoG4ywQvM8TqWlIQQs47pYDM4ohytClH9pUJix53XXuOi7HpaPMUGmyGxv8+1QmRDjf4rclAL9KZS2irS7UHN/sd6IB4NaxhchqPHfbUylG1hnjvYLlQY0s1fwgokcOIWFRvlK6dbmps71a5p/Njfh2P/vsOA+DQeSypnnEPDdeenfjT7hWq2d9NRRkQYXcCgtdvouL9o1NIMGszPjHSqT/+iN2gdoCGq8ae56KkBp2FqLo3fdlaH+K2CasZFMzvFrVcjL3ZYIYsmH1ghi/6b8VMfdeEcTD
vpnK4LnSTZ10UavjJLQldmaZpKOe6IHIK9SIBLuvFaUuZSqm9H7Y3KoJ7AHCWThg/sqfOW4rprxEsnAzHFWMSkp/acp6ioik13xw5oh6LSRBTw3GGpVTYbzSZWvbXC3E/jQPUdWCpjklM9LfT1COlhfJ8Q0PKHHjP8pqYq9GqnOEldx+Ka0aw/tgRCV7RRBuPagnNyDuX9et1jjpfrCBNrdwDNm4DPYIrm3vkYpcyr9PMx8pdDG6Gt4QqJfr73IUVUhUenroVs8QcuD2U9qFIoOuoQnrUDrCHAc1cVwIYihlMymM9dMZ1NSWQfeax5VYCkZOy5jlI/S0T7EdLbUe31DnVH3J2kHvFb4LmQPpToKO1i+c+LZEmHxwWx/CeQuI5vUM+RJ9VjmZE3x1E7yTetVscX/a3vs9r8kfWW8AbXkVNcaITRxmdlxsODmFhn4dnxQkIubIjRQm6e7NsDSfE3+8Rta7vZoxhX7wSjZD99nx45Y3cWhS8yx9l+QE5VbFrsVpwJ7yoGFnVcvAiu4XG6vlOjvOXO8m4qIOE8V+YvexVgFlDG0oFPXClkg/kaMg676edqyPkNu9bDjb0ctZZ0WWlonbZ+NJ9yxBltri3S48dQlXiEaKhnz+iEEjjHJm6V8u6rrUPX1g0ipoSNuzaTDkVTVPNWLrcgF+geHGMrBXKB12BL3fmIuZWQgYbe2GEYp9cRC48cfCsDUki0lGJnvgufej3GqdaDtdpu8zss9XhTvgYdb0f63St6uRHz7V7B8lrpuNTmFSV4l3X6DfKKI8xA6vrdVTbD+s+ca9YfxVaymX2ejShUOeKCfy2hBKutHnuNsorjvEKWVFKarVnrpHY1rI7wnDr/b3Bs9mjfUb3xypSTfejaIlza+FCOBP96Lcy/j0hGe3lmEaVk0sxwyxn93KIwZIgVMidNU1ALdN+cz26ZzHZMcipNVy6YvVJGUXVJD+6JMvfCyjMPI8IqpcO28f/psdqCUGVWw2fmeGvRqE322+Gr+QK3stvpcevJJa1PUQe+PKU+GzquLR6ElRKEWm+N4WhU77dMf00f4CXCqNzsFSWYGTPv4Rkqpa1I+wyBJl/G1SwscTx7YOTl5eJXJS5Ag1SoxMrWKVA2cc9lphFRFEYiiIPHm37IKmhyVNFw0vNyukZrHS4gqJ2wI6Ioq/5ZSGI9RjvKc7HzkTdEcAKlfla/ig1OtzeRVcXYHv1WYeacNrkoMOX+fPIWIiYGRHnbW3P+NX5kckYZeU35A+Q+ijYElmFl7XWvwJpvvqiRL2h+jPmsl+c3UWy061Q7E7CLIhDw8/3lMP9cep8Quu+nOtePHiAL2i1RPd3540e19Lh9eFxP+3a0nraibI7zUpP9ox2vPhIS8ooACh5giDsRFEiKWRa5ISaIzXs7aFC6ujK/JdSNTB20wYA8qIFEsDn8UX58I7w3WG3q3W5Ujkg0e2UsTCOaQoRpHc5+FUbqlCoQW5A1moWSxEDV/+9nJSAj3ziiNp6g4oQBluYjWzajIc2HsXsvjQwpAqf9k05UVP1c9U8so4kolpTXlePaItonIMgR8npLZaXm926071CLYtjLMddzRGTjXrnxXZ2VYQ+P09JncLzVLHAerttr9Nad6Sc+JQ65Gvs+ycNgf3rM+XUZX2DL9XV7bdniQ6vrA9m34w595y6IwRG5cEttTt2OqripsVX7aXUTD19JfFKNu+SO+tC4M5JmXVvDvqt6aHR7fVIPOt8ncUIPMqhf8LzRhxboykXr+2pBzH1xXBcyf4Q8/MU3X3gHxbLSdRy/0LVwrjgD5eYunIDdCbTFkuIl60WMu4Q2ylHJ8MCRU8DVxAzQg0Vpq0Fu7IU59ebWDLHo1KzV/fPbu64GhnxJJWfbDWXLDLYRODsyvvHFOjLQLdfonq45tsdyYCOVQk4r3/RlTxaYrXQXdAph66nYfxpUrVNj90IuIsv79uf3iHLCqhyMaPCNWQz4Aj25ecRFyeAlunPGpx
vWyrpF3Aa1HvYLvDNYY74RtXHcVD0YdS6KeUTQdss589aLyndUPRx54NCSrtcgpxSuj0/7l7an0WOxms9GgtoIlps1dlbTQK+Og+eoWay4/nuUl2FP3rmb8WmdUHh7HQ+wPPvFypjW2exv85az/n3eNjNxPg1VLb82CAW3GQUrW65X5BUZ0tO9ynOx2IE2bbVsEdJmXhk5FygYqCuPZb7D8lKxFv1aiUYWYS96DZkDRbqeGJGD0RtMQmWvuOJkjvPMmqzgXwflRx4/0c5iSGiEJAGrhJgopbGuzlesahscU3ZB1dIMvxSPiObPh6WukfjVPDQYnB96pbDcvjJ44hs9SN/JVfV7G+a6X08/RQhTLqrz3wxasZtqnbADjXQYZ4b1PDrfjQadXgXkgPmvGDOnFamKEFBqVTF0YzAgInJQhvmhSFNcx6M8h8fRk2BU6SH9YeJpskNbxVYGNEuQ1qtfYEmZfamN+Afc2xBfI2wZ8bWBjdLOk1Y89Na7mObix0dP6kiVEqQqfUKCO1O9afsrpAmMCznOTweCxp2J3Zfm0x8dW23kLPHOTna/Nl9iyhXKQWPKIqbTUlS6BTdAvGAXiEkJXhtcxw1YTMMiXENRsgmvtq9Cq8XQwqD1guSjVIz2sgXJ8N6GKWvhxTp6Etn75gtraXhoWIU8FudzU5rqypbqQFHSGy2tn5R8+mCM9Aq3bEuCx2NLOrtEFIXZm6kLduXgEW2FE5VSbGnuLOxQVyDWn7G+awQ55kAfb0//SFlz95N2tEL82nks7SPzpeRXGP+y8uufYjlotyZP4H+LpXdZxndqSaeUB7q2QUlufe7vbtFt78JtI5pQm8fHZB7HMSrwuM5eWI9U8cfYxD6KKq5muQOVLUU+Pea4F7fdvbJCf1iDbeD63KTkTjk32ix5Ny2Hi0/XcGE2tReQrmleuygHjPFivKbcS4I562YYc1XX1JXVNAEZug3dfXBZnMENah/HHoFUbRvFPVsvIZZSEDJ6jz2UzWJIRT1F+aFBVUfD4y2mDPcddKh2DyEbD78CKQeqEbr9GPdwzefX9apf4ROCnZO+798SYd8uBmQALbJllef7BPuOFtnIONUWZKVgqJDYUVs0BUZSMSpbqhMwnalqnmA7qtqxJq6Wim04WcdJNznnHmesOHgTb+iOVuP6Oj4N90o9ngvbGS2Cq19u0BMf6fdLxYxesqTMBhjal+abx1Io88un6Ou+GcO7Xr4HLnb8QHFUQCqburY9HH2gawDBsxja3QCQq5Bp89YHuL6GNSZ79GFQgWV0KfFlUn/80AdsohwVmPKVsYyOPlKVWNpeH3NkVB2oCHd2YPRW5C7gqClu0HrXjqBFJ+5f+/hippquUR7m1b+FHfqp4lZ9fiNyYOgJ5dvFV88QFeQZWpq/wPyFOWZ7RdXiq7gfWZMyWzHc6041/gY+1LWu7pAd1tq7VqrsQwFhsTqatKXFRFrcp0tPSUiYUiDNhoqi3BZj5VAH9y9vfjX2+3sXcvPVV7+8+fXVu5uvvnIxMFssMR3cGzshH8YlZJzcyr+GIds+2kEzGfPx15eP7RybG1iLOEyMCNwnqYsrIYErSsYdqJY5mYS1SLGiIp6t88GyHaZjOo03IQdEJCyp3TDjE1JUtUzeBnqZKy3HZ7LY3I1ZuoE/m0+Shgi+KY6D1ODEpiRw72LywYFNnKKPTzRDrOigwRgmM8E5kTqZaOZqZCLdgMu4sDhST2G84WPI89rUu/64jXriam9faCPkLe+SR3WUjAstYfCbH6NAiFkeYA/439K2n+g68im8XNuKHE+t+Ryx7k/5+kMJJDqPz9SGw64wZYZfIeHwzp+/2+t2XK/NnjYqsIZ1JHFo+C0+xPVk5iqPUpwS3GNDenxMp7GMKt61VXv4+VAa71T8b+FR/w3i+kuNXQ1pMVOx32Oe/7uIe1Yb7BprGj9lk/H3hz5ArypVUkLFiPiIj2VbWPp2WPK+q+3TE6d4UWYiXTjdv3
1zh352Ho8mHCOO6reZn1/u/+M1+q0COVCtpWI8k9Ct+jH1yaflutijdyGkNvq8W+tpZJT4b4OJ8WXaDFg5YDyegtMR9+oZkHlKITrMsCyS+GIAk4wXXI4K+6/BqnxEZ4ADqLG5wAfAOdbd2/s05BI42RRYnh8WV0PuS9xr5XCGDxKT3vPmmVDZJoGvBFZjgylr0NXaJpMmAYrlP5PgSpxQW89lviYshnX6D/WUPQ5pc7ULMNdtAmKeYWLLFqaEsRloxUep6C3Q5brcfscf9SZBWhKeES2NjTKuMlUL3sAOeevOAN2yXkPos2CBrykfFbjbB06LKeHZKlM7qknCvubZiomdwkXKa1EbmuvtFPgkPxbhGeXTtjnlJchiuR8RktODLslDKrhtjpYEWmalFFpkKa44C7/9LrM2awo0m7DfmFhnY1r/d0BTXkIJzwr8mGl9vsJ7CGpWmEGSWCgoT0ZM+RTEJVMZW7JsvPP0APrPk8AT6gG1oMdnqbehx0dEt6G/nwQdb6x+LvS/TIL+H5Og/zUVWouS4SWkbfUaPkVV4llRMXt5L/dJ8iyAlw9JcryoGF0XZertbe4/zNbjH408LE0T4gp+Iym6N8+UezJN4pWSJFU7M6Cp2pnaq6pMqo9NeB1mnajcaaGNggGPSVtbC22UpHRoq54kglecPnLMhYJe28yz4Lc/GNqTxcL2B1HqDeA8yQQSRZkRlmRDG9Akl4aFlLZNVhqsSoQtqyzJP0Ek1ZRglhT0pTK8Bk72o96U2tAcs/3vkC/TcG8zmwyfCOvSeFIxu+fsRHhjIf+QaiGrbEn1vyYmHxKVja1t2gGVIuEoq8TNaeGAyJRYPOU8ASPqSrZAQW+cNyBF+Xbg9rpKBHe1b8ZkaLagV5RBmi6islUau+hqXADyIWiapFXGCObwqLPEY2Rs4Fzpslfk52xoJUkidOgclwQr1lkBOR0RjHkITXkqxwuRVwwUEWmz9uB0nXQqRKl2WI/sRNGCj8UEnAkqYU2VljhF026gk24q10kxccpywpyVrSMik0+ni2pwS54EbxuLJl1xLugoHfWUy3m3EVRlrs5zCvweS5y44PlAWOV5sFvXwWA8JFUad5u1ngWo9LKS5xcSDXDgaq6lwVUJ+FLu4RBLOh7QVu1ZpZRCH46YPga1xnk+ftVpPt45FxJokiQKLTIihSgSs28MaJJSRIss9RHO5+6kTbd8SEgWKlVKKjMtVSnpaDCGNdVVwrsNoxzGpJI0cGpkLa4a0gY+ppggTLiM5mzFRIJwrMGTQgCMppew3w1Y0l43umESugSvLRPrxKXk68RtVwo5/nAUy2qdtnUKqkjadi1U4gKmVZ/hoG3qSwJkwil2pQHGv0o5uPEPSny3G68rJMYJ1e0aEiAT5L2QdJ1FqrWdAbnjIFNkS5kldhAss5EVpBvApDYODXjSLO1JGr9JPWBKO02n9CegxEqZLzOyOT+etQfs+nKOhwdZrI1d3MuoPg92lwiaIuZc/tKHD51Kn2eBSrHOsCpHlfxoA4/p8hDgJGCWdvNIIJZal62aDJ4yWQM7NkG3BStknoQ1xURTSdanctZnkqdUwXgXqSunm6RGKPgthZmxNNgRcEmKi6LrpIOpyvF2i5IkbeUlyROuWiVJLMv3LNBRLZnaUJVKyJncEj4+CCFaMfQ0mEuyTGgavtYpi+DAUrxGdcXI8ZD7MiFztcqXia/WlWRJUqlSILOcjo/fTCxMEnwiacRqktYuf5tRrjReJUnSLZU67SreljwpxUELWfGL9Gp9VWmB3lUc9QavvdCTCsT9ghnN0ZWEnGp0hWXuc8aOtKXx9a8mzXSoDqQdxjVdtRGzRDAUCympvb2UT5n9TVEysYdeQbyTPFiJakR6/Ll9eTehpY6tLSZhDY+owN3Q3cajx9dVt+zKDGQwqmyBjTC+arfSVFVpS9T3UyUR2m2wRlSj0rXnjxN97Cl1TKmQeHt3V/E8IEGU+0oGA5ndjPLpFb
BbxJjx2pQopMXaNtlZNL93HSN63OOwBVkXUdIClVgqQG9AY1tx2J2Kul8aevJarNXzOxfc9xRd+zJerj1Jb3SbRvwOfLFYSzZHb0H/SjUHFV+r/tZLZM/KlhOud7Md3k1HAZZks6CcDhi8Es9TDKEjbFxvPUY5PGe44rZ26roqfFn6I6UQOpUPjlA9R8p8TXWdKO8rvg6o9IaZ2by9kF3PLTMweg+P2u7OIaPgog2omyJxJ3pQ26zcSaWKbV6uAh2aAx9JnT/27j2+NkRoJbsK4zoJ1rXw6jfZQ7PIYe33BrH1DNTLKP3j6nif0Tk7h8fb63CI7OhDJdtHPkSP3C51Cwf3uF/jQ709WnPTQ1yKIl4XjK5pE9IVbIiyAiGskALgB30y48aLxFxhMkux1V6WuBuc+wZOdWvt0C34CFklyIK6i3A+sppBXeEWuqUM1uB7eWCl6Jo75jeVuQfaGuDlXN3qB5bcYjiy45YXbC0x2D4kts1bFA3lFqZVugn3Jc1DW9u6Y5Jt2Dhw6BCKxOTUWpuEgSCp0QpkaBTWCN7Q38ngGFBhd5IOOHpmxG+RDJQuvOT86/6ZPQJaD5A70XkfT7l6MKNYZRsxg3bX6Y5pa+I0ZaBsR59WwaN4TDVyG9TQw32LbS40sq0yF6+YEsa06TQvsVXIf/IQC/SK7+v/9UbX1jpSXCOcL0JH47hgSnR+GdKnKMtfdPlpKw8eMJX6ts7GmmhXKA+zjjcS9jsmG+tZPddgxXuQ6F9qj4F67hFZ9EP9S8bGbV1+7/GGqoPdd5Sng2ESp2TBl92yOK4l3duf39+Y2YEEZzRaj0xOFZFQYk72Rivxlz/r97I1PHiG3r95iW65/vbFM3T79vrmP1+iD7dc//AderLb7BH3DRjJRihfxk1IY73aX33zw//6b0/jve9AbybJi+6MrQRaFDheGklN3iMjD5SvxH8b0MYPU/6xyWqf8xO0DSb8nX0xxSjqKDaNDhqam75+9TZKzu+CwxQ7PG39/o/gsIjz5/cxfQA+wmVnSD0taiwbP829coSXa6xhhy9SWNrusjv0yjXPC7sthrC+TkhRDvv/p/o1b6/e3Dk5PNwrHs/Qy2/IlHZ6TmhdentnkA1Y9YYPg7VgZuGDGX2YD0EHyFxNsbkPW7vXQu460mHWPFW0KpHHZfesy2SUd3tYhD8t14cL1UPWxNYk6gznimmM3noa7oTUtYjqCSHXe8Iy0XefPy6J1Oz8cxRTvg7iMxD+Zoh5HGL6/XxeIo/f2iBYKUGoLRpvreXe7YqMnJKYr2FRq8dE8BVdVxJytNz75v6u1f1Ad5rBlIJeoPCANhUddpWUqcBG6Xft0MoEg0lCITRkPkYo5eU3ZYo5VxnOXPhUEnCpZSr4Kom9q6RYbJa2AdIzasqkyeE8C9b4tH5dh7aFoWXRHa9tyFxEW7gxhhUHjd7vS3iGPgQx99qayN+iu2Ai9+TIz0M3aiheNcuFMaDSB7JQ6NqJGYteGGXzQ/tAj6UNHdiC1LbzjBahwRXl6MPt4BEiNqRlwhlMaRvLVSbKpEJ5BlSCGh9HYwCTQvycTBwfEGV9UEkYXZmajAFfJ9R8tHjNNTC3c8k2JbLXC2Yt5yBHxD7gGCvqRyF3WOaxZmCvbJs663e/k+LRvrovQe8ABjoZj84BHvsiITRmbXevQ4dsIRP72tSbg2+CJsE+BBVUm6PmiwrFJ7FlmM/zrnKGOyA8q7UcAr0pHDoIGh/g1mjPa6s8H0rEFH82EJttsR2TR3reGwqWmpKKYRmauXk0T24eX74Wa7FaxetTA8n0BuZufPveDOm79zeU3RjKDEGvKr0Brn0o1SBhc/UeO3yurOq2hnHiPiiQgySJShMxN7f8oMMk3bsO3ANUhR45027fA4osZhQarhxt/hqwX6B9MnSoMKfYuoFVKXhuW7qKqApQA/abkh7SvR2TXTtwG2Dk8uxt3BujkNcUe3uro9dQjhTVVUSiIBsgF7rg+V
E3WCGci9J2BdsAlUjseKcxEtL4UXBRDES7hBr1WS8caYbLz6hhlOfmLAupmvZ+rovwq1AevzfRc9wnvCbdnY3BcKp6hhd6Phqc5L1/RZp3nseaiLWmOi6rY8JUXVTAvY8qnHuuw8EhSzEtPi4yvSVs8JaKymo2xqiToqADkQ4wP/objpfMhg2v0NVx7JRvx3c+i5HRpeFAp0FRFAc0jCwvlkBCBENNwfQ1aN0rzc4eXP4mhL3iuhuinKLz5Tb5IyMTuuLaW8Z2MqckEGanZQMGuo89VG9cr/NIlUbkyVmQbxZKy2EneaA6nvj6yah+cZxqfy06XJMoj5oRtUmkaWGbtnpNQ0IJg05Oz8kRqVEnmWlT0ieyUp65AeJVYT7ZBvj2PKq/mdwTPUq8dxydmkOPejun5uidcez+yPS/OEm/nJn/bsPPQr08zf0RNSk+zlE9IfXqo/pH3jTfnmb7+QWoPg7bz5M1cuazOudeP+Okzrxp5qS+t2VqpTB3XTon62a40pusAL0RF/Gm4gM/F3KI/M8GF8Zm70ox0VI/4t99J5j3NRlUR3ZIsm35n4vv//xn9OT19au7p+iaKk35uqJqA7lNzIliY2ItZsiPPebX9i26LSa/GPaHA2/eUkz2lxyLvTe8j+Go96b1+Y0oHT5mYxIbFFdnRrRcGhZr7J0C81gRpeadHLPzs/g7pL7DOa2UGwMJiRQtKMPSHWYjSMxuJfY+iofq2jOj6Dy9cGsfZDvK7INZruAB6dS1aA7MlEjCV/zYubHOTx8f3vI/edPZftNbMW/sQivwMI87WoSc9ijWc91adgm5xpz+fiTWiU9ZsHMZlsCt9soPsGxFZTSKPzn79UczoJWPLqncZekeRCL9BJjpDcESUCkhFwXlOBpi3Trqd1hT4FqdDDxjeN75vMafdDquCAaUydvLbOEvjRAosdQ27beZzHEhNGtarz+458ifFeQgsYY8GxEGcGQVbRvyMGbt6r6TYkvzOl3d/w6XJfN6Tm/5fIqsEeSHGtFAL/V6GjSfbR71oL6Og94PTCRa6NlGlWype3PadBW7gcIBtUIzrpT+WK0GHu1d3gJqZYrEmnw7/cdqQ1ghpYV08tGMVoDGFtuX9lcL86sv4/MraJ4zmFNivLEjniszIkvUkiFJMiMUz5trQnd+vFaOLt+HF49nqGTYsN3cSEIi4ETuyyEvog1emcUqOCNeQtYWwk9CafQGkw3lA2p7jpPP6Bddfn3gNrKvlGAOqrnVXVq9WqDXOS7RL/Y/7lbPBXf5AP/oXxdog7dg7nsGWLoW1sjWl1Cl4AqCHhBPGjAzyvptryfIHl8bgUiqQdJQpYO7CbqKDMOUBKJnIaZZ5ne+iMy5tNj6olPdBN29FgpHHaQBG/3fXzVUIVnxSF93hLB6Vkti95rjkqkHIrL9iJm3IuZgJkY7ynOxU0iVQOiKEvPNs1jcuI8/6m9UMwFHUfPqi57I0PW8Fsv2meFpix+o4vbmeg1rTPbogzos8lO/hxTdBIekqCUzyiym1cAd1la3LTIbNW03g7kFenyr85kiWUwHGQI2zLbPhMOJzaGuDVUbcspbZE52DtEN4WESpjNXvNTQZHzklHfuBclxYyc3XGulT+9cToza6XjI3yaExrGyx+V4+tvp1BIb3DiuPPNgBLidVA4ryr0v0B51WwuiwOVAMQqLfyDM+kLYG3O3o3qkCJLa3zR9Bj4feaB6SO1D0xqTTTF7KbpmXMsY1NOC22xLLKi5pHxMzd1Zd5oh24a/TxX6kWPbDsa1zHNltJpUpEg98h5dU2X2CbpKLMPamo+fNcTuNrRX8AyZfWgsCxeid9YEdELFS5cKJ+S49oyd6f9FlZj/9WQ+Z0B1WOssKGkxkWqm9pfndvQT1F/wwu3RHaqiHad7cK0y4FqKMn4Mc1EtewbZWXvNj2qsGzgR2mipGNnJ6UwqrkRRGoM07Hy7wW2DE6d5bkEa0ZoZszl+IWH1MD3u98RZ7O
j0AfcOplc2W/2W/sb1Y8XYHv1HhRldUcjRtc2Gcc6LKLIdLDMixAO92JPSr7BEDkNjk2A2pJcl1NZpHnvKSrs2OEP1yE+fjXf1IL6WqndbOe/cAr3fl478xqIyE3R8HmaxhFU2sjhOhzCDxZlg8ksVK7TTRTePs6BWMA7xO+9FKWTw7NnnlXevBxamla06elnDfMqpFWOPTMeMfdIPFwiRQiTfc4dozUiGa6jEOu7gIDzDatx7VAtUpnZQryQbxe4W3Cju1Cp4Vsnx/X5L2/fMNodOQZkg+g6BR4ZoHAL7XZB0HOBRA7eXYIrCZkYYsbr1tbqR0HmgTLnd3DDzxJAfnOj3dmB71T33/77ySJ77f/hX35jTCzOQ8RgCT/BFX0scue3HEuvHaBVk7hGc+7LJRlmkfAVSDvjo+zObifK2OnSSfVGnxyxkhOpBqxYrI9vXPmOIyds3MsyMG+HGvbaYDfDexgXJ9kd/h/4j9HCxe1puQM5l1Rg9x7/5PrmyBdWfoiuLIY4cpJ4tUXKAV1cgfeF7OIjpOFJiByY+FrSY0VoWM+yXqlV36eh60N+H/QTj0yLja4Lu6e8D6TsPyWfw9u83iMNaaOrYXG6wGqhPq8j8ybsthrvhhwt6mwWZUJ+29wDYWetQ8CvEe8Yf7BQd2VzxvDzhupb4+8G2GubsUaWqlMbQBtY+6k6xn6d5+SwNIOVEz0KPdW15cWOGR/f2yeDYaZ3pdamud+V9+0/ubTjHcRHakhdDZIyXF0eoGBYaSrFsO+0u6brIvRMn7pLLzBbAVUIxDZUOSh/AWwPJKVFfNAUe24LSyovvkLK+WyHR7f2rv7+5Q3dGfqKf+UBFyoae5LyPFHre70ScHnssyQbIg0po9tYIlqm57bEi0HV1kzr13AZo+MLdzbk/oquApL3yGxdRVRymOmtvUH2zVNkWa/OJwTYdW8xo7jZEBE336M9YX+rY0bezfoC96oqis/dYcif0jdalyqjtRpAIbFmaRjY5v+XXlL1H1zzEOwpJ9f7E/iOiKCbm8p9JmcPkTcp4es2OSmBd7TrFhNsxzLNRfajHhiSo0DTgV09ziJGNG+g2uSErBZ0nBChGksOBLA6LNq57WdaQDea8l4A2PVHZj2tRDXjKZyu/VIs8X7H719ev3nqZ+7yDoBZ1WsiuVyxle+VUPWRbwar0abwKPTC4r6VZdwYJTRYqTrVCTxwa9dTmrtlkgtAFIeIvGghCY1XyCX/tqfnAqfbPJYvDYLQtSPtSsqoYIoITKLUxAe4drwdSnMZ0Uo/WdbDMM8ZGaCFiSLHd34Th0U///ioWTBJlXcoOEHJ9iRCFbmjZgdNjiV36XjSB8W83P9/d3qE3+LGgPK9bl8TZb6i/QCDDQaHvAcI9oT36jxFeX8HxEOykgCAXmZ2Na+L5B0+kCZOau9GSl1S3174ej8dzlAY2J2M/cUZPmFPxXyDnoA6O5HlfG0k5SdbiG9deeqRiU3fz0tYP7KzdwqUGPEOqioRFYYX+orQUfP3XJcPkgVGlIf/Lc//Zs/pbyldA4l+tqIQdZtFrFi9ZCwZhniMl0MD2kbCmSsu9sXrmPZgl1htfiq7GgrpYemRMaj/YJ8QlSrjYViJkq3pXrbHUtAHXcv+n/xsAAP//s5eu2Q==" +} diff --git a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml new file mode 100644 index 00000000000..91bbc2d960f --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml 
@@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/sonicwall/firewall/config/liblogparser.js + - ${path.home}/module/sonicwall/firewall/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js new file mode 100644 index 00000000000..80ba6449c63 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js 
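Review bot: The syslog branch on this hunk's `host: "{{.syslog_host}}:{{.syslog_port}}"` line opens a listener that accepts unauthenticated datagrams/connections from any peer able to reach it, and the fixed `fields.observer` block then stamps every line as `observer.vendor: Sonicwall`, so nothing in the template distinguishes spoofed input from the real firewall. If the manifest does not already default `syslog_host` to localhost (as other modules do; worth confirming), it should, and the fileset docs should state that the port must be firewalled to the firewall's source address so injected events cannot land in the index. Separately, `exclude_files: [".gz$"]` uses an unescaped dot, so it excludes any name whose last three characters end in `gz`; `exclude_files: ["\\.gz$"]` is the intended pattern, though the unescaped form matches the other modules. Finally, `debug: {{.debug}}` turns on `console.debug` output of each raw input line in liblogparser.js, so the docs should caveat that enabling it copies message contents (including any captured passwords) into Filebeat's own log.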
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} dst= %{p0}"); + +var dup10 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= 
%{p0}"); + +var dup11 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + +var dup12 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup13 = setc("eventcategory","1502010000"); + +var dup14 = setc("eventcategory","1502020000"); + +var dup15 = setc("eventcategory","1002010000"); + +var dup16 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var dup17 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var dup18 = setf("hostip","hhostip"); + +var dup19 = setf("id","hid"); + +var dup20 = setf("serial_number","hserial_number"); + +var dup21 = setf("category","hcategory"); + +var dup22 = setf("severity","hseverity"); + +var dup23 = setc("eventcategory","1805010000"); + +var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], +}); + +var dup25 = setc("eventcategory","1302000000"); + +var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var dup28 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); + +var dup29 = setc("eventcategory","1401050100"); + +var dup30 = setc("eventcategory","1401030000"); + +var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld}src=%{p0}"); + +var dup32 = setc("eventcategory","1301020000"); + +var dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{p0}"); + +var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + +var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + +var dup37 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + 
[dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src= %{p0}"); + +var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + +var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + +var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + +var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol}npcs=%{info}"); + +var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src= %{p0}"); + +var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + +var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + +var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + +var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + +var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + +var dup51 = setc("ec_subject","NetworkComm"); + +var dup52 = setc("ec_activity","Deny"); + +var dup53 = setc("ec_theme","Communication"); + +var dup54 = setf("msg","$MSG"); + +var dup55 = setc("action","dropped"); + +var dup56 = setc("eventcategory","1608010000"); + +var dup57 = setc("eventcategory","1302010000"); + +var dup58 = setc("eventcategory","1301000000"); + +var dup59 = setc("eventcategory","1001000000"); + +var dup60 = setc("eventcategory","1003030000"); + +var dup61 = setc("eventcategory","1003050000"); + +var dup62 = setc("eventcategory","1103000000"); + +var dup63 = setc("eventcategory","1603110000"); + +var dup64 = 
setc("eventcategory","1605020000"); + +var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1}src= %{p0}"); + +var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + +var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1}n=%{fld2}src= %{p0}"); + +var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var dup70 = setc("eventcategory","1801000000"); + +var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + +var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + +var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + +var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var dup79 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + +var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{p0}"); + +var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var dup82 = setf("id","hfld1"); + +var dup83 = setc("eventcategory","1001020309"); + +var dup84 = setc("eventcategory","1303000000"); + +var dup85 = match("MESSAGE#202:139:01/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} "); + +var dup86 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); + +var dup87 = setc("eventcategory","1801010100"); + +var dup88 = setc("eventcategory","1604010000"); + +var dup89 = setc("eventcategory","1002020000"); + +var dup90 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + +var dup91 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + +var dup92 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + +var dup93 = setc("eventcategory","1001010000"); + +var dup94 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + +var dup95 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + +var dup96 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + +var dup97 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}sport=%{sport}dport=%{dport->} %{p0}"); + +var dup98 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + +var dup99 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + +var dup100 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + +var dup101 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + +var dup102 = setc("eventcategory","1401060000"); + +var dup103 = setc("eventcategory","1804000000"); + +var dup104 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{p0}"); + +var dup105 = setc("eventcategory","1401070000"); + +var dup106 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld}src=%{p0}"); + +var dup107 = setc("eventcategory","1801030000"); + +var dup108 = setc("eventcategory","1402020300"); + +var dup109 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" 
n=%{fld1}src=%{saddr}dst=%{daddr->} %{p0}"); + +var dup110 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + +var dup111 = setc("eventcategory","1402000000"); + +var dup112 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + +var dup113 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + +var dup114 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + +var dup115 = setc("eventcategory","1803020000"); + +var dup116 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol}npcs=%{info}"); + +var dup117 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + +var dup118 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1}n=%{fld2}src= %{p0}"); + +var dup119 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + +var dup120 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var dup121 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + +var dup122 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + +var dup123 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + +var dup124 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + +var dup125 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var dup126 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var dup127 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + +var dup128 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + +var dup129 = 
match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var dup130 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + +var dup131 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var dup132 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var dup133 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + +var dup134 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + +var dup135 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1}n=%{fld2}src= %{p0}"); + +var dup136 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + +var dup137 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + +var dup138 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + +var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + +var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + +var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + +var dup144 = setc("event_description","Connection Closed"); + +var dup145 = setc("eventcategory","1801020000"); + +var dup146 = setc("ec_activity","Permit"); + +var dup147 = setc("action","allowed"); + +var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg}sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); + +var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var dup150 = match("MESSAGE#361:606/1_1", "nwparser.p0", 
"%{daddr}:%{dport->} srcMac=%{p0}"); + +var dup151 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var dup152 = setc("eventcategory","1001030500"); + +var dup153 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + +var dup154 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var dup155 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + +var dup156 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var dup157 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + +var dup158 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + +var dup159 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + +var dup160 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + +var dup161 = setc("eventcategory","1801010000"); + +var dup162 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{p0}"); + +var dup163 = setc("eventcategory","1003010000"); + +var dup164 = setc("eventcategory","1609000000"); + +var dup165 = setc("eventcategory","1204000000"); + +var dup166 = setc("eventcategory","1602000000"); + +var dup167 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface}npcs=%{info}"); + +var dup168 = setc("eventcategory","1803000000"); + +var dup169 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1}n=%{fld2}src=%{p0}"); + +var dup170 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + +var dup171 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + +var dup172 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" 
fw_action=\"%{action}\""); + +var dup173 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var dup174 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var dup175 = linear_select([ + dup9, + dup10, +]); + +var dup176 = linear_select([ + dup16, + dup17, +]); + +var dup177 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, +])); + +var dup178 = linear_select([ + dup26, + dup27, +]); + +var dup179 = linear_select([ + dup34, + dup35, +]); + +var dup180 = linear_select([ + dup26, + dup39, +]); + +var dup181 = linear_select([ + dup41, + dup42, +]); + +var dup182 = linear_select([ + dup46, + dup47, +]); + +var dup183 = linear_select([ + dup49, + dup50, +]); + +var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, +])); + +var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, +])); + +var dup186 = linear_select([ + dup71, + dup75, + dup76, +]); + +var dup187 = linear_select([ + dup9, + dup26, +]); + +var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}dstname=%{shost}", processor_chain([ + dup1, +])); + +var dup189 = linear_select([ + dup85, + dup86, +]); + +var dup190 = linear_select([ + dup90, + dup91, +]); + +var dup191 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ + dup5, +])); + +var dup192 = linear_select([ + dup94, + dup95, +]); + +var dup193 = linear_select([ + dup98, + dup99, +]); 
+ +var dup194 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ + dup89, +])); + +var dup195 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup89, +])); + +var dup196 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup1, +])); + +var dup197 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ + dup1, +])); + +var dup198 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, +])); + +var dup199 = linear_select([ + dup66, + dup110, +]); + +var dup200 = linear_select([ + dup112, + dup113, +]); + +var dup201 = linear_select([ + dup117, + dup45, +]); + +var dup202 = linear_select([ + dup9, + dup27, +]); + +var dup203 = linear_select([ + dup9, + dup26, + dup39, +]); + +var dup204 = linear_select([ + dup71, + dup16, + dup17, +]); + +var dup205 = linear_select([ + dup123, + dup124, +]); + +var dup206 = linear_select([ + dup68, + dup69, + dup74, +]); + +var dup207 = linear_select([ + dup129, + dup130, +]); + +var dup208 = linear_select([ + dup41, + dup42, + dup136, +]); + +var dup209 = linear_select([ + dup137, + dup138, +]); + +var dup210 = linear_select([ + dup140, + dup141, +]); + +var dup211 = linear_select([ + dup142, + dup143, +]); + +var dup212 = linear_select([ + dup49, + dup150, +]); + +var dup213 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup152, +])); + +var dup214 = linear_select([ + dup154, + dup40, +]); + +var dup215 = linear_select([ + dup156, + dup157, +]); + +var dup216 = 
linear_select([ + dup158, + dup159, +]); + +var dup217 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ + dup5, +])); + +var dup218 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{ntype->} ", processor_chain([ + dup5, +])); + +var dup219 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}:%{sinterface}:%{host}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, +])); + +var dup220 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, +])); + +var dup221 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space}n=%{fld1}", processor_chain([ + dup1, + dup24, +])); + +var dup222 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup164, + dup37, +])); + +var dup223 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}", processor_chain([ + dup1, +])); + +var dup224 = linear_select([ + dup170, + dup171, +]); + +var dup225 = linear_select([ + dup173, + dup174, +]); + +var dup226 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var dup227 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var dup228 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var dup229 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var dup230 = 
all_match({ + processors: [ + dup97, + dup193, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var dup231 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup102, + ]), +}); + +var dup232 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var dup233 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var dup234 = all_match({ + processors: [ + dup104, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var dup235 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup108, + ]), +}); + +var dup236 = all_match({ + processors: [ + dup109, + dup199, + ], + on_success: processor_chain([ + dup89, + ]), +}); + +var dup237 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup111, + ]), +}); + +var dup238 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup189, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var dup239 = all_match({ + processors: [ + dup80, + dup178, + dup11, + dup176, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var dup240 = all_match({ + processors: [ + dup153, + dup214, + dup155, + dup215, + dup216, + dup160, + ], + on_success: processor_chain([ + dup152, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var dup241 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup192, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var dup242 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", 
"id=%{hfld1}sn=%{hserial_number}time=\"%{date->} %{time}\" fw=%{hhostip}pri=%{hseverity}c=%{hcategory}m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1}sn=%{hserial_number}time=\"%{date->} %{time}\" fw=%{hhostip}pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1}sn=%{hserial_number}time=\"%{hdate->} %{htime}\" fw=%{hhostip}pri=%{hseverity}c=%{hcategory}m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hfld20}id=%{hfld1}sn=%{hserial_number}time=\"%{hdate->} %{htime}\" fw=%{hhostip}pri=%{hseverity}c=%{hcategory}m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, +])); + +var msg1 = msg("4", part1); + +var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, +])); + +var msg2 = msg("5", part2); + +var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, +])); + +var msg3 = msg("5:01", part3); + +var select2 = linear_select([ + msg2, + msg3, +]); + +var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, +])); + +var msg4 = msg("6", part4); + +var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, +])); + +var msg5 = msg("6:01", part5); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var part6 = match("MESSAGE#5:7", 
"nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, +])); + +var msg6 = msg("7", part6); + +var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, +])); + +var msg7 = msg("8", part7); + +var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, +])); + +var msg8 = msg("9", part8); + +var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, +])); + +var msg9 = msg("10", part9); + +var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ + dup4, +])); + +var msg10 = msg("11", part10); + +var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, +])); + +var msg11 = msg("12", part11); + +var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, +])); + +var msg12 = msg("12:01", part12); + +var select4 = linear_select([ + msg11, + msg12, +]); + +var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, +])); + +var msg13 = msg("13", part13); + +var part14 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); + +var part15 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); + +var select5 = linear_select([ + part14, + part15, +]); + +var all1 = all_match({ + processors: [ + dup6, + select5, + ], + on_success: processor_chain([ + dup7, + setc("action","Web site access denied"), + ]), +}); + +var msg14 = msg("14", all1); + +var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); + +var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); + +var select6 = linear_select([ + part16, + part17, +]); + +var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3}Category=%{fld4}npcs=%{info}"); + +var all2 = all_match({ + processors: [ + dup8, + dup175, + dup11, + select6, + part18, + ], + on_success: processor_chain([ + dup7, + ]), +}); + +var msg15 = msg("14:01", all2); + +var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{name}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup7, + dup12, +])); + +var msg16 = msg("14:02", part19); + +var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup7, + dup12, +])); + +var msg17 = msg("14:03", part20); + +var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{name}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup7, + dup12, +])); + +var msg18 = msg("14:04", part21); + +var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup7, + dup12, +])); + +var msg19 = msg("14:05", part22); + +var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, +]); + +var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup13, +])); + +var msg20 = msg("15", part23); + +var part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup14, +])); + +var msg21 = msg("16", part24); + +var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup14, +])); + +var msg22 = msg("17", part25); + +var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup13, +])); + +var msg23 = msg("18", part26); + +var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup13, +])); + +var msg24 = msg("19", part27); + +var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup13, +])); + +var msg25 = msg("20", part28); + +var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, +])); + +var msg26 = msg("21", part29); + +var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup15, +])); + +var msg27 = msg("22", part30); + +var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup15, +])); + +var msg28 = msg("23", part31); + +var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); + +var part33 = 
match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + +var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + +var select8 = linear_select([ + part33, + part34, +]); + +var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); + +var all3 = all_match({ + processors: [ + part32, + dup176, + dup11, + select8, + part35, + ], + on_success: processor_chain([ + dup15, + ]), +}); + +var msg29 = msg("23:01", all3); + +var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}- MAC address: %{smacaddr}", processor_chain([ + dup15, +])); + +var msg30 = msg("23:02", part36); + +var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); + +var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); + +var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); + +var select9 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}"); + +var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup15, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg31 = msg("23:03", all4); + +var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, +]); + +var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, +])); + +var msg32 = msg("24", part41); + +var msg33 = msg("24:01", dup177); + +var select11 = linear_select([ + msg32, + msg33, +]); + +var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup15, +])); + +var msg34 = msg("25", part42); + +var part43 = match("MESSAGE#33:26", "nwparser.payload", 
"Probable SYN flood attack%{}", processor_chain([ + dup15, +])); + +var msg35 = msg("26", part43); + +var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup15, +])); + +var msg36 = msg("27", part44); + +var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup15, +])); + +var msg37 = msg("28", part45); + +var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ + dup15, +])); + +var msg38 = msg("28:01", part46); + +var select12 = linear_select([ + msg37, + msg38, +]); + +var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, +])); + +var msg39 = msg("29", part47); + +var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}usr=%{username}src=%{p0}"); + +var all5 = all_match({ + processors: [ + part48, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg40 = msg("29:01", all5); + +var select13 = linear_select([ + msg39, + msg40, +]); + +var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup30, +])); + +var msg41 = msg("30", part49); + +var msg42 = msg("30:01", dup227); + +var select14 = linear_select([ + msg41, + msg42, +]); + +var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, +])); + +var msg43 = msg("31", part50); + +var all6 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + dup25, + ]), +}); + +var msg44 = msg("31:01", all6); + +var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup12, +])); + +var msg45 = msg("31:02", part51); + +var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup12, +])); + +var msg46 = msg("31:03", part52); + +var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup12, +])); + +var msg47 = msg("31:04", part53); + +var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, +]); + +var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup30, +])); + +var msg48 = msg("32", part54); + +var msg49 = msg("32:01", dup227); + +var select16 = linear_select([ + msg48, + msg49, +]); + +var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup32, +])); + +var msg50 = msg("33", part55); + +var all7 = all_match({ + processors: [ + dup33, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var msg51 = msg("33:01", all7); + +var select17 = linear_select([ + msg50, + msg51, +]); + +var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, +])); + +var msg52 = msg("34", part56); + +var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), +])); + +var msg53 = 
msg("35", part57); + +var all8 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), +}); + +var msg54 = msg("35:01", all8); + +var select18 = linear_select([ + msg53, + msg54, +]); + +var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, +])); + +var msg55 = msg("36", part58); + +var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + +var part60 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); + +var part61 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{fld1->} src= %{p0}"); + +var select19 = linear_select([ + part60, + part61, +]); + +var part62 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + +var part63 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); + +var part64 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); + +var select20 = linear_select([ + part62, + part63, + part64, +]); + +var all9 = all_match({ + processors: [ + part59, + select19, + dup179, + dup36, + dup176, + dup11, + select20, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), +}); + +var msg56 = msg("36:01", all9); + +var part65 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); + +var part66 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); + +var select21 = linear_select([ + part65, + part66, +]); + +var part67 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); + +var all10 = all_match({ + processors: [ + dup38, + dup180, + dup11, + dup176, + dup11, + select21, + part67, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg57 = msg("36:02", all10); + +var select22 = linear_select([ + msg55, + msg56, + msg57, +]); + 
+var part68 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg58 = msg("37", part68); + +var part69 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + +var part70 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var select23 = linear_select([ + part70, + dup40, +]); + +var part71 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{p0}"); + +var part72 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + +var part73 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + +var part74 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); + +var select24 = linear_select([ + part72, + part73, + part74, +]); + +var part75 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); + +var part76 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); + +var select25 = linear_select([ + part75, + part76, +]); + +var all11 = all_match({ + processors: [ + part69, + select23, + part71, + select24, + select25, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), +}); + +var msg59 = msg("37:01", all11); + +var part77 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}rule=%{rule}", processor_chain([ + dup5, +])); + +var msg60 = msg("37:02", part77); + +var all12 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg61 = msg("37:03", all12); + +var part78 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup12, +])); + +var msg62 = msg("37:04", part78); + +var select26 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, +]); + +var part79 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg63 = msg("38", part79); + +var part80 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); + +var select27 = linear_select([ + part80, + dup45, +]); + +var all13 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup176, + dup11, + select27, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg64 = msg("38:01", all13); + +var part81 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3}icmpCode=%{fld4}npcs=%{info}"); + +var all14 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup182, + part81, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg65 = msg("38:02", all14); + +var part82 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + +var part83 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + +var select28 = linear_select([ + part82, + part83, +]); + +var part84 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part85 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\""); + +var all15 = all_match({ + processors: [ + dup48, + select28, + part84, + dup183, + part85, + ], + on_success: processor_chain([ + dup5, + dup12, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg66 = msg("38:03", all15); + +var select29 = linear_select([ + msg63, + msg64, + msg65, + msg66, +]); + +var part86 = 
match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg67 = msg("39", part86); + +var part87 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, +])); + +var msg68 = msg("40", part87); + +var part88 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg69 = msg("41:01", part88); + +var part89 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}:%{sinterface}dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, +])); + +var msg70 = msg("41:02", part89); + +var part90 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, +])); + +var msg71 = msg("41:03", part90); + +var select30 = linear_select([ + msg69, + msg70, + msg71, +]); + +var part91 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, +])); + +var msg72 = msg("42", part91); + +var part92 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, +])); + +var msg73 = msg("43", part92); + +var part93 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, +])); + +var msg74 = msg("44", part93); + +var part94 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ + dup5, +])); + +var msg75 = msg("45", part94); + +var part95 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ + dup5, +])); + +var msg76 = 
msg("45:01", part95); + +var part96 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}dst=%{daddr}npcs=%{info}", processor_chain([ + dup5, +])); + +var msg77 = msg("45:02", part96); + +var select31 = linear_select([ + msg75, + msg76, + msg77, +]); + +var part97 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg78 = msg("46:01", part97); + +var part98 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ + dup5, +])); + +var msg79 = msg("46:02", part98); + +var part99 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, +])); + +var msg80 = msg("46", part99); + +var part100 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1}n=%{fld2}src=%{p0}"); + +var all16 = all_match({ + processors: [ + part100, + dup175, + dup11, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg81 = msg("46:03", all16); + +var select32 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var part101 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, +])); + +var msg82 = msg("47", part101); + +var part102 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ + dup5, +])); + +var msg83 = msg("48", part102); + +var part103 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, +])); + +var msg84 = msg("49", part103); + +var part104 = 
match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, +])); + +var msg85 = msg("50", part104); + +var part105 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, +])); + +var msg86 = msg("51", part105); + +var part106 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, +])); + +var msg87 = msg("52", part106); + +var part107 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, +])); + +var msg88 = msg("53", part107); + +var part108 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup56, +])); + +var msg89 = msg("58", part108); + +var part109 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup13, +])); + +var msg90 = msg("60", part109); + +var part110 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, +])); + +var msg91 = msg("61", part110); + +var part111 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup57, +])); + +var msg92 = msg("62", part111); + +var part112 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup58, +])); + +var msg93 = msg("63", part112); + +var part113 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ + dup58, +])); + +var msg94 = msg("63:01", part113); + +var select33 = linear_select([ + msg93, + msg94, +]); + +var part114 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, +])); + +var msg95 = msg("64", part114); + +var part115 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec 
SPI%{}", processor_chain([ + dup58, +])); + +var msg96 = msg("65", part115); + +var part116 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup58, +])); + +var msg97 = msg("66", part116); + +var part117 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup58, +])); + +var msg98 = msg("67", part117); + +var all17 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + dup58, + ]), +}); + +var msg99 = msg("67:01", all17); + +var select34 = linear_select([ + msg98, + msg99, +]); + +var part118 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup58, +])); + +var msg100 = msg("68", part118); + +var part119 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup58, +])); + +var msg101 = msg("69", part119); + +var part120 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup58, +])); + +var msg102 = msg("70", part120); + +var part121 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr->} %{p0}"); + +var part122 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); + +var part123 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); + +var select35 = linear_select([ + part122, + part123, +]); + +var all18 = all_match({ + processors: [ + part121, + select35, + ], + on_success: processor_chain([ + dup58, + ]), +}); + +var msg103 = msg("70:01", all18); + +var select36 = linear_select([ + msg102, + msg103, +]); + +var part124 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg104 = msg("72", part124); + +var part125 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" 
n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup59, +])); + +var msg105 = msg("72:01", part125); + +var select37 = linear_select([ + msg104, + msg105, +]); + +var part126 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup60, +])); + +var msg106 = msg("73", part126); + +var part127 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup61, +])); + +var msg107 = msg("74", part127); + +var part128 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup60, +])); + +var msg108 = msg("75", part128); + +var part129 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg109 = msg("76", part129); + +var part130 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg110 = msg("77", part130); + +var part131 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup61, +])); + +var msg111 = msg("78", part131); + +var part132 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg112 = msg("79", part132); + +var part133 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg113 = msg("80", part133); + +var part134 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup15, +])); + +var msg114 = msg("81", part134); + +var part135 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup62, +])); + +var msg115 = msg("82", part135); + +var part136 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" 
n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{info}\"", processor_chain([ + dup62, +])); + +var msg116 = msg("82:02", part136); + +var part137 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup62, +])); + +var msg117 = msg("82:03", part137); + +var msg118 = msg("82:01", dup184); + +var select38 = linear_select([ + msg115, + msg116, + msg117, + msg118, +]); + +var part138 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup62, +])); + +var msg119 = msg("83", part138); + +var msg120 = msg("83:01", dup185); + +var part139 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, +])); + +var msg121 = msg("83:02", part139); + +var select39 = linear_select([ + msg119, + msg120, + msg121, +]); + +var part140 = match("MESSAGE#120:84/1_0", "nwparser.p0", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost->} "); + +var part141 = match("MESSAGE#120:84/1_1", "nwparser.p0", " Failed to resolve name %{}"); + +var select40 = linear_select([ + part140, + part141, +]); + +var all19 = all_match({ + processors: [ + dup6, + select40, + ], + on_success: processor_chain([ + dup63, + setc("action","Failed to resolve name"), + ]), +}); + +var msg122 = msg("84", all19); + +var part142 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup64, +])); + +var msg123 = msg("87", part142); + +var part143 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ + dup64, +])); + +var msg124 = msg("87:01", part143); + +var select41 = linear_select([ + msg123, + msg124, +]); + 
+var part144 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup58, +])); + +var msg125 = msg("88", part144); + +var part145 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld}src=%{saddr}dst=%{daddr}", processor_chain([ + dup58, +])); + +var msg126 = msg("88:01", part145); + +var select42 = linear_select([ + msg125, + msg126, +]); + +var part146 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup64, +])); + +var msg127 = msg("89", part146); + +var part147 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); + +var part148 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); + +var part149 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); + +var select43 = linear_select([ + part148, + part149, +]); + +var all20 = all_match({ + processors: [ + part147, + select43, + ], + on_success: processor_chain([ + dup64, + ]), +}); + +var msg128 = msg("89:01", all20); + +var select44 = linear_select([ + msg127, + msg128, +]); + +var part150 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup64, +])); + +var msg129 = msg("90", part150); + +var part151 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup64, +])); + +var msg130 = msg("91", part151); + +var part152 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup64, +])); + +var msg131 = msg("92", part152); + +var part153 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ + dup1, +])); + +var msg132 = msg("93", part153); + +var part154 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, +])); + +var msg133 
= msg("94", part154); + +var part155 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, +])); + +var msg134 = msg("95", part155); + +var part156 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, +])); + +var msg135 = msg("96", part156); + +var part157 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, +])); + +var msg136 = msg("97", part157); + +var part158 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld->} %{p0}"); + +var part159 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + +var part160 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + +var select45 = linear_select([ + part159, + part160, +]); + +var part161 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); + +var select46 = linear_select([ + part161, + dup66, +]); + +var all21 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup176, + part158, + select45, + dup11, + select46, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg137 = msg("97:01", all21); + +var part162 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld}result=%{result}"); + +var all22 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup176, + part162, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg138 = msg("97:02", all22); + +var part163 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld3}sent=%{sbytes}rcvd=%{rbytes->} %{p0}"); + +var part164 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); + +var part165 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); + +var select47 = linear_select([ + part164, + part165, +]); + +var part166 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4}code=%{fld5}Category=\"%{category}\" 
npcs=%{info}"); + +var all23 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup176, + part163, + select47, + part166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg139 = msg("97:03", all23); + +var part167 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld3->} %{p0}"); + +var part168 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); + +var part169 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); + +var select48 = linear_select([ + part168, + part169, +]); + +var part170 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4}code=%{fld5}Category=\"%{category}\" npcs=%{info}"); + +var all24 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup176, + part167, + select48, + part170, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg140 = msg("97:04", all24); + +var part171 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld2}dstname=%{name}arg=%{fld3}code=%{fld4}Category=%{category}"); + +var all25 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup176, + part171, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg141 = msg("97:05", all25); + +var part172 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); + +var select49 = linear_select([ + dup68, + dup69, +]); + +var part173 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all26 = all_match({ + processors: [ + part172, + select49, + part173, + ], + on_success: processor_chain([ + dup70, + dup12, + ]), +}); + +var msg142 = msg("97:06", all26); + +var part174 = match("MESSAGE#141:97:07/0", 
"nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var part175 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); + +var select50 = linear_select([ + part175, + dup49, +]); + +var part176 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all27 = all_match({ + processors: [ + part174, + select50, + part176, + ], + on_success: processor_chain([ + dup70, + dup12, + ]), +}); + +var msg143 = msg("97:07", all27); + +var part177 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup12, +])); + +var msg144 = msg("97:08", part177); + +var part178 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup12, +])); + +var msg145 = msg("97:09", part178); + +var part179 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + 
dup70, + dup12, +])); + +var msg146 = msg("97:10", part179); + +var select51 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, +]); + +var part180 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + +var part181 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); + +var select52 = linear_select([ + part180, + part181, +]); + +var part182 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var part183 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); + +var select53 = linear_select([ + part183, + dup71, +]); + +var part184 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); + +var part185 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); + +var select54 = linear_select([ + dup72, + part184, + part185, +]); + +var all28 = all_match({ + processors: [ + select52, + part182, + select53, + select54, + ], + on_success: processor_chain([ + dup70, + dup51, + setc("ec_activity","Stop"), + dup53, + dup54, + dup12, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg147 = msg("98", all28); + +var part186 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}dstMac=%{dmacaddr}proto=%{protocol}/%{fld4}sent=%{sbytes}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg148 = msg("98:07", part186); + +var part187 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + +var part188 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); + 
+var select55 = linear_select([ + part187, + part188, +]); + +var part189 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + +var part190 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + +var part191 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + +var select56 = linear_select([ + part190, + part191, +]); + +var select57 = linear_select([ + dup73, + dup69, + dup74, +]); + +var part192 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var part193 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); + +var part194 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + +var part195 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); + +var part196 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); + +var select58 = linear_select([ + part192, + part193, + part194, + dup72, + part195, + part196, +]); + +var all29 = all_match({ + processors: [ + dup48, + select55, + part189, + select56, + select57, + dup11, + dup186, + select58, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg149 = msg("98:01", all29); + +var part197 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); + +var part198 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); + +var part199 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); + +var select59 = linear_select([ + part197, + part198, + part199, +]); + +var part200 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); + +var part201 = 
match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); + +var select60 = linear_select([ + part200, + part201, +]); + +var part202 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); + +var part203 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part204 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var select61 = linear_select([ + part203, + part204, + dup77, + dup78, +]); + +var part205 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); + +var part206 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + +var part207 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + +var part208 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + +var part209 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); + +var part210 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); + +var select62 = linear_select([ + part206, + part207, + part208, + part209, + part210, +]); + +var all30 = all_match({ + processors: [ + select59, + select60, + part202, + dup187, + dup11, + select61, + part205, + select62, + ], + on_success: processor_chain([ + dup70, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg150 = msg("98:06", all30); + +var part211 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}usr=%{username}src=%{p0}"); + +var all31 = all_match({ + processors: [ + part211, + dup178, + dup11, + dup176, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg151 = msg("98:02", all31); + +var part212 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); + +var part213 = 
match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); + +var select63 = linear_select([ + part212, + part213, +]); + +var all32 = all_match({ + processors: [ + select63, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), +}); + +var msg152 = msg("98:03", all32); + +var part214 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}vpnpolicy=\"%{policyname}\" npcs=%{info}"); + +var all33 = all_match({ + processors: [ + dup8, + dup178, + dup11, + dup176, + part214, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg153 = msg("98:04", all33); + +var part215 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}npcs=%{info}"); + +var all34 = all_match({ + processors: [ + dup8, + dup178, + dup11, + dup176, + part215, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg154 = msg("98:05", all34); + +var select64 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, +]); + +var part216 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup30, + dup12, +])); + +var msg155 = msg("986", part216); + +var part217 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); + +var all35 = all_match({ + processors: [ + dup80, + dup178, + dup11, + dup176, + part217, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg156 = msg("427", all35); + +var part218 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + +var all36 = all_match({ + processors: [ + dup81, + dup183, + part218, + ], + on_success: processor_chain([ + dup23, + dup54, + dup18, + dup82, 
+ dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg157 = msg("428", all36); + +var part219 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup64, +])); + +var msg158 = msg("99", part219); + +var part220 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup64, +])); + +var msg159 = msg("100", part220); + +var part221 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, +])); + +var msg160 = msg("101", part221); + +var part222 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, +])); + +var msg161 = msg("102", part222); + +var part223 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, +])); + +var msg162 = msg("103", part223); + +var part224 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, +])); + +var msg163 = msg("104", part224); + +var part225 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup64, +])); + +var msg164 = msg("105", part225); + +var part226 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup63, +])); + +var msg165 = msg("106", part226); + +var part227 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup64, +])); + +var msg166 = msg("107", part227); + +var part228 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup64, +])); + +var msg167 = msg("108", part228); + +var part229 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup63, +])); + +var msg168 = msg("109", part229); + +var part230 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup64, +])); + +var msg169 = msg("110", part230); + +var msg170 = msg("111:01", dup188); + +var part231 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup64, +])); + +var msg171 = msg("111", part231); + +var select65 = linear_select([ + msg170, + msg171, +]); + +var part232 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup64, +])); + +var msg172 = msg("112", part232); + +var part233 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup64, +])); + +var msg173 = msg("113", part233); + +var part234 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup64, +])); + +var msg174 = msg("114", part234); + +var msg175 = msg("115:01", dup188); + +var part235 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, +])); + +var msg176 = msg("115", part235); + +var select66 = linear_select([ + msg175, + msg176, +]); + +var part236 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, +])); + +var msg177 = msg("116", part236); + +var part237 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, 
+])); + +var msg178 = msg("117", part237); + +var part238 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, +])); + +var msg179 = msg("118", part238); + +var part239 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup63, +])); + +var msg180 = msg("119", part239); + +var part240 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup63, +])); + +var msg181 = msg("120", part240); + +var part241 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup64, +])); + +var msg182 = msg("121", part241); + +var part242 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup63, +])); + +var msg183 = msg("122", part242); + +var part243 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup63, +])); + +var msg184 = msg("123", part243); + +var part244 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup64, +])); + +var msg185 = msg("124", part244); + +var part245 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup64, +])); + +var msg186 = msg("125", part245); + +var part246 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\"", processor_chain([ + dup83, + dup12, +])); + +var msg187 = msg("1254", part246); + +var part247 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" 
n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg188 = msg("1256", part247); + +var part248 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup83, + dup12, +])); + +var msg189 = msg("1257", part248); + +var part249 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup64, +])); + +var msg190 = msg("126", part249); + +var part250 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup64, +])); + +var msg191 = msg("127", part250); + +var part251 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, +])); + +var msg192 = msg("128", part251); + +var part252 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, +])); + +var msg193 = msg("129", part252); + +var part253 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, +])); + +var msg194 = msg("130", part253); + +var part254 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, +])); + +var msg195 = msg("131", part254); + +var part255 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ + dup1, +])); + +var msg196 = msg("132", part255); + +var part256 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", 
processor_chain([ + dup1, +])); + +var msg197 = msg("133", part256); + +var part257 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, +])); + +var msg198 = msg("134", part257); + +var part258 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup84, +])); + +var msg199 = msg("135", part258); + +var part259 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup84, +])); + +var msg200 = msg("136", part259); + +var part260 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, +])); + +var msg201 = msg("137", part260); + +var part261 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, +])); + +var msg202 = msg("138", part261); + +var part262 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, +])); + +var msg203 = msg("139", part262); + +var all37 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), +}); + +var msg204 = msg("139:01", all37); + +var select67 = linear_select([ + msg203, + msg204, +]); + +var msg205 = msg("140", dup228); + +var msg206 = msg("141", dup228); + +var part263 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, +])); + +var msg207 = msg("142", part263); + +var part264 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, +])); + +var msg208 = msg("143", part264); + +var part265 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=::%{sinterface}dstV6=%{daddr_v6}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\"", 
processor_chain([ + dup70, + dup12, +])); + +var msg209 = msg("1431", part265); + +var part266 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, +])); + +var msg210 = msg("144", part266); + +var part267 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, +])); + +var msg211 = msg("145", part267); + +var part268 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup88, +])); + +var msg212 = msg("146", part268); + +var part269 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup88, +])); + +var msg213 = msg("147", part269); + +var part270 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, +])); + +var msg214 = msg("148", part270); + +var part271 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup12, +])); + +var msg215 = msg("1480", part271); + +var part272 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, +])); + +var msg216 = msg("149", part272); + +var part273 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, +])); + +var msg217 = msg("150", part273); + +var part274 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ + dup1, +])); + +var msg218 = msg("151", part274); + +var part275 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + 
dup1, +])); + +var msg219 = msg("152", part275); + +var part276 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), +])); + +var msg220 = msg("153", part276); + +var part277 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup56, +])); + +var msg221 = msg("154", part277); + +var part278 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup88, +])); + +var msg222 = msg("155", part278); + +var part279 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup88, +])); + +var msg223 = msg("156", part279); + +var part280 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ + dup1, +])); + +var msg224 = msg("157:01", part280); + +var part281 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, +])); + +var msg225 = msg("157", part281); + +var select68 = linear_select([ + msg224, + msg225, +]); + +var part282 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup88, +])); + +var msg226 = msg("158", part282); + +var part283 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, +])); + +var msg227 = msg("159", part283); + +var part284 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + setc("eventcategory","1203000000"), +])); + +var msg228 = msg("160", part284); + +var part285 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup57, +])); + +var msg229 = msg("161", part285); + +var part286 = match("MESSAGE#228:162", 
"nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup32, +])); + +var msg230 = msg("162", part286); + +var part287 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, +])); + +var msg231 = msg("163", part287); + +var part288 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, +])); + +var msg232 = msg("164", part288); + +var part289 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, +])); + +var msg233 = msg("165", part289); + +var part290 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup13, +])); + +var msg234 = msg("166", part290); + +var part291 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup13, +])); + +var msg235 = msg("167", part291); + +var part292 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup13, +])); + +var msg236 = msg("168", part292); + +var part293 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, +])); + +var msg237 = msg("169", part293); + +var part294 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, +])); + +var msg238 = msg("170", part294); + +var part295 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ + dup62, +])); + +var msg239 = msg("171", part295); + +var part296 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup89, +])); + +var msg240 = msg("171:01", part296); + +var part297 = match("MESSAGE#239:171:02", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}:%{dport}", processor_chain([ + dup89, +])); + +var msg241 = msg("171:02", part297); + +var part298 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2}n=%{fld3}src=%{p0}"); + +var all38 = all_match({ + processors: [ + part298, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup89, + ]), +}); + +var msg242 = msg("171:03", all38); + +var select69 = linear_select([ + msg239, + msg240, + msg241, + msg242, +]); + +var part299 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup62, +])); + +var msg243 = msg("172", part299); + +var part300 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup62, +])); + +var msg244 = msg("172:01", part300); + +var select70 = linear_select([ + msg243, + msg244, +]); + +var part301 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup62, +])); + +var msg245 = msg("173", part301); + +var part302 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup59, +])); + +var msg246 = msg("174", part302); + +var all39 = all_match({ + processors: [ + dup80, + dup178, + dup11, + dup176, + dup79, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var msg247 = msg("174:01", all39); + +var all40 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup189, + ], + on_success: processor_chain([ + dup13, + ]), +}); + +var msg248 = msg("174:02", all40); + +var all41 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup181, + dup43, + ], + on_success: processor_chain([ + dup13, + ]), +}); + +var msg249 = msg("174:03", all41); + +var select71 = linear_select([ + msg246, + msg247, + msg248, + msg249, +]); + +var part303 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + 
dup59, +])); + +var msg250 = msg("175", part303); + +var part304 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1}src=%{saddr}dst=%{daddr}type=%{type}", processor_chain([ + dup59, +])); + +var msg251 = msg("175:01", part304); + +var part305 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}dst=%{daddr}type=%{type}icmpCode=%{fld3}npcs=%{info}", processor_chain([ + dup59, +])); + +var msg252 = msg("175:02", part305); + +var select72 = linear_select([ + msg250, + msg251, + msg252, +]); + +var part306 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup89, +])); + +var msg253 = msg("176", part306); + +var msg254 = msg("177", dup185); + +var msg255 = msg("178", dup191); + +var msg256 = msg("179", dup185); + +var all42 = all_match({ + processors: [ + dup33, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup93, + ]), +}); + +var msg257 = msg("180", all42); + +var all43 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup192, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), +}); + +var msg258 = msg("180:01", all43); + +var select73 = linear_select([ + msg257, + msg258, +]); + +var msg259 = msg("181", dup184); + +var all44 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup62, + ]), +}); + +var msg260 = msg("181:01", all44); + +var select74 = linear_select([ + msg259, + msg260, +]); + +var msg261 = msg("193", dup229); + +var msg262 = msg("194", dup230); + +var msg263 = msg("195", dup230); + +var part307 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{fld2}dst=%{daddr}:%{fld3}sport=%{sport}dport=%{dport->} %{p0}"); + +var part308 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); + +var select75 = linear_select([ + dup100, + part308, +]); + 
+var all45 = all_match({ + processors: [ + part307, + select75, + dup101, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg264 = msg("196", all45); + +var part309 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + +var select76 = linear_select([ + dup100, + part309, +]); + +var all46 = all_match({ + processors: [ + dup97, + select76, + dup101, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg265 = msg("196:01", all46); + +var select77 = linear_select([ + msg264, + msg265, +]); + +var msg266 = msg("199", dup231); + +var msg267 = msg("200", dup232); + +var part310 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld}usr=%{username}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ + dup29, +])); + +var msg268 = msg("235:02", part310); + +var part311 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld}usr=%{username}src=%{p0}"); + +var all47 = all_match({ + processors: [ + part311, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg269 = msg("235", all47); + +var msg270 = msg("235:01", dup233); + +var select78 = linear_select([ + msg268, + msg269, + msg270, +]); + +var msg271 = msg("236", dup233); + +var msg272 = msg("237", dup231); + +var msg273 = msg("238", dup231); + +var part312 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}dst=%{dtransaddr}", processor_chain([ + dup103, +])); + +var msg274 = msg("239", part312); + +var part313 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}dst=%{dtransaddr}", processor_chain([ + dup103, +])); + +var msg275 = msg("240", part313); + +var part314 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup70, +])); + +var msg276 = 
msg("241", part314); + +var part315 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ + dup70, +])); + +var msg277 = msg("241:01", part315); + +var select79 = linear_select([ + msg276, + msg277, +]); + +var part316 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + +var part317 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var select80 = linear_select([ + part316, + part317, + dup35, +]); + +var part318 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); + +var part319 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); + +var select81 = linear_select([ + part318, + part319, + dup86, +]); + +var all48 = all_match({ + processors: [ + dup44, + select80, + dup36, + select81, + ], + on_success: processor_chain([ + dup70, + ]), +}); + +var msg278 = msg("242", all48); + +var msg279 = msg("252", dup194); + +var msg280 = msg("255", dup194); + +var msg281 = msg("257", dup194); + +var msg282 = msg("261:01", dup234); + +var msg283 = msg("261", dup194); + +var select82 = linear_select([ + msg282, + msg283, +]); + +var msg284 = msg("262", dup234); + +var all49 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg285 = msg("273", all49); + +var msg286 = msg("328", dup235); + +var msg287 = msg("329", dup232); + +var msg288 = msg("346", dup194); + +var msg289 = msg("350", dup194); + +var msg290 = msg("351", dup194); + +var msg291 = msg("352", dup194); + +var part320 = match("MESSAGE#290:353:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, +])); + +var msg292 = msg("353:01", part320); + +var part321 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}dst=%{dtransaddr}dstname=%{shost}lifeSeconds=%{misc}\"", 
processor_chain([ + dup5, +])); + +var msg293 = msg("353", part321); + +var select83 = linear_select([ + msg292, + msg293, +]); + +var part322 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}dstname=\"%{shost}lifeSeconds=%{misc}\"", processor_chain([ + dup1, +])); + +var msg294 = msg("354", part322); + +var msg295 = msg("355", dup195); + +var msg296 = msg("355:01", dup194); + +var select84 = linear_select([ + msg295, + msg296, +]); + +var msg297 = msg("356", dup196); + +var part323 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}dstname=%{name->} ", processor_chain([ + dup89, +])); + +var msg298 = msg("357", part323); + +var part324 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ + dup89, +])); + +var msg299 = msg("357:01", part324); + +var select85 = linear_select([ + msg298, + msg299, +]); + +var msg300 = msg("358", dup197); + +var part325 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}dst=%{dtransaddr}dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), +])); + +var msg301 = msg("371", part325); + +var msg302 = msg("371:01", dup198); + +var select86 = linear_select([ + msg301, + msg302, +]); + +var msg303 = msg("372", dup194); + +var msg304 = msg("373", dup196); + +var msg305 = msg("401", dup236); + +var msg306 = msg("402", dup236); + +var msg307 = msg("406", dup197); + +var part326 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var msg308 = msg("413", part326); + +var msg309 = msg("414", dup194); + +var msg310 = msg("438", dup237); + +var msg311 = msg("439", dup237); + +var all50 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + 
], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), +}); + +var msg312 = msg("440", all50); + +var all51 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), +}); + +var msg313 = msg("441", all51); + +var part327 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), +])); + +var msg314 = msg("441:01", part327); + +var select87 = linear_select([ + msg313, + msg314, +]); + +var all52 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), +}); + +var msg315 = msg("442", all52); + +var part328 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + +var part329 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + +var part330 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + +var select88 = linear_select([ + part329, + part330, +]); + +var part331 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var all53 = all_match({ + processors: [ + part328, + select88, + part331, + dup200, + dup114, + ], + on_success: processor_chain([ + dup59, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg316 = msg("446", all53); + +var part332 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}note=\"MAC=%{smacaddr}HostName:%{hostname}\"", processor_chain([ + dup115, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg317 = msg("477", part332); + +var all54 
= all_match({ + processors: [ + dup80, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg318 = msg("509", all54); + +var all55 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg319 = msg("520", all55); + +var msg320 = msg("522", dup238); + +var part333 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}srcV6=%{saddr_v6}src= %{p0}"); + +var part334 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6}dst= %{p0}"); + +var all56 = all_match({ + processors: [ + part333, + dup179, + part334, + dup176, + dup116, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg321 = msg("522:01", all56); + +var part335 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + +var select89 = linear_select([ + part335, + dup39, +]); + +var all57 = all_match({ + processors: [ + dup38, + select89, + dup11, + dup176, + dup116, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg322 = msg("522:02", all57); + +var select90 = linear_select([ + msg320, + msg321, + msg322, +]); + +var msg323 = msg("523", dup238); + +var all58 = all_match({ + processors: [ + dup80, + dup178, + dup11, + dup176, + dup11, + dup201, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg324 = msg("524", all58); + +var part336 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + +var part337 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + +var select91 = linear_select([ + part336, + part337, +]); + +var all59 = all_match({ + processors: [ + dup8, + dup178, + dup11, + dup176, + dup11, + select91, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg325 = msg("524:01", all59); + +var part338 = match("MESSAGE#323:524:02/0", "nwparser.payload", 
"msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{p0}"); + +var part339 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); + +var part340 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); + +var select92 = linear_select([ + part339, + part340, +]); + +var part341 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + +var all60 = all_match({ + processors: [ + part338, + select92, + part341, + ], + on_success: processor_chain([ + dup7, + dup12, + ]), +}); + +var msg326 = msg("524:02", all60); + +var select93 = linear_select([ + msg324, + msg325, + msg326, +]); + +var msg327 = msg("526", dup239); + +var part342 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + +var select94 = linear_select([ + dup26, + part342, + dup39, +]); + +var part343 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); + +var select95 = linear_select([ + dup85, + part343, +]); + +var all61 = all_match({ + processors: [ + dup80, + select94, + dup11, + select95, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg328 = msg("526:01", all61); + +var all62 = all_match({ + processors: [ + dup8, + dup202, + dup11, + dup176, + dup116, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg329 = msg("526:02", all62); + +var part344 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup12, +])); + +var msg330 = msg("526:03", part344); + +var part345 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup12, +])); + +var msg331 = msg("526:04", part345); + +var part346 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup12, +])); + +var msg332 = msg("526:05", part346); + +var select96 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, +]); + +var part347 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}rcvd=%{p0}"); + +var part348 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); + +var part349 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); + +var select97 = linear_select([ + part348, + part349, +]); + +var all63 = all_match({ + processors: [ + dup118, + dup203, + dup11, + dup204, + part347, + select97, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg333 = msg("537:01", all63); + +var part350 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}"); + +var all64 = all_match({ + processors: [ + dup118, + dup203, + dup11, + dup204, + part350, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg334 = msg("537:02", all64); + +var select98 = linear_select([ + dup119, + dup120, + dup121, + dup122, +]); + +var part351 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part352 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); + +var select99 = linear_select([ + dup125, + part351, + part352, +]); + +var part353 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} 
%{smacaddr->} %{p0}"); + +var select100 = linear_select([ + dup126, + dup127, +]); + +var part354 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + +var part355 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + +var select101 = linear_select([ + part354, + part355, +]); + +var part356 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); + +var part357 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var part358 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); + +var part359 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); + +var part360 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); + +var select102 = linear_select([ + part356, + part357, + part358, + part359, + part360, +]); + +var all65 = all_match({ + processors: [ + select98, + dup205, + dup206, + select99, + part353, + select100, + select101, + select102, + ], + on_success: processor_chain([ + dup107, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg335 = msg("537:08", all65); + +var select103 = linear_select([ + dup120, + dup119, + dup121, + dup122, +]); + +var part361 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + +var part362 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); + +var select104 = linear_select([ + dup128, + part361, + part362, +]); + +var part363 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr}proto=%{protocol}sent=%{p0}"); + +var select105 = linear_select([ + dup131, + dup132, + dup133, + dup134, +]); + +var all66 = all_match({ + processors: [ + select103, + dup205, + dup206, + select104, + part363, + dup207, + select105, + ], + on_success: processor_chain([ + dup107, + dup12, + dup18, + dup19, 
+ dup20, + dup21, + dup22, + ]), +}); + +var msg336 = msg("537:09", all66); + +var part364 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var select106 = linear_select([ + dup119, + part364, + dup121, + dup122, +]); + +var part365 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var part366 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); + +var select107 = linear_select([ + part365, + part366, + dup126, + dup127, +]); + +var part367 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); + +var select108 = linear_select([ + dup131, + dup132, + dup133, + part367, + dup134, +]); + +var all67 = all_match({ + processors: [ + select106, + dup205, + dup206, + dup186, + select107, + dup207, + select108, + ], + on_success: processor_chain([ + dup107, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg337 = msg("537:07", all67); + +var part368 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); + +var part369 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); + +var select109 = linear_select([ + part368, + part369, +]); + +var part370 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1}src= %{p0}"); + +var part371 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); + +var part372 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); + +var part373 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); + +var part374 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); + +var select110 = 
linear_select([ + part371, + part372, + part373, + part374, +]); + +var part375 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + +var part376 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + +var part377 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + +var part378 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + +var part379 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); + +var select111 = linear_select([ + part375, + part376, + part377, + part378, + part379, +]); + +var all68 = all_match({ + processors: [ + dup48, + select109, + part370, + dup203, + select110, + select111, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg338 = msg("537", all68); + +var part380 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}cdur=%{fld5}npcs=%{info}"); + +var all69 = all_match({ + processors: [ + dup135, + dup180, + dup11, + dup208, + part380, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg339 = msg("537:04", all69); + +var part381 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}spkt=%{fld3}cdur=%{p0}"); + +var part382 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + +var part383 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); + +var select112 = linear_select([ + part382, + part383, +]); + +var all70 = all_match({ + processors: [ + dup135, + dup180, + dup11, + dup208, + part381, + select112, + dup92, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg340 = msg("537:05", all70); + +var part384 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" 
sess=%{fld1}n=%{p0}"); + +var part385 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + +var part386 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + +var select113 = linear_select([ + dup128, + part385, + part386, +]); + +var part387 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld10}rpkt=%{fld11->} %{p0}"); + +var all71 = all_match({ + processors: [ + part384, + dup209, + dup139, + dup210, + select113, + part387, + dup211, + ], + on_success: processor_chain([ + dup107, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg341 = msg("537:10", all71); + +var part388 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1}n=%{p0}"); + +var part389 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part390 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + +var select114 = linear_select([ + dup77, + part389, + part390, +]); + +var part391 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld10}rpkt=%{fld11->} %{p0}"); + +var all72 = all_match({ + processors: [ + part388, + dup209, + dup139, + dup210, + select114, + part391, + dup211, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg342 = msg("537:03", all72); + +var part392 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}spkt=%{fld3}npcs=%{info}"); + +var all73 = all_match({ + processors: [ + dup135, + dup180, + dup11, + dup208, + part392, + ], + on_success: processor_chain([ + dup107, + ]), +}); + +var msg343 = msg("537:06", all73); + +var part393 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup107, + dup54, + dup12, + dup144, +])); + +var msg344 = msg("537:11", part393); + +var part394 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup107, + dup54, + dup12, + dup144, +])); + +var msg345 = msg("537:12", part394); + +var select115 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, +]); + +var msg346 = msg("538", dup229); + +var msg347 = msg("549", dup232); + +var msg348 = msg("557", dup232); + +var all74 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), +}); + +var msg349 = msg("558", all74); + +var msg350 = msg("561", dup235); + +var msg351 = msg("562", dup235); + +var msg352 = msg("563", dup235); + +var all75 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), +}); + +var msg353 = msg("583", all75); + +var part395 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}type=%{icmptype}code=%{icmpcode}", processor_chain([ + dup145, + dup51, + dup146, + dup53, + dup54, + dup12, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg354 = msg("597:01", 
part395); + +var part396 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}type=%{icmptype}code=%{icmpcode}", processor_chain([ + dup1, +])); + +var msg355 = msg("597:02", part396); + +var part397 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg}sess=%{fld1}n=%{fld2}src= %{p0}"); + +var all76 = all_match({ + processors: [ + part397, + dup187, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg356 = msg("597:03", all76); + +var select116 = linear_select([ + msg354, + msg355, + msg356, +]); + +var part398 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}type=%{type}code=%{code}", processor_chain([ + dup1, +])); + +var msg357 = msg("598", part398); + +var part399 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type}npcs=%{info}"); + +var all77 = all_match({ + processors: [ + dup148, + dup182, + part399, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg358 = msg("598:01", all77); + +var all78 = all_match({ + processors: [ + dup148, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg359 = msg("598:02", all78); + +var select117 = linear_select([ + msg357, + msg358, + msg359, +]); + +var part400 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup51, + dup146, + dup53, + dup54, + dup12, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg360 = msg("602:01", part400); + +var msg361 = msg("602:02", dup239); + +var all79 = all_match({ + processors: [ + dup8, + dup178, + dup11, + dup176, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg362 = msg("602:03", 
all79); + +var select118 = linear_select([ + msg360, + msg361, + msg362, +]); + +var msg363 = msg("605", dup197); + +var all80 = all_match({ + processors: [ + dup149, + dup212, + dup151, + dup200, + dup114, + ], + on_success: processor_chain([ + dup89, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg364 = msg("606", all80); + +var part401 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}ipscat=%{ipscat}ipspri=%{p0}"); + +var part402 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + +var part403 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + +var select119 = linear_select([ + part402, + part403, +]); + +var part404 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1}src=%{saddr}:%{p0}"); + +var part405 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + +var part406 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + +var select120 = linear_select([ + part405, + part406, +]); + +var part407 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + +var part408 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + +var part409 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + +var part410 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); + +var select121 = linear_select([ + part408, + part409, + part410, +]); + +var all81 = all_match({ + processors: [ + part401, + select119, + part404, + select120, + part407, + select121, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), +}); + +var msg365 = msg("608", all81); + +var msg366 = msg("616", dup195); + +var msg367 = msg("658", dup191); + +var msg368 = msg("710", dup213); + +var msg369 = msg("712:02", dup240); + +var msg370 = msg("712", dup213); + +var all82 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup192, + 
dup96, + ], + on_success: processor_chain([ + dup152, + ]), +}); + +var msg371 = msg("712:01", all82); + +var select122 = linear_select([ + msg369, + msg370, + msg371, +]); + +var part411 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}note=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg372 = msg("713:01", part411); + +var msg373 = msg("713:04", dup240); + +var msg374 = msg("713:02", dup213); + +var part412 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg375 = msg("713:03", part412); + +var select123 = linear_select([ + msg372, + msg373, + msg374, + msg375, +]); + +var part413 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}note=%{info}", processor_chain([ + dup115, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg376 = msg("760", part413); + +var part414 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1}n=%{fld2}src=%{p0}"); + +var part415 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action}npcs=%{info}"); + +var all83 = all_match({ + processors: [ + part414, + dup175, + dup11, + dup192, + part415, + ], + on_success: processor_chain([ + dup115, + dup51, + dup52, + dup53, + dup54, + dup12, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg377 = 
msg("760:01", all83); + +var select124 = linear_select([ + msg376, + msg377, +]); + +var msg378 = msg("766", dup217); + +var msg379 = msg("860", dup217); + +var msg380 = msg("860:01", dup218); + +var select125 = linear_select([ + msg379, + msg380, +]); + +var part416 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + +var part417 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + +var part418 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); + +var select126 = linear_select([ + part417, + part418, +]); + +var all84 = all_match({ + processors: [ + part416, + select126, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), +}); + +var msg381 = msg("866", all84); + +var msg382 = msg("866:01", dup218); + +var select127 = linear_select([ + msg381, + msg382, +]); + +var msg383 = msg("867", dup217); + +var msg384 = msg("867:01", dup218); + +var select128 = linear_select([ + msg383, + msg384, +]); + +var part419 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ + dup1, +])); + +var msg385 = msg("882", part419); + +var part420 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}npcs=%{info}", processor_chain([ + dup1, +])); + +var msg386 = msg("882:01", part420); + +var select129 = linear_select([ + msg385, + msg386, +]); + +var part421 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup161, +])); + +var msg387 = msg("888", part421); + +var part422 = match("MESSAGE#385:888:01", 
"nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=%{fld3}npcs=%{info}", processor_chain([ + dup161, +])); + +var msg388 = msg("888:01", part422); + +var select130 = linear_select([ + msg387, + msg388, +]); + +var all85 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup161, + ]), +}); + +var msg389 = msg("892", all85); + +var msg390 = msg("904", dup217); + +var msg391 = msg("905", dup217); + +var msg392 = msg("906", dup217); + +var msg393 = msg("907", dup217); + +var select131 = linear_select([ + dup73, + dup140, +]); + +var all86 = all_match({ + processors: [ + dup162, + select131, + dup11, + dup212, + dup151, + dup200, + dup114, + ], + on_success: processor_chain([ + dup70, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg394 = msg("908", all86); + +var msg395 = msg("909", dup217); + +var msg396 = msg("914", dup219); + +var part423 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ + dup64, +])); + +var msg397 = msg("931", part423); + +var msg398 = msg("657", dup219); + +var all87 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg399 = msg("657:01", all87); + +var select132 = linear_select([ + msg398, + msg399, +]); + +var msg400 = msg("403", dup198); + +var msg401 = msg("534", dup177); + +var msg402 = msg("994", dup220); + +var part424 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}proto=%{protocol}", processor_chain([ + dup1, + dup24, +])); + +var msg403 = msg("243", part424); + +var msg404 = msg("995", dup177); + +var part425 = match("MESSAGE#402:997", 
"nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3}dst=%{daddr}:%{dport}:%{dinterface}:%{fld4}note=\"%{info}\"", processor_chain([ + dup1, + dup51, + dup53, + dup54, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg405 = msg("997", part425); + +var msg406 = msg("998", dup220); + +var part426 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup107, + dup12, +])); + +var msg407 = msg("998:01", part426); + +var select133 = linear_select([ + msg406, + msg407, +]); + +var msg408 = msg("1110", dup221); + +var msg409 = msg("565", dup221); + +var part427 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}note=\"%{event_description}\"", processor_chain([ + dup1, + dup54, +])); + +var msg410 = msg("404", part427); + +var select134 = linear_select([ + dup150, + dup50, +]); + +var part428 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}note=\"%{fld3}\" fw_action=\"%{action}\""); + +var all88 = all_match({ + processors: [ + dup81, + select134, + part428, + ], + on_success: processor_chain([ + dup107, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg411 = msg("267:01", all88); + +var part429 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}", processor_chain([ + dup1, + dup54, +])); + +var msg412 = msg("267", part429); + +var select135 = linear_select([ + msg411, + msg412, +]); + +var part430 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}proto=%{protocol}", processor_chain([ + 
dup1, + dup24, +])); + +var msg413 = msg("263", part430); + +var part431 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}fw_action=\"%{action}\"", processor_chain([ + dup105, + dup12, +])); + +var msg414 = msg("264", part431); + +var msg415 = msg("412", dup198); + +var part432 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1}af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6}src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, +])); + +var msg416 = msg("793", part432); + +var part433 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}if=%{fld2}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, +])); + +var msg417 = msg("805", part433); + +var part434 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}fw_action=\"%{action}\"", processor_chain([ + dup163, + dup12, +])); + +var msg418 = msg("809", part434); + +var part435 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}fw_action=\"%{action}\"", processor_chain([ + dup163, + dup12, +])); + +var msg419 = msg("809:01", part435); + +var select136 = linear_select([ + msg418, + msg419, +]); + +var msg420 = msg("935", dup219); + +var msg421 = msg("614", dup222); + +var part436 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{p0}"); + +var all89 = all_match({ 
+ processors: [ + part436, + dup200, + dup114, + ], + on_success: processor_chain([ + dup58, + dup37, + ]), +}); + +var msg422 = msg("748", all89); + +var part437 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid}spycat=%{fld1}spypri=%{fld2}pktdatId=%{fld3}n=%{fld4}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{p0}"); + +var part438 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + +var select137 = linear_select([ + part438, + dup113, +]); + +var all90 = all_match({ + processors: [ + part437, + select137, + dup114, + ], + on_success: processor_chain([ + dup164, + dup37, + ]), +}); + +var msg423 = msg("794", all90); + +var msg424 = msg("1086", dup222); + +var part439 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup164, + dup37, +])); + +var msg425 = msg("1430", part439); + +var msg426 = msg("1149", dup222); + +var msg427 = msg("1159", dup222); + +var part440 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup164, + dup37, +])); + +var msg428 = msg("1195", part440); + +var part441 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup164, + dup37, +])); + +var msg429 = msg("1195:01", part441); + +var select138 = linear_select([ + msg428, + msg429, +]); + +var part442 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, +])); + +var msg430 = msg("1226", part442); + +var part443 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}note=\"%{fld3}\" 
fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, +])); + +var msg431 = msg("1222", part443); + +var part444 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}n=%{fld3}src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, +])); + +var msg432 = msg("1154", part444); + +var part445 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}n=%{fld3}src=%{p0}"); + +var all91 = all_match({ + processors: [ + part445, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), +}); + +var msg433 = msg("1154:01", all91); + +var part446 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=\"%{fld1}\" appid%{fld2}catid=%{fld3}sess=\"%{fld4}\" n=%{fld5}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup165, + dup12, +])); + +var msg434 = msg("1154:02", part446); + +var part447 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=\"%{fld1}\" appid=%{fld2}catid=%{fld3}n=%{fld4}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var select139 = linear_select([ + dup125, + dup49, +]); + +var part448 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all92 = all_match({ + processors: [ + part447, + select139, + part448, + ], + on_success: processor_chain([ + dup165, + dup12, + ]), +}); + +var msg435 = msg("1154:03", all92); + +var select140 = linear_select([ + msg432, + msg433, + msg434, + msg435, +]); + +var part449 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr}dst=%{dtransaddr->} %{result}", 
processor_chain([ + dup166, +])); + +var msg436 = msg("msg", part449); + +var part450 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr}dst=%{dtransaddr->} %{msg}", processor_chain([ + dup166, +])); + +var msg437 = msg("src", part450); + +var all93 = all_match({ + processors: [ + dup8, + dup178, + dup11, + dup176, + dup11, + dup201, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg438 = msg("1235", all93); + +var part451 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3}Protocol:%{protocol}\" npcs=%{info}"); + +var all94 = all_match({ + processors: [ + dup8, + dup178, + dup11, + dup192, + part451, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg439 = msg("1197", all94); + +var part452 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}sess=%{fld1}n=%{fld2}src=%{p0}"); + +var all95 = all_match({ + processors: [ + part452, + dup178, + dup167, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg440 = msg("1199", all95); + +var part453 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup168, + dup12, +])); + +var msg441 = msg("1199:01", part453); + +var part454 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup168, + dup12, +])); + +var msg442 = msg("1199:02", part454); + +var select141 = linear_select([ + msg440, + msg441, + msg442, +]); + +var part455 = match("MESSAGE#442:1155/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}catid=%{fld3}sess=%{fld4}n=%{fld5}src=%{p0}"); + +var all96 = all_match({ + processors: [ + part455, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg443 = msg("1155", all96); + +var part456 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup107, +])); + +var msg444 = msg("1155:01", part456); + +var select142 = linear_select([ + msg443, + msg444, +]); + +var all97 = all_match({ + processors: [ + dup169, + dup202, + dup167, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg445 = msg("1198", all97); + +var all98 = all_match({ + processors: [ + dup8, + dup178, + dup167, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg446 = msg("714", all98); + +var msg447 = msg("709", dup241); + +var msg448 = msg("1005", dup241); + +var msg449 = msg("1003", dup241); + +var msg450 = msg("1007", dup242); + +var part457 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld2}usr=\"%{username}\" src=%{saddr}::%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup12, +])); + +var msg451 = msg("1008", part457); + +var msg452 = msg("708", dup242); + +var all99 = all_match({ + processors: [ + dup169, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg453 = msg("1201", all99); + +var msg454 = msg("1201:01", dup242); + +var select143 = linear_select([ + msg453, + msg454, +]); + +var msg455 = msg("654", dup223); + +var msg456 = msg("670", dup223); + +var msg457 = msg("884", dup242); + +var part458 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" 
sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}proto=%{protocol}rcvd=%{rbytes}note=\"%{info}\"", processor_chain([ + dup1, +])); + +var msg458 = msg("1153", part458); + +var part459 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); + +var part460 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); + +var part461 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); + +var select144 = linear_select([ + part459, + part460, + part461, +]); + +var part462 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3}usr=\"%{username}\" src=%{p0}"); + +var part463 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var select145 = linear_select([ + part463, + dup26, +]); + +var part464 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + +var part465 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + +var part466 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + +var select146 = linear_select([ + part464, + part465, + part466, +]); + +var part467 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol->} %{p0}"); + +var part468 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); + +var part469 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); + +var part470 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); + +var select147 = linear_select([ + part468, + part469, + part470, +]); + +var all100 = all_match({ + processors: [ + select144, + part462, + select145, + dup11, + select146, + part467, + select147, + ], + 
on_success: processor_chain([ + dup1, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg459 = msg("1153:01", all100); + +var part471 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + +var part472 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part473 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); + +var select148 = linear_select([ + part472, + part473, +]); + +var part474 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes->} "); + +var all101 = all_match({ + processors: [ + part471, + select148, + part474, + ], + on_success: processor_chain([ + dup1, + dup12, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var msg460 = msg("1153:02", all101); + +var select149 = linear_select([ + msg458, + msg459, + msg460, +]); + +var part475 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, +])); + +var msg461 = msg("1107", part475); + +var part476 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + +var part477 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part478 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); + +var select150 = linear_select([ + part477, + part478, +]); + +var all102 = all_match({ + processors: [ + part476, + select150, + dup11, + dup224, + dup172, + ], + on_success: processor_chain([ + dup161, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg462 = msg("1220", all102); + +var all103 = all_match({ + processors: [ + dup149, + dup224, + dup172, + ], + on_success: processor_chain([ + dup161, + dup54, + dup18, + 
dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg463 = msg("1230", all103); + +var part479 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}note=\"%{info}\"", processor_chain([ + dup1, +])); + +var msg464 = msg("1231", part479); + +var part480 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup168, + dup12, +])); + +var msg465 = msg("1233", part480); + +var part481 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + +var part482 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + +var part483 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + +var select151 = linear_select([ + part482, + part483, +]); + +var part484 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + +var part485 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); + +var part486 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); + +var part487 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); + +var select152 = linear_select([ + part485, + part486, + part487, +]); + +var all104 = all_match({ + processors: [ + part481, + select151, + part484, + select152, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg466 = msg("1079", all104); + +var part488 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space}n=%{fld1}", processor_chain([ + dup1, +])); + +var msg467 = msg("1079:01", part488); + +var part489 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr}is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup12, + setc("event_description","destination is not allowed by access control"), + 
dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg468 = msg("1079:02", part489); + +var part490 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username}matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup12, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, +])); + +var msg469 = msg("1079:03", part490); + +var select153 = linear_select([ + msg466, + msg467, + msg468, + msg469, +]); + +var part491 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}usr=\"%{username}\" src= %{p0}"); + +var part492 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var select154 = linear_select([ + dup73, + part492, +]); + +var select155 = linear_select([ + dup77, + dup78, +]); + +var part493 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); + +var all105 = all_match({ + processors: [ + part491, + select154, + dup11, + select155, + part493, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg470 = msg("1080", all105); + +var part494 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg471 = msg("580", part494); + +var part495 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var all106 = all_match({ + processors: [ + part495, + dup225, + dup114, + ], + on_success: processor_chain([ + dup70, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + 
dup37, + ]), +}); + +var msg472 = msg("1369", all106); + +var all107 = all_match({ + processors: [ + dup149, + dup212, + dup151, + dup225, + dup114, + ], + on_success: processor_chain([ + dup70, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg473 = msg("1370", all107); + +var all108 = all_match({ + processors: [ + dup149, + dup212, + dup151, + dup200, + dup114, + ], + on_success: processor_chain([ + dup70, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg474 = msg("1371", all108); + +var part496 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); + +var select156 = linear_select([ + dup140, + part496, +]); + +var all109 = all_match({ + processors: [ + dup162, + select156, + dup11, + dup212, + dup151, + dup200, + dup114, + ], + on_success: processor_chain([ + dup161, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg475 = msg("1387", all109); + +var part497 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); + +var part498 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); + +var select157 = linear_select([ + dup69, + part498, +]); + +var part499 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); + +var part500 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + +var part501 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); + +var select158 = linear_select([ + part499, + part500, + part501, +]); + +var all110 = all_match({ + processors: [ + part497, + select157, + select158, + ], + on_success: processor_chain([ + dup1, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg476 = msg("1391", all110); + +var part502 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" 
app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg477 = msg("1253", part502); + +var part503 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg478 = msg("1009", part503); + +var part504 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part505 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); + +var part506 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + +var select159 = linear_select([ + part505, + part506, +]); + +var part507 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + +var all111 = all_match({ + processors: [ + part504, + select159, + part507, + ], + on_success: processor_chain([ + dup5, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg479 = msg("910", all111); + +var part508 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup54, + dup18, + dup82, + dup20, + dup22, + dup37, +])); + +var msg480 = msg("m:01", part508); + +var part509 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup18, + dup82, + 
dup20, + dup21, + dup22, + dup37, +])); + +var msg481 = msg("1011", part509); + +var part510 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid}ipscat=\"%{fld3}\" ipspri=%{fld4}pktdatId=%{fld5}n=%{fld6}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup165, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg482 = msg("609", part510); + +var msg483 = msg("796", dup226); + +var part511 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg484 = msg("880", part511); + +var part512 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup161, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var msg485 = msg("1309", part512); + +var msg486 = msg("1310", dup226); + +var part513 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); + +var part514 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); + +var select160 = linear_select([ + part513, + part514, +]); + +var part515 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + +var all112 = all_match({ + processors: [ + dup81, + select160, + part515, + ], + on_success: processor_chain([ + dup1, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg487 = msg("1232", all112); + +var part516 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" 
n=%{fld2}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var all113 = all_match({ + processors: [ + part516, + dup200, + dup114, + ], + on_success: processor_chain([ + dup161, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, + ]), +}); + +var msg488 = msg("1447", all113); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select153, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select65, + "1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select66, + "1153": select149, + "1154": select140, + "1155": select142, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select138, + "1197": msg439, + "1198": msg445, + "1199": select141, + "12": select4, + "120": msg181, + "1201": select143, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select67, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + 
"142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select68, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select69, + "172": select70, + "173": msg245, + "174": select71, + "175": select72, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select73, + "181": select74, + "19": msg24, + "193": msg261, + "194": msg262, + "195": msg263, + "196": select77, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select78, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select79, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select82, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select135, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select83, + "354": msg294, + "355": select84, + "356": msg297, + "357": select85, + "358": msg300, + "36": select22, + "37": select26, + "371": select86, + "372": msg303, + "373": msg304, + "38": select29, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select30, + "412": 
msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select87, + "442": msg315, + "446": msg316, + "45": select31, + "46": select32, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select90, + "523": msg323, + "524": select93, + "526": select96, + "53": msg88, + "534": msg401, + "537": select115, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select116, + "598": select117, + "6": select3, + "60": msg90, + "602": select118, + "605": msg363, + "606": msg364, + "608": msg365, + "609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select33, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select132, + "658": msg367, + "66": msg97, + "67": select34, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select36, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select122, + "713": select123, + "714": msg446, + "72": select37, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select124, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select136, + "81": msg114, + "82": select38, + "83": select39, + "84": msg122, + "860": select125, + "866": select127, + "867": select128, + "87": select41, + "88": select42, + "880": msg484, + "882": select129, + "884": msg457, + "888": select130, + "89": select44, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + 
"910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select51, + "98": select64, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select133, + "m": msg480, + "msg": msg436, + "src": msg437, + }), +]); + +var part517 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); + +var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{p0}"); + +var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + +var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var part526 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); + +var part527 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld}src=%{p0}"); + +var part528 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{p0}"); + +var part529 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + +var part530 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var part531 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + +var part532 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src= %{p0}"); + +var part533 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + +var part534 = 
match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + +var part535 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + +var part536 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var part537 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol}npcs=%{info}"); + +var part538 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src= %{p0}"); + +var part539 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + +var part540 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + +var part541 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + +var part542 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + +var part543 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part544 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + +var part545 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1}src= %{p0}"); + +var part546 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + +var part547 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1}n=%{fld2}src= %{p0}"); + +var part548 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var part549 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part550 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + +var part551 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var part552 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part553 = 
match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var part554 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part555 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + +var part556 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + +var part557 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part558 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + +var part559 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{p0}"); + +var part560 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part561 = match("MESSAGE#202:139:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + +var part562 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); + +var part563 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + +var part564 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + +var part565 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + +var part566 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + +var part567 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + +var part568 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + +var part569 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}sport=%{sport}dport=%{dport->} %{p0}"); + +var part570 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + +var part571 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + +var part572 = 
match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + +var part573 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + +var part574 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{p0}"); + +var part575 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld}src=%{p0}"); + +var part576 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr->} %{p0}"); + +var part577 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + +var part578 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + +var part579 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + +var part580 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + +var part581 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol}npcs=%{info}"); + +var part582 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + +var part583 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1}n=%{fld2}src= %{p0}"); + +var part584 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + +var part585 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var part586 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + +var part587 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + +var part588 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + +var part589 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + +var part590 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var 
part591 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var part592 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + +var part593 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + +var part594 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var part595 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + +var part596 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var part597 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var part598 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + +var part599 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + +var part600 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1}n=%{fld2}src= %{p0}"); + +var part601 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + +var part602 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + +var part603 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var part604 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + +var part605 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part606 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + +var part607 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + +var part608 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + +var part609 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg}sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); + +var part610 = match("MESSAGE#361:606/0", 
"nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part611 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + +var part612 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var part613 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + +var part614 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var part615 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + +var part616 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part617 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + +var part618 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + +var part619 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + +var part620 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + +var part621 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{p0}"); + +var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface}npcs=%{info}"); + +var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1}n=%{fld2}src=%{p0}"); + +var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + +var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + +var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + +var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var part628 = match("MESSAGE#471:1369/1_1", 
"nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var select161 = linear_select([ + dup9, + dup10, +]); + +var select162 = linear_select([ + dup16, + dup17, +]); + +var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, +])); + +var select163 = linear_select([ + dup26, + dup27, +]); + +var select164 = linear_select([ + dup34, + dup35, +]); + +var select165 = linear_select([ + dup26, + dup39, +]); + +var select166 = linear_select([ + dup41, + dup42, +]); + +var select167 = linear_select([ + dup46, + dup47, +]); + +var select168 = linear_select([ + dup49, + dup50, +]); + +var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, +])); + +var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, +])); + +var select169 = linear_select([ + dup71, + dup75, + dup76, +]); + +var select170 = linear_select([ + dup9, + dup26, +]); + +var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}dstname=%{shost}", processor_chain([ + dup1, +])); + +var select171 = linear_select([ + dup85, + dup86, +]); + +var select172 = linear_select([ + dup90, + dup91, +]); + +var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ + dup5, +])); + +var select173 = linear_select([ + dup94, + dup95, +]); + +var select174 = linear_select([ + dup98, + dup99, +]); + +var part634 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", 
processor_chain([ + dup89, +])); + +var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup89, +])); + +var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup1, +])); + +var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ + dup1, +])); + +var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, +])); + +var select175 = linear_select([ + dup66, + dup110, +]); + +var select176 = linear_select([ + dup112, + dup113, +]); + +var select177 = linear_select([ + dup117, + dup45, +]); + +var select178 = linear_select([ + dup9, + dup27, +]); + +var select179 = linear_select([ + dup9, + dup26, + dup39, +]); + +var select180 = linear_select([ + dup71, + dup16, + dup17, +]); + +var select181 = linear_select([ + dup123, + dup124, +]); + +var select182 = linear_select([ + dup68, + dup69, + dup74, +]); + +var select183 = linear_select([ + dup129, + dup130, +]); + +var select184 = linear_select([ + dup41, + dup42, + dup136, +]); + +var select185 = linear_select([ + dup137, + dup138, +]); + +var select186 = linear_select([ + dup140, + dup141, +]); + +var select187 = linear_select([ + dup142, + dup143, +]); + +var select188 = linear_select([ + dup49, + dup150, +]); + +var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ + dup152, +])); + +var select189 = linear_select([ + dup154, + dup40, +]); + +var select190 = linear_select([ + dup156, + dup157, +]); + +var select191 = linear_select([ + dup158, + dup159, +]); + +var part640 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ + dup5, +])); + +var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{ntype->} ", processor_chain([ + dup5, +])); + +var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}:%{sinterface}:%{host}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, +])); + +var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, +])); + +var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space}n=%{fld1}", processor_chain([ + dup1, + dup24, +])); + +var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup164, + dup37, +])); + +var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}", processor_chain([ + dup1, +])); + +var select192 = linear_select([ + dup170, + dup171, +]); + +var select193 = linear_select([ + dup173, + dup174, +]); + +var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup18, + dup82, + dup20, + dup21, + dup22, + dup37, +])); + +var all114 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup176, + dup28, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var all115 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var all116 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var all117 = all_match({ + processors: [ + dup97, + dup193, 
+ ], + on_success: processor_chain([ + dup59, + ]), +}); + +var all118 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup102, + ]), +}); + +var all119 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var all120 = all_match({ + processors: [ + dup31, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var all121 = all_match({ + processors: [ + dup104, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var all122 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup108, + ]), +}); + +var all123 = all_match({ + processors: [ + dup109, + dup199, + ], + on_success: processor_chain([ + dup89, + ]), +}); + +var all124 = all_match({ + processors: [ + dup106, + dup178, + dup11, + dup189, + ], + on_success: processor_chain([ + dup111, + ]), +}); + +var all125 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup189, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var all126 = all_match({ + processors: [ + dup80, + dup178, + dup11, + dup176, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var all127 = all_match({ + processors: [ + dup153, + dup214, + dup155, + dup215, + dup216, + dup160, + ], + on_success: processor_chain([ + dup152, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), +}); + +var all128 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup192, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var all129 = all_match({ + processors: [ + dup8, + dup175, + dup11, + dup190, + dup92, + ], + on_success: processor_chain([ + dup1, + ]), +}); 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
new file mode 100644
index 00000000000..75670b6f441
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Sonicwall-FW
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml
new file mode 100644
index 00000000000..18e06e5fd2e
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml
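Review bot: The `on_failure` handler at the end of the pipeline.yml hunk only appends the processor error to `error.message`, so a document whose enrichment fails is still indexed with no other marker, and nothing in the file says that this is intentional. Note also that `ignore_missing: true` on the `geoip` processors covers an absent field only; a `source.ip`/`destination.ip` value that does not parse as an IP address presumably still fails the processor, which is the main path into this handler. A comment above `on_failure:` would make both points explicit: `# Enrichment failures are non-fatal: the event is indexed as-is with the processor error appended to error.message; ignore_missing only covers absent fields, not unparsable IPs.`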
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["sonicwall.firewall", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9519
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log b/x-pack/filebeat/module/sonicwall/firewall/test/general.log
new file mode 100644
index 00000000000..41f778c72f3
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log
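Review bot: None of the entries under `var:` in manifest.yml are documented, and several have defaults an operator needs to understand before enabling the module: `input` defaults to `udp` with `syslog_host: localhost`, `tz_offset` defaults to `local`, and `rsa_fields`, `keep_raw_fields` and `debug` are flags whose effect is only discoverable from `config/input.yml` and the generated pipeline, neither of which is in this hunk. A one-line comment per variable would help; for example above `- name: input`: `# Listener type; the accepted values are defined in config/input.yml. Syslog over UDP carries no sender authentication, so keep syslog_host bound as narrowly as the deployment allows.` For `tz_offset`, a comment such as `# "local" interprets the device's time= field in the Beat host's timezone; set an explicit offset when the firewall and the Beat run in different zones` would explain the shift visible in the expected output, where `time="2007-01-03 14:48:06"` becomes `rsa.time.event_time: 2007-01-03T16:48:06.000Z`, which presumably comes from the offset in effect during the test run.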
@@ -0,0 +1,21 @@
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=2.2.2.2:500 dst=1.1.1.1:500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500
+Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
+Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
+Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
new file mode 100644
index 00000000000..f806cdb4c6f
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
@@ -0,0 +1,639 @@ +[ + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 0, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:06.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36701, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Administrator login denied due to bad credentials", + "event.code": "30", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 203, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "30", + "rsa.misc.action": [ + "Administrator login denied due to bad credentials" + ], + "rsa.time.event_time": 
"2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 414, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36702, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 617, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + 
"Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 843, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:08.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1092, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": 
"sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1345, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1560, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36703, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Administrator login 
denied due to bad credentials", + "event.code": "30", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1763, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "30", + "rsa.misc.action": [ + "Administrator login denied due to bad credentials" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1974, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:11.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36704, + 
"tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "38", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2177, + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "219.89.19.223" + ], + "rsa.internal.event_desc": "ICMP packet dropped", + "rsa.internal.messageid": "38", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:14.000Z", + "service.type": "sonicwall", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "NZ", + "source.geo.location.lat": -41.0, + "source.geo.location.lon": 174.0, + "source.ip": [ + "219.89.19.223" + ], + "source.port": 1026, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2382, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + 
"event.code": "346", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=1.1.1.1:500", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2582, + "log.original": "IKE Initiator: Start Quick Mode (Phase 2).", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "346", + "rsa.internal.msg": "IKE Initiator: Start Quick Mode (Phase 2).", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2780, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "1.1.1.1" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "1.1.1.1" + ], + "source.port": 500, + "tags": [ + "sonicwall.firewall", + 
"forwarded" + ] + }, + { + "event.code": "483", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2977, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "483", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3165, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.115.10" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.115.10" + ], + "source.port": 11549, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN 
dst=192.168.1.100:445:WAN proto=tcp/445", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3375, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "LAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.5.64" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "LAN", + "rsa.time.event_time": "2007-01-03T16:48:17.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.5.64" + ], + "source.port": 3182, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3584, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:18.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": 
"log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3806, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:20.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4049, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.125.75" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:20.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.125.75" + ], + "source.port": 524, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4260, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": 
"Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "192.168.6.10"
+ ],
+ "rsa.internal.messageid": "98",
+ "rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:21.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "192.168.6.10"
+ ],
+ "source.port": 28503,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
new file mode 100644
index 00000000000..0a21480cb6a
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
@@ -0,0 +1,100 @@ +idi id=pexe sn=nes time="2016/01/29 06:09:59" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp +id=umexe sn=estlabo time="2016/02/12 13:12:33" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed +id=alo sn=eosquir time="2016-2-26 8:15:08" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" +emape id=aer sn=lupt time="2016/03/12 03:17:42" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up +id=consec sn=taliquip time="2016/03/26 10:20:16" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway +id=tconsec sn=nsequat time="2016/04/09 17:22:51" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 +llamcorp id=ari sn=eataevit time="2016/04/24 00:25:25" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked +mquisnos id=loremagn sn=iciade time="2016/05/08 07:27:59" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure +id=aali sn=ametcons time="2016/05/22 14:30:33" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal +orsitame id=quiratio sn=ite time="2016/06/05 21:33:08" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked +id=usan sn=aper time="2016/06/20 04:35:42" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host +id=atquovo sn=iumto time="2016/07/04 11:38:16" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated +id=undeo sn=loremip time="2016-7-18 6:40:50" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" +id=rveli sn=rsint time="2016/08/02 01:43:25" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped +id=qua sn=luptatev 
time="2016/08/16 08:45:59" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores +id=tatiset sn=eprehen time="2016/08/30 15:48:33" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings +id=aliq sn=rsitam time="2016/09/13 22:51:07" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" +id=itecto sn=erc time="2016/09/28 05:53:42" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed +id=tat sn=tion time="2016/10/12 12:56:16" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" +id=nidolo sn=tatn time="2016/10/26 19:58:50" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 +id=idex sn=xerci time="2016/11/10 03:01:24" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib +id=ari sn=exercit time="2016/11/24 10:03:59" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active +id=serunt sn=aquaeabi time="2016/12/08 17:06:33" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). +id=veniamq sn=one time="2016/12/23 00:09:07" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source +id=tin sn=tenima time="2017/01/06 07:11:41" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete +id=equat sn=derit time="2017/01/20 14:14:16" fw=10.90.86.89 pri=medium c=labor m=867 msg="didunt" sess=uptatema n=intocc +eporr id=xeacomm sn=mveleu time="2017/02/03 21:16:50" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated +id=nisi sn=dant time="2017/02/18 04:19:24" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state. 
+id=quidolor sn=tessec time="2017/03/04 11:21:59" fw=10.135.160.125 pri=low c=icabo m=882 msg="itatio" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp +id=Nequepor sn=ali time="2017/03/18 18:24:33" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed +id=ehen sn=tate time="2017/04/02 01:27:07" fw=10.140.167.6 pri=low c=stquido m=372 msg="ommodico" n=ptas src=10.60.129.15 dst=10.248.101.25 +id=Nequepo sn=ipsumd time="2017/04/16 08:29:41" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed +id=reetdolo sn=smo time="2017/04/30 15:32:16" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam +santiumd id=turadip sn=uatD time="2017/05/14 22:34:50" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped +id=volu sn=nonn time="2017/05/29 05:37:24" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login +id=sBon sn=orro time="2017/06/12 12:39:58" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD +amvo id=qui sn=tasn time="2017/06/26 19:42:33" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" +id=tvolupt sn=eufugi time="2017/07/11 02:45:07" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available +temqu id=ovol sn=ptasn time="2017/07/25 09:47:41" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped +id=pid sn=illoin time="2017/08/08 16:50:15" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout +id=mestq sn=temUt time="2017/08/22 23:52:50" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active +id=adeser sn=oin time="2017/09/06 06:55:24" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg="quam" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 +reetdol id=totamre sn=isnostr time="2017/09/20 
13:57:58" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out +psaquaea id=taevita sn=ameiusm time="2017/10/04 21:00:32" fw=10.227.15.253 pri=high c=piscinge m=402 msg="tvol" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit +elitse id=ima sn=quasia time="2017/10/19 04:03:07" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local +id=asiarc sn=ian time="2017/11/02 11:05:41" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed +id=intocc sn=amcorp time="2017/11/16 18:08:15" fw=10.57.57.241 pri=low c=litani m=83 msg="utodita" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note="tiaec" npcs=rumwrit +id=gna sn=con time="2017/12/01 01:10:49" fw=10.11.44.250 pri=high c=etMal m=931 msg="qua" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 +rem id=asper sn=idunt time="2017/12/15 08:13:24" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server +id=uisaute sn=imide time="2017/12/29 15:15:58" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable +id=ilmol sn=eri time="2018/01/12 22:18:32" fw=10.154.53.249 pri=low c=mquae m=243 msg="eriti" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp +id=emvele sn=isnost time="2018/01/27 05:21:06" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped +sit id=rumSect sn=ita time="2018/02/10 12:23:41" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E +oremag id=illu sn=ruredo time="2018/02/24 19:26:15" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore +id=onu sn=liquaUte time="2018/03/11 02:28:49" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication +id=mveniamq sn=taedict time="2018-3-25 9:31:24" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu 
note="aaliq" fw_action="allow" +id=uiinea sn=mnisiut time="2018/04/08 16:33:58" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 +id=mve sn=uia time="2018/04/22 23:36:32" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout +id=doei sn=cipitl time="2018/05/07 06:39:06" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 +ipsa id=asuntexp sn=adminim time="2018/05/21 13:41:41" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable +id=iumt sn=tsed time="2018/06/04 20:44:15" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out +id=loremag sn=tcu time="2018/06/19 03:46:49" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 +elillum id=upt sn=rnat time="2018/07/03 10:49:23" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped +doeiu id=deF sn=itempo time="2018/07/17 17:51:58" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" +BCS id=qui sn=ugiatquo time="2018/08/01 00:54:32" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN +id=vol sn=admi time="2018/08/15 07:57:06" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 +id=olorem sn=gitse time="2018/08/29 14:59:40" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" +id=gna sn=isiutali time="2018/09/12 22:02:15" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed +id=uaturve sn=amquisno time="2018/09/27 05:04:49" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 +id=atu sn=iusm time="2018/10/11 12:07:23" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo 
src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 +id=oin sn=itseddoe time="2018/10/25 19:09:57" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. +id=giatquov sn=olu time="2018/11/09 02:12:32" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. +emagn id=emulla sn=mips time="2018/11/23 09:15:06" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out +id=itametc sn=ori time="2018/12/07 16:17:40" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle +id=doconse sn=etdol time="2018/12/21 23:20:14" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 +id=min sn=oluptat time="2019/01/05 06:22:49" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 +id=eacommo sn=ueip time="2019/01/19 13:25:23" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon +usm id=labori sn=porai time="2019/02/02 20:27:57" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked +id=lup sn=upta time="2019-2-17 3:30:32" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" +id=mmod sn=iti time="2019/03/03 10:33:06" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked +id=mag sn=gelitse time="2019/03/17 17:35:40" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 +id=nostrud sn=cteturad time="2019/04/01 00:38:14" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F +oluptate id=lit sn=santi time="2019/04/15 07:40:49" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar +id=vol sn=psumd time="2019/04/29 14:43:23" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 +enbyCi id=reetdo sn=tat 
time="2019/05/13 21:45:57" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). +id=iamqui sn=tassita time="2019/05/28 04:48:31" fw=10.7.47.118 pri=medium c=piscing m=712 msg="allow" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129 +inesciu id=quid sn=atcupid time="2019/06/11 11:51:06" fw=10.29.5.115 pri=very-high c=ate m=670 msg="con" sess=tqu n=eirur +hite id=ianonnum sn=nofdeFi time="2019/06/25 18:53:40" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup +id=arch sn=lite time="2019/07/10 01:56:14" fw=10.25.118.123 pri=high c=borumSec m=931 msg="aecatcup" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 +id=rumSecti sn=Utenima time="2019-7-24 8:58:48" fw=10.74.166.70 pri=very-high c=olor m=1086 msg="radip" n=rchitect fw_action="deny" +id=amquisno sn=modoc time="2019/08/07 16:01:23" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded +id=Bonorum sn=lesti time="2019/08/21 23:03:57" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked +uuntur id=tsedquia sn=its time="2019/09/05 06:06:31" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent +id=tatevel sn=midestl time="2019/09/19 13:09:05" fw=10.222.197.130 pri=medium c=ulapa m=713 msg="block" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342 +id=hilmole sn=sequ time="2019/10/03 20:11:40" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination +umtota id=etdolore sn=magnaa time="2019/10/18 03:14:14" fw=10.209.34.197 pri=very-high c=tes m=766 msg="equam" n=isi +id=rep sn=remap time="2019/11/01 10:16:48" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN +id=nesciun sn=amcolab time="2019/11/15 17:19:22" fw=10.142.7.145 pri=low c=iuta m=373 msg="deny" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745 +onorumet id=ptatema sn=eavolup time="2019/11/30 00:21:57" fw=10.57.41.35 pri=medium c=tno m=76 Ripper Attack Dropped 
+id=taspe sn=lum time="2019/12/14 07:24:31" fw=10.15.234.228 pri=very-high c=msequ m=msg msg="nvol" src=10.83.134.38 dst=10.204.178.19 success
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
new file mode 100644
index 00000000000..e63bdc32b2f
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
@@ -0,0 +1,2261 @@ +[ + { + "destination.nat.ip": "10.49.111.67", + "destination.nat.port": 884, + "event.code": "914", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "idi id=pexe sn=nes time=\"2016/01/29 06:09:59\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", + "fileset.name": "firewall", + "host.hostname": "oreetdol1714.internal.corp", + "host.name": "nostrud4819.mail.test", + "input.type": "log", + "log.offset": 0, + "log.original": "lupt", + "observer.egress.interface.name": "eth3598", + "observer.ingress.interface.name": "eth7178", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.92.136.230", + "10.49.111.67" + ], + "rsa.internal.messageid": "914", + "rsa.internal.msg": "lupt", + "rsa.network.dinterface": "eth3598", + "rsa.network.sinterface": "eth7178", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "sonicwall", + "source.address": "oreetdol1714.internal.corp", + "source.nat.ip": "10.92.136.230", + "source.nat.port": 6437, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=umexe sn=estlabo time=\"2016/02/12 13:12:33\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 212, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.227.15.1" + ], + "destination.mac": "01:00:5e:f7:a9:ff", + "destination.port": 410, + "event.action": "allow", + "event.code": "alo", + "event.dataset": "sonicwall.firewall", + 
"event.module": "sonicwall", + "event.original": "id=alo sn=eosquir time=\"2016-2-26 8:15:08\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", + "fileset.name": "firewall", + "host.ip": "10.149.203.46", + "input.type": "log", + "log.level": "medium", + "log.offset": 319, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth1977", + "observer.ingress.interface.name": "eth6183", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.227.15.1", + "10.149.203.46", + "10.150.156.22" + ], + "rsa.internal.event_desc": "ctetur", + "rsa.internal.messageid": "1369", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "mwritten", + "rsa.misc.reference_id": "alo", + "rsa.misc.serial_number": "eosquir", + "rsa.misc.severity": "medium", + "rsa.network.dinterface": "eth1977", + "rsa.network.sinterface": "eth6183", + "rsa.time.date": "2016-2-26", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.150.156.22" + ], + "source.mac": "01:00:5e:84:66:6c", + "source.port": 6378, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "127", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emape id=aer sn=lupt time=\"2016/03/12 03:17:42\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 566, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "127", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "170", + "event.dataset": "sonicwall.firewall", + 
"event.module": "sonicwall", + "event.original": "id=consec sn=taliquip time=\"2016/03/26 10:20:16\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 674, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "170", + "rsa.time.date": "2016/03/26", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tconsec sn=nsequat time=\"2016/04/09 17:22:51\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 815, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "176", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "llamcorp id=ari sn=eataevit time=\"2016/04/24 00:25:25\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 965, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "176", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "50", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/08 07:27:59\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode 
failure", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1105, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=aali sn=ametcons time=\"2016/05/22 14:30:33\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1228, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "15", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "orsitame id=quiratio sn=ite time=\"2016/06/05 21:33:08\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1355, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "15", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "70", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=usan sn=aper time=\"2016/06/20 04:35:42\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1472, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "70", + "rsa.time.date": "2016/06/20", + "rsa.time.event_time": 
"2016-06-20T06:35:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "129", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=atquovo sn=iumto time=\"2016/07/04 11:38:16\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1584, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "129", + "rsa.time.date": "2016/07/04", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "1149", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=undeo sn=loremip time=\"2016-7-18 6:40:50\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1690, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "idolore", + "rsa.internal.messageid": "1149", + "rsa.misc.action": [ + "cancel" + ], + "rsa.time.date": "2016-7-18", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rveli sn=rsint time=\"2016/08/02 01:43:25\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1818, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": 
"sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=qua sn=luptatev time=\"2016/08/16 08:45:59\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1947, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tatiset sn=eprehen time=\"2016/08/30 15:48:33\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2061, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=aliq sn=rsitam time=\"2016/09/13 22:51:07\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2206, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=itecto sn=erc time=\"2016/09/28 05:53:42\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", + "fileset.name": 
"firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2401, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tat sn=tion time=\"2016/10/12 12:56:16\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2508, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.239.201.234" + ], + "event.code": "87", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nidolo sn=tatn time=\"2016/10/26 19:58:50\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2670, + "log.original": "Loremip", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.204.11.20", + "10.239.201.234" + ], + "rsa.internal.messageid": "87", + "rsa.internal.msg": "Loremip", + "rsa.time.date": "2016/10/26", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.204.11.20" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=idex sn=xerci time=\"2016/11/10 03:01:24\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib ", + 
"fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2817, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ari sn=exercit time=\"2016/11/24 10:03:59\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2976, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "104", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=serunt sn=aquaeabi time=\"2016/12/08 17:06:33\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3109, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "104", + "rsa.time.date": "2016/12/08", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "156", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=veniamq sn=one time=\"2016/12/23 00:09:07\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3238, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "156", + "rsa.time.date": "2016/12/23", + 
"rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tin sn=tenima time=\"2017/01/06 07:11:41\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3371, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=equat sn=derit time=\"2017/01/20 14:14:16\" fw=10.90.86.89 pri=medium c=labor m=867 msg=\"didunt\" sess=uptatema n=intocc ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3494, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "129", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "eporr id=xeacomm sn=mveleu time=\"2017/02/03 21:16:50\" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3618, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "129", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "113", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nisi sn=dant 
time=\"2017/02/18 04:19:24\" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3733, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "113", + "rsa.time.date": "2017/02/18", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.237.163.139" + ], + "destination.port": 4402, + "event.code": "882", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=quidolor sn=tessec time=\"2017/03/04 11:21:59\" fw=10.135.160.125 pri=low c=icabo m=882 msg=\"itatio\" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3868, + "log.original": "itatio", + "network.protocol": "igmp", + "observer.egress.interface.name": "eth1612", + "observer.ingress.interface.name": "enp0s6614", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.135.187.104", + "10.237.163.139" + ], + "rsa.internal.messageid": "882", + "rsa.internal.msg": "itatio", + "rsa.network.dinterface": "eth1612", + "rsa.network.sinterface": "enp0s6614", + "rsa.time.date": "2017/03/04", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.135.187.104" + ], + "source.port": 7557, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Nequepor sn=ali time=\"2017/03/18 18:24:33\" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4053, + 
"observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.248.101.25" + ], + "event.code": "372", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ehen sn=tate time=\"2017/04/02 01:27:07\" fw=10.140.167.6 pri=low c=stquido m=372 msg=\"ommodico\" n=ptas src=10.60.129.15 dst=10.248.101.25", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4155, + "log.original": "ommodico", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.248.101.25", + "10.60.129.15" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "ommodico", + "rsa.time.date": "2017/04/02", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.60.129.15" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Nequepo sn=ipsumd time=\"2017/04/16 08:29:41\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4295, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=reetdolo sn=smo time=\"2017/04/30 15:32:16\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4418, + "observer.product": "Firewalls", + 
"observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "76", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "santiumd id=turadip sn=uatD time=\"2017/05/14 22:34:50\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4563, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "76", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=volu sn=nonn time=\"2017/05/29 05:37:24\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4676, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=sBon sn=orro time=\"2017/06/12 12:39:58\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4796, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.nat.ip": "10.101.74.44", + "destination.nat.port": 2134, + "event.code": "998", + "event.dataset": 
"sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "amvo id=qui sn=tasn time=\"2017/06/26 19:42:33\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4977, + "log.original": "utp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.251.20.13", + "10.101.74.44" + ], + "rsa.internal.event_desc": "quin", + "rsa.internal.messageid": "998", + "rsa.internal.msg": "utp", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.251.20.13", + "source.nat.port": 264, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": [ + "rsitv" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tvolupt sn=eufugi time=\"2017/07/11 02:45:07\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5148, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "40", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "temqu id=ovol sn=ptasn time=\"2017/07/25 09:47:41\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5264, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "40", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "163", + 
"event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=pid sn=illoin time=\"2017/08/08 16:50:15\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5379, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "163", + "rsa.time.date": "2017/08/08", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "147", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mestq sn=temUt time=\"2017/08/22 23:52:50\" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5506, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "147", + "rsa.time.date": "2017/08/22", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=adeser sn=oin time=\"2017/09/06 06:55:24\" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg=\"quam\" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5657, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "34", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "reetdol id=totamre 
sn=isnostr time=\"2017/09/20 13:57:58\" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5832, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.216.125.252" + ], + "event.code": "402", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "psaquaea id=taevita sn=ameiusm time=\"2017/10/04 21:00:32\" fw=10.227.15.253 pri=high c=piscinge m=402 msg=\"tvol\" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5959, + "log.original": "tvol", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.54.14.189", + "10.216.125.252" + ], + "rsa.internal.messageid": "402", + "rsa.internal.msg": "tvol", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.54.14.189" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.address": "ise5905.www.local", + "destination.nat.ip": "10.53.113.23", + "destination.nat.port": 4027, + "event.code": "1154", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "elitse id=ima sn=quasia time=\"2017/10/19 04:03:07\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "fileset.name": "firewall", + "host.hostname": "tiaec5551.www.local", + "input.type": "log", + "log.offset": 6132, + "log.original": "mac", + 
"observer.egress.interface.name": "lo1918", + "observer.ingress.interface.name": "eth5313", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.53.113.23", + "10.97.124.211" + ], + "rsa.identity.user_sid_dst": "iumdol", + "rsa.internal.messageid": "1154", + "rsa.internal.msg": "mac", + "rsa.network.dinterface": "lo1918", + "rsa.network.host_dst": "ise5905.www.local", + "rsa.network.sinterface": "eth5313", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "sonicwall", + "source.address": "tiaec5551.www.local", + "source.nat.ip": "10.97.124.211", + "source.nat.port": 6198, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=asiarc sn=ian time=\"2017/11/02 11:05:41\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6380, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.64.229.79" + ], + "destination.port": 3620, + "event.code": "83", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=intocc sn=amcorp time=\"2017/11/16 18:08:15\" fw=10.57.57.241 pri=low c=litani m=83 msg=\"utodita\" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note=\"tiaec\" npcs=rumwrit", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6504, + "log.original": "utodita", + "observer.egress.interface.name": "eth41", + "observer.ingress.interface.name": "eth2003", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.64.229.79", 
+ "10.187.201.250" + ], + "rsa.db.index": "rumwrit", + "rsa.internal.messageid": "83", + "rsa.internal.msg": "utodita", + "rsa.network.dinterface": "eth41", + "rsa.network.sinterface": "eth2003", + "rsa.time.date": "2017/11/16", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.187.201.250" + ], + "source.port": 5504, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=gna sn=con time=\"2017/12/01 01:10:49\" fw=10.11.44.250 pri=high c=etMal m=931 msg=\"qua\" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6705, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "11", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "rem id=asper sn=idunt time=\"2017/12/15 08:13:24\" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6852, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "11", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uisaute sn=imide time=\"2017/12/29 15:15:58\" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6995, + "observer.product": 
"Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.nat.ip": "10.31.190.145", + "destination.nat.port": 3333, + "event.code": "243", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ilmol sn=eri time=\"2018/01/12 22:18:32\" fw=10.154.53.249 pri=low c=mquae m=243 msg=\"eriti\" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7132, + "log.original": "eriti", + "network.protocol": "icmp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.31.190.145", + "10.147.88.219" + ], + "rsa.internal.messageid": "243", + "rsa.internal.msg": "eriti", + "rsa.time.date": "2018/01/12", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.147.88.219", + "source.nat.port": 7595, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": [ + "corpori" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=emvele sn=isnost time=\"2018/01/27 05:21:06\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7305, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "61", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "sit id=rumSect sn=ita time=\"2018/02/10 12:23:41\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7420, 
+ "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "61", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "906", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "oremag id=illu sn=ruredo time=\"2018/02/24 19:26:15\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7525, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "906", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "134", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=onu sn=liquaUte time=\"2018/03/11 02:28:49\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7643, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "134", + "rsa.time.date": "2018/03/11", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "mveniamq", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mveniamq sn=taedict time=\"2018-3-25 9:31:24\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", + "fileset.name": "firewall", + "host.ip": "10.206.69.135", + "input.type": "log", + "log.level": "high", + "log.offset": 7765, + 
"observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.206.69.135" + ], + "rsa.db.index": "aaliq", + "rsa.internal.event_desc": "utfug", + "rsa.internal.messageid": "880", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aturve", + "rsa.misc.reference_id": "mveniamq", + "rsa.misc.serial_number": "taedict", + "rsa.misc.severity": "high", + "rsa.time.date": "2018-3-25", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uiinea sn=mnisiut time=\"2018/04/08 16:33:58\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80 ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 7906, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "163", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mve sn=uia time=\"2018/04/22 23:36:32\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8052, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "163", + "rsa.time.date": "2018/04/22", + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=doei sn=cipitl time=\"2018/05/07 06:39:06\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" 
n=asnu src=10.102.166.19 dst=10.104.49.142", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8178, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "88", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/05/21 13:41:41\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8329, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "88", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=iumt sn=tsed time=\"2018/06/04 20:44:15\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8469, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=loremag sn=tcu time=\"2018/06/19 03:46:49\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 8578, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + 
"service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "48", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "elillum id=upt sn=rnat time=\"2018/07/03 10:49:23\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8755, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "48", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.nat.ip": "10.191.242.168", + "destination.nat.port": 5251, + "event.code": "995", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "doeiu id=deF sn=itempo time=\"2018/07/17 17:51:58\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8878, + "log.original": "isci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.191.242.168", + "10.165.48.224" + ], + "rsa.internal.event_desc": "equep", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "isci", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.165.48.224", + "source.nat.port": 5386, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "909", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "BCS id=qui sn=ugiatquo time=\"2018/08/01 00:54:32\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9053, + 
"observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "909", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=vol sn=admi time=\"2018/08/15 07:57:06\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9170, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=olorem sn=gitse time=\"2018/08/29 14:59:40\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9318, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "137", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=gna sn=isiutali time=\"2018/09/12 22:02:15\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9490, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "137", + "rsa.time.date": "2018/09/12", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "sonicwall", + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.195.223.82" + ], + "event.code": "351", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uaturve sn=amquisno time=\"2018/09/27 05:04:49\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9595, + "log.original": "CSe", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.135.70.159", + "10.195.223.82" + ], + "rsa.internal.messageid": "351", + "rsa.internal.msg": "CSe", + "rsa.time.date": "2018/09/27", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.135.70.159" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "261", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=atu sn=iusm time=\"2018/10/11 12:07:23\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9743, + "log.original": "rsitvolu", + "observer.ingress.interface.name": "eth3249", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.22.244.71" + ], + "rsa.internal.messageid": "261", + "rsa.internal.msg": "rsitvolu", + "rsa.network.sinterface": "eth3249", + "rsa.time.date": "2018/10/11", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.22.244.71" + ], + "source.port": 1865, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": [ + "usmo" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=oin sn=itseddoe time=\"2018/10/25 
19:09:57\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9910, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=giatquov sn=olu time=\"2018/11/09 02:12:32\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10016, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "34", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emagn id=emulla sn=mips time=\"2018/11/23 09:15:06\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10130, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=itametc sn=ori time=\"2018/12/07 16:17:40\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10250, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "658", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=doconse sn=etdol time=\"2018/12/21 23:20:14\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10375, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "658", + "rsa.time.date": "2018/12/21", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.117.63.181" + ], + "destination.port": 6863, + "event.code": "195", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=min sn=oluptat time=\"2019/01/05 06:22:49\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10527, + "log.original": "magnaal", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.222.169.140", + "10.117.63.181" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "magnaal", + "rsa.time.date": "2019/01/05", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.222.169.140" + ], + "source.port": 5299, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=eacommo sn=ueip time=\"2019/01/19 13:25:23\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon ", + "fileset.name": 
"firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10707, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "60", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "usm id=labori sn=porai time=\"2019/02/02 20:27:57\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10824, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "60", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.200.122.184" + ], + "destination.port": 1176, + "event.action": "allow", + "event.code": "794", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=lup sn=upta time=\"2019-2-17 3:30:32\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10943, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth5397", + "observer.ingress.interface.name": "lo1325", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.57.255.4", + "10.200.122.184" + ], + "rsa.identity.user_sid_dst": "sBon", + "rsa.internal.event_desc": "fic", + "rsa.internal.messageid": "794", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.dinterface": "eth5397", + "rsa.network.sinterface": "lo1325", + "rsa.time.date": "2019-2-17", + 
"rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.57.255.4" + ], + "source.port": 239, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "19", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mmod sn=iti time=\"2019/03/03 10:33:06\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11195, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "19", + "rsa.time.date": "2019/03/03", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mag sn=gelitse time=\"2019/03/17 17:35:40\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 11287, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "159", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nostrud sn=cteturad time=\"2019/04/01 00:38:14\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11440, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "159", + "rsa.time.date": "2019/04/01", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + 
"event.code": "1079", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "oluptate id=lit sn=santi time=\"2019/04/15 07:40:49\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", + "fileset.name": "firewall", + "host.ip": "10.221.220.148", + "input.type": "log", + "log.offset": 11550, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.221.220.148" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": "", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": [ + "amc" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=vol sn=psumd time=\"2019/04/29 14:43:23\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 11698, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "101", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "enbyCi id=reetdo sn=tat time=\"2019/05/13 21:45:57\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11838, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "101", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.29.120.226" + ], + "destination.port": 1129, + 
"event.action": "allow", + "event.code": "712", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=iamqui sn=tassita time=\"2019/05/28 04:48:31\" fw=10.7.47.118 pri=medium c=piscing m=712 msg=\"allow\" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11967, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.203.146.137", + "10.29.120.226" + ], + "rsa.internal.messageid": "712", + "rsa.misc.action": [ + "allow" + ], + "rsa.time.date": "2019/05/28", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.203.146.137" + ], + "source.port": 4213, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "670", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "inesciu id=quid sn=atcupid time=\"2019/06/11 11:51:06\" fw=10.29.5.115 pri=very-high c=ate m=670 msg=\"con\" sess=tqu n=eirur", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12122, + "log.original": "con", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "670", + "rsa.internal.msg": "con", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "151", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "hite id=ianonnum sn=nofdeFi time=\"2019/06/25 18:53:40\" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12245, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "151", + 
"rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=arch sn=lite time=\"2019/07/10 01:56:14\" fw=10.25.118.123 pri=high c=borumSec m=931 msg=\"aecatcup\" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 12379, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "1086", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rumSecti sn=Utenima time=\"2019-7-24 8:58:48\" fw=10.74.166.70 pri=very-high c=olor m=1086 msg=\"radip\" n=rchitect fw_action=\"deny\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12540, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "radip", + "rsa.internal.messageid": "1086", + "rsa.misc.action": [ + "deny" + ], + "rsa.time.date": "2019-7-24", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "8", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=amquisno sn=modoc time=\"2019/08/07 16:01:23\" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12672, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "8", + "rsa.time.date": "2019/08/07", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + 
"service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "60", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Bonorum sn=lesti time=\"2019/08/21 23:03:57\" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12779, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "60", + "rsa.time.date": "2019/08/21", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "47", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "uuntur id=tsedquia sn=its time=\"2019/09/05 06:06:31\" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12895, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "47", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tatevel sn=midestl time=\"2019/09/19 13:09:05\" fw=10.222.197.130 pri=medium c=ulapa m=713 msg=\"block\" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13011, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "91", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": 
"id=hilmole sn=sequ time=\"2019/10/03 20:11:40\" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13171, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "91", + "rsa.time.date": "2019/10/03", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "766", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "umtota id=etdolore sn=magnaa time=\"2019/10/18 03:14:14\" fw=10.209.34.197 pri=very-high c=tes m=766 msg=\"equam\" n=isi ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13290, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "766", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rep sn=remap time=\"2019/11/01 10:16:48\" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13409, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nesciun sn=amcolab time=\"2019/11/15 17:19:22\" fw=10.142.7.145 pri=low c=iuta m=373 msg=\"deny\" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745", 
+ "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 13587, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "event.code": "76", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "onorumet id=ptatema sn=eavolup time=\"2019/11/30 00:21:57\" fw=10.57.41.35 pri=medium c=tno m=76 Ripper Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13739, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "76", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "destination.nat.ip": "10.204.178.19", + "event.code": "msg", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=taspe sn=lum time=\"2019/12/14 07:24:31\" fw=10.15.234.228 pri=very-high c=msequ m=msg msg=\"nvol\" src=10.83.134.38 dst=10.204.178.19 success", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13857, + "log.original": "nvol", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.204.178.19", + "10.83.134.38" + ], + "rsa.internal.messageid": "msg", + "rsa.internal.msg": "nvol", + "rsa.misc.result": "success", + "rsa.time.date": "2019/12/14", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.83.134.38", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md new file mode 100644 index 00000000000..030a795e97b --- /dev/null 
+++ b/x-pack/filebeat/module/squid/README.md @@ -0,0 +1,7 @@ +# squid module + +This is a module for Squid logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 +at 2020-07-07 18:10:50.306455 +0000 UTC. + diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml new file mode 100644 index 00000000000..e3d681dac2a --- /dev/null +++ b/x-pack/filebeat/module/squid/_meta/config.yml @@ -0,0 +1,19 @@ +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc new file mode 100644 index 00000000000..798af71b303 --- /dev/null +++ b/x-pack/filebeat/module/squid/_meta/docs.asciidoc 
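Review bot: The `_meta/config.yml` template in this hunk omits `var.keep_raw_fields`, although the accompanying `docs.asciidoc` documents it as a `log` fileset setting alongside `var.rsa_fields`, so users reading only the generated `filebeat.yml` reference will not discover it; add a commented pair after the `var.rsa_fields` block, e.g. `# Toggle output of raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false`. Since the template is presumably generated by the same RSA-to-Filebeat tooling as the other new filesets, the omission may need fixing in the generator rather than only here. The comment for `var.syslog_host` would also benefit from stating that any non-loopback value (the docs mention `0.0.0.0`) exposes an unauthenticated syslog listener, so operators choosing udp/tcp know to restrict it at the network layer.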
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: squid +:has-dashboards: false + +== Squid module + +experimental[] + +This is a module for receiving Squid logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9520` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/squid/_meta/fields.yml b/x-pack/filebeat/module/squid/_meta/fields.yml new file mode 100644 index 00000000000..6268a29d8d9 --- /dev/null +++ b/x-pack/filebeat/module/squid/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: squid + title: Squid + description: > + squid fields. + fields: 
diff --git a/x-pack/filebeat/module/squid/fields.go b/x-pack/filebeat/module/squid/fields.go new file mode 100644 index 00000000000..fec01b372a7 --- /dev/null +++ b/x-pack/filebeat/module/squid/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package squid + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "squid", asset.ModuleFieldsPri, AssetSquid); err != nil { + panic(err) + } +} + +// AssetSquid returns asset data. +// This is the base64 encoded gzipped contents of module/squid. +func AssetSquid() string { + return "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" +} diff --git a/x-pack/filebeat/module/squid/log/_meta/fields.yml b/x-pack/filebeat/module/squid/log/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml new file mode 100644 index 00000000000..ac392325320 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Squid"
+ product: "Proxy"
+ type: "Proxies"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/squid/log/config/liblogparser.js
+ - ${path.home}/module/squid/log/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js
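Review bot: The `debug: {{.debug}}` parameter handed to the script processor is undocumented in this template, and the liblogparser.js it loads (following hunk) uses that flag to emit every dissect attempt's full raw input via `console.debug(" input: <<" + msg + ">>")`, so enabling it duplicates each proxy access-log line — URLs and any query-string tokens included — into Filebeat's own log output. A one-line YAML comment above that parameter would make the operational cost visible to whoever flips it, e.g. `# debug: logs every raw message through the Beat logger; leave disabled outside troubleshooting`. The same kind of note is worth adding for `keep_raw: {{.keep_raw_fields}}`, which presumably retains the unparsed message in the published event, though that behaviour is not visible in this chunk.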
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} 
%{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + 
dup10, + dup14, + dup12, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport}[%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hsaddr"), + constant(" "), + field("hsport"), + constant("["), + field("fld20"), + constant(" "), + field("fld21"), + constant("] \""), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_time_string"), + constant(" "), + field("hduration"), + constant(" "), + field("hsaddr"), + constant(" "), + field("haction"), + constant("/"), + field("hresultcode"), + constant(" "), + field("hsbytes"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("GET", dup15); + +var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var msg2 = msg("GET:02", part1); + +var msg3 = msg("GET:01", dup16); + +var select2 = linear_select([ + msg1, + msg2, + msg3, +]); + +var msg4 = msg("HEAD", dup15); + +var msg5 = msg("HEAD:01", dup16); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var msg6 = msg("POST", dup17); + +var msg7 = msg("POST:01", dup18); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("PUT", dup19); + +var msg9 = msg("PUT:01", 
dup20); + +var select5 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("DELETE", dup19); + +var msg11 = msg("DELETE:01", dup20); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var msg12 = msg("TRACE", dup19); + +var msg13 = msg("TRACE:01", dup20); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("OPTIONS", dup19); + +var msg15 = msg("OPTIONS:01", dup20); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var msg16 = msg("CONNECT", dup17); + +var msg17 = msg("CONNECT:01", dup18); + +var select9 = linear_select([ + msg16, + msg17, +]); + +var msg18 = msg("ICP_QUERY", dup19); + +var msg19 = msg("ICP_QUERY:01", dup20); + +var select10 = linear_select([ + msg18, + msg19, +]); + +var msg20 = msg("PURGE", dup19); + +var msg21 = msg("PURGE:01", dup20); + +var select11 = linear_select([ + msg20, + msg21, +]); + +var msg22 = msg("PROPFIND", dup19); + +var msg23 = msg("PROPFIND:01", dup20); + +var select12 = linear_select([ + msg22, + msg23, +]); + +var msg24 = msg("PROPATCH", dup19); + +var msg25 = msg("PROPATCH:01", dup20); + +var select13 = linear_select([ + msg24, + msg25, +]); + +var msg26 = msg("MKOL", dup19); + +var msg27 = msg("MKOL:01", dup20); + +var select14 = linear_select([ + msg26, + msg27, +]); + +var msg28 = msg("COPY", dup19); + +var msg29 = msg("COPY:01", dup20); + +var select15 = linear_select([ + msg28, + msg29, +]); + +var msg30 = msg("MOVE", dup19); + +var msg31 = msg("MOVE:01", dup20); + +var select16 = linear_select([ + msg30, + msg31, +]); + +var msg32 = msg("LOCK", dup19); + +var msg33 = msg("LOCK:01", dup20); + +var select17 = linear_select([ + msg32, + msg33, +]); + +var msg34 = msg("UNLOCK", dup19); + +var msg35 = msg("UNLOCK:01", dup20); + +var select18 = linear_select([ + msg34, + msg35, +]); + +var msg36 = msg("NONE", dup19); + +var msg37 = msg("NONE:01", dup20); + +var select19 = linear_select([ + msg36, + msg37, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + 
"CONNECT": select9, + "COPY": select15, + "DELETE": select6, + "GET": select2, + "HEAD": select3, + "ICP_QUERY": select10, + "LOCK": select17, + "MKOL": select14, + "MOVE": select16, + "NONE": select19, + "OPTIONS": select8, + "POST": select4, + "PROPATCH": select13, + "PROPFIND": select12, + "PURGE": select11, + "PUT": select5, + "TRACE": select7, + "UNLOCK": select18, + }), +]); + +var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} 
%{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
+ dup1,
+ dup5,
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ dup11,
+ dup12,
+]));
+
+var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([
+ dup1,
+ dup13,
+ dup8,
+ dup9,
+ dup10,
+ dup14,
+ dup12,
+]));
diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
new file mode 100644
index 00000000000..caeba41fcbc
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Squid
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/squid/log/manifest.yml b/x-pack/filebeat/module/squid/log/manifest.yml
new file mode 100644
index 00000000000..8ae24b8f147
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/manifest.yml
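Review bot: The `on_failure` handler at the end of the hunk records only `_ingest.on_failure_message`, so when one of the geoip, user_agent or rename processors fails the indexed event says what went wrong but not which processor, which slows down triage of enrichment gaps such as a missing `source.geo` or `source.as`. A second `append` to `error.message` with `value: "{{ _ingest.on_failure_processor_type }}"` would name the failing processor at no cost. The `# User agent` comment could also state that `user_agent.original` is client-supplied text taken verbatim from the access log, so a reader knows why parsing it is kept inside the `on_failure` scope rather than allowed to reject the document.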
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["squid.log", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9520
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log b/x-pack/filebeat/module/squid/log/test/access1.log
new file mode 100644
index 00000000000..cb21bd0fc0b
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/test/access1.log
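Review bot: None of the `var` entries in this manifest carry a comment, so `tz_offset`, `rsa_fields`, `keep_raw_fields` and `community_id` are undocumented at the one place an operator sets them; the script that presumably consumes them (`tz_offset`, `keep_raw`, `map_rsa` in the pipeline-script hunk earlier in this diff) is not where a user will look, and `config/input.yml` is not in this diff. A one-line comment per non-obvious var would fix that, e.g. above `- name: tz_offset`: `# Timezone offset used when parsing log timestamps; "event" takes it from event.timezone — confirm the meaning of "local" against the consuming script before committing the wording.` and above `- name: syslog_host`: `# Bind address for the syslog listener; UDP syslog carries no sender authentication, so keep this on loopback or a dedicated collection interface.` The `default: 9520` port and `default: udp` transport would benefit from the same treatment if they follow a convention shared with other modules.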
@@ -0,0 +1,100 @@ +1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html +1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 - +1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css +1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript +1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html +1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif +1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 - +1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 - +1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 - +1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif +1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html +1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 - +1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html +1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html +1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif +1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 - +1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 - +1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html +1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 - +1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif +1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html +1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html +1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html +1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css +1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html +1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css +1157689347.307 116 
10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css +1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html +1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css +1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? adeolaegbedokun DIRECT/68.142.194.14 text/html +1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml +1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html +1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.231.252 text/xml +1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml +1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html +1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html +1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html +1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html +1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif +1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif +1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif +1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml +1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif +1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg +1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg +1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg +1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml +1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml +1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? - NONE/- text/html +1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html +1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg +1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash +1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif +1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? adeolaegbedokun DIRECT/68.142.194.14 image/gif +1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 - +1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript +1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css +1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif +1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 - +1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif +1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif +1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET 
http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif +1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif +1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif +1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html +1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html +1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif +1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html +1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html +1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript +1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css +1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript +1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript +1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript +1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json new file mode 100644 index 00000000000..180c68da6ae --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json 
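Review bot: The fixture carries what look like real account names (`badeyek`, `adeolaegbedokun`, `nazsoau`) together with client addresses and full request URLs, and each line is also echoed verbatim into `event.original` in the expected output. If these identifiers are not synthetic, replace the user column with obviously fake names before merging; if the sample comes from a public dataset, record its origin in the commit message or a sibling README so reviewers do not have to guess.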
@@ -0,0 +1,5610 @@ +[ + { + "@timestamp": "2006-09-08T04:21:52.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "209.73.177.115" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 5006, + "rsa.time.event_time": "2006-09-08T04:21:52.000Z", + "rsa.time.event_time_str": "1157689312", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 19763, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:00.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + 
"destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 115, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 2864, + "rsa.time.event_time": "2006-09-08T04:22:00.000Z", + "rsa.time.event_time_str": "1157689320", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 10182, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:00.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + 
"207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", + "fileset.name": "log", + "http.response.body.content": "styles.css", + "input.type": "log", + "log.offset": 240, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1357, + "rsa.time.event_time": "2006-09-08T04:22:00.000Z", + "rsa.time.event_time_str": "1157689320", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/styles.css", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:01.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", + "fileset.name": "log", + "http.response.body.content": "styles.css", + "input.type": "log", + "log.offset": 372, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + 
"rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:01.000Z", + "rsa.time.event_time_str": "1157689321", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1464, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/styles.css", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:02.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", + "fileset.name": "log", + "http.response.body.content": "urchin.js", + "input.type": "log", + "log.offset": 490, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "text/javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google-analytics.com", + "rsa.time.duration_time": 1464, + "rsa.time.event_time": "2006-09-08T04:22:02.000Z", + "rsa.time.event_time_str": "1157689322", + "rsa.web.alias_host": "www.google-analytics.com", + "server.domain": "www.google-analytics.com", + 
"service.type": "squid", + "source.bytes": 5626, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google-analytics.com", + "url.original": "http://www.google-analytics.com/urchin.js", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:03.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 620, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 3856, + "rsa.time.event_time": "2006-09-08T04:22:03.000Z", + "rsa.time.event_time_str": "1157689323", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 30169, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + 
"url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "66.102.9.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif", + "fileset.name": "log", + "http.response.body.content": "__utm.gif", + "input.type": "log", + "log.offset": 745, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "66.102.9.147", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google-analytics.com", + "rsa.time.duration_time": 1372, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.google-analytics.com", + "server.domain": "www.google-analytics.com", + "service.type": "squid", + "source.bytes": 399, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google-analytics.com", + "url.original": "http://www.google-analytics.com/__utm.gif?", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 30633, + 
"destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", + "fileset.name": "log", + "http.response.body.content": "newslogo.gif", + "input.type": "log", + "log.offset": 883, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1457, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 215, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/graphics/newslogo.gif", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + 
"destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", + "fileset.name": "log", + "http.response.body.content": "arsenal_shop_ad.jpg", + "input.type": "log", + "log.offset": 1026, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1465, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 215, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", + "fileset.name": "log", + "http.response.body.content": "FUS.gif", + "input.type": "log", + "log.offset": 1172, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1452, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FUS.gif", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif 
badeyek NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "FGB.gif", + "input.type": "log", + "log.offset": 1307, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 2, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1353, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FGB.gif", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "destination.as.number": 36351, + "destination.as.organization.name": "SoftLayer Technologies Inc.", + "destination.geo.city_name": "Dallas", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9379, + "destination.geo.location.lon": -96.8384, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": [ + "209.85.16.38" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? 
badeyek DIRECT/209.85.16.38 text/html", + "fileset.name": "log", + "http.response.body.content": "s", + "input.type": "log", + "log.offset": 1429, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "209.85.16.38" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "as.casalemedia.com", + "rsa.time.duration_time": 2603, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "as.casalemedia.com", + "server.domain": "as.casalemedia.com", + "service.type": "squid", + "source.bytes": 1013, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "as.casalemedia.com", + "url.original": "http://as.casalemedia.com/s?", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:06.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.213.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1554, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "68.142.213.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.bc.yahoo.com", + "rsa.time.duration_time": 4459, + "rsa.time.event_time": "2006-09-08T04:22:06.000Z", + "rsa.time.event_time_str": "1157689326", + "rsa.web.alias_host": "us.bc.yahoo.com", + "server.domain": "us.bc.yahoo.com", + "service.type": "squid", + "source.bytes": 1845, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.bc.yahoo.com", + "url.original": "us.bc.yahoo.com:443", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "destination.as.number": 1299, + "destination.as.organization.name": "Telia Company AB", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.location.lat": 59.3247, + "destination.geo.location.lon": 18.056, + "destination.ip": [ + "217.212.240.172" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", + "fileset.name": "log", + "http.response.body.content": "992098", + "input.type": "log", + "log.offset": 1668, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "217.212.240.172", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": 
"impgb.tradedoubler.com", + "rsa.time.duration_time": 1356, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "impgb.tradedoubler.com", + "server.domain": "impgb.tradedoubler.com", + "service.type": "squid", + "source.bytes": 729, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "impgb.tradedoubler.com", + "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "destination.as.number": 3549, + "destination.as.organization.name": "Level 3 Parent, LLC", + "destination.geo.city_name": "Los Angeles", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.0675, + "destination.geo.location.lon": -118.3521, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "206.169.136.22" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", + "fileset.name": "log", + "http.response.body.content": "text_group.php", + "input.type": "log", + "log.offset": 1820, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "206.169.136.22" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "4.adbrite.com", + "rsa.time.duration_time": 3484, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "4.adbrite.com", + "server.domain": "4.adbrite.com", + "service.type": "squid", + "source.bytes": 1577, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "4.adbrite.com", + "url.original": "http://4.adbrite.com/mb/text_group.php?", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "FFR.gif", + "input.type": "log", + "log.offset": 1958, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + 
"rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 9, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1353, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FFR.gif", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:09.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", + "fileset.name": "log", + "http.response.body.content": "FAU.gif", + "input.type": "log", + "log.offset": 2080, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + 
"rsa.time.duration_time": 1431, + "rsa.time.event_time": "2006-09-08T04:22:09.000Z", + "rsa.time.event_time_str": "1157689329", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FAU.gif", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:09.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", + "fileset.name": "log", + "http.response.body.content": "spacer.gif", + "input.type": "log", + "log.offset": 2215, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1414, + "rsa.time.event_time": 
"2006-09-08T04:22:09.000Z", + "rsa.time.event_time_str": "1157689329", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 213, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/graphics/spacer.gif", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:10.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "64.127.126.178" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", + "fileset.name": "log", + "http.response.body.content": "text_group.php", + "input.type": "log", + "log.offset": 2356, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "64.127.126.178", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "4.adbrite.com", + "rsa.time.duration_time": 1686, + "rsa.time.event_time": "2006-09-08T04:22:10.000Z", + "rsa.time.event_time_str": "1157689330", + "rsa.web.alias_host": "4.adbrite.com", + "server.domain": "4.adbrite.com", + "service.type": "squid", + "source.bytes": 1784, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"4.adbrite.com", + "url.original": "http://4.adbrite.com/mb/text_group.php?", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:11.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.161" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 -", + "fileset.name": "log", + "http.response.body.content": "image", + "input.type": "log", + "log.offset": 2494, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "213.160.98.161" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "302", + "rsa.network.domain": "ff.connextra.com", + "rsa.time.duration_time": 3997, + "rsa.time.event_time": "2006-09-08T04:22:11.000Z", + "rsa.time.event_time_str": "1157689331", + "rsa.web.alias_host": "ff.connextra.com", + "server.domain": "ff.connextra.com", + "service.type": "squid", + "source.bytes": 851, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "ff.connextra.com", + "url.original": "http://ff.connextra.com/Ladbrokes/selector/image?", + "user.name": [ + "badeyek" + 
] + }, + { + "@timestamp": "2006-09-08T04:22:15.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.160" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif", + "fileset.name": "log", + "http.response.body.content": "controller", + "input.type": "log", + "log.offset": 2633, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "213.160.98.160" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "dd.connextra.com", + "rsa.time.duration_time": 3962, + "rsa.time.event_time": "2006-09-08T04:22:15.000Z", + "rsa.time.event_time_str": "1157689335", + "rsa.web.alias_host": "dd.connextra.com", + "server.domain": "dd.connextra.com", + "service.type": "squid", + "source.bytes": 30904, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "dd.connextra.com", + "url.original": "http://dd.connextra.com/servlet/controller?", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:17.000Z", + "event.action": "TCP_DENIED", + 
"event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2776, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2006-09-08T04:22:17.000Z", + "rsa.time.event_time_str": "1157689337", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 1661, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:22.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2871, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + 
"10.105.21.199", + "209.73.177.115" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 3657, + "rsa.time.event_time": "2006-09-08T04:22:22.000Z", + "rsa.time.event_time_str": "1157689342", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 12569, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:23.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "msgrcli7.html", + "input.type": "log", + "log.offset": 2986, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "update.messenger.yahoo.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:23.000Z", + "rsa.time.event_time_str": "1157689343", + "rsa.web.alias_host": "update.messenger.yahoo.com", + "server.domain": "update.messenger.yahoo.com", 
+ "service.type": "squid", + "source.bytes": 1752, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "update.messenger.yahoo.com", + "url.original": "http://update.messenger.yahoo.com/msgrcli7.html", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:23.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3113, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1371, + "rsa.time.event_time": "2006-09-08T04:22:23.000Z", + "rsa.time.event_time_str": "1157689343", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 484, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + 
"@timestamp": "2006-09-08T04:22:24.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3256, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 4969, + "rsa.time.event_time": "2006-09-08T04:22:24.000Z", + "rsa.time.event_time_str": "1157689344", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 29359, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": [ + "nazsoau" + ] + }, + { + "@timestamp": "2006-09-08T04:22:24.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North 
America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", + "fileset.name": "log", + "http.response.body.content": "homepage.css", + "input.type": "log", + "log.offset": 3370, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 1631, + "rsa.time.event_time": "2006-09-08T04:22:24.000Z", + "rsa.time.event_time_str": "1157689344", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 5930, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/friend/styles/homepage.css", + "user.name": [ + "nazsoau" + ] + }, + { + "@timestamp": "2006-09-08T04:22:25.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + 
"216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3508, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1810, + "rsa.time.event_time": "2006-09-08T04:22:25.000Z", + "rsa.time.event_time_str": "1157689345", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 1645, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:26.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "read0600win_ENUadbe0000.xml", + "input.type": "log", + "log.offset": 3652, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.58" + ], + "rsa.internal.hcode": "NONE", + 
"rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "rms.adobe.com", + "rsa.time.duration_time": 880, + "rsa.time.event_time": "2006-09-08T04:22:26.000Z", + "rsa.time.event_time_str": "1157689346", + "rsa.web.alias_host": "rms.adobe.com", + "server.domain": "rms.adobe.com", + "service.type": "squid", + "source.bytes": 1812, + "source.ip": [ + "10.105.37.58" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "rms.adobe.com", + "url.original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", + "fileset.name": "log", + "http.response.body.content": "style.css", + "input.type": "log", + "log.offset": 3798, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "images.hi5.com", + "rsa.time.duration_time": 10, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "images.hi5.com", + "server.domain": "images.hi5.com", + "service.type": "squid", + 
"source.bytes": 217, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "images.hi5.com", + "url.original": "http://images.hi5.com/styles/style.css", + "user.name": [ + "nazsoau" + ] + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", + "fileset.name": "log", + "http.response.body.content": "buttons_en_us.css", + "input.type": "log", + "log.offset": 3921, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "images.hi5.com", + "rsa.time.duration_time": 116, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "images.hi5.com", + "server.domain": "images.hi5.com", + "service.type": "squid", + "source.bytes": 217, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "images.hi5.com", + "url.original": "http://images.hi5.com/friend/styles/buttons_en_us.css", + "user.name": [ + "nazsoau" + ] + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, 
+ "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4059, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 6160, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 27799, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": [ + "nazsoau" + ] + }, + { + "@timestamp": "2006-09-08T04:22:29.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + 
"event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", + "fileset.name": "log", + "http.response.body.content": "headernav.css", + "input.type": "log", + "log.offset": 4173, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 1758, + "rsa.time.event_time": "2006-09-08T04:22:29.000Z", + "rsa.time.event_time_str": "1157689349", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 4470, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/friend/styles/headernav.css", + "user.name": [ + "nazsoau" + ] + }, + { + "@timestamp": "2006-09-08T04:22:30.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": 
"log", + "input.type": "log", + "log.offset": 4312, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1393, + "rsa.time.event_time": "2006-09-08T04:22:30.000Z", + "rsa.time.event_time_str": "1157689350", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 382, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:33.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? 
adeolaegbedokun DIRECT/68.142.194.14 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4455, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.194.14", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 3667, + "rsa.time.event_time": "2006-09-08T04:22:33.000Z", + "rsa.time.event_time_str": "1157689353", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 24095, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:33.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "fileset.name": "log", + "http.response.body.content": "playmessenger.asp", + "input.type": "log", + "log.offset": 4592, + "observer.product": "Proxy", + "observer.type": 
"Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 4899, + "rsa.time.event_time": "2006-09-08T04:22:33.000Z", + "rsa.time.event_time_str": "1157689353", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 22964, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/playmessenger.asp", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:34.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4758, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1349, + "rsa.time.event_time": "2006-09-08T04:22:34.000Z", + "rsa.time.event_time_str": "1157689354", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 646, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:35.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.191.93.51" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? 
adeolaegbedokun DIRECT/209.191.93.51 text/xml", + "fileset.name": "log", + "http.response.body.content": "us", + "input.type": "log", + "log.offset": 4901, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "209.191.93.51" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "address.yahoo.com", + "rsa.time.duration_time": 1578, + "rsa.time.event_time": "2006-09-08T04:22:35.000Z", + "rsa.time.event_time_str": "1157689355", + "rsa.web.alias_host": "address.yahoo.com", + "server.domain": "address.yahoo.com", + "service.type": "squid", + "source.bytes": 699, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "address.yahoo.com", + "url.original": "http://address.yahoo.com/yab/us?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:36.000Z", + "destination.as.number": 36856, + "destination.as.organization.name": "Mozilla Corporation", + "destination.geo.city_name": "Sacramento", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.6415, + "destination.geo.location.lon": -121.5114, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "63.245.209.21" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", + "fileset.name": "log", + 
"http.response.body.content": "rss20.xml", + "input.type": "log", + "log.offset": 5037, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "63.245.209.21", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "fxfeeds.mozilla.org", + "rsa.time.duration_time": 6741, + "rsa.time.event_time": "2006-09-08T04:22:36.000Z", + "rsa.time.event_time_str": "1157689356", + "rsa.web.alias_host": "fxfeeds.mozilla.org", + "server.domain": "fxfeeds.mozilla.org", + "service.type": "squid", + "source.bytes": 734, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "fxfeeds.mozilla.org", + "url.original": "http://fxfeeds.mozilla.org/rss20.xml", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:37.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.231.252" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.231.252 text/xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5170, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.231.252" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 6424, + "rsa.time.event_time": "2006-09-08T04:22:37.000Z", + "rsa.time.event_time_str": "1157689357", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 31400, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:37.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5316, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.194.14", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2831, + "rsa.time.event_time": "2006-09-08T04:22:37.000Z", + "rsa.time.event_time_str": "1157689357", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 21152, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5461, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 
1, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "appinstru.asp", + "input.type": "log", + "log.offset": 5561, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1767, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.174 0 10.105.37.17 
TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "appsync.asp", + "input.type": "log", + "log.offset": 5693, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1761, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5823, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + 
"rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "btn_stations.gif", + "input.type": "log", + "log.offset": 5923, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 711, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": 
"squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6102, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "btn_stations_over.gif", + "input.type": "log", + "log.offset": 6202, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 713, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.269 1982 
10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6386, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1982, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 362, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "bg_left.gif", + "input.type": "log", + "log.offset": 6529, + 
"observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 725, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 511, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:40.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "launchcast_radio.gif", + "input.type": "log", + "log.offset": 6711, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": 
[ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 687, + "rsa.time.event_time": "2006-09-08T04:22:40.000Z", + "rsa.time.event_time_str": "1157689360", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:40.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "appinstru.asp", + "input.type": "log", + "log.offset": 6894, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:40.000Z", + "rsa.time.event_time_str": "1157689360", + 
"rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1767, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "appsync.asp", + "input.type": "log", + "log.offset": 7027, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1761, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + 
"destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "bg_right.gif", + "input.type": "log", + "log.offset": 7158, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 783, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": 
"TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "bg_center.gif", + "input.type": "log", + "log.offset": 7341, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 2242, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + 
"event.original": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "bg_controls_off.gif", + "input.type": "log", + "log.offset": 7525, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 827, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET 
http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "fileset.name": "log", + "http.response.body.content": "t.gif", + "input.type": "log", + "log.offset": 7715, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 751, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "btn_off_state_station.gif", + "input.type": "log", + "log.offset": 7891, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + 
"rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 3, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "bg_controls_fill.gif", + "input.type": "log", + "log.offset": 8068, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 13, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + 
"rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "toolbar50x50.gif", + "input.type": "log", + "log.offset": 8248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.i1.yimg.com", + "rsa.time.duration_time": 8, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "us.i1.yimg.com", + "server.domain": "us.i1.yimg.com", + "service.type": "squid", + "source.bytes": 2263, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.i1.yimg.com", + "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:43.000Z", + "destination.as.number": 2818, + "destination.as.organization.name": "BBC", + 
"destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.4964, + "destination.geo.location.lon": -0.1224, + "destination.ip": [ + "212.58.226.33" + ], + "event.action": "TCP_REFRESH_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", + "fileset.name": "log", + "http.response.body.content": "rss.xml", + "input.type": "log", + "log.offset": 8394, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "212.58.226.33", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_MISS" + ], + "rsa.misc.content_type": "application/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "newsrss.bbc.co.uk", + "rsa.time.duration_time": 6517, + "rsa.time.event_time": "2006-09-08T04:22:43.000Z", + "rsa.time.event_time_str": "1157689363", + "rsa.web.alias_host": "newsrss.bbc.co.uk", + "server.domain": "newsrss.bbc.co.uk", + "service.type": "squid", + "source.bytes": 17396, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "newsrss.bbc.co.uk", + "url.original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, 
+ "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.231.252" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", + "fileset.name": "log", + "http.response.body.content": "beacon.php", + "input.type": "log", + "log.offset": 8579, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.231.252" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2140, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 407, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", + "fileset.name": "log", + "http.response.body.content": "32457654.jpg", + "input.type": "log", + "log.offset": 
8733, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "304", + "rsa.network.domain": "us.ent1.yimg.com", + "rsa.time.duration_time": 7, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "us.ent1.yimg.com", + "server.domain": "us.ent1.yimg.com", + "service.type": "squid", + "source.bytes": 219, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.ent1.yimg.com", + "url.original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", + "fileset.name": "log", + "http.response.body.content": "thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "input.type": "log", + "log.offset": 8900, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + 
"rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 8, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 10593, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:45.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "fileset.name": "log", + "http.response.body.content": "authplay.asp", + "input.type": "log", + "log.offset": 9113, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 2420, + 
"rsa.time.event_time": "2006-09-08T04:22:45.000Z", + "rsa.time.event_time_str": "1157689365", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1270, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:46.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "fileset.name": "log", + "http.response.body.content": "thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "input.type": "log", + "log.offset": 9274, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": 
"200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 1966, + "rsa.time.event_time": "2006-09-08T04:22:46.000Z", + "rsa.time.event_time_str": "1157689366", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 10519, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "fileset.name": "log", + "http.response.body.content": "initstationfeed.asp", + "input.type": "log", + "log.offset": 9504, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.music.yahoo.com", + "rsa.time.duration_time": 1703, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.music.yahoo.com", + "server.domain": "radio.music.yahoo.com", + "service.type": "squid", + "source.bytes": 515, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.music.yahoo.com", + "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "fileset.name": "log", + "http.response.body.content": "initstationfeed.asp", + "input.type": "log", + "log.offset": 9677, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.music.yahoo.com", + "rsa.time.duration_time": 3057, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.music.yahoo.com", + "server.domain": "radio.music.yahoo.com", + "service.type": "squid", + "source.bytes": 14411, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.music.yahoo.com", + "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "fileset.name": "log", + "http.response.body.content": "authplay.asp", + "input.type": "log", + "log.offset": 9852, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 808, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1627, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:49.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? 
- NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "iesocks", + "input.type": "log", + "log.offset": 10013, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.65" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "natrocket.kmip.net", + "rsa.time.duration_time": 1226, + "rsa.time.event_time": "2006-09-08T04:22:49.000Z", + "rsa.time.event_time_str": "1157689369", + "rsa.web.alias_host": "natrocket.kmip.net", + "server.domain": "natrocket.kmip.net", + "service.type": "squid", + "source.bytes": 1728, + "source.ip": [ + "10.105.37.65" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "natrocket.kmip.net", + "url.original": "http://natrocket.kmip.net:5288/iesocks?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:49.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? 
- NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "return", + "input.type": "log", + "log.offset": 10131, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.65" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "natrocket.kmip.net", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:49.000Z", + "rsa.time.event_time_str": "1157689369", + "rsa.web.alias_host": "natrocket.kmip.net", + "server.domain": "natrocket.kmip.net", + "service.type": "squid", + "source.bytes": 1725, + "source.ip": [ + "10.105.37.65" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "natrocket.kmip.net", + "url.original": "http://natrocket.kmip.net:5288/return?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:22:50.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + 
"fileset.name": "log", + "http.response.body.content": "thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "input.type": "log", + "log.offset": 10248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 1202, + "rsa.time.event_time": "2006-09-08T04:22:50.000Z", + "rsa.time.event_time_str": "1157689370", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 13124, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:50.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "fileset.name": "log", + "http.response.body.content": "starter.asp", + "input.type": "log", + "log.offset": 10482, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 736, + "rsa.time.event_time": "2006-09-08T04:22:50.000Z", + "rsa.time.event_time_str": "1157689370", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 912, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:51.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "fileset.name": "log", + "http.response.body.content": "default.asp", + "input.type": "log", + "log.offset": 10651, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 828, + "rsa.time.event_time": "2006-09-08T04:22:51.000Z", + "rsa.time.event_time_str": "1157689371", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1450, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/player/default.asp?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:51.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.152" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET 
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", + "fileset.name": "log", + "http.response.body.content": "081106_lrec_msgr_interophitchhiker.swf", + "input.type": "log", + "log.offset": 10813, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.152", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "application/x-shockwave-flash", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.a2.yimg.com", + "rsa.time.duration_time": 3617, + "rsa.time.event_time": "2006-09-08T04:22:51.000Z", + "rsa.time.event_time_str": "1157689371", + "rsa.web.alias_host": "us.a2.yimg.com", + "server.domain": "us.a2.yimg.com", + "service.type": "squid", + "source.bytes": 30432, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.a2.yimg.com", + "url.original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:53.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET 
http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "fileset.name": "log", + "http.response.body.content": "stickwall.asp", + "input.type": "log", + "log.offset": 11035, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 1626, + "rsa.time.event_time": "2006-09-08T04:22:53.000Z", + "rsa.time.event_time_str": "1157689373", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 14643, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:54.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.213.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif", + "fileset.name": "log", + "http.response.body.content": "b", + "input.type": "log", + "log.offset": 11200, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.213.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.bc.yahoo.com", + "rsa.time.duration_time": 2078, + "rsa.time.event_time": "2006-09-08T04:22:54.000Z", + "rsa.time.event_time_str": "1157689374", + "rsa.web.alias_host": "us.bc.yahoo.com", + "server.domain": "us.bc.yahoo.com", + "service.type": "squid", + "source.bytes": 425, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.bc.yahoo.com", + "url.original": "http://us.bc.yahoo.com/b?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:56.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? 
adeolaegbedokun DIRECT/68.142.194.14 image/gif", + "fileset.name": "log", + "http.response.body.content": "beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", + "input.type": "log", + "log.offset": 11331, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.194.14", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2130, + "rsa.time.event_time": "2006-09-08T04:22:56.000Z", + "rsa.time.event_time_str": "1157689376", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 407, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.109.124.55" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11551, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.109.124.55" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "pclick.internal.yahoo.com", + "rsa.time.duration_time": 3412, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "pclick.internal.yahoo.com", + "server.domain": "pclick.internal.yahoo.com", + "service.type": "squid", + "source.bytes": 1476, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "pclick.internal.yahoo.com", + "url.original": "pclick.internal.yahoo.com:443", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", + "fileset.name": "log", + "http.response.body.content": "rapiBridge_1_4.js", + "input.type": "log", + "log.offset": 11683, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "304", + 
"rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 11, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 233, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", + "fileset.name": "log", + "http.response.body.content": "other.css", + "input.type": "log", + "log.offset": 11922, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + 
"rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 1159, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 236, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "fileset.name": "log", + "http.response.body.content": "bg_left.gif", + "input.type": "log", + "log.offset": 12133, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 797, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12362, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "209.73.177.115", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 3288, + 
"rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 2681, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", + "fileset.name": "log", + "http.response.body.content": "noaccess_msgr_uk.gif", + "input.type": "log", + "log.offset": 12476, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.167", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 1405, + "rsa.time.event_time": 
"2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 136, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "fileset.name": "log", + "http.response.body.content": "bg_right.gif", + "input.type": "log", + "log.offset": 12706, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + 
"rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 702, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 237, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "t.gif", + "input.type": "log", + "log.offset": 12936, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + 
"url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:59.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "fileset.name": "log", + "http.response.body.content": "bg_controls_off.gif", + "input.type": "log", + "log.offset": 13147, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.167", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 563, + "rsa.time.event_time": "2006-09-08T04:22:59.000Z", + "rsa.time.event_time_str": "1157689379", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 
238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:22:59.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "fileset.name": "log", + "http.response.body.content": "bg_center.gif", + "input.type": "log", + "log.offset": 13384, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 560, + "rsa.time.event_time": "2006-09-08T04:22:59.000Z", + "rsa.time.event_time_str": "1157689379", + "rsa.web.alias_host": 
"a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:23:00.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "fileset.name": "log", + "http.response.body.content": "bg_controls_fill.gif", + "input.type": "log", + "log.offset": 13615, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.167", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 685, + 
"rsa.time.event_time": "2006-09-08T04:23:00.000Z", + "rsa.time.event_time_str": "1157689380", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "supported_domains", + "input.type": "log", + "log.offset": 13853, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.180" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 1728, + "source.ip": [ + "10.105.37.180" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/supported_domains", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", 
+ "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "chknews.asp", + "input.type": "log", + "log.offset": 13972, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1782, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.109.125.112" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? 
adeolaegbedokun DIRECT/216.109.125.112 image/gif", + "fileset.name": "log", + "http.response.body.content": "l", + "input.type": "log", + "log.offset": 14109, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.109.125.112", + "10.105.33.214" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "launch.adserver.yahoo.com", + "rsa.time.duration_time": 2171, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "launch.adserver.yahoo.com", + "server.domain": "launch.adserver.yahoo.com", + "service.type": "squid", + "source.bytes": 449, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "launch.adserver.yahoo.com", + "url.original": "http://launch.adserver.yahoo.com/l?", + "user.name": [ + "adeolaegbedokun" + ] + }, + { + "@timestamp": "2006-09-08T04:23:02.000Z", + "destination.as.number": 34010, + "destination.as.organization.name": "Yahoo! UK Services Limited", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.4964, + "destination.geo.location.lon": -0.1224, + "destination.ip": [ + "217.12.10.96" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html", + "fileset.name": "log", + "http.response.body.content": "launch", + "input.type": "log", + "log.offset": 14251, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "217.12.10.96", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "uk.f250.mail.yahoo.com", + "rsa.time.duration_time": 3700, + "rsa.time.event_time": "2006-09-08T04:23:02.000Z", + "rsa.time.event_time_str": "1157689382", + "rsa.web.alias_host": "uk.f250.mail.yahoo.com", + "server.domain": "uk.f250.mail.yahoo.com", + "service.type": "squid", + "source.bytes": 11746, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "uk.f250.mail.yahoo.com", + "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:23:02.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14389, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.180" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": 
"login.live.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:02.000Z", + "rsa.time.event_time_str": "1157689382", + "rsa.web.alias_host": "login.live.com", + "server.domain": "login.live.com", + "service.type": "squid", + "source.bytes": 1670, + "source.ip": [ + "10.105.37.180" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.live.com", + "url.original": "login.live.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2006-09-08T04:23:04.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.169" + ], + "event.action": "TCP_SWAPFAIL_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "fileset.name": "log", + "http.response.body.content": "77cf3e56414f974dfd8616f56f0f632c_1.js", + "input.type": "log", + "log.offset": 14491, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "213.160.98.169" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_SWAPFAIL_MISS", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + 
"rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 2828, + "rsa.time.event_time": "2006-09-08T04:23:04.000Z", + "rsa.time.event_time_str": "1157689384", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 633, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:23:05.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", + "fileset.name": "log", + "http.response.body.content": "ygma5.css", + "input.type": "log", + "log.offset": 14714, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js1.yimg.com", + "rsa.time.duration_time": 1397, + "rsa.time.event_time": "2006-09-08T04:23:05.000Z", + "rsa.time.event_time_str": "1157689385", + "rsa.web.alias_host": "us.js1.yimg.com", + "server.domain": "us.js1.yimg.com", + "service.type": "squid", + "source.bytes": 1742, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js1.yimg.com", + "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", + "user.name": [ + "badeyek" 
+ ] + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.169" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "fileset.name": "log", + "http.response.body.content": "f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "input.type": "log", + "log.offset": 14848, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.169", + "10.105.21.199" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 1977, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 14561, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": 
"http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", + "fileset.name": "log", + "http.response.body.content": "ac.js", + "input.type": "log", + "log.offset": 15064, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js1.yimg.com", + "rsa.time.duration_time": 80, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js1.yimg.com", + "server.domain": "us.js1.yimg.com", + "service.type": "squid", + "source.bytes": 68733, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js1.yimg.com", + "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript", + "fileset.name": "log", 
+ "http.response.body.content": "yahoo_2.0.0-b4.js", + "input.type": "log", + "log.offset": 15231, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 898, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", + "user.name": [ + "badeyek" + ] + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "liam_ball_1.gif", + "input.type": "log", + "log.offset": 15402, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": 
"image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.i1.yimg.com", + "rsa.time.duration_time": 60, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.i1.yimg.com", + "server.domain": "us.i1.yimg.com", + "service.type": "squid", + "source.bytes": 26803, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.i1.yimg.com", + "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", + "user.name": [ + "badeyek" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access2.log b/x-pack/filebeat/module/squid/log/test/access2.log new file mode 100644 index 00000000000..de787cfea17 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/access2.log 
@@ -0,0 +1,100 @@
+1035368729.430 371 210.8.79.228 TCP_MISS/200 2136 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
+1035368730.746 297 210.8.79.228 TCP_MISS/200 1467 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
+1035368731.283 344 210.8.79.228 TCP_MISS/200 1330 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
+1035368732.162 2 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/anglais/produit4.html - NONE/- text/html
+1035368732.391 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/produits-ang.gif - NONE/- image/gif
+1035368732.456 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif
+1035368732.512 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif
+1035368732.545 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logo_orange.gif - NONE/- image/gif
+1035368732.599 19 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/chat.gif - NONE/- image/gif
+1035368732.675 115 210.8.79.192 TCP_REFRESH_MISS/200 2111 GET http://www.call-kelly.com/horizontal.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript
+1035368732.701 11 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/icone_notice.gif - NONE/- image/gif
+1035368732.775 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium1.gif - NONE/- image/gif
+1035368732.830 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium2.gif - NONE/- image/gif
+1035368732.877 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium3.gif - NONE/- image/gif
+1035368732.913 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/speleniumgold.gif - NONE/- image/gif
+1035368732.962 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/antipode.gif - NONE/- image/gif
+1035368733.035 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logospelenium.gif - NONE/- image/gif
+1035368733.087 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium1.gif - NONE/- image/gif
+1035368733.096 307 210.8.79.228 TCP_MISS/200 1623 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
+1035368733.151 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium2.gif - NONE/- image/gif
+1035368733.194 5 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium3.gif - NONE/- image/gif
+1035368733.342 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0antipode.gif - NONE/- image/gif
+1035368733.387 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium4.gif - NONE/- image/gif
+1035368733.758 299 210.8.79.228 TCP_MISS/200 1448 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
+1035368733.821 302 210.8.79.228 TCP_MISS/200 1365 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
+1035368733.822 2382 210.8.79.192 TCP_MISS/200 24756 GET http://www.call-kelly.com/ - FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html
+1035368733.894 104 210.8.79.192 TCP_REFRESH_HIT/200 1214 GET http://www.call-kelly.com/vertical.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript
+1035368734.169 320 210.8.79.228 TCP_MISS/200 1466 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
+1035368734.580 330 210.8.79.228 TCP_MISS/200 1321 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
+1035368734.883 333 210.8.79.228 TCP_MISS/200 824 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
+1035368735.255 386 210.8.79.228 TCP_MISS/200 1969 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
+1035368735.749 630 210.8.79.228 TCP_MISS/200 15187 GET http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
+1035368735.884 625 210.8.79.192 TCP_MISS/200 8623 GET http://counter11.sextracker.com/c4/id/0/259914 - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368736.258 299 210.8.79.228 TCP_MISS/200 609 GET http://www.fas.harvard.edu/~hpcws/vertbar.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368736.295 64 210.8.79.192 TCP_REFRESH_HIT/200 6080 GET http://66.181.163.170/pics/12.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg
+1035368736.750 570 210.8.79.192 TCP_REFRESH_HIT/200 5935 GET http://66.181.163.170/pics/tease.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg
+1035368736.989 319 210.8.79.228 TCP_MISS/200 2135 GET http://www.fas.harvard.edu/~hpcws/getacro.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368737.286 2056 210.8.79.228 TCP_MISS/200 3677 GET http://www.fas.harvard.edu/~hpcws/journaltitle.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif
+1035368738.516 598 210.8.79.192 TCP_REFRESH_HIT/200 8851 GET http://66.181.163.170/pics/5.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
+1035368739.275 346 210.8.79.228 TCP_MISS/200 3719 GET http://www.fas.harvard.edu/~hpcws/msbutton.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368739.396 1056 210.8.79.228 TCP_MISS/200 3693 GET http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif
+1035368740.659 639 210.8.79.192 TCP_REFRESH_HIT/200 7652 GET http://66.181.163.170/pics/8.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
+1035368741.676 306 210.8.79.228 TCP_MISS/200 2671 GET http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368742.029 300 210.8.79.228 TCP_MISS/200 2690 GET http://www.fas.harvard.edu/~hpcws/subsbutton.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368742.102 123 210.8.79.192 TCP_REFRESH_HIT/200 4530 GET http://66.181.163.170/pics/17.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
+1035368742.150 321 210.8.79.228 TCP_MISS/200 483 GET http://www.fas.harvard.edu/~hpcws/shim.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368742.474 104 210.8.79.192 TCP_REFRESH_HIT/200 9437 GET http://www.penis-enlargement-product.com/banners/ban2.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
+1035368743.319 330 210.8.79.228 TCP_MISS/200 1664 GET http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368747.045 15 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif
+1035368747.103 1424 210.8.79.199 TCP_MISS/200 13119 GET http://www.bealplanet.com/notices/speleo-ang.html - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html
+1035368747.266 5 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif
+1035368747.556 416 210.8.79.199 TCP_MISS/200 1973 GET http://www.bealplanet.com/notices/img/titre_speleo.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368747.990 3690 210.8.79.192 TCP_REFRESH_HIT/200 22832 GET http://botw.topbucks.com/mx_vertical_04_ani.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
+1035368748.012 442 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/francais.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368748.601 722 210.8.79.199 TCP_MISS/200 948 GET http://www.bealplanet.com/notices/img/anglais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368748.823 753 210.8.79.199 TCP_MISS/200 952 GET http://www.bealplanet.com/notices/img/deutsch.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368748.883 403 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/espanol.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368749.090 381 210.8.79.199 TCP_MISS/200 936 GET http://www.bealplanet.com/notices/img/italiano.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368749.346 407 210.8.79.199 TCP_MISS/200 993 GET http://www.bealplanet.com/notices/img/nederlands.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368749.763 402 210.8.79.199 TCP_MISS/200 980 GET http://www.bealplanet.com/notices/img/portuges.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368749.879 709 210.8.79.199 TCP_MISS/200 954 GET http://www.bealplanet.com/notices/img/japanese.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368749.955 405 210.8.79.199 TCP_MISS/200 4039 GET http://www.bealplanet.com/notices/img/logobeal.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368750.213 394 210.8.79.199 TCP_MISS/200 2014 GET http://www.bealplanet.com/notices/img/spelenium1.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368750.666 436 210.8.79.199 TCP_MISS/200 1783 GET http://www.bealplanet.com/notices/img/bout1_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368750.847 397 210.8.79.199 TCP_MISS/200 1991 GET http://www.bealplanet.com/notices/img/bout2_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368751.598 398 210.8.79.199 TCP_MISS/200 758 GET http://www.bealplanet.com/notices/img/attention.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368752.992 402 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/francais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368753.137 487 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/deutsch_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368753.141 486 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/espanol_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368753.496 787 210.8.79.199 TCP_MISS/200 951 GET http://www.bealplanet.com/notices/img/italiano_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368753.728 388 210.8.79.199 TCP_MISS/200 999 GET http://www.bealplanet.com/notices/img/nederlands_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368753.905 375 210.8.79.199 TCP_MISS/200 965 GET http://www.bealplanet.com/notices/img/japanese_bis.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368754.163 424 210.8.79.199 TCP_MISS/200 974 GET http://www.bealplanet.com/notices/img/portuges_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
+1035368754.200 4246 210.8.79.192 TCP_MISS/200 15594 GET http://cybercatinc.com/banners/July/logo16.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
+1035368754.332 393 210.8.79.199 TCP_MISS/200 1661 GET http://www.bealplanet.com/notices/img/bout1bis_ang.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
+1035368757.241 3100 210.8.79.199 TCP_MISS/200 1866 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif
+1035368757.301 0 210.8.79.199 TCP_MEM_HIT/200 1872 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - NONE/- image/gif
+1035368758.063 134 210.8.79.192 TCP_MISS/200 7436 GET http://www.frenchcum.com/ - PARENT_HIT/proxy1.syd.connect.com.au text/html
+1035368759.420 5831 210.8.79.192 TCP_REFRESH_HIT/200 18075 GET http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
+1035368761.410 15150 210.8.79.192 TCP_REFRESH_HIT/200 22445 GET http://www.girls-home-alone.com/banners/call-kelly.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif
+1035368761.607 637 210.8.79.192 TCP_REFRESH_HIT/200 14489 GET http://cybercatinc.com/banners/July/npban_adult.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
+1035368769.137 467 210.8.79.192 TCP_MISS/302 449 GET http://c2.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html
+1035368773.118 87 210.8.79.192 TCP_REFRESH_HIT/200 1762 GET http://www.frenchcum.com/eclair.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif
+1035368773.734 3183 210.8.79.192 TCP_REFRESH_HIT/200 3257 GET http://www.frenchcum.com/frenchcumnew.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
+1035368773.875 3915 210.8.79.192 TCP_MISS/200 1388 GET http://www.usaminutes.tv/iframe_pix/index_3.php?
- DIRECT/80.69.64.224 text/html +1035368774.928 1157 210.8.79.192 TCP_REFRESH_MISS/200 3600 GET http://www.frenchcum.com/oki02.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif +1035368775.066 2886 210.8.79.192 TCP_MISS/302 666 GET http://rr3.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html +1035368775.140 43001 210.8.79.228 TCP_MISS/000 0 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au - +1035368775.441 619 210.8.79.192 TCP_MISS/200 6681 GET http://counter4.sextracker.com/c7/id/0/315043 - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif +1035368775.871 570 210.8.79.228 TCP_MISS/200 1352 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg +1035368775.957 586 210.8.79.228 TCP_MISS/200 1630 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg +1035368776.160 580 210.8.79.228 TCP_MISS/200 1487 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg +1035368776.779 1559 210.8.79.228 TCP_MISS/200 23518 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au application/pdf +1035368776.928 317 210.8.79.228 TCP_MISS/200 1390 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg +1035368777.082 1031 210.8.79.192 TCP_REFRESH_HIT/200 12995 GET http://www.usaminutes.tv/iframe_pix/7.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg +1035368777.709 4 202.67.67.124 TCP_DENIED/403 1119 GET http://rmapup.real.com/fcgi-bin/upgrade.fcgi? 
- NONE/- - +1035368777.800 309 210.8.79.228 TCP_MISS/200 1859 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg +1035368777.845 955 210.8.79.228 TCP_MISS/200 22446 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - FIRST_PARENT_MISS/proxy2.syd.connect.com.au application/pdf +1035368778.102 452 210.8.79.192 TCP_MISS/302 450 GET http://c1.xxxcounter.com/c2/id/16/190203/0/ - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html +1035368778.117 317 210.8.79.228 TCP_MISS/200 1629 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json new file mode 100644 index 00000000000..53c5e82e5a3 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json 
@@ -0,0 +1,5510 @@ +[ + { + "@timestamp": "2002-10-23T10:25:29.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368729.430 371 210.8.79.228 TCP_MISS/200 2136 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r3_c6.jpg", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 371, + "rsa.time.event_time": "2002-10-23T10:25:29.000Z", + "rsa.time.event_time_str": "1035368729", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 2136, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:30.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368730.746 297 210.8.79.228 TCP_MISS/200 1467 GET 
http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c1.jpg", + "input.type": "log", + "log.offset": 169, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 297, + "rsa.time.event_time": "2002-10-23T10:25:30.000Z", + "rsa.time.event_time_str": "1035368730", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1467, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:31.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368731.283 344 210.8.79.228 TCP_MISS/200 1330 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c2.jpg", + "input.type": "log", + "log.offset": 338, + "observer.product": "Proxy", 
+ "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 344, + "rsa.time.event_time": "2002-10-23T10:25:31.000Z", + "rsa.time.event_time_str": "1035368731", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1330, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.162 2 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/anglais/produit4.html - NONE/- text/html", + "fileset.name": "log", + "http.response.body.content": "produit4.html", + "input.type": "log", + "log.offset": 515, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": 
"ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 2, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/anglais/produit4.html", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.391 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/produits-ang.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "produits-ang.gif", + "input.type": "log", + "log.offset": 650, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 6, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + 
"rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/produits-ang.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.456 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "cale.gif", + "input.type": "log", + "log.offset": 784, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 6, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + 
"source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/cale.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.512 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "fond2.gif", + "input.type": "log", + "log.offset": 910, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 3, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/fond2.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + 
"event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.545 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logo_orange.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "logo_orange.gif", + "input.type": "log", + "log.offset": 1037, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 15, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/logo_orange.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.599 19 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/chat.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "chat.gif", + "input.type": "log", + 
"log.offset": 1170, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 19, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/chat.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_REFRESH_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.675 115 210.8.79.192 TCP_REFRESH_MISS/200 2111 GET http://www.call-kelly.com/horizontal.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript", + "fileset.name": "log", + "http.response.body.content": "horizontal.js", + "input.type": "log", + "log.offset": 1296, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_MISS" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.call-kelly.com", + "rsa.time.duration_time": 115, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.call-kelly.com", + "server.domain": "www.call-kelly.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 2111, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.call-kelly.com", + "url.original": "http://www.call-kelly.com/horizontal.js", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.701 11 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/icone_notice.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "icone_notice.gif", + "input.type": "log", + "log.offset": 1465, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 11, + "rsa.time.event_time": 
"2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/icone_notice.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.775 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium1.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "spelenium1.gif", + "input.type": "log", + "log.offset": 1599, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 15, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", 
+ "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/spelenium1.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.830 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium2.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "spelenium2.gif", + "input.type": "log", + "log.offset": 1731, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/spelenium2.gif", + "user.name": [ 
+ "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.877 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium3.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "spelenium3.gif", + "input.type": "log", + "log.offset": 1863, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 3, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/spelenium3.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.913 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/speleniumgold.gif - NONE/- 
image/gif", + "fileset.name": "log", + "http.response.body.content": "speleniumgold.gif", + "input.type": "log", + "log.offset": 1995, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 12, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/speleniumgold.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:32.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368732.962 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/antipode.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "antipode.gif", + "input.type": "log", + "log.offset": 2130, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": 
"GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 12, + "rsa.time.event_time": "2002-10-23T10:25:32.000Z", + "rsa.time.event_time_str": "1035368732", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/antipode.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.035 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logospelenium.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "logospelenium.gif", + "input.type": "log", + "log.offset": 2260, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + 
"rsa.time.duration_time": 15, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/logospelenium.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.087 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium1.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "0spelenium1.gif", + "input.type": "log", + "log.offset": 2395, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 7, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + 
"source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/0spelenium1.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.096 307 210.8.79.228 TCP_MISS/200 1623 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c4.jpg", + "input.type": "log", + "log.offset": 2528, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 307, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1623, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + 
"url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.151 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium2.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "0spelenium2.gif", + "input.type": "log", + "log.offset": 2697, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/0spelenium2.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": 
"1035368733.194 5 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium3.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "0spelenium3.gif", + "input.type": "log", + "log.offset": 2830, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 5, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/0spelenium3.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.342 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0antipode.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "0antipode.gif", + "input.type": "log", + "log.offset": 2963, + "observer.product": "Proxy", + "observer.type": "Proxies", + 
"observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 12, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/0antipode.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.387 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium4.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "0spelenium4.gif", + "input.type": "log", + "log.offset": 3094, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + 
"rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 7, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 268, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/0spelenium4.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.758 299 210.8.79.228 TCP_MISS/200 1448 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c5.jpg", + "input.type": "log", + "log.offset": 3227, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 299, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + 
"rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1448, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.821 302 210.8.79.228 TCP_MISS/200 1365 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c7.jpg", + "input.type": "log", + "log.offset": 3404, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 302, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1365, + "source.geo.continent_name": "Oceania", + 
"source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:33.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.822 2382 210.8.79.192 TCP_MISS/200 24756 GET http://www.call-kelly.com/ - FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3573, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.call-kelly.com", + "rsa.time.duration_time": 2382, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.call-kelly.com", + "server.domain": "www.call-kelly.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 24756, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.call-kelly.com", + "url.original": "http://www.call-kelly.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": 
"2002-10-23T10:25:33.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368733.894 104 210.8.79.192 TCP_REFRESH_HIT/200 1214 GET http://www.call-kelly.com/vertical.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript", + "fileset.name": "log", + "http.response.body.content": "vertical.js", + "input.type": "log", + "log.offset": 3714, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.call-kelly.com", + "rsa.time.duration_time": 104, + "rsa.time.event_time": "2002-10-23T10:25:33.000Z", + "rsa.time.event_time_str": "1035368733", + "rsa.web.alias_host": "www.call-kelly.com", + "server.domain": "www.call-kelly.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1214, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.call-kelly.com", + "url.original": "http://www.call-kelly.com/vertical.js", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:34.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368734.169 320 210.8.79.228 TCP_MISS/200 1466 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg - 
FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c9.jpg", + "input.type": "log", + "log.offset": 3880, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 320, + "rsa.time.event_time": "2002-10-23T10:25:34.000Z", + "rsa.time.event_time_str": "1035368734", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1466, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:34.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368734.580 330 210.8.79.228 TCP_MISS/200 1321 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c10.jpg", + "input.type": "log", + "log.offset": 4049, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": 
"Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 330, + "rsa.time.event_time": "2002-10-23T10:25:34.000Z", + "rsa.time.event_time_str": "1035368734", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1321, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:34.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368734.883 333 210.8.79.228 TCP_MISS/200 824 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c11.jpg", + "input.type": "log", + "log.offset": 4227, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 333, + "rsa.time.event_time": "2002-10-23T10:25:34.000Z", + "rsa.time.event_time_str": "1035368734", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 824, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:35.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368735.255 386 210.8.79.228 TCP_MISS/200 1969 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r5_c1.jpg", + "input.type": "log", + "log.offset": 4404, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 386, + "rsa.time.event_time": 
"2002-10-23T10:25:35.000Z", + "rsa.time.event_time_str": "1035368735", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1969, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:35.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368735.749 630 210.8.79.228 TCP_MISS/200 15187 GET http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "journalCWS2.jpg", + "input.type": "log", + "log.offset": 4573, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 630, + "rsa.time.event_time": "2002-10-23T10:25:35.000Z", + "rsa.time.event_time_str": "1035368735", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + 
"source.bytes": 15187, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:35.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368735.884 625 210.8.79.192 TCP_MISS/200 8623 GET http://counter11.sextracker.com/c4/id/0/259914 - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "259914", + "input.type": "log", + "log.offset": 4738, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "counter11.sextracker.com", + "rsa.time.duration_time": 625, + "rsa.time.event_time": "2002-10-23T10:25:35.000Z", + "rsa.time.event_time_str": "1035368735", + "rsa.web.alias_host": "counter11.sextracker.com", + "server.domain": "counter11.sextracker.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 8623, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"counter11.sextracker.com", + "url.original": "http://counter11.sextracker.com/c4/id/0/259914", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:36.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368736.258 299 210.8.79.228 TCP_MISS/200 609 GET http://www.fas.harvard.edu/~hpcws/vertbar.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "vertbar.gif", + "input.type": "log", + "log.offset": 4898, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 299, + "rsa.time.event_time": "2002-10-23T10:25:36.000Z", + "rsa.time.event_time_str": "1035368736", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 609, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/vertbar.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:36.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + 
"event.original": "1035368736.295 64 210.8.79.192 TCP_REFRESH_HIT/200 6080 GET http://66.181.163.170/pics/12.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "12.jpg", + "input.type": "log", + "log.offset": 5056, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "66.181.163.170", + "rsa.time.duration_time": 64, + "rsa.time.event_time": "2002-10-23T10:25:36.000Z", + "rsa.time.event_time_str": "1035368736", + "rsa.web.alias_host": "66.181.163.170", + "server.domain": "66.181.163.170", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 6080, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "66.181.163.170", + "url.original": "http://66.181.163.170/pics/12.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:36.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368736.750 570 210.8.79.192 TCP_REFRESH_HIT/200 5935 GET http://66.181.163.170/pics/tease.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "tease.jpg", + "input.type": "log", + "log.offset": 5204, + "observer.product": "Proxy", + "observer.type": 
"Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "66.181.163.170", + "rsa.time.duration_time": 570, + "rsa.time.event_time": "2002-10-23T10:25:36.000Z", + "rsa.time.event_time_str": "1035368736", + "rsa.web.alias_host": "66.181.163.170", + "server.domain": "66.181.163.170", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 5935, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "66.181.163.170", + "url.original": "http://66.181.163.170/pics/tease.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:36.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368736.989 319 210.8.79.228 TCP_MISS/200 2135 GET http://www.fas.harvard.edu/~hpcws/getacro.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "getacro.gif", + "input.type": "log", + "log.offset": 5355, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + 
"TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 319, + "rsa.time.event_time": "2002-10-23T10:25:36.000Z", + "rsa.time.event_time_str": "1035368736", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 2135, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/getacro.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:37.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368737.286 2056 210.8.79.228 TCP_MISS/200 3677 GET http://www.fas.harvard.edu/~hpcws/journaltitle.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "journaltitle.gif", + "input.type": "log", + "log.offset": 5514, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 2056, + "rsa.time.event_time": "2002-10-23T10:25:37.000Z", + "rsa.time.event_time_str": "1035368737", + 
"rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 3677, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/journaltitle.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:38.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368738.516 598 210.8.79.192 TCP_REFRESH_HIT/200 8851 GET http://66.181.163.170/pics/5.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "5.jpg", + "input.type": "log", + "log.offset": 5682, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "66.181.163.170", + "rsa.time.duration_time": 598, + "rsa.time.event_time": "2002-10-23T10:25:38.000Z", + "rsa.time.event_time_str": "1035368738", + "rsa.web.alias_host": "66.181.163.170", + "server.domain": "66.181.163.170", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 8851, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + 
"source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "66.181.163.170", + "url.original": "http://66.181.163.170/pics/5.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:39.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368739.275 346 210.8.79.228 TCP_MISS/200 3719 GET http://www.fas.harvard.edu/~hpcws/msbutton.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "msbutton.gif", + "input.type": "log", + "log.offset": 5829, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 346, + "rsa.time.event_time": "2002-10-23T10:25:39.000Z", + "rsa.time.event_time_str": "1035368739", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 3719, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/msbutton.gif", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2002-10-23T10:25:39.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368739.396 1056 210.8.79.228 TCP_MISS/200 3693 GET http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "msbutton_f2.gif", + "input.type": "log", + "log.offset": 5989, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 1056, + "rsa.time.event_time": "2002-10-23T10:25:39.000Z", + "rsa.time.event_time_str": "1035368739", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 3693, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:40.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368740.659 639 210.8.79.192 TCP_REFRESH_HIT/200 7652 GET http://66.181.163.170/pics/8.jpg 
- PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "8.jpg", + "input.type": "log", + "log.offset": 6156, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "66.181.163.170", + "rsa.time.duration_time": 639, + "rsa.time.event_time": "2002-10-23T10:25:40.000Z", + "rsa.time.event_time_str": "1035368740", + "rsa.web.alias_host": "66.181.163.170", + "server.domain": "66.181.163.170", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 7652, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "66.181.163.170", + "url.original": "http://66.181.163.170/pics/8.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:41.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368741.676 306 210.8.79.228 TCP_MISS/200 2671 GET http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "subsbutton_f2.gif", + "input.type": "log", + "log.offset": 6303, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": 
"FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 306, + "rsa.time.event_time": "2002-10-23T10:25:41.000Z", + "rsa.time.event_time_str": "1035368741", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 2671, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:42.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368742.029 300 210.8.79.228 TCP_MISS/200 2690 GET http://www.fas.harvard.edu/~hpcws/subsbutton.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "subsbutton.gif", + "input.type": "log", + "log.offset": 6468, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": 
"image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 300, + "rsa.time.event_time": "2002-10-23T10:25:42.000Z", + "rsa.time.event_time_str": "1035368742", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 2690, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/subsbutton.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:42.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368742.102 123 210.8.79.192 TCP_REFRESH_HIT/200 4530 GET http://66.181.163.170/pics/17.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "17.jpg", + "input.type": "log", + "log.offset": 6638, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "66.181.163.170", + "rsa.time.duration_time": 123, + "rsa.time.event_time": "2002-10-23T10:25:42.000Z", + "rsa.time.event_time_str": "1035368742", + "rsa.web.alias_host": "66.181.163.170", + "server.domain": "66.181.163.170", + 
"service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 4530, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "66.181.163.170", + "url.original": "http://66.181.163.170/pics/17.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:42.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368742.150 321 210.8.79.228 TCP_MISS/200 483 GET http://www.fas.harvard.edu/~hpcws/shim.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "shim.gif", + "input.type": "log", + "log.offset": 6786, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 321, + "rsa.time.event_time": "2002-10-23T10:25:42.000Z", + "rsa.time.event_time_str": "1035368742", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 483, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + 
"210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/shim.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:42.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368742.474 104 210.8.79.192 TCP_REFRESH_HIT/200 9437 GET http://www.penis-enlargement-product.com/banners/ban2.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "ban2.gif", + "input.type": "log", + "log.offset": 6949, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.penis-enlargement-product.com", + "rsa.time.duration_time": 104, + "rsa.time.event_time": "2002-10-23T10:25:42.000Z", + "rsa.time.event_time_str": "1035368742", + "rsa.web.alias_host": "www.penis-enlargement-product.com", + "server.domain": "www.penis-enlargement-product.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 9437, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.penis-enlargement-product.com", + "url.original": "http://www.penis-enlargement-product.com/banners/ban2.gif", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2002-10-23T10:25:43.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368743.319 330 210.8.79.228 TCP_MISS/200 1664 GET http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "jcwspanel_r1_c1.gif", + "input.type": "log", + "log.offset": 7120, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 330, + "rsa.time.event_time": "2002-10-23T10:25:43.000Z", + "rsa.time.event_time_str": "1035368743", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1664, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:47.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368747.045 15 210.8.79.199 TCP_IMS_HIT/304 269 GET 
http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "fond2.gif", + "input.type": "log", + "log.offset": 7295, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 15, + "rsa.time.event_time": "2002-10-23T10:25:47.000Z", + "rsa.time.event_time_str": "1035368747", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 269, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/fond2.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:47.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368747.103 1424 210.8.79.199 TCP_MISS/200 13119 GET http://www.bealplanet.com/notices/speleo-ang.html - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", + "fileset.name": "log", + "http.response.body.content": "speleo-ang.html", + "input.type": "log", + "log.offset": 7422, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + 
"210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 1424, + "rsa.time.event_time": "2002-10-23T10:25:47.000Z", + "rsa.time.event_time_str": "1035368747", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 13119, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/speleo-ang.html", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:47.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368747.266 5 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "cale.gif", + "input.type": "log", + "log.offset": 7586, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + 
"rsa.misc.result_code": "304", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 5, + "rsa.time.event_time": "2002-10-23T10:25:47.000Z", + "rsa.time.event_time_str": "1035368747", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 269, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/produits/img/cale.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:47.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368747.556 416 210.8.79.199 TCP_MISS/200 1973 GET http://www.bealplanet.com/notices/img/titre_speleo.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "titre_speleo.gif", + "input.type": "log", + "log.offset": 7712, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 416, + "rsa.time.event_time": "2002-10-23T10:25:47.000Z", + "rsa.time.event_time_str": "1035368747", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": 
"www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1973, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/titre_speleo.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:47.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368747.990 3690 210.8.79.192 TCP_REFRESH_HIT/200 22832 GET http://botw.topbucks.com/mx_vertical_04_ani.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "mx_vertical_04_ani.gif", + "input.type": "log", + "log.offset": 7888, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "botw.topbucks.com", + "rsa.time.duration_time": 3690, + "rsa.time.event_time": "2002-10-23T10:25:47.000Z", + "rsa.time.event_time_str": "1035368747", + "rsa.web.alias_host": "botw.topbucks.com", + "server.domain": "botw.topbucks.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 22832, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + 
"source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "botw.topbucks.com", + "url.original": "http://botw.topbucks.com/mx_vertical_04_ani.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:48.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368748.012 442 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/francais.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "francais.gif", + "input.type": "log", + "log.offset": 8050, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 442, + "rsa.time.event_time": "2002-10-23T10:25:48.000Z", + "rsa.time.event_time_str": "1035368748", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 958, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/francais.gif", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2002-10-23T10:25:48.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368748.601 722 210.8.79.199 TCP_MISS/200 948 GET http://www.bealplanet.com/notices/img/anglais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "anglais_bis.gif", + "input.type": "log", + "log.offset": 8221, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 722, + "rsa.time.event_time": "2002-10-23T10:25:48.000Z", + "rsa.time.event_time_str": "1035368748", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 948, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/anglais_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:48.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368748.823 753 210.8.79.199 TCP_MISS/200 952 GET 
http://www.bealplanet.com/notices/img/deutsch.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "deutsch.gif", + "input.type": "log", + "log.offset": 8395, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 753, + "rsa.time.event_time": "2002-10-23T10:25:48.000Z", + "rsa.time.event_time_str": "1035368748", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 952, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/deutsch.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:48.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368748.883 403 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/espanol.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "espanol.gif", + "input.type": "log", + "log.offset": 8565, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 403, + "rsa.time.event_time": "2002-10-23T10:25:48.000Z", + "rsa.time.event_time_str": "1035368748", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 957, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/espanol.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:49.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368749.090 381 210.8.79.199 TCP_MISS/200 936 GET http://www.bealplanet.com/notices/img/italiano.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "italiano.gif", + "input.type": "log", + "log.offset": 8735, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 381, + "rsa.time.event_time": "2002-10-23T10:25:49.000Z", + "rsa.time.event_time_str": "1035368749", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 936, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/italiano.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:49.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368749.346 407 210.8.79.199 TCP_MISS/200 993 GET http://www.bealplanet.com/notices/img/nederlands.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "nederlands.gif", + "input.type": "log", + "log.offset": 8898, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 407, + "rsa.time.event_time": 
"2002-10-23T10:25:49.000Z", + "rsa.time.event_time_str": "1035368749", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 993, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/nederlands.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:49.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368749.763 402 210.8.79.199 TCP_MISS/200 980 GET http://www.bealplanet.com/notices/img/portuges.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "portuges.gif", + "input.type": "log", + "log.offset": 9063, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 402, + "rsa.time.event_time": "2002-10-23T10:25:49.000Z", + "rsa.time.event_time_str": "1035368749", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + 
"source.bytes": 980, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/portuges.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:49.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368749.879 709 210.8.79.199 TCP_MISS/200 954 GET http://www.bealplanet.com/notices/img/japanese.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "japanese.gif", + "input.type": "log", + "log.offset": 9234, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 709, + "rsa.time.event_time": "2002-10-23T10:25:49.000Z", + "rsa.time.event_time_str": "1035368749", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 954, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/japanese.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:49.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368749.955 405 210.8.79.199 TCP_MISS/200 4039 GET http://www.bealplanet.com/notices/img/logobeal.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "logobeal.gif", + "input.type": "log", + "log.offset": 9397, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 405, + "rsa.time.event_time": "2002-10-23T10:25:49.000Z", + "rsa.time.event_time_str": "1035368749", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 4039, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/logobeal.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:50.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + 
"event.module": "squid", + "event.original": "1035368750.213 394 210.8.79.199 TCP_MISS/200 2014 GET http://www.bealplanet.com/notices/img/spelenium1.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "spelenium1.gif", + "input.type": "log", + "log.offset": 9569, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 394, + "rsa.time.event_time": "2002-10-23T10:25:50.000Z", + "rsa.time.event_time_str": "1035368750", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 2014, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/spelenium1.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:50.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368750.666 436 210.8.79.199 TCP_MISS/200 1783 GET http://www.bealplanet.com/notices/img/bout1_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "bout1_ang.gif", + 
"input.type": "log", + "log.offset": 9735, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 436, + "rsa.time.event_time": "2002-10-23T10:25:50.000Z", + "rsa.time.event_time_str": "1035368750", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1783, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/bout1_ang.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:50.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368750.847 397 210.8.79.199 TCP_MISS/200 1991 GET http://www.bealplanet.com/notices/img/bout2_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "bout2_ang.gif", + "input.type": "log", + "log.offset": 9900, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + 
"rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 397, + "rsa.time.event_time": "2002-10-23T10:25:50.000Z", + "rsa.time.event_time_str": "1035368750", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1991, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/bout2_ang.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:51.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368751.598 398 210.8.79.199 TCP_MISS/200 758 GET http://www.bealplanet.com/notices/img/attention.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "attention.gif", + "input.type": "log", + "log.offset": 10065, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": 
"www.bealplanet.com", + "rsa.time.duration_time": 398, + "rsa.time.event_time": "2002-10-23T10:25:51.000Z", + "rsa.time.event_time_str": "1035368751", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 758, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/attention.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:52.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368752.992 402 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/francais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "francais_bis.gif", + "input.type": "log", + "log.offset": 10229, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 402, + "rsa.time.event_time": "2002-10-23T10:25:52.000Z", + "rsa.time.event_time_str": "1035368752", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + 
"source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 957, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/francais_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:53.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368753.137 487 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/deutsch_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "deutsch_bis.gif", + "input.type": "log", + "log.offset": 10404, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 487, + "rsa.time.event_time": "2002-10-23T10:25:53.000Z", + "rsa.time.event_time_str": "1035368753", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 957, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + 
"210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/deutsch_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:53.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368753.141 486 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/espanol_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "espanol_bis.gif", + "input.type": "log", + "log.offset": 10570, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 486, + "rsa.time.event_time": "2002-10-23T10:25:53.000Z", + "rsa.time.event_time_str": "1035368753", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 958, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/espanol_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:53.000Z", + "event.action": 
"TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368753.496 787 210.8.79.199 TCP_MISS/200 951 GET http://www.bealplanet.com/notices/img/italiano_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "italiano_bis.gif", + "input.type": "log", + "log.offset": 10736, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 787, + "rsa.time.event_time": "2002-10-23T10:25:53.000Z", + "rsa.time.event_time_str": "1035368753", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 951, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/italiano_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:53.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368753.728 388 210.8.79.199 TCP_MISS/200 999 GET http://www.bealplanet.com/notices/img/nederlands_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au 
image/gif", + "fileset.name": "log", + "http.response.body.content": "nederlands_bis.gif", + "input.type": "log", + "log.offset": 10903, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 388, + "rsa.time.event_time": "2002-10-23T10:25:53.000Z", + "rsa.time.event_time_str": "1035368753", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 999, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/nederlands_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:53.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368753.905 375 210.8.79.199 TCP_MISS/200 965 GET http://www.bealplanet.com/notices/img/japanese_bis.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "japanese_bis.gif", + "input.type": "log", + "log.offset": 11072, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + 
"rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 375, + "rsa.time.event_time": "2002-10-23T10:25:53.000Z", + "rsa.time.event_time_str": "1035368753", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 965, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/japanese_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:54.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368754.163 424 210.8.79.199 TCP_MISS/200 974 GET http://www.bealplanet.com/notices/img/portuges_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "portuges_bis.gif", + "input.type": "log", + "log.offset": 11239, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + 
"rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 424, + "rsa.time.event_time": "2002-10-23T10:25:54.000Z", + "rsa.time.event_time_str": "1035368754", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 974, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/portuges_bis.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:54.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368754.200 4246 210.8.79.192 TCP_MISS/200 15594 GET http://cybercatinc.com/banners/July/logo16.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "logo16.gif", + "input.type": "log", + "log.offset": 11406, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "cybercatinc.com", + "rsa.time.duration_time": 4246, + "rsa.time.event_time": "2002-10-23T10:25:54.000Z", + "rsa.time.event_time_str": "1035368754", + "rsa.web.alias_host": "cybercatinc.com", + "server.domain": 
"cybercatinc.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 15594, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "cybercatinc.com", + "url.original": "http://cybercatinc.com/banners/July/logo16.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:54.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368754.332 393 210.8.79.199 TCP_MISS/200 1661 GET http://www.bealplanet.com/notices/img/bout1bis_ang.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "bout1bis_ang.gif", + "input.type": "log", + "log.offset": 11560, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 393, + "rsa.time.event_time": "2002-10-23T10:25:54.000Z", + "rsa.time.event_time_str": "1035368754", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1661, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + 
"source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/bout1bis_ang.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:57.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368757.241 3100 210.8.79.199 TCP_MISS/200 1866 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "bout2bis_ang.gif", + "input.type": "log", + "log.offset": 11728, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 3100, + "rsa.time.event_time": "2002-10-23T10:25:57.000Z", + "rsa.time.event_time_str": "1035368757", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1866, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/bout2bis_ang.gif", + "user.name": [ + "-" + ] + }, 
+ { + "@timestamp": "2002-10-23T10:25:57.000Z", + "event.action": "TCP_MEM_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368757.301 0 210.8.79.199 TCP_MEM_HIT/200 1872 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - NONE/- image/gif", + "fileset.name": "log", + "http.response.body.content": "bout2bis_ang.gif", + "input.type": "log", + "log.offset": 11900, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.199" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MEM_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.bealplanet.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2002-10-23T10:25:57.000Z", + "rsa.time.event_time_str": "1035368757", + "rsa.web.alias_host": "www.bealplanet.com", + "server.domain": "www.bealplanet.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1872, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.bealplanet.com", + "url.original": "http://www.bealplanet.com/notices/img/bout2bis_ang.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:58.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368758.063 134 210.8.79.192 TCP_MISS/200 7436 GET http://www.frenchcum.com/ - PARENT_HIT/proxy1.syd.connect.com.au text/html", + 
"fileset.name": "log", + "input.type": "log", + "log.offset": 12034, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.frenchcum.com", + "rsa.time.duration_time": 134, + "rsa.time.event_time": "2002-10-23T10:25:58.000Z", + "rsa.time.event_time_str": "1035368758", + "rsa.web.alias_host": "www.frenchcum.com", + "server.domain": "www.frenchcum.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 7436, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.frenchcum.com", + "url.original": "http://www.frenchcum.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:25:59.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368759.420 5831 210.8.79.192 TCP_REFRESH_HIT/200 18075 GET http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "468x60-CFF-01.gif", + "input.type": "log", + "log.offset": 12166, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + 
"rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.cyberhairy.com", + "rsa.time.duration_time": 5831, + "rsa.time.event_time": "2002-10-23T10:25:59.000Z", + "rsa.time.event_time_str": "1035368759", + "rsa.web.alias_host": "www.cyberhairy.com", + "server.domain": "www.cyberhairy.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 18075, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.cyberhairy.com", + "url.original": "http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:01.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368761.410 15150 210.8.79.192 TCP_REFRESH_HIT/200 22445 GET http://www.girls-home-alone.com/banners/call-kelly.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "call-kelly.gif", + "input.type": "log", + "log.offset": 12343, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": 
"200", + "rsa.network.domain": "www.girls-home-alone.com", + "rsa.time.duration_time": 15150, + "rsa.time.event_time": "2002-10-23T10:26:01.000Z", + "rsa.time.event_time_str": "1035368761", + "rsa.web.alias_host": "www.girls-home-alone.com", + "server.domain": "www.girls-home-alone.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 22445, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.girls-home-alone.com", + "url.original": "http://www.girls-home-alone.com/banners/call-kelly.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:01.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368761.607 637 210.8.79.192 TCP_REFRESH_HIT/200 14489 GET http://cybercatinc.com/banners/July/npban_adult.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "npban_adult.gif", + "input.type": "log", + "log.offset": 12512, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "cybercatinc.com", + "rsa.time.duration_time": 637, + "rsa.time.event_time": "2002-10-23T10:26:01.000Z", + "rsa.time.event_time_str": "1035368761", + "rsa.web.alias_host": "cybercatinc.com", + "server.domain": 
"cybercatinc.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 14489, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "cybercatinc.com", + "url.original": "http://cybercatinc.com/banners/July/npban_adult.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:09.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368769.137 467 210.8.79.192 TCP_MISS/302 449 GET http://c2.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12678, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "c2.xxxcounter.com", + "rsa.time.duration_time": 467, + "rsa.time.event_time": "2002-10-23T10:26:09.000Z", + "rsa.time.event_time_str": "1035368769", + "rsa.web.alias_host": "c2.xxxcounter.com", + "server.domain": "c2.xxxcounter.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 449, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + 
"tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "c2.xxxcounter.com", + "url.original": "http://c2.xxxcounter.com/c2/id/2/148582/0/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:13.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368773.118 87 210.8.79.192 TCP_REFRESH_HIT/200 1762 GET http://www.frenchcum.com/eclair.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "eclair.gif", + "input.type": "log", + "log.offset": 12833, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.frenchcum.com", + "rsa.time.duration_time": 87, + "rsa.time.event_time": "2002-10-23T10:26:13.000Z", + "rsa.time.event_time_str": "1035368773", + "rsa.web.alias_host": "www.frenchcum.com", + "server.domain": "www.frenchcum.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1762, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.frenchcum.com", + "url.original": "http://www.frenchcum.com/eclair.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:13.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + 
"event.module": "squid", + "event.original": "1035368773.734 3183 210.8.79.192 TCP_REFRESH_HIT/200 3257 GET http://www.frenchcum.com/frenchcumnew.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "frenchcumnew.gif", + "input.type": "log", + "log.offset": 12982, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.frenchcum.com", + "rsa.time.duration_time": 3183, + "rsa.time.event_time": "2002-10-23T10:26:13.000Z", + "rsa.time.event_time_str": "1035368773", + "rsa.web.alias_host": "www.frenchcum.com", + "server.domain": "www.frenchcum.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 3257, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.frenchcum.com", + "url.original": "http://www.frenchcum.com/frenchcumnew.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:13.000Z", + "destination.as.number": 20857, + "destination.as.organization.name": "Transip B.V.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "NL", + "destination.geo.location.lat": 52.3824, + "destination.geo.location.lon": 4.8995, + "destination.ip": [ + "80.69.64.224" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + 
"event.module": "squid", + "event.original": "1035368773.875 3915 210.8.79.192 TCP_MISS/200 1388 GET http://www.usaminutes.tv/iframe_pix/index_3.php? - DIRECT/80.69.64.224 text/html", + "fileset.name": "log", + "http.response.body.content": "index_3.php", + "input.type": "log", + "log.offset": 13137, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "80.69.64.224", + "210.8.79.192" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.usaminutes.tv", + "rsa.time.duration_time": 3915, + "rsa.time.event_time": "2002-10-23T10:26:13.000Z", + "rsa.time.event_time_str": "1035368773", + "rsa.web.alias_host": "www.usaminutes.tv", + "server.domain": "www.usaminutes.tv", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1388, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.usaminutes.tv", + "url.original": "http://www.usaminutes.tv/iframe_pix/index_3.php?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:14.000Z", + "event.action": "TCP_REFRESH_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368774.928 1157 210.8.79.192 TCP_REFRESH_MISS/200 3600 GET http://www.frenchcum.com/oki02.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "oki02.gif", + "input.type": "log", + "log.offset": 
13275, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.frenchcum.com", + "rsa.time.duration_time": 1157, + "rsa.time.event_time": "2002-10-23T10:26:14.000Z", + "rsa.time.event_time_str": "1035368774", + "rsa.web.alias_host": "www.frenchcum.com", + "server.domain": "www.frenchcum.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 3600, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.frenchcum.com", + "url.original": "http://www.frenchcum.com/oki02.gif", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:15.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368775.066 2886 210.8.79.192 TCP_MISS/302 666 GET http://rr3.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13424, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + 
"rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "rr3.xxxcounter.com", + "rsa.time.duration_time": 2886, + "rsa.time.event_time": "2002-10-23T10:26:15.000Z", + "rsa.time.event_time_str": "1035368775", + "rsa.web.alias_host": "rr3.xxxcounter.com", + "server.domain": "rr3.xxxcounter.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 666, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "rr3.xxxcounter.com", + "url.original": "http://rr3.xxxcounter.com/c2/id/2/148582/0/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:15.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368775.140 43001 210.8.79.228 TCP_MISS/000 0 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au -", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c3.jpg", + "input.type": "log", + "log.offset": 13580, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 43001, + "rsa.time.event_time": "2002-10-23T10:26:15.000Z", + "rsa.time.event_time_str": 
"1035368775", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 0, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:15.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368775.441 619 210.8.79.192 TCP_MISS/200 6681 GET http://counter4.sextracker.com/c7/id/0/315043 - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "fileset.name": "log", + "http.response.body.content": "315043", + "input.type": "log", + "log.offset": 13741, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "counter4.sextracker.com", + "rsa.time.duration_time": 619, + "rsa.time.event_time": "2002-10-23T10:26:15.000Z", + "rsa.time.event_time_str": "1035368775", + "rsa.web.alias_host": "counter4.sextracker.com", + "server.domain": "counter4.sextracker.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 6681, + "source.geo.continent_name": "Oceania", + 
"source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "counter4.sextracker.com", + "url.original": "http://counter4.sextracker.com/c7/id/0/315043", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:15.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368775.871 570 210.8.79.228 TCP_MISS/200 1352 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r2_c6_f2.jpg", + "input.type": "log", + "log.offset": 13900, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 570, + "rsa.time.event_time": "2002-10-23T10:26:15.000Z", + "rsa.time.event_time_str": "1035368775", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1352, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": 
"http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:15.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368775.957 586 210.8.79.228 TCP_MISS/200 1630 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c1_f2.jpg", + "input.type": "log", + "log.offset": 14072, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 586, + "rsa.time.event_time": "2002-10-23T10:26:15.000Z", + "rsa.time.event_time_str": "1035368775", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1630, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:16.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": 
"squid", + "event.original": "1035368776.160 580 210.8.79.228 TCP_MISS/200 1487 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c2_f2.jpg", + "input.type": "log", + "log.offset": 14252, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 580, + "rsa.time.event_time": "2002-10-23T10:26:16.000Z", + "rsa.time.event_time_str": "1035368776", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1487, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:16.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368776.779 1559 210.8.79.228 TCP_MISS/200 23518 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au application/pdf", + "fileset.name": "log", + "http.response.body.content": 
"carafano.pdf", + "input.type": "log", + "log.offset": 14424, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "application/pdf", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 1559, + "rsa.time.event_time": "2002-10-23T10:26:16.000Z", + "rsa.time.event_time_str": "1035368776", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 23518, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/carafano.pdf", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:16.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368776.928 317 210.8.79.228 TCP_MISS/200 1390 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c3_f2.jpg", + "input.type": "log", + "log.offset": 14599, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + 
"rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 317, + "rsa.time.event_time": "2002-10-23T10:26:16.000Z", + "rsa.time.event_time_str": "1035368776", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1390, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:17.000Z", + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368777.082 1031 210.8.79.192 TCP_REFRESH_HIT/200 12995 GET http://www.usaminutes.tv/iframe_pix/7.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "7.jpg", + "input.type": "log", + "log.offset": 14779, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "PARENT_HIT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + 
"rsa.misc.result_code": "200", + "rsa.network.domain": "www.usaminutes.tv", + "rsa.time.duration_time": 1031, + "rsa.time.event_time": "2002-10-23T10:26:17.000Z", + "rsa.time.event_time_str": "1035368777", + "rsa.web.alias_host": "www.usaminutes.tv", + "server.domain": "www.usaminutes.tv", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 12995, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.usaminutes.tv", + "url.original": "http://www.usaminutes.tv/iframe_pix/7.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:17.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368777.709 4 202.67.67.124 TCP_DENIED/403 1119 GET http://rmapup.real.com/fcgi-bin/upgrade.fcgi? 
- NONE/- -", + "fileset.name": "log", + "http.response.body.content": "upgrade.fcgi", + "input.type": "log", + "log.offset": 14936, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "202.67.67.124" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "403", + "rsa.network.domain": "rmapup.real.com", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2002-10-23T10:26:17.000Z", + "rsa.time.event_time_str": "1035368777", + "rsa.web.alias_host": "rmapup.real.com", + "server.domain": "rmapup.real.com", + "service.type": "squid", + "source.as.number": 9443, + "source.as.organization.name": "Primus Telecommunications", + "source.bytes": 1119, + "source.geo.city_name": "Toongabbie", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.7908, + "source.geo.location.lon": 150.9469, + "source.geo.region_iso_code": "AU-NSW", + "source.geo.region_name": "New South Wales", + "source.ip": [ + "202.67.67.124" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "rmapup.real.com", + "url.original": "http://rmapup.real.com/fcgi-bin/upgrade.fcgi?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:17.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368777.800 309 210.8.79.228 TCP_MISS/200 1859 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c4_f2.jpg", + "input.type": "log", + "log.offset": 15053, + "observer.product": 
"Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 309, + "rsa.time.event_time": "2002-10-23T10:26:17.000Z", + "rsa.time.event_time_str": "1035368777", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 1859, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:17.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368777.845 955 210.8.79.228 TCP_MISS/200 22446 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - FIRST_PARENT_MISS/proxy2.syd.connect.com.au application/pdf", + "fileset.name": "log", + "http.response.body.content": "carafano.pdf", + "input.type": "log", + "log.offset": 15233, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "application/pdf", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 955, + "rsa.time.event_time": "2002-10-23T10:26:17.000Z", + "rsa.time.event_time_str": "1035368777", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 22446, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/carafano.pdf", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:18.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368778.102 452 210.8.79.192 TCP_MISS/302 450 GET http://c1.xxxcounter.com/c2/id/16/190203/0/ - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15400, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.192" + ], + "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "c1.xxxcounter.com", + "rsa.time.duration_time": 452, + "rsa.time.event_time": 
"2002-10-23T10:26:18.000Z", + "rsa.time.event_time_str": "1035368778", + "rsa.web.alias_host": "c1.xxxcounter.com", + "server.domain": "c1.xxxcounter.com", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 450, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.192" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "c1.xxxcounter.com", + "url.original": "http://c1.xxxcounter.com/c2/id/16/190203/0/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2002-10-23T10:26:18.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1035368778.117 317 210.8.79.228 TCP_MISS/200 1629 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "fileset.name": "log", + "http.response.body.content": "navbar_r4_c5_f2.jpg", + "input.type": "log", + "log.offset": 15564, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "210.8.79.228" + ], + "rsa.internal.hcode": "FIRST_PARENT_MISS", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.fas.harvard.edu", + "rsa.time.duration_time": 317, + "rsa.time.event_time": "2002-10-23T10:26:18.000Z", + "rsa.time.event_time_str": "1035368778", + "rsa.web.alias_host": "www.fas.harvard.edu", + "server.domain": "www.fas.harvard.edu", + "service.type": "squid", + "source.as.number": 2764, + "source.as.organization.name": "AAPT Limited", + "source.bytes": 
1629, + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "210.8.79.228" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.fas.harvard.edu", + "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg", + "user.name": [ + "-" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access3.log b/x-pack/filebeat/module/squid/log/test/access3.log new file mode 100644 index 00000000000..66c9fb45ddf --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/access3.log 
@@ -0,0 +1,100 @@
+1348870295.249 59723 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
+1348870298.072 59140 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348870316.251 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -
+1348870321.251 60143 192.168.0.35 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/- -
+1348870325.850 9 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870326.168 95 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870326.810 124 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870327.186 169 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870327.634 71 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870327.842 1 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870327.958 67795 192.168.0.35 TCP_MISS/000 0 GET http://www.amazon.com/ - DIRECT/www.amazon.com -
+1348870346.253 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -
+1348870404.068 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348870563.266 60119 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
+1348870584.268 60142 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348870653.273 60096 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
+1348870689.175 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348870772.279 155623 192.168.0.35 TCP_MISS/503 3310 GET http://clients2.google.com/service/update2/crx? - DIRECT/clients2.google.com text/html
+1348870869.283 60063 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348870947.061 39 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870947.797 268 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870949.342 163 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870949.733 191 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870950.054 120 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
+1348870974.291 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348871088.713 137787 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/ - DIRECT/www.google.com -
+1348871102.295 13511 192.168.0.35 TCP_MISS/503 4436 GET http://www.google.com/ - DIRECT/www.google.com text/html
+1348871159.296 59931 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
+1348871160.382 3 192.168.0.35 TCP_MISS/503 4244 GET http://www.google.com/ - NONE/- text/html
+1348871190.265 174 192.168.0.35 TCP_MISS/200 28149 GET http://www.google.com/ - DIRECT/74.125.131.147 text/html
+1348871190.364 26 192.168.0.35 TCP_MISS/304 290 GET http://www.google.com/images/srpr/logo3w.png - DIRECT/74.125.131.147 -
+1348871190.477 136 192.168.0.35 TCP_MISS/200 166258 GET http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA - DIRECT/74.125.131.147 text/javascript
+1348871190.671 50 192.168.0.35 TCP_MISS/200 20129 GET http://www.google.com/extern_chrome/359533f6f71ee9c1.js - DIRECT/74.125.131.147 text/javascript
+1348871190.763 36 192.168.0.35 TCP_MISS/204 369 GET http://www.google.com/csi? - DIRECT/74.125.131.147 image/gif
+1348871195.222 58 192.168.0.35 TCP_MISS/200 2831 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
+1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
+1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
+1348871203.841 9011 192.168.0.35 TCP_MISS/200 11085 CONNECT apis.google.com:443 - DIRECT/74.125.228.6 -
+1348871203.843 8681 192.168.0.35 TCP_MISS/200 63315 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
+1348871203.843 8682 192.168.0.35 TCP_MISS/200 404199 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
+1348871203.849 9482 192.168.0.35 TCP_MISS/200 192122 CONNECT play.google.com:443 - DIRECT/74.125.228.14 -
+1348871203.851 8989 192.168.0.35 TCP_MISS/200 8875 CONNECT www.google.com:443 - DIRECT/74.125.131.147 -
+1348871203.852 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
+1348871203.853 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
+1348871203.853 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
+1348871203.854 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
+1348871203.854 8688 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
+1349057385.253 170 192.168.0.35 TCP_MISS/200 574 GET http://clients1.google.com/tools/swg2/update? - DIRECT/74.125.228.97 text/plain
+1349057413.337 170 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -
+1349057425.626 147 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -
+1349057446.149 1715 192.168.0.35 TCP_MISS/200 2921 CONNECT docs.google.com:443 - DIRECT/74.125.228.100 -
+1349057446.149 417 192.168.0.35 TCP_MISS/200 4161 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
+1349057446.974 119 192.168.0.35 TCP_MISS/200 4153 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
+1349057451.693 4784 192.168.0.35 TCP_MISS/200 2201 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -
+1349057451.694 652 192.168.0.35 TCP_MISS/200 12807 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
+1349057451.719 4875 192.168.0.35 TCP_MISS/200 4132 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
+1349057452.613 815 192.168.0.35 TCP_MISS/200 3481 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
+1349057466.259 467 192.168.0.35 TCP_MISS/200 161462 GET http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog - DIRECT/208.44.23.184 application/x-apple-plist
+1349057469.784 470 192.168.0.35 TCP_MISS/200 6546 GET http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist - DIRECT/208.44.23.185 text/xml
+1349057470.770 334 192.168.0.35 TCP_MISS/200 31622 GET http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist - DIRECT/208.44.23.185 text/plain
+1349057470.907 109 192.168.0.35 TCP_MISS/200 3798 GET http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist - DIRECT/208.44.23.185 text/xml
+1349057472.794 219 192.168.0.35 TCP_MISS/200 7217 GET http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist - DIRECT/208.44.23.185 text/plain
+1349057472.980 109 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist - DIRECT/208.44.23.185 text/xml
+1349057473.173 110 192.168.0.35 TCP_MISS/200 6939 GET http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist - DIRECT/208.44.23.185 text/xml
+1349057473.340 111 192.168.0.35 TCP_MISS/200 5451 GET http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist - DIRECT/208.44.23.185 text/plain
+1349057473.825 330 192.168.0.35 TCP_MISS/200 18008 GET http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist - DIRECT/208.44.23.185 text/plain
+1349057474.139 221 192.168.0.35 TCP_MISS/200 6992 GET http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist - DIRECT/208.44.23.185 text/xml
+1349057474.330 112 192.168.0.35 TCP_MISS/200 4197 GET http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist - DIRECT/208.44.23.185 text/xml
+1349057474.842 329 192.168.0.35 TCP_MISS/200 19447 GET http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist - DIRECT/208.44.23.185 text/xml
+1349057475.092 221 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist - DIRECT/208.44.23.185 text/xml
+1349057475.582 434 192.168.0.35 TCP_MISS/200 5297 GET http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist - DIRECT/208.44.23.185 text/xml
+1349057475.860 217 192.168.0.35 TCP_MISS/200 6480 GET http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist - DIRECT/208.44.23.185 text/xml
+1349057476.242 331 192.168.0.35 TCP_MISS/200 18211 GET http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist - DIRECT/208.44.23.185 text/xml
+1349057476.800 543 192.168.0.35 TCP_MISS/200 6525 GET http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist - DIRECT/208.44.23.185 text/plain
+1349057477.417 552 192.168.0.35 TCP_MISS/200 19458 GET http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist - DIRECT/208.44.23.185 text/plain
+1349057478.304 870 192.168.0.35 TCP_MISS/200 18041 GET http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist - DIRECT/208.44.23.185 text/xml
+1349057478.759 437 192.168.0.35 TCP_MISS/200 17576 GET http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist - DIRECT/208.44.23.185 text/plain
+1349057478.905 111 192.168.0.35 TCP_MISS/200 6991 GET http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist - DIRECT/208.44.23.185 text/xml
+1349057479.343 332 192.168.0.35 TCP_MISS/200 25935 GET http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist - DIRECT/208.44.23.185 text/xml
+1349057479.593 223 192.168.0.35 TCP_MISS/200 18205 GET http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist - DIRECT/208.44.23.185 text/xml
+1349057479.728 110 192.168.0.35 TCP_MISS/200 7326 GET http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist - DIRECT/208.44.23.185 text/plain
+1349057479.893 111 192.168.0.35 TCP_MISS/200 6973 GET http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist - DIRECT/208.44.23.185 text/xml
+1349057480.599 679 192.168.0.35 TCP_MISS/200 6748 GET http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist - DIRECT/208.44.23.185 text/xml
+1349057481.530 889 192.168.0.35 TCP_MISS/200 19858 GET http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist - DIRECT/208.44.23.185 text/xml
+1349057482.097 550 192.168.0.35 TCP_MISS/200 19848 GET http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist - DIRECT/208.44.23.185 text/xml
+1349057483.427 771 192.168.0.35 TCP_MISS/200 38188 GET http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist - DIRECT/208.44.23.185 text/xml
+1349057483.787 320 192.168.0.35 TCP_MISS/200 8913 GET http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist - DIRECT/208.44.23.185 text/xml
+1349057484.139 222 192.168.0.35 TCP_MISS/200 8113 GET http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist - DIRECT/208.44.23.185 text/xml
+1349057486.034 1694 192.168.0.35 TCP_MISS/200 31969 GET http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist - DIRECT/208.44.23.185 text/xml
+1349057486.672 550 192.168.0.35 TCP_MISS/200 31972 GET http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist - DIRECT/208.44.23.185 text/xml
+1349057487.172 436 192.168.0.35 TCP_MISS/200 23087 GET http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist - DIRECT/208.44.23.185 text/xml
+1349057583.918 101348 192.168.0.35 TCP_MISS/200 2488 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -
+1349057583.929 100999 192.168.0.35 TCP_MISS/200 2974 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
+1349057583.929 105631 192.168.0.35 TCP_MISS/200 2969 CONNECT clients4.google.com:443 - DIRECT/74.125.228.96 -
+1349057583.929 43683 192.168.0.35 TCP_MISS/200 662274 CONNECT safebrowsing-cache.google.com:443 - DIRECT/74.125.228.101 -
+1349057583.930 44106 192.168.0.35 TCP_MISS/200 6152 CONNECT safebrowsing.google.com:443 - DIRECT/74.125.228.102 -
+1349057715.339 267 192.168.0.35 TCP_MISS/302 379 GET http://www.facebook.com/ - DIRECT/69.171.228.74 text/html
+1349057718.031 2684 192.168.0.35 TCP_MISS/200 1871 CONNECT s-static.ak.facebook.com:443 - DIRECT/23.62.194.110 -
+1349057718.398 3047 192.168.0.35 TCP_MISS/200 87179 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -
+1349057719.228 3879 192.168.0.35 TCP_MISS/200 2894 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -
diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
new file mode 100644
index 00000000000..7a040eec325
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
@@ -0,0 +1,5520 @@ +[ + { + "@timestamp": "2012-09-28T22:11:35.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870295.249 59723 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "safebrowsing.google.com", + "rsa.time.duration_time": 59723, + "rsa.time.event_time": "2012-09-28T22:11:35.000Z", + "rsa.time.event_time_str": "1348870295", + "rsa.web.alias_host": "safebrowsing.google.com", + "server.domain": "safebrowsing.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "safebrowsing.google.com", + "url.original": "safebrowsing.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:11:38.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870298.072 59140 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 99, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + 
"TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 59140, + "rsa.time.event_time": "2012-09-28T22:11:38.000Z", + "rsa.time.event_time_str": "1348870298", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:11:56.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870316.251 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 194, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients4.google.com", + "rsa.time.duration_time": 60022, + "rsa.time.event_time": "2012-09-28T22:11:56.000Z", + "rsa.time.event_time_str": "1348870316", + "rsa.web.alias_host": "clients4.google.com", + "server.domain": "clients4.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients4.google.com", + "url.original": "clients4.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:01.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870321.251 60143 192.168.0.35 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 289, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 60143, + "rsa.time.event_time": "2012-09-28T22:12:01.000Z", + "rsa.time.event_time_str": "1348870321", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:05.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870325.850 9 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 379, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 9, + "rsa.time.event_time": "2012-09-28T22:12:05.000Z", + "rsa.time.event_time_str": "1348870325", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:06.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870326.168 95 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 498, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 95, + "rsa.time.event_time": "2012-09-28T22:12:06.000Z", + "rsa.time.event_time_str": "1348870326", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:06.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870326.810 124 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 617, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 124, + "rsa.time.event_time": "2012-09-28T22:12:06.000Z", + "rsa.time.event_time_str": "1348870326", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:07.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870327.186 169 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 736, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 169, + "rsa.time.event_time": "2012-09-28T22:12:07.000Z", + "rsa.time.event_time_str": "1348870327", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:07.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870327.634 71 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 855, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 71, + "rsa.time.event_time": "2012-09-28T22:12:07.000Z", + "rsa.time.event_time_str": "1348870327", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:07.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870327.842 1 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 974, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2012-09-28T22:12:07.000Z", + "rsa.time.event_time_str": "1348870327", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:07.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870327.958 67795 192.168.0.35 TCP_MISS/000 0 GET http://www.amazon.com/ - DIRECT/www.amazon.com -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1093, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.amazon.com", + "rsa.time.duration_time": 67795, + 
"rsa.time.event_time": "2012-09-28T22:12:07.000Z", + "rsa.time.event_time_str": "1348870327", + "rsa.web.alias_host": "www.amazon.com", + "server.domain": "www.amazon.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.amazon.com", + "url.original": "http://www.amazon.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:12:26.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870346.253 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1196, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients4.google.com", + "rsa.time.duration_time": 60022, + "rsa.time.event_time": "2012-09-28T22:12:26.000Z", + "rsa.time.event_time_str": "1348870346", + "rsa.web.alias_host": "clients4.google.com", + "server.domain": "clients4.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients4.google.com", + "url.original": "clients4.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:13:24.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870404.068 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + 
"input.type": "log", + "log.offset": 1291, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "404", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2012-09-28T22:13:24.000Z", + "rsa.time.event_time_str": "1348870404", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:16:03.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870563.266 60119 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1386, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "safebrowsing.google.com", + "rsa.time.duration_time": 60119, + "rsa.time.event_time": "2012-09-28T22:16:03.000Z", + "rsa.time.event_time_str": "1348870563", + "rsa.web.alias_host": "safebrowsing.google.com", + "server.domain": 
"safebrowsing.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "safebrowsing.google.com", + "url.original": "safebrowsing.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:16:24.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870584.268 60142 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1485, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 60142, + "rsa.time.event_time": "2012-09-28T22:16:24.000Z", + "rsa.time.event_time_str": "1348870584", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:17:33.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870653.273 60096 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1580, + "observer.product": "Proxy", + "observer.type": "Proxies", + 
"observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "safebrowsing.google.com", + "rsa.time.duration_time": 60096, + "rsa.time.event_time": "2012-09-28T22:17:33.000Z", + "rsa.time.event_time_str": "1348870653", + "rsa.web.alias_host": "safebrowsing.google.com", + "server.domain": "safebrowsing.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "safebrowsing.google.com", + "url.original": "safebrowsing.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:18:09.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870689.175 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1679, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "404", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2012-09-28T22:18:09.000Z", + "rsa.time.event_time_str": "1348870689", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + 
"tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:19:32.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870772.279 155623 192.168.0.35 TCP_MISS/503 3310 GET http://clients2.google.com/service/update2/crx? - DIRECT/clients2.google.com text/html", + "fileset.name": "log", + "http.response.body.content": "crx", + "input.type": "log", + "log.offset": 1774, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients2.google.com", + "rsa.time.duration_time": 155623, + "rsa.time.event_time": "2012-09-28T22:19:32.000Z", + "rsa.time.event_time_str": "1348870772", + "rsa.web.alias_host": "clients2.google.com", + "server.domain": "clients2.google.com", + "service.type": "squid", + "source.bytes": 3310, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients2.google.com", + "url.original": "http://clients2.google.com/service/update2/crx?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:21:09.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870869.283 60063 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1918, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 60063, + "rsa.time.event_time": "2012-09-28T22:21:09.000Z", + "rsa.time.event_time_str": "1348870869", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:22:27.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870947.061 39 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 2013, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 39, + "rsa.time.event_time": "2012-09-28T22:22:27.000Z", + "rsa.time.event_time_str": "1348870947", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:22:27.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870947.797 268 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 2132, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 268, + "rsa.time.event_time": "2012-09-28T22:22:27.000Z", + "rsa.time.event_time_str": "1348870947", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:22:29.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870949.342 163 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 2251, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 163, + "rsa.time.event_time": "2012-09-28T22:22:29.000Z", + "rsa.time.event_time_str": "1348870949", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:22:29.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870949.733 191 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 2370, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 191, + "rsa.time.event_time": "2012-09-28T22:22:29.000Z", + "rsa.time.event_time_str": "1348870949", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:22:30.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870950.054 120 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", + "fileset.name": "log", + "http.response.body.content": "search", + "input.type": "log", + "log.offset": 2489, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 120, + "rsa.time.event_time": "2012-09-28T22:22:30.000Z", + "rsa.time.event_time_str": "1348870950", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/complete/search?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:22:54.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348870974.291 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2608, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "404", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2012-09-28T22:22:54.000Z", + 
"rsa.time.event_time_str": "1348870974", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:24:48.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871088.713 137787 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/ - DIRECT/www.google.com -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2703, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "000", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 137787, + "rsa.time.event_time": "2012-09-28T22:24:48.000Z", + "rsa.time.event_time_str": "1348871088", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:25:02.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871102.295 13511 192.168.0.35 TCP_MISS/503 4436 GET http://www.google.com/ - DIRECT/www.google.com text/html", + "fileset.name": 
"log", + "input.type": "log", + "log.offset": 2806, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "503", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 13511, + "rsa.time.event_time": "2012-09-28T22:25:02.000Z", + "rsa.time.event_time_str": "1348871102", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 4436, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:25:59.000Z", + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871159.296 59931 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2920, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "503", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 59931, + "rsa.time.event_time": "2012-09-28T22:25:59.000Z", + "rsa.time.event_time_str": "1348871159", + "rsa.web.alias_host": "clients3.google.com", 
+ "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:00.000Z", + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871160.382 3 192.168.0.35 TCP_MISS/503 4244 GET http://www.google.com/ - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3015, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "503", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 3, + "rsa.time.event_time": "2012-09-28T22:26:00.000Z", + "rsa.time.event_time_str": "1348871160", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 4244, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:30.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.131.147" + ], + "event.action": "TCP_MISS", + "event.code": 
"GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871190.265 174 192.168.0.35 TCP_MISS/200 28149 GET http://www.google.com/ - DIRECT/74.125.131.147 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3114, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.131.147" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 174, + "rsa.time.event_time": "2012-09-28T22:26:30.000Z", + "rsa.time.event_time_str": "1348871190", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 28149, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:30.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.131.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871190.364 26 192.168.0.35 TCP_MISS/304 290 GET http://www.google.com/images/srpr/logo3w.png - DIRECT/74.125.131.147 -", + "fileset.name": "log", + "http.response.body.content": "logo3w.png", + "input.type": "log", + "log.offset": 3229, + 
"observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.131.147", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 26, + "rsa.time.event_time": "2012-09-28T22:26:30.000Z", + "rsa.time.event_time_str": "1348871190", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 290, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/images/srpr/logo3w.png", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:30.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.131.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871190.477 136 192.168.0.35 TCP_MISS/200 166258 GET http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA - DIRECT/74.125.131.147 text/javascript", + "fileset.name": "log", + "http.response.body.content": "rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", + "input.type": "log", + "log.offset": 3356, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.131.147", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 136, + "rsa.time.event_time": "2012-09-28T22:26:30.000Z", + "rsa.time.event_time_str": "1348871190", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 166258, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:30.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.131.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871190.671 50 192.168.0.35 TCP_MISS/200 20129 GET http://www.google.com/extern_chrome/359533f6f71ee9c1.js - DIRECT/74.125.131.147 text/javascript", + "fileset.name": "log", + "http.response.body.content": "359533f6f71ee9c1.js", + "input.type": "log", + "log.offset": 3697, + "observer.product": "Proxy", + "observer.type": 
"Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.131.147", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 50, + "rsa.time.event_time": "2012-09-28T22:26:30.000Z", + "rsa.time.event_time_str": "1348871190", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 20129, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/extern_chrome/359533f6f71ee9c1.js", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:30.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.131.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871190.763 36 192.168.0.35 TCP_MISS/204 369 GET http://www.google.com/csi? 
- DIRECT/74.125.131.147 image/gif", + "fileset.name": "log", + "http.response.body.content": "csi", + "input.type": "log", + "log.offset": 3851, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.131.147" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "204", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 36, + "rsa.time.event_time": "2012-09-28T22:26:30.000Z", + "rsa.time.event_time_str": "1348871190", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 369, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/csi?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:35.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.3" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871195.222 58 192.168.0.35 TCP_MISS/200 2831 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3968, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.3" + ], + "rsa.internal.hcode": "DIRECT", + 
"rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "encrypted.google.com", + "rsa.time.duration_time": 58, + "rsa.time.event_time": "2012-09-28T22:26:35.000Z", + "rsa.time.event_time_str": "1348871195", + "rsa.web.alias_host": "encrypted.google.com", + "server.domain": "encrypted.google.com", + "service.type": "squid", + "source.bytes": 2831, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "encrypted.google.com", + "url.original": "encrypted.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:35.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.3" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4078, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.3", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "encrypted.google.com", + "rsa.time.duration_time": 62, + "rsa.time.event_time": 
"2012-09-28T22:26:35.000Z", + "rsa.time.event_time_str": "1348871195", + "rsa.web.alias_host": "encrypted.google.com", + "server.domain": "encrypted.google.com", + "service.type": "squid", + "source.bytes": 2536, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "encrypted.google.com", + "url.original": "encrypted.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:35.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.3" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4188, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.3", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "encrypted.google.com", + "rsa.time.duration_time": 62, + "rsa.time.event_time": "2012-09-28T22:26:35.000Z", + "rsa.time.event_time_str": "1348871195", + "rsa.web.alias_host": "encrypted.google.com", + "server.domain": "encrypted.google.com", + "service.type": "squid", + "source.bytes": 2536, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "encrypted.google.com", + "url.original": 
"encrypted.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.6" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.841 9011 192.168.0.35 TCP_MISS/200 11085 CONNECT apis.google.com:443 - DIRECT/74.125.228.6 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4298, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.6" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "apis.google.com", + "rsa.time.duration_time": 9011, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "apis.google.com", + "server.domain": "apis.google.com", + "service.type": "squid", + "source.bytes": 11085, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "apis.google.com", + "url.original": "apis.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": 
[ + "74.125.228.3" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.843 8681 192.168.0.35 TCP_MISS/200 63315 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4404, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.3", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "encrypted.google.com", + "rsa.time.duration_time": 8681, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "encrypted.google.com", + "server.domain": "encrypted.google.com", + "service.type": "squid", + "source.bytes": 63315, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "encrypted.google.com", + "url.original": "encrypted.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.843 8682 192.168.0.35 TCP_MISS/200 404199 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4515, + "observer.product": "Proxy", 
+ "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.14", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 8682, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 404199, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.849 9482 192.168.0.35 TCP_MISS/200 192122 CONNECT play.google.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4619, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.14", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + 
"rsa.network.domain": "play.google.com", + "rsa.time.duration_time": 9482, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "play.google.com", + "server.domain": "play.google.com", + "service.type": "squid", + "source.bytes": 192122, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "play.google.com", + "url.original": "play.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.131.147" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.851 8989 192.168.0.35 TCP_MISS/200 8875 CONNECT www.google.com:443 - DIRECT/74.125.131.147 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4727, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.131.147" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 8989, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 8875, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + 
"url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.852 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4833, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.14" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 8685, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 2815, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, 
+ "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.853 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4935, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.14" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 8686, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 2815, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.853 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5037, + "observer.product": "Proxy", + "observer.type": "Proxies", + 
"observer.vendor": "Squid", + "related.ip": [ + "74.125.228.14", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 8685, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 2815, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.854 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5139, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.14" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + 
"rsa.time.duration_time": 8686, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 2815, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-09-28T22:26:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1348871203.854 8688 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5241, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.14" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 8688, + "rsa.time.event_time": "2012-09-28T22:26:43.000Z", + "rsa.time.event_time_str": "1348871203", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 2815, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": 
[ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:09:45.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.97" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057385.253 170 192.168.0.35 TCP_MISS/200 574 GET http://clients1.google.com/tools/swg2/update? - DIRECT/74.125.228.97 text/plain", + "fileset.name": "log", + "http.response.body.content": "update", + "input.type": "log", + "log.offset": 5343, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.97" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 170, + "rsa.time.event_time": "2012-10-01T02:09:45.000Z", + "rsa.time.event_time_str": "1349057385", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 574, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/tools/swg2/update?", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:13.000Z", + "destination.as.number": 16625, + "destination.as.organization.name": "Akamai Technologies, Inc.", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "23.11.236.224" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057413.337 170 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5479, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "23.11.236.224", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "configuration.apple.com", + "rsa.time.duration_time": 170, + "rsa.time.event_time": "2012-10-01T02:10:13.000Z", + "rsa.time.event_time_str": "1349057413", + "rsa.web.alias_host": "configuration.apple.com", + "server.domain": "configuration.apple.com", + "service.type": "squid", + "source.bytes": 8577, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "configuration.apple.com", + "url.original": "configuration.apple.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:25.000Z", + "destination.as.number": 16625, + "destination.as.organization.name": "Akamai Technologies, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "23.11.236.224" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057425.626 147 
192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5593, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "23.11.236.224", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "configuration.apple.com", + "rsa.time.duration_time": 147, + "rsa.time.event_time": "2012-10-01T02:10:25.000Z", + "rsa.time.event_time_str": "1349057425", + "rsa.web.alias_host": "configuration.apple.com", + "server.domain": "configuration.apple.com", + "service.type": "squid", + "source.bytes": 8577, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "configuration.apple.com", + "url.original": "configuration.apple.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:46.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057446.149 1715 192.168.0.35 TCP_MISS/200 2921 CONNECT docs.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5707, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.100" + ], + "rsa.internal.hcode": "DIRECT", + 
"rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 1715, + "rsa.time.event_time": "2012-10-01T02:10:46.000Z", + "rsa.time.event_time_str": "1349057446", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 2921, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:46.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057446.149 417 192.168.0.35 TCP_MISS/200 4161 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5814, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.100", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 417, + "rsa.time.event_time": "2012-10-01T02:10:46.000Z", + 
"rsa.time.event_time_str": "1349057446", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 4161, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:46.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057446.974 119 192.168.0.35 TCP_MISS/200 4153 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5925, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.100" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 119, + "rsa.time.event_time": "2012-10-01T02:10:46.000Z", + "rsa.time.event_time_str": "1349057446", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 4153, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + 
"-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:51.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.73.104" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057451.693 4784 192.168.0.35 TCP_MISS/200 2201 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6036, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "173.194.73.104" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 4784, + "rsa.time.event_time": "2012-10-01T02:10:51.000Z", + "rsa.time.event_time_str": "1349057451", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 2201, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:51.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": 
"TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057451.694 652 192.168.0.35 TCP_MISS/200 12807 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6142, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.100" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 652, + "rsa.time.event_time": "2012-10-01T02:10:51.000Z", + "rsa.time.event_time_str": "1349057451", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 12807, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:51.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057451.719 4875 192.168.0.35 TCP_MISS/200 4132 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6254, + "observer.product": "Proxy", + "observer.type": "Proxies", + 
"observer.vendor": "Squid", + "related.ip": [ + "74.125.228.100", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 4875, + "rsa.time.event_time": "2012-10-01T02:10:51.000Z", + "rsa.time.event_time_str": "1349057451", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 4132, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:10:52.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057452.613 815 192.168.0.35 TCP_MISS/200 3481 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6365, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.100" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", 
+ "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 815, + "rsa.time.event_time": "2012-10-01T02:10:52.000Z", + "rsa.time.event_time_str": "1349057452", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 3481, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:06.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.184" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057466.259 467 192.168.0.35 TCP_MISS/200 161462 GET http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog - DIRECT/208.44.23.184 application/x-apple-plist", + "fileset.name": "log", + "http.response.body.content": "index-windows-1.sucatalog", + "input.type": "log", + "log.offset": 6476, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.184", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "application/x-apple-plist", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcatalog.apple.com", + "rsa.time.duration_time": 467, + "rsa.time.event_time": "2012-10-01T02:11:06.000Z", + 
"rsa.time.event_time_str": "1349057466", + "rsa.web.alias_host": "swcatalog.apple.com", + "server.domain": "swcatalog.apple.com", + "service.type": "squid", + "source.bytes": 161462, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcatalog.apple.com", + "url.original": "http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:09.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057469.784 470 192.168.0.35 TCP_MISS/200 6546 GET http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-8153.English.dist", + "input.type": "log", + "log.offset": 6661, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 470, + "rsa.time.event_time": "2012-10-01T02:11:09.000Z", + "rsa.time.event_time_str": "1349057469", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": 
"swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6546, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": "http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:10.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057470.770 334 192.168.0.35 TCP_MISS/200 31622 GET http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "061-3418.English.dist", + "input.type": "log", + "log.offset": 6863, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 334, + "rsa.time.event_time": "2012-10-01T02:11:10.000Z", + "rsa.time.event_time_str": "1349057470", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 31622, + "source.ip": 
[ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": "http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:10.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057470.907 109 192.168.0.35 TCP_MISS/200 3798 GET http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-6867.English.dist", + "input.type": "log", + "log.offset": 7068, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 109, + "rsa.time.event_time": "2012-10-01T02:11:10.000Z", + "rsa.time.event_time_str": "1349057470", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 3798, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"swcdn.apple.com", + "url.original": "http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:12.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057472.794 219 192.168.0.35 TCP_MISS/200 7217 GET http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "061-4512.English.dist", + "input.type": "log", + "log.offset": 7270, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 219, + "rsa.time.event_time": "2012-10-01T02:11:12.000Z", + "rsa.time.event_time_str": "1349057472", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 7217, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:12.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057472.980 109 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-7511.English.dist", + "input.type": "log", + "log.offset": 7474, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 109, + "rsa.time.event_time": "2012-10-01T02:11:12.000Z", + "rsa.time.event_time_str": "1349057472", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 7370, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:13.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057473.173 110 192.168.0.35 TCP_MISS/200 6939 GET http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-4514.English.dist", + "input.type": "log", + "log.offset": 7676, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 110, + "rsa.time.event_time": "2012-10-01T02:11:13.000Z", + "rsa.time.event_time_str": "1349057473", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6939, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:13.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057473.340 111 192.168.0.35 TCP_MISS/200 5451 GET http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "061-7340.English.dist", + "input.type": "log", + "log.offset": 7878, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 111, + "rsa.time.event_time": "2012-10-01T02:11:13.000Z", + "rsa.time.event_time_str": "1349057473", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 5451, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:13.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057473.825 330 192.168.0.35 TCP_MISS/200 18008 GET http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "041-3097.English.dist", + "input.type": "log", + "log.offset": 8082, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 330, + "rsa.time.event_time": "2012-10-01T02:11:13.000Z", + "rsa.time.event_time_str": "1349057473", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 18008, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:14.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057474.139 221 192.168.0.35 TCP_MISS/200 6992 GET http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-9539.English.dist", + "input.type": "log", + "log.offset": 8287, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 221, + "rsa.time.event_time": "2012-10-01T02:11:14.000Z", + "rsa.time.event_time_str": "1349057474", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6992, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:14.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057474.330 112 192.168.0.35 TCP_MISS/200 4197 GET http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-3452.English.dist", + "input.type": "log", + "log.offset": 8489, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 112, + "rsa.time.event_time": "2012-10-01T02:11:14.000Z", + "rsa.time.event_time_str": "1349057474", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 4197, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:14.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057474.842 329 192.168.0.35 TCP_MISS/200 19447 GET http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-0517.English.dist", + "input.type": "log", + "log.offset": 8694, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 329, + "rsa.time.event_time": "2012-10-01T02:11:14.000Z", + "rsa.time.event_time_str": "1349057474", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 19447, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:15.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057475.092 221 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-7509.English.dist", + "input.type": "log", + "log.offset": 8897, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 221, + "rsa.time.event_time": "2012-10-01T02:11:15.000Z", + "rsa.time.event_time_str": "1349057475", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 7370, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:15.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057475.582 434 192.168.0.35 TCP_MISS/200 5297 GET http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-1673.English.dist", + "input.type": "log", + "log.offset": 9099, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 434, + "rsa.time.event_time": "2012-10-01T02:11:15.000Z", + "rsa.time.event_time_str": "1349057475", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 5297, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:15.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057475.860 217 192.168.0.35 TCP_MISS/200 6480 GET http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-4249.English.dist", + "input.type": "log", + "log.offset": 9301, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 217, + "rsa.time.event_time": "2012-10-01T02:11:15.000Z", + "rsa.time.event_time_str": "1349057475", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6480, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:16.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057476.242 331 192.168.0.35 TCP_MISS/200 18211 GET http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-5790.English.dist", + "input.type": "log", + "log.offset": 9503, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 331, + "rsa.time.event_time": "2012-10-01T02:11:16.000Z", + "rsa.time.event_time_str": "1349057476", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 18211, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:16.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057476.800 543 192.168.0.35 TCP_MISS/200 6525 GET http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "061-8155.English.dist", + "input.type": "log", + "log.offset": 9706, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 543, + "rsa.time.event_time": "2012-10-01T02:11:16.000Z", + "rsa.time.event_time_str": "1349057476", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6525, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:17.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057477.417 552 192.168.0.35 TCP_MISS/200 19458 GET http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "041-0516.English.dist", + "input.type": "log", + "log.offset": 9910, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 552, + "rsa.time.event_time": "2012-10-01T02:11:17.000Z", + "rsa.time.event_time_str": "1349057477", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 19458, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:18.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057478.304 870 192.168.0.35 TCP_MISS/200 18041 GET http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-9848.English.dist", + "input.type": "log", + "log.offset": 10115, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 870, + "rsa.time.event_time": "2012-10-01T02:11:18.000Z", + "rsa.time.event_time_str": "1349057478", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 18041, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:18.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057478.759 437 192.168.0.35 TCP_MISS/200 17576 GET http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "041-1676.English.dist", + "input.type": "log", + "log.offset": 10318, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 437, + "rsa.time.event_time": "2012-10-01T02:11:18.000Z", + "rsa.time.event_time_str": "1349057478", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 17576, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:18.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057478.905 111 192.168.0.35 TCP_MISS/200 6991 GET http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-9537.English.dist", + "input.type": "log", + "log.offset": 10523, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 111, + "rsa.time.event_time": "2012-10-01T02:11:18.000Z", + "rsa.time.event_time_str": "1349057478", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6991, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:19.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057479.343 332 192.168.0.35 TCP_MISS/200 25935 GET http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-4336.English.dist", + "input.type": "log", + "log.offset": 10725, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 332, + "rsa.time.event_time": "2012-10-01T02:11:19.000Z", + "rsa.time.event_time_str": "1349057479", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 25935, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:19.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057479.593 223 192.168.0.35 TCP_MISS/200 18205 GET http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-5850.English.dist", + "input.type": "log", + "log.offset": 10928, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 223, + "rsa.time.event_time": "2012-10-01T02:11:19.000Z", + "rsa.time.event_time_str": "1349057479", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 18205, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:19.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057479.728 110 192.168.0.35 TCP_MISS/200 7326 GET http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist - DIRECT/208.44.23.185 text/plain", + "fileset.name": "log", + "http.response.body.content": "061-4513.English.dist", + "input.type": "log", + "log.offset": 11131, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 110, + "rsa.time.event_time": "2012-10-01T02:11:19.000Z", + "rsa.time.event_time_str": "1349057479", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 7326, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:19.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057479.893 111 192.168.0.35 TCP_MISS/200 6973 GET http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-7306.English.dist", + "input.type": "log", + "log.offset": 11335, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 111, + "rsa.time.event_time": "2012-10-01T02:11:19.000Z", + "rsa.time.event_time_str": "1349057479", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6973, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:20.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057480.599 679 192.168.0.35 TCP_MISS/200 6748 GET http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "061-4200.English.dist", + "input.type": "log", + "log.offset": 11537, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 679, + "rsa.time.event_time": "2012-10-01T02:11:20.000Z", + "rsa.time.event_time_str": "1349057480", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 6748, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:21.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057481.530 889 192.168.0.35 TCP_MISS/200 19858 GET http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-0255.English.dist", + "input.type": "log", + "log.offset": 11739, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 889, + "rsa.time.event_time": "2012-10-01T02:11:21.000Z", + "rsa.time.event_time_str": "1349057481", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 19858, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:22.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057482.097 550 192.168.0.35 TCP_MISS/200 19848 GET http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-0256.English.dist", + "input.type": "log", + "log.offset": 11942, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 550, + "rsa.time.event_time": "2012-10-01T02:11:22.000Z", + "rsa.time.event_time_str": "1349057482", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 19848, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:23.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057483.427 771 192.168.0.35 TCP_MISS/200 38188 GET http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-6756.English.dist", + "input.type": "log", + "log.offset": 12145, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 771, + "rsa.time.event_time": "2012-10-01T02:11:23.000Z", + "rsa.time.event_time_str": "1349057483", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 38188, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:23.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057483.787 320 192.168.0.35 TCP_MISS/200 8913 GET http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-6905.English.dist", + "input.type": "log", + "log.offset": 12348, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 320, + "rsa.time.event_time": "2012-10-01T02:11:23.000Z", + "rsa.time.event_time_str": "1349057483", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 8913, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:24.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057484.139 222 192.168.0.35 TCP_MISS/200 8113 GET http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-6906.English.dist", + "input.type": "log", + "log.offset": 12550, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 222, + "rsa.time.event_time": "2012-10-01T02:11:24.000Z", + "rsa.time.event_time_str": "1349057484", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 8113, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:26.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057486.034 1694 192.168.0.35 TCP_MISS/200 31969 GET http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-1612.English.dist", + "input.type": "log", + "log.offset": 12752, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 1694, + "rsa.time.event_time": "2012-10-01T02:11:26.000Z", + "rsa.time.event_time_str": "1349057486", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 31969, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:26.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057486.672 550 192.168.0.35 TCP_MISS/200 31972 GET http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-1613.English.dist", + "input.type": "log", + "log.offset": 12955, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "208.44.23.185", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 550, + "rsa.time.event_time": "2012-10-01T02:11:26.000Z", + "rsa.time.event_time_str": "1349057486", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 31972, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:11:27.000Z", + "destination.as.number": 209, + "destination.as.organization.name": "CenturyLink Communications, LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "208.44.23.185" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057487.172 436 192.168.0.35 TCP_MISS/200 23087 GET http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist - DIRECT/208.44.23.185 text/xml", + "fileset.name": "log", + "http.response.body.content": "041-5328.English.dist", + "input.type": "log", + "log.offset": 13158, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "swcdn.apple.com", + "rsa.time.duration_time": 436, + "rsa.time.event_time": "2012-10-01T02:11:27.000Z", + "rsa.time.event_time_str": "1349057487", + "rsa.web.alias_host": "swcdn.apple.com", + "server.domain": "swcdn.apple.com", + "service.type": "squid", + "source.bytes": 23087, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "swcdn.apple.com", + "url.original": 
"http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:13:03.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.73.104" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057583.918 101348 192.168.0.35 TCP_MISS/200 2488 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13361, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "173.194.73.104" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 101348, + "rsa.time.event_time": "2012-10-01T02:13:03.000Z", + "rsa.time.event_time_str": "1349057583", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 2488, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:13:03.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.100" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057583.929 100999 192.168.0.35 TCP_MISS/200 2974 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13467, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.100" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients3.google.com", + "rsa.time.duration_time": 100999, + "rsa.time.event_time": "2012-10-01T02:13:03.000Z", + "rsa.time.event_time_str": "1349057583", + "rsa.web.alias_host": "clients3.google.com", + "server.domain": "clients3.google.com", + "service.type": "squid", + "source.bytes": 2974, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients3.google.com", + "url.original": "clients3.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:13:03.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.96" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057583.929 105631 192.168.0.35 TCP_MISS/200 2969 CONNECT clients4.google.com:443 - 
DIRECT/74.125.228.96 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13578, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.96", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients4.google.com", + "rsa.time.duration_time": 105631, + "rsa.time.event_time": "2012-10-01T02:13:03.000Z", + "rsa.time.event_time_str": "1349057583", + "rsa.web.alias_host": "clients4.google.com", + "server.domain": "clients4.google.com", + "service.type": "squid", + "source.bytes": 2969, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients4.google.com", + "url.original": "clients4.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:13:03.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.101" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057583.929 43683 192.168.0.35 TCP_MISS/200 662274 CONNECT safebrowsing-cache.google.com:443 - DIRECT/74.125.228.101 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13688, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.228.101", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "safebrowsing-cache.google.com", + "rsa.time.duration_time": 43683, + "rsa.time.event_time": "2012-10-01T02:13:03.000Z", + "rsa.time.event_time_str": "1349057583", + "rsa.web.alias_host": "safebrowsing-cache.google.com", + "server.domain": "safebrowsing-cache.google.com", + "service.type": "squid", + "source.bytes": 662274, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "safebrowsing-cache.google.com", + "url.original": "safebrowsing-cache.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:13:03.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.228.102" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057583.930 44106 192.168.0.35 TCP_MISS/200 6152 CONNECT safebrowsing.google.com:443 - DIRECT/74.125.228.102 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13811, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "74.125.228.102" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "safebrowsing.google.com", + "rsa.time.duration_time": 44106, + 
"rsa.time.event_time": "2012-10-01T02:13:03.000Z", + "rsa.time.event_time_str": "1349057583", + "rsa.web.alias_host": "safebrowsing.google.com", + "server.domain": "safebrowsing.google.com", + "service.type": "squid", + "source.bytes": 6152, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "safebrowsing.google.com", + "url.original": "safebrowsing.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:15:15.000Z", + "destination.as.number": 32934, + "destination.as.organization.name": "Facebook, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "69.171.228.74" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057715.339 267 192.168.0.35 TCP_MISS/302 379 GET http://www.facebook.com/ - DIRECT/69.171.228.74 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13926, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "69.171.228.74", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "www.facebook.com", + "rsa.time.duration_time": 267, + "rsa.time.event_time": "2012-10-01T02:15:15.000Z", + "rsa.time.event_time_str": "1349057715", + "rsa.web.alias_host": "www.facebook.com", + "server.domain": "www.facebook.com", + "service.type": "squid", + "source.bytes": 379, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + 
], + "url.domain": "www.facebook.com", + "url.original": "http://www.facebook.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:15:18.000Z", + "destination.as.number": 16625, + "destination.as.organization.name": "Akamai Technologies, Inc.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "NL", + "destination.geo.location.lat": 52.3824, + "destination.geo.location.lon": 4.8995, + "destination.ip": [ + "23.62.194.110" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057718.031 2684 192.168.0.35 TCP_MISS/200 1871 CONNECT s-static.ak.facebook.com:443 - DIRECT/23.62.194.110 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14040, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "23.62.194.110", + "192.168.0.35" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "s-static.ak.facebook.com", + "rsa.time.duration_time": 2684, + "rsa.time.event_time": "2012-10-01T02:15:18.000Z", + "rsa.time.event_time_str": "1349057718", + "rsa.web.alias_host": "s-static.ak.facebook.com", + "server.domain": "s-static.ak.facebook.com", + "service.type": "squid", + "source.bytes": 1871, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "s-static.ak.facebook.com", + "url.original": "s-static.ak.facebook.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:15:18.000Z", + "destination.as.number": 32934, + "destination.as.organization.name": "Facebook, Inc.", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "69.171.228.74" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057718.398 3047 192.168.0.35 TCP_MISS/200 87179 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14155, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "192.168.0.35", + "69.171.228.74" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.facebook.com", + "rsa.time.duration_time": 3047, + "rsa.time.event_time": "2012-10-01T02:15:18.000Z", + "rsa.time.event_time_str": "1349057718", + "rsa.web.alias_host": "www.facebook.com", + "server.domain": "www.facebook.com", + "service.type": "squid", + "source.bytes": 87179, + "source.ip": [ + "192.168.0.35" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.facebook.com", + "url.original": "www.facebook.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2012-10-01T02:15:19.000Z", + "destination.as.number": 32934, + "destination.as.organization.name": "Facebook, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "69.171.228.74" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1349057719.228 3879 192.168.0.35 TCP_MISS/200 2894 CONNECT 
www.facebook.com:443 - DIRECT/69.171.228.74 -",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 14263,
+ "observer.product": "Proxy",
+ "observer.type": "Proxies",
+ "observer.vendor": "Squid",
+ "related.ip": [
+ "192.168.0.35",
+ "69.171.228.74"
+ ],
+ "rsa.internal.hcode": "DIRECT",
+ "rsa.internal.messageid": "CONNECT",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "TCP_MISS",
+ "CONNECT"
+ ],
+ "rsa.misc.content_type": "-",
+ "rsa.misc.result_code": "200",
+ "rsa.network.domain": "www.facebook.com",
+ "rsa.time.duration_time": 3879,
+ "rsa.time.event_time": "2012-10-01T02:15:19.000Z",
+ "rsa.time.event_time_str": "1349057719",
+ "rsa.web.alias_host": "www.facebook.com",
+ "server.domain": "www.facebook.com",
+ "service.type": "squid",
+ "source.bytes": 2894,
+ "source.ip": [
+ "192.168.0.35"
+ ],
+ "tags": [
+ "squid.log",
+ "forwarded"
+ ],
+ "url.domain": "www.facebook.com",
+ "url.original": "www.facebook.com:443",
+ "user.name": [
+ "-"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/squid/log/test/access4.log b/x-pack/filebeat/module/squid/log/test/access4.log
new file mode 100644
index 00000000000..c8e40013cb5
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/test/access4.log
@@ -0,0 +1,100 @@
+1431966856.793 48016 ::1 TCP_MISS/200 16674 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431966858.959 118352 ::1 TCP_MISS/200 1384 CONNECT 0.client-channel.google.com:443 - DIRECT/173.194.206.189 -
+1431966860.960 141516 ::1 TCP_MISS/200 29012 CONNECT clients4.google.com:443 - DIRECT/173.194.123.102 -
+1431966862.972 179667 ::1 TCP_MISS/200 1551 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 -
+1431966888.037 226448 ::1 TCP_MISS/200 907245 CONNECT drive.google.com:443 - DIRECT/173.194.123.97 -
+1431966902.944 46063 ::1 TCP_MISS/200 6663 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431966907.045 230072 ::1 TCP_MISS/200 4784 CONNECT clients2.google.com:443 - DIRECT/173.194.123.102 -
+1431966916.065 117889 ::1 TCP_MISS/200 865 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -
+1431966917.064 118888 ::1 TCP_MISS/200 1262 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -
+1431966927.088 128911 ::1 TCP_MISS/200 2485 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -
+1431966929.071 117252 ::1 TCP_MISS/200 1270 CONNECT accounts.google.com:443 - DIRECT/216.58.219.237 -
+1431966934.075 254028 ::1 TCP_MISS/200 200095 CONNECT apis.google.com:443 - DIRECT/173.194.123.68 -
+1431966934.076 250120 ::1 TCP_MISS/200 14577 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 -
+1431966950.318 47289 ::1 TCP_MISS/200 1391 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431966958.711 276 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.105 application/ocsp-response
+1431967010.962 212785 ::1 TCP_MISS/200 313787 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -
+1431967010.962 60560 ::1 TCP_MISS/200 2323 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967067.416 56361 ::1 TCP_MISS/200 940 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967094.510 350082 ::1 TCP_MISS/200 952006 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -
+1431967104.597 146762 ::1 TCP_MISS/200 6013 CONNECT drive.google.com:443 - DIRECT/173.194.123.71 -
+1431967119.333 51829 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967171.526 52115 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967221.312 49708 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967273.790 52393 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967328.486 54590 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967385.358 56797 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967440.782 55339 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967498.549 57685 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967553.286 54658 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967611.006 57645 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967667.705 56621 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967671.980 115965 ::1 TCP_MISS/200 937 CONNECT docs.google.com:443 - DIRECT/173.194.123.67 -
+1431967721.078 53297 ::1 TCP_MISS/200 870 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967773.775 52610 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967827.637 53774 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967881.971 54254 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967935.923 53860 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431967989.089 53080 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968041.539 52374 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968099.212 57477 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968156.648 57347 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968210.299 53575 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968265.132 54585 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968273.671 116138 ::1 TCP_MISS/200 1093 CONNECT docs.google.com:443 - DIRECT/173.194.123.101 -
+1431968319.296 54086 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968372.410 52982 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1431968374.119 8177 ::1 TCP_MISS/200 2705 CONNECT docs.google.com:443 - DIRECT/173.194.123.99 -
+1431968374.150 1601 ::1 TCP_MISS/200 844 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -
+1432789884.994 297 ::1 TCP_MISS/302 696 GET http://www.google.com/ - DIRECT/74.125.226.83 text/html
+1432789885.671 220 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.40 application/ocsp-response
+1432789950.885 59335 ::1 TCP_MISS/200 55721 CONNECT apis.google.com:443 - DIRECT/173.194.123.41 -
+1432789952.891 67776 ::1 TCP_MISS/200 254589 CONNECT www.google.com:443 - DIRECT/74.125.226.83 -
+1445267990.313 759 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response
+1445268003.557 192 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response
+1445268029.709 59991 ::1 TCP_MISS/200 5188 CONNECT mail.google.com:443 - DIRECT/216.58.219.165 -
+1445268062.046 66005 ::1 TCP_MISS/200 5310 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 -
+1445268064.055 73369 ::1 TCP_MISS/200 6975 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 -
+1445268069.665 59549 ::1 TCP_MISS/200 4871 CONNECT play.google.com:443 - DIRECT/216.58.219.174 -
+1445268140.447 180 
::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -
+1445268140.539 74 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -
+1445268140.703 112 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -
+1445268152.177 264 ::1 TCP_MISS/200 0 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 -
+1445268187.113 59699 ::1 TCP_MISS/200 5020 CONNECT docs.google.com:443 - DIRECT/216.58.219.142 -
+1445268224.938 70176 ::1 TCP_MISS/200 14737 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 -
+1445268261.980 121174 ::1 TCP_MISS/200 528022 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -
+1445268314.711 361370 ::1 TCP_MISS/200 6518 CONNECT 0.docs.google.com:443 - DIRECT/74.125.141.189 -
+1445268314.711 355919 ::1 TCP_MISS/200 9695 CONNECT 0.talkgadget.google.com:443 - DIRECT/74.125.141.189 -
+1445268314.711 257778 ::1 TCP_MISS/200 6024 CONNECT 0.client-channel.google.com:443 - DIRECT/74.125.141.189 -
+1445268314.711 43887 ::1 TCP_MISS/200 1833 CONNECT mail.google.com:443 - DIRECT/216.58.219.133 -
+1454336396.005 63622 10.100.0.1 TCP_MISS/200 272954 CONNECT www.google.com:443 - DIRECT/216.58.219.228 -
+1454336398.988 59761 10.100.0.1 TCP_MISS/200 54752 CONNECT apis.google.com:443 - DIRECT/216.58.219.238 -
+1462898750.708 288 10.100.0.1 TCP_MISS/301 695 GET http://google.com/ - DIRECT/173.194.205.113 text/html
+1483547243.947 153 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response
+1483547244.218 110 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response
+1483809788.490 217 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response
+1483809788.504 224 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response
+1492721605.095 1894 10.100.0.1 TCP_MISS/200 901 POST 
http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response
+1514415283.110 3338 10.100.2.85 TCP_MISS/200 25103 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -
+1514415285.181 5317 10.100.2.85 TCP_MISS/200 30037 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -
+1514415287.601 7719 10.100.2.85 TCP_MISS/200 31365 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -
+1514415293.832 11122 10.100.2.85 TCP_MISS/200 4120 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -
+1514415295.359 15462 10.100.2.85 TCP_MISS/200 135019 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -
+1514415297.207 17318 10.100.2.85 TCP_MISS/200 193786 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -
+1514415468.723 195307 10.100.2.85 TCP_MISS/200 207119 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -
+1514415469.795 189952 10.100.2.85 TCP_MISS/200 372304 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -
+1514415470.873 171312 10.100.2.85 TCP_MISS/200 3517 CONNECT stats.g.doubleclick.net:443 - DIRECT/173.194.204.156 -
+1514415471.953 170700 10.100.2.85 TCP_MISS/200 5679 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -
+1521148405.505 170531 10.100.0.1 TCP_MISS/200 5650 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -
+1521148583.607 171280 10.100.0.1 TCP_MISS/200 5549 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -
+1521148701.183 232347 10.100.0.1 TCP_MISS/200 947 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -
+1521148880.382 170896 10.100.0.1 TCP_MISS/200 785 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -
+1521149008.672 59245 10.100.0.1 TCP_MISS/200 1723 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -
+1521149028.248 14405 10.100.0.1 TCP_MISS/200 28315 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -
+1521149028.574 15142 10.100.0.1 TCP_MISS/200 32424 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -
+1521149029.151 15722 10.100.0.1 TCP_MISS/200 31526 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -
+1521149029.888 16453 10.100.0.1 
TCP_MISS/200 45630 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -
+1521149030.562 17135 10.100.0.1 TCP_MISS/200 26443 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -
+1521149041.120 24645 10.100.0.1 TCP_MISS/200 52379 CONNECT apis.google.com:443 - DIRECT/172.217.12.174 -
+1521149041.124 27963 10.100.0.1 TCP_MISS/200 510095 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -
+1521149041.125 32394 10.100.0.1 TCP_MISS/200 235026 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -
diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json
new file mode 100644
index 00000000000..b061737d2c7
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json
@@ -0,0 +1,5788 @@ +[ + { + "@timestamp": "2015-05-18T16:34:16.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966856.793 48016 ::1 TCP_MISS/200 16674 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 48016, + "rsa.time.event_time": "2015-05-18T16:34:16.000Z", + "rsa.time.event_time_str": "1431966856", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 16674, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:34:18.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": 
"TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966858.959 118352 ::1 TCP_MISS/200 1384 CONNECT 0.client-channel.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 102, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.client-channel.google.com", + "rsa.time.duration_time": 118352, + "rsa.time.event_time": "2015-05-18T16:34:18.000Z", + "rsa.time.event_time_str": "1431966858", + "rsa.web.alias_host": "0.client-channel.google.com", + "server.domain": "0.client-channel.google.com", + "service.type": "squid", + "source.bytes": 1384, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.client-channel.google.com", + "url.original": "0.client-channel.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:34:20.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.102" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966860.960 141516 ::1 TCP_MISS/200 29012 CONNECT clients4.google.com:443 - DIRECT/173.194.123.102 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 213, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.123.102", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients4.google.com", + "rsa.time.duration_time": 141516, + "rsa.time.event_time": "2015-05-18T16:34:20.000Z", + "rsa.time.event_time_str": "1431966860", + "rsa.web.alias_host": "clients4.google.com", + "server.domain": "clients4.google.com", + "service.type": "squid", + "source.bytes": 29012, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients4.google.com", + "url.original": "clients4.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:34:22.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.102" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966862.972 179667 ::1 TCP_MISS/200 1551 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 317, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.123.102", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": 
"200", + "rsa.network.domain": "clients6.google.com", + "rsa.time.duration_time": 179667, + "rsa.time.event_time": "2015-05-18T16:34:22.000Z", + "rsa.time.event_time_str": "1431966862", + "rsa.web.alias_host": "clients6.google.com", + "server.domain": "clients6.google.com", + "service.type": "squid", + "source.bytes": 1551, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients6.google.com", + "url.original": "clients6.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:34:48.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.97" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966888.037 226448 ::1 TCP_MISS/200 907245 CONNECT drive.google.com:443 - DIRECT/173.194.123.97 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 420, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.97" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "drive.google.com", + "rsa.time.duration_time": 226448, + "rsa.time.event_time": "2015-05-18T16:34:48.000Z", + "rsa.time.event_time_str": "1431966888", + "rsa.web.alias_host": "drive.google.com", + "server.domain": "drive.google.com", + "service.type": "squid", + "source.bytes": 907245, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + 
], + "url.domain": "drive.google.com", + "url.original": "drive.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:02.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966902.944 46063 ::1 TCP_MISS/200 6663 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 521, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 46063, + "rsa.time.event_time": "2015-05-18T16:35:02.000Z", + "rsa.time.event_time_str": "1431966902", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 6663, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:07.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + 
"destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.102" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966907.045 230072 ::1 TCP_MISS/200 4784 CONNECT clients2.google.com:443 - DIRECT/173.194.123.102 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 622, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.102" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients2.google.com", + "rsa.time.duration_time": 230072, + "rsa.time.event_time": "2015-05-18T16:35:07.000Z", + "rsa.time.event_time_str": "1431966907", + "rsa.web.alias_host": "clients2.google.com", + "server.domain": "clients2.google.com", + "service.type": "squid", + "source.bytes": 4784, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients2.google.com", + "url.original": "clients2.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:16.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.96" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966916.065 117889 ::1 TCP_MISS/200 865 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 
725, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.123.96", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 117889, + "rsa.time.event_time": "2015-05-18T16:35:16.000Z", + "rsa.time.event_time_str": "1431966916", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 865, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:17.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.96" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966917.064 118888 ::1 TCP_MISS/200 1262 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 822, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.96" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + 
"rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 118888, + "rsa.time.event_time": "2015-05-18T16:35:17.000Z", + "rsa.time.event_time_str": "1431966917", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 1262, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:27.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.96" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966927.088 128911 ::1 TCP_MISS/200 2485 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 920, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.96" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 128911, + "rsa.time.event_time": "2015-05-18T16:35:27.000Z", + "rsa.time.event_time_str": "1431966927", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 2485, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + 
"url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:29.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.237" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966929.071 117252 ::1 TCP_MISS/200 1270 CONNECT accounts.google.com:443 - DIRECT/216.58.219.237 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1018, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.237", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "accounts.google.com", + "rsa.time.duration_time": 117252, + "rsa.time.event_time": "2015-05-18T16:35:29.000Z", + "rsa.time.event_time_str": "1431966929", + "rsa.web.alias_host": "accounts.google.com", + "server.domain": "accounts.google.com", + "service.type": "squid", + "source.bytes": 1270, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "accounts.google.com", + "url.original": "accounts.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:34.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.68" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966934.075 254028 ::1 TCP_MISS/200 200095 CONNECT apis.google.com:443 - DIRECT/173.194.123.68 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1120, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.68" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "apis.google.com", + "rsa.time.duration_time": 254028, + "rsa.time.event_time": "2015-05-18T16:35:34.000Z", + "rsa.time.event_time_str": "1431966934", + "rsa.web.alias_host": "apis.google.com", + "server.domain": "apis.google.com", + "service.type": "squid", + "source.bytes": 200095, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "apis.google.com", + "url.original": "apis.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:34.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.102" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966934.076 250120 ::1 TCP_MISS/200 14577 
CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1220, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.102" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients6.google.com", + "rsa.time.duration_time": 250120, + "rsa.time.event_time": "2015-05-18T16:35:34.000Z", + "rsa.time.event_time_str": "1431966934", + "rsa.web.alias_host": "clients6.google.com", + "server.domain": "clients6.google.com", + "service.type": "squid", + "source.bytes": 14577, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients6.google.com", + "url.original": "clients6.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966950.318 47289 ::1 TCP_MISS/200 1391 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1324, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 47289, + "rsa.time.event_time": "2015-05-18T16:35:50.000Z", + "rsa.time.event_time_str": "1431966950", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 1391, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:35:58.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.105" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431966958.711 276 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.105 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 1425, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.105" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 276, + "rsa.time.event_time": "2015-05-18T16:35:58.000Z", + 
"rsa.time.event_time_str": "1431966958", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 934, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:36:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.96" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967010.962 212785 ::1 TCP_MISS/200 313787 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1556, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.123.96", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 212785, + "rsa.time.event_time": "2015-05-18T16:36:50.000Z", + "rsa.time.event_time_str": "1431967010", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 313787, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": 
"2015-05-18T16:36:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967010.962 60560 ::1 TCP_MISS/200 2323 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1656, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 60560, + "rsa.time.event_time": "2015-05-18T16:36:50.000Z", + "rsa.time.event_time_str": "1431967010", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 2323, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:37:47.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967067.416 56361 ::1 TCP_MISS/200 940 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1757, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 56361, + "rsa.time.event_time": "2015-05-18T16:37:47.000Z", + "rsa.time.event_time_str": "1431967067", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 940, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:38:14.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.96" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967094.510 350082 ::1 TCP_MISS/200 952006 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1857, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.123.96", + "::1" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 350082, + "rsa.time.event_time": "2015-05-18T16:38:14.000Z", + "rsa.time.event_time_str": "1431967094", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 952006, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:38:24.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.71" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967104.597 146762 ::1 TCP_MISS/200 6013 CONNECT drive.google.com:443 - DIRECT/173.194.123.71 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1957, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.71" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "drive.google.com", + "rsa.time.duration_time": 146762, + "rsa.time.event_time": "2015-05-18T16:38:24.000Z", 
+ "rsa.time.event_time_str": "1431967104", + "rsa.web.alias_host": "drive.google.com", + "server.domain": "drive.google.com", + "service.type": "squid", + "source.bytes": 6013, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "drive.google.com", + "url.original": "drive.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:38:39.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967119.333 51829 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2056, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 51829, + "rsa.time.event_time": "2015-05-18T16:38:39.000Z", + "rsa.time.event_time_str": "1431967119", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": 
"2015-05-18T16:39:31.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967171.526 52115 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2156, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 52115, + "rsa.time.event_time": "2015-05-18T16:39:31.000Z", + "rsa.time.event_time_str": "1431967171", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:40:21.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967221.312 49708 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2256, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 49708, + "rsa.time.event_time": "2015-05-18T16:40:21.000Z", + "rsa.time.event_time_str": "1431967221", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:41:13.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967273.790 52393 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2356, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 52393, + "rsa.time.event_time": "2015-05-18T16:41:13.000Z", + "rsa.time.event_time_str": "1431967273", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:42:08.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967328.486 54590 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2456, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 54590, + "rsa.time.event_time": 
"2015-05-18T16:42:08.000Z", + "rsa.time.event_time_str": "1431967328", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:43:05.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967385.358 56797 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2556, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 56797, + "rsa.time.event_time": "2015-05-18T16:43:05.000Z", + "rsa.time.event_time_str": "1431967385", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2015-05-18T16:44:00.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967440.782 55339 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2656, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 55339, + "rsa.time.event_time": "2015-05-18T16:44:00.000Z", + "rsa.time.event_time_str": "1431967440", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:44:58.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": 
"CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967498.549 57685 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2756, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 57685, + "rsa.time.event_time": "2015-05-18T16:44:58.000Z", + "rsa.time.event_time_str": "1431967498", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:45:53.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967553.286 54658 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2856, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], 
+ "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 54658, + "rsa.time.event_time": "2015-05-18T16:45:53.000Z", + "rsa.time.event_time_str": "1431967553", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 774, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:46:51.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967611.006 57645 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2956, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 57645, + "rsa.time.event_time": 
"2015-05-18T16:46:51.000Z", + "rsa.time.event_time_str": "1431967611", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 774, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:47:47.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967667.705 56621 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3056, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 56621, + "rsa.time.event_time": "2015-05-18T16:47:47.000Z", + "rsa.time.event_time_str": "1431967667", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2015-05-18T16:47:51.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.67" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967671.980 115965 ::1 TCP_MISS/200 937 CONNECT docs.google.com:443 - DIRECT/173.194.123.67 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3156, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.67" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 115965, + "rsa.time.event_time": "2015-05-18T16:47:51.000Z", + "rsa.time.event_time_str": "1431967671", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 937, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:48:41.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967721.078 53297 ::1 TCP_MISS/200 870 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3253, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 53297, + "rsa.time.event_time": "2015-05-18T16:48:41.000Z", + "rsa.time.event_time_str": "1431967721", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 870, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:49:33.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967773.775 52610 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3353, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 52610, + "rsa.time.event_time": "2015-05-18T16:49:33.000Z", + "rsa.time.event_time_str": "1431967773", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:50:27.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967827.637 53774 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3453, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 53774, + "rsa.time.event_time": 
"2015-05-18T16:50:27.000Z", + "rsa.time.event_time_str": "1431967827", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:51:21.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967881.971 54254 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3553, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 54254, + "rsa.time.event_time": "2015-05-18T16:51:21.000Z", + "rsa.time.event_time_str": "1431967881", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2015-05-18T16:52:15.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967935.923 53860 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3653, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 53860, + "rsa.time.event_time": "2015-05-18T16:52:15.000Z", + "rsa.time.event_time_str": "1431967935", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:53:09.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": 
"CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431967989.089 53080 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3753, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 53080, + "rsa.time.event_time": "2015-05-18T16:53:09.000Z", + "rsa.time.event_time_str": "1431967989", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:54:01.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968041.539 52374 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3853, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], 
+ "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 52374, + "rsa.time.event_time": "2015-05-18T16:54:01.000Z", + "rsa.time.event_time_str": "1431968041", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:54:59.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968099.212 57477 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3953, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 57477, + "rsa.time.event_time": 
"2015-05-18T16:54:59.000Z", + "rsa.time.event_time_str": "1431968099", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:55:56.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968156.648 57347 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4053, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 57347, + "rsa.time.event_time": "2015-05-18T16:55:56.000Z", + "rsa.time.event_time_str": "1431968156", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2015-05-18T16:56:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968210.299 53575 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4153, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 53575, + "rsa.time.event_time": "2015-05-18T16:56:50.000Z", + "rsa.time.event_time_str": "1431968210", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 774, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:57:45.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": 
"CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968265.132 54585 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4253, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 54585, + "rsa.time.event_time": "2015-05-18T16:57:45.000Z", + "rsa.time.event_time_str": "1431968265", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 716, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:57:53.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.101" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968273.671 116138 ::1 TCP_MISS/200 1093 CONNECT docs.google.com:443 - DIRECT/173.194.123.101 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4353, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.101" + ], 
+ "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 116138, + "rsa.time.event_time": "2015-05-18T16:57:53.000Z", + "rsa.time.event_time_str": "1431968273", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 1093, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:58:39.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968319.296 54086 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4452, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 54086, + "rsa.time.event_time": 
"2015-05-18T16:58:39.000Z", + "rsa.time.event_time_str": "1431968319", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:59:32.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968372.410 52982 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4552, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.206.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 52982, + "rsa.time.event_time": "2015-05-18T16:59:32.000Z", + "rsa.time.event_time_str": "1431968372", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 745, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2015-05-18T16:59:34.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.99" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968374.119 8177 ::1 TCP_MISS/200 2705 CONNECT docs.google.com:443 - DIRECT/173.194.123.99 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4652, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.99" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 8177, + "rsa.time.event_time": "2015-05-18T16:59:34.000Z", + "rsa.time.event_time_str": "1431968374", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 2705, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-18T16:59:34.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.206.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1431968374.150 1601 ::1 TCP_MISS/200 844 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4750, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.206.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 1601, + "rsa.time.event_time": "2015-05-18T16:59:34.000Z", + "rsa.time.event_time_str": "1431968374", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 844, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-28T05:11:24.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.226.83" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1432789884.994 297 ::1 TCP_MISS/302 696 GET http://www.google.com/ - DIRECT/74.125.226.83 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4850, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "74.125.226.83" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 297, + "rsa.time.event_time": "2015-05-28T05:11:24.000Z", + "rsa.time.event_time_str": "1432789884", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 696, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-28T05:11:25.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.40" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1432789885.671 220 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.40 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 4953, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "173.194.123.40" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + 
"rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 220, + "rsa.time.event_time": "2015-05-28T05:11:25.000Z", + "rsa.time.event_time_str": "1432789885", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 934, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-28T05:12:30.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.123.41" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1432789950.885 59335 ::1 TCP_MISS/200 55721 CONNECT apis.google.com:443 - DIRECT/173.194.123.41 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5083, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "173.194.123.41", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "apis.google.com", + "rsa.time.duration_time": 59335, + "rsa.time.event_time": "2015-05-28T05:12:30.000Z", + "rsa.time.event_time_str": "1432789950", + "rsa.web.alias_host": "apis.google.com", + "server.domain": "apis.google.com", + "service.type": "squid", + "source.bytes": 55721, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + 
"url.domain": "apis.google.com", + "url.original": "apis.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-05-28T05:12:32.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.226.83" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1432789952.891 67776 ::1 TCP_MISS/200 254589 CONNECT www.google.com:443 - DIRECT/74.125.226.83 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5182, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "74.125.226.83" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 67776, + "rsa.time.event_time": "2015-05-28T05:12:32.000Z", + "rsa.time.event_time_str": "1432789952", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 254589, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:19:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 
37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.174" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445267990.313 759 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 5280, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 759, + "rsa.time.event_time": "2015-10-19T15:19:50.000Z", + "rsa.time.event_time_str": "1445267990", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:20:03.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + 
"destination.ip": [ + "216.58.219.174" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268003.557 192 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 5410, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 192, + "rsa.time.event_time": "2015-10-19T15:20:03.000Z", + "rsa.time.event_time_str": "1445268003", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:20:29.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.165" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + 
"event.original": "1445268029.709 59991 ::1 TCP_MISS/200 5188 CONNECT mail.google.com:443 - DIRECT/216.58.219.165 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5540, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.165" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "mail.google.com", + "rsa.time.duration_time": 59991, + "rsa.time.event_time": "2015-10-19T15:20:29.000Z", + "rsa.time.event_time_str": "1445268029", + "rsa.web.alias_host": "mail.google.com", + "server.domain": "mail.google.com", + "service.type": "squid", + "source.bytes": 5188, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.google.com", + "url.original": "mail.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:21:02.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268062.046 66005 ::1 TCP_MISS/200 5310 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5638, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": 
"Squid", + "related.ip": [ + "216.58.219.174", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients6.google.com", + "rsa.time.duration_time": 66005, + "rsa.time.event_time": "2015-10-19T15:21:02.000Z", + "rsa.time.event_time_str": "1445268062", + "rsa.web.alias_host": "clients6.google.com", + "server.domain": "clients6.google.com", + "service.type": "squid", + "source.bytes": 5310, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients6.google.com", + "url.original": "clients6.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:21:04.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268064.055 73369 ::1 TCP_MISS/200 6975 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5740, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.174", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + 
"CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients6.google.com", + "rsa.time.duration_time": 73369, + "rsa.time.event_time": "2015-10-19T15:21:04.000Z", + "rsa.time.event_time_str": "1445268064", + "rsa.web.alias_host": "clients6.google.com", + "server.domain": "clients6.google.com", + "service.type": "squid", + "source.bytes": 6975, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients6.google.com", + "url.original": "clients6.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:21:09.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268069.665 59549 ::1 TCP_MISS/200 4871 CONNECT play.google.com:443 - DIRECT/216.58.219.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5842, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "play.google.com", + "rsa.time.duration_time": 59549, + "rsa.time.event_time": "2015-10-19T15:21:09.000Z", + "rsa.time.event_time_str": 
"1445268069", + "rsa.web.alias_host": "play.google.com", + "server.domain": "play.google.com", + "service.type": "squid", + "source.bytes": 4871, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "play.google.com", + "url.original": "play.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:22:20.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268140.447 180 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5940, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 180, + "rsa.time.event_time": "2015-10-19T15:22:20.000Z", + "rsa.time.event_time_str": "1445268140", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": 
"www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:22:20.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268140.539 74 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6034, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.132", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 74, + "rsa.time.event_time": "2015-10-19T15:22:20.000Z", + "rsa.time.event_time_str": "1445268140", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:22:20.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268140.703 112 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6128, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.132" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 112, + "rsa.time.event_time": "2015-10-19T15:22:20.000Z", + "rsa.time.event_time_str": "1445268140", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:22:32.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.142" + ], + "event.action": 
"TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268152.177 264 ::1 TCP_MISS/200 0 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6222, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.142" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "plus.google.com", + "rsa.time.duration_time": 264, + "rsa.time.event_time": "2015-10-19T15:22:32.000Z", + "rsa.time.event_time_str": "1445268152", + "rsa.web.alias_host": "plus.google.com", + "server.domain": "plus.google.com", + "service.type": "squid", + "source.bytes": 0, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "plus.google.com", + "url.original": "plus.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:23:07.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.142" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268187.113 59699 ::1 TCP_MISS/200 5020 CONNECT docs.google.com:443 - DIRECT/216.58.219.142 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 
6317, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.142", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "docs.google.com", + "rsa.time.duration_time": 59699, + "rsa.time.event_time": "2015-10-19T15:23:07.000Z", + "rsa.time.event_time_str": "1445268187", + "rsa.web.alias_host": "docs.google.com", + "server.domain": "docs.google.com", + "service.type": "squid", + "source.bytes": 5020, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "docs.google.com", + "url.original": "docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:23:44.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.142" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268224.938 70176 ::1 TCP_MISS/200 14737 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6415, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "216.58.219.142" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "plus.google.com", + "rsa.time.duration_time": 70176, + "rsa.time.event_time": "2015-10-19T15:23:44.000Z", + "rsa.time.event_time_str": "1445268224", + "rsa.web.alias_host": "plus.google.com", + "server.domain": "plus.google.com", + "service.type": "squid", + "source.bytes": 14737, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "plus.google.com", + "url.original": "plus.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:24:21.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268261.980 121174 ::1 TCP_MISS/200 528022 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6514, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.132", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 121174, + "rsa.time.event_time": 
"2015-10-19T15:24:21.000Z", + "rsa.time.event_time_str": "1445268261", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 528022, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:25:14.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.141.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268314.711 361370 ::1 TCP_MISS/200 6518 CONNECT 0.docs.google.com:443 - DIRECT/74.125.141.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6613, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.141.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.docs.google.com", + "rsa.time.duration_time": 361370, + "rsa.time.event_time": "2015-10-19T15:25:14.000Z", + "rsa.time.event_time_str": "1445268314", + "rsa.web.alias_host": "0.docs.google.com", + "server.domain": "0.docs.google.com", + "service.type": "squid", + "source.bytes": 6518, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.docs.google.com", + "url.original": "0.docs.google.com:443", + "user.name": [ + "-" + ] + }, + { + 
"@timestamp": "2015-10-19T15:25:14.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.141.189" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268314.711 355919 ::1 TCP_MISS/200 9695 CONNECT 0.talkgadget.google.com:443 - DIRECT/74.125.141.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6713, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "::1", + "74.125.141.189" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.talkgadget.google.com", + "rsa.time.duration_time": 355919, + "rsa.time.event_time": "2015-10-19T15:25:14.000Z", + "rsa.time.event_time_str": "1445268314", + "rsa.web.alias_host": "0.talkgadget.google.com", + "server.domain": "0.talkgadget.google.com", + "service.type": "squid", + "source.bytes": 9695, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.talkgadget.google.com", + "url.original": "0.talkgadget.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:25:14.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "74.125.141.189" + ], + 
"event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268314.711 257778 ::1 TCP_MISS/200 6024 CONNECT 0.client-channel.google.com:443 - DIRECT/74.125.141.189 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6819, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "74.125.141.189", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "0.client-channel.google.com", + "rsa.time.duration_time": 257778, + "rsa.time.event_time": "2015-10-19T15:25:14.000Z", + "rsa.time.event_time_str": "1445268314", + "rsa.web.alias_host": "0.client-channel.google.com", + "server.domain": "0.client-channel.google.com", + "service.type": "squid", + "source.bytes": 6024, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "0.client-channel.google.com", + "url.original": "0.client-channel.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2015-10-19T15:25:14.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "216.58.219.133" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1445268314.711 43887 ::1 TCP_MISS/200 1833 CONNECT 
mail.google.com:443 - DIRECT/216.58.219.133 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6929, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.133", + "::1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "mail.google.com", + "rsa.time.duration_time": 43887, + "rsa.time.event_time": "2015-10-19T15:25:14.000Z", + "rsa.time.event_time_str": "1445268314", + "rsa.web.alias_host": "mail.google.com", + "server.domain": "mail.google.com", + "service.type": "squid", + "source.bytes": 1833, + "source.ip": [ + "::1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.google.com", + "url.original": "mail.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2016-02-01T14:19:56.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.228" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1454336396.005 63622 10.100.0.1 TCP_MISS/200 272954 CONNECT www.google.com:443 - DIRECT/216.58.219.228 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7027, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "216.58.219.228" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 63622, + "rsa.time.event_time": "2016-02-01T14:19:56.000Z", + "rsa.time.event_time_str": "1454336396", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 272954, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "www.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2016-02-01T14:19:58.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.238" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1454336398.988 59761 10.100.0.1 TCP_MISS/200 54752 CONNECT apis.google.com:443 - DIRECT/216.58.219.238 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7133, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.238", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + 
"rsa.misc.result_code": "200", + "rsa.network.domain": "apis.google.com", + "rsa.time.duration_time": 59761, + "rsa.time.event_time": "2016-02-01T14:19:58.000Z", + "rsa.time.event_time_str": "1454336398", + "rsa.web.alias_host": "apis.google.com", + "server.domain": "apis.google.com", + "service.type": "squid", + "source.bytes": 54752, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "apis.google.com", + "url.original": "apis.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2016-05-10T16:45:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.205.113" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1462898750.708 288 10.100.0.1 TCP_MISS/301 695 GET http://google.com/ - DIRECT/173.194.205.113 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7239, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "173.194.205.113" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "301", + "rsa.network.domain": "google.com", + "rsa.time.duration_time": 288, + "rsa.time.event_time": "2016-05-10T16:45:50.000Z", + "rsa.time.event_time_str": "1462898750", + "rsa.web.alias_host": "google.com", + "server.domain": "google.com", + "service.type": "squid", + "source.bytes": 695, + "source.ip": [ + 
"10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "google.com", + "url.original": "http://google.com/", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-01-04T16:27:23.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.6.238" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1483547243.947 153 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 7347, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "172.217.6.238" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 153, + "rsa.time.event_time": "2017-01-04T16:27:23.000Z", + "rsa.time.event_time_str": "1483547243", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-01-04T16:27:24.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": 
"Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.6.238" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1483547244.218 110 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 7483, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "172.217.6.238" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 110, + "rsa.time.event_time": "2017-01-04T16:27:24.000Z", + "rsa.time.event_time_str": "1483547244", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-01-07T17:23:08.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", 
+ "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.238" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1483809788.490 217 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 7619, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "216.58.219.238" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 217, + "rsa.time.event_time": "2017-01-07T17:23:08.000Z", + "rsa.time.event_time_str": "1483809788", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-01-07T17:23:08.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.238" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + 
"event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1483809788.504 224 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + "input.type": "log", + "log.offset": 7756, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.238", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 224, + "rsa.time.event_time": "2017-01-07T17:23:08.000Z", + "rsa.time.event_time_str": "1483809788", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-04-20T20:53:25.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.6.238" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1492721605.095 1894 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response", + "fileset.name": "log", + "http.response.body.content": "ocsp", + 
"input.type": "log", + "log.offset": 7893, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.6.238", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "application/ocsp-response", + "rsa.misc.result_code": "200", + "rsa.network.domain": "clients1.google.com", + "rsa.time.duration_time": 1894, + "rsa.time.event_time": "2017-04-20T20:53:25.000Z", + "rsa.time.event_time_str": "1492721605", + "rsa.web.alias_host": "clients1.google.com", + "server.domain": "clients1.google.com", + "service.type": "squid", + "source.bytes": 901, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "clients1.google.com", + "url.original": "http://clients1.google.com/ocsp", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:54:43.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.10.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415283.110 3338 10.100.2.85 TCP_MISS/200 25103 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8029, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.2.85", + "172.217.10.14" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + 
"rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 3338, + "rsa.time.event_time": "2017-12-27T22:54:43.000Z", + "rsa.time.event_time_str": "1514415283", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 25103, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:54:45.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.10.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415285.181 5317 10.100.2.85 TCP_MISS/200 30037 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8131, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.10.14", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 5317, + "rsa.time.event_time": "2017-12-27T22:54:45.000Z", + "rsa.time.event_time_str": "1514415285", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 30037, + 
"source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:54:47.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.10.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415287.601 7719 10.100.2.85 TCP_MISS/200 31365 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8233, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.10.14", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 7719, + "rsa.time.event_time": "2017-12-27T22:54:47.000Z", + "rsa.time.event_time_str": "1514415287", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 31365, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:54:53.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415293.832 11122 10.100.2.85 TCP_MISS/200 4120 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8335, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.2.85", + "172.217.12.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "play.google.com", + "rsa.time.duration_time": 11122, + "rsa.time.event_time": "2017-12-27T22:54:53.000Z", + "rsa.time.event_time_str": "1514415293", + "rsa.web.alias_host": "play.google.com", + "server.domain": "play.google.com", + "service.type": "squid", + "source.bytes": 4120, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "play.google.com", + "url.original": "play.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:54:55.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.10.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415295.359 15462 10.100.2.85 TCP_MISS/200 135019 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", + "fileset.name": "log", 
+ "input.type": "log", + "log.offset": 8441, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.10.14", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 15462, + "rsa.time.event_time": "2017-12-27T22:54:55.000Z", + "rsa.time.event_time_str": "1514415295", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 135019, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:54:57.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.10.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415297.207 17318 10.100.2.85 TCP_MISS/200 193786 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8544, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.10.14", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + 
"rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 17318, + "rsa.time.event_time": "2017-12-27T22:54:57.000Z", + "rsa.time.event_time_str": "1514415297", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 193786, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:57:48.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415468.723 195307 10.100.2.85 TCP_MISS/200 207119 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8647, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.12.174", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "news.google.com", + "rsa.time.duration_time": 195307, + "rsa.time.event_time": "2017-12-27T22:57:48.000Z", + "rsa.time.event_time_str": "1514415468", + "rsa.web.alias_host": "news.google.com", + "server.domain": "news.google.com", + "service.type": "squid", + "source.bytes": 207119, + "source.ip": [ + "10.100.2.85" + 
], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "news.google.com", + "url.original": "news.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:57:49.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.10.14" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415469.795 189952 10.100.2.85 TCP_MISS/200 372304 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8755, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.10.14", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 189952, + "rsa.time.event_time": "2017-12-27T22:57:49.000Z", + "rsa.time.event_time_str": "1514415469", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 372304, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:57:50.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "173.194.204.156" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415470.873 171312 10.100.2.85 TCP_MISS/200 3517 CONNECT stats.g.doubleclick.net:443 - DIRECT/173.194.204.156 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8858, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.2.85", + "173.194.204.156" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "stats.g.doubleclick.net", + "rsa.time.duration_time": 171312, + "rsa.time.event_time": "2017-12-27T22:57:50.000Z", + "rsa.time.event_time_str": "1514415470", + "rsa.web.alias_host": "stats.g.doubleclick.net", + "server.domain": "stats.g.doubleclick.net", + "service.type": "squid", + "source.bytes": 3517, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "stats.g.doubleclick.net", + "url.original": "stats.g.doubleclick.net:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2017-12-27T22:57:51.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1514415471.953 170700 10.100.2.85 TCP_MISS/200 5679 CONNECT 
play.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8973, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.12.174", + "10.100.2.85" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "play.google.com", + "rsa.time.duration_time": 170700, + "rsa.time.event_time": "2017-12-27T22:57:51.000Z", + "rsa.time.event_time_str": "1514415471", + "rsa.web.alias_host": "play.google.com", + "server.domain": "play.google.com", + "service.type": "squid", + "source.bytes": 5679, + "source.ip": [ + "10.100.2.85" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "play.google.com", + "url.original": "play.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:13:25.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521148405.505 170531 10.100.0.1 TCP_MISS/200 5650 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9079, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.12.174", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "news.google.com", + "rsa.time.duration_time": 170531, + "rsa.time.event_time": "2018-03-15T21:13:25.000Z", + "rsa.time.event_time_str": "1521148405", + "rsa.web.alias_host": "news.google.com", + "server.domain": "news.google.com", + "service.type": "squid", + "source.bytes": 5650, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "news.google.com", + "url.original": "news.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:16:23.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521148583.607 171280 10.100.0.1 TCP_MISS/200 5549 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9184, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "172.217.12.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "play.google.com", + "rsa.time.duration_time": 171280, + "rsa.time.event_time": "2018-03-15T21:16:23.000Z", + "rsa.time.event_time_str": "1521148583", + "rsa.web.alias_host": "play.google.com", + "server.domain": 
"play.google.com", + "service.type": "squid", + "source.bytes": 5549, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "play.google.com", + "url.original": "play.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:18:21.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521148701.183 232347 10.100.0.1 TCP_MISS/200 947 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9289, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.12.174", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "news.google.com", + "rsa.time.duration_time": 232347, + "rsa.time.event_time": "2018-03-15T21:18:21.000Z", + "rsa.time.event_time_str": "1521148701", + "rsa.web.alias_host": "news.google.com", + "server.domain": "news.google.com", + "service.type": "squid", + "source.bytes": 947, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "news.google.com", + "url.original": "news.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:21:20.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521148880.382 170896 10.100.0.1 TCP_MISS/200 785 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9393, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "172.217.12.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "news.google.com", + "rsa.time.duration_time": 170896, + "rsa.time.event_time": "2018-03-15T21:21:20.000Z", + "rsa.time.event_time_str": "1521148880", + "rsa.web.alias_host": "news.google.com", + "server.domain": "news.google.com", + "service.type": "squid", + "source.bytes": 785, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "news.google.com", + "url.original": "news.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:23:28.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149008.672 59245 10.100.0.1 
TCP_MISS/200 1723 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9497, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.12.174", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "news.google.com", + "rsa.time.duration_time": 59245, + "rsa.time.event_time": "2018-03-15T21:23:28.000Z", + "rsa.time.event_time_str": "1521149008", + "rsa.web.alias_host": "news.google.com", + "server.domain": "news.google.com", + "service.type": "squid", + "source.bytes": 1723, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "news.google.com", + "url.original": "news.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:23:48.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.206" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149028.248 14405 10.100.0.1 TCP_MISS/200 28315 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9602, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + 
"10.100.0.1", + "216.58.219.206" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 14405, + "rsa.time.event_time": "2018-03-15T21:23:48.000Z", + "rsa.time.event_time_str": "1521149028", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 28315, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:23:48.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.206" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149028.574 15142 10.100.0.1 TCP_MISS/200 32424 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9704, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "216.58.219.206" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": 
"-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 15142, + "rsa.time.event_time": "2018-03-15T21:23:48.000Z", + "rsa.time.event_time_str": "1521149028", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 32424, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:23:49.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.206" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149029.151 15722 10.100.0.1 TCP_MISS/200 31526 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9806, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.206", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 15722, + "rsa.time.event_time": "2018-03-15T21:23:49.000Z", + "rsa.time.event_time_str": "1521149029", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + 
"service.type": "squid", + "source.bytes": 31526, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:23:49.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.206" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149029.888 16453 10.100.0.1 TCP_MISS/200 45630 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9908, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.58.219.206", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 16453, + "rsa.time.event_time": "2018-03-15T21:23:49.000Z", + "rsa.time.event_time_str": "1521149029", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 45630, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:23:50.000Z", + 
"destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.206" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149030.562 17135 10.100.0.1 TCP_MISS/200 26443 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10010, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "216.58.219.206" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 17135, + "rsa.time.event_time": "2018-03-15T21:23:50.000Z", + "rsa.time.event_time_str": "1521149030", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 26443, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:24:01.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + 
"destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149041.120 24645 10.100.0.1 TCP_MISS/200 52379 CONNECT apis.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10112, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "172.217.12.174", + "10.100.0.1" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "apis.google.com", + "rsa.time.duration_time": 24645, + "rsa.time.event_time": "2018-03-15T21:24:01.000Z", + "rsa.time.event_time_str": "1521149041", + "rsa.web.alias_host": "apis.google.com", + "server.domain": "apis.google.com", + "service.type": "squid", + "source.bytes": 52379, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "apis.google.com", + "url.original": "apis.google.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:24:01.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Bluffdale", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 40.4953, + "destination.geo.location.lon": -111.9439, + "destination.geo.region_iso_code": "US-UT", + "destination.geo.region_name": "Utah", + "destination.ip": [ + "216.58.219.206" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149041.124 27963 10.100.0.1 TCP_MISS/200 510095 CONNECT i.ytimg.com:443 - 
DIRECT/216.58.219.206 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10218, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "216.58.219.206" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "i.ytimg.com", + "rsa.time.duration_time": 27963, + "rsa.time.event_time": "2018-03-15T21:24:01.000Z", + "rsa.time.event_time_str": "1521149041", + "rsa.web.alias_host": "i.ytimg.com", + "server.domain": "i.ytimg.com", + "service.type": "squid", + "source.bytes": 510095, + "source.ip": [ + "10.100.0.1" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "i.ytimg.com", + "url.original": "i.ytimg.com:443", + "user.name": [ + "-" + ] + }, + { + "@timestamp": "2018-03-15T21:24:01.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "172.217.12.174" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1521149041.125 32394 10.100.0.1 TCP_MISS/200 235026 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10321, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.100.0.1", + "172.217.12.174" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + 
"rsa.misc.action": [
+ "TCP_MISS",
+ "CONNECT"
+ ],
+ "rsa.misc.content_type": "-",
+ "rsa.misc.result_code": "200",
+ "rsa.network.domain": "news.google.com",
+ "rsa.time.duration_time": 32394,
+ "rsa.time.event_time": "2018-03-15T21:24:01.000Z",
+ "rsa.time.event_time_str": "1521149041",
+ "rsa.web.alias_host": "news.google.com",
+ "server.domain": "news.google.com",
+ "service.type": "squid",
+ "source.bytes": 235026,
+ "source.ip": [
+ "10.100.0.1"
+ ],
+ "tags": [
+ "squid.log",
+ "forwarded"
+ ],
+ "url.domain": "news.google.com",
+ "url.original": "news.google.com:443",
+ "user.name": [
+ "-"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md
new file mode 100644
index 00000000000..4e23a7d0fdc
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/README.md
@@ -0,0 +1,7 @@
+# tenable module
+
+This is a module for Tenable Network Security Nessus logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0
+at 2020-07-07 18:10:47.316331 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/tenable/_meta/config.yml b/x-pack/filebeat/module/tenable/_meta/config.yml
new file mode 100644
index 00000000000..5d4527eb47b
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: tenable
+ nessus_security:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9516
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/tenable/_meta/docs.asciidoc b/x-pack/filebeat/module/tenable/_meta/docs.asciidoc
new file mode 100644
index 00000000000..a0b811750cb
--- /dev/null
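Review bot: The config template stops at `var.tz_offset` and never mentions `var.keep_raw_fields`, although the docs.asciidoc hunk in the same commit documents it as a setting of this fileset with a default of false, so a user reading only the reference config will not discover it. I would add a commented block after the `var.rsa_fields` entry in the existing style: `# Toggle output of the raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. Since the README states the module is autogenerated, the gap presumably originates in the generator's config template and is best fixed there rather than by hand-editing this file.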
+++ b/x-pack/filebeat/module/tenable/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: tenable
+:has-dashboards: false
+
+== Tenable module
+
+experimental[]
+
+This is a module for receiving Tenable Network Security Nessus logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: nessus_security
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `nessus_security` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "nessusvs" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9516`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/tenable/_meta/fields.yml b/x-pack/filebeat/module/tenable/_meta/fields.yml
new file mode 100644
index 00000000000..1c69ddd4b1f
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: tenable
+ title: Tenable Network Security Nessus
+ description: >
+ tenable fields.
+ fields:
diff --git a/x-pack/filebeat/module/tenable/fields.go b/x-pack/filebeat/module/tenable/fields.go
new file mode 100644
index 00000000000..e655ed3897c
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package tenable
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "tenable", asset.ModuleFieldsPri, AssetTenable); err != nil {
+ panic(err)
+ }
+}
+
+// AssetTenable returns asset data.
+// This is the base64 encoded gzipped contents of module/tenable.
+func AssetTenable() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml b/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/input.yml b/x-pack/filebeat/module/tenable/nessus_security/config/input.yml
new file mode 100644
index 00000000000..b91f14239e9
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/nessus_security/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Tenable"
+ product: "Nessus"
+ type: "Vulnerability"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/tenable/nessus_security/config/liblogparser.js
+ - ${path.home}/module/tenable/nessus_security/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
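Review bot: `tz_offset: {{.tz_offset}}` under `params:` is rendered unquoted, so a value configured in the bare `-0500` form may be read by the YAML loader as a number rather than a string, and `parse_tz_offset` in the liblogparser.js hunk further down this page calls `offset.match(...)` on it, which only works on a string. Quoting the template value, `tz_offset: "{{.tz_offset}}"`, keeps the parameter a string for every accepted form ("local", "event" and the ±HH:MM variants it handles). `debug: {{.debug}}` also deserves a comment: with it enabled the `match` helper in liblogparser.js logs every raw input line via `console.debug("  input: <<" + msg + ">>")`, so scan payloads are copied into the Filebeat log. A comment such as `# debug echoes every raw event into the beat log; leave it off outside troubleshooting` would make that visible to whoever edits the module config.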
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+}
+
+function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+}
+
+var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+})();
+
+function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+}
+
+function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+}
+
+function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+}
+
+function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+}
+
+function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+}
+
+var start;
+
+function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+}
+
+function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+}
+
+function constant(value) {
+ return function (evt) {
+ return value;
+ };
+}
+
+function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+}
+
+function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+}
+
+// TODO: Implement
+function DIRCHK(args) {
+ unimplemented("DIRCHK");
+}
+
+function strictToInt(str) {
+ return str * 1;
+}
+
+function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+}
+
+function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+}
+
+function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+}
+
+function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+}
+
+function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+}
+
+// Make two-digit dates 00-69 interpreted as 2000-2069
+// and dates 70-99 translated to 1970-1999.
+var twoDigitYearEpoch = 70;
+var twoDigitYearCentury = 2000;
+
+// This is to accept dates up to 2 days in the future, only used when
+// no year is specified in a date. 2 days should be enough to account for
+// time differences between systems and different tz offsets.
+var maxFutureDelta = 2*24*60*60*1000;
+
+// DateContainer stores date fields and then converts those fields into
+// a Date. Necessary because building a Date using its set() methods gives
+// different results depending on the order of components.
+function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+}
+
+DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+}
+
+function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{messageid->} %{payload}", processor_chain([ + 
setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{hfld5->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("hfld5"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0006", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}(%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant("("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(") "), + field("hfld6"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + 
hdr6, +]); + +var part1 = match("MESSAGE#0:REPORTITEM", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^Host_start=%{fld30}^^Host_end=%{fld31}^^Severity=%{severity}^^Risk_factor=%{risk}^^Service_name=%{service}^^Protocol=%{protocol}^^Vulnerability_refs=%{vuln_ref}^^CVSS_base_score=%{risk_num}^^CVSS_vector=%{fld32}^^PluginID=%{rule}^^Plugin_name=%{rulename}^^Plugin Family=%{rule_group}^^Synopsis=%{event_description}", processor_chain([ + dup1, + dup2, +])); + +var msg1 = msg("REPORTITEM", part1); + +var part2 = match("MESSAGE#1:REPORTITEM:01", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^%{event_description}", processor_chain([ + dup1, + dup2, +])); + +var msg2 = msg("REPORTITEM:01", part2); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var part3 = match("MESSAGE#2:connection", "nwparser.payload", "connection from %{hostip}", processor_chain([ + dup3, + dup2, + dup4, + setc("action","connecting"), +])); + +var msg3 = msg("connection", part3); + +var part4 = match("MESSAGE#3:Deleting", "nwparser.payload", "Deleting user %{username}", processor_chain([ + dup3, + setc("ec_subject","User"), + setc("ec_activity","Delete"), + dup2, + dup4, + setc("action","Deleting"), +])); + +var msg4 = msg("Deleting", part4); + +var part5 = match("MESSAGE#4:Finished", "nwparser.payload", "Finished testing %{hostip}. 
%{fld5}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished testing"), +])); + +var msg5 = msg("Finished", part5); + +var part6 = match("MESSAGE#5:Finished:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished"), +])); + +var msg6 = msg("Finished:01", part6); + +var select3 = linear_select([ + msg5, + msg6, +]); + +var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","finished"), +])); + +var msg7 = msg("finished", part7); + +var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username}: test complete", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Test Complete"), +])); + +var msg8 = msg("user", part8); + +var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username}: testing %{hostname}(%{hostip}) %{fld1}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","testing"), +])); + +var msg9 = msg("user:01", part9); + +var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username}starts a new scan. 
Target(s) : %{hostname}, %{info}", processor_chain([ + dup5, + dup2, + dup4, + dup6, +])); + +var msg10 = msg("user:02", part10); + +var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username}: launching %{rulename}against %{url}[%{process_id}]", processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup4, + setc("event_description","User launched rule scan"), +])); + +var msg11 = msg("user_launching", part11); + +var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username}: Not launching %{rulename}against %{url->} %{reason}", processor_chain([ + dup7, + dup2, + dup4, +])); + +var msg12 = msg("user_not_launching", part12); + +var select4 = linear_select([ + msg8, + msg9, + msg10, + msg11, + msg12, +]); + +var part13 = match("MESSAGE#9:Scan", "nwparser.payload", "Scan done: %{info}", processor_chain([ + dup5, + dup2, + dup4, + setc("action","Scan complete"), +])); + +var msg13 = msg("Scan", part13); + +var msg14 = msg("Total", dup14); + +var msg15 = msg("Task", dup14); + +var msg16 = msg("started", dup15); + +var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","failed"), +])); + +var msg17 = msg("failed", part14); + +var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description}(pid=%{process_id})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg18 = msg("Nessus", part15); + +var part16 = match("MESSAGE#15:Reloading", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Reloading"), +])); + +var msg19 = msg("Reloading", part16); + +var part17 = match("MESSAGE#16:New", "nwparser.payload", "New connection timeout -- closing the socket%{}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","connection timeout"), +])); + +var msg20 = msg("New", part17); + +var part18 = match("MESSAGE#17:Invalid", "nwparser.payload", 
"%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Invalid"), +])); + +var msg21 = msg("Invalid", part18); + +var msg22 = msg("Client", dup14); + +var msg23 = msg("auth_check_user", dup14); + +var part19 = match("MESSAGE#20:bad", "nwparser.payload", "bad login attempt from %{hostip}", processor_chain([ + dup9, + dup2, + dup4, + dup10, +])); + +var msg24 = msg("bad", part19); + +var msg25 = msg("Reducing", dup14); + +var msg26 = msg("Redirecting", dup14); + +var msg27 = msg("Missing", dup14); + +var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{event_description}", processor_chain([ + setc("eventcategory","1401060000"), + dup2, + dup4, +])); + +var msg28 = msg("User", part20); + +var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username}starts a new scan (%{fld25})", processor_chain([ + dup5, + dup2, + dup4, + dup6, +])); + +var msg29 = msg("User:01", part21); + +var select5 = linear_select([ + msg28, + msg29, +]); + +var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason->} ", processor_chain([ + dup1, + dup11, + dup2, + dup4, +])); + +var msg30 = msg("Plugins", part22); + +var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename}(process %{process_id}) finished its job in %{duration}seconds ", processor_chain([ + dup1, + dup12, + setc("ec_outcome","Success"), + dup2, + dup4, + setc("event_description","Rule scan finished"), +])); + +var msg31 = msg("process_finished", part23); + +var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename}(pid %{process_id}) is slow to finish - killing it ", processor_chain([ + dup7, + dup12, + dup11, + dup2, + dup4, + setc("event_description","Rule scan killed due to slow response"), +])); + +var msg32 = msg("process_notfinished_killed", part24); + +var part25 = match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1}TCP sessions in parallel", 
processor_chain([ + dup1, + dup2, + dup4, + setc("event_description","TCP sessions in parallel"), +])); + +var msg33 = msg("TCP", part25); + +var msg34 = msg("nessusd", dup14); + +var msg35 = msg("installation", dup14); + +var msg36 = msg("Running", dup14); + +var msg37 = msg("started.", dup15); + +var msg38 = msg("scanner", dup14); + +var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description}(pid %{process_id})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg39 = msg("Another", part26); + +var part27 = match("MESSAGE#39:Bad", "nwparser.payload", "Bad login attempt for user '%{username}' %{info}", processor_chain([ + dup9, + dup2, + dup4, + dup10, +])); + +var msg40 = msg("Bad", part27); + +var msg41 = msg("Full", dup14); + +var msg42 = msg("System", dup14); + +var msg43 = msg("Initial", dup14); + +var part28 = match("MESSAGE#43:Adding", "nwparser.payload", "Adding new user '%{username}'", processor_chain([ + setc("eventcategory","1402020200"), + dup2, + dup4, +])); + +var msg44 = msg("Adding", part28); + +var part29 = match("MESSAGE#44:Granting", "nwparser.payload", "Granting admin privileges to user '%{username}'", processor_chain([ + setc("eventcategory","1402030000"), + dup2, + dup4, +])); + +var msg45 = msg("Granting", part29); + +var msg46 = msg("Could", dup16); + +var msg47 = msg("depends", dup16); + +var msg48 = msg("Converting", dup14); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Adding": msg44, + "Another": msg39, + "Bad": msg40, + "Client": msg22, + "Converting": msg48, + "Could": msg46, + "Deleting": msg4, + "Finished": select3, + "Full": msg41, + "Granting": msg45, + "Initial": msg43, + "Invalid": msg21, + "Missing": msg27, + "Nessus": msg18, + "New": msg20, + "Plugins": msg30, + "REPORTITEM": select2, + "Redirecting": msg26, + "Reducing": msg25, + "Reloading": msg19, + "Running": msg36, + "Scan": msg13, + "System": msg42, + "TCP": msg33, + "Task": msg15, + "Total": msg14, + "User": select5, + 
"auth_check_user": msg23, + "bad": msg24, + "connection": msg3, + "depends": msg47, + "failed": msg17, + "finished": msg7, + "installation": msg35, + "nessusd": msg34, + "pid": msg32, + "process": msg31, + "scanner": msg38, + "started": msg16, + "started.": msg37, + "user": select4, + }), +]); + +var part30 = match("MESSAGE#10:Total", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, +])); + +var part31 = match("MESSAGE#12:started", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + dup8, +])); + +var part32 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}", processor_chain([ + dup13, + dup2, + dup4, +])); diff --git a/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml b/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml new file mode 100644 index 00000000000..7482d9c4c9d --- /dev/null +++ b/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Tenable Network Security Nessus
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/tenable/nessus_security/manifest.yml b/x-pack/filebeat/module/tenable/nessus_security/manifest.yml
new file mode 100644
index 00000000000..eeaa83f86c5
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/nessus_security/manifest.yml
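Review bot: The `on_failure` handler at the end of the hunk records only `_ingest.on_failure_message`, so a failure in the `user_agent` processor and one in any of the four `geoip` processors both land in `error.message` looking alike, and since the document is still indexed that message is the only trace left for triage. Including the processor type in the appended value, `value: "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"`, keeps the existing convention while making the failing stage identifiable. If the other converted modules in this series use the plain form, it is probably better to change them together than to diverge here.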
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["tenable.nessus_security", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9516
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md
new file mode 100644
index 00000000000..d0cfba14689
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/README.md
@@ -0,0 +1,7 @@
+# tomcat module
+
+This is a module for Apache Tomcat logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105
+at 2020-07-07 18:10:40.660733 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml
new file mode 100644
index 00000000000..25592f0ad30
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: tomcat
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9501
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc
new file mode 100644
index 00000000000..c68f663b190
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: tomcat
+:has-dashboards: false
+
+== Tomcat module
+
+experimental[]
+
+This is a module for receiving Apache Tomcat logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9501`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/tomcat/_meta/fields.yml b/x-pack/filebeat/module/tomcat/_meta/fields.yml
new file mode 100644
index 00000000000..4c67d0156af
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: tomcat
+ title: Apache Tomcat
+ description: >
+ tomcat fields.
+ fields:
diff --git a/x-pack/filebeat/module/tomcat/fields.go b/x-pack/filebeat/module/tomcat/fields.go
new file mode 100644
index 00000000000..53b856d7d27
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package tomcat
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "tomcat", asset.ModuleFieldsPri, AssetTomcat); err != nil {
+ panic(err)
+ }
+}
+
+// AssetTomcat returns asset data.
+// This is the base64 encoded gzipped contents of module/tomcat.
+func AssetTomcat() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml
new file mode 100644
index 00000000000..3d395874c03
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml
new file mode 100644
index 00000000000..256f657133f
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Apache"
+ product: "TomCat"
+ type: "Web"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/tomcat/log/config/liblogparser.js
+ - ${path.home}/module/tomcat/log/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
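Review bot: The non-file branch opens a network listener via `type: {{.input}}` / `host: "{{.syslog_host}}:{{.syslog_port}}"`, and nothing in this template says where those two values default to; they presumably come from the module's manifest.yml, which is outside this hunk. A template comment above that line would save operators a lookup, e.g. `# syslog_host/syslog_port are module settings; keep the bind address on a loopback or management interface unless this host is meant to receive forwarded logs`. Separately, `product: "TomCat"` under `observer` does not match the product's own spelling, Tomcat; `observer.product` is the value dashboards and detection rules filter on, so `product: "Tomcat"` keeps it consistent with what users will search for.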
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_set}]}, + "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": 
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} 
%{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname}%APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("ABCD", dup7); + +var msg2 = msg("BADMETHOD", dup7); + +var msg3 = msg("BADMTHD", dup7); + +var msg4 = msg("BDMTHD", dup7); + +var msg5 = msg("INDEX", dup7); + +var msg6 = msg("CFYZ", dup7); + +var msg7 = msg("CONNECT", dup7); + +var msg8 = msg("DELETE", dup7); + +var msg9 = msg("DETECT_METHOD_TYPE", dup7); + +var msg10 = msg("FGET", dup7); + +var msg11 = msg("GET", dup7); + +var msg12 = msg("get", dup7); + +var msg13 = msg("HEAD", dup7); + +var msg14 = msg("id", dup7); + +var msg15 = msg("LOCK", dup7); + +var msg16 = msg("MKCOL", dup7); + +var msg17 = msg("NCIRCLE", dup7); + +var msg18 = msg("OPTIONS", dup7); + +var msg19 = msg("POST", dup7); + +var msg20 = msg("PRONECT", dup7); + +var msg21 = msg("PROPFIND", dup7); + +var msg22 = msg("PUT", dup7); + +var msg23 = msg("QUALYS", dup7); + +var msg24 = msg("SEARCH", dup7); + +var msg25 = msg("TRACK", dup7); + +var msg26 = msg("TRACE", dup7); + +var msg27 = msg("uGET", dup7); + +var msg28 = msg("null", dup7); + +var msg29 = msg("rndmmtd", dup7); + +var msg30 = msg("RNDMMTD", dup7); + +var msg31 = msg("asdf", dup7); + +var msg32 = msg("DEBUG", dup7); + +var msg33 = msg("COOK", dup7); + +var msg34 = msg("nGET", dup7); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "ABCD": msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + 
"COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), +]); + +var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, +])); diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml new file mode 100644 index 00000000000..e5cd87682ea --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Apache Tomcat
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/tomcat/log/manifest.yml b/x-pack/filebeat/module/tomcat/log/manifest.yml
new file mode 100644
index 00000000000..22d091842cf
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/manifest.yml
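Review bot: The `description` line says only `Pipeline for Apache Tomcat`, yet none of the processors that follow parse anything — every step is enrichment (user_agent, geoip, AS renames) over fields that must already exist, apparently populated by the module's JavaScript processor earlier in this patch. A reader debugging an empty `source.geo` needs that split stated up front; suggest `description: Pipeline for Apache Tomcat access logs (enrichment only: user_agent, GeoIP/ASN; field extraction is done in the module's JS processor)`. Every lookup also carries `ignore_missing: true`, so events with no `source.ip`/`destination.ip` pass through silently, which deserves a one-line comment above the first geoip step so a missing geo block is not read as a failed lookup.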
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["tomcat.log", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9501
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log b/x-pack/filebeat/module/tomcat/log/test/generated.log
new file mode 100644
index 00000000000..6d52ed9cd2e
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log
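Review bot: The `input` var defaults to `udp` and `syslog_host` to `localhost`, and the manifest records no reason for either, which is the first thing an operator changing them needs to know. Syslog over UDP carries no sender authentication, so once `syslog_host` is widened to a routable address the parser receives unauthenticated, spoofable events; suggest a comment above the `syslog_host` entry, `# Bound to localhost by default: UDP syslog is unauthenticated, so only widen this behind a trusted collector`. The `tz_offset: local` default would likewise benefit from one line stating that timestamps without a zone are interpreted in the Filebeat host's local time, since the generated test log mixes zoned and unzoned forms.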
@@ -0,0 +1,100 @@ +%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu +%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari +February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul +%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec +%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36||fug +%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi +April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed +May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam +%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera +%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 
60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc +June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain +July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq +July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto +%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese +%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 
GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio +August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn +%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu +September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender +%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; 
VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab +October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor +November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol +%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan +%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30||uiinea +%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure +January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec +January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain +%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol +%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium +March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed +%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita +April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe +April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni +%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 
OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo +May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto +%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec +June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica +June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 
OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites +%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae +%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun +%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq +August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq 
+%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni +%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq +October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo +%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc +%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo +%APACHETOMCAT-494-GET: 
10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd +December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo +December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim +December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet +%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF +January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon +%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem +%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua +March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll +%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 
CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq +April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo +%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa +%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla +May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except 
+June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer +%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul +July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau +%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola +August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore +August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco +August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met +%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq +September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt +%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 
OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi +%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat +November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq +November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit +December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut +%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem +%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa +%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor +February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd +February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN 
Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con +March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti +%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau +%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq +April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse +April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 
GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel +May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit +%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw +%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq +June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari +July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid +%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu +August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa +%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo +%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; 
Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides +%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea +October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol +October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau +November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta +November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 
GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve +November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua +%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
new file mode 100644
index 00000000000..3f1c739f050
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -0,0 +1,5422 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "asdf", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer", + "http.response.body.content": "vol", + "input.type": "log", + "log.offset": 0, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.251.224.219" + ], + "rsa.internal.level": 1516, + "rsa.internal.messageid": "asdf", + "rsa.misc.action": [ + "exercita" + ], + "rsa.misc.result_code": "ntsunti", + "rsa.network.network_service": "oremi", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.com/illumqui/ventore.html?min=ite#utl", + "rsa.web.fqdn": "https://example.com/illumqui/ventore.html?min=ite#utl", + "rsa.web.web_cookie": "aliqu", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5293, + "source.ip": [ + "10.251.224.219" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "amremap", + "user.name": [ + "rci" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": 
"83.0.4103.83" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari", + "event.timezone": "PST", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn", + "http.response.body.content": "pisciv", + "input.type": "log", + "log.offset": 369, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.196.153.12" + ], + "rsa.internal.level": 259, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "umqui" + ], + "rsa.misc.result_code": "estlabo", + "rsa.network.network_service": "umexe", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "rsa.web.fqdn": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "rsa.web.web_cookie": "nulapari", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 5222, + "source.ip": [ + "10.196.153.12" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "uii", + "user.name": [ + "abo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", 
+ "event.module": "tomcat", + "event.original": "February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul", + "event.timezone": "PT", + "fileset.name": "log", + "host.name": "ctetur5806.api.home", + "http.request.referrer": "https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons", + "http.response.body.content": "emape", + "input.type": "log", + "log.offset": 708, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.156.194.38" + ], + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "incid" + ], + "rsa.misc.result_code": "tia", + "rsa.network.alias_host": [ + "ctetur5806.api.home" + ], + "rsa.network.network_service": "lupt", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "rsa.web.fqdn": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "rsa.web.web_cookie": "nul", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 7019, + "source.ip": [ + "10.156.194.38" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "aer", + "user.name": [ + "enatus" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec", + "event.timezone": "CT", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit", + "http.response.body.content": "ionofde", + "input.type": "log", + "log.offset": 1166, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.196.118.192" + ], + "rsa.internal.level": 1060, + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "equat" + ], + "rsa.misc.result_code": "quiavo", + "rsa.network.network_service": "uia", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "rsa.web.fqdn": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "rsa.web.web_cookie": "tconsec", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 1156, + "source.ip": [ + "10.196.118.192" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "con", + "user.name": [ + "tur" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||fug", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat", + "http.response.body.content": "equuntu", + "input.type": "log", + "log.offset": 1603, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.246.209.145" + ], + "rsa.internal.level": 4141, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "ommod" + ], + "rsa.misc.result_code": "rmagni", + "rsa.network.network_service": "enimad", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "rsa.web.fqdn": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "rsa.web.web_cookie": "fug", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 1998, + "source.ip": [ + "10.246.209.145" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "eos", + "user.name": [ + "llu" + ], + "user_agent.device.name": 
"VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi", + "event.timezone": "PST", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu", + "http.response.body.content": "pori", + "input.type": "log", + "log.offset": 1997, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.114.191.225" + ], + "rsa.internal.level": 2964, + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "exercit" + ], + "rsa.misc.result_code": "reetdolo", + "rsa.network.network_service": "ect", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "rsa.web.fqdn": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "rsa.web.web_cookie": "tanimi", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 2770, + "source.ip": [ + "10.114.191.225" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + 
"url.query": "occ", + "user.name": [ + "tempo" + ], + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed", + "event.timezone": "PT", + "fileset.name": "log", + "host.name": "erep2696.www.home", + "http.request.referrer": "https://api.example.com/uovol/dmi.txt?quunt=ptat#ore", + "http.response.body.content": "loremagn", + "input.type": "log", + "log.offset": 2400, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.38.77.13" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "ehend" + ], + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "erep2696.www.home" + ], + "rsa.network.network_service": "gelits", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "rsa.web.fqdn": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "rsa.web.web_cookie": "tsed", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": 
"tomcat", + "source.bytes": 3856, + "source.ip": [ + "10.38.77.13" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "ipis", + "user.name": [ + "liqu" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "DEBUG", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam", + "event.timezone": "CEST", + "fileset.name": "log", + "host.name": "mUt2398.invalid", + "http.request.referrer": "https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio", + "http.response.body.content": "inB", + "input.type": "log", + "log.offset": 2830, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.11.201.109" + ], + "rsa.internal.messageid": "DEBUG", + "rsa.misc.action": [ + "iinea" + ], + "rsa.misc.result_code": "ntsuntin", + "rsa.network.alias_host": [ + "mUt2398.invalid" + ], + "rsa.network.network_service": "tquovol", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": 
"https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "rsa.web.fqdn": "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "rsa.web.web_cookie": "iam", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 3341, + "source.ip": [ + "10.11.201.109" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "deomni", + "user.name": [ + "ugits" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera", + "event.timezone": "CT", + "fileset.name": "log", + "http.request.referrer": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto", + "http.response.body.content": "iqu", + "input.type": "log", + "log.offset": 3299, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.182.166.181" + ], + "rsa.internal.level": 3097, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "olupta" + ], + "rsa.misc.result_code": "aper", + "rsa.network.network_service": "usan", + 
"rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "rsa.web.fqdn": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "rsa.web.web_cookie": "mquaera", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 5529, + "source.ip": [ + "10.182.166.181" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "ollit", + "user.name": [ + "mol" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "event.code": "null", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist", + "http.response.body.content": "metcon", + "input.type": "log", + "log.offset": 3696, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.126.247" + ], + "rsa.internal.level": 6283, + "rsa.internal.messageid": "null", + "rsa.misc.action": [ + "avol" + ], + "rsa.misc.result_code": "emporinc", + 
"rsa.network.network_service": "litessec", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "rsa.web.fqdn": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "rsa.web.web_cookie": "caecatc", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 5075, + "source.ip": [ + "10.185.126.247" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "smo", + "user.name": [ + "quu" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "siuta2896.www.localhost", + "http.request.referrer": "https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea", + "http.response.body.content": "antiumto", + "input.type": "log", + "log.offset": 4044, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.72.114.23" + ], + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "rsint" + ], + "rsa.misc.result_code": "usmod", + 
"rsa.network.alias_host": [ + "siuta2896.www.localhost" + ], + "rsa.network.network_service": "ctetura", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "rsa.web.fqdn": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "rsa.web.web_cookie": "orain", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 1640, + "source.ip": [ + "10.72.114.23" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "strude", + "user.name": [ + "nsequu" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "oin6316.www5.host", + "http.request.referrer": "https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE", + "http.response.body.content": "onproide", + "input.type": "log", + "log.offset": 4460, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ 
+ "10.129.241.147" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "etc" + ], + "rsa.misc.result_code": "imaven", + "rsa.network.alias_host": [ + "oin6316.www5.host" + ], + "rsa.network.network_service": "itaut", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "rsa.web.fqdn": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "rsa.web.web_cookie": "inculpaq", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 152, + "source.ip": [ + "10.129.241.147" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "luptat", + "user.name": [ + "lapariat" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "host.name": "tionemu7691.www.local", + "http.request.referrer": 
"https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "http.response.body.content": "tectobe", + "input.type": "log", + "log.offset": 4878, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.101.76" + ], + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "stl" + ], + "rsa.misc.result_code": "etdolo", + "rsa.network.alias_host": [ + "tionemu7691.www.local" + ], + "rsa.network.network_service": "iusmodt", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "rsa.web.fqdn": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "rsa.web.web_cookie": "itecto", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 3768, + "source.ip": [ + "10.185.101.76" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "colabor", + "user.name": [ + "des" + ], + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten", + "http.response.body.content": "ici", + "input.type": "log", + "log.offset": 5364, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.57.170.140" + ], + "rsa.internal.level": 3217, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "inibusBo" + ], + "rsa.misc.result_code": "dexeac", + "rsa.network.network_service": "eritquii", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "rsa.web.fqdn": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "rsa.web.web_cookie": "iadese", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 3088, + "source.ip": [ + "10.57.170.140" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "giatquov", + "user.name": [ + "onse" + ], + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 
GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu", + "http.response.body.content": "idolor", + "input.type": "log", + "log.offset": 5761, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.33.153.47" + ], + "rsa.internal.level": 1109, + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "iineavo" + ], + "rsa.misc.result_code": "lupt", + "rsa.network.network_service": "CSed", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "rsa.web.fqdn": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "rsa.web.web_cookie": "tio", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 6136, + "source.ip": [ + "10.33.153.47" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "emeumfu", + "user.name": [ + "atquovo" + ], + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + 
"event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn", + "event.timezone": "CET", + "fileset.name": "log", + "host.name": "conse2991.internal.lan", + "http.request.referrer": "https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit", + "http.response.body.content": "olorema", + "input.type": "log", + "log.offset": 6206, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.116.104.101" + ], + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "lumqui" + ], + "rsa.misc.result_code": "datatn", + "rsa.network.alias_host": [ + "conse2991.internal.lan" + ], + "rsa.network.network_service": "siarchi", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "rsa.web.fqdn": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "rsa.web.web_cookie": "remagn", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5076, + "source.ip": [ + "10.116.104.101" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "iades", + "user.name": [ + "tat" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + 
"user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "event.code": "null", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tlabori/oin.jpg?quisnos=ite#ationul", + "http.response.body.content": "iadese", + "input.type": "log", + "log.offset": 6628, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.202.194.67" + ], + "rsa.internal.level": 3361, + "rsa.internal.messageid": "null", + "rsa.misc.action": [ + "eirure" + ], + "rsa.misc.result_code": "utei", + "rsa.network.network_service": "utla", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "rsa.web.fqdn": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "rsa.web.web_cookie": "eritqu", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2716, + "source.ip": [ + "10.202.194.67" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "nsectet", + "user.name": [ + "ittenbyC" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade 
V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "wri2784.api.domain", + "http.request.referrer": "https://www.example.com/adeseru/emoe.html?atur=itanimi#itame", + "http.response.body.content": "eaq", + "input.type": "log", + "log.offset": 7086, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.153.111.103" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "taevit" + ], + "rsa.misc.result_code": "labore", + "rsa.network.alias_host": [ + "wri2784.api.domain" + ], + "rsa.network.network_service": "ctetura", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "rsa.web.fqdn": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "rsa.web.web_cookie": "rehender", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 4621, + "source.ip": [ + "10.153.111.103" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": 
"www5.example.com", + "url.query": "occae", + "user.name": [ + "modocon" + ], + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", + "http.response.body.content": "radipisc", + "input.type": "log", + "log.offset": 7515, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.52.186.29" + ], + "rsa.internal.level": 1637, + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "ione" + ], + "rsa.misc.result_code": "uscipit", + "rsa.network.network_service": "fficiade", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "rsa.web.fqdn": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "rsa.web.web_cookie": "mcolab", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + 
"source.bytes": 4168, + "source.ip": [ + "10.52.186.29" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "tmo", + "user.name": [ + "doloreme" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor", + "event.timezone": "GMT-07:00", + "fileset.name": "log", + "host.name": "oquisqu2937.mail.domain", + "http.request.referrer": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", + "http.response.body.content": "boN", + "input.type": "log", + "log.offset": 7922, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.209.182.237" + ], + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "osqui" + ], + "rsa.misc.result_code": "aboN", + "rsa.network.alias_host": [ + "oquisqu2937.mail.domain" + ], + "rsa.network.network_service": "aevit", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": 
"GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "rsa.web.fqdn": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "rsa.web.web_cookie": "lor", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 3423, + "source.ip": [ + "10.209.182.237" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "eprehend", + "user.name": [ + "olor" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol", + "event.timezone": "CT", + "fileset.name": "log", + "host.name": "dolore1287.internal.lan", + "http.request.referrer": "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", + "http.response.body.content": "isnisiu", + "input.type": "log", + "log.offset": 8486, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": 
"Apache", + "related.ip": [ + "10.63.194.87" + ], + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "aliquam" + ], + "rsa.misc.result_code": "tcons", + "rsa.network.alias_host": [ + "dolore1287.internal.lan" + ], + "rsa.network.network_service": "tsu", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "rsa.web.fqdn": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "rsa.web.web_cookie": "dol", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3128, + "source.ip": [ + "10.63.194.87" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "bore", + "user.name": [ + "sin" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": 
"https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", + "http.response.body.content": "eroi", + "input.type": "log", + "log.offset": 8961, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.62.191.18" + ], + "rsa.internal.level": 4307, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "tlabo" + ], + "rsa.misc.result_code": "ofde", + "rsa.network.network_service": "aliquide", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "rsa.web.fqdn": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "rsa.web.web_cookie": "udan", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 4940, + "source.ip": [ + "10.62.191.18" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "dtemp", + "user.name": [ + "orporiss" + ], + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile 
Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||uiinea", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat", + "http.response.body.content": "iciadese", + "input.type": "log", + "log.offset": 9407, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.238.164.29" + ], + "rsa.internal.level": 6040, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "temvel" + ], + "rsa.misc.result_code": "olupta", + "rsa.network.network_service": "tessec", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "rsa.web.fqdn": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "rsa.web.web_cookie": "uiinea", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2660, + "source.ip": [ + "10.238.164.29" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "quidolor", + "user.name": [ + "utlabor" + ], + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 
CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure", + "event.timezone": "CT", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", + "http.response.body.content": "ipsumdol", + "input.type": "log", + "log.offset": 9841, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.155.230.17" + ], + "rsa.internal.level": 1612, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "Ute" + ], + "rsa.misc.result_code": "urerepr", + "rsa.network.network_service": "etdo", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "rsa.web.fqdn": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "rsa.web.web_cookie": "uteirure", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 4674, + "source.ip": [ + "10.155.230.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "tet", + "user.name": [ + "ionevo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 6 07:11:41 
ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "ide2767.www5.local", + "http.request.referrer": "https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav", + "http.response.body.content": "niamqui", + "input.type": "log", + "log.offset": 10224, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.102.229.102" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "tco" + ], + "rsa.misc.result_code": "atno", + "rsa.network.alias_host": [ + "ide2767.www5.local" + ], + "rsa.network.network_service": "sno", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.net/officiad/itam.html?madmi=tur#roi", + "rsa.web.fqdn": "https://example.net/officiad/itam.html?madmi=tur#roi", + "rsa.web.web_cookie": "sec", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5263, + "source.ip": [ + "10.102.229.102" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "orem", + "user.name": [ + "tenbyCi" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "event.code": "HEAD", + 
"event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain", + "event.timezone": "OMST", + "fileset.name": "log", + "host.name": "sBon1759.invalid", + "http.request.referrer": "https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol", + "http.response.body.content": "etconsec", + "input.type": "log", + "log.offset": 10625, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.194.14.7" + ], + "rsa.internal.messageid": "HEAD", + "rsa.misc.action": [ + "ullamcor" + ], + "rsa.misc.result_code": "ersp", + "rsa.network.alias_host": [ + "sBon1759.invalid" + ], + "rsa.network.network_service": "evolu", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "rsa.web.fqdn": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "rsa.web.web_cookie": "orain", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 3536, + "source.ip": [ + "10.194.14.7" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "ios", + "user.name": [ + "vita" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", 
+ "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi", + "http.response.body.content": "utp", + "input.type": "log", + "log.offset": 11083, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.99.0.226" + ], + "rsa.internal.level": 6113, + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "quameius" + ], + "rsa.misc.result_code": "iciade", + "rsa.network.network_service": "rsitv", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "rsa.web.fqdn": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "rsa.web.web_cookie": "uredol", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 5649, + "source.ip": [ + "10.99.0.226" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "ema", + "user.name": [ + "uidol" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/loreme/untu.htm?ven=con#nisist", + "http.response.body.content": "uamni", + "input.type": "log", + "log.offset": 11478, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.107.174.213" + ], + "rsa.internal.level": 6945, + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "taedicta" + ], + "rsa.misc.result_code": "uine", + "rsa.network.network_service": "ati", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "rsa.web.fqdn": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "rsa.web.web_cookie": "ium", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 2438, + "source.ip": [ + "10.107.174.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "ctet", + "user.name": [ + "minimav" + ], + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed", + "event.timezone": "CET", + "fileset.name": "log", + "host.name": "idunt4707.host", + "http.request.referrer": "https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser", + "http.response.body.content": "gitsedqu", + "input.type": "log", + "log.offset": 11878, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.84.25.23" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "rQuisau" + ], + "rsa.misc.result_code": "quam", + "rsa.network.alias_host": [ + "idunt4707.host" + ], + "rsa.network.network_service": "rsitvolu", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "rsa.web.fqdn": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "rsa.web.web_cookie": "gitsed", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 5315, + "source.ip": [ + "10.84.25.23" + ], + 
"tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "borios", + "user.name": [ + "isnost" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita", + "event.timezone": "PT", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre", + "http.response.body.content": "rnatur", + "input.type": "log", + "log.offset": 12362, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.193.143.108" + ], + "rsa.internal.level": 4367, + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "atisun" + ], + "rsa.misc.result_code": "acommo", + "rsa.network.network_service": "essequam", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "rsa.web.fqdn": 
"https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "rsa.web.web_cookie": "ercita", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 3105, + "source.ip": [ + "10.193.143.108" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "ofdeFin", + "user.name": [ + "luptate" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe", + "event.timezone": "CT", + "fileset.name": "log", + "host.name": "emquia1497.www5.lan", + "http.request.referrer": "https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu", + "http.response.body.content": "seq", + "input.type": "log", + "log.offset": 12826, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.190.51.22" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "uisa" + ], + "rsa.misc.result_code": "atevelit", + "rsa.network.alias_host": [ + "emquia1497.www5.lan" + ], + "rsa.network.network_service": "sau", + 
"rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.com/mexe/its.htm?ice=oles#edic", + "rsa.web.fqdn": "https://example.com/mexe/its.htm?ice=oles#edic", + "rsa.web.web_cookie": "orumSe", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2450, + "source.ip": [ + "10.190.51.22" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "tutlab", + "user.name": [ + "siut" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni", + "event.timezone": "PT", + "fileset.name": "log", + "host.name": "riat3854.www5.home", + "http.request.referrer": "https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla", + "http.response.body.content": "rnatu", + "input.type": "log", + "log.offset": 13211, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.194.90.130" + ], + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "piscinge" + ], + "rsa.misc.result_code": "quasia", + "rsa.network.alias_host": [ + "riat3854.www5.home" + ], + "rsa.network.network_service": 
"ima", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "rsa.web.fqdn": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "rsa.web.web_cookie": "sequamni", + "rsa.web.web_ref_domain": "www5.example.com", + "service.type": "tomcat", + "source.bytes": 2382, + "source.ip": [ + "10.194.90.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "elitse", + "user.name": [ + "tconsect" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", + "http.response.body.content": "dolore", + "input.type": "log", + "log.offset": 13540, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.10.213.83" + ], + "rsa.internal.level": 6198, + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "ncididun" + ], + "rsa.misc.result_code": "ect", + "rsa.network.network_service": "quidexea", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", 
+ "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "rsa.web.fqdn": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "rsa.web.web_cookie": "labo", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 23, + "source.ip": [ + "10.10.213.83" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "uptate", + "user.name": [ + "psum" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto", + "event.timezone": "ET", + "fileset.name": "log", + "host.name": "aboreetd5461.host", + "http.request.referrer": "https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem", + "http.response.body.content": "liqua", + 
"input.type": "log", + "log.offset": 14078, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.52.125.9" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "nimid" + ], + "rsa.misc.result_code": "uasiar", + "rsa.network.alias_host": [ + "aboreetd5461.host" + ], + "rsa.network.network_service": "isis", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "rsa.web.fqdn": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "rsa.web.web_cookie": "rauto", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 2552, + "source.ip": [ + "10.52.125.9" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "mvele", + "user.name": [ + "urv" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec", + 
"event.timezone": "PT", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo", + "http.response.body.content": "reprehe", + "input.type": "log", + "log.offset": 14644, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.19.17.202" + ], + "rsa.internal.level": 5770, + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "isau" + ], + "rsa.misc.result_code": "itse", + "rsa.network.network_service": "suntin", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "rsa.web.fqdn": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "rsa.web.web_cookie": "aec", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 814, + "source.ip": [ + "10.19.17.202" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "tincu", + "user.name": [ + "mve" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36||ica", + "event.timezone": "PT", + "fileset.name": "log", + "host.name": "iquidexe304.mail.test", + "http.request.referrer": "https://api.example.com/tdol/upt.htm?asper=idunt#luptat", + "http.response.body.content": "qua", + "input.type": "log", + "log.offset": 15012, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.64.5" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "moenimi" + ], + "rsa.misc.result_code": "ipsamvo", + "rsa.network.alias_host": [ + "iquidexe304.mail.test" + ], + "rsa.network.network_service": "ate", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "rsa.web.fqdn": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "rsa.web.web_cookie": "ica", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 344, + "source.ip": [ + "10.195.64.5" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "rsita", + "user.name": [ + "uat" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.code": "POST", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 
OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites", + "event.timezone": "OMST", + "fileset.name": "log", + "host.name": "remips4828.www5.host", + "http.request.referrer": "https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor", + "http.response.body.content": "xce", + "input.type": "log", + "log.offset": 15419, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.209.77.194" + ], + "rsa.internal.messageid": "POST", + "rsa.misc.action": [ + "snost" + ], + "rsa.misc.result_code": "nimadmin", + "rsa.network.alias_host": [ + "remips4828.www5.host" + ], + "rsa.network.network_service": "aincidu", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "rsa.web.fqdn": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "rsa.web.web_cookie": "elites", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 4843, + "source.ip": [ + "10.209.77.194" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "dat", + "user.name": [ + "itesseq" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + 
"event.module": "tomcat", + "event.original": "%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "http.response.body.content": "ariatur", + "input.type": "log", + "log.offset": 15838, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.168.6.90" + ], + "rsa.internal.level": 1952, + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "atisund" + ], + "rsa.misc.result_code": "porincid", + "rsa.network.network_service": "iconseq", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "rsa.web.fqdn": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "rsa.web.web_cookie": "tae", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 6941, + "source.ip": [ + "10.168.6.90" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "rer", + "user.name": [ + "amvolupt" + ], + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + 
"user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc", + "http.response.body.content": "est", + "input.type": "log", + "log.offset": 16270, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.89.137.238" + ], + "rsa.internal.level": 7717, + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "emqu" + ], + "rsa.misc.result_code": "tla", + "rsa.network.network_service": "leumiu", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "rsa.web.fqdn": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "rsa.web.web_cookie": "erun", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 4765, + "source.ip": [ + "10.89.137.238" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "uptatemU", + "user.name": [ + "ore" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 
YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.code": "OPTIONS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq", + "event.timezone": "CT", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame", + "http.response.body.content": "giatquov", + "input.type": "log", + "log.offset": 16704, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.246.61.213" + ], + "rsa.internal.level": 4574, + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "loi" + ], + "rsa.misc.result_code": "toccaec", + "rsa.network.network_service": "miurerep", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "rsa.web.fqdn": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "rsa.web.web_cookie": "orroq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 7645, + "source.ip": [ + "10.246.61.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "tconsec", + "user.name": [ + "iusmodte" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "orin5238.host", + "http.request.referrer": "https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita", + "http.response.body.content": "oluptas", + "input.type": "log", + "log.offset": 17094, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.117.44.138" + ], + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "enderit" + ], + "rsa.misc.result_code": "olorem", + "rsa.network.alias_host": [ + "orin5238.host" + ], + "rsa.network.network_service": "isnost", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "rsa.web.fqdn": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "rsa.web.web_cookie": "aliq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 2760, + "source.ip": [ + "10.117.44.138" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "emvele", + "user.name": [ + "rcit" + ], + 
"user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve", + "http.response.body.content": "itlab", + "input.type": "log", + "log.offset": 17515, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.69.30.196" + ], + "rsa.internal.level": 4801, + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "ruredo" + ], + "rsa.misc.result_code": "equ", + "rsa.network.network_service": "omm", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "rsa.web.fqdn": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "rsa.web.web_cookie": "nimveni", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 4808, + "source.ip": [ + "10.69.30.196" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "urmag", + "user.name": [ + "elits" + ], + 
"user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq", + "event.timezone": "CT", + "fileset.name": "log", + "http.request.referrer": "https://example.org/onu/liquaUte.txt?velillu=ria#atDu", + "http.response.body.content": "tate", + "input.type": "log", + "log.offset": 17856, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.135.91.88" + ], + "rsa.internal.level": 7668, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "ugiatn" + ], + "rsa.misc.result_code": "ectiono", + "rsa.network.network_service": "asi", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "rsa.web.fqdn": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "rsa.web.web_cookie": "emq", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2241, + "source.ip": [ + "10.135.91.88" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "urExce", + "user.name": [ + "eporroq" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo", + "event.timezone": "CEST", + "fileset.name": "log", + "host.name": "agnaaliq1829.mail.test", + "http.request.referrer": "https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl", + "http.response.body.content": "estl", + "input.type": "log", + "log.offset": 18224, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.81.45.174" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "liquide" + ], + "rsa.misc.result_code": "incidid", + "rsa.network.alias_host": [ + "agnaaliq1829.mail.test" + ], + "rsa.network.network_service": "iruredol", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "rsa.web.fqdn": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "rsa.web.web_cookie": "mipsamvo", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 7699, + "source.ip": [ + "10.81.45.174" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + 
"url.query": "erun", + "user.name": [ + "fugitse" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc", + "event.timezone": "PST", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", + "http.response.body.content": "mve", + "input.type": "log", + "log.offset": 18644, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.87.179.233" + ], + "rsa.internal.level": 3517, + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "eum" + ], + "rsa.misc.result_code": "lorem", + "rsa.network.network_service": "iciad", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "rsa.web.fqdn": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "rsa.web.web_cookie": "dexerc", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 6137, + "source.ip": [ + "10.87.179.233" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], 
+ "url.domain": "www.example.org", + "url.query": "uia", + "user.name": [ + "avolu" + ], + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ", + "http.response.body.content": "eavolup", + "input.type": "log", + "log.offset": 19027, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.198.57.130" + ], + "rsa.internal.level": 2669, + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "perspici" + ], + "rsa.misc.result_code": "erc", + "rsa.network.network_service": "ver", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "rsa.web.fqdn": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "rsa.web.web_cookie": "emo", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 294, + "source.ip": [ + 
"10.198.57.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "emip", + "user.name": [ + "henderit" + ], + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-494-GET: 10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea", + "http.response.body.content": "iscive", + "input.type": "log", + "log.offset": 19452, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.218.0.197" + ], + "rsa.internal.level": 494, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "eritin" + ], + "rsa.misc.result_code": "teur", + "rsa.network.network_service": "aeab", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "rsa.web.fqdn": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "rsa.web.web_cookie": "eetd", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + 
"source.bytes": 609, + "source.ip": [ + "10.218.0.197" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "quasiar", + "user.name": [ + "econs" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "iatqu7310.api.home", + "http.request.referrer": "https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed", + "http.response.body.content": "turvel", + "input.type": "log", + "log.offset": 19817, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.123.199.198" + ], + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "tionula" + ], + "rsa.misc.result_code": "asuntexp", + "rsa.network.alias_host": [ + "iatqu7310.api.home" + ], + "rsa.network.network_service": "ipsa", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "rsa.web.fqdn": 
"https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "rsa.web.web_cookie": "mpo", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 1390, + "source.ip": [ + "10.123.199.198" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "eratv", + "user.name": [ + "illumqui" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "POST", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim", + "event.timezone": "ET", + "fileset.name": "log", + "host.name": "uamnihil6127.api.domain", + "http.request.referrer": "https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex", + "http.response.body.content": "rsi", + "input.type": "log", + "log.offset": 20237, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.29.119.245" + ], + "rsa.internal.messageid": "POST", + "rsa.misc.action": [ + "ore" + ], + "rsa.misc.result_code": "ciun", + "rsa.network.alias_host": [ + "uamnihil6127.api.domain" + ], + "rsa.network.network_service": "mides", + 
"rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "rsa.web.fqdn": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "rsa.web.web_cookie": "anim", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 39, + "source.ip": [ + "10.29.119.245" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "taliqui", + "user.name": [ + "leumiur" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet", + "event.timezone": "PT", + "fileset.name": "log", + "host.name": "uov1629.internal.invalid", + "http.request.referrer": "https://www.example.org/taedi/tquido.html?etconsec=elillum#upt", + "http.response.body.content": "des", + "input.type": "log", + "log.offset": 20688, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.130.175.17" + ], 
+ "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "inimav" + ], + "rsa.misc.result_code": "rroqu", + "rsa.network.alias_host": [ + "uov1629.internal.invalid" + ], + "rsa.network.network_service": "billo", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "rsa.web.fqdn": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "rsa.web.web_cookie": "onsectet", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 2170, + "source.ip": [ + "10.130.175.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "atnulapa", + "user.name": [ + "quaU" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "event.code": "PROPFIND", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF", + "event.timezone": "CET", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih", + "http.response.body.content": "lupta", + 
"input.type": "log", + "log.offset": 21121, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.166.90.130" + ], + "rsa.internal.level": 5752, + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "lloinven" + ], + "rsa.misc.result_code": "caboNem", + "rsa.network.network_service": "etconsec", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "rsa.web.fqdn": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "rsa.web.web_cookie": "deF", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 1043, + "source.ip": [ + "10.166.90.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "npr", + "user.name": [ + "eosquira" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon", + "event.timezone": "GMT-07:00", + 
"fileset.name": "log", + "host.name": "orumw5960.www5.home", + "http.request.referrer": "https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema", + "http.response.body.content": "ugiatquo", + "input.type": "log", + "log.offset": 21574, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.248.111.207" + ], + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "quiavol" + ], + "rsa.misc.result_code": "autemv", + "rsa.network.alias_host": [ + "orumw5960.www5.home" + ], + "rsa.network.network_service": "quin", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "rsa.web.fqdn": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "rsa.web.web_cookie": "atatnon", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 6174, + "source.ip": [ + "10.248.111.207" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "incidid", + "user.name": [ + "tiumto" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "asdf", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU 
Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", + "http.response.body.content": "red", + "input.type": "log", + "log.offset": 21994, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.37.32" + ], + "rsa.internal.level": 2940, + "rsa.internal.messageid": "asdf", + "rsa.misc.action": [ + "tem" + ], + "rsa.misc.result_code": "luptas", + "rsa.network.network_service": "tatev", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "rsa.web.fqdn": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "rsa.web.web_cookie": "ptatem", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 3286, + "source.ip": [ + "10.185.37.32" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "sinto", + "user.name": [ + "tesseq" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 
CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua", + "event.timezone": "CET", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa", + "http.response.body.content": "atcupi", + "input.type": "log", + "log.offset": 22449, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.5.194.202" + ], + "rsa.internal.level": 4927, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "riosa" + ], + "rsa.misc.result_code": "otamr", + "rsa.network.network_service": "qui", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "rsa.web.fqdn": "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "rsa.web.web_cookie": "iqua", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 7278, + "source.ip": [ + "10.5.194.202" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "atem", + "user.name": [ + "ntmo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 
10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll", + "event.timezone": "CEST", + "fileset.name": "log", + "host.name": "deriti6952.mail.domain", + "http.request.referrer": "https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio", + "http.response.body.content": "veleum", + "input.type": "log", + "log.offset": 22822, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.183.34.1" + ], + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "der" + ], + "rsa.misc.result_code": "lmolesti", + "rsa.network.alias_host": [ + "deriti6952.mail.domain" + ], + "rsa.network.network_service": "nes", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "rsa.web.fqdn": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "rsa.web.web_cookie": "ntmoll", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 1559, + "source.ip": [ + "10.183.34.1" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "piciatis", + "user.name": [ + "isn" + ], + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": 
"2018-03-25T11:31:24.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq", + "event.timezone": "CEST", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab", + "http.response.body.content": "odi", + "input.type": "log", + "log.offset": 23258, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.101.163.40" + ], + "rsa.internal.level": 4472, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "remips" + ], + "rsa.misc.result_code": "ore", + "rsa.network.network_service": "runtmo", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "rsa.web.fqdn": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "rsa.web.web_cookie": "liq", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 3512, + "source.ip": [ + "10.101.163.40" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "ptatems", + "user.name": [ + "nBCSe" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": 
"Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo", + "event.timezone": "ET", + "fileset.name": "log", + "host.name": "nse3421.mail.localhost", + "http.request.referrer": "https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui", + "http.response.body.content": "tatevel", + "input.type": "log", + "log.offset": 23666, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.216.188.152" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "atDuis" + ], + "rsa.misc.result_code": "ict", + "rsa.network.alias_host": [ + "nse3421.mail.localhost" + ], + "rsa.network.network_service": "untu", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "rsa.web.fqdn": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "rsa.web.web_cookie": "Nequepo", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 2699, + "source.ip": [ + "10.216.188.152" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "iumdolo", + "user.name": [ + "ugitsedq" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome 
Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.code": "nGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/unt/tass.html?tla=mquiad#CSe", + "http.response.body.content": "isiutali", + "input.type": "log", + "log.offset": 24141, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.94.140.77" + ], + "rsa.internal.level": 1033, + "rsa.internal.messageid": "nGET", + "rsa.misc.action": [ + "dol" + ], + "rsa.misc.result_code": "ons", + "rsa.network.network_service": "onulamco", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "rsa.web.fqdn": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "rsa.web.web_cookie": "psa", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5050, + "source.ip": [ + "10.94.140.77" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "lumqu", + "user.name": [ + "isnisiu" + ], + 
"user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla", + "event.timezone": "PST", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", + "http.response.body.content": "iamea", + "input.type": "log", + "log.offset": 24484, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.223.205.204" + ], + "rsa.internal.level": 4133, + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "ommo" + ], + "rsa.misc.result_code": "iam", + "rsa.network.network_service": "uiacon", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "rsa.web.fqdn": "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "rsa.web.web_cookie": "tutla", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 7526, + "source.ip": [ + "10.223.205.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "imaveni", + "user.name": [ + "ccaec" + ], + 
"user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except", + "event.timezone": "CEST", + "fileset.name": "log", + "host.name": "tautfug689.localdomain", + "http.request.referrer": "https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag", + "http.response.body.content": "ditautf", + "input.type": "log", + "log.offset": 24917, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.85.137.156" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "isiut" + ], + "rsa.misc.result_code": "uamqu", + "rsa.network.alias_host": [ + "tautfug689.localdomain" + ], + "rsa.network.network_service": "ori", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "rsa.web.fqdn": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "rsa.web.web_cookie": "Except", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 
2804, + "source.ip": [ + "10.85.137.156" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "itametc", + "user.name": [ + "serror" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "event.code": "QUALYS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "totam6886.api.localhost", + "http.request.referrer": "https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo", + "http.response.body.content": "iciadese", + "input.type": "log", + "log.offset": 25326, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.12.54.142" + ], + "rsa.internal.messageid": "QUALYS", + "rsa.misc.action": [ + "lor" + ], + "rsa.misc.result_code": "dol", + "rsa.network.alias_host": [ + "totam6886.api.localhost" + ], + "rsa.network.network_service": "oeni", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "rsa.web.fqdn": 
"https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "rsa.web.web_cookie": "aer", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3000, + "source.ip": [ + "10.12.54.142" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "riatur", + "user.name": [ + "liquam" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/uovol/prehend.html?eque=eufug#est", + "http.response.body.content": "umdolors", + "input.type": "log", + "log.offset": 25746, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.158.6.52" + ], + "rsa.internal.level": 3864, + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "Nemoenim" + ], + "rsa.misc.result_code": "eFini", + "rsa.network.network_service": "acom", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "OMST", + 
"rsa.web.alias_host": "https://example.net/labori/porai.gif?utali=sed#xeac", + "rsa.web.fqdn": "https://example.net/labori/porai.gif?utali=sed#xeac", + "rsa.web.web_cookie": "ntincul", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 4262, + "source.ip": [ + "10.158.6.52" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "lumdo", + "user.name": [ + "sed" + ], + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau", + "event.timezone": "CT", + "fileset.name": "log", + "host.name": "tquo854.api.domain", + "http.request.referrer": "https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl", + "http.response.body.content": "atnul", + "input.type": "log", + "log.offset": 26190, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.160.182" + ], + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "itessequ" + ], + "rsa.misc.result_code": "Nemoenim", + 
"rsa.network.alias_host": [ + "tquo854.api.domain" + ], + "rsa.network.network_service": "stquidol", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "rsa.web.fqdn": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "rsa.web.web_cookie": "isau", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 1325, + "source.ip": [ + "10.195.160.182" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "umfugi", + "user.name": [ + "urerepre" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://example.net/orum/Bonoru.txt?agnamal=quei#quio", + "http.response.body.content": "udan", + "input.type": "log", + "log.offset": 26601, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.20.68.117" + ], + "rsa.internal.level": 6084, + "rsa.internal.messageid": 
"CONNECT", + "rsa.misc.action": [ + "metco" + ], + "rsa.misc.result_code": "urQuis", + "rsa.network.network_service": "iutaliq", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "rsa.web.fqdn": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "rsa.web.web_cookie": "lamcola", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 1742, + "source.ip": [ + "10.20.68.117" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "archi", + "user.name": [ + "quas" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "venia6656.api.domain", + "http.request.referrer": "https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica", + "http.response.body.content": "radip", + "input.type": "log", + "log.offset": 26982, + "observer.product": 
"TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.94.136.235" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "amqu" + ], + "rsa.misc.result_code": "rumet", + "rsa.network.alias_host": [ + "venia6656.api.domain" + ], + "rsa.network.network_service": "tetura", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "rsa.web.fqdn": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "rsa.web.web_cookie": "ore", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 6923, + "source.ip": [ + "10.94.136.235" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "upta", + "user.name": [ + "iti" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "NCIRCLE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco", + "event.timezone": "GMT+02:00", + 
"fileset.name": "log", + "host.name": "veniam1216.www5.invalid", + "http.request.referrer": "https://example.com/santi/ritati.gif?turadip=dip#idolo", + "http.response.body.content": "elillum", + "input.type": "log", + "log.offset": 27454, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.152.11.26" + ], + "rsa.internal.messageid": "NCIRCLE", + "rsa.misc.action": [ + "oinBCSed" + ], + "rsa.misc.result_code": "nula", + "rsa.network.alias_host": [ + "veniam1216.www5.invalid" + ], + "rsa.network.network_service": "nsequatu", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "rsa.web.fqdn": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "rsa.web.web_cookie": "aco", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2783, + "source.ip": [ + "10.152.11.26" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "veleumi", + "user.name": [ + "ugiat" + ], + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 
YaApp_Android/10.61 YaSearchBrowser/10.61||met", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "host.name": "runtm5729.invalid", + "http.request.referrer": "https://www5.example.com/itametco/vel.htm?rere=pta#nonn", + "http.response.body.content": "Finibus", + "input.type": "log", + "log.offset": 27908, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.82.118.95" + ], + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "labo" + ], + "rsa.misc.result_code": "tau", + "rsa.network.alias_host": [ + "runtm5729.invalid" + ], + "rsa.network.network_service": "olupta", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "rsa.web.fqdn": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "rsa.web.web_cookie": "met", + "rsa.web.web_ref_domain": "www5.example.com", + "service.type": "tomcat", + "source.bytes": 5211, + "source.ip": [ + "10.82.118.95" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "Utenimad", + "user.name": [ + "ptate" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 
CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq", + "event.timezone": "CEST", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/iat/ffic.htm?cte=aparia#CSe", + "http.response.body.content": "amquaer", + "input.type": "log", + "log.offset": 28378, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.187.152.213" + ], + "rsa.internal.level": 4322, + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "mag" + ], + "rsa.misc.result_code": "lpa", + "rsa.network.network_service": "enby", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "rsa.web.fqdn": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "rsa.web.web_cookie": "ugitsedq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3948, + "source.ip": [ + "10.187.152.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "aqui", + "user.name": [ + "ventor" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 
10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "host.name": "pta6012.www.local", + "http.request.referrer": "https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei", + "http.response.body.content": "ever", + "input.type": "log", + "log.offset": 28738, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.98.71.45" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "eirur" + ], + "rsa.misc.result_code": "ipitlabo", + "rsa.network.alias_host": [ + "pta6012.www.local" + ], + "rsa.network.network_service": "eos", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "rsa.web.fqdn": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "rsa.web.web_cookie": "unt", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5440, + "source.ip": [ + "10.98.71.45" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "civelits", + "user.name": [ + "fugitse" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": 
"2018-10-11T14:07:23.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu", + "http.response.body.content": "rumSecti", + "input.type": "log", + "log.offset": 29180, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.86.123.33" + ], + "rsa.internal.level": 5971, + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "doei" + ], + "rsa.misc.result_code": "orumS", + "rsa.network.network_service": "olore", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "rsa.web.fqdn": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "rsa.web.web_cookie": "yCiceroi", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 757, + "source.ip": [ + "10.86.123.33" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "Utenima", + "user.name": [ + "meum" + ], + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + 
"user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat", + "event.timezone": "GMT-07:00", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc", + "http.response.body.content": "tam", + "input.type": "log", + "log.offset": 29627, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.6.112.183" + ], + "rsa.internal.level": 2852, + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "eni" + ], + "rsa.misc.result_code": "dunt", + "rsa.network.network_service": "eufugi", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "rsa.web.fqdn": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "rsa.web.web_cookie": "idatat", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 6169, + "source.ip": [ + "10.6.112.183" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "oremip", + "user.name": [ + "oluptat" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "LOCK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq", + "event.timezone": "CEST", + "fileset.name": "log", + "host.name": "orsi2109.internal.home", + "http.request.referrer": "https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev", + "http.response.body.content": "inimav", + "input.type": "log", + "log.offset": 30008, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.227.156.143" + ], + "rsa.internal.messageid": "LOCK", + "rsa.misc.action": [ + "tsedquia" + ], + "rsa.misc.result_code": "nci", + "rsa.network.alias_host": [ + "orsi2109.internal.home" + ], + "rsa.network.network_service": "midestl", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "rsa.web.fqdn": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "rsa.web.web_cookie": "seq", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 6587, + "source.ip": [ + "10.227.156.143" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "tatevel", + "user.name": [ + "idolo" + ], + 
"user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit", + "event.timezone": "CT", + "fileset.name": "log", + "host.name": "quaeabil2539.www5.lan", + "http.request.referrer": "https://example.net/dolor/lorumwri.htm?mquis=lab#uido", + "http.response.body.content": "eprehen", + "input.type": "log", + "log.offset": 30458, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.124.129.248" + ], + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "cididun" + ], + "rsa.misc.result_code": "sectetu", + "rsa.network.alias_host": [ + "quaeabil2539.www5.lan" + ], + "rsa.network.network_service": "sequ", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "rsa.web.fqdn": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "rsa.web.web_cookie": "mwrit", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 7182, + "source.ip": [ + "10.124.129.248" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "hilmole", + "user.name": [ + "quide" + ], + 
"user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut", + "event.timezone": "OMST", + "fileset.name": "log", + "host.name": "aal1598.mail.host", + "http.request.referrer": "https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab", + "http.response.body.content": "eaqueip", + "input.type": "log", + "log.offset": 30879, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.173.125.112" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "umtota" + ], + "rsa.misc.result_code": "rep", + "rsa.network.alias_host": [ + "aal1598.mail.host" + ], + "rsa.network.network_service": "olorema", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "rsa.web.fqdn": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "rsa.web.web_cookie": "isnisiut", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + 
"source.bytes": 3380, + "source.ip": [ + "10.173.125.112" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "itaedict", + "user.name": [ + "upta" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem", + "event.timezone": "PST", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", + "http.response.body.content": "tno", + "input.type": "log", + "log.offset": 31317, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.37.156.140" + ], + "rsa.internal.level": 5227, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "epo" + ], + "rsa.misc.result_code": "lum", + "rsa.network.network_service": "taspe", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "rsa.web.fqdn": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "rsa.web.web_cookie": "idolorem", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + 
"source.bytes": 5911, + "source.ip": [ + "10.37.156.140" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "iss", + "user.name": [ + "olores" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq", + "http.response.body.content": "nse", + "input.type": "log", + "log.offset": 31660, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.121.225.135" + ], + "rsa.internal.level": 5776, + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "byC" + ], + "rsa.misc.result_code": "uatu", + "rsa.network.network_service": "evit", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "rsa.web.fqdn": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "rsa.web.web_cookie": "tnulapa", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 2448, + 
"source.ip": [ + "10.121.225.135" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "miurere", + "user.name": [ + "cin" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "event.code": "DEBUG", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor", + "event.timezone": "CEST", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam", + "http.response.body.content": "ipis", + "input.type": "log", + "log.offset": 32096, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.123.68.56" + ], + "rsa.internal.level": 7708, + "rsa.internal.messageid": "DEBUG", + "rsa.misc.action": [ + "dentsunt" + ], + "rsa.misc.result_code": "tam", + "rsa.network.network_service": "nesci", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "rsa.web.fqdn": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "rsa.web.web_cookie": "ntor", + 
"rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 1206, + "source.ip": [ + "10.123.68.56" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "itautfu", + "user.name": [ + "olore" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd", + "event.timezone": "GMT-07:00", + "fileset.name": "log", + "host.name": "oid218.api.invalid", + "http.request.referrer": "https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi", + "http.response.body.content": "orsitv", + "input.type": "log", + "log.offset": 32480, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.63.56.164" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "avolu" + ], + "rsa.misc.result_code": "uun", + "rsa.network.alias_host": [ + "oid218.api.invalid" + ], + "rsa.network.network_service": "uisaute", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": 
"https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "rsa.web.fqdn": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "rsa.web.web_cookie": "umd", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 4638, + "source.ip": [ + "10.63.56.164" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "temseq", + "user.name": [ + "evo" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "HEAD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con", + "event.timezone": "ET", + "fileset.name": "log", + "host.name": "sectetur2674.www5.test", + "http.request.referrer": "https://example.com/eumfu/lors.gif?upidata=ici#usant", + "http.response.body.content": "itl", + "input.type": "log", + "log.offset": 32919, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.62.10.137" + ], + "rsa.internal.messageid": "HEAD", + "rsa.misc.action": [ + "issus" + ], + "rsa.misc.result_code": 
"quiav", + "rsa.network.alias_host": [ + "sectetur2674.www5.test" + ], + "rsa.network.network_service": "olor", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "rsa.web.fqdn": "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "rsa.web.web_cookie": "con", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 6648, + "source.ip": [ + "10.62.10.137" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "ttenb", + "user.name": [ + "deomnisi" + ], + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "host.name": "sequatD4487.internal.localhost", + "http.request.referrer": "https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi", + "http.response.body.content": "umqui", + "input.type": "log", + 
"log.offset": 33403, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.89.154.115" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "tconse" + ], + "rsa.misc.result_code": "mquia", + "rsa.network.alias_host": [ + "sequatD4487.internal.localhost" + ], + "rsa.network.network_service": "temsequi", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "rsa.web.fqdn": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "rsa.web.web_cookie": "cti", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 1119, + "source.ip": [ + "10.89.154.115" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "citation", + "user.name": [ + "nimv" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau", + "event.timezone": "PST", + "fileset.name": "log", + 
"http.request.referrer": "https://api.example.org/xerc/Nequep.htm?ria=beat#rro", + "http.response.body.content": "boreet", + "input.type": "log", + "log.offset": 33846, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.122.252.130" + ], + "rsa.internal.level": 4758, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "tlaboru" + ], + "rsa.misc.result_code": "snostr", + "rsa.network.network_service": "ento", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "rsa.web.fqdn": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "rsa.web.web_cookie": "uisau", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3904, + "source.ip": [ + "10.122.252.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "luptasnu", + "user.name": [ + "mmo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq", + "event.timezone": "GMT-07:00", + "fileset.name": 
"log", + "http.request.referrer": "https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut", + "http.response.body.content": "tesse", + "input.type": "log", + "log.offset": 34283, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.152.53" + ], + "rsa.internal.level": 2573, + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "tationu" + ], + "rsa.misc.result_code": "oluptas", + "rsa.network.network_service": "isno", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "rsa.web.fqdn": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "rsa.web.web_cookie": "paq", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 5560, + "source.ip": [ + "10.195.152.53" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "olupta", + "user.name": [ + "ute" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse", + "event.timezone": "CT", + "fileset.name": "log", + "host.name": "nul5107.www5.domain", + "http.request.referrer": "https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi", + "http.response.body.content": 
"mexerci", + "input.type": "log", + "log.offset": 34572, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.9.255.204" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "uid" + ], + "rsa.misc.result_code": "ctetur", + "rsa.network.alias_host": [ + "nul5107.www5.domain" + ], + "rsa.network.network_service": "ditaut", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "rsa.web.fqdn": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "rsa.web.web_cookie": "iaeconse", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 3089, + "source.ip": [ + "10.9.255.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "urEx", + "user.name": [ + "emUtenim" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel", + 
"event.timezone": "GMT-07:00", + "fileset.name": "log", + "host.name": "nimadmin5630.localdomain", + "http.request.referrer": "https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost", + "http.response.body.content": "boriosa", + "input.type": "log", + "log.offset": 35009, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.214.235.133" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "tsunt" + ], + "rsa.misc.result_code": "moenimip", + "rsa.network.alias_host": [ + "nimadmin5630.localdomain" + ], + "rsa.network.network_service": "ditau", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "rsa.web.fqdn": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "rsa.web.web_cookie": "evel", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5930, + "source.ip": [ + "10.214.235.133" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "cillumdo", + "user.name": [ + "nulapari" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 
PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit", + "event.timezone": "PT", + "fileset.name": "log", + "host.name": "sequuntu3563.internal.test", + "http.request.referrer": "https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi", + "http.response.body.content": "lors", + "input.type": "log", + "log.offset": 35444, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.5.134.204" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "orum" + ], + "rsa.misc.result_code": "tur", + "rsa.network.alias_host": [ + "sequuntu3563.internal.test" + ], + "rsa.network.network_service": "docons", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "rsa.web.fqdn": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "rsa.web.web_cookie": "taevit", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3197, + "source.ip": [ + "10.5.134.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "eumfu", + "user.name": [ + "iarchit" + ], + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": 
"2019-05-28T06:48:31.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw", + "event.timezone": "CEST", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi", + "http.response.body.content": "quaerat", + "input.type": "log", + "log.offset": 35912, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.144.111.42" + ], + "rsa.internal.level": 6820, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "asnu" + ], + "rsa.misc.result_code": "ptateve", + "rsa.network.network_service": "aturve", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "rsa.web.fqdn": "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "rsa.web.web_cookie": "lorumw", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 7615, + "source.ip": [ + "10.144.111.42" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "tDuisau", + "user.name": [ + "vento" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq", + "event.timezone": "CT", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/uae/ata.htm?snulap=cidu#hilmol", + "http.response.body.content": "illumdo", + "input.type": "log", + "log.offset": 36349, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.122.0.80" + ], + "rsa.internal.level": 3071, + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "etquasia" + ], + "rsa.misc.result_code": "eseosq", + "rsa.network.network_service": "remaper", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "rsa.web.fqdn": "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "rsa.web.web_cookie": "quamq", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 2945, + "source.ip": [ + "10.122.0.80" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "antium", + "user.name": [ + "ola" + ], + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari", + "event.timezone": "ET", + "fileset.name": "log", + "host.name": "tdolo2150.www.example", + "http.request.referrer": "https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug", + "http.response.body.content": "dit", + "input.type": "log", + "log.offset": 36779, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.165.33.19" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "aparia" + ], + "rsa.misc.result_code": "tetura", + "rsa.network.alias_host": [ + "tdolo2150.www.example" + ], + "rsa.network.network_service": "yCic", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "rsa.web.fqdn": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "rsa.web.web_cookie": "lapari", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 1569, + "source.ip": [ + "10.165.33.19" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "namaliqu", + 
"user.name": [ + "iusmodi" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid", + "event.timezone": "CT", + "fileset.name": "log", + "host.name": "cinge6032.api.local", + "http.request.referrer": "https://internal.example.org/unt/isni.htm?ecillum=olor#amei", + "http.response.body.content": "quiav", + "input.type": "log", + "log.offset": 37193, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.87.92.17" + ], + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "iutaliq" + ], + "rsa.misc.result_code": "sam", + "rsa.network.alias_host": [ + "cinge6032.api.local" + ], + "rsa.network.network_service": "elit", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "rsa.web.fqdn": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "rsa.web.web_cookie": "quid", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 6211, + "source.ip": [ + 
"10.87.92.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "ctionofd", + "user.name": [ + "tamr" + ], + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu", + "event.timezone": "ET", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat", + "http.response.body.content": "emp", + "input.type": "log", + "log.offset": 37607, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.51.52.203" + ], + "rsa.internal.level": 7615, + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "dictasun" + ], + "rsa.misc.result_code": "mollit", + "rsa.network.network_service": "non", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "rsa.web.fqdn": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "rsa.web.web_cookie": "mqu", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + 
"source.bytes": 5823, + "source.ip": [ + "10.51.52.203" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "arch", + "user.name": [ + "itame" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa", + "event.timezone": "CEST", + "fileset.name": "log", + "host.name": "ende6053.local", + "http.request.referrer": "https://internal.example.net/tvol/lup.gif?ollita=qua#ionula", + "http.response.body.content": "utfugi", + "input.type": "log", + "log.offset": 37977, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.0.211.86" + ], + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "int" + ], + "rsa.misc.result_code": "mmodicon", + "rsa.network.alias_host": [ + "ende6053.local" + ], + "rsa.network.network_service": "tio", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "rsa.web.fqdn": 
"https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "rsa.web.web_cookie": "cusa", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 6776, + "source.ip": [ + "10.0.211.86" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "ursintoc", + "user.name": [ + "imipsa" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.code": "OPTIONS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo", + "event.timezone": "PST", + "fileset.name": "log", + "http.request.referrer": "https://example.net/undeomn/ape.jpg?amco=ons#onsecte", + "http.response.body.content": "leumiur", + "input.type": "log", + "log.offset": 38442, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.106.34.244" + ], + "rsa.internal.level": 264, + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "rehen" + ], + "rsa.misc.result_code": "taliqui", + "rsa.network.network_service": "ave", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.time.timezone": 
"PST", + "rsa.web.alias_host": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "rsa.web.fqdn": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "rsa.web.web_cookie": "atquo", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 3714, + "source.ip": [ + "10.106.34.244" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "ssequamn", + "user.name": [ + "nim" + ], + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "nGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides", + "event.timezone": "OMST", + "fileset.name": "log", + "http.request.referrer": "https://example.net/tionev/uasiarch.html?qui=ehender#equa", + "http.response.body.content": "onorume", + "input.type": "log", + "log.offset": 38823, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.191.210.188" + ], + "rsa.internal.level": 2943, + "rsa.internal.messageid": "nGET", + "rsa.misc.action": [ + "ipit" + ], + "rsa.misc.result_code": "ofdeFini", + "rsa.network.network_service": "ametcon", 
+ "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "rsa.web.fqdn": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "rsa.web.web_cookie": "nimides", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 7052, + "source.ip": [ + "10.191.210.188" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "abill", + "user.name": [ + "ruredol" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea", + "event.timezone": "GMT+02:00", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira", + "http.response.body.content": "nemul", + "input.type": "log", + "log.offset": 39233, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.2.38.49" + ], + "rsa.internal.level": 6165, + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "snula" + ], + "rsa.misc.result_code": "quatur", + "rsa.network.network_service": "lupt", + "rsa.time.event_time": 
"2019-09-19T03:09:05.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "rsa.web.fqdn": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "rsa.web.web_cookie": "aea", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 5775, + "source.ip": [ + "10.2.38.49" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "Duis", + "user.name": [ + "lor" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "didun1193.example", + "http.request.referrer": "https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo", + "http.response.body.content": "cipitla", + "input.type": "log", + "log.offset": 39505, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.66.92.90" + ], + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "tse" + ], + "rsa.misc.result_code": "ionevo", + "rsa.network.alias_host": [ + "didun1193.example" + ], + "rsa.network.network_service": "vel", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": 
"https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "rsa.web.fqdn": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "rsa.web.web_cookie": "samvol", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 4580, + "source.ip": [ + "10.66.92.90" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "tlab", + "user.name": [ + "atisu" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau", + "event.timezone": "PST", + "fileset.name": "log", + "host.name": "apari2660.www5.lan", + "http.request.referrer": "https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve", + "http.response.body.content": "sequines", + "input.type": "log", + "log.offset": 39956, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.97.108.108" + ], + "rsa.internal.messageid": "BADMTHD", + 
"rsa.misc.action": [ + "sistena" + ], + "rsa.misc.result_code": "lorum", + "rsa.network.alias_host": [ + "apari2660.www5.lan" + ], + "rsa.network.network_service": "sequa", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "rsa.web.fqdn": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "rsa.web.web_cookie": "toditau", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 7649, + "source.ip": [ + "10.97.108.108" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "olor", + "user.name": [ + "teirured" + ], + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta", + "event.timezone": "CET", + "fileset.name": "log", + "host.name": "nvolupta238.www.host", + "http.request.referrer": "https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons", + "http.response.body.content": "econ", + "input.type": 
"log", + "log.offset": 40457, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.147.147.248" + ], + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "ptatev" + ], + "rsa.misc.result_code": "catcup", + "rsa.network.alias_host": [ + "nvolupta238.www.host" + ], + "rsa.network.network_service": "rve", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "rsa.web.fqdn": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "rsa.web.web_cookie": "lupta", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 177, + "source.ip": [ + "10.147.147.248" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "aborio", + "user.name": [ + "uira" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "event.code": "NCIRCLE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve", + "event.timezone": "GMT-07:00", + "fileset.name": "log", + "host.name": "icer123.mail.example", + 
"http.request.referrer": "https://api.example.com/dan/pta.html?oNem=itaedict#eroi", + "http.response.body.content": "sedd", + "input.type": "log", + "log.offset": 40863, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.152.190.61" + ], + "rsa.internal.messageid": "NCIRCLE", + "rsa.misc.action": [ + "nesciu" + ], + "rsa.misc.result_code": "oremeu", + "rsa.network.alias_host": [ + "icer123.mail.example" + ], + "rsa.network.network_service": "tvolup", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "rsa.web.fqdn": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "rsa.web.web_cookie": "uptateve", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 6708, + "source.ip": [ + "10.152.190.61" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "atione", + "user.name": [ + "culp" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G 
Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua", + "event.timezone": "GMT-07:00", + "fileset.name": "log", + "host.name": "lumqui6488.api.example", + "http.request.referrer": "https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe", + "http.response.body.content": "edictasu", + "input.type": "log", + "log.offset": 41290, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.129.232.105" + ], + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "aliquaU" + ], + "rsa.misc.result_code": "noru", + "rsa.network.alias_host": [ + "lumqui6488.api.example" + ], + "rsa.network.network_service": "umS", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "rsa.web.fqdn": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "rsa.web.web_cookie": "quamqua", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 5321, + "source.ip": [ + "10.129.232.105" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "eturadi", + "user.name": [ + "deFini" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5473-TRACE: 
10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu", + "event.timezone": "PT", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse", + "http.response.body.content": "litsedd", + "input.type": "log", + "log.offset": 41781, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.12.173.112" + ], + "rsa.internal.level": 5473, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "undeom" + ], + "rsa.misc.result_code": "hite", + "rsa.network.network_service": "inBC", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "rsa.web.fqdn": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "rsa.web.web_cookie": "emeumfu", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 423, + "source.ip": [ + "10.12.173.112" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.query": "nidol", + "user.name": [ + "mco" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + } 
+] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md new file mode 100644 index 00000000000..c130342f206 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/README.md @@ -0,0 +1,7 @@ +# zscaler module + +This is a module for Zscaler NSS logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 +at 2020-07-07 18:10:50.651632 +0000 UTC. + diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml new file mode 100644 index 00000000000..9afb8712afb --- /dev/null +++ b/x-pack/filebeat/module/zscaler/_meta/config.yml @@ -0,0 +1,19 @@ +- module: zscaler + zia: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9521 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc new file mode 100644 index 00000000000..48199b9c7f3 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc 
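Review bot: The `zia` config template documents `var.input`, `var.syslog_host`, `var.syslog_port`, `var.paths`, `var.rsa_fields` and `var.tz_offset` but omits `var.keep_raw_fields`, which the fileset docs added in this same patch describe (default false, raw parser fields placed under `rsa.raw`); add a commented `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false` so the template and the docs stay in sync. Since the default input is a UDP syslog listener, which accepts unauthenticated datagrams from any host that can reach the port, the `var.syslog_host` comment would also benefit from a caveat that widening the bind beyond `localhost` should be paired with network filtering, e.g. `# var.syslog_host: localhost  # if bound to 0.0.0.0, restrict senders with a firewall`. I am inferring the listener behaviour from the option comments and the docs in this patch; the input implementation itself is not in this hunk.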
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: zscaler
+:has-dashboards: false
+
+== Zscaler module
+
+experimental[]
+
+This is a module for receiving Zscaler NSS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: zia
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `zia` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9521`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/zscaler/_meta/fields.yml b/x-pack/filebeat/module/zscaler/_meta/fields.yml
new file mode 100644
index 00000000000..d8e04d3db90
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: zscaler + title: Zscaler NSS + description: > + zscaler fields. + fields: diff --git a/x-pack/filebeat/module/zscaler/fields.go b/x-pack/filebeat/module/zscaler/fields.go new file mode 100644 index 00000000000..bc9b6632312 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package zscaler + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "zscaler", asset.ModuleFieldsPri, AssetZscaler); err != nil { + panic(err) + } +} + +// AssetZscaler returns asset data. +// This is the base64 encoded gzipped contents of module/zscaler. +func AssetZscaler() string { + return "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" +} diff --git a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml new file mode 100644 index 00000000000..3d395874c03 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml 
@@ -0,0 +1,1945 @@ +- name: network.interface.name + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + type: group + default_field: false + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. 
+ - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. 
This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. 
However, + in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 
256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. 
Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked + to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: 
risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: 
keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + 
type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - 
name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + 
type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database + server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
+ This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a 
generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: 
user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: 
keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml
new file mode 100644
index 00000000000..05e5f5c886e
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Zscaler"
+ product: "Internet"
+ type: "Configuration"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/zscaler/zia/config/liblogparser.js
+ - ${path.home}/module/zscaler/zia/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js
new file mode 100644
index 00000000000..80ba6449c63
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js
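Review bot: The `debug: {{.debug}}` param is passed straight into the script processor without any hint in the template that it changes what ends up in the Filebeat log; the liblogparser.js added later in this same patch writes the complete raw input of every dissect attempt via `console.debug(" input: <<" + msg + ">>")` and `dump()` serialises the whole event with `JSON.stringify`, and the accompanying fields.yml declares keys such as `password` ("Passwords seen in any session, plain text or encrypted"). Operators who flip the fileset's debug variable will therefore copy credential-bearing syslog lines into a second, usually less protected, log. I would add a one-line YAML comment above the param, `# debug: true makes the script processor log every raw message in full; keep it off outside troubleshooting`, so the implication is visible where the option is set. The same applies to the other filesets in this series that share the generated input.yml shape, if they carry the identical `debug:` line.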
@@ -0,0 +1,2327 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_set}]},
+ "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name":
{to:[{field: "user.name", setter: fld_append}]}, + "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: 
fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: 
fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "user.name", setter: fld_append}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: 
fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: 
fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "user.name", setter: fld_append}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "user.name", setter: fld_append}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "user.name", setter: fld_append}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: 
"http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: 
"rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: 
"rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: 
"rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": 
{to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: 
"rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, 
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + 
"cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: 
"rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: 
"rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, 
to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, 
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: 
"rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: 
fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": 
{to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: 
"rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: 
fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: 
"rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: 
fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: 
fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: 
"rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": 
{to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, 
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": 
{to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": 
{to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + 
"virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. 
+ // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. 
+ return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ + 
setc("header_id","0001"), + setc("messageid","ZSCALERNSS_1"), +])); + +var select1 = linear_select([ + hdr1, +]); + +var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([ + setc("eventcategory","1605000000"), + setf("fqdn","hostname"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["hmonth","hday","hyear","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dW,dN,dU,dO], + ], + }), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setc("ec_theme","Communication"), + setc("ec_subject","User"), +])); + +var msg1 = msg("ZSCALERNSS_1", part1); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "ZSCALERNSS_1": msg1, + }), +]); diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml new file mode 100644 index 00000000000..3354fb0674a --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Zscaler NSS
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/zscaler/zia/manifest.yml b/x-pack/filebeat/module/zscaler/zia/manifest.yml
new file mode 100644
index 00000000000..471000ba66f
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/manifest.yml
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["zscaler.zia", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9521
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log b/x-pack/filebeat/module/zscaler/zia/test/generated.log
new file mode 100644
index 00000000000..328281d72ba
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log
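Review bot: The `input` variable defaults to `udp` and the manifest offers no transport-security option alongside it, so once `syslog_host` is moved off its `localhost` default the NSS feed is accepted in cleartext from any sender that can reach `syslog_port`. A one-line comment next to the variable would spare operators the surprise: `# udp carries no authentication or encryption; keep syslog_host on a trusted interface, or prefer the tcp input with its ssl settings when the feed must cross a network`. Whether config/input.yml actually wires tcp ssl settings through cannot be seen from this hunk, so adjust the wording to match what that file exposes.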
@@ -0,0 +1,100 @@ +iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942 +olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868 +amco ZSCALERNSS: time=exe Feb 26 8:15:08 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905 +uian ZSCALERNSS: time=tempo Mar 12 3:17:42 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292 +dmi ZSCALERNSS: time=olab Mar 26 10:20:16 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787 +llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061 +ema ZSCALERNSS: time=par Apr 24 12:25:25 
2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152 +tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051 +upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578 +rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526 +tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 
2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741 +rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298 +quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 
2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073 +equat ZSCALERNSS: time=derit Aug 2 1:43:25 2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509 +tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 
2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927 +sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688 +ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52 +ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301 +adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 
2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672 +quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332 +adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014 +fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664 +ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846 +acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702 +ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 
2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696 +quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365 +inv ZSCALERNSS: time=rroq Feb 3 9:16:50 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302 +eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622 +tur ZSCALERNSS: time=ictas Mar 4 11:21:59 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501 +roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879 +eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617 +autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460 +caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 
2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099 +mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373 +atae ZSCALERNSS: time=tetura May 29 5:37:24 
2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16 +rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695 +equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 
2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142 +ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735 +riame ZSCALERNSS: time=riat Jul 25 9:47:41 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203 +ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813 +tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386 +tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429 +olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185 +tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577 +quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 
2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281 +tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017 +nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 
2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046 +uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800 +cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 
2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815 +tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882 +eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 
2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826 +uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914 +pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 
2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991 +luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993 +uam ZSCALERNSS: time=quis Mar 11 2:28:49 
2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078 +eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508 +asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52 +umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724 +aliqu ZSCALERNSS: time=sequine May 7 6:39:06 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916 +mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345 +hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 
2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421 +iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052 +cul ZSCALERNSS: time=tate Jul 3 10:49:23 
2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562 +eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526 +deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491 +siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258 +rem ZSCALERNSS: time=consecte Aug 29 2:59:40 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676 +pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238 +usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 
2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365 +iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280 +tione ZSCALERNSS: time=nibus Oct 25 7:09:57 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672 +modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212 +issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 
2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020 +tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306 +ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210 +dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808 +deser ZSCALERNSS: time=boris Jan 19 1:25:23 
2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714 +userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977 +mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 
2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673 +nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667 +ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076 +laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789 +lit ZSCALERNSS: time=uiine Apr 15 7:40:49 
2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409 +rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318 +erita ZSCALERNSS: time=eursint May 13 9:45:57 
2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330 +poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218 +uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838 +eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304 +tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 
2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077 +riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089 +liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 
2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843 +ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508 +osam ZSCALERNSS: time=ncid Sep 5 6:06:31 
2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182 +idolo ZSCALERNSS: time=citat Sep 19 1:09:05 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480 +uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856 +ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119 +utodit ZSCALERNSS: time=cer Nov 1 10:16:48 
2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150 +pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387 +agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 
2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487 +onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
new file mode 100644
index 00000000000..002367714d0
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
@@ -0,0 +1,7176 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.bytes": 1803, + "destination.ip": [ + "10.206.191.17" + ], + "event.action": "Blocked", + "event.code": "litesse", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942", + "event.timezone": "GMT+02:00", + "file.type": "psa", + "fileset.name": "zia", + "host.name": "rci737.www5.example", + "http.request.referrer": "https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo", + "input.type": "log", + "log.offset": 0, + "network.bytes": 3942, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.176.10.114", + "10.206.191.17" + ], + "rsa.db.index": "ntsunti", + "rsa.identity.user_dept": "sperna", + "rsa.internal.data": "iusm", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntium", + "rsa.misc.action": [ + "pisciv", + "Blocked" + ], + "rsa.misc.category": 
"umq", + "rsa.misc.filter": "oremi", + "rsa.misc.reference_id": "litesse", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "sist", + "rsa.network.alias_host": [ + "rci737.www5.example" + ], + "rsa.threat.threat_category": "cer", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "rci737.www5.example", + "service.type": "zscaler", + "source.bytes": 1884, + "source.ip": [ + "10.176.10.114" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap", + "user.name": [ + "sumdo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "destination.bytes": 2004, + "destination.ip": [ + "10.173.22.152" + ], + "event.action": "Allowed", + "event.code": "byC", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868", + "event.timezone": "CT", + "file.type": "ntex", + "fileset.name": "zia", + "host.name": "eosquir5191.www.example", + "http.request.referrer": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS", + "input.type": "log", + "log.offset": 844, + "network.bytes": 7868, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.173.22.152", + "10.26.46.95" + ], + "rsa.db.index": "aqu", + "rsa.identity.user_dept": "com", + "rsa.internal.data": "olupt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.action": [ + "tur", + "Allowed" + ], + "rsa.misc.category": "eius", + "rsa.misc.filter": "ameaqu", + "rsa.misc.reference_id": "byC", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "atemsequ", + "rsa.network.alias_host": [ + "eosquir5191.www.example" + ], + "rsa.threat.threat_category": "aer", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "eosquir5191.www.example", + "service.type": "zscaler", + "source.bytes": 2977, + "source.ip": [ + "10.26.46.95" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia", + "user.name": [ + "eataevi" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "destination.bytes": 1837, + "destination.ip": [ + "10.204.86.149" + ], + "event.action": "Blocked", + "event.code": "laboreet", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905", + "event.timezone": "CT", + "file.type": "oluptas", + "fileset.name": "zia", + "host.name": "orsitame3262.domain", + "http.request.referrer": "https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit", + "input.type": "log", + "log.offset": 1742, + "network.bytes": 6905, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.254.146.57", + "10.204.86.149" + ], + "rsa.db.index": "nsequat", + "rsa.identity.user_dept": "onev", + "rsa.internal.data": "amco", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uptassi", + "rsa.misc.action": [ + "giatq", + "Blocked" + ], + "rsa.misc.category": "llu", + "rsa.misc.filter": "tconsec", + "rsa.misc.reference_id": "laboreet", + "rsa.misc.result": "success", + "rsa.misc.result_code": "tia", + "rsa.network.alias_host": [ + "orsitame3262.domain" + ], + "rsa.threat.threat_category": "tur", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "orsitame3262.domain", + "service.type": "zscaler", + "source.bytes": 2935, + "source.ip": [ + "10.254.146.57" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", + "user.name": [ + "tenima" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "destination.bytes": 3856, + "destination.ip": [ + "10.103.246.190" + ], + "event.action": "Allowed", + "event.code": "suntinc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uian ZSCALERNSS: time=tempo Mar 12 3:17:42 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 
(Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292", + "event.timezone": "PST", + "file.type": "natura", + "fileset.name": "zia", + "host.name": "tempor4496.www.localdomain", + "http.request.referrer": "https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi", + "input.type": "log", + "log.offset": 2617, + "network.bytes": 4292, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.252.125.53", + "10.103.246.190" + ], + "rsa.db.index": "uiano", + "rsa.identity.user_dept": "ari", + "rsa.internal.data": "uian", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ima", + "rsa.misc.action": [ + "Allowed", + "llam" + ], + "rsa.misc.category": "aboris", + "rsa.misc.filter": "atatnonp", + "rsa.misc.reference_id": "suntinc", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "tempor4496.www.localdomain" + ], + "rsa.threat.threat_category": "nimadmin", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tempor4496.www.localdomain", + "service.type": "zscaler", + "source.bytes": 3077, + "source.ip": [ + "10.252.125.53" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", + "user.name": [ + "equun" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "destination.bytes": 5772, + "destination.ip": [ + "10.61.78.108" + ], + "event.action": "Blocked", + "event.code": "umdolore", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "dmi ZSCALERNSS: time=olab Mar 26 10:20:16 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787", + "event.timezone": "GMT-07:00", + "file.type": "umdolor", + "fileset.name": "zia", + "host.name": "ore2933.www.test", + "http.request.referrer": "https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam", + "input.type": "log", + "log.offset": 3507, + "network.bytes": 6787, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.61.78.108", + "10.136.153.149" + ], + "rsa.db.index": "idexea", + "rsa.identity.user_dept": "ciati", + "rsa.internal.data": "dmi", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "inim", + "rsa.misc.action": [ + "reetdolo", + "Blocked" + ], + "rsa.misc.category": "osquir", + "rsa.misc.filter": "ipit", + "rsa.misc.reference_id": "umdolore", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rumet", + "rsa.network.alias_host": [ + "ore2933.www.test" + ], + "rsa.threat.threat_category": "roinBCSe", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "ore2933.www.test", + "service.type": "zscaler", + "source.bytes": 2451, + "source.ip": [ + "10.136.153.149" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea", + "user.name": [ + "ercit" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "destination.bytes": 2984, + "destination.ip": [ + "10.183.16.166" + ], + "event.action": "Allowed", + "event.code": "remipsum", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "llam ZSCALERNSS: time=aspern Apr 9 5:22:51 
2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061", + "event.timezone": "GMT-07:00", + "file.type": "eriame", + "fileset.name": "zia", + "host.name": "ollit4105.mail.localdomain", + "http.request.referrer": "https://example.com/metcon/smo.jpg?upta=omn#ipsumq", + "input.type": "log", + "log.offset": 4394, + "network.bytes": 6061, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.183.16.166", + "10.66.250.92" + ], + "rsa.db.index": "essecill", + "rsa.identity.user_dept": "ons", + "rsa.internal.data": "llam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "avol", + "rsa.misc.action": [ + "Allowed", + "ist" + ], + "rsa.misc.category": "lorema", + "rsa.misc.filter": "sun", + "rsa.misc.reference_id": "remipsum", + "rsa.misc.result": "success", + "rsa.misc.result_code": "onsequat", + "rsa.network.alias_host": [ + "ollit4105.mail.localdomain" + ], + "rsa.threat.threat_category": "atuse", + 
"rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "ollit4105.mail.localdomain", + "service.type": "zscaler", + "source.bytes": 571, + "source.ip": [ + "10.66.250.92" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd", + "user.name": [ + "tessec" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "destination.bytes": 2053, + "destination.ip": [ + "10.243.224.205" + ], + "event.action": "Blocked", + "event.code": "lpa", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ema ZSCALERNSS: time=par Apr 24 12:25:25 2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152", + "event.timezone": "PT", + "file.type": "ipi", + 
"fileset.name": "zia", + "host.name": "cup1793.local", + "http.request.referrer": "https://api.example.com/loremq/lores.txt?iqui=etc#etM", + "input.type": "log", + "log.offset": 5306, + "network.bytes": 152, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.123.104.59", + "10.243.224.205" + ], + "rsa.db.index": "edqui", + "rsa.identity.user_dept": "eprehen", + "rsa.internal.data": "ema", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lupt", + "rsa.misc.action": [ + "Blocked", + "dun" + ], + "rsa.misc.category": "rsitamet", + "rsa.misc.filter": "usmod", + "rsa.misc.reference_id": "lpa", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rsitam", + "rsa.network.alias_host": [ + "cup1793.local" + ], + "rsa.threat.threat_category": "qua", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "cup1793.local", + "service.type": "zscaler", + "source.bytes": 941, + "source.ip": [ + "10.123.104.59" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura", + "user.name": [ + "xercitat" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.bytes": 6888, + "destination.ip": [ + "10.119.185.63" + ], + "event.action": "Blocked", + "event.code": "amqu", 
+ "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051", + "event.timezone": "GMT+02:00", + "file.type": "mUtenima", + "fileset.name": "zia", + "host.name": "icab4668.local", + "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "input.type": "log", + "log.offset": 6194, + "network.bytes": 6051, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.74.17.5", + "10.119.185.63" + ], + "rsa.db.index": "ume", + "rsa.identity.user_dept": "itecto", + "rsa.internal.data": "tema", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tame", + "rsa.misc.action": [ + "Blocked", + "nsec" + ], + "rsa.misc.category": "emaperi", + "rsa.misc.filter": "rehe", + "rsa.misc.reference_id": "amqu", + "rsa.misc.result": 
"unknown", + "rsa.misc.result_code": "inibusBo", + "rsa.network.alias_host": [ + "icab4668.local" + ], + "rsa.threat.threat_category": "tectobe", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "icab4668.local", + "service.type": "zscaler", + "source.bytes": 6907, + "source.ip": [ + "10.74.17.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des", + "user.name": [ + "erc" + ], + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "destination.bytes": 6354, + "destination.ip": [ + "10.78.151.178" + ], + "event.action": "Allowed", + "event.code": "mporain", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "upt ZSCALERNSS: time=uiineavo May 22 2:30:33 2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578", + "event.timezone": "CET", + "file.type": "eprehend", + "fileset.name": "zia", + "host.name": "aperia4409.www5.invalid", + "http.request.referrer": "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt", + "input.type": "log", + "log.offset": 7136, + "network.bytes": 6578, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.25.192.202", + "10.78.151.178" + ], + "rsa.db.index": "iadese", + "rsa.identity.user_dept": "ecillu", + "rsa.internal.data": "upt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "atquovo", + "rsa.misc.action": [ + "Allowed", + "amvolup" + ], + "rsa.misc.category": "hil", + "rsa.misc.filter": "deFinibu", + "rsa.misc.reference_id": "mporain", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "colabo", + "rsa.network.alias_host": [ + "aperia4409.www5.invalid" + ], + "rsa.threat.threat_category": "xeac", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "aperia4409.www5.invalid", + "service.type": "zscaler", + "source.bytes": 7700, + "source.ip": [ + "10.25.192.202" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn", + "user.name": [ + "quip" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 
8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "destination.bytes": 5269, + "destination.ip": [ + "10.71.170.37" + ], + "event.action": "Allowed", + "event.code": "umexerci", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526", + "event.timezone": "GMT+02:00", + "file.type": "mipsumd", + "fileset.name": "zia", + "host.name": "sitvolup368.internal.host", + "http.request.referrer": "https://api.example.net/quirat/llu.jpg?isc=aturve#emulla", + "input.type": "log", + "log.offset": 8036, + "network.bytes": 2526, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.135.225.244", + "10.71.170.37" + ], + "rsa.db.index": "serror", + "rsa.identity.user_dept": "atiset", + "rsa.internal.data": "rumetM", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ihilm", + "rsa.misc.action": [ + "psaquae", + "Allowed" + ], + "rsa.misc.category": "eFinib", + "rsa.misc.filter": "inesci", + "rsa.misc.reference_id": "umexerci", + "rsa.misc.result": "success", + "rsa.misc.result_code": "utla", + "rsa.network.alias_host": [ + "sitvolup368.internal.host" + ], + "rsa.threat.threat_category": "eav", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "sitvolup368.internal.host", + "service.type": "zscaler", + "source.bytes": 7355, + "source.ip": [ + "10.135.225.244" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", + "user.name": [ + "atu" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "destination.bytes": 752, + "destination.ip": [ + "10.223.247.86" + ], + "event.action": "Allowed", + "event.code": "lup", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 
(Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741", + "event.timezone": "ET", + "file.type": "ari", + "fileset.name": "zia", + "host.name": "ite2026.www.invalid", + "http.request.referrer": "https://internal.example.net/acc/amc.txt?amest=corp#modtemp", + "input.type": "log", + "log.offset": 8916, + "network.bytes": 7741, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.19.145.131", + "10.223.247.86" + ], + "rsa.db.index": "rinrepre", + "rsa.identity.user_dept": "oluptas", + "rsa.internal.data": "tlabori", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "sci", + "rsa.misc.action": [ + "emseq", + "Allowed" + ], + "rsa.misc.category": "exercit", + "rsa.misc.filter": "taevit", + "rsa.misc.reference_id": "lup", + "rsa.misc.result": "success", + "rsa.misc.result_code": "pic", + "rsa.network.alias_host": [ + "ite2026.www.invalid" + ], + "rsa.threat.threat_category": "oluptate", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "ite2026.www.invalid", + "service.type": "zscaler", + "source.bytes": 821, + "source.ip": [ + "10.19.145.131" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/bor/occa.htm?dol=leumiu#namali", + "user.name": [ + "tNequepo" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "destination.bytes": 3314, + "destination.ip": [ + "10.2.53.125" + ], + "event.action": "Allowed", + "event.code": "radi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298", + "event.timezone": "GMT-07:00", + "file.type": "agnid", + "fileset.name": "zia", + "host.name": "radipisc7020.home", + "http.request.referrer": "https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio", + "input.type": "log", + "log.offset": 9805, + "network.bytes": 7298, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.181.80.139", + "10.2.53.125" + ], + "rsa.db.index": "tin", + "rsa.identity.user_dept": "aboN", + "rsa.internal.data": "rsita", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dolorem", + "rsa.misc.action": [ + "lorsitam", + "Allowed" + ], + "rsa.misc.category": "proide", + "rsa.misc.filter": "pariatu", + "rsa.misc.reference_id": "radi", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ris", + "rsa.network.alias_host": [ + "radipisc7020.home" + ], + "rsa.threat.threat_category": "volupt", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "radipisc7020.home", + "service.type": "zscaler", + "source.bytes": 6408, + "source.ip": [ + "10.181.80.139" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", + "user.name": [ + "ihilmo" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "destination.bytes": 2742, + "destination.ip": [ + "10.31.240.6" + ], + "event.action": "Allowed", + "event.code": "olup", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 
2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073", + "event.timezone": "ET", + "file.type": "sciun", + "fileset.name": "zia", + "host.name": "uamei2493.www.test", + "http.request.referrer": "https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo", + "input.type": "log", + "log.offset": 10682, + "network.bytes": 3073, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.31.240.6", + "10.167.98.76" + ], + "rsa.db.index": "bore", + "rsa.identity.user_dept": "gnido", + "rsa.internal.data": "quioffi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "catc", + "rsa.misc.action": [ + "Allowed", + "veni" + ], + "rsa.misc.category": "sBono", + "rsa.misc.filter": "isnisiu", + "rsa.misc.reference_id": "olup", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "veniamqu", + "rsa.network.alias_host": [ + "uamei2493.www.test" + ], + "rsa.threat.threat_category": "idata", + "rsa.time.event_time": 
"2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "uamei2493.www.test", + "service.type": "zscaler", + "source.bytes": 3140, + "source.ip": [ + "10.167.98.76" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "user.name": [ + "ratvolu" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.bytes": 5368, + "destination.ip": [ + "10.0.55.9" + ], + "event.action": "Allowed", + "event.code": "rcitati", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "equat ZSCALERNSS: time=derit Aug 2 1:43:25 2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509", + "event.timezone": "PT", + "file.type": 
"ecte", + "fileset.name": "zia", + "host.name": "piscin6866.internal.host", + "http.request.referrer": "https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim", + "input.type": "log", + "log.offset": 11586, + "network.bytes": 509, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.0.55.9", + "10.135.160.125" + ], + "rsa.db.index": "mfugiat", + "rsa.identity.user_dept": "Utenima", + "rsa.internal.data": "equat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iurer", + "rsa.misc.action": [ + "ionevo", + "Allowed" + ], + "rsa.misc.category": "tinvolu", + "rsa.misc.filter": "idex", + "rsa.misc.reference_id": "rcitati", + "rsa.misc.result": "success", + "rsa.misc.result_code": "sperna", + "rsa.network.alias_host": [ + "piscin6866.internal.host" + ], + "rsa.threat.threat_category": "quidolor", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "piscin6866.internal.host", + "service.type": "zscaler", + "source.bytes": 3616, + "source.ip": [ + "10.135.160.125" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau", + "user.name": [ + "volupta" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "destination.bytes": 6027, 
+ "destination.ip": [ + "10.63.250.128" + ], + "event.action": "Allowed", + "event.code": "ntocca", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927", + "event.timezone": "OMST", + "file.type": "adip", + "fileset.name": "zia", + "host.name": "spi3544.www.host", + "http.request.referrer": "https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno", + "input.type": "log", + "log.offset": 12524, + "network.bytes": 1927, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.63.250.128", + "10.111.187.12" + ], + "rsa.db.index": "nevo", + "rsa.identity.user_dept": "tev", + "rsa.internal.data": "tDuisaut", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "nnum", + "rsa.misc.action": [ + "ntoccae", + "Allowed" + ], + "rsa.misc.category": "tium", + "rsa.misc.filter": "uteirure", + 
"rsa.misc.reference_id": "ntocca", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "temquiav", + "rsa.network.alias_host": [ + "spi3544.www.host" + ], + "rsa.threat.threat_category": "ate", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "spi3544.www.host", + "service.type": "zscaler", + "source.bytes": 1705, + "source.ip": [ + "10.111.187.12" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", + "user.name": [ + "saute" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "destination.bytes": 1394, + "destination.ip": [ + "10.5.126.127" + ], + "event.action": "Allowed", + "event.code": "eprehen", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688", + "event.timezone": "PST", + "file.type": "imadmini", + "fileset.name": "zia", + "host.name": "tlab5981.www.host", + "http.request.referrer": "https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit", + "input.type": "log", + "log.offset": 13426, + "network.bytes": 7688, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.252.124.150", + "10.5.126.127" + ], + "rsa.db.index": "uirati", + "rsa.identity.user_dept": "roid", + "rsa.internal.data": "sBon", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mod", + "rsa.misc.action": [ + "Allowed", + "xeacomm" + ], + "rsa.misc.category": "sauteiru", + "rsa.misc.filter": "antiu", + "rsa.misc.reference_id": "eprehen", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ema", + "rsa.network.alias_host": [ + "tlab5981.www.host" + ], + "rsa.threat.threat_category": "ataevi", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tlab5981.www.host", + "service.type": "zscaler", + "source.bytes": 1940, + "source.ip": [ + "10.252.124.150" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", + "user.name": [ + "inibusB" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "destination.bytes": 248, + "destination.ip": [ + "10.201.171.120" + ], + "event.action": "Blocked", + "event.code": "ris", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ine ZSCALERNSS: time=lup Sep 13 10:51:07 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52", + "event.timezone": "CT", + "file.type": "illoin", + "fileset.name": "zia", + "host.name": "upida508.example", + "http.request.referrer": "https://example.net/psumquia/ven.html?siutali=amnih#ium", + "input.type": "log", + "log.offset": 14325, + "network.bytes": 52, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.91.126.231", + "10.201.171.120" + ], + "rsa.db.index": "str", + "rsa.identity.user_dept": "tau", + "rsa.internal.data": "ine", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", 
+ "rsa.investigations.event_vcat": "umdo", + "rsa.misc.action": [ + "Blocked", + "orumSe" + ], + "rsa.misc.category": "tanimid", + "rsa.misc.filter": "itam", + "rsa.misc.reference_id": "ris", + "rsa.misc.result": "success", + "rsa.misc.result_code": "queips", + "rsa.network.alias_host": [ + "upida508.example" + ], + "rsa.threat.threat_category": "gnamal", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "upida508.example", + "service.type": "zscaler", + "source.bytes": 728, + "source.ip": [ + "10.91.126.231" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta", + "user.name": [ + "exercita" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "destination.bytes": 2703, + "destination.ip": [ + "10.135.82.97" + ], + "event.action": "Allowed", + "event.code": "iat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; 
Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301", + "event.timezone": "GMT+02:00", + "file.type": "fugitsed", + "fileset.name": "zia", + "host.name": "oditem5255.api.localdomain", + "http.request.referrer": "https://www.example.net/iduntu/idestlab.htm?avol=icero#xer", + "input.type": "log", + "log.offset": 15210, + "network.bytes": 301, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.107.251.87", + "10.135.82.97" + ], + "rsa.db.index": "oin", + "rsa.identity.user_dept": "nturma", + "rsa.internal.data": "ofdeFini", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "quid", + "rsa.misc.action": [ + "itecto", + "Allowed" + ], + "rsa.misc.category": "quam", + "rsa.misc.filter": "adeser", + "rsa.misc.reference_id": "iat", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "tut", + "rsa.network.alias_host": [ + "oditem5255.api.localdomain" + ], + "rsa.threat.threat_category": "atisun", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "oditem5255.api.localdomain", + "service.type": "zscaler", + "source.bytes": 1300, + "source.ip": [ + "10.107.251.87" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol", + "user.name": [ + "str" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i 
Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.bytes": 100, + "destination.ip": [ + "10.31.198.58" + ], + "event.action": "Blocked", + "event.code": "ditemp", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672", + "event.timezone": "PST", + "file.type": "billo", + "fileset.name": "zia", + "host.name": "uamei2389.internal.example", + "http.request.referrer": "https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano", + "input.type": "log", + "log.offset": 16116, + "network.bytes": 6672, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.31.198.58", + "10.215.205.216" + ], + "rsa.db.index": "sau", + "rsa.identity.user_dept": "boreetdo", + "rsa.internal.data": "adipisc", + 
"rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "oNemoeni", + "rsa.misc.action": [ + "Blocked", + "nre" + ], + "rsa.misc.category": "labo", + "rsa.misc.filter": "tutlab", + "rsa.misc.reference_id": "ditemp", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "olab", + "rsa.network.alias_host": [ + "uamei2389.internal.example" + ], + "rsa.threat.threat_category": "boris", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "uamei2389.internal.example", + "service.type": "zscaler", + "source.bytes": 7231, + "source.ip": [ + "10.215.205.216" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/its/ender.gif?oles=edic#seq", + "user.name": [ + "aturve" + ], + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "destination.bytes": 7205, + "destination.ip": [ + "10.29.155.171" + ], + "event.action": "Allowed", + "event.code": "aboreetd", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quasia ZSCALERNSS: time=adi Oct 26 7:58:50 
2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332", + "event.timezone": "PST", + "file.type": "itau", + "fileset.name": "zia", + "host.name": "eacommod1930.internal.lan", + "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", + "input.type": "log", + "log.offset": 17002, + "network.bytes": 332, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.229.83.165", + "10.29.155.171" + ], + "rsa.db.index": "orsit", + "rsa.identity.user_dept": "labo", + "rsa.internal.data": "quasia", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vitaedi", + "rsa.misc.action": [ + "llitanim", + "Allowed" + ], + "rsa.misc.category": "apariat", + "rsa.misc.filter": "tasnulap", + "rsa.misc.reference_id": "aboreetd", + "rsa.misc.result": "failure", + 
"rsa.misc.result_code": "por", + "rsa.network.alias_host": [ + "eacommod1930.internal.lan" + ], + "rsa.threat.threat_category": "dolore", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "eacommod1930.internal.lan", + "service.type": "zscaler", + "source.bytes": 5047, + "source.ip": [ + "10.229.83.165" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/oeni/tdol.gif?llamco=nea#psum", + "user.name": [ + "ulapar" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.bytes": 6498, + "destination.ip": [ + "10.129.192.145" + ], + "event.action": "Blocked", + "event.code": "oraincid", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile 
Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014", + "event.timezone": "GMT-07:00", + "file.type": "ationev", + "fileset.name": "zia", + "host.name": "tem6984.www5.domain", + "http.request.referrer": "https://example.com/rQu/mco.jpg?dun=reprehe#tincu", + "input.type": "log", + "log.offset": 18036, + "network.bytes": 4014, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.129.192.145", + "10.161.148.64" + ], + "rsa.db.index": "cteturad", + "rsa.identity.user_dept": "dex", + "rsa.internal.data": "adminimv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uaUten", + "rsa.misc.action": [ + "amcorp", + "Blocked" + ], + "rsa.misc.category": "umdolor", + "rsa.misc.filter": "velillu", + "rsa.misc.reference_id": "oraincid", + "rsa.misc.result": "success", + "rsa.misc.result_code": "liqua", + "rsa.network.alias_host": [ + "tem6984.www5.domain" + ], + "rsa.threat.threat_category": "mve", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tem6984.www5.domain", + "service.type": "zscaler", + "source.bytes": 1275, + "source.ip": [ + "10.161.148.64" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor", + "user.name": [ + "lor" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", 
+ "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.bytes": 6392, + "destination.ip": [ + "10.7.200.140" + ], + "event.action": "Allowed", + "event.code": "tpersp", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664", + "event.timezone": "CEST", + "file.type": "equatur", + "fileset.name": "zia", + "host.name": "lapariat7287.internal.host", + "http.request.referrer": "https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup", + "input.type": "log", + "log.offset": 18921, + "network.bytes": 1664, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.7.200.140", + "10.203.65.161" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "siu", + "rsa.internal.data": "fdeF", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tdol", + "rsa.misc.action": [ + "nte", + "Allowed" + ], + "rsa.misc.category": "adeseru", + "rsa.misc.filter": "mac", + "rsa.misc.reference_id": "tpersp", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "porinc", + "rsa.network.alias_host": [ + "lapariat7287.internal.host" + ], + "rsa.threat.threat_category": "mex", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "lapariat7287.internal.host", + "service.type": "zscaler", + "source.bytes": 3571, + "source.ip": [ + "10.203.65.161" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/icabo/gna.html?urerepr=eseru#quamest", + "user.name": [ + "snost" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "destination.bytes": 7595, + "destination.ip": [ + "10.86.22.67" + ], + "event.action": "Blocked", + "event.code": "mquae", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846", + "event.timezone": "GMT-07:00", + "file.type": "ites", + "fileset.name": "zia", + "host.name": "licabo1493.api.corp", + "http.request.referrer": "https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi", + "input.type": "log", + "log.offset": 19875, + "network.bytes": 2846, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.86.22.67", + "10.218.98.29" + ], + "rsa.db.index": "cab", + "rsa.identity.user_dept": "quunt", + "rsa.internal.data": "ipi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iutali", + "rsa.misc.action": [ + "atcupi", + "Blocked" + ], + "rsa.misc.category": "isetq", + "rsa.misc.filter": "equinesc", + "rsa.misc.reference_id": "mquae", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ore", + "rsa.network.alias_host": [ + "licabo1493.api.corp" + ], + "rsa.threat.threat_category": "teturad", + 
"rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "licabo1493.api.corp", + "service.type": "zscaler", + "source.bytes": 2332, + "source.ip": [ + "10.218.98.29" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ", + "user.name": [ + "olori" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "destination.bytes": 2147, + "destination.ip": [ + "10.39.31.115" + ], + "event.action": "Allowed", + "event.code": "labo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702", + "event.timezone": "CT", + "file.type": "naaliq", + "fileset.name": "zia", + "host.name": 
"stenatu4844.www.invalid", + "http.request.referrer": "https://example.net/idid/tesse.txt?boru=ptateve#enderi", + "input.type": "log", + "log.offset": 20787, + "network.bytes": 5702, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.39.31.115", + "10.24.111.229" + ], + "rsa.db.index": "rExc", + "rsa.identity.user_dept": "toccaec", + "rsa.internal.data": "acommod", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ulpa", + "rsa.misc.action": [ + "gnaal", + "Allowed" + ], + "rsa.misc.category": "nte", + "rsa.misc.filter": "pid", + "rsa.misc.reference_id": "labo", + "rsa.misc.result": "success", + "rsa.misc.result_code": "maliquam", + "rsa.network.alias_host": [ + "stenatu4844.www.invalid" + ], + "rsa.threat.threat_category": "rad", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "stenatu4844.www.invalid", + "service.type": "zscaler", + "source.bytes": 7224, + "source.ip": [ + "10.24.111.229" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", + "user.name": [ + "fugi" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "destination.bytes": 4814, + "destination.ip": [ + "10.179.210.218" + ], + "event.action": "Blocked", + "event.code": "undeom", + "event.dataset": "zscaler.zia", + "event.module": 
"zscaler", + "event.original": "ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696", + "event.timezone": "PST", + "file.type": "ido", + "fileset.name": "zia", + "host.name": "sitam5077.internal.host", + "http.request.referrer": "https://example.net/mven/olorsit.gif?oremag=illu#ruredo", + "input.type": "log", + "log.offset": 21648, + "network.bytes": 696, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.32.39.220", + "10.179.210.218" + ], + "rsa.db.index": "emvele", + "rsa.identity.user_dept": "tatevel", + "rsa.internal.data": "ritati", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "riss", + "rsa.misc.action": [ + "Blocked", + "risnis" + ], + "rsa.misc.category": "emqu", + "rsa.misc.filter": "oluptas", + "rsa.misc.reference_id": "undeom", + "rsa.misc.result": "failure", + 
"rsa.misc.result_code": "isn", + "rsa.network.alias_host": [ + "sitam5077.internal.host" + ], + "rsa.threat.threat_category": "sit", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "sitam5077.internal.host", + "service.type": "zscaler", + "source.bytes": 1140, + "source.ip": [ + "10.32.39.220" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "user.name": [ + "boreetdo" + ], + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "destination.bytes": 3916, + "destination.ip": [ + "10.128.173.19" + ], + "event.action": "Blocked", + "event.code": "tlaboree", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365", + "event.timezone": "CT", + "file.type": "modocon", + "fileset.name": "zia", + "host.name": "dquia107.www.test", + "http.request.referrer": "https://example.org/liquaUte/alorum.txt?ria=atDu#nsec", + "input.type": "log", + "log.offset": 22620, + "network.bytes": 2365, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.88.172.34", + "10.128.173.19" + ], + "rsa.db.index": "oin", + "rsa.identity.user_dept": "maperi", + "rsa.internal.data": "quunt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.action": [ + "Blocked", + "dtempo" + ], + "rsa.misc.category": "ipsu", + "rsa.misc.filter": "iqu", + "rsa.misc.reference_id": "tlaboree", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "mve", + "rsa.network.alias_host": [ + "dquia107.www.test" + ], + "rsa.threat.threat_category": "urExce", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "dquia107.www.test", + "service.type": "zscaler", + "source.bytes": 7680, + "source.ip": [ + "10.88.172.34" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla", + "user.name": [ + "agnaaliq" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 
4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "destination.bytes": 7889, + "destination.ip": [ + "10.130.241.232" + ], + "event.action": "Allowed", + "event.code": "redol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "inv ZSCALERNSS: time=rroq Feb 3 9:16:50 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302", + "event.timezone": "CT", + "file.type": "emoe", + "fileset.name": "zia", + "host.name": "lloin4019.www.localhost", + "http.request.referrer": "https://example.net/naal/equun.gif?mve=uia#iciad", + "input.type": "log", + "log.offset": 23507, + "network.bytes": 2302, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.130.241.232", + "10.238.224.49" + ], + "rsa.db.index": "aaliq", + "rsa.identity.user_dept": "mad", + "rsa.internal.data": "inv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + 
"rsa.investigations.event_vcat": "mnisiut", + "rsa.misc.action": [ + "Allowed", + "mod" + ], + "rsa.misc.category": "uiinea", + "rsa.misc.filter": "aturQu", + "rsa.misc.reference_id": "redol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "toditaut", + "rsa.network.alias_host": [ + "lloin4019.www.localhost" + ], + "rsa.threat.threat_category": "Except", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "lloin4019.www.localhost", + "service.type": "zscaler", + "source.bytes": 5107, + "source.ip": [ + "10.238.224.49" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", + "user.name": [ + "onse" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "destination.bytes": 609, + "destination.ip": [ + "10.115.53.31" + ], + "event.action": "Allowed", + "event.code": "olorema", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622", + "event.timezone": "OMST", + "file.type": "esseq", + "fileset.name": "zia", + "host.name": "tamet6317.www.host", + "http.request.referrer": "https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti", + "input.type": "log", + "log.offset": 24381, + "network.bytes": 2622, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.2.67.127", + "10.115.53.31" + ], + "rsa.db.index": "ntexplic", + "rsa.identity.user_dept": "mdolore", + "rsa.internal.data": "eprehend", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "quatD", + "rsa.misc.action": [ + "Allowed", + "tatem" + ], + "rsa.misc.category": "aincidun", + "rsa.misc.filter": "uela", + "rsa.misc.reference_id": "olorema", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "teur", + "rsa.network.alias_host": [ + "tamet6317.www.host" + ], + "rsa.threat.threat_category": "uta", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "tamet6317.www.host", + "service.type": "zscaler", + "source.bytes": 6156, + "source.ip": [ + "10.2.67.127" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", + "user.name": [ + "Cic" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "destination.bytes": 5328, + "destination.ip": [ + "10.204.214.251" + ], + "event.action": "Allowed", + "event.code": "scipitl", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tur ZSCALERNSS: time=ictas Mar 4 11:21:59 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501", + "event.timezone": "OMST", + "file.type": "tas", + "fileset.name": "zia", + "host.name": "saquaea6344.www.invalid", + "http.request.referrer": "https://example.org/modoc/boNem.gif?ssusci=animid#mpo", + "input.type": "log", + "log.offset": 25254, + "network.bytes": 501, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.101.38.213", + "10.204.214.251" + ], + "rsa.db.index": "ecatcupi", + "rsa.identity.user_dept": "atuse", + "rsa.internal.data": "tur", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tasun", + "rsa.misc.action": [ + "quasiarc", + "Allowed" + ], + "rsa.misc.category": "autfugi", + "rsa.misc.filter": "ritqu", + "rsa.misc.reference_id": "scipitl", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "tetura", + "rsa.network.alias_host": [ + "saquaea6344.www.invalid" + ], + "rsa.threat.threat_category": "ntium", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "saquaea6344.www.invalid", + "service.type": "zscaler", + "source.bytes": 3487, + "source.ip": [ + "10.101.38.213" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", + "user.name": [ + "ueipsa" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "destination.bytes": 2118, + "destination.ip": [ + "10.18.226.72" + ], + "event.action": "Allowed", + "event.code": "dquiaco", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 
2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879", + "event.timezone": "GMT+02:00", + "file.type": "essecill", + "fileset.name": "zia", + "host.name": "utaliqu4248.www.localhost", + "http.request.referrer": "https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed", + "input.type": "log", + "log.offset": 26141, + "network.bytes": 7879, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.18.226.72", + "10.101.85.169" + ], + "rsa.db.index": "iacons", + "rsa.identity.user_dept": "billo", + "rsa.internal.data": "roquisqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "moles", + "rsa.misc.action": [ + "vitaed", + "Allowed" + ], + "rsa.misc.category": "billoi", + "rsa.misc.filter": "suntex", + "rsa.misc.reference_id": "dquiaco", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "oru", + "rsa.network.alias_host": [ + "utaliqu4248.www.localhost" + ], + "rsa.threat.threat_category": "olup", + 
"rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "utaliqu4248.www.localhost", + "service.type": "zscaler", + "source.bytes": 2352, + "source.ip": [ + "10.101.85.169" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", + "user.name": [ + "rroqu" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "destination.bytes": 7509, + "destination.ip": [ + "10.87.100.240" + ], + "event.action": "Allowed", + "event.code": "equep", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617", + "event.timezone": "GMT-07:00", + "file.type": "rumetMal", + 
"fileset.name": "zia", + "host.name": "mdolore473.internal.test", + "http.request.referrer": "https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep", + "input.type": "log", + "log.offset": 27035, + "network.bytes": 2617, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.87.100.240", + "10.242.182.193" + ], + "rsa.db.index": "etconsec", + "rsa.identity.user_dept": "nder", + "rsa.internal.data": "eprehend", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mag", + "rsa.misc.action": [ + "Allowed", + "tali" + ], + "rsa.misc.category": "oconse", + "rsa.misc.filter": "npr", + "rsa.misc.reference_id": "equep", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "iqu", + "rsa.network.alias_host": [ + "mdolore473.internal.test" + ], + "rsa.threat.threat_category": "dolores", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "mdolore473.internal.test", + "service.type": "zscaler", + "source.bytes": 2124, + "source.ip": [ + "10.242.182.193" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta", + "user.name": [ + "stenatus" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.bytes": 204, + "destination.ip": [ + "10.229.242.223" + ], + "event.action": "Blocked", + 
"event.code": "dexe", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460", + "event.timezone": "GMT-07:00", + "file.type": "culpaqui", + "fileset.name": "zia", + "host.name": "tatio6513.www.invalid", + "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", + "input.type": "log", + "log.offset": 27937, + "network.bytes": 2460, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.229.242.223", + "10.80.57.247" + ], + "rsa.db.index": "pernat", + "rsa.identity.user_dept": "ptatem", + "rsa.internal.data": "autemv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tdolore", + "rsa.misc.action": [ + "Blocked", + "onproide" + ], + "rsa.misc.category": "tvolup", + "rsa.misc.filter": "niam", + 
"rsa.misc.reference_id": "dexe", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "riosa", + "rsa.network.alias_host": [ + "tatio6513.www.invalid" + ], + "rsa.threat.threat_category": "red", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tatio6513.www.invalid", + "service.type": "zscaler", + "source.bytes": 2737, + "source.ip": [ + "10.80.57.247" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq", + "user.name": [ + "itasp" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "destination.bytes": 6146, + "destination.ip": [ + "10.193.66.155" + ], + "event.action": "Allowed", + "event.code": "enim", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile 
Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099", + "event.timezone": "PT", + "file.type": "sintocc", + "fileset.name": "zia", + "host.name": "lapar1599.www.lan", + "http.request.referrer": "https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis", + "input.type": "log", + "log.offset": 28899, + "network.bytes": 6099, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.193.66.155", + "10.106.77.138" + ], + "rsa.db.index": "iqua", + "rsa.identity.user_dept": "henderi", + "rsa.internal.data": "caecat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uteir", + "rsa.misc.action": [ + "Section", + "Allowed" + ], + "rsa.misc.category": "cididu", + "rsa.misc.filter": "Utenima", + "rsa.misc.reference_id": "enim", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orroquis", + "rsa.network.alias_host": [ + "lapar1599.www.lan" + ], + "rsa.threat.threat_category": "isn", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "lapar1599.www.lan", + "service.type": "zscaler", + "source.bytes": 4329, + "source.ip": [ + "10.106.77.138" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta", + "user.name": [ + "iusmodt" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "destination.bytes": 3862, + "destination.ip": [ + "10.236.230.136" + ], + "event.action": "Allowed", + "event.code": "quira", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373", + "event.timezone": "ET", + "file.type": "undeom", + "fileset.name": "zia", + "host.name": "aquioff3853.www.localdomain", + "http.request.referrer": "https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag", + "input.type": "log", + "log.offset": 29854, + "network.bytes": 5373, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.54.159.1", + "10.236.230.136" + ], + "rsa.db.index": "olup", + "rsa.identity.user_dept": 
"asnulapa", + "rsa.internal.data": "mexer", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tec", + "rsa.misc.action": [ + "Allowed", + "tatema" + ], + "rsa.misc.category": "emullamc", + "rsa.misc.filter": "emveleum", + "rsa.misc.reference_id": "quira", + "rsa.misc.result": "success", + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "aquioff3853.www.localdomain" + ], + "rsa.threat.threat_category": "tutlabo", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "aquioff3853.www.localdomain", + "service.type": "zscaler", + "source.bytes": 2446, + "source.ip": [ + "10.54.159.1" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi", + "user.name": [ + "mUteni" + ], + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "destination.bytes": 4968, + "destination.ip": [ + "10.49.242.174" + ], + "event.action": "Allowed", + "event.code": "rroqui", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "atae ZSCALERNSS: time=tetura May 29 5:37:24 
2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16", + "event.timezone": "OMST", + "file.type": "oeni", + "fileset.name": "zia", + "host.name": "ura675.mail.localdomain", + "http.request.referrer": "https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum", + "input.type": "log", + "log.offset": 30815, + "network.bytes": 16, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.49.242.174", + "10.131.246.134" + ], + "rsa.db.index": "sumquiad", + "rsa.identity.user_dept": "aconsequ", + "rsa.internal.data": "atae", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tvolup", + "rsa.misc.action": [ + "utemvel", + "Allowed" + ], + "rsa.misc.category": "untutlab", + "rsa.misc.filter": "dol", + "rsa.misc.reference_id": "rroqui", + "rsa.misc.result": "success", + "rsa.misc.result_code": "iusm", + "rsa.network.alias_host": [ + 
"ura675.mail.localdomain" + ], + "rsa.threat.threat_category": "pteurs", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "ura675.mail.localdomain", + "service.type": "zscaler", + "source.bytes": 5325, + "source.ip": [ + "10.131.246.134" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon", + "user.name": [ + "umdolo" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "destination.bytes": 1046, + "destination.ip": [ + "10.142.120.198" + ], + "event.action": "Blocked", + "event.code": "ido", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695", + "event.timezone": "CT", + "file.type": "nat", + "fileset.name": "zia", + "host.name": "iamea478.www5.host", + "http.request.referrer": "https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex", + "input.type": "log", + "log.offset": 31783, + "network.bytes": 6695, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.142.120.198", + "10.166.10.42" + ], + "rsa.db.index": "fugiatn", + "rsa.identity.user_dept": "uamqu", + "rsa.internal.data": "rere", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ende", + "rsa.misc.action": [ + "Blocked", + "doconse" + ], + "rsa.misc.category": "uovolupt", + "rsa.misc.filter": "litesse", + "rsa.misc.reference_id": "ido", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "iusmodi", + "rsa.network.alias_host": [ + "iamea478.www5.host" + ], + "rsa.threat.threat_category": "dolor", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "iamea478.www5.host", + "service.type": "zscaler", + "source.bytes": 2522, + "source.ip": [ + "10.166.10.42" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", + "user.name": [ + "olori" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + 
"user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "destination.bytes": 3520, + "destination.ip": [ + "10.138.188.201" + ], + "event.action": "Allowed", + "event.code": "rsitvol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142", + "event.timezone": "GMT+02:00", + "file.type": "dol", + "fileset.name": "zia", + "host.name": "eaque6543.api.domain", + "http.request.referrer": "https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim", + "input.type": "log", + "log.offset": 32670, + "network.bytes": 1142, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.128.184.241", + "10.138.188.201" + ], + "rsa.db.index": "riatur", + "rsa.identity.user_dept": "urau", + "rsa.internal.data": "equat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Communication", + "rsa.investigations.event_vcat": "issu", + "rsa.misc.action": [ + "Allowed", + "sed" + ], + "rsa.misc.category": "atur", + "rsa.misc.filter": "iciadese", + "rsa.misc.reference_id": "rsitvol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "uid", + "rsa.network.alias_host": [ + "eaque6543.api.domain" + ], + "rsa.threat.threat_category": "piscivel", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "eaque6543.api.domain", + "service.type": "zscaler", + "source.bytes": 6793, + "source.ip": [ + "10.128.184.241" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "user.name": [ + "etur" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.bytes": 2990, + "destination.ip": [ + "10.53.101.131" + ], + "event.action": "Allowed", + "event.code": "itinvol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; 
LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735", + "event.timezone": "CET", + "file.type": "exerci", + "fileset.name": "zia", + "host.name": "eufug1756.mail.corp", + "http.request.referrer": "https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul", + "input.type": "log", + "log.offset": 33551, + "network.bytes": 6735, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.213.57.165", + "10.53.101.131" + ], + "rsa.db.index": "asnulap", + "rsa.identity.user_dept": "ectetura", + "rsa.internal.data": "ectob", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ese", + "rsa.misc.action": [ + "Allowed", + "litanim" + ], + "rsa.misc.category": "idata", + "rsa.misc.filter": "urerepre", + "rsa.misc.reference_id": "itinvol", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "modico", + "rsa.network.alias_host": [ + "eufug1756.mail.corp" + ], + "rsa.threat.threat_category": "amni", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "eufug1756.mail.corp", + "service.type": "zscaler", + "source.bytes": 2135, + "source.ip": [ + "10.213.57.165" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.net/snulap/enimadm.html?writte=sitvo#ine", + "user.name": [ + "isau" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "destination.bytes": 3601, + "destination.ip": [ + "10.243.6.41" + ], + "event.action": "Blocked", + "event.code": "ainc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "riame ZSCALERNSS: time=riat Jul 25 9:47:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203", + "event.timezone": "GMT+02:00", + "file.type": "venia", + "fileset.name": "zia", + "host.name": "orp5697.www.invalid", + "http.request.referrer": "https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip", + "input.type": "log", + "log.offset": 34428, + "network.bytes": 203, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.55.81.14", + "10.243.6.41" + ], + "rsa.db.index": "emp", + "rsa.identity.user_dept": "tenim", + "rsa.internal.data": "riame", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "idolores", + "rsa.misc.action": [ + "Blocked", + "lestia" + ], + "rsa.misc.category": "risni", + "rsa.misc.filter": "emacc", + "rsa.misc.reference_id": "ainc", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "pisci", + "rsa.network.alias_host": [ + "orp5697.www.invalid" + ], + "rsa.threat.threat_category": "mmod", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "orp5697.www.invalid", + "service.type": "zscaler", + "source.bytes": 3606, + "source.ip": [ + "10.55.81.14" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents", + "user.name": [ + "eiusmo" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "destination.bytes": 4241, + "destination.ip": [ + "10.33.144.10" + ], + "event.action": "Blocked", + "event.code": "labo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ore ZSCALERNSS: time=esse Aug 8 4:50:15 
2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813", + "event.timezone": "PST", + "file.type": "tvol", + "fileset.name": "zia", + "host.name": "pariatur7238.www5.invalid", + "http.request.referrer": "https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo", + "input.type": "log", + "log.offset": 35335, + "network.bytes": 3813, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.33.144.10", + "10.202.224.79" + ], + "rsa.db.index": "edolori", + "rsa.identity.user_dept": "seos", + "rsa.internal.data": "ore", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lit", + "rsa.misc.action": [ + "Blocked", + "quu" + ], + "rsa.misc.category": "oluptate", + "rsa.misc.filter": "exercita", + "rsa.misc.reference_id": "labo", + "rsa.misc.result": "success", + "rsa.misc.result_code": "abor", + "rsa.network.alias_host": [ + "pariatur7238.www5.invalid" + ], + "rsa.threat.threat_category": "ritati", + "rsa.time.event_time": 
"2017-08-08T06:50:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "pariatur7238.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2203, + "source.ip": [ + "10.202.224.79" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos", + "user.name": [ + "rios" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "destination.bytes": 6317, + "destination.ip": [ + "10.158.18.51" + ], + "event.action": "Allowed", + "event.code": "exerci", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386", + "event.timezone": "GMT-07:00", + "file.type": "meum", + "fileset.name": "zia", + "host.name": "fficia2304.www5.home", + 
"http.request.referrer": "https://www.example.net/lpa/isn.htm?iat=ffic#siuta", + "input.type": "log", + "log.offset": 36210, + "network.bytes": 4386, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.158.18.51", + "10.20.124.138" + ], + "rsa.db.index": "quamqua", + "rsa.identity.user_dept": "aparia", + "rsa.internal.data": "tat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Loremip", + "rsa.misc.action": [ + "quid", + "Allowed" + ], + "rsa.misc.category": "mini", + "rsa.misc.filter": "uisnos", + "rsa.misc.reference_id": "exerci", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orem", + "rsa.network.alias_host": [ + "fficia2304.www5.home" + ], + "rsa.threat.threat_category": "nvo", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "fficia2304.www5.home", + "service.type": "zscaler", + "source.bytes": 5452, + "source.ip": [ + "10.20.124.138" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", + "user.name": [ + "CSe" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "destination.bytes": 1044, + "destination.ip": [ + "10.134.128.27" + ], + "event.action": "Allowed", + "event.code": "olore", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + 
"event.original": "tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429", + "event.timezone": "CT", + "file.type": "sautei", + "fileset.name": "zia", + "host.name": "mquisnos7453.home", + "http.request.referrer": "https://www5.example.org/snisiut/siar.txt?inB=orp#ender", + "input.type": "log", + "log.offset": 37074, + "network.bytes": 2429, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.134.128.27", + "10.118.177.136" + ], + "rsa.db.index": "liqua", + "rsa.identity.user_dept": "rumSecti", + "rsa.internal.data": "tqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "voluptas", + "rsa.misc.action": [ + "Allowed", + "olor" + ], + "rsa.misc.category": "ataevita", + "rsa.misc.filter": "nderi", + "rsa.misc.reference_id": "olore", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "orio", + 
"rsa.network.alias_host": [ + "mquisnos7453.home" + ], + "rsa.threat.threat_category": "rspic", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "mquisnos7453.home", + "service.type": "zscaler", + "source.bytes": 6908, + "source.ip": [ + "10.118.177.136" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo", + "user.name": [ + "Utenima" + ], + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "destination.bytes": 3034, + "destination.ip": [ + "10.68.8.143" + ], + "event.action": "Allowed", + "event.code": "lorem", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185", + "event.timezone": "OMST", + "file.type": "dunt", + "fileset.name": "zia", + "host.name": "aquio748.www.localhost", + "http.request.referrer": "https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet", + "input.type": "log", + "log.offset": 38021, + "network.bytes": 1185, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.68.8.143", + "10.125.120.97" + ], + "rsa.db.index": "tam", + "rsa.identity.user_dept": "idolo", + "rsa.internal.data": "olu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "amni", + "rsa.misc.action": [ + "Allowed", + "edutp" + ], + "rsa.misc.category": "ames", + "rsa.misc.filter": "dmi", + "rsa.misc.reference_id": "lorem", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "eserun", + "rsa.network.alias_host": [ + "aquio748.www.localhost" + ], + "rsa.threat.threat_category": "amquisno", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "aquio748.www.localhost", + "service.type": "zscaler", + "source.bytes": 911, + "source.ip": [ + "10.125.120.97" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore", + "user.name": [ + "reet" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "destination.bytes": 4982, + "destination.ip": [ + "10.143.0.78" + ], + "event.action": "Blocked", + "event.code": "atems", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577", + "event.timezone": "PST", + "file.type": "aria", + "fileset.name": "zia", + "host.name": "remagnam796.mail.corp", + "http.request.referrer": "https://www5.example.net/ico/giatquo.htm?evi=tionula#accus", + "input.type": "log", + "log.offset": 38924, + "network.bytes": 5577, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.143.0.78", + "10.137.164.122" + ], + "rsa.db.index": "itesse", + "rsa.identity.user_dept": "amnihil", + "rsa.internal.data": "tatevel", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "etdol", + "rsa.misc.action": [ + "Blocked", + "mwrit" + ], + "rsa.misc.category": "inim", + "rsa.misc.filter": "aturQu", + "rsa.misc.reference_id": "atems", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "officiad", + "rsa.network.alias_host": [ + "remagnam796.mail.corp" + ], + "rsa.threat.threat_category": "oremeumf", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "remagnam796.mail.corp", + "service.type": "zscaler", + "source.bytes": 2923, + "source.ip": [ + "10.137.164.122" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip", + "user.name": [ + "orissus" + ], + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.bytes": 7556, + "destination.ip": [ + "10.30.87.51" + ], + "event.action": "Blocked", + "event.code": "rchit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 
2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281", + "event.timezone": "OMST", + "file.type": "edic", + "fileset.name": "zia", + "host.name": "etdolore4227.internal.corp", + "http.request.referrer": "https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup", + "input.type": "log", + "log.offset": 39868, + "network.bytes": 3281, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.30.87.51", + "10.156.177.53" + ], + "rsa.db.index": "siarc", + "rsa.identity.user_dept": "rmagnido", + "rsa.internal.data": "quiavolu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tatno", + "rsa.misc.action": [ + "ptatev", + "Blocked" + ], + "rsa.misc.category": "udexerc", + "rsa.misc.filter": "ptatemse", + "rsa.misc.reference_id": "rchit", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ctetura", + "rsa.network.alias_host": [ + "etdolore4227.internal.corp" + ], + "rsa.threat.threat_category": "atatnon", 
+ "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "etdolore4227.internal.corp", + "service.type": "zscaler", + "source.bytes": 6552, + "source.ip": [ + "10.156.177.53" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur", + "user.name": [ + "psaquaea" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.bytes": 470, + "destination.ip": [ + "10.83.138.34" + ], + "event.action": "Blocked", + "event.code": "inea", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017", + "event.timezone": "GMT+02:00", + "file.type": "usmodite", + "fileset.name": "zia", + "host.name": "rors1935.api.domain", + "http.request.referrer": "https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl", + "input.type": "log", + "log.offset": 40778, + "network.bytes": 6017, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.111.249.184", + "10.83.138.34" + ], + "rsa.db.index": "datatnon", + "rsa.identity.user_dept": "onsectet", + "rsa.internal.data": "tat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tatemse", + "rsa.misc.action": [ + "Blocked", + "upta" + ], + "rsa.misc.category": "tlabo", + "rsa.misc.filter": "aliqui", + "rsa.misc.reference_id": "inea", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "quioff", + "rsa.network.alias_host": [ + "rors1935.api.domain" + ], + "rsa.threat.threat_category": "uamestqu", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "rors1935.api.domain", + "service.type": "zscaler", + "source.bytes": 313, + "source.ip": [ + "10.111.249.184" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul", + "user.name": [ + "dentsunt" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone 
OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "destination.bytes": 7810, + "destination.ip": [ + "10.141.195.13" + ], + "event.action": "Allowed", + "event.code": "tautfugi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046", + "event.timezone": "PT", + "file.type": "avolu", + "fileset.name": "zia", + "host.name": "idexeac1655.internal.test", + "http.request.referrer": "https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp", + "input.type": "log", + "log.offset": 41820, + "network.bytes": 4046, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + 
"observer.vendor": "Zscaler", + "related.ip": [ + "10.180.150.47", + "10.141.195.13" + ], + "rsa.db.index": "ariat", + "rsa.identity.user_dept": "ncul", + "rsa.internal.data": "nvol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "itesse", + "rsa.misc.action": [ + "uip", + "Allowed" + ], + "rsa.misc.category": "teturad", + "rsa.misc.filter": "roquisqu", + "rsa.misc.reference_id": "tautfugi", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "edquian", + "rsa.network.alias_host": [ + "idexeac1655.internal.test" + ], + "rsa.threat.threat_category": "essecill", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "idexeac1655.internal.test", + "service.type": "zscaler", + "source.bytes": 3940, + "source.ip": [ + "10.180.150.47" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem", + "user.name": [ + "taliq" + ], + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.bytes": 2266, + "destination.ip": [ + "10.166.195.20" + ], + "event.action": "Allowed", + "event.code": "ceroinB", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800", + "event.timezone": "GMT-07:00", + "file.type": "ici", + "fileset.name": "zia", + "host.name": "laboree3880.api.invalid", + "http.request.referrer": "https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint", + "input.type": "log", + "log.offset": 42776, + "network.bytes": 7800, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.255.40.12", + "10.166.195.20" + ], + "rsa.db.index": "tdolorem", + "rsa.identity.user_dept": "remagnaa", + "rsa.internal.data": "uames", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mipsumq", + "rsa.misc.action": [ + "Allowed", + "citation" + ], + "rsa.misc.category": "usant", + "rsa.misc.filter": "Nem", + "rsa.misc.reference_id": "ceroinB", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orisn", + "rsa.network.alias_host": [ + "laboree3880.api.invalid" + ], + "rsa.threat.threat_category": "nimide", + "rsa.time.event_time": 
"2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "laboree3880.api.invalid", + "service.type": "zscaler", + "source.bytes": 7073, + "source.ip": [ + "10.255.40.12" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna", + "user.name": [ + "lamcolab" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.bytes": 5091, + "destination.ip": [ + "10.22.122.43" + ], + "event.action": "Blocked", + "event.code": "mexer", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815", + "event.timezone": "PT", + "file.type": "boreet", + "fileset.name": "zia", + "host.name": "tecto708.www5.example", + "http.request.referrer": 
"https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame", + "input.type": "log", + "log.offset": 43645, + "network.bytes": 7815, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.22.122.43", + "10.100.143.226" + ], + "rsa.db.index": "turveli", + "rsa.identity.user_dept": "ueporroq", + "rsa.internal.data": "cta", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ento", + "rsa.misc.action": [ + "Blocked", + "Bonoru" + ], + "rsa.misc.category": "luptasnu", + "rsa.misc.filter": "quamni", + "rsa.misc.reference_id": "mexer", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rumSecti", + "rsa.network.alias_host": [ + "tecto708.www5.example" + ], + "rsa.threat.threat_category": "udexerc", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "tecto708.www5.example", + "service.type": "zscaler", + "source.bytes": 1396, + "source.ip": [ + "10.100.143.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", + "user.name": [ + "ute" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "destination.bytes": 7456, + "destination.ip": [ + "10.119.53.68" + ], + "event.action": "Blocked", + "event.code": "illum", + "event.dataset": "zscaler.zia", + 
"event.module": "zscaler", + "event.original": "tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882", + "event.timezone": "GMT+02:00", + "file.type": "emUtenim", + "fileset.name": "zia", + "host.name": "ine3181.www.invalid", + "http.request.referrer": "https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame", + "input.type": "log", + "log.offset": 44575, + "network.bytes": 1882, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.121.9.5", + "10.119.53.68" + ], + "rsa.db.index": "sitam", + "rsa.identity.user_dept": "mea", + "rsa.internal.data": "tesse", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dexea", + "rsa.misc.action": [ + "tinvolup", + "Blocked" + ], + "rsa.misc.category": "ende", + "rsa.misc.filter": "onse", + "rsa.misc.reference_id": "illum", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ptat", 
+ "rsa.network.alias_host": [ + "ine3181.www.invalid" + ], + "rsa.threat.threat_category": "sse", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "ine3181.www.invalid", + "service.type": "zscaler", + "source.bytes": 497, + "source.ip": [ + "10.121.9.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul", + "user.name": [ + "ssec" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "destination.bytes": 1428, + "destination.ip": [ + "10.237.0.173" + ], + "event.action": "Blocked", + "event.code": "periam", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 
Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826", + "event.timezone": "GMT-07:00", + "file.type": "oreeu", + "fileset.name": "zia", + "host.name": "tsunt3403.www5.test", + "http.request.referrer": "https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor", + "input.type": "log", + "log.offset": 45512, + "network.bytes": 6826, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.237.0.173", + "10.31.153.177" + ], + "rsa.db.index": "tMalor", + "rsa.identity.user_dept": "tiset", + "rsa.internal.data": "eleumi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "eritqui", + "rsa.misc.action": [ + "dolor", + "Blocked" + ], + "rsa.misc.category": "taspe", + "rsa.misc.filter": "oremipsu", + "rsa.misc.reference_id": "periam", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "docons", + "rsa.network.alias_host": [ + "tsunt3403.www5.test" + ], + "rsa.threat.threat_category": "evel", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tsunt3403.www5.test", + "service.type": "zscaler", + "source.bytes": 4350, + "source.ip": [ + "10.31.153.177" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt", + "user.name": [ + "sci" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": 
"7.1.32444" + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.bytes": 7612, + "destination.ip": [ + "10.243.182.229" + ], + "event.action": "Allowed", + "event.code": "emporin", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914", + "event.timezone": "PST", + "file.type": "edolori", + "fileset.name": "zia", + "host.name": "pitl6126.www.localdomain", + "http.request.referrer": "https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca", + "input.type": "log", + "log.offset": 46366, + "network.bytes": 3914, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.229.102.140", + "10.243.182.229" + ], + "rsa.db.index": "mveni", + "rsa.identity.user_dept": "nimve", + "rsa.internal.data": "uasi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "epor", + "rsa.misc.action": [ + "Allowed", + "etquasia" + ], + "rsa.misc.category": "iaturE", + "rsa.misc.filter": "rep", + 
"rsa.misc.reference_id": "emporin", + "rsa.misc.result": "success", + "rsa.misc.result_code": "nimip", + "rsa.network.alias_host": [ + "pitl6126.www.localdomain" + ], + "rsa.threat.threat_category": "amnih", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "pitl6126.www.localdomain", + "service.type": "zscaler", + "source.bytes": 1800, + "source.ip": [ + "10.229.102.140" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com", + "user.name": [ + "duntut" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.bytes": 5763, + "destination.ip": [ + "10.39.46.155" + ], + "event.action": "Blocked", + "event.code": "BCSe", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991", + "event.timezone": "CEST", + "file.type": "hend", + "fileset.name": "zia", + "host.name": "remaper3297.internal.test", + 
"http.request.referrer": "https://internal.example.org/onsec/dit.gif?lup=aeca#isau", + "input.type": "log", + "log.offset": 47161, + "network.bytes": 3991, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.39.46.155", + "10.120.138.109" + ], + "rsa.db.index": "pta", + "rsa.identity.user_dept": "sciveli", + "rsa.internal.data": "pteu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "adipisc", + "rsa.misc.action": [ + "Blocked", + "exer" + ], + "rsa.misc.category": "remagna", + "rsa.misc.filter": "emvel", + "rsa.misc.reference_id": "BCSe", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "lapari", + "rsa.network.alias_host": [ + "remaper3297.internal.test" + ], + "rsa.threat.threat_category": "maliq", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "remaper3297.internal.test", + "service.type": "zscaler", + "source.bytes": 447, + "source.ip": [ + "10.120.138.109" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", + "user.name": [ + "picia" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "destination.bytes": 6740, + "destination.ip": [ + "10.53.191.49" + ], + "event.action": "Blocked", + "event.code": "idestl", + "event.dataset": "zscaler.zia", + "event.module": 
"zscaler", + "event.original": "luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993", + "event.timezone": "ET", + "file.type": "metMal", + "fileset.name": "zia", + "host.name": "tamr1693.api.home", + "http.request.referrer": "https://example.net/wri/itame.html?dictasun=psa#lorese", + "input.type": "log", + "log.offset": 48041, + "network.bytes": 5993, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.53.191.49", + "10.133.102.57" + ], + "rsa.db.index": "sam", + "rsa.identity.user_dept": "ctobeat", + "rsa.internal.data": "luptate", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ecillum", + "rsa.misc.action": [ + "emp", + "Blocked" + ], + "rsa.misc.category": "ciati", + "rsa.misc.filter": "elit", + "rsa.misc.reference_id": "idestl", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "data", + "rsa.network.alias_host": [ + "tamr1693.api.home" + ], + "rsa.threat.threat_category": "amei", 
+ "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "tamr1693.api.home", + "service.type": "zscaler", + "source.bytes": 6397, + "source.ip": [ + "10.133.102.57" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd", + "user.name": [ + "onsec" + ], + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "destination.bytes": 5521, + "destination.ip": [ + "10.91.2.225" + ], + "event.action": "Allowed", + "event.code": "tcu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uam ZSCALERNSS: time=quis Mar 11 2:28:49 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078", + "event.timezone": "PST", + "file.type": "etcons", + 
"fileset.name": "zia", + "host.name": "cia5990.api.localdomain", + "http.request.referrer": "https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco", + "input.type": "log", + "log.offset": 48912, + "network.bytes": 1078, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.91.2.225", + "10.89.41.97" + ], + "rsa.db.index": "ntut", + "rsa.identity.user_dept": "nderi", + "rsa.internal.data": "uam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iuntN", + "rsa.misc.action": [ + "Allowed", + "nim" + ], + "rsa.misc.category": "etco", + "rsa.misc.filter": "autodita", + "rsa.misc.reference_id": "tcu", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uaeab", + "rsa.network.alias_host": [ + "cia5990.api.localdomain" + ], + "rsa.threat.threat_category": "ursintoc", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "cia5990.api.localdomain", + "service.type": "zscaler", + "source.bytes": 141, + "source.ip": [ + "10.89.41.97" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum", + "user.name": [ + "tem" + ], + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "destination.bytes": 4211, + "destination.ip": [ + 
"10.221.20.165" + ], + "event.action": "Allowed", + "event.code": "velites", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508", + "event.timezone": "PT", + "file.type": "inculpa", + "fileset.name": "zia", + "host.name": "riatu2467.lan", + "http.request.referrer": "https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu", + "input.type": "log", + "log.offset": 49836, + "network.bytes": 4508, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.7.18.226", + "10.221.20.165" + ], + "rsa.db.index": "borio", + "rsa.identity.user_dept": "tionev", + "rsa.internal.data": "eturadip", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iadeseru", + "rsa.misc.action": [ + "Allowed", + "epreh" + ], + 
"rsa.misc.category": "ruredol", + "rsa.misc.filter": "atquo", + "rsa.misc.reference_id": "velites", + "rsa.misc.result": "success", + "rsa.misc.result_code": "sequatD", + "rsa.network.alias_host": [ + "riatu2467.lan" + ], + "rsa.threat.threat_category": "acons", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "riatu2467.lan", + "service.type": "zscaler", + "source.bytes": 5810, + "source.ip": [ + "10.7.18.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla", + "user.name": [ + "uasiarch" + ], + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "destination.bytes": 4580, + "destination.ip": [ + "10.178.148.188" + ], + "event.action": "Allowed", + "event.code": "rit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52", + "event.timezone": "GMT+02:00", + "file.type": "sequamn", + "fileset.name": "zia", + "host.name": "pici1525.www5.corp", + "http.request.referrer": "https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu", + "input.type": "log", + "log.offset": 50802, + "network.bytes": 52, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.155.252.123", + "10.178.148.188" + ], + "rsa.db.index": "ipsa", + "rsa.identity.user_dept": "ssequ", + "rsa.internal.data": "asiarc", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "inimve", + "rsa.misc.action": [ + "Allowed", + "niam" + ], + "rsa.misc.category": "perspici", + "rsa.misc.filter": "uipe", + "rsa.misc.reference_id": "rit", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ionevo", + "rsa.network.alias_host": [ + "pici1525.www5.corp" + ], + "rsa.threat.threat_category": "emipsumd", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "pici1525.www5.corp", + "service.type": "zscaler", + "source.bytes": 6665, + "source.ip": [ + "10.155.252.123" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt", + "user.name": [ + "inrepreh" + ], + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "destination.bytes": 3723, + "destination.ip": [ + "10.190.42.245" + ], + "event.action": "Blocked", + "event.code": "aeab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724", + "event.timezone": "CET", + "file.type": "tatevel", + "fileset.name": "zia", + "host.name": "dolo6418.internal.host", + "http.request.referrer": "https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau", + "input.type": "log", + "log.offset": 51742, + "network.bytes": 4724, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.220.1.249", + "10.190.42.245" + ], + "rsa.db.index": "caboN", + "rsa.identity.user_dept": "quuntur", + "rsa.internal.data": "umfu", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uamquaer", + "rsa.misc.action": [ + "Blocked", + "aerat" + ], + "rsa.misc.category": "quela", + "rsa.misc.filter": "qui", + "rsa.misc.reference_id": "aeab", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eosqui", + "rsa.network.alias_host": [ + "dolo6418.internal.host" + ], + "rsa.threat.threat_category": "enimi", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "dolo6418.internal.host", + "service.type": "zscaler", + "source.bytes": 2910, + "source.ip": [ + "10.220.1.249" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/caecat/uel.html?enim=umq#sistena", + "user.name": [ + "olup" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.bytes": 363, + "destination.ip": [ + "10.112.190.154" + ], + "event.action": "Allowed", + "event.code": "lab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "aliqu ZSCALERNSS: time=sequine May 7 6:39:06 2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; 
uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916", + "event.timezone": "GMT-07:00", + "file.type": "umiure", + "fileset.name": "zia", + "host.name": "imveni193.www5.host", + "http.request.referrer": "https://example.org/uames/tla.gif?rch=psa#nreprehe", + "input.type": "log", + "log.offset": 52602, + "network.bytes": 916, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.112.190.154", + "10.55.38.153" + ], + "rsa.db.index": "Except", + "rsa.identity.user_dept": "tvolup", + "rsa.internal.data": "aliqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tin", + "rsa.misc.action": [ + "urau", + "Allowed" + ], + "rsa.misc.category": "isiut", + "rsa.misc.filter": "cons", + "rsa.misc.reference_id": "lab", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "equamni", + "rsa.network.alias_host": [ + "imveni193.www5.host" + ], + "rsa.threat.threat_category": "billoinv", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "imveni193.www5.host", + "service.type": "zscaler", + "source.bytes": 6127, + "source.ip": [ + "10.55.38.153" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna", + "user.name": [ + "oremeu" + ], + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; 
Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "destination.bytes": 6578, + "destination.ip": [ + "10.195.153.42" + ], + "event.action": "Allowed", + "event.code": "rsit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345", + "event.timezone": "OMST", + "file.type": "noru", + "fileset.name": "zia", + "host.name": "ionu3320.api.localhost", + "http.request.referrer": "https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele", + "input.type": "log", + "log.offset": 53539, + "network.bytes": 4345, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.195.153.42", + "10.250.48.82" + ], + "rsa.db.index": "edictasu", + "rsa.identity.user_dept": "serrorsi", + 
"rsa.internal.data": "mdo", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tDuisaut", + "rsa.misc.action": [ + "Allowed", + "upidatat" + ], + "rsa.misc.category": "aliquide", + "rsa.misc.filter": "deriti", + "rsa.misc.reference_id": "rsit", + "rsa.misc.result": "success", + "rsa.misc.result_code": "reetdo", + "rsa.network.alias_host": [ + "ionu3320.api.localhost" + ], + "rsa.threat.threat_category": "dexerc", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "ionu3320.api.localhost", + "service.type": "zscaler", + "source.bytes": 2982, + "source.ip": [ + "10.250.48.82" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", + "user.name": [ + "tsedquia" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "destination.bytes": 501, + "destination.ip": [ + "10.252.164.230" + ], + "event.action": "Blocked", + "event.code": "iumtota", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 
2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421", + "event.timezone": "CT", + "file.type": "tseddo", + "fileset.name": "zia", + "host.name": "remips1499.www.local", + "http.request.referrer": "https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo", + "input.type": "log", + "log.offset": 54422, + "network.bytes": 7421, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.60.52.219", + "10.252.164.230" + ], + "rsa.db.index": "rumexer", + "rsa.identity.user_dept": "usan", + "rsa.internal.data": "hite", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rroq", + "rsa.misc.action": [ + "Blocked", + "fdeFin" + ], + "rsa.misc.category": "diduntut", + "rsa.misc.filter": "ano", + "rsa.misc.reference_id": "iumtota", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "strud", + "rsa.network.alias_host": [ + "remips1499.www.local" + ], + "rsa.threat.threat_category": "eratvolu", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "remips1499.www.local", + 
"service.type": "zscaler", + "source.bytes": 2871, + "source.ip": [ + "10.60.52.219" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder", + "user.name": [ + "gnamali" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "destination.bytes": 3365, + "destination.ip": [ + "10.187.16.73" + ], + "event.action": "Allowed", + "event.code": "ptate", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052", + "event.timezone": "CT", + "file.type": "quam", + "fileset.name": "zia", + "host.name": "mdoloree96.domain", + "http.request.referrer": "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve", + "input.type": "log", + "log.offset": 55219, + "network.bytes": 2052, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.187.16.73", + "10.122.102.156" + ], + 
"rsa.db.index": "volupt", + "rsa.identity.user_dept": "metMa", + "rsa.internal.data": "iumto", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dipisc", + "rsa.misc.action": [ + "turad", + "Allowed" + ], + "rsa.misc.category": "ulpaquio", + "rsa.misc.filter": "ngelits", + "rsa.misc.reference_id": "ptate", + "rsa.misc.result": "success", + "rsa.misc.result_code": "doloremi", + "rsa.network.alias_host": [ + "mdoloree96.domain" + ], + "rsa.threat.threat_category": "lumd", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "mdoloree96.domain", + "service.type": "zscaler", + "source.bytes": 1704, + "source.ip": [ + "10.122.102.156" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/nge/psum.gif?exerci=isnostru#iad", + "user.name": [ + "emoen" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "destination.bytes": 2104, + "destination.ip": [ + "10.120.215.174" + ], + "event.action": "Allowed", + "event.code": "ntexplic", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "cul ZSCALERNSS: time=tate Jul 3 10:49:23 
2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562", + "event.timezone": "CEST", + "file.type": "mull", + "fileset.name": "zia", + "host.name": "iatnulap7662.internal.local", + "http.request.referrer": "https://internal.example.org/tat/uredo.html?essequam=imav#mtot", + "input.type": "log", + "log.offset": 56107, + "network.bytes": 4562, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.120.215.174", + "10.248.108.55" + ], + "rsa.db.index": "rinci", + "rsa.identity.user_dept": "tionemu", + "rsa.internal.data": "cul", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rema", + "rsa.misc.action": [ + "Allowed", + "uatDu" + ], + "rsa.misc.category": "ent", + "rsa.misc.filter": "iscivel", + "rsa.misc.reference_id": "ntexplic", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "moll", + "rsa.network.alias_host": [ + "iatnulap7662.internal.local" + ], + "rsa.threat.threat_category": "tion", + "rsa.time.event_time": 
"2018-07-03T12:49:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "iatnulap7662.internal.local", + "service.type": "zscaler", + "source.bytes": 4620, + "source.ip": [ + "10.248.108.55" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet", + "user.name": [ + "prehend" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "destination.bytes": 5410, + "destination.ip": [ + "10.51.161.245" + ], + "event.action": "Allowed", + "event.code": "suntex", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526", + "event.timezone": "PT", + "file.type": "trudexe", + "fileset.name": "zia", + "host.name": "sBonoru1929.example", + 
"http.request.referrer": "https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu", + "input.type": "log", + "log.offset": 56969, + "network.bytes": 7526, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.51.161.245", + "10.15.254.181" + ], + "rsa.db.index": "umdol", + "rsa.identity.user_dept": "adipis", + "rsa.internal.data": "eniamq", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "modit", + "rsa.misc.action": [ + "Allowed", + "uteiru" + ], + "rsa.misc.category": "qua", + "rsa.misc.filter": "saute", + "rsa.misc.reference_id": "suntex", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ven", + "rsa.network.alias_host": [ + "sBonoru1929.example" + ], + "rsa.threat.threat_category": "aedicta", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "sBonoru1929.example", + "service.type": "zscaler", + "source.bytes": 4600, + "source.ip": [ + "10.15.254.181" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", + "user.name": [ + "abo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "destination.bytes": 6628, + "destination.ip": [ + "10.7.152.238" + ], + "event.action": "Blocked", + "event.code": "scipi", + 
"event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491", + "event.timezone": "ET", + "file.type": "xercita", + "fileset.name": "zia", + "host.name": "onorumet4871.lan", + "http.request.referrer": "https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn", + "input.type": "log", + "log.offset": 57916, + "network.bytes": 491, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.129.66.196", + "10.7.152.238" + ], + "rsa.db.index": "enim", + "rsa.identity.user_dept": "dol", + "rsa.internal.data": "deFinibu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vento", + "rsa.misc.action": [ + "reh", + "Blocked" + ], + "rsa.misc.category": "atev", + "rsa.misc.filter": "umq", + "rsa.misc.reference_id": "scipi", + "rsa.misc.result": "success", + 
"rsa.misc.result_code": "ursintoc", + "rsa.network.alias_host": [ + "onorumet4871.lan" + ], + "rsa.threat.threat_category": "ciun", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "onorumet4871.lan", + "service.type": "zscaler", + "source.bytes": 3604, + "source.ip": [ + "10.129.66.196" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse", + "user.name": [ + "equamn" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.bytes": 4116, + "destination.ip": [ + "10.29.162.157" + ], + "event.action": "Blocked", + "event.code": "remquela", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258", + "event.timezone": "PST", + "file.type": "lab", + "fileset.name": "zia", + "host.name": "onproi4354.www5.invalid", + "http.request.referrer": "https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo", + "input.type": "log", + "log.offset": 58862, + "network.bytes": 6258, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.185.107.27", + "10.29.162.157" + ], + "rsa.db.index": "orese", + "rsa.identity.user_dept": "orese", + "rsa.internal.data": "siuta", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "orinrep", + "rsa.misc.action": [ + "Blocked", + "squirat" + ], + "rsa.misc.category": "sequa", + "rsa.misc.filter": "orainci", + "rsa.misc.reference_id": "remquela", + "rsa.misc.result": "success", + "rsa.misc.result_code": "mto", + "rsa.network.alias_host": [ + "onproi4354.www5.invalid" + ], + "rsa.threat.threat_category": "uradi", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "onproi4354.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2977, + "source.ip": [ + "10.185.107.27" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf", + "user.name": [ + "evelite" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU 
iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "destination.bytes": 1926, + "destination.ip": [ + "10.215.63.248" + ], + "event.action": "Blocked", + "event.code": "dantium", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rem ZSCALERNSS: time=consecte Aug 29 2:59:40 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676", + "event.timezone": "ET", + "file.type": "Bonor", + "fileset.name": "zia", + "host.name": "beataevi7552.api.test", + "http.request.referrer": "https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco", + "input.type": "log", + "log.offset": 59899, + "network.bytes": 2676, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + 
"observer.vendor": "Zscaler", + "related.ip": [ + "10.215.63.248", + "10.138.0.214" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "uianonn", + "rsa.internal.data": "rem", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "odita", + "rsa.misc.action": [ + "Blocked", + "dqu" + ], + "rsa.misc.category": "ipex", + "rsa.misc.filter": "ine", + "rsa.misc.reference_id": "dantium", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eumiure", + "rsa.network.alias_host": [ + "beataevi7552.api.test" + ], + "rsa.threat.threat_category": "aincidu", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "beataevi7552.api.test", + "service.type": "zscaler", + "source.bytes": 6682, + "source.ip": [ + "10.138.0.214" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", + "user.name": [ + "eavolupt" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "destination.bytes": 6315, + "destination.ip": [ + "10.26.115.88" + ], + "event.action": "Allowed", + "event.code": "edictas", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pre ZSCALERNSS: time=aute Sep 12 10:02:15 
2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238", + "event.timezone": "PST", + "file.type": "nostr", + "fileset.name": "zia", + "host.name": "rvelill1981.www.invalid", + "http.request.referrer": "https://www.example.org/dolor/ing.jpg?umdo=aer#quela", + "input.type": "log", + "log.offset": 60840, + "network.bytes": 1238, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.12.130.224", + "10.26.115.88" + ], + "rsa.db.index": "boreetdo", + "rsa.identity.user_dept": "itatis", + "rsa.internal.data": "pre", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.action": [ + "Allowed", + "rmagnido" + ], + "rsa.misc.category": "luptatem", + "rsa.misc.filter": "deritq", + "rsa.misc.reference_id": "edictas", + "rsa.misc.result": "success", + "rsa.misc.result_code": "hitecto", + "rsa.network.alias_host": [ + "rvelill1981.www.invalid" + ], + 
"rsa.threat.threat_category": "eleumiu", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "rvelill1981.www.invalid", + "service.type": "zscaler", + "source.bytes": 6135, + "source.ip": [ + "10.12.130.224" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice", + "user.name": [ + "Nequepo" + ], + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.bytes": 1508, + "destination.ip": [ + "10.193.152.42" + ], + "event.action": "Blocked", + "event.code": "nost", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile 
Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365", + "event.timezone": "GMT+02:00", + "file.type": "ostrumex", + "fileset.name": "zia", + "host.name": "quia7214.example", + "http.request.referrer": "https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi", + "input.type": "log", + "log.offset": 61785, + "network.bytes": 365, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.91.20.27", + "10.193.152.42" + ], + "rsa.db.index": "iqua", + "rsa.identity.user_dept": "modtempo", + "rsa.internal.data": "usan", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "plicab", + "rsa.misc.action": [ + "umq", + "Blocked" + ], + "rsa.misc.category": "eruntmol", + "rsa.misc.filter": "labore", + "rsa.misc.reference_id": "nost", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "isiutali", + "rsa.network.alias_host": [ + "quia7214.example" + ], + "rsa.threat.threat_category": "uiineav", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "quia7214.example", + "service.type": "zscaler", + "source.bytes": 2801, + "source.ip": [ + "10.91.20.27" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc", + "user.name": [ + "edict" + ], + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "destination.bytes": 7120, + "destination.ip": [ + "10.146.69.38" + ], + "event.action": "Allowed", + "event.code": "Exce", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280", + "event.timezone": "PST", + "file.type": "riameaqu", + "fileset.name": "zia", + "host.name": "aturExc7343.invalid", + "http.request.referrer": "https://example.org/onproid/ciduntut.html?xer=iat#orain", + "input.type": "log", + "log.offset": 62693, + "network.bytes": 5280, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.55.192.102", + "10.146.69.38" + ], + "rsa.db.index": "luptatem", + "rsa.identity.user_dept": "uame", + "rsa.internal.data": "iavol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "omnisi", + "rsa.misc.action": [ + "userro", + "Allowed" + ], + "rsa.misc.category": "etd", + "rsa.misc.filter": "loremeum", + "rsa.misc.reference_id": "Exce", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "tsun", + "rsa.network.alias_host": [ + "aturExc7343.invalid" + ], + "rsa.threat.threat_category": "rsp", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "aturExc7343.invalid", + "service.type": "zscaler", + "source.bytes": 1008, + "source.ip": [ + "10.55.192.102" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq", + "user.name": [ + "quia" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "destination.bytes": 3291, + "destination.ip": [ + "10.249.1.143" + ], + "event.action": "Allowed", + "event.code": "ntutlab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tione ZSCALERNSS: time=nibus Oct 25 7:09:57 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672", + "event.timezone": "GMT-07:00", + "file.type": "temqu", + "fileset.name": "zia", + "host.name": "olo7317.www5.localhost", + "http.request.referrer": "https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt", + "input.type": "log", + "log.offset": 63579, + "network.bytes": 7672, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.124.177.226", + "10.249.1.143" + ], + "rsa.db.index": "liqui", + "rsa.identity.user_dept": "tincul", + "rsa.internal.data": "tione", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Utenim", + "rsa.misc.action": [ + "onevo", + "Allowed" + ], + "rsa.misc.category": "tdolore", + "rsa.misc.filter": "ptasn", + "rsa.misc.reference_id": "ntutlab", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ing", + "rsa.network.alias_host": [ + "olo7317.www5.localhost" + ], + 
"rsa.threat.threat_category": "quaUten", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "olo7317.www5.localhost", + "service.type": "zscaler", + "source.bytes": 3736, + "source.ip": [ + "10.124.177.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", + "user.name": [ + "isciveli" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "destination.bytes": 620, + "destination.ip": [ + "10.167.176.220" + ], + "event.action": "Blocked", + "event.code": "ione", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212", + "event.timezone": "OMST", + "file.type": "eabillo", + "fileset.name": "zia", + "host.name": "uiin1342.mail.invalid", + "http.request.referrer": "https://example.net/bor/magnido.html?emagnaal=nih#ncididu", + "input.type": "log", + "log.offset": 64523, + "network.bytes": 5212, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.146.228.249", + "10.167.176.220" + ], + "rsa.db.index": "quipe", + "rsa.identity.user_dept": "gitsed", + "rsa.internal.data": "modit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ect", + "rsa.misc.action": [ + "maccu", + "Blocked" + ], + "rsa.misc.category": "iaecon", + "rsa.misc.filter": "eni", + "rsa.misc.reference_id": "ione", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "boreet", + "rsa.network.alias_host": [ + "uiin1342.mail.invalid" + ], + "rsa.threat.threat_category": "seru", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "uiin1342.mail.invalid", + "service.type": "zscaler", + "source.bytes": 5298, + "source.ip": [ + "10.146.228.249" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/vel/preh.html?sequamni=edutpers#deo", + "user.name": [ + "estla" + ], + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like 
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "destination.bytes": 4822, + "destination.ip": [ + "10.200.74.101" + ], + "event.action": "Allowed", + "event.code": "ntmo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020", + "event.timezone": "OMST", + "file.type": "uep", + "fileset.name": "zia", + "host.name": "agna5654.www.corp", + "http.request.referrer": "https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex", + "input.type": "log", + "log.offset": 65560, + "network.bytes": 5020, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + 
"observer.vendor": "Zscaler", + "related.ip": [ + "10.203.47.23", + "10.200.74.101" + ], + "rsa.db.index": "nnumquam", + "rsa.identity.user_dept": "sedquia", + "rsa.internal.data": "issu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "nde", + "rsa.misc.action": [ + "iqu", + "Allowed" + ], + "rsa.misc.category": "ametco", + "rsa.misc.filter": "ntincul", + "rsa.misc.reference_id": "ntmo", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "doconse", + "rsa.network.alias_host": [ + "agna5654.www.corp" + ], + "rsa.threat.threat_category": "umdolo", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "agna5654.www.corp", + "service.type": "zscaler", + "source.bytes": 4429, + "source.ip": [ + "10.203.47.23" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim", + "user.name": [ + "litesse" + ], + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "destination.bytes": 4147, + "destination.ip": [ + "10.162.78.48" + ], + "event.action": "Blocked", + "event.code": "tect", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 
2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306", + "event.timezone": "CT", + "file.type": "etco", + "fileset.name": "zia", + "host.name": "ites5711.internal.host", + "http.request.referrer": "https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc", + "input.type": "log", + "log.offset": 66535, + "network.bytes": 1306, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.162.78.48", + "10.24.23.209" + ], + "rsa.db.index": "eabil", + "rsa.identity.user_dept": "iumd", + "rsa.internal.data": "tenima", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ereprehe", + "rsa.misc.action": [ + "tutl", + "Blocked" + ], + "rsa.misc.category": "mip", + "rsa.misc.filter": "umSecti", + "rsa.misc.reference_id": "tect", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ameaquei", + "rsa.network.alias_host": [ + "ites5711.internal.host" + ], + "rsa.threat.threat_category": "nofdeF", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + 
"rsa.time.timezone": "CT", + "rsa.web.fqdn": "ites5711.internal.host", + "service.type": "zscaler", + "source.bytes": 3811, + "source.ip": [ + "10.24.23.209" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", + "user.name": [ + "ntore" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "destination.bytes": 1782, + "destination.ip": [ + "10.55.151.53" + ], + "event.action": "Allowed", + "event.code": "commod", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210", + "event.timezone": "GMT+02:00", + "file.type": "quaturve", + "fileset.name": "zia", + "host.name": "oluptat2848.api.home", + 
"http.request.referrer": "https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC", + "input.type": "log", + "log.offset": 67408, + "network.bytes": 1210, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.55.151.53", + "10.211.66.68" + ], + "rsa.db.index": "uidolore", + "rsa.identity.user_dept": "maveni", + "rsa.internal.data": "ngelit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "diconseq", + "rsa.misc.action": [ + "Allowed", + "umet" + ], + "rsa.misc.category": "ciad", + "rsa.misc.filter": "oeiusmod", + "rsa.misc.reference_id": "commod", + "rsa.misc.result": "success", + "rsa.misc.result_code": "aliqua", + "rsa.network.alias_host": [ + "oluptat2848.api.home" + ], + "rsa.threat.threat_category": "ostr", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "oluptat2848.api.home", + "service.type": "zscaler", + "source.bytes": 5891, + "source.ip": [ + "10.211.66.68" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", + "user.name": [ + "squir" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "destination.bytes": 409, + "destination.ip": [ + "10.110.16.169" + ], + "event.action": "Blocked", + "event.code": "labori", + "event.dataset": "zscaler.zia", + 
"event.module": "zscaler", + "event.original": "dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808", + "event.timezone": "ET", + "file.type": "labore", + "fileset.name": "zia", + "host.name": "ngelitse7535.internal.lan", + "http.request.referrer": "https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo", + "input.type": "log", + "log.offset": 68307, + "network.bytes": 3808, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.209.203.156", + "10.110.16.169" + ], + "rsa.db.index": "mide", + "rsa.identity.user_dept": "roinBCSe", + "rsa.internal.data": "dipisciv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iamquisn", + "rsa.misc.action": [ + "Blocked", + "lupta" + ], + "rsa.misc.category": "uasiarch", + "rsa.misc.filter": "usBonor", + "rsa.misc.reference_id": "labori", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "olu", + "rsa.network.alias_host": [ + 
"ngelitse7535.internal.lan" + ], + "rsa.threat.threat_category": "reprehe", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "ngelitse7535.internal.lan", + "service.type": "zscaler", + "source.bytes": 6650, + "source.ip": [ + "10.209.203.156" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", + "user.name": [ + "mes" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "destination.bytes": 6822, + "destination.ip": [ + "10.84.9.150" + ], + "event.action": "Allowed", + "event.code": "nsecte", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "deser ZSCALERNSS: time=boris Jan 19 1:25:23 2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714", 
+ "event.timezone": "PST", + "file.type": "natuser", + "fileset.name": "zia", + "host.name": "tiumtot3611.internal.localdomain", + "http.request.referrer": "https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol", + "input.type": "log", + "log.offset": 69189, + "network.bytes": 3714, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.107.68.114", + "10.84.9.150" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "ocons", + "rsa.internal.data": "deser", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.action": [ + "uianonnu", + "Allowed" + ], + "rsa.misc.category": "Excepteu", + "rsa.misc.filter": "enimadmi", + "rsa.misc.reference_id": "nsecte", + "rsa.misc.result": "success", + "rsa.misc.result_code": "volupt", + "rsa.network.alias_host": [ + "tiumtot3611.internal.localdomain" + ], + "rsa.threat.threat_category": "orinc", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tiumtot3611.internal.localdomain", + "service.type": "zscaler", + "source.bytes": 5724, + "source.ip": [ + "10.107.68.114" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo", + "user.name": [ + "sequatDu" + ], + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "destination.bytes": 4127, + 
"destination.ip": [ + "10.26.222.144" + ], + "event.action": "Blocked", + "event.code": "sintoc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977", + "event.timezone": "CEST", + "file.type": "ende", + "fileset.name": "zia", + "host.name": "gnaa4656.api.example", + "http.request.referrer": "https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua", + "input.type": "log", + "log.offset": 70095, + "network.bytes": 977, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.124.119.48", + "10.26.222.144" + ], + "rsa.db.index": "doconse", + "rsa.identity.user_dept": "amn", + "rsa.internal.data": "userro", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lloin", + "rsa.misc.action": [ + "Blocked", + "ici" + ], + 
"rsa.misc.category": "quidolor", + "rsa.misc.filter": "nonproi", + "rsa.misc.reference_id": "sintoc", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "aUten", + "rsa.network.alias_host": [ + "gnaa4656.api.example" + ], + "rsa.threat.threat_category": "proiden", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "gnaa4656.api.example", + "service.type": "zscaler", + "source.bytes": 7328, + "source.ip": [ + "10.124.119.48" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese", + "user.name": [ + "nre" + ], + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "destination.bytes": 4382, + "destination.ip": [ + "10.164.190.2" + ], + "event.action": "Allowed", + "event.code": "datatno", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673", + "event.timezone": "GMT+02:00", + "file.type": "emp", + "fileset.name": "zia", + "host.name": "psaqu6066.www5.localhost", + "http.request.referrer": "https://internal.example.net/ali/ionu.txt?cte=ariatu#ess", + "input.type": "log", + "log.offset": 71065, + "network.bytes": 6673, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.164.190.2", + "10.223.11.164" + ], + "rsa.db.index": "asi", + "rsa.identity.user_dept": "risnisiu", + "rsa.internal.data": "mnisis", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.action": [ + "Allowed", + "antium" + ], + "rsa.misc.category": "emoeni", + "rsa.misc.filter": "itvo", + "rsa.misc.reference_id": "datatno", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "mvolup", + "rsa.network.alias_host": [ + "psaqu6066.www5.localhost" + ], + "rsa.threat.threat_category": "labo", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "psaqu6066.www5.localhost", + "service.type": "zscaler", + "source.bytes": 5241, + "source.ip": [ + "10.223.11.164" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", + "user.name": [ + "ten" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "destination.bytes": 1460, + "destination.ip": [ + "10.14.37.8" + ], + "event.action": "Blocked", + "event.code": "olor", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667", + "event.timezone": "OMST", + "file.type": "citat", + "fileset.name": "zia", + "host.name": "iavol5202.api.example", + "http.request.referrer": "https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq", + "input.type": "log", + "log.offset": 71963, + "network.bytes": 6667, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.14.37.8", + "10.121.181.243" + ], + "rsa.db.index": "samnisiu", + "rsa.identity.user_dept": "errorsi", + "rsa.internal.data": "nsec", + "rsa.internal.messageid": 
"ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vitaedic", + "rsa.misc.action": [ + "Blocked", + "rinc" + ], + "rsa.misc.category": "prehende", + "rsa.misc.filter": "rume", + "rsa.misc.reference_id": "olor", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "dquia", + "rsa.network.alias_host": [ + "iavol5202.api.example" + ], + "rsa.threat.threat_category": "rsita", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "iavol5202.api.example", + "service.type": "zscaler", + "source.bytes": 7719, + "source.ip": [ + "10.121.181.243" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis", + "user.name": [ + "umwr" + ], + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.bytes": 3488, + "destination.ip": [ + "10.90.20.202" + ], + "event.action": "Blocked", + "event.code": "ostrude", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076", + "event.timezone": "ET", + "file.type": "nse", + "fileset.name": "zia", + "host.name": "uame1361.api.local", + "http.request.referrer": "https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor", + "input.type": "log", + "log.offset": 72910, + "network.bytes": 3076, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.10.93.133", + "10.90.20.202" + ], + "rsa.db.index": "abillo", + "rsa.identity.user_dept": "quipe", + "rsa.internal.data": "ptate", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tat", + "rsa.misc.action": [ + "Blocked", + "nia" + ], + "rsa.misc.category": "turQuis", + "rsa.misc.filter": "nonp", + "rsa.misc.reference_id": "ostrude", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eseosqu", + "rsa.network.alias_host": [ + "uame1361.api.local" + ], + "rsa.threat.threat_category": "henderi", + 
"rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "uame1361.api.local", + "service.type": "zscaler", + "source.bytes": 7548, + "source.ip": [ + "10.10.93.133" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu", + "user.name": [ + "evita" + ], + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "destination.bytes": 4610, + "destination.ip": [ + "10.34.98.144" + ], + "event.action": "Allowed", + "event.code": "pariatu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 
Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789", + "event.timezone": "ET", + "file.type": "ese", + "fileset.name": "zia", + "host.name": "rsitame4049.internal.corp", + "http.request.referrer": "https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup", + "input.type": "log", + "log.offset": 73843, + "network.bytes": 1789, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.77.102.206", + "10.34.98.144" + ], + "rsa.db.index": "oreve", + "rsa.identity.user_dept": "inBCSed", + "rsa.internal.data": "laud", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Exce", + "rsa.misc.action": [ + "ulapa", + "Allowed" + ], + "rsa.misc.category": "reprehen", + "rsa.misc.filter": "itsedqui", + "rsa.misc.reference_id": "pariatu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ident", + "rsa.network.alias_host": [ + "rsitame4049.internal.corp" + ], + "rsa.threat.threat_category": "tinvolu", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "rsitame4049.internal.corp", + "service.type": "zscaler", + "source.bytes": 4143, + "source.ip": [ + "10.77.102.206" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", + "user.name": [ + "tectobe" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 
Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 3976, + "destination.ip": [ + "10.176.233.249" + ], + "event.action": "Blocked", + "event.code": "ntin", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "lit ZSCALERNSS: time=uiine Apr 15 7:40:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409", + "event.timezone": "ET", + "file.type": "ueporro", + "fileset.name": "zia", + "host.name": "elit912.www5.test", + "http.request.referrer": "https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper", + "input.type": "log", + "log.offset": 74765, + "network.bytes": 3409, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.75.144.118", + "10.176.233.249" + ], + "rsa.db.index": "atn", + "rsa.identity.user_dept": "aconseq", + "rsa.internal.data": "lit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", 
+ "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "essequa", + "rsa.misc.action": [ + "Blocked", + "odic" + ], + "rsa.misc.category": "cto", + "rsa.misc.filter": "odite", + "rsa.misc.reference_id": "ntin", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "equuntu", + "rsa.network.alias_host": [ + "elit912.www5.test" + ], + "rsa.threat.threat_category": "itlabori", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "elit912.www5.test", + "service.type": "zscaler", + "source.bytes": 3588, + "source.ip": [ + "10.75.144.118" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/olu/mqua.txt?mdolore=ita#aeratvol", + "user.name": [ + "isnos" + ], + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "destination.bytes": 559, + "destination.ip": [ + "10.149.6.107" + ], + "event.action": "Allowed", + "event.code": "mveleu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; 
Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318", + "event.timezone": "GMT-07:00", + "file.type": "uam", + "fileset.name": "zia", + "host.name": "tat6671.www.local", + "http.request.referrer": "https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem", + "input.type": "log", + "log.offset": 75639, + "network.bytes": 4318, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.236.55.236", + "10.149.6.107" + ], + "rsa.db.index": "chite", + "rsa.identity.user_dept": "eseosqu", + "rsa.internal.data": "rcit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uis", + "rsa.misc.action": [ + "Allowed", + "mvele" + ], + "rsa.misc.category": "vitaedi", + "rsa.misc.filter": "ndeomni", + "rsa.misc.reference_id": "mveleu", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "lumdolor", + "rsa.network.alias_host": [ + "tat6671.www.local" + ], + "rsa.threat.threat_category": "uunturm", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tat6671.www.local", + "service.type": "zscaler", + "source.bytes": 4686, + "source.ip": [ + "10.236.55.236" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", + "user.name": [ + "redolo" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "destination.bytes": 982, + "destination.ip": [ + "10.97.202.149" + ], + "event.action": "Blocked", + "event.code": "itte", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "erita ZSCALERNSS: time=eursint May 13 9:45:57 2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330", + "event.timezone": "CET", + "file.type": "gel", + "fileset.name": "zia", + "host.name": "uis5050.www.local", + "http.request.referrer": "https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu", + "input.type": "log", + "log.offset": 76532, + "network.bytes": 7330, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.97.202.149", + "10.13.125.101" + ], + "rsa.db.index": "meumfug", + "rsa.identity.user_dept": "velitess", + "rsa.internal.data": "erita", + "rsa.internal.messageid": 
"ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "atcupi", + "rsa.misc.action": [ + "uaUten", + "Blocked" + ], + "rsa.misc.category": "modt", + "rsa.misc.filter": "magnidol", + "rsa.misc.reference_id": "itte", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uptat", + "rsa.network.alias_host": [ + "uis5050.www.local" + ], + "rsa.threat.threat_category": "tla", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "uis5050.www.local", + "service.type": "zscaler", + "source.bytes": 7772, + "source.ip": [ + "10.13.125.101" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque", + "user.name": [ + "colab" + ], + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.bytes": 1324, + "destination.ip": [ + "10.141.66.163" + ], + "event.action": "Blocked", + "event.code": "iduntut", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "poriss ZSCALERNSS: time=enatus May 28 4:48:31 
2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218", + "event.timezone": "GMT+02:00", + "file.type": "sequ", + "fileset.name": "zia", + "host.name": "ficiad1312.api.host", + "http.request.referrer": "https://example.net/minimav/uovo.html?orinrep=tNequ#eca", + "input.type": "log", + "log.offset": 77451, + "network.bytes": 2218, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.141.66.163", + "10.230.61.102" + ], + "rsa.db.index": "squirati", + "rsa.identity.user_dept": "serr", + "rsa.internal.data": "poriss", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "itautf", + "rsa.misc.action": [ + "Blocked", + "mini" + ], + "rsa.misc.category": "gna", + "rsa.misc.filter": "usmo", + "rsa.misc.reference_id": "iduntut", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "iamqu", + "rsa.network.alias_host": [ + "ficiad1312.api.host" + ], + "rsa.threat.threat_category": "uovolup", + "rsa.time.event_time": 
"2019-05-28T06:48:31.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "ficiad1312.api.host", + "service.type": "zscaler", + "source.bytes": 3181, + "source.ip": [ + "10.230.61.102" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido", + "user.name": [ + "umdolo" + ], + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "destination.bytes": 6666, + "destination.ip": [ + "10.10.25.145" + ], + "event.action": "Blocked", + "event.code": "nrepre", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838", + "event.timezone": "OMST", + "file.type": "nibusB", + "fileset.name": "zia", + "host.name": 
"itaspe921.mail.invalid", + "http.request.referrer": "https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta", + "input.type": "log", + "log.offset": 78335, + "network.bytes": 3838, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.224.249.228", + "10.10.25.145" + ], + "rsa.db.index": "aliqui", + "rsa.identity.user_dept": "ugiatq", + "rsa.internal.data": "uisaut", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "issuscip", + "rsa.misc.action": [ + "Blocked", + "remap" + ], + "rsa.misc.category": "eetdolo", + "rsa.misc.filter": "rsitam", + "rsa.misc.reference_id": "nrepre", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "dqui", + "rsa.network.alias_host": [ + "itaspe921.mail.invalid" + ], + "rsa.threat.threat_category": "nde", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "itaspe921.mail.invalid", + "service.type": "zscaler", + "source.bytes": 1954, + "source.ip": [ + "10.224.249.228" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", + "user.name": [ + "mnisiuta" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "destination.bytes": 3750, + "destination.ip": [ + "10.234.34.40" + ], + "event.action": "Blocked", + "event.code": "dolori", + "event.dataset": 
"zscaler.zia", + "event.module": "zscaler", + "event.original": "eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304", + "event.timezone": "PT", + "file.type": "olab", + "fileset.name": "zia", + "host.name": "archite4407.mail.invalid", + "http.request.referrer": "https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu", + "input.type": "log", + "log.offset": 79223, + "network.bytes": 2304, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.247.255.107", + "10.234.34.40" + ], + "rsa.db.index": "ctobeat", + "rsa.identity.user_dept": "elitsed", + "rsa.internal.data": "eiusm", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "neavolu", + "rsa.misc.action": [ + "Blocked", + "nofdeF" + ], + "rsa.misc.category": "remagnam", + "rsa.misc.filter": "maveniam", + "rsa.misc.reference_id": "dolori", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ent", + 
"rsa.network.alias_host": [ + "archite4407.mail.invalid" + ], + "rsa.threat.threat_category": "idid", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "archite4407.mail.invalid", + "service.type": "zscaler", + "source.bytes": 245, + "source.ip": [ + "10.247.255.107" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", + "user.name": [ + "aeabillo" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "destination.bytes": 412, + "destination.ip": [ + "10.124.81.20" + ], + "event.action": "Blocked", + "event.code": "piciatis", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077", + "event.timezone": "OMST", + "file.type": "tmollit", + "fileset.name": "zia", + "host.name": "aria1424.mail.home", + "http.request.referrer": "https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit", + "input.type": "log", + "log.offset": 80114, + "network.bytes": 2077, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.124.81.20", + "10.250.102.42" + ], + "rsa.db.index": "uatD", + "rsa.identity.user_dept": "tenby", + "rsa.internal.data": "tectobe", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ilmoles", + "rsa.misc.action": [ + "Blocked", + "tatisetq" + ], + "rsa.misc.category": "ametco", + "rsa.misc.filter": "liquide", + "rsa.misc.reference_id": "piciatis", + "rsa.misc.result": "success", + "rsa.misc.result_code": "icia", + "rsa.network.alias_host": [ + "aria1424.mail.home" + ], + "rsa.threat.threat_category": "texpl", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "aria1424.mail.home", + "service.type": "zscaler", + "source.bytes": 2753, + "source.ip": [ + "10.250.102.42" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac", + "user.name": [ + "tNequ" + ], + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.bytes": 5294, + "destination.ip": [ + "10.166.205.159" + ], + "event.action": "Allowed", + "event.code": "siutal", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089", + "event.timezone": "OMST", + "file.type": "cte", + "fileset.name": "zia", + "host.name": "Bonoru7444.www5.example", + "http.request.referrer": "https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim", + "input.type": "log", + "log.offset": 81010, + "network.bytes": 7089, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.154.188.132", + "10.166.205.159" + ], + "rsa.db.index": "borisn", + "rsa.identity.user_dept": "uisa", + "rsa.internal.data": "riatur", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "proid", + "rsa.misc.action": [ + "onevolu", + "Allowed" + ], + "rsa.misc.category": "iratio", + "rsa.misc.filter": "odita", + "rsa.misc.reference_id": "siutal", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "involu", + "rsa.network.alias_host": [ + "Bonoru7444.www5.example" + ], + "rsa.threat.threat_category": "atnu", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "Bonoru7444.www5.example", + "service.type": "zscaler", + "source.bytes": 4181, + "source.ip": [ + "10.154.188.132" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/tem/litsedq.htm?ium=utfugit#beat", + "user.name": [ + "uptat" + ], + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "destination.bytes": 274, + "destination.ip": [ + "10.46.71.46" + ], + "event.action": "Allowed", + "event.code": "ugiat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; 
https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843", + "event.timezone": "CEST", + "file.type": "atis", + "fileset.name": "zia", + "host.name": "icero1297.internal.domain", + "http.request.referrer": "https://api.example.com/uin/isci.htm?nsectetu=spici#untutl", + "input.type": "log", + "log.offset": 81941, + "network.bytes": 7843, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.46.71.46", + "10.138.193.38" + ], + "rsa.db.index": "mSectio", + "rsa.identity.user_dept": "tate", + "rsa.internal.data": "liquid", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "upta", + "rsa.misc.action": [ + "Allowed", + "uovolup" + ], + "rsa.misc.category": "todit", + "rsa.misc.filter": "atisetq", + "rsa.misc.reference_id": "ugiat", + "rsa.misc.result": "success", + "rsa.misc.result_code": "uiav", + "rsa.network.alias_host": [ + "icero1297.internal.domain" + ], + "rsa.threat.threat_category": "ulpaq", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "icero1297.internal.domain", + "service.type": "zscaler", + "source.bytes": 745, + "source.ip": [ + "10.138.193.38" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn", + "user.name": [ + "sintocca" + ], + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; 
https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "destination.bytes": 2804, + "destination.ip": [ + "10.254.119.31" + ], + "event.action": "Blocked", + "event.code": "uunturma", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508", + "event.timezone": "CT", + "file.type": "pitlab", + "fileset.name": "zia", + "host.name": "oloremeu5047.www5.invalid", + "http.request.referrer": "https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der", + "input.type": "log", + "log.offset": 82861, + "network.bytes": 1508, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.172.159.251", + "10.254.119.31" + ], + "rsa.db.index": "tor", + "rsa.identity.user_dept": "tconsect", + "rsa.internal.data": "ons", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "imadmi", + "rsa.misc.action": [ + "Blocked", + "tatemacc" + ], + "rsa.misc.category": "tutlabor", + "rsa.misc.filter": "eturad", + "rsa.misc.reference_id": "uunturma", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "saut", + "rsa.network.alias_host": [ + "oloremeu5047.www5.invalid" + ], + "rsa.threat.threat_category": "quamnihi", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "oloremeu5047.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2324, + "source.ip": [ + "10.172.159.251" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum", + "user.name": [ + "usm" + ], + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.bytes": 4957, + "destination.ip": [ + "10.195.62.230" + ], + "event.action": "Allowed", + "event.code": "sequat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "osam ZSCALERNSS: time=ncid Sep 5 6:06:31 
2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182", + "event.timezone": "PT", + "file.type": "oremeu", + "fileset.name": "zia", + "host.name": "edutpe1255.internal.lan", + "http.request.referrer": "https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia", + "input.type": "log", + "log.offset": 83817, + "network.bytes": 1182, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.98.126.206", + "10.195.62.230" + ], + "rsa.db.index": "amqua", + "rsa.identity.user_dept": "atatnonp", + "rsa.internal.data": "osam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "isnost", + "rsa.misc.action": [ + "Allowed", + "oriosa" + ], + "rsa.misc.category": "uis", + "rsa.misc.filter": "nemul", + "rsa.misc.reference_id": "sequat", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "totamrem", + 
"rsa.network.alias_host": [ + "edutpe1255.internal.lan" + ], + "rsa.threat.threat_category": "citation", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "edutpe1255.internal.lan", + "service.type": "zscaler", + "source.bytes": 7244, + "source.ip": [ + "10.98.126.206" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr", + "user.name": [ + "ptassit" + ], + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "destination.bytes": 6658, + "destination.ip": [ + "10.144.93.186" + ], + "event.action": "Blocked", + "event.code": "adminim", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "idolo ZSCALERNSS: time=citat Sep 19 1:09:05 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 
Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480", + "event.timezone": "PT", + "file.type": "texplica", + "fileset.name": "zia", + "host.name": "nderit1171.www5.domain", + "http.request.referrer": "https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco", + "input.type": "log", + "log.offset": 84805, + "network.bytes": 6480, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.144.93.186", + "10.84.140.5" + ], + "rsa.db.index": "evolu", + "rsa.identity.user_dept": "mull", + "rsa.internal.data": "idolo", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntut", + "rsa.misc.action": [ + "nima", + "Blocked" + ], + "rsa.misc.category": "boru", + "rsa.misc.filter": "umquia", + "rsa.misc.reference_id": "adminim", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "mUten", + "rsa.network.alias_host": [ + "nderit1171.www5.domain" + ], + "rsa.threat.threat_category": "acomm", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "nderit1171.www5.domain", + "service.type": "zscaler", + "source.bytes": 4943, + "source.ip": [ + "10.84.140.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", + "user.name": [ + "eroi" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + 
"user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "destination.bytes": 6855, + "destination.ip": [ + "10.31.58.6" + ], + "event.action": "Allowed", + "event.code": "volu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856", + "event.timezone": "ET", + "file.type": "olu", + "fileset.name": "zia", + "host.name": "nos4114.api.lan", + "http.request.referrer": "https://mail.example.com/dminim/sse.gif?equ=turvelil#lor", + "input.type": "log", + "log.offset": 85726, + "network.bytes": 5856, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.198.84.190", + "10.31.58.6" + ], + "rsa.db.index": "sec", + "rsa.identity.user_dept": "ern", + "rsa.internal.data": "uianon", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tquovo", + "rsa.misc.action": [ + "qua", + "Allowed" + ], + "rsa.misc.category": "ectet", + "rsa.misc.filter": "lites", + "rsa.misc.reference_id": "volu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "xeacomm", + "rsa.network.alias_host": [ + "nos4114.api.lan" + ], + "rsa.threat.threat_category": "lapa", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "nos4114.api.lan", + "service.type": "zscaler", + "source.bytes": 6831, + "source.ip": [ + "10.198.84.190" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame", + "user.name": [ + "unt" + ], + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.bytes": 3128, + "destination.ip": [ + "10.139.90.218" + ], + "event.action": "Allowed", + "event.code": "umdol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ept ZSCALERNSS: time=nem Oct 18 3:14:14 
2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119", + "event.timezone": "ET", + "file.type": "ione", + "fileset.name": "zia", + "host.name": "oremeum4231.internal.host", + "http.request.referrer": "https://mail.example.com/veri/run.txt?enimadm=empo#apa", + "input.type": "log", + "log.offset": 86632, + "network.bytes": 6119, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.131.81.172", + "10.139.90.218" + ], + "rsa.db.index": "tionu", + "rsa.identity.user_dept": "icons", + "rsa.internal.data": "ept", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rrorsi", + "rsa.misc.action": [ + "Allowed", + "exe" + ], + "rsa.misc.category": "mnihi", + "rsa.misc.filter": "consequa", + "rsa.misc.reference_id": "umdol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "dol", + "rsa.network.alias_host": [ + "oremeum4231.internal.host" + ], + "rsa.threat.threat_category": "voluptat", + "rsa.time.event_time": 
"2019-10-18T05:14:14.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "oremeum4231.internal.host", + "service.type": "zscaler", + "source.bytes": 6188, + "source.ip": [ + "10.131.81.172" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin", + "user.name": [ + "hende" + ], + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.bytes": 114, + "destination.ip": [ + "10.128.43.71" + ], + "event.action": "Blocked", + "event.code": "ssequa", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "utodit ZSCALERNSS: time=cer Nov 1 10:16:48 2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150", + "event.timezone": "PST", + "file.type": "tionu", + "fileset.name": "zia", + "host.name": 
"ueip6097.api.host", + "http.request.referrer": "https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate", + "input.type": "log", + "log.offset": 87518, + "network.bytes": 1150, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.152.217.174", + "10.128.43.71" + ], + "rsa.db.index": "nderit", + "rsa.identity.user_dept": "nderitin", + "rsa.internal.data": "utodit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "olupt", + "rsa.misc.action": [ + "temvele", + "Blocked" + ], + "rsa.misc.category": "natuser", + "rsa.misc.filter": "amnihil", + "rsa.misc.reference_id": "ssequa", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "urm", + "rsa.network.alias_host": [ + "ueip6097.api.host" + ], + "rsa.threat.threat_category": "eetd", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "ueip6097.api.host", + "service.type": "zscaler", + "source.bytes": 7350, + "source.ip": [ + "10.152.217.174" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", + "user.name": [ + "mquiado" + ], + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "destination.bytes": 1046, + "destination.ip": [ + "10.26.149.221" + ], + "event.action": "Blocked", + "event.code": "umquidol", + "event.dataset": "zscaler.zia", + 
"event.module": "zscaler", + "event.original": "pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387", + "event.timezone": "PT", + "file.type": "dut", + "fileset.name": "zia", + "host.name": "fugiatqu7793.www.localdomain", + "http.request.referrer": "https://api.example.com/lit/laborio.gif?mfug=acommod#mid", + "input.type": "log", + "log.offset": 88400, + "network.bytes": 387, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.217.193.148", + "10.26.149.221" + ], + "rsa.db.index": "tiumdol", + "rsa.identity.user_dept": "oloremag", + "rsa.internal.data": "pici", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tionemu", + "rsa.misc.action": [ + "Blocked", + "rehe" + ], + "rsa.misc.category": "aecons", + "rsa.misc.filter": "aturve", + "rsa.misc.reference_id": "umquidol", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ipex", + 
"rsa.network.alias_host": [ + "fugiatqu7793.www.localdomain" + ], + "rsa.threat.threat_category": "quipexea", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "fugiatqu7793.www.localdomain", + "service.type": "zscaler", + "source.bytes": 3382, + "source.ip": [ + "10.217.193.148" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci", + "user.name": [ + "uisa" + ], + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "destination.bytes": 4053, + "destination.ip": [ + "10.109.192.53" + ], + "event.action": "Blocked", + "event.code": "rehen", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 
YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487", + "event.timezone": "CET", + "file.type": "oluptat", + "fileset.name": "zia", + "host.name": "onsequ3168.www.corp", + "http.request.referrer": "https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo", + "input.type": "log", + "log.offset": 89317, + "network.bytes": 1487, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.109.192.53", + "10.172.17.6" + ], + "rsa.db.index": "tcupi", + "rsa.identity.user_dept": "boriosa", + "rsa.internal.data": "agnamali", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "temUte", + "rsa.misc.action": [ + "Blocked", + "tassit" + ], + "rsa.misc.category": "ita", + "rsa.misc.filter": "scive", + "rsa.misc.reference_id": "rehen", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "suntin", + "rsa.network.alias_host": [ + "onsequ3168.www.corp" + ], + "rsa.threat.threat_category": "ostru", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "onsequ3168.www.corp", + "service.type": "zscaler", + "source.bytes": 212, + "source.ip": [ + "10.172.17.6" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe", + "user.name": [ + "eprehen" + ], + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 
YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.bytes": 391, + "destination.ip": [ + "10.119.106.108" + ], + "event.action": "Blocked", + "event.code": "iatisund", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745", + "event.timezone": "PT", + "file.type": "Lor", + "fileset.name": "zia", + "host.name": "oremquel3120.internal.localhost", + "http.request.referrer": "https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut", + "input.type": "log", + "log.offset": 90257, + "network.bytes": 7745, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.119.106.108", + "10.135.38.213" + ], + "rsa.db.index": "xplic", + "rsa.identity.user_dept": "ser", + "rsa.internal.data": "onevol", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "exeacomm", + "rsa.misc.action": [ + "volup", + "Blocked" + ], + "rsa.misc.category": "ten", + "rsa.misc.filter": "ssecil", + "rsa.misc.reference_id": "iatisund", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ull", + "rsa.network.alias_host": [ + "oremquel3120.internal.localhost" + ], + "rsa.threat.threat_category": "oquisq", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "oremquel3120.internal.localhost", + "service.type": "zscaler", + "source.bytes": 1902, + "source.ip": [ + "10.135.38.213" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", + "user.name": [ + "ore" + ], + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log b/x-pack/filebeat/module/zscaler/zia/test/test.log new file mode 100644 index 00000000000..f1502e48309 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log 
@@ -0,0 +1 @@
+hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
new file mode 100644
index 00000000000..78cf4898f9f
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2017-06-23T17:16:42.000Z", + "event.action": "", + "event.code": "", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=", + "event.timezone": "CEST", + "file.type": "", + "fileset.name": "zia", + "host.name": "", + "http.request.referrer": "", + "input.type": "log", + "log.offset": 0, + "network.protocol": "", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "rsa.db.index": "", + "rsa.identity.user_dept": "", + "rsa.internal.data": "hello", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "", + "rsa.misc.action": [ + "", + "" + ], + "rsa.misc.category": "", + "rsa.misc.filter": "", + "rsa.misc.reference_id": "", + "rsa.misc.result": "", + "rsa.misc.result_code": "", + "rsa.network.alias_host": [ + "" + ], + "rsa.threat.threat_category": "", + "rsa.time.event_time": "2017-06-23T17:16:42.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "", + "service.type": "zscaler", + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "", + "user.name": [ + "" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled new file mode 100644 index 00000000000..a10208c0533 
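Review bot: The expected output pins `"@timestamp": "2017-06-23T17:16:42.000Z"` for a record whose own fields say `time=WOOT Jun 23 15:16:42 2017` and `timezone=CEST`; CEST is UTC+2, so the UTC instant should be 13:16:42Z, and the same constant +2h shift shows up for the `ET`, `PST` and `CET` records in the zscaler generated.log-expected.json hunk above (e.g. `Oct 3 8:11:40 2019 ET` → `2019-10-03T10:11:40.000Z`). That pattern suggests the parsed `event.timezone` is not used for the conversion and a fixed offset, possibly the test harness's configured tz_offset, is applied instead; worth confirming before this file becomes the regression oracle for the fileset. Separately, every unparsed field is emitted as an empty string (`"host.name": ""`, `"url.original": ""`, `"user.name": [""]`, `"rsa.misc.action": ["", ""]`), which downstream ECS consumers would more likely expect to be absent than empty; if emitting empty values is the intended contract, a comment in the pipeline config stating so would save the next reader the same question.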
--- /dev/null +++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled @@ -0,0 +1,22 @@ +# Module: barracuda +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-barracuda.html + +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled new file mode 100644 index 00000000000..df71bb8ab04 --- /dev/null +++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled @@ -0,0 +1,22 @@ +# Module: bluecoat +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-bluecoat.html + +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 2b2ea2461cc..4f398958101 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled 
@@ -54,3 +54,22 @@ # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/citrix.yml.disabled b/x-pack/filebeat/modules.d/citrix.yml.disabled new file mode 100644 index 00000000000..9356b52952c --- /dev/null +++ b/x-pack/filebeat/modules.d/citrix.yml.disabled @@ -0,0 +1,22 @@ +# Module: citrix +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-citrix.html + +- module: citrix + virtualapps: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9507 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled new file mode 100644 index 00000000000..8f16f29ca5b --- /dev/null +++ b/x-pack/filebeat/modules.d/cylance.yml.disabled 
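Review bot: The new `nexus` block uses `# var.input: udp` (hash, space, key) while the surrounding cisco.yml.disabled context lines use `#var.paths:` with no space, so the file now mixes two commented-key styles; the same mismatch is in the fortinet.yml.disabled hunk below (`#var.syslog_port: 9004` next to `# var.syslog_port: 9510`). Whichever form is chosen, a user uncommenting a key should face the same rule for both filesets, so `#var.input: udp`, `#var.syslog_host: localhost` and `#var.syslog_port: 9506` would match the existing file. The existing fileset also explains each variable ("The port to listen for syslog traffic. Defaults to 9004."), whereas the new block's `# Set which input to use between udp (default), tcp or file.` leaves `var.syslog_host` undocumented; a line such as `# Address and port the syslog listener binds to; the localhost default keeps it off external interfaces.` would make that security-relevant default explicit.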
@@ -0,0 +1,22 @@ +# Module: cylance +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cylance.html + +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled new file mode 100644 index 00000000000..633a0c5636a --- /dev/null +++ b/x-pack/filebeat/modules.d/f5.yml.disabled @@ -0,0 +1,41 @@ +# Module: f5 +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-f5.html + +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + firepass: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9509 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index b892d7dd855..a1197485d81 100644 
--- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -14,3 +14,22 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled new file mode 100644 index 00000000000..f5e69959cf9 --- /dev/null +++ b/x-pack/filebeat/modules.d/imperva.yml.disabled @@ -0,0 +1,22 @@ +# Module: imperva +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-imperva.html + +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled new file mode 100644 index 00000000000..ec5385c6df7 --- /dev/null +++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: infoblox +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-infoblox.html + +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled new file mode 100644 index 00000000000..3118b60ac28 --- /dev/null +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -0,0 +1,22 @@ +# Module: juniper +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-juniper.html + +- module: juniper + junos: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9513 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/kaspersky.yml.disabled b/x-pack/filebeat/modules.d/kaspersky.yml.disabled new file mode 100644 index 00000000000..5a0db0982e9 --- /dev/null +++ b/x-pack/filebeat/modules.d/kaspersky.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: kaspersky +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-kaspersky.html + +- module: kaspersky + av: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9514 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled new file mode 100644 index 00000000000..9ea082817cf --- /dev/null +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -0,0 +1,22 @@ +# Module: microsoft +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-microsoft.html + +- module: microsoft + dhcp: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9515 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled new file mode 100644 index 00000000000..988f1b98899 --- /dev/null +++ b/x-pack/filebeat/modules.d/netscout.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: netscout +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-netscout.html + +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled new file mode 100644 index 00000000000..ad17e4fcd7d --- /dev/null +++ b/x-pack/filebeat/modules.d/radware.yml.disabled @@ -0,0 +1,22 @@ +# Module: radware +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-radware.html + +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/rapid7.yml.disabled b/x-pack/filebeat/modules.d/rapid7.yml.disabled new file mode 100644 index 00000000000..8d24b0bce82 --- /dev/null +++ b/x-pack/filebeat/modules.d/rapid7.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: rapid7 +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-rapid7.html + +- module: rapid7 + nexpose: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9517 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled new file mode 100644 index 00000000000..975b4577c13 --- /dev/null +++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled @@ -0,0 +1,22 @@ +# Module: sonicwall +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sonicwall.html + +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled new file mode 100644 index 00000000000..3656c1b8eed --- /dev/null +++ b/x-pack/filebeat/modules.d/squid.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: squid +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-squid.html + +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/tenable.yml.disabled b/x-pack/filebeat/modules.d/tenable.yml.disabled new file mode 100644 index 00000000000..57ef8ee2536 --- /dev/null +++ b/x-pack/filebeat/modules.d/tenable.yml.disabled @@ -0,0 +1,22 @@ +# Module: tenable +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-tenable.html + +- module: tenable + nessus_security: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9516 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled new file mode 100644 index 00000000000..f0b415606b2 --- /dev/null +++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled 
@@ -0,0 +1,22 @@
+# Module: tomcat
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-tomcat.html
+
+- module: tomcat
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9501
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled
new file mode 100644
index 00000000000..2c8f03ebcc3
--- /dev/null
+++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled
@@ -0,0 +1,22 @@
+# Module: zscaler
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-zscaler.html
+
+- module: zscaler
+ zia:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9521
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
From 30f929bcc419f109467d5a45324b33c6669412c4 Mon Sep 17 00:00:00 2001
From: Adrian Serrano Date: Wed, 8 Jul 2020 15:50:31 +0200 Subject: [PATCH 07/19] Fix fortnet/clientendpoint parsing. --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../module/barracuda/waf/config/pipeline.js | 172 +- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../bluecoat/director/config/pipeline.js | 36 +- .../module/cisco/nexus/config/pipeline.js | 396 +- x-pack/filebeat/module/citrix/README.md | 2 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../module/cylance/protect/config/pipeline.js | 236 +- .../protect/test/generated.log-expected.json | 30 +- x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/pipeline.js | 68 +- .../module/f5/firepass/config/pipeline.js | 48 +- .../firepass/test/generated.log-expected.json | 6 +- .../clientendpoint/config/pipeline.js | 38 +- .../clientendpoint/test/generated.log | 200 +- .../test/generated.log-expected.json | 4700 ++++++++++++++--- x-pack/filebeat/module/imperva/README.md | 2 +- .../test/generated.log-expected.json | 436 +- x-pack/filebeat/module/infoblox/README.md | 2 +- .../module/infoblox/nios/config/pipeline.js | 232 +- .../nios/test/generated.log-expected.json | 2 +- x-pack/filebeat/module/juniper/README.md | 2 +- .../module/juniper/junos/config/pipeline.js | 550 +- x-pack/filebeat/module/kaspersky/README.md | 2 +- .../module/kaspersky/av/config/pipeline.js | 10 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../module/microsoft/dhcp/config/pipeline.js | 76 +- x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/config/pipeline.js | 106 +- .../test/generated.log-expected.json | 20 +- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/config/pipeline.js | 76 +- x-pack/filebeat/module/rapid7/README.md | 2 +- .../module/rapid7/nexpose/config/pipeline.js | 254 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/pipeline.js | 1320 ++--- .../firewall/test/generated.log-expected.json | 44 +- 
x-pack/filebeat/module/squid/README.md | 2 +- .../module/squid/log/config/pipeline.js | 18 +- .../squid/log/test/access1.log-expected.json | 284 +- .../squid/log/test/access2.log-expected.json | 204 +- .../squid/log/test/access3.log-expected.json | 304 +- .../squid/log/test/access4.log-expected.json | 384 +- x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/pipeline.js | 28 +- x-pack/filebeat/module/tomcat/README.md | 2 +- .../module/tomcat/log/config/pipeline.js | 2 +- x-pack/filebeat/module/zscaler/README.md | 2 +- .../module/zscaler/zia/config/pipeline.js | 2 +- .../zia/test/generated.log-expected.json | 380 +- .../zscaler/zia/test/test.log-expected.json | 4 +- 51 files changed, 7005 insertions(+), 3697 deletions(-) diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md index 1abdf86578e..0d6e0ec9079 100644 --- a/x-pack/filebeat/module/barracuda/README.md +++ b/x-pack/filebeat/module/barracuda/README.md @@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 -at 2020-07-07 18:10:41.17065 +0000 UTC. +at 2020-07-08 13:58:31.276421 +0000 UTC. diff --git a/x-pack/filebeat/module/barracuda/waf/config/pipeline.js b/x-pack/filebeat/module/barracuda/waf/config/pipeline.js index 1e1aa23e584..2610bacf6d0 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/pipeline.js +++ b/x-pack/filebeat/module/barracuda/waf/config/pipeline.js 
@@ -71,9 +71,9 @@ var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{r var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); -var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}- %{stransaddr->} %{stransport->} %{web_referer}"); +var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); -var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); +var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); var dup17 = setc("eventcategory","1204000000"); @@ -92,7 +92,7 @@ var dup23 = linear_select([ dup14, ]); -var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ +var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ dup17, dup8, ])); 
@@ -139,7 +139,7 @@ var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{payload}", processo }), ])); -var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone}Unit=%{messageid->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ setc("header_id","0005"), ])); @@ -153,7 +153,7 @@ var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h dup1, ])); -var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3}TR %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ setc("header_id","0009"), dup2, call({ @@ -167,7 +167,7 @@ var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h field("hfld2"), constant(" "), field("hfld3"), - constant("TR "), + constant(" TR "), field("hfld5"), constant(" "), field("hfld6"), @@ -179,7 +179,7 @@ var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h }), ])); -var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3}AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ setc("header_id","0007"), dup2, call({ @@ -193,7 +193,7 @@ var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h field("hfld2"), constant(" "), field("hfld3"), - constant("AUDIT "), + constant(" AUDIT "), field("hfld5"), constant(" "), field("hfld6"), 
@@ -205,7 +205,7 @@ var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h }), ])); -var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3}WF %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ +var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ setc("header_id","0008"), dup2, call({ @@ -219,7 +219,7 @@ var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h field("hfld2"), constant(" "), field("hfld3"), - constant("WF "), + constant(" WF "), field("hfld5"), constant(" "), field("hfld6"), @@ -231,7 +231,7 @@ var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h }), ])); -var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime}BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{payload}", processor_chain([ +var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{payload}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", 
@@ -283,112 +283,112 @@ var select1 = linear_select([ hdr9, ]); -var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version}is available", processor_chain([ +var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ setc("eventcategory","1502030000"), setc("event_description","UPDATE: ALERT New attack definition version is available"), ])); var msg1 = msg("UPDATE", part1); -var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}[ALERT:%{id}] Server %{daddr}:%{dport}is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ +var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ setc("eventcategory","1603000000"), setc("event_description","STM: LB Server disabled by out of band monitor"), ])); var msg2 = msg("STM:01", part2); -var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}Server %{saddr}is created.", processor_chain([ +var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ dup3, setc("event_description","STM: LB Server created."), ])); var msg3 = msg("STM:02", part3); -var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2}Cookie Encryption Key has already expired", processor_chain([ +var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ setc("eventcategory","1613030100"), setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), ])); var msg4 = msg("STM:03", part4); -var part5 = 
match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2}Module CookieKey registered with Stateful Failover module.", processor_chain([ +var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ dup4, setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), ])); var msg5 = msg("STM:04", part5); -var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2}FEHC Monitor Module initialized.", processor_chain([ +var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ dup3, setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), ])); var msg6 = msg("STM:05", part6); -var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2}Stateful Failover Module initialized.", processor_chain([ +var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ dup3, setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), ])); var msg7 = msg("STM:06", part7); -var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3}[%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ +var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ dup3, setc("event_description","STM: SERVICE New Service created."), ])); var msg8 = msg("STM:07", part8); -var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2}Ssl Initialization", processor_chain([ +var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", 
processor_chain([ dup4, setc("event_description","STM: SSL Initialization."), ])); var msg9 = msg("STM:08", part9); -var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}LookupServerCtx = %{fld3}", processor_chain([ +var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ dup3, setc("event_description","STM: LB-LookupServerCtx."), ])); var msg10 = msg("STM:09", part10); -var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ +var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ dup3, setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), ])); var msg11 = msg("STM:10", part11); -var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name}SapCtx %{fld3}, SapId %{fld4}", processor_chain([ +var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ dup3, setc("event_description","STM: aps SapCtx log."), ])); var msg12 = msg("STM:11", part12); -var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name}SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ +var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ dup3, setc("event_description","STM: CACHE SapCtx log."), ])); var msg13 = msg("STM:12", part13); -var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2}Ftp proxy initialized %{info}", 
processor_chain([ +var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ dup3, setc("event_description","STM: FTPSVC Ftp proxy initialized."), ])); var msg14 = msg("STM:13", part14); -var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2}Secure Traffic Manager Initialization complete: %{info}", processor_chain([ +var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ dup3, setc("event_description","STM: STM Secure Traffic Manager Initialization complete."), ])); var msg15 = msg("STM:14", part15); -var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name}= %{info}", processor_chain([ +var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ dup3, setc("event_description","STM: COOKIE Cookie parameters set."), ])); 
@@ -402,189 +402,189 @@ var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1- var msg17 = msg("STM:16", part17); -var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5}grp: %{info}", processor_chain([ +var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ dup3, setc("event_description","STM: aps Set AddIpsPatternGroup."), ])); var msg18 = msg("STM:17", part18); -var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ +var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ dup3, setc("event_description","STM: aps AddPCInfoKeyWordMeta."), ])); var msg19 = msg("STM:18", part19); -var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ +var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ dup3, setc("event_description","STM: aps AddParamClass."), ])); var msg20 = msg("STM:19", part20); -var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ +var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ dup3, setc("event_description","STM: aps AddParamClassPatternsAndDFA."), ])); var msg21 = msg("STM:20", part21); -var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: 
aps-%{fld1->} %{fld2}ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ +var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ dup3, setc("event_description","STM: aps AddParamClassClonePatternsInfo."), ])); var msg22 = msg("STM:21", part22); -var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ +var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ dup3, setc("event_description","STM: aps SetIpsLogIntrusionOn."), ])); var msg23 = msg("STM:22", part23); -var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ +var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ dup3, setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), ])); var msg24 = msg("STM:23", part24); -var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ +var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ dup3, setc("event_description","STM: aps SetIpsTheftPolicy."), ])); var msg25 = msg("STM:24", part25); -var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", 
processor_chain([ +var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ dup3, setc("event_description","STM: aps SetIpsTheftPolicyDfa."), ])); var msg26 = msg("STM:25", part26); -var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ +var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ dup3, dup5, ])); var msg27 = msg("STM:26", part27); -var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}CreateRC: RC Add policy Success", processor_chain([ +var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ dup3, setc("event_description","STM: aps CreateRC: RC Add policy Success."), ])); var msg28 = msg("STM:27", part28); -var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}SetSap%{info}=%{fld3}", processor_chain([ +var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB Set Sap command."), ])); var msg29 = msg("STM:28", part29); -var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}SetServer%{info}=%{fld3}", processor_chain([ +var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB Set Server command."), ])); var msg30 = msg("STM:29", part30); -var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}AddServer%{info}=%{fld3}", processor_chain([ +var part31 = match("MESSAGE#30:STM:30", 
"nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB Add Server command."), ])); var msg31 = msg("STM:30", part31); -var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}CreateServer =%{fld3}", processor_chain([ +var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB Create Server command."), ])); var msg32 = msg("STM:31", part32); -var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}EnableServer =%{fld3}", processor_chain([ +var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB Enable Server command."), ])); var msg33 = msg("STM:32", part33); -var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ +var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), ])); var msg34 = msg("STM:33", part34); -var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}BindServerToSap =%{fld3}", processor_chain([ +var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ dup3, setc("event_description","STM: LB BindServerToSap command."), ])); var msg35 = msg("STM:34", part35); -var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2}[ALERT:%{fld3}] Server %{saddr}:%{sport}is enabled by out of band monitor. 
Reason:out of band monitor", processor_chain([ +var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. Reason:out of band monitor", processor_chain([ dup3, setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), ])); var msg36 = msg("STM:35", part36); -var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2}[%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ +var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ dup3, setc("event_description","STM: SERVICE Server service started command."), ])); var msg37 = msg("STM:36", part37); -var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2}CreateRP: Response Page %{fld3}created successfully", processor_chain([ +var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ dup3, setc("event_description","STM: RespPage Response Page created successfully."), ])); var msg38 = msg("STM:37", part38); -var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4}SapCtx %{fld5}, SapId %{fld6}", processor_chain([ +var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ dup3, setc("event_description","STM: AddWATReqRewriteRule AclName."), ])); var msg39 = msg("STM:38", part39); -var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4}SapCtx %{fld5}, SapId 
%{fld6}", processor_chain([ +var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ dup3, setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), ])); var msg40 = msg("STM:39", part40); -var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}SetWATReqRewritePolicyOn - %{fld6}Ret %{fld3}SapCtx %{fld4}, SapId %{fld5}", processor_chain([ +var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ dup3, setc("event_description","STM: SetWATReqRewritePolicyOn."), ])); var msg41 = msg("STM:40", part41); -var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ +var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ dup3, setc("event_description","STM: aps SetIpsOn."), ])); var msg42 = msg("STM:41", part42); -var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2}SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ +var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ dup3, dup5, ])); var msg43 = msg("STM:42", part43); -var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2}SetWATRespRewritePolicyOn - %{fld6}Ret %{fld3}SapCtx %{fld4}, SapId %{fld5}", processor_chain([ +var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ dup3, 
setc("event_description","STM: SetWATRespRewritePolicyOn."), ])); @@ -644,7 +644,7 @@ var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER var msg45 = msg("STM_WRAPPER:01", part45); -var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2}which exceeds the %{fld3}safe limit. Please check your configuration.", processor_chain([ +var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. Please check your configuration.", processor_chain([ dup6, setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), ])); 
@@ -696,42 +696,42 @@ var select3 = linear_select([ msg51, ]); -var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1}RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ +var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ dup3, setc("event_description","CONFIG_AGENT: RPC information."), ])); var msg52 = msg("CONFIG_AGENT:01", part52); -var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}Received put-tree command ", processor_chain([ +var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command ", processor_chain([ dup3, setc("event_description","CONFIG_AGENT:Received put-tree command."), ])); var msg53 = msg("CONFIG_AGENT:02", part53); -var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3->} ", processor_chain([ +var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3->} ", processor_chain([ dup4, setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), ])); var msg54 = msg("CONFIG_AGENT:03", part54); -var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1}Initiating config_agent database commit phase.", processor_chain([ +var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ dup3, setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), ])); var msg55 = 
msg("CONFIG_AGENT:04", part55); -var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}Update succeeded", processor_chain([ +var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ dup3, setc("event_description","CONFIG_AGENT:Update succeded."), ])); var msg56 = msg("CONFIG_AGENT:05", part56); -var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2}No rules, %{fld3->} ", processor_chain([ +var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3->} ", processor_chain([ dup3, setc("event_description","CONFIG_AGENT:No rules."), ])); @@ -833,14 +833,14 @@ var select6 = linear_select([ msg67, ]); -var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2}to %{fld3}", processor_chain([ +var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ dup3, setc("event_description"," INSTALL: migrating configuration."), ])); var msg68 = msg("INSTALL:01", part68); -var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2}release.", processor_chain([ +var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ dup3, setc("event_description"," INSTALL: Loading snapshot from previous version."), ])); 
@@ -871,7 +871,7 @@ var select8 = linear_select([ msg71, ]); -var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup7, setc("event_description"," Configuration changes made."), dup8, @@ -879,7 +879,7 @@ var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89- var msg72 = msg("CONFIG", part72); -var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ setc("eventcategory","1401060000"), setc("event_description"," Login."), dup8, 
@@ -887,7 +887,7 @@ var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89-> var msg73 = msg("LOGIN", part73); -var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup9, setc("event_description"," Session timeout."), dup8, @@ -895,7 +895,7 @@ var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} var msg74 = msg("SESSION_TIMEOUT", part74); -var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup9, setc("ec_subject","User"), setc("ec_activity","Logoff"), 
@@ -907,7 +907,7 @@ var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89- var msg75 = msg("LOGOUT", part75); -var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ setc("eventcategory","1401030000"), setc("event_description"," Unsuccessful login."), dup8, @@ -915,7 +915,7 @@ var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88 var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); -var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup10, setc("event_description"," Operating in Transport Mode"), dup8, 
@@ -923,7 +923,7 @@ var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88-> var msg77 = msg("TRANSPARENT_MODE", part77); -var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup10, setc("event_description"," Support Tunnel Opened"), dup8, @@ -931,7 +931,7 @@ var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld8 var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); -var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup10, setc("event_description"," Firmware Update"), dup8, 
@@ -939,7 +939,7 @@ var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} var msg79 = msg("FIRMWARE_UPDATE", part79); -var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup10, setc("event_description"," Firmware Revert."), dup8, @@ -947,7 +947,7 @@ var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} var msg80 = msg("FIRMWARE_REVERT", part80); -var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup10, setc("event_description"," System Reboot."), dup8, 
@@ -955,7 +955,7 @@ var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89- var msg81 = msg("REBOOT", part81); -var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup10, setc("event_description"," System ROLLBACK."), dup8, 
@@ -963,14 +963,14 @@ var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld8 var msg82 = msg("ROLLBACK", part82); -var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}\"[%{result}]\" %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ +var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ dup11, dup8, ])); var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); -var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ +var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ dup11, dup8, ])); 
@@ -1131,7 +1131,7 @@ var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} var msg115 = msg("SYS", part86); -var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log}Severity=%{severity}Protocol=%{protocol}SourceIP=%{saddr}SourcePort=%{sport}DestIP=%{daddr}DestPort=%{dport}Action=%{action}AdminName=%{administrator}Details=%{info}", processor_chain([ +var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ dup17, date_time({ dest: "event_time", @@ -1144,7 +1144,7 @@ var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_ var msg116 = msg("BARRACUDAWAF", part87); -var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name}\"%{change_old}\" \"%{change_new}\"", processor_chain([ +var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ dup7, dup8, setc("category","AUDIT"), 
@@ -1153,7 +1153,7 @@ var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{f var msg117 = msg("Audit_Logs", part88); -var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ +var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ dup17, dup8, setc("category","WF"), @@ -1162,7 +1162,7 @@ var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} var msg118 = msg("WF", part89); -var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes}\"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); +var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); var all2 = all_match({ processors: [ 
@@ -1180,7 +1180,7 @@ var all2 = all_match({ var msg119 = msg("TR_Logs:01", all2); -var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query}\"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); +var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); var all3 = all_match({ processors: [ @@ -1198,7 +1198,7 @@ var all3 = all_match({ var msg120 = msg("TR_Logs:02", all3); -var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes}\"-\" %{web_cookie}\"%{user_agent}\" %{stransaddr->} %{p0}"); +var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); var all4 = all_match({ processors: [ 
@@ -1216,7 +1216,7 @@ var all4 = all_match({ var msg121 = msg("TR_Logs:03", all4); -var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone}TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie}\"%{user_agent}\" %{stransaddr->} %{p0}"); +var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); var all5 = all_match({ processors: [ @@ -1296,9 +1296,9 @@ var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{ var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); -var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}- %{stransaddr->} %{stransport->} %{web_referer}"); +var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); -var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); +var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); 
@@ -1309,7 +1309,7 @@ var select23 = linear_select([ dup14, ]); -var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context}[%{result}] %{web_method->} %{url->} %{protocol}\"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ +var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ dup17, dup8, ])); diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md index b47b2262762..cb18aa4847a 100644 --- a/x-pack/filebeat/module/bluecoat/README.md +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 -at 2020-07-07 18:10:42.748595 +0000 UTC. +at 2020-07-08 13:58:33.045176 +0000 UTC. diff --git a/x-pack/filebeat/module/bluecoat/director/config/pipeline.js b/x-pack/filebeat/module/bluecoat/director/config/pipeline.js index 1f3a2a57e49..e000b6702d9 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/pipeline.js +++ b/x-pack/filebeat/module/bluecoat/director/config/pipeline.js 
@@ -314,7 +314,7 @@ var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: var msg14 = msg("configd:Rotating", part13); -var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %(unknown)from device \"%{hostname}\"", processor_chain([ +var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ dup5, dup6, ])); @@ -342,7 +342,7 @@ var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003 var msg18 = msg("configd:11", part17); -var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action};; CPL generated by Visual Policy Manager: %{fld10};%{fld11}; %{fld12}; %{info}", processor_chain([ +var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ dup5, dup6, dup8, @@ -402,7 +402,7 @@ var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c var msg26 = msg("Inputting", part25); -var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info}to %(unknown)", processor_chain([ +var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ dup5, dup6, ])); 
@@ -476,7 +476,7 @@ var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u0 var msg36 = msg("Device", part35); -var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9}Output for device \"%{hostname}\" %{fld10}", processor_chain([ +var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ dup5, dup6, ])); @@ -514,7 +514,7 @@ var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \ var msg41 = msg("configd:backup", part40); -var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action};; CPL generated by Visual Policy Manager: %{fld10};%{fld11}; %{fld12}; %{info}", processor_chain([ +var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ dup5, dup6, dup8, @@ -530,7 +530,7 @@ var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent var msg43 = msg("configd:connection", part42); -var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info}failed", processor_chain([ +var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ dup5, dup6, setc("event_description","cd session read failed"), 
@@ -635,7 +635,7 @@ var select5 = linear_select([ msg51, ]); -var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6}command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ +var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ dup5, dup6, ])); @@ -649,7 +649,7 @@ var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{proce var msg53 = msg("runner:01", part52); -var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6}finished running.", processor_chain([ +var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ dup5, dup6, ])); @@ -679,7 +679,7 @@ var select6 = linear_select([ msg56, ]); -var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6}on port: %{fld7}", processor_chain([ +var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ dup5, dup6, ])); 
@@ -715,7 +715,7 @@ var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u0 var msg61 = msg("ccd:02", part60); -var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1}pipe : %{info}", processor_chain([ +var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ dup5, dup6, setc("event_description","write to ssh pipe"), @@ -759,7 +759,7 @@ var select7 = linear_select([ msg65, ]); -var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10}on %{fld5}failed: %{result}", processor_chain([ +var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ dup9, dup6, ])); @@ -790,7 +790,7 @@ var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process var msg69 = msg("sshd:03", part68); -var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1}more authentication failure; %{info}", processor_chain([ +var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ dup5, dup6, dup10, @@ -809,7 +809,7 @@ var select8 = linear_select([ msg71, ]); -var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname}and serial number = %{fld6}into DB", processor_chain([ +var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ dup5, dup6, ])); 
@@ -922,7 +922,7 @@ var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_i var msg84 = msg("pm:02", part82); -var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info}started", processor_chain([ +var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ dup5, dup6, setc("event_description","service started"), @@ -930,7 +930,7 @@ var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_i var msg85 = msg("pm:03", part83); -var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info}will start in %{fld1}", processor_chain([ +var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ dup5, dup6, setc("event_description","service will start"), @@ -964,7 +964,7 @@ var select11 = linear_select([ msg88, ]); -var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info}to %{fld1}", processor_chain([ +var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ dup5, dup6, setc("event_description","updated timestamp"), @@ -972,7 +972,7 @@ var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process var msg89 = msg("anacron", part87); -var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version}started on %{fld1}", processor_chain([ +var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ dup5, dup6, setc("event_description","anacron started"), 
@@ -1029,7 +1029,7 @@ var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_ var msg95 = msg("xinetd", part93); -var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1}available services", processor_chain([ +var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ dup5, dup6, ])); diff --git a/x-pack/filebeat/module/cisco/nexus/config/pipeline.js b/x-pack/filebeat/module/cisco/nexus/config/pipeline.js index e26249440cd..610b33684ca 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/pipeline.js +++ b/x-pack/filebeat/module/cisco/nexus/config/pipeline.js @@ -139,7 +139,7 @@ var dup58 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Proto var dup59 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); -var dup60 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space}Hit-count = %{dclass_counter1}"); +var dup60 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); var dup61 = setc("dclass_counter1_string","Hit Count"); 
@@ -207,28 +207,28 @@ var dup88 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{ dup4, ])); -var dup89 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var dup89 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var dup90 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result})", processor_chain([ +var dup90 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var dup91 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var dup91 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var dup92 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var dup92 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup25, dup2, dup3, 
@@ -254,14 +254,14 @@ var dup95 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{even dup4, ])); -var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result}) ", processor_chain([ +var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result}) ", processor_chain([ dup15, dup2, dup3, dup4, ])); -var dup97 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52}Interface %{interface}is down (%{result})", processor_chain([ +var dup97 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup35, dup36, @@ -322,7 +322,7 @@ var dup106 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface dup4, ])); -var dup107 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43}Interface %{interface}is down%{info}", processor_chain([ +var dup107 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ dup24, dup2, dup3, @@ -349,7 +349,7 @@ var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16-> setc("header_id","0007"), ])); -var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ setc("header_id","0005"), ])); 
@@ -406,7 +406,7 @@ var select1 = linear_select([ var msg1 = msg("LOG-7-SYSTEM_MSG", dup87); -var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username}from %{saddr}- %{agent}[%{process_id}] ", processor_chain([ +var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}] ", processor_chain([ dup5, dup2, dup3, @@ -416,7 +416,7 @@ var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authe var msg2 = msg("SYSTEM_MSG", part1); -var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username}from %{shost}", processor_chain([ +var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ dup5, dup2, dup3, @@ -426,7 +426,7 @@ var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Au var msg3 = msg("SYSTEM_MSG:12", part2); -var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username}from %{saddr}- %{agent}[%{process_id}] ", processor_chain([ +var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}] ", processor_chain([ dup5, dup2, dup3, @@ -436,7 +436,7 @@ var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Au var msg4 = msg("SYSTEM_MSG:01", part3); -var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username}from %{shost->} ", processor_chain([ +var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost->} ", processor_chain([ dup5, dup2, dup3, 
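Review bot: In part1–part4 the `username` capture now ends at ` from ` instead of at the bare literal `from`, and for a PAM "Authentication failure" line that field is filled from whatever name was typed at the failed login, so the text is not under the administrator's control and may itself contain spaces or the word "from". Which occurrence of ` from ` the parser stops at determines what lands in the user and source-address fields that downstream alerts key on, and that behaviour is not pinned by anything in this hunk. It is worth adding a sample log line with a space-containing user name to the fileset's test input so the fixture records the chosen split and a future regeneration of this file cannot silently change it. This is inferred from the pattern text only; the matcher's actual greediness is defined outside the hunk.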
@@ -457,7 +457,7 @@ var select2 = linear_select([ part7, ]); -var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr}port %{sport->} %{protocol}- %{agent}[%{process_id}]"); +var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); var all1 = all_match({ processors: [ @@ -493,7 +493,7 @@ var select3 = linear_select([ part11, ]); -var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20}uid=%{fld21}euid=%{fld22}tty=%{terminal}ruser=%{fld24}rhost=%{p0}"); +var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); @@ -543,7 +543,7 @@ var select5 = linear_select([ part19, ]); -var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr}- %{agent}[%{process_id}]"); +var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); var all3 = all_match({ processors: [ @@ -561,7 +561,7 @@ var all3 = all_match({ var msg10 = msg("SYSTEM_MSG:05", all3); -var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21}FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ +var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ dup5, dup2, dup3, 
@@ -579,7 +579,7 @@ var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{even var msg12 = msg("SYSTEM_MSG:07", part22); -var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname}- kernel", processor_chain([ +var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ dup9, dup2, dup3, @@ -597,7 +597,7 @@ var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized var msg14 = msg("SYSTEM_MSG:10", part24); -var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43}: SNMP UDP authentication failed for %{saddr}.", processor_chain([ +var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ dup5, dup2, dup3, @@ -606,7 +606,7 @@ var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43}: SN var msg15 = msg("SYSTEM_MSG:13", part25); -var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43}: Subsequent authentication success for user (%{username}) failed.", processor_chain([ +var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ dup5, dup2, dup3, @@ -615,7 +615,7 @@ var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43}: Su var msg16 = msg("SYSTEM_MSG:14", part26); -var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1}: TTY=%{terminal}; PWD=%{directory}; USER=%{username}; COMMAND=%{param}", processor_chain([ +var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ dup10, dup2, dup3, 
@@ -626,7 +626,7 @@ var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1}: TTY var msg17 = msg("SYSTEM_MSG:15", part27); -var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username}- %{agent}[%{process_id}]", processor_chain([ +var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ dup5, dup2, dup3, @@ -668,7 +668,7 @@ var all4 = all_match({ var msg19 = msg("SYSTEM_MSG:17", all4); -var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username}- %{agent}", processor_chain([ +var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ dup10, dup2, dup3, @@ -678,7 +678,7 @@ var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user add var msg20 = msg("SYSTEM_MSG:20", part33); -var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username}- %{agent}", processor_chain([ +var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ dup10, dup2, dup3, @@ -691,7 +691,7 @@ var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{f var msg21 = msg("SYSTEM_MSG:21", part34); -var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username}- %{agent}", processor_chain([ +var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ dup10, dup2, dup3, 
@@ -701,7 +701,7 @@ var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{f var msg22 = msg("SYSTEM_MSG:22", part35); -var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2}- %{agent}[%{process_id}]", processor_chain([ +var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ dup18, dup2, dup3, @@ -792,7 +792,7 @@ var select9 = linear_select([ msg25, ]); -var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1}hostname changed to %{hostname}", processor_chain([ +var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ dup15, dup2, dup3, @@ -801,7 +801,7 @@ var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1 var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); -var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname}is activated by profile %{username}", processor_chain([ +var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ dup23, dup2, dup3, @@ -821,7 +821,7 @@ var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit var msg28 = msg("POLICY_COMMIT_EVENT", part44); -var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname}is de-activated by last referring profile %{username}", processor_chain([ +var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ setc("eventcategory","1701070000"), dup2, dup3, 
@@ -832,7 +832,7 @@ var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Po var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); -var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname}rule=%{rulename}action=%{action}direction=%{direction}src.net.ip-address=%{saddr}src.net.port=%{sport}dst.net.ip-address=%{daddr}dst.net.port=%{dport}net.protocol=%{protocol}net.ethertype=%{fld2}dst.zone.name=%{dst_zone}src.zone.name=%{src_zone->} ", processor_chain([ +var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone->} ", processor_chain([ dup15, dup2, dup3, @@ -841,7 +841,7 @@ var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "pol var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); -var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname}rule=%{rulename}action=%{action}direction=%{direction}src.net.ip-address=%{saddr}src.net.port=%{sport}dst.net.ip-address=%{daddr}dst.net.port=%{dport}net.protocol=%{protocol}net.ethertype=%{fld2}", processor_chain([ +var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ dup15, dup2, dup3, 
@@ -850,7 +850,7 @@ var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy var msg31 = msg("POLICY_LOOKUP_EVENT", part47); -var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname}rule=%{rulename}action=%{action}direction=%{direction}net.ethertype=%{fld2}", processor_chain([ +var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ dup15, dup2, dup3, @@ -869,7 +869,7 @@ var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup88); var msg34 = msg("MTSERROR", dup87); -var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface}is down (Error disabled. Reason:%{result})", processor_chain([ +var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. Reason:%{result})", processor_chain([ dup24, dup2, dup3, @@ -891,7 +891,7 @@ var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup91); var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup92); -var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, @@ -969,7 +969,7 @@ var all8 = all_match({ var msg47 = msg("IF_TX_FLOW_CONTROL", all8); -var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43}Interface %{sinterface}is up in mode %{result}", processor_chain([ +var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ dup15, dup2, dup3, 
@@ -979,7 +979,7 @@ var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43}Interface %{ var msg48 = msg("IF_UP", part55); -var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface}is up", processor_chain([ +var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ dup15, dup2, dup3, @@ -1004,7 +1004,7 @@ var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interfac var msg50 = msg("SPEED", part57); -var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object}created", processor_chain([ +var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ dup30, dup2, dup3, @@ -1013,7 +1013,7 @@ var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object}cre var msg51 = msg("CREATED", part58); -var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old}to %{change_new}", processor_chain([ +var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ dup31, dup2, dup3, @@ -1022,7 +1022,7 @@ var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object var msg52 = msg("FOP_CHANGED", part59); -var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface}is down", processor_chain([ +var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ dup24, dup2, dup3, 
@@ -1031,7 +1031,7 @@ var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: var msg53 = msg("PORT_DOWN", part60); -var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface}is up", processor_chain([ +var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ dup15, dup2, dup3, @@ -1040,7 +1040,7 @@ var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: % var msg54 = msg("PORT_UP", part61); -var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface}is added to %{group_object}with subgroup id %{fld20}", processor_chain([ +var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ dup30, dup2, dup3, @@ -1049,7 +1049,7 @@ var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Int var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); -var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface}is removed from %{group_object}with subgroup id %{fld20}", processor_chain([ +var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ dup25, dup2, dup3, @@ -1085,7 +1085,7 @@ var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); var msg66 = msg("MSM_CRIT", dup94); -var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost}(%{result})", processor_chain([ +var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ dup5, dup2, dup3, 
@@ -1097,7 +1097,7 @@ var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup88); -var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20}(serial: %{serial_number}) failed", processor_chain([ +var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ dup33, dup2, dup3, @@ -1106,7 +1106,7 @@ var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of var msg69 = msg("MOD_FAIL", part66); -var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ +var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ dup34, dup2, dup3, @@ -1115,7 +1115,7 @@ var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{f var msg70 = msg("MOD_MAJORSWFAIL", part67); -var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ +var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ dup15, dup2, dup3, 
@@ -1124,7 +1124,7 @@ var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Mod var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); -var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) reported warnings on %{info}due to %{result}in device %{fld23}(device error %{fld22})", processor_chain([ +var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ dup33, dup2, dup3, @@ -1133,7 +1133,7 @@ var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fl var msg72 = msg("MOD_WARNING:01", part69); -var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20}(serial: %{serial_number}) reported warning %{info}due to %{result}in device %{fld23}(device error %{fld22})", processor_chain([ +var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ dup33, dup2, dup3, @@ -1147,7 +1147,7 @@ var select14 = linear_select([ msg73, ]); -var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20}is active (serial: %{serial_number})", processor_chain([ +var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ dup15, dup2, dup3, 
@@ -1156,7 +1156,7 @@ var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor % var msg74 = msg("ACTIVE_SUP_OK", part71); -var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20}is online (serial: %{serial_number})", processor_chain([ +var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ dup15, dup2, dup3, @@ -1165,7 +1165,7 @@ var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20}is o var msg75 = msg("MOD_OK", part72); -var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20}is restarting after image download", processor_chain([ +var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ dup15, dup2, dup3, @@ -1174,7 +1174,7 @@ var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20 var msg76 = msg("MOD_RESTART", part73); -var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname}on %{vlan}", processor_chain([ +var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ dup8, dup2, dup3, @@ -1184,7 +1184,7 @@ var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute re var msg77 = msg("DISPUTE_CLEARED", part74); -var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname}on %{vlan}", processor_chain([ +var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ dup8, dup2, dup3, 
@@ -1202,7 +1202,7 @@ var msg81 = msg("CHASSIS_CLKSRC", dup88); var msg82 = msg("FAN_OK", dup88); -var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19}detected (Serial number %{serial_number}) Module-Type %{fld20}Model %{fld21}", processor_chain([ +var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ dup15, dup2, dup3, @@ -1211,7 +1211,7 @@ var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19} var msg83 = msg("MOD_DETECT", part76); -var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19}powered down (Serial number %{serial_number})", processor_chain([ +var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ dup15, dup2, dup3, @@ -1220,7 +1220,7 @@ var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19}p var msg84 = msg("MOD_PWRDN", part77); -var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19}powered up (Serial number %{serial_number})", processor_chain([ +var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ dup15, dup2, dup3, @@ -1229,7 +1229,7 @@ var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19}p var msg85 = msg("MOD_PWRUP", part78); -var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19}removed (Serial number %{serial_number})", processor_chain([ +var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ dup25, dup2, dup3, 
@@ -1254,7 +1254,7 @@ var msg93 = msg("PFM_VEM_UNLICENSED", dup88); var msg94 = msg("PS_FANOK", dup88); -var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19}ok (Serial number %{serial_number})", processor_chain([ +var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ dup15, dup2, dup3, @@ -1272,7 +1272,7 @@ var part81 = match("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "%{ var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); -var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19}(Serial number %{serial_number}) %{fld20}detected", processor_chain([ +var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ dup15, dup2, dup3, @@ -1283,7 +1283,7 @@ var msg97 = msg("FAN_DETECT", part82); var msg98 = msg("MOD_STATUS", dup88); -var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name}configured vlans changed", processor_chain([ +var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ dup15, dup2, dup3, @@ -1293,7 +1293,7 @@ var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); -var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name}deleted", processor_chain([ +var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ dup15, dup2, dup3, 
@@ -1304,7 +1304,7 @@ var msg100 = msg("PEER_VPC_DELETED", part84); var msg101 = msg("PFM_VEM_DETECTED", dup88); -var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19}found (Serial number %{serial_number})", processor_chain([ +var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ dup15, dup2, dup3, @@ -1335,7 +1335,7 @@ var all9 = all_match({ var msg103 = msg("PS_STATUS", all9); -var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1}changed its capacity. possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ +var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ dup15, dup2, dup3, @@ -1360,7 +1360,7 @@ var select17 = linear_select([ msg107, ]); -var part88 = match("MESSAGE#107:IF_DOWN_INITIALIZING", "nwparser.payload", "Interface %{interface}is down (%{result}) ", processor_chain([ +var part88 = match("MESSAGE#107:IF_DOWN_INITIALIZING", "nwparser.payload", "Interface %{interface->} is down (%{result}) ", processor_chain([ dup15, dup2, dup3, @@ -1376,7 +1376,7 @@ var select18 = linear_select([ msg109, ]); -var part89 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var part89 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup35, dup36, 
@@ -1408,7 +1408,7 @@ var msg114 = msg("IF_DOWN_OFFLINE", dup89); var msg115 = msg("IF_DOWN_OLS_RCVD", dup89); -var part90 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var part90 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup32, dup2, dup3, @@ -1419,7 +1419,7 @@ var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part90); var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup91); -var part91 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20}is down (%{info}) ", processor_chain([ +var part91 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info}) ", processor_chain([ dup24, dup2, dup3, @@ -1428,7 +1428,7 @@ var part91 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface % var msg118 = msg("IF_TRUNK_DOWN", part91); -var part92 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan}down", processor_chain([ +var part92 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ dup24, dup2, dup3, @@ -1437,7 +1437,7 @@ var part92 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interfac var msg119 = msg("IF_TRUNK_DOWN:01", part92); -var part93 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43}Interface %{interface}, vsan %{vlan}is down %{info}", processor_chain([ +var part93 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ dup24, dup2, dup3, 
@@ -1452,7 +1452,7 @@ var select21 = linear_select([ msg120, ]); -var part94 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20}is up", processor_chain([ +var part94 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ dup15, dup2, dup3, @@ -1461,7 +1461,7 @@ var part94 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{i var msg121 = msg("IF_TRUNK_UP", part94); -var part95 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan}up", processor_chain([ +var part95 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ dup24, dup2, dup3, @@ -1470,7 +1470,7 @@ var part95 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface var msg122 = msg("IF_TRUNK_UP:01", part95); -var part96 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43}Interface %{interface}, vsan %{vlan}is up %{info}", processor_chain([ +var part96 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ dup24, dup2, dup3, @@ -1487,7 +1487,7 @@ var select22 = linear_select([ var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup98); -var part97 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface}is inheriting port-profile %{fld20}", processor_chain([ +var part97 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ dup15, dup2, dup3, 
@@ -1498,7 +1498,7 @@ var msg125 = msg("IF_PORTPROFILE_ATTACHED", part97); var msg126 = msg("STANDBY_SUP_OK", dup88); -var part98 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname}and %{info}vlan %{vlan}- %{result}", processor_chain([ +var part98 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ dup15, dup2, dup3, @@ -1581,7 +1581,7 @@ var msg138 = msg("IF_ATTACHED", dup88); var msg139 = msg("IF_DELETE_AUTO", dup95); -var part105 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface}is detached", processor_chain([ +var part105 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ dup25, dup2, dup3, @@ -1596,7 +1596,7 @@ var msg142 = msg("IF_DOWN_INACTIVE", dup89); var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup89); -var part106 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface}is down", processor_chain([ +var part106 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ dup24, dup2, dup3, @@ -1605,7 +1605,7 @@ var part106 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "I var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part106); -var part107 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname}connected to the vCenter Server.", processor_chain([ +var part107 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ dup37, dup2, dup3, 
@@ -1614,7 +1614,7 @@ var part107 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection var msg145 = msg("CONN_CONNECT", part107); -var part108 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname}disconnected from the vCenter Server.", processor_chain([ +var part108 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ setc("eventcategory","1801030000"), dup2, dup3, @@ -1623,7 +1623,7 @@ var part108 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connecti var msg146 = msg("CONN_DISCONNECT", part108); -var part109 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info}on the vCenter Server.", processor_chain([ +var part109 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ dup30, dup2, dup3, @@ -1632,7 +1632,7 @@ var part109 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port var msg147 = msg("DVPG_CREATE", part109); -var part110 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info}from the vCenter Server.", processor_chain([ +var part110 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ dup25, dup2, dup3, @@ -1643,7 +1643,7 @@ var msg148 = msg("DVPG_DELETE", part110); var msg149 = msg("DVS_HOSTMEMBER_INFO", dup88); -var part111 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info}on the vCenter Server.", processor_chain([ +var part111 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ dup15, dup2, dup3, 
@@ -1654,7 +1654,7 @@ var msg150 = msg("DVS_NAME_CHANGE", part111); var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup88); -var part112 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name}is deleted", processor_chain([ +var part112 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ dup15, dup2, dup3, @@ -1663,7 +1663,7 @@ var part112 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_na var msg152 = msg("VPC_DELETED", part112); -var part113 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name}is up", processor_chain([ +var part113 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ dup8, dup2, dup3, @@ -1673,7 +1673,7 @@ var part113 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name}is var msg153 = msg("VPC_UP", part113); -var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username}on %{p0}"); +var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); @@ -1713,7 +1713,7 @@ var select25 = linear_select([ msg155, ]); -var part118 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol}(%{result})", processor_chain([ +var part118 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ dup24, dup2, dup3, 
@@ -1791,7 +1791,7 @@ var part125 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part125); -var part126 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost}address:%{daddr}:%{dport}) deleted", processor_chain([ +var part126 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ dup15, dup2, dup3, @@ -1800,7 +1800,7 @@ var part126 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part126); -var part127 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost}address:%{daddr}:%{dport}timeout:%{fld44}retry:%{fld45}tagList:trap params:%{fld46}) added", processor_chain([ +var part127 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ dup15, dup2, dup3, @@ -1809,7 +1809,7 @@ var part127 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part127); -var part128 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface}state updated to up", processor_chain([ +var part128 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ dup15, dup2, dup3, 
@@ -1818,7 +1818,7 @@ var part128 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part128); -var part129 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface}state updated to down", processor_chain([ +var part129 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ dup15, dup2, dup3, @@ -1836,7 +1836,7 @@ var part130 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part130); -var part131 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1}(%{result}) ", processor_chain([ +var part131 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result}) ", processor_chain([ dup15, dup2, dup3, @@ -1855,7 +1855,7 @@ var part132 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part132); -var part133 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1}(%{result})", processor_chain([ +var part133 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ dup15, dup2, dup3, 
@@ -1917,7 +1917,7 @@ var all13 = all_match({ var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); -var part138 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}(%{result})", processor_chain([ +var part138 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ dup15, dup2, dup3, @@ -2105,7 +2105,7 @@ var all14 = all_match({ var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); -var part151 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3}reached for number of flows", processor_chain([ +var part151 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ dup15, dup2, dup3, @@ -2142,7 +2142,7 @@ var all15 = all_match({ var msg189 = msg("ACLLOG_NEW_FLOW", all15); -var part152 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process}[%{process_id}] Source address of packet received from %{smacaddr}on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ +var part152 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ dup1, dup2, dup3, @@ -2152,7 +2152,7 @@ var part152 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{proce var msg190 = msg("DUP_VADDR_SRC_IP", part152); -var part153 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan}on Interface %{sinterface}are removed from suspended state.", processor_chain([ +var part153 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ dup15, dup2, dup3, 
@@ -2161,7 +2161,7 @@ var part153 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "V var msg191 = msg("IF_ERROR_VLANS_REMOVED", part153); -var part154 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan}on Interface %{sinterface}are being suspended. (Reason: %{info})", processor_chain([ +var part154 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ dup15, dup2, dup3, @@ -2170,7 +2170,7 @@ var part154 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part154); -var part155 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface}is down(%{result})", processor_chain([ +var part155 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ dup15, dup2, dup3, @@ -2188,7 +2188,7 @@ var part156 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock s var msg194 = msg("PFM_CLOCK_CHANGE", part156); -var part157 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3}causing standby to reset.", processor_chain([ +var part157 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ dup15, dup2, dup3, @@ -2231,7 +2231,7 @@ var msg198 = msg("CFGWRITE_USER_ABORT", part160); var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup96); -var part161 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1}time ", processor_chain([ +var part161 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time ", processor_chain([ dup15, dup2, dup3, 
@@ -2242,7 +2242,7 @@ var part161 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{ var msg200 = msg("last", part161); -var part162 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service}(PID %{parent_pid}) hasn't caught signal %{fld43}(%{result}).", processor_chain([ +var part162 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ dup33, dup2, dup3, @@ -2251,7 +2251,7 @@ var part162 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service var msg201 = msg("SERVICE_CRASHED", part162); -var part163 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service}lost on WCCP Client %{saddr}", processor_chain([ +var part163 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ dup62, dup2, dup3, @@ -2261,7 +2261,7 @@ var part163 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{se var msg202 = msg("SERVICELOST", part163); -var part164 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface}is allowed to come up even with SFP checksum error", processor_chain([ +var part164 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ dup24, dup2, dup3, @@ -2270,7 +2270,7 @@ var part164 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparse var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part164); -var part165 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43}failed or shut%{p0}"); +var part165 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); var part166 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); 
@@ -2312,7 +2312,7 @@ var part169 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Nat var msg207 = msg("NATIVE_VLAN_MISMATCH", part169); -var part170 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22}discovered of type %{fld23}with port %{fld24}on incoming port %{interface}with ip addr %{fld25}and mgmt ip %{hostip}", processor_chain([ +var part170 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ dup30, dup2, dup3, @@ -2321,7 +2321,7 @@ var part170 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{ var msg208 = msg("NEIGHBOR_ADDED", part170); -var part171 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22}on port %{interface}has been removed", processor_chain([ +var part171 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ dup25, dup2, dup3, @@ -2339,7 +2339,7 @@ var part172 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Inte var msg210 = msg("IF_BANDWIDTH_CHANGE", part172); -var part173 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down (Parent interface down)", processor_chain([ +var part173 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ dup24, dup2, dup3, 
@@ -2348,7 +2348,7 @@ var part173 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part173); -var part174 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface}is down", processor_chain([ +var part174 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ dup24, dup2, dup3, @@ -2357,7 +2357,7 @@ var part174 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "ind var msg212 = msg("PORT_INDIVIDUAL_DOWN", part174); -var part175 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface}is suspended", processor_chain([ +var part175 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ dup24, dup2, dup3, @@ -2366,7 +2366,7 @@ var part175 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: var msg213 = msg("PORT_SUSPENDED", part175); -var part176 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22}of Fex %{fld23}that is connected with %{interface}changed its status from %{change_old}to %{change_new}", processor_chain([ +var part176 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ dup15, dup2, dup3, @@ -2382,7 +2382,7 @@ var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup88); var msg217 = msg("ADJCHANGE", dup88); -var part177 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan}with role %{fld22}, state %{disposition}, %{info}", processor_chain([ +var part177 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ dup30, dup2, dup3, 
@@ -2400,7 +2400,7 @@ var part178 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface % var msg219 = msg("PORT_DELETED", part178); -var part179 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface}instance VLAN%{vlan}role changed to %{fld22}", processor_chain([ +var part179 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ dup63, dup2, dup3, @@ -2409,7 +2409,7 @@ var part179 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interfa var msg220 = msg("PORT_ROLE", part179); -var part180 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface}instance VLAN%{vlan}moving from %{change_old}to %{change_new}", processor_chain([ +var part180 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ dup15, dup2, dup3, @@ -2419,7 +2419,7 @@ var part180 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interf var msg221 = msg("PORT_STATE", part180); -var part181 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol}(%{result}) %{info}", processor_chain([ +var part181 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ dup24, dup2, dup3, 
@@ -2442,7 +2442,7 @@ var part182 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payloa var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part182); -var part183 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface}(%{result})%{info}", processor_chain([ +var part183 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ dup64, dup2, dup4, @@ -2478,7 +2478,7 @@ var all17 = all_match({ var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); -var part188 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string}(%{result})%{info}", processor_chain([ +var part188 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ dup64, dup2, dup4, @@ -2555,7 +2555,7 @@ var msg234 = msg("IF_DOWN_PEER_CLOSE", dup107); var msg235 = msg("IF_DOWN_PEER_RESET", dup107); -var part192 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name}configuration is not consistent (%{result})", processor_chain([ +var part192 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ dup15, dup2, dup3, 
@@ -2565,7 +2565,7 @@ var part192 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", " var msg236 = msg("INTF_CONSISTENCY_FAILED", part192); -var part193 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name}configuration is consistent", processor_chain([ +var part193 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ dup8, dup2, dup3, @@ -2714,7 +2714,7 @@ var all23 = all_match({ var msg254 = msg("SOHMS_DIAG_ERROR", all23); -var part202 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device}System minor alarm on power supply %{fld42}: %{result->} ", processor_chain([ +var part202 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result->} ", processor_chain([ dup62, dup39, dup73, @@ -2743,7 +2743,7 @@ var select37 = linear_select([ msg256, ]); -var part204 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device}for group: %{fld1}, (%{fld2}(%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ +var part204 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ dup74, dup35, dup39, @@ -2769,7 +2769,7 @@ var part205 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part205); -var part206 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface}is admin up", processor_chain([ +var part206 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ dup31, dup35, dup39, 
@@ -2782,7 +2782,7 @@ var part206 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{ var msg259 = msg("IF_ADMIN_UP", part206); -var part207 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name}is configured", processor_chain([ +var part207 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ dup31, dup35, dup39, @@ -2820,7 +2820,7 @@ var part209 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", " var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part209); -var part210 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name}is down ()", processor_chain([ +var part210 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ dup78, dup35, dup39, @@ -2946,7 +2946,7 @@ var part222 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "I var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part222); -var part223 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47}has changed, %{info}", processor_chain([ +var part223 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ dup31, dup16, dup39, @@ -2958,7 +2958,7 @@ var part223 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Eje var msg270 = msg("EJECTOR_STAT_CHANGED", part223); -var part224 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41}detected (Serial number %{fld42})", processor_chain([ +var part224 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ dup30, setc("ec_activity","Detect"), dup39, 
@@ -2970,7 +2970,7 @@ var part224 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41 var msg271 = msg("XBAR_DETECT", part224); -var part225 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41}powered up (Serial number %{fld42})", processor_chain([ +var part225 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ dup15, dup76, dup77, @@ -2982,7 +2982,7 @@ var part225 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41} var msg272 = msg("XBAR_PWRUP", part225); -var part226 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41}powered down (Serial number %{fld42})", processor_chain([ +var part226 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ dup15, dup76, setc("ec_activity","Stop"), @@ -2994,7 +2994,7 @@ var part226 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41} var msg273 = msg("XBAR_PWRDN", part226); -var part227 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41}is online (serial: %{fld42})", processor_chain([ +var part227 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ dup15, dup2, dup3, @@ -3024,7 +3024,7 @@ var part229 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC sw var msg276 = msg("VPC_ISSU_END", part229); -var part230 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name}interface=%{interface}mst=%{fld42}", processor_chain([ +var part230 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ dup63, dup2, dup3, 
@@ -3034,7 +3034,7 @@ var part230 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role var msg277 = msg("PORT_RANGE_ROLE", part230); -var part231 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name}interface=%{interface}mst=%{fld42}", processor_chain([ +var part231 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ dup63, dup2, dup3, @@ -3044,7 +3044,7 @@ var part231 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_sta var msg278 = msg("PORT_RANGE_STATE", part231); -var part232 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface}removed from mst=%{fld42}", processor_chain([ +var part232 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ dup25, dup35, dup20, @@ -3057,7 +3057,7 @@ var part232 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Inter var msg279 = msg("PORT_RANGE_DELETED", part232); -var part233 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface}added to mst=%{fld42}with %{info}", processor_chain([ +var part233 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ dup30, dup35, dup81, @@ -3070,7 +3070,7 @@ var part233 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interfa var msg280 = msg("PORT_RANGE_ADDED", part233); -var part234 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname}removed as MST Boundary port", processor_chain([ +var part234 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ dup25, dup35, dup20, 
@@ -3093,7 +3093,7 @@ var part235 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.paylo var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part235); -var part236 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface}is %{obj_name}in vdc %{fld43->} ", processor_chain([ +var part236 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43->} ", processor_chain([ dup8, dup2, dup3, @@ -3103,7 +3103,7 @@ var part236 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interfac var msg283 = msg("IM_INTF_STATE", part236); -var part237 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43}state changed to %{obj_name->} ", processor_chain([ +var part237 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name->} ", processor_chain([ dup63, dup35, dup16, @@ -3140,7 +3140,7 @@ var part239 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process var msg286 = msg("VDC_MODULETYPE", part239); -var part240 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44}for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ +var part240 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ dup78, dup35, dup36, 
@@ -3191,7 +3191,7 @@ var part243 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part243); -var part244 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id}Port ID %{fld45}management address %{fld46}discovered on local port %{portname}in vlan %{vlan->} %{info}", processor_chain([ +var part244 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ dup30, dup81, dup39, @@ -3203,7 +3203,7 @@ var part244 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with var msg291 = msg("SERVER_ADDED", part244); -var part245 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id}Port ID %{fld45}on local port %{portname}has been removed", processor_chain([ +var part245 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ dup25, dup20, dup39, @@ -3215,7 +3215,7 @@ var part245 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server wi var msg292 = msg("SERVER_REMOVED", part245); -var part246 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface}is down %{info}", processor_chain([ +var part246 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ dup24, dup35, dup73, 
@@ -3227,7 +3227,7 @@ var part246 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload" var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part246); -var part247 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname}is operationally individual", processor_chain([ +var part247 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ dup8, dup2, dup3, @@ -3237,7 +3237,7 @@ var part247 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{p var msg294 = msg("PORT_INDIVIDUAL", part247); -var part248 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down %{info}", processor_chain([ +var part248 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ dup24, dup35, dup39, @@ -3250,7 +3250,7 @@ var part248 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload" var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part248); -var part249 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface}is being recovered from error disabled state %{info}", processor_chain([ +var part249 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ dup23, dup2, dup3, @@ -3260,7 +3260,7 @@ var part249 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Inter var msg296 = msg("IF_ERRDIS_RECOVERY", part249); -var part250 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface}is detected", processor_chain([ +var part250 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ dup31, dup2, dup3, 
@@ -3270,7 +3270,7 @@ var part250 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part250); -var part251 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47}is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ +var part251 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ dup31, dup2, dup3, @@ -3292,7 +3292,7 @@ var part252 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configu var msg299 = msg("READCONF_STARTED", part252); -var part253 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47}is running with less memory than active supervisor in slot %{fld48}", processor_chain([ +var part253 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ dup31, dup2, dup3, @@ -3346,7 +3346,7 @@ var part257 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload" var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part257); -var part258 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49}started", processor_chain([ +var part258 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ dup31, dup16, dup39, 
@@ -3358,7 +3358,7 @@ var part258 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", var msg305 = msg("LCM_MODULE_UPGRADE_START", part258); -var part259 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49}ended", processor_chain([ +var part259 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ dup31, dup2, dup3, @@ -3381,7 +3381,7 @@ var part260 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recie var msg307 = msg("FIPS_POST_INFO_MSG", part260); -var part261 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name}is configured", processor_chain([ +var part261 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ dup31, dup35, dup39, @@ -3408,7 +3408,7 @@ var part262 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: var msg309 = msg("SYN_COLL_DIS_EN", part262); -var part263 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device}Off-line (Serial Number %{fld42})", processor_chain([ +var part263 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ dup31, dup2, dup3, @@ -3418,7 +3418,7 @@ var part263 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{ var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part263); -var part264 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device}On-line", processor_chain([ +var part264 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ dup31, dup2, dup3, 
@@ -3428,7 +3428,7 @@ var part264 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{d var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part264); -var part265 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device}is online", processor_chain([ +var part265 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ dup31, dup2, dup3, @@ -3438,7 +3438,7 @@ var part265 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{devi var msg312 = msg("FEX_STATUS_online", part265); -var part266 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device}is offline", processor_chain([ +var part266 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ dup31, dup2, dup3, @@ -3453,7 +3453,7 @@ var select40 = linear_select([ msg313, ]); -var part267 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41}present but all AC/DC inputs are not connected, power redundancy might be affected ", processor_chain([ +var part267 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected ", processor_chain([ dup74, dup39, dup73, @@ -3478,7 +3478,7 @@ var part268 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Pow var msg315 = msg("PS_RED_MODE_RESTORED", part268); -var part269 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41}will not be powered up (Serial number %{fld42})", processor_chain([ +var part269 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ dup1, dup2, dup3, 
@@ -3488,7 +3488,7 @@ var part269 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part269); -var part270 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device}pinning information is changed", processor_chain([ +var part270 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ dup31, dup16, dup39, @@ -3500,7 +3500,7 @@ var part270 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device var msg317 = msg("PINNING_CHANGED", part270); -var part271 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device}Module %{fld41}: Cold boot", processor_chain([ +var part271 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ dup31, dup2, dup3, @@ -3510,7 +3510,7 @@ var part271 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device}Module var msg318 = msg("SATCTRL", part271); -var part272 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51}[%{fld52}] Client %{fld43}register more than once with same pid%{info}", processor_chain([ +var part272 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ dup1, dup2, dup3, @@ -3520,7 +3520,7 @@ var part272 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51}[%{ var msg319 = msg("DUP_REGISTER", part272); -var part273 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51}[%{fld52}] Unknown mtype: %{info}", processor_chain([ +var part273 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ dup1, dup2, dup3, 
@@ -3541,7 +3541,7 @@ var part274 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} var msg321 = msg("SATCTRL_IMAGE", part274); -var part275 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51}[%{fld52}] %{event_description}", processor_chain([ +var part275 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ dup1, setc("ec_subject","Process"), dup14, @@ -3561,7 +3561,7 @@ var part276 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_desc var msg323 = msg("SENSOR_MSG1", part276); -var part277 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51}[%{fld52}] %{event_description}", processor_chain([ +var part277 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ dup31, dup2, dup3, @@ -3570,7 +3570,7 @@ var part277 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld var msg324 = msg("API_INIT_SEM_CLEAR", part277); -var part278 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51}has come online", processor_chain([ +var part278 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ dup31, dup2, dup3, @@ -3580,7 +3580,7 @@ var part278 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51}h var msg325 = msg("VDC_ONLINE", part278); -var part279 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname}of port-channel %{interface}not receiving any LACP BPDUs %{result}", processor_chain([ +var part279 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ dup78, dup35, dup79, 
@@ -3603,7 +3603,7 @@ var part280 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{inf var msg327 = msg("dstats", part280); -var part281 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52}[VSAN %{fld51}, Interface %{interface}: %{fld53}Nx Port %{portname}logged OUT.", processor_chain([ +var part281 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ dup78, dup35, setc("ec_activity","Logoff"), @@ -3615,7 +3615,7 @@ var part281 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fl var msg328 = msg("MSG_PORT_LOGGED_OUT", part281); -var part282 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52}[VSAN %{fld51}, Interface %{interface}: %{fld53}Nx Port %{portname}with FCID %{fld54}logged IN.", processor_chain([ +var part282 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ dup78, dup35, dup13, @@ -3629,7 +3629,7 @@ var msg329 = msg("MSG_PORT_LOGGED_IN", part282); var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup97); -var part283 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52}Zone merge failure, isolating interface %{interface}reason: %{result}:[%{resultcode}]", processor_chain([ +var part283 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ dup24, dup35, dup36, 
@@ -3643,7 +3643,7 @@ var msg331 = msg("ZS_MERGE_FAILED", part283); var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup97); -var part284 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname}in vlan %{vlan}is flapping between port %{change_old}and port %{change_new->} ", processor_chain([ +var part284 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new->} ", processor_chain([ dup24, dup35, dup36, @@ -3676,7 +3676,7 @@ var part286 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_descriptio var msg335 = msg("ERROR", part286); -var part287 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent}[%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr}on %{interface}", processor_chain([ +var part287 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ dup78, dup35, dup79, @@ -3689,7 +3689,7 @@ var part287 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent}[%{proc var msg336 = msg("INVAL_IP", part287); -var part288 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1}times in last %{duration}", processor_chain([ +var part288 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ dup1, dup2, dup3, 
@@ -3802,7 +3802,7 @@ var part298 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_descri var msg347 = msg("PFM_ALERT", part298); -var part299 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service}acquired on WCCP Client %{saddr}", processor_chain([ +var part299 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ dup62, dup2, dup3, @@ -3812,7 +3812,7 @@ var part299 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{s var msg348 = msg("SERVICEFOUND", part299); -var part300 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service}acquired on WCCP Router %{saddr}", processor_chain([ +var part300 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ dup62, dup2, dup3, @@ -3822,7 +3822,7 @@ var part300 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{se var msg349 = msg("ROUTERFOUND", part300); -var part301 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost}- %{agent}", processor_chain([ +var part301 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ dup5, dup2, dup3, @@ -3832,7 +3832,7 @@ var part301 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "p var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part301); -var part302 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username}- %{agent}", processor_chain([ +var part302 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ dup18, dup2, dup12, 
@@ -3843,7 +3843,7 @@ var part302 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "N var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part302); -var part303 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service}pid=%{process_id}from=::ffff:%{saddr}- %{agent}", processor_chain([ +var part303 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ dup10, dup2, dup12, @@ -3853,7 +3853,7 @@ var part303 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part303); -var part304 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username}by (uid=%{uid}) - %{agent}", processor_chain([ +var part304 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ dup10, dup2, dup12, @@ -3878,7 +3878,7 @@ var part305 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error var msg354 = msg("%USER-3-SYSTEM_MSG", part305); -var part306 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username}from %{saddr}- %{agent}", processor_chain([ +var part306 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ dup5, dup2, dup3, 
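Review bot: The `%AUTHPRIV-6-SYSTEM_MSG:01` pattern in hunk @@ -3843 keeps the literal `from=::ffff:` in front of `%{saddr->}`, so it only matches a session line whose peer is written as an IPv4-mapped IPv6 address; a native IPv6 peer or a plain dotted-quad `from=` value presumably does not match this variant at all and the event then carries no `saddr`. If both spellings occur in this device's output, a second variant (or a `from=%{saddr->}` that accepts either form) would be needed, with a fixture line for each so the `source` fields derived from `saddr` are covered by the module tests. The READMEs touched in this commit say these parsers are generated from the RSA NetWitness XML, so any pattern change belongs in the generator input rather than in this file.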
@@ -3888,7 +3888,7 @@ var part306 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Inval var msg355 = msg("%USER-6-SYSTEM_MSG", part306); -var part307 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username}- %{agent}", processor_chain([ +var part307 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ dup5, dup2, dup3, @@ -3898,7 +3898,7 @@ var part307 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "in var msg356 = msg("%USER-6-SYSTEM_MSG:01", part307); -var part308 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username}from %{saddr}port %{sport->} %{protocol}- %{agent}", processor_chain([ +var part308 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ dup5, dup2, dup3, @@ -3908,7 +3908,7 @@ var part308 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Fa var msg357 = msg("%USER-6-SYSTEM_MSG:02", part308); -var part309 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username}from %{saddr}port %{sport->} %{protocol}- %{agent}", processor_chain([ +var part309 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ dup84, dup2, dup3, 
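Review bot: In the `%USER-6-SYSTEM_MSG:02` and `:03` patterns (hunks @@ -3898 and @@ -3908; the same shape appears in `%USER-6-SYSTEM_MSG` at @@ -3878 and `:01` at @@ -3888 on the previous hunk line), `%{username->}` is captured immediately before the literal ` from %{saddr->} port %{sport->}`, and the username in an sshd "invalid user" line is whatever the remote client sent. Whether a username that itself contains ` from ` shifts what ends up in `saddr` and `sport` depends on how the generated matcher anchors the trailing ` - %{agent}`, which is not visible here; a fixture line with such a username would settle this before detection rules rely on `saddr` from these events. As the READMEs in this commit indicate the parser is generated from RSA XML, a fix, if one turns out to be needed, belongs in the generator input rather than in this file.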
@@ -3928,7 +3928,7 @@ var part310 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "la var msg359 = msg("%USER-6-SYSTEM_MSG:04", part310); -var part311 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type}- %{agent}", processor_chain([ +var part311 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ dup84, dup2, dup3, @@ -3938,7 +3938,7 @@ var part311 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Co var msg360 = msg("%USER-6-SYSTEM_MSG:05", part311); -var part312 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description}- %{agent}", processor_chain([ +var part312 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ dup84, dup2, dup3, @@ -3957,7 +3957,7 @@ var select43 = linear_select([ msg361, ]); -var part313 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan}for %{duration}s due to too many mac moves", processor_chain([ +var part313 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ dup31, dup2, dup4, @@ -3975,7 +3975,7 @@ var part314 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.paylo var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part314); -var part315 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1}is %{disposition}, ps-redundancy might be affected", processor_chain([ +var part315 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ dup1, dup2, dup4, 
@@ -3983,7 +3983,7 @@ var part315 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply % var msg364 = msg("PS_ABSENT", part315); -var part316 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1}detected but %{disposition}(Serial number %{serial_number})", processor_chain([ +var part316 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ dup1, dup2, dup4, @@ -3991,7 +3991,7 @@ var part316 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply % var msg365 = msg("PS_DETECT", part316); -var part317 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result}(%{resultcode}).", processor_chain([ +var part317 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ dup1, dup2, dup4, @@ -3999,7 +3999,7 @@ var part317 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"Sys var msg366 = msg("SUBPROC_TERMINATED", part317); -var part318 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result}(%{resultcode}).", processor_chain([ +var part318 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ dup15, dup2, dup4, 
@@ -4017,7 +4017,7 @@ var part319 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on var msg368 = msg("UPDOWN", part319); -var part320 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr}in vlan %{vlan}has moved between %{change_old}to %{change_new}", processor_chain([ +var part320 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ dup31, dup2, dup4, @@ -4044,7 +4044,7 @@ var part322 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power su var msg371 = msg("PS_RED_MODE_CHG", part322); -var part323 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent}[%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr}on %{vlan}", processor_chain([ +var part323 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ dup64, dup2, dup4, @@ -4052,7 +4052,7 @@ var part323 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent}[%{pro var msg372 = msg("INVAL_MAC", part323); -var part324 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old}to %{change_new}in vdc %{fld1}.", processor_chain([ +var part324 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ dup15, dup2, dup4, 
@@ -4069,7 +4069,7 @@ var part325 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description var msg374 = msg("INFO", part325); -var part326 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1}started with PID(%{process_id}).", processor_chain([ +var part326 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ dup15, dup2, dup4, @@ -4080,7 +4080,7 @@ var part326 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service var msg375 = msg("SERVICE_STARTED", part326); -var part327 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process}[%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr}on %{vlan}with destination set to our local Virtual ip, %{saddr}", processor_chain([ +var part327 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ dup8, dup2, dup3, @@ -4090,7 +4090,7 @@ var part327 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{ var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part327); -var part328 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process}[%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr}on %{vlan}with destination set to our local ip, %{saddr}", processor_chain([ +var part328 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ dup8, dup2, dup3, 
@@ -4431,7 +4431,7 @@ var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Pro var part349 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); -var part350 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space}Hit-count = %{dclass_counter1}"); +var part350 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); 
@@ -4463,28 +4463,28 @@ var part360 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", " dup4, ])); -var part361 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var part361 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var part362 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result})", processor_chain([ +var part362 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var part363 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var part363 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part364 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface}is down (%{result})", processor_chain([ +var part364 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup25, dup2, dup3, 
@@ -4510,14 +4510,14 @@ var part366 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{ev dup4, ])); -var part367 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43}Interface %{interface}is down (%{result}) ", processor_chain([ +var part367 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result}) ", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part368 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52}Interface %{interface}is down (%{result})", processor_chain([ +var part368 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup35, dup36, @@ -4578,7 +4578,7 @@ var part371 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface dup4, ])); -var part372 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43}Interface %{interface}is down%{info}", processor_chain([ +var part372 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ dup24, dup2, dup3, diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md index 55d5668065d..a07643c8325 100644 --- a/x-pack/filebeat/module/citrix/README.md +++ b/x-pack/filebeat/module/citrix/README.md @@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 -at 2020-07-07 18:10:43.76927 +0000 UTC. +at 2020-07-08 13:58:34.055884 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md index a225855204f..06867780bbc 100644 --- a/x-pack/filebeat/module/cylance/README.md +++ b/x-pack/filebeat/module/cylance/README.md 
@@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 -at 2020-07-07 18:10:44.005162 +0000 UTC. +at 2020-07-08 13:58:34.305443 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/protect/config/pipeline.js b/x-pack/filebeat/module/cylance/protect/config/pipeline.js index d5ad15e9e1f..710049b61d0 100644 --- a/x-pack/filebeat/module/cylance/protect/config/pipeline.js +++ b/x-pack/filebeat/module/cylance/protect/config/pipeline.js @@ -63,7 +63,7 @@ var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Ev var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); -var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname}(%{mail_id})"); +var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); var dup6 = setc("eventcategory","1901000000"); 
@@ -150,22 +150,22 @@ var dup30 = linear_select([ dup14, ]); -var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2}\u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname}CylancePROTECT %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ setc("header_id","0001"), dup1, ])); -var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname}CylancePROTECT %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname}CylancePROTECT %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ setc("header_id","0004"), dup1, ])); -var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost}CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ setc("header_id","0003"), dup1, ])); 
@@ -269,7 +269,7 @@ var select6 = linear_select([ part13, ]); -var part14 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname}(%{mail_id})"); +var part14 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all3 = all_match({ processors: [ @@ -290,7 +290,7 @@ var all3 = all_match({ var msg3 = msg("CylancePROTECT:03", all3); -var part15 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname}(%{mail_id})"); +var part15 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all4 = all_match({ processors: [ @@ -340,7 +340,7 @@ var all5 = all_match({ var msg5 = msg("CylancePROTECT:05", all5); -var part19 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node}was auto assigned to the Zone: IP Address: %{p0}"); +var part19 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); var part20 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); @@ -353,11 +353,9 @@ var select8 = linear_select([ var part22 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); -var part23 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); - var select9 = linear_select([ part22, - part23, + dup5, ]); var all6 = all_match({ 
@@ -379,22 +377,22 @@ var all6 = all_match({ var msg6 = msg("CylancePROTECT:06", all6); -var part24 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); +var part23 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); -var part25 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); +var part24 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); var select10 = linear_select([ + part23, part24, - part25, ]); -var part26 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); +var part25 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); var all7 = all_match({ processors: [ dup2, select10, - part26, + part25, ], on_success: processor_chain([ dup6, 
@@ -407,22 +405,22 @@ var all7 = all_match({ var msg7 = msg("CylancePROTECT:07", all7); -var part27 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); +var part26 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); -var part28 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); +var part27 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); var select11 = linear_select([ + part26, part27, - part28, ]); -var part29 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); +var part28 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); var all8 = all_match({ processors: [ dup2, select11, - part29, + part28, ], on_success: processor_chain([ dup6, 
@@ -435,12 +433,12 @@ var all8 = all_match({ var msg8 = msg("CylancePROTECT:08", all8); -var part30 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}(%{fld3}), Zone Names: %{p0}"); +var part29 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); -var part31 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); +var part30 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); var select12 = linear_select([ - part31, + part30, dup14, ]); @@ -448,7 +446,7 @@ var all9 = all_match({ processors: [ dup2, dup27, - part30, + part29, select12, ], on_success: processor_chain([ 
@@ -462,22 +460,22 @@ var all9 = all_match({ var msg9 = msg("CylancePROTECT:09", all9); -var part32 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); +var part31 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); -var part33 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); +var part32 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); var select13 = linear_select([ + part31, part32, - part33, ]); -var part34 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype->} "); +var part33 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype->} "); var all10 = all_match({ processors: [ dup2, select13, - part34, + part33, ], on_success: processor_chain([ dup6, 
@@ -490,22 +488,22 @@ var all10 = all_match({ var msg10 = msg("CylancePROTECT:10", all10); -var part35 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); +var part34 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); -var part36 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); +var part35 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); var select14 = linear_select([ + part34, part35, - part36, ]); -var part37 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); +var part36 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); var all11 = all_match({ processors: [ dup2, select14, - part37, + part36, ], on_success: processor_chain([ dup6, @@ -517,13 +515,13 @@ var all11 = all_match({ var msg11 = msg("CylancePROTECT:11", all11); -var part38 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); +var part37 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); var all12 = all_match({ processors: [ dup2, dup28, - part38, + part37, ], on_success: processor_chain([ dup6, 
@@ -535,13 +533,13 @@ var all12 = all_match({ var msg12 = msg("CylancePROTECT:15", all12); -var part39 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname}(%{mail_id})"); +var part38 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all13 = all_match({ processors: [ dup2, dup28, - part39, + part38, ], on_success: processor_chain([ dup6, @@ -553,13 +551,13 @@ var all13 = all_match({ var msg13 = msg("CylancePROTECT:14", all13); -var part40 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); +var part39 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); var all14 = all_match({ processors: [ dup2, dup28, - part40, + part39, dup29, ], on_success: processor_chain([ 
@@ -572,13 +570,13 @@ var all14 = all_match({ var msg14 = msg("CylancePROTECT:13", all14); -var part41 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); +var part40 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); var all15 = all_match({ processors: [ dup2, dup28, - part41, + part40, dup29, ], on_success: processor_chain([ @@ -591,13 +589,13 @@ var all15 = all_match({ var msg15 = msg("CylancePROTECT:16", all15); -var part42 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); +var part41 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); var all16 = all_match({ processors: [ dup2, dup27, - part42, + part41, ], on_success: processor_chain([ dup6, 
@@ -609,25 +607,25 @@ var all16 = all_match({ var msg16 = msg("CylancePROTECT:25", all16); -var part43 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); +var part42 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); -var part44 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); +var part43 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); -var part45 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); +var part44 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); -var part46 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); +var part45 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); var select15 = linear_select([ + part43, part44, part45, - part46, ]); var all17 = all_match({ processors: [ dup2, dup28, - part43, + part42, select15, ], on_success: processor_chain([ 
@@ -640,20 +638,20 @@ var all17 = all_match({ var msg17 = msg("CylancePROTECT:12", all17); -var part47 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); +var part46 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); -var part48 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); +var part47 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); -var part49 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); +var part48 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); var select16 = linear_select([ + part47, part48, - part49, ]); var all18 = all_match({ processors: [ - part47, + part46, select16, ], on_success: processor_chain([ 
@@ -666,27 +664,27 @@ var all18 = all_match({ var msg18 = msg("CylancePROTECT:17", all18); -var part50 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ +var part49 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ dup6, dup19, dup25, dup26, ])); -var msg19 = msg("CylancePROTECT:18", part50); +var msg19 = msg("CylancePROTECT:18", part49); -var part51 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); +var part50 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); -var part52 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); +var part51 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); var select17 = linear_select([ - part52, + part51, dup14, ]); var all19 = all_match({ processors: [ - part51, + part50, select17, ], on_success: processor_chain([ 
@@ -699,37 +697,37 @@ var all19 = all_match({ var msg20 = msg("CylancePROTECT:19", all19); -var part53 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); +var part52 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); -var part54 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); +var part53 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); -var part55 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); +var part54 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); var select18 = linear_select([ + part53, part54, - part55, ]); -var part56 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); +var part55 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); -var part57 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); +var part56 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); -var part58 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); +var part57 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); var select19 = linear_select([ + part56, part57, - part58, ]); -var part59 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); +var part58 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); var all20 = all_match({ processors: [ - part53, + part52, select18, - part56, + part55, select19, - part59, + part58, ], on_success: processor_chain([ dup6, 
@@ -741,7 +739,7 @@ var all20 = all_match({ var msg21 = msg("CylancePROTECT:20", all20); -var part60 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ +var part59 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ dup6, dup19, dup25, 
@@ -755,22 +753,22 @@ var part60 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Na }), ])); -var msg22 = msg("CylancePROTECT:21", part60); +var msg22 = msg("CylancePROTECT:21", part59); -var part61 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); +var part60 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); -var part62 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); +var part61 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); -var part63 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); +var part62 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); var select20 = linear_select([ + part61, part62, - part63, ]); var all21 = all_match({ processors: [ - part61, + part60, select20, dup30, ], 
@@ -784,29 +782,29 @@ var all21 = all_match({ var msg23 = msg("CylancePROTECT:22", all21); -var part64 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ +var part63 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ dup6, dup19, dup25, dup26, ])); -var msg24 = msg("CylancePROTECT:23", part64); +var msg24 = msg("CylancePROTECT:23", part63); -var part65 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname}(%{p0}"); +var part64 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); -var part66 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); +var part65 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); -var part67 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); +var part66 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); var select21 = linear_select([ + part65, part66, - part67, ]); var all22 = all_match({ processors: [ - part65, + part64, select21, ], on_success: processor_chain([ 
@@ -819,11 +817,11 @@ var all22 = all_match({ var msg25 = msg("CylancePROTECT:24", all22); -var part68 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4}to '%{policyname}', User: %{user_fname->} %{user_lname}(%{mail_id}), Zone Names:%{p0}"); +var part67 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); var all23 = all_match({ processors: [ - part68, + part67, dup30, ], on_success: processor_chain([ 
@@ -836,31 +834,31 @@ var all23 = all_match({ var msg26 = msg("CylancePROTECT:26", all23); -var part69 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); +var part68 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); -var part70 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); +var part69 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); -var part71 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); +var part70 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); var select22 = linear_select([ + part69, part70, - part71, ]); -var part72 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname}(%{mail_id}), Zone Names:%{p0}"); +var part71 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); -var part73 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); +var part72 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); var select23 = linear_select([ - part73, + part72, dup14, ]); var all24 = all_match({ processors: [ - part69, + part68, select22, - part72, + part71, select23, ], on_success: processor_chain([ 
@@ -873,24 +871,24 @@ var all24 = all_match({ var msg27 = msg("CylancePROTECT:27", all24); -var part74 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); +var part73 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); -var part75 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); +var part74 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); -var part76 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); +var part75 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); var select24 = linear_select([ + part74, part75, - part76, ]); -var part77 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info}Device Id: %{fld3}"); +var part76 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); var all25 = all_match({ processors: [ - part74, + part73, select24, - part77, + part76, ], on_success: processor_chain([ dup6, 
@@ -940,31 +938,31 @@ var chain1 = processor_chain([ }), ]); -var part78 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); +var part77 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); -var part79 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); +var part78 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); -var part80 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); +var part79 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); -var part81 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname}(%{mail_id})"); +var part80 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); -var part82 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); +var part81 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); -var part83 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); +var part82 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); -var part84 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); +var part83 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); -var part85 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); +var part84 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); -var part86 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); +var 
part85 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); -var part87 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); +var part86 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); -var part88 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); +var part87 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); -var part89 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); +var part88 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); -var part90 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); +var part89 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); var select26 = linear_select([ dup3, diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index e4101954f32..8ed14fe22c2 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -1886,14 +1886,12 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", - "rsa.identity.firstname": "", - "rsa.identity.lastname": "", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", + "rsa.investigations.event_vcat": "AuditLog", "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "ever", + "rsa.misc.node": "reetdo", "rsa.network.alias_host": [ "serrorsi1096.www5.localdomain" ], 
@@ -2895,20 +2893,24 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.ip": [ + "10.59.232.97" + ], "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", - "rsa.identity.firstname": "", - "rsa.identity.lastname": "", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", + "rsa.investigations.event_vcat": "AuditLog", "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "niam", + "rsa.misc.node": "dolor", "rsa.network.alias_host": [ "dolo6230.mail.invalid" ], "rsa.time.event_time": "2019-05-13T11:45:57.000Z", "service.type": "cylance", + "source.ip": [ + "10.59.232.97" + ], "tags": [ "cylance.protect", "forwarded" @@ -3396,20 +3398,24 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.ip": [ + "10.138.85.233" + ], "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", - "rsa.identity.firstname": "", - "rsa.identity.lastname": "", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502000000, "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": " AuditLog", + "rsa.investigations.event_vcat": "AuditLog", "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "orisnis", + "rsa.misc.node": "datatno", "rsa.network.alias_host": [ "perna6751.internal.home" ], "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "cylance", + "source.ip": [ + "10.138.85.233" + ], "tags": [ "cylance.protect", "forwarded" diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index 9c5a174994d..7a6b15bbc30 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md 
@@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-07 18:10:42.301446 +0000 UTC. +at 2020-07-08 13:58:32.565997 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js b/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js index d7d30e2ffe8..d30cd35fc67 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js @@ -201,7 +201,7 @@ var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} }), ])); -var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}/%{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", @@ -222,7 +222,7 @@ var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} field("hfld4"), constant("]: "), field("messageid"), - constant("/"), + constant(" /"), field("payload"), ], }), 
@@ -351,21 +351,21 @@ var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2- var msg13 = msg("01490102", part14); -var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod}authentication for user %{username}using config %{fld8}", processor_chain([ +var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ dup5, dup2, ])); var msg14 = msg("01490000:02", part15); -var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode}in response header", processor_chain([ +var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ dup6, dup2, ])); var msg15 = msg("01490000:01", part16); -var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %(unknown)func: \"%{action}\" line: %{fld8}Msg: %{result}", processor_chain([ +var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ dup5, dup2, ])); 
@@ -402,7 +402,7 @@ var select5 = linear_select([ part21, ]); -var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr}(ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); +var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); @@ -431,14 +431,14 @@ var all2 = all_match({ var msg19 = msg("01490500", all2); -var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8}from item %{fld9}to ending %{fld10}", processor_chain([ +var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ dup7, dup2, ])); var msg20 = msg("01490005", part26); -var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8}from item '%{fld9}' to item '%{fld10}'", processor_chain([ +var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ dup7, dup2, ])); 
@@ -452,7 +452,7 @@ var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2- var msg22 = msg("01490007", part28); -var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application}assigned", processor_chain([ +var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ dup3, dup2, ])); @@ -484,7 +484,7 @@ var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2- var msg28 = msg("01490142", part32); -var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn}can not be resolved.", processor_chain([ +var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ dup8, dup2, ])); 
@@ -564,14 +564,14 @@ var select9 = linear_select([ msg35, ]); -var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application}assigned", processor_chain([ +var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ dup5, dup2, ])); var msg36 = msg("01490128", part43); -var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8}configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ +var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ dup10, dup2, setc("dclass_counter1_string","Newly active generation count"), @@ -586,7 +586,7 @@ var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2- var msg38 = msg("01490103", part45); -var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename}from item %{fld9}to terminalout %{fld10}", processor_chain([ +var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ dup7, dup2, ])); 
@@ -638,7 +638,7 @@ var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2- var msg44 = msg("01490544", part51); -var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8}with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ +var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ dup7, dup2, setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), @@ -646,7 +646,7 @@ var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2- var msg45 = msg("01490511", part52); -var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8}form %{fld9}", processor_chain([ +var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ dup7, dup2, setc("disposition","Succeeded"), 
@@ -654,7 +654,7 @@ var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2- var msg46 = msg("014d0002", part53); -var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8}form %{fld9}", processor_chain([ +var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ dup7, dup2, setc("disposition","Failed"), 
@@ -674,49 +674,49 @@ var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2- var msg48 = msg("01490079", part55); -var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8}initialized with configuration snapshot catalog: %{fld9}", processor_chain([ +var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ dup7, dup2, ])); var msg49 = msg("01490165", part56); -var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8}retrieved from session db for access profile: %{fld9}", processor_chain([ +var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ dup7, dup2, ])); var msg50 = msg("01490166", part57); -var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8}updated inside session db for access profile: %{fld9}", processor_chain([ +var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ dup7, dup2, ])); var msg51 = msg("01490167", part58); -var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8}added for access profile: %{fld9}", 
processor_chain([ +var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ dup7, dup2, ])); var msg52 = msg("01490169", part59); -var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8}for access profile: %{fld9}", processor_chain([ +var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ dup7, dup2, ])); var msg53 = msg("0149016a", part60); -var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8}for access profile: %{fld9}", processor_chain([ +var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ dup7, dup2, ])); var msg54 = msg("0149016b", part61); -var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr}- %{p0}"); +var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); 
@@ -744,7 +744,7 @@ var all4 = all_match({ var msg55 = msg("ssl_acc", all4); -var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type}\"%{url}\" %{rbytes}", processor_chain([ +var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ dup13, dup14, dup2, @@ -752,7 +752,7 @@ var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2-> var msg56 = msg("ssl_req", part66); -var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes}\"%{fld7}\" \"%{user_agent}\"", processor_chain([ +var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ dup13, dup14, dup2, 
@@ -789,7 +789,7 @@ var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} var msg61 = msg("sSMTP", part70); -var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid}user=%{username}folder=%{directory}module=%{fld6}status=%{result}cmd_data=%{info->} ", processor_chain([ +var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info->} ", processor_chain([ dup16, dup2, ])); @@ -822,7 +822,7 @@ var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} var msg65 = msg("auditd", part74); -var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod}usernameSource: %{fld9}passwordSource: %{fld10}ntlmdomain: %{c_domain}", processor_chain([ +var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ dup5, dup2, ])); 
@@ -866,7 +866,7 @@ var select16 = linear_select([ var msg69 = msg("014d0044", dup20); -var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr}Tunnel Type: %{group->} %{fld8}Resource: %{rulename}Client IP: %{p0}"); +var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); @@ -890,7 +890,7 @@ var all6 = all_match({ var msg70 = msg("01490549", all6); -var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result}for %{saddr}", processor_chain([ +var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ dup3, dup2, ])); 
@@ -904,14 +904,14 @@ var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2- var msg72 = msg("01490517", part84); -var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result}(Client side: vip=%{url}profile=%{protocol}pool=%{fld8}client_ip=%{saddr})", processor_chain([ +var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ dup3, dup2, ])); var msg73 = msg("011f0005", part85); -var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename}\u003c\u003c%{event_description}>: APM_EVENT=%{action}| %{username}| %{fld8}***%{result}***", processor_chain([ +var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ dup3, dup2, ])); 
@@ -934,7 +934,7 @@ var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2- var msg77 = msg("01260009", part88); -var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4}/Common/home_agent_tca:Common:%{fld5}: %{fld6}- Hostname: %{shost}Type: %{fld7}Version: %{version}Platform: %{os}CPU: %{fld8}Mode:%{fld9}", processor_chain([ +var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ dup15, dup2, dup17, @@ -942,7 +942,7 @@ var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2-> var msg78 = msg("apmd:04", part89); -var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4}/Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ +var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ dup9, dup2, dup17, 
@@ -950,7 +950,7 @@ var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2-> var msg79 = msg("apmd:03", part90); -var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4}/Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); +var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); diff --git a/x-pack/filebeat/module/f5/firepass/config/pipeline.js b/x-pack/filebeat/module/f5/firepass/config/pipeline.js index e96a881c686..0a598f79266 100644 --- a/x-pack/filebeat/module/f5/firepass/config/pipeline.js +++ b/x-pack/filebeat/module/f5/firepass/config/pipeline.js @@ -134,7 +134,7 @@ var part3 = match("MESSAGE#2:firepass:03", "nwparser.payload", "Finished using % var msg3 = msg("firepass:03", part3); -var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2}to Remote Host:%{dhost}", processor_chain([ +var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2->} to Remote Host:%{dhost}", processor_chain([ dup7, dup3, dup4, @@ -142,7 +142,7 @@ var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2}to R var msg4 = msg("firepass:04", part4); -var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1}= %{fld2}", processor_chain([ +var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1->} = %{fld2}", processor_chain([ setc("eventcategory","1701020000"), dup3, dup4, 
@@ -252,7 +252,7 @@ var part16 = match("MESSAGE#15:GarbageCollection:04", "nwparser.payload", "apach var msg16 = msg("GarbageCollection:04", part16); -var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2}already started with pid %{process_id}", processor_chain([ +var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2->} already started with pid %{process_id}", processor_chain([ dup8, dup3, ])); @@ -288,7 +288,7 @@ var part21 = match("MESSAGE#20:GarbageCollection:09", "nwparser.payload", "can n var msg21 = msg("GarbageCollection:09", part21); -var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1}services", processor_chain([ +var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1->} services", processor_chain([ dup11, dup3, setc("event_description","timeout happened. restarting services"), @@ -309,7 +309,7 @@ var select3 = linear_select([ msg22, ]); -var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %(unknown). %{info}Server returned:%{result}", processor_chain([ +var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %(unknown). %{info->} Server returned:%{result}", processor_chain([ dup11, dup3, dup4, @@ -336,7 +336,7 @@ var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Acc var msg25 = msg("maintenance:03", part25); -var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2}on %{fqdn}:%{network_port->} ", processor_chain([ +var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port->} ", processor_chain([ dup11, dup3, dup4, 
@@ -396,7 +396,7 @@ var select5 = linear_select([ msg30, ]); -var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username}logged on from %{p0}"); +var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username->} logged on from %{p0}"); var part32 = match("MESSAGE#30:security:01/1_0", "nwparser.p0", "%{saddr->} to %{daddr->} Sid = %{sessionid->} "); @@ -437,7 +437,7 @@ var select7 = linear_select([ part37, ]); -var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username}failed to log on from %{saddr}"); +var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username->} failed to log on from %{saddr}"); var all2 = all_match({ processors: [ @@ -467,7 +467,7 @@ var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful pas var msg33 = msg("security:03", part39); -var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1}consecutive authentication failures happened within %{fld2}min. Last Source IP Address: %{saddr->} %{info}", processor_chain([ +var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1->} consecutive authentication failures happened within %{fld2->} min. Last Source IP Address: %{saddr->} %{info}", processor_chain([ dup16, dup14, dup15, @@ -488,7 +488,7 @@ var part41 = match("MESSAGE#34:security:05", "nwparser.payload", "User [%{action var msg35 = msg("security:05", part41); -var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username}attempted to access admin account", processor_chain([ +var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username->} attempted to access admin account", processor_chain([ dup18, dup5, dup14, 
@@ -499,7 +499,7 @@ var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administra var msg36 = msg("security:06", part42); -var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username}exceeded the allowed number of concurrent logons", processor_chain([ +var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username->} exceeded the allowed number of concurrent logons", processor_chain([ dup16, dup5, dup14, @@ -511,7 +511,7 @@ var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{usernam var msg37 = msg("security:07", part43); -var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username}from %{saddr}presented with challenge", processor_chain([ +var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username->} from %{saddr->} presented with challenge", processor_chain([ dup19, dup5, dup3, @@ -520,7 +520,7 @@ var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{usernam var msg38 = msg("security:08", part44); -var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1}from source IP address %{saddr}for URI=[%{fld2}]%{info}", processor_chain([ +var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1->} from source IP address %{saddr->} for URI=[%{fld2}]%{info}", processor_chain([ dup19, dup5, dup3, @@ -549,7 +549,7 @@ var part46 = match("MESSAGE#39:httpd", "nwparser.payload", "scr_monitor: %{fld1} var msg40 = msg("httpd", part46); -var part47 = match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1}is not exceeded", processor_chain([ +var part47 = match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1->} is not exceeded", processor_chain([ dup8, dup3, dup4, 
@@ -557,7 +557,7 @@ var part47 = match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge log var msg41 = msg("Miscellaneous:01", part47); -var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1}logon records", processor_chain([ +var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1->} logon records", processor_chain([ dup8, dup3, dup4, @@ -597,7 +597,7 @@ var select9 = linear_select([ msg45, ]); -var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1}SRC=%{saddr}DST=%{daddr->} %{info}PROTO=%{protocol}SPT=%{sport}DPT=%{dport->} %{fld3}", processor_chain([ +var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ dup8, dup3, ])); @@ -632,7 +632,7 @@ var part56 = match("MESSAGE#49:kernel:04", "nwparser.payload", "kernel: cdrom: o var msg50 = msg("kernel:04", part56); -var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1}SRC=%{saddr}DST=%{daddr->} %{info}PROTO=%{protocol}SPT=%{sport}DPT=%{dport->} %{fld3->} ", processor_chain([ +var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3->} ", processor_chain([ dup8, dup3, ])); 
@@ -656,14 +656,14 @@ var select10 = linear_select([ msg52, ]); -var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username}from %{saddr}port %{sport->} %{fld2}", processor_chain([ +var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username->} from %{saddr->} port %{sport->} %{fld2}", processor_chain([ setc("eventcategory","1401050100"), dup3, ])); var msg53 = msg("sshd", part59); -var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1}PPM from %{fld2}", processor_chain([ +var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1->} PPM from %{fld2}", processor_chain([ dup8, dup3, ])); @@ -706,7 +706,7 @@ var select11 = linear_select([ msg58, ]); -var part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2}connection to %{dhost}(%{daddr}):%{dport}terminated", processor_chain([ +var part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport->} terminated", processor_chain([ dup10, dup12, dup13, @@ -716,7 +716,7 @@ var part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c% var msg59 = msg("AppTunnel:01", part65); -var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2}connection to %{dhost}(%{daddr}):%{dport}", processor_chain([ +var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport}", processor_chain([ dup7, dup12, dup13, 
@@ -737,7 +737,7 @@ var part67 = match("MESSAGE#60:AppTunnel:03", "nwparser.payload", "\u003c\u003c% var msg61 = msg("AppTunnel:03", part67); -var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr}port %{dport}failed", processor_chain([ +var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr->} port %{dport->} failed", processor_chain([ dup7, dup12, dup13, @@ -765,7 +765,7 @@ var select12 = linear_select([ msg63, ]); -var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2}returned %{resultcode}", processor_chain([ +var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2->} returned %{resultcode}", processor_chain([ dup8, dup3, ])); @@ -779,7 +779,7 @@ var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username var msg65 = msg("/USR/SBIN/CRON", part71); -var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr}offset %{duration_string}", processor_chain([ +var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr->} offset %{duration_string}", processor_chain([ setc("eventcategory","1605030000"), dup3, ])); diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json index 8ba18eb4858..5a3b305c8d7 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json @@ -830,8 +830,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.117.146.33", - "10.46.158.31" + "10.46.158.31", + "10.117.146.33" ], "rsa.db.index": "dun", "rsa.internal.messageid": "kernel", @@ -2031,7 +2031,7 @@ "rsa.network.alias_host": [ "eufugi2923.internal.host" ], - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
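Review bot: The only change to `rsa.time.event_time` in the second hunk of this expected-output file is the year, 2019 to 2020, and nothing here suggests the corresponding input line changed; if the pipeline fills in a year that the log line lacks from the current clock, this expectation encodes the date the fixture was regenerated and will presumably fail again in 2021. Either give the fixture line an explicit year so the value is stable, or exclude `rsa.time.event_time` from the comparison for this dataset. The `related.ip` reorder in the first hunk looks like a side effect of the pattern changes above (the addresses presumably no longer carry a trailing space); a sentence in the commit message saying so would save the next reader from treating it as an unrelated edit.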
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js index f651cab3c91..713b1829de4 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js @@ -31,7 +31,7 @@ var dup7 = setc("action","deny"); var dup8 = setc("dclass_counter1_string","block_count"); -var dup9 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}proto=%{protocol}service=%{network_service}status=deny src=%{saddr}dst=%{daddr}src_port=%{sport}dst_port=%{dport}server_app=%{fld12}pid=%{process_id}app_name=%{fld14}traff_direct=%{direction}block_count=%{dclass_counter1}logon_user=%{username}@%{domain}msg=%{result}", processor_chain([ +var dup9 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ dup3, dup4, dup5, @@ -41,7 +41,7 @@ var dup9 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld dup8, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{hdate->} %{hhostname}proto=%{hprotocol}service=%{messageid}status=%{haction}src=%{hsaddr}dst=%{hdaddr}src_port=%{hsport}dst_port=%{hdport->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{payload}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", 
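Review bot: Renaming the third header capture from `hdate` to `htime` in `hdr1` (and in `hdr2`/`hdr3` in the following hunks, together with their `field()` reconstructions) is applied consistently, but the new name asserts what that token holds, and the lines this commit removes from the clientendpoint `generated.log` carry a date (`2016/01/29`) in that position. If the new fixture and the real device output put a time of day there, a one-line comment above `hdr1` such as `// third header token is a time of day, not a date; see the test fixture` would record why the field was renamed; otherwise the rename is misleading and `hdate` should stay.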
@@ -51,22 +51,22 @@ var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{hdate->} % constant(" "), field("hday"), constant(" "), - field("hdate"), + field("htime"), constant(" "), field("hhostname"), - constant("proto="), + constant(" proto="), field("hprotocol"), - constant("service="), + constant(" service="), field("messageid"), - constant("status="), + constant(" status="), field("haction"), - constant("src="), + constant(" src="), field("hsaddr"), - constant("dst="), + constant(" dst="), field("hdaddr"), - constant("src_port="), + constant(" src_port="), field("hsport"), - constant("dst_port="), + constant(" dst_port="), field("hdport"), constant(" "), field("payload"), @@ -74,7 +74,7 @@ var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{hdate->} % }), ])); -var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{hdate->} %{hhostname}(%{messageid->} %{hfld5}times in last %{hfld6}) %{hfld7->} %{hfld8}::%{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{payload}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -84,14 +84,14 @@ var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{hdate->} % constant(" "), field("hday"), constant(" "), - field("hdate"), + field("htime"), constant(" "), field("hhostname"), - constant("("), + constant(" ("), field("messageid"), constant(" "), field("hfld5"), - constant("times in last "), + constant(" times in last "), field("hfld6"), constant(") "), field("hfld7"), 
@@ -103,7 +103,7 @@ var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{hdate->} % }), ])); -var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{hdate->} %{hhostname->} %{messageid->} %{hfld5}::%{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{payload}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -113,7 +113,7 @@ var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{hdate->} % constant(" "), field("hday"), constant(" "), - field("hdate"), + field("htime"), constant(" "), field("hhostname"), constant(" "), @@ -132,14 +132,14 @@ var select1 = linear_select([ hdr3, ]); -var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}enter %{info}", processor_chain([ +var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ dup1, dup2, ])); var msg1 = msg("enter", part1); -var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}(repeated %{fld5}times in last %{fld6}) enter %{info}", processor_chain([ +var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ dup1, dup2, ])); 
@@ -169,7 +169,7 @@ var chain1 = processor_chain([ }), ]); -var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname}proto=%{protocol}service=%{network_service}status=deny src=%{saddr}dst=%{daddr}src_port=%{sport}dst_port=%{dport}server_app=%{fld12}pid=%{process_id}app_name=%{fld14}traff_direct=%{direction}block_count=%{dclass_counter1}logon_user=%{username}@%{domain}msg=%{result}", processor_chain([ +var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ dup3, dup4, dup5, diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log index 565e8412547..d001b33300f 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log 
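Review bot: `part3` for `MESSAGE#2:ms-wbt-server` is a byte-for-byte copy of the `dup9` pattern changed earlier in this file, and both had to be edited in lockstep here; a future fix to one will silently leave the other behind. If nothing depends on the two being distinct processor objects, `var part3 = dup9;` removes the duplicate; failing that, a comment `// keep in sync with dup9 above` on this line at least flags the coupling. The `processor_chain` that follows continues past the end of the hunk.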
@@ -1,100 +1,100 @@ -January 29 2016/01/29 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure -February 12 2016/02/12 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success -February 26 2016/02/26 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown -March 12 2016/03/12 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown -March 26 2016/03/26 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success -April 9 2016/04/09 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown -April 24 2016/04/24 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success -May 8 2016/05/08 ari1508.api.localdomain proto=tcp 
service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown -May 22 2016/05/22 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown -June 5 2016/06/05 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown -June 20 2016/06/20 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure -July 4 2016/07/04 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure -July 18 2016/07/18 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure -August 2 2016/08/02 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success -August 16 2016/08/16 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 
app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success -August 30 2016/08/30 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown -September 13 2016/09/13 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown -September 28 2016/09/28 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown -October 12 2016/10/12 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure -October 26 2016/10/26 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure -November 10 2016/11/10 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure -November 24 2016/11/24 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi 
block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure -December 8 2016/12/08 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown -December 23 2016/12/23 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success -January 6 2017/01/06 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success -January 20 2017/01/20 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown -February 3 2017/02/03 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown -February 18 2017/02/18 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown -March 4 2017/03/04 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home 
msg=failure -March 18 2017/03/18 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure -April 2 2017/04/02 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success -April 16 2017/04/16 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown -April 30 2017/04/30 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success -May 14 2017/05/14 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure -May 29 2017/05/29 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success -June 12 2017/06/12 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success -June 26 2017/06/26 nturma18.internal.example proto=icmp service=https 
status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success -July 11 2017/07/11 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown -July 25 2017/07/25 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown -August 8 2017/08/08 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown -August 22 2017/08/22 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown -September 6 2017/09/06 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown -September 20 2017/09/20 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success -October 4 2017/10/04 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun 
pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure -October 19 2017/10/19 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown -November 2 2017/11/02 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown -November 16 2017/11/16 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown -December 1 2017/12/01 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success -December 15 2017/12/15 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure -December 29 2017/12/29 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure -January 12 2018/01/12 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo 
traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success -January 27 2018/01/27 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown -February 10 2018/02/10 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown -February 24 2018/02/24 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success -March 11 2018/03/11 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success -March 25 2018/03/25 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown -April 8 2018/04/08 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure -April 22 2018/04/22 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 
logon_user=nesciun@saqu6897.mail.lan msg=failure -May 7 2018/05/07 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown -May 21 2018/05/21 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure -June 4 2018/06/04 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure -June 19 2018/06/19 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success -July 3 2018/07/03 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure -July 17 2018/07/17 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success -August 1 2018/08/01 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure -August 15 2018/08/15 
tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown -August 29 2018/08/29 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure -September 12 2018/09/12 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure -September 27 2018/09/27 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure -October 11 2018/10/11 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure -October 25 2018/10/25 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure -November 9 2018/11/09 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success -November 23 2018/11/23 iam7526.mail.test proto=icmp service=smtp status=deny 
src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure -December 7 2018/12/07 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success -December 21 2018/12/21 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure -January 5 2019/01/05 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure -January 19 2019/01/19 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success -February 2 2019/02/02 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown -February 17 2019/02/17 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown -March 3 2019/03/03 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 
dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure -March 17 2019/03/17 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure -April 1 2019/04/01 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success -April 15 2019/04/15 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success -April 29 2019/04/29 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure -May 13 2019/05/13 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown -May 28 2019/05/28 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown -June 11 2019/06/11 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 
logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown -June 25 2019/06/25 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success -July 10 2019/07/10 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown -July 24 2019/07/24 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success -August 7 2019/08/07 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success -August 21 2019/08/21 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure -September 5 2019/09/05 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure -September 19 2019/09/19 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success -October 3 2019/10/03 
ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure -October 18 2019/10/18 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure -November 1 2019/11/01 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure -November 15 2019/11/15 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure -November 30 2019/11/30 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown -December 14 2019/12/14 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure +January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure +February 12 13:12:33 agn2581.www5.corp proto=rdp service=smtp status=deny 
src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success +February 26 20:15:08 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown +March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown +March 26 10:20:16 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success +April 9 17:22:51 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown +April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success +May 8 07:27:59 ari1508.api.localdomain proto=tcp service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown +May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat 
traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown +June 5 21:33:08 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown +June 20 04:35:42 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure +July 4 11:38:16 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure +July 18 18:40:50 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure +August 2 01:43:25 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success +August 16 08:45:59 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success +August 30 15:48:33 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown +September 13 22:51:07 
tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown +September 28 05:53:42 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown +October 12 12:56:16 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure +October 26 19:58:50 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure +November 10 03:01:24 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure +November 24 10:03:59 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure +December 8 17:06:33 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown +December 23 00:09:07 reseos556.internal.example proto=rdp service=https 
status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success +January 6 07:11:41 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success +January 20 14:14:16 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown +February 3 21:16:50 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown +February 18 04:19:24 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown +March 4 11:21:59 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home msg=failure +March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure +April 2 01:27:07 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 
app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success +April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown +April 30 15:32:16 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success +May 14 22:34:50 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure +May 29 05:37:24 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success +June 12 12:39:58 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success +June 26 19:42:33 nturma18.internal.example proto=icmp service=https status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success +July 11 02:45:07 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp 
msg=unknown +July 25 09:47:41 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown +August 8 16:50:15 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown +August 22 23:52:50 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown +September 6 06:55:24 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown +September 20 13:57:58 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success +October 4 21:00:32 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure +October 19 04:03:07 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown +November 2 11:05:41 mex2054.mail.corp proto=udp service=pop3 status=deny 
src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown +November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown +December 1 01:10:49 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success +December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure +December 29 15:15:58 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure +January 12 22:18:32 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success +January 27 05:21:06 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown +February 10 12:23:41 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 
src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown +February 24 19:26:15 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success +March 11 02:28:49 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success +March 25 09:31:24 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown +April 8 16:33:58 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure +April 22 23:36:32 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 logon_user=nesciun@saqu6897.mail.lan msg=failure +May 7 06:39:06 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown +May 21 13:41:41 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc 
block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure +June 4 20:44:15 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure +June 19 03:46:49 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success +July 3 10:49:23 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure +July 17 17:51:58 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success +August 1 00:54:32 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure +August 15 07:57:06 tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown +August 29 14:59:40 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure +September 12 22:02:15 
uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure +September 27 05:04:49 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure +October 11 12:07:23 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure +October 25 19:09:57 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure +November 9 02:12:32 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success +November 23 09:15:06 iam7526.mail.test proto=icmp service=smtp status=deny src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure +December 7 16:17:40 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success +December 21 23:20:14 laborum5749.www.example proto=igmp service=http status=deny 
src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure +January 5 06:22:49 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure +January 19 13:25:23 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success +February 2 20:27:57 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown +February 17 03:30:32 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown +March 3 10:33:06 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure +March 17 17:35:40 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure +April 1 00:38:14 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 
dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success +April 15 07:40:49 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success +April 29 14:43:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure +May 13 21:45:57 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown +May 28 04:48:31 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown +June 11 11:51:06 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown +June 25 18:53:40 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success +July 10 01:56:14 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 
logon_user=xerc@ctetura7556.mail.corp msg=unknown +July 24 08:58:48 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success +August 7 16:01:23 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success +August 21 23:03:57 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure +September 5 06:06:31 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure +September 19 13:09:05 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success +October 3 20:11:40 ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure +October 18 03:14:14 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure +November 1 10:16:48 adipi2840.mail.domain proto=udp 
service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure +November 15 17:19:22 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure +November 30 00:21:57 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown +December 14 07:24:31 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index 967a60d6404..d29598b7b88 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -1,2302 +1,5602 @@ [ { - "@timestamp": "2016-01-29T02:00:00.000Z", + "@timestamp": "2020-01-29T08:09:59.000Z", + "destination.ip": [ + "10.102.123.34" + ], + "destination.port": 3994, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 29 2016/01/29 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure", + "event.original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "boNemoe4402.www.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 0, + "network.direction": "sperna", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7880, + "related.ip": [ + "10.150.92.220", + "10.102.123.34" + ], + "rsa.counters.dclass_c1": 884, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-01-29T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "boNemoe4402.www.invalid" + ], + "rsa.network.domain": "oreetdol1714.internal.corp", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "server.domain": "oreetdol1714.internal.corp", 
"service.type": "fortinet", + "source.ip": [ + "10.150.92.220" + ], + "source.port": 7178, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "billoi" ] }, { - "@timestamp": "2016-02-12T02:00:00.000Z", + "@timestamp": "2020-02-12T15:12:33.000Z", + "destination.ip": [ + "10.102.218.31" + ], + "destination.port": 3376, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 12 2016/02/12 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success", + "event.original": "February 12 13:12:33 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "agn2581.www5.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 285, + "log.offset": 283, + "network.direction": "mquia", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6183, + "related.ip": [ + "10.22.119.124", + "10.102.218.31" + ], + "rsa.counters.dclass_c1": 873, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2016-02-12T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "agn2581.www5.corp" + ], + "rsa.network.domain": "tetur6657.internal.domain", + 
"rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "server.domain": "tetur6657.internal.domain", "service.type": "fortinet", + "source.ip": [ + "10.22.119.124" + ], + "source.port": 4402, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "itamet" ] }, { - "@timestamp": "2016-02-26T02:00:00.000Z", + "@timestamp": "2020-02-26T22:15:08.000Z", + "destination.ip": [ + "10.26.46.95" + ], + "destination.port": 7599, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 26 2016/02/26 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown", + "event.original": "February 26 20:15:08 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "iin6287.mail.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 556, + "log.offset": 552, + "network.direction": "anti", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1130, + "related.ip": [ + "10.135.105.231", + "10.26.46.95" + ], + "rsa.counters.dclass_c1": 4454, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2016-02-26T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + 
"rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "iin6287.mail.domain" + ], + "rsa.network.domain": "tetu5280.www5.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "server.domain": "tetu5280.www5.invalid", "service.type": "fortinet", + "source.ip": [ + "10.135.105.231" + ], + "source.port": 1327, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "meumfug" ] }, { - "@timestamp": "2016-03-12T02:00:00.000Z", + "@timestamp": "2020-03-12T05:17:42.000Z", + "destination.ip": [ + "10.202.204.154" + ], + "destination.port": 3587, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 12 2016/03/12 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown", + "event.original": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tinculp2940.internal.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 827, + "log.offset": 821, + "network.direction": "onsect", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5712, + "related.ip": [ + "10.134.137.177", + "10.202.204.154" + ], + "rsa.counters.dclass_c1": 101, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2016-03-12T02:00:00.000Z", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tinculp2940.internal.local" + ], + "rsa.network.domain": "uia351.api.localhost", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-03-12T05:17:42.000Z", + "server.domain": "uia351.api.localhost", "service.type": "fortinet", + "source.ip": [ + "10.134.137.177" + ], + "source.port": 7868, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "con" ] }, { - "@timestamp": "2016-03-26T02:00:00.000Z", + "@timestamp": "2020-03-26T12:20:16.000Z", + "destination.ip": [ + "10.131.115.96" + ], + "destination.port": 1890, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 26 2016/03/26 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success", + "event.original": "March 26 10:20:16 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "aqui4726.mail.localhost", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1103, + "log.offset": 1095, + "network.direction": "sit", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 654, + "related.ip": [ + "10.85.66.161", + "10.131.115.96" + ], + "rsa.counters.dclass_c1": 5509, + 
"rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2016-03-26T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "aqui4726.mail.localhost" + ], + "rsa.network.domain": "tenima1073.local", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-03-26T12:20:16.000Z", + "server.domain": "tenima1073.local", "service.type": "fortinet", + "source.ip": [ + "10.85.66.161" + ], + "source.port": 2638, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "onev" ] }, { - "@timestamp": "2016-04-09T02:00:00.000Z", + "@timestamp": "2020-04-09T19:22:51.000Z", + "destination.ip": [ + "10.11.200.161" + ], + "destination.port": 4665, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 9 2016/04/09 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", + "event.original": "April 9 17:22:51 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "uatDuis2964.test", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1365, + "log.offset": 1355, + "network.direction": "Cice", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 
4243, + "related.ip": [ + "10.183.202.41", + "10.11.200.161" + ], + "rsa.counters.dclass_c1": 513, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-04-09T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "uatDuis2964.test" + ], + "rsa.network.domain": "doloreeu3553.www5.home", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "server.domain": "doloreeu3553.www5.home", "service.type": "fortinet", + "source.ip": [ + "10.183.202.41" + ], + "source.port": 4470, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "iusmodt" ] }, { - "@timestamp": "2016-04-24T02:00:00.000Z", + "@timestamp": "2020-04-24T02:25:25.000Z", + "destination.ip": [ + "10.214.225.125" + ], + "destination.port": 2121, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 24 2016/04/24 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success", + "event.original": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "reetdolo2770.www5.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1631, + "log.offset": 1619, + "network.direction": 
"nimadmin", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5722, + "related.ip": [ + "10.214.225.125", + "10.12.44.169" + ], + "rsa.counters.dclass_c1": 6499, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2016-04-24T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "reetdolo2770.www5.local" + ], + "rsa.network.domain": "temq1198.internal.example", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-04-24T02:25:25.000Z", + "server.domain": "temq1198.internal.example", "service.type": "fortinet", + "source.ip": [ + "10.12.44.169" + ], + "source.port": 5710, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "uam" ] }, { - "@timestamp": "2016-05-08T02:00:00.000Z", + "@timestamp": "2020-05-08T09:27:59.000Z", + "destination.ip": [ + "10.233.127.83" + ], + "destination.port": 3676, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 8 2016/05/08 ari1508.api.localdomain proto=tcp service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown", + "event.original": "May 8 07:27:59 ari1508.api.localdomain proto=tcp service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ari1508.api.localdomain", 
"input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1911, + "log.offset": 1897, + "network.direction": "mqua", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3904, + "related.ip": [ + "10.233.127.83", + "10.64.155.245" + ], + "rsa.counters.dclass_c1": 3391, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2016-05-08T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ari1508.api.localdomain" + ], + "rsa.network.domain": "mquisnos5771.example", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "server.domain": "mquisnos5771.example", "service.type": "fortinet", + "source.ip": [ + "10.64.155.245" + ], + "source.port": 4512, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "olab" ] }, { - "@timestamp": "2016-05-22T02:00:00.000Z", + "@timestamp": "2020-05-22T16:30:33.000Z", + "destination.ip": [ + "10.69.20.77" + ], + "destination.port": 7579, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 22 2016/05/22 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown", + "event.original": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 
logon_user=moll@tatione2046.home msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "usmodte1296.www.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2177, + "log.offset": 2161, + "network.direction": "luptatem", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 776, + "related.ip": [ + "10.69.20.77", + "10.178.244.31" + ], + "rsa.counters.dclass_c1": 5812, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2016-05-22T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "usmodte1296.www.corp" + ], + "rsa.network.domain": "tatione2046.home", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "server.domain": "tatione2046.home", "service.type": "fortinet", + "source.ip": [ + "10.178.244.31" + ], + "source.port": 3857, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "moll" ] }, { - "@timestamp": "2016-06-05T02:00:00.000Z", + "@timestamp": "2020-06-05T23:33:08.000Z", + "destination.ip": [ + "10.10.65.154" + ], + "destination.port": 7572, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 5 2016/06/05 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown", + "event.original": "June 5 21:33:08 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 
src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "turveli6399.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2446, + "log.offset": 2428, + "network.direction": "aper", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3592, + "related.ip": [ + "10.197.5.210", + "10.10.65.154" + ], + "rsa.counters.dclass_c1": 5529, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2016-06-05T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "turveli6399.host" + ], + "rsa.network.domain": "uaera6620.www5.domain", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "server.domain": "uaera6620.www5.domain", "service.type": "fortinet", + "source.ip": [ + "10.197.5.210" + ], + "source.port": 689, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "olo" ] }, { - "@timestamp": "2016-06-20T02:00:00.000Z", + "@timestamp": "2020-06-20T06:35:42.000Z", + "destination.ip": [ + "10.177.124.147" + ], + "destination.port": 4173, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 20 2016/06/20 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure", + "event.original": "June 20 
04:35:42 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tquiinea7522.test", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2704, + "log.offset": 2684, + "network.direction": "atuse", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5794, + "related.ip": [ + "10.177.124.147", + "10.89.185.38" + ], + "rsa.counters.dclass_c1": 2703, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-06-20T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tquiinea7522.test" + ], + "rsa.network.domain": "idolore1057.www5.domain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "server.domain": "idolore1057.www5.domain", "service.type": "fortinet", + "source.ip": [ + "10.89.185.38" + ], + "source.port": 6024, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "uis" ] }, { - "@timestamp": "2016-07-04T02:00:00.000Z", + "@timestamp": "2020-07-04T13:38:16.000Z", + "destination.ip": [ + "10.157.213.15" + ], + "destination.port": 600, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 4 2016/07/04 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl 
traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure", + "event.original": "July 4 11:38:16 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "litessec3743.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2969, + "log.offset": 2947, + "network.direction": "caecatc", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3480, + "related.ip": [ + "10.157.213.15", + "10.212.55.143" + ], + "rsa.counters.dclass_c1": 2399, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-07-04T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "litessec3743.domain" + ], + "rsa.network.domain": "edquiano6061.internal.invalid", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "server.domain": "edquiano6061.internal.invalid", "service.type": "fortinet", + "source.ip": [ + "10.212.55.143" + ], + "source.port": 3539, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "nibus" ] }, { - "@timestamp": "2016-07-18T02:00:00.000Z", + "@timestamp": "2019-07-18T20:40:50.000Z", + "destination.ip": [ + "10.124.100.32" + ], + "destination.port": 7699, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 18 2016/07/18 
ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure", + "event.original": "July 18 18:40:50 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ctetura4886.www5.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3247, + "log.offset": 3223, + "network.direction": "orain", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5376, + "related.ip": [ + "10.208.134.60", + "10.124.100.32" + ], + "rsa.counters.dclass_c1": 4111, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2016-07-18T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "ctetura4886.www5.lan" + ], + "rsa.network.domain": "modocons6461.api.home", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", + "server.domain": "modocons6461.api.home", "service.type": "fortinet", + "source.ip": [ + "10.208.134.60" + ], + "source.port": 7385, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "admi" ] }, { - "@timestamp": "2016-08-02T02:00:00.000Z", + "@timestamp": "2019-08-02T03:43:25.000Z", + "destination.ip": [ + "10.55.77.49" + ], + "destination.port": 4683, + "event.action": "deny", "event.code": 
"http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 2 2016/08/02 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success", + "event.original": "August 2 01:43:25 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "urE6771.www5.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3514, + "log.offset": 3488, + "network.direction": "rehe", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1577, + "related.ip": [ + "10.75.148.116", + "10.55.77.49" + ], + "rsa.counters.dclass_c1": 2460, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-08-02T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "urE6771.www5.example" + ], + "rsa.network.domain": "ono4861.www5.test", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "server.domain": "ono4861.www5.test", "service.type": "fortinet", + "source.ip": [ + "10.75.148.116" + ], + "source.port": 3653, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "tdolorem" ] }, { - "@timestamp": "2016-08-16T02:00:00.000Z", + "@timestamp": "2019-08-16T10:45:59.000Z", + 
"destination.ip": [ + "10.21.92.218" + ], + "destination.port": 5716, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 16 2016/08/16 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success", + "event.original": "August 16 08:45:59 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "sumquiad2872.api.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3775, + "log.offset": 3747, + "network.direction": "tlabo", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3671, + "related.ip": [ + "10.21.92.218", + "10.210.74.24" + ], + "rsa.counters.dclass_c1": 6088, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-08-16T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "sumquiad2872.api.domain" + ], + "rsa.network.domain": "Lor5841.internal.example", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", + "server.domain": "Lor5841.internal.example", "service.type": "fortinet", + "source.ip": [ + "10.210.74.24" + ], + "source.port": 4125, "tags": [ "fortinet.clientendpoint", 
"forwarded" + ], + "user.name": [ + "nihi" ] }, { - "@timestamp": "2016-08-30T02:00:00.000Z", + "@timestamp": "2019-08-30T17:48:33.000Z", + "destination.ip": [ + "10.84.105.75" + ], + "destination.port": 98, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 30 2016/08/30 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown", + "event.original": "August 30 15:48:33 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "aperia4409.www5.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4047, + "log.offset": 4017, + "network.direction": "isnostru", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 499, + "related.ip": [ + "10.84.105.75", + "10.78.151.178" + ], + "rsa.counters.dclass_c1": 1559, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2016-08-30T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "aperia4409.www5.invalid" + ], + "rsa.network.domain": "iadese6958.www5.local", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": 
"2019-08-30T17:48:33.000Z", + "server.domain": "iadese6958.www5.local", "service.type": "fortinet", + "source.ip": [ + "10.78.151.178" + ], + "source.port": 1846, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "deFinibu" ] }, { - "@timestamp": "2016-09-13T02:00:00.000Z", + "@timestamp": "2019-09-14T00:51:07.000Z", + "destination.ip": [ + "10.76.229.163" + ], + "destination.port": 6387, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 13 2016/09/13 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown", + "event.original": "September 13 22:51:07 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tatn2376.www5.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4331, + "log.offset": 4299, + "network.direction": "ecillu", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2857, + "related.ip": [ + "10.76.229.163", + "10.47.241.218" + ], + "rsa.counters.dclass_c1": 391, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2016-09-13T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": 
"unknown", + "rsa.network.alias_host": [ + "tatn2376.www5.corp" + ], + "rsa.network.domain": "sedd3727.api.home", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "server.domain": "sedd3727.api.home", "service.type": "fortinet", + "source.ip": [ + "10.47.241.218" + ], + "source.port": 2890, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "mnisist" ] }, { - "@timestamp": "2016-09-28T02:00:00.000Z", + "@timestamp": "2019-09-28T07:53:42.000Z", + "destination.ip": [ + "10.104.134.200" + ], + "destination.port": 2508, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 28 2016/09/28 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown", + "event.original": "September 28 05:53:42 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "eme6710.mail.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4616, + "log.offset": 4582, + "network.direction": "maccusa", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6051, + "related.ip": [ + "10.104.134.200", + "10.121.219.204" + ], + "rsa.counters.dclass_c1": 5126, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2016-09-28T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "eme6710.mail.invalid" + ], + "rsa.network.domain": "idex2012.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "server.domain": "idex2012.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.121.219.204" + ], + "source.port": 3611, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "rQuisau" ] }, { - "@timestamp": "2016-10-12T02:00:00.000Z", + "@timestamp": "2019-10-12T14:56:16.000Z", + "destination.ip": [ + "10.252.122.195" + ], + "destination.port": 2807, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 12 2016/10/12 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure", + "event.original": "October 12 12:56:16 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "uipe5643.api.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4893, + "log.offset": 4857, + "network.direction": "ercit", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1669, + "related.ip": [ + "10.252.122.195", + "10.118.80.140" + ], + "rsa.counters.dclass_c1": 2385, + "rsa.counters.dclass_c1_str": "block_count", 
"rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2016-10-12T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "uipe5643.api.home" + ], + "rsa.network.domain": "run3361.api.test", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "server.domain": "run3361.api.test", "service.type": "fortinet", + "source.ip": [ + "10.118.80.140" + ], + "source.port": 6003, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "remagn" ] }, { - "@timestamp": "2016-10-26T02:00:00.000Z", + "@timestamp": "2019-10-26T21:58:50.000Z", + "destination.ip": [ + "10.31.95.218" + ], + "destination.port": 7042, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 26 2016/10/26 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure", + "event.original": "October 26 19:58:50 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "aturve2031.www5.test", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5157, + "log.offset": 5119, + "network.direction": "estiae", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2374, + 
"related.ip": [ + "10.195.36.51", + "10.31.95.218" + ], + "rsa.counters.dclass_c1": 3750, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2016-10-26T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "aturve2031.www5.test" + ], + "rsa.network.domain": "tionof7613.domain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", + "server.domain": "tionof7613.domain", "service.type": "fortinet", + "source.ip": [ + "10.195.36.51" + ], + "source.port": 2883, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "laborum" ] }, { - "@timestamp": "2016-11-10T02:00:00.000Z", + "@timestamp": "2019-11-10T05:01:24.000Z", + "destination.ip": [ + "10.170.148.40" + ], + "destination.port": 6371, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 10 2016/11/10 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure", + "event.original": "November 10 03:01:24 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ationul2530.internal.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5432, + "log.offset": 5392, + 
"network.direction": "que", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 753, + "related.ip": [ + "10.197.250.10", + "10.170.148.40" + ], + "rsa.counters.dclass_c1": 651, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2016-11-10T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "ationul2530.internal.example" + ], + "rsa.network.domain": "etconse7424.internal.lan", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "server.domain": "etconse7424.internal.lan", "service.type": "fortinet", + "source.ip": [ + "10.197.250.10" + ], + "source.port": 261, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "rinrepre" ] }, { - "@timestamp": "2016-11-24T02:00:00.000Z", + "@timestamp": "2019-11-24T12:03:59.000Z", + "destination.ip": [ + "10.233.171.118" + ], + "destination.port": 7410, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 24 2016/11/24 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure", + "event.original": "November 24 10:03:59 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure", + "event.outcome": "Failure", "fileset.name": 
"clientendpoint", + "host.name": "quamnih5993.mail.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5718, + "log.offset": 5676, + "network.direction": "itanimi", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6540, + "related.ip": [ + "10.19.145.131", + "10.233.171.118" + ], + "rsa.counters.dclass_c1": 2924, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2016-11-24T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "quamnih5993.mail.corp" + ], + "rsa.network.domain": "rehender2628.www5.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "server.domain": "rehender2628.www5.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.19.145.131" + ], + "source.port": 4798, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "modtemp" ] }, { - "@timestamp": "2016-12-08T02:00:00.000Z", + "@timestamp": "2019-12-08T19:06:33.000Z", + "destination.ip": [ + "10.134.148.219" + ], + "destination.port": 4430, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 8 2016/12/08 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown", + "event.original": "December 8 17:06:33 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 
server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "evita5008.www.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6003, + "log.offset": 5959, + "network.direction": "sectetur", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1835, + "related.ip": [ + "10.248.204.182", + "10.134.148.219" + ], + "rsa.counters.dclass_c1": 1713, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2016-12-08T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "evita5008.www.localdomain" + ], + "rsa.network.domain": "veniamq1608.www.localdomain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "server.domain": "veniamq1608.www.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.248.204.182" + ], + "source.port": 1331, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "fugitse" ] }, { - "@timestamp": "2016-12-23T02:00:00.000Z", + "@timestamp": "2019-12-23T02:09:07.000Z", + "destination.ip": [ + "10.177.238.183" + ], + "destination.port": 6458, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 23 2016/12/23 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain 
msg=success", + "event.original": "December 23 00:09:07 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "reseos556.internal.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6287, + "log.offset": 6241, + "network.direction": "Neque", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5251, + "related.ip": [ + "10.177.238.183", + "10.59.122.242" + ], + "rsa.counters.dclass_c1": 4129, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2016-12-23T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "reseos556.internal.example" + ], + "rsa.network.domain": "iutali2138.www.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "server.domain": "iutali2138.www.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.59.122.242" + ], + "source.port": 4821, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "xerc" ] }, { - "@timestamp": "2017-01-06T02:00:00.000Z", + "@timestamp": "2020-01-06T09:11:41.000Z", + "destination.ip": [ + "10.10.27.73" + ], + "destination.port": 2574, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 6 2017/01/06 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 
dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success", + "event.original": "January 6 07:11:41 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "radi1512.mail.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6571, + "log.offset": 6523, + "network.direction": "amvolu", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6106, + "related.ip": [ + "10.74.33.75", + "10.10.27.73" + ], + "rsa.counters.dclass_c1": 766, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2017-01-06T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "radi1512.mail.example" + ], + "rsa.network.domain": "sequa2851.home", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "server.domain": "sequa2851.home", "service.type": "fortinet", + "source.ip": [ + "10.74.33.75" + ], + "source.port": 3410, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "quaturve" ] }, { - "@timestamp": "2017-01-20T02:00:00.000Z", + "@timestamp": "2020-01-20T16:14:16.000Z", + "destination.ip": [ + "10.32.239.1" + ], + "destination.port": 3128, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - 
"event.original": "January 20 2017/01/20 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown", + "event.original": "January 20 14:14:16 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "reme622.mail.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6834, + "log.offset": 6784, + "network.direction": "nsect", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3022, + "related.ip": [ + "10.241.65.49", + "10.32.239.1" + ], + "rsa.counters.dclass_c1": 7400, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2017-01-20T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "reme622.mail.example" + ], + "rsa.network.domain": "econs4164.api.corp", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "server.domain": "econs4164.api.corp", "service.type": "fortinet", + "source.ip": [ + "10.241.65.49" + ], + "source.port": 3027, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "asia" ] }, { - "@timestamp": "2017-02-03T02:00:00.000Z", + "@timestamp": "2020-02-03T23:16:50.000Z", + "destination.ip": [ + "10.14.36.202" + ], + 
"destination.port": 6036, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 3 2017/02/03 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown", + "event.original": "February 3 21:16:50 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tevelite245.mail.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7108, + "log.offset": 7056, + "network.direction": "abo", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1411, + "related.ip": [ + "10.167.85.181", + "10.14.36.202" + ], + "rsa.counters.dclass_c1": 1637, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2017-02-03T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tevelite245.mail.local" + ], + "rsa.network.domain": "aliquide3073.www5.domain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "server.domain": "aliquide3073.www5.domain", "service.type": "fortinet", + "source.ip": [ + "10.167.85.181" + ], + "source.port": 6409, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "dtemp" ] 
}, { - "@timestamp": "2017-02-18T02:00:00.000Z", + "@timestamp": "2020-02-18T06:19:24.000Z", + "destination.ip": [ + "10.164.39.248" + ], + "destination.port": 5194, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 18 2017/02/18 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown", + "event.original": "February 18 04:19:24 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "uptatema6843.www.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7383, + "log.offset": 7329, + "network.direction": "mfugiat", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3609, + "related.ip": [ + "10.104.64.94", + "10.164.39.248" + ], + "rsa.counters.dclass_c1": 3370, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2017-02-18T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "uptatema6843.www.host" + ], + "rsa.network.domain": "rroquis6074.api.host", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "server.domain": "rroquis6074.api.host", 
"service.type": "fortinet", + "source.ip": [ + "10.104.64.94" + ], + "source.port": 3221, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "dant" ] }, { - "@timestamp": "2017-03-04T02:00:00.000Z", + "@timestamp": "2020-03-04T13:21:59.000Z", + "destination.ip": [ + "10.135.187.104" + ], + "destination.port": 4708, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 4 2017/03/04 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home msg=failure", + "event.original": "March 4 11:21:59 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "rem3420.mail.localhost", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7664, + "log.offset": 7608, + "network.direction": "ept", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5919, + "related.ip": [ + "10.135.187.104", + "10.208.14.185" + ], + "rsa.counters.dclass_c1": 1871, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2017-03-04T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "rem3420.mail.localhost" + ], + "rsa.network.domain": "eni465.home", + "rsa.network.network_service": "http", 
+ "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "server.domain": "eni465.home", "service.type": "fortinet", + "source.ip": [ + "10.208.14.185" + ], + "source.port": 7557, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "rcitati" ] }, { - "@timestamp": "2017-03-18T02:00:00.000Z", + "@timestamp": "2020-03-18T20:24:33.000Z", + "destination.ip": [ + "10.248.101.25" + ], + "destination.port": 5740, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 18 2017/03/18 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure", + "event.original": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "stquido5705.api.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7926, + "log.offset": 7868, + "network.direction": "boree", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6003, + "related.ip": [ + "10.60.129.15", + "10.248.101.25" + ], + "rsa.counters.dclass_c1": 513, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2017-03-18T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + 
"stquido5705.api.host" + ], + "rsa.network.domain": "ide2767.www5.local", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + "server.domain": "ide2767.www5.local", "service.type": "fortinet", + "source.ip": [ + "10.60.129.15" + ], + "source.port": 106, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "nevo" ] }, { - "@timestamp": "2017-04-02T02:00:00.000Z", + "@timestamp": "2020-04-02T03:27:07.000Z", + "destination.ip": [ + "10.145.26.181" + ], + "destination.port": 6088, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 2 2017/04/02 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success", + "event.original": "April 2 01:27:07 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "edquiac2646.www.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8189, + "log.offset": 8129, + "network.direction": "equatu", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3471, + "related.ip": [ + "10.145.26.181", + "10.46.49.26" + ], + "rsa.counters.dclass_c1": 1399, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-04-02T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "edquiac2646.www.invalid" + ], + "rsa.network.domain": "sBon1759.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "server.domain": "sBon1759.invalid", "service.type": "fortinet", + "source.ip": [ + "10.46.49.26" + ], + "source.port": 634, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "cons" ] }, { - "@timestamp": "2017-04-16T02:00:00.000Z", + "@timestamp": "2020-04-16T10:29:41.000Z", + "destination.ip": [ + "10.66.2.232" + ], + "destination.port": 5764, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 16 2017/04/16 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown", + "event.original": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "vita2681.www5.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8460, + "log.offset": 8398, + "network.direction": "antiu", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3470, + "related.ip": [ + "10.27.14.168", + "10.66.2.232" + ], + "rsa.counters.dclass_c1": 6129, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - 
"rsa.time.event_time": "2017-04-16T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "vita2681.www5.local" + ], + "rsa.network.domain": "ersp3536.www5.lan", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "server.domain": "ersp3536.www5.lan", "service.type": "fortinet", + "source.ip": [ + "10.27.14.168" + ], + "source.port": 2224, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "evolu" ] }, { - "@timestamp": "2017-04-30T02:00:00.000Z", + "@timestamp": "2020-04-30T17:32:16.000Z", + "destination.ip": [ + "10.201.238.90" + ], + "destination.port": 7130, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 30 2017/04/30 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success", + "event.original": "April 30 15:32:16 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ntiumt699.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8733, + "log.offset": 8669, + "network.direction": "tquiin", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 55, + "related.ip": [ + "10.151.58.196", + "10.201.238.90" 
+ ], + "rsa.counters.dclass_c1": 7440, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2017-04-30T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ntiumt699.corp" + ], + "rsa.network.domain": "ovol3674.www5.host", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "server.domain": "ovol3674.www5.host", "service.type": "fortinet", + "source.ip": [ + "10.151.58.196" + ], + "source.port": 2715, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "temqu" ] }, { - "@timestamp": "2017-05-14T02:00:00.000Z", + "@timestamp": "2020-05-15T00:34:50.000Z", + "destination.ip": [ + "10.105.91.31" + ], + "destination.port": 5987, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 14 2017/05/14 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure", + "event.original": "May 14 22:34:50 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tanimid3337.mail.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9002, + "log.offset": 8936, + "network.direction": "ven", + "network.protocol": "ipv6-icmp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 853, + "related.ip": [ + "10.217.150.196", + "10.105.91.31" + ], + "rsa.counters.dclass_c1": 660, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2017-05-14T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tanimid3337.mail.corp" + ], + "rsa.network.domain": "amnih2718.internal.example", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + "server.domain": "amnih2718.internal.example", "service.type": "fortinet", + "source.ip": [ + "10.217.150.196" + ], + "source.port": 2056, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "siutali" ] }, { - "@timestamp": "2017-05-29T02:00:00.000Z", + "@timestamp": "2020-05-29T07:37:24.000Z", + "destination.ip": [ + "10.226.83.168" + ], + "destination.port": 4153, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 29 2017/05/29 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success", + "event.original": "May 29 05:37:24 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "laudant6813.mail.home", "input.type": "log", - "log.flags": [ - 
"dissect_parsing_error" - ], - "log.offset": 9282, + "log.offset": 9214, + "network.direction": "eturadi", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4306, + "related.ip": [ + "10.226.83.168", + "10.184.18.202" + ], + "rsa.counters.dclass_c1": 2512, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-05-29T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "laudant6813.mail.home" + ], + "rsa.network.domain": "rsitvolu3751.mail.lan", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "server.domain": "rsitvolu3751.mail.lan", "service.type": "fortinet", + "source.ip": [ + "10.184.18.202" + ], + "source.port": 5780, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "borios" ] }, { - "@timestamp": "2017-06-12T02:00:00.000Z", + "@timestamp": "2020-06-12T14:39:58.000Z", + "destination.ip": [ + "10.113.95.59" + ], + "destination.port": 4367, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 12 2017/06/12 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success", + "event.original": "June 12 12:39:58 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success", + 
"event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "mquelau5326.mail.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9557, + "log.offset": 9487, + "network.direction": "luptate", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1693, + "related.ip": [ + "10.113.95.59", + "10.255.39.252" + ], + "rsa.counters.dclass_c1": 2612, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-06-12T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "mquelau5326.mail.lan" + ], + "rsa.network.domain": "esci7741.www.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "server.domain": "esci7741.www.host", "service.type": "fortinet", + "source.ip": [ + "10.255.39.252" + ], + "source.port": 863, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "atisun" ] }, { - "@timestamp": "2017-06-26T02:00:00.000Z", + "@timestamp": "2020-06-26T21:42:33.000Z", + "destination.ip": [ + "10.43.226.231" + ], + "destination.port": 2778, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 26 2017/06/26 nturma18.internal.example proto=icmp service=https status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success", + "event.original": "June 26 19:42:33 nturma18.internal.example proto=icmp service=https status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 
server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "nturma18.internal.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9826, + "log.offset": 9754, + "network.direction": "emquia", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 829, + "related.ip": [ + "10.173.136.186", + "10.43.226.231" + ], + "rsa.counters.dclass_c1": 1497, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-06-26T02:00:00.000Z", - "service.type": "fortinet", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "nturma18.internal.example" + ], + "rsa.network.domain": "uia5567.mail.lan", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "server.domain": "uia5567.mail.lan", + "service.type": "fortinet", + "source.ip": [ + "10.173.136.186" + ], + "source.port": 7222, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "uscipitl" ] }, { - "@timestamp": "2017-07-11T02:00:00.000Z", + "@timestamp": "2019-07-11T04:45:07.000Z", + "destination.ip": [ + "10.54.37.86" + ], + "destination.port": 5089, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 11 2017/07/11 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown", + 
"event.original": "July 11 02:45:07 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "uisa5736.internal.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10104, + "log.offset": 10030, + "network.direction": "sau", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6867, + "related.ip": [ + "10.54.37.86", + "10.58.64.108" + ], + "rsa.counters.dclass_c1": 1865, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2017-07-11T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "uisa5736.internal.local" + ], + "rsa.network.domain": "sau4293.www.corp", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "server.domain": "sau4293.www.corp", "service.type": "fortinet", + "source.ip": [ + "10.58.64.108" + ], + "source.port": 1540, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "dolorsit" ] }, { - "@timestamp": "2017-07-25T02:00:00.000Z", + "@timestamp": "2019-07-25T11:47:41.000Z", + "destination.ip": [ + "10.159.119.34" + ], + "destination.port": 6197, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 25 2017/07/25 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed 
pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown", + "event.original": "July 25 09:47:41 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "uptate2244.api.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10370, + "log.offset": 10294, + "network.direction": "proide", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7536, + "related.ip": [ + "10.159.119.34", + "10.205.228.138" + ], + "rsa.counters.dclass_c1": 3714, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-07-25T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "uptate2244.api.lan" + ], + "rsa.network.domain": "boreetdo7005.www5.home", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "server.domain": "boreetdo7005.www5.home", "service.type": "fortinet", + "source.ip": [ + "10.205.228.138" + ], + "source.port": 3854, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "aquae" ] }, { - "@timestamp": "2017-08-08T02:00:00.000Z", + "@timestamp": "2019-08-08T18:50:15.000Z", + "destination.ip": [ + "10.29.133.28" + ], + "destination.port": 1085, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 8 
2017/08/08 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown", + "event.original": "August 8 16:50:15 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "veli2530.www.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10646, + "log.offset": 10568, + "network.direction": "ctetura", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5433, + "related.ip": [ + "10.163.93.20", + "10.29.133.28" + ], + "rsa.counters.dclass_c1": 2486, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2017-08-08T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "veli2530.www.host" + ], + "rsa.network.domain": "stla1871.www5.local", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "server.domain": "stla1871.www5.local", "service.type": "fortinet", + "source.ip": [ + "10.163.93.20" + ], + "source.port": 2382, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "tpersp" ] }, { - "@timestamp": "2017-08-22T02:00:00.000Z", + "@timestamp": "2019-08-23T01:52:50.000Z", + "destination.ip": [ + "10.50.0.61" + ], + "destination.port": 5905, + "event.action": "deny", "event.code": 
"pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 22 2017/08/22 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown", + "event.original": "August 22 23:52:50 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tiaec5551.www.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10914, + "log.offset": 10834, + "network.direction": "lorsita", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 658, + "related.ip": [ + "10.113.30.163", + "10.50.0.61" + ], + "rsa.counters.dclass_c1": 2019, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2017-08-22T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tiaec5551.www.local" + ], + "rsa.network.domain": "onsecte587.localdomain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "server.domain": "onsecte587.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.113.30.163" + ], + "source.port": 6110, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "dolore" ] }, { - "@timestamp": "2017-09-06T02:00:00.000Z", + "@timestamp": 
"2019-09-06T08:55:24.000Z", + "destination.ip": [ + "10.30.47.165" + ], + "destination.port": 3801, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 6 2017/09/06 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown", + "event.original": "September 6 06:55:24 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ate7247.www5.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 11183, + "log.offset": 11101, + "network.direction": "par", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6827, + "related.ip": [ + "10.39.145.136", + "10.30.47.165" + ], + "rsa.counters.dclass_c1": 992, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2017-09-06T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ate7247.www5.local" + ], + "rsa.network.domain": "hit3912.www5.localhost", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "server.domain": "hit3912.www5.localhost", "service.type": "fortinet", + "source.ip": [ + "10.39.145.136" + ], + "source.port": 631, 
"tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "invo" ] }, { - "@timestamp": "2017-09-20T02:00:00.000Z", + "@timestamp": "2019-09-20T15:57:58.000Z", + "destination.ip": [ + "10.36.112.145" + ], + "destination.port": 7122, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 20 2017/09/20 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success", + "event.original": "September 20 13:57:58 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "proiden887.mail.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 11456, + "log.offset": 11372, + "network.direction": "onemulla", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 246, + "related.ip": [ + "10.36.112.145", + "10.30.25.84" + ], + "rsa.counters.dclass_c1": 5608, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-09-20T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "proiden887.mail.example" + ], + "rsa.network.domain": "rauto112.www.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", 
+ "server.domain": "rauto112.www.host", "service.type": "fortinet", + "source.ip": [ + "10.30.25.84" + ], + "source.port": 238, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "bor" ] }, { - "@timestamp": "2017-10-04T02:00:00.000Z", + "@timestamp": "2019-10-04T23:00:32.000Z", + "destination.ip": [ + "10.162.114.217" + ], + "destination.port": 7503, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 4 2017/10/04 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure", + "event.original": "October 4 21:00:32 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "osqui2751.api.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 11730, + "log.offset": 11644, + "network.direction": "inimveni", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1276, + "related.ip": [ + "10.97.96.177", + "10.162.114.217" + ], + "rsa.counters.dclass_c1": 2826, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2017-10-04T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "osqui2751.api.home" + ], + 
"rsa.network.domain": "umexerc5717.internal.host", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "server.domain": "umexerc5717.internal.host", "service.type": "fortinet", + "source.ip": [ + "10.97.96.177" + ], + "source.port": 1859, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "itse" ] }, { - "@timestamp": "2017-10-19T02:00:00.000Z", + "@timestamp": "2019-10-19T06:03:07.000Z", + "destination.ip": [ + "10.140.7.83" + ], + "destination.port": 3298, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 19 2017/10/19 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown", + "event.original": "October 19 04:03:07 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ccaeca5504.internal.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 12003, + "log.offset": 11915, + "network.direction": "con", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2189, + "related.ip": [ + "10.140.7.83", + "10.229.71.175" + ], + "rsa.counters.dclass_c1": 4969, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2017-10-19T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": 
"ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ccaeca5504.internal.example" + ], + "rsa.network.domain": "quamest2520.localdomain", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "server.domain": "quamest2520.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.229.71.175" + ], + "source.port": 3856, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "eseru" ] }, { - "@timestamp": "2017-11-02T02:00:00.000Z", + "@timestamp": "2019-11-02T13:05:41.000Z", + "destination.ip": [ + "10.149.13.76" + ], + "destination.port": 2000, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 2 2017/11/02 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown", + "event.original": "November 2 11:05:41 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "mex2054.mail.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 12276, + "log.offset": 12186, + "network.direction": "iaeco", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1478, + "related.ip": [ + "10.149.13.76", + "10.232.254.65" + ], + "rsa.counters.dclass_c1": 7037, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": 
"2017-11-02T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "mex2054.mail.corp" + ], + "rsa.network.domain": "dictasun2399.internal.example", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "server.domain": "dictasun2399.internal.example", "service.type": "fortinet", + "source.ip": [ + "10.232.254.65" + ], + "source.port": 7809, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "itesseq" ] }, { - "@timestamp": "2017-11-16T02:00:00.000Z", + "@timestamp": "2019-11-16T20:08:15.000Z", + "destination.ip": [ + "10.90.33.138" + ], + "destination.port": 7876, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 16 2017/11/16 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown", + "event.original": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tetur2694.mail.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 12553, + "log.offset": 12461, + "network.direction": "xeaco", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5524, + "related.ip": [ + "10.40.251.202", + "10.90.33.138" + ], + 
"rsa.counters.dclass_c1": 4762, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2017-11-16T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tetur2694.mail.local" + ], + "rsa.network.domain": "rcitat364.mail.lan", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "server.domain": "rcitat364.mail.lan", "service.type": "fortinet", + "source.ip": [ + "10.40.251.202" + ], + "source.port": 5733, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "amcor" ] }, { - "@timestamp": "2017-12-01T02:00:00.000Z", + "@timestamp": "2019-12-01T03:10:49.000Z", + "destination.ip": [ + "10.243.237.151" + ], + "destination.port": 6296, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 1 2017/12/01 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success", + "event.original": "December 1 01:10:49 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tur4900.www5.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 12823, + "log.offset": 12729, + "network.direction": "spernatu", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", + "process.pid": 4003, + "related.ip": [ + "10.98.194.212", + "10.243.237.151" + ], + "rsa.counters.dclass_c1": 5539, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2017-12-01T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tur4900.www5.lan" + ], + "rsa.network.domain": "quunt2072.home", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "server.domain": "quunt2072.home", "service.type": "fortinet", + "source.ip": [ + "10.98.194.212" + ], + "source.port": 6941, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "eri" ] }, { - "@timestamp": "2017-12-15T02:00:00.000Z", + "@timestamp": "2019-12-15T10:13:24.000Z", + "destination.ip": [ + "10.28.84.106" + ], + "destination.port": 4844, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 15 2017/12/15 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure", + "event.original": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "emqu2846.internal.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13090, + "log.offset": 12994, + 
"network.direction": "leumiu", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1609, + "related.ip": [ + "10.28.84.106", + "10.193.233.229" + ], + "rsa.counters.dclass_c1": 3030, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2017-12-15T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "emqu2846.internal.home" + ], + "rsa.network.domain": "uaeratv3432.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "server.domain": "uaeratv3432.invalid", "service.type": "fortinet", + "source.ip": [ + "10.193.233.229" + ], + "source.port": 2859, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "luptatem" ] }, { - "@timestamp": "2017-12-29T02:00:00.000Z", + "@timestamp": "2019-12-29T17:15:58.000Z", + "destination.ip": [ + "10.85.185.13" + ], + "destination.port": 7793, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 29 2017/12/29 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure", + "event.original": "December 29 15:15:58 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure", + "event.outcome": "Failure", 
"fileset.name": "clientendpoint", + "host.name": "giatquov1918.internal.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13368, + "log.offset": 13270, + "network.direction": "maliquam", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7224, + "related.ip": [ + "10.180.195.43", + "10.85.185.13" + ], + "rsa.counters.dclass_c1": 2147, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2017-12-29T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "giatquov1918.internal.example" + ], + "rsa.network.domain": "lores627.www.invalid", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "server.domain": "lores627.www.invalid", "service.type": "fortinet", + "source.ip": [ + "10.180.195.43" + ], + "source.port": 4540, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "atione" ] }, { - "@timestamp": "2018-01-12T02:00:00.000Z", + "@timestamp": "2020-01-13T00:18:32.000Z", + "destination.ip": [ + "10.201.237.233" + ], + "destination.port": 3023, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 12 2018/01/12 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success", + "event.original": "January 12 22:18:32 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 
dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "mmodoc4947.internal.test", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13662, + "log.offset": 13562, + "network.direction": "oluptas", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3421, + "related.ip": [ + "10.107.45.175", + "10.201.237.233" + ], + "rsa.counters.dclass_c1": 6981, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2018-01-12T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "mmodoc4947.internal.test" + ], + "rsa.network.domain": "lor4040.localhost", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "server.domain": "lor4040.localhost", "service.type": "fortinet", + "source.ip": [ + "10.107.45.175" + ], + "source.port": 4593, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "aeconseq" ] }, { - "@timestamp": "2018-01-27T02:00:00.000Z", + "@timestamp": "2020-01-27T07:21:06.000Z", + "destination.ip": [ + "10.196.206.130" + ], + "destination.port": 1725, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 27 2018/01/27 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 
logon_user=isn@sBono898.localdomain msg=unknown", + "event.original": "January 27 05:21:06 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "itaedict7233.mail.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13950, + "log.offset": 13848, + "network.direction": "uov", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7867, + "related.ip": [ + "10.239.80.120", + "10.196.206.130" + ], + "rsa.counters.dclass_c1": 3896, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-01-27T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "itaedict7233.mail.localdomain" + ], + "rsa.network.domain": "sBono898.localdomain", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "server.domain": "sBono898.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.239.80.120" + ], + "source.port": 2741, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "isn" ] }, { - "@timestamp": "2018-02-10T02:00:00.000Z", + "@timestamp": "2020-02-10T14:23:41.000Z", + "destination.ip": [ + "10.47.24.77" + ], + "destination.port": 1919, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 10 2018/02/10 ore1441.home proto=ipv6 
service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown", + "event.original": "February 10 12:23:41 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ore1441.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 14230, + "log.offset": 14126, + "network.direction": "uiadol", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6717, + "related.ip": [ + "10.234.222.214", + "10.47.24.77" + ], + "rsa.counters.dclass_c1": 6068, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2018-02-10T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ore1441.home" + ], + "rsa.network.domain": "tate6291.mail.invalid", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "server.domain": "tate6291.mail.invalid", "service.type": "fortinet", + "source.ip": [ + "10.234.222.214" + ], + "source.port": 4614, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ntNeq" ] }, { - "@timestamp": "2018-02-24T02:00:00.000Z", + "@timestamp": "2020-02-24T21:26:15.000Z", + "destination.ip": [ + "10.139.127.232" + ], + "destination.port": 1812, + "event.action": "deny", "event.code": "http", 
"event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 24 2018/02/24 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success", + "event.original": "February 24 19:26:15 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "onevo3446.www5.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 14499, + "log.offset": 14393, + "network.direction": "tlaboree", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4116, + "related.ip": [ + "10.139.127.232", + "10.202.7.89" + ], + "rsa.counters.dclass_c1": 6412, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2018-02-24T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "onevo3446.www5.host" + ], + "rsa.network.domain": "mod4104.api.localdomain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "server.domain": "mod4104.api.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.202.7.89" + ], + "source.port": 2179, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "osquir" ] }, { - "@timestamp": "2018-03-11T02:00:00.000Z", + "@timestamp": 
"2020-03-11T04:28:49.000Z", + "destination.ip": [ + "10.40.35.49" + ], + "destination.port": 3071, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 11 2018/03/11 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success", + "event.original": "March 11 02:28:49 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "lloin4019.www.localhost", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 14780, + "log.offset": 14672, + "network.direction": "volupta", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3178, + "related.ip": [ + "10.130.241.232", + "10.40.35.49" + ], + "rsa.counters.dclass_c1": 3552, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-03-11T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "lloin4019.www.localhost" + ], + "rsa.network.domain": "aaliq221.mail.localdomain", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "server.domain": "aaliq221.mail.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.130.241.232" + ], + "source.port": 
3112, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "aturQu" ] }, { - "@timestamp": "2018-03-25T02:00:00.000Z", + "@timestamp": "2020-03-25T11:31:24.000Z", + "destination.ip": [ + "10.167.252.183" + ], + "destination.port": 5107, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 25 2018/03/25 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown", + "event.original": "March 25 09:31:24 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "iciad7874.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 15058, + "log.offset": 14948, + "network.direction": "dexerc", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5735, + "related.ip": [ + "10.167.252.183", + "10.157.196.101" + ], + "rsa.counters.dclass_c1": 2302, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2018-03-25T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "iciad7874.localdomain" + ], + "rsa.network.domain": "metcons6200.mail.corp", + "rsa.network.network_service": "pop3", + 
"rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "server.domain": "metcons6200.mail.corp", "service.type": "fortinet", + "source.ip": [ + "10.157.196.101" + ], + "source.port": 2003, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "tatem" ] }, { - "@timestamp": "2018-04-08T02:00:00.000Z", + "@timestamp": "2020-04-08T18:33:58.000Z", + "destination.ip": [ + "10.46.56.204" + ], + "destination.port": 5070, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 8 2018/04/08 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure", + "event.original": "April 8 16:33:58 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "queips4947.mail.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 15342, + "log.offset": 15230, + "network.direction": "quames", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7079, + "related.ip": [ + "10.46.56.204", + "10.97.149.97" + ], + "rsa.counters.dclass_c1": 3665, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-04-08T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": 
[ + "queips4947.mail.example" + ], + "rsa.network.domain": "aincidun2168.api.invalid", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "server.domain": "aincidun2168.api.invalid", "service.type": "fortinet", + "source.ip": [ + "10.97.149.97" + ], + "source.port": 2463, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "esseq" ] }, { - "@timestamp": "2018-04-22T02:00:00.000Z", + "@timestamp": "2020-04-23T01:36:32.000Z", + "destination.ip": [ + "10.151.129.181" + ], + "destination.port": 5773, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 22 2018/04/22 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 logon_user=nesciun@saqu6897.mail.lan msg=failure", + "event.original": "April 22 23:36:32 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 logon_user=nesciun@saqu6897.mail.lan msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "itq494.api.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 15611, + "log.offset": 15497, + "network.direction": "mdolore", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5026, + "related.ip": [ + "10.151.129.181", + "10.28.105.124" + ], + "rsa.counters.dclass_c1": 2604, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2018-04-22T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "itq494.api.lan" + ], + "rsa.network.domain": "saqu6897.mail.lan", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "server.domain": "saqu6897.mail.lan", "service.type": "fortinet", + "source.ip": [ + "10.28.105.124" + ], + "source.port": 3889, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "nesciun" ] }, { - "@timestamp": "2018-05-07T02:00:00.000Z", + "@timestamp": "2020-05-07T08:39:06.000Z", + "destination.ip": [ + "10.145.101.26" + ], + "destination.port": 2559, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 7 2018/05/07 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown", + "event.original": "May 7 06:39:06 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "autfugi4010.internal.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 15875, + "log.offset": 15759, + "network.direction": "boNem", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3992, + "related.ip": [ + "10.128.63.143", + "10.145.101.26" + ], + "rsa.counters.dclass_c1": 5137, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - 
"rsa.time.event_time": "2018-05-07T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "autfugi4010.internal.invalid" + ], + "rsa.network.domain": "animid1644.www5.lan", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "server.domain": "animid1644.www5.lan", "service.type": "fortinet", + "source.ip": [ + "10.128.63.143" + ], + "source.port": 7596, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ssusci" ] }, { - "@timestamp": "2018-05-21T02:00:00.000Z", + "@timestamp": "2020-05-21T15:41:41.000Z", + "destination.ip": [ + "10.62.229.89" + ], + "destination.port": 5348, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 21 2018/05/21 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure", + "event.original": "May 21 13:41:41 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "roquisqu1205.api.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 16150, + "log.offset": 16032, + "network.direction": "tsuntinc", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5140, + "related.ip": [ + "10.62.229.89", + 
"10.2.244.159" + ], + "rsa.counters.dclass_c1": 2159, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2018-05-21T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "roquisqu1205.api.domain" + ], + "rsa.network.domain": "erspi5757.local", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "server.domain": "erspi5757.local", "service.type": "fortinet", + "source.ip": [ + "10.2.244.159" + ], + "source.port": 951, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "inBCSedu" ] }, { - "@timestamp": "2018-06-04T02:00:00.000Z", + "@timestamp": "2020-06-04T22:44:15.000Z", + "destination.ip": [ + "10.54.83.119" + ], + "destination.port": 338, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 4 2018/06/04 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure", + "event.original": "June 4 20:44:15 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "quaeab2653.mail.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 16418, + "log.offset": 16298, + "network.direction": "stlaboru", + "network.protocol": "rdp", 
"observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 315, + "related.ip": [ + "10.54.83.119", + "10.250.19.146" + ], + "rsa.counters.dclass_c1": 7074, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2018-06-04T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "quaeab2653.mail.localdomain" + ], + "rsa.network.domain": "xeacom7662.www.test", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "server.domain": "xeacom7662.www.test", "service.type": "fortinet", + "source.ip": [ + "10.250.19.146" + ], + "source.port": 5283, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "radi" ] }, { - "@timestamp": "2018-06-19T02:00:00.000Z", + "@timestamp": "2020-06-19T05:46:49.000Z", + "destination.ip": [ + "10.1.96.93" + ], + "destination.port": 428, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 19 2018/06/19 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success", + "event.original": "June 19 03:46:49 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ptasnula6576.api.invalid", "input.type": "log", 
- "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 16695, + "log.offset": 16573, + "network.direction": "uptate", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5398, + "related.ip": [ + "10.1.96.93", + "10.54.73.158" + ], + "rsa.counters.dclass_c1": 1049, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2018-06-19T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ptasnula6576.api.invalid" + ], + "rsa.network.domain": "orsi7617.www5.corp", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "server.domain": "orsi7617.www5.corp", "service.type": "fortinet", + "source.ip": [ + "10.54.73.158" + ], + "source.port": 5752, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "snos" ] }, { - "@timestamp": "2018-07-03T02:00:00.000Z", + "@timestamp": "2020-07-03T12:49:23.000Z", + "destination.ip": [ + "10.94.114.83" + ], + "destination.port": 4803, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 3 2018/07/03 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure", + "event.original": "July 3 10:49:23 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 
logon_user=dolores@equamnih6028.localdomain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "msequ4308.api.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 16967, + "log.offset": 16843, + "network.direction": "tessequa", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3411, + "related.ip": [ + "10.94.114.83", + "10.126.87.182" + ], + "rsa.counters.dclass_c1": 291, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2018-07-03T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "msequ4308.api.localdomain" + ], + "rsa.network.domain": "equamnih6028.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "server.domain": "equamnih6028.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.126.87.182" + ], + "source.port": 1043, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "dolores" ] }, { - "@timestamp": "2018-07-17T02:00:00.000Z", + "@timestamp": "2019-07-17T19:51:58.000Z", + "destination.ip": [ + "10.38.28.151" + ], + "destination.port": 347, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 17 2018/07/17 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success", + "event.original": "July 17 17:51:58 dolorema2984.www.home proto=ipv6 service=smtp status=deny 
src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "dolorema2984.www.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 17252, + "log.offset": 17126, + "network.direction": "tali", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2649, + "related.ip": [ + "10.206.165.83", + "10.38.28.151" + ], + "rsa.counters.dclass_c1": 2124, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-07-17T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "dolorema2984.www.home" + ], + "rsa.network.domain": "iqu7509.api.corp", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "server.domain": "iqu7509.api.corp", "service.type": "fortinet", + "source.ip": [ + "10.206.165.83" + ], + "source.port": 3736, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "erspi" ] }, { - "@timestamp": "2018-08-01T02:00:00.000Z", + "@timestamp": "2019-08-01T02:54:32.000Z", + "destination.ip": [ + "10.77.229.168" + ], + "destination.port": 3777, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 1 2018/08/01 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain 
msg=failure", + "event.original": "August 1 00:54:32 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "fugits1163.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 17511, + "log.offset": 17383, + "network.direction": "magnid", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6064, + "related.ip": [ + "10.77.229.168", + "10.181.247.224" + ], + "rsa.counters.dclass_c1": 3343, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2018-08-01T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "fugits1163.host" + ], + "rsa.network.domain": "tesseq7693.localdomain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "server.domain": "tesseq7693.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.181.247.224" + ], + "source.port": 260, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ame" ] }, { - "@timestamp": "2018-08-15T02:00:00.000Z", + "@timestamp": "2019-08-15T09:57:06.000Z", + "destination.ip": [ + "10.57.85.98" + ], + "destination.port": 1444, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 15 2018/08/15 tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 
server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown", + "event.original": "August 15 07:57:06 tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tdolore388.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 17776, + "log.offset": 17646, + "network.direction": "mol", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5493, + "related.ip": [ + "10.42.252.243", + "10.57.85.98" + ], + "rsa.counters.dclass_c1": 4145, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-08-15T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tdolore388.localdomain" + ], + "rsa.network.domain": "imad4450.internal.example", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "server.domain": "imad4450.internal.example", "service.type": "fortinet", + "source.ip": [ + "10.42.252.243" + ], + "source.port": 3286, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "nisiu" ] }, { - "@timestamp": "2018-08-29T02:00:00.000Z", + "@timestamp": "2019-08-29T16:59:40.000Z", + "destination.ip": [ + "10.193.66.155" + ], + "destination.port": 4965, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": 
"August 29 2018/08/29 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure", + "event.original": "August 29 14:59:40 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "olest5343.mail.corp", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 18048, + "log.offset": 17916, + "network.direction": "equaturv", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2913, + "related.ip": [ + "10.193.66.155", + "10.7.43.184" + ], + "rsa.counters.dclass_c1": 1129, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2018-08-29T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "olest5343.mail.corp" + ], + "rsa.network.domain": "maccusa7248.www.home", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", + "server.domain": "maccusa7248.www.home", "service.type": "fortinet", + "source.ip": [ + "10.7.43.184" + ], + "source.port": 7278, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "tobeatae" ] }, { - "@timestamp": "2018-09-12T02:00:00.000Z", + "@timestamp": "2019-09-13T00:02:15.000Z", + "destination.ip": [ + "10.81.234.34" + ], + "destination.port": 1710, + "event.action": 
"deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 12 2018/09/12 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure", + "event.original": "September 12 22:02:15 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "uradi3827.mail.localhost", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 18316, + "log.offset": 18182, + "network.direction": "diduntu", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1526, + "related.ip": [ + "10.196.96.162", + "10.81.234.34" + ], + "rsa.counters.dclass_c1": 4798, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2018-09-12T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "uradi3827.mail.localhost" + ], + "rsa.network.domain": "ess3889.www5.localhost", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "server.domain": "ess3889.www5.localhost", "service.type": "fortinet", + "source.ip": [ + "10.196.96.162" + ], + "source.port": 7349, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + 
"user.name": [ + "aliqui" ] }, { - "@timestamp": "2018-09-27T02:00:00.000Z", + "@timestamp": "2019-09-27T07:04:49.000Z", + "destination.ip": [ + "10.77.78.180" + ], + "destination.port": 5380, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 27 2018/09/27 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure", + "event.original": "September 27 05:04:49 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "abor1370.www.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 18608, + "log.offset": 18472, + "network.direction": "niamquis", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4984, + "related.ip": [ + "10.97.236.123", + "10.77.78.180" + ], + "rsa.counters.dclass_c1": 1471, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2018-09-27T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "abor1370.www.domain" + ], + "rsa.network.domain": "runtmo438.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "server.domain": "runtmo438.invalid", 
"service.type": "fortinet", + "source.ip": [ + "10.97.236.123" + ], + "source.port": 5159, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ptatems" ] }, { - "@timestamp": "2018-10-11T02:00:00.000Z", + "@timestamp": "2019-10-11T14:07:23.000Z", + "destination.ip": [ + "10.108.45.59" + ], + "destination.port": 7229, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 11 2018/10/11 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", + "event.original": "October 11 12:07:23 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tas6029.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 18886, + "log.offset": 18748, + "network.direction": "edictasu", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2162, + "related.ip": [ + "10.118.82.34", + "10.108.45.59" + ], + "rsa.counters.dclass_c1": 5362, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-10-11T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tas6029.lan" + ], + "rsa.network.domain": "sedquiac6517.internal.localhost", + 
"rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-10-11T14:07:23.000Z", + "server.domain": "sedquiac6517.internal.localhost", "service.type": "fortinet", + "source.ip": [ + "10.118.82.34" + ], + "source.port": 5129, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "olorem" ] }, { - "@timestamp": "2018-10-25T02:00:00.000Z", + "@timestamp": "2019-10-25T21:09:57.000Z", + "destination.ip": [ + "10.170.252.219" + ], + "destination.port": 2454, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 25 2018/10/25 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure", + "event.original": "October 25 19:09:57 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "squirati7050.www5.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 19161, + "log.offset": 19021, + "network.direction": "cive", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4020, + "related.ip": [ + "10.170.252.219", + "10.180.180.230" + ], + "rsa.counters.dclass_c1": 2292, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2018-10-25T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + 
"deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "squirati7050.www5.lan" + ], + "rsa.network.domain": "nisiuta905.www5.home", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "server.domain": "nisiuta905.www5.home", "service.type": "fortinet", + "source.ip": [ + "10.180.180.230" + ], + "source.port": 4147, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "orumSec" ] }, { - "@timestamp": "2018-11-09T02:00:00.000Z", + "@timestamp": "2019-11-09T04:12:32.000Z", + "destination.ip": [ + "10.83.119.181" + ], + "destination.port": 5693, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 9 2018/11/09 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success", + "event.original": "November 9 02:12:32 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tiaecon5380.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 19438, + "log.offset": 19296, + "network.direction": "reseosqu", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7553, + "related.ip": [ + "10.123.74.66", + "10.83.119.181" + ], + "rsa.counters.dclass_c1": 1629, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2018-11-09T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tiaecon5380.lan" + ], + "rsa.network.domain": "utemvel5325.host", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "server.domain": "utemvel5325.host", "service.type": "fortinet", + "source.ip": [ + "10.123.74.66" + ], + "source.port": 6984, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ursin" ] }, { - "@timestamp": "2018-11-23T02:00:00.000Z", + "@timestamp": "2019-11-23T11:15:06.000Z", + "destination.ip": [ + "10.141.143.56" + ], + "destination.port": 2442, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 23 2018/11/23 iam7526.mail.test proto=icmp service=smtp status=deny src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure", + "event.original": "November 23 09:15:06 iam7526.mail.test proto=icmp service=smtp status=deny src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "iam7526.mail.test", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 19701, + "log.offset": 19557, + "network.direction": "licaboNe", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3628, + "related.ip": [ + "10.141.143.56", + "10.225.255.211" + ], + "rsa.counters.dclass_c1": 5104, + "rsa.counters.dclass_c1_str": "block_count", 
"rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-11-23T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "iam7526.mail.test" + ], + "rsa.network.domain": "nat4367.www5.example", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-11-23T11:15:06.000Z", + "server.domain": "nat4367.www5.example", "service.type": "fortinet", + "source.ip": [ + "10.225.255.211" + ], + "source.port": 4076, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "aaliq" ] }, { - "@timestamp": "2018-12-07T02:00:00.000Z", + "@timestamp": "2019-12-07T18:17:40.000Z", + "destination.ip": [ + "10.219.1.151" + ], + "destination.port": 4323, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 7 2018/12/07 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success", + "event.original": "December 7 16:17:40 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "dolor7082.internal.localhost", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 19976, + "log.offset": 19830, + "network.direction": "itametc", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6311, + 
"related.ip": [ + "10.219.1.151", + "10.250.81.189" + ], + "rsa.counters.dclass_c1": 3006, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2018-12-07T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "dolor7082.internal.localhost" + ], + "rsa.network.domain": "remipsu2220.corp", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-12-07T18:17:40.000Z", + "server.domain": "remipsu2220.corp", "service.type": "fortinet", + "source.ip": [ + "10.250.81.189" + ], + "source.port": 5404, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "olup" ] }, { - "@timestamp": "2018-12-21T02:00:00.000Z", + "@timestamp": "2019-12-22T01:20:14.000Z", + "destination.ip": [ + "10.189.42.62" + ], + "destination.port": 4262, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 21 2018/12/21 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure", + "event.original": "December 21 23:20:14 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "laborum5749.www.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 20251, + "log.offset": 20103, + "network.direction": "emp", + 
"network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2780, + "related.ip": [ + "10.189.42.62", + "10.36.110.69" + ], + "rsa.counters.dclass_c1": 2563, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2018-12-21T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "laborum5749.www.example" + ], + "rsa.network.domain": "temporai6835.www5.host", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "server.domain": "temporai6835.www5.host", "service.type": "fortinet", + "source.ip": [ + "10.36.110.69" + ], + "source.port": 4187, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "roquisq" ] }, { - "@timestamp": "2019-01-05T02:00:00.000Z", + "@timestamp": "2020-01-05T08:22:49.000Z", + "destination.ip": [ + "10.202.132.214" + ], + "destination.port": 3392, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 5 2019/01/05 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure", + "event.original": "January 5 06:22:49 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": 
"urerepre1960.www5.localhost", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 20527, + "log.offset": 20377, + "network.direction": "isiutali", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2581, + "related.ip": [ + "10.179.147.45", + "10.202.132.214" + ], + "rsa.counters.dclass_c1": 3575, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-01-05T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "urerepre1960.www5.localhost" + ], + "rsa.network.domain": "Nemoenim1325.lan", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "server.domain": "Nemoenim1325.lan", "service.type": "fortinet", + "source.ip": [ + "10.179.147.45" + ], + "source.port": 2208, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "stquidol" ] }, { - "@timestamp": "2019-01-19T02:00:00.000Z", + "@timestamp": "2020-01-19T15:25:23.000Z", + "destination.ip": [ + "10.169.98.165" + ], + "destination.port": 6084, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 19 2019/01/19 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success", + "event.original": "January 19 13:25:23 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 
app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "evitae7333.www.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 20817, + "log.offset": 20665, + "network.direction": "quas", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2280, + "related.ip": [ + "10.51.221.217", + "10.169.98.165" + ], + "rsa.counters.dclass_c1": 3630, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-01-19T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "evitae7333.www.lan" + ], + "rsa.network.domain": "cillu7822.mail.localhost", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "server.domain": "cillu7822.mail.localhost", "service.type": "fortinet", + "source.ip": [ + "10.51.221.217" + ], + "source.port": 6833, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "metco" ] }, { - "@timestamp": "2019-02-02T02:00:00.000Z", + "@timestamp": "2020-02-02T22:27:57.000Z", + "destination.ip": [ + "10.85.104.146" + ], + "destination.port": 4438, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 2 2019/02/02 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown", + "event.original": "February 
2 20:27:57 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "orp5697.www.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 21101, + "log.offset": 20947, + "network.direction": "agnamal", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4887, + "related.ip": [ + "10.243.6.41", + "10.85.104.146" + ], + "rsa.counters.dclass_c1": 73, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-02-02T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "orp5697.www.invalid" + ], + "rsa.network.domain": "emp1636.www.invalid", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "server.domain": "emp1636.www.invalid", "service.type": "fortinet", + "source.ip": [ + "10.243.6.41" + ], + "source.port": 780, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "emacc" ] }, { - "@timestamp": "2019-02-17T02:00:00.000Z", + "@timestamp": "2020-02-17T05:30:32.000Z", + "destination.ip": [ + "10.30.246.132" + ], + "destination.port": 388, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 17 2019/02/17 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 
app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown", + "event.original": "February 17 03:30:32 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "rumet6923.www5.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 21371, + "log.offset": 21215, + "network.direction": "esse", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3990, + "related.ip": [ + "10.208.18.210", + "10.30.246.132" + ], + "rsa.counters.dclass_c1": 3795, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-02-17T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "rumet6923.www5.lan" + ], + "rsa.network.domain": "pariatur7238.www5.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "server.domain": "pariatur7238.www5.invalid", "service.type": "fortinet", + "source.ip": [ + "10.208.18.210" + ], + "source.port": 3601, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "osqu" ] }, { - "@timestamp": "2019-03-03T02:00:00.000Z", + "@timestamp": "2020-03-03T12:33:06.000Z", + "destination.ip": [ + "10.167.9.200" + ], + "destination.port": 4568, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 3 2019/03/03 orum5045.domain 
proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure", + "event.original": "March 3 10:33:06 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "orum5045.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 21643, + "log.offset": 21485, + "network.direction": "veleumi", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2068, + "related.ip": [ + "10.167.9.200", + "10.37.174.58" + ], + "rsa.counters.dclass_c1": 4337, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-03-03T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "orum5045.domain" + ], + "rsa.network.domain": "oluptate6978.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "server.domain": "oluptate6978.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.37.174.58" + ], + "source.port": 4003, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "tvol" ] }, { - "@timestamp": "2019-03-17T02:00:00.000Z", + "@timestamp": "2020-03-17T19:35:40.000Z", + "destination.ip": [ + "10.251.29.244" + ], + "destination.port": 919, + "event.action": "deny", "event.code": 
"ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 17 2019/03/17 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure", + "event.original": "March 17 17:35:40 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "iciade3900.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 21914, + "log.offset": 21754, + "network.direction": "oloree", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6261, + "related.ip": [ + "10.251.29.244", + "10.221.220.148" + ], + "rsa.counters.dclass_c1": 355, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-03-17T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "iciade3900.example" + ], + "rsa.network.domain": "teir7585.www5.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "server.domain": "teir7585.www5.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.221.220.148" + ], + "source.port": 98, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ptate" ] }, { - "@timestamp": 
"2019-04-01T02:00:00.000Z", + "@timestamp": "2020-04-01T02:38:14.000Z", + "destination.ip": [ + "10.189.82.19" + ], + "destination.port": 4057, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 1 2019/04/01 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success", + "event.original": "April 1 00:38:14 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "texpli7157.mail.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 22194, + "log.offset": 22032, + "network.direction": "tur", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 1816, + "related.ip": [ + "10.189.82.19", + "10.198.143.216" + ], + "rsa.counters.dclass_c1": 5914, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-04-01T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "texpli7157.mail.invalid" + ], + "rsa.network.domain": "tassita6539.www.lan", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "server.domain": "tassita6539.www.lan", "service.type": "fortinet", + 
"source.ip": [ + "10.198.143.216" + ], + "source.port": 4267, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "iamqui" ] }, { - "@timestamp": "2019-04-15T02:00:00.000Z", + "@timestamp": "2020-04-15T09:40:49.000Z", + "destination.ip": [ + "10.70.29.203" + ], + "destination.port": 6317, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 15 2019/04/15 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success", + "event.original": "April 15 07:40:49 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "CSe7575.www5.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 22467, + "log.offset": 22303, + "network.direction": "minimve", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4386, + "related.ip": [ + "10.141.216.14", + "10.70.29.203" + ], + "rsa.counters.dclass_c1": 2465, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2019-04-15T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "CSe7575.www5.example" + ], + "rsa.network.domain": "duntutla4724.www.host", + "rsa.network.network_service": "smtp", + 
"rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "server.domain": "duntutla4724.www.host", "service.type": "fortinet", + "source.ip": [ + "10.141.216.14" + ], + "source.port": 5994, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "dese" ] }, { - "@timestamp": "2019-04-29T02:00:00.000Z", + "@timestamp": "2020-04-29T16:43:23.000Z", + "destination.ip": [ + "10.137.85.123" + ], + "destination.port": 7073, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 29 2019/04/29 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure", + "event.original": "April 29 14:43:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "abori7686.internal.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 22735, + "log.offset": 22569, + "network.direction": "uinesc", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2313, + "related.ip": [ + "10.183.243.246", + "10.137.85.123" + ], + "rsa.counters.dclass_c1": 4248, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-04-29T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + 
"rsa.network.alias_host": [ + "abori7686.internal.host" + ], + "rsa.network.domain": "onev595.mail.domain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "server.domain": "onev595.mail.domain", "service.type": "fortinet", + "source.ip": [ + "10.183.243.246" + ], + "source.port": 218, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "idatat" ] }, { - "@timestamp": "2019-05-13T02:00:00.000Z", + "@timestamp": "2020-05-13T23:45:57.000Z", + "destination.ip": [ + "10.158.54.131" + ], + "destination.port": 1585, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 13 2019/05/13 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown", + "event.original": "May 13 21:45:57 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "sis3986.internal.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 23010, + "log.offset": 22842, + "network.direction": "lupta", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7353, + "related.ip": [ + "10.158.54.131", + "10.10.86.55" + ], + "rsa.counters.dclass_c1": 7608, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-05-13T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "sis3986.internal.lan" + ], + "rsa.network.domain": "midestl7500.www.home", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "server.domain": "midestl7500.www.home", "service.type": "fortinet", + "source.ip": [ + "10.10.86.55" + ], + "source.port": 911, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "tatevel" ] }, { - "@timestamp": "2019-05-28T02:00:00.000Z", + "@timestamp": "2020-05-28T06:48:31.000Z", + "destination.ip": [ + "10.187.170.23" + ], + "destination.port": 3220, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 28 2019/05/28 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown", + "event.original": "May 28 04:48:31 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "oremeumf32.www.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 23277, + "log.offset": 23107, + "network.direction": "dolor", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7182, + "related.ip": [ + "10.187.170.23", + "10.105.136.146" + ], + "rsa.counters.dclass_c1": 5957, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": 
"2019-05-28T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "oremeumf32.www.lan" + ], + "rsa.network.domain": "mquis5526.mail.test", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "server.domain": "mquis5526.mail.test", "service.type": "fortinet", + "source.ip": [ + "10.105.136.146" + ], + "source.port": 541, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "uatu" ] }, { - "@timestamp": "2019-06-11T02:00:00.000Z", + "@timestamp": "2020-06-11T13:51:06.000Z", + "destination.ip": [ + "10.125.166.198" + ], + "destination.port": 6301, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 11 2019/06/11 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown", + "event.original": "June 11 11:51:06 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ice6331.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 23538, + "log.offset": 23366, + "network.direction": "rumSecti", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6537, + "related.ip": [ + "10.125.166.198", + "10.114.211.238" + ], + 
"rsa.counters.dclass_c1": 111, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-06-11T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ice6331.invalid" + ], + "rsa.network.domain": "iusmodt3432.mail.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "server.domain": "iusmodt3432.mail.localdomain", "service.type": "fortinet", + "source.ip": [ + "10.114.211.238" + ], + "source.port": 3824, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "sumquiad" ] }, { - "@timestamp": "2019-06-25T02:00:00.000Z", + "@timestamp": "2020-06-25T20:53:40.000Z", + "destination.ip": [ + "10.209.239.122" + ], + "destination.port": 1450, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 25 2019/06/25 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success", + "event.original": "June 25 18:53:40 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "aevitaed1082.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 23817, + "log.offset": 23643, + "network.direction": "olabori", + "network.protocol": "tcp", 
"observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 2758, + "related.ip": [ + "10.209.239.122", + "10.29.7.142" + ], + "rsa.counters.dclass_c1": 3307, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-06-25T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "aevitaed1082.localdomain" + ], + "rsa.network.domain": "lica2780.www5.home", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "server.domain": "lica2780.www5.home", "service.type": "fortinet", + "source.ip": [ + "10.29.7.142" + ], + "source.port": 4053, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "atatnon" ] }, { - "@timestamp": "2019-07-10T02:00:00.000Z", + "@timestamp": "2020-07-10T03:56:14.000Z", + "destination.ip": [ + "10.146.57.23" + ], + "destination.port": 5483, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 10 2019/07/10 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown", + "event.original": "July 10 01:56:14 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "lloinve551.internal.local", "input.type": "log", 
- "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 24098, + "log.offset": 23922, + "network.direction": "ptatev", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5772, + "related.ip": [ + "10.146.57.23", + "10.144.109.148" + ], + "rsa.counters.dclass_c1": 6552, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2019-07-10T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "lloinve551.internal.local" + ], + "rsa.network.domain": "ctetura7556.mail.corp", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "server.domain": "ctetura7556.mail.corp", "service.type": "fortinet", + "source.ip": [ + "10.144.109.148" + ], + "source.port": 4855, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "xerc" ] }, { - "@timestamp": "2019-07-24T02:00:00.000Z", + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.ip": [ + "10.11.2.200" + ], + "destination.port": 7541, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 24 2019/07/24 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success", + "event.original": "July 24 08:58:48 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success", + 
"event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "tmo508.example", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 24374, + "log.offset": 24196, + "network.direction": "usmodite", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4542, + "related.ip": [ + "10.69.230.223", + "10.11.2.200" + ], + "rsa.counters.dclass_c1": 7154, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2019-07-24T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tmo508.example" + ], + "rsa.network.domain": "uto2438.www5.corp", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "server.domain": "uto2438.www5.corp", "service.type": "fortinet", + "source.ip": [ + "10.69.230.223" + ], + "source.port": 6071, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "uatu" ] }, { - "@timestamp": "2019-08-07T02:00:00.000Z", + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.ip": [ + "10.120.148.241" + ], + "destination.port": 1655, + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 7 2019/08/07 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success", + "event.original": "August 7 16:01:23 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug 
pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "upt6017.api.localdomain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 24636, + "log.offset": 24456, + "network.direction": "iduntutl", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6094, + "related.ip": [ + "10.120.148.241", + "10.100.154.220" + ], + "rsa.counters.dclass_c1": 4047, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", - "rsa.time.event_time": "2019-08-07T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "upt6017.api.localdomain" + ], + "rsa.network.domain": "ntor5561.www.local", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "server.domain": "ntor5561.www.local", "service.type": "fortinet", + "source.ip": [ + "10.100.154.220" + ], + "source.port": 5535, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "orsitvol" ] }, { - "@timestamp": "2019-08-21T02:00:00.000Z", + "@timestamp": "2019-08-22T01:03:57.000Z", + "destination.ip": [ + "10.90.50.149" + ], + "destination.port": 7260, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 21 2019/08/21 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure", + "event.original": "August 21 23:03:57 
velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "velites4233.internal.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 24912, + "log.offset": 24730, + "network.direction": "taliq", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 4025, + "related.ip": [ + "10.90.50.149", + "10.153.166.133" + ], + "rsa.counters.dclass_c1": 5213, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2019-08-21T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "velites4233.internal.home" + ], + "rsa.network.domain": "umd3889.api.localhost", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "server.domain": "umd3889.api.localhost", "service.type": "fortinet", + "source.ip": [ + "10.153.166.133" + ], + "source.port": 1936, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "porissu" ] }, { - "@timestamp": "2019-09-05T02:00:00.000Z", + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.ip": [ + "10.117.190.234" + ], + "destination.port": 7475, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 5 2019/09/05 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 
server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure", + "event.original": "September 5 06:06:31 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "eeufugi6539.api.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 25185, + "log.offset": 25001, + "network.direction": "rumexe", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5792, + "related.ip": [ + "10.230.130.3", + "10.117.190.234" + ], + "rsa.counters.dclass_c1": 5360, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-09-05T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "eeufugi6539.api.local" + ], + "rsa.network.domain": "olor5978.www.local", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "server.domain": "olor5978.www.local", "service.type": "fortinet", + "source.ip": [ + "10.230.130.3" + ], + "source.port": 3485, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "ttenb" ] }, { - "@timestamp": "2019-09-19T02:00:00.000Z", + "@timestamp": "2019-09-19T15:09:05.000Z", + "destination.ip": [ + "10.203.117.6" + ], + "destination.port": 2510, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": 
"September 19 2019/09/19 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success", + "event.original": "September 19 13:09:05 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "rem3131.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 25463, + "log.offset": 25277, + "network.direction": "mquia", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3142, + "related.ip": [ + "10.55.103.200", + "10.203.117.6" + ], + "rsa.counters.dclass_c1": 1119, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-09-19T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "rem3131.home" + ], + "rsa.network.domain": "iveli3387.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "server.domain": "iveli3387.host", "service.type": "fortinet", + "source.ip": [ + "10.55.103.200" + ], + "source.port": 4894, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "enbyCic" ] }, { - "@timestamp": "2019-10-03T02:00:00.000Z", + "@timestamp": "2019-10-03T22:11:40.000Z", + "destination.ip": [ + "10.75.122.228" + ], + "destination.port": 5, + "event.action": "deny", "event.code": "https", 
"event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 3 2019/10/03 ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure", + "event.original": "October 3 20:11:40 ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "ommodoc4758.host", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 25727, + "log.offset": 25539, + "network.direction": "eruntmo", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 730, + "related.ip": [ + "10.75.122.228", + "10.244.52.142" + ], + "rsa.counters.dclass_c1": 2894, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-10-03T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "ommodoc4758.host" + ], + "rsa.network.domain": "natus4803.mail.localhost", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "server.domain": "natus4803.mail.localhost", "service.type": "fortinet", + "source.ip": [ + "10.244.52.142" + ], + "source.port": 2129, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "isciv" ] }, { - "@timestamp": "2019-10-18T02:00:00.000Z", + "@timestamp": 
"2019-10-18T05:14:14.000Z", + "destination.ip": [ + "10.119.143.168" + ], + "destination.port": 4131, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 18 2019/10/18 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure", + "event.original": "October 18 03:14:14 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "udexerc4535.www.home", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 25997, + "log.offset": 25807, + "network.direction": "iarchite", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 6944, + "related.ip": [ + "10.7.142.212", + "10.119.143.168" + ], + "rsa.counters.dclass_c1": 1612, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - "rsa.time.event_time": "2019-10-18T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "udexerc4535.www.home" + ], + "rsa.network.domain": "natu1957.mail.corp", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "server.domain": "natu1957.mail.corp", "service.type": "fortinet", + "source.ip": [ + "10.7.142.212" + ], + "source.port": 2952, "tags": [ 
"fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "oinven" ] }, { - "@timestamp": "2019-11-01T02:00:00.000Z", + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.ip": [ + "10.252.146.103" + ], + "destination.port": 5995, + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 1 2019/11/01 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure", + "event.original": "November 1 10:16:48 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "adipi2840.mail.domain", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 26272, + "log.offset": 26080, + "network.direction": "modo", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7279, + "related.ip": [ + "10.116.105.31", + "10.252.146.103" + ], + "rsa.counters.dclass_c1": 3194, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", - "rsa.time.event_time": "2019-11-01T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "adipi2840.mail.domain" + ], + "rsa.network.domain": "rsi5358.www.domain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + 
"server.domain": "rsi5358.www.domain", "service.type": "fortinet", + "source.ip": [ + "10.116.105.31" + ], + "source.port": 3181, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "rsint" ] }, { - "@timestamp": "2019-11-15T02:00:00.000Z", + "@timestamp": "2019-11-15T19:19:22.000Z", + "destination.ip": [ + "10.213.41.210" + ], + "destination.port": 3626, + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 15 2019/11/15 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure", + "event.original": "November 15 17:19:22 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "onse3998.internal.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 26545, + "log.offset": 26351, + "network.direction": "olorsi", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 7260, + "related.ip": [ + "10.213.41.210", + "10.163.239.13" + ], + "rsa.counters.dclass_c1": 4955, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", - "rsa.time.event_time": "2019-11-15T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + 
"onse3998.internal.invalid" + ], + "rsa.network.domain": "rumetMa2554.domain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "server.domain": "rumetMa2554.domain", "service.type": "fortinet", + "source.ip": [ + "10.163.239.13" + ], + "source.port": 3650, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "aedictas" ] }, { - "@timestamp": "2019-11-30T02:00:00.000Z", + "@timestamp": "2019-11-30T02:21:57.000Z", + "destination.ip": [ + "10.190.36.112" + ], + "destination.port": 4829, + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 30 2019/11/30 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown", + "event.original": "November 30 00:21:57 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "mvolupta225.mail.invalid", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 26829, + "log.offset": 26633, + "network.direction": "nimadmin", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 3793, + "related.ip": [ + "10.190.36.112", + "10.184.109.84" + ], + "rsa.counters.dclass_c1": 5630, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", - "rsa.time.event_time": "2019-11-30T02:00:00.000Z", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "mvolupta225.mail.invalid" + ], + "rsa.network.domain": "eniamqu985.test", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "server.domain": "eniamqu985.test", "service.type": "fortinet", + "source.ip": [ + "10.184.109.84" + ], + "source.port": 6960, "tags": [ "fortinet.clientendpoint", "forwarded" + ], + "user.name": [ + "uat" ] }, { - "@timestamp": "2019-12-14T02:00:00.000Z", + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.ip": [ + "10.19.21.239" + ], + "destination.port": 6995, + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 14 2019/12/14 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure", + "event.original": "December 14 07:24:31 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure", + "event.outcome": "Failure", "fileset.name": "clientendpoint", + "host.name": "officiad6348.mail.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 27103, + "log.offset": 26905, + "network.direction": "san", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", + "process.pid": 5985, + "related.ip": [ + "10.175.181.138", + "10.19.21.239" + ], + "rsa.counters.dclass_c1": 3326, + "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", - 
"rsa.time.event_time": "2019-12-14T02:00:00.000Z",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "failure",
+ "rsa.network.alias_host": [
+ "officiad6348.mail.lan"
+ ],
+ "rsa.network.domain": "taedict4891.api.host",
+ "rsa.network.network_service": "http",
+ "rsa.time.event_time": "2019-12-14T09:24:31.000Z",
+ "server.domain": "taedict4891.api.host",
 "service.type": "fortinet",
+ "source.ip": [
+ "10.175.181.138"
+ ],
+ "source.port": 1495,
 "tags": [
 "fortinet.clientendpoint",
 "forwarded"
+ ],
+ "user.name": [
+ "aliqu"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md
index 25eedf31517..69d5d4b245a 100644
--- a/x-pack/filebeat/module/imperva/README.md
+++ b/x-pack/filebeat/module/imperva/README.md
@@ -3,5 +3,5 @@
 This is a module for Imperva SecureSphere logs.
 Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117
-at 2020-07-07 18:10:44.77203 +0000 UTC.
+at 2020-07-08 13:58:35.210281 +0000 UTC.
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
index b7c73a47650..916d33eca85 100644
--- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
@@ -52,8 +52,8 @@
 "forwarded"
 ],
 "user.name": [
- "aqui",
 "tatno",
+ "aqui",
 "magn"
 ]
 },
@@ -104,8 +104,8 @@
 "observer.type": "WAF",
 "observer.vendor": "Imperva",
 "related.ip": [
- "10.159.182.171",
- "10.58.116.231"
+ "10.58.116.231",
+ "10.159.182.171"
 ],
 "rsa.counters.dclass_c1": 3626,
 "rsa.counters.dclass_c1_str": "Affected Rows",
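Review bot: The only change in this hunk, and in every later hunk of generated.log-expected.json (`@@ -104` through `@@ -1005`), is the order of elements inside `user.name`, `related.ip` and `rsa.misc.action`, which suggests the pipeline emits these multi-valued fields in a non-deterministic order and the fixture was regenerated rather than the ordering pinned. A fixture that flips on each regeneration produces spurious diffs and makes a real change to these fields easy to miss in review; the fortinet fixture above appears to show `related.ip` in both source-first and destination-first order across records, consistent with the same cause. Either have the pipeline emit these arrays in a stable (sorted) order, or make the test comparison normalise list-valued fields (sort them before comparing) so the expected file stops churning. This is inferred from the diff alone; if the ordering is deterministic and changed intentionally, a sentence in the commit message saying why would settle it.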
@@ -160,16 +160,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.64.70.5", - "10.157.161.103" + "10.157.161.103", + "10.64.70.5" ], "rsa.counters.event_counter": 3561, "rsa.db.database": "lupt", "rsa.internal.event_desc": "tat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "taut" + "taut", + "deny" ], "rsa.misc.category": "tion", "rsa.misc.disposition": "eataev", @@ -198,9 +198,9 @@ "url.original": "https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium", "url.query": "iciatisu", "user.name": [ - "CSed", "tem", - "emeumfu" + "emeumfu", + "CSed" ] }, { @@ -234,8 +234,8 @@ "rsa.internal.event_desc": "atDu", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "emulla", - "accept" + "accept", + "emulla" ], "rsa.misc.category": "eav", "rsa.misc.disposition": "ionevo", @@ -289,8 +289,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.10.38.139", - "10.32.67.231" + "10.32.67.231", + "10.10.38.139" ], "rsa.counters.dclass_c1": 2628, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -321,9 +321,9 @@ "forwarded" ], "user.name": [ - "itame", + "ari", "adeseru", - "ari" + "itame" ] }, { @@ -346,8 +346,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.206.97.204", - "10.133.189.215" + "10.133.189.215", + "10.206.97.204" ], "rsa.counters.dclass_c1": 4842, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -374,8 +374,8 @@ "forwarded" ], "user.name": [ - "ommodico", "fugitse", + "ommodico", "evita" ] }, @@ -432,9 +432,9 @@ "forwarded" ], "user.name": [ - "tium", "uae", - "tectobe" + "tectobe", + "tium" ] }, { @@ -458,8 +458,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.77.52.83", - "10.7.46.36" + "10.7.46.36", + "10.77.52.83" ], "rsa.counters.dclass_c1": 1458, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -548,9 +548,9 @@ "forwarded" ], "user.name": [ - "ritatise", "rinre", - "eFi" + "eFi", + "ritatise" ] }, { @@ -606,9 +606,9 @@ "forwarded" ], "user.name": [ - "atevelit", "orsitam", - "nts" + "nts", + "atevelit" ] }, { @@ -664,8 +664,8 @@ "forwarded" ], "user.name": [ - "ctetura", "sit", + "ctetura", "oeni" ] }, @@ -700,8 +700,8 @@ "rsa.internal.event_desc": "ian", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "nonp" + "nonp", + "cancel" ], "rsa.misc.category": "dolore", "rsa.misc.disposition": "onsecte", @@ -730,9 +730,9 @@ "url.original": "https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl", "url.query": "por", "user.name": [ - "texpli", + "rum", "emUteni", - "rum" + "texpli" ] }, { @@ -788,9 +788,9 @@ "forwarded" ], "user.name": [ + "upt", "imide", - "snost", - "upt" + "snost" ] }, { @@ -814,8 +814,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.230.206.60", - "10.111.90.75" + "10.111.90.75", + "10.230.206.60" ], "rsa.counters.dclass_c1": 1264, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -846,9 +846,9 @@ "forwarded" ], "user.name": [ + "aincidu", "rcitat", - "rem", - "aincidu" + "rem" ] }, { @@ -882,8 +882,8 @@ "rsa.internal.event_desc": "porincid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atcupi", - "accept" + "accept", + "atcupi" ], "rsa.misc.category": "atisetqu", "rsa.misc.disposition": "issuscip", @@ -911,9 +911,9 @@ "url.original": "https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant", "url.query": "onse", "user.name": [ - "est", + "dutpers", "erun", - "dutpers" + "est" ] }, { @@ -969,9 +969,9 @@ "forwarded" ], "user.name": [ - "miurerep", + "ullamcor", "sequa", - "ullamcor" + "miurerep" ] }, { @@ -1005,8 +1005,8 @@ "rsa.internal.event_desc": "llamco", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "olorem" + "olorem", + "accept" ], "rsa.misc.category": "atu", "rsa.misc.disposition": "untincul", 
@@ -1035,9 +1035,9 @@ "url.original": "https://example.org/emqu/riss.gif?sitvol=dolore#nsequat", "url.query": "olorsi", "user.name": [ - "isn", "scingeli", - "olorsit" + "olorsit", + "isn" ] }, { @@ -1061,8 +1061,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.79.147.101", - "10.105.46.101" + "10.105.46.101", + "10.79.147.101" ], "rsa.counters.dclass_c1": 6068, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1093,9 +1093,9 @@ "forwarded" ], "user.name": [ - "ddoeius", + "uptat", "cingel", - "uptat" + "ddoeius" ] }, { @@ -1121,8 +1121,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.102.166.19", - "10.49.71.118" + "10.49.71.118", + "10.102.166.19" ], "rsa.counters.event_counter": 7731, "rsa.db.database": "yCic", @@ -1159,9 +1159,9 @@ "url.original": "https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela", "url.query": "ntexplic", "user.name": [ - "aincidun", "eritin", - "udan" + "udan", + "aincidun" ] }, { @@ -1212,8 +1212,8 @@ "forwarded" ], "user.name": [ - "amali", "tas", + "amali", "rsita" ] }, @@ -1270,9 +1270,9 @@ "forwarded" ], "user.name": [ - "rumetMal", + "imadmini", "oditempo", - "imadmini" + "rumetMal" ] }, { @@ -1306,8 +1306,8 @@ "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "amc", - "block" + "block", + "amc" ], "rsa.misc.category": "ever", "rsa.misc.disposition": "tali", @@ -1337,8 +1337,8 @@ "url.query": "isa", "user.name": [ "niam", - "est", - "agnaaliq" + "agnaaliq", + "est" ] }, { @@ -1364,16 +1364,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.7.81.204", - "10.131.82.68" + "10.131.82.68", + "10.7.81.204" ], "rsa.counters.event_counter": 1710, "rsa.db.database": "nrepreh", "rsa.internal.event_desc": "nimad", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "prehe" + "prehe", + "accept" ], "rsa.misc.category": "ataevita", "rsa.misc.disposition": "oremqu", 
@@ -1401,9 +1401,9 @@ "url.original": "https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes", "url.query": "lmolesti", "user.name": [ - "amnisi", "ulap", - "ersp" + "ersp", + "amnisi" ] }, { @@ -1427,8 +1427,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.114.193.232", - "10.94.132.21" + "10.94.132.21", + "10.114.193.232" ], "rsa.counters.dclass_c1": 6784, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1460,8 +1460,8 @@ ], "user.name": [ "nse", - "odi", - "eetdo" + "eetdo", + "odi" ] }, { @@ -1517,9 +1517,9 @@ "forwarded" ], "user.name": [ + "autf", "reseosq", - "nse", - "autf" + "nse" ] }, { @@ -1543,8 +1543,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.48.209.115", - "10.33.195.166" + "10.33.195.166", + "10.48.209.115" ], "rsa.counters.dclass_c1": 3249, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1575,8 +1575,8 @@ "forwarded" ], "user.name": [ - "iamea", "umiurer", + "iamea", "aconsequ" ] }, @@ -1658,8 +1658,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.45.215.202", - "10.238.245.236" + "10.238.245.236", + "10.45.215.202" ], "rsa.counters.dclass_c1": 7822, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1686,9 +1686,9 @@ "forwarded" ], "user.name": [ + "ihilmole", "stquidol", - "gia", - "ihilmole" + "gia" ] }, { @@ -1744,9 +1744,9 @@ "forwarded" ], "user.name": [ + "etdolor", "emp", - "essequam", - "etdolor" + "essequam" ] }, { @@ -1855,9 +1855,9 @@ "forwarded" ], "user.name": [ - "itseddo", + "ptassita", "veleumi", - "ptassita" + "itseddo" ] }, { @@ -1913,9 +1913,9 @@ "forwarded" ], "user.name": [ + "isci", "eirur", - "exerci", - "isci" + "exerci" ] }, { @@ -1971,9 +1971,9 @@ "forwarded" ], "user.name": [ - "roinBCSe", + "ender", "olor", - "ender" + "roinBCSe" ] }, { 
@@ -1997,8 +1997,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.182.181.162", - "10.123.56.46" + "10.123.56.46", + "10.182.181.162" ], "rsa.counters.dclass_c1": 6438, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2029,9 +2029,9 @@ "forwarded" ], "user.name": [ - "sit", + "uid", "oreseo", - "uid" + "sit" ] }, { @@ -2198,9 +2198,9 @@ "forwarded" ], "user.name": [ - "nvol", + "rsit", "ptatev", - "rsit" + "nvol" ] }, { @@ -2264,9 +2264,9 @@ "url.original": "https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp", "url.query": "ommo", "user.name": [ - "nesci", + "tam", "onsectet", - "tam" + "nesci" ] }, { @@ -2290,8 +2290,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2322,9 +2322,9 @@ "forwarded" ], "user.name": [ + "aUtenima", "olu", - "olupta", - "aUtenima" + "olupta" ] }, { @@ -2380,9 +2380,9 @@ "forwarded" ], "user.name": [ - "mtota", + "qua", "luptat", - "qua" + "mtota" ] }, { @@ -2465,8 +2465,8 @@ "forwarded" ], "user.name": [ - "secte", "upta", + "secte", "ciati" ] }, @@ -2530,9 +2530,9 @@ "url.original": "https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor", "url.query": "sequa", "user.name": [ - "onpr", + "iquamqu", "idolor", - "iquamqu" + "onpr" ] }, { @@ -2588,9 +2588,9 @@ "forwarded" ], "user.name": [ - "tvolup", "assi", - "tin" + "tin", + "tvolup" ] }, { @@ -2613,8 +2613,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.223.71.185", - "10.33.181.176" + "10.33.181.176", + "10.223.71.185" ], "rsa.counters.dclass_c1": 3804, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2641,9 +2641,9 @@ "forwarded" ], "user.name": [ - "uptateve", + "atisetqu", "loremips", - "atisetqu" + "uptateve" ] }, { @@ -2700,8 +2700,8 @@ ], "user.name": [ "olore", - "iamea", - "iatn" + "iatn", + "iamea" ] }, { 
@@ -2757,9 +2757,9 @@ "forwarded" ], "user.name": [ + "icaboNe", "billoi", - "umq", - "icaboNe" + "umq" ] }, { @@ -2816,8 +2816,8 @@ ], "user.name": [ "billo", - "lumdol", - "cul" + "cul", + "lumdol" ] }, { @@ -2872,9 +2872,9 @@ "forwarded" ], "user.name": [ - "seq", + "ueporr", "mull", - "ueporr" + "seq" ] }, { @@ -2898,8 +2898,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.229.190.11", - "10.93.246.218" + "10.93.246.218", + "10.229.190.11" ], "rsa.counters.dclass_c1": 1929, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2930,8 +2930,8 @@ "forwarded" ], "user.name": [ - "roinBCS", "cteturad", + "roinBCS", "mtot" ] }, @@ -2956,8 +2956,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.178.183.11", - "10.89.16.162" + "10.89.16.162", + "10.178.183.11" ], "rsa.counters.dclass_c1": 1449, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2988,8 +2988,8 @@ "forwarded" ], "user.name": [ - "atvol", "taevitae", + "atvol", "modit" ] }, @@ -3024,8 +3024,8 @@ "rsa.internal.event_desc": "meaquei", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "tqu", - "deny" + "deny", + "tqu" ], "rsa.misc.category": "snisiu", "rsa.misc.disposition": "atem", @@ -3080,8 +3080,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.52.221.103", - "10.20.158.236" + "10.20.158.236", + "10.52.221.103" ], "rsa.counters.dclass_c1": 6386, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3112,9 +3112,9 @@ "forwarded" ], "user.name": [ + "dantium", "oinve", - "aute", - "dantium" + "aute" ] }, { @@ -3138,8 +3138,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.250.231.196", - "10.199.46.88" + "10.199.46.88", + "10.250.231.196" ], "rsa.counters.dclass_c1": 2867, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3228,9 +3228,9 @@ "forwarded" ], "user.name": [ - "suntincu", + "fugia", "nim", - "fugia" + "suntincu" ] }, { 
@@ -3286,9 +3286,9 @@ "forwarded" ], "user.name": [ + "itaed", "eritquii", - "uptatem", - "itaed" + "uptatem" ] }, { @@ -3312,8 +3312,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.184.199.84", - "10.138.191.99" + "10.138.191.99", + "10.184.199.84" ], "rsa.counters.dclass_c1": 3291, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3344,9 +3344,9 @@ "forwarded" ], "user.name": [ - "upt", "ationem", - "cid" + "cid", + "upt" ] }, { @@ -3380,8 +3380,8 @@ "rsa.internal.event_desc": "iatisun", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uep" + "uep", + "cancel" ], "rsa.misc.category": "cto", "rsa.misc.disposition": "orumSect", @@ -3410,9 +3410,9 @@ "url.original": "https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco", "url.query": "empor", "user.name": [ + "remeum", "volupta", - "doconse", - "remeum" + "doconse" ] }, { @@ -3438,16 +3438,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.147.37", - "10.106.63.42" + "10.106.63.42", + "10.86.147.37" ], "rsa.counters.event_counter": 2211, "rsa.db.database": "ameiu", "rsa.internal.event_desc": "por", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "mip", - "allow" + "allow", + "mip" ], "rsa.misc.category": "stiae", "rsa.misc.disposition": "icta", @@ -3502,8 +3502,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.132.76", - "10.110.240.8" + "10.110.240.8", + "10.112.132.76" ], "rsa.counters.dclass_c1": 5784, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3592,9 +3592,9 @@ "forwarded" ], "user.name": [ + "natuser", "labor", - "niamq", - "natuser" + "niamq" ] }, { @@ -3650,9 +3650,9 @@ "forwarded" ], "user.name": [ + "epteurs", "urautod", - "equ", - "epteurs" + "equ" ] }, { 
@@ -3703,8 +3703,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.209.129.155", - "10.128.118.157" + "10.128.118.157", + "10.209.129.155" ], "rsa.counters.dclass_c1": 2931, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3735,9 +3735,9 @@ "forwarded" ], "user.name": [ + "essequa", "xerci", - "mdolore", - "essequa" + "mdolore" ] }, { @@ -3801,9 +3801,9 @@ "url.original": "https://www.example.org/uatu/gel.gif?itsed=mvolu#agn", "url.query": "eritinvo", "user.name": [ - "orumS", "tesseq", - "labor" + "labor", + "orumS" ] }, { @@ -3826,8 +3826,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.209.39.25", - "10.67.163.107" + "10.67.163.107", + "10.209.39.25" ], "rsa.counters.dclass_c1": 3469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3880,8 +3880,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.61.247.113", - "10.120.66.172" + "10.120.66.172", + "10.61.247.113" ], "rsa.counters.dclass_c1": 2218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3912,9 +3912,9 @@ "forwarded" ], "user.name": [ + "iamqu", "tur", - "iduntut", - "iamqu" + "iduntut" ] }, { @@ -3948,8 +3948,8 @@ "rsa.internal.event_desc": "liquaUt", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "issuscip", - "deny" + "deny", + "issuscip" ], "rsa.misc.category": "tdolorem", "rsa.misc.disposition": "umdolo", @@ -3977,9 +3977,9 @@ "url.original": "https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati", "url.query": "lapa", "user.name": [ + "atem", "cit", - "amcorpor", - "atem" + "amcorpor" ] }, { @@ -4063,8 +4063,8 @@ ], "user.name": [ "trumexer", - "uisautem", - "idid" + "idid", + "uisautem" ] }, { @@ -4098,8 +4098,8 @@ "rsa.internal.event_desc": "doloremi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "sequatD", - "cancel" + "cancel", + "sequatD" ], "rsa.misc.category": "uisno", "rsa.misc.disposition": "atevel", 
@@ -4185,8 +4185,8 @@ "forwarded" ], "user.name": [ - "asia", "ciun", + "asia", "olest" ] }, @@ -4385,8 +4385,8 @@ "forwarded" ], "user.name": [ - "exe", "iutaliqu", + "exe", "colab" ] }, @@ -4503,9 +4503,9 @@ "url.original": "https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi", "url.query": "siarch", "user.name": [ + "olo", "ptassit", - "ncidid", - "olo" + "ncidid" ] }, { @@ -4529,8 +4529,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.190.18.213", - "10.177.60.55" + "10.177.60.55", + "10.190.18.213" ], "rsa.counters.dclass_c1": 7327, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4561,9 +4561,9 @@ "forwarded" ], "user.name": [ + "etdolore", "tametcon", - "rror", - "etdolore" + "rror" ] }, { @@ -4620,8 +4620,8 @@ ], "user.name": [ "orumet", - "oinB", - "utod" + "utod", + "oinB" ] }, { @@ -4730,8 +4730,8 @@ "forwarded" ], "user.name": [ - "xercitat", "litesse", + "xercitat", "xeacomm" ] }, @@ -4836,8 +4836,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.185.248.253", - "10.76.165.58" + "10.76.165.58", + "10.185.248.253" ], "rsa.counters.dclass_c1": 4963, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4868,8 +4868,8 @@ "forwarded" ], "user.name": [ - "amqua", "nisi", + "amqua", "ugitse" ] }, @@ -4933,8 +4933,8 @@ "url.original": "https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt", "url.query": "orporiss", "user.name": [ - "avolu", "eFini", + "avolu", "ept" ] }, @@ -5049,9 +5049,9 @@ "forwarded" ], "user.name": [ - "ataev", + "asp", "ptatemU", - "asp" + "ataev" ] }, { @@ -5075,8 +5075,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.16.82", - "10.44.179.66" + "10.44.179.66", + "10.248.16.82" ], "rsa.counters.dclass_c1": 2353, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5107,9 +5107,9 @@ "forwarded" ], "user.name": [ - "proiden", + "loinv", "xercita", - "loinv" + "proiden" ] }, { 
@@ -5135,16 +5135,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.55.166.205", - "10.88.53.149" + "10.88.53.149", + "10.55.166.205" ], "rsa.counters.event_counter": 6219, "rsa.db.database": "atus", "rsa.internal.event_desc": "ntiumtot", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "ionulamc" + "ionulamc", + "allow" ], "rsa.misc.category": "aeab", "rsa.misc.disposition": "idolo", @@ -5173,9 +5173,9 @@ "url.original": "https://www.example.net/umSecti/emaccu.html?atu=ddo#veli", "url.query": "ata", "user.name": [ - "tqui", "strumex", - "reseosqu" + "reseosqu", + "tqui" ] }, { @@ -5209,8 +5209,8 @@ "rsa.internal.event_desc": "rsitvo", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ectet" + "ectet", + "cancel" ], "rsa.misc.category": "esciuntN", "rsa.misc.disposition": "ritatis", @@ -5239,8 +5239,8 @@ "url.query": "nrep", "user.name": [ "pidatatn", - "ciun", - "iof" + "iof", + "ciun" ] }, { @@ -5296,8 +5296,8 @@ "forwarded" ], "user.name": [ - "ommod", "imidest", + "ommod", "ptate" ] }, @@ -5420,9 +5420,9 @@ "forwarded" ], "user.name": [ - "tasnul", "sequamn", - "res" + "res", + "tasnul" ] }, { @@ -5541,8 +5541,8 @@ "rsa.internal.event_desc": "unt", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "pidatatn", - "cancel" + "cancel", + "pidatatn" ], "rsa.misc.category": "emUt", "rsa.misc.disposition": "eiru", @@ -5570,8 +5570,8 @@ "url.original": "https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre", "url.query": "upta", "user.name": [ - "uisaute", "min", + "uisaute", "itsedq" ] }, @@ -5596,8 +5596,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.120.18.135", - "10.9.248.95" + "10.9.248.95", + "10.120.18.135" ], "rsa.counters.dclass_c1": 6969, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5628,9 +5628,9 @@ "forwarded" ], "user.name": [ - "iatquovo", + "ratvolup", "ero", - "ratvolup" + "iatquovo" ] }, { 
@@ -5685,8 +5685,8 @@ "forwarded" ], "user.name": [ - "atio", "xercita", + "atio", "uis" ] } diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index 931a3bf4d4d..93ba5e0bb41 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-07 18:10:45.174185 +0000 UTC. +at 2020-07-08 13:58:35.632218 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/config/pipeline.js b/x-pack/filebeat/module/infoblox/nios/config/pipeline.js index 74a44861ec5..0d3d50cdc8a 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/pipeline.js +++ b/x-pack/filebeat/module/infoblox/nios/config/pipeline.js @@ -67,7 +67,7 @@ var dup22 = setc("action","DHCPRELEASE"); var dup23 = setc("action","DHCPDISCOVER"); -var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr}from %{p0}"); +var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); @@ -87,7 +87,7 @@ var dup30 = date_time({ ], }); -var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface}relay %{fld1}lease-duration %{duration}"); +var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); var dup32 = setc("action","DHCPACK"); @@ -139,7 +139,7 @@ var dup55 = setf("dns_querytype","event_description"); var dup56 = setc("eventcategory","1901000000"); -var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport}(%{p0}"); +var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); var dup58 = setc("eventcategory","1801000000"); 
@@ -221,7 +221,7 @@ var dup74 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_des dup8, ])); -var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action}: %{event_description}(code=%{resultcode})", processor_chain([ +var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, @@ -304,7 +304,7 @@ var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", process setc("header_id","0004"), ])); -var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1}|%{messageid}|%{payload}", processor_chain([ +var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ setc("header_id","0005"), ])); @@ -318,7 +318,7 @@ var select3 = linear_select([ hdr7, ]); -var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Logout - - ip=%{saddr}group=%{group}trigger_event=%{event_description}", processor_chain([ +var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ dup1, dup2, dup3, @@ -331,7 +331,7 @@ var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fl var msg1 = msg("httpd", part7); -var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Login_Allowed - - to=%{fld4}ip=%{saddr}auth=%{authmethod}group=%{group}apparently_via=%{info}", processor_chain([ +var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ dup9, dup2, dup3, 
@@ -344,7 +344,7 @@ var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.% var msg2 = msg("httpd:01", part8); -var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Called - %{action}message=%{info}", processor_chain([ +var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ dup11, dup6, dup7, @@ -353,7 +353,7 @@ var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.% var msg3 = msg("httpd:02", part9); -var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ +var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ dup11, dup6, dup7, @@ -362,7 +362,7 @@ var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}. var msg4 = msg("httpd:03", part10); -var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1}authentication for user %{username}failed", processor_chain([ +var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ dup12, dup6, dup8, 
@@ -370,7 +370,7 @@ var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1}a var msg5 = msg("httpd:04", part11); -var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Called - %{event_description}", processor_chain([ +var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ dup12, dup6, dup7, @@ -379,7 +379,7 @@ var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}. var msg6 = msg("httpd:05", part12); -var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Login_Denied - - to=%{terminal}ip=%{saddr}info=%{info}", processor_chain([ +var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ dup13, dup2, dup3, @@ -405,7 +405,7 @@ var select4 = linear_select([ msg8, ]); -var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr}filename %(unknown)", processor_chain([ +var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ dup12, dup6, dup8, @@ -437,7 +437,7 @@ var select5 = linear_select([ msg11, ]); -var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface}with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip}(%{dmacaddr}) lease time is %{p0}"); +var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); 
@@ -466,7 +466,7 @@ var all3 = all_match({ var msg12 = msg("dhcpd:12", all3); -var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip}from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ +var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ dup15, dup6, dup8, @@ -484,7 +484,7 @@ var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add for var msg14 = msg("dhcpd:10", part22); -var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1}dynamic DNS update latency: %{result}micro seconds", processor_chain([ +var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ dup12, dup6, dup8, @@ -493,7 +493,7 @@ var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1}dy var msg15 = msg("dhcpd:13", part23); -var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info}minutes: %{result}", processor_chain([ +var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ dup12, dup6, dup8, @@ -583,7 +583,7 @@ var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP add var msg23 = msg("dhcpd:30", part31); -var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr}from %{smacaddr}(%{shost}) via %{interface}: %{info}", processor_chain([ +var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ dup15, dup6, dup8, 
@@ -592,7 +592,7 @@ var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{ var msg24 = msg("dhcpd:01", part32); -var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr}from %{smacaddr}via %{interface}: %{info}", processor_chain([ +var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ dup15, dup6, dup8, @@ -601,9 +601,9 @@ var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{ var msg25 = msg("dhcpd:02", part33); -var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr}from %{p0}"); +var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); -var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface}(%{info})"); +var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); var all6 = all_match({ processors: [ @@ -621,7 +621,7 @@ var all6 = all_match({ var msg26 = msg("dhcpd:03", all6); -var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr}via %{interface}: network %{mask}: %{info}", processor_chain([ +var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ dup12, dup6, dup8, @@ -641,7 +641,7 @@ var select7 = linear_select([ part39, ]); -var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr}(%{hostname}) via %{interface}: ignored (%{result})"); +var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); var all7 = all_match({ processors: [ 
@@ -678,7 +678,7 @@ var all8 = all_match({ var msg29 = msg("dhcpd:09", all8); -var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{} %{interface}: lease %{hostip}unavailable"); +var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{} %{interface}: lease %{hostip->} unavailable"); var all9 = all_match({ processors: [ @@ -697,7 +697,7 @@ var all9 = all_match({ var msg30 = msg("dhcpd:26", all9); -var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr}(%{shost}) from %{smacaddr}(%{hostname}) via %{interface}", processor_chain([ +var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ dup12, dup6, dup8, @@ -722,7 +722,7 @@ var all10 = all_match({ var msg32 = msg("dhcpd:11", all10); -var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr}via %{saddr}: unknown network segment", processor_chain([ +var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ dup12, dup6, dup8, @@ -732,7 +732,7 @@ var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from var msg33 = msg("dhcpd:31", part44); -var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr}via %{saddr}: %{event_description}", processor_chain([ +var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ dup12, dup6, dup8, 
@@ -762,7 +762,7 @@ var select8 = linear_select([ part49, ]); -var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport}total %{fld2}free %{fld3}backup %{fld4}lts %{fld5}max-%{fld6->} %{p0}"); +var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); @@ -793,7 +793,7 @@ var all11 = all_match({ var msg36 = msg("dhcpd:34", all11); -var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost}to %{dhost}: REFUSED", processor_chain([ +var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ dup12, dup6, dup8, @@ -802,7 +802,7 @@ var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add rev var msg37 = msg("dhcpd:35", part54); -var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr}FAILED: %{fld1}", processor_chain([ +var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ dup12, dup6, dup8, @@ -811,7 +811,7 @@ var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from var msg38 = msg("dhcpd:36", part55); -var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr}to %{p0}"); +var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); var all12 = all_match({ processors: [ 
@@ -829,7 +829,7 @@ var all12 = all_match({ var msg39 = msg("dhcpd:14", all12); -var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr}to %{p0}"); +var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); @@ -855,7 +855,7 @@ var all13 = all_match({ var msg40 = msg("dhcpd:24", all13); -var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr}to %{dmacaddr}via %{interface}", processor_chain([ +var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ dup12, dup6, dup8, @@ -882,7 +882,7 @@ var all14 = all_match({ var msg42 = msg("dhcpd:05", all14); -var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr}(%{dmacaddr}) via %{interface}", processor_chain([ +var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ dup12, dup6, dup8, @@ -891,7 +891,7 @@ var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{dadd var msg43 = msg("dhcpd:16", part61); -var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr}via %{interface}", processor_chain([ +var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ dup12, dup6, dup8, @@ -900,7 +900,7 @@ var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from % var msg44 = msg("dhcpd:20", part62); -var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr}to %{dmacaddr}", processor_chain([ +var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ dup12, dup6, dup8, 
@@ -909,7 +909,7 @@ var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{s var msg45 = msg("dhcpd:23", part63); -var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip}for client %{smacaddr}is duplicate on %{mask}", processor_chain([ +var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ dup12, dup6, dup8, @@ -917,7 +917,7 @@ var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hosti var msg46 = msg("dhcpd:28", part64); -var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr}abandoned because of non-retryable failure: %{result}", processor_chain([ +var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ dup12, dup6, dup8, @@ -925,7 +925,7 @@ var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add fo var msg47 = msg("dhcpd:29", part65); -var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1}Bind-State %{change_old}Next-Bind-State %{change_new}", processor_chain([ +var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ dup12, dup6, dup8, 
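Review bot: In MESSAGE#191:dhcpd:39 the rewrite spaces out only the tail of the pattern (`%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}`) and leaves the head as `lease%{hostip}End Time%{fld1->}` with no separator around `%{hostip}`, while every other hunk in this series changes `%{x}word` to `%{x->} word` wherever a space is expected. If the real message has spaces there, the pattern still will not match and the event falls through unparsed; if it is deliberate, a sample line in the fileset test log would settle it. The same partial treatment appears in MESSAGE#229:netauto_discovery:01 (L5373), where only `%{version->}` was changed. The consistent form would be `"NOT FREE/BACKUP lease %{hostip->} End Time %{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}"` — confirm against a captured log line before applying.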
@@ -1026,7 +1026,7 @@ var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict a var msg56 = msg("dhcpd:48", part76); -var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip}valid.", processor_chain([ +var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ dup12, dup6, dup8, @@ -1065,7 +1065,7 @@ var select13 = linear_select([ part83, ]); -var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip}deferred"); +var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); var all16 = all_match({ processors: [ @@ -1158,7 +1158,7 @@ var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{ev var msg62 = msg("ntpd:05", part86); -var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result}from %(unknown)", processor_chain([ +var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ dup12, dup6, dup8, @@ -1185,7 +1185,7 @@ var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", var msg65 = msg("ntpd", part89); -var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1}had flags %{result}", processor_chain([ +var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ dup12, dup6, dup8, @@ -1330,7 +1330,7 @@ var select19 = linear_select([ part103, ]); -var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info}at '%{hostname}'"); +var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); var all22 = all_match({ processors: [ 
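Review bot: The new pattern for MESSAGE#48:ntpd:04 keeps the `%(unknown)` placeholder (`from %(unknown)`), whereas the same series replaces that placeholder with a real capture, `%{filename->}`, in MESSAGE#129:watchdog:03 (L5366) and MESSAGE#222:rsyncd:02 (L5373). If `%(unknown)` is matched literally rather than treated as a field, this pattern and the others that still carry it — MESSAGE#99:named:77 (L5364), MESSAGE#126:watchdog (L5365), and the scheduled_backups patterns MESSAGE#167/#168/#170 (L5369–L5370) — will never match the messages they are meant to parse, and those events will be left unparsed without any error. Either replace the placeholder with the field the source definition intends, along the lines of `"frequency initialized %{result->} from %{filename}"`, or leave a comment on each occurrence explaining why it is retained. Since this file appears to be converter output, the fix presumably belongs in the upstream definition as well so it survives regeneration.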
@@ -1437,7 +1437,7 @@ var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: no var msg78 = msg("named:13", part114); -var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport}exceeded (%{action})", processor_chain([ +var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ dup12, dup6, dup8, @@ -1445,7 +1445,7 @@ var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: re var msg79 = msg("named:14", part115); -var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport}(source ::#0): %{action}", processor_chain([ +var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ dup12, dup6, dup8, @@ -1453,7 +1453,7 @@ var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: re var msg80 = msg("named:15", part116); -var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport}resolving %{domain}/%{dns_querytype}for client %{daddr}#%{dport}: %{p0}"); +var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); @@ -1482,7 +1482,7 @@ var all25 = all_match({ var msg81 = msg("named:25", all25); -var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport}(#%{fld5}): query: %{domain->} %{fld4}(%{daddr})"); +var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); var all26 = all_match({ processors: [ 
@@ -1500,7 +1500,7 @@ var all26 = all_match({ var msg82 = msg("named:63", all26); -var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport}(%{fld1}): %{p0}"); +var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); @@ -1511,7 +1511,7 @@ var select24 = linear_select([ part123, ]); -var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context}(%{daddr})"); +var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); var all27 = all_match({ processors: [ @@ -1529,7 +1529,7 @@ var all27 = all_match({ var msg83 = msg("named:72", all27); -var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action}(%{saddr}#%{sport}) %{event_description}", processor_chain([ +var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ dup12, dup6, dup8, @@ -1588,7 +1588,7 @@ var all29 = all_match({ var msg86 = msg("named:70", all29); -var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1}client %{saddr}#%{sport}: %{p0}"); +var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); @@ -1599,7 +1599,7 @@ var select27 = linear_select([ part133, ]); -var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype}response:%{result->} %{p0}"); +var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); 
@@ -1648,7 +1648,7 @@ var select29 = linear_select([ dup53, ]); -var part141 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info}(%{daddr})"); +var part141 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); var all31 = all_match({ processors: [ @@ -1732,7 +1732,7 @@ var all32 = all_match({ var msg93 = msg("named:76", all32); -var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action}for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ +var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ dup12, dup6, dup8, @@ -1941,7 +1941,7 @@ var part174 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2 var msg102 = msg("named:39", part174); -var part175 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5}(data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ +var part175 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ dup12, dup6, dup8, @@ -1949,7 +1949,7 @@ var part175 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_descript var msg103 = msg("named:46", part175); -var part176 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info}at %{hostname->} %{dns_querytype}", processor_chain([ +var part176 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ dup12, dup6, dup8, 
@@ -1958,7 +1958,7 @@ var part176 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}# var msg104 = msg("named:64", part176); -var part177 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info}at %{hostname->} %{dns_querytype}", processor_chain([ +var part177 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ dup12, dup6, dup8, @@ -2008,7 +2008,7 @@ var all39 = all_match({ var msg106 = msg("named:44", all39); -var part185 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport}(%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ +var part185 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ dup12, dup6, dup8, @@ -2017,7 +2017,7 @@ var part185 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}# var msg107 = msg("named:43", part185); -var part186 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result}resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ +var part186 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ dup12, dup6, dup8, @@ -2042,7 +2042,7 @@ var part188 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}# var msg110 = msg("named:47", part188); -var part189 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport}(%{hostname}): query '%{zone}' %{result}", processor_chain([ +var part189 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ dup56, dup6, dup8, 
@@ -2051,7 +2051,7 @@ var part189 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}# var msg111 = msg("named:48", part189); -var part190 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}(%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ +var part190 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ dup12, dup6, dup8, @@ -2060,7 +2060,7 @@ var part190 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}# var msg112 = msg("named:62", part190); -var part191 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport}(%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ +var part191 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ dup12, dup6, dup8, @@ -2068,7 +2068,7 @@ var part191 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}# var msg113 = msg("named:53", part191); -var part192 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport}(%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype}at %(unknown):%{fld2->} ", processor_chain([ +var part192 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2->} ", processor_chain([ dup48, dup6, dup8, @@ -2077,7 +2077,7 @@ var part192 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}# var msg114 = msg("named:77", part192); -var part193 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport}(%{hostname}): %{info}", processor_chain([ +var part193 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ dup58, dup6, dup8, 
@@ -2086,7 +2086,7 @@ var part193 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr} var msg115 = msg("named:52", part193); -var part194 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype}(%{saddr}) %{info}", processor_chain([ +var part194 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ dup58, dup6, dup8, @@ -2167,7 +2167,7 @@ var part201 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolvi var msg121 = msg("named:57", part201); -var part202 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action}on %{p0}"); +var part202 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); var part203 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); @@ -2382,7 +2382,7 @@ var select46 = linear_select([ var msg134 = msg("syslog-ng", dup64); -var part217 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version}(%{from}) (%{fld1}) %{fld2}", processor_chain([ +var part217 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ dup12, dup6, dup8, @@ -2399,7 +2399,7 @@ var select47 = linear_select([ var msg137 = msg("radiusd", dup69); -var part218 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent}start", processor_chain([ +var part218 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ dup12, dup6, dup8, @@ -2424,7 +2424,7 @@ var select48 = linear_select([ msg141, ]); -var part220 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration}secs", processor_chain([ +var part220 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ dup12, dup6, dup8, 
@@ -2448,7 +2448,7 @@ var part222 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{f var msg144 = msg("watchdog:02", part222); -var part223 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%(unknown)could not be opened, errno = %{resultcode}", processor_chain([ +var part223 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ dup15, dup6, dup8, @@ -2468,7 +2468,7 @@ var select49 = linear_select([ var msg147 = msg("init", dup64); -var part224 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask}to %{interface}", processor_chain([ +var part224 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ dup12, dup6, dup8, @@ -2483,7 +2483,7 @@ var select50 = linear_select([ msg149, ]); -var part225 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol}[%{info}] %{event_description}(code=%{resultcode})", processor_chain([ +var part225 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, @@ -2501,7 +2501,7 @@ var part226 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Option var msg152 = msg("openvpn-member:02", part226); -var part227 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version}[%{protocol}] [%{fld2}] %{info}", processor_chain([ +var part227 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ dup12, dup6, dup8, 
@@ -2522,7 +2522,7 @@ var select51 = linear_select([ msg155, ]); -var part228 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip}port %{network_port}.", processor_chain([ +var part228 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ dup12, dup6, dup8, @@ -2541,7 +2541,7 @@ var select52 = linear_select([ part231, ]); -var part232 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr}port %{sport->} %{protocol}"); +var part232 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); var all43 = all_match({ processors: [ @@ -2566,7 +2566,7 @@ var part233 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection close var msg158 = msg("sshd:02", part233); -var part234 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port}on %{hostip->} %{result}: %{event_description}", processor_chain([ +var part234 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ dup15, dup6, dup8, @@ -2612,7 +2612,7 @@ var part238 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds var msg163 = msg("sshd:07", part238); -var part239 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod}authentication succeeded for user %{username}", processor_chain([ +var part239 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ setc("eventcategory","1302010300"), dup6, setc("event_description","authentication succeeded"), 
@@ -2656,7 +2656,7 @@ var select53 = linear_select([ msg166, ]); -var part242 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version}[%{protocol}] [%{fld1}] %{info}", processor_chain([ +var part242 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ dup12, dup6, dup8, @@ -2664,7 +2664,7 @@ var part242 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN % var msg167 = msg("openvpn-master", part242); -var part243 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol}[%{info}]: %{event_description}(code=%{resultcode})", processor_chain([ +var part243 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, @@ -2674,7 +2674,7 @@ var msg168 = msg("openvpn-master:01", part243); var msg169 = msg("openvpn-master:02", dup75); -var part244 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport}TLS Error: TLS handshake failed", processor_chain([ +var part244 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ dup15, dup6, dup8, @@ -2682,7 +2682,7 @@ var part244 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{sadd var msg170 = msg("openvpn-master:03", part244); -var part245 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport}[%{fld2}] %{event_description}", processor_chain([ +var part245 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ dup12, dup6, dup8, 
@@ -2690,7 +2690,7 @@ var part245 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1 var msg171 = msg("openvpn-master:04", part245); -var part246 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport}[%{fld1}] %{event_description->} ", processor_chain([ +var part246 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description->} ", processor_chain([ dup12, dup6, dup8, @@ -2770,7 +2770,7 @@ var select56 = linear_select([ msg178, ]); -var part253 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr}is online.", processor_chain([ +var part253 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ dup12, dup6, dup8, @@ -2820,7 +2820,7 @@ var select58 = linear_select([ msg180, ]); -var part261 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to}(%{fld1}) %{p0}"); +var part261 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); var part262 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); @@ -2870,7 +2870,7 @@ var select60 = linear_select([ msg184, ]); -var part266 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device}was successful - Backup file %(unknown)", processor_chain([ +var part266 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ dup12, dup6, dup8, 
@@ -2878,7 +2878,7 @@ var part266 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup var msg185 = msg("scheduled_backups", part266); -var part267 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device}was successful - Backup file %(unknown)", processor_chain([ +var part267 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ dup12, dup6, dup8, @@ -2887,7 +2887,7 @@ var part267 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Sc var msg186 = msg("scheduled_ftp_backups", part267); -var part268 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device}failed - %{result}.", processor_chain([ +var part268 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ dup15, dup6, dup8, @@ -2901,7 +2901,7 @@ var select61 = linear_select([ msg187, ]); -var part269 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device}was successful - Backup file %(unknown)", processor_chain([ +var part269 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ dup12, dup6, dup8, @@ -2910,7 +2910,7 @@ var part269 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Sc var msg188 = msg("scheduled_scp_backups", part269); -var part270 = match("MESSAGE#171:python", "nwparser.payload", "%{action}even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ +var part270 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ dup12, dup6, dup8, 
@@ -2918,7 +2918,7 @@ var part270 = match("MESSAGE#171:python", "nwparser.payload", "%{action}even tho var msg189 = msg("python", part270); -var part271 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action}(algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ +var part271 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ dup12, dup6, dup8, @@ -2950,7 +2950,7 @@ var part274 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQD var msg193 = msg("python:04", part274); -var part275 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3}[%{username}]: Populated %{zone->} %{hostname}DnsView=%{fld4}", processor_chain([ +var part275 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ dup12, dup6, dup8, @@ -2986,7 +2986,7 @@ var part277 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP versi var msg197 = msg("snmptrapd", part277); -var part278 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1}sleeps more than %{duration}milliseconds in %{fld2}", processor_chain([ +var part278 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ dup12, dup6, dup8, @@ -3002,7 +3002,7 @@ var select63 = linear_select([ msg199, ]); -var part279 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr}offset %{duration}sec", processor_chain([ +var part279 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ dup12, dup6, dup8, 
@@ -3027,7 +3027,7 @@ var part280 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Sc var msg203 = msg("purge_scheduled_tasks", part280); -var part281 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22}[%{domain}]: Login_Denied - - to=%{terminal}apparently_via=%{info}ip=%{saddr}error=%{result}", processor_chain([ +var part281 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ dup13, dup2, dup3, @@ -3060,7 +3060,7 @@ var part282 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No aut var msg205 = msg("serial_console:03", part282); -var part283 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}[%{username}]: Login_Allowed - - to=%{terminal}apparently_via=%{info}auth=%{authmethod}group=%{group}", processor_chain([ +var part283 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ dup9, dup2, dup3, @@ -3095,7 +3095,7 @@ var part285 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User g var msg208 = msg("serial_console:02", part285); -var part286 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1}[%{username}]: rebooted the system", processor_chain([ +var part286 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ dup12, dup6, dup8, 
@@ -3190,7 +3190,7 @@ var part293 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup faile var msg221 = msg("rsyncd", part293); -var part294 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost}(%{saddr})", processor_chain([ +var part294 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ dup12, dup6, dup8, @@ -3198,7 +3198,7 @@ var part294 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from % var msg222 = msg("rsyncd:01", part294); -var part295 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %(unknown)from %{shost}(%{saddr})", processor_chain([ +var part295 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ dup12, dup6, dup8, @@ -3206,7 +3206,7 @@ var part295 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{fil var msg223 = msg("rsyncd:02", part295); -var part296 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes}bytes received %{rbytes}bytes total size %{fld1}", processor_chain([ +var part296 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ dup12, dup6, dup8, @@ -3253,7 +3253,7 @@ var part299 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agen var msg229 = msg("netauto_discovery", part299); -var part300 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version}device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ +var part300 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ dup58, dup6, dup8, 
@@ -3333,7 +3333,7 @@ var part306 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Dev var msg236 = msg("DIS", part306); -var part307 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip}on %{fld4}, using session ID", processor_chain([ +var part307 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ dup58, dup6, dup8, @@ -3356,7 +3356,7 @@ var part308 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", pro var msg238 = msg("ErrorMsg", part308); -var part309 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr}port %{dport}: %{event_description}", processor_chain([ +var part309 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ dup12, dup6, dup8, @@ -3375,7 +3375,7 @@ var part310 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: var msg240 = msg("tacacs_acct:01", part310); -var part311 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2}bytes from server %{daddr}port %{dport}, expecting %{fld3}", processor_chain([ +var part311 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ dup12, dup6, dup8, @@ -3390,7 +3390,7 @@ var select71 = linear_select([ msg241, ]); -var part312 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6}port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ +var part312 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ dup12, dup6, dup8, 
@@ -3400,7 +3400,7 @@ var part312 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward me var msg242 = msg("dhcpdv6", part312); -var part313 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6}port %{sport}from client DUID %{fld1}, transaction ID %{id}", processor_chain([ +var part313 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ dup12, dup6, dup8, @@ -3420,7 +3420,7 @@ var part314 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1 var msg244 = msg("dhcpdv6:02", part314); -var part315 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6}port %{sport}", processor_chain([ +var part315 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ dup12, dup6, dup8, @@ -3430,7 +3430,7 @@ var part315 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating var msg245 = msg("dhcpdv6:03", part315); -var part316 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6}port %{sport}", processor_chain([ +var part316 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", processor_chain([ dup12, dup6, dup8, 
@@ -3440,7 +3440,7 @@ var part316 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay var msg246 = msg("dhcpdv6:04", part316); -var part317 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6}port %{sport}, transaction ID %{id}", processor_chain([ +var part317 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ dup12, dup6, dup8, @@ -3450,7 +3450,7 @@ var part317 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated var msg247 = msg("dhcpdv6:05", part317); -var part318 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6}port %{sport}", processor_chain([ +var part318 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ dup12, dup6, dup8, @@ -3460,7 +3460,7 @@ var part318 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating var msg248 = msg("dhcpdv6:06", part318); -var part319 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6}port %{sport}from client DUID %{fld1}, transaction ID %{id}", processor_chain([ +var part319 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ dup12, dup6, dup8, 
@@ -3470,7 +3470,7 @@ var part319 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated var msg249 = msg("dhcpdv6:07", part319); -var part320 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6}to client with duid %{fld1}iaid = %{fld2}static", processor_chain([ +var part320 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ dup12, dup6, dup8, @@ -3576,7 +3576,7 @@ var part325 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{ var part326 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); -var part327 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr}from %{p0}"); +var part327 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); var part328 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); @@ -3584,7 +3584,7 @@ var part329 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via var part330 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); -var part331 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface}relay %{fld1}lease-duration %{duration}"); +var part331 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); var part332 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); 
@@ -3618,7 +3618,7 @@ var part346 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}") var part347 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); -var part348 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport}(%{p0}"); +var part348 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); var part349 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ dup12, @@ -3682,7 +3682,7 @@ var part352 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_d dup8, ])); -var part353 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action}: %{event_description}(code=%{resultcode})", processor_chain([ +var part353 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 1cfcd745f62..618594ef609 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -2202,7 +2202,7 @@ "rsa.misc.event_source": "der7349.invalid", "rsa.misc.event_state": "diduntu", "rsa.time.day": "10", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index 7a95241606a..196053d41eb 100644 --- a/x-pack/filebeat/module/juniper/README.md +++ b/x-pack/filebeat/module/juniper/README.md 
@@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-07 18:10:45.850265 +0000 UTC. +at 2020-07-08 13:58:36.353701 +0000 UTC. diff --git a/x-pack/filebeat/module/juniper/junos/config/pipeline.js b/x-pack/filebeat/module/juniper/junos/config/pipeline.js index dea43f8e359..5598d7f2e02 100644 --- a/x-pack/filebeat/module/juniper/junos/config/pipeline.js +++ b/x-pack/filebeat/module/juniper/junos/config/pipeline.js @@ -75,7 +75,7 @@ var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}" var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); -var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid}[%{payload}"); +var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); @@ -243,7 +243,7 @@ var dup84 = setc("event_description","excessive runtime time during action of mo var dup85 = setc("event_description","Reinitializing"); -var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); 
@@ -267,7 +267,7 @@ var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", var dup97 = setc("event_description","session denied"); -var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); @@ -405,7 +405,7 @@ var dup143 = linear_select([ dup76, ]); -var dup144 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid}changed from %{dclass_counter1}to %{result}", processor_chain([ +var dup144 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ dup29, dup21, dup78, 
@@ -453,13 +453,13 @@ var dup151 = linear_select([ dup102, ]); -var dup152 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ +var dup152 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, dup21, dup51, ])); -var dup153 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type}[junos@%{obj_name}logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ +var dup153 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" 
source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ dup26, dup21, dup51, @@ -475,7 +475,7 @@ var dup155 = linear_select([ dup123, ]); -var dup156 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}OBJ=%{fld7}USERNAME=%{fld8}ROLES=%{fld9}", processor_chain([ +var dup156 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ dup29, dup21, dup51, 
@@ -501,20 +501,20 @@ var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{me }), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid}message repeated %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant("message repeated "), + constant(" message repeated "), field("payload"), ], }), ])); -var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time}ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -622,14 +622,14 @@ var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hf }), ])); -var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}IFP trace> %{messageid}: %{payload}", processor_chain([ +var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ setc("header_id","0009"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("hfld2"), - constant("IFP trace> "), + constant(" IFP trace> "), field("messageid"), constant(": "), field("payload"), @@ -657,7 +657,7 @@ var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{ dup9, ])); -var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname}RT_FLOW: %{messageid}: %{payload}", processor_chain([ +var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ setc("header_id","0027"), dup11, ])); 
@@ -667,14 +667,14 @@ var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{ dup11, ])); -var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname}RT_FLOW - %{messageid}[%{payload}", processor_chain([ +var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ setc("header_id","0013"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant("["), + constant(" ["), field("payload"), ], }), @@ -786,7 +786,7 @@ var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{ dup18, ])); -var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time}/%{messageid}: %{payload}", processor_chain([ +var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ setc("header_id","0021"), dup11, ])); @@ -834,7 +834,7 @@ var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{ }), ])); -var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip}(%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ +var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ setc("header_id","0032"), dup18, ])); @@ -889,7 +889,7 @@ var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{ setc("header_id","3338"), ])); -var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost}node%{p0}"); +var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); 
@@ -954,7 +954,7 @@ var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{ }), ])); -var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1}qsfp %{payload}", processor_chain([ +var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ setc("header_id","9994"), setc("messageid","qsfp"), call({ @@ -964,7 +964,7 @@ var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{ field("hfld2"), constant(" "), field("hfld1"), - constant("qsfp "), + constant(" qsfp "), field("payload"), ], }), @@ -1115,7 +1115,7 @@ var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begi var msg7 = msg("bigpipe:01", part18); -var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action}User: %{username}", processor_chain([ +var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ dup20, dup21, setc("event_description","Audit"), @@ -1157,7 +1157,7 @@ var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{p var msg11 = msg("chassisd:01", part22); -var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action}User: %{username}", processor_chain([ +var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ dup20, dup21, dup24, 
@@ -1180,7 +1180,7 @@ var select8 = linear_select([ msg13, ]); -var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1}for intf %{interface}", processor_chain([ +var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ dup20, dup21, setc("event_description","link protection for interface"), @@ -1246,7 +1246,7 @@ var all9 = all_match({ var msg17 = msg("Cmerror", all9); -var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action}(%(unknown))", processor_chain([ +var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ dup20, dup21, setc("event_description","cron RELOAD"), @@ -1278,7 +1278,7 @@ var select11 = linear_select([ msg20, ]); -var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username}by (uid=%{uid})", processor_chain([ +var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ dup27, dup21, dup22, @@ -1287,7 +1287,7 @@ var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{proc var msg21 = msg("crond:01", part35); -var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result}Setting ignored, %{info}", processor_chain([ +var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ dup20, dup21, setc("event_description","Setting ignored"), 
@@ -1296,7 +1296,7 @@ var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_i var msg22 = msg("dcd", part36); -var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface}index %{resultcode->} %{p0}"); +var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); @@ -1322,7 +1322,7 @@ var all10 = all_match({ var msg23 = msg("EVENT", all10); -var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr}(%{shost})", processor_chain([ +var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ setc("eventcategory","1802000000"), dup21, setc("event_description","ftpd connection"), @@ -1339,7 +1339,7 @@ var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hos var msg25 = msg("ha_rto_stats_handler", part41); -var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name}-- LDAP Connection not bound correctly. %{info}", processor_chain([ +var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. %{info}", processor_chain([ dup20, dup21, setc("event_description","LDAP Connection not bound correctly"), 
@@ -1399,7 +1399,7 @@ var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{nod var msg31 = msg("ifp_ifl_config_event", part47); -var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid}zone_id %{zone}", processor_chain([ +var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ dup20, dup21, setc("event_description","ifp_ifl_ext_chg"), @@ -1408,7 +1408,7 @@ var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} var msg32 = msg("ifp_ifl_ext_chg", part48); -var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol}from %{saddr}exceeded counts/min (%{result})", processor_chain([ +var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ dup29, dup21, setc("event_description","connection exceeded count limit"), @@ -1431,7 +1431,7 @@ var select14 = linear_select([ msg34, ]); -var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type}current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ +var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ dup20, dup21, dup30, @@ -1440,7 +1440,7 @@ var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{even var msg35 = msg("init:04", part51); -var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type}mode=%{protocol}cmd=%{action}master_mode=%{result}", processor_chain([ +var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ dup20, dup21, dup30, 
@@ -1467,7 +1467,7 @@ var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (P var msg38 = msg("init:02", part54); -var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info}model %{dclass_counter1}", processor_chain([ +var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ dup20, dup21, setc("event_description","product mask and model info"), @@ -1484,7 +1484,7 @@ var select15 = linear_select([ msg39, ]); -var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode}exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ +var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","IPC message exceeds MTU"), @@ -1493,7 +1493,7 @@ var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{ var msg40 = msg("ipc_msg_write", part56); -var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1}tnpaddr=%{dclass_counter2}", processor_chain([ +var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ dup27, dup21, setc("event_description","listener connection established"), 
@@ -1537,7 +1537,7 @@ var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{inter var msg43 = msg("kernel", part61); -var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface}down: %{result}.", processor_chain([ +var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ dup20, dup21, setc("event_description","interface down"), @@ -1564,7 +1564,7 @@ var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{se var msg46 = msg("kernel:03", part64); -var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service}!VALID(state 4)->%{result}", processor_chain([ +var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ dup20, dup21, setc("event_description","pfe_peer_alloc state 4"), @@ -1573,7 +1573,7 @@ var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{se var msg47 = msg("kernel:04", part65); -var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip}(%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ +var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ dup20, dup21, dup31, @@ -1603,7 +1603,7 @@ var select17 = linear_select([ msg49, ]); -var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr}on %{interface}as %{username}", processor_chain([ +var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ dup32, dup33, dup34, 
@@ -1616,7 +1616,7 @@ var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process var msg50 = msg("successful_login", part68); -var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username}from host %{hostip}", processor_chain([ +var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ dup32, dup33, dup34, @@ -1628,7 +1628,7 @@ var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: var msg51 = msg("login_attempt", part69); -var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1}returned: %{space}[%{resultcode}]%{result}", processor_chain([ +var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ dup32, dup33, dup36, @@ -1758,7 +1758,7 @@ var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request ca var msg63 = msg("Resolve", part82); -var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service}exited with status = %{resultcode}", processor_chain([ +var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ dup20, dup21, setc("event_description","service exited with status"), 
@@ -1776,7 +1776,7 @@ var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: var msg65 = msg("root", part84); -var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result}for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ +var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ dup20, dup21, setc("event_description","Received data for interface"), @@ -1785,7 +1785,7 @@ var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_i var msg66 = msg("rpd", part85); -var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr}up on interface %{interface}", processor_chain([ +var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ dup20, dup21, setc("event_description","RSVP neighbor up on interface "), @@ -1794,7 +1794,7 @@ var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{proces var msg67 = msg("rpd:01", part86); -var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr}(%{shost}): reseting pending active connection", processor_chain([ +var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ dup20, dup21, setc("event_description","reseting pending active connection"), 
@@ -1819,7 +1819,7 @@ var select20 = linear_select([ msg69, ]); -var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username}as root: cmd='%{action}' ", processor_chain([ +var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}' ", processor_chain([ dup20, dup21, setc("event_description","user issuing command as root"), @@ -1837,7 +1837,7 @@ var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on var msg71 = msg("sfd", part90); -var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username}from %{saddr}port %{sport->} %{protocol}", processor_chain([ +var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ dup32, dup33, dup34, @@ -1926,7 +1926,7 @@ var all14 = all_match({ var msg78 = msg("sshd:07", all14); -var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space}[%{resultcode}]authentication error", processor_chain([ +var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ setc("eventcategory","1301020000"), dup33, dup42, @@ -1946,7 +1946,7 @@ var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{proce var msg80 = msg("sshd:09", part99); -var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1}returned: %{space}[%{resultcode}]%{result}", processor_chain([ +var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ dup43, dup33, dup42, 
@@ -2004,7 +2004,7 @@ var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Movin var msg86 = msg("sshd:15", part105); -var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1}sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ +var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ dup43, dup33, dup42, @@ -2046,7 +2046,7 @@ var select22 = linear_select([ dup44, ]); -var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username}from %{saddr}port %{sport->} %{protocol}"); +var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); var all15 = all_match({ processors: [ @@ -2144,7 +2144,7 @@ var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: resta var msg92 = msg("syslogd", part118); -var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action}User: %{username}", processor_chain([ +var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ dup20, dup21, dup24, @@ -2167,7 +2167,7 @@ var select26 = linear_select([ msg94, ]); -var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result}(%{resultcode})", processor_chain([ +var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ dup26, dup21, setc("event_description","failed to connect to the server"), 
@@ -2203,7 +2203,7 @@ var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_ var msg98 = msg("uspinfo", part124); -var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version}by builder on %{event_time_string}", processor_chain([ +var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ dup20, dup21, setc("event_description","Version build date"), @@ -2212,7 +2212,7 @@ var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version var msg99 = msg("Version", part125); -var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result}from %(unknown)", processor_chain([ +var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ dup20, dup21, setc("event_description","frequency initialized from file"), @@ -2221,7 +2221,7 @@ var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{proces var msg100 = msg("xntpd", part126); -var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string}(%{resultcode})", processor_chain([ +var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ dup20, dup21, setc("event_description","nptd version build"), @@ -2255,7 +2255,7 @@ var select27 = linear_select([ msg103, ]); -var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1}times", processor_chain([ +var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ dup20, dup21, setc("event_description","last message repeated"), 
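Review bot: The xntpd hunk (MESSAGE#96) keeps the literal `%(unknown)` in `from %(unknown)` on the new side; with parentheses rather than braces this is not a field capture, so the pattern presumably only matches a message containing that exact text and the file name is never extracted. The same leftover survives in ACCT_ACCOUNTING_FERROR (`@@ -2351`), CHASSISD_FILE_OPEN, CHASSISD_FILE_STAT and CHASSISD_FRU_IPC_WRITE_ERROR_EXT (`@@ -2901`, `-2910`, `-2928`) and FSAD_FETCHTIMEDOUT and FSAD_FILE_STAT (`@@ -3534`, `-3570`), whereas ACCT_ACCOUNTING_SMALL_FILE_SIZE, ACCT_CU_RTSLIB_error, ACCT_UNDEFINED_COUNTER_NAME and DCD_PULL_LOG_FAILURE replace it with `%{filename->}` in this same commit. Applying the same substitution here, `"%{process}[%{process_id}]: frequency initialized %{result->} from %{filename}"`, keeps the set consistent; if this file is produced by a converter, the fix likely belongs in the converter's handling of that field rather than in the output. Messages that fall through an unmatched pattern lose the file-name field that a detection rule on these events would key on. The `processor_chain([` argument continues outside each of these hunks.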
@@ -2264,7 +2264,7 @@ var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeat var msg104 = msg("last", part130); -var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1}times", processor_chain([ +var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ dup47, dup46, dup22, @@ -2351,7 +2351,7 @@ var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): var msg113 = msg("SSB", part139); -var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result}from file %(unknown)", processor_chain([ +var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ dup29, dup21, setc("event_description","Unexpected error"), @@ -2369,7 +2369,7 @@ var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); -var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %(unknown)size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ +var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ dup48, dup21, setc("event_description","File size mismatch"), 
@@ -2387,7 +2387,7 @@ var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "% var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); -var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown)getting class usage statistics for interface %{interface}: %{result}", processor_chain([ +var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ dup48, dup21, setc("event_description","Class usage statistics error for interface"), @@ -2432,7 +2432,7 @@ var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{pr var msg120 = msg("ACCT_MALLOC_FAILURE", part148); -var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown)in accounting profile %{dclass_counter1}is not defined in a firewall using this filter profile", processor_chain([ +var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ dup29, dup21, setc("event_description","Accounting profile counter not defined in firewall"), 
@@ -2459,7 +2459,7 @@ var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{p var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); -var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{obj_name}timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ +var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ dup27, dup21, dup51, 
@@ -2478,7 +2478,7 @@ var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", " var msg125 = msg("APPTRACK_SESSION_CREATE", part153); -var part154 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ +var part154 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ dup27, dup52, dup54, 
@@ -2503,7 +2503,7 @@ var select30 = linear_select([ msg127, ]); -var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ +var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ dup27, dup52, dup21, 
@@ -2530,7 +2530,7 @@ var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup136); var msg131 = msg("BFDD_TRAP_STATE_UP", dup136); -var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr}(%{shost}): %{result->} ", processor_chain([ +var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result->} ", processor_chain([ dup20, dup21, setc("event_description","bgp connect error"), @@ -2539,7 +2539,7 @@ var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{proc var msg132 = msg("bgp_connect_start", part158); -var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr}(%{dhost}) old state %{change_old}event %{action}new state %{change_new->} ", processor_chain([ +var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new->} ", processor_chain([ dup20, dup21, setc("event_description","bgp peer state change"), @@ -2566,7 +2566,7 @@ var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{proce var msg135 = msg("bgp_listen_reset", part161); -var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr}(%{dhost}) next hop %{saddr}local, %{result}", processor_chain([ +var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ dup20, dup21, setc("event_description","peer next hop local"), 
@@ -2575,7 +2575,7 @@ var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{pro var msg136 = msg("bgp_nexthop_sanity", part162); -var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr}(%{dhost}): code %{severity}(%{action}) subcode %{version}(%{result}) value %{disposition}", processor_chain([ +var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ dup29, dup21, setc("event_description","code RED error NOTIFICATION sent"), @@ -2584,7 +2584,7 @@ var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{proce var msg137 = msg("bgp_process_caps", part163); -var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip}(%{hostname}): peer: %{daddr}us: %{saddr}", processor_chain([ +var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ dup29, dup21, dup56, @@ -2598,7 +2598,7 @@ var select32 = linear_select([ msg138, ]); -var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr}(%{dhost}), %{info}(%{protocol})", processor_chain([ +var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ dup29, dup21, setc("event_description","connection collision"), 
@@ -2608,7 +2608,7 @@ var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[% var msg139 = msg("bgp_pp_recv", part165); -var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr}(%{dhost}): received unexpected EOF", processor_chain([ +var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ dup29, dup21, setc("event_description","peer received unexpected EOF"), @@ -2622,7 +2622,7 @@ var select33 = linear_select([ msg140, ]); -var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes}bytes to %{daddr}(%{dhost}) blocked (%{disposition}): %{result->} ", processor_chain([ +var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result->} ", processor_chain([ dup29, dup21, setc("event_description","bgp send blocked error"), @@ -2631,7 +2631,7 @@ var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{pr var msg141 = msg("bgp_send", part167); -var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr}(%{dhost}): code %{resultcode}(%{action}), Reason: %{result->} ", processor_chain([ +var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result->} ", processor_chain([ dup29, dup21, setc("event_description","bgp timeout NOTIFICATION sent"), 
@@ -2703,7 +2703,7 @@ var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{proces var msg149 = msg("BOOTPD_DUP_SLOT", part175); -var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id}for model %{dclass_counter1}", processor_chain([ +var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","Unexpected ID for model"), @@ -2775,7 +2775,7 @@ var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{proc var msg157 = msg("BOOTPD_SELECT_ERR", part183); -var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result}unreasonable", processor_chain([ +var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ dup29, dup21, setc("event_description","timeout unreasonable"), @@ -2784,7 +2784,7 @@ var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process var msg158 = msg("BOOTPD_TIMEOUT", part184); -var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version}built by builder on %{event_time_string->} ", processor_chain([ +var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string->} ", processor_chain([ dup20, dup21, setc("event_description","boot version built"), 
@@ -2793,7 +2793,7 @@ var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process var msg159 = msg("BOOTPD_VERSION", part185); -var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version}built by builder on %{event_time_string}", processor_chain([ +var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ dup57, dup21, setc("event_description","CHASSISD release built"), @@ -2829,7 +2829,7 @@ var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); -var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ +var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ dup20, dup21, setc("event_description","reading midplane ID EEPROM"), @@ -2838,7 +2838,7 @@ var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{proce var msg164 = msg("CHASSISD_CB_READ", part190); -var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device}online ack code %{dclass_counter1}- - %{result}, %{interface}", processor_chain([ +var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ dup29, dup21, setc("event_description","CHASSISD COMMAND ACK ERROR"), 
@@ -2847,7 +2847,7 @@ var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload" var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); -var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition}- %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ +var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","CHASSISD COMMAND ACK SF ERROR"), @@ -2856,7 +2856,7 @@ var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.paylo var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); -var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2}PIC %{dclass_counter1}", processor_chain([ +var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","Cannot set no-concatenated mode for FPC"), 
@@ -2901,7 +2901,7 @@ var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload" var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); -var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode}- - %{dclass_counter1}", processor_chain([ +var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","file open error"), @@ -2910,7 +2910,7 @@ var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{pro var msg172 = msg("CHASSISD_FILE_OPEN", part198); -var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode}- - %{dclass_counter1}", processor_chain([ +var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","CHASSISD file statistics error"), @@ -2928,7 +2928,7 @@ var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{pro var msg174 = msg("CHASSISD_FRU_EVENT", part200); -var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ +var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","CHASSISD restart WRITE_ERROR"), 
@@ -2937,7 +2937,7 @@ var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.pa var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); -var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode}at step %{dclass_counter1}", processor_chain([ +var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","CHASSISD FRU STEP ERROR"), @@ -2946,7 +2946,7 @@ var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", " var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); -var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode}- %{dclass_counter1}", processor_chain([ +var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","Unexpected error from gettimeofday"), @@ -2955,7 +2955,7 @@ var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{ var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); -var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}reading host temperature sensor", processor_chain([ +var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ dup20, dup21, setc("event_description","reading host temperature sensor"), 
@@ -3009,7 +3009,7 @@ var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.pay var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); -var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode}- %{dclass_counter1}", processor_chain([ +var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","rtslib_ifdm_get_by_index failed"), @@ -3126,7 +3126,7 @@ var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); -var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1}not powering up", processor_chain([ +var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ dup58, dup21, setc("event_description","device not powering up"), @@ -3171,7 +3171,7 @@ var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); -var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode}- - %{dclass_counter1}", processor_chain([ +var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","ifmsg sequence gap"), 
@@ -3189,7 +3189,7 @@ var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.pa var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); -var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode}- - %{dclass_counter1}", processor_chain([ +var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","Serial ID read error"), @@ -3207,7 +3207,7 @@ var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{pro var msg205 = msg("CHASSISD_SMB_ERROR", part231); -var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result}(%{info})", processor_chain([ +var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ dup57, dup21, setc("event_description","SNMP Trap6 generated"), @@ -3252,7 +3252,7 @@ var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload" var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); -var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}returned %{resultcode}: %{dclass_counter1}", processor_chain([ +var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","UNEXPECTED EXIT"), 
@@ -3261,7 +3261,7 @@ var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); -var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1}unsupported with this version of chassisd", processor_chain([ +var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ dup58, dup21, setc("event_description","Model number unsupported with this version of chassisd"), @@ -3279,7 +3279,7 @@ var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); -var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ +var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ dup58, dup21, setc("event_description","CHASSISD HIGH TEMP CONDITION"), 
@@ -3289,7 +3289,7 @@ var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payloa var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); -var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent}RESTART mode %{event_state}new master=%{obj_name}old failover=%{change_old}new failover = %{change_new}", processor_chain([ +var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ dup20, dup21, setc("event_description","process RESTART mode"), @@ -3298,7 +3298,7 @@ var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process} var msg215 = msg("clean_process", part241); -var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group}Linklocal MAC:%{macaddr}", processor_chain([ +var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ dup20, dup21, setc("event_description","Chassis Linklocal to MAC"), @@ -3372,7 +3372,7 @@ var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); -var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %(unknown)after %{dclass_counter1}retries last error=%{resultcode}", processor_chain([ +var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ dup29, dup21, setc("event_description","Failed to pull file"), 
@@ -3392,7 +3392,7 @@ var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup137); -var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}encountered errors while parsing filter index file", processor_chain([ +var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ dup29, dup21, setc("event_description","errors encountered while parsing filter index file"), @@ -3401,7 +3401,7 @@ var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); -var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}encountered unhandled state while parsing interface", processor_chain([ +var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ dup29, dup21, setc("event_description","encountered unhandled state while parsing interface"), @@ -3481,7 +3481,7 @@ var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{ var msg240 = msg("ECCD_usage", part260); -var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}viewed security audit log with arguments: %{param}", processor_chain([ +var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ dup20, dup21, setc("event_description","User viewed security audit log with arguments"), 
@@ -3490,7 +3490,7 @@ var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{proc var msg241 = msg("EVENTD_AUDIT_SHOW", part261); -var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr}destination %{daddr}ipid %{fld11}succeed", processor_chain([ +var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ dup20, dup21, dup22, @@ -3534,7 +3534,7 @@ var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[% var msg246 = msg("FSAD_FAILED", part266); -var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname}for file `%(unknown)' timed out", processor_chain([ +var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ dup29, dup21, setc("event_description","Fetch to server to get file timed out"), @@ -3570,7 +3570,7 @@ var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{proce var msg250 = msg("FSAD_FILE_RENAME", part270); -var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}failed for file pathname %(unknown): %{result}", processor_chain([ +var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ dup29, dup21, setc("event_description","stat failed for file"), 
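Review bot: The new-side patterns for FSAD_FETCHTIMEDOUT (part267) and FSAD_FILE_STAT (part271) still carry the literal token `%(unknown)`, while this same change rewrites that token to `%{filename->}` in DCD_PULL_LOG_FAILURE (part250) and NASD_CHAP_INVALID_CHAP_IDENTIFIER (part350). If `%(unknown)` is not a recognised capture in this pattern syntax, the two FSAD patterns would only match a payload containing the text "%(unknown)" verbatim, so genuine messages of those types would fall through unparsed instead of producing a file-name field, which is easy to miss since nothing errors. Presumably the file name should be captured consistently, replacing `%(unknown)` with `%{filename->}` in both FSAD patterns (or documented as intentional if the literal is expected), and the converter that emits this file checked for any remaining occurrences. Each `var partNNN = match(...)` statement begins inside its hunk but the enclosing processor_chain([...]) closes outside the visible lines.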
@@ -3597,7 +3597,7 @@ var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[ var msg253 = msg("FSAD_MAXCONN", part273); -var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}failed in the function %{action}(%{resultcode})", processor_chain([ +var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ dup50, dup21, setc("event_description","FSAD MEMORYALLOC FAILED"), @@ -3642,7 +3642,7 @@ var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{p var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); -var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type}at (%{saddr}, %{sport})", processor_chain([ +var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ dup29, dup21, setc("event_description","fsad received error message from client"), @@ -3735,7 +3735,7 @@ var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{proces var msg268 = msg("JADE_EXEC_ERROR", part288); -var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username}does not exist", processor_chain([ +var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ dup29, dup21, setc("event_description","Local user does not exist"), 
@@ -3762,7 +3762,7 @@ var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "% var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); -var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr}from %{smacaddr}to %{dmacaddr}", processor_chain([ +var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ dup29, dup21, setc("event_description","arp info overwritten"), @@ -3864,7 +3864,7 @@ var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.pa var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); -var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1}-f %{action}: %{result}", processor_chain([ +var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ dup72, dup21, setc("event_description","ROTATE COMPRESS EXEC FAILED"), @@ -3909,7 +3909,7 @@ var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", " var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); -var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid}to management routing instance: %{result}", processor_chain([ +var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to attach socket to management routing instance"), 
@@ -3954,7 +3954,7 @@ var part312 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process} var msg293 = msg("LOGIN_ABORTED", part312); -var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username}from host %{dhost}", processor_chain([ +var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ dup43, dup33, dup34, @@ -4025,7 +4025,7 @@ var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); -var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username}logged in from host %{dhost}on %{p0}"); +var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); @@ -4148,7 +4148,7 @@ var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{ var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part328); -var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}authenticated but has no local login ID", processor_chain([ +var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ dup43, dup33, dup34, 
@@ -4201,7 +4201,7 @@ var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "% var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); -var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username}from host %{shost}on %{terminal}was refused: %{info}", processor_chain([ +var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ dup43, dup33, dup34, @@ -4215,7 +4215,7 @@ var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process} var msg309 = msg("LOGIN_REFUSED", part333); -var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}logged in as root from host %{shost}on %{terminal}", processor_chain([ +var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ dup32, dup33, dup34, @@ -4229,7 +4229,7 @@ var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{ var msg310 = msg("LOGIN_ROOT", part334); -var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1}seconds", processor_chain([ +var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ dup43, dup33, dup35, 
@@ -4291,7 +4291,7 @@ var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{proc var msg318 = msg("MIB2D_KVM_FAILURE", part340); -var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2}index (%{result})", processor_chain([ +var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ dup29, dup21, setc("event_description","MIB2D RTSLIB READ FAILURE"), @@ -4336,7 +4336,7 @@ var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", " var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); -var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new}sighupped=%{result}", processor_chain([ +var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ dup20, dup21, setc("event_description","user sighupped"), @@ -4374,7 +4374,7 @@ var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payloa var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); -var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)expected CHAP ID: %{resultcode}", processor_chain([ +var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ dup29, dup21, setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), 
@@ -4450,7 +4450,7 @@ var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); var msg337 = msg("NASD_DUPLICATE", dup139); -var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}with: %{result}", processor_chain([ +var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ dup29, dup21, setc("event_description","EVLIB CREATE FAILURE"), @@ -4459,7 +4459,7 @@ var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); -var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}value: %{result}, error: %{resultcode}", processor_chain([ +var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ dup29, dup21, setc("event_description","EVLIB EXIT FAILURE"), @@ -4535,7 +4535,7 @@ var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{ var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); -var part367 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}when allocating password for RADIUS: %{result}", processor_chain([ +var part367 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ dup29, dup21, setc("event_description","RADIUS password allocation failure"), 
@@ -4642,7 +4642,7 @@ var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event var msg360 = msg("NOTICE", part378); -var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport}(%{packets}packets) ", processor_chain([ +var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets) ", processor_chain([ dup20, dup21, dup81, @@ -4651,7 +4651,7 @@ var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{proce var msg361 = msg("PFE_FW_SYSLOG_IP", part379); -var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport}(%{packets}packets) ", processor_chain([ +var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets) ", processor_chain([ dup20, dup21, dup81, @@ -4665,7 +4665,7 @@ var select36 = linear_select([ msg362, ]); -var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface}throttled", processor_chain([ +var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ dup20, dup21, setc("event_description","Next-hop resolution requests throttled"), 
@@ -4703,7 +4703,7 @@ var select37 = linear_select([ part386, ]); -var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol}cmd=%{action}master_mode=%{result}"); +var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); var all21 = all_match({ processors: [ @@ -4737,7 +4737,7 @@ var select38 = linear_select([ msg367, ]); -var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}exiting with status %{result}", processor_chain([ +var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ dup20, dup21, setc("event_description","process exit with status"), @@ -4746,7 +4746,7 @@ var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{pr var msg368 = msg("PWC_EXIT", part389); -var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}released child %{child_pid}from %{dclass_counter1}state", processor_chain([ +var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ dup20, dup21, setc("event_description","Process released child from state"), 
@@ -4773,7 +4773,7 @@ var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payloa var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); -var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent}received terminating signal", processor_chain([ +var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ dup20, dup21, setc("event_description","pwc process received terminating signal"), @@ -4782,7 +4782,7 @@ var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{p var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); -var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode}to child %{child_pid}", processor_chain([ +var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ dup29, dup21, setc("event_description","pwc is sending kill event to child"), @@ -4818,7 +4818,7 @@ var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{proces var msg376 = msg("PWC_KQUEUE_INIT", part397); -var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent}for purpose: %{result}", processor_chain([ +var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ dup29, dup21, setc("event_description","Failed to register kqueue filter"), 
@@ -4872,7 +4872,7 @@ var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process var msg382 = msg("PWC_NO_PROCESS", part403); -var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent}child %{child_pid}exited with status %{result}", processor_chain([ +var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ dup20, dup21, setc("event_description","pwc process exited with status"), @@ -4881,7 +4881,7 @@ var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{proce var msg383 = msg("PWC_PROCESS_EXIT", part404); -var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}forcing hold down of child %{child_pid}until signal", processor_chain([ +var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ dup20, dup21, setc("event_description","Process forcing hold down of child until signalled"), @@ -4890,7 +4890,7 @@ var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", " var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); -var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}holding down child %{child_pid}until signal", processor_chain([ +var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ dup20, dup21, setc("event_description","Process holding down child until signalled"), 
@@ -4899,7 +4899,7 @@ var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{proce var msg385 = msg("PWC_PROCESS_HOLD", part406); -var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}will not down child %{child_pid}because of %{result}", processor_chain([ +var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ dup29, dup21, setc("event_description","Process not holding down child"), @@ -4917,7 +4917,7 @@ var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{proce var msg387 = msg("PWC_PROCESS_OPEN", part408); -var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent}holding down child %{child_pid->} %{result}", processor_chain([ +var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ dup20, dup21, setc("event_description","Process holding down child"), @@ -5126,7 +5126,7 @@ var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[% var msg411 = msg("RMOPD_usage", part431); -var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}version built by builder on %{dclass_counter1}: %{result}", processor_chain([ +var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ dup29, dup21, setc("event_description","RPD ABORT"), 
@@ -5162,7 +5162,7 @@ var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{proces var msg415 = msg("RPD_ASSERT_SOFT", part435); -var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}version built by builder on %{dclass_counter1}", processor_chain([ +var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ dup20, dup21, setc("event_description","RPD EXIT"), @@ -5175,7 +5175,7 @@ var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup145); var msg418 = msg("RPD_IFL_NAMECOLLISION", dup145); -var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1}adjacency to %{dclass_counter2}on %{interface}, %{result}", processor_chain([ +var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ dup29, dup21, setc("event_description","IS-IS lost adjacency"), @@ -5184,7 +5184,7 @@ var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{proce var msg419 = msg("RPD_ISIS_ADJDOWN", part437); -var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1}adjacency to %{dclass_counter2->} %{interface}", processor_chain([ +var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ dup20, dup21, setc("event_description","IS-IS new adjacency"), 
@@ -5193,7 +5193,7 @@ var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process var msg420 = msg("RPD_ISIS_ADJUP", part438); -var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1}adjacency to %{dclass_counter2->} %{interface}without an address", processor_chain([ +var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ dup29, dup21, setc("event_description","IS-IS new adjacency without an address"), @@ -5202,7 +5202,7 @@ var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{pro var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); -var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1}LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ +var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ dup29, dup21, setc("event_description","IS-IS LSP checksum error on iterface"), 
@@ -5220,7 +5220,7 @@ var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{proc var msg423 = msg("RPD_ISIS_OVERLOAD", part441); -var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent}message with unsupported address family %{dclass_counter1}", processor_chain([ +var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ dup29, dup21, setc("event_description","message with unsupported address family received"), @@ -5238,7 +5238,7 @@ var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "% var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); -var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1}table ID %{dclass_counter2}", processor_chain([ +var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","received deleted routing table from kernel"), 
@@ -5256,7 +5256,7 @@ var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "% var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); -var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}CHANGE for ifd %{interface}failed, error \"%{result}\"", processor_chain([ +var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ dup29, dup21, setc("event_description","CHANGE for ifd failed"), @@ -5265,7 +5265,7 @@ var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{proc var msg428 = msg("RPD_KRT_IFDCHANGE", part446); -var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}SERVICE: %{service}for ifd %{interface}failed, error \"%{result}\"", processor_chain([ +var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ dup29, dup21, setc("event_description","GET SERVICE failure on interface"), @@ -5274,7 +5274,7 @@ var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{pro var msg429 = msg("RPD_KRT_IFDEST_GET", part447); -var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}GET index for ifd interface failed, error \"%{result}\"", processor_chain([ +var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ dup29, dup21, setc("event_description","GET index for ifd interface failed"), 
@@ -5283,7 +5283,7 @@ var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process var msg430 = msg("RPD_KRT_IFDGET", part448); -var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1}generation mismatch -- %{result}", processor_chain([ +var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ dup29, dup21, setc("event_description","ifd generation mismatch"), @@ -5310,7 +5310,7 @@ var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwpa var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); -var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface}generation mismatch -- %{result}", processor_chain([ +var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ dup29, dup21, setc("event_description","ifl generation mismatch"), @@ -5319,7 +5319,7 @@ var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "% var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); -var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1}for route %{dclass_counter2}", processor_chain([ +var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","lost interface for route"), 
@@ -5337,7 +5337,7 @@ var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); -var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1}for interface %{interface}", processor_chain([ +var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ dup29, dup21, setc("event_description","No device for interface"), @@ -5364,7 +5364,7 @@ var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{proces var msg439 = msg("RPD_KRT_VERSION", part457); -var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info}-- %{result}", processor_chain([ +var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ dup29, dup21, setc("event_description","Routing socket message type not supported by kernel"), @@ -5391,7 +5391,7 @@ var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{p var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); -var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface}is now %{result}", processor_chain([ +var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ dup20, dup21, setc("event_description","LDP interface now unblocked"), 
@@ -5400,7 +5400,7 @@ var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "% var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); -var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr}(%{interface}) is %{result}", processor_chain([ +var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ setc("eventcategory","1603030000"), dup21, setc("event_description","LDP neighbor down"), @@ -5409,7 +5409,7 @@ var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{proces var msg444 = msg("RPD_LDP_NBRDOWN", part462); -var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr}(%{interface}) is %{result}", processor_chain([ +var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ dup20, dup21, setc("event_description","LDP neighbor up"), @@ -5418,7 +5418,7 @@ var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process} var msg445 = msg("RPD_LDP_NBRUP", part463); -var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr}is down, %{result}", processor_chain([ +var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ dup29, dup21, setc("event_description","LDP session down"), 
@@ -5427,7 +5427,7 @@ var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{pr var msg446 = msg("RPD_LDP_SESSIONDOWN", part464); -var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr}is up", processor_chain([ +var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ dup20, dup21, setc("event_description","LDP session up"), @@ -5454,7 +5454,7 @@ var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{proces var msg449 = msg("RPD_LOCK_LOCKED", part467); -var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}Route %{info}", processor_chain([ +var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ dup20, dup21, setc("event_description","MPLS LSP CHANGE"), @@ -5481,7 +5481,7 @@ var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{pr var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); -var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}Route %{info->} ", processor_chain([ +var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info->} ", processor_chain([ dup20, dup21, setc("event_description","MPLS LSP UP"), 
@@ -5508,7 +5508,7 @@ var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{proce var msg455 = msg("RPD_MSDP_PEER_UP", part473); -var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr}(%{interface}) %{disposition}due to %{result}", processor_chain([ +var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ dup29, dup21, setc("event_description","OSPF neighbor down"), @@ -5517,7 +5517,7 @@ var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{proce var msg456 = msg("RPD_OSPF_NBRDOWN", part474); -var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr}(%{interface}) %{disposition}due to %{result}", processor_chain([ +var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ dup20, dup21, setc("event_description","OSPF neighbor up"), @@ -5526,7 +5526,7 @@ var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process var msg457 = msg("RPD_OSPF_NBRUP", part475); -var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1}KB of memory, %{info}", processor_chain([ +var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ dup50, dup21, setc("event_description","OS MEMHIGH"), 
@@ -5535,7 +5535,7 @@ var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process var msg458 = msg("RPD_OS_MEMHIGH", part476); -var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr}timeout interface %{interface}", processor_chain([ +var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ dup29, dup21, setc("event_description","PIM neighbor down"), @@ -5545,7 +5545,7 @@ var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{proces var msg459 = msg("RPD_PIM_NBRDOWN", part477); -var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr}interface %{interface}", processor_chain([ +var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ dup20, dup21, setc("event_description","PIM neighbor up"), @@ -5554,7 +5554,7 @@ var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process} var msg460 = msg("RPD_PIM_NBRUP", part478); -var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr}to %{daddr}", processor_chain([ +var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ dup29, dup21, setc("event_description","Bad checksum for router solicitation"), 
@@ -5563,7 +5563,7 @@ var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{proces var msg461 = msg("RPD_RDISC_CKSUM", part479); -var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1}on %{interface}-- %{result}", processor_chain([ +var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ dup29, dup21, setc("event_description","Ignoring interface"), @@ -5572,7 +5572,7 @@ var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{proc var msg462 = msg("RPD_RDISC_NOMULTI", part480); -var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr}to %{daddr}", processor_chain([ +var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ dup29, dup21, setc("event_description","Unable to locate interface for router"), @@ -5581,7 +5581,7 @@ var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{pro var msg463 = msg("RPD_RDISC_NORECVIF", part481); -var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr}to %{daddr}", processor_chain([ +var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ dup29, dup21, setc("event_description","Expected multicast for router solicitation"), 
@@ -5590,7 +5590,7 @@ var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{ var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); -var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr}to %{daddr}", processor_chain([ +var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ dup29, dup21, setc("event_description","Nonzero ICMP code for router solicitation"), @@ -5599,7 +5599,7 @@ var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{ var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); -var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr}to %{daddr}", processor_chain([ +var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ dup29, dup21, setc("event_description","Insufficient length for router solicitation"), 
@@ -5608,7 +5608,7 @@ var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{p var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); -var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr}(%{interface})", processor_chain([ +var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ dup29, dup21, setc("event_description","RIP update with invalid authentication"), @@ -5635,7 +5635,7 @@ var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "% var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); -var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface}index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ +var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ dup20, dup21, setc("event_description","RIP interface up"), @@ -5657,7 +5657,7 @@ var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup146); -var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ +var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ dup29, dup21, setc("event_description","task extended runtime"), 
@@ -5666,7 +5666,7 @@ var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload" var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); -var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}termination signal received", processor_chain([ +var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ dup29, dup21, setc("event_description","termination signal received for service"), @@ -5675,7 +5675,7 @@ var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{p var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); -var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1}version version built %{dclass_counter2}", processor_chain([ +var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ dup20, dup21, setc("event_description","version built"), @@ -5693,7 +5693,7 @@ var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{ var msg477 = msg("RPD_SYSTEM", part493); -var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2}by builder", processor_chain([ +var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ dup20, dup21, setc("event_description","Commencing routing updates"), 
@@ -5785,7 +5785,7 @@ var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{ var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); -var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1}(%{agent}) failed, err %{resultcode}(%{result})", processor_chain([ +var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ dup29, dup21, setc("event_description","COS IPC op failed"), @@ -5956,7 +5956,7 @@ var all25 = all_match({ var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); -var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ +var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ dup93, dup52, dup94, @@ -5966,7 +5966,7 @@ var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{e var msg494 = msg("RT_FLOW_SESSION_DENY", part525); -var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}HTTP %{info}"); +var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); var all26 = all_match({ processors: [ 
@@ -6046,7 +6046,7 @@ var all28 = all_match({ var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); -var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ +var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ dup26, dup52, dup54, @@ -6141,7 +6141,7 @@ var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: var msg501 = msg("RT_SCREEN_IP", part540); -var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ +var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, dup21, dup51, 
@@ -6156,7 +6156,7 @@ var select52 = linear_select([ var msg503 = msg("RT_SCREEN_TCP", dup152); -var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ +var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, dup21, dup51, @@ -6229,7 +6229,7 @@ var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{ var msg512 = msg("SERVICED_CONFIG_ERROR", part549); -var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2}failed to read path with error: %{result}", processor_chain([ +var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ dup29, dup21, setc("event_description","service failed to read path"), @@ -6258,7 +6258,7 @@ var msg515 = msg("SERVICED_DISABLED_GGSN", part552); var msg516 = msg("SERVICED_DUPLICATE", dup139); -var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2}failed with error: %{result}", processor_chain([ +var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ dup29, dup21, setc("event_description","event function failed"), 
@@ -6276,7 +6276,7 @@ var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{p var msg518 = msg("SERVICED_INIT_FAILED", part554); -var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1}bytes %{bytes}]: %{result}", processor_chain([ +var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ dup29, dup21, setc("event_description","memory allocation failure"), @@ -6285,7 +6285,7 @@ var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", " var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); -var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2}had error: %{result}", processor_chain([ +var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ dup29, dup21, setc("event_description","NETWORK FAILURE"), @@ -6334,7 +6334,7 @@ var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "% var msg526 = msg("SERVICED_SOCKET_CREATE", part560); -var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2}failed with error: %{result}", processor_chain([ +var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ dup29, dup21, setc("event_description","socket function failed"), 
@@ -6352,7 +6352,7 @@ var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "% var msg528 = msg("SERVICED_SOCKET_OPTION", part562); -var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2}had error: %{result}", processor_chain([ +var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ dup29, dup21, setc("event_description","STDLIB FAILURE"), @@ -6385,7 +6385,7 @@ var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup153); var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup153); -var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version}AgentX subagent connected", processor_chain([ +var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ dup20, dup21, setc("event_description","AgentX subagent connected"), @@ -6395,7 +6395,7 @@ var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{proce var msg535 = msg("SNMP_NS_LOG_INFO", part566); -var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1}rows", processor_chain([ +var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ dup20, dup21, setc("event_description","ns_subagent registering rows"), 
@@ -6405,7 +6405,7 @@ var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload" var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); -var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}access group %{group}", processor_chain([ +var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ dup29, dup21, setc("event_description","SNMPD ACCESS GROUP ERROR"), @@ -6414,7 +6414,7 @@ var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); -var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr}to unknown community name (%{pool_name})", processor_chain([ +var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ dup29, dup21, dup104, @@ -6424,7 +6424,7 @@ var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{pro var msg538 = msg("SNMPD_AUTH_FAILURE", part569); -var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr}to unknown (%{pool_name})", processor_chain([ +var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ dup29, dup21, dup104, 
@@ -6434,7 +6434,7 @@ var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{ var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); -var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr}to %{saddr}(%{pool_name})", processor_chain([ +var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ dup29, dup21, dup104, @@ -6444,7 +6444,7 @@ var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{ var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); -var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ +var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ dup29, dup21, dup104, 
@@ -6470,7 +6470,7 @@ var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payl var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); -var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr}not allowed", processor_chain([ +var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ dup47, dup21, setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), @@ -6498,7 +6498,7 @@ var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{pro var msg545 = msg("SNMPD_CONFIG_ERROR", part576); -var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}context %{dclass_counter2}", processor_chain([ +var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","SNMPD CONTEXT ERROR"), @@ -6534,7 +6534,7 @@ var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{pro var msg549 = msg("SNMPD_FILE_FAILURE", part580); -var part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ +var part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ dup29, dup21, setc("event_description","SNMPD GROUP ERROR"), 
@@ -6588,7 +6588,7 @@ var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{pr var msg555 = msg("SNMPD_RADIX_FAILURE", part586); -var part587 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1}failure: %{result}", processor_chain([ +var part587 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ dup29, dup21, setc("event_description","SNMPD RECEIVE FAILURE"), @@ -6728,7 +6728,7 @@ var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{ var msg570 = msg("SNMPD_TRAP_COLD_START", part601); -var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode}(%{result})", processor_chain([ +var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ dup29, dup21, dup106, @@ -6746,7 +6746,7 @@ var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", " var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); -var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result}(%{dclass_counter2}) received", processor_chain([ +var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ dup29, dup21, setc("event_description","SNMPD TRAP INVALID DATA"), 
@@ -6755,7 +6755,7 @@ var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", " var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); -var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info}(%{result})", processor_chain([ +var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ dup29, dup21, setc("event_description","SNMPD TRAP ERROR"), @@ -6764,7 +6764,7 @@ var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payl var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); -var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2}to %{obj_name}queue, %{dclass_counter1}traps in queue", processor_chain([ +var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ dup20, dup21, setc("event_description","Adding trap to queue"), @@ -6773,7 +6773,7 @@ var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{proc var msg575 = msg("SNMPD_TRAP_QUEUED", part606); -var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name}sent successfully", processor_chain([ +var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ dup20, dup21, setc("event_description","traps queued - sent successfully"), 
@@ -6782,7 +6782,7 @@ var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); -var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1}attempts, deleting %{dclass_counter2}traps queued to %{obj_name}", processor_chain([ +var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ dup29, dup21, setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), @@ -6791,7 +6791,7 @@ var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.paylo var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); -var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2}from %{obj_name}queue", processor_chain([ +var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ dup20, dup21, setc("event_description","SNMP TRAP maximum queue size exceeded"), 
@@ -6800,7 +6800,7 @@ var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); -var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1}traps", processor_chain([ +var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ dup20, dup21, setc("event_description","SNMP traps throttled"), @@ -6809,7 +6809,7 @@ var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{p var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); -var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type})", processor_chain([ +var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ dup29, dup21, setc("event_description","unknown SNMP trap type requested"), @@ -6818,7 +6818,7 @@ var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{ var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); -var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1}varbind to be VT_NUMBER (%{resultcode})", processor_chain([ +var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ dup29, dup21, setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), 
@@ -6845,7 +6845,7 @@ var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{ var msg583 = msg("SNMPD_TRAP_WARM_START", part614); -var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}in %{dclass_counter1}user '%{username}' %{dclass_counter2}", processor_chain([ +var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","SNMPD USER ERROR"), @@ -6863,7 +6863,7 @@ var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{proc var msg585 = msg("SNMPD_VIEW_DELETE", part616); -var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}installing default %{dclass_counter1}view %{dclass_counter2}", processor_chain([ +var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ dup20, dup21, setc("event_description","installing default SNMP view"), @@ -6872,7 +6872,7 @@ var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload" var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); -var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2}oid %{result}", processor_chain([ +var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ dup29, dup21, setc("event_description","oid parsing failed for SNMP view"), 
@@ -6881,7 +6881,7 @@ var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{p var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); -var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ +var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ dup29, dup21, setc("event_description","SNMP_GET_ERROR 1"), @@ -6890,7 +6890,7 @@ var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{proces var msg588 = msg("SNMP_GET_ERROR1", part619); -var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ +var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ dup29, dup21, setc("event_description","SNMP GET ERROR 2"), @@ -6899,7 +6899,7 @@ var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{proces var msg589 = msg("SNMP_GET_ERROR2", part620); -var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ +var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ dup29, dup21, setc("event_description","SNMP GET ERROR 3"), 
@@ -6908,7 +6908,7 @@ var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{proces var msg590 = msg("SNMP_GET_ERROR3", part621); -var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1}failed for %{dclass_counter2}: %{result}", processor_chain([ +var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ dup29, dup21, setc("event_description","SNMP GET ERROR 4"), @@ -6935,7 +6935,7 @@ var part624 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{pr var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); -var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ +var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ dup29, dup21, dup107, 
@@ -6959,7 +6959,7 @@ var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{proc var msg595 = msg("SNMP_TRAP_LINK_UP", part626); -var part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type}[junos@%{obj_name}snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ +var part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ dup20, dup21, dup108, @@ -7041,7 +7041,7 @@ var part634 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{proc var msg603 = msg("SSHD_LOGIN_FAILED", part634); -var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type}[junos@%{obj_name}username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ +var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ dup43, dup33, dup34, @@ -7061,7 +7061,7 @@ var select57 = linear_select([ msg604, ]); -var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent}addr %{daddr}+%{dport}: %{result}", processor_chain([ +var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ dup29, dup21, setc("event_description","task connect failure"), 
@@ -7099,7 +7099,7 @@ var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{proc var msg609 = msg("TFTPD_CONNECT_ERR", part639); -var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol}from address %{daddr}port %{dport}file %(unknown)", processor_chain([ +var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ dup20, dup21, setc("event_description","TFTPD CONNECT INFO"), @@ -7153,7 +7153,7 @@ var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process var msg615 = msg("TFTPD_OPEN_ERR", part645); -var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1}blocks of %{dclass_counter2}size for file '%(unknown)'", processor_chain([ +var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ dup20, dup21, setc("event_description","TFTPD RECVCOMPLETE INFO"), @@ -7180,7 +7180,7 @@ var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process var msg618 = msg("TFTPD_RECV_ERR", part648); -var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1}blocks of %{dclass_counter2}and %{info}for file '%(unknown)'", processor_chain([ +var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ dup20, dup21, setc("event_description","TFTPD SENDCOMPLETE INFO"), 
@@ -7216,7 +7216,7 @@ var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{proce var msg622 = msg("TFTPD_STATFS_ERR", part652); -var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1}to interface %{interface}", processor_chain([ +var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ dup20, dup21, setc("event_description","adding neighbor to interface"), @@ -7225,7 +7225,7 @@ var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_ var msg623 = msg("TNP", part653); -var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33}started", processor_chain([ +var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ dup20, dup21, setc("event_description","tracing to file"), @@ -7298,7 +7298,7 @@ var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{pro var msg630 = msg("UI_BOOTTIME_FAILED", part660); -var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2}path unknown", processor_chain([ +var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ dup29, dup21, setc("event_description","user path unknown"), 
@@ -7307,7 +7307,7 @@ var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{proce var msg631 = msg("UI_CFG_AUDIT_NEW", part661); -var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %(unknown)security policies %{policyname}] %{info}", processor_chain([ +var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ dup41, dup21, setc("event_description"," user Inserted Security Policies in config"), @@ -7362,7 +7362,7 @@ var all31 = all_match({ var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); -var part666 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %(unknown)applications %{info}]", processor_chain([ +var part666 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ dup20, dup21, setc("event_description","User config replace"), 
@@ -7447,7 +7447,7 @@ var all33 = all_match({ var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); -var part671 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %(unknown)applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ +var part671 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ dup20, dup21, setc("event_description","User replace config application(s)"), @@ -7462,7 +7462,7 @@ var select63 = linear_select([ msg641, ]); -var part672 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info}secret]"); +var part672 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); var all34 = all_match({ processors: [ @@ -7577,7 +7577,7 @@ var part681 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{proc var msg651 = msg("UI_CHILD_SIGNALED", part681); -var part682 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode}command='%{action}')", processor_chain([ +var part682 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ dup20, dup21, setc("event_description","Child stopped"), 
@@ -8070,7 +8070,7 @@ var part732 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{p var msg694 = msg("UI_DBASE_OPEN_FAILED", part732); -var part733 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username}Automatic rebuild of the database '%(unknown)' failed", processor_chain([ +var part733 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ dup29, dup21, setc("event_description","DBASE REBUILD FAILED"), @@ -8095,7 +8095,7 @@ var select70 = linear_select([ part735, ]); -var part736 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username}rebuild/rollback of the database '%(unknown)' started"); +var part736 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); var all43 = all_match({ processors: [ @@ -8131,7 +8131,7 @@ var part738 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "% var msg699 = msg("UI_DBASE_REOPEN_FAILED", part738); -var part739 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username}have the same UID %{uid}", processor_chain([ +var part739 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ dup29, dup21, setc("event_description","Users have the same UID"), 
@@ -8176,7 +8176,7 @@ var part743 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.pa var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part743); -var part744 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info}'%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ +var part744 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ dup32, dup33, dup34, @@ -8230,7 +8230,7 @@ var part747 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[ var msg708 = msg("UI_LOST_CONN", part747); -var part748 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}by '%{username}'", processor_chain([ +var part748 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ dup20, dup21, setc("event_description","MASTERSHIP EVENT"), @@ -8275,7 +8275,7 @@ var part752 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{proces var msg713 = msg("UI_READ_TIMEOUT", part752); -var part753 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action}by '%{username}'", processor_chain([ +var part753 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ dup59, dup21, setc("event_description","System reboot or halt"), 
@@ -8374,7 +8374,7 @@ var part763 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{pro var msg724 = msg("UI_WRITE_RECONNECT", part763); -var part764 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface}(local addr: %{saddr}) is now master for %{username}", processor_chain([ +var part764 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ dup20, dup21, setc("event_description","Interface new master for User"), @@ -8383,7 +8383,7 @@ var part764 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{p var msg725 = msg("VRRPD_NEWMASTER_TRAP", part764); -var part765 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name}(username %{c_username})", processor_chain([ +var part765 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ dup68, dup33, dup34, @@ -8395,7 +8395,7 @@ var part765 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process} var msg726 = msg("WEB_AUTH_FAIL", part765); -var part766 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent}client (username %{c_username})", processor_chain([ +var part766 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ dup79, dup33, dup34, 
@@ -8434,7 +8434,7 @@ var part769 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.paylo var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part769); -var part770 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ +var part770 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ dup73, dup52, dup42, @@ -8453,7 +8453,7 @@ var part771 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{proces var msg732 = msg("eswd", part771); -var part772 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface}context id %{id}changed from %{fld3}", processor_chain([ +var part772 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ dup28, dup21, setc("event_description","ESWD STP State Change Info"), 
@@ -8511,7 +8511,7 @@ var select73 = linear_select([ var msg738 = msg("WEBFILTER_URL_PERMITTED", dup156); -var part777 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}OBJ=%{fld7}", processor_chain([ +var part777 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ dup29, dup21, dup51, 
@@ -8519,7 +8519,7 @@ var part777 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload" var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part777); -var part778 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ +var part778 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ dup29, dup21, dup51, 
@@ -8527,7 +8527,7 @@ var part778 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload" var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part778); -var part779 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ +var part779 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ dup29, dup21, dup51, 
@@ -8544,7 +8544,7 @@ var select74 = linear_select([ var msg742 = msg("WEBFILTER_URL_BLOCKED", dup156); -var part780 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ +var part780 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ dup29, dup21, dup51, @@ -8557,7 +8557,7 @@ var select75 = linear_select([ msg743, ]); -var part781 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url}on port %{network_port}failed\u003c\u003c%{result}>.", processor_chain([ +var part781 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ dup45, dup46, dup22, 
@@ -8567,7 +8567,7 @@ var part781 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.pay var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part781); -var part782 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname}on ip %{hostip}port %{network_port->} %{result}.", processor_chain([ +var part782 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ dup45, dup46, dup22, @@ -8623,7 +8623,7 @@ var msg752 = msg("idpinfo", dup157); var msg753 = msg("kmd", dup157); -var part787 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node}Next-hop resolution requests from interface %{interface}throttled", processor_chain([ +var part787 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ dup20, dup22, dup21, @@ -8647,7 +8647,7 @@ var part789 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{ var msg756 = msg("node:03", part789); -var part790 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1}key %{fld2->} %{fld3}port priority %{fld6->} %{fld4}port %{portname->} %{fld5}state %{resultcode}", processor_chain([ +var part790 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ dup20, dup22, dup21, 
@@ -8709,7 +8709,7 @@ var all45 = all_match({ var msg759 = msg("node:06", all45); -var part795 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface}trigger reth_scan", processor_chain([ +var part795 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ dup20, dup22, dup21, @@ -8745,7 +8745,7 @@ var select79 = linear_select([ msg762, ]); -var part798 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}: deleting active remote neighbor entry %{fld2}from interface %{interface}.", processor_chain([ +var part798 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ dup20, dup22, dup21, @@ -8754,7 +8754,7 @@ var part798 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node} var msg763 = msg("(FPC:01", part798); -var part799 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}deleting nb %{fld2}on ifd %{interface}for cid %{fld3}from active neighbor table", processor_chain([ +var part799 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ dup20, dup22, dup21, @@ -8763,7 +8763,7 @@ var part799 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node} var msg764 = msg("(FPC:02", part799); -var part800 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}: M%{p0}"); +var part800 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); var part801 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); 
@@ -8792,7 +8792,7 @@ var all46 = all_match({ var msg765 = msg("(FPC:03", all46); -var part804 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node}kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ +var part804 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ dup20, dup22, dup21, @@ -8801,7 +8801,7 @@ var part804 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node} var msg766 = msg("(FPC:04", part804); -var part805 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node}kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2}dest %{fld4}:%{fld5}", processor_chain([ +var part805 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ dup20, dup22, dup21, 
@@ -8837,7 +8837,7 @@ var part807 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{ var msg769 = msg("tnp.bootpd", part807); -var part808 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ +var part808 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ dup47, dup51, dup21, 
@@ -8846,7 +8846,7 @@ var part808 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_ var msg770 = msg("AAMW_ACTION_LOG", part808); -var part809 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ +var part809 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ dup132, dup51, dup21, @@ -8855,7 +8855,7 @@ var part809 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payloa var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part809); -var part810 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ +var part810 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ dup132, dup51, dup21, 
@@ -8863,7 +8863,7 @@ var part810 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "% var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part810); -var part811 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32}epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8}inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ +var part811 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" 
nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ dup80, dup51, dup21, @@ -8872,7 +8872,7 @@ var part811 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{e var msg773 = msg("IDP_ATTACK_LOG_EVENT", part811); -var part812 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ +var part812 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ dup80, dup51, dup21, 
@@ -8881,7 +8881,7 @@ var part812 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_t var msg774 = msg("RT_SCREEN_ICMP", part812); -var part813 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32}category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ +var part813 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ dup45, dup51, dup21, 
@@ -8949,7 +8949,7 @@ var part820 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "% var msg779 = msg("JUNOSROUTER_GENERIC:05", part820); -var part821 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip}(%{hostname}): peer: %{daddr}us: %{saddr}", processor_chain([ +var part821 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ dup29, dup21, dup56, @@ -8958,7 +8958,7 @@ var part821 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "% var msg780 = msg("JUNOSROUTER_GENERIC:06", part821); -var part822 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr}(%{dhost}): code %{resultcode}(%{action}), Reason: %{result->} ", processor_chain([ +var part822 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result->} ", processor_chain([ dup20, dup21, dup37, @@ -9001,7 +9001,7 @@ var part826 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "% var msg783 = msg("JUNOSROUTER_GENERIC:09", part826); -var part827 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type}Interface Monitor failed %{fld1}", processor_chain([ +var part827 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ dup133, dup22, dup21, 
@@ -9011,7 +9011,7 @@ var part827 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "% var msg784 = msg("JUNOSROUTER_GENERIC:01", part827); -var part828 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type}Interface Monitor failure recovered %{fld1}", processor_chain([ +var part828 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ dup133, dup22, dup21, @@ -9749,7 +9749,7 @@ var part839 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0 var part840 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); -var part841 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid}[%{payload}"); +var part841 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); @@ -9767,7 +9767,7 @@ var part847 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{ var part848 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); -var part849 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var part849 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); var part850 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); 
@@ -9785,7 +9785,7 @@ var part856 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload var part857 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); -var part858 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type}[junos@%{obj_name}reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var part858 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); var part859 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); @@ -9885,7 +9885,7 @@ var select87 = linear_select([ dup76, ]); -var part882 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid}changed from %{dclass_counter1}to %{result}", processor_chain([ +var part882 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ dup29, dup21, dup78, 
@@ -9933,13 +9933,13 @@ var select91 = linear_select([ dup102, ]); -var part886 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type}[junos@%{obj_name}attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ +var part886 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, dup21, dup51, ])); -var part887 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type}[junos@%{obj_name}logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ +var part887 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" 
source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ dup26, dup21, dup51, @@ -9955,7 +9955,7 @@ var select93 = linear_select([ dup123, ]); -var part888 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type}[junos@%{fld21}source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3}CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}OBJ=%{fld7}USERNAME=%{fld8}ROLES=%{fld9}", processor_chain([ +var part888 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ dup29, dup21, dup51, diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index a7cdb6ac752..985bc1bc652 100644 --- a/x-pack/filebeat/module/kaspersky/README.md +++ b/x-pack/filebeat/module/kaspersky/README.md @@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-07 18:10:46.758192 +0000 UTC. +at 2020-07-08 13:58:37.288234 +0000 UTC. 
diff --git a/x-pack/filebeat/module/kaspersky/av/config/pipeline.js b/x-pack/filebeat/module/kaspersky/av/config/pipeline.js index 7d1d98740de..58bdd0e0c23 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/pipeline.js +++ b/x-pack/filebeat/module/kaspersky/av/config/pipeline.js @@ -520,7 +520,7 @@ var all3 = all_match({ var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); -var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17}( %{p0}"); +var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17->} ( %{p0}"); var all4 = all_match({ processors: [ @@ -657,7 +657,7 @@ var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{ var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); -var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description}Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ +var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description->} Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ dup1, dup2, dup22, 
@@ -673,7 +673,7 @@ var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); -var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}User: %{username}Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ +var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info->} User: %{username->} Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ dup1, dup2, dup22, @@ -689,7 +689,7 @@ var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.paylo var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); -var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type}Result: %{fld23}Object: %{obj_name}Object\\Path: %{url}User:%{username}Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ +var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{fld23->} Object: %{obj_name->} Object\\Path: %{url->} User:%{username->} Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ dup1, dup2, dup22, 
@@ -716,7 +716,7 @@ var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2-> var msg88 = msg("0000014d", part28); -var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type}Result: %{result->} %{p0}"); +var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{result->} %{p0}"); var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} User:%{username}(%{privilege})%{p0}"); diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 6019e83e77b..17bf9e96619 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md @@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-07 18:10:47.073225 +0000 UTC. +at 2020-07-08 13:58:37.610632 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js index 4aa76c4b6a9..f19a6d77861 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js @@ -85,7 +85,7 @@ var select1 = linear_select([ hdr1, ]); -var part1 = match("MESSAGE#0:00/0", "nwparser.payload", "00,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part1 = match("MESSAGE#0:00/0", "nwparser.payload", "00,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all1 = all_match({ processors: [ 
@@ -103,7 +103,7 @@ var all1 = all_match({ var msg1 = msg("00", all1); -var part2 = match("MESSAGE#1:01/0", "nwparser.payload", "01,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part2 = match("MESSAGE#1:01/0", "nwparser.payload", "01,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all2 = all_match({ processors: [ @@ -121,7 +121,7 @@ var all2 = all_match({ var msg2 = msg("01", all2); -var part3 = match("MESSAGE#2:02/0", "nwparser.payload", "02,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part3 = match("MESSAGE#2:02/0", "nwparser.payload", "02,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all3 = all_match({ processors: [ @@ -137,7 +137,7 @@ var all3 = all_match({ var msg3 = msg("02", all3); -var part4 = match("MESSAGE#3:10/0", "nwparser.payload", "10,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part4 = match("MESSAGE#3:10/0", "nwparser.payload", "10,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all4 = all_match({ processors: [ @@ -153,7 +153,7 @@ var all4 = all_match({ var msg4 = msg("10", all4); -var part5 = match("MESSAGE#4:11/0", "nwparser.payload", "11,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part5 = match("MESSAGE#4:11/0", "nwparser.payload", "11,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all5 = all_match({ processors: [ @@ -171,7 +171,7 @@ var all5 = all_match({ var msg5 = msg("11", all5); -var part6 = match("MESSAGE#5:12/0", "nwparser.payload", "12,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part6 = match("MESSAGE#5:12/0", "nwparser.payload", "12,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all6 = all_match({ processors: [ 
@@ -187,7 +187,7 @@ var all6 = all_match({ var msg6 = msg("12", all6); -var part7 = match("MESSAGE#6:13/0", "nwparser.payload", "13,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part7 = match("MESSAGE#6:13/0", "nwparser.payload", "13,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all7 = all_match({ processors: [ @@ -203,7 +203,7 @@ var all7 = all_match({ var msg7 = msg("13", all7); -var part8 = match("MESSAGE#7:14/0", "nwparser.payload", "14,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part8 = match("MESSAGE#7:14/0", "nwparser.payload", "14,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all8 = all_match({ processors: [ @@ -219,7 +219,7 @@ var all8 = all_match({ var msg8 = msg("14", all8); -var part9 = match("MESSAGE#8:15/0", "nwparser.payload", "15,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part9 = match("MESSAGE#8:15/0", "nwparser.payload", "15,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all9 = all_match({ processors: [ @@ -235,7 +235,7 @@ var all9 = all_match({ var msg9 = msg("15", all9); -var part10 = match("MESSAGE#9:16/0", "nwparser.payload", "16,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part10 = match("MESSAGE#9:16/0", "nwparser.payload", "16,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all10 = all_match({ processors: [ @@ -253,7 +253,7 @@ var all10 = all_match({ var msg10 = msg("16", all10); -var part11 = match("MESSAGE#10:17/0", "nwparser.payload", "17,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part11 = match("MESSAGE#10:17/0", "nwparser.payload", "17,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all11 = all_match({ processors: [ 
@@ -269,7 +269,7 @@ var all11 = all_match({ var msg11 = msg("17", all11); -var part12 = match("MESSAGE#11:18/0", "nwparser.payload", "18,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part12 = match("MESSAGE#11:18/0", "nwparser.payload", "18,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all12 = all_match({ processors: [ @@ -285,7 +285,7 @@ var all12 = all_match({ var msg12 = msg("18", all12); -var part13 = match("MESSAGE#12:20/0", "nwparser.payload", "20,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part13 = match("MESSAGE#12:20/0", "nwparser.payload", "20,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all13 = all_match({ processors: [ @@ -301,7 +301,7 @@ var all13 = all_match({ var msg13 = msg("20", all13); -var part14 = match("MESSAGE#13:21/0", "nwparser.payload", "21,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part14 = match("MESSAGE#13:21/0", "nwparser.payload", "21,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all14 = all_match({ processors: [ @@ -317,7 +317,7 @@ var all14 = all_match({ var msg14 = msg("21", all14); -var part15 = match("MESSAGE#14:22/0", "nwparser.payload", "22,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part15 = match("MESSAGE#14:22/0", "nwparser.payload", "22,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all15 = all_match({ processors: [ @@ -333,7 +333,7 @@ var all15 = all_match({ var msg15 = msg("22", all15); -var part16 = match("MESSAGE#15:23/0", "nwparser.payload", "23,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part16 = match("MESSAGE#15:23/0", "nwparser.payload", "23,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all16 = all_match({ processors: [ 
@@ -349,7 +349,7 @@ var all16 = all_match({ var msg16 = msg("23", all16); -var part17 = match("MESSAGE#16:24/0", "nwparser.payload", "24,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part17 = match("MESSAGE#16:24/0", "nwparser.payload", "24,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all17 = all_match({ processors: [ @@ -365,7 +365,7 @@ var all17 = all_match({ var msg17 = msg("24", all17); -var part18 = match("MESSAGE#17:25/0", "nwparser.payload", "25,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part18 = match("MESSAGE#17:25/0", "nwparser.payload", "25,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all18 = all_match({ processors: [ @@ -381,7 +381,7 @@ var all18 = all_match({ var msg18 = msg("25", all18); -var part19 = match("MESSAGE#18:30/0", "nwparser.payload", "30,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part19 = match("MESSAGE#18:30/0", "nwparser.payload", "30,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all19 = all_match({ processors: [ @@ -399,7 +399,7 @@ var all19 = all_match({ var msg19 = msg("30", all19); -var part20 = match("MESSAGE#19:31/0", "nwparser.payload", "31,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part20 = match("MESSAGE#19:31/0", "nwparser.payload", "31,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all20 = all_match({ processors: [ @@ -417,7 +417,7 @@ var all20 = all_match({ var msg20 = msg("31", all20); -var part21 = match("MESSAGE#20:32/0", "nwparser.payload", "32,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part21 = match("MESSAGE#20:32/0", "nwparser.payload", "32,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all21 = all_match({ processors: [ 
@@ -435,7 +435,7 @@ var all21 = all_match({ var msg21 = msg("32", all21); -var part22 = match("MESSAGE#21:33/0", "nwparser.payload", "33,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part22 = match("MESSAGE#21:33/0", "nwparser.payload", "33,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all22 = all_match({ processors: [ @@ -453,7 +453,7 @@ var all22 = all_match({ var msg22 = msg("33", all22); -var part23 = match("MESSAGE#22:36/0", "nwparser.payload", "36,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part23 = match("MESSAGE#22:36/0", "nwparser.payload", "36,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all23 = all_match({ processors: [ @@ -469,7 +469,7 @@ var all23 = all_match({ var msg23 = msg("36", all23); -var part24 = match("MESSAGE#23:50/0", "nwparser.payload", "50,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part24 = match("MESSAGE#23:50/0", "nwparser.payload", "50,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all24 = all_match({ processors: [ @@ -485,7 +485,7 @@ var all24 = all_match({ var msg24 = msg("50", all24); -var part25 = match("MESSAGE#24:51/0", "nwparser.payload", "51,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part25 = match("MESSAGE#24:51/0", "nwparser.payload", "51,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all25 = all_match({ processors: [ @@ -503,7 +503,7 @@ var all25 = all_match({ var msg25 = msg("51", all25); -var part26 = match("MESSAGE#25:52/0", "nwparser.payload", "52,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part26 = match("MESSAGE#25:52/0", "nwparser.payload", "52,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all26 = all_match({ processors: [ 
@@ -519,7 +519,7 @@ var all26 = all_match({ var msg26 = msg("52", all26); -var part27 = match("MESSAGE#26:53/0", "nwparser.payload", "53,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part27 = match("MESSAGE#26:53/0", "nwparser.payload", "53,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all27 = all_match({ processors: [ @@ -535,7 +535,7 @@ var all27 = all_match({ var msg27 = msg("53", all27); -var part28 = match("MESSAGE#27:54/0", "nwparser.payload", "54,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part28 = match("MESSAGE#27:54/0", "nwparser.payload", "54,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all28 = all_match({ processors: [ @@ -553,7 +553,7 @@ var all28 = all_match({ var msg28 = msg("54", all28); -var part29 = match("MESSAGE#28:55/0", "nwparser.payload", "55,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part29 = match("MESSAGE#28:55/0", "nwparser.payload", "55,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all29 = all_match({ processors: [ @@ -569,7 +569,7 @@ var all29 = all_match({ var msg29 = msg("55", all29); -var part30 = match("MESSAGE#29:56/0", "nwparser.payload", "56,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part30 = match("MESSAGE#29:56/0", "nwparser.payload", "56,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all30 = all_match({ processors: [ @@ -587,7 +587,7 @@ var all30 = all_match({ var msg30 = msg("56", all30); -var part31 = match("MESSAGE#30:57/0", "nwparser.payload", "57,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part31 = match("MESSAGE#30:57/0", "nwparser.payload", "57,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all31 = all_match({ processors: [ 
@@ -603,7 +603,7 @@ var all31 = all_match({ var msg31 = msg("57", all31); -var part32 = match("MESSAGE#31:58/0", "nwparser.payload", "58,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part32 = match("MESSAGE#31:58/0", "nwparser.payload", "58,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all32 = all_match({ processors: [ @@ -621,7 +621,7 @@ var all32 = all_match({ var msg32 = msg("58", all32); -var part33 = match("MESSAGE#32:59/0", "nwparser.payload", "59,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part33 = match("MESSAGE#32:59/0", "nwparser.payload", "59,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all33 = all_match({ processors: [ @@ -639,7 +639,7 @@ var all33 = all_match({ var msg33 = msg("59", all33); -var part34 = match("MESSAGE#33:60/0", "nwparser.payload", "60,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part34 = match("MESSAGE#33:60/0", "nwparser.payload", "60,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all34 = all_match({ processors: [ @@ -655,7 +655,7 @@ var all34 = all_match({ var msg34 = msg("60", all34); -var part35 = match("MESSAGE#34:61/0", "nwparser.payload", "61,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part35 = match("MESSAGE#34:61/0", "nwparser.payload", "61,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all35 = all_match({ processors: [ @@ -671,7 +671,7 @@ var all35 = all_match({ var msg35 = msg("61", all35); -var part36 = match("MESSAGE#35:62/0", "nwparser.payload", "62,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part36 = match("MESSAGE#35:62/0", "nwparser.payload", "62,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all36 = all_match({ processors: [ 
@@ -687,7 +687,7 @@ var all36 = all_match({ var msg36 = msg("62", all36); -var part37 = match("MESSAGE#36:63/0", "nwparser.payload", "63,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part37 = match("MESSAGE#36:63/0", "nwparser.payload", "63,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all37 = all_match({ processors: [ @@ -703,7 +703,7 @@ var all37 = all_match({ var msg37 = msg("63", all37); -var part38 = match("MESSAGE#37:64/0", "nwparser.payload", "64,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); +var part38 = match("MESSAGE#37:64/0", "nwparser.payload", "64,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); var all38 = all_match({ processors: [ diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index 051c6c232b6..42bc1e12a7d 100644 --- a/x-pack/filebeat/module/netscout/README.md +++ b/x-pack/filebeat/module/netscout/README.md @@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-07 18:10:40.894044 +0000 UTC. +at 2020-07-08 13:58:30.892131 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/config/pipeline.js b/x-pack/filebeat/module/netscout/sightline/config/pipeline.js index 168de2227c9..6658c4a5c29 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/pipeline.js +++ b/x-pack/filebeat/module/netscout/sightline/config/pipeline.js @@ -119,7 +119,7 @@ var dup35 = date_time({ ], }); -var dup36 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}"); +var dup36 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); var dup37 = date_time({ dest: "starttime", 
@@ -141,13 +141,13 @@ var dup39 = linear_select([ dup9, ]); -var dup40 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol}down for router %{node}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var dup40 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, ])); -var dup41 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol}restored for router %{node}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var dup41 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, @@ -205,7 +205,7 @@ var all2 = all_match({ ]), }); -var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1}for service %{payload}"); +var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); var all3 = all_match({ processors: [ 
@@ -262,17 +262,17 @@ var all5 = all_match({ ]), }); -var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime}pfsp: The %{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", processor_chain([ setc("header_id","0005"), dup11, ])); -var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime}pfsp: Alert %{messageid->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ setc("header_id","0006"), dup11, ])); -var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime}pfsp: %{messageid->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ setc("header_id","0007"), dup11, ])); @@ -299,7 +299,7 @@ var select3 = linear_select([ hdr5, ]); -var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, 
@@ -307,7 +307,7 @@ var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for rout var msg1 = msg("Flow:Down", part9); -var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, 
@@ -324,35 +324,35 @@ var msg3 = msg("BGP:Down", dup40); var msg4 = msg("BGP:Restored", dup41); -var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol}instability router %{node}threshold %{fld25}(%{fld1}) observed %{trigger_val}(%{fld2})", processor_chain([ +var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ dup17, dup13, ])); var msg5 = msg("BGP:Instability", part11); -var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", "%{protocol}Instability for router %{node}ended", processor_chain([ +var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", "%{protocol->} Instability for router %{node->} ended", processor_chain([ dup18, dup13, ])); var msg6 = msg("BGP:Instability_Ended", part12); -var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol}Hijack local_prefix %{fld26}router %{node}bgp_prefix %{fld27}bgp_attributes %{event_description}", processor_chain([ +var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ setc("eventcategory","1002050000"), dup13, ])); var msg7 = msg("BGP:Hijack", part13); -var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol}Hijack for prefix %{fld26}router %{node}done", processor_chain([ +var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ dup18, dup13, ])); var msg8 = msg("BGP:Hijack_Done", part14); -var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol}Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ +var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap %{node}: 
Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ dup19, dup13, ])); @@ -369,7 +369,7 @@ var select5 = linear_select([ msg9, ]); -var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node}unreachable by controller %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ +var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ dup12, dup13, dup14, @@ -377,7 +377,7 @@ var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device % var msg10 = msg("Device:Unreachable", part16); -var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node}reachable again by controller %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, @@ -390,7 +390,7 @@ var select6 = linear_select([ msg11, ]); -var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}GMT: %{event_description}", processor_chain([ +var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ dup20, dup13, dup14, 
@@ -398,7 +398,7 @@ var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware var msg12 = msg("Hardware:Failure", part18); -var part19 = match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node}done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}GMT: %{event_description}", processor_chain([ +var part19 = match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ dup18, dup13, dup16, @@ -420,7 +420,7 @@ var select8 = linear_select([ msg15, ]); -var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node}to version %{version}by %{administrator}", processor_chain([ +var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ dup19, dup13, setc("event_description","Configuration changed"), @@ -428,7 +428,7 @@ var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuratio var msg16 = msg("configuration", part20); -var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}by %{administrator}", processor_chain([ +var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ dup19, dup13, setc("event_description","Autoclassification restarted"), 
@@ -437,7 +437,7 @@ var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autocla var msg17 = msg("Autoclassification", part21); -var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, @@ -445,7 +445,7 @@ var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down f var msg18 = msg("GRE:Down", part22); -var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ setc("eventcategory","1801020100"), dup13, dup16, @@ -458,7 +458,7 @@ var select9 = linear_select([ msg19, ]); -var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all6 = all_match({ processors: [ 
@@ -477,7 +477,7 @@ var all6 = all_match({ var msg20 = msg("mitigation:TMS_Start", all6); -var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all7 = all_match({ processors: [ @@ -496,7 +496,7 @@ var all7 = all_match({ var msg21 = msg("mitigation:TMS_Stop", all7); -var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all8 = all_match({ processors: [ @@ -515,7 +515,7 @@ var all8 = all_match({ var msg22 = msg("mitigation:Thirdparty_Start", all8); -var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all9 = all_match({ processors: [ 
@@ -533,7 +533,7 @@ var all9 = all_match({ var msg23 = msg("mitigation:Thirdparty_Stop", all9); -var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all10 = all_match({ processors: [ @@ -552,7 +552,7 @@ var all10 = all_match({ var msg24 = msg("mitigation:Blackhole_Start", all10); -var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all11 = all_match({ processors: [ @@ -570,7 +570,7 @@ var all11 = all_match({ var msg25 = msg("mitigation:Blackhole_Stop", all11); -var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node}started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all12 = all_match({ processors: [ 
@@ -589,7 +589,7 @@ var all12 = all_match({ var msg26 = msg("mitigation:Flowspec_Start", all12); -var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node}stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all13 = all_match({ processors: [ @@ -618,7 +618,7 @@ var select10 = linear_select([ msg27, ]); -var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}cleared", processor_chain([ +var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ dup18, dup13, setc("event_type","Fault Cleared"), 
@@ -639,56 +639,56 @@ var select11 = linear_select([ msg29, ]); -var part34 = match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc}interface usage alert %{fld1}for router %{node}interface \"%{interface}\" speed %{fld2}threshold %{fld25}observed %{trigger_val}pct %{fld3}", processor_chain([ +var part34 = match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ dup17, dup13, ])); var msg30 = msg("usage_alert:Interface", part34); -var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc}interface usage alert %{fld1}done for router %{node}interface \"%{interface}\"", processor_chain([ +var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ dup18, dup13, ])); var msg31 = msg("usage_alert:Interface_Done", part35); -var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for fingerprint %{policyname}threshold %{fld25}observed %{trigger_val}", processor_chain([ +var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ dup17, dup13, ])); var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); -var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for fingerprint %{policyname}done", processor_chain([ +var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage 
alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ dup18, dup13, ])); var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); -var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1}usage alert %{fld2}for service %{service}, %{application}threshold %{fld25}observed %{trigger_val}", processor_chain([ +var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ dup17, dup13, ])); var msg34 = msg("usage_alert:Service_Threshold", part38); -var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1}alert %{fld2}for service %{service}done", processor_chain([ +var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ dup18, dup13, ])); var msg35 = msg("usage_alert:Service_Threshold_Done", part39); -var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for %{category->} %{fld2}threshold %{fld25}observed %{trigger_val}", processor_chain([ +var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ dup17, dup13, ])); var msg36 = msg("usage_alert:ManagedObject_Threshold", part40); -var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc}usage alert %{fld1}for %{fld3->} %{fld4}done", processor_chain([ +var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: 
%{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ dup18, dup13, ])); @@ -713,7 +713,7 @@ var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{ var msg38 = msg("Test", part42); -var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node}ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all14 = all_match({ processors: [ @@ -732,9 +732,9 @@ var all14 = all_match({ var msg39 = msg("script", all14); -var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id}status %{disposition}severity %{severity}classification %{category}impact %{fld10}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); -var part45 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}, %{info}"); +var part45 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); var all15 = all_match({ processors: [ 
@@ -752,7 +752,7 @@ var all15 = all_match({ var msg40 = msg("anomaly:Resource_Info:01", all15); -var part46 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id}status %{disposition}severity %{severity}classification %{category}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part46 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all16 = all_match({ processors: [ 
@@ -770,9 +770,9 @@ var all16 = all_match({ var msg41 = msg("anomaly:Resource_Info:02", all16); -var part47 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame}id %{event_id}status %{disposition}severity %{severity}classification %{category}impact %{fld10}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part47 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); -var part48 = match("MESSAGE#41:anomaly:Resource_Info:03/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}, %{info->} "); +var part48 = match("MESSAGE#41:anomaly:Resource_Info:03/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info->} "); var all17 = all_match({ processors: [ 
@@ -789,7 +789,7 @@ var all17 = all_match({ var msg42 = msg("anomaly:Resource_Info:03", all17); -var part49 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame}id %{event_id}status %{disposition}severity %{severity}classification %{category}src %{daddr}/%{dport->} %{fld1}dst %{saddr}/%{sport->} %{fld2}start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part49 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all18 = all_match({ processors: [ @@ -806,7 +806,7 @@ var all18 = all_match({ var msg43 = msg("anomaly:Resource_Info:04", all18); -var part50 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid}status %{disposition}severity %{severity}classification %{category}router %{fld6}router_name %{node}interface %{fld4}interface_name \"%{interface}\" %{fld5}", processor_chain([ +var part50 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ dup33, dup13, dup34, 
@@ -814,7 +814,7 @@ var part50 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "ano var msg44 = msg("anomaly:Router_Info:01", part50); -var part51 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame}id %{sigid}status %{disposition}severity %{severity}classification %{category}router %{fld6}router_name %{node}interface %{fld4}interface_name \"%{interface}\" %{fld5}", processor_chain([ +var part51 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ dup33, dup13, ])); @@ -830,7 +830,7 @@ var select13 = linear_select([ msg45, ]); -var part52 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node}unreachable by %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ +var part52 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ dup12, dup13, dup14, @@ -838,7 +838,7 @@ var part52 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakf var msg46 = msg("Peakflow:Unreachable", part52); -var part53 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node}reachable again by %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part53 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, 
@@ -985,7 +985,7 @@ var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{ var part74 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); -var part75 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration}percent %{fld3}rate %{fld4}rateUnit %{fld5}protocol %{protocol}flags %{fld6}url %{url}"); +var part75 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); var select17 = linear_select([ dup2, @@ -999,13 +999,13 @@ var select18 = linear_select([ dup9, ]); -var part76 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol}down for router %{node}, leader %{parent_node}since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part76 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, ])); -var part77 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol}restored for router %{node}, leader %{parent_node}at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part77 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index b6ca99fb779..48f447990ac 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -178,8 +178,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.255.173.170", - "10.139.108.194" + "10.139.108.194", + "10.255.173.170" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1259,8 +1259,8 @@ "rsa.internal.messageid": "anomaly", "rsa.misc.category": "aera", "rsa.misc.disposition": "uamei", - "rsa.misc.event_id": "id 6f3fd2c5", - "rsa.misc.policy_name": "ncid", + "rsa.misc.event_id": "6f3fd2c5", + "rsa.misc.policy_name": "ncidid", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 50.929, "rsa.time.event_time": "2020-01-13T00:18:32.000Z", @@ -1602,8 +1602,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.239.19.5", - "10.135.82.97" + "10.135.82.97", + "10.239.19.5" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "gitsedqu impact borios", @@ -1925,8 +1925,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.193.30.192", - "10.237.45.67" + "10.237.45.67", + "10.193.30.192" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2194,7 +2194,7 @@ ] }, { - "@timestamp": "2019-07-10T03:56:14.000Z", + "@timestamp": "2020-07-10T03:56:14.000Z", "destination.ip": [ "10.179.210.218" ], @@ -2216,7 +2216,7 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "netscout", "source.ip": [ "10.44.47.27" diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index 084a7844034..92a5d9c051e 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md 
@@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-07 18:10:49.209357 +0000 UTC. +at 2020-07-08 13:58:39.870976 +0000 UTC. diff --git a/x-pack/filebeat/module/radware/defensepro/config/pipeline.js b/x-pack/filebeat/module/radware/defensepro/config/pipeline.js index 26e069714f1..e8ec2256338 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/pipeline.js +++ b/x-pack/filebeat/module/radware/defensepro/config/pipeline.js @@ -15,7 +15,7 @@ function DeviceProcessor() { } } -var dup1 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category}\"%{event_type}\" %{protocol->} %{p0}"); +var dup1 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); @@ -25,7 +25,7 @@ var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); -var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context}\"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); +var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); 
@@ -47,9 +47,9 @@ var dup12 = date_time({ var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); -var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category}\\\"%{event_type}\\\" %{protocol->} %{p0}"); +var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); -var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context}\\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); +var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); var dup16 = setc("eventcategory","1002000000"); @@ -73,7 +73,7 @@ var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); -var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username}via %{network_service}(IP: %{saddr})%{p0}"); +var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); @@ -190,7 +190,7 @@ var dup49 = all_match({ ]), }); -var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid}\\\"%{hfld4}\\\" %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", 
@@ -199,7 +199,7 @@ var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} field("hfld3"), constant(" "), field("messageid"), - constant("\\\""), + constant(" \\\""), field("hfld4"), constant("\\\" "), field("payload"), @@ -220,7 +220,7 @@ var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{paylo }), ])); -var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}\"%{hfld3}\" %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -235,7 +235,7 @@ var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} field("hfld2"), constant(" "), field("messageid"), - constant("\""), + constant(" \""), field("hfld3"), constant("\" "), field("payload"), @@ -387,7 +387,7 @@ var select8 = linear_select([ msg15, ]); -var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}COMMAND: \"%{action}\" by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ +var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ dup19, dup20, setc("ec_activity","Execute"), 
@@ -398,7 +398,7 @@ var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2-> var msg16 = msg("COMMAND:", part1); -var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}set %{change_new}, Old Values: %{change_old}, ACTION: %{action}by user %{username}via %{network_service}source IP %{saddr}", processor_chain([ +var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ dup19, dup20, dup22, @@ -409,7 +409,7 @@ var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} var msg17 = msg("Configuration:01", part2); -var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action}by user %{username}via %{network_service}source IP %{saddr}", processor_chain([ +var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ dup19, dup20, dup23, @@ -419,7 +419,7 @@ var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} var msg18 = msg("Configuration:02", part3); -var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration File downloaded from device by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ +var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ dup19, dup20, dup23, 
@@ -430,7 +430,7 @@ var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} var msg19 = msg("Configuration:03", part4); -var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration Upload has been completed", processor_chain([ +var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ dup24, dup23, dup11, @@ -440,7 +440,7 @@ var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} var msg20 = msg("Configuration:04", part5); -var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration Download has been completed", processor_chain([ +var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ dup24, dup23, dup11, @@ -450,7 +450,7 @@ var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} var msg21 = msg("Configuration:05", part6); -var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ +var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ dup24, dup22, dup23, @@ -492,7 +492,7 @@ var all4 = all_match({ var msg23 = msg("Login:04", all4); -var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username}(IP: %{saddr}): %{result}", processor_chain([ +var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ dup30, dup20, dup31, 
@@ -504,7 +504,7 @@ var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user var msg24 = msg("Login:05", part9); -var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Login failed %{p0}"); +var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); var all5 = all_match({ processors: [ @@ -527,7 +527,7 @@ var all5 = all_match({ var msg25 = msg("Login:01", all5); -var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Login failed via %{network_service}(IP: %{saddr}): %{result}", processor_chain([ +var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ dup30, dup20, dup31, @@ -540,7 +540,7 @@ var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2- var msg26 = msg("Login:02", part11); -var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Login locked user %{username}(IP: %{saddr}): %{result}", processor_chain([ +var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ dup30, dup20, dup31, @@ -561,7 +561,7 @@ var select10 = linear_select([ msg27, ]); -var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Connection to NTP server timed out", processor_chain([ +var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server timed out", processor_chain([ dup36, dup21, dup11, 
@@ -571,7 +571,7 @@ var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld var msg28 = msg("Connection", part13); -var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Device was rebooted by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ +var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ dup19, dup20, dup21, @@ -582,7 +582,7 @@ var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} var msg29 = msg("Device", part14); -var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Power supply fully operational", processor_chain([ +var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ dup24, dup21, dup11, @@ -592,7 +592,7 @@ var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} var msg30 = msg("Power", part15); -var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Cold Start", processor_chain([ +var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ dup24, setc("ec_activity","Start"), dup21, @@ -603,7 +603,7 @@ var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} % var msg31 = msg("Cold", part16); -var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Port %{interface->} %{p0}"); +var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); 
@@ -630,7 +630,7 @@ var all6 = all_match({ var msg32 = msg("Port", all6); -var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}DefensePro was powered off", processor_chain([ +var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ dup24, dup21, dup11, @@ -640,7 +640,7 @@ var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld var msg33 = msg("DefensePro", part20); -var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category}\"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context}\"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); +var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); var all7 = all_match({ processors: [ @@ -657,7 +657,7 @@ var all7 = all_match({ var msg34 = msg("Access:01", all7); -var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ +var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ dup36, dup37, dup11, 
@@ -672,7 +672,7 @@ var select12 = linear_select([ msg35, ]); -var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Please reboot the device for the latest changes to take effect", processor_chain([ +var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ dup19, dup21, dup11, @@ -682,7 +682,7 @@ var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} var msg36 = msg("Please", part23); -var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username}logged in via %{network_service}(IP: %{saddr})", processor_chain([ +var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ dup38, dup20, dup31, @@ -694,7 +694,7 @@ var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username}lo var msg37 = msg("User:01", part24); -var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}User %{username}logged in via %{network_service}(IP: %{saddr})", processor_chain([ +var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ dup38, dup20, dup31, @@ -712,7 +712,7 @@ var select13 = linear_select([ msg38, ]); -var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Certificate named %{fld3}expired on %{fld4->} %{fld5}", processor_chain([ +var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ dup19, dup11, setc("event_description","Certificate expired"), 
@@ -728,7 +728,7 @@ var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fl var msg39 = msg("Certificate", part26); -var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity}Vision %{event_description}by user %{username}via %{network_service}, source IP %{saddr}", processor_chain([ +var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ dup19, dup11, dup12, @@ -785,7 +785,7 @@ var chain1 = processor_chain([ }), ]); -var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category}\"%{event_type}\" %{protocol->} %{p0}"); +var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); 
@@ -795,21 +795,21 @@ var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dpo var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); -var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context}\"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); +var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); -var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category}\\\"%{event_type}\\\" %{protocol->} %{p0}"); +var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); -var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context}\\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); +var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); -var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username}via %{network_service}(IP: %{saddr})%{p0}"); +var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); var part43 = 
match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md index 7c81a41e8b9..82ca96047df 100644 --- a/x-pack/filebeat/module/rapid7/README.md +++ b/x-pack/filebeat/module/rapid7/README.md @@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-07 18:10:48.598687 +0000 UTC. +at 2020-07-08 13:58:39.221612 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js b/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js index 44fae3cf4a6..966c00a7421 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js +++ b/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js @@ -15,7 +15,7 @@ function DeviceProcessor() { } } -var dup1 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{p0}"); +var dup1 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); var dup2 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); @@ -41,7 +41,7 @@ var dup5 = call({ ], }); -var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}]%{p0}"); +var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); var dup7 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); 
@@ -240,7 +240,7 @@ var dup69 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", dup59, ])); -var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ setc("header_id","0031"), ])); 
@@ -265,55 +265,55 @@ var all1 = all_match({ ]), }); -var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", processor_chain([ +var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", processor_chain([ setc("header_id","0028"), dup4, ])); -var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0017"), dup5, ])); -var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid}completed %{payload}", processor_chain([ +var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid->} completed %{payload}", processor_chain([ setc("header_id","0024"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant("completed "), + constant(" completed "), field("payload"), ], }), ])); -var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ +var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0018"), dup5, ])); -var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: 
%{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ +var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0029"), dup5, ])); -var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ +var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0019"), dup5, ])); -var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ +var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0020"), dup5, ])); -var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ +var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0021"), dup5, ])); -var hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", 
processor_chain([ +var hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ setc("header_id","0023"), dup5, ])); @@ -333,11 +333,11 @@ var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{ }), ])); -var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime}[%{hobj_name}] %{payload}", processor_chain([ +var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} [%{hobj_name}] %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1}'%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ +var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1->} '%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ setc("header_id","0037"), call({ dest: "nwparser.payload", @@ -346,7 +346,7 @@ var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid- field("messageid"), constant(" "), field("hfld1"), - constant("'"), + constant(" '"), field("hfld2"), constant("' - "), field("hfld1"), 
@@ -360,17 +360,17 @@ var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid- setc("header_id","0002"), ])); -var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ +var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ setc("header_id","0003"), dup5, ])); -var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ +var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ setc("header_id","0030"), dup4, ])); -var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", processor_chain([ +var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", processor_chain([ setc("header_id","0040"), ])); 
@@ -408,12 +408,12 @@ var all3 = all_match({ ]), }); -var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{messageid->} %{payload}", processor_chain([ +var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid->} %{payload}", processor_chain([ setc("header_id","0004"), dup5, ])); -var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid}Config ID: %{hfld19}] %{payload}"); +var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid->} Config ID: %{hfld19}] %{payload}"); var all4 = all_match({ processors: [ @@ -436,12 +436,12 @@ var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid} dup9, ])); -var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ +var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ setc("header_id","0005"), dup5, ])); -var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] [%{messageid}] %{payload}", processor_chain([ +var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] [%{messageid}] %{payload}", processor_chain([ setc("header_id","0006"), ])); 
@@ -479,11 +479,11 @@ var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} dup5, ])); -var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ +var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ setc("header_id","0008"), ])); -var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ +var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ setc("header_id","0009"), call({ dest: "nwparser.payload", @@ -498,7 +498,7 @@ var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} }), ])); -var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{messageid}: %{payload}", processor_chain([ +var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid}: %{payload}", processor_chain([ setc("header_id","0010"), dup4, ])); @@ -512,7 +512,7 @@ var hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} dup5, ])); -var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ +var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ setc("header_id","0013"), call({ dest: "nwparser.messageid", 
@@ -530,7 +530,7 @@ var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} fn: STRCAT, args: [ field("hfld45"), - constant("("), + constant(" ("), field("hfld46"), constant(") - "), field("msgIdPart1"), @@ -544,7 +544,7 @@ var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} }), ])); -var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ +var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ setc("header_id","0014"), dup10, call({ @@ -552,7 +552,7 @@ var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} fn: STRCAT, args: [ field("hfld45"), - constant("("), + constant(" ("), field("hfld46"), constant(") - "), field("msgIdPart1"), @@ -564,14 +564,14 @@ var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} }), ])); -var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{messageid->} %{payload}", processor_chain([ +var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{messageid->} %{payload}", processor_chain([ setc("header_id","0015"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("hfld45"), - constant("("), + constant(" ("), field("hfld46"), constant(") - "), field("messageid"), 
@@ -581,7 +581,7 @@ var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} }), ])); -var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime}[%{hobj_name}] %{hfld45}(%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ +var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ setc("header_id","0016"), dup10, call({ @@ -589,7 +589,7 @@ var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} fn: STRCAT, args: [ field("hfld45"), - constant("("), + constant(" ("), field("hfld46"), constant(") - "), field("msgIdPart1"), 
@@ -601,40 +601,40 @@ var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} }), ])); -var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid}Constructor threw %{payload}", processor_chain([ +var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Constructor threw %{payload}", processor_chain([ setc("header_id","0026"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant("Constructor threw "), + constant(" Constructor threw "), field("payload"), ], }), ])); -var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid}Called method %{payload}", processor_chain([ +var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Called method %{payload}", processor_chain([ setc("header_id","0027"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant("Called method "), + constant(" Called method "), field("payload"), ], }), ])); -var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid}frames %{payload}", processor_chain([ +var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid->} frames %{payload}", processor_chain([ setc("header_id","0025"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant("frames "), + constant(" frames "), field("payload"), ], }), @@ -689,7 +689,7 @@ var select4 = linear_select([ hdr36, ]); -var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame}- NOT VULNERABLE VERSION .", processor_chain([ +var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - NOT VULNERABLE VERSION .", processor_chain([ dup11, dup12, dup13, 
@@ -701,7 +701,7 @@ var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{si var msg1 = msg("NOT_VULNERABLE_VERSION", part12); -var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame}- VULNERABLE VERSION .", processor_chain([ +var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - VULNERABLE VERSION .", processor_chain([ dup11, dup12, dup13, @@ -713,7 +713,7 @@ var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signam var msg2 = msg("VULNERABLE_VERSION", part13); -var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame}- NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ +var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame->} - NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ dup11, dup12, dup13, @@ -725,7 +725,7 @@ var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame}- var msg3 = msg("NOT_VULNERABLE", part14); -var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame}- NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ +var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame->} - NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ dup11, dup12, dup13, @@ -737,7 +737,7 @@ var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame var msg4 = msg("NOT_VULNERABLE:01", part15); -var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame}- NOT VULNERABLE .", processor_chain([ +var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame->} - NOT VULNERABLE .", processor_chain([ dup11, dup12, dup13, 
@@ -755,7 +755,7 @@ var select5 = linear_select([ msg5, ]); -var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame}- VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ +var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame->} - VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ dup11, dup12, dup13, @@ -767,7 +767,7 @@ var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame}- VULN var msg6 = msg("VULNERABLE", part17); -var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame}- VULNERABLE .", processor_chain([ +var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame->} - VULNERABLE .", processor_chain([ dup11, dup12, dup13, @@ -784,7 +784,7 @@ var select6 = linear_select([ msg7, ]); -var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame}- ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ +var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame->} - ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ dup18, dup12, dup13, @@ -797,7 +797,7 @@ var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame}- ERROR [UN var msg8 = msg("ERROR", part19); -var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame}- ERROR - %{context}", processor_chain([ +var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame->} - ERROR - %{context}", processor_chain([ dup18, dup12, dup13, @@ -890,7 +890,7 @@ var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down.. var msg15 = msg("ScanMgr:01", part26); -var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30}is being stopped.", processor_chain([ +var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30->} is being stopped.", processor_chain([ dup20, dup12, dup13, 
@@ -1118,7 +1118,7 @@ var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld3 var msg34 = msg("Nexpose:02", part47); -var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31}nodes completed, %{fld32}active, %{fld33}pending.", processor_chain([ +var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31->} nodes completed, %{fld32->} active, %{fld33->} pending.", processor_chain([ dup20, dup14, dup15, @@ -1135,7 +1135,7 @@ var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose var msg36 = msg("Backup_completed", part49); -var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old}to %{change_new}. DONE.", processor_chain([ +var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}. DONE.", processor_chain([ dup20, dup14, dup15, @@ -1145,7 +1145,7 @@ var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is cha var msg37 = msg("Nexpose:04", part50); -var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old}to %{change_new}.", processor_chain([ +var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}.", processor_chain([ dup20, dup14, dup15, @@ -1154,7 +1154,7 @@ var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is cha var msg38 = msg("Nexpose:05", part51); -var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old}to %{change_new}DONE.", processor_chain([ +var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new->} DONE.", processor_chain([ dup20, dup14, dup15, 
@@ -1164,7 +1164,7 @@ var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is exe var msg39 = msg("Nexpose:06", part52); -var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old}to %{change_new}", processor_chain([ +var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new}", processor_chain([ dup20, dup14, dup15, @@ -1173,7 +1173,7 @@ var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is exe var msg40 = msg("Nexpose:07", part53); -var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name}database. DONE.", processor_chain([ +var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name->} database. DONE.", processor_chain([ dup20, dup14, dup15, @@ -1183,7 +1183,7 @@ var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is ins var msg41 = msg("Nexpose:08", part54); -var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name}database to %{directory}using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ +var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name->} database to %{directory->} using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ dup20, dup14, dup15, @@ -1192,7 +1192,7 @@ var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is ins var msg42 = msg("Nexpose:09", part55); -var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old}to %{change_new}.", processor_chain([ +var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old->} to %{change_new}.", processor_chain([ dup20, dup14, dup15, 
@@ -1201,7 +1201,7 @@ var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is mov var msg43 = msg("Nexpose:10", part56); -var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description}DONE.", processor_chain([ +var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description->} DONE.", processor_chain([ dup20, dup14, dup15, @@ -1424,7 +1424,7 @@ var select17 = linear_select([ msg59, ]); -var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol}port scan", processor_chain([ +var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol->} port scan", processor_chain([ dup20, dup14, dup15, @@ -1505,7 +1505,7 @@ var select20 = linear_select([ msg63, ]); -var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30}injection %{fld31}", processor_chain([ +var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30->} injection %{fld31}", processor_chain([ dup20, dup12, dup13, @@ -1555,7 +1555,7 @@ var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan [%{fld35}] co var msg69 = msg("Scan:01", part84); -var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11}started by Schedule[%{info}].", processor_chain([ +var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11->} started by Schedule[%{info}].", processor_chain([ dup11, dup12, dup13, @@ -1571,7 +1571,7 @@ var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fl var msg70 = msg("Scan:03", part85); -var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24}seconds", processor_chain([ +var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24->} seconds", processor_chain([ dup11, dup12, dup13, 
@@ -1587,7 +1587,7 @@ var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took var msg71 = msg("Scan:04", part86); -var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12}(%{info}) - VULNERABLE VERSION"); +var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE VERSION"); var all9 = all_match({ processors: [ @@ -1612,7 +1612,7 @@ var all9 = all_match({ var msg72 = msg("Scan:06", all9); -var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12}(%{info}) - VULNERABLE"); +var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE"); var all10 = all_match({ processors: [ @@ -1637,7 +1637,7 @@ var all10 = all_match({ var msg73 = msg("Scan:05", all10); -var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12}(%{info}) - NOT VULNERABLE VERSION"); +var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE VERSION"); var all11 = all_match({ processors: [ @@ -1662,7 +1662,7 @@ var all11 = all_match({ var msg74 = msg("Scan:07", all11); -var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12}(%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); +var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); var all12 = all_match({ processors: [ @@ -1687,7 +1687,7 @@ var all12 = all_match({ var msg75 = msg("Scan:09", all12); -var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12}(%{info}) - NOT VULNERABLE"); +var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE"); var all13 = all_match({ processors: [ 
@@ -1712,7 +1712,7 @@ var all13 = all_match({ var msg76 = msg("Scan:08", all13); -var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12}started by \"%{username}\".", processor_chain([ +var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12->} started by \"%{username}\".", processor_chain([ dup11, dup12, dup13, @@ -1774,7 +1774,7 @@ var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] var msg80 = msg("Scan:13", part95); -var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object}- %{p0}"); +var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object->} - %{p0}"); var part97 = match("MESSAGE#62:Scan:15/1_0", "nwparser.p0", "Non-Windows Systems Audit%{p0}"); @@ -2039,7 +2039,7 @@ var msg100 = msg("j_username", dup62); var msg101 = msg("osspi_defaultTargetLocation", dup62); -var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40}Malformed HTTP %{fld41}", processor_chain([ +var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40->} Malformed HTTP %{fld41}", processor_chain([ dup20, dup14, dup15, @@ -2061,7 +2061,7 @@ var msg107 = msg("main", dup62); var msg108 = msg("SystemFingerprint", dup62); -var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service}domain %{fld11}...", processor_chain([ +var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service->} domain %{fld11}...", processor_chain([ dup20, dup14, dup15, 
@@ -2099,7 +2099,7 @@ var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_descriptio var msg112 = msg("Failed", part114); -var part115 = match("MESSAGE#92:Attempting:01", "nwparser.payload", "Attempting to authenticate user %{username}from %{saddr}.", processor_chain([ +var part115 = match("MESSAGE#92:Attempting:01", "nwparser.payload", "Attempting to authenticate user %{username->} from %{saddr}.", processor_chain([ dup20, dup14, dup15, @@ -2214,7 +2214,7 @@ var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting r var msg127 = msg("Asserting:01", part121); -var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface}with IP: %{saddr}and netmask: %{fld12}", processor_chain([ +var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface->} with IP: %{saddr->} and netmask: %{fld12}", processor_chain([ dup20, dup14, dup15, @@ -2254,7 +2254,7 @@ var select28 = linear_select([ msg130, ]); -var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %(unknown)(%{application})", processor_chain([ +var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %{filename->} (%{application})", processor_chain([ dup20, dup14, dup15, @@ -2304,7 +2304,7 @@ var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unres var msg134 = msg("Running:02", part126); -var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running %{protocol}service %{service}", processor_chain([ +var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running %{protocol->} service %{service}", processor_chain([ dup20, dup35, dup14, 
@@ -2369,7 +2369,7 @@ var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is var msg138 = msg("path:01", part132); -var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action}on Provider: %{fld2}", processor_chain([ +var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action->} on Provider: %{fld2}", processor_chain([ dup20, dup14, dup15, @@ -2520,7 +2520,7 @@ var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Off var msg150 = msg("Starting:02", part141); -var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11}(%{fld12}) with scan template: %{fld13}.", processor_chain([ +var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11->} (%{fld12}) with scan template: %{fld13}.", processor_chain([ dup20, dup12, dup13, @@ -2620,7 +2620,7 @@ var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials ava var msg160 = msg("No:01", part147); -var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory}with %{service}[%{info}]", processor_chain([ +var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory->} with %{service}[%{info}]", processor_chain([ dup20, dup14, dup15, @@ -2676,7 +2676,7 @@ var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update var msg164 = msg("Applying", part150); -var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12}applied successfully.", processor_chain([ +var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12->} applied successfully.", processor_chain([ dup44, dup52, dup14, 
@@ -2740,7 +2740,7 @@ var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing var msg169 = msg("Installing:01", part154); -var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory}from %{info}", processor_chain([ +var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory->} from %{info}", processor_chain([ dup20, dup14, dup15, @@ -2786,7 +2786,7 @@ var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name var msg172 = msg("DNS", part157); -var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol}ports", processor_chain([ +var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol->} ports", processor_chain([ dup11, dup12, dup13, @@ -2805,7 +2805,7 @@ var msg173 = msg("Scanning", part158); var msg174 = msg("param:", dup64); -var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name}dir is: '%{directory}'", processor_chain([ +var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name->} dir is: '%{directory}'", processor_chain([ dup20, dup14, dup15, @@ -2845,7 +2845,7 @@ var select38 = linear_select([ var msg178 = msg("Parsed", dup64); -var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version}is installed", processor_chain([ +var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version->} is installed", processor_chain([ dup20, dup14, dup15, @@ -2896,7 +2896,7 @@ var msg183 = msg("Flash", dup64); var msg184 = msg("Skipping", dup64); -var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service}(source: %{info})", processor_chain([ +var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service->} (source: %{info})", processor_chain([ dup20, dup35, dup24, 
@@ -2980,7 +2980,7 @@ var msg191 = msg("Version:", part168); var msg192 = msg("IE", dup64); -var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol}port scan (%{dclass_counter1}open ports): %{fld11}seconds", processor_chain([ +var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol->} port scan (%{dclass_counter1->} open ports): %{fld11->} seconds", processor_chain([ dup20, dup12, dup13, @@ -3086,7 +3086,7 @@ var select40 = linear_select([ msg201, ]); -var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version}for file %(unknown)", processor_chain([ +var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version->} for file %(unknown)", processor_chain([ dup20, dup14, dup15, @@ -3271,7 +3271,7 @@ var select42 = linear_select([ msg216, ]); -var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service}service", processor_chain([ +var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service->} service", processor_chain([ dup20, dup14, dup15, @@ -3336,7 +3336,7 @@ var select43 = linear_select([ msg220, ]); -var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1}vulnerabilities in %{fld12}", processor_chain([ +var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} vulnerabilities in %{fld12}", processor_chain([ dup20, dup14, dup15, 
@@ -3352,7 +3352,7 @@ var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk sco var msg221 = msg("Updated", part194); -var part195 = match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1}assets in %{fld12}", processor_chain([ +var part195 = match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} assets in %{fld12}", processor_chain([ dup20, dup14, dup15, @@ -3368,7 +3368,7 @@ var part195 = match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk var msg222 = msg("Updated:01", part195); -var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1}sites in %{fld12}", processor_chain([ +var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} sites in %{fld12}", processor_chain([ dup20, dup14, dup15, @@ -3384,7 +3384,7 @@ var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk var msg223 = msg("Updated:02", part196); -var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1}groups in %{fld12}", processor_chain([ +var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} groups in %{fld12}", processor_chain([ dup20, dup14, dup15, @@ -3523,7 +3523,7 @@ var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing j var msg231 = msg("Executing:01", part209); -var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1}retention updater-default", processor_chain([ +var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1->} retention updater-default", processor_chain([ dup20, dup14, dup15, 
@@ -3593,7 +3593,7 @@ var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Admini var msg236 = msg("Administrative:01", part214); -var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service}will be used.", processor_chain([ +var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service->} will be used.", processor_chain([ dup20, dup14, dup15, @@ -3664,7 +3664,7 @@ var msg240 = msg("Creating", dup64); var msg241 = msg("Loading", dup64); -var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1}policy checks for scan.", processor_chain([ +var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1->} policy checks for scan.", processor_chain([ dup20, dup14, dup15, @@ -3687,7 +3687,7 @@ var select52 = linear_select([ msg243, ]); -var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1}live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ +var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1->} live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ dup20, dup14, dup15, @@ -3824,7 +3824,7 @@ var select54 = linear_select([ msg256, ]); -var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr}is a valid network node", processor_chain([ +var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr->} is a valid network node", processor_chain([ dup20, dup14, dup15, 
@@ -3896,7 +3896,7 @@ var msg278 = msg("Invocation", dup61); var msg279 = msg("Using", dup61); -var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1}shutdown complete, %{event_description->} ", processor_chain([ +var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown complete, %{event_description->} ", processor_chain([ dup20, dup14, dup15, @@ -3904,7 +3904,7 @@ var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1}s var msg280 = msg("Route:01", part232); -var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1}started and consuming from: %{event_description->} ", processor_chain([ +var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description->} ", processor_chain([ dup20, dup14, dup15, @@ -3947,7 +3947,7 @@ var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session var msg293 = msg("Freeing", part234); -var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1}current sessions.", processor_chain([ +var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1->} current sessions.", processor_chain([ dup20, dup14, dup15, @@ -4066,7 +4066,7 @@ var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{f var msg306 = msg("Total", part247); -var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1}routes, of which %{dclass_counter2}is started.", processor_chain([ +var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1->} routes, of which %{dclass_counter2->} is started.", processor_chain([ dup20, dup14, dup15, 
@@ -4110,7 +4110,7 @@ var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing Protocol var msg311 = msg("Pausing", part252); -var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname}replaces %{fld1}", processor_chain([ +var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname->} replaces %{fld1}", processor_chain([ dup20, dup14, dup15, @@ -4118,7 +4118,7 @@ var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyna var msg312 = msg("Policy", part253); -var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname}in %{info}with hash %{fld1}is not valid builtin content and will not load.", processor_chain([ +var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname->} in %{info->} with hash %{fld1->} is not valid builtin content and will not load.", processor_chain([ dup20, dup14, dup15, @@ -4148,7 +4148,7 @@ var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{ var msg315 = msg("Importing", part256); -var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1}new categories, categorized %{fld1}vulnerabilities and %{fld2}tags.", processor_chain([ +var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1->} new categories, categorized %{fld1->} vulnerabilities and %{fld2->} tags.", processor_chain([ dup20, dup14, dup15, 
@@ -4428,7 +4428,7 @@ var msg348 = msg("JMX", dup66); var msg349 = msg("AllowUseOriginalMessage", dup66); -var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1}benchmarks, containing %{fld1}policies. The total check count is %{dclass_counter2}", processor_chain([ +var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1->} benchmarks, containing %{fld1->} policies. The total check count is %{dclass_counter2}", processor_chain([ dup20, dup14, dup15, @@ -4436,7 +4436,7 @@ var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized var msg350 = msg("Initialized", part289); -var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1}policy benchmarks in total.", processor_chain([ +var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1->} policy benchmarks in total.", processor_chain([ dup20, dup14, dup15, @@ -4461,7 +4461,7 @@ var select66 = linear_select([ var msg353 = msg("Error", dup66); -var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1}routes completed in %{dclass_counter2}seconds", processor_chain([ +var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1->} routes completed in %{dclass_counter2->} seconds", processor_chain([ dup20, dup14, dup15, 
@@ -4778,7 +4778,7 @@ var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.ra var msg390 = msg("Not_configured:17", part325); -var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id}[InternalId=%{fld3}] Queued mail for delivery", processor_chain([ +var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id->} [InternalId=%{fld3}] Queued mail for delivery", processor_chain([ dup56, dup14, dup15, @@ -4796,7 +4796,7 @@ var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine upd var msg392 = msg("Engine_update", part327); -var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1}triggers from 'acquired' / 'blocked' state.", processor_chain([ +var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1->} triggers from 'acquired' / 'blocked' state.", processor_chain([ dup20, dup14, dup15, @@ -4845,7 +4845,7 @@ var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context l var msg397 = msg("Context_loader", part332); -var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %(unknown)file from %{directory}to %{info}", processor_chain([ +var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %{filename->} file from %{directory->} to %{info}", processor_chain([ dup20, dup14, dup15, @@ -4862,7 +4862,7 @@ var part334 = match("MESSAGE#380:Java", "nwparser.payload", "Java HotSpot(TM) %{ var msg399 = msg("Java", part334); -var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type}'%{obj_name}' to %{change_new}", processor_chain([ +var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type->} '%{obj_name}' to %{change_new}", processor_chain([ dup20, dup14, dup15, 
@@ -4912,7 +4912,7 @@ var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz sc var msg404 = msg("Initialized:03", part339); -var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version}created.", processor_chain([ +var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version->} created.", processor_chain([ dup20, dup14, dup15, @@ -4954,7 +4954,7 @@ var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery comple var msg408 = msg("Recovery", part343); -var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1}'complete' triggers.", processor_chain([ +var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1->} 'complete' triggers.", processor_chain([ dup20, dup14, dup15, @@ -4963,7 +4963,7 @@ var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1}' var msg409 = msg("Removed", part344); -var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1}stale fired job entries.", processor_chain([ +var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1->} stale fired job entries.", processor_chain([ dup20, dup14, dup15, @@ -5014,7 +5014,7 @@ var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communic var msg414 = msg("Failure", part349); -var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %(unknown)to %{info}", processor_chain([ +var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %{filename->} to %{info}", processor_chain([ dup20, dup57, dup22, 
@@ -5035,7 +5035,7 @@ var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitial var msg416 = msg("Reinitializing", part351); -var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old}values from %(unknown)file with new auth method: %{change_new}.", processor_chain([ +var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} file with new auth method: %{change_new}.", processor_chain([ dup20, dup57, dup22, @@ -5046,7 +5046,7 @@ var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{chan var msg417 = msg("Replaced", part352); -var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old}values from %(unknown)with new setting values", processor_chain([ +var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} with new setting values", processor_chain([ dup20, dup57, dup22, @@ -5106,7 +5106,7 @@ var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to var msg422 = msg("Connection", part357); -var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1}trigger(s) that missed their scheduled fire-time.", processor_chain([ +var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1->} trigger(s) that missed their scheduled fire-time.", processor_chain([ dup20, dup14, dup15, @@ -5148,7 +5148,7 @@ var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_desc var msg429 = msg("Postgres:01", part361); -var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description}to %{dport}", processor_chain([ +var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description->} to %{dport}", processor_chain([ dup20, dup14, dup15, 
@@ -5156,7 +5156,7 @@ var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully var msg430 = msg("Succesfully", part362); -var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1}bytes into %{directory}", processor_chain([ +var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1->} bytes into %{directory}", processor_chain([ dup20, dup14, dup15, @@ -5164,7 +5164,7 @@ var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{f var msg431 = msg("Unzipped", part363); -var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process}executed with a return value of %{resultcode}.", processor_chain([ +var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process->} executed with a return value of %{resultcode}.", processor_chain([ dup20, dup14, dup15, @@ -5172,7 +5172,7 @@ var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process}execu var msg432 = msg("vacuumdb", part364); -var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5}vuln checks.", processor_chain([ +var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5->} vuln checks.", processor_chain([ dup20, dup14, dup15, @@ -5327,7 +5327,7 @@ var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.ra var msg458 = msg("Not_configured:27", part380); -var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process}detected on classpath: [%{fld2}]", processor_chain([ +var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process->} detected on classpath: [%{fld2}]", processor_chain([ dup20, dup14, dup15, 
@@ -5345,7 +5345,7 @@ var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2 var msg460 = msg("Storing", part382); -var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1}hits and %{dclass_counter2}misses.", processor_chain([ +var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1->} hits and %{dclass_counter2->} misses.", processor_chain([ dup20, dup14, dup15, @@ -5363,7 +5363,7 @@ var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] A var msg462 = msg("All", part384); -var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object}discovered.", processor_chain([ +var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object->} discovered.", processor_chain([ dup20, dup14, dup15, @@ -5803,13 +5803,13 @@ var chain1 = processor_chain([ }), ]); -var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{p0}"); +var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); -var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime}[%{hpriority}]%{p0}"); +var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index 3f5a6faf1be..34adc35872c 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md 
@@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-07 18:10:49.816563 +0000 UTC. +at 2020-07-08 13:58:40.504624 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js b/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js index b81a5f38946..3a6ebd15478 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js @@ -29,7 +29,7 @@ var dup6 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); var dup7 = setc("eventcategory","1204020000"); -var dup8 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{p0}"); +var dup8 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); var dup9 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); @@ -87,11 +87,11 @@ var dup29 = setc("eventcategory","1401050100"); var dup30 = setc("eventcategory","1401030000"); -var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld}src=%{p0}"); +var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); var dup32 = setc("eventcategory","1301020000"); -var dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{p0}"); +var dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); 
@@ -107,7 +107,7 @@ var dup37 = date_time({ ], }); -var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src= %{p0}"); +var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); @@ -117,9 +117,9 @@ var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{di var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); -var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol}npcs=%{info}"); +var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); -var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src= %{p0}"); +var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); @@ -161,11 +161,11 @@ var dup63 = setc("eventcategory","1603110000"); var dup64 = setc("eventcategory","1605020000"); -var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1}src= %{p0}"); +var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); -var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1}n=%{fld2}src= %{p0}"); +var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); 
@@ -191,9 +191,9 @@ var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{ var dup79 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); -var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{p0}"); +var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); -var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var dup82 = setf("id","hfld1"); @@ -225,7 +225,7 @@ var dup95 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{ var dup96 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); -var dup97 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}sport=%{sport}dport=%{dport->} %{p0}"); +var dup97 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); var dup98 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); 
@@ -239,17 +239,17 @@ var dup102 = setc("eventcategory","1401060000"); var dup103 = setc("eventcategory","1804000000"); -var dup104 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{p0}"); +var dup104 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); var dup105 = setc("eventcategory","1401070000"); -var dup106 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld}src=%{p0}"); +var dup106 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); var dup107 = setc("eventcategory","1801030000"); var dup108 = setc("eventcategory","1402020300"); -var dup109 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr->} %{p0}"); +var dup109 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); var dup110 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); @@ -263,11 +263,11 @@ var dup114 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); var dup115 = setc("eventcategory","1803020000"); -var dup116 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol}npcs=%{info}"); +var dup116 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); var dup117 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); -var dup118 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1}n=%{fld2}src= %{p0}"); +var dup118 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); var dup119 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); 
@@ -301,7 +301,7 @@ var dup133 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur var dup134 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); -var dup135 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1}n=%{fld2}src= %{p0}"); +var dup135 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); var dup136 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); @@ -327,13 +327,13 @@ var dup146 = setc("ec_activity","Permit"); var dup147 = setc("action","allowed"); -var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg}sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); +var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var dup150 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); -var dup151 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var dup151 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); var dup152 = setc("eventcategory","1001030500"); 
@@ -341,7 +341,7 @@ var dup153 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\ var dup154 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var dup155 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); +var dup155 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); var dup156 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); 
@@ -355,281 +355,283 @@ var dup160 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); var dup161 = setc("eventcategory","1801010000"); -var dup162 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{p0}"); +var dup162 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); -var dup163 = setc("eventcategory","1003010000"); +var dup163 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup164 = setc("eventcategory","1609000000"); +var dup164 = setc("eventcategory","1003010000"); -var dup165 = setc("eventcategory","1204000000"); +var dup165 = setc("eventcategory","1609000000"); -var dup166 = setc("eventcategory","1602000000"); +var dup166 = setc("eventcategory","1204000000"); -var dup167 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface}npcs=%{info}"); +var dup167 = setc("eventcategory","1602000000"); -var dup168 = setc("eventcategory","1803000000"); +var dup168 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var dup169 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1}n=%{fld2}src=%{p0}"); +var dup169 = setc("eventcategory","1803000000"); -var dup170 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var dup170 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var dup171 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var dup171 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); -var dup172 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); +var dup172 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); -var dup173 = 
match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var dup173 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var dup174 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); +var dup174 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); -var dup175 = linear_select([ +var dup175 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var dup176 = linear_select([ dup9, dup10, ]); -var dup176 = linear_select([ +var dup177 = linear_select([ dup16, dup17, ]); -var dup177 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ +var dup178 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup24, ])); -var dup178 = linear_select([ +var dup179 = linear_select([ dup26, dup27, ]); -var dup179 = linear_select([ +var dup180 = linear_select([ dup34, dup35, ]); -var dup180 = linear_select([ +var dup181 = linear_select([ dup26, dup39, ]); -var dup181 = linear_select([ +var dup182 = linear_select([ dup41, dup42, ]); -var dup182 = linear_select([ +var dup183 = linear_select([ dup46, dup47, ]); -var dup183 = linear_select([ +var dup184 = linear_select([ dup49, dup50, ]); -var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var dup185 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup62, ])); -var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" 
n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var dup186 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); -var dup186 = linear_select([ +var dup187 = linear_select([ dup71, dup75, dup76, ]); -var dup187 = linear_select([ +var dup188 = linear_select([ dup9, dup26, ]); -var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}dstname=%{shost}", processor_chain([ +var dup189 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); -var dup189 = linear_select([ +var dup190 = linear_select([ dup85, dup86, ]); -var dup190 = linear_select([ +var dup191 = linear_select([ dup90, dup91, ]); -var dup191 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var dup192 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup5, ])); -var dup192 = linear_select([ +var dup193 = linear_select([ dup94, dup95, ]); -var dup193 = linear_select([ +var dup194 = linear_select([ dup98, dup99, ]); -var dup194 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var dup195 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup89, ])); -var dup195 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var dup196 = match("MESSAGE#293:355", 
"nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup89, ])); -var dup196 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var dup197 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var dup197 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var dup198 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup1, ])); -var dup198 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}note=\"%{event_description}\"", processor_chain([ +var dup199 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup24, ])); -var dup199 = linear_select([ +var dup200 = linear_select([ dup66, dup110, ]); -var dup200 = linear_select([ +var dup201 = linear_select([ dup112, dup113, ]); -var dup201 = linear_select([ +var dup202 = linear_select([ dup117, dup45, ]); -var dup202 = linear_select([ +var dup203 = linear_select([ dup9, dup27, ]); -var dup203 = linear_select([ +var dup204 = linear_select([ dup9, dup26, dup39, ]); -var dup204 = linear_select([ +var dup205 = linear_select([ dup71, dup16, dup17, ]); -var dup205 = linear_select([ +var dup206 = linear_select([ dup123, dup124, ]); -var dup206 = linear_select([ +var dup207 = linear_select([ dup68, dup69, dup74, ]); -var dup207 = linear_select([ +var dup208 = linear_select([ dup129, dup130, ]); -var dup208 = linear_select([ +var dup209 = linear_select([ dup41, 
dup42, dup136, ]); -var dup209 = linear_select([ +var dup210 = linear_select([ dup137, dup138, ]); -var dup210 = linear_select([ +var dup211 = linear_select([ dup140, dup141, ]); -var dup211 = linear_select([ +var dup212 = linear_select([ dup142, dup143, ]); -var dup212 = linear_select([ +var dup213 = linear_select([ dup49, dup150, ]); -var dup213 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var dup214 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup152, ])); -var dup214 = linear_select([ +var dup215 = linear_select([ dup154, dup40, ]); -var dup215 = linear_select([ +var dup216 = linear_select([ dup156, dup157, ]); -var dup216 = linear_select([ +var dup217 = linear_select([ dup158, dup159, ]); -var dup217 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var dup218 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ dup5, ])); -var dup218 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{ntype->} ", processor_chain([ +var dup219 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ dup5, ])); -var dup219 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}:%{sinterface}:%{host}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var dup220 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, dup24, ])); -var dup220 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" 
n=%{fld1}usr=%{username}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ +var dup221 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup24, ])); -var dup221 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space}n=%{fld1}", processor_chain([ +var dup222 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, dup24, ])); -var dup222 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ - dup164, +var dup223 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup165, dup37, ])); -var dup223 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}", processor_chain([ +var dup224 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); -var dup224 = linear_select([ - dup170, +var dup225 = linear_select([ dup171, + dup172, ]); -var dup225 = linear_select([ - dup173, +var dup226 = linear_select([ dup174, + dup175, ]); -var dup226 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ +var dup227 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, dup54, dup18, @@ -640,12 +642,12 @@ var dup226 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_descrip dup37, ])); -var dup227 = all_match({ +var dup228 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ 
@@ -653,140 +655,140 @@ var dup227 = all_match({ ]), }); -var dup228 = all_match({ +var dup229 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup87, ]), }); -var dup229 = all_match({ +var dup230 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup59, ]), }); -var dup230 = all_match({ +var dup231 = all_match({ processors: [ dup97, - dup193, + dup194, ], on_success: processor_chain([ dup59, ]), }); -var dup231 = all_match({ +var dup232 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup102, ]), }); -var dup232 = all_match({ +var dup233 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup30, ]), }); -var dup233 = all_match({ +var dup234 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup29, ]), }); -var dup234 = all_match({ +var dup235 = all_match({ processors: [ dup104, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup105, ]), }); -var dup235 = all_match({ +var dup236 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup108, ]), }); -var dup236 = all_match({ +var dup237 = all_match({ processors: [ dup109, - dup199, + dup200, ], on_success: processor_chain([ dup89, ]), }); -var dup237 = all_match({ +var dup238 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup111, ]), }); -var dup238 = all_match({ +var dup239 = all_match({ processors: [ dup44, - dup179, + dup180, dup36, - dup189, + dup190, ], on_success: processor_chain([ dup5, ]), }); -var dup239 = all_match({ +var dup240 = all_match({ processors: [ dup80, - dup178, + dup179, dup11, - dup176, + dup177, dup79, ], on_success: 
processor_chain([ @@ -794,13 +796,13 @@ var dup239 = all_match({ ]), }); -var dup240 = all_match({ +var dup241 = all_match({ processors: [ dup153, - dup214, - dup155, dup215, + dup155, dup216, + dup217, dup160, ], on_success: processor_chain([ @@ -819,12 +821,12 @@ var dup240 = all_match({ ]), }); -var dup241 = all_match({ +var dup242 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup192, + dup193, dup96, ], on_success: processor_chain([ @@ -832,12 +834,12 @@ var dup241 = all_match({ ]), }); -var dup242 = all_match({ +var dup243 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ @@ -845,11 +847,11 @@ var dup242 = all_match({ ]), }); -var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1}sn=%{hserial_number}time=\"%{date->} %{time}\" fw=%{hhostip}pri=%{hseverity}c=%{hcategory}m=%{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1}sn=%{hserial_number}time=\"%{date->} %{time}\" fw=%{hhostip}pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", 
@@ -862,11 +864,11 @@ var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1}sn=%{hserial_number}tim }), ])); -var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1}sn=%{hserial_number}time=\"%{hdate->} %{htime}\" fw=%{hhostip}pri=%{hseverity}c=%{hcategory}m=%{messageid->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ setc("header_id","0003"), ])); -var hdr4 = match("HEADER#3:0004", "message", "%{hfld20}id=%{hfld1}sn=%{hserial_number}time=\"%{hdate->} %{htime}\" fw=%{hhostip}pri=%{hseverity}c=%{hcategory}m=%{messageid->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ setc("header_id","0004"), ])); @@ -1001,12 +1003,12 @@ var select6 = linear_select([ part17, ]); -var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3}Category=%{fld4}npcs=%{info}"); +var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); var all2 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, select6, part18, 
@@ -1018,7 +1020,7 @@ var all2 = all_match({ var msg15 = msg("14:01", all2); -var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{name}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup7, dup12, ])); 
@@ -1032,14 +1034,14 @@ var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=% var msg17 = msg("14:03", part20); -var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{name}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup7, dup12, ])); var msg18 = msg("14:04", part21); -var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup7, dup12, ])); 
@@ -1109,7 +1111,7 @@ var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", var msg28 = msg("23", part31); -var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); +var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); @@ -1125,7 +1127,7 @@ var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); var all3 = all_match({ processors: [ part32, - dup176, + dup177, dup11, select8, part35, @@ -1137,13 +1139,13 @@ var all3 = all_match({ var msg29 = msg("23:01", all3); -var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}- MAC address: %{smacaddr}", processor_chain([ +var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ dup15, ])); var msg30 = msg("23:02", part36); -var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); +var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); @@ -1154,7 +1156,7 @@ var select9 = linear_select([ part39, ]); -var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}"); +var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); var all4 = all_match({ processors: [ 
@@ -1188,7 +1190,7 @@ var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in var msg32 = msg("24", part41); -var msg33 = msg("24:01", dup177); +var msg33 = msg("24:01", dup178); var select11 = linear_select([ msg32, @@ -1219,7 +1221,7 @@ var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropp var msg37 = msg("28", part45); -var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ +var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup15, ])); @@ -1236,14 +1238,14 @@ var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrato var msg39 = msg("29", part47); -var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}usr=%{username}src=%{p0}"); +var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); var all5 = all_match({ processors: [ part48, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ @@ -1264,7 +1266,7 @@ var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login fai var msg41 = msg("30", part49); -var msg42 = msg("30:01", dup227); +var msg42 = msg("30:01", dup228); var select14 = linear_select([ msg41, @@ -1280,9 +1282,9 @@ var msg43 = msg("31", part50); var all6 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ 
@@ -1292,7 +1294,7 @@ var all6 = all_match({ var msg44 = msg("31:01", all6); -var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup25, dup12, ])); @@ -1306,7 +1308,7 @@ var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=% var msg46 = msg("31:03", part52); -var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup25, dup12, ])); @@ -1327,7 +1329,7 @@ var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - inc var msg48 = msg("32", part54); -var msg49 = msg("32:01", dup227); +var msg49 = msg("32:01", dup228); var select16 = linear_select([ msg48, @@ -1343,9 +1345,9 @@ var msg50 = msg("33", part55); var all7 = all_match({ processors: [ dup33, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ 
@@ -1375,9 +1377,9 @@ var msg53 = msg("35", part57); var all8 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ @@ -1425,9 +1427,9 @@ var all9 = all_match({ processors: [ part59, select19, - dup179, + dup180, dup36, - dup176, + dup177, dup11, select20, ], @@ -1453,9 +1455,9 @@ var part67 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); var all10 = all_match({ processors: [ dup38, - dup180, + dup181, dup11, - dup176, + dup177, dup11, select21, part67, @@ -1488,7 +1490,7 @@ var select23 = linear_select([ dup40, ]); -var part71 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{p0}"); +var part71 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); var part72 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); @@ -1527,7 +1529,7 @@ var all11 = all_match({ var msg59 = msg("37:01", all11); -var part77 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}rule=%{rule}", processor_chain([ +var part77 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ dup5, ])); @@ -1536,9 +1538,9 @@ var msg60 = msg("37:02", part77); var all12 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup181, + dup182, dup43, ], on_success: processor_chain([ 
@@ -1548,7 +1550,7 @@ var all12 = all_match({ var msg61 = msg("37:03", all12); -var part78 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ +var part78 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ dup5, dup12, ])); @@ -1579,9 +1581,9 @@ var select27 = linear_select([ var all13 = all_match({ processors: [ dup44, - dup179, + dup180, dup36, - dup176, + dup177, dup11, select27, ], @@ -1592,14 +1594,14 @@ var all13 = all_match({ var msg64 = msg("38:01", all13); -var part81 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3}icmpCode=%{fld4}npcs=%{info}"); +var part81 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); var all14 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup182, + dup183, part81, ], on_success: processor_chain([ 
@@ -1618,16 +1620,16 @@ var select28 = linear_select([ part83, ]); -var part84 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part84 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part85 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\""); +var part85 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); var all15 = all_match({ processors: [ dup48, select28, part84, - dup183, + dup184, part85, ], on_success: processor_chain([ @@ -1661,7 +1663,7 @@ var part87 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{} var msg68 = msg("40", part87); -var part88 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ +var part88 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ dup5, dup51, dup52, 
@@ -1678,7 +1680,7 @@ var part88 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_descri var msg69 = msg("41:01", part88); -var part89 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}:%{sinterface}dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ +var part89 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ dup5, ])); @@ -1720,13 +1722,13 @@ var part94 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", proces var msg75 = msg("45", part94); -var part95 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var part95 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup5, ])); var msg76 = msg("45:01", part95); -var part96 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}dst=%{daddr}npcs=%{info}", processor_chain([ +var part96 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ dup5, ])); @@ -1738,7 +1740,7 @@ var select31 = linear_select([ msg77, ]); -var part97 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}proto=%{protocol}/%{fld4}", processor_chain([ +var part97 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ dup5, dup51, dup52, 
@@ -1755,7 +1757,7 @@ var part97 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_descri var msg78 = msg("46:01", part97); -var part98 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ +var part98 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup5, ])); @@ -1767,14 +1769,14 @@ var part99 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet droppe var msg80 = msg("46", part99); -var part100 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1}n=%{fld2}src=%{p0}"); +var part100 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all16 = all_match({ processors: [ part100, - dup175, + dup176, dup11, - dup181, + dup182, dup43, ], on_success: processor_chain([ @@ -1863,7 +1865,7 @@ var part112 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{ var msg93 = msg("63", part112); -var part113 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var part113 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup58, ])); @@ -1901,9 +1903,9 @@ var msg98 = msg("67", part117); var all17 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ 
@@ -1936,7 +1938,7 @@ var part120 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from ill var msg102 = msg("70", part120); -var part121 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr->} %{p0}"); +var part121 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); var part122 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); @@ -1970,7 +1972,7 @@ var part124 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped var msg104 = msg("72", part124); -var part125 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part125 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup59, ])); 
@@ -2041,19 +2043,19 @@ var part135 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{} var msg115 = msg("82", part135); -var part136 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{info}\"", processor_chain([ +var part136 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ dup62, ])); var msg116 = msg("82:02", part136); -var part137 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{fld3}\" npcs=%{info}", processor_chain([ +var part137 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ dup62, ])); var msg117 = msg("82:03", part137); -var msg118 = msg("82:01", dup184); +var msg118 = msg("82:01", dup185); var select38 = linear_select([ msg115, @@ -2068,9 +2070,9 @@ var part138 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{} var msg119 = msg("83", part138); -var msg120 = msg("83:01", dup185); +var msg120 = msg("83:01", dup186); -var part139 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{fld3}\" npcs=%{info}", processor_chain([ +var part139 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ dup5, ])); 
@@ -2110,7 +2112,7 @@ var part142 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accept var msg123 = msg("87", part142); -var part143 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var part143 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup64, ])); @@ -2127,7 +2129,7 @@ var part144 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec var msg125 = msg("88", part144); -var part145 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld}src=%{saddr}dst=%{daddr}", processor_chain([ +var part145 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup58, ])); @@ -2220,7 +2222,7 @@ var part157 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", pro var msg136 = msg("97", part157); -var part158 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld->} %{p0}"); +var part158 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); var part159 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); @@ -2241,9 +2243,9 @@ var select46 = linear_select([ var all21 = all_match({ processors: [ dup65, - dup179, + dup180, dup36, - dup176, + dup177, part158, select45, dup11, @@ -2256,14 +2258,14 @@ var all21 = all_match({ var msg137 = msg("97:01", all21); -var part162 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld}result=%{result}"); +var part162 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); var all22 = all_match({ processors: [ dup65, - dup179, + dup180, dup36, - dup176, + dup177, part162, ], on_success: processor_chain([ 
@@ -2273,7 +2275,7 @@ var all22 = all_match({ var msg138 = msg("97:02", all22); -var part163 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld3}sent=%{sbytes}rcvd=%{rbytes->} %{p0}"); +var part163 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); var part164 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); @@ -2284,14 +2286,14 @@ var select47 = linear_select([ part165, ]); -var part166 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4}code=%{fld5}Category=\"%{category}\" npcs=%{info}"); +var part166 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); var all23 = all_match({ processors: [ dup67, - dup179, + dup180, dup36, - dup176, + dup177, part163, select47, part166, @@ -2303,7 +2305,7 @@ var all23 = all_match({ var msg139 = msg("97:03", all23); -var part167 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld3->} %{p0}"); +var part167 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); var part168 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); @@ -2314,14 +2316,14 @@ var select48 = linear_select([ part169, ]); -var part170 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4}code=%{fld5}Category=\"%{category}\" npcs=%{info}"); +var part170 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); var all24 = all_match({ processors: [ dup67, - dup179, + dup180, dup36, - dup176, + dup177, part167, select48, part170, 
@@ -2333,14 +2335,14 @@ var all24 = all_match({ var msg140 = msg("97:04", all24); -var part171 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol}op=%{fld2}dstname=%{name}arg=%{fld3}code=%{fld4}Category=%{category}"); +var part171 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); var all25 = all_match({ processors: [ dup65, - dup179, + dup180, dup36, - dup176, + dup177, part171, ], on_success: processor_chain([ @@ -2373,7 +2375,7 @@ var all26 = all_match({ var msg142 = msg("97:06", all26); -var part174 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); +var part174 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); var part175 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); @@ -2382,7 +2384,7 @@ var select50 = linear_select([ dup49, ]); -var part176 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); +var part176 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); var all27 = all_match({ processors: [ 
@@ -2405,7 +2407,7 @@ var part177 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\" var msg144 = msg("97:08", part177); -var part178 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part178 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup70, dup12, ])); @@ -2442,7 +2444,7 @@ var select52 = linear_select([ part181, ]); -var part182 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); +var part182 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); var part183 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); 
@@ -2486,7 +2488,7 @@ var all28 = all_match({ var msg147 = msg("98", all28); -var part186 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}dstMac=%{dmacaddr}proto=%{protocol}/%{fld4}sent=%{sbytes}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part186 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup12, dup18, @@ -2551,7 +2553,7 @@ var all29 = all_match({ select56, select57, dup11, - dup186, + dup187, select58, ], on_success: processor_chain([ @@ -2620,7 +2622,7 @@ var all30 = all_match({ select59, select60, part202, - dup187, + dup188, dup11, select61, part205, @@ -2639,14 +2641,14 @@ var all30 = all_match({ var msg150 = msg("98:06", all30); -var part211 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}usr=%{username}src=%{p0}"); +var part211 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); var all31 = all_match({ processors: [ part211, - dup178, + dup179, dup11, - dup176, + dup177, dup79, ], on_success: processor_chain([ @@ -2677,14 +2679,14 @@ var all32 = all_match({ var msg152 = msg("98:03", all32); -var part214 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}vpnpolicy=\"%{policyname}\" npcs=%{info}"); +var part214 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); var all33 = all_match({ processors: [ dup8, - dup178, + dup179, dup11, - dup176, + dup177, part214, ], on_success: processor_chain([ 
@@ -2694,14 +2696,14 @@ var all33 = all_match({ var msg153 = msg("98:04", all33); -var part215 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}npcs=%{info}"); +var part215 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); var all34 = all_match({ processors: [ dup8, - dup178, + dup179, dup11, - dup176, + dup177, part215, ], on_success: processor_chain([ @@ -2722,7 +2724,7 @@ var select64 = linear_select([ msg154, ]); -var part216 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part216 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup30, dup12, ])); @@ -2734,9 +2736,9 @@ var part217 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_descr var all35 = all_match({ processors: [ dup80, - dup178, + dup179, dup11, - dup176, + dup177, part217, ], on_success: processor_chain([ @@ -2746,12 +2748,12 @@ var all35 = all_match({ var msg156 = msg("427", all35); -var part218 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); +var part218 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); var all36 = all_match({ processors: [ dup81, - dup183, + dup184, part218, ], on_success: processor_chain([ 
@@ -2840,7 +2842,7 @@ var part230 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK var msg169 = msg("110", part230); -var msg170 = msg("111:01", dup188); +var msg170 = msg("111:01", dup189); var part231 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ dup64, @@ -2871,7 +2873,7 @@ var part234 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending var msg174 = msg("114", part234); -var msg175 = msg("115:01", dup188); +var msg175 = msg("115:01", dup189); var part235 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ dup64, 
@@ -2944,14 +2946,14 @@ var part245 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry. var msg186 = msg("125", part245); -var part246 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\"", processor_chain([ +var part246 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ dup83, dup12, ])); var msg187 = msg("1254", part246); -var part247 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\"", processor_chain([ +var part247 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ dup70, dup54, dup18, 
@@ -2964,7 +2966,7 @@ var part247 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_descr var msg188 = msg("1256", part247); -var part248 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part248 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup83, dup12, ])); @@ -3058,9 +3060,9 @@ var msg203 = msg("139", part262); var all37 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ setc("eventcategory","1801020100"), @@ -3074,9 +3076,9 @@ var select67 = linear_select([ msg204, ]); -var msg205 = msg("140", dup228); +var msg205 = msg("140", dup229); -var msg206 = msg("141", dup228); +var msg206 = msg("141", dup229); var part263 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ dup1, 
@@ -3090,7 +3092,7 @@ var part264 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has var msg208 = msg("143", part264); -var part265 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=::%{sinterface}dstV6=%{daddr_v6}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}type=%{icmptype}icmpCode=%{icmpcode}fw_action=\"%{action}\"", processor_chain([ +var part265 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ dup70, dup12, ])); @@ -3127,7 +3129,7 @@ var part270 = match("MESSAGE#212:148", "nwparser.payload", "Primary received err var msg214 = msg("148", part270); -var part271 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part271 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ setc("eventcategory","1204010000"), dup12, ])); 
@@ -3283,26 +3285,26 @@ var part295 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN sca var msg239 = msg("171", part295); -var part296 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var part296 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup89, ])); var msg240 = msg("171:01", part296); -var part297 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}:%{dport}", processor_chain([ +var part297 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ dup89, ])); var msg241 = msg("171:02", part297); -var part298 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2}n=%{fld3}src=%{p0}"); +var part298 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); var all38 = all_match({ processors: [ part298, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ @@ -3351,9 +3353,9 @@ var msg246 = msg("174", part302); var all39 = all_match({ processors: [ dup80, - dup178, + dup179, dup11, - dup176, + dup177, dup79, ], on_success: processor_chain([ @@ -3366,9 +3368,9 @@ var msg247 = msg("174:01", all39); var all40 = all_match({ processors: [ dup44, - dup179, + dup180, dup36, - dup189, + dup190, ], on_success: processor_chain([ dup13, @@ -3380,9 +3382,9 @@ var msg248 = msg("174:02", all40); var all41 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup181, + dup182, dup43, ], on_success: processor_chain([ 
@@ -3405,13 +3407,13 @@ var part303 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropp var msg250 = msg("175", part303); -var part304 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1}src=%{saddr}dst=%{daddr}type=%{type}", processor_chain([ +var part304 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ dup59, ])); var msg251 = msg("175:01", part304); -var part305 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}dst=%{daddr}type=%{type}icmpCode=%{fld3}npcs=%{info}", processor_chain([ +var part305 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ dup59, ])); @@ -3429,18 +3431,18 @@ var part306 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft var msg253 = msg("176", part306); -var msg254 = msg("177", dup185); +var msg254 = msg("177", dup186); -var msg255 = msg("178", dup191); +var msg255 = msg("178", dup192); -var msg256 = msg("179", dup185); +var msg256 = msg("179", dup186); var all42 = all_match({ processors: [ dup33, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup93, @@ -3452,9 +3454,9 @@ var msg257 = msg("180", all42); var all43 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup192, + dup193, dup96, ], on_success: processor_chain([ @@ -3469,14 +3471,14 @@ var select73 = linear_select([ msg258, ]); -var msg259 = msg("181", dup184); +var msg259 = msg("181", dup185); var all44 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ 
@@ -3491,13 +3493,13 @@ var select74 = linear_select([ msg260, ]); -var msg261 = msg("193", dup229); +var msg261 = msg("193", dup230); -var msg262 = msg("194", dup230); +var msg262 = msg("194", dup231); -var msg263 = msg("195", dup230); +var msg263 = msg("195", dup231); -var part307 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{fld2}dst=%{daddr}:%{fld3}sport=%{sport}dport=%{dport->} %{p0}"); +var part307 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); var part308 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); @@ -3544,24 +3546,24 @@ var select77 = linear_select([ msg265, ]); -var msg266 = msg("199", dup231); +var msg266 = msg("199", dup232); -var msg267 = msg("200", dup232); +var msg267 = msg("200", dup233); -var part310 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld}usr=%{username}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ +var part310 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup29, ])); var msg268 = msg("235:02", part310); -var part311 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld}usr=%{username}src=%{p0}"); +var part311 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); var all47 = all_match({ processors: [ part311, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup29, @@ -3570,7 +3572,7 @@ var all47 = all_match({ var msg269 = msg("235", all47); -var msg270 = msg("235:01", dup233); +var msg270 = msg("235:01", dup234); var select78 = linear_select([ msg268, 
@@ -3578,31 +3580,31 @@ var select78 = linear_select([ msg270, ]); -var msg271 = msg("236", dup233); +var msg271 = msg("236", dup234); -var msg272 = msg("237", dup231); +var msg272 = msg("237", dup232); -var msg273 = msg("238", dup231); +var msg273 = msg("238", dup232); -var part312 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}dst=%{dtransaddr}", processor_chain([ +var part312 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ dup103, ])); var msg274 = msg("239", part312); -var part313 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}dst=%{dtransaddr}", processor_chain([ +var part313 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ dup103, ])); var msg275 = msg("240", part313); -var part314 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part314 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup70, ])); var msg276 = msg("241", part314); -var part315 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var part315 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup70, ])); 
@@ -3647,29 +3649,29 @@ var all48 = all_match({ var msg278 = msg("242", all48); -var msg279 = msg("252", dup194); +var msg279 = msg("252", dup195); -var msg280 = msg("255", dup194); +var msg280 = msg("255", dup195); -var msg281 = msg("257", dup194); +var msg281 = msg("257", dup195); -var msg282 = msg("261:01", dup234); +var msg282 = msg("261:01", dup235); -var msg283 = msg("261", dup194); +var msg283 = msg("261", dup195); var select82 = linear_select([ msg282, msg283, ]); -var msg284 = msg("262", dup234); +var msg284 = msg("262", dup235); var all49 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup107, @@ -3678,25 +3680,25 @@ var all49 = all_match({ var msg285 = msg("273", all49); -var msg286 = msg("328", dup235); +var msg286 = msg("328", dup236); -var msg287 = msg("329", dup232); +var msg287 = msg("329", dup233); -var msg288 = msg("346", dup194); +var msg288 = msg("346", dup195); -var msg289 = msg("350", dup194); +var msg289 = msg("350", dup195); -var msg290 = msg("351", dup194); +var msg290 = msg("351", dup195); -var msg291 = msg("352", dup194); +var msg291 = msg("352", dup195); -var part320 = match("MESSAGE#290:353:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part320 = match("MESSAGE#290:353:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup5, ])); var msg292 = msg("353:01", part320); -var part321 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}dst=%{dtransaddr}dstname=%{shost}lifeSeconds=%{misc}\"", processor_chain([ +var part321 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup5, ])); 
@@ -3707,30 +3709,30 @@ var select83 = linear_select([ msg293, ]); -var part322 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}dstname=\"%{shost}lifeSeconds=%{misc}\"", processor_chain([ +var part322 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup1, ])); var msg294 = msg("354", part322); -var msg295 = msg("355", dup195); +var msg295 = msg("355", dup196); -var msg296 = msg("355:01", dup194); +var msg296 = msg("355:01", dup195); var select84 = linear_select([ msg295, msg296, ]); -var msg297 = msg("356", dup196); +var msg297 = msg("356", dup197); -var part323 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}dstname=%{name->} ", processor_chain([ +var part323 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name->} ", processor_chain([ dup89, ])); var msg298 = msg("357", part323); -var part324 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var part324 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup89, ])); 
@@ -3741,49 +3743,49 @@ var select85 = linear_select([ msg299, ]); -var msg300 = msg("358", dup197); +var msg300 = msg("358", dup198); -var part325 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}dst=%{dtransaddr}dstname=%{shost}", processor_chain([ +var part325 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ setc("eventcategory","1503000000"), ])); var msg301 = msg("371", part325); -var msg302 = msg("371:01", dup198); +var msg302 = msg("371:01", dup199); var select86 = linear_select([ msg301, msg302, ]); -var msg303 = msg("372", dup194); +var msg303 = msg("372", dup195); -var msg304 = msg("373", dup196); +var msg304 = msg("373", dup197); -var msg305 = msg("401", dup236); +var msg305 = msg("401", dup237); -var msg306 = msg("402", dup236); +var msg306 = msg("402", dup237); -var msg307 = msg("406", dup197); +var msg307 = msg("406", dup198); -var part326 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part326 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); var msg308 = msg("413", part326); -var msg309 = msg("414", dup194); +var msg309 = msg("414", dup195); -var msg310 = msg("438", dup237); +var msg310 = msg("438", dup238); -var msg311 = msg("439", dup237); +var msg311 = msg("439", dup238); var all50 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ setc("eventcategory","1501020000"), @@ -3795,9 +3797,9 @@ var msg312 = msg("440", all50); var all51 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ setc("eventcategory","1502050000"), 
@@ -3820,9 +3822,9 @@ var select87 = linear_select([ var all52 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ setc("eventcategory","1501030000"), @@ -3842,14 +3844,14 @@ var select88 = linear_select([ part330, ]); -var part331 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var part331 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all53 = all_match({ processors: [ part328, select88, part331, - dup200, + dup201, dup114, ], on_success: processor_chain([ @@ -3866,7 +3868,7 @@ var all53 = all_match({ var msg316 = msg("446", all53); -var part332 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}note=\"MAC=%{smacaddr}HostName:%{hostname}\"", processor_chain([ +var part332 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ dup115, dup51, dup52, @@ -3886,9 +3888,9 @@ var msg317 = msg("477", part332); var all54 = all_match({ processors: [ dup80, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup29, @@ -3900,9 +3902,9 @@ var msg318 = msg("509", all54); var all55 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup105, 
@@ -3911,18 +3913,18 @@ var all55 = all_match({ var msg319 = msg("520", all55); -var msg320 = msg("522", dup238); +var msg320 = msg("522", dup239); -var part333 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}srcV6=%{saddr_v6}src= %{p0}"); +var part333 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); -var part334 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6}dst= %{p0}"); +var part334 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); var all56 = all_match({ processors: [ part333, - dup179, + dup180, part334, - dup176, + dup177, dup116, ], on_success: processor_chain([ @@ -3944,7 +3946,7 @@ var all57 = all_match({ dup38, select89, dup11, - dup176, + dup177, dup116, ], on_success: processor_chain([ @@ -3960,16 +3962,16 @@ var select90 = linear_select([ msg322, ]); -var msg323 = msg("523", dup238); +var msg323 = msg("523", dup239); var all58 = all_match({ processors: [ dup80, - dup178, + dup179, dup11, - dup176, + dup177, dup11, - dup201, + dup202, ], on_success: processor_chain([ dup1, @@ -3990,9 +3992,9 @@ var select91 = linear_select([ var all59 = all_match({ processors: [ dup8, - dup178, + dup179, dup11, - dup176, + dup177, dup11, select91, dup92, 
@@ -4004,7 +4006,7 @@ var all59 = all_match({ var msg325 = msg("524:01", all59); -var part338 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{p0}"); +var part338 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); var part339 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); @@ -4037,7 +4039,7 @@ var select93 = linear_select([ msg326, ]); -var msg327 = msg("526", dup239); +var msg327 = msg("526", dup240); var part342 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); @@ -4071,9 +4073,9 @@ var msg328 = msg("526:01", all61); var all62 = all_match({ processors: [ dup8, - dup202, + dup203, dup11, - dup176, + dup177, dup116, ], on_success: processor_chain([ @@ -4083,7 +4085,7 @@ var all62 = all_match({ var msg329 = msg("526:02", all62); -var part344 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part344 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup12, ])); 
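Review bot: In the new `part338` (MESSAGE#323:524:02/0) the tail `proto=%{protocol}rule=\"%{p0}"` keeps the old field/literal form, while every other field in that pattern and the sibling `part344` (MESSAGE#327:526:03, hunk `@@ -4083`) were changed to the `->} ` form, e.g. `proto=%{protocol->} rule=\"`. If the whitespace-marker rewrite is meant to be uniform this spot appears to have been missed; `dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{p0}"` would bring it in line with the others, presumably letting `%{protocol}` terminate at the separator as in the sibling patterns. The sequential `dupNNN` renumbering across these hunks suggests this file is generated, in which case the correction belongs in the definition it is generated from rather than in this output.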
@@ -4113,7 +4115,7 @@ var select96 = linear_select([ msg332, ]); -var part347 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}rcvd=%{p0}"); +var part347 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); var part348 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); @@ -4127,9 +4129,9 @@ var select97 = linear_select([ var all63 = all_match({ processors: [ dup118, - dup203, - dup11, dup204, + dup11, + dup205, part347, select97, ], @@ -4140,14 +4142,14 @@ var all63 = all_match({ var msg333 = msg("537:01", all63); -var part350 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol}sent=%{sbytes}"); +var part350 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); var all64 = all_match({ processors: [ dup118, - dup203, - dup11, dup204, + dup11, + dup205, part350, ], on_success: processor_chain([ @@ -4211,8 +4213,8 @@ var select102 = linear_select([ var all65 = all_match({ processors: [ select98, - dup205, dup206, + dup207, select99, part353, select100, @@ -4249,7 +4251,7 @@ var select104 = linear_select([ part362, ]); -var part363 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr}proto=%{protocol}sent=%{p0}"); +var part363 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); var select105 = linear_select([ dup131, @@ -4261,11 +4263,11 @@ var select105 = linear_select([ var all66 = all_match({ processors: [ select103, - dup205, dup206, + dup207, select104, part363, - dup207, + dup208, select105, ], on_success: processor_chain([ @@ -4314,11 +4316,11 @@ var select108 = linear_select([ var all67 = all_match({ processors: [ select106, - dup205, dup206, - dup186, - select107, dup207, + dup187, + select107, + dup208, select108, ], on_success: processor_chain([ 
@@ -4343,7 +4345,7 @@ var select109 = linear_select([ part369, ]); -var part370 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1}src= %{p0}"); +var part370 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); var part371 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); @@ -4383,7 +4385,7 @@ var all68 = all_match({ dup48, select109, part370, - dup203, + dup204, select110, select111, ], @@ -4394,14 +4396,14 @@ var all68 = all_match({ var msg338 = msg("537", all68); -var part380 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}cdur=%{fld5}npcs=%{info}"); +var part380 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); var all69 = all_match({ processors: [ dup135, - dup180, + dup181, dup11, - dup208, + dup209, part380, ], on_success: processor_chain([ @@ -4411,7 +4413,7 @@ var all69 = all_match({ var msg339 = msg("537:04", all69); -var part381 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}spkt=%{fld3}cdur=%{p0}"); +var part381 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); var part382 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); @@ -4425,9 +4427,9 @@ var select112 = linear_select([ var all70 = all_match({ processors: [ dup135, - dup180, + dup181, dup11, - dup208, + dup209, part381, select112, dup92, 
@@ -4439,7 +4441,7 @@ var all70 = all_match({ var msg340 = msg("537:05", all70); -var part384 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1}n=%{p0}"); +var part384 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); var part385 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); @@ -4451,17 +4453,17 @@ var select113 = linear_select([ part386, ]); -var part387 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld10}rpkt=%{fld11->} %{p0}"); +var part387 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all71 = all_match({ processors: [ part384, - dup209, - dup139, dup210, + dup139, + dup211, select113, part387, - dup211, + dup212, ], on_success: processor_chain([ dup107, @@ -4476,7 +4478,7 @@ var all71 = all_match({ var msg341 = msg("537:10", all71); -var part388 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1}n=%{p0}"); +var part388 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); var part389 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); @@ -4488,17 +4490,17 @@ var select114 = linear_select([ part390, ]); -var part391 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld10}rpkt=%{fld11->} %{p0}"); +var part391 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all72 = all_match({ processors: [ part388, - dup209, - dup139, dup210, + dup139, + dup211, select114, part391, - dup211, + dup212, ], on_success: processor_chain([ dup107, 
@@ -4507,14 +4509,14 @@ var all72 = all_match({ var msg342 = msg("537:03", all72); -var part392 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol}sent=%{sbytes}spkt=%{fld3}npcs=%{info}"); +var part392 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); var all73 = all_match({ processors: [ dup135, - dup180, + dup181, dup11, - dup208, + dup209, part392, ], on_success: processor_chain([ @@ -4533,7 +4535,7 @@ var part393 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_des var msg344 = msg("537:11", part393); -var part394 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part394 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup107, dup54, dup12, @@ -4558,18 +4560,18 @@ var select115 = linear_select([ msg345, ]); -var msg346 = msg("538", dup229); +var msg346 = msg("538", dup230); -var msg347 = msg("549", dup232); +var msg347 = msg("549", dup233); -var msg348 = msg("557", dup232); +var msg348 = msg("557", dup233); var all74 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ setc("eventcategory","1402020200"), 
@@ -4578,18 +4580,18 @@ var all74 = all_match({ var msg349 = msg("558", all74); -var msg350 = msg("561", dup235); +var msg350 = msg("561", dup236); -var msg351 = msg("562", dup235); +var msg351 = msg("562", dup236); -var msg352 = msg("563", dup235); +var msg352 = msg("563", dup236); var all75 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ setc("eventcategory","1402020400"), @@ -4598,7 +4600,7 @@ var all75 = all_match({ var msg353 = msg("583", all75); -var part395 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}type=%{icmptype}code=%{icmpcode}", processor_chain([ +var part395 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ dup145, dup51, dup146, 
@@ -4615,20 +4617,20 @@ var part395 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_des var msg354 = msg("597:01", part395); -var part396 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}type=%{icmptype}code=%{icmpcode}", processor_chain([ +var part396 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ dup1, ])); var msg355 = msg("597:02", part396); -var part397 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg}sess=%{fld1}n=%{fld2}src= %{p0}"); +var part397 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); var all76 = all_match({ processors: [ part397, - dup187, + dup188, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ @@ -4644,18 +4646,18 @@ var select116 = linear_select([ msg356, ]); -var part398 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg}n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}type=%{type}code=%{code}", processor_chain([ +var part398 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ dup1, ])); var msg357 = msg("598", part398); -var part399 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type}npcs=%{info}"); +var part399 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); var all77 = all_match({ processors: [ dup148, - dup182, + dup183, part399, ], on_success: processor_chain([ @@ -4668,7 +4670,7 @@ var msg358 = msg("598:01", all77); var all78 = all_match({ processors: [ dup148, - dup190, + dup191, dup92, ], on_success: processor_chain([ 
@@ -4684,7 +4686,7 @@ var select117 = linear_select([ msg359, ]); -var part400 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}proto=%{protocol}/%{fld4}", processor_chain([ +var part400 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ dup145, dup51, dup146, @@ -4701,14 +4703,14 @@ var part400 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_des var msg360 = msg("602:01", part400); -var msg361 = msg("602:02", dup239); +var msg361 = msg("602:02", dup240); var all79 = all_match({ processors: [ dup8, - dup178, + dup179, dup11, - dup176, + dup177, dup79, ], on_success: processor_chain([ @@ -4724,14 +4726,14 @@ var select118 = linear_select([ msg362, ]); -var msg363 = msg("605", dup197); +var msg363 = msg("605", dup198); var all80 = all_match({ processors: [ dup149, - dup212, + dup213, dup151, - dup200, + dup201, dup114, ], on_success: processor_chain([ @@ -4748,7 +4750,7 @@ var all80 = all_match({ var msg364 = msg("606", all80); -var part401 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}ipscat=%{ipscat}ipspri=%{p0}"); +var part401 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); var part402 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); @@ -4759,7 +4761,7 @@ var select119 = linear_select([ part403, ]); -var part404 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1}src=%{saddr}:%{p0}"); +var part404 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); var part405 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); 
@@ -4801,22 +4803,22 @@ var all81 = all_match({ var msg365 = msg("608", all81); -var msg366 = msg("616", dup195); +var msg366 = msg("616", dup196); -var msg367 = msg("658", dup191); +var msg367 = msg("658", dup192); -var msg368 = msg("710", dup213); +var msg368 = msg("710", dup214); -var msg369 = msg("712:02", dup240); +var msg369 = msg("712:02", dup241); -var msg370 = msg("712", dup213); +var msg370 = msg("712", dup214); var all82 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup192, + dup193, dup96, ], on_success: processor_chain([ @@ -4832,7 +4834,7 @@ var select122 = linear_select([ msg371, ]); -var part411 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{fld2}dst=%{daddr}:%{dport}:%{dinterface}:%{fld3}note=%{info}", processor_chain([ +var part411 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ dup5, dup51, dup52, @@ -4849,11 +4851,11 @@ var part411 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_des var msg372 = msg("713:01", part411); -var msg373 = msg("713:04", dup240); +var msg373 = msg("713:04", dup241); -var msg374 = msg("713:02", dup213); +var msg374 = msg("713:02", dup214); -var part412 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=\"%{action}\" npcs=%{info}", processor_chain([ +var part412 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ dup5, dup51, dup52, 
@@ -4877,7 +4879,7 @@ var select123 = linear_select([ msg375, ]); -var part413 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}note=%{info}", processor_chain([ +var part413 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ dup115, dup51, dup52, @@ -4894,16 +4896,16 @@ var part413 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_descri var msg376 = msg("760", part413); -var part414 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1}n=%{fld2}src=%{p0}"); +var part414 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part415 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action}npcs=%{info}"); +var part415 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); var all83 = all_match({ processors: [ part414, - dup175, + dup176, dup11, - dup192, + dup193, part415, ], on_success: processor_chain([ @@ -4929,11 +4931,11 @@ var select124 = linear_select([ msg377, ]); -var msg378 = msg("766", dup217); +var msg378 = msg("766", dup218); -var msg379 = msg("860", dup217); +var msg379 = msg("860", dup218); -var msg380 = msg("860:01", dup218); +var msg380 = msg("860:01", dup219); var select125 = linear_select([ msg379, 
@@ -4964,29 +4966,29 @@ var all84 = all_match({ var msg381 = msg("866", all84); -var msg382 = msg("866:01", dup218); +var msg382 = msg("866:01", dup219); var select127 = linear_select([ msg381, msg382, ]); -var msg383 = msg("867", dup217); +var msg383 = msg("867", dup218); -var msg384 = msg("867:01", dup218); +var msg384 = msg("867:01", dup219); var select128 = linear_select([ msg383, msg384, ]); -var part419 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}", processor_chain([ +var part419 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup1, ])); var msg385 = msg("882", part419); -var part420 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}npcs=%{info}", processor_chain([ +var part420 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ dup1, ])); 
@@ -4997,13 +4999,13 @@ var select129 = linear_select([ msg386, ]); -var part421 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ +var part421 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ dup161, ])); var msg387 = msg("888", part421); -var part422 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}note=%{fld3}npcs=%{info}", processor_chain([ +var part422 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ dup161, ])); @@ -5017,9 +5019,9 @@ var select130 = linear_select([ var all85 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ @@ -5029,13 +5031,13 @@ var all85 = all_match({ var msg389 = msg("892", all85); -var msg390 = msg("904", dup217); +var msg390 = msg("904", dup218); -var msg391 = msg("905", dup217); +var msg391 = msg("905", dup218); -var msg392 = msg("906", dup217); +var msg392 = msg("906", dup218); -var msg393 = msg("907", dup217); +var msg393 = msg("907", dup218); var select131 = linear_select([ dup73, @@ -5047,9 +5049,9 @@ var all86 = all_match({ dup162, select131, dup11, - dup212, - dup151, - dup200, + dup213, + dup163, + dup201, dup114, ], on_success: processor_chain([ 
@@ -5066,24 +5068,24 @@ var all86 = all_match({ var msg394 = msg("908", all86); -var msg395 = msg("909", dup217); +var msg395 = msg("909", dup218); -var msg396 = msg("914", dup219); +var msg396 = msg("914", dup220); -var part423 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part423 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup64, ])); var msg397 = msg("931", part423); -var msg398 = msg("657", dup219); +var msg398 = msg("657", dup220); var all87 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ 
@@ -5098,22 +5100,22 @@ var select132 = linear_select([ msg399, ]); -var msg400 = msg("403", dup198); +var msg400 = msg("403", dup199); -var msg401 = msg("534", dup177); +var msg401 = msg("534", dup178); -var msg402 = msg("994", dup220); +var msg402 = msg("994", dup221); -var part424 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}proto=%{protocol}", processor_chain([ +var part424 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ dup1, dup24, ])); var msg403 = msg("243", part424); -var msg404 = msg("995", dup177); +var msg404 = msg("995", dup178); -var part425 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3}dst=%{daddr}:%{dport}:%{dinterface}:%{fld4}note=\"%{info}\"", processor_chain([ +var part425 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ dup1, dup51, dup53, 
@@ -5128,9 +5130,9 @@ var part425 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_descri var msg405 = msg("997", part425); -var msg406 = msg("998", dup220); +var msg406 = msg("998", dup221); -var part426 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part426 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup107, dup12, ])); @@ -5142,11 +5144,11 @@ var select133 = linear_select([ msg407, ]); -var msg408 = msg("1110", dup221); +var msg408 = msg("1110", dup222); -var msg409 = msg("565", dup221); +var msg409 = msg("565", dup222); -var part427 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}note=\"%{event_description}\"", processor_chain([ +var part427 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup54, ])); @@ -5158,7 +5160,7 @@ var select134 = linear_select([ dup50, ]); -var part428 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}note=\"%{fld3}\" fw_action=\"%{action}\""); +var part428 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); var all88 = all_match({ processors: [ 
@@ -5180,7 +5182,7 @@ var all88 = all_match({ var msg411 = msg("267:01", all88); -var part429 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}", processor_chain([ +var part429 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ dup1, dup54, ])); 
@@ -5192,45 +5194,45 @@ var select135 = linear_select([ msg412, ]); -var part430 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}proto=%{protocol}", processor_chain([ +var part430 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ dup1, dup24, ])); var msg413 = msg("263", part430); -var part431 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}fw_action=\"%{action}\"", processor_chain([ +var part431 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ dup105, dup12, ])); var msg414 = msg("264", part431); -var msg415 = msg("412", dup198); +var msg415 = msg("412", dup199); -var part432 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1}af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6}src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part432 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, dup24, ])); var msg416 = msg("793", part432); -var part433 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}if=%{fld2}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", 
processor_chain([ +var part433 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ dup1, dup24, ])); var msg417 = msg("805", part433); -var part434 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}fw_action=\"%{action}\"", processor_chain([ - dup163, +var part434 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup12, ])); var msg418 = msg("809", part434); -var part435 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}fw_action=\"%{action}\"", processor_chain([ - dup163, +var part435 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup12, ])); 
@@ -5241,16 +5243,16 @@ var select136 = linear_select([ msg419, ]); -var msg420 = msg("935", dup219); +var msg420 = msg("935", dup220); -var msg421 = msg("614", dup222); +var msg421 = msg("614", dup223); -var part436 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{p0}"); +var part436 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); var all89 = all_match({ processors: [ part436, - dup200, + dup201, dup114, ], on_success: processor_chain([ @@ -5261,7 +5263,7 @@ var all89 = all_match({ var msg422 = msg("748", all89); -var part437 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid}spycat=%{fld1}spypri=%{fld2}pktdatId=%{fld3}n=%{fld4}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{p0}"); +var part437 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); var part438 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); 
@@ -5277,35 +5279,35 @@ var all90 = all_match({ dup114, ], on_success: processor_chain([ - dup164, + dup165, dup37, ]), }); var msg423 = msg("794", all90); -var msg424 = msg("1086", dup222); +var msg424 = msg("1086", dup223); -var part439 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup164, +var part439 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup165, dup37, ])); var msg425 = msg("1430", part439); -var msg426 = msg("1149", dup222); +var msg426 = msg("1149", dup223); -var msg427 = msg("1159", dup222); +var msg427 = msg("1159", dup223); -var part440 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1}fw_action=\"%{action}\"", processor_chain([ - dup164, +var part440 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup165, dup37, ])); var msg428 = msg("1195", part440); var part441 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup164, + dup165, dup37, ])); 
@@ -5316,35 +5318,35 @@ var select138 = linear_select([ msg429, ]); -var part442 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ +var part442 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup5, dup37, ])); var msg430 = msg("1226", part442); -var part443 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ +var part443 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup37, ])); var msg431 = msg("1222", part443); -var part444 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}n=%{fld3}src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part444 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, dup24, ])); var msg432 = msg("1154", part444); -var part445 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}n=%{fld3}src=%{p0}"); +var part445 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); var all91 = all_match({ processors: [ part445, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ 
@@ -5355,21 +5357,21 @@ var all91 = all_match({ var msg433 = msg("1154:01", all91); -var part446 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=\"%{fld1}\" appid%{fld2}catid=%{fld3}sess=\"%{fld4}\" n=%{fld5}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup165, +var part446 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup166, dup12, ])); var msg434 = msg("1154:02", part446); -var part447 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=\"%{fld1}\" appid=%{fld2}catid=%{fld3}n=%{fld4}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part447 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var select139 = linear_select([ dup125, dup49, ]); -var part448 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\""); +var part448 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); var all92 = all_match({ processors: [ @@ -5378,7 +5380,7 @@ var all92 = all_match({ part448, ], on_success: processor_chain([ - dup165, + dup166, dup12, ]), }); 
@@ -5392,14 +5394,14 @@ var select140 = linear_select([ msg435, ]); -var part449 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr}dst=%{dtransaddr->} %{result}", processor_chain([ - dup166, +var part449 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup167, ])); var msg436 = msg("msg", part449); -var part450 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr}dst=%{dtransaddr->} %{msg}", processor_chain([ - dup166, +var part450 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup167, ])); var msg437 = msg("src", part450); @@ -5407,11 +5409,11 @@ var msg437 = msg("src", part450); var all93 = all_match({ processors: [ dup8, - dup178, + dup179, dup11, - dup176, + dup177, dup11, - dup201, + dup202, ], on_success: processor_chain([ dup1, @@ -5420,14 +5422,14 @@ var all93 = all_match({ var msg438 = msg("1235", all93); -var part451 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3}Protocol:%{protocol}\" npcs=%{info}"); +var part451 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); var all94 = all_match({ processors: [ dup8, - dup178, + dup179, dup11, - dup192, + dup193, part451, ], on_success: processor_chain([ @@ -5437,13 +5439,13 @@ var all94 = all_match({ var msg439 = msg("1197", all94); -var part452 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}sess=%{fld1}n=%{fld2}src=%{p0}"); +var part452 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all95 = all_match({ processors: [ part452, - dup178, - dup167, + dup179, + dup168, ], on_success: processor_chain([ dup1, 
@@ -5453,14 +5455,14 @@ var all95 = all_match({ var msg440 = msg("1199", all95); var part453 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup168, + dup169, dup12, ])); var msg441 = msg("1199:01", part453); var part454 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup168, + dup169, dup12, ])); @@ -5472,14 +5474,14 @@ var select141 = linear_select([ msg442, ]); -var part455 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}catid=%{fld3}sess=%{fld4}n=%{fld5}src=%{p0}"); +var part455 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); var all96 = all_match({ processors: [ part455, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ 
@@ -5489,7 +5491,7 @@ var all96 = all_match({ var msg443 = msg("1155", all96); -var part456 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid}appcat=%{fld1}appid=%{fld2}n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ +var part456 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ dup107, ])); @@ -5502,9 +5504,9 @@ var select142 = linear_select([ var all97 = all_match({ processors: [ - dup169, - dup202, - dup167, + dup170, + dup203, + dup168, ], on_success: processor_chain([ dup1, @@ -5516,8 +5518,8 @@ var msg445 = msg("1198", all97); var all98 = all_match({ processors: [ dup8, - dup178, - dup167, + dup179, + dup168, ], on_success: processor_chain([ dup1, 
@@ -5526,29 +5528,29 @@ var all98 = all_match({ var msg446 = msg("714", all98); -var msg447 = msg("709", dup241); +var msg447 = msg("709", dup242); -var msg448 = msg("1005", dup241); +var msg448 = msg("1005", dup242); -var msg449 = msg("1003", dup241); +var msg449 = msg("1003", dup242); -var msg450 = msg("1007", dup242); +var msg450 = msg("1007", dup243); -var part457 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration}n=%{fld2}usr=\"%{username}\" src=%{saddr}::%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part457 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup105, dup12, ])); var msg451 = msg("1008", part457); -var msg452 = msg("708", dup242); +var msg452 = msg("708", dup243); var all99 = all_match({ processors: [ - dup169, - dup175, + dup170, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ 
@@ -5558,20 +5560,20 @@ var all99 = all_match({ var msg453 = msg("1201", all99); -var msg454 = msg("1201:01", dup242); +var msg454 = msg("1201:01", dup243); var select143 = linear_select([ msg453, msg454, ]); -var msg455 = msg("654", dup223); +var msg455 = msg("654", dup224); -var msg456 = msg("670", dup223); +var msg456 = msg("670", dup224); -var msg457 = msg("884", dup242); +var msg457 = msg("884", dup243); -var part458 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}proto=%{protocol}rcvd=%{rbytes}note=\"%{info}\"", processor_chain([ +var part458 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ dup1, ])); @@ -5589,7 +5591,7 @@ var select144 = linear_select([ part461, ]); -var part462 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3}usr=\"%{username}\" src=%{p0}"); +var part462 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); var part463 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); @@ -5610,7 +5612,7 @@ var select146 = linear_select([ part466, ]); -var part467 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{protocol->} %{p0}"); +var part467 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); var part468 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); 
@@ -5658,7 +5660,7 @@ var select148 = linear_select([ part473, ]); -var part474 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes->} "); +var part474 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} "); var all101 = all_match({ processors: [ @@ -5707,8 +5709,8 @@ var all102 = all_match({ part476, select150, dup11, - dup224, - dup172, + dup225, + dup173, ], on_success: processor_chain([ dup161, @@ -5727,8 +5729,8 @@ var msg462 = msg("1220", all102); var all103 = all_match({ processors: [ dup149, - dup224, - dup172, + dup225, + dup173, ], on_success: processor_chain([ dup161, @@ -5744,14 +5746,14 @@ var all103 = all_match({ var msg463 = msg("1230", all103); -var part479 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}note=\"%{info}\"", processor_chain([ +var part479 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ dup1, ])); var msg464 = msg("1231", part479); -var part480 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup168, +var part480 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup169, dup12, ])); 
@@ -5796,13 +5798,13 @@ var all104 = all_match({ var msg466 = msg("1079", all104); -var part488 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space}n=%{fld1}", processor_chain([ +var part488 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ dup1, ])); var msg467 = msg("1079:01", part488); -var part489 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr}is not allowed by access control\" n=%{fld2}", processor_chain([ +var part489 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ dup1, dup12, setc("event_description","destination is not allowed by access control"), @@ -5815,7 +5817,7 @@ var part489 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destinatio var msg468 = msg("1079:02", part489); -var part490 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username}matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ +var part490 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ dup1, dup12, setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), @@ -5835,7 +5837,7 @@ var select153 = linear_select([ msg469, ]); -var part491 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}usr=\"%{username}\" src= %{p0}"); +var part491 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); var part492 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); 
@@ -5866,7 +5868,7 @@ var all105 = all_match({ var msg470 = msg("1080", all105); -var part494 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part494 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup54, dup18, @@ -5884,7 +5886,7 @@ var part495 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_des var all106 = all_match({ processors: [ part495, - dup225, + dup226, dup114, ], on_success: processor_chain([ @@ -5904,9 +5906,9 @@ var msg472 = msg("1369", all106); var all107 = all_match({ processors: [ dup149, - dup212, + dup213, dup151, - dup225, + dup226, dup114, ], on_success: processor_chain([ @@ -5926,9 +5928,9 @@ var msg473 = msg("1370", all107); var all108 = all_match({ processors: [ dup149, - dup212, - dup151, - dup200, + dup213, + dup163, + dup201, dup114, ], on_success: processor_chain([ @@ -5957,9 +5959,9 @@ var all109 = all_match({ dup162, select156, dup11, - dup212, - dup151, - dup200, + dup213, + dup163, + dup201, dup114, ], on_success: processor_chain([ 
@@ -6101,8 +6103,8 @@ var part509 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_descr var msg481 = msg("1011", part509); -var part510 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid}ipscat=\"%{fld3}\" ipspri=%{fld4}pktdatId=%{fld5}n=%{fld6}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup165, +var part510 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup166, dup54, dup18, dup82, @@ -6114,9 +6116,9 @@ var part510 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_descri var msg482 = msg("609", part510); -var msg483 = msg("796", dup226); +var msg483 = msg("796", dup227); -var part511 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part511 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup70, dup54, dup18, @@ -6129,7 +6131,7 @@ var part511 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_descri var msg484 = msg("880", part511); -var part512 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ +var part512 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup161, dup54, dup18, 
@@ -6142,7 +6144,7 @@ var part512 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_descr var msg485 = msg("1309", part512); -var msg486 = msg("1310", dup226); +var msg486 = msg("1310", dup227); var part513 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); @@ -6175,12 +6177,12 @@ var all112 = all_match({ var msg487 = msg("1232", all112); -var part516 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}srcV6=%{saddr_v6}src=%{saddr}:%{sport}:%{sinterface}dstV6=%{daddr_v6}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var part516 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all113 = all_match({ processors: [ part516, - dup200, + dup201, dup114, ], on_success: processor_chain([ @@ -6546,7 +6548,7 @@ var chain1 = processor_chain([ var part517 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); -var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src=%{p0}"); +var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); 
@@ -6564,9 +6566,9 @@ var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p var part526 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); -var part527 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld}src=%{p0}"); +var part527 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); -var part528 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{p0}"); +var part528 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); var part529 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); @@ -6574,7 +6576,7 @@ var part530 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); var part531 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); -var part532 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}src= %{p0}"); +var part532 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); var part533 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); @@ -6584,9 +6586,9 @@ var part535 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{ var part536 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); -var part537 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol}npcs=%{info}"); +var part537 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); -var part538 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src= %{p0}"); +var part538 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); var part539 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); 
@@ -6600,11 +6602,11 @@ var part543 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{ var part544 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); -var part545 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1}src= %{p0}"); +var part545 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); var part546 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); -var part547 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1}n=%{fld2}src= %{p0}"); +var part547 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); var part548 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); @@ -6628,9 +6630,9 @@ var part557 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}: var part558 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); -var part559 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{p0}"); +var part559 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); -var part560 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part560 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var part561 = match("MESSAGE#202:139:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); 
@@ -6648,7 +6650,7 @@ var part567 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}: var part568 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); -var part569 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}sport=%{sport}dport=%{dport->} %{p0}"); +var part569 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); var part570 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); @@ -6658,11 +6660,11 @@ var part572 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd= var part573 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); -var part574 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{p0}"); +var part574 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var part575 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld}src=%{p0}"); +var part575 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var part576 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr->} %{p0}"); +var part576 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); var part577 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); 
@@ -6672,11 +6674,11 @@ var part579 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_acti var part580 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var part581 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol}npcs=%{info}"); +var part581 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); var part582 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); -var part583 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1}n=%{fld2}src= %{p0}"); +var part583 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); var part584 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); @@ -6710,7 +6712,7 @@ var part598 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdu var part599 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); -var part600 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1}n=%{fld2}src= %{p0}"); +var part600 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); var part601 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); 
@@ -6728,19 +6730,19 @@ var part607 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); var part608 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); -var part609 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg}sess=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst= %{p0}"); +var part609 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part610 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part610 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var part611 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); -var part612 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var part612 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); var part613 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); var part614 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var part615 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); +var part615 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); var part616 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); 
@@ -6752,21 +6754,23 @@ var part619 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_a var part620 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); -var part621 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{p0}"); +var part621 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); -var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface}npcs=%{info}"); +var part622 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1}n=%{fld2}src=%{p0}"); +var part623 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var part624 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var part625 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); -var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); +var part626 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); -var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var part627 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); +var part628 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var part629 = match("MESSAGE#471:1369/1_1", "nwparser.p0", 
"%{protocol}fw_action=\"%{p0}"); var select161 = linear_select([ dup9, @@ -6778,7 +6782,7 @@ var select162 = linear_select([ dup17, ]); -var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ +var part630 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup24, ])); @@ -6813,11 +6817,11 @@ var select168 = linear_select([ dup50, ]); -var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part631 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup62, ])); -var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part632 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); @@ -6832,7 +6836,7 @@ var select170 = linear_select([ dup26, ]); -var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}dstname=%{shost}", processor_chain([ +var part633 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); 
@@ -6846,7 +6850,7 @@ var select172 = linear_select([ dup91, ]); -var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part634 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup5, ])); 
@@ -6860,23 +6864,23 @@ var select174 = linear_select([ dup99, ]); -var part634 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{saddr}dst=%{daddr}", processor_chain([ +var part635 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup89, ])); -var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var part636 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup89, ])); -var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var part637 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part638 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup1, ])); -var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}note=\"%{event_description}\"", processor_chain([ +var part639 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup24, ])); 
@@ -6955,7 +6959,7 @@ var select188 = linear_select([ dup150, ]); -var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1}src=%{saddr}:%{sport}dst=%{daddr}:%{dport}", processor_chain([ +var part640 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup152, ])); 
@@ -6974,49 +6978,49 @@ var select191 = linear_select([ dup159, ]); -var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var part641 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ dup5, ])); -var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{ntype->} ", processor_chain([ +var part642 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ dup5, ])); -var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}src=%{stransaddr}:%{stransport}:%{sinterface}:%{host}dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var part643 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, dup24, ])); -var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}usr=%{username}src=%{stransaddr}:%{stransport}dst=%{dtransaddr}:%{dtransport}note=\"%{event_description}\"", processor_chain([ +var part644 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup24, ])); -var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space}n=%{fld1}", processor_chain([ +var part645 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, dup24, ])); -var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ - dup164, +var part646 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, dup37, ])); -var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1}n=%{fld2}", processor_chain([ +var part647 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); var select192 = linear_select([ - dup170, dup171, + dup172, ]); var select193 = linear_select([ - dup173, dup174, + dup175, ]); -var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}fw_action=\"%{action}\"", processor_chain([ +var part648 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, dup54, dup18, @@ -7030,9 +7034,9 @@ var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_descri var all114 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup176, + dup177, dup28, ], on_success: processor_chain([ @@ -7043,9 +7047,9 @@ var all114 = all_match({ var all115 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup87, @@ -7055,9 +7059,9 @@ var all115 = all_match({ var all116 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup59, @@ -7067,7 +7071,7 @@ var all116 = all_match({ var all117 = all_match({ processors: [ dup97, - dup193, + dup194, ], on_success: processor_chain([ dup59, @@ -7077,9 +7081,9 @@ var all117 = all_match({ var all118 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup102, @@ -7089,9 +7093,9 @@ var all118 = all_match({ var all119 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup30, 
@@ -7101,9 +7105,9 @@ var all119 = all_match({ var all120 = all_match({ processors: [ dup31, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup29, @@ -7113,9 +7117,9 @@ var all120 = all_match({ var all121 = all_match({ processors: [ dup104, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup105, @@ -7125,9 +7129,9 @@ var all121 = all_match({ var all122 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup108, @@ -7137,7 +7141,7 @@ var all122 = all_match({ var all123 = all_match({ processors: [ dup109, - dup199, + dup200, ], on_success: processor_chain([ dup89, @@ -7147,9 +7151,9 @@ var all123 = all_match({ var all124 = all_match({ processors: [ dup106, - dup178, + dup179, dup11, - dup189, + dup190, ], on_success: processor_chain([ dup111, @@ -7159,9 +7163,9 @@ var all124 = all_match({ var all125 = all_match({ processors: [ dup44, - dup179, + dup180, dup36, - dup189, + dup190, ], on_success: processor_chain([ dup5, @@ -7171,9 +7175,9 @@ var all125 = all_match({ var all126 = all_match({ processors: [ dup80, - dup178, + dup179, dup11, - dup176, + dup177, dup79, ], on_success: processor_chain([ @@ -7184,10 +7188,10 @@ var all126 = all_match({ var all127 = all_match({ processors: [ dup153, - dup214, - dup155, dup215, + dup155, dup216, + dup217, dup160, ], on_success: processor_chain([ @@ -7209,9 +7213,9 @@ var all127 = all_match({ var all128 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup192, + dup193, dup96, ], on_success: processor_chain([ @@ -7222,9 +7226,9 @@ var all128 = all_match({ var all129 = all_match({ processors: [ dup8, - dup175, + dup176, dup11, - dup190, + dup191, dup92, ], on_success: processor_chain([ diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index e63bdc32b2f..77967c9c765 100644 
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -18,8 +18,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.92.136.230", - "10.49.111.67" + "10.49.111.67", + "10.92.136.230" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -77,9 +77,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.227.15.1", "10.149.203.46", - "10.150.156.22" + "10.150.156.22", + "10.227.15.1" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -437,8 +437,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.204.11.20", - "10.239.201.234" + "10.239.201.234", + "10.204.11.20" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", @@ -685,8 +685,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", @@ -964,8 +964,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.54.14.189", - "10.216.125.252" + "10.216.125.252", + "10.54.14.189" ], "rsa.internal.messageid": "402", "rsa.internal.msg": "tvol", @@ -998,8 +998,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1055,8 +1055,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.64.229.79", - "10.187.201.250" + "10.187.201.250", + "10.64.229.79" ], "rsa.db.index": "rumwrit", "rsa.internal.messageid": "83", 
@@ -1148,8 +1148,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.31.190.145", - "10.147.88.219" + "10.147.88.219", + "10.31.190.145" ], "rsa.internal.messageid": "243", "rsa.internal.msg": "eriti", @@ -1710,8 +1710,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.169.140", - "10.117.63.181" + "10.117.63.181", + "10.222.169.140" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -1949,8 +1949,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.203.146.137", - "10.29.120.226" + "10.29.120.226", + "10.203.146.137" ], "rsa.internal.messageid": "712", "rsa.misc.action": [ @@ -2243,8 +2243,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.204.178.19", - "10.83.134.38" + "10.83.134.38", + "10.204.178.19" ], "rsa.internal.messageid": "msg", "rsa.internal.msg": "nvol", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index 030a795e97b..7dbcd092c22 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-07 18:10:50.306455 +0000 UTC. +at 2020-07-08 13:58:41.022244 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/config/pipeline.js b/x-pack/filebeat/module/squid/log/config/pipeline.js index 2b5e72fa2bb..52efb91440b 100644 --- a/x-pack/filebeat/module/squid/log/config/pipeline.js +++ b/x-pack/filebeat/module/squid/log/config/pipeline.js 
@@ -55,7 +55,7 @@ var dup13 = date_time({ var dup14 = page("webpage","url"); -var dup15 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ +var dup15 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ dup1, dup2, dup3, @@ -83,7 +83,7 @@ var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string} dup12, ])); -var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ +var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ dup1, dup2, dup4, 
@@ -109,7 +109,7 @@ var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string dup12, ])); -var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ +var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ dup1, dup5, dup6, @@ -131,7 +131,7 @@ var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string} dup12, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport}[%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -140,7 +140,7 @@ var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport}[%{fld20->} % field("hsaddr"), constant(" "), field("hsport"), - constant("["), + constant(" ["), field("fld20"), constant(" "), field("fld21"), 
@@ -184,7 +184,7 @@ var select1 = linear_select([
 
 var msg1 = msg("GET", dup15);
 
-var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([
+var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([
 dup1,
 dup2,
 dup3,
@@ -386,7 +386,7 @@ var chain1 = processor_chain([
 }),
 ]);
 
-var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
+var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
 dup1,
 dup2,
 dup3,
@@ -414,7 +414,7 @@ var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}
 dup12,
 ]));
 
-var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
+var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
 dup1,
 dup2,
 dup4,
@@ -440,7 +440,7 @@ var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string
 dup12,
 ]));
 
-var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport}[%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username}\"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes}\"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
+var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([
 dup1,
 dup5,
 dup6,
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
index 180c68da6ae..81f0dfea8de 100644
--- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
@@ -22,16 +22,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -144,8 +144,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -153,8 +153,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -202,8 +202,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -606,8 +606,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -659,8 +659,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.85.16.38" + "209.85.16.38", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -782,8 +782,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -835,8 +835,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -844,8 +844,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -893,8 +893,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1127,8 +1127,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.161" + "213.160.98.161", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1136,8 +1136,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1295,8 +1295,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1352,8 +1352,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1409,8 +1409,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -1470,8 +1470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1523,8 +1523,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1532,8 +1532,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1589,8 +1589,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1638,8 +1638,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1687,8 +1687,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1788,8 +1788,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1963,8 +1963,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -1972,8 +1972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2022,8 +2022,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2031,8 +2031,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2145,8 +2145,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2198,8 +2198,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "63.245.209.21", - "10.105.21.199" + "10.105.21.199", + "63.245.209.21" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2207,8 +2207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2256,8 +2256,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2265,8 +2265,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -2312,8 +2312,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2368,8 +2368,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2617,8 +2617,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2667,8 +2667,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2676,8 +2676,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2783,8 +2783,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2899,8 +2899,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2947,8 +2947,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -3006,8 +3006,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3056,8 +3056,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3065,8 +3065,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3124,8 +3124,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3174,8 +3174,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3183,8 +3183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3281,8 +3281,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3330,8 +3330,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3380,8 +3380,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3439,8 +3439,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3448,8 +3448,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3596,8 +3596,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -3657,8 +3657,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3666,8 +3666,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3941,8 +3941,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4003,8 +4003,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -4053,8 +4053,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4183,8 +4183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4299,8 +4299,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4356,8 +4356,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4403,8 +4403,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.109.124.55" + "216.109.124.55", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4575,8 +4575,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4694,8 +4694,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4876,8 +4876,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -4991,8 +4991,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5049,8 +5049,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5098,8 +5098,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5146,8 +5146,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.109.125.112", - "10.105.33.214" + "10.105.33.214", + "216.109.125.112" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5372,8 +5372,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5425,8 +5425,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5581,8 +5581,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index 53c5e82e5a3..fe0d45700ea 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json 
+++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json @@ -22,8 +22,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -77,8 +77,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -132,8 +132,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -352,8 +352,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -462,8 +462,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -517,8 +517,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -572,8 +572,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -627,8 +627,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -737,8 +737,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -902,8 +902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -957,8 +957,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1012,8 +1012,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1067,8 +1067,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1122,8 +1122,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1177,8 +1177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -1451,8 +1451,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -1616,8 +1616,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1671,8 +1671,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1726,8 +1726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1781,8 +1781,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1836,8 +1836,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1946,8 +1946,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -2001,8 +2001,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2551,8 +2551,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2881,8 +2881,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2936,8 +2936,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2991,8 +2991,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3046,8 +3046,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3101,8 +3101,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3156,8 +3156,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3211,8 +3211,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3266,8 +3266,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3541,8 +3541,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3706,8 +3706,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3816,8 +3816,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3981,8 +3981,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4091,8 +4091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4146,8 +4146,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4310,8 +4310,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4365,8 +4365,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4529,8 +4529,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4704,8 +4704,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4758,8 +4758,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4813,8 +4813,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -4868,8 +4868,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4923,8 +4923,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5033,8 +5033,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5088,8 +5088,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5143,8 +5143,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5198,8 +5198,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5253,8 +5253,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "403", diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index 7a040eec325..7386434950f 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json 
@@ -20,8 +20,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -67,8 +67,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -259,8 +259,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -455,8 +455,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -550,8 +550,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -644,8 +644,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -691,8 +691,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -834,8 +834,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", 
@@ -1028,8 +1028,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1173,8 +1173,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -1269,8 +1269,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1413,8 +1413,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1422,8 +1422,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1590,8 +1590,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1658,8 +1658,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "204", @@ -1715,8 +1715,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1764,8 +1764,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1821,8 +1821,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1878,8 +1878,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.6" + "74.125.228.6", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1943,8 +1943,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2049,16 +2049,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2106,16 +2106,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2228,8 +2228,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2334,16 +2334,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2507,16 +2507,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "23.11.236.224", - "192.168.0.35" + "192.168.0.35", + "23.11.236.224" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2564,16 +2564,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "23.11.236.224", - "192.168.0.35" + "192.168.0.35", + "23.11.236.224" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2629,8 +2629,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2686,8 +2686,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2735,16 +2735,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2857,8 +2857,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2906,16 +2906,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2971,8 +2971,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3080,8 +3080,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -3139,8 +3139,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3257,8 +3257,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3266,8 +3266,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3316,8 +3316,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3443,8 +3443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3493,8 +3493,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3552,8 +3552,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3611,8 +3611,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -3738,8 +3738,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3856,8 +3856,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3906,8 +3906,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4083,8 +4083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4092,8 +4092,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4151,8 +4151,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4319,8 +4319,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4387,8 +4387,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -4437,8 +4437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4555,8 +4555,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4564,8 +4564,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4614,8 +4614,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4673,8 +4673,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4682,8 +4682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4732,8 +4732,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4800,8 +4800,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -4850,8 +4850,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4909,8 +4909,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4918,8 +4918,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4968,8 +4968,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5034,8 +5034,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5083,16 +5083,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5140,8 +5140,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.96", - "192.168.0.35" + "192.168.0.35", + "74.125.228.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -5197,8 +5197,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.101", - "192.168.0.35" + "192.168.0.35", + "74.125.228.101" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5311,8 +5311,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "69.171.228.74", - "192.168.0.35" + "192.168.0.35", + "69.171.228.74" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5377,8 +5377,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5491,8 +5491,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index b061737d2c7..e6a3118e79e 100644 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -22,16 +22,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -250,16 +250,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.97" + "173.194.123.97", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -307,8 +307,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -364,8 +364,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -478,16 +478,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -535,8 +535,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -595,16 +595,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.237", - "::1" + "::1", + "216.58.219.237" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -652,16 +652,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.68" + "173.194.123.68", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -717,8 +717,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -766,16 +766,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -824,8 +824,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.105" + "173.194.123.105", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -881,8 +881,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -946,8 +946,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1003,8 +1003,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1052,16 +1052,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1117,8 +1117,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1223,16 +1223,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1280,16 +1280,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1337,8 +1337,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1451,8 +1451,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1565,8 +1565,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1622,8 +1622,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1736,16 +1736,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1801,8 +1801,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1850,16 +1850,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1907,8 +1907,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2135,8 +2135,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2200,8 +2200,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2428,8 +2428,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2534,8 +2534,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -2591,16 +2591,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2656,8 +2656,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2771,8 +2771,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2829,8 +2829,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -2996,8 +2996,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -3065,8 +3065,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3125,8 +3125,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3185,8 +3185,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3245,8 +3245,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3305,8 +3305,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3365,8 +3365,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3417,8 +3417,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3477,8 +3477,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3545,8 +3545,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3597,16 +3597,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3665,8 +3665,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3774,16 +3774,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3831,8 +3831,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3896,8 +3896,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3948,16 +3948,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.133",
- "::1"
+ "::1",
+ "216.58.219.133"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4076,8 +4076,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4125,8 +4125,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "173.194.205.113"
+ "173.194.205.113",
+ "10.100.0.1"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "GET",
@@ -4250,8 +4250,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "POST"
+ "POST",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -4303,8 +4303,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "216.58.219.238"
+ "216.58.219.238",
+ "10.100.0.1"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "POST",
@@ -4372,8 +4372,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "POST",
- "TCP_MISS"
+ "TCP_MISS",
+ "POST"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -4422,8 +4422,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.6.238",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.6.238"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "POST",
@@ -4544,8 +4544,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4593,16 +4593,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.10.14",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.10.14"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4650,16 +4650,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.2.85",
- "172.217.12.174"
+ "172.217.12.174",
+ "10.100.2.85"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4707,16 +4707,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.10.14",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.10.14"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4764,16 +4764,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.10.14",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.10.14"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4829,8 +4829,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4878,8 +4878,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.10.14",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.10.14"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
@@ -4935,16 +4935,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.2.85",
- "173.194.204.156"
+ "173.194.204.156",
+ "10.100.2.85"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4992,8 +4992,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.12.174"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
@@ -5057,8 +5057,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5114,8 +5114,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5220,16 +5220,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "172.217.12.174"
+ "172.217.12.174",
+ "10.100.0.1"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5277,8 +5277,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.12.174"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
@@ -5405,8 +5405,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5525,8 +5525,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5577,16 +5577,16 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "216.58.219.206"
+ "216.58.219.206",
+ "10.100.0.1"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5634,8 +5634,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.12.174"
 ],
 "rsa.internal.hcode": "DIRECT",
 "rsa.internal.messageid": "CONNECT",
@@ -5759,8 +5759,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md
index 4e23a7d0fdc..095866c9ea4 100644
--- a/x-pack/filebeat/module/tenable/README.md
+++ b/x-pack/filebeat/module/tenable/README.md
@@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-07 18:10:47.316331 +0000 UTC. +at 2020-07-08 13:58:37.854984 +0000 UTC.
diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js b/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js
index 1ceefc0cbac..563060a85fe 100644
--- a/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js
+++ b/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js
@@ -66,7 +66,7 @@ var dup16 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}" dup4, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}%NESSUSVS-%{messageid}: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %NESSUSVS-%{messageid}: %{payload}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload",
@@ -139,14 +139,14 @@ var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} }), ])); -var hdr6 = match("HEADER#5:0006", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}(%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} (%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("hfld4"), - constant("("), + constant(" ("), field("messageid"), constant(" "), field("hfld5"), @@ -238,7 +238,7 @@ var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description var msg7 = msg("finished", part7); -var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username}: test complete", processor_chain([ +var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username->} : test complete", processor_chain([ dup1, dup2, dup4, @@ -247,7 +247,7 @@ var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username}: test var msg8 = msg("user", part8); -var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username}: testing %{hostname}(%{hostip}) %{fld1}", processor_chain([ +var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username->} : testing %{hostname->} (%{hostip}) %{fld1}", processor_chain([ dup1, dup2, dup4, 
@@ -256,7 +256,7 @@ var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username}: te var msg9 = msg("user:01", part9); -var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username}starts a new scan. Target(s) : %{hostname}, %{info}", processor_chain([ +var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username->} starts a new scan. Target(s) : %{hostname}, %{info}", processor_chain([ dup5, dup2, dup4, @@ -265,7 +265,7 @@ var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username}st var msg10 = msg("user:02", part10); -var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username}: launching %{rulename}against %{url}[%{process_id}]", processor_chain([ +var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username->} : launching %{rulename->} against %{url->} [%{process_id}]", processor_chain([ setc("eventcategory","1401000000"), dup2, dup4, @@ -274,7 +274,7 @@ var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{user var msg11 = msg("user_launching", part11); -var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username}: Not launching %{rulename}against %{url->} %{reason}", processor_chain([ +var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username->} : Not launching %{rulename->} against %{url->} %{reason}", processor_chain([ dup7, dup2, dup4, @@ -314,7 +314,7 @@ var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description var msg17 = msg("failed", part14); -var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description}(pid=%{process_id})", processor_chain([ +var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description->} (pid=%{process_id})", processor_chain([ dup1, dup2, dup4, 
@@ -376,7 +376,7 @@ var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{ var msg28 = msg("User", part20); -var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username}starts a new scan (%{fld25})", processor_chain([ +var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username->} starts a new scan (%{fld25})", processor_chain([ dup5, dup2, dup4, @@ -399,7 +399,7 @@ var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_descriptio var msg30 = msg("Plugins", part22); -var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename}(process %{process_id}) finished its job in %{duration}seconds ", processor_chain([ +var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds ", processor_chain([ dup1, dup12, setc("ec_outcome","Success"), @@ -410,7 +410,7 @@ var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulenam var msg31 = msg("process_finished", part23); -var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename}(pid %{process_id}) is slow to finish - killing it ", processor_chain([ +var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it ", processor_chain([ dup7, dup12, dup11, @@ -421,7 +421,7 @@ var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", var msg32 = msg("process_notfinished_killed", part24); -var part25 = match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1}TCP sessions in parallel", processor_chain([ +var part25 = match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1->} TCP sessions in parallel", processor_chain([ dup1, dup2, dup4, 
@@ -440,7 +440,7 @@ var msg37 = msg("started.", dup15); var msg38 = msg("scanner", dup14); -var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description}(pid %{process_id})", processor_chain([ +var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description->} (pid %{process_id})", processor_chain([ dup1, dup2, dup4,
diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md
index d0cfba14689..f7c5bc2aec9 100644
--- a/x-pack/filebeat/module/tomcat/README.md
+++ b/x-pack/filebeat/module/tomcat/README.md
@@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-07 18:10:40.660733 +0000 UTC. +at 2020-07-08 13:58:30.620889 +0000 UTC.
diff --git a/x-pack/filebeat/module/tomcat/log/config/pipeline.js b/x-pack/filebeat/module/tomcat/log/config/pipeline.js
index 4d4afa2b0da..8ec7051768c 100644
--- a/x-pack/filebeat/module/tomcat/log/config/pipeline.js
+++ b/x-pack/filebeat/module/tomcat/log/config/pipeline.js
@@ -46,7 +46,7 @@ var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid setc("header_id","0001"), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname}%APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ setc("header_id","0002"), ]));
diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md
index c130342f206..afb91cef38f 100644
--- a/x-pack/filebeat/module/zscaler/README.md
+++ b/x-pack/filebeat/module/zscaler/README.md
@@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-07 18:10:50.651632 +0000 UTC. +at 2020-07-08 13:58:41.398811 +0000 UTC.
diff --git a/x-pack/filebeat/module/zscaler/zia/config/pipeline.js b/x-pack/filebeat/module/zscaler/zia/config/pipeline.js
index bd986a1315c..288afbeec27 100644
--- a/x-pack/filebeat/module/zscaler/zia/config/pipeline.js
+++ b/x-pack/filebeat/module/zscaler/zia/config/pipeline.js
@@ -22,7 +22,7 @@ var map_getEventCategoryActivity = { }, }; -var hdr1 = match("HEADER#0:0001", "message", "%{data}ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{data->} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ setc("header_id","0001"), setc("messageid","ZSCALERNSS_1"), ]));
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
index 002367714d0..20f16a2865d 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
@@ -165,8 +165,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.254.146.57",
- "10.204.86.149"
+ "10.204.86.149",
+ "10.254.146.57"
 ],
 "rsa.db.index": "nsequat",
 "rsa.identity.user_dept": "onev",
@@ -237,8 +237,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.252.125.53",
- "10.103.246.190"
+ "10.103.246.190",
+ "10.252.125.53"
 ],
 "rsa.db.index": "uiano",
 "rsa.identity.user_dept": "ari",
@@ -381,8 +381,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.183.16.166",
- "10.66.250.92"
+ "10.66.250.92",
+ "10.183.16.166"
 ],
 "rsa.db.index": "essecill",
 "rsa.identity.user_dept": "ons",
@@ -393,8 +393,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "avol",
 "rsa.misc.action": [
- "Allowed",
- "ist"
+ "ist",
+ "Allowed"
 ],
 "rsa.misc.category": "lorema",
 "rsa.misc.filter": "sun",
@@ -525,8 +525,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.74.17.5",
- "10.119.185.63"
+ "10.119.185.63",
+ "10.74.17.5"
 ],
 "rsa.db.index": "ume",
 "rsa.identity.user_dept": "itecto",
@@ -537,8 +537,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tame",
 "rsa.misc.action": [
- "Blocked",
- "nsec"
+ "nsec",
+ "Blocked"
 ],
 "rsa.misc.category": "emaperi",
 "rsa.misc.filter": "rehe",
@@ -609,8 +609,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "atquovo",
 "rsa.misc.action": [
- "Allowed",
- "amvolup"
+ "amvolup",
+ "Allowed"
 ],
 "rsa.misc.category": "hil",
 "rsa.misc.filter": "deFinibu",
@@ -681,8 +681,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ihilm",
 "rsa.misc.action": [
- "psaquae",
- "Allowed"
+ "Allowed",
+ "psaquae"
 ],
 "rsa.misc.category": "eFinib",
 "rsa.misc.filter": "inesci",
@@ -885,8 +885,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.31.240.6",
- "10.167.98.76"
+ "10.167.98.76",
+ "10.31.240.6"
 ],
 "rsa.db.index": "bore",
 "rsa.identity.user_dept": "gnido",
@@ -897,8 +897,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "catc",
 "rsa.misc.action": [
- "Allowed",
- "veni"
+ "veni",
+ "Allowed"
 ],
 "rsa.misc.category": "sBono",
 "rsa.misc.filter": "isnisiu",
@@ -957,8 +957,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.0.55.9",
- "10.135.160.125"
+ "10.135.160.125",
+ "10.0.55.9"
 ],
 "rsa.db.index": "mfugiat",
 "rsa.identity.user_dept": "Utenima",
@@ -1029,8 +1029,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.63.250.128",
- "10.111.187.12"
+ "10.111.187.12",
+ "10.63.250.128"
 ],
 "rsa.db.index": "nevo",
 "rsa.identity.user_dept": "tev",
@@ -1041,8 +1041,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "nnum",
 "rsa.misc.action": [
- "ntoccae",
- "Allowed"
+ "Allowed",
+ "ntoccae"
 ],
 "rsa.misc.category": "tium",
 "rsa.misc.filter": "uteirure",
@@ -1113,8 +1113,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "mod",
 "rsa.misc.action": [
- "Allowed",
- "xeacomm"
+ "xeacomm",
+ "Allowed"
 ],
 "rsa.misc.category": "sauteiru",
 "rsa.misc.filter": "antiu",
@@ -1173,8 +1173,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.91.126.231",
- "10.201.171.120"
+ "10.201.171.120",
+ "10.91.126.231"
 ],
 "rsa.db.index": "str",
 "rsa.identity.user_dept": "tau",
@@ -1185,8 +1185,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "umdo",
 "rsa.misc.action": [
- "Blocked",
- "orumSe"
+ "orumSe",
+ "Blocked"
 ],
 "rsa.misc.category": "tanimid",
 "rsa.misc.filter": "itam",
@@ -1245,8 +1245,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.107.251.87",
- "10.135.82.97"
+ "10.135.82.97",
+ "10.107.251.87"
 ],
 "rsa.db.index": "oin",
 "rsa.identity.user_dept": "nturma",
@@ -1257,8 +1257,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "quid",
 "rsa.misc.action": [
- "itecto",
- "Allowed"
+ "Allowed",
+ "itecto"
 ],
 "rsa.misc.category": "quam",
 "rsa.misc.filter": "adeser",
@@ -1317,8 +1317,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.31.198.58",
- "10.215.205.216"
+ "10.215.205.216",
+ "10.31.198.58"
 ],
 "rsa.db.index": "sau",
 "rsa.identity.user_dept": "boreetdo",
@@ -1473,8 +1473,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "uaUten",
 "rsa.misc.action": [
- "amcorp",
- "Blocked"
+ "Blocked",
+ "amcorp"
 ],
 "rsa.misc.category": "umdolor",
 "rsa.misc.filter": "velillu",
@@ -1605,8 +1605,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.86.22.67",
- "10.218.98.29"
+ "10.218.98.29",
+ "10.86.22.67"
 ],
 "rsa.db.index": "cab",
 "rsa.identity.user_dept": "quunt",
@@ -1749,8 +1749,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.32.39.220",
- "10.179.210.218"
+ "10.179.210.218",
+ "10.32.39.220"
 ],
 "rsa.db.index": "emvele",
 "rsa.identity.user_dept": "tatevel",
@@ -1965,8 +1965,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.2.67.127",
- "10.115.53.31"
+ "10.115.53.31",
+ "10.2.67.127"
 ],
 "rsa.db.index": "ntexplic",
 "rsa.identity.user_dept": "mdolore",
@@ -1977,8 +1977,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "quatD",
 "rsa.misc.action": [
- "Allowed",
- "tatem"
+ "tatem",
+ "Allowed"
 ],
 "rsa.misc.category": "aincidun",
 "rsa.misc.filter": "uela",
@@ -2049,8 +2049,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tasun",
 "rsa.misc.action": [
- "quasiarc",
- "Allowed"
+ "Allowed",
+ "quasiarc"
 ],
 "rsa.misc.category": "autfugi",
 "rsa.misc.filter": "ritqu",
@@ -2109,8 +2109,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.18.226.72",
- "10.101.85.169"
+ "10.101.85.169",
+ "10.18.226.72"
 ],
 "rsa.db.index": "iacons",
 "rsa.identity.user_dept": "billo",
@@ -2181,8 +2181,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.87.100.240",
- "10.242.182.193"
+ "10.242.182.193",
+ "10.87.100.240"
 ],
 "rsa.db.index": "etconsec",
 "rsa.identity.user_dept": "nder",
@@ -2265,8 +2265,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tdolore",
 "rsa.misc.action": [
- "Blocked",
- "onproide"
+ "onproide",
+ "Blocked"
 ],
 "rsa.misc.category": "tvolup",
 "rsa.misc.filter": "niam",
@@ -2325,8 +2325,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.193.66.155",
- "10.106.77.138"
+ "10.106.77.138",
+ "10.193.66.155"
 ],
 "rsa.db.index": "iqua",
 "rsa.identity.user_dept": "henderi",
@@ -2337,8 +2337,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "uteir",
 "rsa.misc.action": [
- "Section",
- "Allowed"
+ "Allowed",
+ "Section"
 ],
 "rsa.misc.category": "cididu",
 "rsa.misc.filter": "Utenima",
@@ -2409,8 +2409,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tec",
 "rsa.misc.action": [
- "Allowed",
- "tatema"
+ "tatema",
+ "Allowed"
 ],
 "rsa.misc.category": "emullamc",
 "rsa.misc.filter": "emveleum",
@@ -2469,8 +2469,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.49.242.174",
- "10.131.246.134"
+ "10.131.246.134",
+ "10.49.242.174"
 ],
 "rsa.db.index": "sumquiad",
 "rsa.identity.user_dept": "aconsequ",
@@ -2541,8 +2541,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.142.120.198",
- "10.166.10.42"
+ "10.166.10.42",
+ "10.142.120.198"
 ],
 "rsa.db.index": "fugiatn",
 "rsa.identity.user_dept": "uamqu",
@@ -2553,8 +2553,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ende",
 "rsa.misc.action": [
- "Blocked",
- "doconse"
+ "doconse",
+ "Blocked"
 ],
 "rsa.misc.category": "uovolupt",
 "rsa.misc.filter": "litesse",
@@ -2685,8 +2685,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.213.57.165",
- "10.53.101.131"
+ "10.53.101.131",
+ "10.213.57.165"
 ],
 "rsa.db.index": "asnulap",
 "rsa.identity.user_dept": "ectetura",
@@ -2697,8 +2697,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ese",
 "rsa.misc.action": [
- "Allowed",
- "litanim"
+ "litanim",
+ "Allowed"
 ],
 "rsa.misc.category": "idata",
 "rsa.misc.filter": "urerepre",
@@ -2769,8 +2769,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "idolores",
 "rsa.misc.action": [
- "Blocked",
- "lestia"
+ "lestia",
+ "Blocked"
 ],
 "rsa.misc.category": "risni",
 "rsa.misc.filter": "emacc",
@@ -2841,8 +2841,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "lit",
 "rsa.misc.action": [
- "Blocked",
- "quu"
+ "quu",
+ "Blocked"
 ],
 "rsa.misc.category": "oluptate",
 "rsa.misc.filter": "exercita",
@@ -2913,8 +2913,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "Loremip",
 "rsa.misc.action": [
- "quid",
- "Allowed"
+ "Allowed",
+ "quid"
 ],
 "rsa.misc.category": "mini",
 "rsa.misc.filter": "uisnos",
@@ -3129,8 +3129,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "etdol",
 "rsa.misc.action": [
- "Blocked",
- "mwrit"
+ "mwrit",
+ "Blocked"
 ],
 "rsa.misc.category": "inim",
 "rsa.misc.filter": "aturQu",
@@ -3189,8 +3189,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.30.87.51",
- "10.156.177.53"
+ "10.156.177.53",
+ "10.30.87.51"
 ],
 "rsa.db.index": "siarc",
 "rsa.identity.user_dept": "rmagnido",
@@ -3201,8 +3201,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tatno",
 "rsa.misc.action": [
- "ptatev",
- "Blocked"
+ "Blocked",
+ "ptatev"
 ],
 "rsa.misc.category": "udexerc",
 "rsa.misc.filter": "ptatemse",
@@ -3345,8 +3345,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "itesse",
 "rsa.misc.action": [
- "uip",
- "Allowed"
+ "Allowed",
+ "uip"
 ],
 "rsa.misc.category": "teturad",
 "rsa.misc.filter": "roquisqu",
@@ -3417,8 +3417,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "mipsumq",
 "rsa.misc.action": [
- "Allowed",
- "citation"
+ "citation",
+ "Allowed"
 ],
 "rsa.misc.category": "usant",
 "rsa.misc.filter": "Nem",
@@ -3547,8 +3547,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.121.9.5",
- "10.119.53.68"
+ "10.119.53.68",
+ "10.121.9.5"
 ],
 "rsa.db.index": "sitam",
 "rsa.identity.user_dept": "mea",
@@ -3559,8 +3559,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "dexea",
 "rsa.misc.action": [
- "tinvolup",
- "Blocked"
+ "Blocked",
+ "tinvolup"
 ],
 "rsa.misc.category": "ende",
 "rsa.misc.filter": "onse",
@@ -3689,8 +3689,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.229.102.140",
- "10.243.182.229"
+ "10.243.182.229",
+ "10.229.102.140"
 ],
 "rsa.db.index": "mveni",
 "rsa.identity.user_dept": "nimve",
@@ -3701,8 +3701,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "epor",
 "rsa.misc.action": [
- "Allowed",
- "etquasia"
+ "etquasia",
+ "Allowed"
 ],
 "rsa.misc.category": "iaturE",
 "rsa.misc.filter": "rep",
@@ -3769,8 +3769,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "adipisc",
 "rsa.misc.action": [
- "Blocked",
- "exer"
+ "exer",
+ "Blocked"
 ],
 "rsa.misc.category": "remagna",
 "rsa.misc.filter": "emvel",
@@ -3829,8 +3829,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.53.191.49",
- "10.133.102.57"
+ "10.133.102.57",
+ "10.53.191.49"
 ],
 "rsa.db.index": "sam",
 "rsa.identity.user_dept": "ctobeat",
@@ -3841,8 +3841,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ecillum",
 "rsa.misc.action": [
- "emp",
- "Blocked"
+ "Blocked",
+ "emp"
 ],
 "rsa.misc.category": "ciati",
 "rsa.misc.filter": "elit",
@@ -3973,8 +3973,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.7.18.226",
- "10.221.20.165"
+ "10.221.20.165",
+ "10.7.18.226"
 ],
 "rsa.db.index": "borio",
 "rsa.identity.user_dept": "tionev",
@@ -3985,8 +3985,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "iadeseru",
 "rsa.misc.action": [
- "Allowed",
- "epreh"
+ "epreh",
+ "Allowed"
 ],
 "rsa.misc.category": "ruredol",
 "rsa.misc.filter": "atquo",
@@ -4045,8 +4045,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.155.252.123",
- "10.178.148.188"
+ "10.178.148.188",
+ "10.155.252.123"
 ],
 "rsa.db.index": "ipsa",
 "rsa.identity.user_dept": "ssequ",
@@ -4057,8 +4057,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "inimve",
 "rsa.misc.action": [
- "Allowed",
- "niam"
+ "niam",
+ "Allowed"
 ],
 "rsa.misc.category": "perspici",
 "rsa.misc.filter": "uipe",
@@ -4117,8 +4117,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.220.1.249",
- "10.190.42.245"
+ "10.190.42.245",
+ "10.220.1.249"
 ],
 "rsa.db.index": "caboN",
 "rsa.identity.user_dept": "quuntur",
@@ -4129,8 +4129,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "uamquaer",
 "rsa.misc.action": [
- "Blocked",
- "aerat"
+ "aerat",
+ "Blocked"
 ],
 "rsa.misc.category": "quela",
 "rsa.misc.filter": "qui",
@@ -4199,8 +4199,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tin",
 "rsa.misc.action": [
- "urau",
- "Allowed"
+ "Allowed",
+ "urau"
 ],
 "rsa.misc.category": "isiut",
 "rsa.misc.filter": "cons",
@@ -4259,8 +4259,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.195.153.42",
- "10.250.48.82"
+ "10.250.48.82",
+ "10.195.153.42"
 ],
 "rsa.db.index": "edictasu",
 "rsa.identity.user_dept": "serrorsi",
@@ -4411,8 +4411,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "dipisc",
 "rsa.misc.action": [
- "turad",
- "Allowed"
+ "Allowed",
+ "turad"
 ],
 "rsa.misc.category": "ulpaquio",
 "rsa.misc.filter": "ngelits",
@@ -4553,8 +4553,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "modit",
 "rsa.misc.action": [
- "Allowed",
- "uteiru"
+ "uteiru",
+ "Allowed"
 ],
 "rsa.misc.category": "qua",
 "rsa.misc.filter": "saute",
@@ -4685,8 +4685,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.185.107.27",
- "10.29.162.157"
+ "10.29.162.157",
+ "10.185.107.27"
 ],
 "rsa.db.index": "orese",
 "rsa.identity.user_dept": "orese",
@@ -4913,8 +4913,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "plicab",
 "rsa.misc.action": [
- "umq",
- "Blocked"
+ "Blocked",
+ "umq"
 ],
 "rsa.misc.category": "eruntmol",
 "rsa.misc.filter": "labore",
@@ -4985,8 +4985,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "omnisi",
 "rsa.misc.action": [
- "userro",
- "Allowed"
+ "Allowed",
+ "userro"
 ],
 "rsa.misc.category": "etd",
 "rsa.misc.filter": "loremeum",
@@ -5045,8 +5045,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.124.177.226",
- "10.249.1.143"
+ "10.249.1.143",
+ "10.124.177.226"
 ],
 "rsa.db.index": "liqui",
 "rsa.identity.user_dept": "tincul",
@@ -5117,8 +5117,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.146.228.249",
- "10.167.176.220"
+ "10.167.176.220",
+ "10.146.228.249"
 ],
 "rsa.db.index": "quipe",
 "rsa.identity.user_dept": "gitsed",
@@ -5129,8 +5129,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ect",
 "rsa.misc.action": [
- "maccu",
- "Blocked"
+ "Blocked",
+ "maccu"
 ],
 "rsa.misc.category": "iaecon",
 "rsa.misc.filter": "eni",
@@ -5261,8 +5261,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.162.78.48", - "10.24.23.209" + "10.24.23.209", + "10.162.78.48" ], "rsa.db.index": "eabil", "rsa.identity.user_dept": "iumd", @@ -5273,8 +5273,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "tutl", - "Blocked" + "Blocked", + "tutl" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5333,8 +5333,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "rsa.db.index": "uidolore", "rsa.identity.user_dept": "maveni", @@ -5477,8 +5477,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.107.68.114", - "10.84.9.150" + "10.84.9.150", + "10.107.68.114" ], "rsa.db.index": "qui", "rsa.identity.user_dept": "ocons", @@ -5549,8 +5549,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.119.48", - "10.26.222.144" + "10.26.222.144", + "10.124.119.48" ], "rsa.db.index": "doconse", "rsa.identity.user_dept": "amn", @@ -5561,8 +5561,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5705,8 +5705,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -5837,8 +5837,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.77.102.206", - "10.34.98.144" + "10.34.98.144", + "10.77.102.206" ], "rsa.db.index": "oreve", "rsa.identity.user_dept": "inBCSed", 
@@ -5909,8 +5909,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.75.144.118", - "10.176.233.249" + "10.176.233.249", + "10.75.144.118" ], "rsa.db.index": "atn", "rsa.identity.user_dept": "aconseq", @@ -5921,8 +5921,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "Blocked", - "odic" + "odic", + "Blocked" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -5981,8 +5981,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.236.55.236", - "10.149.6.107" + "10.149.6.107", + "10.236.55.236" ], "rsa.db.index": "chite", "rsa.identity.user_dept": "eseosqu", @@ -5993,8 +5993,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "Allowed", - "mvele" + "mvele", + "Allowed" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6065,8 +6065,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "uaUten", - "Blocked" + "Blocked", + "uaUten" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6197,8 +6197,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "rsa.db.index": "aliqui", "rsa.identity.user_dept": "ugiatq", @@ -6209,8 +6209,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6281,8 +6281,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "Blocked", - "nofdeF" + "nofdeF", + "Blocked" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", 
@@ -6353,8 +6353,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6481,8 +6481,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.46.71.46", - "10.138.193.38" + "10.138.193.38", + "10.46.71.46" ], "rsa.db.index": "mSectio", "rsa.identity.user_dept": "tate", @@ -6493,8 +6493,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "upta", "rsa.misc.action": [ - "Allowed", - "uovolup" + "uovolup", + "Allowed" ], "rsa.misc.category": "todit", "rsa.misc.filter": "atisetq", @@ -6549,8 +6549,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "rsa.db.index": "tor", "rsa.identity.user_dept": "tconsect", @@ -6561,8 +6561,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6693,8 +6693,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" ], "rsa.db.index": "evolu", "rsa.identity.user_dept": "mull", @@ -6849,8 +6849,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -6909,8 +6909,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "rsa.db.index": "nderit", "rsa.identity.user_dept": "nderitin", 
@@ -6981,8 +6981,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "rsa.db.index": "tiumdol", "rsa.identity.user_dept": "oloremag", @@ -6993,8 +6993,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7053,8 +7053,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.109.192.53", - "10.172.17.6" + "10.172.17.6", + "10.109.192.53" ], "rsa.db.index": "tcupi", "rsa.identity.user_dept": "boriosa", @@ -7137,8 +7137,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "volup", - "Blocked" + "Blocked", + "volup" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 78cf4898f9f..c1cdc030ae9 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -25,8 +25,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", From 6e00df1399aa34f4b3b29a5b43b7c2774a468925 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 8 Jul 2020 17:18:41 +0200 Subject: [PATCH 08/19] Fixes for sonicwall parsing --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../barracuda/waf/config/liblogparser.js | 4 - .../module/barracuda/waf/test/generated.log | 134 +- .../waf/test/generated.log-expected.json | 1046 ++-- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../bluecoat/director/config/liblogparser.js | 4 - .../module/cisco/nexus/config/liblogparser.js | 4 - x-pack/filebeat/module/citrix/README.md | 2 +- .../citrix/virtualapps/config/liblogparser.js | 4 - x-pack/filebeat/module/cylance/README.md | 2 +- .../cylance/protect/config/liblogparser.js | 4 - .../module/cylance/protect/test/generated.log | 198 +- .../protect/test/generated.log-expected.json | 2917 +++++----- x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/liblogparser.js | 4 - .../module/f5/bigipapm/test/generated.log | 2 +- .../bigipapm/test/generated.log-expected.json | 146 +- .../module/f5/firepass/config/liblogparser.js | 4 - .../module/f5/firepass/test/generated.log | 120 +- .../firepass/test/generated.log-expected.json | 762 +-- .../clientendpoint/config/liblogparser.js | 4 - .../test/generated.log-expected.json | 212 +- x-pack/filebeat/module/imperva/README.md | 2 +- .../securesphere/config/liblogparser.js | 4 - .../test/generated.log-expected.json | 476 +- x-pack/filebeat/module/infoblox/README.md | 2 +- .../infoblox/nios/config/liblogparser.js | 4 - .../module/infoblox/nios/test/generated.log | 170 +- .../nios/test/generated.log-expected.json | 1296 ++--- x-pack/filebeat/module/juniper/README.md | 2 +- .../juniper/junos/config/liblogparser.js | 4 - x-pack/filebeat/module/kaspersky/README.md | 2 +- .../kaspersky/av/config/liblogparser.js | 4 - x-pack/filebeat/module/microsoft/README.md | 2 +- .../microsoft/dhcp/config/liblogparser.js | 4 - x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/config/liblogparser.js | 4 - 
.../netscout/sightline/test/generated.log | 196 +- .../test/generated.log-expected.json | 1817 +++--- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/config/liblogparser.js | 4 - x-pack/filebeat/module/rapid7/README.md | 2 +- .../rapid7/nexpose/config/liblogparser.js | 4 - .../module/rapid7/nexpose/test/generated.log | 16 +- .../nexpose/test/generated.log-expected.json | 144 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/liblogparser.js | 4 - .../sonicwall/firewall/config/pipeline.js | 4999 +++++++++-------- .../firewall/test/general.log-expected.json | 21 + .../sonicwall/firewall/test/generated.log | 200 +- .../firewall/test/generated.log-expected.json | 1984 ++++--- x-pack/filebeat/module/squid/README.md | 2 +- .../module/squid/log/config/liblogparser.js | 4 - .../squid/log/test/access1.log-expected.json | 336 +- .../squid/log/test/access2.log-expected.json | 188 +- .../squid/log/test/access3.log-expected.json | 332 +- .../squid/log/test/access4.log-expected.json | 416 +- x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/liblogparser.js | 4 - x-pack/filebeat/module/tomcat/README.md | 2 +- .../module/tomcat/log/config/liblogparser.js | 4 - x-pack/filebeat/module/zscaler/README.md | 2 +- .../module/zscaler/zia/config/liblogparser.js | 4 - .../zia/test/generated.log-expected.json | 404 +- .../zscaler/zia/test/test.log-expected.json | 4 +- 65 files changed, 9575 insertions(+), 9081 deletions(-)
diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md
index 0d6e0ec9079..b19121a13d7 100644
--- a/x-pack/filebeat/module/barracuda/README.md
+++ b/x-pack/filebeat/module/barracuda/README.md
@@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132
-at 2020-07-08 13:58:31.276421 +0000 UTC.
+at 2020-07-08 15:21:15.720395 +0000 UTC.
diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
index 80ba6449c63..560f07e7e5d 100644
--- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
+++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
@@ -1901,13 +1901,9 @@ function alternate_datetime(evt) { for (var f=0; fabo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) -2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) -26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu -2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) -2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) -uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo -24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq -ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) -2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: 
itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan -2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc -20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu -2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute -July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc -olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend -2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd -ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device 
Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib -13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae -Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit -12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat -ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi -Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam -24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex -8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum -Dec 23 12:09:07 ate4627.localdomain 
CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur -6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame -20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame -2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) -uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) -2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin) -2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) -uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu 
-Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 -30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) -14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq -iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom -2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte -2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) -11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid 
-25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo -8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni -Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu -September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute -2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea -4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide -nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, 
Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita -Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema -16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm -1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau -hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai -ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici -Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud -Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat -bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event 
Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) -Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse -Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl -2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever) -quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum -2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) -hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido -2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) -2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun -2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT 
natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui -3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati -17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) -edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine -15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo -29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia -2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug) 
-2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum -2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex -25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt -9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat -inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo -2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) -21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found 
Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin -Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme -19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate -inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio -Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem -odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv -Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum -1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External 
Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod -15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc) -isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae -2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam) -2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu) -11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu) -Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita -10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon -24-Jul-2019 8:58:48 
very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam -Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi -21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil -5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015 -19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) -Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod -Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: 
edquiac, Policy Name: sit -rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta -15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam -ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis) -14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int) +2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol,luptatUser: isiutal moenimi (mod) +Feb 26 8:15:08 mquia873.internal.invalid CylancePROTECT Event Type:tetur, Event Name:DeviceEdit, Device Name:squame, External Device Type:ntex, External Device Vendor ID:eius, External Device Name:luptat, External Device Product ID:emape, External Device Serial Number:aer, Zone Names:lupt +2016-3-12T3:17:42.minim eFini859.www5.example CylancePROTECT psumquia onsect [orsitame] Event Type: reprehe, Event Name: SystemSecurity, Device Name: quiavo, Agent Version: issusci, IP Address: (10.164.119.63, taliquip), MAC Address: (01:00:5e:86:ac:4a, tNequ), Logged On Users: (gelit), OS: tatno Zone Names: dquiac +26-March-2016 10:20:16 medium oluptas2358.internal.host ommod <aqui 2016-3-26T10:20:16.radipis 
isetq3627.api.domain CylancePROTECT magn equuntu [eos] Event Type: enimad, Event Name: SystemSecurity, Device Name: uaerat, Agent Version: boreet, IP Address: (10.155.162.162, mcolabor), MAC Address: (01:00:5e:2c:f3:52, giatq), Logged On Users: (quid), OS: fug +9-Apr-2016 5:22:51 high maveniam1399.mail.lan siutaliq <tempor 9T17:22:51.omnis antium1279.mail.test CylancePROTECT Event Name:ThreatUpdated, Device Name:rsitvolu, External Device Type:tcupida, External Device Vendor ID:niamquis, External Device Name:itati, External Device Product ID:mfu, External Device Serial Number:uid, Zone Names:atatnonp, Device Id: uiano, Policy Name: mrema +Apr 24 12:25:25 iat1852.api.localdomain CylancePROTECT Event Type:elits, Event Name:Device Policy Assigned, Device Message: Device: ipis; Policy Changed: gelits to 'tatevel', User: abilloi iam (mqua), Zone Names:atat, Device Id: quunt +8-May-2016 07:27:59 high avol7616.api.test isqu <idolore 2016-5-8T7:27:59.onse liq5883.localdomain CylancePROTECT emeumfug upta [omn] Event Type: ipsumq, Event Name: Registration, Device Name: ons, Agent Version: tessec, IP Address: (10.215.110.141, nsect), MAC Address: (01:00:5e:58:a9:90, ionul), Logged On Users: (nibus), OS: edquiano +22-May-2016 2:30:33 low aperi5160.host ipi <lupt 22T14:30:33.xea qua2945.www.local CylancePROTECT Event Name:PolicyAdd, Threat Class:modocons, Threat Subclass:elaudant, SHA256:tinvol, MD5:dolore +liquide 2016-6-5T9:33:08.uasia emp4209.host CylancePROTECT giatquov eritquii [dexeac] Event Type: Threat, Event Name: threat_found, Device Name: taut, IP Address: (10.114.138.121), File Name: imad, Path: msequi, Drive Type: isnostru, SHA256: iquaUten, MD5: santium, Status: iciatisu, Cylance Score: 0.803000, Found Date: emagnama, File Type: eprehend, Is Running: hil, Auto Run: atquovo, Detected By: suntinc, Zone Names: xeac, Is Malware: nidolo, Is Unique To Cylance: tatn, Threat Classification: eli +reetd 2016-6-20T4:35:42.lumqui itinvo7084.mail.corp CylancePROTECT equep 
iavolu [den] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: rpo, IP Address: (10.133.32.68), File Name: siarchi, Path: datatn, Drive Type: mqu, SHA256: apariat, MD5: tlabore, Status: untmolli, Cylance Score: 62.683000, Found Date: atDu, File Type: eav, Is Running: ionevo, Auto Run: remagn, Detected By: run, Zone Names: mque, Is Malware: uovolup, Is Unique To Cylance: samvolu, Threat Classification: ittenbyC +2016-7-4T11:38:16.iquipex commod3331.host CylancePROTECT bor occa [stquidol] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: leumiu, File Path: namali, Interpreter: taevit, Interpreter Version: 1.3365 (nsecte), Zone Names: itame +2016-7-18T6:40:50.rehender iae1637.local CylancePROTECT nula emseq [olestiae] Event Type: ione, Event Name: LoginSuccess, Device Names: (evita), Policy Name: suntexp, User: duntut magni (pisciv) +2-August-2016 01:43:25 medium eratv6205.internal.lan reme <uaUteni 2016-8-2T1:43:25.udantium pre2433.mail.domain CylancePROTECT sciun sBono [catc] Event Type: AuditLog, Event Name: pechange, Message: Device: edo;asiaUser: econs uir (dol) +16-Aug-2016 8:45:59 medium non3341.mail.invalid derit <atcu 16T08:45:59.labor didunt1355.corp CylancePROTECT Event Name:Device Policy Assigned, Device Name:liqu, Agent Version:eporr, IP Address: (10.238.164.29), MAC Address: (01:00:5e:32:95:80), Logged On Users: (sequam), OS:temvel, Zone Names:ris +Aug 30 3:48:33 rroquis6074.api.host CylancePROTECT Event Type:iurer, Event Name:ZoneAdd, Message: Device:autfuwas auto assigned to thegnaaliqZone:mni, User:rem +13-Sep-2016 10:51:07 low uta4901.internal.local volupt <uiinea 13T22:51:07.Utenima volupta5074.internal.localhost CylancePROTECT Event Name:LoginSuccess, Message: Device:ionevowas auto assigned tougiatnuZone:ciati, User:nto +Sep 28 5:53:42 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned tomadmiZone:tur, User:roi +imadmini 
2016/10/12T12:56:16.sauteiru mod7387.host CylancePROTECT mquame nihilmol [xercita] Event Type: AppControl, Event Name: fullaccess, Device Name: tiumt, IP Address: (10.75.99.127), Action: accept, Action Type: madmi, File Path: uidol, SHA256: mporin, Zone Names: mwrit +eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol)nve +2016-11-10T3:01:24.siutali amnih2718.internal.example CylancePROTECT tau exercita [ris] Event Type: eumiu, Event Name: SystemSecurity, Device Name: laudant, Zone Names:isnost +itess 2016/11/24T10:03:59.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui +8-December-2016 17:06:33 low gitsed4374.www5.home fugitsed <quid 2016-12-8T5:06:33.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam) +inesci 2016-12-23T12:09:07.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo +sau 2017-1-6T7:11:41.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea) +2017-1-20T2:14:16.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp) +umwrit 2017-2-3T9:16:50.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] 
Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna)ncididun +ise 2017/02/18T04:19:24.itau apariat1702.internal.local CylancePROTECT ian dolore [onsecte] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ect, IP Address: (10.41.123.102), Action: deny, Action Type: fugia, File Path: oditautf, SHA256: quatu, Zone Names: veli +2017-3-4T11:21:59.labo ulapar6827.www.local CylancePROTECT par lorin [pitl] Event Type: AuditLog, Event Name: Alert, Message: Zone: urv; Policy: ama; Value: uatur, User: adminimv odi (ptass) +2017-3-18T6:24:33.mdol itation6137.home CylancePROTECT osqui sequat [sund] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: ven; SHA256: rQu; Category: mco, User: cipitl onemulla (evitaed)inimveni +2017-4-2T1:27:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)remagn +16-Apr-2017 8:29:41 medium volupt2952.api.local esseq <boru 16T08:29:41.ptateve enderi6555.api.host CylancePROTECT Event Name:Device Policy Assigned, Threat Class:tenatuse, Threat Subclass:psaqua, SHA256:ullamcor, MD5:itationu +Apr 30 3:32:16 estl2233.api.corp CylancePROTECT Event Type:oluptat, Event Name:ZoneAdd, Device Message: Device: rure; Zones Removed: asiarchi,eaqueipsUser: qua volupta (dmi), Zone Names:untexpl +2017-5-14T10:34:50.licaboN atquo4897.mail.lan CylancePROTECT ntexpl dunt [litsedq] Event Type: DeviceControl, Event Name: threat_found, Device Name: nder, External Device Type: mdolore, External Device Vendor ID: Cic, External Device Name: olorema, External Device Product ID: mollita, External Device Serial Number: tatem, Zone Names: iae +29-May-2017 05:37:24 medium taliqui5348.mail.localdomain loremag <iatqu 2017-5-29T5:37:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, 
External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni +Jun 12 12:39:58 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium,uptateUser: lloinven econs (lmolesti), Zone Names:apariatu Device Id: lorsita +26-June-2017 19:42:33 high lupta7560.www5.localdomain ncidi <laudan 2017-6-26T7:42:33.litesseq atcupida7685.local CylancePROTECT dolores equamnih [taliqui] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: itempo,orumwUser: redol ecillum (isci) +mquisno 2017-7-11T2:45:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe +2017/07/25T09:47:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema +2017-8-8T4:50:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse +22-August-2017 23:52:50 high ici7102.www.localdomain itae <atnula 2017-8-22T11:52:50.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat +6-September-2017 06:55:24 low idunt4633.internal.host liquam <oluptat 2017/09/06T06:55:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia 
[nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu +Sep 20 1:57:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori +4-Oct-2017 9:00:32 high isiutali3575.www5.invalid Nemoenim <ide 4T21:00:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam +2017-10-19T4:03:07.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco) +itametco 2017-11-2T11:05:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod +16-Nov-2017 6:08:15 low cte4809.mail.lan uunturma <eserun 16T18:08:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore +Dec 1 1:10:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq +15-Dec-2017 8:13:24 medium arch2905.www5.home 
ror <doei 15T08:13:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint +2017-12-29T3:15:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +hilmole 2018-1-12T10:18:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido +2018-1-27T5:21:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt) +Feb 10 12:23:41 umd3889.api.localhost CylancePROTECT Event Type:dat, Event Name:threat_quarantined, Message: Provider:saquaea, Source IP:10.10.178.151, User: uames tconsec (issus) +2018/02/24T19:26:15.caecat cusanti5019.api.home CylancePROTECT quisn rem [ulamcola] Event Type: AppControl, Event Name: ZoneAdd, Device Name: llita, IP Address: (10.117.150.156), Action: block, Action Type: uredol, File Path: maliqua, SHA256: mcorpori, Zone Names: orisn +11-March-2018 02:28:49 very-high cta5536.mail.localdomain atem <cti 2018-3-11T2:28:49.ommodoc nse3544.local CylancePROTECT tvolu dutper [tlaboru] Event Type: aeabillo, Event Name: fullaccess, Device Name: equuntu, Agent Version: quamni, IP Address: (10.186.8.127), MAC Address: (01:00:5e:bf:58:62), Logged On Users: (boreet), OS: luptasnu Zone Names: ento +Mar 25 9:31:24 ovolupta1238.internal.localdomain CylancePROTECT Event Type:ametcon, Event Name: SystemSecurity, Device Name: beat, IP Address: (10.202.89.144), Action: block, Process ID: 6944, Process Name: qua.exe, User Name: iarchite, Violation Type: emsequi, Zone Names:ueporroq, Device Id: ute +8-April-2018 16:33:58 high 
Bonoru1396.api.invalid rumSecti <adipi 2018-4-8T4:33:58.mquis ratvo1100.www.home CylancePROTECT oluptas nderiti [uatu] Event Type: olupta, Event Name: ZoneAdd, Device Names: (orem), Policy Name: giatqu, User: rsint rsi (paq) +onse 2018-4-22T11:36:32.sitam inibusBo1209.www.example CylancePROTECT ddoe uid [amnis] Event Type: AuditLog, Event Name: DeviceEdit, Message: sse, User: ihilm incidi (aedictas) +7-May-2018 06:39:06 low urEx4545.local abore <oreeu 2018-5-7T6:39:06.mea ssec5390.api.example CylancePROTECT emi reprehen [tvol] Event Type: ptat, Event Name: threat_found, Threat Class: tdolo, Threat Subclass: sequatD, SHA256: eleumi, MD5: equ +etc 2018-5-21T1:41:41.eturadip nost5395.www.localhost CylancePROTECT edol sequuntu [quameius] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: nima; SHA256: totamrem; Category: aliqu, User: taedict orum (nsequat)orsitam +2018-6-4T8:44:15.oidentsu oditau3188.internal.home CylancePROTECT temqui lup [aeca] Event Type: AuditLog, Event Name: Registration, Message: Provider: autemv, Source IP: 10.16.200.216, User: eirure boreetd (tNe) +19-June-2018 03:46:49 low asper311.www.corp inibus <ctobeat 2018-6-19T3:46:49.onsec idestl1167.domain CylancePROTECT itanimi onoru [data] Event Type: ScriptControl, Event Name: pechange, Device Name: eosqui, File Path: dipisciv, Interpreter: uam, Interpreter Version: 1.2575 (llum), Zone Names: mwr +3-July-2018 10:49:23 low pitlabo3498.www.localdomain ntmollit <ionofdeF 2018-7-3T10:49:23.rsp imipsa5374.corp CylancePROTECT ionevo llitani [uscipit] Event Type: luptat, Event Name: threat_changed, Device Name: etco +17-July-2018 17:51:58 medium eumiu5172.internal.domain rehen <ptat 2018-7-17T5:51:58.mipsu velillu827.www5.domain CylancePROTECT rsitamet leumiur [ssequamn] Event Type: ExploitAttempt, Event Name: ZoneAddDevice, Device Name: olesti, IP Address: (10.221.20.165), Action: accept, Process ID: 7294, Process Name: ritquiin.exe, User Name: reseo, Violation Type: amco, Zone Names: 
ons +2018-8-1T12:54:32.epreh psaqu5224.api.home CylancePROTECT temporin uam [rudexerc] Event Type: ScriptControl, Event Name: SyslogSettingsSave, Device Name: lor, File Path: nvolupt, Interpreter: dquia, Interpreter Version: 1.5334, Zone Names: bori, User Name: dipi +2018-8-15T7:57:06.ite itse1458.www.example CylancePROTECT lupt quatur [dminim] Event Type: ScriptControl, Event Name: threat_quarantined, Device Name: ipsa, File Path: con, Interpreter: eirured, Interpreter Version: 1.3772 (tatiset), Zone Names: quira, User Name: ciatisun +29-Aug-2018 2:59:40 very-high audant5631.www5.local minimve <entorev 29T14:59:40.quuntur olup3841.mail.invalid CylancePROTECT Event Name: threat_changed, Device Name: aerat, IP Address: (10.152.213.228), Action: deny, Process ID: 2571, Process Name: iatquo.exe, User Name: temp, Violation Type: oinvento, Zone Names:ali, Device Id: udexerci +emullam 2018-9-12T10:02:15.quido llo1106.internal.localhost CylancePROTECT assi rch [psa] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: atione,tvolupUser: oremeu lab (lla) +oeiusm 2018-9-27T5:04:49.Excepteu mco6956.internal.test CylancePROTECT lorese teturadi [radipi] Event Type: ScriptControl, Event Name: ZoneAdd, Device Name: upidatat, File Path: mod, Interpreter: niamqui, Interpreter Version: 1.7696, Zone Names: xeaco, User Name: taliqu +2018-10-11T12:07:23.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute +2018-10-25T7:09:57.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat)uredo +9-Nov-2018 2:12:32 medium dminimv2485.internal.host rep <docons 9T02:12:32.emipsumq orinr5248.mail.home CylancePROTECT Event Name: DeviceRemove, Device Name: tass, IP Address: (10.94.129.251), Action: accept, Process ID: 782, Process Name: umquiad.exe, User Name: porinc, Violation Type: uameiu, Zone Names:quiado 
+23-November-2018 09:15:06 medium mvol3890.localhost reh <tcons 2018-11-23T9:15:06.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill;imveniamUser: sunte exerc (tasu) +Dec 7 4:17:40 rcit7003.www5.host CylancePROTECT Event Type:orese, Event Name:threat_found, Device Name:eiusm, Agent Version:oremipsu, IP Address: (10.205.246.104), MAC Address: (01:00:5e:55:3b:e8), Logged On Users: (mto), OS:iae, Zone Names:dent +2018-12-21T11:20:14.itse lapari2702.www.test CylancePROTECT exeaco upta [ivel] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:reprehe; Devices: deFinib , User: edqui oreseosq (corporis) +5-Jan-2019 6:22:49 very-high byCice3357.mail.localhost cin <amestq 5T06:22:49.emvele tNeq5705.home CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: sper Agent Self Protection Level Changed: 'dic' to 'mfugiat', User: magnido liqu (dolor),ingZone Names: amal Device Id: aliq +19-Jan-2019 1:25:23 high conse3977.www.lan giatqu <roid 19T13:25:23.lorum iin1665.api.localdomain CylancePROTECT Event Name:threat_quarantined, Device Message: Device: iat; Policy Changed: orain to 'equaturQ', User: llu quaUt (labor), Zone Names:oris, Device Id: tatemse +2-Feb-2019 8:27:57 medium tincul407.corp amq <lab 2T20:27:57.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid +untur 2019/02/17T03:30:32.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta +2019-3-3T10:33:06.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), 
Zone Names: itati, User Name: nostrude +ecillum 2019-3-17T5:35:40.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim +Apr 1 12:38:14 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele +Apr 15 7:40:49 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu +2019-4-29T2:43:23.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam +May 13 9:45:57 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup +ecatcup 2019-5-28T4:48:31.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu +2019-6-11T11:51:06.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen) +tatevel 2019-6-25T6:53:40.itin tam942.api.host 
CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass) +veli 2019-7-10T1:56:14.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo) +24-July-2019 08:58:48 medium ocons2813.mail.lan natu <acomm 2019-7-24T8:58:48.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)lamcol +olupta 2019-8-7T4:01:23.emveleum modtempo3314.www5.test CylancePROTECT sequa erc [isq] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: epteurs was auto assigned to the Zone: IP Address: 10.171.165.221, User: (itvo) +21-Aug-2019 11:03:57 low ssequa930.domain eritquii <ecatcu 21T23:03:57.entoreve ion3339.www.localdomain CylancePROTECT Event Name:Alert, Message: Provider:tionev, Source IP:10.198.44.231, User: eni cte (ariatu) +2019-9-5T6:06:31.risnisiu ten5320.test CylancePROTECT siar orisnis [texp] Event Type: ScriptControl, Event Name: threat_changed, Device Name: hend, File Path: ema, Interpreter: ents, Interpreter Version: 1.1903, Zone Names: aliqua, User Name: officiad +onsecte 2019-9-19T1:09:05.inibusBo tqui99.mail.example CylancePROTECT prehende vitaedic [remip] Event Type: AuditLog, Event Name: Device Updated, Message: Device: sauteir; SHA256: CSe, User: olorsita midest (uta)olupta +3-October-2019 20:11:40 low tali7426.invalid reprehen <tocca 2019-10-3T8:11:40.tinvolu ecatc3925.lan CylancePROTECT quin adipisc [sedqui] Event Type: ueporroq, Event Name: fullaccess, Device Names: (eetdol), Policy Name: tia, User: lup inimav (dolor) +18-October-2019 03:14:14 medium dex4759.mail.local uredo <untutla 2019-10-18T3:14:14.iame rrorsi3220.lan CylancePROTECT amestqu luptas [ariatu] Event Type: 
psumqui, Event Name: SyslogSettingsSave, Device Name: empor, Agent Version: ate, IP Address: (10.234.254.96), MAC Address: (01:00:5e:e8:80:20), Logged On Users: (orem), OS: dquian Zone Names: isaute +1-November-2019 10:16:48 high ula5189.host ntocca <adolorsi 2019-11-1T10:16:48.lupt uis6796.mail.example CylancePROTECT aecatc taevita [eseosqu] Event Type: redolo, Event Name: threat_changed, Threat Class: ivelit, Threat Subclass: lumqu, SHA256: dolore, MD5: isnost +uianonnu 2019-11-15T5:19:22.ntNeque magnidol1024.api.test CylancePROTECT aaliq tDui [ernatur] Event Type: DeviceControl, Event Name: SyslogSettingsSave, Device Name: atcupi, External Device Type: xeacomm, External Device Vendor ID: tla, External Device Name: itaspe, External Device Product ID: xerc, External Device Serial Number: uaeabill, Zone Names: uioffici +30-November-2019 00:21:57 very-high tesseq6251.mail.host adipisci <ptatema 2019-11-30T12:21:57.poriss enatus6421.internal.home CylancePROTECT ficiad saquaea [archi] Event Type: AuditLog, Event Name: SystemSecurity, Message: Policy: imadm; SHA256: ugiat; Category: ius, User: msequ ciatisun (Ute)eddoe +2019-12-14T7:24:31.uasi quaeabi5701.host CylancePROTECT mave essecill [eprehe] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: tMaloru; SHA256: rum; Category: utoditau, User: ptassita ionemul (orema)its diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index 8ed14fe22c2..3470886bbe5 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
@@ -39,7 +39,7 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", + "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol,luptatUser: isiutal moenimi (mod)", "fileset.name": "protect", "host.name": "volup208.invalid", "input.type": "log", @@ -47,14 +47,14 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "luptat", - "rsa.identity.lastname": "isiutal", + "rsa.identity.firstname": "isiutal", + "rsa.identity.lastname": "moenimi", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "moenimi", + "rsa.misc.mail_id": "mod", "rsa.misc.node": "vol", "rsa.network.alias_host": [ "volup208.invalid" 
@@ -68,30 +68,26 @@ }, { "@timestamp": "2020-02-26T10:15:08.000Z", - "event.category": "Alert", + "event.category": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu", + "event.original": "Feb 26 8:15:08 mquia873.internal.invalid CylancePROTECT Event Type:tetur, Event Name:DeviceEdit, Device Name:squame, External Device Type:ntex, External Device Vendor ID:eius, External Device Name:luptat, External Device Product ID:emape, External Device Serial Number:aer, Zone Names:lupt", "fileset.name": "protect", - "host.name": "eius6159.www5.localhost", "input.type": "log", - "log.offset": 453, + "log.offset": 455, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "temvel", - "rsa.identity.firstname": "lupt", - "rsa.identity.lastname": "tia", + "rsa.db.index": "lupt", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.device_name": "aer", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "oloremqu", - "rsa.network.alias_host": [ - "eius6159.www5.localhost" - ], + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "tetur", + "rsa.misc.device_name": "ntex", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "squame", + "rsa.misc.serial_number": "aer", "rsa.time.event_time": "2020-02-26T10:15:08.000Z", "service.type": "cylance", "tags": [ 
@@ -105,107 +101,113 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", + "event.original": "2016-3-12T3:17:42.minim eFini859.www5.example CylancePROTECT psumquia onsect [orsitame] Event Type: reprehe, Event Name: SystemSecurity, Device Name: quiavo, Agent Version: issusci, IP Address: (10.164.119.63, taliquip), MAC Address: (01:00:5e:86:ac:4a, tNequ), Logged On Users: (gelit), OS: tatno Zone Names: dquiac", "fileset.name": "protect", - "host.name": "ratvolup497.www.corp", + "host.name": "eFini859.www5.example", "input.type": "log", - "log.offset": 690, + "log.offset": 745, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ommodic", - "rsa.identity.firstname": "mipsu", - "rsa.identity.lastname": "consec", + "related.ip": [ + "10.164.119.63" + ], + "rsa.db.index": "dquiac", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", + "rsa.investigations.event_vcat": "reprehe", + "rsa.misc.OS": "tatno", "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "taliquip", + "rsa.misc.node": "quiavo", "rsa.network.alias_host": [ - "ratvolup497.www.corp" + "eFini859.www5.example" ], + "rsa.network.eth_host": "01:00:5e:86:ac:4a", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "cylance", + "source.ip": [ + "10.164.119.63" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "gelit" ] }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "event.category": "Alert", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - 
"event.original": "2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", + "event.original": "26-March-2016 10:20:16 medium oluptas2358.internal.host ommod <aqui 2016-3-26T10:20:16.radipis isetq3627.api.domain CylancePROTECT magn equuntu [eos] Event Type: enimad, Event Name: SystemSecurity, Device Name: uaerat, Agent Version: boreet, IP Address: (10.155.162.162, mcolabor), MAC Address: (01:00:5e:2c:f3:52, giatq), Logged On Users: (quid), OS: fug", "fileset.name": "protect", - "host.name": "tatno5625.api.local", + "host.name": "isetq3627.api.domain", "input.type": "log", - "log.offset": 869, - "observer.product": "taliqu", + "log.offset": 1062, + "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "tur", - "rsa.identity.lastname": "aperi", + "related.ip": [ + "10.155.162.162" + ], "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "ommod", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "iveli", - "rsa.misc.result": "failure", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "enimad", + "rsa.misc.OS": "fug", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "uaerat", "rsa.network.alias_host": [ - "tatno5625.api.local" + "isetq3627.api.domain" ], + "rsa.network.eth_host": "01:00:5e:2c:f3:52", "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "cylance", + "source.ip": [ + "10.155.162.162" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "quid" ] }, { - "@timestamp": "2016-04-09T07:22:51.000Z", - "event.category": "SystemSecurity", + "@timestamp": 
"2020-04-09T07:22:51.000Z", + "event.category": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo", + "event.original": "9-Apr-2016 5:22:51 high maveniam1399.mail.lan siutaliq <tempor 9T17:22:51.omnis antium1279.mail.test CylancePROTECT Event Name:ThreatUpdated, Device Name:rsitvolu, External Device Type:tcupida, External Device Vendor ID:niamquis, External Device Name:itati, External Device Product ID:mfu, External Device Serial Number:uid, Zone Names:atatnonp, Device Id: uiano, Policy Name: mrema ", "fileset.name": "protect", - "host.name": "maveniam1399.mail.lan", + "host.name": "antium1279.mail.test", "input.type": "log", - "log.offset": 1075, + "log.offset": 1426, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.124.61.119" - ], - "rsa.db.index": "reetdolo", + "rsa.db.index": "atatnonp, Device Id: uiano, Policy Name: mrema", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "omnis", - "rsa.misc.OS": "ect", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "eip", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "tcupida", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "rsitvolu", + "rsa.misc.serial_number": "uid", "rsa.network.alias_host": [ - "maveniam1399.mail.lan" + "antium1279.mail.test" ], - "rsa.network.eth_host": "01:00:5e:dc:bb:8b", - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + 
"rsa.time.event_time": "2020-04-09T07:22:51.000Z", "service.type": "cylance", - "source.ip": [ - "10.124.61.119" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "occ" ] }, { @@ -214,26 +216,24 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq", + "event.original": "Apr 24 12:25:25 iat1852.api.localdomain CylancePROTECT Event Type:elits, Event Name:Device Policy Assigned, Device Message: Device: ipis; Policy Changed: gelits to 'tatevel', User: abilloi iam (mqua), Zone Names:atat, Device Id: quunt", "fileset.name": "protect", - "host.name": "nimadmin6499.local", "input.type": "log", - "log.offset": 1370, + "log.offset": 1819, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "lorem", - "rsa.identity.firstname": "urerep", - "rsa.identity.lastname": "aquaeab", + "rsa.db.index": "atat", + "rsa.identity.firstname": "abilloi", + "rsa.identity.lastname": "iam", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502000000, "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.device_name": "dexe", + "rsa.investigations.event_vcat": "elits", + "rsa.misc.device_name": "ipis", "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "liqu", - "rsa.network.alias_host": [ - "nimadmin6499.local" - ], + "rsa.misc.mail_id": "mqua", + "rsa.misc.policy_name": "tatevel", "rsa.time.event_time": "2020-04-24T14:25:25.000Z", "service.type": "cylance", "tags": [ 
@@ -243,96 +243,98 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "event.category": "ThreatUpdated", + "event.category": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) ", + "event.original": "8-May-2016 07:27:59 high avol7616.api.test isqu <idolore 2016-5-8T7:27:59.onse liq5883.localdomain CylancePROTECT emeumfug upta [omn] Event Type: ipsumq, Event Name: Registration, Device Name: ons, Agent Version: tessec, IP Address: (10.215.110.141, nsect), MAC Address: (01:00:5e:58:a9:90, ionul), Logged On Users: (nibus), OS: edquiano", "fileset.name": "protect", - "host.name": "suntinc4934.www5.test", + "host.name": "liq5883.localdomain", "input.type": "log", - "log.offset": 1612, + "log.offset": 2054, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "dmi", - "rsa.identity.lastname": "olab", + "related.ip": [ + "10.215.110.141" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "uovol", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "mquisnos", - "rsa.misc.policy_name": "uptatev; SHA256: uovol", + "rsa.investigations.event_vcat": "ipsumq", + "rsa.misc.OS": "edquiano", + "rsa.misc.event_type": "Registration", + "rsa.misc.node": "ons", "rsa.network.alias_host": [ - "suntinc4934.www5.test" + "liq5883.localdomain" ], + "rsa.network.eth_host": "01:00:5e:58:a9:90", "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "cylance", + "source.ip": [ + "10.215.110.141" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ 
+ "nibus" ] }, { - "@timestamp": "2016-05-22T04:30:33.000Z", - "event.category": "SystemSecurity", + "@timestamp": "2020-05-22T04:30:33.000Z", + "event.category": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", - "file.directory": "aspern", + "event.original": "22-May-2016 2:30:33 low aperi5160.host ipi <lupt 22T14:30:33.xea qua2945.www.local CylancePROTECT Event Name:PolicyAdd, Threat Class:modocons, Threat Subclass:elaudant, SHA256:tinvol, MD5:dolore", "fileset.name": "protect", - "host.name": "reetdolo2451.www.example", + "host.name": "qua2945.www.local", "input.type": "log", - "log.offset": 1815, - "network.application": "itlabori", + "log.offset": 2397, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.2344", - "rsa.db.index": "ollit", + "rsa.crypto.sig_type": "modocons", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "llam", - "rsa.misc.version": "1.2344", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.checksum": "tinvol", + "rsa.misc.event_type": "PolicyAdd", "rsa.network.alias_host": [ - "reetdolo2451.www.example" + "qua2945.www.local" ], - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.event_time": "2020-05-22T04:30:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "usan" ] }, { "@timestamp": "2016-06-05T11:33:08.000Z", - "event.category": "Registration", + 
"event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", + "event.original": "liquide 2016-6-5T9:33:08.uasia emp4209.host CylancePROTECT giatquov eritquii [dexeac] Event Type: Threat, Event Name: threat_found, Device Name: taut, IP Address: (10.114.138.121), File Name: imad, Path: msequi, Drive Type: isnostru, SHA256: iquaUten, MD5: santium, Status: iciatisu, Cylance Score: 0.803000, Found Date: emagnama, File Type: eprehend, Is Running: hil, Auto Run: atquovo, Detected By: suntinc, Zone Names: xeac, Is Malware: nidolo, Is Unique To Cylance: tatn, Threat Classification: eli ", "fileset.name": "protect", - "host.name": "uis7612.www5.domain", + "host.name": "emp4209.host", "input.type": "log", - "log.offset": 2075, + "log.offset": 2602, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "rsa.db.index": " xeac, Is Malware: nidolo, Is Unique To Cylance: tatn, Threat Classification: eli", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "emeumfug", - "rsa.misc.event_type": "Registration", + "rsa.investigations.event_vcat": "Threat", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "taut, IP Address: (10.114.138.121), File Name: imad, Path: msequi, Drive Type: isnostru, SHA256: iquaUten, MD5: santium, Status: iciatisu, Cylance Score: 0.803000, Found Date: emagnama, File Type: eprehend, Is Running: hil, Auto Run: atquovo, Detected By: suntinc", "rsa.network.alias_host": [ - "uis7612.www5.domain" + "emp4209.host" ], "rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "cylance", 
@@ -342,32 +344,30 @@ ] }, { - "@timestamp": "2020-06-20T06:35:42.000Z", - "event.category": "DeviceRemove", + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.category": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", + "event.original": "reetd 2016-6-20T4:35:42.lumqui itinvo7084.mail.corp CylancePROTECT equep iavolu [den] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: rpo, IP Address: (10.133.32.68), File Name: siarchi, Path: datatn, Drive Type: mqu, SHA256: apariat, MD5: tlabore, Status: untmolli, Cylance Score: 62.683000, Found Date: atDu, File Type: eav, Is Running: ionevo, Auto Run: remagn, Detected By: run, Zone Names: mque, Is Malware: uovolup, Is Unique To Cylance: samvolu, Threat Classification: ittenbyC ", "fileset.name": "protect", - "host.name": "admi3749.api.lan", + "host.name": "itinvo7084.mail.corp", "input.type": "log", - "log.offset": 2211, + "log.offset": 3106, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "nimadmin", - "rsa.identity.firstname": "iqui", - "rsa.identity.lastname": "etc", + "rsa.db.index": " mque, Is Malware: uovolup, Is Unique To Cylance: samvolu, Threat Classification: ittenbyC", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.misc.device_name": "tinvol", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.mail_id": "etM", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "Threat", + 
"rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "rpo, IP Address: (10.133.32.68), File Name: siarchi, Path: datatn, Drive Type: mqu, SHA256: apariat, MD5: tlabore, Status: untmolli, Cylance Score: 62.683000, Found Date: atDu, File Type: eav, Is Running: ionevo, Auto Run: remagn, Detected By: run", "rsa.network.alias_host": [ - "admi3749.api.lan" + "itinvo7084.mail.corp" ], - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -376,76 +376,68 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.category": "fullaccess", + "event.category": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", - "file.directory": "Nemoen", + "event.original": "2016-7-4T11:38:16.iquipex commod3331.host CylancePROTECT bor occa [stquidol] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: leumiu, File Path: namali, Interpreter: taevit, Interpreter Version: 1.3365 (nsecte), Zone Names: itame", + "file.directory": "namali", "fileset.name": "protect", - "host.name": "rudexerc703.internal.host", + "host.name": "commod3331.host", "input.type": "log", - "log.offset": 2488, - "network.application": "tfug", + "log.offset": 3609, + "network.application": "taevit", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.5383", - "rsa.db.index": "urE", + "observer.version": "1.3365", + "rsa.db.index": "itame", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "onproide", - "rsa.misc.version": "1.5383", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "leumiu", + "rsa.misc.version": "1.3365", "rsa.network.alias_host": [ - "rudexerc703.internal.host" + "commod3331.host" ], "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "cylance", "tags": [ 
"cylance.protect", "forwarded" - ], - "user.name": [ - "isaute" ] }, { - "@timestamp": "2016-07-18T20:40:00.000Z", - "event.action": "cancel", - "event.category": "threat_found", + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.category": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", - "file.directory": "Lor", + "event.original": "2016-7-18T6:40:50.rehender iae1637.local CylancePROTECT nula emseq [olestiae] Event Type: ione, Event Name: LoginSuccess, Device Names: (evita), Policy Name: suntexp, User: duntut magni (pisciv)", "fileset.name": "protect", + "host.name": "iae1637.local", "input.type": "log", - "log.offset": 2755, + "log.offset": 3856, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.199.98.186" - ], - "rsa.db.index": "erc", + "rsa.identity.firstname": "duntut", + "rsa.identity.lastname": "magni", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "cancel" + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": "ione", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "pisciv", + "rsa.misc.node": "evita", + "rsa.misc.policy_name": "suntexp", + "rsa.network.alias_host": [ + "iae1637.local" ], - "rsa.misc.checksum": "itecto", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "sequatur", - "rsa.time.event_time": 
"2016-07-18T20:40:00.000Z", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", "service.type": "cylance", - "source.ip": [ - "10.199.98.186" - ], "tags": [ "cylance.protect", "forwarded" 
@@ -453,27 +445,29 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "event.category": "LoginSuccess", + "event.category": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend ", + "event.original": "2-August-2016 01:43:25 medium eratv6205.internal.lan reme <uaUteni 2016-8-2T1:43:25.udantium pre2433.mail.domain CylancePROTECT sciun sBono [catc] Event Type: AuditLog, Event Name: pechange, Message: Device: edo;asiaUser: econs uir (dol)", "fileset.name": "protect", - "host.name": "estqu1709.internal.example", + "host.name": "pre2433.mail.domain", "input.type": "log", - "log.offset": 3048, + "log.offset": 4051, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", + "rsa.identity.firstname": "econs", + "rsa.identity.lastname": "uir", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, 
Detected By: deFinibu", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "dol", + "rsa.misc.node": "edo", "rsa.network.alias_host": [ - "estqu1709.internal.example" + "pre2433.mail.domain" ], "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "cylance", 
@@ -483,119 +477,98 @@ ] }, { - "@timestamp": "2016-08-16T10:45:59.000Z", - "event.category": "Alert", + "@timestamp": "2019-08-16T10:45:59.000Z", + "event.category": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", + "event.original": "16-Aug-2016 8:45:59 medium non3341.mail.invalid derit <atcu 16T08:45:59.labor didunt1355.corp CylancePROTECT Event Name:Device Policy Assigned, Device Name:liqu, Agent Version:eporr, IP Address: (10.238.164.29), MAC Address: (01:00:5e:32:95:80), Logged On Users: (sequam), OS:temvel, Zone Names:ris", "fileset.name": "protect", - "host.name": "xeac7155.www.localdomain", + "host.name": "didunt1355.corp", "input.type": "log", - "log.offset": 3565, + "log.offset": 4298, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.143.239.210" + "10.238.164.29" ], - "rsa.db.index": "sedd", + "rsa.db.index": "ris", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "pida", - "rsa.misc.OS": "mnisist", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "idolor", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.OS": "temvel", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "liqu", "rsa.network.alias_host": [ - "xeac7155.www.localdomain" + "didunt1355.corp" ], - "rsa.network.eth_host": "01:00:5e:93:1c:9f", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.network.eth_host": 
"01:00:5e:32:95:80", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", "service.type": "cylance", "source.ip": [ - "10.143.239.210" + "10.238.164.29" ], "tags": [ "cylance.protect", "forwarded" ], "user.name": [ - "oinBCSe" + "sequam" ] }, { - "@timestamp": "2016-08-30T05:48:33.000Z", - "event.action": "accept", - "event.category": "Alert", + "@timestamp": "2019-08-30T05:48:33.000Z", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", + "event.original": "Aug 30 3:48:33 rroquis6074.api.host CylancePROTECT Event Type:iurer, Event Name:ZoneAdd, Message: Device:autfuwas auto assigned to thegnaaliqZone:mni, User:rem", "fileset.name": "protect", - "host.name": "maccusa5126.api.domain", "input.type": "log", - "log.offset": 3856, + "log.offset": 4604, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "aliqu.exe", - "process.pid": 2289, - "related.ip": [ - "10.32.143.134" - ], - "rsa.db.index": "eFinib", + "rsa.identity.firstname": "rem", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "olorema", - "rsa.misc.policy_name": "mipsumd", - "rsa.network.alias_host": [ - "maccusa5126.api.domain" - ], - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "iurer", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.node": "autfu", + "rsa.network.zone": "mni", + "rsa.time.event_time": "2019-08-30T05:48:33.000Z", "service.type": "cylance", - "source.ip": [ - "10.32.143.134" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "olupta" ] }, { "@timestamp": "2019-09-13T12:51:07.000Z", - "event.category": "DeviceEdit", + "event.category": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", + "event.original": "13-Sep-2016 10:51:07 low uta4901.internal.local volupt <uiinea 13T22:51:07.Utenima volupta5074.internal.localhost CylancePROTECT Event Name:LoginSuccess, Message: Device:ionevowas auto assigned tougiatnuZone:ciati, User:nto", "fileset.name": "protect", - "host.name": "llu4718.localhost", + "host.name": "volupta5074.internal.localhost", "input.type": "log", - "log.offset": 4161, + "log.offset": 4764, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "psaquae", + "rsa.identity.firstname": "nto", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "oidentsu", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "conseq", - "rsa.misc.serial_number": "ern", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ionevo", "rsa.network.alias_host": [ - 
"llu4718.localhost" + "volupta5074.internal.localhost" ], + "rsa.network.zone": "ciati", "rsa.time.event_time": "2019-09-13T12:51:07.000Z", "service.type": "cylance", "tags": [ @@ -605,28 +578,25 @@ }, { "@timestamp": "2019-09-28T07:53:42.000Z", - "event.category": "DeviceRemove", + "event.category": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", + "event.original": "Sep 28 5:53:42 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned tomadmiZone:tur, User:roi", "fileset.name": "protect", "input.type": "log", - "log.offset": 4506, + "log.offset": 4996, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ari", - "rsa.identity.firstname": "rinrepre", - "rsa.identity.lastname": "etconse", + "rsa.identity.firstname": "roi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "stquidol", - "rsa.misc.device_name": "leumiu", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.mail_id": "tincu", - "rsa.misc.policy_name": "taevit", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "quinesc", + "rsa.network.zone": "tur", "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "service.type": "cylance", "tags": [ 
@@ -636,30 +606,42 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "event.category": "ZoneAddDevice", + "event.action": "accept", + "event.category": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", + "event.original": "imadmini 2016/10/12T12:56:16.sauteiru mod7387.host CylancePROTECT mquame nihilmol [xercita] Event Type: AppControl, Event Name: fullaccess, Device Name: tiumt, IP Address: (10.75.99.127), Action: accept, Action Type: madmi, File Path: uidol, SHA256: mporin, Zone Names: mwrit", + "file.directory": "uidol", "fileset.name": "protect", - "host.name": "eaq908.api.home", + "host.name": "mod7387.host", "input.type": "log", - "log.offset": 4739, + "log.offset": 5174, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "equat", + "related.ip": [ + "10.75.99.127" + ], + "rsa.db.index": "mwrit", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "tNequepo", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.node": "luptasn", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "mporin", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "tiumt", "rsa.network.alias_host": [ - "eaq908.api.home" + "mod7387.host" ], "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "cylance", + "source.ip": [ + "10.75.99.127" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -667,137 +649,140 @@ }, { "@timestamp": "2016-10-26T09:58:50.000Z", - "event.category": "DeviceRemove", + "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", - "file.directory": "olor", + "event.original": "eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol)nve ", "fileset.name": "protect", - "host.name": "mcolab379.internal.home", + "host.name": "xeacomm1940.localhost", "input.type": "log", - "log.offset": 4993, - "network.application": "Neque", + "log.offset": 5450, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.4129", - "rsa.db.index": "iutali", + "rsa.identity.firstname": "tatemUt", + "rsa.identity.lastname": "modtemp", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "tper", - "rsa.misc.version": "1.4129", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "lup", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.mail_id": "quovol", + "rsa.misc.node": "ine", "rsa.network.alias_host": [ - "mcolab379.internal.home" + "xeacomm1940.localhost" ], "rsa.time.event_time": "2016-10-26T09:58:50.000Z", "service.type": "cylance", "tags": 
[ "cylance.protect", "forwarded" - ], - "user.name": [ - "fdeFi" ] }, { - "@timestamp": "2019-11-10T05:01:24.000Z", - "event.category": "threat_quarantined", + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", + "event.original": "2016-11-10T3:01:24.siutali amnih2718.internal.example CylancePROTECT tau exercita [ris] Event Type: eumiu, Event Name: SystemSecurity, Device Name: laudant, Zone Names:isnost", "fileset.name": "protect", + "host.name": "amnih2718.internal.example", "input.type": "log", - "log.offset": 5270, + "log.offset": 5659, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.237.205.140" - ], - "rsa.db.index": "veniam", + "rsa.db.index": "isnost", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "boN", - "rsa.misc.OS": "iduntu", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "ectio", - "rsa.network.eth_host": "01:00:5e:3f:c4:6c", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", - "service.type": "cylance", - "source.ip": [ - "10.237.205.140" + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "eumiu", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "laudant", + "rsa.network.alias_host": [ + "amnih2718.internal.example" ], + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - 
], - "user.name": [ - "uames" ] }, { - "@timestamp": "2019-11-24T12:03:59.000Z", - "event.category": "LoginSuccess", + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.action": "block", + "event.category": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex", + "event.original": "itess 2016/11/24T10:03:59.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui", + "file.directory": "ineavo", "fileset.name": "protect", - "host.name": "sciun4694.api.lan", + "host.name": "ofdeFini4153.mail.localhost", "input.type": "log", - "log.offset": 5529, + "log.offset": 5834, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "enderit", - "rsa.identity.firstname": "idata", - "rsa.identity.lastname": "rumwritt", + "related.ip": [ + "10.82.173.5" + ], + "rsa.db.index": "niamqui", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.device_name": "nsect", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "magnid", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "pexe", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "oremi", "rsa.network.alias_host": [ - "sciun4694.api.lan" + "ofdeFini4153.mail.localhost" 
], - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "cylance", + "source.ip": [ + "10.82.173.5" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-12-08T07:06:33.000Z", - "event.category": "pechange", + "@timestamp": "2016-12-08T07:06:33.000Z", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", + "event.original": "8-December-2016 17:06:33 low gitsed4374.www5.home fugitsed <quid 2016-12-8T5:06:33.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam)", "fileset.name": "protect", - "host.name": "mni7200.mail.localdomain", + "host.name": "atisun6373.mail.localhost", "input.type": "log", - "log.offset": 5774, + "log.offset": 6119, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "uisau", + "rsa.identity.firstname": "rnatur", + "rsa.identity.lastname": "ofdeFin", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "pechange", - "rsa.misc.node": "idolor", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "atatn", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "essequam", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "mni7200.mail.localdomain" + "atisun6373.mail.localhost" ], - "rsa.time.event_time": "2019-12-08T07:06:33.000Z", + 
"rsa.time.event_time": "2016-12-08T07:06:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -805,96 +790,103 @@ ] }, { - "@timestamp": "2019-12-23T14:09:07.000Z", - "event.category": "Device Policy Assigned", + "@timestamp": "2016-12-23T14:09:07.000Z", + "event.category": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", + "event.original": "inesci 2016-12-23T12:09:07.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo", + "file.directory": "rpori", "fileset.name": "protect", + "host.name": "ritatise4412.mail.localdomain", "input.type": "log", - "log.offset": 5975, + "log.offset": 6396, + "network.application": "ice", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "tur", + "observer.version": "1.1645", + "rsa.db.index": "entorev", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "officiad", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "quinesc", - "rsa.network.zone": "madmi", - "rsa.time.event_time": "2019-12-23T14:09:07.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "Registration", + "rsa.misc.node": "cusant", + "rsa.misc.version": "1.1645", + "rsa.network.alias_host": [ + "ritatise4412.mail.localdomain" + ], + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "commodo" ] }, { "@timestamp": 
"2017-01-06T09:11:41.000Z", - "event.category": "Alert", + "event.category": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", - "file.directory": "orro", + "event.original": "sau 2017-1-6T7:11:41.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea)", "fileset.name": "protect", - "host.name": "ntoccae1705.internal.invalid", + "host.name": "meius3932.internal.example", "input.type": "log", - "log.offset": 6152, - "network.application": "tae", + "log.offset": 6672, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3212", - "rsa.db.index": "tlab", + "rsa.db.index": "stenatu", + "rsa.identity.firstname": "siutaliq", + "rsa.identity.lastname": "dutp", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "sBon", - "rsa.misc.version": "1.3212", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "psaquaea", + "rsa.misc.policy_name": "isiuta", "rsa.network.alias_host": [ - "ntoccae1705.internal.invalid" + "meius3932.internal.example" ], "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], 
- "user.name": [ - "aperiame" ] }, { - "@timestamp": "2020-01-20T04:14:16.000Z", - "event.category": "PolicyAdd", + "@timestamp": "2017-01-20T04:14:16.000Z", + "event.category": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", + "event.original": "2017-1-20T2:14:16.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp)", "fileset.name": "protect", - "host.name": "etconsec6708.internal.invalid", + "host.name": "ano1049.www5.localdomain", "input.type": "log", - "log.offset": 6479, + "log.offset": 6899, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "mquame", + "rsa.identity.firstname": "olab", + "rsa.identity.lastname": "eumiure", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.misc.device_name": "tquov", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "ersp", - "rsa.misc.serial_number": "tes", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "ersp", + "rsa.misc.node": "temUte", "rsa.network.alias_host": [ - "etconsec6708.internal.invalid" + "ano1049.www5.localdomain" ], - "rsa.time.event_time": "2020-01-20T04:14:16.000Z", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", 
"service.type": "cylance", "tags": [ "cylance.protect", @@ -903,30 +895,30 @@ }, { "@timestamp": "2017-02-03T11:16:50.000Z", - "event.category": "PolicyAdd", + "event.category": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", + "event.original": "umwrit 2017-2-3T9:16:50.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna)ncididun ", "fileset.name": "protect", - "host.name": "Sedutp7428.internal.home", + "host.name": "mac765.mail.invalid", "input.type": "log", - "log.offset": 6843, + "log.offset": 7088, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "iquipe", - "rsa.identity.firstname": "upida", - "rsa.identity.lastname": "tvolupt", + "rsa.identity.firstname": "tiaec", + "rsa.identity.lastname": "nisi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "eufugi", - "rsa.misc.policy_name": "itempor", + "rsa.misc.checksum": "sit", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "oremagna", + "rsa.misc.node": "tdol", "rsa.network.alias_host": [ - "Sedutp7428.internal.home" + "mac765.mail.invalid" ], "rsa.time.event_time": "2017-02-03T11:16:50.000Z", "service.type": "cylance", 
@@ -937,32 +929,42 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.category": "Alert", + "event.action": "deny", + "event.category": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", + "event.original": "ise 2017/02/18T04:19:24.itau apariat1702.internal.local CylancePROTECT ian dolore [onsecte] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ect, IP Address: (10.41.123.102), Action: deny, Action Type: fugia, File Path: oditautf, SHA256: quatu, Zone Names: veli", + "file.directory": "oditautf", "fileset.name": "protect", - "host.name": "ati4639.www5.home", + "host.name": "apariat1702.internal.local", "input.type": "log", - "log.offset": 7061, + "log.offset": 7295, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "con", - "rsa.identity.lastname": "nisist", + "related.ip": [ + "10.41.123.102" + ], + "rsa.db.index": "veli", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "usmodte", - "rsa.misc.node": "ven", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.checksum": "quatu", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ect", "rsa.network.alias_host": [ - "ati4639.www5.home" + "apariat1702.internal.local" ], "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "cylance", + "source.ip": [ + "10.41.123.102" + ], "tags": [ 
"cylance.protect", "forwarded" @@ -970,29 +972,30 @@ }, { "@timestamp": "2017-03-04T13:21:59.000Z", - "event.category": "PolicyAdd", + "event.category": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin)", + "event.original": "2017-3-4T11:21:59.labo ulapar6827.www.local CylancePROTECT par lorin [pitl] Event Type: AuditLog, Event Name: Alert, Message: Zone: urv; Policy: ama; Value: uatur, User: adminimv odi (ptass)", "fileset.name": "protect", - "host.name": "torever662.www5.home", + "host.name": "ulapar6827.www.local", "input.type": "log", - "log.offset": 7235, + "log.offset": 7571, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", - "rsa.identity.firstname": "amcol", - "rsa.identity.lastname": "adeser", + "rsa.db.index": "urv", + "rsa.identity.firstname": "adminimv", + "rsa.identity.lastname": "odi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "oin", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "ptass", + "rsa.misc.policy_name": "ama", "rsa.network.alias_host": [ - "torever662.www5.home" + "ulapar6827.www.local" ], "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "cylance", 
@@ -1003,30 +1006,31 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "event.category": "Alert", + "event.category": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) ", + "event.original": "2017-3-18T6:24:33.mdol itation6137.home CylancePROTECT osqui sequat [sund] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: ven; SHA256: rQu; Category: mco, User: cipitl onemulla (evitaed)inimveni ", "fileset.name": "protect", - "host.name": "emeumfug4387.internal.lan", + "host.name": "itation6137.home", "input.type": "log", - "log.offset": 7476, + "log.offset": 7762, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "ccaeca", - "rsa.identity.lastname": "niamq", + "rsa.identity.firstname": "cipitl", + "rsa.identity.lastname": "onemulla", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "iduntu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "lapariat", - "rsa.misc.node": "untincul", + "rsa.misc.category": "mco", + "rsa.misc.checksum": "rQu", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "evitaed", + "rsa.misc.policy_name": "ven; SHA256: rQu; Category: mco", "rsa.network.alias_host": [ - "emeumfug4387.internal.lan" + "itation6137.home" ], "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "cylance", 
@@ -1037,28 +1041,30 @@ }, { "@timestamp": "2017-04-02T03:27:07.000Z", - "event.category": "DeviceRemove", + "event.category": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", + "event.original": "2017-4-2T1:27:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)remagn ", "fileset.name": "protect", - "host.name": "rumwrit764.www5.local", + "host.name": "emeumfug4387.internal.lan", "input.type": "log", - "log.offset": 7682, + "log.offset": 7974, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "miu", + "rsa.identity.firstname": "ccaeca", + "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "etMal", - "rsa.misc.serial_number": "onula", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "iduntu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "lapariat", + "rsa.misc.node": "untincul", "rsa.network.alias_host": [ - "rumwrit764.www5.local" + "emeumfug4387.internal.lan" ], "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "cylance", 
@@ -1069,66 +1075,58 @@ }, { "@timestamp": "2020-04-16T10:29:41.000Z", - "event.category": "SyslogSettingsSave", + "event.category": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", + "event.original": "16-Apr-2017 8:29:41 medium volupt2952.api.local esseq <boru 16T08:29:41.ptateve enderi6555.api.host CylancePROTECT Event Name:Device Policy Assigned, Threat Class:tenatuse, Threat Subclass:psaqua, SHA256:ullamcor, MD5:itationu", "fileset.name": "protect", + "host.name": "enderi6555.api.host", "input.type": "log", - "log.offset": 8022, + "log.offset": 8185, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.13.66.97" - ], - "rsa.identity.firstname": "dicta", - "rsa.identity.lastname": "taedicta", + "rsa.crypto.sig_type": "tenatuse", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "luptat", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "ritt", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.checksum": "ullamcor", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.network.alias_host": [ + "enderi6555.api.host" + ], "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "cylance", - "source.ip": [ - "10.13.66.97" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2017-04-30T05:32:16.000Z", - "event.category": "threat_quarantined", + "@timestamp": "2020-04-30T05:32:16.000Z", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
"event.module": "cylance", - "event.original": "30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", + "event.original": "Apr 30 3:32:16 estl2233.api.corp CylancePROTECT Event Type:oluptat, Event Name:ZoneAdd, Device Message: Device: rure; Zones Removed: asiarchi,eaqueipsUser: qua volupta (dmi), Zone Names:untexpl", "fileset.name": "protect", - "host.name": "oremi1485.api.localhost", "input.type": "log", - "log.offset": 8198, + "log.offset": 8422, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "atisund", - "rsa.identity.lastname": "xea", + "rsa.db.index": "untexpl", + "rsa.identity.firstname": "qua", + "rsa.identity.lastname": "volupta", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "amvolupt", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.mail_id": "ites", - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "oremi1485.api.localhost" - ], - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.investigations.event_vcat": "oluptat", + "rsa.misc.device_name": "rure", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "dmi", + "rsa.time.event_time": "2020-04-30T05:32:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1136,29 +1134,31 @@ ] }, { - "@timestamp": "2020-05-14T12:34:50.000Z", + "@timestamp": "2017-05-14T12:34:50.000Z", "event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", + "event.original": "2017-5-14T10:34:50.licaboN atquo4897.mail.lan CylancePROTECT ntexpl dunt [litsedq] Event Type: DeviceControl, Event Name: threat_found, Device Name: nder, External Device Type: mdolore, External Device Vendor ID: Cic, External Device Name: olorema, External Device Product ID: mollita, External Device Serial Number: tatem, Zone Names: iae", "fileset.name": "protect", - "host.name": "periam126.api.host", + "host.name": "atquo4897.mail.lan", "input.type": "log", - "log.offset": 8478, + "log.offset": 8616, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "rExc", + "rsa.db.index": "iae", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.checksum": "tame", + "rsa.investigations.event_vcat": " DeviceControl", "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "nder", + "rsa.misc.serial_number": "tatem", "rsa.network.alias_host": [ - "periam126.api.host" + "atquo4897.mail.lan" ], - "rsa.time.event_time": "2020-05-14T12:34:50.000Z", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1167,27 +1167,28 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.category": "PolicyAdd", + "event.category": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom ", + "event.original": "29-May-2017 05:37:24 medium taliqui5348.mail.localdomain loremag <iatqu 2017-5-29T5:37:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", "fileset.name": "protect", - "host.name": "tate6578.api.localdomain", + "host.name": "erspi5757.local", "input.type": "log", - "log.offset": 8686, + "log.offset": 8956, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", + "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, 
Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uov", + "rsa.misc.serial_number": "quaU", "rsa.network.alias_host": [ - "tate6578.api.localdomain" + "erspi5757.local" ], "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "cylance", 
@@ -1197,72 +1198,60 @@ ] }, { - "@timestamp": "2017-06-12T14:39:58.000Z", - "event.category": "Device Policy Assigned", + "@timestamp": "2020-06-12T14:39:58.000Z", + "event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", + "event.original": "Jun 12 12:39:58 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium,uptateUser: lloinven econs (lmolesti), Zone Names:apariatu Device Id: lorsita", "fileset.name": "protect", - "host.name": "midestl1919.host", "input.type": "log", - "log.offset": 9198, + "log.offset": 9369, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.124.88.222" - ], + "rsa.db.index": "apariatu", + "rsa.identity.firstname": "lloinven", + "rsa.identity.lastname": "econs", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "ntNeq", - "rsa.misc.OS": "liquaUte", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "aUt", - "rsa.network.alias_host": [ - "midestl1919.host" - ], - "rsa.network.eth_host": "01:00:5e:f9:78:c2", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "idolo", + "rsa.misc.device_name": "edolo", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "lmolesti", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", 
"service.type": "cylance", - "source.ip": [ - "10.124.88.222" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "onu" ] }, { "@timestamp": "2017-06-26T09:42:33.000Z", - "event.category": "ZoneAddDevice", + "event.category": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) ", + "event.original": "26-June-2017 19:42:33 high lupta7560.www5.localdomain ncidi <laudan 2017-6-26T7:42:33.litesseq atcupida7685.local CylancePROTECT dolores equamnih [taliqui] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: itempo,orumwUser: redol ecillum (isci)", "fileset.name": "protect", - "host.name": "eiusmod3517.internal.invalid", + "host.name": "atcupida7685.local", "input.type": "log", - "log.offset": 9473, + "log.offset": 9617, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "dol", - "rsa.identity.lastname": "sciun", + "rsa.identity.firstname": "redol", + "rsa.identity.lastname": "ecillum", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "labor", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "metcons", - "rsa.misc.node": "olup", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "isci", + "rsa.misc.node": "itempo", "rsa.network.alias_host": [ - "eiusmod3517.internal.invalid" + "atcupida7685.local" ], "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "cylance", 
@@ -1273,111 +1262,116 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "event.category": "DeviceRemove", + "event.action": "allow", + "event.category": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", + "event.original": "mquisno 2017-7-11T2:45:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe", "fileset.name": "protect", - "host.name": "ntexpl3889.www.home", + "host.name": "inrepr72.internal.home", "input.type": "log", - "log.offset": 9683, + "log.offset": 9884, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "process.name": "odt.exe", + "process.pid": 2957, "related.ip": [ - "10.156.34.19" + "10.169.5.162" ], - "rsa.db.index": "stquid", + "rsa.db.index": "tNe", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "Cic", - "rsa.misc.OS": "ariaturE", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "saqu", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "itasp", + "rsa.misc.policy_name": 
"riosa", "rsa.network.alias_host": [ - "ntexpl3889.www.home" + "inrepr72.internal.home" ], - "rsa.network.eth_host": "01:00:5e:54:ab:3f", "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "cylance", "source.ip": [ - "10.156.34.19" + "10.169.5.162" ], "tags": [ "cylance.protect", "forwarded" ], "user.name": [ - "imveni" + "cillumd" ] }, { - "@timestamp": "2019-07-25T11:47:41.000Z", - "event.category": "DeviceRemove", + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.action": "cancel", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", + "event.original": "2017/07/25T09:47:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema", + "file.directory": "reetdol", "fileset.name": "protect", - "host.name": "ntium4450.www5.localdomain", + "host.name": "mexer4472.www5.invalid", "input.type": "log", - "log.offset": 10032, + "log.offset": 10200, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.22.94.10" + "10.230.77.49" ], - "rsa.db.index": "mpo", + "rsa.db.index": "ema", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.misc.OS": "animid", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "vol", + "rsa.investigations.event_cat": 1600000000, + 
"rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.checksum": "uelauda", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "amnisi", "rsa.network.alias_host": [ - "ntium4450.www5.localdomain" + "mexer4472.www5.invalid" ], - "rsa.network.eth_host": "01:00:5e:ee:e8:77", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "cylance", "source.ip": [ - "10.22.94.10" + "10.230.77.49" ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "ssusci" ] }, { "@timestamp": "2017-08-08T06:50:15.000Z", - "event.category": "LoginSuccess", + "event.category": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", + "event.original": "2017-8-8T4:50:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse", "fileset.name": "protect", - "host.name": "erspi5757.local", + "host.name": "Nequepo1858.mail.local", "input.type": "log", - "log.offset": 10346, + "log.offset": 10481, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "LoginSuccess", - 
"rsa.misc.node": "uov", - "rsa.misc.serial_number": "quaU", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "stiaecon", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "sse", "rsa.network.alias_host": [ - "erspi5757.local" + "Nequepo1858.mail.local" ], "rsa.time.event_time": "2017-08-08T06:50:15.000Z", "service.type": "cylance", 
@@ -1387,29 +1381,31 @@ ] }, { - "@timestamp": "2019-08-22T13:52:50.000Z", - "event.category": "threat_found", + "@timestamp": "2017-08-22T13:52:50.000Z", + "event.category": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", + "event.original": "22-August-2017 23:52:50 high ici7102.www.localdomain itae <atnula 2017-8-22T11:52:50.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat", "fileset.name": "protect", + "host.name": "itametc3006.www.test", "input.type": "log", - "log.offset": 10760, + "log.offset": 10624, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "lmolesti", - "rsa.identity.firstname": "uptate", - "rsa.identity.lastname": "lloinven", + "rsa.db.index": "equat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "idolo", - "rsa.misc.device_name": "edolo", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "econs", - "rsa.time.event_time": "2019-08-22T13:52:50.000Z", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "Registration", + "rsa.misc.node": "doconse", + "rsa.misc.serial_number": "osquirat", + "rsa.network.alias_host": [ + "itametc3006.www.test" + ], + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", "service.type": "cylance", 
"tags": [ "cylance.protect", 
@@ -1417,38 +1413,42 @@ ] }, { - "@timestamp": "2017-09-06T08:55:00.000Z", - "event.action": "allow", - "event.category": "PolicyAdd", + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.action": "accept", + "event.category": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", - "file.directory": "isi", + "event.original": "6-September-2017 06:55:24 low idunt4633.internal.host liquam <oluptat 2017/09/06T06:55:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu", + "file.directory": "atur", "fileset.name": "protect", + "host.name": "rspici1916.api.localhost", "input.type": "log", - "log.offset": 11002, + "log.offset": 11045, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.153.34.43" + "10.99.209.40" ], - "rsa.db.index": "saute", + "rsa.db.index": "identsu", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AppControl", "rsa.misc.action": [ - "allow" + "accept" ], - "rsa.misc.checksum": "culpaq", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "fugits", - "rsa.time.event_time": "2017-09-06T08:55:00.000Z", + "rsa.misc.checksum": "issu", + "rsa.misc.event_type": "threat_quarantined", 
+ "rsa.misc.node": "riatur", + "rsa.network.alias_host": [ + "rspici1916.api.localhost" + ], + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "cylance", "source.ip": [ - "10.153.34.43" + "10.99.209.40" ], "tags": [ "cylance.protect", 
@@ -1456,35 +1456,41 @@ ] }, { - "@timestamp": "2017-09-20T03:57:58.000Z", - "event.category": "threat_found", + "@timestamp": "2019-09-20T03:57:58.000Z", + "event.category": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", + "event.original": "Sep 20 1:57:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori", "fileset.name": "protect", - "host.name": "magnid3343.home", "input.type": "log", - "log.offset": 11295, + "log.offset": 11395, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "obea", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "gitse", - "rsa.misc.serial_number": "col", - "rsa.network.alias_host": [ - "magnid3343.home" + "related.ip": [ + "10.14.74.218" ], - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.db.index": "labori", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "aer", + "rsa.misc.OS": "usm", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "iati", + "rsa.network.eth_host": "01:00:5e:bc:a3:48", + "rsa.time.event_time": 
"2019-09-20T03:57:58.000Z", "service.type": "cylance", + "source.ip": [ + "10.14.74.218" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "Nemoenim" ] }, { @@ -1493,24 +1499,26 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", + "event.original": "4-Oct-2017 9:00:32 high isiutali3575.www5.invalid Nemoenim <ide 4T21:00:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam", "fileset.name": "protect", - "host.name": "asperna7623.www.home", + "host.name": "evitae7333.www.lan", "input.type": "log", - "log.offset": 11628, + "log.offset": 11640, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "onproide", + "rsa.db.index": "ons", + "rsa.identity.firstname": "ess", + "rsa.identity.lastname": "quiad", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "expl", "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "dexe", + "rsa.misc.mail_id": "ihilmole", "rsa.network.alias_host": [ - "asperna7623.www.home" + "evitae7333.www.lan" ], - "rsa.network.zone": "tat", "rsa.time.event_time": "2019-10-04T11:00:32.000Z", "service.type": "cylance", "tags": [ 
@@ -1520,63 +1528,63 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "event.category": "LoginSuccess", + "event.category": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", - "file.directory": "seddoeiu", + "event.original": "2017-10-19T4:03:07.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco)", "fileset.name": "protect", - "host.name": "undeom845.www5.example", + "host.name": "radip163.mail.invalid", "input.type": "log", - "log.offset": 11842, - "network.application": "nse", + "log.offset": 11887, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3421", - "rsa.db.index": "quira", + "rsa.db.index": "ecill", + "rsa.identity.firstname": "sunt", + "rsa.identity.lastname": "texplica", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "liq", - "rsa.misc.version": "1.3421", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "oco", + "rsa.misc.policy_name": "iduntu", "rsa.network.alias_host": [ - "undeom845.www5.example" + "radip163.mail.invalid" ], "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "tassita" 
] }, { - "@timestamp": "2019-11-02T13:05:41.000Z", + "@timestamp": "2017-11-02T13:05:41.000Z", "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", + "event.original": "itametco 2017-11-2T11:05:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod ", "fileset.name": "protect", + "host.name": "quunt3116.localhost", "input.type": "log", - "log.offset": 12106, + "log.offset": 12095, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "tatema", + "rsa.db.index": " enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "nisiut", + "rsa.investigations.event_vcat": "Threat", "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "quira", - "rsa.network.zone": "rror", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.misc.node": "ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui", + "rsa.network.alias_host": [ + "quunt3116.localhost" + ], + 
"rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1584,30 +1592,32 @@ ] }, { - "@timestamp": "2017-11-16T08:08:15.000Z", - "event.category": "threat_quarantined", + "@timestamp": "2019-11-16T08:08:15.000Z", + "event.category": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm ", + "event.original": "16-Nov-2017 6:08:15 low cte4809.mail.lan uunturma <eserun 16T18:08:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore", "fileset.name": "protect", - "host.name": "ons5050.mail.test", + "host.name": "emu5311.localdomain", "input.type": "log", - "log.offset": 12274, + "log.offset": 12580, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", + "rsa.db.index": "mquisnos", + "rsa.identity.firstname": "fugitse", + "rsa.identity.lastname": "minimve", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, 
Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere", + "rsa.misc.device_name": "destla", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "serrorsi", "rsa.network.alias_host": [ - "ons5050.mail.test" + "emu5311.localdomain" ], - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.event_time": "2019-11-16T08:08:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1620,66 +1630,55 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", + "event.original": "Dec 1 1:10:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq ", "fileset.name": "protect", - "host.name": "oloreeu7597.mail.home", "input.type": "log", - "log.offset": 12840, + "log.offset": 12833, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.7.99.47" - ], - "rsa.db.index": "ditau", + "rsa.db.index": "nofdeFi, Device Id: henderit, Policy Name: remq", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502030000, "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.misc.OS": "teturadi", + "rsa.investigations.event_vcat": "civelits", + "rsa.misc.device_name": "mse", "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "nula", - "rsa.network.alias_host": [ - "oloreeu7597.mail.home" - ], - "rsa.network.eth_host": "01:00:5e:e8:41:ae", + "rsa.misc.node": "quiav", + "rsa.misc.serial_number": "ianonnum", "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "cylance", - "source.ip": [ - "10.7.99.47" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "evolupta" ] }, { - "@timestamp": "2017-12-15T10:13:24.000Z", - "event.category": "Device Updated", + "@timestamp": "2019-12-15T10:13:24.000Z", + 
"event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", + "event.original": "15-Dec-2017 8:13:24 medium arch2905.www5.home ror <doei 15T08:13:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint ", "fileset.name": "protect", - "host.name": "ueip5847.api.test", + "host.name": "tev2820.www.home", "input.type": "log", - "log.offset": 13156, + "log.offset": 13164, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "Nemoenim", + "rsa.db.index": "cept, Device Id: aedictas, Policy Name: eursint", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "sed", - "rsa.misc.checksum": "labori", - "rsa.misc.event_type": "Device Updated", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "ender", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "orp", + "rsa.misc.serial_number": "ulamc", "rsa.network.alias_host": [ - "ueip5847.api.test" + "tev2820.www.home" ], - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1688,63 +1687,61 @@ }, { "@timestamp": "2017-12-29T05:15:58.000Z", - "event.category": "SystemSecurity", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", - "file.directory": "eufug", + "event.original": "2017-12-29T3:15:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", "fileset.name": "protect", - "host.name": "uid3520.www.home", + "host.name": "sit1400.www.lan", "input.type": "log", - "log.offset": 13361, - "network.application": "roquisq", + "log.offset": 13543, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.989", - "rsa.db.index": "civelits", + "rsa.db.index": "ntsunti", + "rsa.identity.firstname": "uid", + "rsa.identity.lastname": "idatat", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "prehend", - "rsa.misc.version": "1.989", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "onev", + "rsa.misc.policy_name": "borios", "rsa.network.alias_host": [ - "uid3520.www.home" + "sit1400.www.lan" ], "rsa.time.event_time": "2017-12-29T05:15:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "ici" ] }, { 
- "@timestamp": "2020-01-12T12:18:32.000Z", - "event.category": "SyslogSettingsSave", + "@timestamp": "2018-01-12T12:18:32.000Z", + "event.category": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", + "event.original": "hilmole 2018-1-12T10:18:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", "fileset.name": "protect", + "host.name": "sectetu7182.localdomain", "input.type": "log", - "log.offset": 13629, + "log.offset": 13736, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "nostrud", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "iduntu", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "inibusB", - "rsa.time.event_time": "2020-01-12T12:18:32.000Z", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "orissus", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "sectetu7182.localdomain" + ], + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
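Review bot: `+ "rsa.investigations.event_vcat": " AuditLog"` pins a value with a leading space, while the following event's `"rsa.investigations.event_vcat": "orissus"` has none, so the `Event Type:` capture is keeping the separator whitespace when the source is written as `Event Type: AuditLog`. Any exact-match filter or correlation rule on `event_vcat` would silently miss every AuditLog event, which are the audit-trail records a defender is most likely to query. The expected value should be `"AuditLog"`, with the trimming done in the fileset's pipeline (not shown in this hunk); if the leading space is a known artifact that will be fixed later, say so in the PR description rather than baking it into the fixture.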
@@ -1752,27 +1749,32 @@ ] }, { - "@timestamp": "2020-01-27T07:21:06.000Z", - "event.category": "SyslogSettingsSave", + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", + "event.original": "2018-1-27T5:21:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt)", "fileset.name": "protect", + "host.name": "officiad4982.www5.domain", "input.type": "log", - "log.offset": 13778, + "log.offset": 13886, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "ugiat", + "rsa.identity.firstname": "magnaa", + "rsa.identity.lastname": "sumquiad", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "pariatur", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "imavenia", - "rsa.network.zone": "expli", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "iusmodt", + "rsa.misc.node": "umtota", + "rsa.network.alias_host": [ + "officiad4982.www5.domain" + ], + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1780,152 +1782,193 @@ ] }, { - "@timestamp": "2018-02-10T14:23:41.000Z", - "event.category": "SystemSecurity", + "@timestamp": "2020-02-10T14:23:41.000Z", + "event.category": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", + "event.original": "Feb 10 12:23:41 umd3889.api.localhost CylancePROTECT Event Type:dat, Event Name:threat_quarantined, Message: Provider:saquaea, Source IP:10.10.178.151, User: uames tconsec (issus)", "fileset.name": "protect", - "host.name": "teir7585.www5.localdomain", "input.type": "log", - "log.offset": 13951, + "log.offset": 14079, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "scip", - "rsa.identity.lastname": "Finibus", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "Utenimad", - "rsa.misc.node": "oreverit", - "rsa.network.alias_host": [ - "teir7585.www5.localdomain" + "related.ip": [ + "10.10.178.151" ], - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.identity.firstname": "uames", + "rsa.identity.lastname": "tconsec", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "dat", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "issus", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "service.type": "cylance", + "source.ip": [ + "10.10.178.151" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - 
"@timestamp": "2020-02-24T09:26:15.000Z", - "event.category": "SyslogSettingsSave", + "@timestamp": "2018-02-24T21:26:15.000Z", + "event.action": "block", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse ", + "event.original": "2018/02/24T19:26:15.caecat cusanti5019.api.home CylancePROTECT quisn rem [ulamcola] Event Type: AppControl, Event Name: ZoneAdd, Device Name: llita, IP Address: (10.117.150.156), Action: block, Action Type: uredol, File Path: maliqua, SHA256: mcorpori, Zone Names: orisn", + "file.directory": "maliqua", "fileset.name": "protect", + "host.name": "cusanti5019.api.home", "input.type": "log", - "log.offset": 14150, + "log.offset": 14259, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse", + "related.ip": [ + "10.117.150.156" + ], + "rsa.db.index": "orisn", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ali", - "rsa.misc.device_name": "itasp", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "quunt", - "rsa.misc.serial_number": "volup", - "rsa.time.event_time": "2020-02-24T09:26:15.000Z", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "mcorpori", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.node": "llita", + "rsa.network.alias_host": [ + "cusanti5019.api.home" + ], + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", 
"service.type": "cylance", + "source.ip": [ + "10.117.150.156" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-03-11T04:28:49.000Z", - "event.category": "Alert", + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.category": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl", + "event.original": "11-March-2018 02:28:49 very-high cta5536.mail.localdomain atem <cti 2018-3-11T2:28:49.ommodoc nse3544.local CylancePROTECT tvolu dutper [tlaboru] Event Type: aeabillo, Event Name: fullaccess, Device Name: equuntu, Agent Version: quamni, IP Address: (10.186.8.127), MAC Address: (01:00:5e:bf:58:62), Logged On Users: (boreet), OS: luptasnu Zone Names: ento", "fileset.name": "protect", + "host.name": "nse3544.local", "input.type": "log", - "log.offset": 14477, + "log.offset": 14530, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "colabori", - "rsa.identity.firstname": "nvo", - "rsa.identity.lastname": "iamqui", + "related.ip": [ + "10.186.8.127" + ], + "rsa.db.index": "ento", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "atura", - "rsa.misc.device_name": "oreeu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "tassita", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "aeabillo", + "rsa.misc.OS": "luptasnu", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "equuntu", + "rsa.network.alias_host": [ + "nse3544.local" + ], + 
"rsa.network.eth_host": "01:00:5e:bf:58:62", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "cylance", + "source.ip": [ + "10.186.8.127" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "boreet" ] }, { - "@timestamp": "2018-03-25T11:31:24.000Z", - "event.category": "ZoneAddDevice", + "@timestamp": "2020-03-25T11:31:24.000Z", + "event.action": "block", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever)", + "event.original": "Mar 25 9:31:24 ovolupta1238.internal.localdomain CylancePROTECT Event Type:ametcon, Event Name: SystemSecurity, Device Name: beat, IP Address: (10.202.89.144), Action: block, Process ID: 6944, Process Name: qua.exe, User Name: iarchite, Violation Type: emsequi, Zone Names:ueporroq, Device Id: ute", "fileset.name": "protect", - "host.name": "serrorsi1096.www5.localdomain", "input.type": "log", - "log.offset": 14659, + "log.offset": 14893, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", + "process.name": "qua.exe", + "process.pid": 6944, + "related.ip": [ + "10.202.89.144" + ], + "rsa.db.index": "ueporroq", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.node": "reetdo", - "rsa.network.alias_host": [ - "serrorsi1096.www5.localdomain" + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + 
"rsa.investigations.event_vcat": "ametcon", + "rsa.misc.action": [ + "block" ], - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.misc.device_name": "beat", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.policy_name": "emsequi", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "service.type": "cylance", + "source.ip": [ + "10.202.89.144" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "iarchite" ] }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "event.category": "SystemSecurity", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", + "event.original": "8-April-2018 16:33:58 high Bonoru1396.api.invalid rumSecti <adipi 2018-4-8T4:33:58.mquis ratvo1100.www.home CylancePROTECT oluptas nderiti [uatu] Event Type: olupta, Event Name: ZoneAdd, Device Names: (orem), Policy Name: giatqu, User: rsint rsi (paq)", "fileset.name": "protect", - "host.name": "prehen4807.mail.invalid", + "host.name": "ratvo1100.www.home", "input.type": "log", - "log.offset": 14896, + "log.offset": 15191, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "meum", + "rsa.identity.firstname": "rsint", + "rsa.identity.lastname": "rsi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "remq", - "rsa.misc.serial_number": "ugia", + "rsa.investigations.event_cat": 1901000000, + 
"rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "olupta", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "paq", + "rsa.misc.node": "orem", + "rsa.misc.policy_name": "giatqu", "rsa.network.alias_host": [ - "prehen4807.mail.invalid" + "ratvo1100.www.home" ], "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "cylance", 
@@ -1936,30 +1979,29 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "event.category": "ZoneAdd", + "event.category": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", + "event.original": "onse 2018-4-22T11:36:32.sitam inibusBo1209.www.example CylancePROTECT ddoe uid [amnis] Event Type: AuditLog, Event Name: DeviceEdit, Message: sse, User: ihilm incidi (aedictas)", "fileset.name": "protect", - "host.name": "sit1400.www.lan", + "host.name": "inibusBo1209.www.example", "input.type": "log", - "log.offset": 15232, + "log.offset": 15451, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ntsunti", - "rsa.identity.firstname": "uid", - "rsa.identity.lastname": "idatat", + "rsa.db.index": "sse", + "rsa.identity.firstname": "ihilm", + "rsa.identity.lastname": "incidi", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "onev", - "rsa.misc.policy_name": "borios", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "aedictas", "rsa.network.alias_host": [ - "sit1400.www.lan" + "inibusBo1209.www.example" ], "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "cylance", 
@@ -1970,25 +2012,27 @@ }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.category": "Device Updated", + "event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", + "event.original": "7-May-2018 06:39:06 low urEx4545.local abore <oreeu 2018-5-7T6:39:06.mea ssec5390.api.example CylancePROTECT emi reprehen [tvol] Event Type: ptat, Event Name: threat_found, Threat Class: tdolo, Threat Subclass: sequatD, SHA256: eleumi, MD5: equ", "fileset.name": "protect", - "host.name": "sectetu7182.localdomain", + "host.name": "ssec5390.api.example", "input.type": "log", - "log.offset": 15425, + "log.offset": 15628, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "tdolo", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "orissus", - "rsa.misc.event_type": "Device Updated", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ptat", + "rsa.misc.checksum": "eleumi", + "rsa.misc.event_type": "threat_found", "rsa.network.alias_host": [ - "sectetu7182.localdomain" + "ssec5390.api.example" ], "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "cylance", 
@@ -1999,29 +2043,31 @@ }, { "@timestamp": "2018-05-21T03:41:41.000Z", - "event.category": "ZoneAdd", + "event.category": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", + "event.original": "etc 2018-5-21T1:41:41.eturadip nost5395.www.localhost CylancePROTECT edol sequuntu [quameius] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: nima; SHA256: totamrem; Category: aliqu, User: taedict orum (nsequat)orsitam ", "fileset.name": "protect", - "host.name": "officiad4982.www5.domain", + "host.name": "nost5395.www.localhost", "input.type": "log", - "log.offset": 15573, + "log.offset": 15880, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "etdolore", - "rsa.identity.lastname": "magnaa", + "rsa.identity.firstname": "taedict", + "rsa.identity.lastname": "orum", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "sumquiad", - "rsa.misc.node": "umtota", + "rsa.misc.category": "aliqu", + "rsa.misc.checksum": "totamrem", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "nsequat", + "rsa.misc.policy_name": "nima; SHA256: totamrem; Category: aliqu", "rsa.network.alias_host": [ - "officiad4982.www5.domain" + "nost5395.www.localhost" ], "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "cylance", 
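Review bot: `+ "rsa.misc.policy_name": "nima; SHA256: totamrem; Category: aliqu"` shows the `Policy:` capture running past the `;` separator, even though the same hunk also extracts `"rsa.misc.checksum": "totamrem"` and `"rsa.misc.category": "aliqu"` from that tail. A policy name that embeds a hash and a category is unusable for pivoting or allow-listing, and a crafted policy string could make the field carry arbitrary text that downstream rules treat as a policy identifier. The expected value here should be `"nima"`; the pattern change belongs in the fileset's pipeline outside this hunk, and the fixture should not be regenerated until it is.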
@@ -2032,30 +2078,37 @@ }, { "@timestamp": "2018-06-04T10:44:15.000Z", - "event.category": "pechange", + "event.category": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", + "event.original": "2018-6-4T8:44:15.oidentsu oditau3188.internal.home CylancePROTECT temqui lup [aeca] Event Type: AuditLog, Event Name: Registration, Message: Provider: autemv, Source IP: 10.16.200.216, User: eirure boreetd (tNe)", "fileset.name": "protect", - "host.name": "consequa1486.internal.localdomain", + "host.name": "oditau3188.internal.home", "input.type": "log", - "log.offset": 15760, - "observer.product": "Protect", + "log.offset": 16123, + "observer.product": "autemv", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "quaeratv", + "related.ip": [ + "10.16.200.216" + ], + "rsa.identity.firstname": "eirure", + "rsa.identity.lastname": "boreetd", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ptatemse", - "rsa.misc.checksum": "tobeata", - "rsa.misc.event_type": "pechange", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Registration", + "rsa.misc.mail_id": "tNe", "rsa.network.alias_host": [ - "consequa1486.internal.localdomain" + "oditau3188.internal.home" ], "rsa.time.event_time": "2018-06-04T10:44:15.000Z", "service.type": "cylance", + "source.ip": [ + "10.16.200.216" + ], "tags": [ "cylance.protect", "forwarded" 
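Review bot: `- "observer.product": "Protect"` / `+ "observer.product": "autemv"` shows the `Provider:` value from the message body overwriting the constant `observer.product` that every other event in this file carries as `"Protect"`. A field taken from the log payload replacing the observer's product identity means a Registration event with an unexpected or attacker-supplied provider string no longer matches detections scoped on `observer.product: Protect`, and it breaks the invariant that the observer fields describe the sensor rather than the event. I would keep `observer.product` fixed to `"Protect"` and map `Provider` to a dedicated field instead; this hunk's expected output should then pin `"observer.product": "Protect"` again.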
@@ -2063,68 +2116,61 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "event.category": "fullaccess", + "event.category": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", + "event.original": "19-June-2018 03:46:49 low asper311.www.corp inibus <ctobeat 2018-6-19T3:46:49.onsec idestl1167.domain CylancePROTECT itanimi onoru [data] Event Type: ScriptControl, Event Name: pechange, Device Name: eosqui, File Path: dipisciv, Interpreter: uam, Interpreter Version: 1.2575 (llum), Zone Names: mwr", + "file.directory": "dipisciv", "fileset.name": "protect", - "host.name": "its6443.mail.example", + "host.name": "idestl1167.domain", "input.type": "log", - "log.offset": 15980, + "log.offset": 16336, + "network.application": "uam", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.139.80.71" - ], + "observer.version": "1.2575", + "rsa.db.index": "mwr", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "miurere", - "rsa.misc.OS": "eniamqui", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "tlabo", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "eosqui", + "rsa.misc.version": "1.2575", "rsa.network.alias_host": [ - "its6443.mail.example" + "idestl1167.domain" ], - "rsa.network.eth_host": "01:00:5e:bc:c1:21", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "cylance", - "source.ip": [ - "10.139.80.71" - ], "tags": [ "cylance.protect", "forwarded" - ], - 
"user.name": [ - "orem" ] }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "event.category": "Alert", + "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati ", + "event.original": "3-July-2018 10:49:23 low pitlabo3498.www.localdomain ntmollit <ionofdeF 2018-7-3T10:49:23.rsp imipsa5374.corp CylancePROTECT ionevo llitani [uscipit] Event Type: luptat, Event Name: threat_changed, Device Name: etco", "fileset.name": "protect", - "host.name": "tconsec7604.corp", + "host.name": "imipsa5374.corp", "input.type": "log", - "log.offset": 16254, + "log.offset": 16642, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "luptat", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "etco", "rsa.network.alias_host": [ - "tconsec7604.corp" + "imipsa5374.corp" ], "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "cylance", 
@@ -2135,168 +2181,197 @@ }, { "@timestamp": "2018-07-17T07:51:58.000Z", - "event.category": "threat_found", + "event.action": "accept", + "event.category": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", + "event.original": "17-July-2018 17:51:58 medium eumiu5172.internal.domain rehen <ptat 2018-7-17T5:51:58.mipsu velillu827.www5.domain CylancePROTECT rsitamet leumiur [ssequamn] Event Type: ExploitAttempt, Event Name: ZoneAddDevice, Device Name: olesti, IP Address: (10.221.20.165), Action: accept, Process ID: 7294, Process Name: ritquiin.exe, User Name: reseo, Violation Type: amco, Zone Names: ons", "fileset.name": "protect", - "host.name": "tuser2694.internal.invalid", + "host.name": "velillu827.www5.domain", "input.type": "log", - "log.offset": 16795, + "log.offset": 16864, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "natus", - "rsa.identity.lastname": "boreet", + "process.name": "ritquiin.exe", + "process.pid": 7294, + "related.ip": [ + "10.221.20.165" + ], + "rsa.db.index": "ons", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ugiatqu", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "luptasnu", - "rsa.misc.node": "turveli", - "rsa.misc.policy_name": "isciv", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "olesti", + "rsa.misc.policy_name": "amco", "rsa.network.alias_host": [ - 
"tuser2694.internal.invalid" + "velillu827.www5.domain" ], "rsa.time.event_time": "2018-07-17T07:51:58.000Z", "service.type": "cylance", + "source.ip": [ + "10.221.20.165" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "reseo" ] }, { "@timestamp": "2018-08-01T14:54:32.000Z", - "event.category": "pechange", + "event.category": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", + "event.original": "2018-8-1T12:54:32.epreh psaqu5224.api.home CylancePROTECT temporin uam [rudexerc] Event Type: ScriptControl, Event Name: SyslogSettingsSave, Device Name: lor, File Path: nvolupt, Interpreter: dquia, Interpreter Version: 1.5334, Zone Names: bori, User Name: dipi", + "file.directory": "nvolupt", "fileset.name": "protect", - "host.name": "gnaaliq5240.api.test", + "host.name": "psaqu5224.api.home", "input.type": "log", - "log.offset": 17076, + "log.offset": 17251, + "network.application": "dquia", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "ratvo", + "observer.version": "1.5334", + "rsa.db.index": "bori", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "esciun", - "rsa.misc.checksum": "volupt", - "rsa.misc.event_type": "pechange", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "lor", + "rsa.misc.version": "1.5334", "rsa.network.alias_host": [ - "gnaaliq5240.api.test" + "psaqu5224.api.home" ], "rsa.time.event_time": "2018-08-01T14:54:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "dipi" ] }, { - 
"@timestamp": "2019-08-15T09:57:06.000Z", - "event.category": "LoginSuccess", + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.category": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", + "event.original": "2018-8-15T7:57:06.ite itse1458.www.example CylancePROTECT lupt quatur [dminim] Event Type: ScriptControl, Event Name: threat_quarantined, Device Name: ipsa, File Path: con, Interpreter: eirured, Interpreter Version: 1.3772 (tatiset), Zone Names: quira, User Name: ciatisun", + "file.directory": "con", "fileset.name": "protect", - "host.name": "illum2625.test", + "host.name": "itse1458.www.example", "input.type": "log", - "log.offset": 17277, + "log.offset": 17513, + "network.application": "eirured", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "iaeconse", + "observer.version": "1.3772", + "rsa.db.index": "quira", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.checksum": "nimadmin", - "rsa.misc.event_type": "LoginSuccess", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "ipsa", + "rsa.misc.version": "1.3772", "rsa.network.alias_host": [ - "illum2625.test" + "itse1458.www.example" ], - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "ciatisun" ] }, { - 
"@timestamp": "2018-08-29T16:59:40.000Z", + "@timestamp": "2019-08-29T04:59:40.000Z", "event.action": "deny", - "event.category": "SystemSecurity", + "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", - "file.directory": "emporin", + "event.original": "29-Aug-2018 2:59:40 very-high audant5631.www5.local minimve <entorev 29T14:59:40.quuntur olup3841.mail.invalid CylancePROTECT Event Name: threat_changed, Device Name: aerat, IP Address: (10.152.213.228), Action: deny, Process ID: 2571, Process Name: iatquo.exe, User Name: temp, Violation Type: oinvento, Zone Names:ali, Device Id: udexerci", "fileset.name": "protect", - "host.name": "nulamc5617.mail.host", + "host.name": "olup3841.mail.invalid", "input.type": "log", - "log.offset": 17487, + "log.offset": 17786, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "process.name": "iatquo.exe", + "process.pid": 2571, "related.ip": [ - "10.134.137.205" + "10.152.213.228" ], - "rsa.db.index": "etquasia", + "rsa.db.index": "ali", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AppControl", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ "deny" ], - "rsa.misc.checksum": "oreseosq", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "ntu", + "rsa.misc.device_name": "aerat", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.policy_name": 
"oinvento", "rsa.network.alias_host": [ - "nulamc5617.mail.host" + "olup3841.mail.invalid" ], - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "rsa.time.event_time": "2019-08-29T04:59:40.000Z", "service.type": "cylance", "source.ip": [ - "10.134.137.205" + "10.152.213.228" ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "temp" ] }, { "@timestamp": "2018-09-12T12:02:15.000Z", - "event.category": "threat_found", + "event.category": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", + "event.original": "emullam 2018-9-12T10:02:15.quido llo1106.internal.localhost CylancePROTECT assi rch [psa] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: atione,tvolupUser: oremeu lab (lla)", "fileset.name": "protect", - "host.name": "tatem4713.internal.host", + "host.name": "llo1106.internal.localhost", "input.type": "log", - "log.offset": 17834, + "log.offset": 18137, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "usci", - "rsa.identity.firstname": "lupta", - "rsa.identity.lastname": "ura", + "rsa.identity.firstname": "oremeu", + "rsa.identity.lastname": "lab", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "oreeufug", - "rsa.misc.policy_name": "unturmag", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "lla", + "rsa.misc.node": "atione", 
"rsa.network.alias_host": [ - "tatem4713.internal.host" + "llo1106.internal.localhost" ], "rsa.time.event_time": "2018-09-12T12:02:15.000Z", "service.type": "cylance", 
@@ -2307,122 +2382,98 @@ }, { "@timestamp": "2018-09-27T07:04:49.000Z", - "event.category": "SyslogSettingsSave", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum", + "event.original": "oeiusm 2018-9-27T5:04:49.Excepteu mco6956.internal.test CylancePROTECT lorese teturadi [radipi] Event Type: ScriptControl, Event Name: ZoneAdd, Device Name: upidatat, File Path: mod, Interpreter: niamqui, Interpreter Version: 1.7696, Zone Names: xeaco, User Name: taliqu", + "file.directory": "mod", "fileset.name": "protect", - "host.name": "ugits5961.www5.local", + "host.name": "mco6956.internal.test", "input.type": "log", - "log.offset": 18050, + "log.offset": 18329, + "network.application": "niamqui", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.91.2.225" - ], - "rsa.db.index": "nostrum", + "observer.version": "1.7696", + "rsa.db.index": "xeaco", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "naa", - "rsa.misc.OS": "imipsa", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "idolo", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.node": "upidatat", + "rsa.misc.version": "1.7696", "rsa.network.alias_host": [ - "ugits5961.www5.local" + "mco6956.internal.test" ], - "rsa.network.eth_host": "01:00:5e:42:41:00", "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "cylance", - "source.ip": [ - "10.91.2.225" - ], "tags": [ "cylance.protect", "forwarded" ], "user.name": [ - 
"rsp" + "taliqu" ] }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.action": "block", - "event.category": "ThreatUpdated", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex", + "event.original": "2018-10-11T12:07:23.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute", "fileset.name": "protect", - "host.name": "prehende5460.mail.localdomain", + "host.name": "gnamali226.internal.test", "input.type": "log", - "log.offset": 18347, + "log.offset": 18600, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "nimadmi.exe", - "process.pid": 601, - "related.ip": [ - "10.191.99.14" - ], - "rsa.db.index": "iquipex", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "uido", - "rsa.misc.policy_name": "emoenimi", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "strud", + "rsa.misc.event_type": "SystemSecurity", "rsa.network.alias_host": [ - "prehende5460.mail.localdomain" + "gnamali226.internal.test" ], "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "cylance", - "source.ip": [ - "10.191.99.14" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "lapa" ] }, { - "@timestamp": 
"2019-10-25T09:09:57.000Z", - "event.category": "Device Policy Assigned", + "@timestamp": "2018-10-25T09:09:57.000Z", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt", + "event.original": "2018-10-25T7:09:57.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat)uredo ", "fileset.name": "protect", - "host.name": "velites1745.api.corp", + "host.name": "eriti7637.domain", "input.type": "log", - "log.offset": 18667, + "log.offset": 18736, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "lor", - "rsa.identity.firstname": "naaliq", - "rsa.identity.lastname": "plica", + "rsa.identity.firstname": "itation", + "rsa.identity.lastname": "utlabo", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.change_new": "olorsit", - "rsa.misc.change_old": "nimides", - "rsa.misc.device_name": "psaqu", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "asiarc", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "tur", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "tat", + "rsa.misc.node": "mquis", "rsa.network.alias_host": [ - "velites1745.api.corp" + "eriti7637.domain" ], - "rsa.time.event_time": "2019-10-25T09:09:57.000Z", + "rsa.time.event_time": 
"2018-10-25T09:09:57.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2431,61 +2482,75 @@ }, { "@timestamp": "2019-11-09T04:12:32.000Z", - "event.category": "LoginSuccess", + "event.action": "accept", + "event.category": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat", + "event.original": "9-Nov-2018 2:12:32 medium dminimv2485.internal.host rep <docons 9T02:12:32.emipsumq orinr5248.mail.home CylancePROTECT Event Name: DeviceRemove, Device Name: tass, IP Address: (10.94.129.251), Action: accept, Process ID: 782, Process Name: umquiad.exe, User Name: porinc, Violation Type: uameiu, Zone Names:quiado", "fileset.name": "protect", - "host.name": "Duis583.api.local", + "host.name": "orinr5248.mail.home", "input.type": "log", - "log.offset": 18971, + "log.offset": 18931, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "dminim", + "process.name": "umquiad.exe", + "process.pid": 782, + "related.ip": [ + "10.94.129.251" + ], + "rsa.db.index": "quiado", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.checksum": "aperiame", - "rsa.misc.event_type": "LoginSuccess", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.device_name": "tass", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.policy_name": "uameiu", "rsa.network.alias_host": [ - "Duis583.api.local" + "orinr5248.mail.home" ], "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "cylance", + "source.ip": [ + "10.94.129.251" + ], "tags": [ "cylance.protect", "forwarded" + ], + 
"user.name": [ + "porinc" ] }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.category": "DeviceEdit", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo", - "file.directory": "umfu", + "event.original": "23-November-2018 09:15:06 medium mvol3890.localhost reh <tcons 2018-11-23T9:15:06.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill;imveniamUser: sunte exerc (tasu)", "fileset.name": "protect", - "host.name": "velitess2401.www.lan", + "host.name": "ction491.www5.local", "input.type": "log", - "log.offset": 19186, - "network.application": "utla", + "log.offset": 19253, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.2478", - "rsa.db.index": "dolo", + "rsa.identity.firstname": "sunte", + "rsa.identity.lastname": "exerc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "volupta", - "rsa.misc.version": "1.2478", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "tasu", + "rsa.misc.node": "ill", "rsa.network.alias_host": [ - "velitess2401.www.lan" + "ction491.www5.local" ], "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "cylance", 
@@ -2495,63 +2560,69 @@ ] }, { - "@timestamp": "2018-12-07T06:17:40.000Z", - "event.category": "pechange", + "@timestamp": "2019-12-07T06:17:40.000Z", + "event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) ", + "event.original": "Dec 7 4:17:40 rcit7003.www5.host CylancePROTECT Event Type:orese, Event Name:threat_found, Device Name:eiusm, Agent Version:oremipsu, IP Address: (10.205.246.104), MAC Address: (01:00:5e:55:3b:e8), Logged On Users: (mto), OS:iae, Zone Names:dent", "fileset.name": "protect", - "host.name": "sequines3991.mail.local", "input.type": "log", - "log.offset": 19439, + "log.offset": 19511, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "sequines", - "rsa.identity.lastname": "minimve", + "related.ip": [ + "10.205.246.104" + ], + "rsa.db.index": "dent", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "reeufugi", - "rsa.misc.checksum": "eumfugia", - "rsa.misc.event_type": "pechange", - "rsa.misc.mail_id": "texplica", - "rsa.misc.policy_name": "iquamqu; SHA256: eumfugia; Category: reeufugi", - "rsa.network.alias_host": [ - "sequines3991.mail.local" - ], - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.investigations.event_vcat": "orese", + "rsa.misc.OS": "iae", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "eiusm", + "rsa.network.eth_host": "01:00:5e:55:3b:e8", + "rsa.time.event_time": "2019-12-07T06:17:40.000Z", "service.type": "cylance", + "source.ip": [ + "10.205.246.104" + 
], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "mto" ] }, { "@timestamp": "2018-12-21T13:20:14.000Z", - "event.category": "pechange", + "event.category": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin ", + "event.original": "2018-12-21T11:20:14.itse lapari2702.www.test CylancePROTECT exeaco upta [ivel] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:reprehe; Devices: deFinib , User: edqui oreseosq (corporis)", "fileset.name": "protect", - "host.name": "iatquo2815.mail.host", + "host.name": "lapari2702.www.test", "input.type": "log", - "log.offset": 19666, + "log.offset": 19757, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin", + "rsa.identity.firstname": "edqui", + "rsa.identity.lastname": "oreseosq", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "pechange", - "rsa.misc.node": "imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is 
Running: cons, Auto Run: Except, Detected By: lestiae", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "corporis", + "rsa.misc.node": "deFinib", + "rsa.misc.policy_name": "reprehe", "rsa.network.alias_host": [ - "iatquo2815.mail.host" + "lapari2702.www.test" ], "rsa.time.event_time": "2018-12-21T13:20:14.000Z", "service.type": "cylance", 
@@ -2562,27 +2633,32 @@ }, { "@timestamp": "2020-01-05T08:22:49.000Z", - "event.category": "Device Policy Assigned", + "event.category": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme", + "event.original": "5-Jan-2019 6:22:49 very-high byCice3357.mail.localhost cin <amestq 5T06:22:49.emvele tNeq5705.home CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: sper Agent Self Protection Level Changed: 'dic' to 'mfugiat', User: magnido liqu (dolor),ingZone Names: amal Device Id: aliq", "fileset.name": "protect", + "host.name": "tNeq5705.home", "input.type": "log", - "log.offset": 20243, + "log.offset": 19964, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "tot", - "rsa.identity.firstname": "remips", - "rsa.identity.lastname": "laboreet", + "rsa.db.index": "amal", + "rsa.identity.firstname": "magnido", + "rsa.identity.lastname": "liqu", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "inBC", - "rsa.misc.device_name": "atevelit", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "uptate", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.change_new": "mfugiat", + "rsa.misc.change_old": "dic", + "rsa.misc.device_name": "sper", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "dolor", + "rsa.network.alias_host": [ + "tNeq5705.home" + ], "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "cylance", "tags": [ 
@@ -2592,31 +2668,30 @@ }, { "@timestamp": "2020-01-19T03:25:23.000Z", - "event.category": "ZoneAddDevice", + "event.category": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate", + "event.original": "19-Jan-2019 1:25:23 high conse3977.www.lan giatqu <roid 19T13:25:23.lorum iin1665.api.localdomain CylancePROTECT Event Name:threat_quarantined, Device Message: Device: iat; Policy Changed: orain to 'equaturQ', User: llu quaUt (labor), Zone Names:oris, Device Id: tatemse", "fileset.name": "protect", - "host.name": "issusci7005.mail.host", + "host.name": "iin1665.api.localdomain", "input.type": "log", - "log.offset": 20491, + "log.offset": 20259, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "tiumtot", - "rsa.identity.firstname": "ecillumd", - "rsa.identity.lastname": "iumto", + "rsa.db.index": "oris", + "rsa.identity.firstname": "llu", + "rsa.identity.lastname": "quaUt", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.change_new": "saute", - "rsa.misc.change_old": "lors", - "rsa.misc.device_name": "ore", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "sequatu", + "rsa.misc.device_name": "iat", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "labor", + "rsa.misc.policy_name": "equaturQ", "rsa.network.alias_host": [ - "issusci7005.mail.host" + "iin1665.api.localdomain" ], "rsa.time.event_time": "2020-01-19T03:25:23.000Z", "service.type": "cylance", 
@@ -2626,73 +2701,74 @@ ] }, { - "@timestamp": "2019-02-02T22:27:57.000Z", - "event.action": "accept", - "event.category": "SyslogSettingsSave", + "@timestamp": "2020-02-02T10:27:57.000Z", + "event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio", - "file.directory": "reseo", + "event.original": "2-Feb-2019 8:27:57 medium tincul407.corp amq <lab 2T20:27:57.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid", "fileset.name": "protect", - "host.name": "umq7428.invalid", + "host.name": "ing3291.internal.localhost", "input.type": "log", - "log.offset": 20803, + "log.offset": 20537, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.164.59.219" - ], - "rsa.db.index": "ulpaquio", + "rsa.identity.firstname": "itanimid", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.checksum": "quam", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "iad", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "amnisiu", "rsa.network.alias_host": [ - "umq7428.invalid" + "ing3291.internal.localhost" ], - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "rsa.network.zone": "epr", + "rsa.time.event_time": "2020-02-02T10:27:57.000Z", "service.type": "cylance", - "source.ip": [ - "10.164.59.219" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - 
"@timestamp": "2020-02-17T05:30:32.000Z", - "event.category": "PolicyAdd", + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.action": "block", + "event.category": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem", + "event.original": "untur 2019/02/17T03:30:32.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta", + "file.directory": "itsed", "fileset.name": "protect", + "host.name": "uraut3756.www5.test", "input.type": "log", - "log.offset": 21083, + "log.offset": 20754, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "eacomm", - "rsa.identity.firstname": "onorumet", - "rsa.identity.lastname": "iscivel", + "related.ip": [ + "10.127.30.119" + ], + "rsa.db.index": "olupta", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": "archite", - "rsa.misc.device_name": "rem", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "rinci", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "rad", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ollita", + "rsa.network.alias_host": [ + "uraut3756.www5.test" + ], + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", 
"service.type": "cylance", + "source.ip": [ + "10.127.30.119" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -2700,72 +2776,67 @@ }, { "@timestamp": "2019-03-03T12:33:06.000Z", - "event.action": "block", - "event.category": "threat_found", + "event.category": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv", - "file.directory": "ionem", + "event.original": "2019-3-3T10:33:06.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude", + "file.directory": "lupta", "fileset.name": "protect", - "host.name": "epteurs5503.www5.home", + "host.name": "uiacon6640.api.localhost", "input.type": "log", - "log.offset": 21271, + "log.offset": 21030, + "network.application": "utla", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.1.193.187" - ], - "rsa.db.index": "dminimv", + "observer.version": "1.4566", + "rsa.db.index": "itati", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.checksum": "taevitae", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "iscive", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "Device Updated", + "rsa.misc.node": "magnido", + "rsa.misc.version": "1.4566", "rsa.network.alias_host": [ - 
"epteurs5503.www5.home" + "uiacon6640.api.localhost" ], "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "cylance", - "source.ip": [ - "10.1.193.187" - ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "nostrude" ] }, { - "@timestamp": "2020-03-17T07:35:40.000Z", - "event.category": "DeviceRemove", + "@timestamp": "2019-03-17T07:35:40.000Z", + "event.category": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum", + "event.original": "ecillum 2019-3-17T5:35:40.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim ", "fileset.name": "protect", + "host.name": "ame226.internal.domain", "input.type": "log", - "log.offset": 21545, + "log.offset": 21310, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "atvol", - "rsa.identity.firstname": "tass", - "rsa.identity.lastname": "ugi", + "rsa.db.index": " isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "ipiscin", - "rsa.misc.device_name": "orinr", - "rsa.misc.event_type": 
"DeviceRemove", - "rsa.misc.mail_id": "riat", - "rsa.misc.policy_name": "umdo", - "rsa.time.event_time": "2020-03-17T07:35:40.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "Threat", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro", + "rsa.network.alias_host": [ + "ame226.internal.domain" + ], + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2774,29 +2845,24 @@ }, { "@timestamp": "2020-04-01T14:38:14.000Z", - "event.category": "DeviceEdit", + "event.category": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod ", + "event.original": "Apr 1 12:38:14 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele", "fileset.name": "protect", - "host.name": "omnisis5339.www5.local", "input.type": "log", - "log.offset": 21768, + "log.offset": 21829, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", + "rsa.crypto.sig_type": "mquisno", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "Cicero", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "stiaec", - "rsa.misc.serial_number": "mqui", - "rsa.network.alias_host": [ - "omnisis5339.www5.local" - ], + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "umdolo", + "rsa.misc.checksum": "empor", + "rsa.misc.event_type": "DeviceRemove", "rsa.time.event_time": "2020-04-01T14:38:14.000Z", "service.type": "cylance", "tags": [ 
@@ -2805,32 +2871,29 @@ ] }, { - "@timestamp": "2019-04-15T09:40:49.000Z", - "event.category": "SystemSecurity", + "@timestamp": "2020-04-15T09:40:49.000Z", + "event.category": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc)", + "event.original": "Apr 15 7:40:49 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu", "fileset.name": "protect", - "host.name": "ction491.www5.local", "input.type": "log", - "log.offset": 22149, + "log.offset": 21991, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "imveniam", - "rsa.identity.lastname": "sunte", + "rsa.db.index": "paqu", + "rsa.identity.firstname": "aliqu", + "rsa.identity.lastname": "iqu", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "exerc", - "rsa.misc.node": "ill", - "rsa.network.alias_host": [ - "ction491.www5.local" - ], - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ostrumex", + "rsa.misc.device_name": "sedquia", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "onse", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2839,78 +2902,73 @@ }, { "@timestamp": "2019-04-29T04:43:23.000Z", - "event.category": "Alert", + "event.action": "allow", + "event.category": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae", + "event.original": "2019-4-29T2:43:23.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam", "fileset.name": "protect", - "host.name": "undeom7847.api.corp", + "host.name": "mporain5332.mail.host", "input.type": "log", - "log.offset": 22400, + "log.offset": 22190, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "process.name": "oru.exe", + "process.pid": 3114, "related.ip": [ - "10.146.228.234" + "10.59.33.174" ], - "rsa.db.index": "eatae", + "rsa.db.index": "aperiam", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "uelaudan", - "rsa.misc.OS": "taed", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "teiru", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Registration", + "rsa.misc.node": "onproid", + "rsa.misc.policy_name": "uelaud", "rsa.network.alias_host": [ - "undeom7847.api.corp" + 
"mporain5332.mail.host" ], - "rsa.network.eth_host": "01:00:5e:9a:f3:b9", "rsa.time.event_time": "2019-04-29T04:43:23.000Z", "service.type": "cylance", "source.ip": [ - "10.146.228.234" + "10.59.33.174" ], "tags": [ "cylance.protect", "forwarded" ], "user.name": [ - "susc" + "mcorp" ] }, { - "@timestamp": "2019-05-13T11:45:57.000Z", - "event.category": "ThreatUpdated", + "@timestamp": "2020-05-13T11:45:57.000Z", + "event.category": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam)", + "event.original": "May 13 9:45:57 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup", "fileset.name": "protect", - "host.name": "dolo6230.mail.invalid", "input.type": "log", - "log.offset": 22707, + "log.offset": 22494, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.59.232.97" - ], - "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", + "rsa.crypto.sig_type": "equepor", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "dolor", - "rsa.network.alias_host": [ - "dolo6230.mail.invalid" - ], - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "oluptat", + "rsa.misc.checksum": "erspicia", + "rsa.misc.event_type": 
"DeviceRemove", + "rsa.time.event_time": "2020-05-13T11:45:57.000Z", "service.type": "cylance", - "source.ip": [ - "10.59.232.97" - ], "tags": [ "cylance.protect", "forwarded" 
@@ -2918,30 +2976,28 @@ }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "event.category": "SyslogSettingsSave", + "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu)", + "event.original": "ecatcup 2019-5-28T4:48:31.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu", "fileset.name": "protect", - "host.name": "nvolup6280.api.home", + "host.name": "uamnihil1525.www.lan", "input.type": "log", - "log.offset": 22941, + "log.offset": 22670, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "dantium", - "rsa.identity.lastname": "ors", + "rsa.db.index": "amestqu", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "xeaco", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "dqu", - "rsa.misc.node": "uianonn", - "rsa.misc.policy_name": "eavolupt", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "lorumw", + "rsa.misc.serial_number": "ons", "rsa.network.alias_host": [ - "nvolup6280.api.home" + "uamnihil1525.www.lan" ], "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "cylance", 
@@ -2952,30 +3008,30 @@ }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.category": "PolicyAdd", + "event.category": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu)", + "event.original": "2019-6-11T11:51:06.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen)", "fileset.name": "protect", - "host.name": "urautodi3892.www5.example", + "host.name": "eius6126.invalid", "input.type": "log", - "log.offset": 23141, + "log.offset": 23021, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "nibu", - "rsa.identity.firstname": "mdolo", - "rsa.identity.lastname": "nof", + "rsa.identity.firstname": "Utenim", + "rsa.identity.lastname": "itationu", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "usantiu", - "rsa.misc.policy_name": "quatur", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "usBonor", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.mail_id": "eprehen", + "rsa.misc.node": "umquam", + "rsa.misc.policy_name": "ten", "rsa.network.alias_host": [ - "urautodi3892.www5.example" + "eius6126.invalid" ], "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "cylance", 
@@ -2985,120 +3041,97 @@ ] }, { - "@timestamp": "2020-06-25T08:53:40.000Z", - "event.action": "allow", - "event.category": "Alert", + "@timestamp": "2019-06-25T08:53:40.000Z", + "event.category": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita", + "event.original": "tatevel 2019-6-25T6:53:40.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass)", "fileset.name": "protect", + "host.name": "tam942.api.host", "input.type": "log", - "log.offset": 23421, + "log.offset": 23217, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "lab.exe", - "process.pid": 452, - "related.ip": [ - "10.36.18.24" - ], - "rsa.db.index": "ollita", + "rsa.db.index": "evolupt", + "rsa.identity.firstname": "ulamcola", + "rsa.identity.lastname": "epr", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "itempo", - "rsa.misc.action": [ - "allow" + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "ptass", + "rsa.misc.policy_name": "pre", + "rsa.network.alias_host": [ + "tam942.api.host" ], - "rsa.misc.device_name": "isciveli", - "rsa.misc.event_type": "Alert", - "rsa.misc.policy_name": "ing", - "rsa.time.event_time": "2020-06-25T08:53:40.000Z", + "rsa.time.event_time": 
"2019-06-25T08:53:40.000Z", "service.type": "cylance", - "source.ip": [ - "10.36.18.24" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "nsequ" ] }, { "@timestamp": "2019-07-10T03:56:14.000Z", - "event.action": "block", - "event.category": "LoginSuccess", + "event.category": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon", + "event.original": "veli 2019-7-10T1:56:14.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo)", "fileset.name": "protect", - "host.name": "uraut3756.www5.test", + "host.name": "aali1541.www5.local", "input.type": "log", - "log.offset": 23675, + "log.offset": 23433, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "oluptat.exe", - "process.pid": 4608, - "related.ip": [ - "10.127.30.119" - ], - "rsa.db.index": "iaecon", + "rsa.db.index": "The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "ollita", - "rsa.misc.policy_name": "eabillo", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "sedq", "rsa.network.alias_host": [ - "uraut3756.www5.test" + "aali1541.www5.local" ], "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "cylance", - "source.ip": [ - "10.127.30.119" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "stenatus" ] }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.category": "Alert", + "event.category": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam", + "event.original": "24-July-2019 08:58:48 medium ocons2813.mail.lan natu <acomm 2019-7-24T8:58:48.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)lamcol ", "fileset.name": "protect", - "host.name": "squ2213.www.test", + "host.name": "volupt6822.api.invalid", "input.type": "log", - "log.offset": 24057, + "log.offset": 23657, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "rExce", - "rsa.identity.firstname": "rinc", - "rsa.identity.lastname": "tno", + "rsa.identity.firstname": "qui", + "rsa.identity.lastname": "epteurs", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.device_name": "ncididu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "meumf", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "tio", + "rsa.misc.checksum": "gnaa", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "did", + "rsa.misc.node": "xcepte", "rsa.network.alias_host": [ - "squ2213.www.test" + "volupt6822.api.invalid" ], "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "cylance", 
@@ -3109,29 +3142,36 @@ }, { "@timestamp": "2019-08-07T06:01:23.000Z", - "event.category": "threat_changed", + "event.category": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi", + "event.original": "olupta 2019-8-7T4:01:23.emveleum modtempo3314.www5.test CylancePROTECT sequa erc [isq] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: epteurs was auto assigned to the Zone: IP Address: 10.171.165.221, User: (itvo)", "fileset.name": "protect", + "host.name": "modtempo3314.www5.test", "input.type": "log", - "log.offset": 24343, + "log.offset": 23939, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "uamnihil", - "rsa.identity.firstname": "iadolo", - "rsa.identity.lastname": "ecatcup", + "related.ip": [ + "10.171.165.221" + ], + "rsa.db.index": "The Device: epteurs was auto assigned to the Zone: IP Address: 10.171.165.221", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "snos", - "rsa.misc.device_name": "utod", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.mail_id": "orinrep", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "epteurs", + "rsa.network.alias_host": [ + "modtempo3314.www5.test" + ], "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "cylance", + "source.ip": [ + "10.171.165.221" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -3139,115 +3179,104 @@ }, { "@timestamp": "2019-08-21T13:03:57.000Z", - "event.action": "deny", - "event.category": "ThreatUpdated", + "event.category": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil", + "event.original": "21-Aug-2019 11:03:57 low ssequa930.domain eritquii <ecatcu 21T23:03:57.entoreve ion3339.www.localdomain CylancePROTECT Event Name:Alert, Message: Provider:tionev, Source IP:10.198.44.231, User: eni cte (ariatu)", "fileset.name": "protect", - "host.name": "umet5891.api.localdomain", + "host.name": "ion3339.www.localdomain", "input.type": "log", - "log.offset": 24578, + "log.offset": 24178, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "ngelitse.exe", - "process.pid": 4190, "related.ip": [ - "10.8.150.213" + "10.198.44.231" ], - "rsa.db.index": "hil", + "rsa.identity.firstname": "eni", + "rsa.identity.lastname": "cte", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "dipisciv", - "rsa.misc.policy_name": "mips", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "ariatu", "rsa.network.alias_host": [ - "umet5891.api.localdomain" + "ion3339.www.localdomain" ], "rsa.time.event_time": 
"2019-08-21T13:03:57.000Z", "service.type": "cylance", "source.ip": [ - "10.8.150.213" + "10.198.44.231" ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "ugiatnul" ] }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.category": "DeviceEdit", + "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015", + "event.original": "2019-9-5T6:06:31.risnisiu ten5320.test CylancePROTECT siar orisnis [texp] Event Type: ScriptControl, Event Name: threat_changed, Device Name: hend, File Path: ema, Interpreter: ents, Interpreter Version: 1.1903, Zone Names: aliqua, User Name: officiad", + "file.directory": "ema", "fileset.name": "protect", - "host.name": "umquam5574.internal.test", + "host.name": "ten5320.test", "input.type": "log", - "log.offset": 24963, + "log.offset": 24398, + "network.application": "ents", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.108.59.10" - ], - "rsa.identity.firstname": "magnama", - "rsa.identity.lastname": "reprehe", + "observer.version": "1.1903", + "rsa.db.index": "aliqua", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "citatio", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "hend", + "rsa.misc.version": "1.1903", "rsa.network.alias_host": [ - "umquam5574.internal.test" + "ten5320.test" ], "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "cylance", - "source.ip": [ - "10.108.59.10" - ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ 
+ "officiad" ] }, { "@timestamp": "2019-09-19T03:09:05.000Z", - "event.category": "ThreatUpdated", + "event.category": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) ", + "event.original": "onsecte 2019-9-19T1:09:05.inibusBo tqui99.mail.example CylancePROTECT prehende vitaedic [remip] Event Type: AuditLog, Event Name: Device Updated, Message: Device: sauteir; SHA256: CSe, User: olorsita midest (uta)olupta ", "fileset.name": "protect", - "host.name": "volupt6822.api.invalid", + "host.name": "tqui99.mail.example", "input.type": "log", - "log.offset": 25200, + "log.offset": 24650, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "qui", - "rsa.identity.lastname": "epteurs", + "rsa.identity.firstname": "olorsita", + "rsa.identity.lastname": "midest", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "tio", - "rsa.misc.checksum": "gnaa", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "did", - "rsa.misc.node": "xcepte", + "rsa.misc.checksum": "CSe", + "rsa.misc.event_type": "Device Updated", + "rsa.misc.mail_id": "uta", + "rsa.misc.node": "sauteir", "rsa.network.alias_host": [ - "volupt6822.api.invalid" + "tqui99.mail.example" ], "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "cylance", 
@@ -3258,26 +3287,31 @@ }, { "@timestamp": "2019-10-03T10:11:40.000Z", - "event.category": "Device Policy Assigned", + "event.category": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", + "event.original": "3-October-2019 20:11:40 low tali7426.invalid reprehen <tocca 2019-10-3T8:11:40.tinvolu ecatc3925.lan CylancePROTECT quin adipisc [sedqui] Event Type: ueporroq, Event Name: fullaccess, Device Names: (eetdol), Policy Name: tia, User: lup inimav (dolor)", "fileset.name": "protect", + "host.name": "ecatc3925.lan", "input.type": "log", - "log.offset": 25481, + "log.offset": 24870, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "commod", + "rsa.identity.firstname": "lup", + "rsa.identity.lastname": "inimav", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "rauto", - "rsa.misc.device_name": "rissusci", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "stl", - "rsa.misc.serial_number": "eumfugi", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ueporroq", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.mail_id": "dolor", + "rsa.misc.node": "eetdol", + "rsa.misc.policy_name": "tia", + "rsa.network.alias_host": [ + "ecatc3925.lan" + ], "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "cylance", "tags": [ 
@@ -3291,91 +3325,97 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", + "event.original": "18-October-2019 03:14:14 medium dex4759.mail.local uredo <untutla 2019-10-18T3:14:14.iame rrorsi3220.lan CylancePROTECT amestqu luptas [ariatu] Event Type: psumqui, Event Name: SyslogSettingsSave, Device Name: empor, Agent Version: ate, IP Address: (10.234.254.96), MAC Address: (01:00:5e:e8:80:20), Logged On Users: (orem), OS: dquian Zone Names: isaute", "fileset.name": "protect", + "host.name": "rrorsi3220.lan", "input.type": "log", - "log.offset": 25783, + "log.offset": 25127, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "aqua, Device Id: edquiac, Policy Name: sit", + "related.ip": [ + "10.234.254.96" + ], + "rsa.db.index": "isaute", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "incidi", - "rsa.misc.device_name": "nto", + "rsa.investigations.event_vcat": "psumqui", + "rsa.misc.OS": "dquian", "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "tutlabo", - "rsa.misc.serial_number": "ateveli", + "rsa.misc.node": "empor", + "rsa.network.alias_host": [ + "rrorsi3220.lan" + ], + "rsa.network.eth_host": "01:00:5e:e8:80:20", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "cylance", + "source.ip": [ + "10.234.254.96" + ], "tags": [ "cylance.protect", "forwarded" + ], + "user.name": [ + "orem" ] }, { "@timestamp": "2019-11-01T12:16:48.000Z", - 
"event.category": "ThreatUpdated", + "event.category": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", - "file.directory": "sunt", + "event.original": "1-November-2019 10:16:48 high ula5189.host ntocca <adolorsi 2019-11-1T10:16:48.lupt uis6796.mail.example CylancePROTECT aecatc taevita [eseosqu] Event Type: redolo, Event Name: threat_changed, Threat Class: ivelit, Threat Subclass: lumqu, SHA256: dolore, MD5: isnost", "fileset.name": "protect", - "host.name": "amvol4075.mail.localhost", + "host.name": "uis6796.mail.example", "input.type": "log", - "log.offset": 26120, - "network.application": "orumSe", + "log.offset": 25492, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3237", - "rsa.db.index": "psa", + "rsa.crypto.sig_type": "ivelit", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "onsequa", - "rsa.misc.version": "1.3237", + "rsa.investigations.event_vcat": "redolo", + "rsa.misc.checksum": "dolore", + "rsa.misc.event_type": "threat_changed", "rsa.network.alias_host": [ - "amvol4075.mail.localhost" + "uis6796.mail.example" ], "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": [ - "pta" ] }, { "@timestamp": "2019-11-15T07:19:22.000Z", - "event.category": "Registration", + "event.category": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - 
"event.original": "15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam", + "event.original": "uianonnu 2019-11-15T5:19:22.ntNeque magnidol1024.api.test CylancePROTECT aaliq tDui [ernatur] Event Type: DeviceControl, Event Name: SyslogSettingsSave, Device Name: atcupi, External Device Type: xeacomm, External Device Vendor ID: tla, External Device Name: itaspe, External Device Product ID: xerc, External Device Serial Number: uaeabill, Zone Names: uioffici", "fileset.name": "protect", - "host.name": "asi4651.api.test", + "host.name": "magnidol1024.api.test", "input.type": "log", - "log.offset": 26390, + "log.offset": 25769, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ssecill", - "rsa.identity.firstname": "officiad", - "rsa.identity.lastname": "veniam", + "rsa.db.index": "uioffici", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "emp", - "rsa.misc.event_type": "Registration", - "rsa.misc.mail_id": "labo", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "atcupi", + "rsa.misc.serial_number": "uaeabill", "rsa.network.alias_host": [ - "asi4651.api.test" + "magnidol1024.api.test" ], "rsa.time.event_time": "2019-11-15T07:19:22.000Z", "service.type": "cylance", 
@@ -3386,36 +3426,34 @@ }, { "@timestamp": "2019-11-30T14:21:57.000Z", - "event.category": "Device Policy Assigned", + "event.category": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis)", + "event.original": "30-November-2019 00:21:57 very-high tesseq6251.mail.host adipisci <ptatema 2019-11-30T12:21:57.poriss enatus6421.internal.home CylancePROTECT ficiad saquaea [archi] Event Type: AuditLog, Event Name: SystemSecurity, Message: Policy: imadm; SHA256: ugiat; Category: ius, User: msequ ciatisun (Ute)eddoe ", "fileset.name": "protect", - "host.name": "perna6751.internal.home", + "host.name": "enatus6421.internal.home", "input.type": "log", - "log.offset": 26655, + "log.offset": 26132, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.138.85.233" - ], - "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", + "rsa.identity.firstname": "msequ", + "rsa.identity.lastname": "ciatisun", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "datatno", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "ius", + "rsa.misc.checksum": "ugiat", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "Ute", + "rsa.misc.policy_name": "imadm; SHA256: ugiat; Category: ius", "rsa.network.alias_host": [ - 
"perna6751.internal.home" + "enatus6421.internal.home" ], "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "cylance", - "source.ip": [ - "10.138.85.233" - ], "tags": [ "cylance.protect", "forwarded" 
@@ -3423,30 +3461,31 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.category": "ThreatUpdated", + "event.category": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int)", + "event.original": "2019-12-14T7:24:31.uasi quaeabi5701.host CylancePROTECT mave essecill [eprehe] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: tMaloru; SHA256: rum; Category: utoditau, User: ptassita ionemul (orema)its ", "fileset.name": "protect", - "host.name": "evolupta7790.internal.local", + "host.name": "quaeabi5701.host", "input.type": "log", - "log.offset": 26905, + "log.offset": 26439, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "rehe", - "rsa.identity.firstname": "tam", - "rsa.identity.lastname": "deser", + "rsa.identity.firstname": "ptassita", + "rsa.identity.lastname": "ionemul", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "int", - "rsa.misc.policy_name": "aper", + "rsa.misc.category": "utoditau", + "rsa.misc.checksum": "rum", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "orema", + "rsa.misc.policy_name": "tMaloru; SHA256: rum; Category: utoditau", "rsa.network.alias_host": [ - "evolupta7790.internal.local" + "quaeabi5701.host" ], "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "cylance", 
diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index 7a6b15bbc30..f3f1956e80b 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 13:58:32.565997 +0000 UTC. +at 2020-07-08 15:21:16.886509 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js index 80ba6449c63..560f07e7e5d 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js 
@@ -1901,13 +1901,9 @@ function alternate_datetime(evt) { for (var f=0; f Open Network Access Connection using remote IP address 10.192.18.42 +September 20 13:57:58 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 heartbeat[dolo]: [Loremip] [idolor] info: emeumfu -November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio -EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui" -httpd[rpo]: [uipe] [inesci] scr_monitor: serror -ntpd[apariat]: kernel time sync status tlabore -January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) +October 19 04:03:07 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio +EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connectedtatfrom 10.145.225.93 itinvo" +November 16 18:08:15 rQuisau6637.internal.domain run-crons[den]: [tutla] [olorema] iades returned siarchi +httpd[mqu]: [apariat] scr_monitor: tlabore +December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) snmp[ationemu]: [ice] estiae -February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect +January 12 22:18:32 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect maintenance[etconse]: [tincu] ari -March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp +February 10 12:23:41 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp Miscellaneous[emoe]: [eaq] Purge logs: not started. 
Next purge scheduled time amest is not exceeded -EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae" -/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) -May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\' -May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\' -June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor -June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex -/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) +EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connectedequatfrom 10.77.137.72 ione" +EndpointSecurity[amre]: [rsita] id[niamqui]: "uptat - Connecteduamfrom 10.140.136.44 fficiade" +April 8 16:33:58 vitaedi1318.corp sshd[temqu]: Accepted publickey for edol from 10.26.196.144 port 4677 quatD +April 22 23:36:32 eabilloi6458.api.lan run-crons[tlab]: [volupt] osqui returned xerc +snmp[ents]: [liquide] SNMP handler started +security[uun]: [sequine] [ectio] User dutper from 10.237.205.140 presented with challenge run-crons: returned gel -August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate -August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started +June 19 03:46:49 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate +July 3 10:49:23 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\' mailer[udantium]: Failed to send \'pre\' to \'xeacom\' httpd[dictasu]: [lorinre] scr_monitor: olorsita ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide -October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc +September 12 22:02:15 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc ntpd[aturQui]: frequency 
initialized utlabor PPM from rau firepass[nisi]: [dant] shutting down for system reboot AppTunnel[tinvolu]: < Error - Invalid session id -December 21 23:20:14 quidolor5025.home run-crons: returned rem +November 9 02:12:32 quidolor5025.home run-crons: returned rem run-crons[idolor]: [uisau] [eleum] sintoc returned volupt heartbeat[uiinea]: info: Utenima -February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese -February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc +December 21 23:20:14 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese +January 5 06:22:49 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc kernel: ionofdeF -March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte +February 2 20:27:57 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id /USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) -April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 +March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 heartbeat[exe]: [imadmini] [sauteiru] info: mod /USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) httpd[eriti]: [litessec] scr_monitor: itas -June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor -July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host +May 13 21:45:57 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor +May 28 04:48:31 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' -August 7 16:01:23 archite2217.test 
NetworkAccess[psumquia]: [ven] < Error - nisist -August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) +June 25 18:53:40 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist +July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm -September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi -October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau -October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo -November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account +August 7 16:01:23 velitse543.api.example heartbeat[torever]: info: oremi +August 21 23:03:57 temUt631.www5.example heartbeat[npr]: info: mquelau +September 5 06:06:31 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo +September 19 13:09:05 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account heartbeat[iduntu]: [idestlab] info: rnatur run-crons[essequam]: acommo returned nturma -December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut +November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut +kernel[rpori]: [ice] kernel: cdrom: open failed. +November 30 00:21:57 commodo6867.internal.example snmp: +snmp[odoconse]: [quamqua] SNMP handler started diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json index 5a3b305c8d7..1bf98ee456c 100644 
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json @@ -220,7 +220,7 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"", + "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connecteduiafrom 10.171.204.166 mipsu\"", "fileset.name": "firepass", "input.type": "log", "log.offset": 869, @@ -228,15 +228,15 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.38.189.242" + "10.171.204.166" ], - "rsa.db.index": "ommodic", + "rsa.db.index": "mipsu", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2020-06-05T23:33:08.000Z", "service.type": "f5", "source.ip": [ - "10.38.189.242" + "10.171.204.166" ], "tags": [ "f5.firepass", 
@@ -244,131 +244,130 @@ ] }, { - "event.code": "/USR/SBIN/CRON", + "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) ", + "event.original": "sshd[untutl]: Accepted publickey for rad from 10.37.126.205 port 3179 scivel", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 996, + "log.offset": 997, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "/USR/SBIN/CRON", + "related.ip": [ + "10.37.126.205" + ], + "rsa.internal.messageid": "sshd", "service.type": "f5", + "source.ip": [ + "10.37.126.205" + ], + "source.port": 3179, "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "rad" ] }, { - "event.code": "/USR/SBIN/CRON", + "event.code": "httpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) ", + "event.original": "httpd[radipis]: [isetq] scr_monitor: estqui", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1061, + "log.offset": 1074, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "isetq" ] }, { - "event.code": "/USR/SBIN/CRON", + "event.code": "firepass", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) ", + "event.original": "July 18 18:40:50 enimad2283.internal.domain firepass[boreet]: [onev] [tenima] Accessing https://www5.example.com/aquaeabi/giatq.html?veleumi=tia#enim", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1106, + "log.offset": 1118, 
"observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.internal.messageid": "firepass", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" + ], + "url.original": "https://www5.example.com/aquaeabi/giatq.html?veleumi=tia#enim", + "user.name": [ + "onev" ] }, { - "event.code": "sshd", + "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev", + "event.original": "August 2 01:43:25 antium1279.mail.test heartbeat[iusmodt]: info: doloreeu", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1158, + "log.offset": 1268, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.175.6.112" - ], - "rsa.internal.messageid": "sshd", + "rsa.db.index": "doloreeu", + "rsa.internal.messageid": "heartbeat", "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "service.type": "f5", - "source.ip": [ - "10.175.6.112" - ], - "source.port": 5509, "tags": [ "f5.firepass", "forwarded" - ], - "user.name": [ - "sum" ] }, { - "event.code": "maintenance", + "event.code": "httpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "maintenance[giatq]: [quid] [fug] uatDuis ", + "event.original": "httpd[uidexea]: [anim] [autfugi] scr_monitor: inBCSedu", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1270, + "log.offset": 1342, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "maintenance", + "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "anim" ] }, { - "event.code": "firepass", + "event.code": "kernel", "event.dataset": 
"f5.firepass", "event.module": "f5", - "event.original": "firepass[veri]: [rsita] [siutaliq] exercit", + "event.original": "kernel[nimadmin]: kernel: cdrom: open failed.", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1312, + "log.offset": 1397, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.event_desc": "exercit", - "rsa.internal.messageid": "firepass", + "rsa.internal.messageid": "kernel", "service.type": "f5", "tags": [ "f5.firepass", @@ -376,33 +375,19 @@ ] }, { - "destination.ip": [ - "10.230.12.79" - ], - "destination.port": 340, - "event.code": "kernel", + "event.code": "ntpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu", + "event.original": "ntpd[temq]: [ugiatqu] kernel time sync status eacomm", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1355, - "network.protocol": "ggp", + "log.offset": 1443, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.230.12.79", - "10.18.220.102" - ], - "rsa.db.index": "obeataev", - "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "rsa.internal.messageid": "ntpd", + "rsa.misc.result_code": "eacomm", "service.type": "f5", - "source.ip": [ - "10.18.220.102" - ], - "source.port": 5000, "tags": [ "f5.firepass", "forwarded" 
@@ -412,122 +397,68 @@ "event.code": "mailer", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'", + "event.original": "mailer[uptatev]: [uovol] Failed to send \\'dmi\\' to \\'olab\\'", "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1528, + "log.offset": 1496, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.email.email_dst": "temq", - "rsa.email.subject": "uam", + "rsa.email.email_dst": "olab", + "rsa.email.subject": "dmi", "rsa.internal.messageid": "mailer", "rsa.investigations.ec_activity": "Send", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "Message", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ] }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1634, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.50.112.141" - ], - "rsa.db.index": "mqua", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", - "service.type": "f5", - "source.ip": [ - "10.50.112.141" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, { "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci", + "event.original": "October 12 12:56:16 temsequ3857.www.localdomain sshd[idexea]: 
Accepted publickey for riat from 10.37.79.163 port 457 osquir", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1758, + "log.offset": 1556, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.61.78.108" + "10.37.79.163" ], "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "service.type": "f5", "source.ip": [ - "10.61.78.108" + "10.37.79.163" ], - "source.port": 2398, + "source.port": 457, "tags": [ "f5.firepass", "forwarded" ], "user.name": [ - "err" + "riat" ] }, { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'", - "event.outcome": "Failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1846, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "riat", - "rsa.email.subject": "idexea", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", + "event.code": "ntpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "heartbeat[umdolor]: [osquir] info: inim", + "event.original": "ntpd[deomni]: [tquovol] frequency initialized ntsuntin PPM from aecatcup", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1939, + "log.offset": 1680, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.db.index": "inim", - "rsa.internal.messageid": "heartbeat", + "rsa.internal.messageid": "ntpd", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -535,19 +466,24 @@ ] }, { - "event.code": "GarbageCollection", + "destination.ip": [ + "10.52.54.178" + ], + "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services", + "event.original": "ntpdate[oluptate]: adjust time server 10.52.54.178 offset turQuisa", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1979, + "log.offset": 1753, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.event_desc": "timeout happened. restarting services", - "rsa.internal.messageid": "GarbageCollection", - "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "related.ip": [ + "10.52.54.178" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "turQuisa", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -555,65 +491,74 @@ ] }, { - "event.code": "EndpointSecurity", + "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"", + "event.original": "sshd[lit]: [iam] Accepted publickey for qua from 10.159.182.171 port 3947 apariat", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2084, + "log.offset": 1820, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.243.206.225" + "10.159.182.171" ], - "rsa.db.index": "mol", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.internal.messageid": "sshd", "service.type": "f5", "source.ip": [ - "10.243.206.225" + "10.159.182.171" ], + "source.port": 3947, "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "qua" ] }, { - "event.code": "kernel", + "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan", + "event.original": "sshd[pteursi]: [onse] [rumet] Accepted publickey for oll from 10.206.197.113 port 4075 temUten", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2214, + "log.offset": 1902, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.db.index": "ccusan", - "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "related.ip": [ + "10.206.197.113" + ], + "rsa.internal.messageid": "sshd", "service.type": "f5", + "source.ip": [ + "10.206.197.113" + ], + "source.port": 4075, "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "oll" ] }, { "event.code": "Miscellaneous", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "January 20 
14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records", + "event.original": "December 23 00:09:07 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2297, + "log.offset": 1997, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "Miscellaneous", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -631,7 +576,7 @@ "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2430, + "log.offset": 2131, "network.protocol": "SNMP", "observer.product": "FirePass", "observer.type": "VPN", @@ -651,10 +596,10 @@ "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", + "event.original": "January 20 14:14:16 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2483, + "log.offset": 2184, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -662,7 +607,7 @@ "10.0.3.58" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "service.type": "f5", "source.ip": [ "10.0.3.58" 
@@ -680,15 +625,15 @@ "event.code": "GarbageCollection", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it", + "event.original": "February 3 21:16:50 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2609, + "log.offset": 2309, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "GarbageCollection", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -702,7 +647,7 @@ "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2736, + "log.offset": 2439, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -727,16 +672,16 @@ "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", + "event.original": "March 4 11:21:59 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2830, + "log.offset": 2533, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "omm", "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -753,7 +698,7 @@ "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2925, + "log.offset": 2628, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -772,11 +717,11 @@ "event.code": "mailer", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", + "event.original": "April 2 01:27:07 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2988, + "log.offset": 2691, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -787,7 +732,7 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "Message", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -801,7 +746,7 @@ "event.original": "run-crons[luptatev]: admi returned modocons", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3072, + "log.offset": 2774, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -821,21 +766,21 @@ "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", + "event.original": "April 30 15:32:16 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3116, + "log.offset": 2818, "network.protocol": "rdp", "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.46.158.31", - "10.117.146.33" + "10.117.146.33", + "10.46.158.31" ], "rsa.db.index": "dun", "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", "service.type": "f5", "source.ip": [ "10.117.146.33" @@ -851,11 +796,11 @@ "event.code": "security", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", + "event.original": "May 14 22:34:50 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", "event.outcome": "Error", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3291, + "log.offset": 2995, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -870,7 +815,7 @@ "rsa.misc.action": [ "block" ], - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", "service.type": "f5", "source.ip": [ "10.196.136.214" 
@@ -884,16 +829,16 @@ "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem ", + "event.original": "May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem ", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3389, + "log.offset": 3092, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "Logged", "rsa.internal.messageid": "maintenance", - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -910,7 +855,7 @@ "event.original": "firepass[rehe]: [ume] Logged out", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3482, + "log.offset": 3184, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -930,18 +875,18 @@ "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) ", + "event.original": "June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) ", "fileset.name": "firepass", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 3515, + "log.offset": 3217, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -952,16 +897,16 @@ "event.code": "snmp", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", + "event.original": "July 11 02:45:07 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3608, + "log.offset": 3310, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.event_desc": "erc", "rsa.internal.messageid": "snmp", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "rsa.time.event_time": "2019-07-11T04:45:07.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -975,7 +920,7 @@ "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3676, + "log.offset": 3377, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -990,17 +935,17 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", + "event.original": "August 8 16:50:15 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3728, + "log.offset": 3429, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.event_desc": "uasia", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1011,17 +956,17 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", + "event.original": "August 22 23:52:50 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3814, + "log.offset": 3512, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.event_desc": "uames", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1035,7 +980,7 @@ "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3904, + "log.offset": 3599, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1056,10 +1001,10 @@ "event.code": "NetworkAccess", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", + "event.original": "September 20 13:57:58 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3965, + "log.offset": 3660, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1070,7 +1015,7 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", "rsa.misc.log_session_id": "isno", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1087,7 +1032,7 @@ "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4109, + "log.offset": 3806, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1103,10 +1048,10 @@ "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", + "event.original": "October 19 04:03:07 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4159, + "log.offset": 3856, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1114,7 +1059,7 @@ "10.86.63.253" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "service.type": "f5", "source.ip": [ "10.86.63.253" @@ -1132,22 +1077,22 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"", + "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connectedtatfrom 10.145.225.93 itinvo\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4294, + "log.offset": 3990, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.26.236.35" + "10.145.225.93" ], - "rsa.db.index": "lumqui", + "rsa.db.index": "itinvo", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "source.ip": [ - "10.26.236.35" + "10.145.225.93" ], "tags": [ "f5.firepass", 
@@ -1155,61 +1100,62 @@ ] }, { - "event.code": "httpd", + "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror", + "event.original": "November 16 18:08:15 rQuisau6637.internal.domain run-crons[den]: [tutla] [olorema] iades returned siarchi", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4384, + "log.offset": 4083, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "httpd", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "siarchi", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ], - "user.name": [ - "uipe" ] }, { - "event.code": "ntpd", + "event.code": "httpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "ntpd[apariat]: kernel time sync status tlabore", + "event.original": "httpd[mqu]: [apariat] scr_monitor: tlabore", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4432, + "log.offset": 4189, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "rsa.misc.result_code": "tlabore", + "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "apariat" ] }, { "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) ", + "event.original": "December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) ", "fileset.name": "firepass", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 4479, + "log.offset": 4232, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "/USR/SBIN/CRON", - 
"rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1223,7 +1169,7 @@ "event.original": "snmp[ationemu]: [ice] estiae", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4576, + "log.offset": 4330, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1242,10 +1188,10 @@ "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", + "event.original": "January 12 22:18:32 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4605, + "log.offset": 4359, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1254,7 +1200,7 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "hitect", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1271,7 +1217,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 4713, + "log.offset": 4466, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1286,16 +1232,16 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", + "event.original": "February 10 12:23:41 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4748, + "log.offset": 4501, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "texp", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1309,7 +1255,7 @@ "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4827, + "log.offset": 4583, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1327,22 +1273,22 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"", + "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connectedequatfrom 10.77.137.72 ione\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4927, + "log.offset": 4683, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.164.6.207" + "10.77.137.72" ], - "rsa.db.index": "olestiae", + "rsa.db.index": "ione", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "source.ip": [ - "10.164.6.207" + "10.77.137.72" ], "tags": [ "f5.firepass", 
@@ -1350,92 +1296,74 @@ ] }, { - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) ", - "fileset.name": "firepass", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5024, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "/USR/SBIN/CRON", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", + "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'", - "event.outcome": "Failure", + "event.original": "EndpointSecurity[amre]: [rsita] id[niamqui]: \"uptat - Connecteduamfrom 10.140.136.44 fficiade\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5080, + "log.offset": 4780, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.email.email_dst": "uioffi", - "rsa.email.subject": "sectetur", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", + "related.ip": [ + "10.140.136.44" + ], + "rsa.db.index": "fficiade", + "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2020-05-07T08:39:06.000Z", "service.type": "f5", + "source.ip": [ + "10.140.136.44" + ], "tags": [ "f5.firepass", "forwarded" ] }, { - "event.code": "mailer", + "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'", - "event.outcome": "Failure", + "event.original": "April 8 16:33:58 vitaedi1318.corp sshd[temqu]: 
Accepted publickey for edol from 10.26.196.144 port 4677 quatD", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5179, + "log.offset": 4875, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.email.email_dst": "pariatu", - "rsa.email.subject": "reseos", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "related.ip": [ + "10.26.196.144" + ], + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "service.type": "f5", + "source.ip": [ + "10.26.196.144" + ], + "source.port": 4677, "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "edol" ] }, { - "event.code": "heartbeat", + "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor", + "event.original": "April 22 23:36:32 eabilloi6458.api.lan run-crons[tlab]: [volupt] osqui returned xerc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5268, + "log.offset": 4985, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.db.index": "olor", - "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "xerc", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1443,19 +1371,23 @@ ] }, { - "event.code": "run-crons", + "event.action": "started", + "event.code": "snmp", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex", + "event.original": "snmp[ents]: [liquide] SNMP handler started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5359, + "log.offset": 5070, + "network.protocol": "SNMP", "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "tasuntex", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "rsa.internal.event_desc": "SNMP handler started", + "rsa.internal.messageid": "snmp", + "rsa.misc.action": [ + "started" + ], "service.type": "f5", "tags": [ "f5.firepass", @@ -1463,24 +1395,32 @@ ] }, { - "event.code": "/USR/SBIN/CRON", + "event.code": "security", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) ", + "event.original": "security[uun]: [sequine] [ectio] User dutper from 10.237.205.140 presented with challenge", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5439, + "log.offset": 5113, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "/USR/SBIN/CRON", + "related.ip": [ + "10.237.205.140" + ], + "rsa.internal.event_desc": "user presented with challenge", + "rsa.internal.messageid": "security", + "rsa.investigations.ec_subject": "User", "service.type": "f5", + "source.ip": [ + "10.237.205.140" + ], "tags": [ "f5.firepass", "forwarded" + ], + "user.name": [ + "dutper" ] }, { 
@@ -1490,7 +1430,7 @@ "event.original": "run-crons: returned gel", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5504, + "log.offset": 5203, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1506,16 +1446,16 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", + "event.original": "June 19 03:46:49 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5529, + "log.offset": 5228, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "uptate", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1526,15 +1466,15 @@ "event.code": "Miscellaneous", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", + "event.original": "July 3 10:49:23 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5609, + "log.offset": 5307, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "Miscellaneous", - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1552,7 +1492,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5702, + "log.offset": 5397, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1577,7 +1517,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5776, + "log.offset": 5471, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1601,7 +1541,7 @@ "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5831, + "log.offset": 5526, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1625,7 +1565,7 @@ "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5879, + "log.offset": 5574, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1644,16 +1584,16 @@ "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", + "event.original": "September 12 22:02:15 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5952, + "log.offset": 5647, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "intocc", - "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1667,7 +1607,7 @@ "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6046, + "log.offset": 5743, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1685,7 +1625,7 @@ "event.original": "firepass[nisi]: [dant] shutting down for system reboot", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6104, + "log.offset": 5801, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1704,7 +1644,7 @@ "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6159, + "log.offset": 5856, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1722,16 +1662,16 @@ "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem", + "event.original": "November 9 02:12:32 quidolor5025.home run-crons: returned rem", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6215, + "log.offset": 5912, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "rem", - "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1745,7 +1685,7 @@ "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6279, + "log.offset": 5975, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1764,7 +1704,7 @@ "event.original": "heartbeat[uiinea]: info: Utenima", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6337, + "log.offset": 6033, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1783,10 +1723,10 @@ "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", + "event.original": "December 21 23:20:14 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6370, + "log.offset": 6066, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1795,7 +1735,7 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "ese", - "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1806,16 +1746,16 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", + "event.original": "January 5 06:22:49 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6476, + "log.offset": 6173, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "ntocc", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1829,7 +1769,7 @@ "event.original": "kernel: ionofdeF", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6557, + "log.offset": 6252, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1845,16 +1785,16 @@ "event.code": "ntpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", + "event.original": "February 2 20:27:57 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6574, + "log.offset": 6269, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "ntpd", "rsa.time.duration_str": "epte", - "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1868,7 +1808,7 @@ "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6646, + "log.offset": 6343, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1892,7 +1832,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 6719, + "log.offset": 6416, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1907,16 +1847,16 @@ "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 ", + "event.original": "March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 ", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6775, + "log.offset": 6472, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "Trying", "rsa.internal.messageid": "maintenance", - "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1933,7 +1873,7 @@ "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6898, + "log.offset": 6595, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1955,7 +1895,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 6946, + "log.offset": 6643, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1973,7 +1913,7 @@ "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6998, + "log.offset": 6695, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1994,10 +1934,10 @@ "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", + "event.original": "May 13 21:45:57 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7041, + "log.offset": 6738, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2006,7 +1946,7 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "utlabor", - "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -2017,11 +1957,11 @@ "event.code": "firepass", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", + "event.original": "May 28 04:48:31 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", "fileset.name": "firepass", "host.name": "eufugi2923.internal.host", "input.type": "log", - "log.offset": 7164, + "log.offset": 6860, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2031,7 +1971,7 @@ "rsa.network.alias_host": [ "eufugi2923.internal.host" ], - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2049,7 +1989,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7283, + "log.offset": 6978, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2070,10 +2010,10 @@ "event.code": "NetworkAccess", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", + "event.original": "June 25 18:53:40 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7341, + "log.offset": 7036, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2082,7 +2022,7 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", "rsa.misc.log_session_id": "con", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -2096,18 +2036,18 @@ "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) ", + "event.original": "July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) ", "fileset.name": "firepass", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 7429, + "log.offset": 7123, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2121,7 +2061,7 @@ "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7532, + "log.offset": 7224, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2137,16 +2077,16 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi", + "event.original": "August 7 16:01:23 velitse543.api.example heartbeat[torever]: info: oremi", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7583, + "log.offset": 7275, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "oremi", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -2157,16 +2097,16 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau", + "event.original": "August 21 23:03:57 temUt631.www5.example heartbeat[npr]: info: mquelau", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7660, + "log.offset": 7348, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "mquelau", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2177,16 +2117,16 @@ "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", + "event.original": "September 5 06:06:31 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7731, + "log.offset": 7419, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "idolo", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -2197,11 +2137,11 @@ "event.code": "security", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", + "event.original": "September 19 13:09:05 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7835, + "log.offset": 7524, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2210,7 +2150,7 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Policy", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2227,7 +2167,7 @@ "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7962, + "log.offset": 7653, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2246,7 +2186,7 @@ "event.original": "run-crons[essequam]: acommo returned nturma", "fileset.name": "firepass", "input.type": "log", - "log.offset": 8005, + "log.offset": 7696, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2262,16 +2202,78 @@ "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut ", + "event.original": "November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut ", "fileset.name": "firepass", "input.type": "log", - "log.offset": 8049, + "log.offset": 7740, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "rsa.db.index": "GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "kernel[rpori]: [ice] kernel: cdrom: open failed.", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7924, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 30 00:21:57 commodo6867.internal.example snmp: ", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7973, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "snmp:", + "rsa.internal.messageid": "snmp", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + 
"event.action": "started", + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "snmp[odoconse]: [quamqua] SNMP handler started", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 8030, + "network.protocol": "SNMP", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "SNMP handler started", + "rsa.internal.messageid": "snmp", + "rsa.misc.action": [ + "started" + ], "service.type": "f5", "tags": [ "f5.firepass", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js index 80ba6449c63..560f07e7e5d 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js @@ -1901,13 +1901,9 @@ function alternate_datetime(evt) { for (var f=0; f} n=%{fld2->} src=%{p0}"); -var dup8 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); -var dup9 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var dup10 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); -var dup11 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); - -var dup12 = date_time({ +var dup11 = date_time({ dest: "event_time", args: ["hdate","htime"], fmts: [ 
@@ -45,29 +43,29 @@ var dup12 = date_time({ ], }); -var dup13 = setc("eventcategory","1502010000"); +var dup12 = setc("eventcategory","1502010000"); -var dup14 = setc("eventcategory","1502020000"); +var dup13 = setc("eventcategory","1502020000"); -var dup15 = setc("eventcategory","1002010000"); +var dup14 = setc("eventcategory","1002010000"); -var dup16 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); +var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); -var dup17 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); +var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); -var dup18 = setf("hostip","hhostip"); +var dup17 = setf("hostip","hhostip"); -var dup19 = setf("id","hid"); +var dup18 = setf("id","hid"); -var dup20 = setf("serial_number","hserial_number"); +var dup19 = setf("serial_number","hserial_number"); -var dup21 = setf("category","hcategory"); +var dup20 = setf("category","hcategory"); -var dup22 = setf("severity","hseverity"); +var dup21 = setf("severity","hseverity"); -var dup23 = setc("eventcategory","1805010000"); +var dup22 = setc("eventcategory","1805010000"); -var dup24 = call({ +var dup23 = call({ dest: "nwparser.msg", fn: RMQ, args: [ 
@@ -75,23 +73,25 @@ var dup24 = call({ ], }); -var dup25 = setc("eventcategory","1302000000"); +var dup24 = setc("eventcategory","1302000000"); + +var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); -var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); +var dup27 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); -var dup28 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); +var dup28 = setc("eventcategory","1401050100"); -var dup29 = setc("eventcategory","1401050100"); +var dup29 = setc("eventcategory","1401030000"); -var dup30 = setc("eventcategory","1401030000"); +var dup30 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); -var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); +var dup31 = setc("eventcategory","1301020000"); -var dup32 = setc("eventcategory","1301020000"); +var dup32 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); -var dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); +var dup33 = match("MESSAGE#52:35:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); 
@@ -201,478 +201,486 @@ var dup83 = setc("eventcategory","1001020309"); var dup84 = setc("eventcategory","1303000000"); -var dup85 = match("MESSAGE#202:139:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); +var dup85 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); -var dup86 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); +var dup86 = setc("eventcategory","1801010100"); -var dup87 = setc("eventcategory","1801010100"); +var dup87 = setc("eventcategory","1604010000"); -var dup88 = setc("eventcategory","1604010000"); +var dup88 = setc("eventcategory","1002020000"); -var dup89 = setc("eventcategory","1002020000"); +var dup89 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); -var dup90 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); +var dup90 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); -var dup91 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); +var dup91 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); -var dup92 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); +var dup92 = setc("eventcategory","1001010000"); -var dup93 = setc("eventcategory","1001010000"); +var dup93 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); -var dup94 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); +var dup94 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); -var dup95 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); +var dup95 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); -var dup96 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" 
npcs=%{info}"); +var dup96 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); -var dup97 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); +var dup97 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); -var dup98 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); +var dup98 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); -var dup99 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); +var dup99 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); -var dup100 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); +var dup100 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); -var dup101 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); +var dup101 = setc("eventcategory","1401060000"); -var dup102 = setc("eventcategory","1401060000"); +var dup102 = setc("eventcategory","1804000000"); -var dup103 = setc("eventcategory","1804000000"); +var dup103 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var dup104 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var dup104 = setc("eventcategory","1401070000"); -var dup105 = setc("eventcategory","1401070000"); +var dup105 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var dup106 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); +var dup106 = setc("eventcategory","1801030000"); -var dup107 = setc("eventcategory","1801030000"); +var dup107 = setc("eventcategory","1402020300"); -var dup108 = setc("eventcategory","1402020300"); +var dup108 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" 
n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); -var dup109 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); +var dup109 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); -var dup110 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); +var dup110 = setc("eventcategory","1402000000"); -var dup111 = setc("eventcategory","1402000000"); +var dup111 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); -var dup112 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); +var dup112 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); -var dup113 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); +var dup113 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var dup114 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); +var dup114 = setc("eventcategory","1803020000"); -var dup115 = setc("eventcategory","1803020000"); +var dup115 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); -var dup116 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); +var dup116 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); -var dup117 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); +var dup117 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup118 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup118 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); -var dup119 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); +var dup119 = 
match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var dup120 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var dup120 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); -var dup121 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); +var dup121 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); -var dup122 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); +var dup122 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); -var dup123 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); +var dup123 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); -var dup124 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); +var dup124 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); -var dup125 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); +var dup125 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var dup126 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var dup126 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); -var dup127 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); +var dup127 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); -var dup128 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); 
+var dup128 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); -var dup129 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var dup129 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); -var dup130 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); +var dup130 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); -var dup131 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); +var dup131 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); -var dup132 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var dup132 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); -var dup133 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); +var dup133 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); -var dup134 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); +var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup135 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup135 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); -var dup136 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); +var dup136 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); -var dup137 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); +var dup137 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); -var dup138 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var dup138 = 
match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); -var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); +var dup139 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup140 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); -var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); +var dup141 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); -var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); +var dup142 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); -var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); +var dup143 = setc("event_description","Connection Closed"); -var dup144 = setc("event_description","Connection Closed"); +var dup144 = setc("eventcategory","1801020000"); -var dup145 = setc("eventcategory","1801020000"); +var dup145 = setc("ec_activity","Permit"); -var dup146 = setc("ec_activity","Permit"); +var dup146 = setc("action","allowed"); -var dup147 = setc("action","allowed"); +var dup147 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var dup148 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup149 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); -var dup150 = 
match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); +var dup150 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); -var dup151 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); +var dup151 = setc("eventcategory","1001030500"); -var dup152 = setc("eventcategory","1001030500"); +var dup152 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); -var dup153 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); +var dup153 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var dup154 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var dup154 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var dup155 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var dup155 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup156 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var dup156 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); -var dup157 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); +var dup157 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); -var dup158 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); +var dup158 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); -var dup159 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); +var dup159 = match("MESSAGE#366:712:02/5", "nwparser.p0", 
"%{fld51}"); -var dup160 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); +var dup160 = setc("eventcategory","1801010000"); -var dup161 = setc("eventcategory","1801010000"); +var dup161 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); -var dup162 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); +var dup162 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup163 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var dup163 = setc("eventcategory","1003010000"); -var dup164 = setc("eventcategory","1003010000"); +var dup164 = setc("eventcategory","1609000000"); -var dup165 = setc("eventcategory","1609000000"); +var dup165 = setc("eventcategory","1204000000"); -var dup166 = setc("eventcategory","1204000000"); +var dup166 = setc("eventcategory","1602000000"); -var dup167 = setc("eventcategory","1602000000"); +var dup167 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var dup168 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); +var dup168 = setc("eventcategory","1803000000"); -var dup169 = setc("eventcategory","1803000000"); +var dup169 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var dup170 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var dup170 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); -var dup171 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var dup171 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); -var dup172 = match("MESSAGE#461:1220/3_1", 
"nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var dup172 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var dup173 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); +var dup173 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); -var dup174 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var dup174 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); -var dup175 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - -var dup176 = linear_select([ +var dup175 = linear_select([ + dup8, dup9, - dup10, ]); -var dup177 = linear_select([ +var dup176 = linear_select([ + dup15, dup16, - dup17, ]); -var dup178 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var dup177 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup24, + dup23, ])); -var dup179 = linear_select([ +var dup178 = linear_select([ + dup25, dup26, - dup27, ]); -var dup180 = linear_select([ +var dup179 = linear_select([ dup34, dup35, ]); -var dup181 = linear_select([ - dup26, +var dup180 = linear_select([ + dup25, dup39, ]); -var dup182 = linear_select([ +var dup181 = linear_select([ dup41, dup42, ]); -var dup183 = linear_select([ +var dup182 = linear_select([ dup46, dup47, ]); -var dup184 = linear_select([ +var dup183 = linear_select([ dup49, dup50, ]); -var dup185 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup62, ])); -var dup186 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); -var dup187 = linear_select([ +var dup186 = linear_select([ dup71, dup75, dup76, ]); -var dup188 = linear_select([ - dup9, - dup26, +var dup187 = linear_select([ + dup8, + dup25, ]); -var dup189 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ +var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); -var dup190 = linear_select([ +var dup189 = linear_select([ + dup33, dup85, - dup86, ]); -var dup191 = linear_select([ +var dup190 = linear_select([ + dup89, dup90, - dup91, ]); -var dup192 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var dup191 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup5, ])); -var dup193 = linear_select([ +var dup192 = linear_select([ + dup93, dup94, - dup95, ]); -var dup194 = linear_select([ +var dup193 = linear_select([ + dup97, dup98, - dup99, ]); -var dup195 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup89, +var dup194 = 
match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup88, ])); -var dup196 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup89, +var dup195 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup88, ])); -var dup197 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var dup196 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var dup198 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var dup197 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup1, ])); -var dup199 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ +var dup198 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, - dup24, + dup23, ])); -var dup200 = linear_select([ +var dup199 = linear_select([ dup66, - dup110, + dup109, ]); -var dup201 = linear_select([ +var dup200 = linear_select([ + dup111, dup112, - dup113, ]); -var dup202 = linear_select([ - dup117, +var dup201 = linear_select([ + dup116, dup45, ]); -var dup203 = linear_select([ - dup9, - dup27, +var dup202 = linear_select([ + dup8, + dup26, ]); -var dup204 = linear_select([ - dup9, - dup26, +var 
dup203 = linear_select([ + dup8, + dup25, dup39, ]); -var dup205 = linear_select([ +var dup204 = linear_select([ dup71, + dup15, dup16, - dup17, ]); -var dup206 = linear_select([ +var dup205 = linear_select([ + dup122, dup123, - dup124, ]); -var dup207 = linear_select([ +var dup206 = linear_select([ dup68, dup69, dup74, ]); -var dup208 = linear_select([ +var dup207 = linear_select([ + dup128, dup129, - dup130, ]); -var dup209 = linear_select([ +var dup208 = linear_select([ dup41, dup42, - dup136, + dup135, ]); -var dup210 = linear_select([ +var dup209 = linear_select([ + dup136, dup137, - dup138, ]); -var dup211 = linear_select([ +var dup210 = linear_select([ + dup139, dup140, - dup141, ]); -var dup212 = linear_select([ +var dup211 = linear_select([ + dup141, dup142, - dup143, ]); -var dup213 = linear_select([ +var dup212 = linear_select([ dup49, - dup150, + dup149, ]); -var dup214 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup152, +var dup213 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup151, ])); -var dup215 = linear_select([ - dup154, +var dup214 = linear_select([ + dup153, dup40, ]); -var dup216 = linear_select([ +var dup215 = linear_select([ + dup155, dup156, - dup157, ]); -var dup217 = linear_select([ +var dup216 = linear_select([ + dup157, dup158, - dup159, ]); -var dup218 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var dup217 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ dup5, ])); -var dup219 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ +var dup218 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ dup5, ])); -var 
dup220 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var dup219 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, - dup24, + dup23, ])); -var dup221 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var dup220 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup24, + dup23, ])); -var dup222 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ +var dup221 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, - dup24, + dup23, ])); -var dup223 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup165, +var dup222 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup37, ])); -var dup224 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ +var dup223 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); -var dup225 = linear_select([ +var dup224 = linear_select([ + dup170, dup171, - dup172, ]); -var dup226 = linear_select([ +var dup225 = linear_select([ + dup173, dup174, - dup175, ]); -var dup227 = match("MESSAGE#482:796", 
"nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var dup226 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var dup228 = all_match({ +var dup227 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup177, - dup28, + dup30, + dup178, + dup10, + dup176, + dup27, ], on_success: processor_chain([ + dup29, + ]), +}); + +var dup228 = all_match({ + processors: [ dup30, + dup178, + dup10, + dup189, + ], + on_success: processor_chain([ + dup86, ]), }); var dup229 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup87, + dup59, ]), }); var dup230 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup96, + dup193, ], on_success: processor_chain([ dup59, 
@@ -681,114 +689,104 @@ var dup230 = all_match({ var dup231 = all_match({ processors: [ - dup97, - dup194, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup59, + dup101, ]), }); var dup232 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup102, + dup29, ]), }); var dup233 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup30, + dup28, ]), }); var dup234 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup103, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup29, + dup104, ]), }); var dup235 = all_match({ processors: [ - dup104, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup105, + dup107, ]), }); var dup236 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup108, + dup199, ], on_success: processor_chain([ - dup108, + dup88, ]), }); var dup237 = all_match({ processors: [ - dup109, - dup200, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup89, + dup110, ]), }); var dup238 = all_match({ - processors: [ - dup106, - dup179, - dup11, - dup190, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var dup239 = all_match({ processors: [ dup44, - dup180, + dup179, dup36, - dup190, + dup189, ], on_success: processor_chain([ dup5, ]), }); -var dup240 = all_match({ +var dup239 = all_match({ processors: [ dup80, - dup179, - dup11, - dup177, + dup178, + dup10, + dup176, dup79, ], on_success: processor_chain([ 
@@ -796,51 +794,51 @@ var dup240 = all_match({ ]), }); -var dup241 = all_match({ +var dup240 = all_match({ processors: [ - dup153, + dup152, + dup214, + dup154, dup215, - dup155, dup216, - dup217, - dup160, + dup159, ], on_success: processor_chain([ - dup152, + dup151, dup51, dup52, dup53, dup54, dup37, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); -var dup242 = all_match({ +var dup241 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup193, - dup96, + dup7, + dup175, + dup10, + dup192, + dup95, ], on_success: processor_chain([ dup1, ]), }); -var dup243 = all_match({ +var dup242 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup191, - dup92, + dup7, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup1, 
@@ -972,81 +970,83 @@ var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; d var msg13 = msg("13", part13); -var part14 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); +var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); -var part15 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); +var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); + +var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); var select5 = linear_select([ - part14, part15, + part16, ]); var all1 = all_match({ processors: [ - dup6, + part14, select5, ], on_success: processor_chain([ - dup7, + dup6, setc("action","Web site access denied"), ]), }); var msg14 = msg("14", all1); -var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); +var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); -var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); +var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); var select6 = linear_select([ - part16, part17, + part18, ]); -var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); +var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); var all2 = all_match({ processors: [ - dup8, - dup176, - dup11, + dup7, + dup175, + dup10, select6, - part18, + part19, ], on_success: processor_chain([ - dup7, + dup6, ]), }); var 
msg15 = msg("14:01", all2); -var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup7, - dup12, +var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, ])); -var msg16 = msg("14:02", part19); +var msg16 = msg("14:02", part20); -var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup7, - dup12, +var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, ])); -var msg17 = msg("14:03", part20); +var msg17 = msg("14:03", part21); -var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} 
sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup7, - dup12, +var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, ])); -var msg18 = msg("14:04", part21); +var msg18 = msg("14:04", part22); -var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup7, - dup12, +var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, ])); -var msg19 = msg("14:05", part22); +var msg19 = msg("14:05", part23); var select7 = linear_select([ msg14, 
@@ -1057,121 +1057,121 @@ var select7 = linear_select([ msg19, ]); -var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ - dup13, +var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, ])); -var msg20 = msg("15", part23); +var msg20 = msg("15", part24); -var part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ - dup14, +var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, ])); -var msg21 = msg("16", part24); +var msg21 = msg("16", part25); -var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ - dup14, +var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, ])); -var msg22 = msg("17", part25); +var msg22 = msg("17", part26); -var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ - dup13, +var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, ])); -var msg23 = msg("18", part26); +var msg23 = msg("18", part27); -var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ - dup13, +var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, ])); -var msg24 = msg("19", part27); +var msg24 = msg("19", part28); -var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ - dup13, +var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, ])); -var msg25 = msg("20", part28); +var msg25 = msg("20", part29); -var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ +var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ dup1, ])); 
-var msg26 = msg("21", part29); +var msg26 = msg("21", part30); -var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ - dup15, +var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, ])); -var msg27 = msg("22", part30); +var msg27 = msg("22", part31); -var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ - dup15, +var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, ])); -var msg28 = msg("23", part31); +var msg28 = msg("23", part32); -var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); +var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); -var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); +var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); var select8 = linear_select([ - part33, part34, + part35, ]); -var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); +var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); var all3 = all_match({ processors: [ - part32, - dup177, - dup11, + part33, + dup176, + dup10, select8, - part35, + part36, ], on_success: processor_chain([ - dup15, + dup14, ]), }); var msg29 = msg("23:01", all3); -var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ - dup15, +var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", 
processor_chain([ + dup14, ])); -var msg30 = msg("23:02", part36); +var msg30 = msg("23:02", part37); -var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); +var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); -var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); +var part40 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); var select9 = linear_select([ - part38, part39, + part40, ]); -var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); +var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); var all4 = all_match({ processors: [ - part37, + part38, select9, - part40, + part41, ], on_success: processor_chain([ - dup15, - dup12, + dup14, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); 
@@ -1184,72 +1184,72 @@ var select10 = linear_select([ msg31, ]); -var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ - dup23, +var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup22, ])); -var msg32 = msg("24", part41); +var msg32 = msg("24", part42); -var msg33 = msg("24:01", dup178); +var msg33 = msg("24:01", dup177); var select11 = linear_select([ msg32, msg33, ]); -var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ - dup15, +var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, ])); -var msg34 = msg("25", part42); +var msg34 = msg("25", part43); -var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ - dup15, +var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, ])); -var msg35 = msg("26", part43); +var msg35 = msg("26", part44); -var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ - dup15, +var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, ])); -var msg36 = msg("27", part44); +var msg36 = msg("27", part45); -var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ - dup15, +var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, ])); -var msg37 = msg("28", part45); +var msg37 = msg("28", part46); -var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup15, +var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, ])); -var msg38 = msg("28:01", part46); +var msg38 = msg("28:01", part47); var select12 = linear_select([ msg37, msg38, ]); -var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ - dup25, +var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup24, ])); -var msg39 = msg("29", part47); +var msg39 = msg("29", part48); -var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var part49 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); var all5 = all_match({ processors: [ - part48, - dup179, - dup11, - dup177, - dup28, + part49, + dup178, + dup10, + dup176, + dup27, ], on_success: processor_chain([ - dup29, + dup28, ]), }); 
@@ -1260,60 +1260,60 @@ var select13 = linear_select([ msg40, ]); -var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup30, +var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup29, ])); -var msg41 = msg("30", part49); +var msg41 = msg("30", part50); -var msg42 = msg("30:01", dup228); +var msg42 = msg("30:01", dup227); var select14 = linear_select([ msg41, msg42, ]); -var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ - dup25, +var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup24, ])); -var msg43 = msg("31", part50); +var msg43 = msg("31", part51); var all6 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup177, - dup28, + dup30, + dup178, + dup10, + dup176, + dup27, ], on_success: processor_chain([ - dup25, + dup24, ]), }); var msg44 = msg("31:01", all6); -var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup12, +var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, ])); -var msg45 = msg("31:02", part51); +var msg45 = msg("31:02", part52); -var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup12, +var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, ])); -var msg46 = msg("31:03", part52); +var msg46 = msg("31:03", part53); -var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup12, +var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, ])); -var msg47 = msg("31:04", part53); +var msg47 = msg("31:04", part54); var select15 = linear_select([ msg43, 
@@ -1323,35 +1323,35 @@ var select15 = linear_select([ msg47, ]); -var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ - dup30, +var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup29, ])); -var msg48 = msg("32", part54); +var msg48 = msg("32", part55); -var msg49 = msg("32:01", dup228); +var msg49 = msg("32:01", dup227); var select16 = linear_select([ msg48, msg49, ]); -var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup32, +var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup31, ])); -var msg50 = msg("33", part55); +var msg50 = msg("33", part56); var all7 = all_match({ processors: [ - dup33, - dup179, - dup11, - dup177, - dup28, + dup32, + dup178, + dup10, + dup176, + dup27, ], on_success: processor_chain([ - dup30, + dup29, ]), }); 
@@ -1362,25 +1362,31 @@ var select17 = linear_select([ msg51, ]); -var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ +var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ dup5, ])); -var msg52 = msg("34", part56); +var msg52 = msg("34", part57); -var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ +var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ setc("eventcategory","1401040000"), ])); -var msg53 = msg("35", part57); +var msg53 = msg("35", part58); + +var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); + +var select18 = linear_select([ + dup33, + part59, +]); var all8 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup177, - dup28, + dup30, + dup178, + dup10, + select18, ], on_success: processor_chain([ setc("eventcategory","1401050200"), 
@@ -1389,49 +1395,49 @@ var all8 = all_match({ var msg54 = msg("35:01", all8); -var select18 = linear_select([ +var select19 = linear_select([ msg53, msg54, ]); -var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ +var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ dup5, ])); -var msg55 = msg("36", part58); +var msg55 = msg("36", part60); -var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); +var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); -var part60 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); +var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); -var part61 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{fld1->} src= %{p0}"); +var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{fld1->} src= %{p0}"); -var select19 = linear_select([ - part60, - part61, +var select20 = linear_select([ + part62, + part63, ]); -var part62 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); +var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); -var part63 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); +var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); -var part64 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); +var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); -var select20 = linear_select([ - part62, - part63, +var select21 = linear_select([ part64, + part65, + part66, ]); var all9 = all_match({ processors: [ - part59, - select19, - dup180, - dup36, - dup177, - dup11, + 
part61, select20, + dup179, + dup36, + dup176, + dup10, + select21, ], on_success: processor_chain([ dup5, @@ -1441,26 +1447,26 @@ var all9 = all_match({ var msg56 = msg("36:01", all9); -var part65 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); +var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); -var part66 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); +var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); -var select21 = linear_select([ - part65, - part66, +var select22 = linear_select([ + part67, + part68, ]); -var part67 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); +var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); var all10 = all_match({ processors: [ dup38, - dup181, - dup11, - dup177, - dup11, - select21, - part67, + dup180, + dup10, + dup176, + dup10, + select22, + part69, ], on_success: processor_chain([ dup5, 
@@ -1469,57 +1475,57 @@ var all10 = all_match({ var msg57 = msg("36:02", all10); -var select22 = linear_select([ +var select23 = linear_select([ msg55, msg56, msg57, ]); -var part68 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ +var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ dup5, ])); -var msg58 = msg("37", part68); +var msg58 = msg("37", part70); -var part69 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); +var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); -var part70 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var select23 = linear_select([ - part70, +var select24 = linear_select([ + part72, dup40, ]); -var part71 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); +var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); -var part72 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); +var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); -var part73 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); +var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); -var part74 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); +var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); -var select24 = linear_select([ - part72, - part73, +var select25 = 
linear_select([ part74, + part75, + part76, ]); -var part75 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); +var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); -var part76 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); +var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); -var select25 = linear_select([ - part75, - part76, +var select26 = linear_select([ + part77, + part78, ]); var all11 = all_match({ processors: [ - part69, - select23, part71, select24, + part73, select25, + select26, ], on_success: processor_chain([ dup5, @@ -1529,18 +1535,18 @@ var all11 = all_match({ var msg59 = msg("37:01", all11); -var part77 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ +var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ dup5, ])); -var msg60 = msg("37:02", part77); +var msg60 = msg("37:02", part79); var all12 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup182, + dup7, + dup175, + dup10, + dup181, dup43, ], on_success: processor_chain([ 
@@ -1550,14 +1556,14 @@ var all12 = all_match({ var msg61 = msg("37:03", all12); -var part78 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ +var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ dup5, - dup12, + dup11, ])); -var msg62 = msg("37:04", part78); +var msg62 = msg("37:04", part80); -var select26 = linear_select([ +var select27 = linear_select([ msg58, msg59, msg60, @@ -1565,27 +1571,27 @@ var select26 = linear_select([ msg62, ]); -var part79 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ +var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ dup5, ])); -var msg63 = msg("38", part79); +var msg63 = msg("38", part81); -var part80 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); +var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); -var select27 = linear_select([ - part80, +var select28 = linear_select([ + part82, dup45, ]); var all13 = all_match({ processors: [ dup44, - dup180, + dup179, dup36, - dup177, - dup11, - select27, + dup176, + dup10, + select28, ], on_success: processor_chain([ dup5, 
@@ -1594,15 +1600,15 @@ var all13 = all_match({ var msg64 = msg("38:01", all13); -var part81 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); +var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); var all14 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup183, - part81, + dup7, + dup175, + dup10, + dup182, + part83, ], on_success: processor_chain([ dup5, 
@@ -1611,172 +1617,172 @@ var all14 = all_match({ var msg65 = msg("38:02", all14); -var part82 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); +var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); -var part83 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); +var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); -var select28 = linear_select([ - part82, - part83, +var select29 = linear_select([ + part84, + part85, ]); -var part84 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part86 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part85 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); +var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); var all15 = all_match({ processors: [ dup48, - select28, - part84, - dup184, - part85, + select29, + part86, + dup183, + part87, ], on_success: processor_chain([ dup5, - dup12, + dup11, + dup18, dup19, dup20, dup21, - dup22, ]), }); var msg66 = msg("38:03", all15); -var select29 = linear_select([ +var select30 = linear_select([ msg63, msg64, msg65, msg66, ]); -var part86 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ +var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ dup5, ])); -var msg67 = msg("39", part86); +var msg67 = msg("39", part88); -var part87 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ 
+var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ dup5, ])); -var msg68 = msg("40", part87); +var msg68 = msg("40", part89); -var part88 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ +var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ dup5, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg69 = msg("41:01", part88); +var msg69 = msg("41:01", part90); -var part89 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ +var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ dup5, ])); -var msg70 = msg("41:02", part89); +var msg70 = msg("41:02", part91); -var part90 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ +var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ dup5, ])); -var msg71 = msg("41:03", part90); +var msg71 = msg("41:03", part92); -var select30 = linear_select([ +var select31 = linear_select([ msg69, msg70, msg71, ]); -var part91 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ +var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending 
IPSec connection%{}", processor_chain([ dup5, ])); -var msg72 = msg("42", part91); +var msg72 = msg("42", part93); -var part92 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ +var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ dup5, ])); -var msg73 = msg("43", part92); +var msg73 = msg("43", part94); -var part93 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ +var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ dup5, ])); -var msg74 = msg("44", part93); +var msg74 = msg("44", part95); -var part94 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ +var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ dup5, ])); -var msg75 = msg("45", part94); +var msg75 = msg("45", part96); -var part95 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ +var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup5, ])); -var msg76 = msg("45:01", part95); +var msg76 = msg("45:01", part97); -var part96 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ +var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ dup5, ])); -var msg77 = msg("45:02", part96); +var msg77 = msg("45:02", part98); -var select31 = linear_select([ +var select32 = linear_select([ msg75, msg76, msg77, ]); -var part97 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ +var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ dup5, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg78 = msg("46:01", part97); +var msg78 = msg("46:01", part99); -var part98 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ +var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup5, ])); -var msg79 = msg("46:02", part98); +var msg79 = msg("46:02", part100); -var part99 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ +var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ dup5, ])); -var msg80 = msg("46", part99); +var msg80 = msg("46", part101); -var part100 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all16 = all_match({ processors: [ - part100, - dup176, - dup11, - dup182, + part102, + dup175, + dup10, + dup181, dup43, ], on_success: processor_chain([ 
@@ -1786,127 +1792,127 @@ var all16 = all_match({ var msg81 = msg("46:03", all16); -var select32 = linear_select([ +var select33 = linear_select([ msg78, msg79, msg80, msg81, ]); -var part101 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ +var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ dup5, ])); -var msg82 = msg("47", part101); +var msg82 = msg("47", part103); -var part102 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ +var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ dup5, ])); -var msg83 = msg("48", part102); +var msg83 = msg("48", part104); -var part103 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ +var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ dup5, ])); -var msg84 = msg("49", part103); +var msg84 = msg("49", part105); -var part104 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ +var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ dup5, ])); -var msg85 = msg("50", part104); +var msg85 = msg("50", part106); -var part105 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ +var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ dup5, ])); -var msg86 = msg("51", part105); +var msg86 = msg("51", part107); -var part106 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ +var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ dup5, ])); -var msg87 = msg("52", part106); +var msg87 = msg("52", part108); -var part107 = 
match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ +var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ dup2, ])); -var msg88 = msg("53", part107); +var msg88 = msg("53", part109); -var part108 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ +var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ dup56, ])); -var msg89 = msg("58", part108); +var msg89 = msg("58", part110); -var part109 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ - dup13, +var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, ])); -var msg90 = msg("60", part109); +var msg90 = msg("60", part111); -var part110 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ +var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ dup1, ])); -var msg91 = msg("61", part110); +var msg91 = msg("61", part112); -var part111 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ +var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ dup57, ])); -var msg92 = msg("62", part111); +var msg92 = msg("62", part113); -var part112 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ +var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ dup58, ])); -var msg93 = msg("63", part112); +var msg93 = msg("63", part114); -var part113 = 
match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ +var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup58, ])); -var msg94 = msg("63:01", part113); +var msg94 = msg("63:01", part115); -var select33 = linear_select([ +var select34 = linear_select([ msg93, msg94, ]); -var part114 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ +var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ dup1, ])); -var msg95 = msg("64", part114); +var msg95 = msg("64", part116); -var part115 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ +var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ dup58, ])); -var msg96 = msg("65", part115); +var msg96 = msg("65", part117); -var part116 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ +var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ dup58, ])); -var msg97 = msg("66", part116); +var msg97 = msg("66", part118); -var part117 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ +var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ dup58, ])); -var msg98 = msg("67", part117); +var msg98 = msg("67", part119); var all17 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup177, - dup28, + dup30, + dup178, + dup10, + dup176, + dup27, ], on_success: processor_chain([ dup58, 
@@ -1915,44 +1921,44 @@ var all17 = all_match({ var msg99 = msg("67:01", all17); -var select34 = linear_select([ +var select35 = linear_select([ msg98, msg99, ]); -var part118 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ +var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ dup58, ])); -var msg100 = msg("68", part118); +var msg100 = msg("68", part120); -var part119 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ +var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ dup58, ])); -var msg101 = msg("69", part119); +var msg101 = msg("69", part121); -var part120 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ +var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ dup58, ])); -var msg102 = msg("70", part120); +var msg102 = msg("70", part122); -var part121 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); +var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); -var part122 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); +var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); -var part123 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); +var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); -var select35 = linear_select([ - part122, - part123, +var select36 = linear_select([ + part124, + part125, ]); var all18 = all_match({ processors: [ - part121, - select35, + part123, + select36, ], on_success: processor_chain([ dup58, 
@@ -1961,142 +1967,141 @@ var all18 = all_match({ var msg103 = msg("70:01", all18); -var select36 = linear_select([ +var select37 = linear_select([ msg102, msg103, ]); -var part124 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ +var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ dup59, ])); -var msg104 = msg("72", part124); +var msg104 = msg("72", part126); -var part125 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup59, ])); -var msg105 = msg("72:01", part125); +var msg105 = msg("72:01", part127); -var select37 = linear_select([ +var select38 = linear_select([ msg104, msg105, ]); -var part126 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ +var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ dup60, ])); -var msg106 = msg("73", part126); +var msg106 = msg("73", part128); -var part127 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ +var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ dup61, ])); -var msg107 = msg("74", part127); +var msg107 = msg("74", part129); -var part128 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ +var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ dup60, ])); -var msg108 = msg("75", part128); +var msg108 = msg("75", part130); -var part129 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ +var 
part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ dup59, ])); -var msg109 = msg("76", part129); +var msg109 = msg("76", part131); -var part130 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ +var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ dup59, ])); -var msg110 = msg("77", part130); +var msg110 = msg("77", part132); -var part131 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ +var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ dup61, ])); -var msg111 = msg("78", part131); +var msg111 = msg("78", part133); -var part132 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ +var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ dup59, ])); -var msg112 = msg("79", part132); +var msg112 = msg("79", part134); -var part133 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ +var part135 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ dup59, ])); -var msg113 = msg("80", part133); +var msg113 = msg("80", part135); -var part134 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ - dup15, +var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, ])); -var msg114 = msg("81", part134); +var msg114 = msg("81", part136); -var part135 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ +var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ dup62, ])); -var msg115 = msg("82", part135); +var msg115 = msg("82", part137); -var part136 = 
match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ +var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ dup62, ])); -var msg116 = msg("82:02", part136); +var msg116 = msg("82:02", part138); -var part137 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ +var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ dup62, ])); -var msg117 = msg("82:03", part137); +var msg117 = msg("82:03", part139); -var msg118 = msg("82:01", dup185); +var msg118 = msg("82:01", dup184); -var select38 = linear_select([ +var select39 = linear_select([ msg115, msg116, msg117, msg118, ]); -var part138 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ +var part140 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ dup62, ])); -var msg119 = msg("83", part138); +var msg119 = msg("83", part140); -var msg120 = msg("83:01", dup186); +var msg120 = msg("83:01", dup185); -var part139 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ +var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", 
processor_chain([ dup5, ])); -var msg121 = msg("83:02", part139); +var msg121 = msg("83:02", part141); -var select39 = linear_select([ +var select40 = linear_select([ msg119, msg120, msg121, ]); -var part140 = match("MESSAGE#120:84/1_0", "nwparser.p0", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost->} "); +var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); -var part141 = match("MESSAGE#120:84/1_1", "nwparser.p0", " Failed to resolve name %{}"); +var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); -var select40 = linear_select([ - part140, - part141, +var select41 = linear_select([ + part142, + part143, ]); var all19 = all_match({ processors: [ - dup6, - select40, + select41, ], on_success: processor_chain([ dup63, 
@@ -2106,61 +2111,61 @@ var all19 = all_match({ var msg122 = msg("84", all19); -var part142 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ +var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ dup64, ])); -var msg123 = msg("87", part142); +var msg123 = msg("87", part144); -var part143 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ +var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup64, ])); -var msg124 = msg("87:01", part143); +var msg124 = msg("87:01", part145); -var select41 = linear_select([ +var select42 = linear_select([ msg123, msg124, ]); -var part144 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ +var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ dup58, ])); -var msg125 = msg("88", part144); +var msg125 = msg("88", part146); -var part145 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ +var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup58, ])); -var msg126 = msg("88:01", part145); +var msg126 = msg("88:01", part147); -var select42 = linear_select([ +var select43 = linear_select([ msg125, msg126, ]); -var part146 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ +var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ dup64, ])); -var msg127 = msg("89", part146); +var msg127 = msg("89", part148); -var part147 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); +var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); -var part148 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); +var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); -var part149 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); +var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); -var select43 = linear_select([ - part148, - part149, +var select44 = linear_select([ + part150, + part151, ]); var all20 = all_match({ processors: [ - part147, - select43, + part149, + select44, ], on_success: processor_chain([ dup64, 
@@ -2169,87 +2174,87 @@ var all20 = all_match({ var msg128 = msg("89:01", all20); -var select44 = linear_select([ +var select45 = linear_select([ msg127, msg128, ]); -var part150 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ +var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ dup64, ])); -var msg129 = msg("90", part150); +var msg129 = msg("90", part152); -var part151 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ +var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ dup64, ])); -var msg130 = msg("91", part151); +var msg130 = msg("91", part153); -var part152 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ +var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ dup64, ])); -var msg131 = msg("92", part152); +var msg131 = msg("92", part154); -var part153 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ +var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ dup1, ])); -var msg132 = msg("93", part153); +var msg132 = msg("93", part155); -var part154 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ +var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ dup1, ])); -var msg133 = msg("94", part154); +var msg133 = msg("94", part156); -var part155 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ +var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ dup1, ])); -var msg134 = msg("95", part155); +var msg134 = msg("95", part157); -var part156 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ +var 
part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ dup1, ])); -var msg135 = msg("96", part156); +var msg135 = msg("96", part158); -var part157 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ +var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ dup1, ])); -var msg136 = msg("97", part157); +var msg136 = msg("97", part159); -var part158 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); +var part160 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); -var part159 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); +var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); -var part160 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); +var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); -var select45 = linear_select([ - part159, - part160, +var select46 = linear_select([ + part161, + part162, ]); -var part161 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); +var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); -var select46 = linear_select([ - part161, +var select47 = linear_select([ + part163, dup66, ]); var all21 = all_match({ processors: [ dup65, - dup180, + dup179, dup36, - dup177, - part158, - select45, - dup11, + dup176, + part160, select46, + dup10, + select47, ], on_success: processor_chain([ dup1, 
@@ -2258,15 +2263,15 @@ var all21 = all_match({ var msg137 = msg("97:01", all21); -var part162 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); +var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); var all22 = all_match({ processors: [ dup65, - dup180, + dup179, dup36, - dup177, - part162, + dup176, + part164, ], on_success: processor_chain([ dup1, @@ -2275,28 +2280,28 @@ var all22 = all_match({ var msg138 = msg("97:02", all22); -var part163 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); -var part164 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); +var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); -var part165 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); +var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); -var select47 = linear_select([ - part164, - part165, +var select48 = linear_select([ + part166, + part167, ]); -var part166 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); +var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); var all23 = all_match({ processors: [ dup67, - dup180, + dup179, dup36, - dup177, - part163, - select47, - part166, + dup176, + part165, + select48, + part168, ], on_success: processor_chain([ dup1, 
@@ -2305,28 +2310,28 @@ var all23 = all_match({ var msg139 = msg("97:03", all23); -var part167 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); +var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); -var part168 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); +var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); -var part169 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); +var part171 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); -var select48 = linear_select([ - part168, - part169, +var select49 = linear_select([ + part170, + part171, ]); -var part170 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); +var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); var all24 = all_match({ processors: [ dup67, - dup180, + dup179, dup36, - dup177, - part167, - select48, - part170, + dup176, + part169, + select49, + part172, ], on_success: processor_chain([ dup1, @@ -2335,15 +2340,15 @@ var all24 = all_match({ var msg140 = msg("97:04", all24); -var part171 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); +var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); var all25 = all_match({ processors: [ dup65, - dup180, + dup179, dup36, - dup177, - part171, + dup176, + part173, ], on_success: processor_chain([ dup1, 
@@ -2352,76 +2357,76 @@ var all25 = all_match({ var msg141 = msg("97:05", all25); -var part172 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); +var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); -var select49 = linear_select([ +var select50 = linear_select([ dup68, dup69, ]); -var part173 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); +var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); var all26 = all_match({ processors: [ - part172, - select49, - part173, + part174, + select50, + part175, ], on_success: processor_chain([ dup70, - dup12, + dup11, ]), }); var msg142 = msg("97:06", all26); -var part174 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); -var part175 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); +var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); -var select50 = linear_select([ - part175, +var select51 = linear_select([ + part177, dup49, ]); -var part176 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} 
rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); +var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); var all27 = all_match({ processors: [ - part174, - select50, part176, + select51, + part178, ], on_success: processor_chain([ dup70, - dup12, + dup11, ]), }); var msg143 = msg("97:07", all27); -var part177 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup70, - dup12, + dup11, ])); -var msg144 = msg("97:08", part177); +var msg144 = msg("97:08", part179); -var part178 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" 
n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup70, - dup12, + dup11, ])); -var msg145 = msg("97:09", part178); +var msg145 = msg("97:09", part180); -var part179 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup70, - dup12, + dup11, ])); -var msg146 = msg("97:10", part179); +var msg146 = msg("97:10", part181); -var select51 = linear_select([ +var select52 = linear_select([ msg136, msg137, msg138, 
@@ -2435,40 +2440,40 @@ var select51 = linear_select([ msg146, ]); -var part180 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); +var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); -var part181 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); +var part183 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); -var select52 = linear_select([ - part180, - part181, +var select53 = linear_select([ + part182, + part183, ]); -var part182 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); -var part183 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); +var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); -var select53 = linear_select([ - part183, +var select54 = linear_select([ + part185, dup71, ]); -var part184 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); +var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); -var part185 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); +var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); -var select54 = linear_select([ +var select55 = linear_select([ dup72, - part184, - part185, + part186, + part187, ]); var all28 = all_match({ processors: [ - select52, - part182, select53, + part184, select54, + select55, ], on_success: processor_chain([ dup70, 
@@ -2476,85 +2481,85 @@ var all28 = all_match({ setc("ec_activity","Stop"), dup53, dup54, - dup12, + dup11, setc("action","Opened"), + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg147 = msg("98", all28); -var part186 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, - dup12, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg148 = msg("98:07", part186); +var msg148 = msg("98:07", part188); -var part187 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); +var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); -var part188 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); +var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); -var select55 = linear_select([ - part187, - part188, +var select56 = linear_select([ + part189, + part190, ]); -var part189 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); +var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); -var part190 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); +var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); -var part191 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); +var part193 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); -var 
select56 = linear_select([ - part190, - part191, +var select57 = linear_select([ + part192, + part193, ]); -var select57 = linear_select([ +var select58 = linear_select([ dup73, dup69, dup74, ]); -var part192 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); +var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); -var part193 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); +var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); -var part194 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); +var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); -var part195 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); +var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); -var part196 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); +var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); -var select58 = linear_select([ - part192, - part193, +var select59 = linear_select([ part194, - dup72, part195, part196, + dup72, + part197, + part198, ]); var all29 = all_match({ processors: [ dup48, - select55, - part189, select56, + part191, select57, - dup11, - dup187, select58, + dup10, + dup186, + select59, ], on_success: processor_chain([ dup1, 
@@ -2563,92 +2568,92 @@ var all29 = all_match({ var msg149 = msg("98:01", all29); -var part197 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); +var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); -var part198 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); +var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); -var part199 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); +var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); -var select59 = linear_select([ - part197, - part198, +var select60 = linear_select([ part199, + part200, + part201, ]); -var part200 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); +var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); -var part201 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); +var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); -var select60 = linear_select([ - part200, - part201, +var select61 = linear_select([ + part202, + part203, ]); -var part202 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); +var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); -var part203 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part205 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part204 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} 
dstMac=%{dmacaddr->} proto=%{p0}"); +var part206 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); -var select61 = linear_select([ - part203, - part204, +var select62 = linear_select([ + part205, + part206, dup77, dup78, ]); -var part205 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); +var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); -var part206 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); +var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); -var part207 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); +var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); -var part208 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); +var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); -var part209 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); +var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); -var part210 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); +var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); -var select62 = linear_select([ - part206, - part207, +var select63 = linear_select([ part208, part209, part210, + part211, + part212, ]); var all30 = all_match({ processors: [ - select59, select60, - part202, - dup188, - dup11, select61, - part205, + part204, + dup187, + dup10, select62, + part207, + select63, ], on_success: processor_chain([ dup70, - dup12, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg150 = msg("98:06", all30); -var part211 = 
match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); +var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); var all31 = all_match({ processors: [ - part211, - dup179, - dup11, - dup177, + part213, + dup178, + dup10, + dup176, dup79, ], on_success: processor_chain([ @@ -2658,18 +2663,18 @@ var all31 = all_match({ var msg151 = msg("98:02", all31); -var part212 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); +var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); -var part213 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); +var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); -var select63 = linear_select([ - part212, - part213, +var select64 = linear_select([ + part214, + part215, ]); var all32 = all_match({ processors: [ - select63, + select64, ], on_success: processor_chain([ dup1, @@ -2679,15 +2684,15 @@ var all32 = all_match({ var msg152 = msg("98:03", all32); -var part214 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); +var part216 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); var all33 = all_match({ processors: [ - dup8, - dup179, - dup11, - dup177, - part214, + dup7, + dup178, + dup10, + dup176, + part216, ], on_success: processor_chain([ dup1, 
@@ -2696,15 +2701,15 @@ var all33 = all_match({ var msg153 = msg("98:04", all33); -var part215 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); +var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); var all34 = all_match({ processors: [ - dup8, - dup179, - dup11, - dup177, - part215, + dup7, + dup178, + dup10, + dup176, + part217, ], on_success: processor_chain([ dup1, @@ -2713,7 +2718,7 @@ var all34 = all_match({ var msg154 = msg("98:05", all34); -var select64 = linear_select([ +var select65 = linear_select([ msg147, msg148, msg149, @@ -2724,22 +2729,22 @@ var select64 = linear_select([ msg154, ]); -var part216 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup30, - dup12, +var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup29, + dup11, ])); -var msg155 = msg("986", part216); +var msg155 = msg("986", part218); -var part217 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); +var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); var all35 = all_match({ processors: [ dup80, - dup179, - dup11, - dup177, - part217, + dup178, + dup10, + dup176, + part219, ], on_success: processor_chain([ dup1, 
@@ -2748,321 +2753,321 @@ var all35 = all_match({ var msg156 = msg("427", all35); -var part218 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); +var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); var all36 = all_match({ processors: [ dup81, - dup184, - part218, + dup183, + part220, ], on_success: processor_chain([ - dup23, + dup22, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg157 = msg("428", all36); -var part219 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ +var part221 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ dup64, ])); -var msg158 = msg("99", part219); +var msg158 = msg("99", part221); -var part220 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ +var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ dup64, ])); -var msg159 = msg("100", part220); +var msg159 = msg("100", part222); -var part221 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ +var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ dup64, ])); -var msg160 = msg("101", part221); +var msg160 = msg("101", part223); -var part222 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ +var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ dup64, ])); -var msg161 = msg("102", part222); +var msg161 = msg("102", part224); -var part223 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting 
DHCP REQUEST (Rebooting).%{}", processor_chain([ +var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ dup64, ])); -var msg162 = msg("103", part223); +var msg162 = msg("103", part225); -var part224 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ +var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ dup64, ])); -var msg163 = msg("104", part224); +var msg163 = msg("104", part226); -var part225 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ +var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ dup64, ])); -var msg164 = msg("105", part225); +var msg164 = msg("105", part227); -var part226 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ +var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ dup63, ])); -var msg165 = msg("106", part226); +var msg165 = msg("106", part228); -var part227 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. Selecting.%{}", processor_chain([ +var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ dup64, ])); -var msg166 = msg("107", part227); +var msg166 = msg("107", part229); -var part228 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ +var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ dup64, ])); -var msg167 = msg("108", part228); +var msg167 = msg("108", part230); -var part229 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ +var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ dup63, ])); -var msg168 = msg("109", part229); +var msg168 = msg("109", part231); -var part230 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ +var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ dup64, ])); -var msg169 = msg("110", part230); +var msg169 = msg("110", part232); -var msg170 = msg("111:01", dup189); +var msg170 = msg("111:01", dup188); -var part231 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ +var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ dup64, ])); -var msg171 = msg("111", part231); +var msg171 = msg("111", part233); -var select65 = linear_select([ +var select66 = linear_select([ msg170, msg171, ]); -var part232 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ +var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ dup64, ])); -var msg172 = msg("112", part232); +var msg172 = msg("112", part234); -var part233 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ 
+var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ dup64, ])); -var msg173 = msg("113", part233); +var msg173 = msg("113", part235); -var part234 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ +var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ dup64, ])); -var msg174 = msg("114", part234); +var msg174 = msg("114", part236); -var msg175 = msg("115:01", dup189); +var msg175 = msg("115:01", dup188); -var part235 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ +var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ dup64, ])); -var msg176 = msg("115", part235); +var msg176 = msg("115", part237); -var select66 = linear_select([ +var select67 = linear_select([ msg175, msg176, ]); -var part236 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ +var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ dup64, ])); -var msg177 = msg("116", part236); +var msg177 = msg("116", part238); -var part237 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ +var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ dup64, ])); -var msg178 = msg("117", part237); +var msg178 = msg("117", part239); -var part238 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ +var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ dup64, ])); -var msg179 = msg("118", part238); +var msg179 = msg("118", 
part240); -var part239 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ +var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ dup63, ])); -var msg180 = msg("119", part239); +var msg180 = msg("119", part241); -var part240 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ +var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ dup63, ])); -var msg181 = msg("120", part240); +var msg181 = msg("120", part242); -var part241 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ +var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ dup64, ])); -var msg182 = msg("121", part241); +var msg182 = msg("121", part243); -var part242 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ +var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ dup63, ])); -var msg183 = msg("122", part242); +var msg183 = msg("122", part244); -var part243 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ +var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ dup63, ])); -var msg184 = msg("123", part243); +var msg184 = msg("123", part245); -var part244 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ +var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received 
AV Alert: %s%{}", processor_chain([ dup64, ])); -var msg185 = msg("124", part244); +var msg185 = msg("124", part246); -var part245 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ +var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ dup64, ])); -var msg186 = msg("125", part245); +var msg186 = msg("125", part247); -var part246 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ +var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ dup83, - dup12, + dup11, ])); -var msg187 = msg("1254", part246); +var msg187 = msg("1254", part248); -var part247 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ +var part249 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ dup70, dup54, - dup18, + dup17, dup82, + dup19, 
dup20, dup21, - dup22, dup37, ])); -var msg188 = msg("1256", part247); +var msg188 = msg("1256", part249); -var part248 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ dup83, - dup12, + dup11, ])); -var msg189 = msg("1257", part248); +var msg189 = msg("1257", part250); -var part249 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ +var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ dup64, ])); -var msg190 = msg("126", part249); +var msg190 = msg("126", part251); -var part250 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ +var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ dup64, ])); -var msg191 = msg("127", part250); +var msg191 = msg("127", part252); -var part251 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ +var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ dup5, ])); -var msg192 = msg("128", part251); +var msg192 = msg("128", part253); -var part252 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ +var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE 
terminated%{}", processor_chain([ dup5, ])); -var msg193 = msg("129", part252); +var msg193 = msg("129", part254); -var part253 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ +var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ dup1, ])); -var msg194 = msg("130", part253); +var msg194 = msg("130", part255); -var part254 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ +var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ dup1, ])); -var msg195 = msg("131", part254); +var msg195 = msg("131", part256); -var part255 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ +var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ dup1, ])); -var msg196 = msg("132", part255); +var msg196 = msg("132", part257); -var part256 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ +var part258 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ dup1, ])); -var msg197 = msg("133", part256); +var msg197 = msg("133", part258); -var part257 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ +var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ dup1, ])); -var msg198 = msg("134", part257); +var msg198 = msg("134", part259); -var part258 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ +var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ dup84, ])); -var msg199 = msg("135", part258); +var msg199 = msg("135", part260); -var part259 = 
match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ +var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ dup84, ])); -var msg200 = msg("136", part259); +var msg200 = msg("136", part261); -var part260 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ +var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ dup3, ])); -var msg201 = msg("137", part260); +var msg201 = msg("137", part262); -var part261 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ +var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ dup3, ])); -var msg202 = msg("138", part261); +var msg202 = msg("138", part263); -var part262 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ +var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ dup5, ])); -var msg203 = msg("139", part262); +var msg203 = msg("139", part264); var all37 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ setc("eventcategory","1801020100"), 
@@ -3071,291 +3076,291 @@ var all37 = all_match({ var msg204 = msg("139:01", all37); -var select67 = linear_select([ +var select68 = linear_select([ msg203, msg204, ]); -var msg205 = msg("140", dup229); +var msg205 = msg("140", dup228); -var msg206 = msg("141", dup229); +var msg206 = msg("141", dup228); -var part263 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ +var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ dup1, ])); -var msg207 = msg("142", part263); +var msg207 = msg("142", part265); -var part264 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ +var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ dup1, ])); -var msg208 = msg("143", part264); +var msg208 = msg("143", part266); -var part265 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ +var part267 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ dup70, - dup12, + dup11, ])); -var msg209 = msg("1431", part265); +var msg209 = msg("1431", part267); -var part266 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ +var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ dup1, ])); -var msg210 = msg("144", part266); +var msg210 = msg("144", 
part268); -var part267 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ +var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ dup1, ])); -var msg211 = msg("145", part267); +var msg211 = msg("145", part269); -var part268 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup88, +var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup87, ])); -var msg212 = msg("146", part268); +var msg212 = msg("146", part270); -var part269 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup88, +var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup87, ])); -var msg213 = msg("147", part269); +var msg213 = msg("147", part271); -var part270 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ +var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ dup1, ])); -var msg214 = msg("148", part270); +var msg214 = msg("148", part272); -var part271 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ setc("eventcategory","1204010000"), - dup12, + dup11, ])); -var msg215 = msg("1480", part271); +var msg215 = msg("1480", part273); -var part272 = match("MESSAGE#214:149", 
"nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ +var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ dup1, ])); -var msg216 = msg("149", part272); +var msg216 = msg("149", part274); -var part273 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ +var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ dup1, ])); -var msg217 = msg("150", part273); +var msg217 = msg("150", part275); -var part274 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ +var part276 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ dup1, ])); -var msg218 = msg("151", part274); +var msg218 = msg("151", part276); -var part275 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ +var part277 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ dup1, ])); -var msg219 = msg("152", part275); +var msg219 = msg("152", part277); -var part276 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ +var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ setc("eventcategory","1603010000"), ])); -var msg220 = msg("153", part276); +var msg220 = msg("153", part278); -var part277 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. 
%s%{}", processor_chain([ +var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ dup56, ])); -var msg221 = msg("154", part277); +var msg221 = msg("154", part279); -var part278 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup88, +var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup87, ])); -var msg222 = msg("155", part278); +var msg222 = msg("155", part280); -var part279 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup88, +var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup87, ])); -var msg223 = msg("156", part279); +var msg223 = msg("156", part281); -var part280 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ dup1, ])); -var msg224 = msg("157:01", part280); +var msg224 = msg("157:01", part282); -var part281 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ +var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ dup5, ])); -var msg225 = msg("157", part281); +var msg225 = msg("157", part283); -var select68 = linear_select([ +var select69 = linear_select([ msg224, msg225, ]); -var part282 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup88, +var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup87, ])); -var msg226 = msg("158", part282); +var msg226 
= msg("158", part284); -var part283 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ +var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ dup5, ])); -var msg227 = msg("159", part283); +var msg227 = msg("159", part285); -var part284 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ +var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ setc("eventcategory","1203000000"), ])); -var msg228 = msg("160", part284); +var msg228 = msg("160", part286); -var part285 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ +var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ dup57, ])); -var msg229 = msg("161", part285); +var msg229 = msg("161", part287); -var part286 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ - dup32, +var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. 
Please verify PPPoE username and password%{}", processor_chain([ + dup31, ])); -var msg230 = msg("162", part286); +var msg230 = msg("162", part288); -var part287 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ +var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ dup5, ])); -var msg231 = msg("163", part287); +var msg231 = msg("163", part289); -var part288 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ +var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ dup5, ])); -var msg232 = msg("164", part288); +var msg232 = msg("164", part290); -var part289 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ +var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ dup1, ])); -var msg233 = msg("165", part289); +var msg233 = msg("165", part291); -var part290 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ - dup13, +var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, ])); -var msg234 = msg("166", part290); +var msg234 = msg("166", part292); -var part291 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ - dup13, +var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, ])); -var msg235 = msg("167", part291); +var msg235 = msg("167", part293); -var part292 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ - dup13, +var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP 
packet from LAN%{}", processor_chain([ + dup12, ])); -var msg236 = msg("168", part292); +var msg236 = msg("168", part294); -var part293 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ +var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ dup1, ])); -var msg237 = msg("169", part293); +var msg237 = msg("169", part295); -var part294 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ +var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ dup1, ])); -var msg238 = msg("170", part294); +var msg238 = msg("170", part296); -var part295 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ +var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ dup62, ])); -var msg239 = msg("171", part295); +var msg239 = msg("171", part297); -var part296 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup89, +var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup88, ])); -var msg240 = msg("171:01", part296); +var msg240 = msg("171:01", part298); -var part297 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ - dup89, +var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup88, ])); -var msg241 = msg("171:02", part297); +var msg241 = msg("171:02", part299); -var part298 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} 
n=%{fld3->} src=%{p0}"); +var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); var all38 = all_match({ processors: [ - part298, - dup176, - dup11, - dup191, - dup92, + part300, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ - dup89, + dup88, ]), }); var msg242 = msg("171:03", all38); -var select69 = linear_select([ +var select70 = linear_select([ msg239, msg240, msg241, msg242, ]); -var part299 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ +var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ dup62, ])); -var msg243 = msg("172", part299); +var msg243 = msg("172", part301); -var part300 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ +var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ dup62, ])); -var msg244 = msg("172:01", part300); +var msg244 = msg("172:01", part302); -var select70 = linear_select([ +var select71 = linear_select([ msg243, msg244, ]); -var part301 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ +var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ dup62, ])); -var msg245 = msg("173", part301); +var msg245 = msg("173", part303); -var part302 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ +var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ dup59, ])); -var msg246 = msg("174", part302); +var msg246 = msg("174", part304); var all39 = all_match({ processors: [ dup80, - dup179, - dup11, - dup177, + dup178, + dup10, + dup176, dup79, ], on_success: processor_chain([ 
@@ -3368,12 +3373,12 @@ var msg247 = msg("174:01", all39); var all40 = all_match({ processors: [ dup44, - dup180, + dup179, dup36, - dup190, + dup189, ], on_success: processor_chain([ - dup13, + dup12, ]), }); 
@@ -3381,71 +3386,71 @@ var msg248 = msg("174:02", all40); var all41 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup182, + dup7, + dup175, + dup10, + dup181, dup43, ], on_success: processor_chain([ - dup13, + dup12, ]), }); var msg249 = msg("174:03", all41); -var select71 = linear_select([ +var select72 = linear_select([ msg246, msg247, msg248, msg249, ]); -var part303 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ +var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ dup59, ])); -var msg250 = msg("175", part303); +var msg250 = msg("175", part305); -var part304 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ +var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ dup59, ])); -var msg251 = msg("175:01", part304); +var msg251 = msg("175:01", part306); -var part305 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ +var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ dup59, ])); -var msg252 = msg("175:02", part305); +var msg252 = msg("175:02", part307); -var select72 = linear_select([ +var select73 = linear_select([ msg250, msg251, msg252, ]); -var part306 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup89, +var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup88, ])); -var msg253 = msg("176", 
part306); +var msg253 = msg("176", part308); -var msg254 = msg("177", dup186); +var msg254 = msg("177", dup185); -var msg255 = msg("178", dup192); +var msg255 = msg("178", dup191); -var msg256 = msg("179", dup186); +var msg256 = msg("179", dup185); var all42 = all_match({ processors: [ - dup33, - dup179, - dup11, - dup190, + dup32, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup93, + dup92, ]), }); @@ -3453,33 +3458,33 @@ var msg257 = msg("180", all42); var all43 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup193, - dup96, + dup7, + dup175, + dup10, + dup192, + dup95, ], on_success: processor_chain([ - dup93, + dup92, ]), }); var msg258 = msg("180:01", all43); -var select73 = linear_select([ +var select74 = linear_select([ msg257, msg258, ]); -var msg259 = msg("181", dup185); +var msg259 = msg("181", dup184); var all44 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup191, - dup92, + dup7, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup62, 
@@ -3488,31 +3493,31 @@ var all44 = all_match({ var msg260 = msg("181:01", all44); -var select74 = linear_select([ +var select75 = linear_select([ msg259, msg260, ]); -var msg261 = msg("193", dup230); +var msg261 = msg("193", dup229); -var msg262 = msg("194", dup231); +var msg262 = msg("194", dup230); -var msg263 = msg("195", dup231); +var msg263 = msg("195", dup230); -var part307 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); +var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); -var part308 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); +var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); -var select75 = linear_select([ - dup100, - part308, +var select76 = linear_select([ + dup99, + part310, ]); var all45 = all_match({ processors: [ - part307, - select75, - dup101, + part309, + select76, + dup100, ], on_success: processor_chain([ dup1, @@ -3521,18 +3526,18 @@ var all45 = all_match({ var msg264 = msg("196", all45); -var part309 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); +var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); -var select76 = linear_select([ - dup100, - part309, +var select77 = linear_select([ + dup99, + part311, ]); var all46 = all_match({ processors: [ - dup97, - select76, - dup101, + dup96, + select77, + dup100, ], on_success: processor_chain([ dup1, 
@@ -3541,106 +3546,106 @@ var all46 = all_match({ var msg265 = msg("196:01", all46); -var select77 = linear_select([ +var select78 = linear_select([ msg264, msg265, ]); -var msg266 = msg("199", dup232); +var msg266 = msg("199", dup231); -var msg267 = msg("200", dup233); +var msg267 = msg("200", dup232); -var part310 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup29, +var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup28, ])); -var msg268 = msg("235:02", part310); +var msg268 = msg("235:02", part312); -var part311 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); +var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); var all47 = all_match({ processors: [ - part311, - dup179, - dup11, - dup190, + part313, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup29, + dup28, ]), }); var msg269 = msg("235", all47); -var msg270 = msg("235:01", dup234); +var msg270 = msg("235:01", dup233); -var select78 = linear_select([ +var select79 = linear_select([ msg268, msg269, msg270, ]); -var msg271 = msg("236", dup234); +var msg271 = msg("236", dup233); -var msg272 = msg("237", dup232); +var msg272 = msg("237", dup231); -var msg273 = msg("238", dup232); +var msg273 = msg("238", dup231); -var part312 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup103, +var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup102, ])); 
-var msg274 = msg("239", part312); +var msg274 = msg("239", part314); -var part313 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup103, +var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup102, ])); -var msg275 = msg("240", part313); +var msg275 = msg("240", part315); -var part314 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part316 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup70, ])); -var msg276 = msg("241", part314); +var msg276 = msg("241", part316); -var part315 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ +var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup70, ])); -var msg277 = msg("241:01", part315); +var msg277 = msg("241:01", part317); -var select79 = linear_select([ +var select80 = linear_select([ msg276, msg277, ]); -var part316 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); +var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); -var part317 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); +var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); -var select80 = linear_select([ - part316, - part317, +var select81 = linear_select([ + part318, + part319, dup35, ]); -var part318 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); +var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); -var part319 = 
match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); +var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); -var select81 = linear_select([ - part318, - part319, - dup86, +var select82 = linear_select([ + part320, + part321, + dup85, ]); var all48 = all_match({ processors: [ dup44, - select80, - dup36, select81, + dup36, + select82, ], on_success: processor_chain([ dup70, 
@@ -3649,143 +3654,143 @@ var all48 = all_match({ var msg278 = msg("242", all48); -var msg279 = msg("252", dup195); +var msg279 = msg("252", dup194); -var msg280 = msg("255", dup195); +var msg280 = msg("255", dup194); -var msg281 = msg("257", dup195); +var msg281 = msg("257", dup194); -var msg282 = msg("261:01", dup235); +var msg282 = msg("261:01", dup234); -var msg283 = msg("261", dup195); +var msg283 = msg("261", dup194); -var select82 = linear_select([ +var select83 = linear_select([ msg282, msg283, ]); -var msg284 = msg("262", dup235); +var msg284 = msg("262", dup234); var all49 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg285 = msg("273", all49); -var msg286 = msg("328", dup236); +var msg286 = msg("328", dup235); -var msg287 = msg("329", dup233); +var msg287 = msg("329", dup232); -var msg288 = msg("346", dup195); +var msg288 = msg("346", dup194); -var msg289 = msg("350", dup195); +var msg289 = msg("350", dup194); -var msg290 = msg("351", dup195); +var msg290 = msg("351", dup194); -var msg291 = msg("352", dup195); +var msg291 = msg("352", dup194); -var part320 = match("MESSAGE#290:353:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part322 = match("MESSAGE#290:353:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup5, ])); -var msg292 = msg("353:01", part320); +var msg292 = msg("353:01", part322); -var part321 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ +var part323 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} 
lifeSeconds=%{misc}\"", processor_chain([ dup5, ])); -var msg293 = msg("353", part321); +var msg293 = msg("353", part323); -var select83 = linear_select([ +var select84 = linear_select([ msg292, msg293, ]); -var part322 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ +var part324 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup1, ])); -var msg294 = msg("354", part322); +var msg294 = msg("354", part324); -var msg295 = msg("355", dup196); +var msg295 = msg("355", dup195); -var msg296 = msg("355:01", dup195); +var msg296 = msg("355:01", dup194); -var select84 = linear_select([ +var select85 = linear_select([ msg295, msg296, ]); -var msg297 = msg("356", dup197); +var msg297 = msg("356", dup196); -var part323 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name->} ", processor_chain([ - dup89, +var part325 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name->} ", processor_chain([ + dup88, ])); -var msg298 = msg("357", part323); +var msg298 = msg("357", part325); -var part324 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup89, +var part326 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup88, ])); -var msg299 = msg("357:01", part324); +var msg299 = msg("357:01", part326); -var select85 = linear_select([ +var select86 = linear_select([ msg298, msg299, ]); -var msg300 = msg("358", dup198); +var msg300 = msg("358", 
dup197); -var part325 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ +var part327 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ setc("eventcategory","1503000000"), ])); -var msg301 = msg("371", part325); +var msg301 = msg("371", part327); -var msg302 = msg("371:01", dup199); +var msg302 = msg("371:01", dup198); -var select86 = linear_select([ +var select87 = linear_select([ msg301, msg302, ]); -var msg303 = msg("372", dup195); +var msg303 = msg("372", dup194); -var msg304 = msg("373", dup197); +var msg304 = msg("373", dup196); -var msg305 = msg("401", dup237); +var msg305 = msg("401", dup236); -var msg306 = msg("402", dup237); +var msg306 = msg("402", dup236); -var msg307 = msg("406", dup198); +var msg307 = msg("406", dup197); -var part326 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part328 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var msg308 = msg("413", part326); +var msg308 = msg("413", part328); -var msg309 = msg("414", dup195); +var msg309 = msg("414", dup194); -var msg310 = msg("438", dup238); +var msg310 = msg("438", dup237); -var msg311 = msg("439", dup238); +var msg311 = msg("439", dup237); var all50 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ setc("eventcategory","1501020000"), 
@@ -3796,10 +3801,10 @@ var msg312 = msg("440", all50); var all51 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ setc("eventcategory","1502050000"), @@ -3808,23 +3813,23 @@ var all51 = all_match({ var msg313 = msg("441", all51); -var part327 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ +var part329 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ setc("eventcategory","1001020000"), ])); -var msg314 = msg("441:01", part327); +var msg314 = msg("441:01", part329); -var select87 = linear_select([ +var select88 = linear_select([ msg313, msg314, ]); var all52 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ setc("eventcategory","1501030000"), 
@@ -3833,67 +3838,67 @@ var all52 = all_match({ var msg315 = msg("442", all52); -var part328 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); +var part330 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); -var part329 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); +var part331 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); -var part330 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); +var part332 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); -var select88 = linear_select([ - part329, - part330, +var select89 = linear_select([ + part331, + part332, ]); -var part331 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part333 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all53 = all_match({ processors: [ - part328, - select88, - part331, - dup201, - dup114, + part330, + select89, + part333, + dup200, + dup113, ], on_success: processor_chain([ dup59, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg316 = msg("446", all53); -var part332 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup115, +var part334 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", 
processor_chain([ + dup114, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg317 = msg("477", part332); +var msg317 = msg("477", part334); var all54 = all_match({ processors: [ dup80, - dup179, - dup11, - dup190, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup29, + dup28, ]), }); @@ -3901,31 +3906,31 @@ var msg318 = msg("509", all54); var all55 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup105, + dup104, ]), }); var msg319 = msg("520", all55); -var msg320 = msg("522", dup239); +var msg320 = msg("522", dup238); -var part333 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); +var part335 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); -var part334 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); +var part336 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); var all56 = all_match({ processors: [ - part333, - dup180, - part334, - dup177, - dup116, + part335, + dup179, + part336, + dup176, + dup115, ], on_success: processor_chain([ dup5, @@ -3934,20 +3939,20 @@ var all56 = all_match({ var msg321 = msg("522:01", all56); -var part335 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); +var part337 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); -var select89 = linear_select([ - part335, +var select90 = linear_select([ + part337, dup39, ]); var all57 = all_match({ processors: [ dup38, - select89, - dup11, - dup177, - dup116, + select90, + dup10, + dup176, + dup115, ], on_success: processor_chain([ dup5, 
@@ -3956,22 +3961,22 @@ var all57 = all_match({ var msg322 = msg("522:02", all57); -var select90 = linear_select([ +var select91 = linear_select([ msg320, msg321, msg322, ]); -var msg323 = msg("523", dup239); +var msg323 = msg("523", dup238); var all58 = all_match({ processors: [ dup80, - dup179, - dup11, - dup177, - dup11, - dup202, + dup178, + dup10, + dup176, + dup10, + dup201, ], on_success: processor_chain([ dup1, @@ -3980,24 +3985,24 @@ var all58 = all_match({ var msg324 = msg("524", all58); -var part336 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); +var part338 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); -var part337 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); +var part339 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); -var select91 = linear_select([ - part336, - part337, +var select92 = linear_select([ + part338, + part339, ]); var all59 = all_match({ processors: [ - dup8, - dup179, - dup11, - dup177, - dup11, - select91, - dup92, + dup7, + dup178, + dup10, + dup176, + dup10, + select92, + dup91, ], on_success: processor_chain([ dup1, 
@@ -4006,62 +4011,62 @@ var all59 = all_match({ var msg325 = msg("524:01", all59); -var part338 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); +var part340 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); -var part339 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); +var part341 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); -var part340 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); +var part342 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); -var select92 = linear_select([ - part339, - part340, +var select93 = linear_select([ + part341, + part342, ]); -var part341 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); +var part343 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); var all60 = all_match({ processors: [ - part338, - select92, - part341, + part340, + select93, + part343, ], on_success: processor_chain([ - dup7, - dup12, + dup6, + dup11, ]), }); var msg326 = msg("524:02", all60); -var select93 = linear_select([ +var select94 = linear_select([ msg324, msg325, msg326, ]); -var msg327 = msg("526", dup240); +var msg327 = msg("526", dup239); -var part342 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); +var part344 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); -var select94 = linear_select([ - dup26, - part342, +var select95 = linear_select([ + dup25, + part344, dup39, ]); -var 
part343 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); +var part345 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); -var select95 = linear_select([ - dup85, - part343, +var select96 = linear_select([ + dup33, + part345, ]); var all61 = all_match({ processors: [ dup80, - select94, - dup11, select95, + dup10, + select96, ], on_success: processor_chain([ dup1, @@ -4072,11 +4077,11 @@ var msg328 = msg("526:01", all61); var all62 = all_match({ processors: [ - dup8, - dup203, - dup11, - dup177, - dup116, + dup7, + dup202, + dup10, + dup176, + dup115, ], on_success: processor_chain([ dup1, 
@@ -4085,28 +4090,28 @@ var all62 = all_match({ var msg329 = msg("526:02", all62); -var part344 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part346 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, - dup12, + dup11, ])); -var msg330 = msg("526:03", part344); +var msg330 = msg("526:03", part346); -var part345 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part347 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, - dup12, + dup11, ])); -var msg331 = msg("526:04", part345); +var msg331 = msg("526:04", part347); -var part346 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part348 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, - dup12, + dup11, ])); -var msg332 = msg("526:05", part346); +var msg332 = msg("526:05", part348); -var select96 = linear_select([ +var select97 = linear_select([ msg327, msg328, msg329, 
@@ -4115,436 +4120,436 @@ var select96 = linear_select([ msg332, ]); -var part347 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); +var part349 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); -var part348 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); +var part350 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); -var part349 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); +var part351 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); -var select97 = linear_select([ - part348, - part349, +var select98 = linear_select([ + part350, + part351, ]); var all63 = all_match({ processors: [ - dup118, + dup117, + dup203, + dup10, dup204, - dup11, - dup205, - part347, - select97, + part349, + select98, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg333 = msg("537:01", all63); -var part350 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); +var part352 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); var all64 = all_match({ processors: [ - dup118, + dup117, + dup203, + dup10, dup204, - dup11, - dup205, - part350, + part352, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg334 = msg("537:02", all64); -var select98 = linear_select([ +var select99 = linear_select([ + dup118, dup119, dup120, dup121, - dup122, ]); -var part351 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part353 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part352 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); +var part354 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); -var select99 = linear_select([ - dup125, - 
part351, - part352, +var select100 = linear_select([ + dup124, + part353, + part354, ]); -var part353 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); +var part355 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); -var select100 = linear_select([ +var select101 = linear_select([ + dup125, dup126, - dup127, ]); -var part354 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); +var part356 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); -var part355 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); +var part357 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); -var select101 = linear_select([ - part354, - part355, +var select102 = linear_select([ + part356, + part357, ]); -var part356 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); +var part358 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); -var part357 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var part359 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); -var part358 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); +var part360 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); -var part359 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); +var part361 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); -var part360 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); +var part362 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); -var select102 = linear_select([ - part356, - part357, +var select103 = linear_select([ 
part358, part359, part360, + part361, + part362, ]); var all65 = all_match({ processors: [ - select98, - dup206, - dup207, select99, - part353, + dup205, + dup206, select100, + part355, select101, select102, + select103, ], on_success: processor_chain([ - dup107, - dup12, + dup106, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg335 = msg("537:08", all65); -var select103 = linear_select([ - dup120, +var select104 = linear_select([ dup119, + dup118, + dup120, dup121, - dup122, ]); -var part361 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); +var part363 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); -var part362 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); +var part364 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); -var select104 = linear_select([ - dup128, - part361, - part362, +var select105 = linear_select([ + dup127, + part363, + part364, ]); -var part363 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part365 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var select105 = linear_select([ +var select106 = linear_select([ + dup130, dup131, dup132, dup133, - dup134, ]); var all66 = all_match({ processors: [ - select103, - dup206, - dup207, select104, - part363, - dup208, + dup205, + dup206, select105, + part365, + dup207, + select106, ], on_success: processor_chain([ - dup107, - dup12, + dup106, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg336 = msg("537:09", all66); -var part364 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var part366 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var 
select106 = linear_select([ - dup119, - part364, +var select107 = linear_select([ + dup118, + part366, + dup120, dup121, - dup122, ]); -var part365 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part367 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var part366 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); +var part368 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); -var select107 = linear_select([ - part365, - part366, +var select108 = linear_select([ + part367, + part368, + dup125, dup126, - dup127, ]); -var part367 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); +var part369 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); -var select108 = linear_select([ +var select109 = linear_select([ + dup130, dup131, dup132, + part369, dup133, - part367, - dup134, ]); var all67 = all_match({ processors: [ - select106, - dup206, - dup207, - dup187, select107, - dup208, + dup205, + dup206, + dup186, select108, + dup207, + select109, ], on_success: processor_chain([ - dup107, - dup12, + dup106, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg337 = msg("537:07", all67); -var part368 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); +var part370 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); -var part369 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); +var part371 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); -var select109 = linear_select([ - part368, - part369, +var select110 = linear_select([ + part370, + part371, ]); -var part370 = 
match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); +var part372 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); -var part371 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); +var part373 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); -var part372 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); +var part374 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); -var part373 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); +var part375 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); -var part374 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); +var part376 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); -var select110 = linear_select([ - part371, - part372, +var select111 = linear_select([ part373, part374, + part375, + part376, ]); -var part375 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); +var part377 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); -var part376 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); +var part378 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); -var part377 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} 
spkt=%{fld3}fw_action=\"%{fld4}\""); +var part379 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); -var part378 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); +var part380 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); -var part379 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); +var part381 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); -var select111 = linear_select([ - part375, - part376, +var select112 = linear_select([ part377, part378, part379, + part380, + part381, ]); var all68 = all_match({ processors: [ dup48, - select109, - part370, - dup204, select110, + part372, + dup203, select111, + select112, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg338 = msg("537", all68); -var part380 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); +var part382 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); var all69 = all_match({ processors: [ - dup135, - dup181, - dup11, - dup209, - part380, + dup134, + dup180, + dup10, + dup208, + part382, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg339 = msg("537:04", all69); -var part381 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); +var part383 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); -var part382 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); +var part384 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); -var part383 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); 
+var part385 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); -var select112 = linear_select([ - part382, - part383, +var select113 = linear_select([ + part384, + part385, ]); var all70 = all_match({ processors: [ - dup135, - dup181, - dup11, - dup209, - part381, - select112, - dup92, + dup134, + dup180, + dup10, + dup208, + part383, + select113, + dup91, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg340 = msg("537:05", all70); -var part384 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); +var part386 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); -var part385 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); +var part387 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); -var part386 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); +var part388 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); -var select113 = linear_select([ - dup128, - part385, - part386, +var select114 = linear_select([ + dup127, + part387, + part388, ]); -var part387 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); +var part389 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all71 = all_match({ processors: [ - part384, + part386, + dup209, + dup138, dup210, - dup139, + select114, + part389, dup211, - select113, - part387, - dup212, ], on_success: processor_chain([ - dup107, - dup12, + dup106, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg341 = msg("537:10", all71); -var part388 = match("MESSAGE#339:537:03/0", "nwparser.payload", 
"msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); +var part390 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); -var part389 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part391 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part390 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); +var part392 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); -var select114 = linear_select([ +var select115 = linear_select([ dup77, - part389, - part390, + part391, + part392, ]); -var part391 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); +var part393 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all72 = all_match({ processors: [ - part388, + part390, + dup209, + dup138, dup210, - dup139, + select115, + part393, dup211, - select114, - part391, - dup212, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg342 = msg("537:03", all72); -var part392 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); +var part394 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); var all73 = all_match({ processors: [ - dup135, - dup181, - dup11, - dup209, - part392, + dup134, + dup180, + dup10, + dup208, + part394, ], on_success: processor_chain([ - dup107, + dup106, ]), }); var msg343 = msg("537:06", all73); -var part393 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup107, +var part395 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup106, dup54, - dup12, - dup144, + dup11, + dup143, ])); -var msg344 = msg("537:11", part393); +var msg344 = msg("537:11", part395); -var part394 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup107, +var part396 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup106, dup54, - dup12, - dup144, + dup11, + dup143, ])); -var msg345 = msg("537:12", part394); +var msg345 = msg("537:12", part396); -var select115 = linear_select([ +var select116 = linear_select([ msg333, msg334, msg335, 
@@ -4560,18 +4565,18 @@ var select115 = linear_select([ msg345, ]); -var msg346 = msg("538", dup230); +var msg346 = msg("538", dup229); -var msg347 = msg("549", dup233); +var msg347 = msg("549", dup232); -var msg348 = msg("557", dup233); +var msg348 = msg("557", dup232); var all74 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ setc("eventcategory","1402020200"), @@ -4580,18 +4585,18 @@ var all74 = all_match({ var msg349 = msg("558", all74); -var msg350 = msg("561", dup236); +var msg350 = msg("561", dup235); -var msg351 = msg("562", dup236); +var msg351 = msg("562", dup235); -var msg352 = msg("563", dup236); +var msg352 = msg("563", dup235); var all75 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ setc("eventcategory","1402020400"), 
@@ -4600,38 +4605,38 @@ var all75 = all_match({ var msg353 = msg("583", all75); -var part395 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup145, +var part397 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup144, dup51, - dup146, + dup145, dup53, dup54, - dup12, - dup147, + dup11, + dup146, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg354 = msg("597:01", part395); +var msg354 = msg("597:01", part397); -var part396 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ +var part398 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ dup1, ])); -var msg355 = msg("597:02", part396); +var msg355 = msg("597:02", part398); -var part397 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part399 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); var all76 = all_match({ processors: [ - part397, - dup188, - dup11, - dup191, - dup92, + part399, + dup187, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup1, 
@@ -4640,25 +4645,25 @@ var all76 = all_match({ var msg356 = msg("597:03", all76); -var select116 = linear_select([ +var select117 = linear_select([ msg354, msg355, msg356, ]); -var part398 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ +var part400 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ dup1, ])); -var msg357 = msg("598", part398); +var msg357 = msg("598", part400); -var part399 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); +var part401 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); var all77 = all_match({ processors: [ - dup148, - dup183, - part399, + dup147, + dup182, + part401, ], on_success: processor_chain([ dup1, @@ -4669,9 +4674,9 @@ var msg358 = msg("598:01", all77); var all78 = all_match({ processors: [ - dup148, - dup191, - dup92, + dup147, + dup190, + dup91, ], on_success: processor_chain([ dup1, 
@@ -4680,37 +4685,37 @@ var all78 = all_match({ var msg359 = msg("598:02", all78); -var select117 = linear_select([ +var select118 = linear_select([ msg357, msg358, msg359, ]); -var part400 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup145, +var part402 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup144, dup51, - dup146, + dup145, dup53, dup54, - dup12, - dup147, + dup11, + dup146, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg360 = msg("602:01", part400); +var msg360 = msg("602:01", part402); -var msg361 = msg("602:02", dup240); +var msg361 = msg("602:02", dup239); var all79 = all_match({ processors: [ - dup8, - dup179, - dup11, - dup177, + dup7, + dup178, + dup10, + dup176, dup79, ], on_success: processor_chain([ 
@@ -4720,80 +4725,80 @@ var all79 = all_match({ var msg362 = msg("602:03", all79); -var select118 = linear_select([ +var select119 = linear_select([ msg360, msg361, msg362, ]); -var msg363 = msg("605", dup198); +var msg363 = msg("605", dup197); var all80 = all_match({ processors: [ - dup149, - dup213, - dup151, - dup201, - dup114, + dup148, + dup212, + dup150, + dup200, + dup113, ], on_success: processor_chain([ - dup89, + dup88, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg364 = msg("606", all80); -var part401 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); +var part403 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); -var part402 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); +var part404 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); -var part403 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); +var part405 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); -var select119 = linear_select([ - part402, - part403, +var select120 = linear_select([ + part404, + part405, ]); -var part404 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); +var part406 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); -var part405 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); +var part407 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); -var part406 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); +var part408 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); -var select120 = linear_select([ - part405, - part406, +var select121 = linear_select([ + part407, + part408, ]); -var part407 = match("MESSAGE#362:608/4", "nwparser.p0", 
"%{daddr}:%{p0}"); +var part409 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); -var part408 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); +var part410 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); -var part409 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); +var part411 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); -var part410 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); +var part412 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); -var select121 = linear_select([ - part408, - part409, +var select122 = linear_select([ part410, + part411, + part412, ]); var all81 = all_match({ processors: [ - part401, - select119, - part404, + part403, select120, - part407, + part406, select121, + part409, + select122, ], on_success: processor_chain([ dup1, 
@@ -4803,160 +4808,160 @@ var all81 = all_match({ var msg365 = msg("608", all81); -var msg366 = msg("616", dup196); +var msg366 = msg("616", dup195); -var msg367 = msg("658", dup192); +var msg367 = msg("658", dup191); -var msg368 = msg("710", dup214); +var msg368 = msg("710", dup213); -var msg369 = msg("712:02", dup241); +var msg369 = msg("712:02", dup240); -var msg370 = msg("712", dup214); +var msg370 = msg("712", dup213); var all82 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup193, - dup96, + dup7, + dup175, + dup10, + dup192, + dup95, ], on_success: processor_chain([ - dup152, + dup151, ]), }); var msg371 = msg("712:01", all82); -var select122 = linear_select([ +var select123 = linear_select([ msg369, msg370, msg371, ]); -var part411 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ +var part413 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ dup5, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg372 = msg("713:01", part411); +var msg372 = msg("713:01", part413); -var msg373 = msg("713:04", dup241); +var msg373 = msg("713:04", dup240); -var msg374 = msg("713:02", dup214); +var msg374 = msg("713:02", dup213); -var part412 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ +var part414 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ dup5, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg375 = msg("713:03", part412); +var msg375 = msg("713:03", part414); -var select123 = linear_select([ +var select124 = linear_select([ msg372, msg373, msg374, msg375, ]); -var part413 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup115, +var part415 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup114, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg376 = msg("760", part413); +var msg376 = msg("760", part415); -var part414 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part416 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part415 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); +var part417 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); var all83 = all_match({ processors: [ - part414, - dup176, - dup11, - dup193, - part415, + part416, + dup175, + dup10, + dup192, + part417, ], on_success: processor_chain([ - dup115, + dup114, dup51, dup52, dup53, dup54, - dup12, + dup11, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg377 = msg("760:01", all83); -var select124 = linear_select([ +var select125 = linear_select([ msg376, msg377, ]); -var msg378 = msg("766", dup218); +var msg378 = msg("766", 
dup217); -var msg379 = msg("860", dup218); +var msg379 = msg("860", dup217); -var msg380 = msg("860:01", dup219); +var msg380 = msg("860:01", dup218); -var select125 = linear_select([ +var select126 = linear_select([ msg379, msg380, ]); -var part416 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); +var part418 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); -var part417 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); +var part419 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); -var part418 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); +var part420 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); -var select126 = linear_select([ - part417, - part418, +var select127 = linear_select([ + part419, + part420, ]); var all84 = all_match({ processors: [ - part416, - select126, + part418, + select127, ], on_success: processor_chain([ dup5, 
@@ -4966,127 +4971,127 @@ var all84 = all_match({ var msg381 = msg("866", all84); -var msg382 = msg("866:01", dup219); +var msg382 = msg("866:01", dup218); -var select127 = linear_select([ +var select128 = linear_select([ msg381, msg382, ]); -var msg383 = msg("867", dup218); +var msg383 = msg("867", dup217); -var msg384 = msg("867:01", dup219); +var msg384 = msg("867:01", dup218); -var select128 = linear_select([ +var select129 = linear_select([ msg383, msg384, ]); -var part419 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ +var part421 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup1, ])); -var msg385 = msg("882", part419); +var msg385 = msg("882", part421); -var part420 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ +var part422 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ dup1, ])); -var msg386 = msg("882:01", part420); +var msg386 = msg("882:01", part422); -var select129 = linear_select([ +var select130 = linear_select([ msg385, msg386, ]); -var part421 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup161, +var part423 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup160, ])); -var msg387 = msg("888", part421); +var msg387 = msg("888", part423); -var part422 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup161, +var part424 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup160, ])); -var msg388 = msg("888:01", part422); +var msg388 = msg("888:01", part424); -var select130 = linear_select([ +var select131 = linear_select([ msg387, msg388, ]); var all85 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup191, - dup92, + dup7, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ - dup161, + dup160, ]), }); var msg389 = msg("892", all85); -var msg390 = msg("904", dup218); +var msg390 = msg("904", dup217); -var msg391 = msg("905", dup218); +var msg391 = msg("905", dup217); -var msg392 = msg("906", dup218); +var msg392 = msg("906", dup217); -var msg393 = msg("907", dup218); +var msg393 = msg("907", dup217); -var select131 = linear_select([ +var select132 = linear_select([ dup73, - dup140, + dup139, ]); var all86 = all_match({ processors: [ + dup161, + select132, + dup10, + dup212, dup162, - select131, - dup11, - dup213, - dup163, - dup201, - dup114, + dup200, + dup113, ], on_success: processor_chain([ dup70, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg394 = msg("908", all86); -var msg395 = msg("909", dup218); +var msg395 = msg("909", dup217); -var msg396 = msg("914", dup220); +var msg396 = msg("914", dup219); -var part423 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} 
dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part425 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup64, ])); -var msg397 = msg("931", part423); +var msg397 = msg("931", part425); -var msg398 = msg("657", dup220); +var msg398 = msg("657", dup219); var all87 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup191, - dup92, + dup7, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup5, 
@@ -5095,165 +5100,165 @@ var all87 = all_match({ var msg399 = msg("657:01", all87); -var select132 = linear_select([ +var select133 = linear_select([ msg398, msg399, ]); -var msg400 = msg("403", dup199); +var msg400 = msg("403", dup198); -var msg401 = msg("534", dup178); +var msg401 = msg("534", dup177); -var msg402 = msg("994", dup221); +var msg402 = msg("994", dup220); -var part424 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ +var part426 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ dup1, - dup24, + dup23, ])); -var msg403 = msg("243", part424); +var msg403 = msg("243", part426); -var msg404 = msg("995", dup178); +var msg404 = msg("995", dup177); -var part425 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ +var part427 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ dup1, dup51, dup53, dup54, - dup12, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg405 = msg("997", part425); +var msg405 = msg("997", part427); -var msg406 = msg("998", dup221); +var msg406 = msg("998", dup220); -var part426 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" 
fw_action=\"%{action}\"", processor_chain([ - dup107, - dup12, +var part428 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup106, + dup11, ])); -var msg407 = msg("998:01", part426); +var msg407 = msg("998:01", part428); -var select133 = linear_select([ +var select134 = linear_select([ msg406, msg407, ]); -var msg408 = msg("1110", dup222); +var msg408 = msg("1110", dup221); -var msg409 = msg("565", dup222); +var msg409 = msg("565", dup221); -var part427 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ +var part429 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup54, ])); -var msg410 = msg("404", part427); +var msg410 = msg("404", part429); -var select134 = linear_select([ - dup150, +var select135 = linear_select([ + dup149, dup50, ]); -var part428 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); +var part430 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); var all88 = all_match({ processors: [ dup81, - select134, - part428, + select135, + part430, ], on_success: processor_chain([ - dup107, + dup106, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg411 = msg("267:01", all88); -var part429 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ +var part431 = match("MESSAGE#410:267", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ dup1, dup54, ])); -var msg412 = msg("267", part429); +var msg412 = msg("267", part431); -var select135 = linear_select([ +var select136 = linear_select([ msg411, msg412, ]); -var part430 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ +var part432 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ dup1, - dup24, + dup23, ])); -var msg413 = msg("263", part430); +var msg413 = msg("263", part432); -var part431 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup105, - dup12, +var part433 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup104, + dup11, ])); -var msg414 = msg("264", part431); +var msg414 = msg("264", part433); -var msg415 = msg("412", dup199); +var msg415 = msg("412", dup198); -var part432 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part434 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} 
src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, - dup24, + dup23, ])); -var msg416 = msg("793", part432); +var msg416 = msg("793", part434); -var part433 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ +var part435 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ dup1, - dup24, + dup23, ])); -var msg417 = msg("805", part433); +var msg417 = msg("805", part435); -var part434 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup164, - dup12, +var part436 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup11, ])); -var msg418 = msg("809", part434); +var msg418 = msg("809", part436); -var part435 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup164, - dup12, +var part437 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup11, ])); -var msg419 = msg("809:01", part435); +var msg419 = msg("809:01", part437); -var select136 = linear_select([ +var select137 = linear_select([ msg418, msg419, ]); -var msg420 = msg("935", dup220); 
+var msg420 = msg("935", dup219); -var msg421 = msg("614", dup223); +var msg421 = msg("614", dup222); -var part436 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part438 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); var all89 = all_match({ processors: [ - part436, - dup201, - dup114, + part438, + dup200, + dup113, ], on_success: processor_chain([ dup58, 
@@ -5263,157 +5268,157 @@ var all89 = all_match({ var msg422 = msg("748", all89); -var part437 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part439 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part438 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); +var part440 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); -var select137 = linear_select([ - part438, - dup113, +var select138 = linear_select([ + part440, + dup112, ]); var all90 = all_match({ processors: [ - part437, - select137, - dup114, + part439, + select138, + dup113, ], on_success: processor_chain([ - dup165, + dup164, dup37, ]), }); var msg423 = msg("794", all90); -var msg424 = msg("1086", dup223); +var msg424 = msg("1086", dup222); -var part439 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup165, +var part441 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup37, ])); -var msg425 = msg("1430", part439); +var msg425 = msg("1430", part441); -var msg426 = msg("1149", dup223); +var msg426 = msg("1149", dup222); -var msg427 = msg("1159", dup223); +var msg427 = 
msg("1159", dup222); -var part440 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup165, +var part442 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup37, ])); -var msg428 = msg("1195", part440); +var msg428 = msg("1195", part442); -var part441 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup165, +var part443 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup164, dup37, ])); -var msg429 = msg("1195:01", part441); +var msg429 = msg("1195:01", part443); -var select138 = linear_select([ +var select139 = linear_select([ msg428, msg429, ]); -var part442 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var part444 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup5, dup37, ])); -var msg430 = msg("1226", part442); +var msg430 = msg("1226", part444); -var part443 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ +var part445 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup37, ])); -var msg431 = msg("1222", part443); +var msg431 = msg("1222", part445); -var part444 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part446 = 
match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, - dup24, + dup23, ])); -var msg432 = msg("1154", part444); +var msg432 = msg("1154", part446); -var part445 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); +var part447 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); var all91 = all_match({ processors: [ - part445, - dup176, - dup11, - dup191, - dup92, + part447, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup1, - dup24, + dup23, ]), }); var msg433 = msg("1154:01", all91); -var part446 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup166, - dup12, +var part448 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup165, + dup11, ])); -var msg434 = msg("1154:02", part446); +var msg434 = msg("1154:02", part448); -var part447 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{p0}"); +var part449 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var select139 = linear_select([ - dup125, +var select140 = linear_select([ + dup124, dup49, ]); -var part448 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); +var part450 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); var all92 = all_match({ processors: [ - part447, - select139, - part448, + part449, + select140, + part450, ], on_success: processor_chain([ - dup166, - dup12, + dup165, + dup11, ]), }); var msg435 = msg("1154:03", all92); -var select140 = linear_select([ +var select141 = linear_select([ msg432, msg433, msg434, msg435, ]); -var part449 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup167, +var part451 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup166, ])); -var msg436 = msg("msg", part449); +var msg436 = msg("msg", part451); -var part450 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup167, +var part452 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup166, ])); -var msg437 = msg("src", part450); +var msg437 = msg("src", part452); var all93 = all_match({ processors: [ - dup8, - dup179, - dup11, - dup177, - dup11, - dup202, + dup7, + dup178, + dup10, + dup176, + dup10, + dup201, ], on_success: processor_chain([ dup1, 
@@ -5422,15 +5427,15 @@ var all93 = all_match({ var msg438 = msg("1235", all93); -var part451 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); +var part453 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); var all94 = all_match({ processors: [ - dup8, - dup179, - dup11, - dup193, - part451, + dup7, + dup178, + dup10, + dup192, + part453, ], on_success: processor_chain([ dup1, @@ -5439,13 +5444,13 @@ var all94 = all_match({ var msg439 = msg("1197", all94); -var part452 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part454 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all95 = all_match({ processors: [ - part452, - dup179, - dup168, + part454, + dup178, + dup167, ], on_success: processor_chain([ dup1, 
@@ -5454,35 +5459,35 @@ var all95 = all_match({ var msg440 = msg("1199", all95); -var part453 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup169, - dup12, +var part455 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup168, + dup11, ])); -var msg441 = msg("1199:01", part453); +var msg441 = msg("1199:01", part455); -var part454 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup169, - dup12, +var part456 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup168, + dup11, ])); -var msg442 = msg("1199:02", part454); +var msg442 = msg("1199:02", part456); -var select141 = linear_select([ +var select142 = linear_select([ msg440, msg441, msg442, ]); -var part455 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} 
n=%{fld5->} src=%{p0}"); +var part457 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); var all96 = all_match({ processors: [ - part455, - dup176, - dup11, - dup191, - dup92, + part457, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup1, @@ -5491,22 +5496,22 @@ var all96 = all_match({ var msg443 = msg("1155", all96); -var part456 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup107, +var part458 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup106, ])); -var msg444 = msg("1155:01", part456); +var msg444 = msg("1155:01", part458); -var select142 = linear_select([ +var select143 = linear_select([ msg443, msg444, ]); var all97 = all_match({ processors: [ - dup170, - dup203, - dup168, + dup169, + dup202, + dup167, ], on_success: processor_chain([ dup1, @@ -5517,9 +5522,9 @@ var msg445 = msg("1198", all97); var all98 = all_match({ processors: [ - dup8, - dup179, - dup168, + dup7, + dup178, + dup167, ], on_success: processor_chain([ dup1, 
@@ -5528,30 +5533,30 @@ var all98 = all_match({ var msg446 = msg("714", all98); -var msg447 = msg("709", dup242); +var msg447 = msg("709", dup241); -var msg448 = msg("1005", dup242); +var msg448 = msg("1005", dup241); -var msg449 = msg("1003", dup242); +var msg449 = msg("1003", dup241); -var msg450 = msg("1007", dup243); +var msg450 = msg("1007", dup242); -var part457 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup105, - dup12, +var part459 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup104, + dup11, ])); -var msg451 = msg("1008", part457); +var msg451 = msg("1008", part459); -var msg452 = msg("708", dup243); +var msg452 = msg("708", dup242); var all99 = all_match({ processors: [ - dup170, - dup176, - dup11, - dup191, - dup92, + dup169, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup1, 
@@ -5560,166 +5565,166 @@ var all99 = all_match({ var msg453 = msg("1201", all99); -var msg454 = msg("1201:01", dup243); +var msg454 = msg("1201:01", dup242); -var select143 = linear_select([ +var select144 = linear_select([ msg453, msg454, ]); -var msg455 = msg("654", dup224); +var msg455 = msg("654", dup223); -var msg456 = msg("670", dup224); +var msg456 = msg("670", dup223); -var msg457 = msg("884", dup243); +var msg457 = msg("884", dup242); -var part458 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ +var part460 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ dup1, ])); -var msg458 = msg("1153", part458); +var msg458 = msg("1153", part460); -var part459 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); +var part461 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); -var part460 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); +var part462 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); -var part461 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); +var part463 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); -var select144 = linear_select([ - part459, - part460, +var select145 = linear_select([ part461, + part462, + part463, ]); -var part462 = match("MESSAGE#458:1153:01/1", 
"nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); +var part464 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); -var part463 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var part465 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); -var select145 = linear_select([ - part463, - dup26, +var select146 = linear_select([ + part465, + dup25, ]); -var part464 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); +var part466 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); -var part465 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); +var part467 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); -var part466 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); +var part468 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); -var select146 = linear_select([ - part464, - part465, +var select147 = linear_select([ part466, + part467, + part468, ]); -var part467 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); +var part469 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); -var part468 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); +var part470 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); -var part469 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); +var part471 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); -var part470 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", 
"rcvd=%{rbytes->} "); +var part472 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); -var select147 = linear_select([ - part468, - part469, +var select148 = linear_select([ part470, + part471, + part472, ]); var all100 = all_match({ processors: [ - select144, - part462, select145, - dup11, + part464, select146, - part467, + dup10, select147, + part469, + select148, ], on_success: processor_chain([ dup1, - dup12, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg459 = msg("1153:01", all100); -var part471 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); +var part473 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); -var part472 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); +var part474 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); -var part473 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); +var part475 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); -var select148 = linear_select([ - part472, - part473, +var select149 = linear_select([ + part474, + part475, ]); -var part474 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} "); +var part476 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} "); var all101 = all_match({ processors: [ - part471, - select148, - part474, + part473, + select149, + part476, ], on_success: processor_chain([ dup1, - dup12, + dup11, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var msg460 = msg("1153:02", all101); -var 
select149 = linear_select([ +var select150 = linear_select([ msg458, msg459, msg460, ]); -var part475 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ +var part477 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ dup1, ])); -var msg461 = msg("1107", part475); +var msg461 = msg("1107", part477); -var part476 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); +var part478 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); -var part477 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part479 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part478 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); +var part480 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); -var select150 = linear_select([ - part477, - part478, +var select151 = linear_select([ + part479, + part480, ]); var all102 = all_match({ processors: [ - part476, - select150, - dup11, - dup225, - dup173, + part478, + select151, + dup10, + dup224, + dup172, ], on_success: processor_chain([ - dup161, + dup160, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); 
@@ -5728,68 +5733,68 @@ var msg462 = msg("1220", all102); var all103 = all_match({ processors: [ - dup149, - dup225, - dup173, + dup148, + dup224, + dup172, ], on_success: processor_chain([ - dup161, + dup160, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg463 = msg("1230", all103); -var part479 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ +var part481 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ dup1, ])); -var msg464 = msg("1231", part479); +var msg464 = msg("1231", part481); -var part480 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup169, - dup12, +var part482 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup168, + dup11, ])); -var msg465 = msg("1233", part480); +var msg465 = msg("1233", part482); -var part481 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); +var part483 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); -var part482 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); +var part484 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); -var part483 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); +var part485 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); -var select151 = linear_select([ - part482, - part483, +var select152 = linear_select([ + part484, + part485, ]); -var part484 = 
match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); +var part486 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); -var part485 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); +var part487 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); -var part486 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); +var part488 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); -var part487 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); +var part489 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); -var select152 = linear_select([ - part485, - part486, +var select153 = linear_select([ part487, + part488, + part489, ]); var all104 = all_match({ processors: [ - part481, - select151, - part484, + part483, select152, + part486, + select153, ], on_success: processor_chain([ dup1, 
@@ -5798,68 +5803,68 @@ var all104 = all_match({ var msg466 = msg("1079", all104); -var part488 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ +var part490 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ dup1, ])); -var msg467 = msg("1079:01", part488); +var msg467 = msg("1079:01", part490); -var part489 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ +var part491 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ dup1, - dup12, + dup11, setc("event_description","destination is not allowed by access control"), + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg468 = msg("1079:02", part489); +var msg468 = msg("1079:02", part491); -var part490 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ +var part492 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ dup1, - dup12, + dup11, setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup17, dup18, dup19, dup20, dup21, - dup22, ])); -var msg469 = msg("1079:03", part490); +var msg469 = msg("1079:03", part492); -var select153 = linear_select([ +var select154 = linear_select([ msg466, msg467, msg468, msg469, ]); -var part491 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); +var part493 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" 
sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); -var part492 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part494 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var select154 = linear_select([ +var select155 = linear_select([ dup73, - part492, + part494, ]); -var select155 = linear_select([ +var select156 = linear_select([ dup77, dup78, ]); -var part493 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); +var part495 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); var all105 = all_match({ processors: [ - part491, - select154, - dup11, - select155, part493, + select155, + dup10, + select156, + part495, ], on_success: processor_chain([ dup1, 
@@ -5868,35 +5873,35 @@ var all105 = all_match({ var msg470 = msg("1080", all105); -var part494 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part496 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg471 = msg("580", part494); +var msg471 = msg("580", part496); -var part495 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var part497 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); var all106 = all_match({ processors: [ - part495, - dup226, - dup114, + part497, + dup225, + dup113, ], on_success: processor_chain([ dup70, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); @@ -5905,20 +5910,20 @@ var msg472 = msg("1369", all106); var all107 = all_match({ processors: [ - dup149, - dup213, - dup151, - dup226, - dup114, + dup148, + dup212, + dup150, + dup225, + dup113, ], on_success: processor_chain([ dup70, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); 
@@ -5927,272 +5932,272 @@ var msg473 = msg("1370", all107); var all108 = all_match({ processors: [ - dup149, - dup213, - dup163, - dup201, - dup114, + dup148, + dup212, + dup162, + dup200, + dup113, ], on_success: processor_chain([ dup70, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg474 = msg("1371", all108); -var part496 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); +var part498 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); -var select156 = linear_select([ - dup140, - part496, +var select157 = linear_select([ + dup139, + part498, ]); var all109 = all_match({ processors: [ + dup161, + select157, + dup10, + dup212, dup162, - select156, - dup11, - dup213, - dup163, - dup201, - dup114, + dup200, + dup113, ], on_success: processor_chain([ - dup161, + dup160, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg475 = msg("1387", all109); -var part497 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); +var part499 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); -var part498 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); +var part500 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); -var select157 = linear_select([ +var select158 = linear_select([ dup69, - part498, + part500, ]); -var part499 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); +var part501 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); -var part500 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); +var part502 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); -var part501 = 
match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); +var part503 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); -var select158 = linear_select([ - part499, - part500, +var select159 = linear_select([ part501, + part502, + part503, ]); var all110 = all_match({ processors: [ - part497, - select157, + part499, select158, + select159, ], on_success: processor_chain([ dup1, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg476 = msg("1391", all110); -var part502 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ +var part504 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ dup5, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg477 = msg("1253", part502); +var msg477 = msg("1253", part504); -var part503 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part505 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg478 = msg("1009", part503); +var msg478 = msg("1009", part505); -var part504 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part506 = match("MESSAGE#478:910/0", 
"nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); -var part505 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); +var part507 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); -var part506 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); +var part508 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); -var select159 = linear_select([ - part505, - part506, +var select160 = linear_select([ + part507, + part508, ]); -var part507 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); +var part509 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); var all111 = all_match({ processors: [ - part504, - select159, - part507, + part506, + select160, + part509, ], on_success: processor_chain([ dup5, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg479 = msg("910", all111); -var part508 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ +var part510 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ dup1, dup54, - dup18, + dup17, dup82, - dup20, - dup22, + dup19, + dup21, dup37, ])); -var msg480 = msg("m:01", part508); +var msg480 = msg("m:01", part510); -var part509 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" 
fw_action=\"%{action}\"", processor_chain([ +var part511 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg481 = msg("1011", part509); +var msg481 = msg("1011", part511); -var part510 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup166, +var part512 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup165, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg482 = msg("609", part510); +var msg482 = msg("609", part512); -var msg483 = msg("796", dup227); +var msg483 = msg("796", dup226); -var part511 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part513 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup70, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg484 = msg("880", part511); +var msg484 = msg("880", part513); -var part512 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup161, +var part514 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + 
dup160, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); -var msg485 = msg("1309", part512); +var msg485 = msg("1309", part514); -var msg486 = msg("1310", dup227); +var msg486 = msg("1310", dup226); -var part513 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); +var part515 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); -var part514 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); +var part516 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); -var select160 = linear_select([ - part513, - part514, +var select161 = linear_select([ + part515, + part516, ]); -var part515 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); +var part517 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); var all112 = all_match({ processors: [ dup81, - select160, - part515, + select161, + part517, ], on_success: processor_chain([ dup1, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); var msg487 = msg("1232", all112); -var part516 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part518 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all113 = all_match({ processors: [ - part516, - dup201, - dup114, + part518, + dup200, + dup113, ], on_success: 
processor_chain([ - dup161, + dup160, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ]), }); @@ -6217,7 +6222,7 @@ var chain1 = processor_chain([ "105": msg164, "106": msg165, "107": msg166, - "1079": select153, + "1079": select154, "108": msg167, "1080": msg470, "1086": msg424, @@ -6225,28 +6230,28 @@ var chain1 = processor_chain([ "11": msg10, "110": msg169, "1107": msg461, - "111": select65, + "111": select66, "1110": msg408, "112": msg172, "113": msg173, "114": msg174, "1149": msg426, - "115": select66, - "1153": select149, - "1154": select140, - "1155": select142, + "115": select67, + "1153": select150, + "1154": select141, + "1155": select143, "1159": msg427, "116": msg177, "117": msg178, "118": msg179, "119": msg180, - "1195": select138, + "1195": select139, "1197": msg439, "1198": msg445, - "1199": select141, + "1199": select142, "12": select4, "120": msg181, - "1201": select143, + "1201": select144, "121": msg182, "122": msg183, "1220": msg462, @@ -6284,7 +6289,7 @@ var chain1 = processor_chain([ "1371": msg474, "138": msg202, "1387": msg475, - "139": select67, + "139": select68, "1391": msg476, "14": select7, "140": msg205, @@ -6309,7 +6314,7 @@ var chain1 = processor_chain([ "154": msg221, "155": msg222, "156": msg223, - "157": select68, + "157": select69, "158": msg226, "159": msg227, "16": msg21, 
@@ -6325,37 +6330,37 @@ var chain1 = processor_chain([ "169": msg237, "17": msg22, "170": msg238, - "171": select69, - "172": select70, + "171": select70, + "172": select71, "173": msg245, - "174": select71, - "175": select72, + "174": select72, + "175": select73, "176": msg253, "177": msg254, "178": msg255, "179": msg256, "18": msg23, - "180": select73, - "181": select74, + "180": select74, + "181": select75, "19": msg24, "193": msg261, "194": msg262, "195": msg263, - "196": select77, + "196": select78, "199": msg266, "20": msg25, "200": msg267, "21": msg26, "22": msg27, "23": select10, - "235": select78, + "235": select79, "236": msg271, "237": msg272, "238": msg273, "239": msg274, "24": select11, "240": msg275, - "241": select79, + "241": select80, "242": msg278, "243": msg403, "25": msg34, @@ -6363,11 +6368,11 @@ var chain1 = processor_chain([ "255": msg280, "257": msg281, "26": msg35, - "261": select82, + "261": select83, "262": msg284, "263": msg413, "264": msg414, - "267": select135, + "267": select136, "27": msg36, "273": msg285, "28": select12, @@ -6380,22 +6385,22 @@ var chain1 = processor_chain([ "33": select17, "34": msg52, "346": msg288, - "35": select18, + "35": select19, "350": msg289, "351": msg290, "352": msg291, - "353": select83, + "353": select84, "354": msg294, - "355": select84, + "355": select85, "356": msg297, - "357": select85, + "357": select86, "358": msg300, - "36": select22, - "37": select26, - "371": select86, + "36": select23, + "37": select27, + "371": select87, "372": msg303, "373": msg304, - "38": select29, + "38": select30, "39": msg67, "4": msg1, "40": msg68, @@ -6404,7 +6409,7 @@ var chain1 = processor_chain([ "403": msg400, "404": msg410, "406": msg307, - "41": select30, + "41": select31, "412": msg415, "413": msg308, "414": msg309, 
@@ -6416,11 +6421,11 @@ var chain1 = processor_chain([ "439": msg311, "44": msg74, "440": msg312, - "441": select87, + "441": select88, "442": msg315, "446": msg316, - "45": select31, - "46": select32, + "45": select32, + "46": select33, "47": msg82, "477": msg317, "48": msg83, @@ -6431,13 +6436,13 @@ var chain1 = processor_chain([ "51": msg86, "52": msg87, "520": msg319, - "522": select90, + "522": select91, "523": msg323, - "524": select93, - "526": select96, + "524": select94, + "526": select97, "53": msg88, "534": msg401, - "537": select115, + "537": select116, "538": msg346, "549": msg347, "557": msg348, @@ -6449,11 +6454,11 @@ var chain1 = processor_chain([ "58": msg89, "580": msg471, "583": msg353, - "597": select116, - "598": select117, + "597": select117, + "598": select118, "6": select3, "60": msg90, - "602": select118, + "602": select119, "605": msg363, "606": msg364, "608": msg365, @@ -6462,32 +6467,32 @@ var chain1 = processor_chain([ "614": msg421, "616": msg366, "62": msg92, - "63": select33, + "63": select34, "64": msg95, "65": msg96, "654": msg455, - "657": select132, + "657": select133, "658": msg367, "66": msg97, - "67": select34, + "67": select35, "670": msg456, "68": msg100, "69": msg101, "7": msg6, - "70": select36, + "70": select37, "708": msg452, "709": msg447, "710": msg368, - "712": select122, - "713": select123, + "712": select123, + "713": select124, "714": msg446, - "72": select37, + "72": select38, "73": msg106, "74": msg107, "748": msg422, "75": msg108, "76": msg109, - "760": select124, + "760": select125, "766": msg378, "77": msg110, "78": msg111, 
@@ -6498,21 +6503,21 @@ var chain1 = processor_chain([ "8": msg7, "80": msg113, "805": msg417, - "809": select136, + "809": select137, "81": msg114, - "82": select38, - "83": select39, + "82": select39, + "83": select40, "84": msg122, - "860": select125, - "866": select127, - "867": select128, - "87": select41, - "88": select42, + "860": select126, + "866": select128, + "867": select129, + "87": select42, + "88": select43, "880": msg484, - "882": select129, + "882": select130, "884": msg457, - "888": select130, - "89": select44, + "888": select131, + "89": select45, "892": msg389, "9": msg8, "90": msg129, 
@@ -6532,536 +6537,534 @@ var chain1 = processor_chain([ "94": msg133, "95": msg134, "96": msg135, - "97": select51, - "98": select64, + "97": select52, + "98": select65, "986": msg155, "99": msg158, "994": msg402, "995": msg404, "997": msg405, - "998": select133, + "998": select134, "m": msg480, "msg": msg436, "src": msg437, }), ]); -var part517 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); - -var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part519 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var part520 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); -var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part521 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); +var part522 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); -var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); +var part523 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); -var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); +var part524 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); -var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part525 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); +var part526 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} 
dst= %{p0}"); -var part526 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); +var part527 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); -var part527 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); +var part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); -var part528 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); +var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); -var part529 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); +var part530 = match("MESSAGE#52:35:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); -var part530 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); +var part531 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); -var part531 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); +var part532 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); -var part532 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part533 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); -var part533 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); +var part534 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part534 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); +var part535 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); -var part535 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); +var part536 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); -var part536 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} 
proto= %{p0}"); +var part537 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); -var part537 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); +var part538 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); -var part538 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); +var part539 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); -var part539 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); +var part540 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); -var part540 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); +var part541 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); -var part541 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); +var part542 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); -var part542 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); +var part543 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); -var part543 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part544 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); -var part544 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); +var part545 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part545 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); +var part546 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); -var part546 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); +var 
part547 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); -var part547 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part548 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); -var part548 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); +var part549 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part549 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part550 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); -var part550 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); +var part551 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); -var part551 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); +var part552 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); -var part552 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var part553 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); -var part553 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); +var part554 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); -var part554 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); +var part555 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); -var part555 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); +var part556 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); -var 
part556 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); +var part557 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); -var part557 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part558 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); -var part558 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); +var part559 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part559 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); +var part560 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); -var part560 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part561 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); -var part561 = match("MESSAGE#202:139:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); +var part562 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part562 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); +var part563 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); -var part563 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); +var part564 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); -var part564 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); +var part565 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); -var part565 = match("MESSAGE#240:171:03/4", 
"nwparser.p0", "%{} %{info}"); +var part566 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); -var part566 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); +var part567 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); -var part567 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); +var part568 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); -var part568 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); +var part569 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); -var part569 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); +var part570 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); -var part570 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); +var part571 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); -var part571 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); +var part572 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); -var part572 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); +var part573 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); -var part573 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); +var part574 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); -var part574 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var part575 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var part575 = 
match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); +var part576 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var part576 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); +var part577 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); -var part577 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); +var part578 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); -var part578 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); +var part579 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); -var part579 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); +var part580 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); -var part580 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); +var part581 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var part581 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); +var part582 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); -var part582 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); +var part583 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); -var part583 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); +var part584 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); -var part584 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); +var part585 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" 
app=%{fld51->} appName=\"%{application}\"n=%{p0}"); -var part585 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var part586 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var part586 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); +var part587 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); -var part587 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); +var part588 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); -var part588 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); +var part589 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); -var part589 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); +var part590 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); -var part590 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); +var part591 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); -var part591 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part592 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var part592 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); +var part593 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); -var part593 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); +var part594 = 
match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); -var part594 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var part595 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); -var part595 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); +var part596 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); -var part596 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); +var part597 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); -var part597 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var part598 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); -var part598 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); +var part599 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); -var part599 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); +var part600 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); -var part600 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part601 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part601 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); +var part602 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); -var part602 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); +var part603 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); -var part603 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", 
"%{fld2->} %{p0}"); +var part604 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); -var part604 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); +var part605 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); -var part605 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part606 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part606 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); +var part607 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); -var part607 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); +var part608 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); -var part608 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); +var part609 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); -var part609 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part610 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part610 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part611 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part611 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); +var part612 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); -var part612 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); +var part613 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} 
dstMac=%{dmacaddr}proto=%{p0}"); -var part613 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); +var part614 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); -var part614 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var part615 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var part615 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part616 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part616 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part617 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part617 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); +var part618 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); -var part618 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); +var part619 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); -var part619 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); +var part620 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); -var part620 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); +var part621 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); -var part621 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); +var part622 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); -var part622 = 
match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part623 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part623 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); +var part624 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var part624 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part625 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part625 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var part626 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); -var part626 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var part627 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); -var part627 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); +var part628 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var part628 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var part629 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); -var part629 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); +var part630 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); -var select161 = linear_select([ +var select162 = linear_select([ + dup8, dup9, - dup10, ]); -var select162 = linear_select([ +var select163 = linear_select([ + dup15, dup16, - dup17, ]); -var part630 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var part631 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup24, + dup23, ])); -var select163 = linear_select([ +var select164 = linear_select([ + dup25, dup26, - dup27, ]); -var select164 = linear_select([ +var select165 = linear_select([ dup34, dup35, ]); -var select165 = linear_select([ - dup26, +var select166 = linear_select([ + dup25, dup39, ]); -var select166 = linear_select([ +var select167 = linear_select([ dup41, dup42, ]); -var select167 = linear_select([ +var select168 = linear_select([ dup46, dup47, ]); -var select168 = linear_select([ +var select169 = linear_select([ dup49, dup50, ]); -var part631 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part632 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup62, ])); -var part632 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part633 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); -var select169 = linear_select([ +var select170 = linear_select([ dup71, dup75, dup76, ]); -var select170 = linear_select([ - dup9, - dup26, +var select171 = linear_select([ + dup8, + dup25, ]); -var part633 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
dstname=%{shost}", processor_chain([ +var part634 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); -var select171 = linear_select([ +var select172 = linear_select([ + dup33, dup85, - dup86, ]); -var select172 = linear_select([ +var select173 = linear_select([ + dup89, dup90, - dup91, ]); -var part634 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part635 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup5, ])); -var select173 = linear_select([ +var select174 = linear_select([ + dup93, dup94, - dup95, ]); -var select174 = linear_select([ +var select175 = linear_select([ + dup97, dup98, - dup99, ]); -var part635 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup89, +var part636 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup88, ])); -var part636 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup89, +var part637 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup88, ])); -var part637 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var part638 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var part638 = match("MESSAGE#298:358", 
"nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part639 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ dup1, ])); -var part639 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ +var part640 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, - dup24, + dup23, ])); -var select175 = linear_select([ - dup66, - dup110, -]); - var select176 = linear_select([ - dup112, - dup113, + dup66, + dup109, ]); var select177 = linear_select([ - dup117, - dup45, + dup111, + dup112, ]); var select178 = linear_select([ - dup9, - dup27, + dup116, + dup45, ]); var select179 = linear_select([ - dup9, + dup8, dup26, - dup39, ]); var select180 = linear_select([ + dup8, + dup25, + dup39, +]); + +var select181 = linear_select([ dup71, + dup15, dup16, - dup17, ]); -var select181 = linear_select([ +var select182 = linear_select([ + dup122, dup123, - dup124, ]); -var select182 = linear_select([ +var select183 = linear_select([ dup68, dup69, dup74, ]); -var select183 = linear_select([ +var select184 = linear_select([ + dup128, dup129, - dup130, ]); -var select184 = linear_select([ +var select185 = linear_select([ dup41, dup42, - dup136, + dup135, ]); -var select185 = linear_select([ +var select186 = linear_select([ + dup136, dup137, - dup138, ]); -var select186 = linear_select([ +var select187 = linear_select([ + dup139, dup140, - dup141, ]); -var select187 = linear_select([ +var select188 = linear_select([ + dup141, dup142, - dup143, ]); -var select188 = linear_select([ +var select189 = linear_select([ dup49, - dup150, + 
dup149, ]); -var part640 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup152, +var part641 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup151, ])); -var select189 = linear_select([ - dup154, +var select190 = linear_select([ + dup153, dup40, ]); -var select190 = linear_select([ +var select191 = linear_select([ + dup155, dup156, - dup157, ]); -var select191 = linear_select([ +var select192 = linear_select([ + dup157, dup158, - dup159, ]); -var part641 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var part642 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ dup5, ])); -var part642 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ +var part643 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ dup5, ])); -var part643 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var part644 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, - dup24, + dup23, ])); -var part644 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var part645 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} 
dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup24, + dup23, ])); -var part645 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ +var part646 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, - dup24, + dup23, ])); -var part646 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup165, +var part647 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup37, ])); -var part647 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ +var part648 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); -var select192 = linear_select([ +var select193 = linear_select([ + dup170, dup171, - dup172, ]); -var select193 = linear_select([ +var select194 = linear_select([ + dup173, dup174, - dup175, ]); -var part648 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var part649 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, dup54, - dup18, + dup17, dup82, + dup19, dup20, dup21, - dup22, dup37, ])); var all114 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup177, - dup28, + dup30, + dup178, + dup10, + dup176, + dup27, ], on_success: processor_chain([ - dup30, + dup29, ]), }); var all115 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup87, + dup86, ]), }); var all116 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + 
dup189, ], on_success: processor_chain([ dup59, @@ -7070,8 +7073,8 @@ var all116 = all_match({ var all117 = all_match({ processors: [ - dup97, - dup194, + dup96, + dup193, ], on_success: processor_chain([ dup59, @@ -7080,92 +7083,92 @@ var all117 = all_match({ var all118 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup102, + dup101, ]), }); var all119 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup30, + dup29, ]), }); var all120 = all_match({ processors: [ - dup31, - dup179, - dup11, - dup190, + dup30, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup29, + dup28, ]), }); var all121 = all_match({ processors: [ - dup104, - dup179, - dup11, - dup190, + dup103, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup105, + dup104, ]), }); var all122 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup108, + dup107, ]), }); var all123 = all_match({ processors: [ - dup109, - dup200, + dup108, + dup199, ], on_success: processor_chain([ - dup89, + dup88, ]), }); var all124 = all_match({ processors: [ - dup106, - dup179, - dup11, - dup190, + dup105, + dup178, + dup10, + dup189, ], on_success: processor_chain([ - dup111, + dup110, ]), }); var all125 = all_match({ processors: [ dup44, - dup180, + dup179, dup36, - dup190, + dup189, ], on_success: processor_chain([ dup5, @@ -7175,9 +7178,9 @@ var all125 = all_match({ var all126 = all_match({ processors: [ dup80, - dup179, - dup11, - dup177, + dup178, + dup10, + dup176, dup79, ], on_success: processor_chain([ 
@@ -7187,36 +7190,36 @@ var all126 = all_match({ var all127 = all_match({ processors: [ - dup153, + dup152, + dup214, + dup154, dup215, - dup155, dup216, - dup217, - dup160, + dup159, ], on_success: processor_chain([ - dup152, + dup151, dup51, dup52, dup53, dup54, dup37, dup55, + dup17, dup18, dup19, dup20, dup21, - dup22, ]), }); var all128 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup193, - dup96, + dup7, + dup175, + dup10, + dup192, + dup95, ], on_success: processor_chain([ dup1, @@ -7225,11 +7228,11 @@ var all128 = all_match({ var all129 = all_match({ processors: [ - dup8, - dup176, - dup11, - dup191, - dup92, + dup7, + dup175, + dup10, + dup190, + dup91, ], on_success: processor_chain([ dup1, diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index f806cdb4c6f..9f972c2e6fc 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2007-01-03T16:48:06.000Z", "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -39,6 +40,7 @@ ] }, { + "@timestamp": "2007-01-03T16:48:07.000Z", "event.action": "Administrator login denied due to bad credentials", "event.code": "30", "event.dataset": "sonicwall.firewall", @@ -65,6 +67,7 @@ ] }, { + "@timestamp": "2007-01-03T16:48:07.000Z", "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -104,6 +107,7 @@ ] }, { + "@timestamp": "2007-01-03T16:48:07.000Z", "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", @@ -130,6 +134,7 @@ ] }, { + "@timestamp": "2007-01-03T16:48:08.000Z", "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", 
@@ -156,6 +161,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:10.000Z",
 "event.action": "Connection Closed",
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
@@ -182,6 +188,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:10.000Z",
 "event.action": "Connection Closed",
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
@@ -208,6 +215,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:10.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -247,6 +255,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:10.000Z",
 "event.action": "Administrator login denied due to bad credentials",
 "event.code": "30",
 "event.dataset": "sonicwall.firewall",
@@ -273,6 +282,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:11.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -312,6 +322,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:14.000Z",
 "event.code": "38",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -348,6 +359,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:14.000Z",
 "event.action": "Connection Closed",
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
@@ -374,6 +386,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
 "event.code": "346",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -395,6 +408,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -434,6 +448,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
 "event.code": "483",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -453,6 +468,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -486,6 +502,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:17.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -519,6 +536,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:18.000Z",
 "event.action": "Connection Closed",
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
@@ -545,6 +563,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:20.000Z",
 "event.action": "Connection Closed",
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
@@ -571,6 +590,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:20.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -604,6 +624,7 @@
 ]
 },
 {
+ "@timestamp": "2007-01-03T16:48:21.000Z",
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
index 0a21480cb6a..4175d2ffc93 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
@@ -1,100 +1,100 @@ -idi id=pexe sn=nes time="2016/01/29 06:09:59" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp -id=umexe sn=estlabo time="2016/02/12 13:12:33" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed -id=alo sn=eosquir time="2016-2-26 8:15:08" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" -emape id=aer sn=lupt time="2016/03/12 03:17:42" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up -id=consec sn=taliquip time="2016/03/26 10:20:16" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway -id=tconsec sn=nsequat time="2016/04/09 17:22:51" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 -llamcorp id=ari sn=eataevit time="2016/04/24 00:25:25" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked -mquisnos id=loremagn sn=iciade time="2016/05/08 07:27:59" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure -id=aali sn=ametcons time="2016/05/22 14:30:33" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal -orsitame id=quiratio sn=ite time="2016/06/05 21:33:08" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked -id=usan sn=aper time="2016/06/20 04:35:42" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host -id=atquovo sn=iumto time="2016/07/04 11:38:16" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated -id=undeo sn=loremip time="2016-7-18 6:40:50" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" -id=rveli sn=rsint time="2016/08/02 01:43:25" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped -id=qua sn=luptatev 
time="2016/08/16 08:45:59" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores -id=tatiset sn=eprehen time="2016/08/30 15:48:33" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings -id=aliq sn=rsitam time="2016/09/13 22:51:07" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" -id=itecto sn=erc time="2016/09/28 05:53:42" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed -id=tat sn=tion time="2016/10/12 12:56:16" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" -id=nidolo sn=tatn time="2016/10/26 19:58:50" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 -id=idex sn=xerci time="2016/11/10 03:01:24" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib -id=ari sn=exercit time="2016/11/24 10:03:59" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active -id=serunt sn=aquaeabi time="2016/12/08 17:06:33" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). -id=veniamq sn=one time="2016/12/23 00:09:07" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source -id=tin sn=tenima time="2017/01/06 07:11:41" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete -id=equat sn=derit time="2017/01/20 14:14:16" fw=10.90.86.89 pri=medium c=labor m=867 msg="didunt" sess=uptatema n=intocc -eporr id=xeacomm sn=mveleu time="2017/02/03 21:16:50" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated -id=nisi sn=dant time="2017/02/18 04:19:24" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state. 
-id=quidolor sn=tessec time="2017/03/04 11:21:59" fw=10.135.160.125 pri=low c=icabo m=882 msg="itatio" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp -id=Nequepor sn=ali time="2017/03/18 18:24:33" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed -id=ehen sn=tate time="2017/04/02 01:27:07" fw=10.140.167.6 pri=low c=stquido m=372 msg="ommodico" n=ptas src=10.60.129.15 dst=10.248.101.25 -id=Nequepo sn=ipsumd time="2017/04/16 08:29:41" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed -id=reetdolo sn=smo time="2017/04/30 15:32:16" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam -santiumd id=turadip sn=uatD time="2017/05/14 22:34:50" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped -id=volu sn=nonn time="2017/05/29 05:37:24" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login -id=sBon sn=orro time="2017/06/12 12:39:58" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD -amvo id=qui sn=tasn time="2017/06/26 19:42:33" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" -id=tvolupt sn=eufugi time="2017/07/11 02:45:07" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available -temqu id=ovol sn=ptasn time="2017/07/25 09:47:41" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped -id=pid sn=illoin time="2017/08/08 16:50:15" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout -id=mestq sn=temUt time="2017/08/22 23:52:50" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active -id=adeser sn=oin time="2017/09/06 06:55:24" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg="quam" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 -reetdol id=totamre sn=isnostr time="2017/09/20 
13:57:58" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out -psaquaea id=taevita sn=ameiusm time="2017/10/04 21:00:32" fw=10.227.15.253 pri=high c=piscinge m=402 msg="tvol" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit -elitse id=ima sn=quasia time="2017/10/19 04:03:07" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local -id=asiarc sn=ian time="2017/11/02 11:05:41" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed -id=intocc sn=amcorp time="2017/11/16 18:08:15" fw=10.57.57.241 pri=low c=litani m=83 msg="utodita" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note="tiaec" npcs=rumwrit -id=gna sn=con time="2017/12/01 01:10:49" fw=10.11.44.250 pri=high c=etMal m=931 msg="qua" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 -rem id=asper sn=idunt time="2017/12/15 08:13:24" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server -id=uisaute sn=imide time="2017/12/29 15:15:58" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable -id=ilmol sn=eri time="2018/01/12 22:18:32" fw=10.154.53.249 pri=low c=mquae m=243 msg="eriti" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp -id=emvele sn=isnost time="2018/01/27 05:21:06" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped -sit id=rumSect sn=ita time="2018/02/10 12:23:41" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E -oremag id=illu sn=ruredo time="2018/02/24 19:26:15" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore -id=onu sn=liquaUte time="2018/03/11 02:28:49" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication -id=mveniamq sn=taedict time="2018-3-25 9:31:24" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu 
note="aaliq" fw_action="allow" -id=uiinea sn=mnisiut time="2018/04/08 16:33:58" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 -id=mve sn=uia time="2018/04/22 23:36:32" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout -id=doei sn=cipitl time="2018/05/07 06:39:06" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 -ipsa id=asuntexp sn=adminim time="2018/05/21 13:41:41" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable -id=iumt sn=tsed time="2018/06/04 20:44:15" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out -id=loremag sn=tcu time="2018/06/19 03:46:49" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 -elillum id=upt sn=rnat time="2018/07/03 10:49:23" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped -doeiu id=deF sn=itempo time="2018/07/17 17:51:58" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" -BCS id=qui sn=ugiatquo time="2018/08/01 00:54:32" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN -id=vol sn=admi time="2018/08/15 07:57:06" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 -id=olorem sn=gitse time="2018/08/29 14:59:40" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" -id=gna sn=isiutali time="2018/09/12 22:02:15" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed -id=uaturve sn=amquisno time="2018/09/27 05:04:49" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 -id=atu sn=iusm time="2018/10/11 12:07:23" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo 
src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 -id=oin sn=itseddoe time="2018/10/25 19:09:57" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. -id=giatquov sn=olu time="2018/11/09 02:12:32" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. -emagn id=emulla sn=mips time="2018/11/23 09:15:06" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out -id=itametc sn=ori time="2018/12/07 16:17:40" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle -id=doconse sn=etdol time="2018/12/21 23:20:14" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 -id=min sn=oluptat time="2019/01/05 06:22:49" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 -id=eacommo sn=ueip time="2019/01/19 13:25:23" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon -usm id=labori sn=porai time="2019/02/02 20:27:57" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked -id=lup sn=upta time="2019-2-17 3:30:32" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" -id=mmod sn=iti time="2019/03/03 10:33:06" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked -id=mag sn=gelitse time="2019/03/17 17:35:40" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 -id=nostrud sn=cteturad time="2019/04/01 00:38:14" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F -oluptate id=lit sn=santi time="2019/04/15 07:40:49" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar -id=vol sn=psumd time="2019/04/29 14:43:23" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 -enbyCi id=reetdo sn=tat 
time="2019/05/13 21:45:57" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). -id=iamqui sn=tassita time="2019/05/28 04:48:31" fw=10.7.47.118 pri=medium c=piscing m=712 msg="allow" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129 -inesciu id=quid sn=atcupid time="2019/06/11 11:51:06" fw=10.29.5.115 pri=very-high c=ate m=670 msg="con" sess=tqu n=eirur -hite id=ianonnum sn=nofdeFi time="2019/06/25 18:53:40" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup -id=arch sn=lite time="2019/07/10 01:56:14" fw=10.25.118.123 pri=high c=borumSec m=931 msg="aecatcup" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 -id=rumSecti sn=Utenima time="2019-7-24 8:58:48" fw=10.74.166.70 pri=very-high c=olor m=1086 msg="radip" n=rchitect fw_action="deny" -id=amquisno sn=modoc time="2019/08/07 16:01:23" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded -id=Bonorum sn=lesti time="2019/08/21 23:03:57" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked -uuntur id=tsedquia sn=its time="2019/09/05 06:06:31" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent -id=tatevel sn=midestl time="2019/09/19 13:09:05" fw=10.222.197.130 pri=medium c=ulapa m=713 msg="block" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342 -id=hilmole sn=sequ time="2019/10/03 20:11:40" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination -umtota id=etdolore sn=magnaa time="2019/10/18 03:14:14" fw=10.209.34.197 pri=very-high c=tes m=766 msg="equam" n=isi -id=rep sn=remap time="2019/11/01 10:16:48" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN -id=nesciun sn=amcolab time="2019/11/15 17:19:22" fw=10.142.7.145 pri=low c=iuta m=373 msg="deny" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745 -onorumet id=ptatema sn=eavolup time="2019/11/30 00:21:57" fw=10.57.41.35 pri=medium c=tno m=76 Ripper Attack Dropped 
-id=taspe sn=lum time="2019/12/14 07:24:31" fw=10.15.234.228 pri=very-high c=msequ m=msg msg="nvol" src=10.83.134.38 dst=10.204.178.19 success +id=consec sn=taliquip time="2016/01/29 06:09:59" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway +id=tconsec sn=nsequat time="2016/02/12 13:12:33" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 +id=tempor sn=omnis time="2016/02/26 20:15:08" fw=10.245.94.130 pri=high c=inesci m=128 PPPoE LCP Link Down +id=niamquis sn=itati time="2016/03/12 03:17:42" fw=10.220.19.19 pri=low c=atatnonp m=413 msg="uiano" n=mrema src=10.214.225.125:5710 dst=10.163.217.10:5722 +gitsedqu id=uam sn=temq time="2016-3-26 10:20:16" fw=10.38.77.13 pri=low c=Utenimad m=14 msg="nibusBon" app=ehend sess="ueipsaqu" n=uidolore usr="niamqu" src=10.202.66.28:1852:enp0s5098 dst=10.64.155.245:6613:lo5037 srcMac=01:00:5e:4c:ae:05dstMac=01:00:5e:56:32:70 proto=icmp dstname=mqua3391.www.local arg=mquisnos code=loremagn Category="iciade" rule="tsed" fw_action="allow" +id=oll sn=erc time="2016/04/09 17:22:51" fw=10.5.195.236 pri=medium c=ccusan m=145 Backup firewall has transitioned to Idle +id=aveniam sn=uradi time="2016/04/24 00:25:25" fw=10.151.183.33 pri=high c=uaera m=174 IPSEC Replay Detected +id=ehenderi sn=pidatat time="2016/05/08 07:27:59" fw=10.80.246.230 pri=medium c=mquaera m=src src=10.216.179.229 dst=10.185.126.247 vel +id=undeo sn=loremip time="2016-5-22 2:30:33" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" +id=omm sn=idestla time="2016/06/05 21:33:08" fw=10.224.68.213 pri=medium c=aborumSe m=654 msg="luptat" sess=torev n=urExc +id=mquidol sn=ita time="2016/06/20 04:35:42" fw=10.100.76.221 pri=very-high c=lupt m=79 Priority Attack Dropped +id=qua sn=luptatev time="2016/07/04 11:38:16" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores +id=tatiset sn=eprehen time="2016/07/18 18:40:50" fw=10.117.146.33 
pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings +id=aliq sn=rsitam time="2016/08/02 01:43:25" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" +prehen id=olupt sn=modoco time="2016/08/16 08:45:59" fw=10.10.110.174 pri=very-high c=tat m=441 msg="tion" n=eataev src= 10.220.85.181 dst= tisetq 10.70.61.205 +id=riat sn=taut time="2016/08/30 15:48:33" fw=10.114.138.121 pri=very-high c=tati m=133 PPPoE starting CHAP Authentication +id=oriosamn sn=deFinibu time="2016/09/13 22:51:07" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg="eprehend" n=hil src=10.136.114.84 dst=10.176.205.96 +colabo id=eme sn=numqu time="2016-9-28 5:53:42" fw=10.232.149.140 pri=very-high c=lum m=264 msg="utali" sess="sitvolup" dur=141.548000 n=ipitla usr="quae" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action="allow" +datatn id=mqu sn=apariat time="2016/10/12 12:56:16" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped +id=ionevo sn=remagn time="2016/10/26 19:58:50" fw=10.160.205.242 pri=high c=uovolup m=84 msg="Failed to resolve name" n=samvolu dstname=ittenbyC3936.internal.test +id=amc sn=atur time="2016/11/10 03:01:24" fw=10.188.37.199 pri=low c=intoc m=995 msg="oluptas" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note="ione" +gel id=lorsitam sn=mpo time="2016/11/24 10:03:59" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying). 
+id=quioffi sn=uptate time="2016/12/08 17:06:33" fw=10.201.6.10 pri=high c=sequa m=346 msg="aera" n=ate src=10.240.242.122 dst=10.144.97.172 +id=uptasn sn=reme time="2016-12-23 12:09:07" fw=10.70.114.233 pri=high c=udantium m=796 msg="pre" n=xeacom fw_action="deny" +id=lorinre sn=olorsita time="2017/01/06 07:11:41" fw=10.226.20.99 pri=medium c=econs m=888 msg="blocked;cancel" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example +id=veniamqu sn=nse time="2017/01/20 14:14:16" fw=10.194.247.171 pri=low c=mquisnos m=882 msg="maven" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu +id=tvolu sn=ecte time="2017/02/03 21:16:50" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available +olupta id=litse sn=icabo time="2017/02/18 04:19:24" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28 +id=Nequepo sn=ipsumd time="2017/03/04 11:21:59" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed +id=reetdolo sn=smo time="2017/03/18 18:24:33" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam +santiumd id=turadip sn=uatD time="2017/04/02 01:27:07" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped +id=volu sn=nonn time="2017/04/16 08:29:41" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login +id=sBon sn=orro time="2017/04/30 15:32:16" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD +amvo id=qui sn=tasn time="2017/05/14 22:34:50" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" +id=tvolupt sn=eufugi time="2017/05/29 05:37:24" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available +temqu id=ovol sn=ptasn time="2017/06/12 12:39:58" fw=10.101.187.122 
pri=very-high c=str m=40 IPSec packet dropped +id=pid sn=illoin time="2017/06/26 19:42:33" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout +quid id=fugiat sn=atisun time="2017/07/11 02:45:07" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN +id=essequam sn=acommo time="2017/07/25 09:47:41" fw=10.177.144.70 pri=medium c=iat m=534 msg="etur" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note="tinv" +id=isnisi sn=ritatise time="2017/08/08 16:50:15" fw=10.38.54.72 pri=very-high c=ciad m=83 msg="tali" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note="sau" npcs=atevelit +id=billo sn=labo time="2017/08/22 23:52:50" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active +elitse id=ima sn=quasia time="2017/09/06 06:55:24" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local +id=asiarc sn=ian time="2017/09/20 13:57:58" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed +id=rauto sn=ationev time="2017/10/04 21:00:32" fw=10.92.19.202 pri=high c=nby m=350 msg="mve" n=osqui src=10.161.148.64 dst=10.96.97.81 +id=nsequat sn=doloreme time="2017/10/19 04:03:07" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked +itse id=umexerc sn=oremipsu time="2017/11/02 11:05:41" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg="liqua" n=utodita note="aec" +id=elitse sn=reseo time="2017/11/16 18:08:15" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked +id=plicab sn=oremq time="2017/12/01 01:10:49" fw=10.40.152.253 pri=low c=ritt m=msg msg="iaeco" src=10.53.150.77 dst=10.125.134.213 failure +id=quaea sn=ametcons time="2017/12/15 08:13:24" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL +id=ariatur sn=rer 
time="2017/12/29 15:15:58" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 dst=10.77.174.205 +id=luptatem sn=uaeratv time="2018/01/12 22:18:32" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173 +id=ntutlabo sn=iusmodte time="2018-1-27 5:21:06" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action="cancel" +id=proident sn=maliquam time="2018-2-10 12:23:41" fw=10.229.229.42 pri=high c=vitaedic m=428 msg="orin" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action="allow" +id=emvele sn=isnost time="2018/02/24 19:26:15" fw=10.71.112.159 pri=medium c=emqu m=412 msg="riss" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note="aliq" +id=mven sn=olorsit time="2018/03/11 02:28:49" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped +id=tatevel sn=boreetdo time="2018/03/25 09:31:24" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C +id=ddoeius sn=ugiatn time="2018/04/08 16:33:58" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded +id=uiadol sn=Duisa time="2018/04/22 23:36:32" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting. +id=emips sn=atv time="2018/05/07 06:39:06" fw=10.2.114.9 pri=high c=alorum m=372 msg="obeataev" n=tempor src=10.134.237.235 dst=10.11.83.126 +id=osquir sn=mod time="2018/05/21 13:41:41" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting). +id=Sedutpe sn=prehen time="2018/06/04 20:44:15" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN +tempor id=citatio sn=oluptat time="2018/06/19 03:46:49" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting). 
+id=nsequunt sn=proident time="2018/07/03 10:49:23" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE. +ugit id=tatem sn=metcons time="2018/07/17 17:51:58" fw=10.252.102.110 pri=medium c=tamet m=412 msg="perspici" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note="molestia" +id=labore sn=uela time="2018/08/01 00:54:32" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg="deny" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168 +licaboN id=atquo sn=cupi time="2018/08/15 07:57:06" fw=10.151.129.181 pri=very-high c=udan m=373 msg="allow" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484 +id=aeab sn=teur time="2018/08/29 14:59:40" fw=10.231.199.50 pri=low c=stquid m=412 msg="turadipi" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note="illu" +id=asuntexp sn=adminim time="2018/09/12 22:02:15" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped +id=iumt sn=tsed time="2018/09/27 05:04:49" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out +orsi id=tetura sn=imadmini time="2018/10/11 12:07:23" fw=10.46.192.198 pri=high c=uat m=96 Status +id=dolorema sn=emagn time="2018-10-25 7:09:57" fw=10.200.86.116 pri=medium m= msg="orinrep" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474 +id=culpaqui sn=tvolup time="2018/11/09 02:12:32" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded +id=tatev sn=luptas time="2018/11/23 09:15:06" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI +id=iadese sn=nisiu time="2018/12/07 16:17:40" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active +id=sitametc sn=onsequa time="2018/12/21 23:20:14" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available +id=pisc sn=urEx time="2019/01/05 06:22:49" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel +id=tnonproi sn=squira time="2019/01/19 13:25:23" fw=10.141.238.139 pri=medium 
c=uide m=144 Primary firewall has transitioned to Idle +lmolesti id=meumfugi sn=tquas time="2019/02/02 20:27:57" fw=10.200.22.41 pri=medium c=iame m=83 msg="orroquis" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370 +id=uisnostr sn=reetdol time="2019/02/17 03:30:32" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle +id=runtmo sn=ore time="2019/03/03 10:33:06" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying). +id=mveleum sn=liq time="2019/03/17 17:35:40" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed +mdolors id=oremi sn=ugitsedq time="2019/04/01 00:38:14" fw=10.143.229.47 pri=medium c=nisiut m=710 msg="cancel" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360 +tvolup id=consecte sn=pteurs time="2019/04/15 07:40:49" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source +id=unt sn=tass time="2019/04/29 14:43:23" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped +id=umdolo sn=rroqui time="2019/05/13 21:45:57" fw=10.76.122.196 pri=high c=epteur m=888 msg="malware;deny" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test +cepteur id=aer sn=osquira time="2019/05/28 04:48:31" fw=10.232.158.211 pri=high c=dolorem m=998 msg="sed" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note="sed" +id=pernat sn=udan time="2019/06/11 11:51:06" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot +id=orum sn=Bonoru time="2019/06/25 18:53:40" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email +id=lamcola sn=veli time="2019/07/10 01:56:14" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server +id=mmod sn=iti time="2019/07/24 08:58:48" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked +id=mag sn=gelitse time="2019/08/07 16:01:23" 
fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 +id=nostrud sn=cteturad time="2019/08/21 23:03:57" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F +id=ritati sn=iciade time="2019/09/05 06:06:31" fw=10.202.224.79 pri=low c=nevolupt m=441 msg="aco" n=apar +id=vol sn=psumd time="2019/09/19 13:09:05" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 +enbyCi id=reetdo sn=tat time="2019/10/03 20:11:40" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). +id=quunt sn=itasp time="2019/10/18 03:14:14" fw=10.210.181.12 pri=high c=met m=714 msg="volup" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur +id=ita sn=amquaer time="2019/11/01 10:16:48" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication +id=smod sn=idunt time="2019/11/15 17:19:22" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association +lore id=isci sn=Dui time="2019/11/30 00:21:57" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed +id=olore sn=orumS time="2019/12/14 07:24:31" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 77967c9c765..688c1a8395d 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json 
@@ -1,162 +1,179 @@ [ { - "destination.nat.ip": "10.49.111.67", - "destination.nat.port": 884, - "event.code": "914", + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "170", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "idi id=pexe sn=nes time=\"2016/01/29 06:09:59\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", + "event.original": "id=consec sn=taliquip time=\"2016/01/29 06:09:59\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", "fileset.name": "firewall", - "host.hostname": "oreetdol1714.internal.corp", - "host.name": "nostrud4819.mail.test", "input.type": "log", "log.offset": 0, - "log.original": "lupt", - "observer.egress.interface.name": "eth3598", - "observer.ingress.interface.name": "eth7178", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.49.111.67", - "10.92.136.230" - ], - "rsa.internal.messageid": "914", - "rsa.internal.msg": "lupt", - "rsa.network.dinterface": "eth3598", - "rsa.network.sinterface": "eth7178", + "rsa.internal.messageid": "170", + "rsa.time.date": "2016/01/29", "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sonicwall", - "source.address": "oreetdol1714.internal.corp", - "source.nat.ip": "10.92.136.230", - "source.nat.port": 6437, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-02-12T15:12:33.000Z", + "destination.ip": [ + "10.13.70.213" + ], + "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=umexe sn=estlabo time=\"2016/02/12 13:12:33\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", + "event.original": "id=tconsec sn=nsequat time=\"2016/02/12 13:12:33\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi 
src=10.95.245.65 dst=10.13.70.213", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 212, + "log.offset": 141, + "log.original": "llu", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.95.245.65", + "10.13.70.213" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "llu", + "rsa.time.date": "2016/02/12", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.95.245.65" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "destination.ip": [ - "10.227.15.1" - ], - "destination.mac": "01:00:5e:f7:a9:ff", - "destination.port": 410, - "event.action": "allow", - "event.code": "alo", + "@timestamp": "2016-02-26T22:15:08.000Z", + "event.code": "128", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=alo sn=eosquir time=\"2016-2-26 8:15:08\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", + "event.original": "id=tempor sn=omnis time=\"2016/02/26 20:15:08\" fw=10.245.94.130 pri=high c=inesci m=128 PPPoE LCP Link Down", "fileset.name": "firewall", - "host.ip": "10.149.203.46", "input.type": "log", - "log.level": "medium", - "log.offset": 319, - "network.protocol": "rdp", - "observer.egress.interface.name": "eth1977", - "observer.ingress.interface.name": "eth6183", + "log.offset": 289, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.149.203.46", - "10.150.156.22", - "10.227.15.1" - ], - "rsa.internal.event_desc": "ctetur", - "rsa.internal.messageid": "1369", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "mwritten", - "rsa.misc.reference_id": "alo", - "rsa.misc.serial_number": "eosquir", - 
"rsa.misc.severity": "medium", - "rsa.network.dinterface": "eth1977", - "rsa.network.sinterface": "eth6183", - "rsa.time.date": "2016-2-26", - "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.internal.messageid": "128", + "rsa.time.date": "2016/02/26", + "rsa.time.event_time": "2016-02-26T22:15:08.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.150.156.22" - ], - "source.mac": "01:00:5e:84:66:6c", - "source.port": 6378, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "127", + "@timestamp": "2016-03-12T05:17:42.000Z", + "destination.nat.ip": "10.163.217.10", + "destination.nat.port": 5722, + "event.code": "413", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "emape id=aer sn=lupt time=\"2016/03/12 03:17:42\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", + "event.original": "id=niamquis sn=itati time=\"2016/03/12 03:17:42\" fw=10.220.19.19 pri=low c=atatnonp m=413 msg=\"uiano\" n=mrema src=10.214.225.125:5710 dst=10.163.217.10:5722", "fileset.name": "firewall", "input.type": "log", - "log.offset": 566, + "log.offset": 396, + "log.original": "uiano", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "127", + "related.ip": [ + "10.163.217.10", + "10.214.225.125" + ], + "rsa.internal.messageid": "413", + "rsa.internal.msg": "uiano", + "rsa.time.date": "2016/03/12", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.214.225.125", + "source.nat.port": 5710, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "170", + "@timestamp": "2016-03-26T12:20:16.000Z", + "destination.address": "mqua3391.www.local", + "destination.ip": [ + "10.64.155.245" + ], + "destination.mac": "01:00:5e:56:32:70", + "destination.port": 6613, + "event.action": "allow", + "event.code": "14", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - 
"event.original": "id=consec sn=taliquip time=\"2016/03/26 10:20:16\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", + "event.original": "gitsedqu id=uam sn=temq time=\"2016-3-26 10:20:16\" fw=10.38.77.13 pri=low c=Utenimad m=14 msg=\"nibusBon\" app=ehend sess=\"ueipsaqu\" n=uidolore usr=\"niamqu\" src=10.202.66.28:1852:enp0s5098 dst=10.64.155.245:6613:lo5037 srcMac=01:00:5e:4c:ae:05dstMac=01:00:5e:56:32:70 proto=icmp dstname=mqua3391.www.local arg=mquisnos code=loremagn Category=\"iciade\" rule=\"tsed\" fw_action=\"allow\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 674, + "log.offset": 552, + "log.original": "nibusBon", + "network.protocol": "icmp", + "observer.egress.interface.name": "lo5037", + "observer.ingress.interface.name": "enp0s5098", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "170", - "rsa.time.date": "2016/03/26", + "related.ip": [ + "10.202.66.28", + "10.64.155.245" + ], + "rsa.internal.messageid": "14", + "rsa.internal.msg": "nibusBon", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "iciade", + "rsa.misc.param": "mquisnos", + "rsa.misc.result_code": "loremagn", + "rsa.misc.rule": "tsed", + "rsa.network.dinterface": "lo5037", + "rsa.network.host_dst": "mqua3391.www.local", + "rsa.network.sinterface": "enp0s5098", "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.202.66.28" + ], + "source.mac": "01:00:5e:4c:ae:05", + "source.port": 1852, "tags": [ "sonicwall.firewall", "forwarded" + ], + "user.name": [ + "niamqu" ] }, { + "@timestamp": "2016-04-09T19:22:51.000Z", + "event.code": "145", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tconsec sn=nsequat time=\"2016/04/09 17:22:51\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", + 
"event.original": "id=oll sn=erc time=\"2016/04/09 17:22:51\" fw=10.5.195.236 pri=medium c=ccusan m=145 Backup firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 815, + "log.offset": 930, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "145", + "rsa.time.date": "2016/04/09", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -164,17 +181,19 @@ ] }, { - "event.code": "176", + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "174", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "llamcorp id=ari sn=eataevit time=\"2016/04/24 00:25:25\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", + "event.original": "id=aveniam sn=uradi time=\"2016/04/24 00:25:25\" fw=10.151.183.33 pri=high c=uaera m=174 IPSEC Replay Detected", "fileset.name": "firewall", "input.type": "log", - "log.offset": 965, + "log.offset": 1054, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "176", + "rsa.internal.messageid": "174", + "rsa.time.date": "2016/04/24", "rsa.time.event_time": "2016-04-24T02:25:25.000Z", "service.type": "sonicwall", "tags": [ 
@@ -183,37 +202,54 @@ ] }, { - "event.code": "50", + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.nat.ip": "10.185.126.247", + "event.code": "src", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/08 07:27:59\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", + "event.original": "id=ehenderi sn=pidatat time=\"2016/05/08 07:27:59\" fw=10.80.246.230 pri=medium c=mquaera m=src src=10.216.179.229 dst=10.185.126.247 vel", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1105, + "log.offset": 1163, + "log.original": "vel", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "50", + "related.ip": [ + "10.216.179.229", + "10.185.126.247" + ], + "rsa.internal.messageid": "src", + "rsa.internal.msg": "vel", + "rsa.time.date": "2016/05/08", "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.216.179.229", "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.action": "cancel", + "event.code": "1149", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aali sn=ametcons time=\"2016/05/22 14:30:33\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", + "event.original": "id=undeo sn=loremip time=\"2016-5-22 2:30:33\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1228, + "log.offset": 1299, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "idolore", + "rsa.internal.messageid": "1149", + "rsa.misc.action": [ + "cancel" + ], + "rsa.time.date": "2016-5-22", + "rsa.time.event_time": 
"2016-05-22T04:30:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -221,17 +257,21 @@ ] }, { - "event.code": "15", + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "654", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "orsitame id=quiratio sn=ite time=\"2016/06/05 21:33:08\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", + "event.original": "id=omm sn=idestla time=\"2016/06/05 21:33:08\" fw=10.224.68.213 pri=medium c=aborumSe m=654 msg=\"luptat\" sess=torev n=urExc", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1355, + "log.offset": 1427, + "log.original": "luptat", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "15", + "rsa.internal.messageid": "654", + "rsa.internal.msg": "luptat", + "rsa.time.date": "2016/06/05", "rsa.time.event_time": "2016-06-05T23:33:08.000Z", "service.type": "sonicwall", "tags": [ @@ -240,17 +280,18 @@ ] }, { - "event.code": "70", + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "79", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=usan sn=aper time=\"2016/06/20 04:35:42\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", + "event.original": "id=mquidol sn=ita time=\"2016/06/20 04:35:42\" fw=10.100.76.221 pri=very-high c=lupt m=79 Priority Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1472, + "log.offset": 1549, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "70", + "rsa.internal.messageid": "79", "rsa.time.date": "2016/06/20", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "sonicwall", 
@@ -260,20 +301,21 @@ ] }, { - "event.code": "129", + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "1110", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=atquovo sn=iumto time=\"2016/07/04 11:38:16\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", + "event.original": "id=qua sn=luptatev time=\"2016/07/04 11:38:16\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1584, + "log.offset": 1661, + "log.original": "tinvol", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "129", + "rsa.internal.messageid": "1110", + "rsa.internal.msg": "tinvol", + "rsa.misc.space": "", "rsa.time.date": "2016/07/04", "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "sonicwall", 
@@ -283,24 +325,20 @@ ] }, { - "event.action": "cancel", - "event.code": "1149", + "@timestamp": "2016-07-18T20:40:50.000Z", + "event.code": "10", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=undeo sn=loremip time=\"2016-7-18 6:40:50\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", + "event.original": "id=tatiset sn=eprehen time=\"2016/07/18 18:40:50\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1690, + "log.offset": 1773, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "idolore", - "rsa.internal.messageid": "1149", - "rsa.misc.action": [ - "cancel" - ], - "rsa.time.date": "2016-7-18", - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.internal.messageid": "10", + "rsa.time.date": "2016/07/18", + "rsa.time.event_time": "2016-07-18T20:40:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -308,56 +346,81 @@ ] }, { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.nat.ip": "10.30.196.102", + "event.code": "353", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rveli sn=rsint time=\"2016/08/02 01:43:25\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", + "event.original": "id=aliq sn=rsitam time=\"2016/08/02 01:43:25\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", "fileset.name": "firewall", + "host.hostname": "fugi4637.www.lan", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1818, + "log.offset": 1916, + "log.original": "onproide", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.30.196.102", + "10.241.178.107" + ], + "rsa.internal.messageid": "353", + "rsa.internal.msg": "onproide", + "rsa.misc.misc": "imadmini", + "rsa.misc.ntype": "Nemoen", + "rsa.time.date": "2016/08/02", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "sonicwall", + "source.address": "fugi4637.www.lan", + "source.nat.ip": "10.241.178.107", "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=qua sn=luptatev time=\"2016/08/16 08:45:59\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", + "event.original": "prehen id=olupt sn=modoco time=\"2016/08/16 08:45:59\" fw=10.10.110.174 pri=very-high c=tat m=441 msg=\"tion\" n=eataev src= 10.220.85.181 dst= tisetq 10.70.61.205 ", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1947, + "log.offset": 2109, + "log.original": "tion", "observer.product": "Firewalls", "observer.type": 
"Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.220.85.181" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "tion", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.220.85.181" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "133", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatiset sn=eprehen time=\"2016/08/30 15:48:33\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", + "event.original": "id=riat sn=taut time=\"2016/08/30 15:48:33\" fw=10.114.138.121 pri=very-high c=tati m=133 PPPoE starting CHAP Authentication", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2061, + "log.offset": 2271, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "133", + "rsa.time.date": "2016/08/30", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -365,56 +428,98 @@ ] }, { + "@timestamp": "2016-09-14T00:51:07.000Z", + "destination.ip": [ + "10.176.205.96" + ], + "event.code": "346", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aliq sn=rsitam time=\"2016/09/13 22:51:07\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", + "event.original": "id=oriosamn sn=deFinibu time=\"2016/09/13 22:51:07\" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg=\"eprehend\" n=hil src=10.136.114.84 dst=10.176.205.96", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2206, + "log.offset": 2394, + "log.original": "eprehend", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.136.114.84", + "10.176.205.96" + ], + "rsa.internal.messageid": "346", + "rsa.internal.msg": "eprehend", + "rsa.time.date": "2016/09/13", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.136.114.84" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-09-28T07:53:42.000Z", + "destination.ip": [ + "10.193.192.62" + ], + "destination.port": 0, + "event.action": "allow", + "event.code": "264", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=itecto sn=erc time=\"2016/09/28 05:53:42\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", + "event.original": "colabo id=eme sn=numqu time=\"2016-9-28 5:53:42\" fw=10.232.149.140 pri=very-high c=lum m=264 msg=\"utali\" sess=\"sitvolup\" dur=141.548000 n=ipitla usr=\"quae\" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action=\"allow\"", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2401, + "log.offset": 2548, + "log.original": 
"utali", + "observer.egress.interface.name": "lo2706", + "observer.ingress.interface.name": "lo6637", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.170.120.4", + "10.193.192.62" + ], + "rsa.internal.messageid": "264", + "rsa.internal.msg": "utali", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.dinterface": "lo2706", + "rsa.network.sinterface": "lo6637", + "rsa.time.duration_time": 141.548, + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.170.120.4" + ], + "source.port": 2062, "tags": [ "sonicwall.firewall", "forwarded" + ], + "user.name": [ + "quae" ] }, { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "36", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tat sn=tion time=\"2016/10/12 12:56:16\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", + "event.original": "datatn id=mqu sn=apariat time=\"2016/10/12 12:56:16\" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2508, + "log.offset": 2777, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "36", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -422,69 +527,78 @@ ] }, { - "destination.ip": [ - "10.239.201.234" - ], - "event.code": "87", + "@timestamp": "2016-10-26T21:58:50.000Z", + "destination.address": "ittenbyC3936.internal.test", + "event.action": "Failed to resolve name", + "event.code": "84", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nidolo sn=tatn time=\"2016/10/26 19:58:50\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", + "event.original": "id=ionevo sn=remagn time=\"2016/10/26 19:58:50\" fw=10.160.205.242 pri=high c=uovolup m=84 msg=\"Failed to resolve name\" n=samvolu dstname=ittenbyC3936.internal.test", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2670, - "log.original": "Loremip", + "log.offset": 2887, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.239.201.234", - "10.204.11.20" + "rsa.internal.messageid": "84", + "rsa.misc.action": [ + "Failed to resolve name" ], - "rsa.internal.messageid": "87", - "rsa.internal.msg": "Loremip", + "rsa.network.host_dst": "ittenbyC3936.internal.test", "rsa.time.date": "2016/10/26", "rsa.time.event_time": "2016-10-26T21:58:50.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.204.11.20" - ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.nat.ip": "10.6.77.80", + "destination.nat.port": 4921, + "event.code": "995", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=idex sn=xerci time=\"2016/11/10 03:01:24\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib ", + "event.original": "id=amc sn=atur time=\"2016/11/10 03:01:24\" fw=10.188.37.199 pri=low c=intoc m=995 msg=\"oluptas\" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note=\"ione\"", "fileset.name": "firewall", "input.type": 
"log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2817, + "log.offset": 3050, + "log.original": "oluptas", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.6.77.80", + "10.52.186.29" + ], + "rsa.internal.event_desc": "ione", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "oluptas", + "rsa.time.date": "2016/11/10", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.52.186.29", + "source.nat.port": 2126, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "118", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ari sn=exercit time=\"2016/11/24 10:03:59\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", + "event.original": "gel id=lorsitam sn=mpo time=\"2016/11/24 10:03:59\" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying).", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2976, + "log.offset": 3210, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "118", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -492,39 +606,67 @@ ] }, { - "event.code": "104", + "@timestamp": "2016-12-08T19:06:33.000Z", + "destination.ip": [ + "10.144.97.172" + ], + "event.code": "346", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=serunt sn=aquaeabi time=\"2016/12/08 17:06:33\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", + "event.original": "id=quioffi sn=uptate time=\"2016/12/08 17:06:33\" fw=10.201.6.10 pri=high c=sequa m=346 msg=\"aera\" n=ate src=10.240.242.122 dst=10.144.97.172", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3109, + "log.offset": 3333, + "log.original": "aera", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "104", + "related.ip": [ + "10.240.242.122", + "10.144.97.172" + ], + "rsa.internal.messageid": "346", + "rsa.internal.msg": "aera", "rsa.time.date": "2016/12/08", "rsa.time.event_time": "2016-12-08T19:06:33.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.240.242.122" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "156", + "@timestamp": "2016-12-23T14:09:07.000Z", + "event.action": "deny", + "event.code": "uptasn", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=veniamq sn=one time=\"2016/12/23 00:09:07\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", + "event.original": "id=uptasn sn=reme time=\"2016-12-23 12:09:07\" fw=10.70.114.233 pri=high c=udantium m=796 msg=\"pre\" n=xeacom fw_action=\"deny\"", "fileset.name": "firewall", + "host.ip": "10.70.114.233", "input.type": "log", - "log.offset": 3238, + "log.level": "high", + "log.offset": 3473, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "156", - "rsa.time.date": "2016/12/23", - "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + 
"related.ip": [ + "10.70.114.233" + ], + "rsa.internal.event_desc": "pre", + "rsa.internal.messageid": "796", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "udantium", + "rsa.misc.reference_id": "uptasn", + "rsa.misc.serial_number": "reme", + "rsa.misc.severity": "high", + "rsa.time.date": "2016-12-23", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -532,58 +674,106 @@ ] }, { + "@timestamp": "2017-01-06T09:11:41.000Z", + "destination.address": "tmollita6036.internal.example", + "destination.ip": [ + "10.120.167.239" + ], + "destination.port": 602, + "event.action": "cancel", + "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tin sn=tenima time=\"2017/01/06 07:11:41\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", + "event.original": "id=lorinre sn=olorsita time=\"2017/01/06 07:11:41\" fw=10.226.20.99 pri=medium c=econs m=888 msg=\"blocked;cancel\" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example", "fileset.name": "firewall", + "host.hostname": "tevelite245.mail.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3371, + "log.offset": 3597, + "observer.egress.interface.name": "lo3664", + "observer.ingress.interface.name": "eth4368", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.190.83.161", + "10.120.167.239" + ], + "rsa.internal.messageid": "888", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.reason": "blocked", + "rsa.network.dinterface": "lo3664", + "rsa.network.host_dst": "tmollita6036.internal.example", + "rsa.network.sinterface": "eth4368", + "rsa.time.date": "2017/01/06", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "sonicwall", + "source.address": "tevelite245.mail.local", + "source.ip": [ + "10.190.83.161" + ], + "source.port": 3386, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2017-01-20T16:14:16.000Z", + "destination.ip": [ + "10.25.39.99" + ], + "destination.port": 2936, + "event.code": "882", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=equat sn=derit time=\"2017/01/20 14:14:16\" fw=10.90.86.89 pri=medium c=labor m=867 
msg=\"didunt\" sess=uptatema n=intocc ", + "event.original": "id=veniamqu sn=nse time=\"2017/01/20 14:14:16\" fw=10.194.247.171 pri=low c=mquisnos m=882 msg=\"maven\" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3494, + "log.offset": 3829, + "log.original": "maven", + "network.protocol": "ggp", + "observer.egress.interface.name": "enp0s298", + "observer.ingress.interface.name": "eth6843", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.112.75.76", + "10.25.39.99" + ], + "rsa.db.index": "mveleu", + "rsa.internal.messageid": "882", + "rsa.internal.msg": "maven", + "rsa.network.dinterface": "enp0s298", + "rsa.network.sinterface": "eth6843", + "rsa.time.date": "2017/01/20", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.112.75.76" + ], + "source.port": 1355, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "129", + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "eporr id=xeacomm sn=mveleu time=\"2017/02/03 21:16:50\" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated", + "event.original": "id=tvolu sn=ecte time=\"2017/02/03 21:16:50\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3618, + "log.offset": 4032, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "129", + "rsa.internal.messageid": "9", + "rsa.time.date": "2017/02/03", "rsa.time.event_time": "2017-02-03T23:16:50.000Z", "service.type": "sonicwall", "tags": [ 
@@ -592,128 +782,122 @@ ] }, { - "event.code": "113", + "@timestamp": "2017-02-18T06:19:24.000Z", + "destination.ip": [ + "10.162.172.28" + ], + "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nisi sn=dant time=\"2017/02/18 04:19:24\" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.", + "event.original": "olupta id=litse sn=icabo time=\"2017/02/18 04:19:24\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3733, + "log.offset": 4144, + "log.original": "nre", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "113", - "rsa.time.date": "2017/02/18", + "related.ip": [ + "10.237.163.139", + "10.162.172.28" + ], + "rsa.internal.messageid": "255", + "rsa.internal.msg": "nre", "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.237.163.139" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "destination.ip": [ - "10.237.163.139" - ], - "destination.port": 4402, - "event.code": "882", + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "136", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quidolor sn=tessec time=\"2017/03/04 11:21:59\" fw=10.135.160.125 pri=low c=icabo m=882 msg=\"itatio\" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp", + "event.original": "id=Nequepo sn=ipsumd time=\"2017/03/04 11:21:59\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3868, - "log.original": "itatio", - "network.protocol": "igmp", - "observer.egress.interface.name": "eth1612", - "observer.ingress.interface.name": "enp0s6614", + "log.offset": 4294, 
"observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.135.187.104", - "10.237.163.139" - ], - "rsa.internal.messageid": "882", - "rsa.internal.msg": "itatio", - "rsa.network.dinterface": "eth1612", - "rsa.network.sinterface": "enp0s6614", + "rsa.internal.messageid": "136", "rsa.time.date": "2017/03/04", "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.135.187.104" - ], - "source.port": 7557, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2017-03-18T20:24:33.000Z", + "event.code": "1079", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Nequepor sn=ali time=\"2017/03/18 18:24:33\" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed", + "event.original": "id=reetdolo sn=smo time=\"2017/03/18 18:24:33\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", "fileset.name": "firewall", + "host.ip": "10.14.111.221", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4053, + "log.offset": 4415, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.14.111.221" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": "", + "rsa.time.date": "2017/03/18", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", "forwarded" + ], + "user.name": [ + "tco" ] }, { - "destination.ip": [ - "10.248.101.25" - ], - "event.code": "372", + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "76", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ehen sn=tate time=\"2017/04/02 01:27:07\" fw=10.140.167.6 pri=low c=stquido m=372 msg=\"ommodico\" n=ptas src=10.60.129.15 dst=10.248.101.25", + "event.original": "santiumd id=turadip sn=uatD time=\"2017/04/02 01:27:07\" 
fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4155, - "log.original": "ommodico", + "log.offset": 4558, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.60.129.15", - "10.248.101.25" - ], - "rsa.internal.messageid": "372", - "rsa.internal.msg": "ommodico", - "rsa.time.date": "2017/04/02", + "rsa.internal.messageid": "76", "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.60.129.15" - ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "29", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Nequepo sn=ipsumd time=\"2017/04/16 08:29:41\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", + "event.original": "id=volu sn=nonn time=\"2017/04/16 08:29:41\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4295, + "log.offset": 4670, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "29", + "rsa.time.date": "2017/04/16", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -721,56 +905,91 @@ ] }, { + "@timestamp": "2017-04-30T17:32:16.000Z", + "destination.ip": [ + "10.14.1.45" + ], + "destination.port": 4499, + "event.code": "196", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=reetdolo sn=smo time=\"2017/04/30 15:32:16\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "event.original": "id=sBon sn=orro time=\"2017/04/30 15:32:16\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", "fileset.name": "firewall", + "http.request.method": "HEAD", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4418, + "log.offset": 4788, + "log.original": "vita", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.14.1.45", + "10.126.34.82" + ], + "rsa.internal.messageid": "196", + "rsa.internal.msg": "vita", + "rsa.time.date": "2017/04/30", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sonicwall", + "source.bytes": 2224, + "source.ip": [ + "10.126.34.82" + ], + "source.port": 3142, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "76", + "@timestamp": "2017-05-15T00:34:50.000Z", + "destination.nat.ip": "10.101.74.44", + "destination.nat.port": 2134, + "event.code": "998", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "santiumd id=turadip sn=uatD time=\"2017/05/14 22:34:50\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", + "event.original": "amvo id=qui sn=tasn time=\"2017/05/14 22:34:50\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4563, + "log.offset": 4967, + "log.original": "utp", "observer.product": "Firewalls", 
"observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "76", + "related.ip": [ + "10.101.74.44", + "10.251.20.13" + ], + "rsa.internal.event_desc": "quin", + "rsa.internal.messageid": "998", + "rsa.internal.msg": "utp", "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.251.20.13", + "source.nat.port": 264, "tags": [ "sonicwall.firewall", "forwarded" + ], + "user.name": [ + "rsitv" ] }, { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=volu sn=nonn time=\"2017/05/29 05:37:24\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", + "event.original": "id=tvolupt sn=eufugi time=\"2017/05/29 05:37:24\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4676, + "log.offset": 5136, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "9", + "rsa.time.date": "2017/05/29", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -778,18 +997,19 @@ ] }, { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "40", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=sBon sn=orro time=\"2017/06/12 12:39:58\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "event.original": "temqu id=ovol sn=ptasn time=\"2017/06/12 12:39:58\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4796, + "log.offset": 5250, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "40", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -797,51 +1017,40 @@ ] }, { - "destination.nat.ip": "10.101.74.44", - "destination.nat.port": 2134, - "event.code": "998", + "@timestamp": "2017-06-26T21:42:33.000Z", + "event.code": "163", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "amvo id=qui sn=tasn time=\"2017/06/26 19:42:33\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "event.original": "id=pid sn=illoin time=\"2017/06/26 19:42:33\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4977, - "log.original": "utp", + "log.offset": 5364, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.251.20.13", - "10.101.74.44" - ], - "rsa.internal.event_desc": "quin", - "rsa.internal.messageid": "998", - "rsa.internal.msg": "utp", + "rsa.internal.messageid": "163", + "rsa.time.date": "2017/06/26", "rsa.time.event_time": "2017-06-26T21:42:33.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.251.20.13", - "source.nat.port": 264, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": [ - "rsitv" ] }, { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "167", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tvolupt sn=eufugi time=\"2017/07/11 02:45:07\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "event.original": "quid id=fugiat sn=atisun time=\"2017/07/11 02:45:07\" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5148, + "log.offset": 5491, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "167", + "rsa.time.event_time": 
"2017-07-11T04:45:07.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -849,52 +1058,86 @@ ] }, { - "event.code": "40", + "@timestamp": "2017-07-25T11:47:41.000Z", + "destination.nat.ip": "10.148.161.250", + "destination.nat.port": 3791, + "event.code": "534", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "temqu id=ovol sn=ptasn time=\"2017/07/25 09:47:41\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "event.original": "id=essequam sn=acommo time=\"2017/07/25 09:47:41\" fw=10.177.144.70 pri=medium c=iat m=534 msg=\"etur\" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note=\"tinv\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5264, + "log.offset": 5617, + "log.original": "etur", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "40", + "related.ip": [ + "10.148.161.250", + "10.226.27.132" + ], + "rsa.internal.event_desc": "tinv", + "rsa.internal.messageid": "534", + "rsa.internal.msg": "etur", + "rsa.time.date": "2017/07/25", "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.226.27.132", + "source.nat.port": 2778, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "163", + "@timestamp": "2017-08-08T18:50:15.000Z", + "destination.ip": [ + "10.149.0.64" + ], + "destination.port": 6867, + "event.code": "83", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pid sn=illoin time=\"2017/08/08 16:50:15\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "event.original": "id=isnisi sn=ritatise time=\"2017/08/08 16:50:15\" fw=10.38.54.72 pri=very-high c=ciad m=83 msg=\"tali\" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note=\"sau\" npcs=atevelit", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5379, + "log.offset": 5785, + "log.original": "tali", + 
"observer.egress.interface.name": "eth2202", + "observer.ingress.interface.name": "enp0s1540", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "163", + "related.ip": [ + "10.64.50.66", + "10.149.0.64" + ], + "rsa.db.index": "atevelit", + "rsa.internal.messageid": "83", + "rsa.internal.msg": "tali", + "rsa.network.dinterface": "eth2202", + "rsa.network.sinterface": "enp0s1540", "rsa.time.date": "2017/08/08", "rsa.time.event_time": "2017-08-08T18:50:15.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.64.50.66" + ], + "source.port": 3657, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2017-08-23T01:52:50.000Z", "event.code": "147", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mestq sn=temUt time=\"2017/08/22 23:52:50\" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "event.original": "id=billo sn=labo time=\"2017/08/22 23:52:50\" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5506, + "log.offset": 5992, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
@@ -908,36 +1151,58 @@ ] }, { + "@timestamp": "2017-09-06T08:55:24.000Z", + "destination.address": "ise5905.www.local", + "destination.nat.ip": "10.53.113.23", + "destination.nat.port": 4027, + "event.code": "1154", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=adeser sn=oin time=\"2017/09/06 06:55:24\" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg=\"quam\" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 ", + "event.original": "elitse id=ima sn=quasia time=\"2017/09/06 06:55:24\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", "fileset.name": "firewall", + "host.hostname": "tiaec5551.www.local", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5657, + "log.offset": 6144, + "log.original": "mac", + "observer.egress.interface.name": "lo1918", + "observer.ingress.interface.name": "eth5313", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.97.124.211", + "10.53.113.23" + ], + "rsa.identity.user_sid_dst": "iumdol", + "rsa.internal.messageid": "1154", + "rsa.internal.msg": "mac", + "rsa.network.dinterface": "lo1918", + "rsa.network.host_dst": "ise5905.www.local", + "rsa.network.sinterface": "eth5313", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "sonicwall", + "source.address": "tiaec5551.www.local", + "source.nat.ip": "10.97.124.211", + "source.nat.port": 6198, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "34", + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "135", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "reetdol id=totamre sn=isnostr time=\"2017/09/20 13:57:58\" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out", + 
"event.original": "id=asiarc sn=ian time=\"2017/09/20 13:57:58\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5832, + "log.offset": 6391, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", + "rsa.internal.messageid": "135", + "rsa.time.date": "2017/09/20", "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "sonicwall", "tags": [ @@ -946,33 +1211,32 @@ ] }, { + "@timestamp": "2017-10-04T23:00:32.000Z", "destination.ip": [ - "10.216.125.252" + "10.96.97.81" ], - "event.code": "402", + "event.code": "350", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "psaquaea id=taevita sn=ameiusm time=\"2017/10/04 21:00:32\" fw=10.227.15.253 pri=high c=piscinge m=402 msg=\"tvol\" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit ", + "event.original": "id=rauto sn=ationev time=\"2017/10/04 21:00:32\" fw=10.92.19.202 pri=high c=nby m=350 msg=\"mve\" n=osqui src=10.161.148.64 dst=10.96.97.81", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5959, - "log.original": "tvol", + "log.offset": 6513, + "log.original": "mve", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.216.125.252", - "10.54.14.189" + "10.96.97.81", + "10.161.148.64" ], - "rsa.internal.messageid": "402", - "rsa.internal.msg": "tvol", + "rsa.internal.messageid": "350", + "rsa.internal.msg": "mve", + "rsa.time.date": "2017/10/04", "rsa.time.event_time": "2017-10-04T23:00:32.000Z", "service.type": "sonicwall", "source.ip": [ - "10.54.14.189" + "10.161.148.64" ], "tags": [ "sonicwall.firewall", 
@@ -980,56 +1244,44 @@ ] }, { - "destination.address": "ise5905.www.local", - "destination.nat.ip": "10.53.113.23", - "destination.nat.port": 4027, - "event.code": "1154", + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "176", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "elitse id=ima sn=quasia time=\"2017/10/19 04:03:07\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "event.original": "id=nsequat sn=doloreme time=\"2017/10/19 04:03:07\" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked", "fileset.name": "firewall", - "host.hostname": "tiaec5551.www.local", "input.type": "log", - "log.offset": 6132, - "log.original": "mac", - "observer.egress.interface.name": "lo1918", - "observer.ingress.interface.name": "eth5313", + "log.offset": 6649, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.97.124.211", - "10.53.113.23" - ], - "rsa.identity.user_sid_dst": "iumdol", - "rsa.internal.messageid": "1154", - "rsa.internal.msg": "mac", - "rsa.network.dinterface": "lo1918", - "rsa.network.host_dst": "ise5905.www.local", - "rsa.network.sinterface": "eth5313", + "rsa.internal.messageid": "176", + "rsa.time.date": "2017/10/19", "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "service.type": "sonicwall", - "source.address": "tiaec5551.www.local", - "source.nat.ip": "10.97.124.211", - "source.nat.port": 6198, + "service.type": "sonicwall", "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "1231", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=asiarc sn=ian time=\"2017/11/02 11:05:41\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + 
"event.original": "itse id=umexerc sn=oremipsu time=\"2017/11/02 11:05:41\" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg=\"liqua\" n=utodita note=\"aec\"", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6380, + "log.offset": 6779, + "log.original": "liqua", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.db.index": "aec", + "rsa.internal.messageid": "1231", + "rsa.internal.msg": "liqua", + "rsa.misc.space": "", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1037,75 +1289,70 @@ ] }, { - "destination.ip": [ - "10.64.229.79" - ], - "destination.port": 3620, - "event.code": "83", + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.code": "22", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=intocc sn=amcorp time=\"2017/11/16 18:08:15\" fw=10.57.57.241 pri=low c=litani m=83 msg=\"utodita\" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note=\"tiaec\" npcs=rumwrit", + "event.original": "id=elitse sn=reseo time=\"2017/11/16 18:08:15\" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6504, - "log.original": "utodita", - "observer.egress.interface.name": "eth41", - "observer.ingress.interface.name": "eth2003", + "log.offset": 6911, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.187.201.250", - "10.64.229.79" - ], - "rsa.db.index": "rumwrit", - "rsa.internal.messageid": "83", - "rsa.internal.msg": "utodita", - "rsa.network.dinterface": "eth41", - "rsa.network.sinterface": "eth2003", + "rsa.internal.messageid": "22", "rsa.time.date": "2017/11/16", "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.187.201.250" - ], - "source.port": 5504, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.nat.ip": "10.125.134.213", + "event.code": "msg", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=gna sn=con time=\"2017/12/01 01:10:49\" fw=10.11.44.250 pri=high c=etMal m=931 msg=\"qua\" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 ", + "event.original": "id=plicab sn=oremq time=\"2017/12/01 01:10:49\" fw=10.40.152.253 pri=low c=ritt m=msg msg=\"iaeco\" src=10.53.150.77 dst=10.125.134.213 failure", "fileset.name": "firewall", "input.type": "log", - 
"log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6705, + "log.offset": 7023, + "log.original": "iaeco", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.125.134.213", + "10.53.150.77" + ], + "rsa.internal.messageid": "msg", + "rsa.internal.msg": "iaeco", + "rsa.misc.result": "failure", + "rsa.time.date": "2017/12/01", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.53.150.77", "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "11", + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "7", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "rem id=asper sn=idunt time=\"2017/12/15 08:13:24\" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server", + "event.original": "id=quaea sn=ametcons time=\"2017/12/15 08:13:24\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6852, + "log.offset": 7163, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "11", + "rsa.internal.messageid": "7", + "rsa.time.date": "2017/12/15", "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1114,130 +1361,214 @@ ] }, { + "@timestamp": "2017-12-29T17:15:58.000Z", + "destination.nat.ip": "10.77.174.205", + "event.code": "240", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uisaute sn=imide time=\"2017/12/29 15:15:58\" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable", + "event.original": "id=ariatur sn=rer time=\"2017/12/29 15:15:58\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6995, + "log.offset": 7285, + "log.original": "issuscip", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.77.174.205", + "10.240.49.224" + ], + "rsa.internal.messageid": "240", + "rsa.internal.msg": "issuscip", + "rsa.misc.ntype": "uisa", + "rsa.time.date": "2017/12/29", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.240.49.224", "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "destination.nat.ip": "10.31.190.145", - "destination.nat.port": 3333, - "event.code": "243", + "@timestamp": "2018-01-13T00:18:32.000Z", + "destination.ip": [ + "10.187.210.173" + ], + "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ilmol sn=eri time=\"2018/01/12 22:18:32\" fw=10.154.53.249 pri=low c=mquae m=243 msg=\"eriti\" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp", + "event.original": "id=luptatem sn=uaeratv time=\"2018/01/12 22:18:32\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7132, - "log.original": "eriti", - "network.protocol": "icmp", + "log.offset": 7431, + "log.original": 
"quamnih", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.147.88.219", - "10.31.190.145" + "10.187.210.173", + "10.44.150.31" ], - "rsa.internal.messageid": "243", - "rsa.internal.msg": "eriti", + "rsa.internal.messageid": "255", + "rsa.internal.msg": "quamnih", "rsa.time.date": "2018/01/12", "rsa.time.event_time": "2018-01-13T00:18:32.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.147.88.219", - "source.nat.port": 7595, + "source.ip": [ + "10.44.150.31" + ], "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": [ - "corpori" ] }, { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.ip": [ + "10.251.248.228" + ], + "destination.mac": "01:00:5e:55:b9:89", + "destination.port": 6909, + "event.action": "cancel", + "event.code": "ntutlabo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emvele sn=isnost time=\"2018/01/27 05:21:06\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", + "event.original": "id=ntutlabo sn=iusmodte time=\"2018-1-27 5:21:06\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action=\"cancel\"", "fileset.name": "firewall", + "host.ip": "10.108.84.24", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7305, + "log.level": "low", + "log.offset": 7586, + "network.protocol": "ipv6", + "observer.ingress.interface.name": "eth163", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.251.248.228", + "10.108.84.24", + "10.113.100.237" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "606", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "iosamnis", + "rsa.misc.reference_id": "ntutlabo", + "rsa.misc.serial_number": 
"iusmodte", + "rsa.misc.severity": "low", + "rsa.network.sinterface": "eth163", + "rsa.time.date": "2018-1-27", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.113.100.237" + ], + "source.mac": "01:00:5e:b4:c3:ed", + "source.port": 3887, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "61", + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.ip": [ + "10.207.211.230" + ], + "destination.mac": "01:00:5e:93:39:a4", + "destination.port": 2800, + "event.action": "allow", + "event.code": "proident", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "sit id=rumSect sn=ita time=\"2018/02/10 12:23:41\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", + "event.original": "id=proident sn=maliquam time=\"2018-2-10 12:23:41\" fw=10.229.229.42 pri=high c=vitaedic m=428 msg=\"orin\" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action=\"allow\"", "fileset.name": "firewall", + "host.ip": "10.229.229.42", "input.type": "log", - "log.offset": 7420, + "log.level": "high", + "log.offset": 7838, + "network.protocol": "tcp", + "observer.egress.interface.name": "eth211", + "observer.ingress.interface.name": "enp0s3531", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "61", + "related.ip": [ + "10.229.229.42", + "10.103.117.31", + "10.207.211.230" + ], + "rsa.internal.event_desc": "orin", + "rsa.internal.messageid": "428", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "vitaedic", + "rsa.misc.reference_id": "proident", + "rsa.misc.serial_number": "maliquam", + "rsa.misc.severity": "high", + "rsa.network.dinterface": "eth211", + "rsa.network.sinterface": "enp0s3531", + "rsa.time.date": "2018-2-10", "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "sonicwall", + 
"source.ip": [ + "10.103.117.31" + ], + "source.mac": "01:00:5e:c9:ed:b4", + "source.port": 3987, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "906", + "@timestamp": "2018-02-24T21:26:15.000Z", + "destination.nat.ip": "10.32.39.220", + "event.code": "412", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "oremag id=illu sn=ruredo time=\"2018/02/24 19:26:15\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore ", + "event.original": "id=emvele sn=isnost time=\"2018/02/24 19:26:15\" fw=10.71.112.159 pri=medium c=emqu m=412 msg=\"riss\" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note=\"aliq\"", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7525, + "log.offset": 8099, + "log.original": "riss", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "906", + "related.ip": [ + "10.248.165.185", + "10.32.39.220" + ], + "rsa.internal.event_desc": "aliq", + "rsa.internal.messageid": "412", + "rsa.internal.msg": "riss", + "rsa.time.date": "2018/02/24", "rsa.time.event_time": "2018-02-24T21:26:15.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.248.165.185", + "source.nat.port": 3436, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "134", + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "27", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=onu sn=liquaUte time=\"2018/03/11 02:28:49\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", + "event.original": "id=mven sn=olorsit time=\"2018/03/11 02:28:49\" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7643, + "log.offset": 8262, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
- "rsa.internal.messageid": "134", + "rsa.internal.messageid": "27", "rsa.time.date": "2018/03/11", "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "sonicwall", @@ -1247,33 +1578,19 @@ ] }, { - "event.action": "allow", - "event.code": "mveniamq", + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "95", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mveniamq sn=taedict time=\"2018-3-25 9:31:24\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", + "event.original": "id=tatevel sn=boreetdo time=\"2018/03/25 09:31:24\" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C", "fileset.name": "firewall", - "host.ip": "10.206.69.135", "input.type": "log", - "log.level": "high", - "log.offset": 7765, + "log.offset": 8376, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.206.69.135" - ], - "rsa.db.index": "aaliq", - "rsa.internal.event_desc": "utfug", - "rsa.internal.messageid": "880", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "aturve", - "rsa.misc.reference_id": "mveniamq", - "rsa.misc.serial_number": "taedict", - "rsa.misc.severity": "high", - "rsa.time.date": "2018-3-25", + "rsa.internal.messageid": "95", + "rsa.time.date": "2018/03/25", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1282,18 +1599,20 @@ ] }, { + "@timestamp": "2018-04-08T18:33:58.000Z", + "event.code": "138", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uiinea sn=mnisiut time=\"2018/04/08 16:33:58\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80 ", + "event.original": "id=ddoeius sn=ugiatn time=\"2018/04/08 16:33:58\" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7906, + "log.offset": 8487, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "138", + "rsa.time.date": "2018/04/08", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1301,17 +1620,18 @@ ] }, { - "event.code": "163", + "@timestamp": "2018-04-23T01:36:32.000Z", + "event.code": "107", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mve sn=uia time=\"2018/04/22 23:36:32\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", + "event.original": "id=uiadol sn=Duisa time=\"2018/04/22 23:36:32\" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8052, + "log.offset": 8591, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "163", + "rsa.internal.messageid": "107", "rsa.time.date": "2018/04/22", "rsa.time.event_time": "2018-04-23T01:36:32.000Z", "service.type": "sonicwall", 
@@ -1321,36 +1641,52 @@ ] }, { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.ip": [ + "10.11.83.126" + ], + "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=doei sn=cipitl time=\"2018/05/07 06:39:06\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", + "event.original": "id=emips sn=atv time=\"2018/05/07 06:39:06\" fw=10.2.114.9 pri=high c=alorum m=372 msg=\"obeataev\" n=tempor src=10.134.237.235 dst=10.11.83.126", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8178, + "log.offset": 8709, + "log.original": "obeataev", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.11.83.126", + "10.134.237.235" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "obeataev", + "rsa.time.date": "2018/05/07", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.134.237.235" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "88", + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "117", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/05/21 13:41:41\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", + "event.original": "id=osquir sn=mod time=\"2018/05/21 13:41:41\" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8329, + "log.offset": 8850, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "88", + "rsa.internal.messageid": "117", + "rsa.time.date": "2018/05/21", "rsa.time.event_time": "2018-05-21T15:41:41.000Z", "service.type": "sonicwall", 
"tags": [ @@ -1359,18 +1695,20 @@ ] }, { + "@timestamp": "2018-06-04T22:44:15.000Z", + "event.code": "169", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iumt sn=tsed time=\"2018/06/04 20:44:15\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "event.original": "id=Sedutpe sn=prehen time=\"2018/06/04 20:44:15\" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8469, + "log.offset": 8975, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "169", + "rsa.time.date": "2018/06/04", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1378,18 +1716,19 @@ ] }, { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "117", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=loremag sn=tcu time=\"2018/06/19 03:46:49\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", + "event.original": "tempor id=citatio sn=oluptat time=\"2018/06/19 03:46:49\" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting).", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8578, + "log.offset": 9093, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "117", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1397,17 +1736,19 @@ ] }, { - "event.code": "48", + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "164", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "elillum id=upt sn=rnat time=\"2018/07/03 10:49:23\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", + "event.original": "id=nsequunt sn=proident time=\"2018/07/03 10:49:23\" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8755, + "log.offset": 9230, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "48", + "rsa.internal.messageid": "164", + "rsa.time.date": "2018/07/03", "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1416,107 +1757,152 @@ ] }, { - "destination.nat.ip": "10.191.242.168", - "destination.nat.port": 5251, - "event.code": "995", + "@timestamp": "2018-07-17T19:51:58.000Z", + "destination.nat.ip": "10.99.248.145", + "event.code": "412", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "doeiu id=deF sn=itempo time=\"2018/07/17 17:51:58\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", + "event.original": "ugit id=tatem sn=metcons time=\"2018/07/17 17:51:58\" fw=10.252.102.110 pri=medium c=tamet m=412 msg=\"perspici\" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note=\"molestia\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8878, - "log.original": "isci", + "log.offset": 9366, + "log.original": "perspici", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.191.242.168", - "10.165.48.224" + "10.99.248.145", + "10.115.53.31" ], - "rsa.internal.event_desc": "equep", - "rsa.internal.messageid": "995", - "rsa.internal.msg": "isci", + "rsa.internal.event_desc": "molestia", + "rsa.internal.messageid": "412", + "rsa.internal.msg": "perspici", "rsa.time.event_time": "2018-07-17T19:51:58.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.165.48.224", - "source.nat.port": 5386, + "source.nat.ip": "10.115.53.31", + "source.nat.port": 6606, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "909", + "@timestamp": "2018-08-01T02:54:32.000Z", + "destination.ip": [ + "10.168.208.169" + ], + "destination.port": 6168, + "event.action": "deny", + "event.code": "616", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "BCS id=qui sn=ugiatquo time=\"2018/08/01 00:54:32\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN ", + "event.original": "id=labore sn=uela time=\"2018/08/01 00:54:32\" 
fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg=\"deny\" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9053, + "log.offset": 9542, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "909", + "related.ip": [ + "10.143.228.97", + "10.168.208.169" + ], + "rsa.internal.messageid": "616", + "rsa.misc.action": [ + "deny" + ], + "rsa.time.date": "2018/08/01", "rsa.time.event_time": "2018-08-01T02:54:32.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.143.228.97" + ], + "source.port": 1370, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.ip": [ + "10.236.56.233" + ], + "destination.port": 3484, + "event.action": "allow", + "event.code": "373", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=vol sn=admi time=\"2018/08/15 07:57:06\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 ", + "event.original": "licaboN id=atquo sn=cupi time=\"2018/08/15 07:57:06\" fw=10.151.129.181 pri=very-high c=udan m=373 msg=\"allow\" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9170, + "log.offset": 9702, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.236.56.233", + "10.43.16.73" + ], + "rsa.internal.messageid": "373", + "rsa.misc.action": [ + "allow" + ], + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.43.16.73" + ], + "source.port": 2604, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2018-08-29T16:59:40.000Z", + "destination.nat.ip": "10.222.251.114", + 
"event.code": "412", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=olorem sn=gitse time=\"2018/08/29 14:59:40\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", + "event.original": "id=aeab sn=teur time=\"2018/08/29 14:59:40\" fw=10.231.199.50 pri=low c=stquid m=412 msg=\"turadipi\" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note=\"illu\"", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9318, + "log.offset": 9865, + "log.original": "turadipi", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.184.254.143", + "10.222.251.114" + ], + "rsa.internal.event_desc": "illu", + "rsa.internal.messageid": "412", + "rsa.internal.msg": "turadipi", + "rsa.time.date": "2018/08/29", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.184.254.143", + "source.nat.port": 4402, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "137", + "@timestamp": "2018-09-13T00:02:15.000Z", + "event.code": "72", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=gna sn=isiutali time=\"2018/09/12 22:02:15\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", + "event.original": "id=asuntexp sn=adminim time=\"2018/09/12 22:02:15\" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9490, + "log.offset": 10027, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "137", + "rsa.internal.messageid": "72", "rsa.time.date": "2018/09/12", "rsa.time.event_time": "2018-09-13T00:02:15.000Z", "service.type": "sonicwall", 
@@ -1526,103 +1912,96 @@ ] }, { - "destination.ip": [ - "10.195.223.82" - ], - "event.code": "351", + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uaturve sn=amquisno time=\"2018/09/27 05:04:49\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", + "event.original": "id=iumt sn=tsed time=\"2018/09/27 05:04:49\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9595, - "log.original": "CSe", + "log.offset": 10138, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.135.70.159", - "10.195.223.82" - ], - "rsa.internal.messageid": "351", - "rsa.internal.msg": "CSe", + "rsa.internal.messageid": "34", "rsa.time.date": "2018/09/27", "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.135.70.159" - ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "261", + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "96", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=atu sn=iusm time=\"2018/10/11 12:07:23\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 ", + "event.original": "orsi id=tetura sn=imadmini time=\"2018/10/11 12:07:23\" fw=10.46.192.198 pri=high c=uat m=96 Status", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9743, - "log.original": "rsitvolu", - "observer.ingress.interface.name": "eth3249", + "log.offset": 10245, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.22.244.71" - ], - "rsa.internal.messageid": "261", - "rsa.internal.msg": "rsitvolu", - "rsa.network.sinterface": "eth3249", 
- "rsa.time.date": "2018/10/11", + "rsa.internal.messageid": "96", "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.22.244.71" - ], - "source.port": 1865, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": [ - "usmo" ] }, { + "@timestamp": "2018-10-25T09:09:57.000Z", + "destination.bytes": 5253, + "event.code": "dolorema", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=oin sn=itseddoe time=\"2018/10/25 19:09:57\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", + "event.original": "id=dolorema sn=emagn time=\"2018-10-25 7:09:57\" fw=10.200.86.116 pri=medium m= msg=\"orinrep\" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474", "fileset.name": "firewall", + "host.ip": "10.200.86.116", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9910, + "log.level": "medium", + "log.offset": 10343, + "network.interface.name": "enp0s347", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.200.86.116" + ], + "rsa.internal.event_desc": "orinrep", + "rsa.internal.messageid": "m", + "rsa.misc.reference_id": "dolorema", + "rsa.misc.reference_id1": "", + "rsa.misc.serial_number": "emagn", + "rsa.misc.severity": "medium", + "rsa.network.interface": "enp0s347", + "rsa.time.date": "2018-10-25", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", "service.type": "sonicwall", + "source.bytes": 3474, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "8", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=giatquov sn=olu time=\"2018/11/09 02:12:32\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", + "event.original": "id=culpaqui sn=tvolup time=\"2018/11/09 02:12:32\" fw=10.116.146.114 pri=high c=red m=8 New 
Filter list loaded", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10016, + "log.offset": 10529, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "8", + "rsa.time.date": "2018/11/09", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1630,17 +2009,19 @@ ] }, { - "event.code": "34", + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "66", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "emagn id=emulla sn=mips time=\"2018/11/23 09:15:06\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", + "event.original": "id=tatev sn=luptas time=\"2018/11/23 09:15:06\" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10130, + "log.offset": 10638, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", + "rsa.internal.messageid": "66", + "rsa.time.date": "2018/11/23", "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1649,18 +2030,20 @@ ] }, { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.code": "148", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=itametc sn=ori time=\"2018/12/07 16:17:40\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", + "event.original": "id=iadese sn=nisiu time=\"2018/12/07 16:17:40\" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10250, + "log.offset": 10742, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "148", + "rsa.time.date": "2018/12/07", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1668,20 +2051,18 @@ ] }, { - "event.code": "658", + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=doconse sn=etdol time=\"2018/12/21 23:20:14\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 ", + "event.original": "id=sitametc sn=onsequa time=\"2018/12/21 23:20:14\" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10375, + "log.offset": 10901, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "658", + "rsa.internal.messageid": "9", "rsa.time.date": "2018/12/21", "rsa.time.event_time": "2018-12-22T01:20:14.000Z", "service.type": "sonicwall", 
@@ -1691,55 +2072,41 @@ ] }, { - "destination.ip": [ - "10.117.63.181" - ], - "destination.port": 6863, - "event.code": "195", + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "49", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=min sn=oluptat time=\"2019/01/05 06:22:49\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", + "event.original": "id=pisc sn=urEx time=\"2019/01/05 06:22:49\" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10527, - "log.original": "magnaal", + "log.offset": 11021, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.117.63.181", - "10.222.169.140" - ], - "rsa.internal.messageid": "195", - "rsa.internal.msg": "magnaal", + "rsa.internal.messageid": "49", "rsa.time.date": "2019/01/05", "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.222.169.140" - ], - "source.port": 5299, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2019-01-19T15:25:23.000Z", + "event.code": "144", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=eacommo sn=ueip time=\"2019/01/19 13:25:23\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon ", + "event.original": "id=tnonproi sn=squira time=\"2019/01/19 13:25:23\" fw=10.141.238.139 pri=medium c=uide m=144 Primary firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10707, + "log.offset": 11133, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "144", + "rsa.time.date": "2019/01/19", 
+ "rsa.time.event_time": "2019-01-19T15:25:23.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1747,79 +2114,77 @@ ] }, { - "event.code": "60", + "@timestamp": "2019-02-02T22:27:57.000Z", + "destination.ip": [ + "10.101.163.40" + ], + "destination.port": 7153, + "event.code": "83", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "usm id=labori sn=porai time=\"2019/02/02 20:27:57\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", + "event.original": "lmolesti id=meumfugi sn=tquas time=\"2019/02/02 20:27:57\" fw=10.200.22.41 pri=medium c=iame m=83 msg=\"orroquis\" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10824, + "log.offset": 11266, + "log.original": "orroquis", + "observer.egress.interface.name": "enp0s1370", + "observer.ingress.interface.name": "enp0s4472", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "60", + "related.ip": [ + "10.208.79.170", + "10.101.163.40" + ], + "rsa.internal.messageid": "83", + "rsa.internal.msg": "orroquis", + "rsa.network.dinterface": "enp0s1370", + "rsa.network.sinterface": "enp0s4472", "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.208.79.170" + ], + "source.port": 7616, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "destination.ip": [ - "10.200.122.184" - ], - "destination.port": 1176, - "event.action": "allow", - "event.code": "794", + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "144", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=lup sn=upta time=\"2019-2-17 3:30:32\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", + "event.original": "id=uisnostr sn=reetdol time=\"2019/02/17 03:30:32\" fw=10.94.132.21 
pri=very-high c=odi m=144 Primary firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10943, - "network.protocol": "rdp", - "observer.egress.interface.name": "eth5397", - "observer.ingress.interface.name": "lo1325", + "log.offset": 11451, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.57.255.4", - "10.200.122.184" - ], - "rsa.identity.user_sid_dst": "sBon", - "rsa.internal.event_desc": "fic", - "rsa.internal.messageid": "794", - "rsa.misc.action": [ - "allow" - ], - "rsa.network.dinterface": "eth5397", - "rsa.network.sinterface": "lo1325", - "rsa.time.date": "2019-2-17", + "rsa.internal.messageid": "144", + "rsa.time.date": "2019/02/17", "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.57.255.4" - ], - "source.port": 239, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "19", + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "104", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mmod sn=iti time=\"2019/03/03 10:33:06\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "event.original": "id=runtmo sn=ore time=\"2019/03/03 10:33:06\" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11195, + "log.offset": 11585, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "19", + "rsa.internal.messageid": "104", "rsa.time.date": "2019/03/03", "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "sonicwall", 
@@ -1829,18 +2194,20 @@ ] }, { + "@timestamp": "2019-03-17T19:35:40.000Z", + "event.code": "21", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mag sn=gelitse time=\"2019/03/17 17:35:40\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "event.original": "id=mveleum sn=liq time=\"2019/03/17 17:35:40\" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 11287, + "log.offset": 11712, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "21", + "rsa.time.date": "2019/03/17", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1848,65 +2215,76 @@ ] }, { - "event.code": "159", + "@timestamp": "2019-04-01T02:38:14.000Z", + "destination.ip": [ + "10.236.247.87" + ], + "destination.port": 7360, + "event.action": "cancel", + "event.code": "710", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nostrud sn=cteturad time=\"2019/04/01 00:38:14\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "event.original": "mdolors id=oremi sn=ugitsedq time=\"2019/04/01 00:38:14\" fw=10.143.229.47 pri=medium c=nisiut m=710 msg=\"cancel\" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11440, + "log.offset": 11807, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "159", - "rsa.time.date": "2019/04/01", + "related.ip": [ + "10.236.247.87", + "10.175.98.45" + ], + "rsa.internal.messageid": "710", + "rsa.misc.action": [ + "cancel" + ], "rsa.time.event_time": "2019-04-01T02:38:14.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.175.98.45" + ], + "source.port": 3633, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "1079", + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.code": "155", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "oluptate id=lit sn=santi time=\"2019/04/15 07:40:49\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", + "event.original": "tvolup id=consecte sn=pteurs time=\"2019/04/15 07:40:49\" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source", "fileset.name": "firewall", - "host.ip": "10.221.220.148", "input.type": "log", - "log.offset": 11550, + "log.offset": 11972, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.221.220.148" - ], - "rsa.internal.messageid": "1079", - 
"rsa.misc.space": "", + "rsa.internal.messageid": "155", "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": [ - "amc" ] }, { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.code": "53", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=vol sn=psumd time=\"2019/04/29 14:43:23\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "event.original": "id=unt sn=tass time=\"2019/04/29 14:43:23\" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 11698, + "log.offset": 12112, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "53", + "rsa.time.date": "2019/04/29", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1914,74 +2292,99 @@ ] }, { - "event.code": "101", + "@timestamp": "2019-05-13T23:45:57.000Z", + "destination.address": "iam7526.mail.test", + "destination.ip": [ + "10.22.244.71" + ], + "destination.port": 1865, + "event.action": "deny", + "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "enbyCi id=reetdo sn=tat time=\"2019/05/13 21:45:57\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "event.original": "id=umdolo sn=rroqui time=\"2019/05/13 21:45:57\" fw=10.76.122.196 pri=high c=epteur m=888 msg=\"malware;deny\" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test", "fileset.name": "firewall", + "host.hostname": "cta5467.www.localhost", "input.type": "log", - "log.offset": 11838, + "log.offset": 12261, + "observer.egress.interface.name": "eth3249", + "observer.ingress.interface.name": "enp0s2909", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "101", + "related.ip": [ + "10.81.33.64", + "10.22.244.71" + ], + "rsa.internal.messageid": "888", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.reason": "malware", + "rsa.network.dinterface": "eth3249", + "rsa.network.host_dst": "iam7526.mail.test", + "rsa.network.sinterface": "enp0s2909", + "rsa.time.date": "2019/05/13", "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "sonicwall", + "source.address": "cta5467.www.localhost", + "source.ip": [ + "10.81.33.64" + ], + "source.port": 22, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "destination.ip": [ - "10.29.120.226" - ], - "destination.port": 1129, - "event.action": "allow", - "event.code": "712", + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.nat.ip": "10.20.73.247", + "destination.nat.port": 4228, + "event.code": "998", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": 
"id=iamqui sn=tassita time=\"2019/05/28 04:48:31\" fw=10.7.47.118 pri=medium c=piscing m=712 msg=\"allow\" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129", + "event.original": "cepteur id=aer sn=osquira time=\"2019/05/28 04:48:31\" fw=10.232.158.211 pri=high c=dolorem m=998 msg=\"sed\" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note=\"sed\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11967, + "log.offset": 12474, + "log.original": "sed", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.29.120.226", - "10.203.146.137" + "10.205.21.166", + "10.20.73.247" ], - "rsa.internal.messageid": "712", - "rsa.misc.action": [ - "allow" - ], - "rsa.time.date": "2019/05/28", + "rsa.internal.event_desc": "sed", + "rsa.internal.messageid": "998", + "rsa.internal.msg": "sed", "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.203.146.137" - ], - "source.port": 4213, + "source.nat.ip": "10.205.21.166", + "source.nat.port": 236, "tags": [ "sonicwall.firewall", "forwarded" + ], + "user.name": [ + "sun" ] }, { - "event.code": "670", + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "165", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "inesciu id=quid sn=atcupid time=\"2019/06/11 11:51:06\" fw=10.29.5.115 pri=very-high c=ate m=670 msg=\"con\" sess=tqu n=eirur", + "event.original": "id=pernat sn=udan time=\"2019/06/11 11:51:06\" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12122, - "log.original": "con", + "log.offset": 12651, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "670", - "rsa.internal.msg": "con", + "rsa.internal.messageid": "165", + "rsa.time.date": "2019/06/11", 
"rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "sonicwall", "tags": [ @@ -1990,17 +2393,19 @@ ] }, { - "event.code": "151", + "@timestamp": "2019-06-25T20:53:40.000Z", + "event.code": "6", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "hite id=ianonnum sn=nofdeFi time=\"2019/06/25 18:53:40\" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup", + "event.original": "id=orum sn=Bonoru time=\"2019/06/25 18:53:40\" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12245, + "log.offset": 12786, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "151", + "rsa.internal.messageid": "6", + "rsa.time.date": "2019/06/25", "rsa.time.event_time": "2019-06-25T20:53:40.000Z", "service.type": "sonicwall", "tags": [ @@ -2009,18 +2414,20 @@ ] }, { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "11", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=arch sn=lite time=\"2019/07/10 01:56:14\" fw=10.25.118.123 pri=high c=borumSec m=931 msg=\"aecatcup\" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 ", + "event.original": "id=lamcola sn=veli time=\"2019/07/10 01:56:14\" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 12379, + "log.offset": 12903, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "11", + "rsa.time.date": "2019/07/10", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2028,23 +2435,19 @@ ] }, { - "event.action": "deny", - "event.code": "1086", + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "19", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rumSecti sn=Utenima time=\"2019-7-24 8:58:48\" fw=10.74.166.70 pri=very-high c=olor m=1086 msg=\"radip\" n=rchitect fw_action=\"deny\"", + "event.original": "id=mmod sn=iti time=\"2019/07/24 08:58:48\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12540, + "log.offset": 13047, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "radip", - "rsa.internal.messageid": "1086", - "rsa.misc.action": [ - "deny" - ], - "rsa.time.date": "2019-7-24", + "rsa.internal.messageid": "19", + "rsa.time.date": "2019/07/24", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2053,37 +2456,49 @@ ] }, { - "event.code": "8", + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.nat.ip": "10.129.101.147", + "destination.nat.port": 3606, + "event.code": "413", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=amquisno sn=modoc time=\"2019/08/07 16:01:23\" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded", + "event.original": "id=mag sn=gelitse time=\"2019/08/07 16:01:23\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12672, + "log.offset": 13139, + "log.original": "upta", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "8", + "related.ip": [ + "10.206.229.61", + "10.129.101.147" + ], + "rsa.internal.messageid": "413", + "rsa.internal.msg": "upta", "rsa.time.date": "2019/08/07", "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.206.229.61", + "source.nat.port": 3467, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "60", + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "159", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Bonorum sn=lesti time=\"2019/08/21 23:03:57\" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked", + "event.original": "id=nostrud sn=cteturad time=\"2019/08/21 23:03:57\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12779, + "log.offset": 13290, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "60", + "rsa.internal.messageid": "159", "rsa.time.date": "2019/08/21", "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "sonicwall", 
@@ -2093,17 +2508,21 @@ ] }, { - "event.code": "47", + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "uuntur id=tsedquia sn=its time=\"2019/09/05 06:06:31\" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent", + "event.original": "id=ritati sn=iciade time=\"2019/09/05 06:06:31\" fw=10.202.224.79 pri=low c=nevolupt m=441 msg=\"aco\" n=apar", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12895, + "log.offset": 13400, + "log.original": "aco", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "47", + "rsa.internal.messageid": "441", + "rsa.internal.msg": "aco", + "rsa.time.date": "2019/09/05", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2112,37 +2531,51 @@ ] }, { + "@timestamp": "2019-09-19T15:09:05.000Z", + "destination.ip": [ + "10.125.85.128" + ], + "event.code": "355", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatevel sn=midestl time=\"2019/09/19 13:09:05\" fw=10.222.197.130 pri=medium c=ulapa m=713 msg=\"block\" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342", + "event.original": "id=vol sn=psumd time=\"2019/09/19 13:09:05\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13011, + "log.offset": 13506, + "log.original": "labo", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.ip": [ + "10.78.29.246", + "10.125.85.128" + ], + "rsa.internal.messageid": "355", + "rsa.internal.msg": "labo", + "rsa.time.date": "2019/09/19", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.78.29.246" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "event.code": "91", + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "101", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=hilmole sn=sequ time=\"2019/10/03 20:11:40\" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination", + "event.original": "enbyCi id=reetdo sn=tat time=\"2019/10/03 20:11:40\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13171, + "log.offset": 13644, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "91", - "rsa.time.date": "2019/10/03", + "rsa.internal.messageid": "101", "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2151,40 +2584,60 @@ ] }, { - "event.code": "766", + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.ip": [ + "10.21.147.52" + ], + "destination.port": 1816, + "event.code": "714", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "umtota id=etdolore sn=magnaa time=\"2019/10/18 03:14:14\" fw=10.209.34.197 pri=very-high c=tes m=766 msg=\"equam\" n=isi ", + "event.original": "id=quunt sn=itasp time=\"2019/10/18 03:14:14\" fw=10.210.181.12 pri=high c=met m=714 msg=\"volup\" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13290, + "log.offset": 13772, + "log.original": "volup", + "observer.egress.interface.name": "eth2990", + "observer.ingress.interface.name": "enp0s5214", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "766", + "related.ip": [ + "10.44.198.184", + "10.21.147.52" + ], + "rsa.db.index": "tur", + "rsa.internal.messageid": "714", + "rsa.internal.msg": "volup", + "rsa.network.dinterface": "eth2990", + "rsa.network.sinterface": "enp0s5214", + "rsa.time.date": "2019/10/18", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.44.198.184" + ], + "source.port": 5695, "tags": [ "sonicwall.firewall", "forwarded" ] }, { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "134", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rep sn=remap time=\"2019/11/01 10:16:48\" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN", + "event.original": "id=ita sn=amquaer time=\"2019/11/01 10:16:48\" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication", "fileset.name": "firewall", "input.type": 
"log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13409, + "log.offset": 13965, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "134", + "rsa.time.date": "2019/11/01", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2192,18 +2645,20 @@ ] }, { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "69", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nesciun sn=amcolab time=\"2019/11/15 17:19:22\" fw=10.142.7.145 pri=low c=iuta m=373 msg=\"deny\" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745", + "event.original": "id=smod sn=idunt time=\"2019/11/15 17:19:22\" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 13587, + "log.offset": 14079, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "69", + "rsa.time.date": "2019/11/15", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2211,17 +2666,18 @@ ] }, { - "event.code": "76", + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "137", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "onorumet id=ptatema sn=eavolup time=\"2019/11/30 00:21:57\" fw=10.57.41.35 pri=medium c=tno m=76 Ripper Attack Dropped", + "event.original": "lore id=isci sn=Dui time=\"2019/11/30 00:21:57\" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13739, + "log.offset": 14208, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "76", + "rsa.internal.messageid": "137", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "sonicwall", "tags": [ @@ -2230,29 +2686,21 @@ ] }, { - "destination.nat.ip": "10.204.178.19", - "event.code": "msg", + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "35", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=taspe sn=lum time=\"2019/12/14 07:24:31\" fw=10.15.234.228 pri=very-high c=msequ m=msg msg=\"nvol\" src=10.83.134.38 dst=10.204.178.19 success", + "event.original": "id=olore sn=orumS time=\"2019/12/14 07:24:31\" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13857, - "log.original": "nvol", + "log.offset": 14314, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.83.134.38", - "10.204.178.19" - ], - "rsa.internal.messageid": "msg", - "rsa.internal.msg": "nvol", - "rsa.misc.result": "success", + "rsa.internal.messageid": "35", "rsa.time.date": "2019/12/14", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.83.134.38", "tags": [ "sonicwall.firewall", "forwarded" 
diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md
index 7dbcd092c22..b37ef4b4400 100644
--- a/x-pack/filebeat/module/squid/README.md
+++ b/x-pack/filebeat/module/squid/README.md
@@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112
-at 2020-07-08 13:58:41.022244 +0000 UTC.
+at 2020-07-08 15:21:25.454863 +0000 UTC.
diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js
index 80ba6449c63..560f07e7e5d 100644
--- a/x-pack/filebeat/module/squid/log/config/liblogparser.js
+++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js
@@ -1901,13 +1901,9 @@ function alternate_datetime(evt) { for (var f=0; f", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "",
From 0e90904b821929cbe29ae4297ed420ac979fe790 Mon Sep 17 00:00:00 2001
From: Adrian Serrano Date: Wed, 8 Jul 2020 19:03:29 +0200 Subject: [PATCH 09/19] Add overwrite: true to fields --- x-pack/filebeat/module/barracuda/README.md | 2 +- x-pack/filebeat/module/barracuda/fields.go | 2 +- .../module/barracuda/waf/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/bluecoat/README.md | 2 +- .../module/bluecoat/director/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/bluecoat/fields.go | 2 +- x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/nexus/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/citrix/README.md | 2 +- x-pack/filebeat/module/citrix/fields.go | 2 +- .../citrix/virtualapps/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/cylance/README.md | 2 +- x-pack/filebeat/module/cylance/fields.go | 2 +- .../module/cylance/protect/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/_meta/fields.yml | 692 ++++++++++++++++++ .../bigipapm/test/generated.log-expected.json | 8 +- x-pack/filebeat/module/f5/fields.go | 2 +- .../module/f5/firepass/_meta/fields.yml | 692 ++++++++++++++++++ .../firepass/test/generated.log-expected.json | 4 +- .../fortinet/clientendpoint/_meta/fields.yml | 692 ++++++++++++++++++ .../test/generated.log-expected.json | 192 ++--- x-pack/filebeat/module/fortinet/fields.go | 2 +- x-pack/filebeat/module/imperva/README.md | 2 +- x-pack/filebeat/module/imperva/fields.go | 2 +- .../imperva/securesphere/_meta/fields.yml | 692 ++++++++++++++++++ .../test/generated.log-expected.json | 472 ++++++------ x-pack/filebeat/module/infoblox/README.md | 2 +- x-pack/filebeat/module/infoblox/fields.go | 2 +- .../module/infoblox/nios/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/juniper/README.md | 2 +- x-pack/filebeat/module/juniper/fields.go | 2 +- .../module/juniper/junos/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/kaspersky/README.md | 2 +- 
.../module/kaspersky/av/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/kaspersky/fields.go | 2 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../module/microsoft/dhcp/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/microsoft/fields.go | 2 +- x-pack/filebeat/module/netscout/README.md | 2 +- x-pack/filebeat/module/netscout/fields.go | 2 +- .../netscout/sightline/_meta/fields.yml | 692 ++++++++++++++++++ .../test/generated.log-expected.json | 20 +- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/radware/fields.go | 2 +- x-pack/filebeat/module/rapid7/README.md | 2 +- x-pack/filebeat/module/rapid7/fields.go | 2 +- .../module/rapid7/nexpose/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/sonicwall/README.md | 2 +- x-pack/filebeat/module/sonicwall/fields.go | 2 +- .../sonicwall/firewall/_meta/fields.yml | 692 ++++++++++++++++++ .../firewall/test/generated.log-expected.json | 80 +- x-pack/filebeat/module/squid/README.md | 2 +- x-pack/filebeat/module/squid/fields.go | 2 +- .../module/squid/log/_meta/fields.yml | 692 ++++++++++++++++++ .../squid/log/test/access1.log-expected.json | 352 ++++----- .../squid/log/test/access2.log-expected.json | 140 ++-- .../squid/log/test/access3.log-expected.json | 316 ++++---- .../squid/log/test/access4.log-expected.json | 396 +++++----- x-pack/filebeat/module/tenable/README.md | 2 +- x-pack/filebeat/module/tenable/fields.go | 2 +- .../tenable/nessus_security/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/tomcat/README.md | 2 +- x-pack/filebeat/module/tomcat/fields.go | 2 +- .../module/tomcat/log/_meta/fields.yml | 692 ++++++++++++++++++ x-pack/filebeat/module/zscaler/README.md | 2 +- x-pack/filebeat/module/zscaler/fields.go | 2 +- .../module/zscaler/zia/_meta/fields.yml | 692 ++++++++++++++++++ .../zia/test/generated.log-expected.json | 384 +++++----- 
.../zscaler/zia/test/test.log-expected.json | 4 +- 71 files changed, 15754 insertions(+), 1222 deletions(-)
diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md
index b19121a13d7..b911b532666 100644
--- a/x-pack/filebeat/module/barracuda/README.md
+++ b/x-pack/filebeat/module/barracuda/README.md
@@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132
-at 2020-07-08 15:21:15.720395 +0000 UTC.
+at 2020-07-08 16:41:58.132104 +0000 UTC.
diff --git a/x-pack/filebeat/module/barracuda/fields.go b/x-pack/filebeat/module/barracuda/fields.go
index 8d0ab20845b..e01b040a745 100644
--- a/x-pack/filebeat/module/barracuda/fields.go
+++ b/x-pack/filebeat/module/barracuda/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetBarracuda returns asset data. // This is the base64 encoded gzipped contents of module/barracuda. func AssetBarracuda() string { - return "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" + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99eeSVlo1vb0bNs59XVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dkSrWmrCnpnwix3Ap4Tf7W/on8DlPypq4FZ9RyJckvXMOKCvEnQkowTPPa/fk1+eufCCEbUGTGQZRm8icS/us1fu7+9x2RtILXRIJdKX014dKCnlEGE/f37muEqCXoleYWXhOrm/4ndl3Da4f8Sumy9/cSZrQRtsAlX5MZFQa2Ph4g3P7vPa2AqBmxC2gRIx1iZLUADfiZ1XQ244wsqCFTAEnU1IBeQjkZ0KcNvQMxc62a+vak7DJ1syxiLanYIm989bH1Y0tsFqnMfOvv+1cY37DBrnxccOO+R7ghjYGSWEUYrW0T+K/pilRgDJ27f1NLmKrAOKKV+3wHNCFv1ZycAlMl6DghHhbfRepQclq4sARpC0daYsAB4czcDyw3yHOmpAVpjbsfXBpLpW3RMFEcLa8OQbCkdveDIXbc4+SWINSS1YKzBaHEgDFOPC24NYSS92B/51aCMe3uTwZHoyPWLFQjSiJhCZpMoTt3NdUGyDuw1KFGyUyrqrfU07dqbl5cUHYF1jwbgD/lGpgV6+fEBrwp+QBeWPgTLntoTqKMFLAEcQAnhZK793OLk6dQa2DUBkxKmHEJJVFSIFqWTgWQitZxrCozL5JdmD17/C7c8/PTH8iSiibceF6CtHzGw+mEa8osEWru90sPNgKp4/h4+dOC33PbUVNtOWsE1fj7sLGT0ZMxAH3QSYmdjAHk8ZMyuiXL4+7Jy/+/J/v3xK2aZ0Pud33V9F8FErK7LY8GuyU9ROhlR02DUY1mmd7e+7Mt1/2/H2bGUgsVSPsYkaNNyW3BBN25w48EPZBWrx8jYgunUz1GxLg8DLG8GlMrOR7vSSuBHiI98rJtBlCmtKFG9JqYndn7YusWcNgM9JCBknA/K2JHDxlAv8GKGOfijmvlSFyUPa9KlH2eXQMyE7GPRDh4Z/axY6jVjeRfGtio0bqjP/xpvW3UnijJ3ONArXrslu2IuFnyvOKwz90TtwyftS7McCDfqjk5W4K05BKFM2lkCdqZIBqCoBqQPuPXUBID1gHZ+vH2GmbcYGk3YQD73gZLtwkD0HfalKEnML1/6bCDOaDrDjy5Gw8WymTSV/vn8ldlbF9Eit0TaUCWXM7bD03s2PR8SF8Pf/khB2zwo1HGnl8sfyK0LLWTlWPXfZe5A+qt+lqZu3yVm72v/t9lr+NWftmwKxe8I63vLSsJJXO+BNk5yb5eRcCx6DD/RV4LpHyMyt/XEdEYdWioel1o+JJhr/vBQ9xgpHu6Ri6f+aXJBV6k58GbbSn5uK6BMDqUIFMgwO0CNPl0Lu0Pr4jS5BehqP3xJZlSg6eoDZDN+LzRqPrdQPch6u5XTDeGQfMZnwn8C+7Xc5XLzbbPOm5X/uodDEqvqC6zKXU9idYju8/J84vPW/oeJRoE3d1SQszaWKjCIxrQdtAW4E+q8cxz/1aaz7mkov3NtrZyAx9y6V97EiPOLz6/irAgoD/gxP1Z0GE05HKK12dzUIeK46GvzwJoCfoosetfcSlyfnqfKKnHtx8sRTCHxUoftZNNsCK7n422itb5RtHCi+JMlxMlBDCr9NcogB33HiDnxp05bgjzrIPSYbqlqL5Vu2oL2cPoR2jxVWz6WFTVShlMdquUJNP1YNMI0fClAWMdQMOrWqzD
PrkvO0FPgLIFMbwE8vR7Yhe6IS9//vkZWVFDDIDsVtnDiUehvN6CE6ZW0kA+VrCv5lQw1Ujb+RSaauqFnrvKJgqBPKVTtYQeM7iMZla24s1YDbQavT/sqzk2D8wqKHmzq6elYNQ3Mc2xcyzwGeH2n83L73/4s/Ei/UWNArRF+p8Dav7p7MG3dA2avCRnktHaNMJHVpxJeSe5HoN+z+BHJLcytsqPL8m/O3Kfkx9/JP9OmNJOX0YqwqLPyX8X9n+6L3JDtpnyTXQLpSrh0dq6cgUFo0JMKbvKqwF75KSyeG2o9XaFYyLIslZcWjRNLMQTnPFwFKC1ypSfttEHTQ2MU4EYI6bGKu00a7n2Wof7YEkFL/3BiCFFyEw1snQvjABEnst5UI5uTF7cvhEDyCligeE67AkbjezCWihaPpZ3LqBDDP8DSAVWcxaxOoIp3P8y2sL+uW+FsHv2qd1otGrWbtuE/KpWbmuGNieXRGlnjFlFrgDqG5j2KF68r4RpWjEwpljysihzRV3PWskzBwmaWrzkpeNgzy5ccm0bKpzRvuV7lxEXB6+4M7sxVo7M8FSEq35+SrST1gYdKsg0qudgu6/dyAmjMyU9PTgnfCbcfk7oLKGgoeA/P219rx+gUhbIZTjvTAM+tNP1mKB0/2sDMV9B4CWsVJha8JyZDY/anDd8oPY/Ct3MydyM5x1vnXsDwllvT11rtYQn5L9GhNGLlxkXDxCjd6s64+ji5M1F0H0ZlY49vKqV3tV4CT6RX10aRPM43B+f/FOFhjia7jFX6rYp32x+sjHYvZ6DlvmEvPz5FVkh3yugklAh4r4CdOqjmrTxH5EVaPBgqSUCqLFEyZ1ykW0mPria+HUzMXJXc4RtA+9+V7pExmFWE7CFVELN17uBuBnXAy2WkJ8JW1BNmfVMdJd6jfij01ySRoacHrHlMx+tqE1d0O0D9TmDCHtil2hRVE7JVLINI2i6GpVpKFl31ErKUGP1MQoZfA6KsUa3EI2lsqS6JFLpigr+Ryy/V+kqyp8yZDkczCLVTAdP0p2YtMG6Q+aF4DNAiiMGvgGmZDmiYG+2uzA2p59lD0FcMlXVAmz0AIw6USkq8FbzHTHYqzfT9oEO8qVbO3qcx47y9skcPX6VknaRaJs29ampcl42WU7lAzH+TJY52O5A/qFk7m4Le8SiW71VMX167cddDg9EVLYb/YZYuLbh8pElaNMrpyj35YFF9ve+h20NNBWZmzI9pnQJZb53MCTZhGfKdCu2OkabadN9sR9fH75WWlUThNpgUb5hIKnmyqv1VSMs/85y0IT2GvhsetlUVNJ5rDSXEIHhndZe9Eh5XA3h9okhaiV9ZMzSqt71DAaM3WoOxeHts4awBXfWjSrBTMi7xlg0k/pA3a2kdiQvl1o4cJP2CrDZzOG9hGNoQrjJ7YKedxpmoEEyfyCoU61LvuSl02zwPMQF2WUryD7uMC9O5HXN9dEo3OynjwVdu5PIrVh7Yo0Tek5fc0jhAd3vG0246aMunOdOGnfybDJYsksnU01qCVQNFLn7Quz4n/qqoAb5pYHmaEfJnW5/ijbycUUNQSTKkXODyP2QmqkJlYIthmaQafPKZnh951UOXOsiA6p1kUN7rlOKom2gL5NDzaAr9V6RhzEhd8zH6BszeC7v9OYcKjZvkmuHBAs2D8RON4TUjiDKBkp8CsXaNCJ32GnEilKNZaqCFx6HznjBrGw1G5wQKgMLtgzIkQMCS9Dc5iwd2UNYu3ooAuxFdva5fPIWLw56B/pXuqt0cdAw7lQD4zO+MXzi2q0P5oz1VAm6cv5spsgGdC5GXm4KJloXVRmCLFG8g9l8rE34vG2l9y1BpclvlyE1lps2IWDXr4brtzs0ViVpamV4QsFxq7OF5rQsfYcpTOVv7+5oF55G2CJf66I7iiLZVKA5u6ssitJ2hCq2PYT1K9m6m+HFkr/fA9KWIEulQ8LsXsrU9F8P0L2mDe2q6b+Axe1oh1j+
WvABu50E3Y+Yl/Q5e9V9M7yQoeo/iJng5VrQLrdYKksoWYSOF/EEWqHmRZuo8iBCvT2Idxbqx+iZsiX7/o7pVti1GsVHXPFXgrN17tuzRy5cIAKhubYU6xG53IicedNxBn5oBCBicXGqpIXr3Bprh9C59P66TT9UWpbG/R8+qlS0CMUawNzwOLMFlXMoJKxyy4KxwCWseqF+VEKs1XzaWOhJiGGOvvGoO229//zFRYepaTJh13FO8GxtK/cxDQ3B3fwij0xff4sYt1gB5hjWNhw0m5wvvQQ9IZfgN6UxoCd0DtjKO2S6z5RucRjAbsF4vZ3h74n/fa9vhdJkqtXKfdb+Neia3uwa7Sd9Xl5QbVO76TrAqT0q4U6pQXXose6UEmWnNua6UqqGEFDM9Ra/kYQK0LbLLtKbRcPffHgriI9eEwBMQooozCWRSn6noQa0ZPZlP6DZcMwnhzVauwvT2Su4k6jHveA+wtaGfwaUrbhdBGXZy3pyigtOsdpEEiW/myv333teAlRSiojimJFu2gsGvkAEHJJqRpx0sBzMhFxuZMruYIN+ZVUejE98OV9jnBHjS0Z9sk0ZxG9gPCVMNMa2BzL8Y7BN+BNu3E6Gmujg33CKL346rgIdXfvxNyxu0fu2TPmUsic3GV4Oy1PEglBjFOPoL3W7EbUnccPe8it4TSipF2vDGRWk5ObqOak1zkR5TsCyJ3FFmWp6SO3lHR96X2ejaQUWtCE1NdjFy2AjB9+LgKmqclJMbQXth6U1YNledc+/Bw+l8fX2MMPD5MU3U1XdDO9ghm2jZMVlqVYhn5YpyaC2z7tMilFmDMicNUKsyZeGCu/8LFVFuQxSQ/YWEmrk6ep7PVOpS3tIdyrhWy6voAy1QG0iOjXonQoGivvkmw61CS/3bZwYdIXIKur6k528W2IXgRa93y4fCq/f6uB5JZfDdj1d0Bl0xXcHO+V2sYY1EVt//vdr2j8m1rRnXOS/4x3Jv+Bq3TXWUDYMSBs5gri7zYDmVBSR1zTbI3KJS7Zq8+772HsA3Qsz6hcAdmUOajmQwmMcVncP3YKaRXdDnVoYqTJs2MJn/rY1Nl2Z4UkLaadFmCOkW2ZiNHO/6v49rDQlTp5LwjHnrpFMANXuT9gIb4NaKCAM3k7dFnbeHH3wwq8Z9nl61C8WU9WUy65vdv/BCmWj+g6v15Lrxhzb09fXRhCBcY/fcQKkkStx4lf3PRnHPaXegsvuGu/Y573M56fkvZc0T0PjBuKn7YWiX4fbs7he7R3QD+HL77mfz0+RpaHkrRMTQ+/BdkTOpwF6Eib+EDlZsOImbqQuzTpnL/vtqG4o0Pbqwl4/tvTG9xFPjWP9SbcwOT+9UZNN5Z+7QZN1iL2U5UajnZATX58Z+p0K/8F+bRYR1Nvf+OGb4I6bNrar3FS2e4waKcB4zij/oKwUWVLN6VQMqgB9UwYuSS3oiCAwIE3W/ihbG9pXVf3KEyepnIbR1hdyt8+XL84vdnVoElrGeo/CWF32gQMFb10LuYm0eCTJubTkks8lRWExckRrpXM2r30ykF/ukF60upvCro74nw6R3l3GU1aqyMF5/9tHwiUTTQlOnIVBtu7nE/L07JpWtYDX5MI7RDxYlN6TuF8EI3NHj22ic2rztMQx4+bKqdwH4HWHUryeG/N9eBo+cHO1J+RqNZ/PQecbYRdn2ed+LCDggNrpQoNZKFG60+Nt9ZFJo1uh9yN4Foax9yCVn37wOsazrhnH+Wm8jOTW0Xmmqro4ct4V7krIvcIxrt6/Z5rpdw4dJbE+dYbjZlTZsDErLailD5Q11se8k5ZKY+cBJ9db/EamxFFdrqh+mAy9YVd9J11peIgcESOtkZ86IUrJO8rafspx5daJoKPaMUp+1yqoer8U8rZm8qHWGqhJnhtsLLVNKsW580dRLh7M7HCLT9U14eWL8ffLvazNMTB0GH0aND72d8FhEb+67TuWefre4JCfDufuHfKccamaVDHO
Xh2JmSe/U06SpnQ6DDyyPyUGnLsz49aReCOEk3vENIyBMbNGkDO3PmGqBOOORNvsN25ZcFnCdWIGCG7sYZrnPWULLoymmG6RmILG+GZFNReYwRPx4Pn4u5wTikz8zv02SpnMcA7V1DcXeiCNOKxOnnb5nDVoU4eiWy9hBiwLKsImIb7t8PRspMjQu7mG73HuhBKvfHVJXsFX5b/tPqRcGlKCpVxEnAxT1dje70ZIU+LouZmtx5Z2eWyIx/hDaqGqRbZsnjekhBkNIaDQ+bKN4YdsTacVL0ELusZCLqvC40qeRm6k+wCt7vBrmLVV4N5Xbyy3DTZmJFHCNrbBsGHTfa9r0ihWz7/DaGpMM8gqpqrK3ac8x+jEQye8l+xba7XkpfeftV3kKjCjiVClYocHGu/uLfuFi43WyPp5eXHV4LrGpKeHkfXt6nll/b/U9EC/08Hk/W81DQGY+O2qeb7GuaeYUOx3/vLinJwPFKo+Gtm61obqkv0YJCzs6qph50kN6bv4w0JudVy59yKimKoyd8XXoOJuV+kIuBCHy4h6tEjfLcGHDI5Qed5zAYfSYZ9A28VD+JyXXShnxIlXpbYaB2XgCV7+dEpeR3fd5Hym2uneF59895w2EIXJGtfAmr4Xwad+TSFW3tp2YdqXuHEER0jUK15uO0S66kq6pFzQYSCDdK5wgvWVM9B6ZNKCv0OH+PrTxd2CsVKFBlA+ADsgKaQbGD6fjEhEXhXTpizXyf0zvCqS1gH14DYGDmt0vtdLlR6i5iphl4OdErvCNMcoSOCmn73qe67SpuS2q6zb9EULGMUG220qNrwo2YQX9hPps8RSc3B5NKv85PMZeRpqJT43wunKUy6wgAPzwM6ua2XcN5+R74aOBrkbhbmSaiW3DCEDrMFmFstt6COTNhk9ggtuNy30pK1yfx9Kk97CnLI1+TRqrgk+1fQhivLDwlss5pJUlMuZphXsTceoqcapvfn7JGwplxe4LHmvSp8cvWkL2Ms6iyBFbtC+MFXAMSKXhbTdN+49rMivjURT8p0qQZCnXC4n3z4nXLHnZOr+D9z/UUnF2nAz+TYeX7SsLmaCDibnp9ahtjX8kwuCi6KvC+Xkuh1+pWZ7GzVYlRVT/9dpwLNtg2BAu4McRWhZpZW7O5h9fvc71UA++gTgb7/9/O73Nx/Ovv3W59wuqaZ89EyulL5KWbJ84wX7vV2wH2EbdYJRmVqJCDU7abuUdM8BZe65WGcwYWZKgzScpRQgPVdSBoyr9F6QSHwgFdBiRflwOPG9vQPY+zw1UHd9Upeom2aa6VLYaWmsTl35jvXa2Rxi/bc02Tva1nzkc5IeWuyyGQw2UGlCscmm7iXUuzgQMz7qaGpJzeaIPZTUaDeiCJm75T1xoXxwP8G7Oy4c8kH//zBcdaMy+8l/D3LEyp6PPiCyF8kHORxtHHcffkodIWlra2d7dulT22W0t1l22CfzGbrdBif35sh027KaHyMehkVfM8qF43XbzOUiyIzz035tG3bicuaghXmkhcF4VmGbc104FfEAeg5JvMZ061B9dKKqqpG7nqgBdvKwxk33xe49XNu/Q1yn7nAzh2nW98XtksrybyoeNdvgZqnlh0iGe2M3XHgLOdOYmjOukmWJHsuCR+xXVMth0OGxo25kVRcqlzC+fP/ugvzm/aibpNQ4Il+Omkpw+R9vyZcG9Ejv1kbIQsNup868yQ09h+iafGiLzqJpXZ2WzhI+pH2gKvUYAQe0PshxdBNUGwmO3RtumX5AAxVUVxl2y4HN4F6gdcIC5A5oUyabSrsFM223qy3QJbW7WuF94U5BskVFdaqykg7uuqaD8cX3jj5RNkinSgKzWCQ/CwxmaQuoOsCzObZaygBWTf+VAWpNk0/C8B2nkh8vDLoXPPWDEzq3VeBUz+RIy4IyHIySvvzEwTYyofHeAzyd18uf5LVdJH/fmSyY1UVpkvZd70F3kA+LPN0C8FLQ5BJDFiDnXCYsihyC
zpEbLYtZYVbcsuTyQxYzoVaGVulzV/qwpV3mg54h6sJkwWVOccJlDbqarpMlvA9g1+wqD/AlFTnOCq+LWiurivQhKYS+/KlAj2N62CLb3RRqXpQ5mO0Ap89/Y7Ko6HVhbSq3wTZgd6IFZHgUKi4zIc1lPqRrYQoxFUXqsOgW7O8zAk/eGbwHO3UvxD7s1FW9fdg/Z4T9KiPsf8sI+39khP3nPLCtqgWdQg6R0kFPb57JomoEKt/TdYZ3sgVeX2XQS6pG8HlV59G+nZZJxTx1ElKAzHMoJQa+sPS+EVkYn5CYYQeNZnmsSQc4jzVp1qapM8wiZbIrq85iqlplnekB1xlEiFXWGWa5YKNZkwV4I/m1pFIZYBkO4fKV40qmR2H5StV2AbTM4FZTVV0wkcGH7QBnCJIgXD1d2/RuUQfZZIFcN0WGmAbT3HJGRYYCIlPQOUi2Tph11YctqVj/AeU0B97LAtuAZoHs28Hkwdon1maBPp3Xy1d5fNCmmHL75yyNxpgp0s6K2wGsVXJRbbJcc4QKTKevcjPex59s1lYPMNiF9/Ond4544Kj2ZQHuu8mn6yDXgz3jAnLYMKaY5dhEPktZnL0NOIduYApeY5JikUXU8Xr5U2lsPWjmnwi20SwLbMFnkMOMMehorqDkyQpGt2FzmeeUVKpsBBimcnA7AOfzDLJJ1WZFbdKZ/z3osQzyJIA1zLmxmqb3hGxgZ9D4NNS5WK2z8dpgJ3KdSb76zHx/xDNAtxpolUGR9KVAudDOp1yvFoqbwk+YTQ99TTXNcsDLkULYFJCXfr59arjcWCqTzzkujZ02OtWwwBYq+FlBOaA2yXFNr0e3NcmpweLkhln6YdeHdhrYB3NOyzL1HeBl6rBq2zoow1vEq4JppaosXYkc4AxmGq+KPMmRoeNRDjbXV8nbM9UmfctSXpta88RABbXcNsmzzwSXkK7FzgaqSTpRp4OLxbfp3VpC+a6nxUyo5M95BzxDyr+zeZNLHQc0g8RxNnQGVJPnJgg1z3J05TzLBa6VTi3Aqmkzz3HNKm5YDrFQmSwHNsccCAkWmyslh5tchvsG0Kkz/jzU1Ol4crVKbYFkqShTfgB0cktUpdeMlObzIjKP695wVxJ0+jerLvxQ3uRgk06m3oD1I16zHLIMhZthJk5qYRDAppYGdeEdScnRpca4Dwu2SFXnPwAN1zVPHgioQVdzTaUd9NxNAXmVBXD6p9d3Ivv0aWcKaALAWs0LauqEAwP6oDVNDVUDFTn0Ow0M+eC7jmYCnp7JDnLaFq49yEqXGTBO78g0GXzDxvuGM+QDGEidCOAHHmcwTgx8SX8AYg1ak0HNYEoZPs8geE2d2stmNMtxDzQrkyvSRrNYV9wEgG26EVt9mI1J3lVzyWTqQonotNj7AvVNOlOTb+c2/bHyQNNH9LqZnqnhruvk3VqbcpolD73RIsNb2BjQRclTV71nGVvRRoZysMEyY2mV2hu8LLg0ls4yaAZLrm0ONXxZywytm6zSjUzpZo21RYt0FH3TWEU+NJIMlu6yRzIOy/tMBS/JiYaSW3JCdRm6GRps/x5Hx0/OysilsQmhCAaH6BPsb8CUILFSnS4fgst8nDuraqHWMBgseCP/ZqpJ1tT7lmfM8dD7jHDemYY5XJOK7jZa2MRi5bzZHQaSHUnBDQ5naFcPW48NlIhp6lppS4aNRwlZLagl3JJaw2zsKNwjLfcuQyhijA9WR4cC4TJ0dh/pCy24zD2Rv4eqW62PpyFWzcEuQE823zcL1QxeNEIkLEF344isIjXVBsg7sBQngvu7SjsWPH2r5ubFhS97fUZOw4iv58QuIlOKsBnwBwijjxFtSd6D/Z1bCSa+z8NDnYV5MxzZ3d0iXNwTa4BqtphwyaP44czdI/TX3hGfOAsDkyFeCNpInPU7b3COa9vEPd7Afadf+x6a8rfj7mjqmnCH+cUjxr7biCJhTdPtOq/isuQjXFu8FWPugmNMox4RSJvBde9x
QrUUIxMvsXtuxnHg2D/XgCUavjRg7J6m3YdnK9+9V75XGXAsj1/VS+xdj1SXd7rtTtmHk8cIY2Nbf8cO7eZ1lPKUs/9vnm/oFjs/bYUCrh0/G2g1pEviveMRdo/LlBogPl27w4YMblW3S+EXD4Ov7EbBd5gr7dvXR9lICDXEAOC4M7p/XpWm0lB2hPG+gw7TfmmJau/m0LBG4wS0fUjXoCvu1Y1jIb1Z0g/m4EsuYA5EwBIEocbwufQbt5nXHz/62JL5AeU3rr/npE8fZNKzw6yR/EsDu2MSafzy9fA9rGPiYVNQWo2Gl/5CMiUlYG4FWXG7GBMUhEQqQzqNXcNB5UV3Ni0cO1GedE+UUHPOqCAOgxHTB7F4WOxwqZExjQ/Hu3qxNnH0eulsK7WT1Zr6gaeCU1MsVHabwBtxnbmGs1Q2Q42cVOyP4In3AyD+0jhs8U0Lg1iYAKonb4RRzhDfum+nGCwnv4ZfTMgbue7+NYBu0ZY30hJaTpiq6saCjovhLG58R1g+8+yb3b3AGYtbG8LtP5uX3//wZ2f7nva2o+XYN1G0wzkt0kbMbuu4oWvQ5N86n5x5EdBA5OK3PnX9T/4zLzc4b536vftxYPLyTbLtye7AFLfOhLz/7eOZox00eOcJ+ktLbpiGmkq2dlplUM/Ebi4IQQ49Jx/fvSbn0v748jk5f3969p+vyadzaV/9RJ6uFmsigdsFaMIWyoRRaUprYBa/9cOr//Xfnj2JcgTsIqOM2+UHytRJRePjeEzm03fHa37pz+J5i1T8ipePC+m+bLoB8wMbxt36gY/hu6OYbqyTz1zbhgry9s37KLJ/KAn5fFmHnYz/oyRM4rx16H41IhQJuVl44hY8xjd4zz7MqYUVfYAR6Xi6L8ibstTop/WnPIZO9/Syqj40znnfWMj5ybsL/yqNhscqao4Y/dhyKnlNNbzd5PzCoTLi/XI8PHASRBIeurXHedhqYoWfrnVcAdFDl5Yld1+mYhOw7c3yj79zRzwAziTEC67CDT/dPgIDVDa51ln0uts+aZS8DxheKG07kTwQuiUG2HADuF3fLHnNkXnv6eFy3j4mLVnvxhgvIWY3HsuLG7BDy5caoxh3Kqf3Gw10HOLksqZyDpPOdGJKzvi80VCS6RphgiwxayguZ+oDWw8MikZHtOXoorMM/Q5EQt2/X8KV3AGgoVIWipDZnT7PKD1rS2kKWvhU/Ayga6vzAJ9lOBKzDNXCIsd1yNX/pM7AVFoWrScun1q+a8E7Oia7q/WdCQ+gwZ7ZBWgJlnxc1/CcfGqfsbfoAPuRXLQOsMFL8NuYptaO6jmCMjFiGrdIB7/4c0KFiCoT9eaLmOBGNSbmLUG7N5BLq4ix+JhzST6djwoUhgmy2eRVcpHtgKo6w9g3B1iDSZ3R68BmKHHxL2LqVHT0t2fA1o9WKATIefJJkYizUz4yaqEjGqhXeajoBWAkYZhOMCOU/KL0iupyOKebkDdzTPbShLobf425dFOwKwAZVz0Td028a4xbWSr6oTqPDMGW8ZgZMaCQy5DnimkJFbdOLIURG3ESl4LKY8Txb+GgbBNEei7KAYHbLstNJGXpLNg5GrDbL0/qSCUw7EKwTNcP7nYRe6otZ42gmmC/aNIi8fTs+vVbNVezWXz6O7DCLiD79m4h+9Et6G9jD+8zh7dD901jFyBtSBYfRds0KTsn3C6hxy85jvonA3oUYdVYpo7L6bDkOMKXDWNgzAjO2Hn8sOZohyWeIF7EqbhzpdckUpgwwO0YwmkLR9jB0UklDPCZWkn3rji5FVMOux+SgaK0TdUyXT+6kXeTEt+1FGsGBIeyoyf4YXb0YS6J4baJyE+CxQUQRHSAuqCG0FLV7nWxC+CaqJXcbJlnnKXXSqpqJK8WZ3IY7lvUH1eJcMo9l6WTP0qbjgGU/MIFkDcBscmADbdx9sqOMH8nRxPGO/ofJF1hlAWXIWshLRdiNEYYkbLe/R6M8Pl6l6FeIzUnxhNC
pypn9UCE+Cks6JKrBrVLpqpaq4qPZCjCsZE7k3QqsIhsRk7248blshM7GZHcxXBL6yRRBLYwTDpc5gAEI+t3+OXe3d4ru7lvo8duU2bZSLtbzpZaoy+xDLxgh5j1t9KC8D2egwTNWUsSMgQT/XZTC7hd4FMbm+1GArIT9sPEWD0e/GxpOqTt1oPR9HI/TUG98GtlpCtqmnZGuOUVGCfXvbanoYbRIFLYhWRNIW7cCGw8eM9t0Lc8Wof07n6wo/Xj7Wj6oTDJhpzemrTgML6JwgFtSPFGINxCGHy91L28kTp91L3zFy0JbfrmnUvWS/U4AuQGOd4JkK/3OP5485alGm1wnC27nXzUR5UgKe/YLeTHUY9jStoGh7FT6rEEbcdPnbxyp7GLogK7UA8QJaFbnmTi0QhfG91w7KWkVVav056ozgclgr/WIbLnXGbyhPzn5OfvvydP356+uXhGTrmxXM4bbhZQYil8FBeh5ip7X6B9kTDMlp15PMI24xdHMsa0yuxV3Ff/6XY1hkF3Y9Ajn2zo812uC8O0/67ut+f4Q5xiMVMqY23SN5liVKTqTrdDyAda8sb4FYjSxPCKC6q9eHJi090hhu96vLwK77nh5TE7jfQz5T+5g9B6EXf6Ym4ueb46izdy313HsEaoNOz5f4OTCD8ZnIXguIFeWUYZd2UqnTMxYBCyQVYrPaeS/7Enq1rmOwq3ZfYBnO6fqRF2z7iO1pJm6vrzi1sOXwvf4sv3LtrKav4VqLALRjWQWkOpKi5ptOCuJ54uqOUgrbkxPV7QY1L7lj4osb71I9SZDq67Ok+c4KqpttgMaUPqfrF6xGZHQdjcRqLOoARNLZRFsqSyPefDCZ9f2hW74NmFVkteds3DwvdoXYugqQ4ORmj+4561bZ02ruBsiOTlkajslgy9/ux6hMzo8FDMnFxyHz1f7CruIy3gOqUz5VDwu2qecI06U+9HvUroeYRQr6OixkoNMVZpL/EdtAosxdWe4Lcm7ltP4tRXvCwFHE/KvcP1bivnItvbk3sHybl2PMZxyL0Iq/U6DMl1G519TmpB3Za591lpApLpdT3m5cdUyCPYk7fIoNOdbfmrMpa8o2zB5YhJV9JMkuObXV5/kpjpX2tw4sPpR77JmZmQtyWtyWf8h9ePSiV93ek/h48nWdAlOM1JANXkSwN6TbAHoamVNNBqVPHiVEdvgb85jrwMPfCYg6x52wVSevJ9X75xPFuSjoDq5gB9CM1Rb4spTnnK6zDbPeNta+mtJkbONgwPLzdEN1JG7VjzvHt5fOTZt5EaqbELEItgYebfCEpWXJZqZYipgfEZZ+6T57E6wZAnO7wgjjyP7ybnhjzFjrAg2eYZwtDlsx63SCPxHX8Lc8rW5JPZbnzbRWCr3ULa5Nm1boUjGOwjr33f1EJUsFYND5l7EQcc7/oARKr/typNsZxnyL5tsvMr1GPdeb16HaEYKYwetPCbA4g9Tl7vGKkhwze43ltZd4akj3cBHVJzHIddFzDY3ptNQqbfhsEOxRtS3Fz8jGUDKUcCjla4IcklzLgMvnoUTtjVr6L1SNNBxO6gQrFMuG0cMDvqX2rB2Plsc9MeeimN9KbsfNjWUraojtwCf7MqMpwMrKP+dmQZ8jLlMt0EsaR3w5GMRYV5H8+IkOqX7eC2+Dbam/L+yNTOAdZ5374bsK6pbs+U+/PzDSmrBR+0Uifudjhb1ie/34o8m3xmiW9rofQ634b/xdRU/vXGjjEtIttd1Fv1PPY0Obb85QVCv4G2B1OJBlS1/db3UzV6CgqQVqv6ENFRqmY6cC7c6oyHNZ21DTeUIyCOvrrjuPfwRFU1levuPuK1w3H63l5ZgnbPUMHlTMWVAmquctcI3SA/dqzIFrMV5O2KPvuSK0fgl0aINfmPhgo+41CSU6x79s7BKCormBZMqSv+QEH332FK/Pob+5mKMW0+ebfZTTi8biyq3AeOML35rn/olghTdoI72vvkJ+Tjuvak
bzwHjjl+B8c3T8OsSNpMdgdth4N3ROgnJta2dheZY7jqOuVyGzvvWayVbr39GGL+8HZky3u9chIfp5YXdd45RHtY4Va+0XPfoqmVyqSJbCPl1nH7QWpq465JJgtqUkb7e4B1KKdPDLnRIuE296Am3JXOGC0ancob0oNpQBd0ns6m3IBO/jxtg06a/rgNOpz6DIIFri1IVK3SGycOfrLT3Cl6Cw07qTKpNSq/xDFqCbdk7kdcFtWrF+G/TwIKL8J/hLymmNufCtDx7LxAzgNGzz0x/eA5elx7o9YG5JRhIJozqbicgdYjcdch3Uehq6/438j6qHv2CEi2fYlnvW2IXCkMa6usVyqyxNGO35mP27tj9xEziHX/T/+AYYLW+MBPXi9AH8cf4XT2kPH09ARHPz4jJ7h+HDXQ9kjNUkb4fAI6DP+ErSzMPc15IWvouMfI3oa7RZ+YXqfovTvN/zjUK3n31ijx3SaX/I+4t4ZfZZIp5/84IxLmynK/gfWCmpEJUIYdu61Qbyv94uPDBd1WZ5sANUhw2TljbeP0tv4mnpBi+PwYFRXb/Y26qYcfRwctO2nCjWmSK50IGZOl8nnr7hdDQQxB66w+0MGm9KXnmVucXGJwep90OkqGRNcZPESRn15iauf+x6gnPQ9D8u7Scw+O4yLUGFEsc77ouyHV4MiOIlMW7ujRJnmbRpMLML+CYFFnam7wzWZcSf9BQtn6EzEYr1OanF+++ce7C3Lh3inymxyZvrLBNlMl9SHYflypOLYohtgC2JU5yIl8OyGctwdZbOhc16+zaxGGaaBhBOFGCu7RckHzQVPIB1ByPR5dV5BRowFxttQ2R5vw2cdySQUv/UGMILErCI/W1XqfIESOXcHa7IrtRCe/TSBNDHthbW0KjjNos4DGrczBEEYfwW3ic9lWvijN7fqGG8VUVWXtE3dLvD0ewSEUL8FfcQ1i19JM7WJZCSoLYx5q4K1b2cvw3wO1bY1WFFtfalzUih8jrTqGsMeAIAaIVNwaQLayBZVy0Dgjd7upsCoiMhKzPVLb5u5hCTMPf3/75n14917sLN89KFbpXd9/8p5t3FwVSyWaXAx4085xlmHOTTcZux3n20huDXnqkTDPsFsHFva2E3V3wBNEOkqNaDJJs7cB10+S25AuMNkuOliCxkyBWSMIU5JBbZ2hfOn3cKS9wmqVU/p6xjuDvR2h7RCtlbZEOf7++rc3sRTcKNtTnzul58dPsNwtMNhysU6pb3YSbRTz97PfLs4vyDt6XXFZdmO949vqaDt6GubWEMURsgIZA+r2kdWpT/GSxeTp2b7KsZgdr2DzoYvwW5Kzqx1bzrIglc9PQ5fegMVeDMXxNuWBewW0FFf/5euGu8IcWQ41ydS3G/0lzoR+oOzGMK4arfguqFv54t7nxDSRFHVqyF+M1UrO/zoVlF0JbiyUf3kR/va8+5TLGbD4RzOuYUVFVJGhU9H7DaGyJEaRkWOpYc6N1Wtn2R9TWNTULkKz/g4HsovDAEl0Sh0LTV8I7eu1mNK9LuSdPtlhDtLq9Z/+bwAAAP//MzrDOQ==" } diff --git a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml +++ b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md index 4118881b758..10c5b4679fa 100644 --- a/x-pack/filebeat/module/bluecoat/README.md +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 -at 2020-07-08 15:21:17.346374 +0000 UTC. +at 2020-07-08 16:41:59.714051 +0000 UTC. diff --git a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 
--- a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml +++ b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/bluecoat/fields.go b/x-pack/filebeat/module/bluecoat/fields.go
index d050907ed44..7c2bc78268d 100644
--- a/x-pack/filebeat/module/bluecoat/fields.go
+++ b/x-pack/filebeat/module/bluecoat/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetBluecoat returns asset data.
 // This is the base64 encoded gzipped contents of module/bluecoat.
 func AssetBluecoat() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index c2f1123cd4c..a644fa716ac 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded gzipped contents of module/cisco.
 func AssetCisco() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
index 3d395874c03..ecf61b431da 100644
--- a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
+++ b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md
index 920b07522a1..a3ae2a09e18 100644
--- a/x-pack/filebeat/module/citrix/README.md
+++ b/x-pack/filebeat/module/citrix/README.md
@@ -3,5 +3,5 @@
This is a module for Citrix XenApp logs.
Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79
-at 2020-07-08 15:21:18.337034 +0000 UTC.
+at 2020-07-08 16:42:00.681124 +0000 UTC.
diff --git a/x-pack/filebeat/module/citrix/fields.go b/x-pack/filebeat/module/citrix/fields.go
index f201f2f2603..d82bbef0ac6 100644
--- a/x-pack/filebeat/module/citrix/fields.go
+++ b/x-pack/filebeat/module/citrix/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetCitrix returns asset data. // This is the base64 encoded gzipped contents of module/citrix. func AssetCitrix() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml b/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml +++ b/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md index eed4adc8796..44dfa9f8f30 100644 --- a/x-pack/filebeat/module/cylance/README.md +++ b/x-pack/filebeat/module/cylance/README.md @@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 -at 2020-07-08 15:21:18.585798 +0000 UTC. +at 2020-07-08 16:42:00.945621 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/fields.go b/x-pack/filebeat/module/cylance/fields.go index 2263f458fa6..5ef2571c158 100644 --- a/x-pack/filebeat/module/cylance/fields.go 
+++ b/x-pack/filebeat/module/cylance/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCylance returns asset data. // This is the base64 encoded gzipped contents of module/cylance. func AssetCylance() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml +++ b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index f3f1956e80b..7f6e97b7aac 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 15:21:16.886509 +0000 UTC. +at 2020-07-08 16:41:59.269658 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml 
+++ b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index 5bc0022804b..695fe1e432a 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -966,8 +966,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.122.204.151", - "10.169.101.161" + "10.169.101.161", + "10.122.204.151" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", 
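Review bot: The only change in this hunk is the order of the two `related.ip` entries, and nothing visible here changes how that array is built; if the pipeline collects these addresses in a nondeterministic order (for instance from a set- or map-like structure), re-recording the expected output will not fix the comparison and the test will remain flaky. The same swap appears in the next hunk at `@@ -1528,8 +1528,8 @@`. Consider making the order deterministic in the pipeline, or normalizing array-valued fields such as `related.ip` (e.g. sorting them) in the test before comparing against this expected file, rather than regenerating the golden data. This is inferred from the diff alone; if the pipeline change that reordered the array is elsewhere in the series, a short mention of it in the commit message would avoid the question.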
@@ -1528,8 +1528,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.187.64.126", - "10.47.99.72" + "10.47.99.72", + "10.187.64.126" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go index c39bf4417c1..c54966f5028 100644 --- a/x-pack/filebeat/module/f5/fields.go +++ b/x-pack/filebeat/module/f5/fields.go @@ -19,5 +19,5 @@ func init() { // AssetF5 returns asset data. // This is the base64 encoded gzipped contents of module/f5. func AssetF5() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml +++ b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
index 1bf98ee456c..b8c0c6992eb 100644
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
@@ -775,8 +775,8 @@
"observer.type": "VPN",
"observer.vendor": "F5",
"related.ip": [
- "10.117.146.33",
- "10.46.158.31"
+ "10.46.158.31",
+ "10.117.146.33"
],
"rsa.db.index": "dun",
"rsa.internal.messageid": "kernel",
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
index 3d395874c03..ecf61b431da 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 48d4666544c..0194a0312fd 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -134,8 +134,8 @@ "observer.vendor": "Fortinet", "process.pid": 1130, "related.ip": [ - "10.135.105.231", - "10.26.46.95" + "10.26.46.95", + "10.135.105.231" ], "rsa.counters.dclass_c1": 4454, "rsa.counters.dclass_c1_str": "block_count", 
@@ -190,8 +190,8 @@ "observer.vendor": "Fortinet", "process.pid": 5712, "related.ip": [ - "10.202.204.154", - "10.134.137.177" + "10.134.137.177", + "10.202.204.154" ], "rsa.counters.dclass_c1": 101, "rsa.counters.dclass_c1_str": "block_count", @@ -414,8 +414,8 @@ "observer.vendor": "Fortinet", "process.pid": 3904, "related.ip": [ - "10.233.127.83", - "10.64.155.245" + "10.64.155.245", + "10.233.127.83" ], "rsa.counters.dclass_c1": 3391, "rsa.counters.dclass_c1_str": "block_count", @@ -470,8 +470,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.178.244.31", - "10.69.20.77" + "10.69.20.77", + "10.178.244.31" ], "rsa.counters.dclass_c1": 5812, "rsa.counters.dclass_c1_str": "block_count", @@ -582,8 +582,8 @@ "observer.vendor": "Fortinet", "process.pid": 5794, "related.ip": [ - "10.177.124.147", - "10.89.185.38" + "10.89.185.38", + "10.177.124.147" ], "rsa.counters.dclass_c1": 2703, "rsa.counters.dclass_c1_str": "block_count", @@ -638,8 +638,8 @@ "observer.vendor": "Fortinet", "process.pid": 3480, "related.ip": [ - "10.212.55.143", - "10.157.213.15" + "10.157.213.15", + "10.212.55.143" ], "rsa.counters.dclass_c1": 2399, "rsa.counters.dclass_c1_str": "block_count", @@ -694,8 +694,8 @@ "observer.vendor": "Fortinet", "process.pid": 5376, "related.ip": [ - "10.124.100.32", - "10.208.134.60" + "10.208.134.60", + "10.124.100.32" ], "rsa.counters.dclass_c1": 4111, "rsa.counters.dclass_c1_str": "block_count", @@ -750,8 +750,8 @@ "observer.vendor": "Fortinet", "process.pid": 1577, "related.ip": [ - "10.75.148.116", - "10.55.77.49" + "10.55.77.49", + "10.75.148.116" ], "rsa.counters.dclass_c1": 2460, "rsa.counters.dclass_c1_str": "block_count", @@ -806,8 +806,8 @@ "observer.vendor": "Fortinet", "process.pid": 3671, "related.ip": [ - "10.210.74.24", - "10.21.92.218" + "10.21.92.218", + "10.210.74.24" ], "rsa.counters.dclass_c1": 6088, "rsa.counters.dclass_c1_str": "block_count", 
@@ -862,8 +862,8 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.ip": [ - "10.78.151.178", - "10.84.105.75" + "10.84.105.75", + "10.78.151.178" ], "rsa.counters.dclass_c1": 1559, "rsa.counters.dclass_c1_str": "block_count", @@ -1086,8 +1086,8 @@ "observer.vendor": "Fortinet", "process.pid": 2374, "related.ip": [ - "10.195.36.51", - "10.31.95.218" + "10.31.95.218", + "10.195.36.51" ], "rsa.counters.dclass_c1": 3750, "rsa.counters.dclass_c1_str": "block_count", @@ -1198,8 +1198,8 @@ "observer.vendor": "Fortinet", "process.pid": 6540, "related.ip": [ - "10.233.171.118", - "10.19.145.131" + "10.19.145.131", + "10.233.171.118" ], "rsa.counters.dclass_c1": 2924, "rsa.counters.dclass_c1_str": "block_count", @@ -1254,8 +1254,8 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.ip": [ - "10.248.204.182", - "10.134.148.219" + "10.134.148.219", + "10.248.204.182" ], "rsa.counters.dclass_c1": 1713, "rsa.counters.dclass_c1_str": "block_count", @@ -1310,8 +1310,8 @@ "observer.vendor": "Fortinet", "process.pid": 5251, "related.ip": [ - "10.59.122.242", - "10.177.238.183" + "10.177.238.183", + "10.59.122.242" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "block_count", @@ -1478,8 +1478,8 @@ "observer.vendor": "Fortinet", "process.pid": 1411, "related.ip": [ - "10.167.85.181", - "10.14.36.202" + "10.14.36.202", + "10.167.85.181" ], "rsa.counters.dclass_c1": 1637, "rsa.counters.dclass_c1_str": "block_count", @@ -1702,8 +1702,8 @@ "observer.vendor": "Fortinet", "process.pid": 3471, "related.ip": [ - "10.145.26.181", - "10.46.49.26" + "10.46.49.26", + "10.145.26.181" ], "rsa.counters.dclass_c1": 1399, "rsa.counters.dclass_c1_str": "block_count", @@ -1870,8 +1870,8 @@ "observer.vendor": "Fortinet", "process.pid": 853, "related.ip": [ - "10.105.91.31", - "10.217.150.196" + "10.217.150.196", + "10.105.91.31" ], "rsa.counters.dclass_c1": 660, "rsa.counters.dclass_c1_str": "block_count", 
@@ -2038,8 +2038,8 @@ "observer.vendor": "Fortinet", "process.pid": 829, "related.ip": [ - "10.43.226.231", - "10.173.136.186" + "10.173.136.186", + "10.43.226.231" ], "rsa.counters.dclass_c1": 1497, "rsa.counters.dclass_c1_str": "block_count", @@ -2094,8 +2094,8 @@ "observer.vendor": "Fortinet", "process.pid": 6867, "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.counters.dclass_c1": 1865, "rsa.counters.dclass_c1_str": "block_count", @@ -2206,8 +2206,8 @@ "observer.vendor": "Fortinet", "process.pid": 5433, "related.ip": [ - "10.163.93.20", - "10.29.133.28" + "10.29.133.28", + "10.163.93.20" ], "rsa.counters.dclass_c1": 2486, "rsa.counters.dclass_c1_str": "block_count", @@ -2374,8 +2374,8 @@ "observer.vendor": "Fortinet", "process.pid": 246, "related.ip": [ - "10.36.112.145", - "10.30.25.84" + "10.30.25.84", + "10.36.112.145" ], "rsa.counters.dclass_c1": 5608, "rsa.counters.dclass_c1_str": "block_count", @@ -2542,8 +2542,8 @@ "observer.vendor": "Fortinet", "process.pid": 1478, "related.ip": [ - "10.232.254.65", - "10.149.13.76" + "10.149.13.76", + "10.232.254.65" ], "rsa.counters.dclass_c1": 7037, "rsa.counters.dclass_c1_str": "block_count", @@ -2654,8 +2654,8 @@ "observer.vendor": "Fortinet", "process.pid": 4003, "related.ip": [ - "10.98.194.212", - "10.243.237.151" + "10.243.237.151", + "10.98.194.212" ], "rsa.counters.dclass_c1": 5539, "rsa.counters.dclass_c1_str": "block_count", @@ -2710,8 +2710,8 @@ "observer.vendor": "Fortinet", "process.pid": 1609, "related.ip": [ - "10.193.233.229", - "10.28.84.106" + "10.28.84.106", + "10.193.233.229" ], "rsa.counters.dclass_c1": 3030, "rsa.counters.dclass_c1_str": "block_count", @@ -2766,8 +2766,8 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.ip": [ - "10.180.195.43", - "10.85.185.13" + "10.85.185.13", + "10.180.195.43" ], "rsa.counters.dclass_c1": 2147, "rsa.counters.dclass_c1_str": "block_count", 
@@ -2822,8 +2822,8 @@ "observer.vendor": "Fortinet", "process.pid": 3421, "related.ip": [ - "10.107.45.175", - "10.201.237.233" + "10.201.237.233", + "10.107.45.175" ], "rsa.counters.dclass_c1": 6981, "rsa.counters.dclass_c1_str": "block_count", @@ -2878,8 +2878,8 @@ "observer.vendor": "Fortinet", "process.pid": 7867, "related.ip": [ - "10.239.80.120", - "10.196.206.130" + "10.196.206.130", + "10.239.80.120" ], "rsa.counters.dclass_c1": 3896, "rsa.counters.dclass_c1_str": "block_count", @@ -2990,8 +2990,8 @@ "observer.vendor": "Fortinet", "process.pid": 4116, "related.ip": [ - "10.202.7.89", - "10.139.127.232" + "10.139.127.232", + "10.202.7.89" ], "rsa.counters.dclass_c1": 6412, "rsa.counters.dclass_c1_str": "block_count", @@ -3046,8 +3046,8 @@ "observer.vendor": "Fortinet", "process.pid": 3178, "related.ip": [ - "10.40.35.49", - "10.130.241.232" + "10.130.241.232", + "10.40.35.49" ], "rsa.counters.dclass_c1": 3552, "rsa.counters.dclass_c1_str": "block_count", @@ -3102,8 +3102,8 @@ "observer.vendor": "Fortinet", "process.pid": 5735, "related.ip": [ - "10.157.196.101", - "10.167.252.183" + "10.167.252.183", + "10.157.196.101" ], "rsa.counters.dclass_c1": 2302, "rsa.counters.dclass_c1_str": "block_count", @@ -3326,8 +3326,8 @@ "observer.vendor": "Fortinet", "process.pid": 5140, "related.ip": [ - "10.62.229.89", - "10.2.244.159" + "10.2.244.159", + "10.62.229.89" ], "rsa.counters.dclass_c1": 2159, "rsa.counters.dclass_c1_str": "block_count", @@ -3382,8 +3382,8 @@ "observer.vendor": "Fortinet", "process.pid": 315, "related.ip": [ - "10.250.19.146", - "10.54.83.119" + "10.54.83.119", + "10.250.19.146" ], "rsa.counters.dclass_c1": 7074, "rsa.counters.dclass_c1_str": "block_count", @@ -3550,8 +3550,8 @@ "observer.vendor": "Fortinet", "process.pid": 2649, "related.ip": [ - "10.206.165.83", - "10.38.28.151" + "10.38.28.151", + "10.206.165.83" ], "rsa.counters.dclass_c1": 2124, "rsa.counters.dclass_c1_str": "block_count", 
@@ -3718,8 +3718,8 @@ "observer.vendor": "Fortinet", "process.pid": 2913, "related.ip": [ - "10.7.43.184", - "10.193.66.155" + "10.193.66.155", + "10.7.43.184" ], "rsa.counters.dclass_c1": 1129, "rsa.counters.dclass_c1_str": "block_count", @@ -3942,8 +3942,8 @@ "observer.vendor": "Fortinet", "process.pid": 4020, "related.ip": [ - "10.170.252.219", - "10.180.180.230" + "10.180.180.230", + "10.170.252.219" ], "rsa.counters.dclass_c1": 2292, "rsa.counters.dclass_c1_str": "block_count", @@ -4054,8 +4054,8 @@ "observer.vendor": "Fortinet", "process.pid": 3628, "related.ip": [ - "10.225.255.211", - "10.141.143.56" + "10.141.143.56", + "10.225.255.211" ], "rsa.counters.dclass_c1": 5104, "rsa.counters.dclass_c1_str": "block_count", @@ -4390,8 +4390,8 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.ip": [ - "10.30.246.132", - "10.208.18.210" + "10.208.18.210", + "10.30.246.132" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "block_count", @@ -4614,8 +4614,8 @@ "observer.vendor": "Fortinet", "process.pid": 4386, "related.ip": [ - "10.141.216.14", - "10.70.29.203" + "10.70.29.203", + "10.141.216.14" ], "rsa.counters.dclass_c1": 2465, "rsa.counters.dclass_c1_str": "block_count", @@ -4670,8 +4670,8 @@ "observer.vendor": "Fortinet", "process.pid": 2313, "related.ip": [ - "10.183.243.246", - "10.137.85.123" + "10.137.85.123", + "10.183.243.246" ], "rsa.counters.dclass_c1": 4248, "rsa.counters.dclass_c1_str": "block_count", @@ -4726,8 +4726,8 @@ "observer.vendor": "Fortinet", "process.pid": 7353, "related.ip": [ - "10.158.54.131", - "10.10.86.55" + "10.10.86.55", + "10.158.54.131" ], "rsa.counters.dclass_c1": 7608, "rsa.counters.dclass_c1_str": "block_count", @@ -4782,8 +4782,8 @@ "observer.vendor": "Fortinet", "process.pid": 7182, "related.ip": [ - "10.187.170.23", - "10.105.136.146" + "10.105.136.146", + "10.187.170.23" ], "rsa.counters.dclass_c1": 5957, "rsa.counters.dclass_c1_str": "block_count", 
@@ -4838,8 +4838,8 @@ "observer.vendor": "Fortinet", "process.pid": 6537, "related.ip": [ - "10.114.211.238", - "10.125.166.198" + "10.125.166.198", + "10.114.211.238" ], "rsa.counters.dclass_c1": 111, "rsa.counters.dclass_c1_str": "block_count", @@ -5006,8 +5006,8 @@ "observer.vendor": "Fortinet", "process.pid": 4542, "related.ip": [ - "10.11.2.200", - "10.69.230.223" + "10.69.230.223", + "10.11.2.200" ], "rsa.counters.dclass_c1": 7154, "rsa.counters.dclass_c1_str": "block_count", @@ -5118,8 +5118,8 @@ "observer.vendor": "Fortinet", "process.pid": 4025, "related.ip": [ - "10.153.166.133", - "10.90.50.149" + "10.90.50.149", + "10.153.166.133" ], "rsa.counters.dclass_c1": 5213, "rsa.counters.dclass_c1_str": "block_count", @@ -5230,8 +5230,8 @@ "observer.vendor": "Fortinet", "process.pid": 3142, "related.ip": [ - "10.203.117.6", - "10.55.103.200" + "10.55.103.200", + "10.203.117.6" ], "rsa.counters.dclass_c1": 1119, "rsa.counters.dclass_c1_str": "block_count", @@ -5286,8 +5286,8 @@ "observer.vendor": "Fortinet", "process.pid": 730, "related.ip": [ - "10.244.52.142", - "10.75.122.228" + "10.75.122.228", + "10.244.52.142" ], "rsa.counters.dclass_c1": 2894, "rsa.counters.dclass_c1_str": "block_count", @@ -5342,8 +5342,8 @@ "observer.vendor": "Fortinet", "process.pid": 6944, "related.ip": [ - "10.119.143.168", - "10.7.142.212" + "10.7.142.212", + "10.119.143.168" ], "rsa.counters.dclass_c1": 1612, "rsa.counters.dclass_c1_str": "block_count", @@ -5398,8 +5398,8 @@ "observer.vendor": "Fortinet", "process.pid": 7279, "related.ip": [ - "10.252.146.103", - "10.116.105.31" + "10.116.105.31", + "10.252.146.103" ], "rsa.counters.dclass_c1": 3194, "rsa.counters.dclass_c1_str": "block_count", diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go index 0d9ccb18d51..535e8089827 100644 --- a/x-pack/filebeat/module/fortinet/fields.go +++ b/x-pack/filebeat/module/fortinet/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetFortinet returns asset data. // This is the base64 encoded gzipped contents of module/fortinet. func AssetFortinet() string { - return "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" + return "eJzsveuT2ziWL/h9/gpsfdhyddjpLld33Tu1M7ORk2m3cyczrbb8mNjoCAVEHknoJAEaAKVU/fUbeJAiRVBkSgdK193bHzrKKemcH14HB+f5ijzA9jeyEFIzDvpfCNFMZ/Abebf7SwoqkazQTPDfyH/8CyGk/j65E2mZwb8QsmCQpeo3++krwmkOLarmf3pbwG9kKUVZ+L8EKJv/vbO0yEKKfMfJAvow9V9qsmuxZBlcrKhaXSQy+eVN/XnF/QG2GyHTxt97MJj/XX28+uUNeU/VioiFJd3hx0FvhHy4YFyDXNAELszfG1TEGuRGMg2/ES1LGAVoQctMz+wQfyMLmikYh/ee5mCQ6hVUwEgNjGxWIMF+piVdLFhCVlSROQAnYq5AriG96IxPKvqEwTTXdsRQ9hdxx9ai5jRrDa+fex//EIsdk1wtW38/zKF/wTqr8mnFlPkeYYqUClKiBUlooUs//5JuSA5K0aX5N9UkETkoM2hhPt8jTcitWJJrSEQKMjwQR4vtgzp2OBVdWAPXMzM0ZMIecOTZ91Ou7JwngmvgWpnzwbjSlOsKhgpi1Cw/BmBK9f4HXXTMYTIsCNVks2LJilCiQCkmOFkxrQgl96C/Ms1BqWr1Lzpbox6sWokySwmHNUgyh3rfFVQqIHegqYFGnVDdsXpxK5bq9YQmD6DVTx3y10xCorPtS6I9bko+ghMWbofzBsyL4ERmsIbsiJnMBN8/n62ZvIZCQkK1R5LCgnFIieCZhaXpPAOS0yKMKlfLGdqBObDGd/6c31z/TNY0K/2JZylwzRbM7054pIkmmVi69ZKdhbCjY4a83y32e2Y5Cio1S8qMSvt7v7AXvTujQ/qonRLaGR3K/Tuld0nW512TN/97TQ6vieEaZ0FOO75i/s+ZHcj+snw36Nb0GKEXHZoEJUqZRLp7T5+2WOf/NGRKUw05cP09gqNlyvQsyejeGf5O4AHXcvs9AlsZnep7BMb4ccDiakyV5Ph+d1oK9BjpEXfaFgAp5huqR68JvTMbX6zMAgZNRw/pKAmnvSL29JAO9YFXRP8s7plWzjSLvGFVCU6fm67OMJGmjwRm8MnTl5xDrS45+1bCTo2W9fj9n7btR+2V4Im5HKgW3/vLtkfcrFlccdic3SvDhi1YQpvn+VYsyds1cE2mVjiTkqcgzRNEghdUnaEv2COkRIE2RFo/bvNQ/Q+WahE6tE9+sNSL0CH9pEXpWgLx7UvHbczOuJ4wJ0+bg5VQkfTV5r58L5Ruishsf0cq4Cnjy+pDFdo2DRvSH2d+2TEbrPOj3om9maz/QmiaSiMr+477/uR2Rq/FH3Vy17/Gnt5f//87vWa24suGfbngDGlNa1lKKFmyNfDaSPbHVQTMFB1nv4j7Akm/R+Xvj+HR6DVoiGI7k/Atwlo3nYd2ge2451s7y28dazKxB+mlt2ZrSj5tCyAJ7UqQORBgegWSfL7h+udfiZDkXSao/uUNmVNld1HlIFuwZSmt6jcw7mPU3T/wuK0bNN7jE8G+YH69FLHMbIdexxXnP7yBQcgNlWk0pa4h0RrDbs7kzeRLS9+jREJG95eUELVVGnJ/iXrYhtoK3E71gTPm30KyJeM0q37T1lYG5iGW/nUgMOJm8uXXwBR4+J2ZOH0KakTdWca4fXYbtas4Hnv7rICmIM/iu35vWZGb61O8pA5v01lqyRznK/2ujWxZMotuZ6OVonWzU7TsQTFPlyuRZZBoIf+IAtjM3jPE3Jg9xxRJ3NR
BapC2FNVbsa+2kAMT/R2++PJk/r2oqrlQNtgtF5zMt51FI0TCtxKUNgQVy4ts69fJfNkIegI0WRHFUiAv/kz0SpbkzV//+hPZUEUUAK+5HJiJ70J5HTETqhBcQbypSP4wuyIRJde1TaHM507omaOsghTICzoXa2hMBuPByMpKvCktgea95yf5w2ybZ54qSFm5r6dhTNQPIc2xNiywBWH6H+WbP//8r8qJ9NeFFaAV6H90RvMP8x68pVuQ5A15yxNaqDJznhXzpHySXA9RP9H5EYitDHH55Q35dzPcl+SXX8i/k0RIoy/bUXimL8n/men/y3yRKdKelB+CS8hFCt/tW5dvYJbQLJvT5CGuBuzAcaHtsaHavSvMJAJPC8G4tk8TDeEAZ7s5ZiCliBSfttMHVQEJo5lFbJEqLaTRrPnWaR3mgzXNWOo2RggUIQtR8tTcMBlY8IwvvXI0GLzYPhEdyhi+QH8cDriNelZhmwmafi/3nIdDFPsdSA5asiTw6vBP4eaX7VvYXfeVEDbXPtU7jVYsqmW7IO/FxixN983JOBHSPMa0IA8AxcCkfRc33h9k0qRIQKnZmqWzNJbX9W0leZbAQVJtD3lqZrDxLlwzqUuamUd7y/bOAyYOljPz7La+cjsZbhT+qN9cE2mktbIGFTtpVC5B118bnAklIwU9PftMuEi4wzMho7iCuoL/5rqyvX6EXGggU7/fEwn2op1v+wSl+V/liPkDOF48p5kqMhYzsuG7fs4r1lH7vwvdzMjciPvdnjpzB/i9Xu266tXir5D/NTyMTry0Ek5RV/qQj95wNY+jydXlxOu+CeVmelheCLmv8RJ7Rf7hwiDK78P88dldVfYhbp/uIVNq+ylf7n6ye7A7Pce+zC/Im7/+SjZ23nOgnNAsC9sKrFHfqkk7+xHZgARHlmqSAVWaCL6XLtKexGdXE//Ykxg4qzHctn7uvgqZ2omzUU2QrLjIxHK774hbMNnRYgn5K0lWVNJEu0k0h3pr8VujOScl9zE9Wctm3ptRi53Q7Rz1MZ0IB3yX9kWRGyVT8MqNIOmmV6ZZybqnVtLEaqzOR8G9zUEkSSkrikpTnlKZEi5kTjP2eyi+V8g8OD+pj3I4eopEOe9cSU+apB3qGszrjC3AjjjwwFeQCJ72KNi75Z4pHdPOcmBAjCciLzLQwQ3Qa0SlVoHXku2JwUa+mdTPtJGnhndwO/dt5fbO7N1+ueB6hbRMu/xUrJiXXZRT+kwT/5anMabdkPxd8NjVFg6IRcO9UjFdeO2n/RnuiKhoJ/qSaHjU/vCRNUjVSKdID8WBBdb31M22BYo1zF2aXiJkCmm8e9AH2fhrStUcKx2jirSpv9j0r3dvKynyC0u1tEn5KgFOJRNOrc/LTLNXmoEktCiyKvtlV8smp5wuQ6m5hGTWvVO9Fx0oh1URpn9URGy484xpmhf7lkGP2HAzELunTyuSrJh53YgU1AW5K5W2z6QmUXMqqe6Jy6UajlykgwJssTC413AOTcgucsXQzZ2EBUjgidsQ1KjWKVuz1Gg2dj+EBdm0EmSf9iYvPMjHgsmzjXC3ns4X9Gh2ItPZ1g1WGaFn9DUDym7Qw7ZRxEXvNeG8NNK4lmcXHZZ1OJkosSVQ3lHkTqVYzz/2UbEa5LcSyrNtJbO73S7ayccNVcSCSHv2jQX3M/akIioFrQmNINOWuY5w+y7zGFiLWQSoxSyG9lxgiqI20TfoVCPoSo1b5HmekHvPx+Ad07kun3TnHCs2h+TaMc6C3QWxVw0B2xBEk44Sj6FYqzKL7XbqeUWJUicih9cOQ/14sVHZYtHZIZT7KWg9IHs2CKxBMh0zdeTAwCruPgmw4dk5ZPKJm7zYqR3obuk608VQs36nAhK2YLuHT1i7dc6cvpoqXleOH80UWIDaxMjSXcJEZaJKvZMliNs/m8+1CF/ar/TmS1BI8mHqQ2OZqgIC9u1qln+1Qn1ZkqoQiiEKjlF7yz6neeoqTNlQ/ur
s9lbhKTM9i1e66ImiiJc5SJY8VRYFx3aGLLYDA2tmstUnw4kld747Q1sDT4X0AbMHRybm/3yG6jWVa1fM/wlJ+B1tgMXPBe9Mt5Ggh4E5SR+zVt0P3QPps/69mPFWrhWtY4u50ISSla94EQ6gzcRyVgWqPItQrzbik4X6OWqmtGTf32y4la1abcVHWPEXGUu2sU/PAbkwsQB8cW2ebXvkcpnFjJsOT+DHMgMLLCxOBdfwGFtjrQHdcGev29VDpWmqzP/ZS5VmFaBQAZiByzlZUb6EGYdNbFnQ57iETcPVb5UQrSWblxoaEqIbo68cdKOtN6+/sOhQBUUTdvXMZSxa2cpDk2YfgvvxRQ5MU38LPG5tBpiZsKrgoNrFfMk1yAsyBbcopQJ5QZdgS3n7SPeFkBWGDu2KjNPbE/t74n7fqFshJJlLsTGfVX/1uqZ7dvXWk75JJ1RqbDNdTRjbouLPlOhkh57rTIksrdXGWEdKFOAdirHu4ktOaAZS19FFcsfU/825t7z4aBQBsEFIAYU5JVzwVxIKsC+ZQ9EP9tlwzisnKaU0B6Z+r9iVtHrca+Y8bJX7pzOyDdMrryw7WU+uLcO5zTbhRPBXS2H++8BNYJWUWUBxjDhu2nAGvrYADEixIEY6aAbqgkx3MmW/sUEzsyoO4iuXzlcq84hxKaMu2Cb14tdPPCVJVipdbUj/j84y2Z8wZVbS50R7+4ZRfO2n/SrQ2bUfd8LCL3pXlimeUvbj0MPLoLy2KAhVSiTM2kvNagTfk3bBbtkD/EYoKVZbxRKakZSph5ekkLYnyksCOvkxrChTSY/JvXziRe/ybCTNQYNUpKDKVvFStpCDq0WQiDw3Uky0nPbd1BrQyUF1z90Hz6XxNdYwwsXkxHci8qLsnsEIy0bJhvFUbHw8bSJ4AoV+WUdS9E5GZ5iLMsu25FtJM2f8TEVOGfdSgzcYZaLn6mpaPbHUpQNDNyrhLeMPkPpcoCoQnSprnfIPFPPJDzW0C5YeWrisUxUiqqhrdnZyZol9ABW8ukPW2XF9KLzllUy75XpqpzPInO03doptYvU8LVq3/w9r2r8ga9oLlsU/4/WQ31lu9TGWkJYJkMpzBGFzmwLJaDYL3KbRLpGpZVmpzfv3Y+MCNDdMr10Akgd1VMkBDIux524uupXvEmdPqFELA1mGZbJykb9Vjk2dZnhVUdorEWYGUrO5UDIxv6r/3c00JUaec8JszF3JkwyoNH+yhfB20HwCobd2yiqxc9j74IRf2a3z9F3fWInI54zXdbObF5ZPG5VPuL3WTJbq3Ja+pjZiAfRb/M7jIA0ciSvH3dVk7LeUuhdcdNN4PX3OynxzTe6dpHnhCzcQ123PJ/0abD+F9WpngH4OW37D/HxzbafUp7zVYqJrPWh75FwYoBvChdtERhZsmAo/UtdqG7OWfdur6xO0nbpw0I7N3eP7jLvGTP1VzZjcXA9qslj2uQFN1gB7w9OdRntBrlx+pq93mrkPDmuzFqBsf+PnH7w5bl7qOnNT6PoyKnkGys2McBfKRpA1lYzOs04WoCvKwDgpMtojCBRwFbU+SmtBm6qq43xhJJXRMKr8QmbWefr6ZrKvQxNfMtZZFPryso9sKDg6F3LnaXEgyQ3XZMqWnFph0bNFCyFjFq/9sSO/zCadVLqbsFUd7X8aII2zbHdZKgIb5/7DJ8J4kpUpGHHmG9man1+QF28faV5k8BuZOIOII2ul90XYLmI9c2f3bVrj1O5qCSNj6sGo3EfgekIqXsOMee+vho9MPRxwuWrJlkuQ8VrYhafsS9MX4DFY7XQlQa1Elprd497qPZ1GW673M1gWur53L5VffHQ6xk91MY6b63AayWjvfCLyYnbmuCu7Kj72yrZxdfY9Vc5fGTiC2/zUhW03I9Iy6XulebX0maLGmshraSmkrTxg5HqFr6dLHJXphsrnidDrVtU30pX6i8gMoqc08gsjRCm5o0lVTzms3BoRdNZ3jOCvKgV
VHpZC7q2J3tRaAlXoscFKU11iKc61PYqy7NmeHYb5XDwSlr7uv7/MzVqeA6FB9LlT+NidBYMifHSreyxy973OJr/u9t075jpjXJRYPs5GHolaop8pI0kxjQ4di+xfkAnHrszY2hKXWWbkHlFlkoBSizIjbw1/kogUlNkSVbHf8MuC8RQekScgY0ofp3meKFssY/sUkxWIOUjr38ypZJmN4AlY8Jz/nS8JtZP4yvw2ODIeYR+KuSsu9EwasedOXtTxnAVIVfikWydhOlPmVYRdQHxV4emnniRDZ+bq3sexA0qc8lUHeXlblfu2+ZAyrkgKmrIsYGSYi1I3ftczNJGdPTazstjSOo7N4ui/SDXkRRYtmueSpLCg3gXkK19WPnwfrWm04jXIjG5tIpcW/nIlLwIn0nxgX93+17CossCdrV5ppktbmJEEB7Z7G3QLNp16XFG9WA37TkKxkUaQVYnIc3Oe4myjK0edsEawbyHFmqXOflZVkctB9QZCpSI53tH4dGvZO5bttMakGZcXVg0eCxv09DyyvuIeV9b/U8yPtDsdPbz/R8y9AyZ8ugoWr3DutQ0odis/ndyQm45C1YQRrWqtzy45jAAxsavOhl2iPqSfYg/zsdVh5d6JiNlcpLEzvjoZd/tKh8dCDJYe9WiFXy3BuQzOkHneMAH71GEXQFv7Q9iSpbUrp8eIl2O/Gjtp4Ag3P56SV4+7KGNeU1V378lnVz2nckTZYI1HSMqmFcGFfs0hlN5aVWE6FLhxBkNI0Cqetg0idXYlXVOW0a4jg9SmcGLzKxcgZU+nBXeGjrH14/nd/GMl9wWgnAO2MyQfbqDY8qJHIrJ8Ni/TdItun2H5DDUPqEG3VHBcofODVip8ipIJxCoHeyl2M1WeIyGBqWb0qqu5SsuU6TqzblcXzSMKNbbbZWw4UbJzLxwepIsSw57B9dle5Vdf3pIXPlfiS5kZXXnOMpvAYePA3j4WQplv/kRedQ0NfN8L88DFhrceQgqS0hazWLep93TaTOgZTHD7YaFXVZb7vU9NuoUlTbbkc+9zLWNzSZ8jKd8zbk0x4ySnjC8kzeFgOEZBpe3aG79OQku5nFi25F6kLjh6VxawEXUWAEUGtC8bKmAmItYLqV037h425H3J7VPyTqSQkReMry/+9JIwkbwkc/N/YP6PcpptFVMXfwr7F3VSzBYZ7XTOx9ah2hr+1YRYptbWZeXktmp+JRYHCzVoERWp++vc46zKICiQZiMHAa1zXLm7h+zL3VcqgXxyAcB/+tOXu6+XH9/+6U8u5nZNJWW9e3Ij5ANmyvLgAftaMWx62HqNYJRjKxE+Zwe3Skl9HdDEXBfbCE+YhZDAFUswBUjDlBQBcY5vBQn4B7CIzjaUdZsTn2wdsLXPsYma44Odoq7KeaRDoeep0hI7893ma0cziDXvUrR7tMr5iGckPTbZZdcYrKPS+GSTXd6Lz3cxJBas19BUDTWaIfbYoQarEQWGuZ/eExbKR9cTfLrhwoD3+v/HLtedyuw6/z3LFksbNnoP5CDIZ9kclR/3ED4hzhC01VrZxrv0ha4j2qsoO1sn8ydrduvs3GHPdFWymp3DH2aTvhaUZWauq2IuEy8zbq6buW22Epd5DmpYBkoY9EcVVjHXM6MiHjGeYwKvbbi1zz66Enle8n1LVAcdP65w06no7uFR/w3COnWNTR2nWZ+KbUp5+p8i7DXbYdNUs2Mkw8nouoxb4FSpCpYwgRYleq4XvEW/oZJ3nQ7fO3TF82ImYgnj6f3dhHxwdtRdUGoYyLezhhJM/35LvpUge2q3lhmfSdiv1Bk3uKFhEN2Sj1XSWTCsq9bSE8SLtElUYLcRMESLowxHQ1R1wDl2Mt0Uv0EDzajMI6yWIRvBvEALxATkmmiZonWlbdHErXbVIp1Sva8Vnkp3DjxZ5VRipZXUdLcF7bQvPtn7RJNOOBUKzdkKfS8ksMBNoKoJL5a21FIEsmL+zwhUC4reCcNVnEL
fXtbpPmPYF46v3JaDUT3RQfMZTWxjFPz0E0NbccTHe4PwfFms/8If9Qr9fk/4LNFylirUuusN6obycZ6nEYTXGUWXGHwGfMk4YlJkl3SM2Gg+W8zUhukEXX7w2SITG0Vz/NiVJm2u1/GoR/C6JHzGeExxwngBMp9v0QLeO7SL5CEO8TXNYuwVVswKKbSY4bukLPX1X2bW4ohPO4t2NjOxnKUxJtsQxo9/S/gsp48zrbHMBm3CZkdnEOFSyBmPBJrxeKCLTM2yeTbDdou2aP85InH0yuAN2ti1EJu0sbN6m7T/GpH2rxFp/4+ItP9nRNr/Goe2FkVG5xBDpNTU8Z9nfJaXmVW+59sI92RFvHiIoJfkZcaWeRFH+zZaJs2W2EFInjKLoZQo+Jbg20b4TLmAxAgrqGQS5zVpCMd5TaqtKosIvUgTXqdVR3mqaqHN0wMeI4gQLbR5mMWibZ81UYiXnD1yyoWCJMImXP9qZiXSpbD+VRR6BTSNYFYTeTFLsgg2bEM4gpPE0pXzrcY3ixrKKgrlopxF8GkkkmmW0CxCApGa0SXwZIsYddWkzWm2/R3SeQzc65ktAxqFsisHEwe1C6yNQn2+LNa/xrFBq9mc6X+NUmgsUTPcXnF7hKVAF9UqyjG3VCGR+Fluytn40XptNQiDXjk7P75xxBG3al8U4q6aPF4FuQbtBcsgxhtGzRYxFpEtMJOz24Rj6AZqxgobpDiLIupYsf5LqnTRKeaPRFvJJArtjC0gxjNGWUNzDilDSxht02Y8zi7JRVpmoBIRY7Y9cbaMIJtEoTZUo/b8b1APRZCjEJawZEpLim8J2dGOoPFJKGJNtYw218pWIpeR5KuLzHdbPAJ1LYHmERRJlwoUC3Y85XqzEkzNXIdZfOpbKmmUDZ72JMJiUF67/vbYdJnSlKP3OU6VnpcSq1lgRRVcr6AYVEt0rPh6dJWTjE3Wdm5Y4De7PrbSwCGaS5qm2GeApdhu1ap0UIS7iOWzRAqRR6lKZAhHeKaxfBYnONJXPIoxzcUDenmmQuGXLGWFKiRDJppRzXSJHn2WMQ54JXZ2VBVqR52ark2+xTdrZcJVPZ0tMoF+ndfEI4T8mzcvutQxRCNIHPOGjgAVPTYhE8soW5cvoxzgQkhsAZbPy2WMY5YzlcQQC7mKsmFj9IHgoG1xJXS66DLcFYDGjvhzVLHD8fhmg/0CiZJRJlwDaPSXqMDXjIRky1mgH9fJdDccJP6dVcxcU150sqidqXdkXYvXKJssQuKm74mDLQw8WWxpUMycIQkdLlXKfDhLVlh5/h3S8FgwdEdAATJfSsp1p+YuBuVNFML4V6+rRPb5814XUATCUixnVBWIDQOapCXFpiqBZjH0OwmJnQdXdTQScfxJNpRxS7g2KAuZRkCMb8hUEWzDytmGI8QDKMAOBHANjyM8ThR8w98AoQKtaFQjPKUUW0YQvKrAtrIpmcQ4BzJJ0RVpJZNQVVwEwhqvxVaTZqnQq2quE46dKBHsFnsqUVekE3v4eqnxt5Ujiu/Rq3t6YtPdFujVWst0HiUOvZRZhLuwVCBnKcPOeo/StqLyDMWYBp0oTXNsa/B6xrjSdBFBM1gzqWOo4euCRyjdpIUsOaaZNVQWLVBR9LLUgnwsOemwrqNHIjbL+0IzlpIrCSnT5IrK1FczVLb8exiO65wVcZb6OoRaMraJPrH1DRKRkVCqTh0PwXi8mXubF5nYQqex4OD8LUSJVtR75B4zc+hsRrbfmYQlPJKc7hda2Pli+bLcbwYSHWTGlG3OUHH3S28LKBFVFoWQmnQLjxKyWVFNmCaFhEXfVjghLPcpTShCE+9fHTUEwriv7N5TFzpjPHZH/gZUw62JUxEtlqBXIC9231crUXZuNEI4rEHW7Yi0IAWVCsgdaGo7gruzSuspeHErlur1xKW9/kSufYuvl0SvAl2KbDHgj+BbH1vYnNyD/so0BxVe5+6mjjJ5C9uyuz5FlrkbrAIqk9UF4yy
Iz/bcPUN97T3xaXth2GCI1xktue31uyxtH9eqiHu4gPtevfYDY4pfjrseU12E2/cv7nnsm4WYIeY0jau8atmST/Co7anoMxecoxt1j0DaNa67tx2qedbT8dJWz43YDtzWz1WgiYRvJSh9oGj38dHKT6+V71QG25bHcXUSe98iVcedts0phzA5RNY31vq7rdCufguOHLP3/3B/Q8Ps5roSCpZ3eG/YVwNeEO8Tt7C5XOZUAXHh2jUa0jlV9Sr5XzwPXl63gq+RC+nK1wenkRCqiAKw7c7o4X5VknJFkzO09+1UmHasuVV7d5smKaXtgHYIdAEyZ07dOBfoHUvXmIOtWQZLIBmsISNUKbbkbuF2/frDW9+WZH5G+W35H9jp82fp9GyQlZx9K2G/TSINH74G3uMqJh7XBaXSaFjqDmQiOAcbW0E2TK/6BAUhgcyQWmOXcFR60ZOfFmY6rTypr6hMLFlCM2IQ9Dx9LIrnRWdZ9bRpfL65K1ZbFYbXCGfbiL2oVuwLnmaMqtlKRH8TuEdc/VyzvVR2TY2MVGy24AnXAyDu0Bi09k7zjViSDKi8uMyUMA/x1nm7ts5y8t7/4oJc8m39rw51bd/yimtC04tE5EWpQYbFcBQzvhlYvOfZD/trYXssthaE6X+Ub/7887+at+91YzmqGfshCNvv0xmux2ys4YZuQZL/Udvk1GsPw4ILn3rs/J/4e57vMLd2/cH1ODJ4eUi2/bjfMMXwuSD3Hz69NWMHCc54Yu2lKVOJhILyZGu0Sq+eZfuxIMTO0Evy6e43csP1L29ekpv767f//Rv5fMP1r38hLzarLeHA9AokSVZC+VZpQkpItP3Wz7/+3//HTz8GZwT0KqKM258PK1Mvchpux6Mi774nHvOp24s3FajwEU+/L9BN2TSA/MiCcaMv+BDePcV09zr5wqQuaUZuL++DYH8XHOLZso7bGf+v4HARnlsD9w8jQu1AhoWnXYLv8Q4+sA5LqmFDn6FFut3dE3KZptLaad0uD8Gpr94kL471c57qC7m5upu4W6nXPZZTdUbvR8uo5DRVf3eTm4mB0mP9MnN4ZCcIlDk0vPvnsNLEZq671nkFRAMuTVNmvkyzncO20cs/fM+dcQOYJ6E94MKf8Ov2FuhA2cVaR9Hrxl5plNx7hBMhdS2SO0I3tQ42uwBMb4clrzrz3LvxML6sLpNqWHd9E88h9G48lxXXo7MvX6qUSJhROZ3dqKPjECOXJeVLuKifTongC7YsJaRkvrU0gac2aigsZ4ojSw90kkZ7tOUg00WEegcZou7fTOFCNwBIyIWGmY/sxo8zwp/alKsZnblQ/AikCy3jEF9E2BKLCNnCWYzjEKv+SRFhUmk6qyxx8dTy/Re8GcfFPremMeEZNNi3egWSgyaftgW8JJ+ra+zWGsB+IZPKANa5CT70aWpVq54zKBM9T+MKtLeLvyQ0y4LKRLH7og1wo9IG5q1BmjuQcS2I0vYyZ5x8vukVKIkNkI0mr9BFtiEqight3wxhCQo7oteQjZDi4m5E7FB0a2+PgNa1VphlwJfonSItZqN8RNRCezRQp/LQrOGA4SSx4QQLQsk7ITdUpt0+3YRcLm2wlyTUnPhHG0s3B70B4GHVE7lq4lN93ELTrOmqc2CILRlvIyM6I2Tcx7nasIScaSOWfIuN8BDXGeXn8OOPMFBWASINE2VngG2T5c6TsjYv2KV9wLZvHmxPJSS2CsEarx7cOI89lZolZUYlsfWiSQXixdvH327FUiwW4e7vkMz0CqIvbwvsJ8PQncYG7rcGt4F7WeoVcO2DxXthqxKzcsK4gB7Hsh/6ZwWyF7AodSLOO9OeZT/gaZkkoFQPZlt5/LjiaMcFnlhcxKi4SyG3JJCY0MF2DuHUwgh7GI1Usg4+VQhu7hUjt0LKYf1D0lGU2qNa49Wj67k3KXFVS23OQMYgrcfj7TB7+jDjRDFdBuQnsckF4EW0p7qiitBUFOZ20StgkogN3y2
ZmzhNHwUXeU9cre3JoZgrUX9eJcIo94ynRv4IqeoJoOQdy4BcemAXnWkYY+zl9cDcmewNGK/H/yzhCr1TMPVRC7izEBpjYCIw891PmAgXrzf1+RrYM9EfEDoXMbMHAoOfw4qumSitdpmIvJAiZz0RinBucG85nWc2iWxBrg5jY3xdi52IIPcRtrROEgTQQojaXOYIgAH+Nb7Yq9u4ZXfnrXfb7dIsS67309mwNfrUpoHPkmOe9aO0IHsfL4GDZEk1JDshNtBvP7SA6ZW9akO93YgHe5H8fKG07Hd+VmM6puzWs43pzeExefXC8Yo4ruDTtH6Ea5aDMnLdaXsSCuh1IvlVQCsKMbgQtvDgicsgR26tY2p3P9vW+mXcmH6eKbQmp6OH5g3GQyPsjM2OeCcQRgiDP+7o3gyOTp517dxBQxmbHF45tFqq5xEgA3K8FiB/3O34y/CSYbU2OM+SjZOP8qwSBPOMjZAfZ92OmGPrbMZaqbcpaHt2avTMnVKvZjnolXgGLwltWZKJg+G/1rvgtpaSFFGtTge8Oh9F5u21BsiBfRnJEvLfF3/985/Ji9vry8lP5JopzfiyZGoFqU2FD2LJxFJErwt0yBNmo2UXDodfZvvFnogxKSJbFQ/lf5pVDSGoT4y1yKM1fX7KcUls2H+d99sw/FlMIZ8p5aEy6btIMZphVafbG8hHmrJSOQ5ESKJYzjIqnXgyYtOcocTe6+H0KnvOFUvPWWmkGSn/2WyEyoq4Vxdzd8jj5Vlc8kNn3bo1fKZhw/7rjUT2k85e8IYbaKRlpGFTppAxAwM6Lhs71UIuKWe/H4iq5vG2wtjJPmKmm3uqZ7oXTAZzSSNV/Xln2NnbwpX4crWLWlHN74FmepVQCaSQkIqccRpMuGuIpwnVDLhWg+HxGT3naG/psw7WlX6EItLGNUfnRyO4Ciq1LYa0G+phsXrGYkde2IyRqAtIQVIN6QwtqOzA/jDC513FsXaeTaRYs7QuHua/R4si85pqZ2P44j/mWmvrtGEFZzdIlp5plDVLX+tPb3uGGWweaiMn18x5z1f7intPCbha6cRsCv5UzRMerc7U+FEjE3oZGKjTUa3GShVRWkgn8Q21HDS13H6037ow3/oxPPqcpWkG55Nyd5bfWDkXWN6G3DtKzlXtMc4z3Inn1qgwxLeVd/YlKTJqlszcz0IS4IncFn1WfhsKeYb35IgIOlm/Ld8LpckdTVaM9zzpUhpJcvywP9efuY30LyQY8WH0I1fkTF2Q25QW5Iv9h9OPUsFd3uk/upcnWdE1GM0pAyrJtxLkltgahKoQXEGlUYWTU814Z/Y355GXvgZeYihLVlWB5G74ri5fP85qSGeAuttAH31x1LFIbZenuAaz/T1elZZuFTEyb0N/8TJFZMl58B2rXtY3j/M8uzJSPTl2nuLMvzDjLwQlG8ZTsVFEFZCwBUvMJy9DeYI+TrZ7QMzwHN5dzA15YSvCAk9215B1Xf7UmC1ScnuP38KSJlvyWbUL39Ye2Hw/kRY9utZwOMODvee2bz61LBSbq2Y3mbkROzNe1wEIZP+3Mk1tOk93+trDjq9Q91Xndep1YMR2hMGN5n9zxGDPE9fbN1Qf4etN75Wse2uH3l8FtDua8xjsaodBe212AZluGTorFC5IMZz8bNMGMFsC9ma42SGnsGDc2+qtcLJV/XJa9BQdtOiOShSLhG1ngNlT/7AFY22zjT12X0uppzZlbcPWmiar/Mwl8Hdc7YSTzuuouRxRmrzMGcfrIIZ6NsyQbVJh3MszIKSaaTt2WVwZ7V16f6BrZwd13LtvAHVBZbWnzJ9f7oayWbFOKXViTod5y7rg91HD0+g9S1xZCyG38Rb831RB+X8MVoypgLSrqFfqeehqMtPyb68t9YGxPZtK1BlVVW/98Kh6d8EMuJaiOEZ0pKKcd4wLo/a452le2zCQjmAxuuyO857DK5EXlG/r82iPnW2n794ra5DmGpoxvhBhpYCqh9g
5QgPyY+8VWSHbQNyq6ItvsWIE3pVZtiV/L2nGFgxScm3znp1xMAhlA/NZIsQDeyan+1eYE8d/936mWZ82j15tducOL0ptVe4jW5gOn/WPNQvfZcebo51N/oJ82hZu6DvLgZkct4L9iydhMUMtJrsH22Bwhgj5owqVrd0Hcw5TXa1cttE5y2IhZGXtty7mj7c9S96olYO8naq5KOL2ITowFYbzoOW+gimFiKSJtEEZPmY9SEF12DSZ8BlVmN7+BmHp0+mRKZcyQ1zmBlXEVakfo7NSYllDGjQVyBld4r0pd6TRr6c2adTwxzZpv+sjCBZ41MCtaoX/ODH00XZzreitJOyFymBrVI7FOXIJWzL3k2Vr1avX/r+vPITX/j98XFPI7E8zkOHoPD+cZ/Seu8E0nefW4tpotdYZTuobopknFeMLkLLH79od91nG1VT8B6c+aJ49A8iqLvGisQyBI2Xd2iLqkQqwONv2e+v89mbbfbIRxLL5p/+CboBWf8NPVqxAnsceYXR2H/H04sq2fvyJXFn+YWgg9ZmKpfTM8xVI3/wTWlGYB4rzQlTXcWMiGwtumP6oGpWiD640+/1Yq+TTS6OEV5tM2e9haw17iCRTbv7rLeGwFJq5BSxWVPV0gFLJucsKNZbSMe9vLmiWOloHqE6Ay94eqwqnV/k34YAUxZbnyKho1zequx5+6m20bKQJU6pEVzotZRssFc9ad5oPxSIEKaPaQDuL0pSebw1zMrXO6UPS6SwREnVlcO9FfjG1oZ2HL6OG9DwO5NOl5wGM/SJUqWy2jnmj77tUvSE7CCadma1HS/QyjSoWYfYA/kUdqbjBD7t2Jc0LycrWvxBl/XVCkpvp5X/dTcjE3FPkA+/pvrJDGymT+hi0nzYijNaKoWQFyYM6yog8TgjHrUEWajpX1+usS4TZMFDfgnAnBQ9ouSBZpyjkMyi5DkddFaT30WAxa6rLs3X4bKJc04ylbiMGQOwLwrNVtT4kCO2MPcBW7YttpJ1fBZAi015pXagZsz1oo5C2SxljQhL6HZwmtuRV5ouQTG8HTlQi8jxqnbiRuB0ObxAKp+BvmIRs/6WJbWLZZJTPlHquhreGs5PhX/1oqxytIFqXajwrBDtHWHUIsENALAILKvwasNOarCjnncIZsctNea4WSI/P9kxlm+uLxfc8/Hp7ee/vvdd77OsLRQu5b/tHr9nG1MNsLbIy1gRcVn2cue9zU3fGrtr5lpxpRV44EOonW63DJvZWHXX3yBMLOjiarIwkzW491s+caR8ucNFOOliDtJECizIjieAJFNo8lKduDXvKK2w2MaWvm3jzYK9aaBughZCaCDO/7//zMhSCG5x27H0n5PL8AZb7CQYtE+ucumInwUIxf3v7YXIzIXf0MWc8rdt6h5fVjO3sYZitJoo9w/LD6Izu0LBq9Smcsogenu2yHGeL8yVsPncSfjXk6GpHy1jmpfLNta/S61EcRJidb1GeuVZANeL8f/m84Toxh6ddTRL7dFt7iXlCP1N0o29XbV/xtVM3d8m9L4kqAyHqVJF/U1oKvvyPeUaTh4wpDem/vfZ/e1l/yvgCkvBHCyZhQ7OgIkPnWeM3hPKUKEF6tqWEJVNabs3L/pzCoqB65Yv11xjIPoYOSGuUOhdMlwjt8rUSIRtVyGt9skYOXDdiUhq1X/ZXKbzHzduMKviNzEE3X/0pLGiZ6Zk9Ab+RBc1aicetAbTj9e9EWmZgj3hBpTJv+HdCasZBE7VVmVg2r+SDVeSSxJ2wY2f2Pzqb9NJlwtrGmvbcvPh4eX3zebprhdGD5EGzjvA8BUdGZU4ukwcuNhmkSyCfmvR7QKBOREt29jHsxuKcwHNq7Y117sSeOaAXQqCrzgkg3l/WREkOqpXUHIbQbXLo2B9uJdrlHAgx6GUYcgKfsto+RbTl4O1lvpT7I0Ng/beW4Onh3b2BT+N97di2axj28M47kdonjTpnrtjbANtOOKTfW8E6MgNMjQi
xTVsgETxV5JWtS25rqEBKFOMJ2CpZ7S5hfbg6hrgTpsPWaLI0ySsCywv33//+w534nWUZff3Xiz//MADICMzOq+KEyXISuFEvqodtN5zwJLHfJBfmyGm21SxRIUffCaw/WQuicx+2EjNVOfct4ezjqWI/EqX7NS7MRUaXbTAOpCvxNQAMU3w4k/Ck9ZTo4Vq8ejaJXRSomsEnezcnpfW5OBXAV0QoClszQIpsEBHqSd2VSBs+r+a7HVPcKevQYH7lBt+p49qHRO6bdtGQfGTqgdzCGgZXQiWd9usn7o1mqPPl5KXLhiaGD4fUvvlS0Pb16KtPLUvzxUGgmLfvEw5u0BOPxHvfw94DAVlyNAHoYfHhvRgoKu5l5RIZrevaH3TYnIt7X8EKrAvMF2ixbKDFpx8Ppsiw9MZov/aL4V5UJ86Flmy5BEkKqjVIrqyEcHaY5AF0SjV1Ne3nVMGvfyHAE9Hq0zsMuOeyOWXK6to4KXntWu6OwYN66zkggxdembK+CRhyNgeYGmrjeKpEdCy3J24Vx33aItwPoNcg8/Rh233KGhk8hv4QBL3CfSe7OBfv6RrzWi71CnXnt9smDG8CvQo16D9xD9S99F0Vcs40o5Uq0a4POwwvWHQWb4b2yAdhzClPNyztRNqegOI/OyT7OHNIZ7LsVA44gff95RX5VlJJuWYcDBRz3X4sva9nFKKuNxkdkM+cuRlQOueUBzietjSGfeuHYc5Cc9DB8gCnsLdUm3U5xqBAUr4887Gq1zwQmnaKadnXtZzC8PWV0CzrOqhPYH5FswzkCL5SMpAzQLw1jMi03pUPU3Ll6BPg6SsXxlbFyowRmN3I7xOUl+v76S6ee3hegonVeIK6wyAMA1EsXV354pGjzkKSSqtvYj5Drro0w7yBa0kzTvuUyKPW/8pRJfeXn4aXH9XCehXIGOhli2yza4YBDz+8DYAVVYiaQZN/i3KY/2JJdae52SnsBV+wZSndoTO02bwcXIbFUsz/GQvEXpOiPgSdkjGIEFq0+wCgPmHb/G15VG/GHTyKi6V+LMSmR2k+ThS00Hz6b9KmH8YRjK8+AUQdg361R/kQe1zhMJ2+ryO4RwiHFVWK9alIxy2EIzm8CcI5Zsiup8pePGxIT1bLFdB0v+H3aUEAnz5NyPs9qmHuWSrm/0Q+ntxWkfTSaXhBbP7/rDcO4SgUX9mCecpVAekhFKJMsSNCrgzRUbEoln2pMJ/zjvmwjz4RWZmHB33UQfzy4WZCrtpEexjnOeWYW+/2hlztEe3lXHLUuJvp/d3EMm/T7WFv7gwbqYX5LGhfRfvk+5CYw8rCjS5PwGIfba6yRyURqoo0g4is4QkRSuWtqEiTXKQjUGhJu9lap4iky3c2sXFnA5SgtGR2Zoakk3vrpExRmfc4s44C5Z5x1W017knlvoT8tnBEXcki6463d5i7GYfw2BKoeFi+TO7JVbtwXg/jbpOUkzTJkmvlOnw61XbEYSm5pkWPhesYELvyqpdFQa60zEgmlopQpUTiTNV1d+1REY4O4joKwi8Y2BK2CO+dE9Fd3bybYuBLsyjLe307QUHHo0ze9T3K3IU6mKDgc45vBISL/dKGKPAWCwxsrIiytjcTlLVVPaalE9GZdywKuij7bjq9xUC3oVG2ndFwMNDtlZDHQgdz8xzXIE8FWZSIt/7k817rsTBPeeBtehxjp5w3SquPeqdKpllCM2TdZ7dKFQNinjF8OaQXd0oyn/Rg3p+RESGIicxaX3ouFP3xKkctyFTk0PzOAPs1oJqQvrwdtBqlFLr1UE7geW3pET7oVU6pppLynsSGI3lrSixN+06VUAipB3Z+2k3MPA3B0LBTrg4EnDzVnX5tNLwxESZpt47zKeMcu6NdjC8TPFjm/CQEnjDZo9wDY43vPr4GG0swzm2cwppxHUrxPy1JLXUgbrgGuaDJmACbFNa4Rgc/EcPv7HSVFLNc7YfdncL6/dWE3I3Jz0vN9KOegLqmBqs
mfwgBapy/UkJ5vatFuZd3JpayT9o9PRjymqkHowAuGV8SOSz3sgIetdyvGHbKCtxOiCUZzPIPgxBJsKj6iSgWjC9BFpJxbViUtsngHqMePDllPNEys3GIgSIBpyimN++mnoMNcyRt+iMA9UoJHDwj5EUNBzsGrgNmj8EAHKRgOIvCx+ENRSHumOPeIU0MI7S2GkVlfY+wSTyanVOlNvWPBddTqhFpmjrUD6BxL2WWPuLNkUfh3+CDCn4DBm7OWxvHiAlB9C1c20YfZmtYm0PKlAsjsgHXtnnrQAJoqvQM1S11jEJgfqEXUmDGXgdxkBaPPjDontTrVhvpEX7UVOlIqvoOSPoktd0CwlaXO2BGXIVKL2jOOrWekHB8mJI98n0oVptgp08kHO+/kj3yh3B0awHjApHDRkx7hkGrNe7rOnCElYtdH4QjFO7Nt7dNxsh5LVTUxfkwHb04h2wtR12+DRij7C5K46YwNAFMp4O3v9Iq7kFRYqE3VHZLc/fhKblRuI0Ohf4Wa8ByXHx0P6TjnmNKlyXmWn3+vCvt3wR3MxkXTJeiorG2ks9DOwZoIbIE0ynx9nLy4dbn8To1YEA3sxBw79wWhuHbFlxTHrw5+LoCWwJ5l9FMmKrYQEqEJFwMzkvdKghxYnbth8YYUqEQnYKBp2wNQ25X69G27mZ8OSLcF1QR6ExyykRMJ3sJQYMAbMz8QkjEGGiD4lOHbBjAY89KHMX4jrKMvH1MVpQvQbnQsev7KZGgCsEVEMrVBiRRMMK7CZ7OdwuvsIVHVNXRCnH9PGkbYdCl3weHYT52bMzo30oqU1t6UrIUPA+bva40zYsBSbOguZoVtFSIpp26uuMlp9lWMVfi4Y5yurQ1L+rkzEmLbw++33Gt2RacBfY7SHLrzdofBw2mi0RDrjCL0jQjft/6ArVkOr0fxIGqKzRRDKoMtjgnHu/7TxNfEWePcg/zDJwJCg/BJ1f0TIOsS+r6HNmtqzCwcHVvR9xT5hsrqlao6ezvPNFRWq0bSF/e7glODzs/48woMaygOwzD+9N8DflVfDshssxgxHvYsUe2Ie1GP6zNLsxhXpoLwVyXeCAuuWaqoLnVWtqVj/twbKhMIV1gmo9c6L1/T+14DED5lmLK7L9fD8lnSXPA3QJ1smKXdg8EgJSph1CLldMudglgHcydn/fgEIgK8zujCUJzCwxzn62TrFR9N8aRcV62lMiaSV3SjHj6vtnNACJF1yBThlmc8d30kuwTDTPfOCNWqB3QKXsT5qSQ4nHrbWQjpOSSatjQsBr8VL/q3xwtwoqmXCCTyUS8rVQLFx02gEk2K+CePCt3kAu5HVXtz1Y4xkzrtaV1XZXjoetyRV8VkoULNh3F+/0lmUhmu7MNcZ4hl3Z+fzmmRtaKznCdcO8vycdBj9uK8lStaKcd9ynZk9Nb8r5Dtoc7Zk2J90YbrTtypmLDM0HTURryap7ymQSqMM1a74FKPQeqLRayRz6Mgy1XyOHY7yuSZEHnkiVElXlOh5TllcD00r/3jVMP82QU29K8/pWwASWMJXmRNHNIT2fcMLJPbNMvZ3y/ubqbjCvjbzChVpxyikFxNBhcpdGWMNwW9pQ+AUfVTA1RY7oHvRHygWhJFwuWhHiEsfCZKhjejNxMpm+vCONzUfKUTCc3Q+wTi9R18eWIt+SNp9xuEDyExhkiMFF408bd3XQcbyPh+3M3jn7bV+Rd9flsOHejEQWK7Vi82ZEeZXJhHLPWfbVDmS0UPXhWXS1MzBf2B8mWjFObqOnD3ywz10quNi7U1uYhgPvBUScD/AiZdfKOjLvCjQR/MnPbjzmniPZAI9XvLq/qx46NifOMyIfPQyINJ5i1moehQFaGfKXt+I4whYU5nMD9v9yPdj5MBVQmA6W8HhhmuRZbKKZFMsg0o7wngvrp7pLby3tzE4qc8eXuBudkvtUw8LLNKBdlWDoeh0OU2t3dT8QBFNO7ZYMr2jTDbFkCXMEsY6j9UO7
oI8vLvJEA2vDgOOuHUT1vHfchiH3Qjqtj5G1iPlz4I/iWrbctNj1IOKKgsOekRbKHaU/VHIxmSwOsRbf183HC+NZQMiLRdTqdTCbXjfpBQygQE7RuxXLcG8PqFnh8ff2BoZSOTGyQ3/zv3Eu/QzjIHlULsCIop8k4Q3hOM6PUzlKqw0lZxxct86TBdVceCQM1PzUAY3wWdk55iagf3hlyNNGlHGUHz6nSIFOlUffGnaXa3B1eMqyE0k5fzMtMsyIDwv3LvFZoB3eSoa1kgq7TOsot1baB2pb+X1F1AnJIWZnHEQCONhkjBADRH+Z9DKURuFUmjNJUMzXcrS0HtcpR7XG1j9KQHlEvzt8UyEX0nDRwpEe8EbBT1W0FtjHBlfky16iRt7YPV60RupBoIdnvkFY1PReZsG10jNCzcVjauZOHdgrqLnEGjhG7w7YMxuM7ubp5dT2d7tPt4c2ZFvIVrp/UNTcnd474iNz9CgbuAdmDMVxdMi8wU9lrKXE3mf7XAGO1RO4m44sHkElVTfJ+hN0114ili+7oo4v5rVpXfuZMky/D8TS4e3F483HMGDJb839kFxAO2JXPfWnle9BD3nAOmxl287972FRhCMLbU/cCpnuhhBrMn4hk74E+Yh/ABr30ugHiq66POoEOA3bxc49iVAF0DhuVCcziXbAh00zokeN/1L0970+xVGiQa5o1+0NXxiPDsqFLXgwAXCBrcfdi16NmxBXFBcO079lC6PctmkG2IkvRxUXtf5mOiBwyAJCFRM1/T1IMP2ZFlqJLihrNPuUDCLDlRI2hEhZjjqzIUlyBsdsXY6WGgYBoZPuQpWQ63lstsnRTSIFoWzEAvsKcvHOh0JMxHZcF3zDMlJ9L18dVC8J46rrqsKrtMWHK8/MZfgPQCpDoRRg+FOBqQLrK2EPRRwYDeneXHYZxnV2wc9h3/KfOJDJCdOGnsHdQjEqZFqXGjXj5UOrhOBdRalw3ueE60kVeUKUgjWOWc7THmOXMNzeYrw6r4adO3bfEhUzH1y7DbT41oXpFxIJkQhSuYUGj5YVzY/vW/i5ycQAbYGZffb28J6LQLK+63LbI9wKYcaMg4sH4Mrm3dAkXY5sjFiuq4A1yLL3FYQmPkFrFSqC7TCctmmG2mMrVRArbmn7oAVaIjCVb3EfGxNIc8bwohEAuxGZmWohszCKLnlaIR033rViSssgETQlIKSQZzosw35hDn7/2uLhDP3obKOtt1lqQNpdeMNATT4MJBYYCbAop5oBsnbxl/KG2y04Mg9pQOQgmadrVTkby+eNtpWbv0z4EoLf9+kmiwXZhH13judh7Fpw8F/6dMcJU5lnP1pjxXk+113kQyKk11SS4pKLRKJDltQcxLLC/GS7rvvCaY7sXfytB6arJ0Jgc2G8lleqhJ+TyqCn4+66vuSFM4LHIKB+hrXwrhabwmACkmK2wbhaOsnXNzwE46fDoh5PTcIr400MDq4g4h4VmmdhASl41DZvmmc5yeDWnqvrIBg7aD1wwoftsBHDcbf13C3rYVW1Zl6pn+Z4+aY5vqY6YKfvRT4fhSpoyMUftVfjRkCTzwVaFljWmluoYD+monm2SCQU9WV0ncSdG9DhTk+dh/ynFsjR/HAXO1ejHTCIJoNusWLIiFasngcRs0FC7mh1zQ3yM1JZ00xsnd+S23biotPHMMT2gNfvB/Zus0xQy1KFDAmwNqZcgbephEMjJoZcZSD0qJ1R6rHhHY+ry4R9gW1fJ6nI5iCVC1apDoMZWsZKYOoSPYmsYx8yVI4enaAFS0qzEbGfU6HcVot8DJBd9tfyfnFZjSJHJZDK6bKTjvtFF7+PryINrkVhPqJHwpSK0VTCPtPj1QDPvNewEIPtSH9aWJHzD5mz1/3GszTexTYMfbiYV6RF2IwmqzBBDeGrL5D7lMHfUCguG98TyfjOiuLlUKuxAOU69aYnGjCgtgS9typ11AA5Vr5ZKidkDIPr4Pl5e33yekun0A6H
aVcIfp9eUGSArNmUGI8L+DWPks2gYDx9E36IZbzM0mkr67s93d9MBAW1A9Mrmp7/aKsbD4lclAr07uas0+aGqNDltsQij8L6laGp9h0EPDK6YZmvc/vU7otZAWfcDajQJGoaFmb19f3llUY2KL1bANbK+PzWjH63rK/iGyfpbCTyBUdEpruwC4p6s3ZiqLhffZHAARE9ZiWN1+7HxOQdq5R/3zrquyn+9+/v1PRFyMDfc942doVZgcTQHn7qeN6aN6Ovl9RPY67JArGhb8Z0auiMq2SpYA65Qnu5TDPNd0QJkKkUhk3Vq5EQERc2LHymKwv7Lcx2LzEhFXGRNoXgMqgIkK8wvcWFd11gMsgLMiT0CGO4r55PP63cMLDfywmEbsDe7X5h9FR+R80b6/eZt4mPQmb11HnSGU10kYRga40sXYYEpEfewOQbDstG+sxDlcltdvJzc7LPogfE7lnR2RWsNwZHlKnAjh23A8CiVADMlvx1S9pQ6V4of8qAch+a+qsfW9J2IJ3gmFD/oOTkd1dE+E8VzUKuCSsDscLfDZrN598iHgeBXahuMXFUywe3s50v4jQxeVTLBb+q3D2GEyUvJBD2U3MMY1cpPyQS7YZ1nP6ZRnZIJfqM6z39FZeo7Xg13qvNAkCPJu0hGBJLbnYncqq6zMUd1qVMywVV5PIxhE7iSCXZHOM97TDM4wx21GZznPdwHznCOtg2f1gJOyQS3y5pH8XmwT4lS2NtuejVmz6Eu+X9SBXWrnCnoYeVZZbRd9Qlh3LfkckQlKaWy/pJWRxrVri33Ntk+5gfcsCdx36MbZq8pcgbLztNgk3AFV69dFY+hp4Pua/dwgho2ohKp0hS1ItD//PObi58fq8G3amf18cdc/Ms0Z9yXQB3RSh87CXhM7q/STGM2hbsstajK3lrSREu2XMJgIIYq5/8EzIYW/r28R7aPN3ahmKtWetS0nL+6sxzGOFTK+b5KdDKcyy8hsn3scd2st2LZIdrDWRUsYaLnDJzqa62pj3G3bszeRc7MqOvF+Hip0Yl8assT9BIBn1ZgCVdlRWxFN12XUBuBCHeb1HhsXPwT0agSOXLJp9vukQ1yR76z9F5lZrGoSv1oDfIlYQvCBYeX5ou88lcMTJBeSaDIMVRfb66nnvCIIArc1bGFR7xlCdaDNiXMQ+yuFS3GNBrUIkLfqLTRsOKY5lFaaEzD+CdDjuQ2+nIEY+8yxebfEPOOgRpwV2hJE4jiNE4yqlaO/uBDS0vKU4bZYO/+8pOlqjJaJxkNY0CtdGKLF1qq7hE5ahY8XtSWMvfTuuGhRZONRGP11TOoxEM4SkgyrpFq7b9jGeymo4SqnONQfIUuOYcMc3+416CjO7wajj3OHLQ5jxo47p3ZAjDiaKIy9w+QYbYlogfGPYH3gr4/34xBYWuPlgokdm+Wz7yBpyqvMaZJS9nXpOW4zGRh24+XRZFt26TDzGUWoSfu54+3Y3vi1gAyhulVbSBoEe7DgL4bdvxH7QGJLBMa/Eccir7EzRMfx5+VbYcy8Co23GcLIftffkfB2HUZqAsHjpgJnaPbqKtoA6+3FCB9Nfj5lnz+dHcY0JoiqnFVwv6Q235NC9zCyjvGI6or4z9u9h80Q/0AKwSzHFovn5OBfNkDskf/MBhkM/I+lhGm5GctHoEdO/d0ANbLjprS96XMOEg6Z5kRECqh3HMZ4c1Dd6J+GeM0XWNWjKiWYEhpXjOJaaP8YsiNmWHzPcw3imN8c01elJx9K8FxaHScHAgjXQtWzJDNxzZ1rxhVymddYO62yX3zK4Oc3fMGj//NREFCvhScfHIPpxECoOD4xmntm6Aa/cTMyd44w0BkuLzccZvy47tRFr51mfEEs/B6W/hdUQ3LQWufAYF6IlsYht4qhjvyJdTiP0IkbVCNJl++3g4PepN9K2mGmpFh+O4T7WOO7rU0zEf5LNebYp1R3P32dUK+3F7eD876BrFJ4tfjmyRuKBeFpgVyq0y
D6EOzsuZlUWR18v7gK22D2brxq2vduBRHzA7Qhw0UbI04M0AfyFcoyI1rn2sm5IvtEXEYyiMt9Qq5sNp/X5Z6Nbqs2mNlWMMG8FnBmIzRR9SEuSox47+DJ3X3H/9fAAAA///IryL4" } diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index 80d457a3ad3..f94eda77dd3 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md @@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-08 15:21:19.474128 +0000 UTC. +at 2020-07-08 16:42:01.767573 +0000 UTC. diff --git a/x-pack/filebeat/module/imperva/fields.go b/x-pack/filebeat/module/imperva/fields.go index 213702175fd..75f3191df80 100644 --- a/x-pack/filebeat/module/imperva/fields.go +++ b/x-pack/filebeat/module/imperva/fields.go @@ -19,5 +19,5 @@ func init() { // AssetImperva returns asset data. // This is the base64 encoded gzipped contents of module/imperva. func AssetImperva() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml +++ b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 96edd97528d..9e35e293cee 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -20,8 +20,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.81.122.126", - "10.70.155.35" + "10.70.155.35", + "10.81.122.126" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -53,8 +53,8 @@ ], "user.name": [ "magn", - "tatno", - "aqui" + "aqui", + "tatno" ] }, { @@ -133,8 +133,8 @@ ], "user.name": [ "uradi", - "qua", - "temUten" + "temUten", + "qua" ] }, { @@ -160,16 +160,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.157.161.103", - "10.64.70.5" + "10.64.70.5", + "10.157.161.103" ], "rsa.counters.event_counter": 3561, "rsa.db.database": "lupt", "rsa.internal.event_desc": "tat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "taut", - "deny" + "deny", + "taut" ], "rsa.misc.category": "tion", "rsa.misc.disposition": "eataev", @@ -198,9 +198,9 @@ "url.original": "https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium", "url.query": "iciatisu", "user.name": [ - "CSed", + "tem", "emeumfu", - "tem" + "CSed" ] }, { @@ -263,9 +263,9 @@ "url.original": "https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu", "url.query": "ice", "user.name": [ + "dol", "tlabori", - "hitect", - "dol" + "hitect" ] }, { @@ -321,9 +321,9 @@ "forwarded" ], "user.name": [ - "ari", "adeseru", - "itame" + "itame", + "ari" ] }, { @@ -346,8 +346,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.206.97.204", - "10.133.189.215" + "10.133.189.215", + "10.206.97.204" ], "rsa.counters.dclass_c1": 4842, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -374,9 +374,9 @@ "forwarded" ], "user.name": [ + "fugitse", "ommodico", - "evita", - "fugitse" + "evita" ] }, { @@ -400,8 +400,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.145.248.111", - "10.148.106.167" + "10.148.106.167", + "10.145.248.111" ], "rsa.counters.dclass_c1": 3994, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -432,9 +432,9 @@ "forwarded" ], "user.name": [ - "tectobe", + "uae", "tium", - "uae" + "tectobe" ] }, { 
@@ -516,8 +516,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.43.226.231", - "10.221.102.245" + "10.221.102.245", + "10.43.226.231" ], "rsa.counters.dclass_c1": 302, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -548,8 +548,8 @@ "forwarded" ], "user.name": [ - "eFi", "ritatise", + "eFi", "rinre" ] }, @@ -574,8 +574,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.56.136.27", - "10.239.96.8" + "10.239.96.8", + "10.56.136.27" ], "rsa.counters.dclass_c1": 3714, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -606,9 +606,9 @@ "forwarded" ], "user.name": [ - "nts", "orsitam", - "atevelit" + "atevelit", + "nts" ] }, { @@ -665,8 +665,8 @@ ], "user.name": [ "ctetura", - "sit", - "oeni" + "oeni", + "sit" ] }, { @@ -700,8 +700,8 @@ "rsa.internal.event_desc": "ian", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "nonp", - "cancel" + "cancel", + "nonp" ], "rsa.misc.category": "dolore", "rsa.misc.disposition": "onsecte", @@ -731,8 +731,8 @@ "url.query": "por", "user.name": [ "rum", - "texpli", - "emUteni" + "emUteni", + "texpli" ] }, { @@ -756,8 +756,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.110.114.175", - "10.20.72.231" + "10.20.72.231", + "10.110.114.175" ], "rsa.counters.dclass_c1": 5798, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -846,9 +846,9 @@ "forwarded" ], "user.name": [ - "rem", + "rcitat", "aincidu", - "rcitat" + "rem" ] }, { @@ -997,16 +997,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.57.164.187", - "10.241.230.235" + "10.241.230.235", + "10.57.164.187" ], "rsa.counters.event_counter": 3317, "rsa.db.database": "sBono", "rsa.internal.event_desc": "llamco", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "olorem" + "olorem", + "accept" ], "rsa.misc.category": "atu", "rsa.misc.disposition": "untincul", 
@@ -1035,8 +1035,8 @@ "url.original": "https://example.org/emqu/riss.gif?sitvol=dolore#nsequat", "url.query": "olorsi", "user.name": [ - "scingeli", "olorsit", + "scingeli", "isn" ] }, @@ -1061,8 +1061,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.79.147.101", - "10.105.46.101" + "10.105.46.101", + "10.79.147.101" ], "rsa.counters.dclass_c1": 6068, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1093,9 +1093,9 @@ "forwarded" ], "user.name": [ - "uptat", + "cingel", "ddoeius", - "cingel" + "uptat" ] }, { @@ -1212,8 +1212,8 @@ "forwarded" ], "user.name": [ - "amali", "rsita", + "amali", "tas" ] }, @@ -1270,9 +1270,9 @@ "forwarded" ], "user.name": [ - "rumetMal", "imadmini", - "oditempo" + "oditempo", + "rumetMal" ] }, { @@ -1298,8 +1298,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.81.46", - "10.251.1.35" + "10.251.1.35", + "10.201.81.46" ], "rsa.counters.event_counter": 2001, "rsa.db.database": "mquisno", @@ -1336,9 +1336,9 @@ "url.original": "https://example.com/admi/onnu.gif?saute=atatnon#tcupida", "url.query": "isa", "user.name": [ - "agnaaliq", + "niam", "est", - "niam" + "agnaaliq" ] }, { @@ -1372,8 +1372,8 @@ "rsa.internal.event_desc": "nimad", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "prehe" + "prehe", + "accept" ], "rsa.misc.category": "ataevita", "rsa.misc.disposition": "oremqu", @@ -1402,8 +1402,8 @@ "url.query": "lmolesti", "user.name": [ "ersp", - "amnisi", - "ulap" + "ulap", + "amnisi" ] }, { @@ -1459,8 +1459,8 @@ "forwarded" ], "user.name": [ - "odi", "eetdo", + "odi", "nse" ] }, @@ -1517,9 +1517,9 @@ "forwarded" ], "user.name": [ - "reseosq", + "nse", "autf", - "nse" + "reseosq" ] }, { @@ -1658,8 +1658,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.45.215.202", - "10.238.245.236" + "10.238.245.236", + "10.45.215.202" ], "rsa.counters.dclass_c1": 7822, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1686,9 +1686,9 @@ "forwarded" ], "user.name": [ - "gia", + "stquidol", "ihilmole", - "stquidol" + "gia" ] }, { @@ -1745,8 +1745,8 @@ ], "user.name": [ "etdolor", - "essequam", - "emp" + "emp", + "essequam" ] }, { @@ -1770,8 +1770,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.225.139", - "10.229.165.102" + "10.229.165.102", + "10.18.225.139" ], "rsa.counters.dclass_c1": 3553, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1802,9 +1802,9 @@ "forwarded" ], "user.name": [ - "edquian", + "lestia", "orum", - "lestia" + "edquian" ] }, { @@ -1855,9 +1855,9 @@ "forwarded" ], "user.name": [ + "ptassita", "itseddo", - "veleumi", - "ptassita" + "veleumi" ] }, { @@ -1881,8 +1881,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.50.69.209", - "10.189.6.107" + "10.189.6.107", + "10.50.69.209" ], "rsa.counters.dclass_c1": 1684, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1914,8 +1914,8 @@ ], "user.name": [ "exerci", - "eirur", - "isci" + "isci", + "eirur" ] }, { @@ -1971,9 +1971,9 @@ "forwarded" ], "user.name": [ - "roinBCSe", "ender", - "olor" + "olor", + "roinBCSe" ] }, { @@ -2029,8 +2029,8 @@ "forwarded" ], "user.name": [ - "uid", "oreseo", + "uid", "sit" ] }, @@ -2083,8 +2083,8 @@ ], "user.name": [ "dolor", - "hilmole", - "iamqui" + "iamqui", + "hilmole" ] }, { @@ -2166,8 +2166,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.53.133.90", - "10.245.219.7" + "10.245.219.7", + "10.53.133.90" ], "rsa.counters.dclass_c1": 6066, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2198,8 +2198,8 @@ "forwarded" ], "user.name": [ - "ptatev", "rsit", + "ptatev", "nvol" ] }, @@ -2226,8 +2226,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.64.168", - "10.67.173.228" + "10.67.173.228", + "10.161.64.168" ], "rsa.counters.event_counter": 2448, "rsa.db.database": "sin", 
@@ -2265,8 +2265,8 @@ "url.query": "ommo", "user.name": [ "onsectet", - "tam", - "nesci" + "nesci", + "tam" ] }, { @@ -2290,8 +2290,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2322,9 +2322,9 @@ "forwarded" ], "user.name": [ - "olu", + "olupta", "aUtenima", - "olupta" + "olu" ] }, { @@ -2348,8 +2348,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.150.82", - "10.59.182.36" + "10.59.182.36", + "10.18.150.82" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2380,9 +2380,9 @@ "forwarded" ], "user.name": [ + "qua", "luptat", - "mtota", - "qua" + "mtota" ] }, { @@ -2466,8 +2466,8 @@ ], "user.name": [ "upta", - "secte", - "ciati" + "ciati", + "secte" ] }, { @@ -2501,8 +2501,8 @@ "rsa.internal.event_desc": "velites", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "caboN" + "caboN", + "cancel" ], "rsa.misc.category": "oloremi", "rsa.misc.disposition": "edqui", @@ -2530,9 +2530,9 @@ "url.original": "https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor", "url.query": "sequa", "user.name": [ - "iquamqu", "onpr", - "idolor" + "idolor", + "iquamqu" ] }, { @@ -2588,9 +2588,9 @@ "forwarded" ], "user.name": [ + "tvolup", "tin", - "assi", - "tvolup" + "assi" ] }, { @@ -2667,8 +2667,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.255.179.32", - "10.238.252.246" + "10.238.252.246", + "10.255.179.32" ], "rsa.counters.dclass_c1": 5626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2699,9 +2699,9 @@ "forwarded" ], "user.name": [ - "olore", + "iamea", "iatn", - "iamea" + "olore" ] }, { 
@@ -2725,8 +2725,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.124.136", - "10.98.52.184" + "10.98.52.184", + "10.28.124.136" ], "rsa.counters.dclass_c1": 4298, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2757,9 +2757,9 @@ "forwarded" ], "user.name": [ - "icaboNe", "billoi", - "umq" + "umq", + "icaboNe" ] }, { @@ -2783,8 +2783,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.92.177.251", - "10.200.162.248" + "10.200.162.248", + "10.92.177.251" ], "rsa.counters.dclass_c1": 3914, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2815,9 +2815,9 @@ "forwarded" ], "user.name": [ - "billo", "cul", - "lumdol" + "lumdol", + "billo" ] }, { @@ -2872,9 +2872,9 @@ "forwarded" ], "user.name": [ - "mull", "ueporr", - "seq" + "seq", + "mull" ] }, { @@ -2931,8 +2931,8 @@ ], "user.name": [ "mtot", - "cteturad", - "roinBCS" + "roinBCS", + "cteturad" ] }, { @@ -2956,8 +2956,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.89.16.162", - "10.178.183.11" + "10.178.183.11", + "10.89.16.162" ], "rsa.counters.dclass_c1": 1449, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3024,8 +3024,8 @@ "rsa.internal.event_desc": "meaquei", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "tqu", - "deny" + "deny", + "tqu" ], "rsa.misc.category": "snisiu", "rsa.misc.disposition": "atem", @@ -3054,9 +3054,9 @@ "url.original": "https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat", "url.query": "mvol", "user.name": [ - "gnama", + "sunte", "exerc", - "sunte" + "gnama" ] }, { @@ -3080,8 +3080,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.52.221.103", - "10.20.158.236" + "10.20.158.236", + "10.52.221.103" ], "rsa.counters.dclass_c1": 6386, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3112,8 +3112,8 @@ "forwarded" ], "user.name": [ - "dantium", "oinve", + "dantium", "aute" ] }, 
@@ -3138,8 +3138,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.199.46.88", - "10.250.231.196" + "10.250.231.196", + "10.199.46.88" ], "rsa.counters.dclass_c1": 2867, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3170,8 +3170,8 @@ "forwarded" ], "user.name": [ - "olup", "utlabore", + "olup", "equuntur" ] }, @@ -3286,9 +3286,9 @@ "forwarded" ], "user.name": [ - "itaed", "uptatem", - "eritquii" + "eritquii", + "itaed" ] }, { @@ -3344,8 +3344,8 @@ "forwarded" ], "user.name": [ - "cid", "ationem", + "cid", "upt" ] }, @@ -3410,9 +3410,9 @@ "url.original": "https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco", "url.query": "empor", "user.name": [ - "doconse", "volupta", - "remeum" + "remeum", + "doconse" ] }, { @@ -3438,16 +3438,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.147.37", - "10.106.63.42" + "10.106.63.42", + "10.86.147.37" ], "rsa.counters.event_counter": 2211, "rsa.db.database": "ameiu", "rsa.internal.event_desc": "por", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "mip" + "mip", + "allow" ], "rsa.misc.category": "stiae", "rsa.misc.disposition": "icta", @@ -3476,9 +3476,9 @@ "url.original": "https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu", "url.query": "rrorsi", "user.name": [ - "ugitse", "olor", - "aeca" + "aeca", + "ugitse" ] }, { @@ -3502,8 +3502,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.110.240.8", - "10.112.132.76" + "10.112.132.76", + "10.110.240.8" ], "rsa.counters.dclass_c1": 5784, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3535,8 +3535,8 @@ ], "user.name": [ "tam", - "ulamcola", - "equun" + "equun", + "ulamcola" ] }, { @@ -3592,9 +3592,9 @@ "forwarded" ], "user.name": [ - "niamq", "natuser", - "labor" + "labor", + "niamq" ] }, { 
@@ -3618,8 +3618,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.246.196.160", - "10.170.90.90" + "10.170.90.90", + "10.246.196.160" ], "rsa.counters.dclass_c1": 4933, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3736,8 +3736,8 @@ ], "user.name": [ "essequa", - "mdolore", - "xerci" + "xerci", + "mdolore" ] }, { @@ -3771,8 +3771,8 @@ "rsa.internal.event_desc": "itanimi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "meumfug", - "deny" + "deny", + "meumfug" ], "rsa.misc.category": "rinc", "rsa.misc.disposition": "isistena", @@ -3801,9 +3801,9 @@ "url.original": "https://www.example.org/uatu/gel.gif?itsed=mvolu#agn", "url.query": "eritinvo", "user.name": [ - "orumS", "tesseq", - "labor" + "labor", + "orumS" ] }, { @@ -3854,9 +3854,9 @@ "forwarded" ], "user.name": [ + "quaeabi", "tion", - "eddoe", - "quaeabi" + "eddoe" ] }, { @@ -3977,9 +3977,9 @@ "url.original": "https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati", "url.query": "lapa", "user.name": [ - "cit", + "amcorpor", "atem", - "amcorpor" + "cit" ] }, { @@ -4062,9 +4062,9 @@ "forwarded" ], "user.name": [ - "idid", "trumexer", - "uisautem" + "uisautem", + "idid" ] }, { @@ -4098,8 +4098,8 @@ "rsa.internal.event_desc": "doloremi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "sequatD" + "sequatD", + "cancel" ], "rsa.misc.category": "uisno", "rsa.misc.disposition": "atevel", @@ -4153,8 +4153,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.84.3.244", - "10.211.242.138" + "10.211.242.138", + "10.84.3.244" ], "rsa.counters.dclass_c1": 545, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4238,8 +4238,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.13.86.14", - "10.121.189.113" + "10.121.189.113", + "10.13.86.14" ], "rsa.counters.dclass_c1": 7284, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4269,9 +4269,9 @@ "forwarded" ], "user.name": [ - "turvelil", + "lapa", "volu", - "lapa" + "turvelil" ] }, { @@ -4295,8 +4295,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.32.220.188", - "10.50.195.220" + "10.50.195.220", + "10.32.220.188" ], "rsa.counters.dclass_c1": 2636, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4328,8 +4328,8 @@ ], "user.name": [ "ectob", - "lorinrep", - "nimi" + "nimi", + "lorinrep" ] }, { @@ -4385,9 +4385,9 @@ "forwarded" ], "user.name": [ - "colab", + "exe", "iutaliqu", - "exe" + "colab" ] }, { @@ -4438,9 +4438,9 @@ "forwarded" ], "user.name": [ + "edictasu", "utal", - "oreseo", - "edictasu" + "oreseo" ] }, { @@ -4474,8 +4474,8 @@ "rsa.internal.event_desc": "consec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cae", - "accept" + "accept", + "cae" ], "rsa.misc.category": "dquia", "rsa.misc.disposition": "cep", @@ -4672,9 +4672,9 @@ "forwarded" ], "user.name": [ - "liq", "psamvolu", - "imven" + "imven", + "liq" ] }, { @@ -4698,8 +4698,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.164.123.69", - "10.161.51.238" + "10.161.51.238", + "10.164.123.69" ], "rsa.counters.dclass_c1": 5031, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4730,8 +4730,8 @@ "forwarded" ], "user.name": [ - "xercitat", "litesse", + "xercitat", "xeacomm" ] }, @@ -4755,8 +4755,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.73.97", - "10.227.144.202" + "10.227.144.202", + "10.112.73.97" ], "rsa.counters.dclass_c1": 2469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4836,8 +4836,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.76.165.58", - "10.185.248.253" + "10.185.248.253", + "10.76.165.58" ], "rsa.counters.dclass_c1": 4963, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4868,9 +4868,9 @@ "forwarded" ], "user.name": [ - "nisi", + "ugitse", "amqua", - "ugitse" + "nisi" ] }, { 
@@ -4896,16 +4896,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.163.27.208", - "10.177.36.122" + "10.177.36.122", + "10.163.27.208" ], "rsa.counters.event_counter": 4087, "rsa.db.database": "aaliq", "rsa.internal.event_desc": "rationev", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "oriosamn" + "oriosamn", + "accept" ], "rsa.misc.category": "etco", "rsa.misc.disposition": "usanti", @@ -4934,8 +4934,8 @@ "url.query": "orporiss", "user.name": [ "avolu", - "eFini", - "ept" + "ept", + "eFini" ] }, { @@ -4959,8 +4959,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.35.215.152", - "10.143.175.148" + "10.143.175.148", + "10.35.215.152" ], "rsa.counters.dclass_c1": 6141, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5049,9 +5049,9 @@ "forwarded" ], "user.name": [ - "asp", + "ptatemU", "ataev", - "ptatemU" + "asp" ] }, { @@ -5075,8 +5075,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.16.82", - "10.44.179.66" + "10.44.179.66", + "10.248.16.82" ], "rsa.counters.dclass_c1": 2353, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5107,9 +5107,9 @@ "forwarded" ], "user.name": [ - "xercita", + "proiden", "loinv", - "proiden" + "xercita" ] }, { @@ -5143,8 +5143,8 @@ "rsa.internal.event_desc": "ntiumtot", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "ionulamc" + "ionulamc", + "allow" ], "rsa.misc.category": "aeab", "rsa.misc.disposition": "idolo", @@ -5173,8 +5173,8 @@ "url.original": "https://www.example.net/umSecti/emaccu.html?atu=ddo#veli", "url.query": "ata", "user.name": [ - "tqui", "reseosqu", + "tqui", "strumex" ] }, 
@@ -5201,16 +5201,16 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.116.180.96", - "10.199.117.125" + "10.199.117.125", + "10.116.180.96" ], "rsa.counters.event_counter": 6700, "rsa.db.database": "ssitaspe", "rsa.internal.event_desc": "rsitvo", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ectet" + "ectet", + "cancel" ], "rsa.misc.category": "esciuntN", "rsa.misc.disposition": "ritatis", @@ -5238,9 +5238,9 @@ "url.original": "https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu", "url.query": "nrep", "user.name": [ + "pidatatn", "iof", - "ciun", - "pidatatn" + "ciun" ] }, { @@ -5296,9 +5296,9 @@ "forwarded" ], "user.name": [ + "ptate", "ommod", - "imidest", - "ptate" + "imidest" ] }, { @@ -5332,8 +5332,8 @@ "rsa.internal.event_desc": "itame", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atemq", - "block" + "block", + "atemq" ], "rsa.misc.category": "quaturv", "rsa.misc.disposition": "lumdolor", @@ -5363,8 +5363,8 @@ "url.query": "aturve", "user.name": [ "Nemoe", - "seq", - "reverit" + "reverit", + "seq" ] }, { @@ -5421,8 +5421,8 @@ ], "user.name": [ "sequamn", - "tasnul", - "res" + "res", + "tasnul" ] }, { @@ -5570,8 +5570,8 @@ "url.original": "https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre", "url.query": "upta", "user.name": [ - "itsedq", "uisaute", + "itsedq", "min" ] }, @@ -5596,8 +5596,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.120.18.135", - "10.9.248.95" + "10.9.248.95", + "10.120.18.135" ], "rsa.counters.dclass_c1": 6969, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5628,9 +5628,9 @@ "forwarded" ], "user.name": [ - "ratvolup", "iatquovo", - "ero" + "ero", + "ratvolup" ] }, { 
@@ -5654,8 +5654,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.249.76.99", - "10.109.203.111" + "10.109.203.111", + "10.249.76.99" ], "rsa.counters.dclass_c1": 3516, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5685,9 +5685,9 @@ "forwarded" ], "user.name": [ - "uis", + "xercita", "atio", - "xercita" + "uis" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index 77920909608..52fba8ff615 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-08 15:21:19.916982 +0000 UTC. +at 2020-07-08 16:42:02.159347 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/fields.go b/x-pack/filebeat/module/infoblox/fields.go index 9906c9f3bbe..5b80cfb5f74 100644 --- a/x-pack/filebeat/module/infoblox/fields.go +++ b/x-pack/filebeat/module/infoblox/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetInfoblox returns asset data. // This is the base64 encoded gzipped contents of module/infoblox. func AssetInfoblox() string { - return "eJzsfV2TGzeS4Pv8CpwfzpJDpsbyx97qZudC290e940k96ole+NiIirAqiSJaRRQBlBk07/+AgnUB6tQJAtVlKy904NCIpnIRAJIZCby42vyAPuXhImVXHL5+CdCDDMcXpJb/wl5e/vz/Z8IyUCnihWGSfGS/PVPhJAaiKwY8Ewv/kT8v17i1/bP10TQHF4SAWYn1cOCCQNqRVNY2M/rnxFi9gW8tLTspMpan2ewoiU3CQ78kqwo13DwdY+q6s9bmgORK2I2UKEnNXqy24AC/M4oulqxlGyoJksAQeRSg9pCtujNQmnaI3mtZFmcT3CXQc3gSJug/GASYRyhYZqBcr0++HyYuT0Ovt8wbX9HmCalhowYSVJamNLzStEdyUFrurb/p4akMgdtSZf2+87QhLyWa3INqcxAhUl1Y7EuUcMEV5CwBWESS/xoUI90Mo88YzRyJpXCgDDa7jgmtKHCVIh0kArD8jAJGTXdL/r4mcNqByHUkN2GpRtCiQatmRRkw4wmlLwF8yszArSuVmHRW6J6OnojS54RAVtQZAn1+hdUaSBvwFBLGiUrJfMWqiev5Vo/v6PpAxj9tDf8NVOQGr5/Roynm5J34A6Y22miReYiyCoOW+BBXnEpunv9gFfXUChIqfG4MlgxARmRgiNiQ5ccSE6LMN5cr5MRW/PIOr3xZ+b2+huypbz0p4dlIAxbMb+H4JGmhnC5djxXPWYi/cwO71ccf2dZWlBlWFpyqhDeL85icHV7Q0etdmh1eyMPr/Yg07dzc/3F/+f6ca5brLEsn3bI5PKfCZLaZfxHxL+lYfFyceQKtCxVGn0XTZ96/EmbhlsbaiAHYT4NelpmzCQpp53z8NEIAGHU/tOg3lhN4NOgZmII9WVv8uqcfcoVz4CGz9plp74CyMbpyQM3asgeaP2wMrUsvt4N2LuepmmZnRuwN/oJLXOYTx2jdDY+iZYtGmSQY0hvIjMxiAR4NJpB6TxKWSnYbyU0SpiqZ+g/2h8aLldSpFZYUiP/6NbLwLHfsqmCp82/KzsQW7GUtk+dNbRvrElM7lHQkVJkoKyKqsALjN7kVuwRMqLB2EEOgA9x6GGFtmJzb+zJCm3N5t7Qo9je95zEWPpxm6tH+YhZj5vlRupoPaq9t36S2rRFFe/uKg0iY2JdfalDS9+y5j8fDrLwJul9PMi627vtd4RmmbIya+hQdtnXm5+Rnyv7tj9MZ+AP/+8y0HJrjhPcPb3OpdH2W2SEkjXbgqjdFZ/vpWpZNGTBXlarzj6NMvR5eHEHDV5Z7BMFv0WtV/tpAhcJZ7bcIx9v3ODkDrf7M+/9M5S83xdAUto/yUsgwMwGFPlwK8w3PxCpyI9cUvPtC7KkGndC5dhfsXWpUBU6MbOwgvcZzwwfWaYYRTPYrhZ6LeOdJcfssmrsz954lWpHVTZBjWnJjtbE2ry6vfvlQMOhRAGn3WUhRO+1gdxfOZ4wO9oG3H7Sjj32/1KxNROUVzCHt/eJmcZrHEceOG/vfvkhMElPYG+u0ydZU9Tn4xySvNlsfVUpVpJvgGagZnoZ+wkHI7fXU15oHEXthxocJu6d5g/thOFpMoMfhlaKx22jeOBmtwr3leQcUiPV5ygILX8u8rJu9w3TJHXMgczScqCavZbdS54cYeUf0BLJ0+XHU85yqTF4JJeCLPe9ZSFEwW8laGMH1Cwv+N6vhP2xFbgEaLohmmVAnvyZmI0qyYvvv39KdlQTDSBqLEfm+pHUtTPmqgspNFxusukfaGVTWQpT26tlvnTCxx44HRyBPKFLuYXWdJkIRhtVYkYbBTQf3OXpH2jpPzEz
IGNlV6s5jxVfhDSp2mhlK8LMP8oXf/7mX7UTns8LFFUVWf/o0fsPa6e8pntQ5AW5ESktdMmdj9uaOqMkaGj0iW7oQKxSCMu3L8i/2ek+I99+S/6NpFJZ/RFn4ZE+I/+dm/9pf8g0OWTKF8FFEjKDT2iDiR0kKeV8SdOHqTqfQy+kwc1NjdOVLSNAZIVkwqC6bSAcuIcLnIBSMjpWpNGAdAEpoxxpQlq0kcpqi2LvbmH7xZZylrnlC6ElZCVLkVlpzQHJY2LtlYWTwUCH+7Y38hxvJ37THnHRD/B5zyXNPt6d4RESzX4HkoNRLA3oyt5Ea/8YbTR3OVbizl6S1DQ6nFxVC7MgP8mdZX7fFmKCSGVNCCPJA0Bxgi0f6fb4TNiiZApaJ1uWJVn8O9RNJQHWIEBRg0cxszxq2StbpkxJuTUXD3ykImA+s5xZgw9fAHG6jk5/IG+vibJyUaOxjmyhag2m/tnJuWoVHVLxyefqomGOz1VFOtb7Ivb2uvKvvYNcGiD3flemCvBaWu6HRJL9Uzm9PwMnt8eU6IKzaS+yf2hTUbOeKvuxwgbZ73HxY23bHuWp35HV3qi0aS+O/2u8ubhjvmL8Im+LdlyrtN9dvbrz+lxKhWUAywupulocwQvls3ugLT+W8fzBiX008tAsDDnEDs3EsgFpjEF376PVtyAvvv+B7JCzOVBBKOdhOxSdr6g2NP4FsgMFblhqCAeqDZGiE6x8yKaPoBh93mwKnLe4hyzPnV+lypA1GBUB6UZILtf77rPGiqmeZkbI9yTdUEVT49hkj94eKUTnpiCl8BED/MC3OZjBFJOs5p4Yp7lsj7znoK6bW9VJisppq+huUH6gFOsoSzRFPcx5hIW3WWWalqoaURsqMqoyIqTKKWe/h6LtpMqDHMj8C+wRJshy2RPho9jQ0FWje87ZCnBOAQNRQypFNqAYNkuWaDPNEj9CMhOpzAsOJriIg+4uioqnUawjclp5B8pcbLvd29GDm25owx3un8FNkkthNmezusnqOf/VvIlmyC7GnhuRXYI5dsjfpZie0XlEiNjxK+XHhaS973Kpd6AnnI5XxMCj8RuZbEHpVrBvdixmI7BGpxd9D/R8UpukilSqDLIp0ts/l3vhqusxq/utejOvf9h+g+vLWCXzBY5aYuKfTkFQxaRT/PKSG/a1YaAILQpeRVA3meA5FXQdSkoihKNjurIZHFGOVk2Y+VITuRPOa29oXnQ9LZ5ii82S2N/nRpN0w6z+KzPQC/Km1AYV6fagdv9TMxCPRg0MLsPR475aWcq2MM8djAtVDenmr2AFCkTqFpVa5StjW5bZOxXXNHzs76tj/77DgPA0HgumZpxDw3Xnp360+4UZvnfT0VZEWF3AosVtdNxfNGppBg3mZ1Y61ad/0Ru0DtCQ5fjTnPfUgNMwNZfGbzvUIX4roZxx0exOcevVyIsd1QTRZAMrhOi/GT/1URfOwbSjzuk6N1GSfZ3H4SuSKHRFEqepFOOOyCHYiwi4qBuvJWUupfp21N6gDOoJzFEyafjAnjpvMa67Rrx0MhBjjEWa9tSe8xQVXfLp7tgB7VCWJpU5PHdYapUNo9nkqrdWVPhpHKi+A0tlTXJmpoW+HiG9Gt8nBLT8occMv6mpCr3aKU5S17G4djT0xxaQshVrlMGwtuCcnEN5v173mOPlOsDE2h3AsibgszJFM+98DFLmVfr5GPnLoY3Q1nClIj/f+5AipqtHp66FjPgrLg9lPehCajbqEJ61A9AQEJmrCoChiNUpGcznLrlJpiSyjzzWosxBsXTsuQ5SP0tE+xHS21Ht9Q51R9ydpB7xWxCZVD6U6CjtcvnPi2RJV48LcvlPSMM6vkU9R55Uj2VW3hxH7STftFodX/S3vs9q80fWW8IbWkdOCWkIJRuflRkOD+JynVTPjhcSctWGGC3k5sm+PZAUf8MnbqzthkcxrN5JztL99H165IzdIQpfZE7w/YCcKvm02K0wE96VHBB1
WLxIYeBxur5To7wVzvJuKiDRLNP2L7wKKK9QhtKBT1wp6YaKNSQCdtPP1ZDzG3athxu8HI1RbFkaaJ22fjSfdsRZba4t0sPHUBd0hGioZ8/ZhBI4xyaOSnn31daha+sGAVMC467tpKuiKbp5K1dbUAtyD46xpQa1oGvAUnc+Ym4lVUVDb+xqGKfXpQhPHHwrA1IqslRyZ7+rPvV6jFOtB2u13WZ3VJnxpnwNOt6O9LtX9nIj5tu9kme10nGpzSsL8C7r+BvklSCUgzL1u6tqhvWfOdesP4qtZDN8ng0oVBkRUnytoADUVo+9RqHiOK+QTUul7NasdVJcDdQRnjPn/60cmz3ad8xsvDLlZB+5RoRLjA8VRIqv19L++4hkxMszCSglk2ZGW87o54jCkiFXxJ40w0AvyH1zPrtlMtsxybE0Xblg9lJbRdUlPbgnyswLK888SlJealNtG/+fHqsRhGm7Gj4zx1uLVm3Cb4ev5gvcym6nh60nl7Q+RR348pT6bOm4RjyEai1Tht4ay9Gg3o9Mf80e4CWhpNjsNUspt2bewzNSKKxI+4yASb8Mq1lU0XD2wMjLy8WvKpqDAaVJQTXWKdCYuOcy01KZ51YiyIPHm37IKpj0qKLhpOfldI3WOlxAUDthl8q8KPtnIYr1lOyYyOTOR96kUqRQmGf1q9jgdHsTWZWc78lvJeXOaZPJnDLhz6doIeJyQJS3vTXnX+NHJmeVkddMPEDmo2irwDKq0V73Cqz95osa+YJlx5jPe3l+E8VGu061MwG7KCoCsA73hTD/XHifELnvpzrXjx6gctYtUT3d+eNHRXrcPjyup307Wk9bMT7HeanJ/hHHq4+EgqxMgVQeYAg7ETQoRnkSuCEmiM17HLRSuroyvyXUrUwdtMEgfdADiWBz+KP8+FZ4b6je1LvdqhyBaPbSWphWNFURpnU4+1U1UqdUgdyCqtEstEotVP3/flYCsfJNEIbxBKVIOVBlP8KyGQ1pPozde2lUlSJw2j/pREXZz1X/xDI6lfmSibpyXFtE+wQENUJeb5kq9fzejfYdiiiGvRxzPUcENu6VG9/VWRn28DgtfQbHW80C5+G6vSZv3Zl+4lPiiKux75M8LPanx5xfl/EFtlxft9fIFh9aXR/Ivh136Dt3QQyOyIVbanvqdkyHTY2t3k+rm3j4SuKTatwld9SHJpyRNOvaWvZd1UOT2+uTetD5PokTepBF/UJkjT60IFcuWt9XC+Lui+O6kP0j1eEvvvnCOyiWpanj+KWphXMpOGg3d+kE7E6SLVWMLnkvYtwltDFBCk4HjpwGoSdmgB4sSlsNcmMv7Km3t2YVi87sWt0/v73ramDEl1Rytt1QtsxgG4GzI+MbX6wjg9wKQ+7ZWlA8lgMbqZBqWvmmL3uywG6lu0qnkFhPBf9pUbVODe6FTAaW9+3P7wkTKS8zsKLBN2ax4Avy5OaR5gWHl+TOGZ9uWJR1i7ANih72C7wzoDHfiNowbqYfrDoXxDwiaLvlnHnrReU7ph+OPHAYxdZrUFMK14en/Uvb0+ixoOazUaA3kmd2jZ3VNNCr4+A5ahYrrv8e5WXYk3fuZnxaJxTeXocDLM9+sbKmdTL72zxy1r/PYzMT59PQ5fJri1AKzChYYblemZXpkJ7uVZ6LxQ60aatli1SYeWXlXEXBQF15qrIdVZeKtejXSrSyiHrRa8kcKNL1xIocSt7QtKrsFVac7HGeWZOV4utK+VHHT7SzGCIaISmgOiImShtqyvMVq9oGp4xfULW0wy/lI2HZ82GpayV+OQ8NFueHXikst68snvBGr6Tv5Kr6vQ1z3a+nHyOEmZDl+W8GrdhNvY7YgVY6jDPDeh6d70aDTq8CcsD8V5zb00p0maag9ark5MZiIKnMQFvmV0WawjoeExk8jp4EZ9oM6Q8TTxMOjYqtqtAsQaFXP6eKcXypDfgH3NuQWBOKjPjawgZpF1ErXvXWu5jm4scnT+pIlQKULnxC
gjtTvWn7K6QJjKtynJ8OBI07E7svzac/OrbayCHxzk52v7ZfUiY0ycBQxgOm01KWpgU3QLzkF4hJqbw2tI4bQEzDItxAXvAJr7avqlaLVQuD1guSj1Kx2ssWFKd7DFM20ot18iSw9+0XaGl4aFhVeSzO56YNMyWW6iBB0hstrZ+UfPpgjPQKt2zLlI7HFnV2U5nndm/GLtiVg8e2oVU4UaHklmXOwq7qCoT6M9Z3jUyPOdDH29M/Mt7c/Wk7WiF87TwW+Mh8KflVjX9Z+fVPuRy0W6Mn8L/l0rsswzu1YFPKA11jUJJbn/u7W3Lbu3DbiCbU5vExmcdxjAo8rrMX1iNV/DE2sY+iCqtZ7kAlS5lNjznuxW13r6yqP6zFNnB9bmJyp5wbbZa8m5bDxadruDCb2gvI1iyrXZQDxng+XlPuJcGcdTOMuapr6opymoCsug3dfXBZnJUbFB/HHiEt2zaKe7ZeQiiloMroPfZQNoshFfQUZYcGVR0NT7eUcdp30JHaPUQwHn4FSg1UI3T7Mezhms+v61W/3CcEOyd9378lq327GJABLE+WZZbtI+w7licj41RbkKWGoUJiR23RGBjF5KhsqU7AdKLLeYLtmG7HmrhaKthwso6TbnLOPc5QcfAm3tAdrcb1dXwa7pV6PBe2M1oEV7/ckCc+0u+Xklu9ZMk4BhjiS/PNYyG1/eVT8nXfjBFdL9+DkDtxoDhqSEtMXdsejj7QNSClsxja3QCQqyrT5q0PcH0Na5ruyYdBBZazpaKXSf3xQx+wiQmSUyZW1jI6+khVUIW9PubIqDpQEe5wYPJWZi7gqClu0HrXDqAlJ+5ffHyxU43XKA/z6t/CjvxUClSf38gMOHnCxHbx1TPCZPqMLO1fYP+igvK9ZnrxVdiPbNIiWXHa6041/gY+1LWu7ggOi/YuSpV9VUBYro4mbRk5kRb36dJTUiVMaVB2QwVRbvOxcqiD+5c3v1r7/b0Lufnqq1/e/Prq3c1XX7kYmC1VlA3ujZ1UD+MSMk5u5V+rIds+2kEzmYrx15eP7RybG1iLOJpaEbiPUhdXUoHQLB13oFrmZBTWPMaKCni2zgdLdpSN6TTehBykMmJJccOMT0jR5TJ6G5hlpo0an8mCuRuzdAN/Np8krSL4pjgOYoMTm5LAvYvJBwc2cYo+PtEOsWKDBmM1mQnOidjJBDNXAxPpBlyGhcWRegrjDR9Lntem3vXHbdQTV3v7Qhsha3mXPKqjZFxoCSu/+TEKpJzlAfaA/y1t+4mpI5+ql2usyPEUzeeAdX/K11+VQGLz+EwxHHZFGbf8qhIO7/z5u71ux/Vi9rRVgQ2sA4lDw2/xVVxPYq/yIMUxwT0Y0uNjOq1lVIqurdrDL4bSeKfifwuP5m8Q1l9q7HpIi5mK/Z6K7N9l2LPaYDfUsPApm4y/P/QBel3qgqVMjoiP+Fi2BdK3o0r0XW2fnjgt8iKR8cLp/u2bO/Kz83g04RhhVL/N/Pxy/x+vyW8lqIFqLSUXiYJu1Y+pTz4t18WevKtCaoPPu7Welo4S/20wOb5MmwUrBozHU3Am4F49AzKLKURHOVV5FF8sYJTxQotRYf81WJmN6AxwADU2F/gAOKOme3ufhlyCSDc5VeeHxdWQ+4L2Wjmc4YOkae9580yoZBPB1xRWY4Mpa9DVGpNJowDl8p9RcAWNqK3nMl8jFgOd/kM9ZY9DYq52Dva6jUAsEppi2cKYMDYLrcUoFb0FulwX2+/Eo9lESMtUJKlR1kYZV5mqBW9hh7x1Z4Buea8h9FmwINZMjArc7QPHxZSIZJXoHTNpxL4WyYrLnaZ5zGtRG1qY7RT4KD9WKhImpm1zJgpQ+XI/IiSnB12kD7Hg2BwtCrRICiWNTGJccQi//S5BmzUGmk/Yb1yukzGt/zugMS+hqUhy+pgYc77CewhqV5hDlFjImYhGzMQUxAXXCV/yZLzz9AD6z5PAI+oBtaDHZ6m3ocdHRLehv58EHW6s
fi70v0yC/h+ToP81FtrIgtMlxG31Gj5GVRJJXnK8vJf7KHlWgRcPUXI8Lzlb50Xs7W3vP8rX4x+NPCyLE+IafktjdG+RaPdkGsUrrdJY7cyCxmpneq/LIqo+dirqMOtI5c5IYxUMeIza2kYaqyTFQ6N6EgleCvYoqJAaem0zz4Lf/mBpjxYL2x9kYTZAsygTSOZFkvIoG9qCRrk0EFJhm6w4WB0JW5RJlH8iVcywlPKooC+d0DWIdD/qTakNLSjf/w7ZMg73NsFk+EhYl8YTi9k9Z0fCWwv5h1gLWSdLZv41Mvkw1cnY2qYdUCUjjrKO3JwIB6mKicXTzhMwoq5kCxTMxnkDYpRvB47XVSS4q30zJkOzBb1iHOJ0EZ2s4tjFVuMCkA9B4ySttkawgEeTRB4jawNn2hS9Ij9nQ2uVRkJXneOiYOU6ySFjI4IxD6GZiOV4LrOSg05l3Kw9OFtHnQpZ6B01IztRtOBDMQFngipYM20UjdG0G+iom8p1UoycspowZ411RFT06XRRDW7Jo+CxsWjUFeeCjuJRT7mcdxvJdOLqPMfA76mikQueDYRVnge7dR0MxkMybWi3WetZgNosS3V+IdEKDlzNtTi4MgJfzD1cxZKOB8SqPauYUujDEdPHoNY0y8avOsvGO+eqBJooicLyJFVS5pHZNxY0SilieRL7COdzd+KmWzxEJAsVOiaVmRW6UGw0GKeGmTLi3YYzAWNSSRo4PbIWVw2JgY8xJgiXLqM5WXEZIRxr8KgQAKvpRex3Cxa1161uGIUuwmvL5TpyKcU6ctsVUo0/HPmyXMdtnZzpNG675jpyAeOqzwgwmPoSARlxil1pgPGvUg5u/IOS2O3G6wqRcUJ1u4YIyAh5LxVbJ4FqbWdA7gSoGNlSJJEdBItkZAXpBjCqjUMDHjVLPEnjN6kHjGmn6ZT+CJRUa/tlkm7Oj2ftAbu+nOPhQeVraxf3MqrPg91FgsaIOZe/9OFDp9LnWaBKrhOqi1ElP9rAY7o8VHAKKI+7eRSkSK3LVo0Gj5mshR2boNuClSqLwhpjouko61M76zPKU6phvIvUldONUiM0/BbDzFAa7Ai4KMVFs3XUwdTFeLtFqzRu5VWaRVy1WqWhLN+zQEe1ZGpDlToiZ3KbivFBCMGKoafBXJJlRNPwtYlZBAcW4zWqK0aOh9wXEZmrZbaMfLUuFY+SSqUGlWRsfPxmZGGSyicSR6xJ49rlbxMmtKGrKEm6ZcrEXcXbQkSlOBipSnGRXq2vSiPJu1KQ3uC1F3pSgbhfKGcZuVKQMUOuqMp8ztiRtjS+/tWkmQ7VgcRhXNNVjJhNJSehkJLa28vElNnf5AWXe+gVxDvJg5UsR6THn9uXd1O11MHaYgrW8Ehy2g3dbTx6Yl12y67MQAZnGgtsVOPrditNXRZYor6fKknIbkMNYYYUrj1/mOhjT6ljSoWE27u7iucVEsKEr2QwkNnNmZheAbtFjB2vTYkmRq6xyc6i+b3rGNHjnoAtqLqIkpGkoEoDeQOGYsVhdyrqfmnkyWu51s/vXHDfU3Lty3i59iS90TGN+B34YrFItiBvwfzKjAAdXqv+1otkzwrLCde7GYd309FAVbpZMMEGDF5F5ymG0BE2rrceZwKec1oKrJ26LnNflv5IKYRO5YMjVM+RMl9TXSfK+4qvAyq9ZWYyby9k13PLDkzew6PB3TlkFFy0AXVTJO5ED2rMyp1UqhjzcjWYqjnwkdT5Y+/e42tDVK1kV9W4ToJ1Lbz6TfbQLHJY+71BsJ6Bfhmkf1wd7zM6Z2fweHtdHSIcfahk+8iH6JHbpW7h4B73a3ykt0drbnqIS1Ek6oLRNW1SuYINQVYQQjXRAOKgT2bYeFFUaJrOUmy1lyXuBhe+gVPdWrvqFnyErAJUztxFOB9ZzaCucAvbMg5r8L08qNZsLRzzm8rcA20N6HKubvUDS44Yjuy45QVbSwy2Dwlt8xZFQ7mFcZVuqvuSZVVb27pj
EjZsHDh0hARicmqtTcFAkNRoBbJqFNYI3qq/k8UxoMLuFBtw9MyIH5EMlC685Pzr/pk9AloPkDvZeR+PuXooZ1QnGzmDdtfpjok1cZoyUNjRp1XwKBxTTdwGtfQI32JbSEOwVebiFdfSmjad5iVYhfwnD7Egr8S+/l9vdIPWkRaG0GxRdTQOC6ZI55clfYqy/EWXn1h58ICpzLd1ttZEu0J5NetwI2G/Y5KxntVzDVa6B0X+pfYY6OceEaIf6l8yNm7r8ntPNFQd7L6jPB0MkzglC77slsVxLene/vz+xs4OFDijET0yGdOpgoKKdG+1En/5834vW8uDZ+T9m5fkVphvXzwjt2+vb/7zJflwK8wP35Enu82eCN+AMd1I7cu4SWWtV/zVNz/8r//2NNz7Dsxmkrzozhgl0CKn4dJIevIeGXmgfCX+2wpt+DBlH5us9jk/Qdtgwt/ZF1OIoo5i0+igVXPT16/eBsn5XQqYYofHrd//kQIWYf78PqYPwEe47Cypp0UNsvHT3CtHeLmmBnb0IoWlcZfdkVeueV6120II6+skzYth//9Uv+bt1Zs7J4eHe8XTGXr5DZnSTs+pWpfe3llkA1a95cNgLZhZ+GBHH+ZDpQMkrqbY3Iet3Wshcx3pKG+eKlqVyMOye9Zlsso7HhbpT8v14UL1kDWxNZE6w7limpK3noY7qUwtonpCyPWeQCb67vPHJZGenX+OYibWlfisCH8zxDwBIf1+Pi+Rx482CNVapgyLxqO13LtdiZVTioo1LGr1OJVixdalgows9765v2t1P9CdZjCloBcoPKBNBYddRWUq8FH6XTu0MsJgUpBLA4mPEYp5+Y2ZYiZ0QhMXPhUFXBgVC76KYu8qKhabx22A+IyaImpyNEsqa3xav65D28LSsuiO1zZkLqIt3FjDSoAh7/cFPCMfKjH3Gk3kb8ldZSL35MjPQzdqVbxqlgtjQKWvyCJV107KefDCKJof4gM9VRg6sAVlsPOMkVWDKybIh9vBI5RiSMuEMxjTNlboRBZRhfIsqAI9Po7GAkaF+DmZOD4gCn1QURhdmZqEg1hH1HxEvPYamNu5hE2J8HqhvOUcFCTFBxxrRf0o1Y6qLNQM7BW2qUO/+52Sj/jqvgSzAxjoZDw6B3jsi4Q0lLfdvQ4dwUIm+NrUm4NvgqYAH4JyZuxR80WFwpPYcirmeVc5wx1QPau1HAK9KRw6CBof4NZqz2tUng8lYow/G1LMttiOySM97w2FKsPSklNVNXPzaJ7cPL58LddytQrXp4Y0MRuYu/Htezuk797fUHZjKbMEvSrNBoTxoVSDhM3Ve+zwubKs2xqGifugQQ2SJEuTyrm55QcdJunedeAeoKrqkTPt9j2gCDGTquHK0eavFfYLtE+GDhX2FKMbWBdSZNjSVQZVgBqw35T0kO7tmOzagduAEpdnj3FvnEFWU+ztrY5ewwTRzJQBiUIwQK7qgudH3VBNaCYL7Aq2AaaI3IlOYyRi6KMUMh+Idqlq1Ce9cKQZLj+rhjGR2bMslW7a+7kuwq+q8vi9iZ7jPhE16e5sDIZT1TO80PPR4CTv/SvSvPM81kSsNdVxWR0TpuqiAu59VOHccx0ODlnKafFxgektYUO3TJao2VijTsmcDUQ6wPzobwRdcgwbXpGr49iZ2I7vfBYio0vDgU5DgigOaBhZXiyChACGmoLpa9C6V5qdPbj8TQh7KUw3RDlG58sw+SNJJ3TFxVsGO5mztCIMp4UBA93HHmY2rtd5oEoj8eQs0m8W2qhhJ3lFdTjx9ZNR/eI41f5adLgmUR40I2qTyLAcm7Z6TUNBAYNOTs/JEalRJ5mJKekTWanO3ADhqjCfbAN8ex7V30zuiR4k3juOTs2hRz3OqTl6Zxy7PzL9L07Sr2bmv9vws1CvTnN/RE2Kj3NUT0i9+qj+kTfNt6fZfn4Bqo/D9vNkjZr5rM651884qTNvmjmp722ZWinMXJfOyboZLc0mycFs
5EW8qfTAz0UcIv+zwYXB7F0lJ1rqR/y77yT3viaL6sgOibYt/3Px/Z//TJ68vn5195RcM22YWJdMbyDDxJwgNi7Xcob82GN+bd+iGzH5xcAfDrx5KznZX3Is9t7yPoSj3pvo8xtROnzMxkwxKK7OjGi5NBBr6J2CilARpeadnPLzs/g7pL6jGSu1G4NIRTTLGafKHWYrSOxuTfE+Cofq4pnRbJ5euLUPsh1l9sEuV+UB6dS1aA7MlEjCV+LYuUHnp48Pb/mfvOmM3/RWzBu70Ao8zMKOFqmmPYr1XLfILqnWVLDfj8Q6iSkLdi7DIrjVXvkBlq2YCkbxR2e//mgHRPnokspdlu5BJNJPQLnZpFQBKRRkMmeCBkOsW0f9jhoGwuiTgWeczjuf1/STTscVwYAienvZLfylFQIFVQbTfpvJHBdCs6b1+oN7jvxZQQaKGsiSEWEAR1YR25BXY9au7jsltyyr09X972hRcK/n9JbPp8haQX6oEQ30Uq+nwbLZ5lEP6us4mP3ARIKFnjGqZMvcm9Omq9gNFA6oFZpxpfTHajXwiHd5C6iVKRJq8u30H9SGqCbaSOXkox0tB0MR25f4q4X91Zfh+eUsyzjMKTHe4IjnyozAErVkSJTMqIrnzTWhOz9eK0dX7KsXj2ek4NSy3d5IUhEQqdoXQ15EDF6ZxSo4I15C1RbCT1Ib8oamGyYG1PaMRp/RL7r8+iAwsq9QYA+qvdVdWr1ekNcZLcgv+B93q2dSuHyAf/SvC7KhW7D3PQeqXAtrgvUldCGFhkoPCCcN2Bkl/bbXE2SPr42QKmZAsapKh3ATdBUZhimpiJ6FmGaZ3/kiMufSgvVFp7oJunutKhx1kAZs9X9/1TBNVCkCfd0JofpZLYnda45Lph6IyPYjJt6KmIOZlOyYyOROE11AylYstd88C8WN+/ij/ka1E3AUNa++5Imqup7XYhmfGZ62+EFKgTfXa1jTdE8+6MMiP/V7SN5NcIiKWrKjzGJaDdxhbXUbkWHUNG4Gewv0+FbnMwWymA4yBDDMts+Ew4nNoa4NVRtyyltgTjiH4IbwMBHTmSteamgyPnLKO/cqyXGDkxuutdKndy4nRu10PORvE0LjWNnjcjj97XRqCQY3jivPPBgBjpPKYMWE9wXiUcdaEDktBopRIP6BMOsLYW/M3Y7qESNIan/T9Bn4fOSB6iG1D80Ymm7y2UvRNeMiY0hPC26zLbKg5pKJMTV3Z91plmwMf58q9APHth2Mi8xzZbSaVKRAPfIeXVNl9gm6CqqqtbUfP2uI3W1Yr+AZsfvQWhYuRO+sCZiIipcuFU6qce0ZO9P/iy6o+OvJfM4K1WGts0pJC4lUO7W/PMfRT1B/wQu3R3dVFe043YNrlYAwShbhY5jJctkzyM7aa35Ua93AidBGpGJkJ6czqbiSeWEN0mrn4wbHBidO89yCsqI1sWZz+EKi+mF63O+Js9jR6SvcO5he2Wz1W/wb148l53vyHyXlbMUgI9eYDeOcF0FkO1gmqZQP7GJPSr/CkjgMjU1C+ZBeFlFbp3nsKUrj2uAM1SM/fTbe1YP4WqrebeW8cwvyfl848huLyk7Q8XmYxQpWycjiOB3CLBZngqkvdajQThfdPM6CWsE4xO+8F4VUlWcPn1fevR5YmFa26uhlreZTTK0Ye2Q6duyTfriKECVl9D13iNaOZLlGCmrCDo5UJFSPe49qgarYDuql4qPY3YIbxZ1aBU9KNb7fb4F9z7A5dAzKCNF3CDwyROMQ2O+CqOMAjwYEXoIxCpsdYcTq1tfqRkHngTLmdnPDzBNDfnCi3+PAeNU99/++8kie+3/4V9+Q04tyUOEYAk/wRV9LHLntxxL0Y7QKMvcIznzZZKssMrECpQZ89P2ZzUR5Wx06yb6g02MWMqrqQasWKwPbF58x5OTtGxhmxo1w415b7AZ4j3FBqv3R36H/CD1c7J4VG1BzWTVWz/Fvvk+usKD6U3KFGMLIQZnZ
EiUHeHUFyhe+h4OYjiMldmDiY0GLGa1lscN+qVt1l46uB/t92E8wPi0yvCbknv0+kL7zEH0Gb/9+QwSspWGOzcWG6oH6tDqdP3m3xXA3/HBBb7sgE+rT9h4AO2tdFfyq4j3DD3aajWyueF6ecF1L/P1gWw179pjWZUxjaAuLj7pT7OdpXj6kAZSa6Fnosa4tL27s8OQenwyOndaZXpfqelfet//kHsM5jovQlrwYImO8vDhCxbDQ0Jon22l3SddF7p04YZdcYrcALSOKaeh4UPYA3hqITon6oinw2BaUKC++Ixp9t1KR2/tXf39zR+6s/CQ/i4GKlA090XkfMfS838kwPXgs0w2kDzqi2VsjWKbmtoeKQNfVTerUcwzQ8IW7m3N/RFcBxXrlNy6iqjhMddbeoPqGVGGLtfnEYJuOLeUscxsigKZ79GesL3Xs6OOsH2Cvu6Lo7D0W3Ql9Y0yhE4bdCCKBkaVxZKfnt/yasvfYWlTxjlIxsz+x/1KZ5xNz+c+kzGHyJmU4vWbHFPCudh1jwu04FcmoPtRjQxJ01TTgV09zFSMbNtAxuSEpJJsnBChEksNBEAeiDeteyJp0Q4XoJaBNT1T24yKqAU/5bOWXapHnK3b/+vrVWy9zn3cQ1KLOSNX1isVsr4zph2QreRk/jVdVDwzha2nWnUGqJgulYEaTJw6Nfoq5a5hMUHVBCPiLBoLQeBl9wl97aj4IZvxzyeIwGG0LCl9KViUnqRQpFMaaAPeO1wMpTmM6qQfrOiDzrLFRtRCxpGD3N2l59NO/vwoFkwRZF7MDpFpfIkShG1p24PRYUpe+F0xg/NvNz3e3d+QNfcyZyOrWJWH2W+ovEMhwUOh7gHBPaI/+Y4TXV3A4BDsqIMhFZifjmnj+wRNpqknN3WjJS6rba1+Px+M5SgOfk7GfOKOnmlP+XyDnoA6OFFlfG4k5SWjxjWsvPVKxqbt5GfQDO2s3d6kBz4guA2FRVJO/aKOkWP91yWn6wJk2kP3luf/sWf0tEytIw1+tmIId5cFrli55C4ZQkREtycD2UbBm2qi9tXrmPZgFNRtfiq7GQrpYemRMaj/YJ8QlSrjY1lSqVvWuWmOpaQNh1P5P/zcAAP//vguuJw==" + return "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" } diff --git a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml +++ b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index a3ca65bd44f..2baa2d8b6e2 100644 --- a/x-pack/filebeat/module/juniper/README.md +++ b/x-pack/filebeat/module/juniper/README.md @@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-08 15:21:20.6186 +0000 UTC. +at 2020-07-08 16:42:02.851507 +0000 UTC. diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 595fdc9ac51..392e80bb2ab 100644 --- a/x-pack/filebeat/module/juniper/fields.go 
+++ b/x-pack/filebeat/module/juniper/fields.go @@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml +++ b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md
index b47876dcc45..776313de0d0 100644
--- a/x-pack/filebeat/module/kaspersky/README.md
+++ b/x-pack/filebeat/module/kaspersky/README.md
@@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127
-at 2020-07-08 15:21:21.537607 +0000 UTC.
+at 2020-07-08 16:42:03.722306 +0000 UTC.
diff --git a/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml b/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml
index 3d395874c03..ecf61b431da 100644
--- a/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml
+++ b/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/kaspersky/fields.go b/x-pack/filebeat/module/kaspersky/fields.go
index a3b5dd3347e..60034a8e98c 100644
--- a/x-pack/filebeat/module/kaspersky/fields.go
+++ b/x-pack/filebeat/module/kaspersky/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetKaspersky returns asset data.
 // This is the base64 encoded gzipped contents of module/kaspersky.
 func AssetKaspersky() string {
- return "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"
+ return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q/JFTU1aHO1/gshllsBr8k/2j+RN9Ly7z5z3Zi/EFKCYZrXliv5mvzbXwghmx+TGQdRmslfSPiv1/i5+993RNIKXhMJdqX01YRLC3pGGUzc37uvEaKWoFeaW3hNrG76n9h1Da8duiuly97fS5jRRtgCl3xNZlQY2Pp4gHD7v/e0AqJmxC6gRYx0iJHVAjTgZ1bT2YwzsqCGTAEkUVMDegnlZECfNvQOxMy1aurbk7LL1M2yiLWkYou88dXH1o8tsVmkMvOtv+9fYXzDBrvyccGN+x7hhjQGSmIVYbS2TeC/pitSgTF07v5NLWGqAuOIVu7zHdCEvFVzcgpMlaDjhHhYfBepQ8lp4cISpC0caYkBB4Qzcz+w3CDPmZIWpDXufnBpLJW2RcNEcbS8OgTBktrdD4bYcY+TW4JQS1YLzhaEEgPGcCXJgltDKHkP9nduJRjT7v5kcDQ6Ys1CNaIkEpagyRS6c1dTbYC8A0sdapTMtKp6Sz19q+bmxQVlV2DNswH4U66BWbF+TmzAm5IP4IWFP+Gyh+YkykgBSxAHcFIouXs/tzh5CrUGRm3ApIQZl1ASJQWiZelUAKloHceqMvMi2YXZs8fvwj0/P/2BLKlowo3nJUjLZzycTrimzBKh5n6/9GAjkDruwIfTgt9z21FTbTlrBNX4+7Cxk9GTMQB90EmJnYwB5PGTMroly+Puycv/vyf798StmmdD7nd91fSPAgnZ3ZZHg92SHiL0sqOmwahGs0xv7/3Zluv+3w8zY6mFCqR9jMjRpuS2YILu3OFHgh5Iq9ePEbGF06keI2JcHoZYXo2plRyP96SVQA+RHnnZNgMoU9pQI3pNzM7sfbF1CzhsBnrIQEm4nxWxo4cMoN9gRYxzcce1ciQuyp5XJco+z64BmYnYRyIcvDP72DHU6kbyLw1s1Gjd0R/+tN42ak+UZO5xoFY9dst2RNwseV5x2OfuiVuGzzij/fv8Vs3J2RKkJZconEkjS9DOBNEQBNWA9Bm/hpIYsA7I1o+31zDjBku7CQPY9zZYuk0YgL7Tpgw9gen9S4cdzAFdd+DJ3XiwUCaTvto/l78qY/siUuyeSAOy5HLefmhix6bnQ/p6+MsPOWCDH40y9vxi+ROhZamdrBy77rvMHVBv1dfK3OWr3Ox99f8uex238suGXbngHWl9b1lJKJnzJcjOSfb1KgKORYf5L/JaIOVjVP6+jojGqEND1etCw5cMe90PHuIGI93TNXL5zC9NLvAiPQ/ebEvJx3UNhNGhBJkCAW4XoMmnc2l/eEWUJr8IRe2PL8mUGjxFbYBsxueNRtXvBroPUXe/YroxDJrP+EzgX3C/nqtcbrZ91nG78lfvYFB6RXWZTanrSbQe2X1Onl983tL3KNEg6O6WEmLWxkIVHtGAtoO2AH9SjWee+7fSfM4lFe1vtrWVG/iQS//akxhxfvH5VYQFAf0BJ+7Pgg6jIZdTvD6bgzpUHA99fRZAS9BHiV3/ikuR89P7REk9vv1gKYI5LFb6qJ1sghXZ/Wy0VbTON4oWXhRnupwoIYBZpb9GAey49wA5N+7McUOYZx2UDtMtRfWt2lVbyB5GP0KLr2LTx6KqVspgslulJJmuB5tGiIYvDRjrABpe1WId9sl92Ql6ApQt
iOElkKffE7vQDXn588/PyIoaYgBkt8oeTjwK5fUWnDC1kgbysYJ9NaeCqUbazqfQVFMv9NxVNlEI5CmdqiX0mMFlNLOyFW/GaqDV6P1hX82xeWBWQcmbXT0tBaO+iWmOnWOBzwi3/2xefv/DX40X6S9qFKAt0v8cUPNPZw++pWvQ5CU5k4zWphE+suJMyjvJ9Rj0ewY/IrmVsVV+fEn+1ZH7nPz4I/lXwpR2+jJSERZ9Tv67sP/TfZEbss2Ub6JbKFUJj9bWlSsoGBViStlVXg3YIyeVxWtDrbcrHBNBlrXi0qJpYiGe4IyHowCtVab8tI0+aGpgnArEGDE1VmmnWcu11zrcB0sqeOkPRgwpQmaqkaV7YQQg8lzOg3J0Y/Li9o0YQE4RCwzXYU/YaGQX1kLR8rG8cwEdYvifQCqwmrOI1RFM4f6X0Rb2z30rhN2zT+1Go1Wzdtsm5Fe1clsztDm5JEo7Y8wqcgVQ38C0R/HifSVM04qBMcWSl0WZK+p61kqeOUjQ1OIlLx0He3bhkmvbUOGM9i3fu4y4OHjFndmNsXJkhqciXPXzU6KdtDboUEGmUT0H233tRk4YnSnp6cE54TPh9nNCZwkFDQX/+Wnre/0AlbJALsN5ZxrwoZ2uxwSl+18biPkKAi9hpcLUgufMbHjU5rzhA7X/UehmTuZmPO9469wbEM56e+paqyU8If81IoxevMy4eIAYvVvVGUcXJ28ugu7LqHTs4VWt9K7GS/CJ/OrSIJrH4f745J8qNMTRdI+5UrdN+Wbzk43B7vUctMwn5OXPr8gK+V4BlYQKEfcVoFMf1aSN/4isQIMHSy0RQI0lSu6Ui2wz8cHVxK+biZG7miNsG3j3u9IlMg6zmoAtpBJqvt4NxM24HmixhPxM2IJqyqxnorvUa8QfneaSNDLk9Igtn/loRW3qgm4fqM8ZRNgTu0SLonJKppJtGEHT1ahMQ8m6o1ZShhqrj1HI4HNQjDW6hWgslSXVJZFKV1TwP2P5vUpXUf6UIcvhYBapZjp4ku7EpA3WHTIvBJ8BUhwx8A0wJcsRBXuz3YWxOf0sewjikqmqFmCjB2DUiUpRgbea74jBXr2Ztg90kC/d2tHjPHaUt0/m6PGrlLSLRNu0qU9NlfOyyXIqH4jxZ7LMwXYH8k8lc3db2CMW3eqtiunTaz/ucnggorLd6DfEwrUNl48sQZteOUW5Lw8ssr/3PWxroKnI3JTpMaVLKPO9gyHJJjxTplux1THaTJvui/34+vC10qqaINQGi/INA0k1V16trxph+XeWgya0rkVb/bLpZVNRSeex0lxCBIZ3WnvRI+VxNYTbJ4aolfSRMUuretczGDB2qzkUh7fPGsIW3Fk3qgQzIe8aY9FM6gN1t5LakbxcauHATdorwGYzh/cSjqEJ4Sa3C3reaZiBBsn8gaBOtS75kpdOs8HzEBdkl60g+7jDvDiR1zXXR6Nws58+FnTtTiK3Yu2JNU7oOX3NIYUHdL9vNOGmj7pwnjtp3MmzyWDJLp1MNaklUDVQ5O4LseN/6quCGuSXBpqjHSV3uv0p2sjHFTUEkShHzg0i90NqpiZUCrYYmkGmzSub4fWdVzlwrYsMqNZFDu25TimKtoG+TA41g67Ue0UexoTcMR+jb8zgubzTm3Oo2LxJrh0SLNg8EDvdEFI7gigbKPEpFGvTiNxhpxErSjWWqQpeeBw64wWzstVscEKoDCzYMiBHDggsQXObs3RkD2Ht6qEIsBfZ2efyyVu8OOgd6F/prtLFQcO4Uw2Mz/jG8Ilrtz6YM9ZTJejK+bOZIhvQuRh5uSmYaF1UZQiyRPEOZvOxNuHztpXetwSVJr9dhtRYbtqEgF2/Gq7f7tBYlaSpleEJBcetzhaa07L0HaYwlb+9u6NdeBphi3yti+4oimRTgebsrrIoStsRqtj2ENavZOtuhhdL/n4PSFuCLJUOCbN7KVPTPx6ge00b2lXTP4DF7WiHWP5a8AG7nQTd
j5iX9Dl71X0zvJCh6j+ImeDlWtAut1gqSyhZhI4X8QRaoeZFm6jyIEK9PYh3FurH6JmyJfv+julW2LUaxUdc8VeCs3Xu27NHLlwgAqG5thTrEbnciJx503EGfmgEIGJxcaqkhevcGmuH0Ln0/rpNP1Ralsb9Hz6qVLQIxRrA3PA4swWVcygkrHLLgrHAJax6oX5UQqzVfNpY6EmIYY6+8ag7bb3//MVFh6lpMmHXcU7wbG0r9zENDcHd/CKPTF9/ixi3WAHmGNY2HDSbnC+9BD0hl+A3pTGgJ3QO2Mo7ZLrPlG5xGMBuwXi9neHvif99r2+F0mSq1cp91v416Jre7BrtJ31eXlBtU7vpOsCpPSrhTqlBdeix7pQSZac25rpSqoYQUMz1Fr+RhArQtssu0ptFw998eCuIj14TAExCiijMJZFKfqehBrRk9mU/oNlwzCeHNVq7C9PZK7iTqMe94D7C1oZ/BpStuF0EZdnLenKKC06x2kQSJb+bK/ffe14CVFKKiOKYkW7aCwa+QAQckmpGnHSwHMyEXG5kyu5gg35lVR6MT3w5X2OcEeNLRn2yTRnEb2A8JUw0xrYHMvxjsE34E27cToaa6ODfcIovfjquAh1d+/E3LG7R+7ZM+ZSyJzcZXg7LU8SCUGMU4+gvdbsRtSdxw97yK3hNKKkXa8MZFaTk5uo5qTXORHlOwLIncUWZanpI7eUdH3pfZ6NpBRa0ITU12MXLYCMH34uAqapyUkxtBe2HpTVg2V51z78HD6Xx9fYww8PkxTdTVd0M72CGbaNkxWWpViGflinJoLbPu0yKUWYMyJw1QqzJl4YK7/wsVUW5DFJD9hYSauTp6ns9U6lLe0h3KuFbLq+gDLVAbSI6NeidCgaK++SbDrUJL/dtnBh0hcgq6vqTnbxbYheBFr3fLh8Kr9/q4Hkll8N2PV3QGXTFdwc75XaxhjURW3/+92vaPybWtGdc5L/jHcm/4GrdNdZQNgxIGzmCuLvNgOZUFJHXNNsjcolLtmrz7vvYewDdCzPqFwB2ZQ5qOZDCYxxWdw/dgppFd0OdWhipMmzYwmf+tjU2XZnhSQtpp0WYI6RbZmI0c7/q/j2sNCVOnkvCMeeukUwA1e5P2Ahvg1ooIAzeTt0Wdt4cffDCrxn2eXrULxZT1ZTLrm92/8EKZaP6Dq/XkuvGHNvT19dGlmF04RC1MOTsGAHSyJU48av7nozjnlJvwWV3jXfs817m81Py3kuap6FxA/HT9kLRr8PtWVyv9g7oh/Dl99zP56fI0lDy1omJofdgOyLn0wA9CRN/iJwsWHETN1KXZp2zl/12VDcUaHt1Ya8fW3rj+4inxrH+pFuYnJ/eqMmm8s/doMk6xF7KcqPRTsiJr88M/U6F/2C/NosI6u1v/PBNcMdNG9tVbirbPUaNFGA8Z5R/UFaKLKnmdCoGVYC+KQOXpBZ0RBAYkCZrf5StDe2rqn7liZNUTsNo6wu52+fLF+cXuzo0CS1jvUdhrC77wIGCt66F3ERaPJLkXFpyyeeSorAYOaK10jmb1z4ZyC93SC9a3U1hV0f8T4dI7y7jKStV5OC8/+0j4ZKJpgQnzsIgW/fzCXl6dk2rWsBrcuEdIh4sSu9J3C+CkbmjxzbRObV5WuKYcXPlVO4D8LpDKV7Pjfk+PA0fuLnaE3K1ms/noPONsIuz7HM/FhBwQO10ocEslCjd6fG2+sik0a3Q+xE8C8PYe5DKTz94HeNZ14zj/DReRnLr6DxTVV0cOe8KdyXkXuEYV+/fM830O4eOklifOsNxM6ps2JiVFtTSB8oa62PeSUulsfOAk+stfiNT4qguV1Q/TIbesKu+k640PESOiJHWyE+dEKXkHWVtP+W4cutE0FHtGCW/axVUvV8KeVsz+VBrDdQkzw02ltomleLc+aMoFw9mdrjFp+qa8PLF+PvlXtbmGBg6jD4NGh/7u+CwiF/d9h3LPH1vcMhPh3P3DnnOuFRNqhhnr47E
zJPfKSdJUzodBh7ZnxIDzt2ZcetIvBHCyT1iGsbAmFkjyJlbnzBVgnFHom32G7csuCzhOjEDBDf2MM3znrIFF0ZTTLdITEFjfLOimgvM4Il48Hz8Xc4JRSZ+534bpUxmOIdq6psLPZBGHFYnT7t8zhq0qUPRrZcwA5YFFWGTEN92eHo2UmTo3VzD9zh3QolXvrokr+Cr8t92H1IuDSnBUi4iToapamzvdyOkKXH03MzWY0u7PDbEY/whtVDVIls2zxtSwoyGEFDofNnG8EO2ptOKl6AFXWMhl1XhcSVPIzfSfYBWd/g1zNoqcO+rN5bbBhszkihhG9tg2LDpvtc1aRSr599hNDWmGWQVU1Xl7lOeY3TioRPeS/attVry0vvP2i5yFZjRRKhSscMDjXf3lv3CxUZrZP28vLhqcF1j0tPDyPp29byy/g81PdDvdDB5/1tNQwAmfrtqnq9x7ikmFPudv7w4J+cDhaqPRrautaG6ZD8GCQu7umrYeVJD+i7+sJBbHVfuvYgopqrMXfE1qLjbVToCLsThMqIeLdJ3S/AhgyNUnvdcwKF02CfQdvEQPudlF8oZceJVqa3GQRl4gpc/nZLX0V03OZ+pdrr3xSffPacNRGGyxjWwpu9F8KlfU4iVt7ZdmPYlbhzBERL1ipfbDpGuupIuKRd0GMggnSucYH3lDLQembTg79Ahvv50cbdgrFShAZQPwA5ICukGhs8nIxKRV8W0Kct1cv8Mr4qkdUA9uI2Bwxqd7/VSpYeouUrY5WCnxK4wzTEKErjpZ6/6nqu0KbntKus2fdECRrHBdpuKDS9KNuGF/UT6LLHUHFwezSo/+XxGnoZaic+NcLrylAss4MA8sLPrWhn3zWfku6GjQe5GYa6kWsktQ8gAa7CZxXIb+sikTUaP4ILbTQs9aavc34fSpLcwp2xNPo2aa4JPNX2Iovyw8BaLuSQV5XKmaQV70zFqqnFqb/4+CVvK5QUuS96r0idHb9oC9rLOIkiRG7QvTBVwjMhlIW33jXsPK/JrI9GUfKdKEOQpl8vJt88JV+w5mbr/A/d/VFKxNtxMvo3HFy2ri5mgg8n5qXWobQ3/5ILgoujrQjm5bodfqdneRg1WZcXU/3Ua8GzbIBjQ7iBHEVpWaeXuDmaf3/1ONZCPPgH4228/v/v9zYezb7/1ObdLqikfPZMrpa9SlizfeMF+bxfsR9hGnWBUplYiQs1O2i4l3XNAmXsu1hlMmJnSIA1nKQVIz5WUAeMqvRckEh9IBbRYUT4cTnxv7wD2Pk8N1F2f1CXqpplmuhR2WhqrU1e+Y712NodY/y1N9o62NR/5nKSHFrtsBoMNVJpQbLKpewn1Lg7EjI86mlpSszliDyU12o0oQuZueU9cKB/cT/DujguHfND/PwxX3ajMfvLfgxyxsuejD4jsRfJBDkcbx92Hn1JHSNra2tmeXfrUdhntbZYd9sl8hm63wcm9OTLdtqzmx4iHYdHXjHLheN02c7kIMuP8tF/bhp24nDloYR5pYTCeVdjmXBdORTyAnkMSrzHdOlQfnaiqauSuJ2qAnTyscdN9sXsP1/bvENepO9zMYZr1fXG7pLL8dxWPmm1ws9TyQyTDvbEbLryFnGlMzRlXybJEj2XBI/YrquUw6PDYUTeyqguVSxhfvn93QX7zftRNUmockS9HTSW4/I+35EsDeqR3ayNkoWG3U2fe5IaeQ3RNPrRFZ9G0rk5LZwkf0j5QlXqMgANaH+Q4ugmqjQTH7g23TD+ggQqqqwy75cBmcC/QOmEBcge0KZNNpd2Cmbbb1RboktpdrfC+cKcg2aKiOlVZSQd3XdPB+OJ7R58oG6RTJYFZLJKfBQaztAVUHeDZHFstZQCrpn9kgFrT5JMwfMep5McLg+4FT/3ghM5tFTjVMznSsqAMB6OkLz9xsI1MaLz3AE/n9fIneW0Xyd93JgtmdVGapH3Xe9Ad5MMiT7cAvBQ0ucSQBcg5lwmLIoegc+RG
y2JWmBW3LLn8kMVMqJWhVfrclT5saZf5oGeIujBZcJlTnHBZg66m62QJ7wPYNbvKA3xJRY6zwuui1sqqIn1ICqEvfyrQ45getsh2N4WaF2UOZjvA6fPfmCwqel1Ym8ptsA3YnWgBGR6FistMSHOZD+lamEJMRZE6LLoF+/uMwJN3Bu/BTt0LsQ87dVVvH/bPGWG/ygj7XzLC/h8ZYf81D2yrakGnkEOkdNDTm2eyqBqByvd0neGdbIHXVxn0kqoRfF7VebRvp2VSMU+dhBQg8xxKiYEvLL1vRBbGJyRm2EGjWR5r0gHOY02atWnqDLNImezKqrOYqlZZZ3rAdQYRYpV1hlku2GjWZAHeSH4tqVQGWIZDuHzluJLpUVi+UrVdAC0zuNVUVRdMZPBhO8AZgiQIV0/XNr1b1EE2WSDXTZEhpsE0t5xRkaGAyBR0DpKtE2Zd9WFLKtZ/QjnNgfeywDagWSD7djB5sPaJtVmgT+f18lUeH7Qpptz+NUujMWaKtLPidgBrlVxUmyzXHKEC0+mr3Iz38SebtdUDDHbh/fzpnSMeOKp9WYD7bvLpOsj1YM+4gBw2jClmOTaRz1IWZ28DzqEbmILXmKRYZBF1vF7+VBpbD5r5J4JtNMsCW/AZ5DBjDDqaKyh5soLRbdhc5jkllSobAYapHNwOwPk8g2xStVlRm3Tmfw96LIM8CWANc26spuk9IRvYGTQ+DXUuVutsvDbYiVxnkq8+M98f8QzQrQZaZVAkfSlQLrTzKderheKm8BNm00NfU02zHPBypBA2BeSln2+fGi43lsrkc45LY6eNTjUssIUKflZQDqhNclzT69FtTXJqsDi5YZZ+2PWhnQb2wZzTskx9B3iZOqzatg7K8BbxqmBaqSpLVyIHOIOZxqsiT3Jk6HiUg831VfL2TLVJ37KU16bWPDFQQS23TfLsM8ElpGuxs4Fqkk7U6eBi8W16t5ZQvutpMRMq+XPeAc+Q8u9s3uRSxwHNIHGcDZ0B1eS5CULNsxxdOc9ygWulUwuwatrMc1yzihuWQyxUJsuBzTEHQoLF5krJ4SaX4b4BdOqMPw81dTqeXK1SWyBZKsqUHwCd3BJV6TUjpfm8iMzjujfclQSd/s2qCz+UNznYpJOpN2D9iNcshyxD4WaYiZNaGASwqaVBXXhHUnJ0qTHuw4ItUtX5D0DDdc2TBwJq0NVcU2kHPXdTQF5lAZz+6fWdyD592pkCmgCwVvOCmjrhwIA+aE1TQ9VARQ79TgNDPviuo5mAp2eyg5y2hWsPstJlBozTOzJNBt+w8b7hDPkABlInAviBxxmMEwNf0h+AWIPWZFAzmFKGzzMIXlOn9rIZzXLcA83K5Iq00SzWFTcBYJtuxFYfZmOSd9VcMpm6UCI6Lfa+QH2TztTk27lNf6w80PQRvW6mZ2q46zp5t9amnGbJQ2+0yPAWNgZ0UfLUVe9Zxla0kaEcbLDMWFql9gYvCy6NpbMMmsGSa5tDDV/WMkPrJqt0I1O6WWNt0SIdRd80VpEPjSSDpbvskYzD8j5TwUtyoqHklpxQXYZuhgbbv8fR8ZOzMnJpbEIogsEh+gT7GzAlSKxUp8uH4DIf586qWqg1DAYL3si/mWqSNfW+5RlzPPQ+I5x3pmEO16Siu40WNrFYOW92h4FkR1Jwg8MZ2tXD1mMDJWKaulbakmHjUUJWC2oJt6TWMBs7CvdIy73LEIoY44PV0aFAuAyd3Uf6Qgsuc0/k76HqVuvjaYhVc7AL0JPN981CNYMXjRAJS9DdOCKrSE21AfIOLMWJ4P6u0o4FT9+quXlx4cten5HTMOLrObGLyJQibAb8AcLoY0Rbkvdgf+dWgonv8/BQZ2HeDEd2d7cIF/fEGqCaLSZc8ih+OHP3CP21d8QnzsLAZIgXgjYSZ/3OG5zj2jZxjzdw3+nXvoem/O24O5q6JtxhfvGIse82okhY03S7zqu4LPkI1xZvxZi74BjTqEcE0mZw3XucUC3F
yMRL7J6bcRw49s81YImGLw0Yu6dp9+HZynfvle9VBhzL41f1EnvXI9XlnW67U/bh5DHC2NjW37FDu3kdpTzl7P+b5xu6xc5PW6GAa8fPBloN6ZJ473iE3eMypQaIT9fusCGDW9XtUvjFw+Aru1HwHeZK+/b1UTYSQg0xADjujO6fV6WpNJQdYbzvoMO0X1qi2rs5NKzROAFtH9I16Ip7deNYSG+W9IM5+JILmAMRsARBqDF8Lv3Gbeb1x48+tmR+QPmN6+856dMHmfTsMGsk/9LA7phEGr98PXwP65h42BSUVqPhpb+QTEkJmFtBVtwuxgQFIZHKkE5j13BQedGdTQvHTpQn3RMl1JwzKojDYMT0QSweFjtcamRM48Pxrl6sTRy9XjrbSu1ktaZ+4Kng1BQLld0m8EZcZ67hLJXNUCMnFfsjeOL9AIi/NA5bfNPCIBYmgOrJG2GUM8S37tspBsvJr+EXE/JGrrt/DaBbtOWNtISWE6aqurGg42I4ixvfEZbPPPtmdy9wxuLWhnD7z+bl9z/81dm+p73taDn2TRTtcE6LtBGz2zpu6Bo0+ZfOJ2deBDQQufitT13/k//Myw3OW6d+734cmLx8k2x7sjswxa0zIe9/+3jmaAcN3nmC/tKSG6ahppKtnVYZ1DOxmwtCkEPPycd3r8m5tD++fE7O35+e/edr8ulc2lc/kaerxZpI4HYBmrCFMmFUmtIamMVv/fDqf/23Z0+iHAG7yCjjdvmBMnVS0fg4HpP59N3xml/6s3jeIhW/4uXjQrovm27A/MCGcbd+4GP47iimG+vkM9e2oYK8ffM+iuyfSkI+X9ZhJ+P/KAmTOG8dul+NCEVCbhaeuAWP8Q3esw9zamFFH2BEOp7uC/KmLDX6af0pj6HTPb2sqg+Nc943FnJ+8u7Cv0qj4bGKmiNGP7acSl5TDW83Ob9wqIx4vxwPD5wEkYSHbu1xHraaWOGnax1XQPTQpWXJ3Zep2ARse7P84+/cEQ+AMwnxgqtww0+3j8AAlU2udRa97rZPGiXvA4YXSttOJA+EbokBNtwAbtc3S15zZN57erict49JS9a7McZLiNmNx/LiBuzQ8qXGKMadyun9RgMdhzi5rKmcw6QznZiSMz5vNJRkukaYIEvMGorLmfrA1gODotERbTm66CxDvwORUPfvl3AldwBoqJSFImR2p88zSs/aUpqCFj4VPwPo2uo8wGcZjsQsQ7WwyHEdcvU/qTMwlZZF64nLp5bvWvCOjsnuan1nwgNosGd2AVqCJR/XNTwnn9pn7C06wH4kF60DbPAS/DamqbWjeo6gTIyYxi3SwS/+nFAhospEvfkiJrhRjYl5S9DuDeTSKmIsPuZckk/nowKFYYJsNnmVXGQ7oKrOMPbNAdZgUmf0OrAZSlz8i5g6FR397Rmw9aMVCgFynnxSJOLslI+MWuiIBupVHip6ARhJGKYTzAglvyi9oroczukm5M0ck700oe7GX2Mu3RTsCkDGVc/EXRPvGuNWlop+qM4jQ7BlPGZGDCjkMuS5YlpCxa0TS2HERpzEpaDyGHH8Wzgo2wSRnotyQOC2y3ITSVk6C3aOBuz2y5M6UgkMuxAs0/WDu13EnmrLWSOoJtgvmrRIPD27fv1WzdVsFp/+DqywC8i+vVvIfnQL+tvYw/vM4e3QfdPYBUgbksVH0TZNys4Jt0vo8UuOo/7JgB5FWDWWqeNyOiw5jvBlwxgYM4Izdh4/rDnaYYkniBdxKu5c6TWJFCYMcDuGcNrCEXZwdFIJA3ymVtK9K05uxZTD7odkoChtU7VM149u5N2kxHctxZoBwaHs6Al+mB19mEtiuG0i8pNgcQEEER2gLqghtFS1e13sArgmaiU3W+YZZ+m1kqoayavFmRyG+xb1x1UinHLPZenkj9KmYwAlv3AB5E1AbDJgw22cvbIjzN/J0YTxjv4HSVcYZcFlyFpIy4UYjRFGpKx3vwcjfL7eZajXSM2J8YTQqcpZ
PRAhfgoLuuSqQe2SqarWquIjGYpwbOTOJJ0KLCKbkZP9uHG57MRORiR3MdzSOkkUgS0Mkw6XOQDByPodfrl3t/fKbu7b6LHblFk20u6Ws6XW6EssAy/YIWb9rbQgfI/nIEFz1pKEDMFEv93UAm4X+NTGZruRgOyE/TAxVo8HP1uaDmm79WA0vdxPU1Av/FoZ6Yqapp0RbnkFxsl1r+1pqGE0iBR2IVlTiBs3AhsP3nMb9C2P1iG9ux/saP14O5p+KEyyIae3Ji04jG+icEAbUrwRCLcQBl8vdS9vpE4fde/8RUtCm75555L1Uj2OALlBjncC5Os9jj/evGWpRhscZ8tuJx/1USVIyjt2C/lx1OOYkrbBYeyUeixB2/FTJ6/caeyiqMAu1ANESeiWJ5l4NMLXRjcceylpldXrtCeq80GJ4K91iOw5l5k8If85+fn778nTt6dvLp6RU24sl/OGmwWUWAofxUWoucreF2hfJAyzZWcej7DN+MWRjDGtMnsV99V/ul2NYdDdGPTIJxv6fJfrwjDtv6v77Tn+EKdYzJTKWJv0TaYYFam60+0Q8oGWvDF+BaI0MbzigmovnpzYdHeI4bseL6/Ce254ecxOI/1M+U/uILRexJ2+mJtLnq/O4o3cd9cxrBEqDXv+3+Akwk8GZyE4bqBXllHGXZlK50wMGIRskNVKz6nkf+7Jqpb5jsJtmX0Ap/tnaoTdM66jtaSZuv784pbD18K3+PK9i7aymn8FKuyCUQ2k1lCqiksaLbjriacLajlIa25Mjxf0mNS+pQ9KrG/9CHWmg+uuzhMnuGqqLTZD2pC6X6wesdlREDa3kagzKEFTC2WRLKlsz/lwwueXdsUueHah1ZKXXfOw8D1a1yJoqoODEZr/uGdtW6eNKzgbInl5JCq7JUOvP7seITM6PBQzJ5fcR88Xu4r7SAu4TulMORT8rponXKPO1PtRrxJ6HiHU66iosVJDjFXaS3wHrQJLcbUn+K2J+9aTOPUVL0sBx5Ny73C928q5yPb25N5Bcq4dj3Ecci/Car0OQ3LdRmefk1pQt2XufVaagGR6XY95+TEV8gj25C0y6HRnW/6qjCXvKFtwOWLSlTST5Phml9efJGb61xqc+HD6kW9yZibkbUlr8hn/4fWjUklfd/rP4eNJFnQJTnMSQDX50oBeE+xBaGolDbQaVbw41dFb4G+OIy9DDzzmIGvedoGUnnzfl28cz5akI6C6OUAfQnPU22KKU57yOsx2z3jbWnqriZGzDcPDyw3RjZRRO9Y8714eH3n2baRGauwCxCJYmPk3gpIVl6VaGWJqYHzGmfvkeaxOMOTJDi+II8/ju8m5IU+xIyxItnmGMHT5rMct0kh8x9/CnLI1+WS2G992Edhqt5A2eXatW+EIBvvIa983tRAVrFXDQ+ZexAHHuz4Aker/rUpTLOcZsm+b7PwK9Vh3Xq9eRyhGCqMHLfzmAGKPk9c7RmrI8A2u91bWnSHp411Ah9Qcx2HXBQy292aTkOm3YbBD8YYUNxc/Y9lAypGAoxVuSHIJMy6Drx6FE3b1q2g90nQQsTuoUCwTbhsHzI76l1owdj7b3LSHXkojvSk7H7a1lC2qI7fA36yKDCcD66i/HVmGvEy5TDdBLOndcCRjUWHexzMipPplO7gtvo32prw/MrVzgHXet+8GrGuq2zPl/vx8Q8pqwQet1Im7Hc6W9cnvtyLPJp9Z4ttaKL3Ot+F/MzWV/3Zjx5gWke0u6q16HnuaHFv+9gKh30Dbg6lEA6rafuv7qRo9BQVIq1V9iOgoVTMdOBdudcbDms7ahhvKERBHX91x3Ht4oqqaynV3H/Ha4Th9b68sQbtnqOBypuJKATVXuWuEbpAfO1Zki9kK8nZFn33JlSPwSyPEmvxHQwWfcSjJKdY9e+dgFJUVTAum1BV/oKD77zAlfv2N/UzFmDafvNvsJhxeNxZV7gNHmN581z90S4QpO8Ed7X3yE/JxXXvSN54D
xxy/g+Obp2FWJG0mu4O2w8E7IvQTE2tbu4vMMVx1nXK5jZ33LNZKt95+DDF/eDuy5b1eOYmPU8uLOu8coj2scCvf6Llv0dRKZdJEtpFy67j9IDW1cdckkwU1KaP9PcA6lNMnhtxokXCbe1AT7kpnjBaNTuUN6cE0oAs6T2dTbkAnf562QSdNf9wGHU59BsEC1xYkqlbpjRMHP9lp7hS9hYadVJnUGpVf4hi1hFsy9yMui+rVi/DfJwGFF+E/Ql5TzO1PBeh4dl4g5wGj556YfvAcPa69UWsDcsowEM2ZVFzOQOuRuOuQ7qPQ1Vf8b2R91D17BCTbvsSz3jZErhSGtVXWKxVZ4mjH78zH7d2x+4gZxLr/p3/AMEFrfOAnrxegj+OPcDp7yHh6eoKjH5+RE1w/jhpoe6RmKSN8PgEdhn/CVhbmnua8kDV03GNkb8Pdok9Mr1P03p3mfx7qlbx7a5T4bpNL/mfcW8OvMsmU83+cEQlzZbnfwHpBzcgEKMOO3Vaot5V+8fHhgm6rs02AGiS47JyxtnF6W38TT0gxfH6Miort/kbd1MOPo4OWnTThxjTJlU6EjMlS+bx194uhIIagdVYf6GBT+tLzzC1OLjE4vU86HSVDousMHqLITy8xtXP/Y9STnocheXfpuQfHcRFqjCiWOV/03ZBqcGRHkSkLd/Rok7xNo8kFmF9BsKgzNTf4ZjOupP8goWz9iRiM1ylNzi/f/OPdBblw7xT5TY5MX9lgm6mS+hBsP65UHFsUQ2wB7Moc5ES+nRDO24MsNnSu69fZtQjDNNAwgnAjBfdouaD5oCnkAyi5Ho+uK8io0YA4W2qbo0347GO5pIKX/iBGkNgVhEfrar1PECLHrmBtdsV2opPfJpAmhr2wtjYFxxm0WUDjVuZgCKOP4DbxuWwrX5Tmdn3DjWKqqrL2ibsl3h6P4BCKl+CvuAaxa2mmdrGsBJWFMQ818Nat7GX474HatkYriq0vNS5qxY+RVh1D2GNAEANEKm4NIFvZgko5aJyRu91UWBURGYnZHqltc/ewhJmHv7998z68ey92lu8eFKv0ru8/ec82bq6KpRJNLga8aec4yzDnppuM3Y7zbSS3hjz1SJhn2K0DC3vbibo74AkiHaVGNJmk2duA6yfJbUgXmGwXHSxBY6bArBGEKcmgts5QvvR7ONJeYbXKKX09453B3o7QdojWSluiHH9//fc3sRTcKNtTnzul58dPsNwtMNhysU6pb3YSbRTz97PfLs4vyDt6XXFZdmO949vqaDt6GubWEMURsgIZA+r2kdWpT/GSxeTp2b7KsZgdr2DzoYvwW5Kzqx1bzrIglc9PQ5fegMVeDMXxNuWBewW0FFf/5euGu8IcWQ41ydS3G/0lzoR+oOzGMK4arfguqFv54t7nxDSRFHVqyN+M1UrO/20qKLsS3Fgo//Yi/O159ymXM2Dxj2Zcw4qKqCJDp6L3G0JlSYwiI8dSw5wbq9fOsj+msKipXYRm/R0OZBeHAZLolDoWmr4Q2tdrMaV7Xcg7fbLDHKTV67/83wAAAP//mfi+qw==" } diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index a97a94f09c0..4b80e7fca9e 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md 
@@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-08 15:21:21.91027 +0000 UTC. +at 2020-07-08 16:42:04.061294 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src
+ overwrite: true
 type: keyword
 description: This is used to capture the source organization based on the GEOPIP Maxmind database.
 - name: healthcare
+ overwrite: true
 type: group
 fields:
 - name: patient_fname
+ overwrite: true
 type: keyword
 description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
 - name: patient_id
+ overwrite: true
 type: keyword
 description: This key captures the unique ID for a patient
 - name: patient_lname
+ overwrite: true
 type: keyword
 description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
 - name: patient_mname
+ overwrite: true
 type: keyword
 description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
 - name: endpoint
+ overwrite: true
 type: group
 fields:
 - name: host_state
+ overwrite: true
 type: keyword
 description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
 - name: registry_key
+ overwrite: true
 type: keyword
 description: This key captures the path to the registry key
 - name: registry_value
+ overwrite: true
 type: keyword
 description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/microsoft/fields.go b/x-pack/filebeat/module/microsoft/fields.go
index 1e6b8e90a13..c3034bb7090 100644
--- a/x-pack/filebeat/module/microsoft/fields.go
+++ b/x-pack/filebeat/module/microsoft/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetMicrosoft returns asset data.
 // This is the base64 encoded gzipped contents of module/microsoft.
 func AssetMicrosoft() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md
index 7cf85a2bb4d..33a71445805 100644
--- a/x-pack/filebeat/module/netscout/README.md
+++ b/x-pack/filebeat/module/netscout/README.md
@@ -3,5 +3,5 @@
 This is a module for Arbor Peakflow SP logs.
 Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109
-at 2020-07-08 15:21:15.431917 +0000 UTC.
+at 2020-07-08 16:41:57.809586 +0000 UTC.
diff --git a/x-pack/filebeat/module/netscout/fields.go b/x-pack/filebeat/module/netscout/fields.go
index c985492bd13..db8685bac9d 100644
--- a/x-pack/filebeat/module/netscout/fields.go
+++ b/x-pack/filebeat/module/netscout/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetNetscout returns asset data.
 // This is the base64 encoded gzipped contents of module/netscout.
 func AssetNetscout() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml
index 3d395874c03..ecf61b431da 100644
--- a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml
+++ b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
index 1e939121cb4..4a4bb15af8e 100644
--- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
@@ -342,8 +342,8 @@
"observer.type": "DDOS",
"observer.vendor": "Netscout",
"related.ip": [
- "10.38.77.13",
- "10.179.26.34"
+ "10.179.26.34",
+ "10.38.77.13"
],
"rsa.internal.messageid": "Blocked_Host",
"rsa.misc.msgIdPart1": "Blocked",
@@ -879,8 +879,8 @@
"observer.type": "DDOS",
"observer.vendor": "Netscout",
"related.ip": [
- "10.118.32.22",
- "10.182.199.231"
+ "10.182.199.231",
+ "10.118.32.22"
],
"rsa.db.index": "etconse",
"rsa.internal.messageid": "anomaly",
@@ -1192,8 +1192,8 @@
"observer.type": "DDOS",
"observer.vendor": "Netscout",
"related.ip": [
- "10.161.136.76",
- "10.108.167.93"
+ "10.108.167.93",
+ "10.161.136.76"
],
"rsa.internal.messageid": "Blocked_Host",
"rsa.misc.msgIdPart1": "Blocked",
@@ -2192,8 +2192,8 @@
"observer.type": "DDOS",
"observer.vendor": "Netscout",
"related.ip": [
- "10.179.210.218",
- "10.44.47.27"
+ "10.44.47.27",
+ "10.179.210.218"
],
"rsa.internal.messageid": "Blocked_Host",
"rsa.misc.msgIdPart1": "Blocked",
@@ -2422,8 +2422,8 @@
"observer.type": "DDOS",
"observer.vendor": "Netscout",
"related.ip": [
- "10.74.159.77",
- "10.131.74.36"
+ "10.131.74.36",
+ "10.74.159.77"
],
"rsa.internal.messageid": "Blocked_Host",
"rsa.misc.msgIdPart1": "Blocked",
diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md
index dd2719659bc..82a38c26a10 100644
--- a/x-pack/filebeat/module/radware/README.md
+++ b/x-pack/filebeat/module/radware/README.md
@@ -3,5 +3,5 @@
This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114
-at 2020-07-08 15:21:24.265495 +0000 UTC.
+at 2020-07-08 16:42:06.209805 +0000 UTC.
diff --git a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
index 3d395874c03..ecf61b431da 100644
--- a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
+++ b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/radware/fields.go b/x-pack/filebeat/module/radware/fields.go index 529f2700cde..9b5ee1a40b7 100644 --- a/x-pack/filebeat/module/radware/fields.go +++ b/x-pack/filebeat/module/radware/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetRadware returns asset data. // This is the base64 encoded gzipped contents of module/radware. func AssetRadware() string { - return "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" + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JpuWKavgLIZZbAa/JB/8HcgozkAYutPoLISUYpnltuZKvyb/9hRDS/pDMOIjSTP5Cwn+9xk/d/74jklbwmkiwK6WvJlxa0DPKYOL+3n2NELUEvdLcwmtiddP/xK5reO0QXSld9v5ewow2wha45Gsyo8LA1scDdNv/vacVEDUjdgEtYqRDjKwWoAE/s5rOZpyRBTVkCiCJmhrQSygnA/q0oXcgZq5VU9+elF2mbpZFrCUVW+SNrz62fmyJzSKVmW/9ff8K4xs22JWPC27c9wg3pDFQEqsIo7VtAv81XZEKjKFz929qCVMVGEe0cp/vgCbkrZqTU2CqBB0nxMPiu0gdSk4LF5YgbeFISww4IJyZ+4HlBnnOlLQgrXH3g0tjqbQtGiaKo+XVIQiW1O5+MMSOe5zcEoRaslpwtiCUGDCGK0kW3BpCyXuwv3MrwZh29yeDo9ERaxaqESWRsARNptCdu5pqA+QdWOpQo2SmVdVb6ulbNTcvLii7AmueDcCfcg3MivVzYgPelHwALyz8CZc9NCdRRgpYgjiAk0LJ3fu5xclTqDUwagMmJcy4hJIoKRAtS6cCSEXrOFaVmRfJLsyePX4X7vn56Q9kSUUTbjwvQVo+4+F0wjVllgg19/ulBxuB1HEHPpwW/J7bjppqy1kjqMbfh42djJ6MAeiDTkrsZAwgj5+U0S1ZHndPXv7/Pdm/J27VPBtyv+urpn8USMjutjwa7Jb0EKGXHTUNRjWaZXp778+2XPf/fpgZSy1UIO1jRI42JbcFE3TnDj8S9EBavX6MiC2cTvUYEePyMMTyakyt5Hi8J60Eeoj0yMu2GUCZ0oYa0Wtidmbvi61bwGEz0EMGSsL9rIgdPWQA/QYrYpyLO66VI3FR9rwqUfZ5dg3ITMQ+EuHgndnHjqFWN5J/aWCjRuuO/vCn9bZRe6Ikc48DteqxW7Yj4mbJ84rDPndP3DJ8xhnt3+e3ak7OliAtuUThTBpZgnYmiIYgqAakz/g1lMSAdUC2fry9hhk3WNpNGMC+t8HSbcIA9J02ZegJTO9fOuxgDui6A0/uxoOFMpn01f65/FUZ2xeRYvdEGpAll/P2QxM7Nj0f0tfDX37IARv8aJSx5xfLnwgtS+1k5dh132XugHqrvlbmLl/lZu+r/3fZ67iVXzbsygXvSOt7y0pCyZwvQXZOsq9XEXAsOsx/kdcCKR+j8vd1RDRGHRqqXhcavmTY637wEDcY6Z6ukctnfmlygRfpefBmW0o+rmsgjA4lyBQIcLsATT6dS/vDK6I0+UUoan98SabU4ClqA2QzPm80qn430H2IuvsV041h0HzGZwL/gvv1XOVys+2zjtuVv3oHg9IrqstsSl1PovXI7nPy/OLzlr5HiQZBd7eUELM2FqrwiAa0HbQF+JNqPPPcv5Xmcy6paH+zra3cwIdc+teexIjzi8+vIiwI6A84cX8WdBgNuZzi9dkc1KHieOjrswBagj5K7PpXXIqcn94nSurx7QdLEcxhsdJH7WQTrMjuZ6OtonW+UbTwojjT5UQJAcwq/TUKYMe9B8i5cWeOG8I866B0mG4pqm/VrtpC9jD6EVp8FZs+FlW1UgaT3SolyXQ92DRCNHxpwFgH0PCqFuuwT+7LTtAToGxBDC+BPP2e2I
VuyMuff35GVtQQAyC7VfZw4lEor7fghKmVNJCPFeyrORVMNdJ2PoWmmnqh566yiUIgT+lULaHHDC6jmZWteDNWA61G7w/7ao7NA7MKSt7s6mkpGPVNTHPsHAt8Rrj9Z/Py+x/+arxIf1GjAG2R/ueAmn86e/AtXYMmL8mZZLQ2jfCRFWdS3kmux6DfM/gRya2MrfLjS/Kvjtzn5Mcfyb8SprTTl5GKsOhz8t+F/Z/ui9yQbaZ8E91CqUp4tLauXEHBqBBTyq7yasAeOaksXhtqvV3hmAiyrBWXFk0TC/EEZzwcBWitMuWnbfRBUwPjVCDGiKmxSjvNWq691uE+WFLBS38wYkgRMlONLN0LIwCR53IelKMbkxe3b8QAcopYYLgOe8JGI7uwFoqWj+WdC+gQw/8EUoHVnEWsjmAK97+MtrB/7lsh7J59ajcarZq12zYhv6qV25qhzcklUdoZY1aRK4D6BqY9ihfvK2GaVgyMKZa8LMpcUdezVvLMQYKmFi956TjYswuXXNuGCme0b/neZcTFwSvuzG6MlSMzPBXhqp+fEu2ktUGHCjKN6jnY7ms3csLoTElPD84Jnwm3nxM6SyhoKPjPT1vf6weolAVyGc4704AP7XQ9Jijd/9pAzFcQeAkrFaYWPGdmw6M25w0fqP2PQjdzMjfjecdb596AcNbbU9daLeEJ+a8RYfTiZcbFA8To3arOOLo4eXMRdF9GpWMPr2qldzVegk/kV5cG0TwO98cn/1ShIY6me8yVum3KN5ufbAx2r+egZT4hL39+RVbI9wqoJFSIuK8AnfqoJm38R2QFGjxYaokAaixRcqdcZJuJD64mft1MjNzVHGHbwLvflS6RcZjVBGwhlVDz9W4gbsb1QIsl5GfCFlRTZj0T3aVeI/7oNJekkSGnR2z5zEcralMXdPtAfc4gwp7YJVoUlVMylWzDCJquRmUaStYdtZIy1Fh9jEIGn4NirNEtRGOpLKkuiVS6ooL/GcvvVbqK8qcMWQ4Hs0g108GTdCcmbbDukHkh+AyQ4oiBb4ApWY4o2JvtLozN6WfZQxCXTFW1ABs9AKNOVIoKvNV8Rwz26s20faCDfOnWjh7nsaO8fTJHj1+lpF0k2qZNfWqqnJdNllP5QIw/k2UOtjuQfyqZu9vCHrHoVm9VTJ9e+3GXwwMRle1GvyEWrm24fGQJ2vTKKcp9eWCR/b3vYVsDTUXmpkyPKV1Cme8dDEk24Zky3YqtjtFm2nRf7MfXh6+VVtUEoTZYlG8YSKq58mp91QjLv7McNKF1Ldrql00vm4pKOo+V5hIiMLzT2oseKY+rIdw+MUStpI+MWVrVu57BgLFbzaE4vH3WELbgzrpRJZgJedcYi2ZSH6i7ldSO5OVSCwdu0l4BNps5vJdwDE0IN7ld0PNOwww0SOYPBHWqdcmXvHSaDZ6HuCC7bAXZxx3mxYm8rrk+GoWb/fSxoGt3ErkVa0+scULP6WsOKTyg+32jCTd91IXz3EnjTp5NBkt26WSqSS2BqoEid1+IHf9TXxXUIL800BztKLnT7U/RRj6uqCGIRDlybhC5H1IzNaFSsMXQDDJtXtkMr++8yoFrXWRAtS5yaM91SlG0DfRlcqgZdKXeK/IwJuSO+Rh9YwbP5Z3enEPF5k1y7ZBgweaB2OmGkNoRRNlAiU+hWJtG5A47jVhRqrFMVfDC49AZL5iVrWaDE0JlYMGWATlyQGAJmtucpSN7CGtXD0WAvcjOPpdP3uLFQe9A/0p3lS4OGsadamB8xjeGT1y79cGcsZ4qQVfOn80U2YDOxcjLTcFE66IqQ5Alincwm4+1CZ+3rfS+Jag0+e0ypMZy0yYE7PrVcP12h8aqJE2tDE8oOG51ttCclqXvMIWp/O3dHe3C0whb5GtddEdRJJsKNGd3lUVR2o5QxbaHsH4lW3czvFjy93tA2hJkqXRImN1LmZr+8QDda9rQrpr+ASxuRzvE8teCD9jtJOh+xLykz9mr7p
vhhQxV/0HMBC/Xgna5xVJZQskidLyIJ9AKNS/aRJUHEertQbyzUD9Gz5Qt2fd3TLfCrtUoPuKKvxKcrXPfnj1y4QIRCM21pViPyOVG5MybjjPwQyMAEYuLUyUtXOfWWDuEzqX31236odKyNO7/8FGlokUo1gDmhseZLaicQyFhlVsWjAUuYdUL9aMSYq3m08ZCT0IMc/SNR91p6/3nLy46TE2TCbuOc4Jna1u5j2loCO7mF3lk+vpbxLjFCjDHsLbhoNnkfOkl6Am5BL8pjQE9oXPAVt4h032mdIvDAHYLxuvtDH9P/O97fSuUJlOtVu6z9q9B1/Rm12g/6fPygmqb2k3XAU7tUQl3Sg2qQ491p5QoO7Ux15VSNYSAYq63+I0kVIC2XXaR3iwa/ubDW0F89JoAYBJSRGEuiVTyOw01oCWzL/sBzYZjPjms0dpdmM5ewZ1EPe4F9xG2NvwzoGzF7SIoy17Wk1NccIrVJpIo+d1cuf/e8xKgklJEFMeMdNNeMPAFIuCQVDPipIPlYCbkciNTdgcb9Cur8mB84sv5GuOMGF8y6pNtyiB+A+MpYaIxtj2Q4R+DbcKfcON2MtREB/+GU3zx03EV6Ojaj79hcYvet2XKp5Q9ucnwclieIhaEGqMYR3+p242oPYkb9pZfwWtCSb1YG86oICU3V89JrXEmynMClj2JK8pU00NqL+/40Ps6G00rsKANqanBLl4GGzn4XgRMVZWTYmoraD8srQHL9qp7/j14KI2vt4cZHiYvvpmq6mZ4BzNsGyUrLku1Cvm0TEkGtX3eZVKMMmNA5qwRYk2+NFR452epKsplkBqyt5BQI09X3+uZSl3aQ7pTCd9yeQVlqAVqE9GpQe9UMFDcJ990qE14uW/jxKArRFZR15/s5N0Suwi06P12+VB4/VYHzyu5HLbr6YLOoCu+O9gpt4s1rInY+vO/X9P+MbGmPeMi/x3vSP4FV+uusYayYUDayBHE3W0GNKeiiLym2R6RS1yyVZt338feA+hemFG/ALArc1DLgRQe47C6e+gW1Cy6G+rUwkiVYcMWPvO3rbHpygxPWkg7LcIcId0yE6OZ+1X372GlKXHyXBKOOXeNZAKodn/CRngb1EIBYfB26raw8+bogxd+zbDP06N+sZiqplx2fbP7D1YoG9V3eL2WXDfm2J6+vjaCCIx7/I4TII1ciRO/uu/JOO4p9RZcdtd4xz7vZT4/Je+9pHkaGjcQP20vFP063J7F9WrvgH4IX37P/Xx+iiwNJW+dmBh6D7Yjcj4N0JMw8YfIyYIVN3EjdWnWOXvZb0d1Q4G2Vxf2+rGlN76PeGoc60+6hcn56Y2abCr/3A2arEPspSw3Gu2EnPj6zNDvVPgP9muziKDe/sYP3wR33LSxXeWmst1j1EgBxnNG+QdlpciSak6nYlAF6JsycElqQUcEgQFpsvZH2drQvqrqV544SeU0jLa+kLt9vnxxfrGrQ5PQMtZ7FMbqsg8cKHjrWshNpMUjSc6lJZd8LikKi5EjWiuds3ntk4H8cof0otXdFHZ1xP90iPTuMp6yUkUOzvvfPhIumWhKcOIsDLJ1P5+Qp2fXtKoFvCYX3iHiwaL0nsT9IhiZO3psE51Tm6cljhk3V07lPgCvO5Ti9dyY78PT8IGbqz0hV6v5fA463wi7OMs+92MBAQfUThcazEKJ0p0eb6uPTBrdCr0fwbMwjL0Hqfz0g9cxnnXNOM5P42Ukt47OM1XVxZHzrnBXQu4VjnH1/j3TTL9z6CiJ9akzHDejyoaNWWlBLX2grLE+5p20VBo7Dzi53uI3MiWOahwG/iAK4LCrvpOuNDxEjoiR1shPnRCl5B1lbT/luHLrRNBR7Rglv2sVVL1fCnlbM/lQaw3UJM8NNpbaJpXi3PmjKBcPZna4xafqmvDyxfj75V7W5hgYOow+DRof+7vgsIhf3fYdyzx9b3DIT4dz9w55zrhUTaoYZ6+OxMyT3yknSVM6HQYe2Z
8SA87dmXHrSLwRwsk9YhrGwJhZI8iZW58wVYJxR6Jt9hu3LLgs4ToxAwQ39jDN856yBRdGU0y3SExBY3yzopoLzOCJePB8/F3OCUUmfud+G6VMZjiHauqbCz2QRhxWJ0+7fM4atKlD0a2XMAOWBRVhkxDfdnh6NlJk6N1cw/c4d0KJV766JK/gq/Lfdh9SLg0pwVIuIk6GqWps73cjpClx9NzM1mNLuzw2xGP8IbVQ1SJbNs8bUsKMhhBQ6HzZxvBDtqbTipegBV1jIZdV4XElTyM30n2AVnf4NczaKnDvqzeW2wYbM5IoYRvbYNiw6b7XNWkUq+ffYTQ1phlkFVNV5e5TnmN04qET3kv2rbVa8tL7z9ouchWY0USoUrHDA41395b9wsVGa2T9vLy4anBdY9LTw8j6dvW8sv4PNT3Q73Qwef9bTUMAJn67ap6vce4pJhT7nb+8OCfnA4Wqj0a2rrWhumQ/BgkLu7pq2HlSQ/ou/rCQWx1X7r2IKKaqzF3xNai421U6Ai7E4TKiHi3Sd0vwIYMjVJ73XMChdNgn0HbxED7nZRfKGXHiVamtxkEZeIKXP52S19FdNzmfqXa698Un3z2nDURhssY1sKbvRfCpX1OIlbe2XZj2JW4cwRES9YqX2w6RrrqSLikXdBjIIJ0rnGB95Qy0Hpm04O/QIb7+dHG3YKxUoQGUD8AOSArpBobPJyMSkVfFtCnLdXL/DK+KpHVAPbiNgcMane/1UqWHqLlK2OVgp8SuMM0xChK46Wev+p6rtCm57SrrNn3RAkaxwXabig0vSjbhhf1E+iyx1BxcHs0qP/l8Rp6GWonPjXC68pQLLODAPLCz61oZ981n5Luho0HuRmGupFrJLUPIAGuwmcVyG/rIpE1Gj+CC200LPWmr3N+H0qS3MKdsTT6NmmuCTzV9iKL8sPAWi7kkFeVypmkFe9Mxaqpxam/+PglbyuUFLkveq9InR2/aAvayziJIkRu0L0wVcIzIZSFt9417DyvyayPRlHynShDkKZfLybfPCVfsOZm6/wP3f1RSsTbcTL6Nxxctq4uZoIPJ+al1qG0N/+SC4KLo60I5uW6HX6nZ3kYNVmXF1P91GvBs2yAY0O4gRxFaVmnl7g5mn9/9TjWQjz4B+NtvP7/7/c2Hs2+/9Tm3S6opHz2TK6WvUpYs33jBfm8X7EfYRp1gVKZWIkLNTtouJd1zQJl7LtYZTJiZ0iANZykFSM+VlAHjKr0XJBIfSAW0WFE+HE58b+8A9j5PDdRdn9Ql6qaZZroUdloaq1NXvmO9djaHWP8tTfaOtjUf+Zykhxa7bAaDDVSaUGyyqXsJ9S4OxIyPOppaUrM5Yg8lNdqNKELmbnlPXCgf3E/w7o4Lh3zQ/z8MV92ozH7y34McsbLnow+I7EXyQQ5HG8fdh59SR0ja2trZnl361HYZ7W2WHfbJfIZut8HJvTky3bas5seIh2HR14xy4XjdNnO5CDLj/LRf24aduJw5aGEeaWEwnlXY5lwXTkU8gJ5DEq8x3TpUH52oqmrkridqgJ08rHHTfbF7D9f27xDXqTvczGGa9X1xu6Sy/HcVj5ptcLPU8kMkw72xGy68hZxpTM0ZV8myRI9lwSP2K6rlMOjw2FE3sqoLlUsYX75/d0F+837UTVJqHJEvR00luPyPt+RLA3qkd2sjZKFht1Nn3uSGnkN0TT60RWfRtK5OS2cJH9I+UJV6jIADWh/kOLoJqo0Ex+4Nt0w/oIEKqqsMu+XAZnAv0DphAXIHtCmTTaXdgpm229UW6JLaXa3wvnCnINmiojpVWUkHd13Twfjie0efKBukUyWBWSySnwUGs7QFVB3g2RxbLWUAq6Z/ZIBa0+STMHzHqeTHC4PuBU/94ITObRU41TM50rKgDAejpC8/cbCNTGi89wBP5/XyJ3ltF8nfdyYLZnVRmqR913vQHeTDIk+3ALwUNLnEkAXIOZcJiyKHoHPkRstiVpgVtyy5/JDFTK
iVoVX63JU+bGmX+aBniLowWXCZU5xwWYOuputkCe8D2DW7ygN8SUWOs8LrotbKqiJ9SAqhL38q0OOYHrbIdjeFmhdlDmY7wOnz35gsKnpdWJvKbbAN2J1oARkehYrLTEhzmQ/pWphCTEWROiy6Bfv7jMCTdwbvwU7dC7EPO3VVbx/2zxlhv8oI+18ywv4fGWH/NQ9sq2pBp5BDpHTQ05tnsqgagcr3dJ3hnWyB11cZ9JKqEXxe1Xm0b6dlUjFPnYQUIPMcSomBLyy9b0QWxickZthBo1kea9IBzmNNmrVp6gyzSJnsyqqzmKpWWWd6wHUGEWKVdYZZLtho1mQB3kh+LalUBliGQ7h85biS6VFYvlK1XQAtM7jVVFUXTGTwYTvAGYIkCFdP1za9W9RBNlkg102RIabBNLecUZGhgMgUdA6SrRNmXfVhSyrWf0I5zYH3ssA2oFkg+3YwebD2ibVZoE/n9fJVHh+0Kabc/jVLozFmirSz4nYAa5VcVJss1xyhAtPpq9yM9/Enm7XVAwx24f386Z0jHjiqfVmA+27y6TrI9WDPuIAcNowpZjk2kc9SFmdvA86hG5iC15ikWGQRdbxe/lQaWw+a+SeCbTTLAlvwGeQwYww6misoebKC0W3YXOY5JZUqGwGGqRzcDsD5PINsUrVZUZt05n8PeiyDPAlgDXNurKbpPSEb2Bk0Pg11LlbrbLw22IlcZ5KvPjPfH/EM0K0GWmVQJH0pUC608ynXq4XipvATZtNDX1NNsxzwcqQQNgXkpZ9vnxouN5bK5HOOS2OnjU41LLCFCn5WUA6oTXJc0+vRbU1yarA4uWGWftj1oZ0G9sGc07JMfQd4mTqs2rYOyvAW8apgWqkqS1ciBziDmcarIk9yZOh4lIPN9VXy9ky1Sd+ylNem1jwxUEEtt03y7DPBJaRrsbOBapJO1OngYvFtereWUL7raTETKvlz3gHPkPLvbN7kUscBzSBxnA2dAdXkuQlCzbMcXTnPcoFrpVMLsGrazHNcs4oblkMsVCbLgc0xB0KCxeZKyeEml+G+AXTqjD8PNXU6nlytUlsgWSrKlB8AndwSVek1I6X5vIjM47o33JUEnf7Nqgs/lDc52KSTqTdg/YjXLIcsQ+FmmImTWhgEsKmlQV14R1JydKkx7sOCLVLV+Q9Aw3XNkwcCatDVXFNpBz13U0BeZQGc/un1ncg+fdqZApoAsFbzgpo64cCAPmhNU0PVQEUO/U4DQz74rqOZgKdnsoOctoVrD7LSZQaM0zsyTQbfsPG+4Qz5AAZSJwL4gccZjBMDX9IfgFiD1mRQM5hShs8zCF5Tp/ayGc1y3APNyuSKtNEs1hU3AWCbbsRWH2ZjknfVXDKZulAiOi32vkB9k87U5Nu5TX+sPND0Eb1upmdquOs6ebfWppxmyUNvtMjwFjYGdFHy1FXvWcZWtJGhHGywzFhapfYGLwsujaWzDJrBkmubQw1f1jJD6yardCNTulljbdEiHUXfNFaRD40kg6W77JGMw/I+U8FLcqKh5JacUF2GboYG27/H0fGTszJyaWxCKILBIfoE+xswJUisVKfLh+AyH+fOqlqoNQwGC97Iv5lqkjX1vuUZczz0PiOcd6ZhDtekoruNFjaxWDlvdoeBZEdScIPDGdrVw9ZjAyVimrpW2pJh41FCVgtqCbek1jAbOwr3SMu9yxCKGOOD1dGhQLgMnd1H+kILLnNP5O+h6lbr42mIVXOwC9CTzffNQjWDF40QCUvQ3Tgiq0hNtQHyDizFieD+rtKOBU/fqrl5ceHLXp+R0zDi6zmxi8iUImwG/AHC6GNEW5L3YH/nVoKJ7/PwUGdh3gxHdne3CBf3xBqgmi0mXPIofjhz9wj9tXfEJ87CwGSIF4I2Emf9zhuc49o2cY83cN/p176HpvztuDuauibcYX7xiLHvNqJIWNN0u86ruCz5CNcWb8WYu+AY06hHBNJmcN17nFAtxcjES+yem3EcOPbPNW
CJhi8NGLunaffh2cp375XvVQYcy+NX9RJ71yPV5Z1uu1P24eQxwtjY1t+xQ7t5HaU85ez/m+cbusXOT1uhgGvHzwZaDemSeO94hN3jMqUGiE/X7rAhg1vV7VL4xcPgK7tR8B3mSvv29VE2EkINMQA47ozun1elqTSUHWG876DDtF9aotq7OTSs0TgBbR/SNeiKe3XjWEhvlvSDOfiSC5gDEbAEQagxfC79xm3m9cePPrZkfkD5jevvOenTB5n07DBrJP/SwO6YRBq/fD18D+uYeNgUlFaj4aW/kExJCZhbQVbcLsYEBSGRypBOY9dwUHnRnU0Lx06UJ90TJdScMyqIw2DE9EEsHhY7XGpkTOPD8a5erE0cvV4620rtZLWmfuCp4NQUC5XdJvBGXGeu4SyVzVAjJxX7I3ji/QCIvzQOW3zTwiAWJoDqyRthlDPEt+7bKQbLya/hFxPyRq67fw2gW7TljbSElhOmqrqxoONiOIsb3xGWzzz7ZncvcMbi1oZw+8/m5fc//NXZvqe97Wg59k0U7XBOi7QRs9s6bugaNPmXzidnXgQ0ELn4rU9d/5P/zMsNzlunfu9+HJi8fJNse7I7MMWtMyHvf/t45mgHDd55gv7SkhumoaaSrZ1WGdQzsZsLQpBDz8nHd6/JubQ/vnxOzt+fnv3na/LpXNpXP5Gnq8WaSOB2AZqwhTJhVJrSGpjFb/3w6n/9t2dPohwBu8go43b5gTJ1UtH4OB6T+fTd8Zpf+rN43iIVv+Ll40K6L5tuwPzAhnG3fuBj+O4ophvr5DPXtqGCvH3zPorsn0pCPl/WYSfj/ygJkzhvHbpfjQhFQm4WnrgFj/EN3rMPc2phRR9gRDqe7gvypiw1+mn9KY+h0z29rKoPjXPeNxZyfvLuwr9Ko+GxipojRj+2nEpeUw1vNzm/cKiMeL8cDw+cBJGEh27tcR62mljhp2sdV0D00KVlyd2XqdgEbHuz/OPv3BEPgDMJ8YKrcMNPt4/AAJVNrnUWve62Txol7wOGF0rbTiQPhG6JATbcAG7XN0tec2Tee3q4nLePSUvWuzHGS4jZjcfy4gbs0PKlxijGncrp/UYDHYc4uaypnMOkM52YkjM+bzSUZLpGmCBLzBqKy5n6wNYDg6LREW05uugsQ78DkVD375dwJXcAaKiUhSJkdqfPM0rP2lKaghY+FT8D6NrqPMBnGY7ELEO1sMhxHXL1P6kzMJWWReuJy6eW71rwjo7J7mp9Z8IDaLBndgFagiUf1zU8J5/aZ+wtOsB+JBetA2zwEvw2pqm1o3qOoEyMmMYt0sEv/pxQIaLKRL35Iia4UY2JeUvQ7g3k0ipiLD7mXJJP56MChWGCbDZ5lVxkO6CqzjD2zQHWYFJn9DqwGUpc/IuYOhUd/e0ZsPWjFQoBcp58UiTi7JSPjFroiAbqVR4qegEYSRimE8wIJb8ovaK6HM7pJuTNHJO9NKHuxl9jLt0U7ApAxlXPxF0T7xrjVpaKfqjOI0OwZTxmRgwo5DLkuWJaQsWtE0thxEacxKWg8hhx/Fs4KNsEkZ6LckDgtstyE0lZOgt2jgbs9suTOlIJDLsQLNP1g7tdxJ5qy1kjqCbYL5q0SDw9u379Vs3VbBaf/g6ssAvIvr1byH50C/rb2MP7zOHt0H3T2AVIG5LFR9E2TcrOCbdL6PFLjqP+yYAeRVg1lqnjcjosOY7wZcMYGDOCM3YeP6w52mGJJ4gXcSruXOk1iRQmDHA7hnDawhF2cHRSCQN8plbSvStObsWUw+6HZKAobVO1TNePbuTdpMR3LcWaAcGh7OgJfpgdfZhLYrhtIvKTYHEBBBEdoC6oIbRUtXtd7AK4JmolN1vmGWfptZKqGsmrxZkchvsW9cdVIpxyz2Xp5I/SpmMAJb9wAeRNQGwyYMNtnL2yI8zfydGE8Y7+B0lXGGXBZchaSMuFGI0RRqSsd78HI3y+3mWo10jNifGE0KnKWT0QIX4KC7rkqkHtkq
mq1qriIxmKcGzkziSdCiwim5GT/bhxuezETkYkdzHc0jpJFIEtDJMOlzkAwcj6HX65d7f3ym7u2+ix25RZNtLulrOl1uhLLAMv2CFm/a20IHyP5yBBc9aShAzBRL/d1AJuF/jUxma7kYDshP0wMVaPBz9bmg5pu/VgNL3cT1NQL/xaGemKmqadEW55BcbJda/taahhNIgUdiFZU4gbNwIbD95zG/Qtj9Yhvbsf7Gj9eDuafihMsiGntyYtOIxvonBAG1K8EQi3EAZfL3Uvb6ROH3Xv/EVLQpu+eeeS9VI9jgC5QY53AuTrPY4/3rxlqUYbHGfLbicf9VElSMo7dgv5cdTjmJK2wWHslHosQdvxUyev3GnsoqjALtQDREnolieZeDTC10Y3HHspaZXV67QnqvNBieCvdYjsOZeZPCH/Ofn5++/J07enby6ekVNuLJfzhpsFlFgKH8VFqLnK3hdoXyQMs2VnHo+wzfjFkYwxrTJ7FffVf7pdjWHQ3Rj0yCcb+nyX68Iw7b+r++05/hCnWMyUylib9E2mGBWputPtEPKBlrwxfgWiNDG84oJqL56c2HR3iOG7Hi+vwntueHnMTiP9TPlP7iC0XsSdvpibS56vzuKN3HfXMawRKg17/t/gJMJPBmchOG6gV5ZRxl2ZSudMDBiEbJDVSs+p5H/uyaqW+Y7CbZl9AKf7Z2qE3TOuo7Wkmbr+/OKWw9fCt/jyvYu2spp/BSrsglENpNZQqopLGi2464mnC2o5SGtuTI8X9JjUvqUPSqxv/Qh1poPrrs4TJ7hqqi02Q9qQul+sHrHZURA2t5GoMyhBUwtlkSypbM/5cMLnl3bFLnh2odWSl13zsPA9WtciaKqDgxGa/7hnbVunjSs4GyJ5eSQquyVDrz+7HiEzOjwUMyeX3EfPF7uK+0gLuE7pTDkU/K6aJ1yjztT7Ua8Seh4h1OuoqLFSQ4xV2kt8B60CS3G1J/itifvWkzj1FS9LAceTcu9wvdvKucj29uTeQXKuHY9xHHIvwmq9DkNy3UZnn5NaULdl7n1WmoBkel2PefkxFfII9uQtMuh0Z1v+qowl7yhbcDli0pU0k+T4ZpfXnyRm+tcanPhw+pFvcmYm5G1Ja/IZ/+H1o1JJX3f6z+HjSRZ0CU5zEkA1+dKAXhPsQWhqJQ20GlW8ONXRW+BvjiMvQw885iBr3naBlJ5835dvHM+WpCOgujlAH0Jz1NtiilOe8jrMds9421p6q4mRsw3Dw8sN0Y2UUTvWPO9eHh959m2kRmrsAsQiWJj5N4KSFZelWhliamB8xpn75HmsTjDkyQ4viCPP47vJuSFPsSMsSLZ5hjB0+azHLdJIfMffwpyyNflkthvfdhHYareQNnl2rVvhCAb7yGvfN7UQFaxVw0PmXsQBx7s+AJHq/61KUyznGbJvm+z8CvVYd16vXkcoRgqjBy385gBij5PXO0ZqyPANrvdW1p0h6eNdQIfUHMdh1wUMtvdmk5Dpt2GwQ/GGFDcXP2PZQMqRgKMVbkhyCTMug68ehRN29atoPdJ0ELE7qFAsE24bB8yO+pdaMHY+29y0h15KI70pOx+2tZQtqiO3wN+sigwnA+uovx1ZhrxMuUw3QSzp3XAkY1Fh3sczIqT6ZTu4Lb6N9qa8PzK1c4B13rfvBqxrqtsz5f78fEPKasEHrdSJux3OlvXJ77cizyafWeLbWii9zrfhfzM1lf92Y8eYFpHtLuqteh57mhxb/vYCod9A24OpRAOq2n7r+6kaPQUFSKtVfYjoKFUzHTgXbnXGw5rO2oYbyhEQR1/dcdx7eKKqmsp1dx/x2uE4fW+vLEG7Z6jgcqbiSgE1V7lrhG6QHztWZIvZCvJ2RZ99yZUj8EsjxJr8R0MFn3EoySnWPXvnYBSVFUwLptQVf6Cg++8wJX79jf1MxZg2n7zb7CYcXjcWVe4DR5jefNc/dEuEKTvBHe198hPycV170jeeA8ccv4Pjm6dhViRtJr
uDtsPBOyL0ExNrW7uLzDFcdZ1yuY2d9yzWSrfefgwxf3g7suW9XjmJj1PLizrvHKI9rHAr3+i5b9HUSmXSRLaRcuu4/SA1tXHXJJMFNSmj/T3AOpTTJ4bcaJFwm3tQE+5KZ4wWjU7lDenBNKALOk9nU25AJ3+etkEnTX/cBh1OfQbBAtcWJKpW6Y0TBz/Zae4UvYWGnVSZ1BqVX+IYtYRbMvcjLovq1Yvw3ycBhRfhP0JeU8ztTwXoeHZeIOcBo+eemH7wHD2uvVFrA3LKMBDNmVRczkDrkbjrkO6j0NVX/G9kfdQ9ewQk277Es942RK4UhrVV1isVWeJox+/Mx+3dsfuIGcS6/6d/wDBBa3zgJ68XoI/jj3A6e8h4enqCox+fkRNcP44aaHukZikjfD4BHYZ/wlYW5p7mvJA1dNxjZG/D3aJPTK9T9N6d5n8e6pW8e2uU+G6TS/5n3FvDrzLJlPN/nBEJc2W538B6Qc3IBCjDjt1WqLeVfvHx4YJuq7NNgBokuOycsbZxelt/E09IMXx+jIqK7f5G3dTDj6ODlp004cY0yZVOhIzJUvm8dfeLoSCGoHVWH+hgU/rS88wtTi4xOL1POh0lQ6LrDB6iyE8vMbVz/2PUk56HIXl36bkHx3ERaowoljlf9N2QanBkR5EpC3f0aJO8TaPJBZhfQbCoMzU3+GYzrqT/IKFs/YkYjNcpTc4v3/zj3QW5cO8U+U2OTF/ZYJupkvoQbD+uVBxbFENsAezKHOREvp0QztuDLDZ0ruvX2bUIwzTQMIJwIwX3aLmg+aAp5AMouR6PrivIqNGAOFtqm6NN+OxjuaSCl/4gRpDYFYRH62q9TxAix65gbXbFdqKT3yaQJoa9sLY2BccZtFlA41bmYAijj+A28blsK1+U5nZ9w41iqqqy9om7Jd4ej+AQipfgr7gGsWtppnaxrASVhTEPNfDWrexl+O+B2rZGK4qtLzUuasWPkVYdQ9hjQBADRCpuDSBb2YJKOWickbvdVFgVERmJ2R6pbXP3sISZh7+/ffM+vHsvdpbvHhSr9K7vP3nPNm6uiqUSTS4GvGnnOMsw56abjN2O820kt4Y89UiYZ9itAwt724m6O+AJIh2lRjSZpNnbgOsnyW1IF5hsFx0sQWOmwKwRhCnJoLbOUL70ezjSXmG1yil9PeOdwd6O0HaI1kpbohx/f/33N7EU3CjbU587pefHT7DcLTDYcrFOqW92Em0U8/ez3y7OL8g7el1xWXZjvePb6mg7ehrm1hDFEbICGQPq9pHVqU/xksXk6dm+yrGYHa9g86GL8FuSs6sdW86yIJXPT0OX3oDFXgzF8TblgXsFtBRX/+XrhrvCHFkONcnUtxv9Jc6EfqDsxjCuGq34Lqhb+eLe58Q0kRR1asjfjNVKzv9tKii7EtxYKP/2IvztefcplzNg8Y9mXMOKiqgiQ6ei9xtCZUmMIiPHUsOcG6vXzrI/prCoqV2EZv0dDmQXhwGS6JQ6Fpq+ENrXazGle13IO32ywxyk1eu//N8AAAD//1PCu98=" } diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md index 753fa26273c..27005a437c3 100644 --- a/x-pack/filebeat/module/rapid7/README.md +++ b/x-pack/filebeat/module/rapid7/README.md @@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-08 15:21:23.574491 +0000 UTC. +at 2020-07-08 16:42:05.589137 +0000 UTC. 
diff --git a/x-pack/filebeat/module/rapid7/fields.go b/x-pack/filebeat/module/rapid7/fields.go
index 827f8f64897..54c2c9ea600 100644
--- a/x-pack/filebeat/module/rapid7/fields.go
+++ b/x-pack/filebeat/module/rapid7/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetRapid7 returns asset data. // This is the base64 encoded gzipped contents of module/rapid7. func AssetRapid7() string { - return "eJzsfV2TGzeS4Pv8CpwfzpJDpsbyx97qZvdC290e940k96ole+JiIirAqiSJaRRQBlBk07/+AgnUB6tQJAtVlKy984NDTTKRiQSQyEzkx9fkAfYviaIFy/7lT4QYZji8JO/wb/IW/l5IDX8iJAOdKlYYJsVL8u9/IoR4GLJiwDO9+BPx/3qJX9r/viaC5vCSCDA7qR4WTBhQK5rCwn5e/4wQsy/gpSVkJ1XW+jyDFS25SXDgl2RFuYaDr3s0Vf+9pTkQuSJmAxV6UqMnuw0owO+MoqsVS8mGarIEEEQuNagtZIveLJSmPZLXSpbF+QR3GdQMjrQJyg8mEcYRGqYZKNfrg8+Hmdvj4PsN0/Z3hGlSasiIkSSlhSk9rxTdkRy0pmv7NzUklTloS7q033eGJuS1XJNrSGUGKkyqG4t1iRomuIKELQiTWOJHg3qkk3nkGaORM6kUBoTRdscxoQ0VpkKkg1QYlodJyKjpftHHzxxWOwihhuw2LN0QSjRozaQgG2Y0oeQtmF+ZEaB1tQqL3hLV09EbWfKMCNiCIkuo17+gSgN5A4Za0ihZKZm3UD15Ldf6+R1NH8Dop73hr5mC1PD9M2I83ZS8A3fA3E4TLTIXQVZx2AIP8opL0d3rB7y6hkJBSo3HlcGKCciIFBwRG7rkQHJahPHmep2M2JpH1umNPzO319+QLeWlPz0sA2HYivk9BI80NYTLteO56jET6Wd2eL/i+DvL0oIqw9KSU4XwfnEWg6vbGzpqtUOr2xt5eLUHmb6dm+sv/j/Xj3PdYo1l+bRDJpf/TJDULuM/Iv4tDYuXiyNXoGWp0ui7aPrU40/aNNzaUAM5CPNp0NMyYyZJOe2ch49GAAij9p8G9cZqAp8GNRNDqC97k1fn7FOueAY0fNYuO/UVQDZOTx64UUP2QOuHlall8fVuwN71NE3L7NyAvdFPaJnDfOoYpbPxSbRs0SCDHEN6E5mJQSTAo9EMSudRykrBfiuhUcJUPUP/0f7QcLmSIrXCkhr5R7deBo79lk0VPG3+XdmB2IqltH3qrKF9Y01ico+CjpQiA2VVVAVeYPQmt2KPkBENxg5yAHyIQw8rtBWbe2NPVmhrNveGHsX2vuckxtKP21w9ykfMetwsN1JH61HtvfWT1KYtqnh3V2kQGRPr6ksdWvqWNf/5cJCFN0nv40HW3d5tvyM0y5SVWUOHssu+3vyM/FzZt/1hOgN/+H+XgZZbc5zg7ul1Lo223yIjlKzZFkTtrvh8L1XLoiEL9rJadfZplKHPw4s7aPDKYp8o+C1qvdpPE7hIOLPlHvl44wYnd7jdn3nvn6Hk/b4AktL+SV4CAWY2oMiHW2G++YFIRX7kkppvX5Al1bgTKsf+iq1LharQiZmFFbzPeGb4yDLFKJrBdrXQaxnvLDlml1Vjf/bGq1Q7qrIJakxLdrQm1ubV7d0vBxoOJQo47S4LIXqvDeT+yvGE2dE24PaTduyxf0vF1kxQXsEc3t4nZhqvcRx54Ly9++WHwCQ9gb25Tp9kTVGfj3NI8maz9VWlWEm+AZqBmull7CccjNxeT3mhcRS1H2pwmLh3mj+0E4anyQx+GFopHreN4oGb3SrcV5JzSI1Un6MgtPy5yMu63TdMk9QxBzJLy4Fq9lp2L3lyhJV/QEskT5cfTznLpcbgkVwKstz3loUQBb+VoI0dULO84Hu/EvbHVuASoOmGaJYBefJnYjaqJC++//4p2VFNNICosRyZ60dS186Yqy6k0HC5yaZ/oJVNZSlMba+W+dIJH3vgdHAE8oQu5RZa02UiGG1UiRltFNB8cJenf6Cl/8TMgIyVXa
3mPFZ8EdKkaqOVrQgz/yhf/Pmbf9VOeD4vUFRVZP2jR+8/rJ3ymu5BkRfkRqS00CV3Pm5r6oySoKHRJ7qhA7FKISzfviD/Zqf7jHz7Lfk3kkpl9UechUf6jPx3bv6n/SHT5JApXwQXScgMPqENJnaQpJTzJU0fpup8Dr2QBjc3NU5XtowAkRWSCYPqtoFw4B4ucAJKyehYkUYD0gWkjHKkCWnRRiqrLYq9u4XtF1vKWeaWL4SWkJUsRWalNQckj4m1VxZOBgMd7tveyHO8nfhNe8RFP8DnPZc0+3h3hkdINPsdSA5GsTSgK3sTrf1jtNHc5ViJO3tJUtPocHJVLcyC/CR3lvl9W4gJIpU1IYwkDwDFCbZ8pNvjM2GLkilonWxZlmTx71A3lQRYgwBFDR7FzPKoZa9smTIl5dZcPPCRioD5zHJmDT58AcTpOjr9gby9JsrKRY3GOrKFqjWY+mcn56pVdEjFJ5+ri4Y5PlcV6Vjvi9jb68q/9g5yaYDc+12ZKsBrabkfEkn2v8rp/Rk4uT2mRBecTXuR/UObipr1VNmPFTbIfo+LH2vb9ihP/Y6s9kalTXtx/F/jzcUd8xXjF3lbtONapf3u6tWd1+dSKiwDWF5I1dXiCF4on90DbfmxjOcPTuyjkYdmYcghdmgmlg1IYwy6ex+tvgV58f0PZIeczYEKQjkP26HofEW1ofEvkB0ocMNSQzhQbYgUnWDlQzZ9BMXo82ZT4LzFPWR57vwqVYaswagISDdCcrned581Vkz1NDNCvifphiqaGscme/T2SCE6NwUphY8Y4Ae+zcEMpphkNffEOM1le+Q9B3Xd3KpOUlROW0V3g/IDpVhHWaIp6mHOIyy8zSrTtFTViNpQkVGVESFVTjn7PRRtJ1Ue5EDmX2CPMEGWy54IH8WGhq4a3XPOVoBzChiIGlIpsgHFsFmyRJtplvgRkplIZV5wMMFFHHR3UVQ8jWIdkdPKO1DmYtvt3o4e3HRDG+5w/wxuklwKszmb1U1Wz/mv5k00Q3Yx9tyI7BLMsUP+LsX0jM4jQsSOXyk/LiTtfZdLvQM94XS8IgYejd/IZAtKt4J9s2MxG4E1Or3oe6Dnk9okVaRSZZBNkd7+udwLV12PWd1v1Zt5/cP2G1xfxiqZL3DUEhP/dAqCKiad4peX3LCvDQNFaFHwKoK6yQTPqaDrUFISIRwd05XN4IhytGrCzJeayJ1wXntD86LrafEUW2yWxP4+N5qkG2b1X5mBXpA3pTaoSLcHtfufmoF4NGpgcBmOHvfVylK2hXnuYFyoakg3fwUrUCBSt6jUKl8Z27LM3qm4puFjf18d+/cdBoSn8VgwNeMcGq47P/Wj3S/M8L2bjrYiwuoCFi1uo+P+olFLM2gwP7PSqT79i96gdYCGLMef5rynBpyGqbk0ftuhDvFbCeWMi2Z3iluvRl7sqCaIJhtYIUT/zfipj7pwDqYddU7XuYmS7Os8Dl+RRKErkjhNpRh3RA7BXkTARd14LSlzKdW3o/YGZVBPYI6SScMH9tR5i3HdNeKlk4EYYyzStKf2nKeo6JJPd8cOaIeyNKnM4bnDUqtsGM0mV721osJP40D1HVgqa5IzMy309Qjp1fg+IaDlDz1m+E1NVejVTnGSuo7FtaOhP7aAlK1YowyGtQXn5BzK+/W6xxwv1wEm1u4AljUBn5UpmnnnY5Ayr9LPx8hfDm2EtoYrFfn53ocUMV09OnUtZMRfcXko60EXUrNRh/CsHYCGgMhcVQAMRaxOyWA+d8lNMiWRfeSxFmUOiqVjz3WQ+lki2o+Q3o5qr3eoO+LuJPWI34LIpPKhREdpl8t/XiRLunpckMt/QhrW8S3qOfKkeiyz8uY4aif5ptXq+KK/9X1Wmz+y3hLe0DpySkhDKNn4rMxweBCX66R6dryQkKs2xGghN0/27YGk+Cs+cWNtNzyKYfVOcpbup+/TI2fsDlH4InOC7wfkVMmnxW6FmfCu5ICow+JFCg
OP0/WdGuWtcJZ3UwGJZpm2/8OrgPIKZSgd+MSVkm6oWEMiYDf9XA05v2HXerjBy9EYxZalgdZp60fzaUec1ebaIj18DHVBR4iGevacTSiBc2ziqJR3X20durZuEDAlMO7aTroqmqKbt3K1BbUg9+AYW2pQC7oGLHXnI+ZWUlU09MauhnF6XYrwxMG3MiClIksld/a76lOvxzjVerBW2212R5UZb8rXoOPtSL97ZS83Yr7dK3lWKx2X2ryyAO+yjr9BXglCOShTv7uqZlj/mXPN+qPYSjbD59mAQpURIcXXCgpAbfXYaxQqjvMK2bRUym7NWifF1UAd4Tlz/t/KsdmjfcfMxitTTvaRa0S4xPhQQaT4ei3tv49IRrw8k4BSMmlmtOWMfo4oLBlyRexJMwz0gtw357NbJrMdkxxL05ULZi+1VVRd0oN7osy8sPLMoyTlpTbVtvF/9FiNIEzb1fCZOd5atGoTfjt8NV/gVnY7PWw9uaT1KerAl6fUZ0vHNeIhVGuZMvTWWI4G9X5k+mv2AC8JJcVmr1lKuTXzHp6RQmFF2mcETPplWM2iioazB0ZeXi5+VdEcDChNCqqxToHGxD2XmZbKPLcSQR483vRDVsGkRxUNJz0vp2u01uECgtoJu1TmRdk/C1Gsp2THRCZ3PvImlSKFwjyrX8UGp9ubyKrkfE9+Kyl3TptM5pQJfz5FCxGXA6K87a05/xo/MjmrjLxm4gEyH0VbBZZRjfa6V2DtN1/UyBcsO8Z83svzmyg22nWqnQnYRVER8PP95TD/XHifELnvpzrXjx6gctYtUT3d+eNHRXrcPjyup307Wk9bMT7HeanJ/hHHq4+EgqxMgVQeYAg7ETQoRnkSuCEmiM17HLRSuroyvyXUrUwdtMEgfdADiWBz+KP8+FZ4b6je1LvdqhyBaPbSWphWNFURpnU4+1U1UqdUgdyCqtEstEotVP13PyuBWPkmCMN4glKkHKiyH2HZjIY0H8buvTSqShE47Z90oqLs56p/YhmdynzJRF05ri2ifQKCGiGvt0yVen7vRvsORRTDXo65niMCG/fKje/qrAx7eJyWPoPjrWaB83DdXpO37kw/8SlxxNXY90keFvvTY86vy/gCW66v22tkiw+trg9k34479J27IAZH5MIttT11O6bDpsZW76fVTTx8JfFJNe6SO+pDE85ImnVtLfuu6qHJ7fVJPeh8n8QJPciifiGyRh9akCsXre+rBXH3xXFdyP4n1eEvvvnCOyiWpanj+KWphXMpOGg3d+kE7E6SLVWMLnkvYtwltDFBCk4HjpwGoSdmgB4sSlsNcmMv7Km3t2YVi87sWt0/v73ramDEl1Rytt1QtsxgG4GzI+MbX6wjg9wKQ+7ZWlA8lgMbqZBqWvmmL3uywG6lu0qnkFhPBf9pUbVODe6FTAaW9+3P7wkTKS8zsKLBN2ax4Avy5OaR5gWHl+TOGZ9uWJR1i7ANih72C7wzoDHfiNowbqYfrDoXxDwiaLvlnHnrReU7ph+OPHAYxdZrUFMK14en/Uvb0+ixoOazUaA3kmd2jZ3VNNCr4+A5ahYrrv8e5WXYk3fuZnxaJxTeXocDLM9+sbKmdTL72zxy1r/PYzMT59PQ5fJri1AKzChYYblemZXpkJ7uVZ6LxQ60aatli1SYeWXlXEXBQF15qrIdVZeKtejXSrSyiHrRa8kcKNL1xIocSt7QtKrsFVac7HGeWZOV4utK+VHHT7SzGCIaISmgOiImShtqyvMVq9oGp4xfULW0wy/lI2HZ82GpayV+OQ8NFueHXikst68snvBGr6Tv5Kr6vQ1z3a+nHyOEmZDl+W8GrdhNvY7YgVY6jDPDeh6d70aDTq8CcsD8V5zb00p0maag9ark5MZiIKnMQFvmV0WawjoeExk8jp4EZ9oM6Q8TTxMOjYqtqtAsQaFXP6eKcXypDfgH3NuQWBOKjPjawgZpF1ErXvXWu5jm4scnT+pIlQKULnxCgjtTvW
n7K6QJjKtynJ8OBI07E7svzac/OrbayCHxzk52v7ZfUiY0ycBQxgOm01KWpgU3QLzkF4hJqbw2tI4bQEzDItxAXvAJr7avqlaLVQuD1guSj1Kx2ssWFKd7DFM20ot18iSw9+0XaGl4aFhVeSzO56YNMyWW6iBB0hstrZ+UfPpgjPQKt2zLlI7HFnV2U5nndm/GLtiVgyesFU5UKLllmbOwq7oCof6M9V0j02MO9PH29I+MN3d/2o5WCF87jwU+Ml9KflXjX1Z+/VMuB+3W6An8b7n0LsvwTi3YlPJA1xiU5Nbn/u6W3PYu3DaiCbV5fEzmcRyjAo/r7IX1SBV/jE3so6jCapY7UMlSZtNjjntx290rq+oPa7ENXJ+bmNwp50abJe+m5XDx6RouzKb2ArI1y2oX5YAxno/XlHtJMGfdDGOu6pq6opwmIKtuQ3cfXBZn5QbFx7FHSMu2jeKerZcQSimoMnqPPZTNYkgFPUXZoUFVR8PTLWWc9h10pHYPEYyHX4FSA9UI3X4Me7jm8+t61S/3CcHOSd/3b8lq3y4GZADLk2WZZfsI+47lycg41RZkqWGokNhRWzQGRjE5KluqEzCd6HKeYDum27EmrpYKNpys46SbnHOPM1QcvIk3dEercX0dn4Z7pR7Phe2MFsHVLzfkiY/0+6XkVi9ZMo4BhvjSfPNYSG1/+ZR83TdjRNfL9yDkThwojhrSElPXtoejD3QNSOkshnY3AOSqyrR56wNcX8OapnvyYVCB5Wyp6GVSf/zQB2xiguSUiZW1jI4+UhVUYa+POTKqDlSEOxyYvJWZCzhqihu03rUDaMmJ+xcfX+xU4zXKw7z6t7AjP5UC1ec3MgNOnjCxXXz1jDCZPiNL+z+w/6OC8r1mevFV2I9s0iJZcdrrTjX+Bj7Uta7uCA6L9i5KlX1VQFiujiZtGTmRFvfp0lNSJUxpUHZDBVFu87FyqIP7lze/Wvv9vQu5+eqrX978+urdzVdfuRiYLVWUDe6NnVQP4xIyTm7lX6sh2z7aQTOZivHXl4/tHJsbWIs4mloRuI9SF1dSgdAsHXegWuZkFNY8xooKeLbOB0t2lI3pNN6EHKQyYklxw4xPSNHlMnobmGWmjRqfyYK5G7N0A382nyStIvimOA5igxObksC9i8kHBzZxij4+0Q6xYoMGYzWZCc6J2MkEM1cDE+kGXIaFxZF6CuMNH0ue16be9cdt1BNXe/tCGyFreZc8qqNkXGgJK7/5MQqknOUB9oD/LW37iakjn6qXa6zI8RTN54B1f8rXX5VAYvP4TDEcdkUZt/yqEg7v/Pm7vW7H9WL2tFWBDawDiUPDb/FVXE9ir/IgxTHBPRjS42M6rWVUiq6t2sMvhtJ4p+J/C4/mrxDWX2rsekiLmYr9norsP2TYs9pgN9Sw8CmbjL8/9AF6XeqCpUyOiI/4WLYF0rejSvRdbZ+eOC3yIpHxwun+7Zs78rPzeDThGGFUv838/HL/n6/JbyWogWotJReJgm7Vj6lPPi3XxZ68q0Jqg8+7tZ6WjhL/bTA5vkybBSsGjMdTcCbgXj0DMospREc5VXkUXyxglPFCi1Fh/zVYmY3oDHAANTYX+AA4o6Z7e5+GXIJINzlV54fF1ZD7gvZaOZzhg6Rp73nzTKhkE8HXFFZjgylr0NUak0mjAOXyn1FwBY2orecyXyMWA53+Qz1lj0NirnYO9rqNQCwSmmLZwpgwNgutxSgVvQW6XBfb78Sj2URIy1QkqVHWRhlXmaoFb2GHvHVngG55ryH0WbAg1kyMCtztA8fFlIhklegdM2nEvhbJisudpnnMa1EbWpjtFPgoP1YqEiambXMmClD5cj8iJKcHXaQPseDYHC0KtEgKJY1MYlxxCL/9LkGbNQaaT9hvXK6TMa3/O6AxL6GpSHL6mBhzvsJ7CGpXmEOUWMiZiEbMxBTEBdcJX/JkvPP0APrPk8Aj6gG1oMdnqbehx0dEt6G/nwQdbqx+LvS/TI
L+H5Og/zUW2siC0yXEbfUaPkZVEklecry8l/soeVaBFw9RcjwvOVvnReztbe8/ytfjH408LIsT4hp+S2N0b5Fo92QaxSut0ljtzILGamd6r8siqj52Kuow60jlzkhjFQx4jNraRhqrJMVDo3oSCV4K9iiokBp6bTPPgt/+YGmPFgvbH2RhNkCzKBNI5kWS8igb2oJGuTQQUmGbrDhYHQlblEmUfyJVzLCU8qigL53QNYh0P+pNqQ0tKN//DtkyDvc2wWT4SFiXxhOL2T1nR8JbC/mHWAtZJ0tm/jUy+TDVydjaph1QJSOOso7cnAgHqYqJxdPOEzCirmQLFMzGeQNilG8HjtdVJLirfTMmQ7MFvWIc4nQRnazi2MVW4wKQD0HjJK22RrCAR5NEHiNrA2faFL0iP2dDa5VGQled46Jg5TrJIWMjgjEPoZmI5Xgus5KDTmXcrD04W0edClnoHTUjO1G04EMxAWeCKlgzbRSN0bQb6KibynVSjJyymjBnjXVEVPTpdFENbsmj4LGxaNQV54KO4lFPuZx3G8l04uo8x8DvqaKRC54NhFWeB7t1HQzGQzJtaLdZ61mA2ixLdX4h0QoOXM21OLgyAl/MPVzFko4HxKo9q5hS6MMR08eg1jTLxq86y8Y756oEmiiJwvIkVVLmkdk3FjRKKWJ5EvsI53N34qZbPEQkCxU6JpWZFbpQbDQYp4aZMuLdhjMBY1JJGjg9shZXDYmBjzEmCJcuozlZcRkhHGvwqBAAq+lF7HcLFrXXrW4YhS7Ca8vlOnIpxTpy2xVSjT8c+bJcx22dnOk0brvmOnIB46rPCDCY+hIBGXGKXWmA8a9SDm78g5LY7cbrCpFxQnW7hgjICHkvFVsngWptZ0DuBKgY2VIkkR0Ei2RkBekGMKqNQwMeNUs8SeM3qQeMaafplP4IlFRr+2WSbs6PZ+0Bu76c4+FB5WtrF/cyqs+D3UWCxog5l7/04UOn0udZoEquE6qLUSU/2sBjujxUcAooj7t5FKRIrctWjQaPmayFHZug24KVKovCGmOi6SjrUzvrM8pTqmG8i9SV041SIzT8FsPMUBrsCLgoxUWzddTB1MV4u0WrNG7lVZpFXLVapaEs37NAR7VkakOVOiJncpuK8UEIwYqhp8FckmVE0/C1iVkEBxbjNaorRo6H3BcRmatltox8tS4Vj5JKpQaVZGx8/GZkYZLKJxJHrEnj2uVvEya0oasoSbplysRdxdtCRKU4GKlKcZFera9KI8m7UpDe4LUXelKBuF8oZxm5UpAxQ66oynzO2JG2NL7+1aSZDtWBxGFc01WMmE0lJ6GQktrby8SU2d/kBZd76BXEO8mDlSxHpMef25d3U7XUwdpiCtbwSHLaDd1tPHpiXXbLrsxABmcaC2xU4+t2K01dFliivp8qSchuQw1hhhSuPX+Y6GNPqWNKhYTbu7uK5xUSwoSvZDCQ2c2ZmF4Bu0WMHa9NiSZGrrHJzqL5vesY0eOegC2ouoiSkaSgSgN5A4ZixWF3Kup+aeTJa7nWz+9ccN9Tcu3LeLn2JL3RMY34HfhisUi2IG/B/MqMAB1eq/7Wi2TPCssJ17sZh3fT0UBVulkwwQYMXkXnKYbQETautx5nAp5zWgqsnbouc1+W/kgphE7lgyNUz5EyX1NdJ8r7iq8DKr1lZjJvL2TXc8sOTN7Do8HdOWQUXLQBdVMk7kQPaszKnVSqGPNyNZiqOfCR1Plj797ja0NUrWRX1bhOgnUtvPpN9tAsclj7vUGwnoF+GaR/XB3vMzpnZ/B4e10dIhx9qGT7yIfokdulbuHgHvdrfKS3R2tueohLUSTqgtE1bVK5gg1BVhBCNdEA4qBPZth4UVRoms5SbLWXJe4GF76BU91au+oWfISsAlTO3EU4H1nNoK5wC9syDmvwvTyo1mwtHPObytwDbQ3ocq5u9QNLjhiO7LjlBVtLDLYPCW3zFkVDuYVxlW6q+5JlVVvbumMSNmwcOH
SEBGJyaq1NwUCQ1GgFsmoU1gjeqr+TxTGgwu4UG3D0zIgfkQyULrzk/Ov+mT0CWg+QO9l5H4+5eihnVCcbOYN21+mOiTVxmjJQ2NGnVfAoHFNN3Aa19AjfYltIQ7BV5uIV19KaNp3mJViF/CcPsSCvxL7+qze6QetIC0Notqg6GocFU6Tzy5I+RVn+ostPrDx4wFTm2zpba6JdobyadbiRsN8xyVjP6rkGK92DIv9Sewz0c48I0Q/1Lxkbt3X5vScaqg5231GeDoZJnJIFX3bL4riWdG9/fn9jZwcKnNGIHpmM6VRBQUW6t1qJv/x5v5et5cEz8v7NS3IrzLcvnpHbt9c3f39JPtwK88N35MlusyfCN2BMN1L7Mm5SWesVf/XND//rvz0N974Ds5kkL7ozRgm0yGm4NJKevEdGHihfif+2Qhs+TNnHJqt9zk/QNpjwd/bFFKKoo9g0OmjV3PT1q7dBcn6XAqbY4XHr93+kgEWYP7+P6QPwES47S+ppUYNs/DT3yhFerqmBHb1IYWncZXfklWueV+22EML6OknzYtj/P9WveXv15s7J4eFe8XSGXn5DprTTc6rWpbd3FtmAVW/5MFgLZhY+2NGH+VDpAImrKTb3YWv3WshcRzrKm6eKViXysOyedZms8o6HRfrTcn24UD1kTWxNpM5wrpim5K2n4U4qU4uonhByvSeQib77/HFJpGfnn6OYiXUlPivC3wwxT0BIv5/PS+Txow1CtZYpw6LxaC33bldi5ZSiYg2LWj1OpVixdakgI8u9b+7vWt0PdKcZTCnoBQoPaFPBYVdRmQp8lH7XDq2MMJgU5NJA4mOEYl5+Y6aYCZ3QxIVPRQEXRsWCr6LYu4qKxeZxGyA+o6aImhzNksoan9av69C2sLQsuuO1DZmLaAs31rASYMj7fQHPyIdKzL1GE/lbcleZyD058vPQjVoVr5rlwhhQ6SuySNW1k3IevDCK5of4QE8Vhg5sQRnsPGNk1eCKCfLhdvAIpRjSMuEMxrSNFTqRRVShPAuqQI+Po7GAUSF+TiaOD4hCH1QURlemJuEg1hE1HxGvvQbmdi5hUyK8XihvOQcFSfEBx1pRP0q1oyoLNQN7hW3q0O9+p+QjvrovwewABjoZj84BHvsiIQ3lbXevQ0ewkAm+NvXm4JugKcCHoJwZe9R8UaHwJLacinneVc5wB1TPai2HQG8Khw6Cxge4tdrzGpXnQ4kY48+GFLMttmPySM97Q6HKsLTkVFXN3DyaJzePL1/LtVytwvWpIU3MBuZufPveDum79zeU3VjKLEGvSrMBYXwo1SBhc/UeO3yuLOu2hmHiPmhQgyTJ0qRybm75QYdJuncduAeoqnrkTLt9DyhCzKRquHK0+WuF/QLtk6FDhT3F6AbWhRQZtnSVQRWgBuw3JT2kezsmu3bgNqDE5dlj3BtnkNUUe3uro9cwQTQzZUCiEAyQq7rg+VE3VBOayQK7gm2AKSJ3otMYiRj6KIXMB6Jdqhr1SS8caYbLz6phTGT2LEulm/Z+rovwq6o8fm+i57hPRE26OxuD4VT1DC/0fDQ4yXv/ijTvPI81EWtNdVxWx4SpuqiAex9VOPdch4NDlnJafFxgekvY0C2TJWo21qhTMmcDkQ4wP/obQZccw4ZX5Oo4dia24zufhcjo0nCg05AgigMaRpYXiyAhgKGmYPoatO6VZmcPLn8Twl4K0w1RjtH5Mkz+SNIJXXHxlsFO5iytCMNpYcBA97GHmY3rdR6o0kg8OYv0m4U2athJXlEdTnz9ZFS/OE61vxYdrkmUB82I2iQyLMemrV7TUFDAoJPTc3JEatRJZmJK+kRWqjM3QLgqzCfbAN+eR/U3k3uiB4n3jqNTc+hRj3Nqjt4Zx+6PTP+Lk/SrmfnvNvws1KvT3B9Rk+LjHNUTUq8+qn/kTfPtabafX4Dq47D9PFmjZj6rc+71M07qzJtmTup7W6ZWCjPXpXOybkZLs0lyMBt5EW8qPf
BzEYfI/2xwYTB7V8mJlvoR/+47yb2vyaI6skOibcu/L77/85/Jk9fXr+6ekmumDRPrkukNZJiYE8TG5VrOkB97zK/tW3QjJr8Y+MOBN28lJ/tLjsXeW96HcNR7E31+I0qHj9mYKQbF1ZkRLZcGYg29U1ARKqLUvJNTfn4Wf4fUdzRjpXZjEKmIZjnjVLnDbAWJ3a0p3kfhUF08M5rN0wu39kG2o8w+2OWqPCCduhbNgZkSSfhKHDs36Pz08eEt/5M3nfGb3op5YxdagYdZ2NEi1bRHsZ7rFtkl1ZoK9vuRWCcxZcHOZVgEt9orP8CyFVPBKP7o7Ncf7YAoH11SucvSPYhE+gkoN5uUKiCFgkzmTNBgiHXrqN9Rw0AYfTLwjNN55/OaftLpuCIYUERvL7uFv7RCoKDKYNpvM5njQmjWtF5/cM+RPyvIQFEDWTIiDODIKmIb8mrM2tV9p+SWZXW6uv8dLQru9Zze8vkUWSvIDzWigV7q9TRYNts86kF9HQezH5hIsNAzRpVsmXtz2nQVu4HCAbVCM66U/litBh7xLm8BtTJFQk2+nf6D2hDVRBupnHy0o+VgKGL7En+1sL/6Mjy/nGUZhzklxhsc8VyZEViilgyJkhlV8by5JnTnx2vl6Ip99eLxjBScWrbbG0kqAiJV+2LIi4jBK7NYBWfES6jaQvhJakPe0HTDxIDantHoM/pFl18fBEb2FQrsQbW3ukur1wvyOqMF+QX/cLd6JoXLB/hH/7ogG7oFe99zoMq1sCZYX0IXUmio9IBw0oCdUdJvez1B9vjaCKliBhSrqnQIN0FXkWGYkoroWYhplvmdLyJzLi1YX3Sqm6C716rCUQdpwFb/91cN00SVItDXnRCqn9WS2L3muGTqgYhsP2LirYg5mEnJjolM7jTRBaRsxVL7zbNQ3LiPP+pvVDsBR1Hz6kueqKrreS2W8ZnhaYsfpBR4c72GNU335IM+LPJTv4fk3QSHqKglO8osptXAHdZWtxEZRk3jZrC3QI9vdT5TIIvpIEMAw2z7TDic2Bzq2lC1Iae8BeaEcwhuCA8TMZ254qWGJuMjp7xzr5IcNzi54VorfXrncmLUTsdD/jYhNI6VPS6H099Op5ZgcOO48syDEeA4qQxWTHhfIB51rAWR02KgGAXiHwizvhD2xtztqB4xgqT2N02fgc9HHqgeUvvQjKHpJp+9FF0zLjKG9LTgNtsiC2oumRhTc3fWnWbJxvD3qUI/cGzbwbjIPFdGq0lFCtQj79E1VWafoKugqlpb+/GzhtjdhvUKnhG7D61l4UL0zpqAiah46VLhpBrXnrEz/b/ogop/P5nPWaE6rHVWKWkhkWqn9pfnOPoJ6i944fborqqiHad7cK0SEEbJInwMM1kuewbZWXvNj2qtGzgR2ohUjOzkdCYVVzIvrEFa7Xzc4NjgxGmeW1BWtCbWbA5fSFQ/TI/7PXEWOzp9hXsH0yubrX6Lf+P6seR8T/6zpJytGGTkGrNhnPMiiGwHyySV8oFd7EnpV1gSh6GxSSgf0ssiaus0jz1FaVwbnKF65KfPxrt6EF9L1butnHduQd7vC0d+Y1HZCTo+D7NYwSoZWRynQ5jF4kww9aUOFdrpopvHWVArGIf4nfeikKry7OHzyrvXAwvTylYdvazVfIqpFWOPTMeOfdIPVxGipIy+5w7R2pEs10hBTdjBkYqE6nHvUS1QFdtBvVR8FLtbcKO4U6vgSanG9/stsO8ZNoeOQRkh+g6BR4ZoHAL7XRB1HODRgMBLMEZhsyOMWN36Wt0o6DxQxtxubph5YsgPTvR7HBivuuf+31ceyXP/D//qG3J6UQ4qHEPgCb7oa4kjt/1Ygn6MVkHmHsGZL5tslUUmVqDUgI++P7OZKG+rQyfZF3R6zEJGVT1o1WJlYPviM4acvH0Dw8y4EW7ca4vdAO8xLki1P/ob9B+hh4vds2IDai6rxuo5/s33yRUWVH9KrhBDGDkoM1ui5ACvrk
D5wvdwENNxpMQOTHwsaDGjtSx22C91q+7S0fVgvw/7CcanRYbXhNyz3wfSdx6iz+Dt326IgLU0zLG52FA9UJ9Wp/Mn77YY7oYfLuhtF2RCfdreA2BnrauCX1W8Z/jBTrORzRXPyxOua4m/H2yrYc8e07qMaQxtYfFRd4r9PM3LhzSAUhM9Cz3WteXFjR2e3OOTwbHTOtPrUl3vyvv2n9xjOMdxEdqSF0NkjJcXR6gYFhpa82Q77S7pusi9EyfskkvsFqBlRDENHQ/KHsBbA9EpUV80BR7bghLlxXdEo+9WKnJ7/+pvb+7InZWf5GcxUJGyoSc67yOGnvc7GaYHj2W6gfRBRzR7awTL1Nz2UBHourpJnXqOARq+cHdz7o/oKqBYr/zGRVQVh6nO2htU35AqbLE2nxhs07GlnGVuQwTQdI/+jPWljh19nPUD7HVXFJ29x6I7oW+MKXTCsBtBJDCyNI7s9PyWX1P2HluLKt5RKmb2J/ZfKvN8Yi7/mZQ5TN6kDKfX7JgC3tWuY0y4HaciGdWHemxIgq6aBvzqaa5iZMMGOiY3JIVk84QAhUhyOAjiQLRh3QtZk26oEL0EtOmJyn5cRDXgKZ+t/FIt8nzF7l9fv3rrZe7zDoJa1Bmpul6xmO2VMf2QbCUv46fxquqBIXwtzbozSNVkoRTMaPLEodFPMXcNkwmqLggBf9FAEBovo0/4a0/NB8GMfy5ZHAajbUHhS8mq5CSVIoXCWBPg3vF6IMVpTCf1YF0HZJ41NqoWIpYU7P4mLY9++o9XoWCSIOtidoBU60uEKHRDyw6cHkvq0veCCYx/vfn57vaOvKGPORNZ3bokzH5L/QUCGQ4KfQ8Q7gnt0X+M8PoKDodgRwUEucjsZFwTzz94Ik01qbkbLXlJdXvt6/F4PEdp4HMy9hNn9FRzyv8L5BzUwZEi62sjMScJLb5x7aVHKjZ1Ny+DfmBn7eYuNeAZ0WUgLIpq8hdtlBTrf19ymj5wpg1kf3nuP3tWf8vECtLwVyumYEd58JqlS96CIVRkREsysH0UrJk2am+tnnkPZkHNxpeiq7GQLpYeGZPaD/YJcYkSLrY1lapVvavWWGraQBi1/9P/DQAA//+CVqxi" + return 
"eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99e+UnKRre2o2fZztbVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dE05qX//YnQiy3Al6TD/hv8h7+USsDfyKkBMM0ry1X8jX5658IIeE3ZMZBlGbyJxL+6zV+6P73HZG0gtdEgl0pfTXh0oKeUQYT9/fua4SoJeiV5hZeE6ub/id2XcNrh+JK6bL39xJmtBG2wCVfkxkVBrY+HmDb/u89rYCoGbELaBEjHWJktQAN+JnVdDbjjCyoIVMASdTUgF5CORnQpw29AzFzrZr69qTsMnWzLGItqdgib3z1sfVjS2wWqcx86+/7VxjfsMGufFxw475HuCGNgZJYRRitbRP4r+mKVGAMnbt/U0uYqsA4opX7fAc0IW/VnJwCUyXoOCEeFt9F6lByWriwBGkLR1piwAHhzNwPLDfIc6akBWmNux9cGkulbdEwURwtrw5BsKR294Mhdtzj5JYg1JLVgrMFocSAMVxJsuDWEEreg/2dWwnGtLs/GRyNjlizUI0oiYQlaDKF7tzVVBsg78BShxolM62q3lJP36q5eXFB2RVY82wA/pRrYFasnxMb8KbkA3hh4U+47KE5iTJSwBLEAZwUSu7ezy1OnkKtgVEbMClhxiWUREmBaFk6FUAqWsexqsy8SHZh9uzxu3DPz09/IEsqmnDjeQnS8hkPpxOuKbNEqLnfLz3YCKSOO/DhtOD33HbUVFvOGkE1/j5s7GT0ZAxAH3RSYidjAHn8pIxuyfK4e/Ly/+/J/j1xq+bZkPtdXzX9V4GE7G7Lo8FuSQ8RetlR02BUo1mmt/f+bMt1/++HmbHUQgXSPkbkaFNyWzBBd+7wI0EPpNXrx4jYwulUjxExLg9DLK/G1EqOx3vSSqCHSI+8bJsBlCltqBG9JmZn9r7YugUcNgM9ZKAk3M+K2NFDBtBvsCLGubjjWjkSF2XPqxJln2fXgMxE7CMRDt6ZfewYanUj+ZcGNmq07ugPf1pvG7UnSjL3OFCrHrtlOyJuljyvOOxz98Qtw2ec0f59fqvm5GwJ0pJLFM6kkSVoZ4JoCIJqQPqMX0NJDFgHZOvH22uYcYOl3YQB7HsbLN0mDEDfaVOGnsD0/qXDDuaArjvw5G48WCiTSV/tn8tflbF9ESl2T6QBWXI5bz80sWPT8yF9PfzlhxywwY9GGXt+sfyJ0LLUTlaOXfdd5g6ot+prZe7yVW72vvp/l72OW/llw65c8I60vresJJTM+RJk5yT7ehUBx6LD/Bd5LZDyMSp/X0dEY9Shoep1oeFLhr3uBw9xg5Hu6Rq5fOaXJhd4kZ4Hb7al5OO6BsLoUIJMgQC3C9Dk07m0P7wiSpNfhKL2x5dkSg2eojZANuPzRqPqdwPdh6i7XzHdGAbNZ3wm8C+4X89VLjfbPuu4XfmrdzAovaK6zKbU9SRaj+w+J88vPm/pe5RoEHR3Swkxa2OhCo9oQNtBW4A/qcYzz/1baT7nkor2N9vayg18yKV/7UmMOL/4/CrCgoD+gBP3Z0GH0ZDLKV6fzUEdKo6Hvj4LoCXoo8Suf8WlyPnpfaKkHt9+sBTBHBYrfdRONsGK7H422ipa5xtFCy+KM11OlBDArNJfowB23HuAnBt35rghzLMOSofplqL6Vu2qLWQPox+hxVex6WNRVStlMNmtUpJM14NNI0TDlwaMdQANr2qxDvvkvuwEPQHKFsTwEsjT74ld6Ia8/PnnZ2RFDTEAsltlDycehfJ6C06YWkkD+VjBvppTwVQjbedTaKqpF3ruKpsoBPKUTtUSeszgMppZ2Yo3YzXQavT+sK/m2Dwwq6Dkza6eloJR38Q0x86xwGeE2382L7//4c/Gi/QXNQrQFul/Dqj5p7MH39I1aPKSnElGa9MIH1lxJuWd5HoM+j2DH5HcytgqP74k/+7IfU5+/JH8O2FKO30ZqQiLPif/Xdj/6b7IDdl
myjfRLZSqhEdr68oVFIwKMaXsKq8G7JGTyuK1odbbFY6JIMtacWnRNLEQT3DGw1GA1ipTftpGHzQ1ME4FYoyYGqu006zl2msd7oMlFbz0ByOGFCEz1cjSvTACEHku50E5ujF5cftGDCCniAWG67AnbDSyC2uhaPlY3rmADjH8DyAVWM1ZxOoIpnD/y2gL++e+FcLu2ad2o9GqWbttE/KrWrmtGdqcXBKlnTFmFbkCqG9g2qN48b4SpmnFwJhiycuizBV1PWslzxwkaGrxkpeOgz27cMm1bahwRvuW711GXBy84s7sxlg5MsNTEa76+SnRTlobdKgg06ieg+2+diMnjM6U9PTgnPCZcPs5obOEgoaC//y09b1+gEpZIJfhvDMN+NBO12OC0v2vDcR8BYGXsFJhasFzZjY8anPe8IHa/yh0MydzM553vHXuDQhnvT11rdUSnpD/GhFGL15mXDxAjN6t6oyji5M3F0H3ZVQ69vCqVnpX4yX4RH51aRDN43B/fPJPFRriaLrHXKnbpnyz+cnGYPd6DlrmE/Ly51dkhXyvgEpChYj7CtCpj2rSxn9EVqDBg6WWCKDGEiV3ykW2mfjgauLXzcTIXc0Rtg28+13pEhmHWU3AFlIJNV/vBuJmXA+0WEJ+JmxBNWXWM9Fd6jXij05zSRoZcnrEls98tKI2dUG3D9TnDCLsiV2iRVE5JVPJNoyg6WpUpqFk3VErKUON1ccoZPA5KMYa3UI0lsqS6pJIpSsq+B+x/F6lqyh/ypDlcDCLVDMdPEl3YtIG6w6ZF4LPACmOGPgGmJLliIK92e7C2Jx+lj0EcclUVQuw0QMw6kSlqMBbzXfEYK/eTNsHOsiXbu3ocR47ytsnc/T4VUraRaJt2tSnpsp52WQ5lQ/E+DNZ5mC7A/mHkrm7LewRi271VsX06bUfdzk8EFHZbvQbYuHahstHlqBNr5yi3JcHFtnf+x62NdBUZG7K9JjSJZT53sGQZBOeKdOt2OoYbaZN98V+fH34WmlVTRBqg0X5hoGkmiuv1leNsPw7y0ETWteirX7Z9LKpqKTzWGkuIQLDO6296JHyuBrC7RND1Er6yJilVb3rGQwYu9UcisPbZw1hC+6sG1WCmZB3jbFoJvWBultJ7UheLrVw4CbtFWCzmcN7CcfQhHCT2wU97zTMQINk/kBQp1qXfMlLp9ngeYgLsstWkH3cYV6cyOua66NRuNlPHwu6dieRW7H2xBon9Jy+5pDCA7rfN5pw00ddOM+dNO7k2WSwZJdOpprUEqgaKHL3hdjxP/VVQQ3ySwPN0Y6SO93+FG3k44oagkiUI+cGkfshNVMTKgVbDM0g0+aVzfD6zqscuNZFBlTrIof2XKcURdtAXyaHmkFX6r0iD2NC7piP0Tdm8Fze6c05VGzeJNcOCRZsHoidbgipHUGUDZT4FIq1aUTusNOIFaUay1QFLzwOnfGCWdlqNjghVAYWbBmQIwcElqC5zVk6soewdvVQBNiL7Oxz+eQtXhz0DvSvdFfp4qBh3KkGxmd8Y/jEtVsfzBnrqRJ05fzZTJEN6FyMvNwUTLQuqjIEWaJ4B7P5WJvwedtK71uCSpPfLkNqLDdtQsCuXw3Xb3dorErS1MrwhILjVmcLzWlZ+g5TmMrf3t3RLjyNsEW+1kV3FEWyqUBzdldZFKXtCFVsewjrV7J1N8OLJX+/B6QtQZZKh4TZvZSp6b8eoHtNG9pV038Bi9vRDrH8teADdjsJuh8xL+lz9qr7ZnghQ9V/EDPBy7WgXW6xVJZQsggdL+IJtELNizZR5UGEensQ7yzUj9EzZUv2/Q3TrbBrNYqPuOKvBGfr3Ldnj1y4QARCc20p1iNyuRE586bjDPzQCEDE4uJUSQvXuTXWDqFz6f11m36otCyN+z98VKloEYo1gLnhcWYLKudQSFjllgVjgUtY9UL9qIRYq/m0sdCTEMMcfeNRd9p6//mLiw5T02TCruOc4NnaVu5jGhqCu/l
FHpm+/hYxbrECzDGsbThoNjlfegl6Qi7Bb0pjQE/oHLCVd8h0nynd4jCA3YLxejvD3xP/+17fCqXJVKuV+6z9a9A1vdk12k/6vLyg2qZ203WAU3tUwp1Sg+rQY90pJcpObcx1pVQNIaCY6y1+IwkVoG2XXaQ3i4a/+fBWEB+9JgCYhBRRmEsilfxOQw1oyezLfkCz4ZhPDmu0dhems1dwJ1GPe8F9hK0N/wwoW3G7CMqyl/XkFBecYrWJJEp+N1fuv/e8BKikFBHFMSPdtBcMfIEIOCTVjDjpYDmYCbncyJTdwQb9yqo8GJ/4cr7GOCPGl4z6ZJsyiN/AeEqYaIxtD2T4x2Cb8CfcuJ0MNdHBv+EUX/x0XAU6uvbjb1jcovdtmfIpZU9uMrwclqeIBaHGKMbRX+p2I2pP4oa95VfwmlBSL9aGMypIyc3Vc1JrnInynIBlT+KKMtX0kNrLOz70vs5G0wosaENqarCLl8FGDr4XAVNV5aSY2graD0trwLK96p5/Dx5K4+vtYYaHyYtvpqq6Gd7BDNtGyYrLUq1CPi1TkkFtn3eZFKPMGJA5a4RYky8NFd75WaqKchmkhuwtJNTI09X3eqZSl/aQ7lTCt1xeQRlqgdpEdGrQOxUMFPfJNx1qE17u2zgx6AqRVdT1Jzt5t8QuAi16v10+FF6/1cHzSi6H7Xq6oDPoiu8OdsrtYg1rIrb+/O/XtH9MrGnPuMh/xzuSf8HVumusoWwYkDZyBHF3mwHNqSgir2m2R+QSl2zV5t33sfcAuhdm1C8A7Moc1HIghcc4rO4eugU1i+6GOrUwUmXYsIXP/G1rbLoyw5MW0k6LMEdIt8zEaOZ+1f17WGlKnDyXhGPOXSOZAKrdn7AR3ga1UEAYvJ26Ley8OfrghV8z7PP0qF8spqopl13f7P6DFcpG9R1eryXXjTm2p6+vjSAC4x6/4wRII1fixK/uezKOe0q9BZfdNd6xz3uZz0/Jey9pnobGDcRP2wtFvw63Z3G92jugH8KX33M/n58iS0PJWycmht6D7YicTwP0JEz8IXKyYMVN3EhdmnXOXvbbUd1QoO3Vhb1+bOmN7yOeGsf6k25hcn56oyabyj93gybrEHspy41GOyEnvj4z9DsV/oP92iwiqLe/8cM3wR03bWxXuals9xg1UoDxnFH+QVkpsqSa06kYVAH6pgxcklrQEUFgQJqs/VG2NrSvqvqVJ05SOQ2jrS/kbp8vX5xf7OrQJLSM9R6FsbrsAwcK3roWchNp8UiSc2nJJZ9LisJi5IjWSudsXvtkIL/cIb1odTeFXR3xPx0ivbuMp6xUkYPz/rePhEsmmhKcOAuDbN3PJ+Tp2TWtagGvyYV3iHiwKL0ncb8IRuaOHttE59TmaYljxs2VU7kPwOsOpXg9N+b78DR84OZqT8jVaj6fg843wi7Oss/9WEDAAbXThQazUKJ0p8fb6iOTRrdC70fwLAxj70EqP/3gdYxnXTOO89N4Gcmto/NMVXVx5Lwr3JWQe4VjXL1/zzTT7xw6SmJ96gzHzaiyYWNWWlBLHyhrrI95Jy2Vxs4DTq63+I1MiaO6XFH9MBl6w676TrrS8BA5IkZaIz91QpSSd5S1/ZTjyq0TQUe1Y5T8rlVQ9X4p5G3N5EOtNVCTPDfYWGqbVIpz54+iXDyY2eEWn6prwssX4++Xe1mbY2DoMPo0aHzs74LDIn5123cs8/S9wSE/Hc7dO+Q541I1qWKcvToSM09+p5wkTel0GHhkf0oMOHdnxq0j8UYIJ/eIaRgDY2aNIGdufcJUCcYdibbZb9yy4LKE68QMENzYwzTPe8oWXBhNMd0iMQWN8c2Kai4wgyfiwfPxdzknFJn4nfttlDKZ4RyqqW8u9EAacVidPO3yOWvQpg5Ft17CDFgWVIRNQnzb4enZSJGhd3MN3+PcCSVe+eqSvIKvyn/bfUi5NKQES7mIOBmmqrG9342QpsTRczNbjy3t8tgQj/GH1EJVi2z
ZPG9ICTMaQkCh82Ubww/Zmk4rXoIWdI2FXFaFx5U8jdxI9wFa3eHXMGurwL2v3lhuG2zMSKKEbWyDYcOm+17XpFGsnn+H0dSYZpBVTFWVu095jtGJh054L9m31mrJS+8/a7vIVWBGE6FKxQ4PNN7dW/YLFxutkfXz8uKqwXWNSU8PI+vb1fPK+n+p6YF+p4PJ+99qGgIw8dtV83yNc08xodjv/OXFOTkfKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0nfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGRyh8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9Lz757jltIAqTNa6BNX0vgk/9mkKsvLXtwrQvceMIjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4cO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNbofK+XKj1EzVXCLgc7JXaFaY5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyaFb5yecz8jTUSnxuhNOVp1xgAQfmgZ1d18q4bz4j3w0dDXI3CnMl1UpuGUIGWIPNLJbb0EcmbTJ6BBfcblroSVvl/j6UJr2FOWVr8mnUXBN8qulDFOWHhbdYzCWpKJczTSvYm45RU41Te/P3SdhSLi9wWfJelT45etMWsJd1FkGK3KB9YaqAY0QuC2m7b9x7WJFfG4mm5DtVgiBPuVxOvn1OuGLPydT9H7j/o5KKteFm8m08vmhZXcwEHUzOT61DbWv4JxcEF0VfF8rJdTv8Ss32NmqwKium/q/TgGfbBsGAdgc5itCySit3dzD7/O53qoF89AnA3377+d3vbz6cffutz7ldUk356JlcKX2VsmT5xgv2e7tgP8I26gSjMrUSEWp20nYp6Z4Dytxzsc5gwsyUBmk4SylAeq6kDBhX6b0gkfhAKqDFivLhcOJ7ewew93lqoO76pC5RN80006Ww09JYnbryHeu1sznE+m9psne0rfnI5yQ9tNhlMxhsoNKEYpNN3Uuod3EgZnzU0dSSms0Reyip0W5EETJ3y3viQvngfoJ3d1w45IP+/2G46kZl9pP/HuSIlT0ffUBkL5IPcjjaOO4+/JQ6QtLW1s727NKntstob7PssE/mM3S7DU7uzZHptmU1P0Y8DIu+ZpQLx+u2mctFkBnnp/3aNuzE5cxBC/NIC4PxrMI257pwKuIB9BySeI3p1qH66ERVVSN3PVED7ORhjZvui917uLZ/g7hO3eFmDtOs74vbJZXlf6h41GyDm6WWHyIZ7o3dcOEt5Exjas64SpYleiwLHrFfUS2HQYfHjrqRVV2oXML48v27C/Kb96NuklLjiHw5airB5X++JV8a0CO9WxshCw27nTrzJjf0HKJr8qEtOoumdXVaOkv4kPaBqtRjBBzQ+iDH0U1QbSQ4dm+4ZfoBDVRQXWXYLQc2g3uB1gkLkDugTZlsKu0WzLTdrrZAl9TuaoX3hTsFyRYV1anKSjq465oOxhffO/pE2SCdKgnMYpH8LDCYpS2g6gDP5thqKQNYNf1XBqg1TT4Jw3ecSn68MOhe8NQPTujcVoFTPZMjLQvKcDBK+vITB9vIhMZ7D/B0Xi9/ktd2kfx9Z7JgVhelSdp3vQfdQT4s8nQLwEtBk0sMWYCcc5mwKHIIOkdutCxmhVlxy5LLD1nMhFoZWqXPXenDlnaZD3qGqAuTBZc5xQmXNehquk6W8D6AXbOrPMCXVOQ4K7wuaq2sKtKHpBD68qcCPY7pYYtsd1OoeVHmYLYDnD7/jcmioteFtancBtuA3YkWkOFRqLjMhDSX+ZCuhSnEVBSpw6JbsL/PCDx5Z/Ae7NS9EPuwU1f19mH/nBH2q4yw/y0j7P+REfaf88C2qhZ0CjlESgc9vXkmi6oRqHxP1xneyRZ4fZVBL6k
awedVnUf7dlomFfPUSUgBMs+hlBj4wtL7RmRhfEJihh00muWxJh3gPNakWZumzjCLlMmurDqLqWqVdaYHXGcQIVZZZ5jlgo1mTRbgjeTXkkplgGU4hMtXjiuZHoXlK1XbBdAyg1tNVXXBRAYftgOcIUiCcPV0bdO7RR1kkwVy3RQZYhpMc8sZFRkKiExB5yDZOmHWVR+2pGL9B5TTHHgvC2wDmgWybweTB2ufWJsF+nReL1/l8UGbYsrtn7M0GmOmSDsrbgewVslFtclyzREqMJ2+ys14H3+yWVs9wGAX3s+f3jnigaPalwW47yafroNcD/aMC8hhw5hilmMT+SxlcfY24By6gSl4jUmKRRZRx+vlT6Wx9aCZfyLYRrMssAWfQQ4zxqCjuYKSJysY3YbNZZ5TUqmyEWCYysHtAJzPM8gmVZsVtUln/vegxzLIkwDWMOfGapreE7KBnUHj01DnYrXOxmuDnch1JvnqM/P9Ec8A3WqgVQZF0pcC5UI7n3K9WihuCj9hNj30NdU0ywEvRwphU0Be+vn2qeFyY6lMPue4NHba6FTDAluo4GcF5YDaJMc1vR7d1iSnBouTG2bph10f2mlgH8w5LcvUd4CXqcOqbeugDG8RrwqmlaqydCVygDOYabwq8iRHho5HOdhcXyVvz1Sb9C1LeW1qzRMDFdRy2yTPPhNcQroWOxuoJulEnQ4uFt+md2sJ5bueFjOhkj/nHfAMKf/O5k0udRzQDBLH2dAZUE2emyDUPMvRlfMsF7hWOrUAq6bNPMc1q7hhOcRCZbIc2BxzICRYbK6UHG5yGe4bQKfO+PNQU6fjydUqtQWSpaJM+QHQyS1RlV4zUprPi8g8rnvDXUnQ6d+suvBDeZODTTqZegPWj3jNcsgyFG6GmTiphUEAm1oa1IV3JCVHlxrjPizYIlWd/wA0XNc8eSCgBl3NNZV20HM3BeRVFsDpn17fiezTp50poAkAazUvqKkTDgzog9Y0NVQNVOTQ7zQw5IPvOpoJeHomO8hpW7j2ICtdZsA4vSPTZPANG+8bzpAPYCB1IoAfeJzBODHwJf0BiDVoTQY1gyll+DyD4DV1ai+b0SzHPdCsTK5IG81iXXETALbpRmz1YTYmeVfNJZOpCyWi02LvC9Q36UxNvp3b9MfKA00f0etmeqaGu66Td2ttymmWPPRGiwxvYWNAFyVPXfWeZWxFGxnKwQbLjKVVam/wsuDSWDrLoBksubY51PBlLTO0brJKNzKlmzXWFi3SUfRNYxX50EgyWLrLHsk4LO8zFbwkJxpKbskJ1WXoZmiw/XscHT85KyOXxiaEIhgcok+wvwFTgsRKdbp8CC7zce6sqoVaw2Cw4I38m6kmWVPvW54xx0PvM8J5ZxrmcE0quttoYROLlfNmdxhIdiQFNzicoV09bD02UCKmqWulLRk2HiVktaCWcEtqDbOxo3CPtNy7DKGIMT5YHR0KhMvQ2X2kL7TgMvdE/h6qbrU+noZYNQe7AD3ZfN8sVDN40QiRsATdjSOyitRUGyDvwFKcCO7vKu1Y8PStmpsXF77s9Rk5DSO+nhO7iEwpwmbAHyCMPka0JXkP9nduJZj4Pg8PdRbmzXBkd3eLcHFPrAGq2WLCJY/ihzN3j9Bfe0d84iwMTIZ4IWgjcdbvvME5rm0T93gD951+7Xtoyt+Ou6Opa8Id5hePGPtuI4qENU2367yKy5KPcG3xVoy5C44xjXpEIG0G173HCdVSjEy8xO65GceBY/9cA5Zo+NKAsXuadh+erXz3XvleZcCxPH5VL7F3PVJd3um2O2UfTh4jjI1t/R07tJvXUcpTzv6/eb6hW+z8tBUKuHb8bKDVkC6J945H2D0uU2qA+HTtDhsyuFXdLoVfPAy+shsF32GutG9fH2UjIdQQA4Djzuj+eVWaSkPZEcb7DjpM+6Ulqr2bQ8MajRPQ9iFdg664VzeOhfRmST+Ygy+5gDkQAUsQhBrD59Jv3GZef/zoY0v
mB5TfuP6ekz59kEnPDrNG8i8N7I5JpPHL18P3sI6Jh01BaTUaXvoLyZSUgLkVZMXtYkxQEBKpDOk0dg0HlRfd2bRw7ER50j1RQs05o4I4DEZMH8TiYbHDpUbGND4c7+rF2sTR66WzrdROVmvqB54KTk2xUNltAm/EdeYazlLZDDVyUrE/gifeD4D4S+OwxTctDGJhAqievBFGOUN8676dYrCc/Bp+MSFv5Lr71wC6RVveSEtoOWGqqhsLOi6Gs7jxHWH5zLNvdvcCZyxubQi3/2xefv/Dn53te9rbjpZj30TRDue0SBsxu63jhq5Bk3/rfHLmRUADkYvf+tT1P/nPvNzgvHXq9+7HgcnLN8m2J7sDU9w6E/L+t49njnbQ4J0n6C8tuWEaairZ2mmVQT0Tu7kgBDn0nHx895qcS/vjy+fk/P3p2T9ek0/n0r76iTxdLdZEArcL0IQtlAmj0pTWwCx+64dX/+u/PXsS5QjYRUYZt8sPlKmTisbH8ZjMp++O1/zSn8XzFqn4FS8fF9J92XQD5gc2jLv1Ax/Dd0cx3Vgnn7m2DRXk7Zv3UWT/UBLy+bIOOxn/R0mYxHnr0P1qRCgScrPwxC14jG/wnn2YUwsr+gAj0vF0X5A3ZanRT+tPeQyd7ullVX1onPO+sZDzk3cX/lUaDY9V1Bwx+rHlVPKaani7yfmFQ2XE++V4eOAkiCQ8dGuP87DVxAo/Xeu4AqKHLi1L7r5MxSZg25vlH3/njngAnEmIF1yFG366fQQGqGxyrbPodbd90ih5HzC8UNp2InkgdEsMsOEGcLu+WfKaI/Pe08PlvH1MWrLejTFeQsxuPJYXN2CHli81RjHuVE7vNxroOMTJZU3lHCad6cSUnPF5o6Ek0zXCBFli1lBcztQHth4YFI2OaMvRRWcZ+h2IhLp/v4QruQNAQ6UsFCGzO32eUXrWltIUtPCp+BlA11bnAT7LcCRmGaqFRY7rkKv/SZ2BqbQsWk9cPrV814J3dEx2V+s7Ex5Agz2zC9ASLPm4ruE5+dQ+Y2/RAfYjuWgdYIOX4LcxTa0d1XMEZWLENG6RDn7x54QKEVUm6s0XMcGNakzMW4J2byCXVhFj8THnknw6HxUoDBNks8mr5CLbAVV1hrFvDrAGkzqj14HNUOLiX8TUqejob8+ArR+tUAiQ8+STIhFnp3xk1EJHNFCv8lDRC8BIwjCdYEYo+UXpFdXlcE43IW/mmOylCXU3/hpz6aZgVwAyrnom7pp41xi3slT0Q3UeGYIt4zEzYkAhlyHPFdMSKm6dWAojNuIkLgWVx4jj38JB2SaI9FyUAwK3XZabSMrSWbBzNGC3X57UkUpg2IVgma4f3O0i9lRbzhpBNcF+0aRF4unZ9eu3aq5ms/j0d2CFXUD27d1C9qNb0N/GHt5nDm+H7pvGLkDakCw+irZpUnZOuF1Cj19yHPVPBvQowqqxTB2X02HJcYQvG8bAmBGcsfP4Yc3RDks8QbyIU3HnSq9JpDBhgNsxhNMWjrCDo5NKGOAztZLuXXFyK6Ycdj8kA0Vpm6plun50I+8mJb5rKdYMCA5lR0/ww+zow1wSw20TkZ8EiwsgiOgAdUENoaWq3etiF8A1USu52TLPOEuvlVTVSF4tzuQw3LeoP64S4ZR7Lksnf5Q2HQMo+YULIG8CYpMBG27j7JUdYf5OjiaMd/Q/SLrCKAsuQ9ZCWi7EaIwwImW9+z0Y4fP1LkO9RmpOjCeETlXO6oEI8VNY0CVXDWqXTFW1VhUfyVCEYyN3JulUYBHZjJzsx43LZSd2MiK5i+GW1kmiCGxhmHS4zAEIRtbv8Mu9u71XdnPfRo/dpsyykXa3nC21Rl9iGXjBDjHrb6UF4Xs8Bwmas5YkZAgm+u2mFnC7wKc2NtuNBGQn7IeJsXo8+NnSdEjbrQej6eV+moJ64dfKSFfUNO2McMsrME6ue21PQw2jQaSwC8maQty4Edh48J7boG95tA7p3f1gR+vH29H
0Q2GSDTm9NWnBYXwThQPakOKNQLiFMPh6qXt5I3X6qHvnL1oS2vTNO5esl+pxBMgNcrwTIF/vcfzx5i1LNdrgOFt2O/mojypBUt6xW8iPox7HlLQNDmOn1GMJ2o6fOnnlTmMXRQV2oR4gSkK3PMnEoxG+Nrrh2EtJq6xepz1RnQ9KBH+tQ2TPuczkCfnH5OfvvydP356+uXhGTrmxXM4bbhZQYil8FBeh5ip7X6B9kTDMlp15PMI24xdHMsa0yuxV3Ff/6XY1hkF3Y9Ajn2zo812uC8O0/67ut+f4Q5xiMVMqY23SN5liVKTqTrdDyAda8sb4FYjSxPCKC6q9eHJi090hhu96vLwK77nh5TE7jfQz5T+5g9B6EXf6Ym4ueb46izdy313HsEaoNOz5f4OTCD8ZnIXguIFeWUYZd2UqnTMxYBCyQVYrPaeS/7Enq1rmOwq3ZfYBnO6fqRF2z7iO1pJm6vrzi1sOXwvf4sv3LtrKav4VqLALRjWQWkOpKi5ptOCuJ54uqOUgrbkxPV7QY1L7lj4osb71I9SZDq67Ok+c4KqpttgMaUPqfrF6xGZHQdjcRqLOoARNLZRFsqSyPefDCZ9f2hW74NmFVkteds3DwvdoXYugqQ4ORmj+4561bZ02ruBsiOTlkajslgy9/ux6hMzo8FDMnFxyHz1f7CruIy3gOqUz5VDwu2qecI06U+9HvUroeYRQr6OixkoNMVZpL/EdtAosxdWe4Lcm7ltP4tRXvCwFHE/KvcP1bivnItvbk3sHybl2PMZxyL0Iq/U6DMl1G519TmpB3Za591lpApLpdT3m5cdUyCPYk7fIoNOdbfmrMpa8o2zB5YhJV9JMkuObXV5/kpjpX2tw4sPpR77JmZmQtyWtyWf8h9ePSiV93ek/h48nWdAlOM1JANXkSwN6TbAHoamVNNBqVPHiVEdvgb85jrwMPfCYg6x52wVSevJ9X75xPFuSjoDq5gB9CM1Rb4spTnnK6zDbPeNta+mtJkbONgwPLzdEN1JG7VjzvHt5fOTZt5EaqbELEItgYebfCEpWXJZqZYipgfEZZ+6T57E6wZAnO7wgjjyP7ybnhjzFjrAg2eYZwtDlsx63SCPxHX8Lc8rW5JPZbnzbRWCr3ULa5Nm1boUjGOwjr33f1EJUsFYND5l7EQcc7/oARKr/typNsZxnyL5tsvMr1GPdeb16HaEYKYwetPCbA4g9Tl7vGKkhwze43ltZd4akj3cBHVJzHIddFzDY3ptNQqbfhsEOxRtS3Fz8jGUDKUcCjla4IcklzLgMvnoUTtjVr6L1SNNBxO6gQrFMuG0cMDvqX2rB2Plsc9MeeimN9KbsfNjWUraojtwCf7MqMpwMrKP+dmQZ8jLlMt0EsaR3w5GMRYV5H8+IkOqX7eC2+Dbam/L+yNTOAdZ5374bsK6pbs+U+/PzDSmrBR+0Uifudjhb1ie/34o8m3xmiW9rofQ634b/xdRU/vXGjjEtIttd1Fv1PPY0Obb85QVCv4G2B1OJBlS1/db3UzV6CgqQVqv6ENFRqmY6cC7c6oyHNZ21DTeUIyCOvrrjuPfwRFU1levuPuK1w3H63l5ZgnbPUMHlTMWVAmquctcI3SA/dqzIFrMV5O2KPvuSK0fgl0aINfnPhgo+41CSU6x79s7BKCormBZMqSv+QEH332FK/Pob+5mKMW0+ebfZTTi8biyq3AeOML35rn/olghTdoI72vvkJ+TjuvakbzwHjjl+B8c3T8OsSNpMdgdth4N3ROgnJta2dheZY7jqOuVyGzvvWayVbr39GGL+8HZky3u9chIfp5YXdd45RHtY4Va+0XPfoqmVyqSJbCPl1nH7QWpq465JJgtqUkb7e4B1KKdPDLnRIuE296Am3JXOGC0ancob0oNpQBd0ns6m3IBO/jxtg06a/rgNOpz6DIIFri1IVK3SGycOfrLT3Cl6Cw07qTKpNSq/xDFqCbdk7kdcFtWrF+G/TwIKL8J/hLy
mmNufCtDx7LxAzgNGzz0x/eA5elx7o9YG5JRhIJozqbicgdYjcdch3Uehq6/438j6qHv2CEi2fYlnvW2IXCkMa6usVyqyxNGO35mP27tj9xEziHX/T3+HYYLW+MBPXi9AH8cf4XT2kPH09ARHPz4jJ7h+HDXQ9kjNUkb4fAI6DP+ErSzMPc15IWvouMfI3oa7RZ+YXqfovTvN/zjUK3n31ijx3SaX/I+4t4ZfZZIp538/IxLmynK/gfWCmpEJUIYdu61Qbyv94uPDBd1WZ5sANUhw2TljbeP0tv4mnpBi+PwYFRXb/Y26qYcfRwctO2nCjWmSK50IGZOl8nnr7hdDQQxB66w+0MGm9KXnmVucXGJwep90OkqGRNcZPESRn15iauf+x6gnPQ9D8u7Scw+O4yLUGFEsc77ouyHV4MiOIlMW7ujRJnmbRpMLML+CYFFnam7wzWZcSf9BQtn6EzEYr1OanF+++fu7C3Lh3inymxyZvrLBNlMl9SHYflypOLYohtgC2JU5yIl8OyGctwdZbOhc16+zaxGGaaBhBOFGCu7RckHzQVPIB1ByPR5dV5BRowFxttQ2R5vw2cdySQUv/UGMILErCI/W1XqfIESOXcHa7IrtRCe/TSBNDHthbW0KjjNos4DGrczBEEYfwW3ic9lWvijN7fqGG8VUVWXtE3dLvD0ewSEUL8FfcQ1i19JM7WJZCSoLYx5q4K1b2cvw3wO1bY1WFFtfalzUih8jrTqGsMeAIAaIVNwaQLayBZVy0Dgjd7upsCoiMhKzPVLb5u5hCTMPf3/75n14917sLN89KFbpXd9/8p5t3FwVSyWaXAx4085xlmHOTTcZux3n20huDXnqkTDPsFsHFva2E3V3wBNEOkqNaDJJs7cB10+S25AuMNkuOliCxkyBWSMIU5JBbZ2hfOn3cKS9wmqVU/p6xjuDvR2h7RCtlbZEOf7++h9vYim4UbanPndKz4+fYLlbYLDlYp1S3+wk2ijmb2e/XZxfkHf0uuKy7MZ6x7fV0Xb0NMytIYojZAUyBtTtI6tTn+Ili8nTs32VYzE7XsHmQxfhtyRnVzu2nGVBKp+fhi69AYu9GIrjbcoD9wpoKa7+y9cNd4U5shxqkqlvN/pLnAn9QNmNYVw1WvFdULfyxb3PiWkiKerUkL8Yq5Wc/3UqKLsS3Fgo//Ii/O159ymXM2Dxj2Zcw4qKqCJDp6L3G0JlSYwiI8dSw5wbq9fOsj+msKipXYRm/R0OZBeHAZLolDoWmr4Q2tdrMaV7Xcg7fbLDHKTV6z/93wAAAP//cyu42Q==" } diff --git a/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml b/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml +++ b/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index 3a2b806bbcd..7f0c86d9d0f 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-08 15:21:24.912542 +0000 UTC. +at 2020-07-08 16:42:06.806469 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/fields.go b/x-pack/filebeat/module/sonicwall/fields.go index bfbbb4b0c3d..d3f61fd9af9 100644 --- a/x-pack/filebeat/module/sonicwall/fields.go 
+++ b/x-pack/filebeat/module/sonicwall/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSonicwall returns asset data. // This is the base64 encoded gzipped contents of module/sonicwall. func AssetSonicwall() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 688c1a8395d..a915944aaef 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -37,8 +37,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.95.245.65", - "10.13.70.213" + "10.13.70.213", + "10.95.245.65" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", 
@@ -90,8 +90,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.163.217.10",
- "10.214.225.125"
+ "10.214.225.125",
+ "10.163.217.10"
 ],
 "rsa.internal.messageid": "413",
 "rsa.internal.msg": "uiano",
@@ -129,8 +129,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.202.66.28",
- "10.64.155.245"
+ "10.64.155.245",
+ "10.202.66.28"
 ],
 "rsa.internal.messageid": "14",
 "rsa.internal.msg": "nibusBon",
@@ -361,8 +361,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.30.196.102",
- "10.241.178.107"
+ "10.241.178.107",
+ "10.30.196.102"
 ],
 "rsa.internal.messageid": "353",
 "rsa.internal.msg": "onproide",
@@ -481,8 +481,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.170.120.4",
- "10.193.192.62"
+ "10.193.192.62",
+ "10.170.120.4"
 ],
 "rsa.internal.messageid": "264",
 "rsa.internal.msg": "utali",
@@ -622,8 +622,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.240.242.122",
- "10.144.97.172"
+ "10.144.97.172",
+ "10.240.242.122"
 ],
 "rsa.internal.messageid": "346",
 "rsa.internal.msg": "aera",
@@ -740,8 +740,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.112.75.76",
- "10.25.39.99"
+ "10.25.39.99",
+ "10.112.75.76"
 ],
 "rsa.db.index": "mveleu",
 "rsa.internal.messageid": "882",
@@ -1073,8 +1073,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.148.161.250",
- "10.226.27.132"
+ "10.226.27.132",
+ "10.148.161.250"
 ],
 "rsa.internal.event_desc": "tinv",
 "rsa.internal.messageid": "534",
@@ -1109,8 +1109,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.64.50.66",
- "10.149.0.64"
+ "10.149.0.64",
+ "10.64.50.66"
 ],
 "rsa.db.index": "atevelit",
 "rsa.internal.messageid": "83",
@@ -1170,8 +1170,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.97.124.211",
- "10.53.113.23"
+ "10.53.113.23",
+ "10.97.124.211"
 ],
 "rsa.identity.user_sid_dst": "iumdol",
 "rsa.internal.messageid": "1154",
@@ -1227,8 +1227,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.96.97.81",
- "10.161.148.64"
+ "10.161.148.64",
+ "10.96.97.81"
 ],
 "rsa.internal.messageid": "350",
 "rsa.internal.msg": "mve",
@@ -1446,9 +1446,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
+ "10.113.100.237",
 "10.251.248.228",
- "10.108.84.24",
- "10.113.100.237"
+ "10.108.84.24"
 ],
 "rsa.internal.event_desc": "volupt",
 "rsa.internal.messageid": "606",
@@ -1497,9 +1497,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.229.229.42",
 "10.103.117.31",
- "10.207.211.230"
+ "10.207.211.230",
+ "10.229.229.42"
 ],
 "rsa.internal.event_desc": "orin",
 "rsa.internal.messageid": "428",
@@ -1657,8 +1657,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.11.83.126",
- "10.134.237.235"
+ "10.134.237.235",
+ "10.11.83.126"
 ],
 "rsa.internal.messageid": "372",
 "rsa.internal.msg": "obeataev",
@@ -1771,8 +1771,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.99.248.145",
- "10.115.53.31"
+ "10.115.53.31",
+ "10.99.248.145"
 ],
 "rsa.internal.event_desc": "molestia",
 "rsa.internal.messageid": "412",
@@ -1804,8 +1804,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.143.228.97",
- "10.168.208.169"
+ "10.168.208.169",
+ "10.143.228.97"
 ],
 "rsa.internal.messageid": "616",
 "rsa.misc.action": [
@@ -1841,8 +1841,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.236.56.233",
- "10.43.16.73"
+ "10.43.16.73",
+ "10.236.56.233"
 ],
 "rsa.internal.messageid": "373",
 "rsa.misc.action": [
@@ -1874,8 +1874,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.184.254.143", - "10.222.251.114" + "10.222.251.114", + "10.184.254.143" ], "rsa.internal.event_desc": "illu", "rsa.internal.messageid": "412", @@ -2232,8 +2232,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.236.247.87", - "10.175.98.45" + "10.175.98.45", + "10.236.247.87" ], "rsa.internal.messageid": "710", "rsa.misc.action": [ @@ -2353,8 +2353,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.205.21.166", - "10.20.73.247" + "10.20.73.247", + "10.205.21.166" ], "rsa.internal.event_desc": "sed", "rsa.internal.messageid": "998", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index b37ef4b4400..5576a8e025e 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-08 15:21:25.454863 +0000 UTC. +at 2020-07-08 16:42:07.303222 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/fields.go b/x-pack/filebeat/module/squid/fields.go index fec01b372a7..5070915d425 100644 --- a/x-pack/filebeat/module/squid/fields.go +++ b/x-pack/filebeat/module/squid/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSquid returns asset data. // This is the base64 encoded gzipped contents of module/squid. func AssetSquid() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/squid/log/_meta/fields.yml b/x-pack/filebeat/module/squid/log/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/squid/log/_meta/fields.yml +++ b/x-pack/filebeat/module/squid/log/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 89f51a2d616..b8747537801 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
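Review bot: The new order of `related.ip` in this hunk does not look like a deliberate ordering — in the other hunks of the same file the same two-element arrays flip in both directions (the 10.105.21.199 address moves to the front here but to the back at `@@ -362`), which suggests the pipeline emits `related.ip` and `rsa.misc.action` in non-deterministic order and the regenerated fixture merely captured a different run. If that is the case this golden file will churn on every regeneration, and the fix belongs in the test harness rather than the fixture: compare array-valued fields order-insensitively, e.g. sort them in `clean_keys` before the comparison with `obj[key] = sorted(obj[key])` for keys such as `related.ip` and `rsa.misc.action`. If the new order is instead intentional, the commit message should name the pipeline change that produced it so the next regeneration can be checked against it.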
@@ -91,8 +91,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -144,8 +144,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -312,8 +312,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -362,8 +362,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "66.102.9.147" + "66.102.9.147", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -433,8 +433,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -486,8 +486,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -548,8 +548,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -606,8 +606,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -659,8 +659,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.85.16.38" + "209.85.16.38", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -715,16 +715,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.213.132", - "10.105.21.199" + "10.105.21.199", + "68.142.213.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -835,8 +835,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -844,8 +844,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -946,8 +946,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -955,8 +955,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1008,8 +1008,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -1017,8 +1017,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1074,8 +1074,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1189,8 +1189,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.160" + "213.160.98.160", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1303,8 +1303,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1352,8 +1352,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1409,8 +1409,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1470,8 +1470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -1581,16 +1581,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1638,8 +1638,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1687,8 +1687,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1736,8 +1736,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1859,8 +1859,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1908,8 +1908,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -1963,8 +1963,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -2022,8 +2022,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2080,8 +2080,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -2198,8 +2198,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "63.245.209.21" + "63.245.209.21", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2207,8 +2207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2256,8 +2256,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2265,8 +2265,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2368,8 +2368,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2561,8 +2561,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -2570,8 +2570,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2617,8 +2617,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2676,8 +2676,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2725,8 +2725,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -2792,8 +2792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2947,8 +2947,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3006,8 +3006,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3115,8 +3115,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -3124,8 +3124,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3174,8 +3174,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3281,8 +3281,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3380,8 +3380,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3389,8 +3389,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3448,8 +3448,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3596,16 +3596,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -3657,8 +3657,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3666,8 +3666,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3716,8 +3716,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3725,8 +3725,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3775,8 +3775,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3843,8 +3843,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3892,8 +3892,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4183,8 +4183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", 
@@ -4242,8 +4242,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4290,8 +4290,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.213.132", - "10.105.33.214" + "10.105.33.214", + "68.142.213.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4299,8 +4299,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4411,8 +4411,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4460,8 +4460,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "304", @@ -4513,8 +4513,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4522,8 +4522,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4584,8 +4584,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -4633,8 +4633,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4694,8 +4694,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4703,8 +4703,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4756,8 +4756,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4814,8 +4814,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4876,8 +4876,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4991,8 +4991,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5000,8 +5000,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -5098,8 +5098,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5155,8 +5155,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5205,8 +5205,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "217.12.10.96", - "10.105.21.199" + "10.105.21.199", + "217.12.10.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5214,8 +5214,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -5314,8 +5314,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5323,8 +5323,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_SWAPFAIL_MISS" + "TCP_SWAPFAIL_MISS", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5372,8 +5372,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5532,8 +5532,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index 47a004ba200..4ba1d874fa0 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json @@ -242,8 +242,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -297,8 +297,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -352,8 +352,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -407,8 +407,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -462,8 +462,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -792,8 +792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -847,8 +847,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -957,8 +957,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1012,8 +1012,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1177,8 +1177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1287,8 +1287,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1342,8 +1342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1616,8 +1616,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1671,8 +1671,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1781,8 +1781,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2001,8 +2001,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2221,8 +2221,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2991,8 +2991,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3211,8 +3211,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3486,8 +3486,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3761,8 +3761,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3871,8 +3871,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4091,8 +4091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4201,8 +4201,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MEM_HIT" + "TCP_MEM_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4255,8 +4255,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4310,8 +4310,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4365,8 +4365,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4529,8 +4529,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4649,8 +4649,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -4704,8 +4704,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5143,8 +5143,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5253,8 +5253,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "403", @@ -5366,8 +5366,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5420,8 +5420,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5475,8 +5475,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index 0c31cfdfcef..5a63ebf892b 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json 
@@ -20,8 +20,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -67,8 +67,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -114,8 +114,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -259,8 +259,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -503,8 +503,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -785,8 +785,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -834,8 +834,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -881,8 +881,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -930,8 +930,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1126,8 +1126,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1364,8 +1364,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1413,8 +1413,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1531,8 +1531,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1649,8 +1649,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1658,8 +1658,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "204", @@ -1715,8 +1715,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1764,8 +1764,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1878,8 +1878,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.6" + "74.125.228.6", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2000,8 +2000,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2106,8 +2106,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2163,8 +2163,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2277,8 +2277,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2334,8 +2334,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2399,8 +2399,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2458,8 +2458,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2629,8 +2629,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2743,8 +2743,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2849,16 +2849,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2914,8 +2914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2971,8 +2971,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3021,8 +3021,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.184" + "208.44.23.184", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -3030,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-apple-plist", "rsa.misc.result_code": "200", @@ -3080,8 +3080,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3089,8 +3089,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3139,8 +3139,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3198,8 +3198,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3207,8 +3207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3325,8 +3325,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3443,8 +3443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -3502,8 +3502,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3561,8 +3561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3670,8 +3670,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3679,8 +3679,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3738,8 +3738,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3797,8 +3797,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3847,8 +3847,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3856,8 +3856,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -3915,8 +3915,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3965,8 +3965,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3974,8 +3974,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4083,8 +4083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4142,8 +4142,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4319,8 +4319,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4378,8 +4378,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4437,8 +4437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -4446,8 +4446,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4496,8 +4496,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4505,8 +4505,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4564,8 +4564,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4614,8 +4614,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4623,8 +4623,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4682,8 +4682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4732,8 +4732,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -4741,8 +4741,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4791,8 +4791,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4859,8 +4859,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4968,8 +4968,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4977,8 +4977,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5026,16 +5026,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "173.194.73.104" + "173.194.73.104", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5091,8 +5091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5140,16 +5140,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.96", - "192.168.0.35" + "192.168.0.35", + "74.125.228.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5205,8 +5205,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5311,8 +5311,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "69.171.228.74" + "69.171.228.74", + "192.168.0.35" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5320,8 +5320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5426,8 +5426,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "69.171.228.74", - "192.168.0.35" + "192.168.0.35", + "69.171.228.74" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5491,8 +5491,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index 086f58bdb16..0d15b554214 100644 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json 
@@ -79,8 +79,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -193,16 +193,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -250,8 +250,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.97", - "::1" + "::1", + "173.194.123.97" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -307,8 +307,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -372,8 +372,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -421,8 +421,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -478,16 +478,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -535,16 +535,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -595,16 +595,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.237" + "216.58.219.237", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -660,8 +660,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -717,8 +717,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -832,8 +832,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -881,8 +881,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -995,8 +995,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1223,16 +1223,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1288,8 +1288,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1345,8 +1345,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1459,8 +1459,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1516,8 +1516,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1565,8 +1565,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1630,8 +1630,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1679,8 +1679,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1744,8 +1744,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1793,16 +1793,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.67", - "::1" + "::1", + "173.194.123.67" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1858,8 +1858,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1907,8 +1907,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1964,8 +1964,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2021,8 +2021,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2192,16 +2192,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2257,8 +2257,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2314,8 +2314,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2363,8 +2363,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -2477,8 +2477,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.101" + "173.194.123.101", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2591,8 +2591,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2713,8 +2713,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2762,8 +2762,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.226.83" + "74.125.226.83", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2821,8 +2821,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.40" + "173.194.123.40", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -2943,8 +2943,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3004,8 +3004,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", 
@@ -3057,16 +3057,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3125,8 +3125,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3177,8 +3177,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3245,8 +3245,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3297,16 +3297,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3357,16 +3357,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3417,8 +3417,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3485,8 +3485,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3537,16 +3537,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3657,8 +3657,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -3717,16 +3717,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3774,8 +3774,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3831,8 +3831,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3888,16 +3888,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3948,8 +3948,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.133" + "216.58.219.133", + "::1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4008,8 +4008,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.228" + "216.58.219.228", + "10.100.0.1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -4068,8 +4068,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.238", - "10.100.0.1" + "10.100.0.1", + "216.58.219.238" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4134,8 +4134,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "301", @@ -4184,16 +4184,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.6.238", - "10.100.0.1" + "10.100.0.1", + "172.217.6.238" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4303,16 +4303,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.238" + "216.58.219.238", + "10.100.0.1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4364,16 +4364,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.238" + "216.58.219.238", + "10.100.0.1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", 
@@ -4479,16 +4479,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4536,16 +4536,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4658,8 +4658,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4715,8 +4715,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4764,8 +4764,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4886,8 +4886,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4935,16 +4935,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.204.156", - "10.100.2.85" + "10.100.2.85", + "173.194.204.156" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4992,8 +4992,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.2.85" + "10.100.2.85", + "172.217.12.174" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5049,16 +5049,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5163,8 +5163,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5220,8 +5220,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5285,8 +5285,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5337,16 +5337,16 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5405,8 +5405,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5525,8 +5525,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5585,8 +5585,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5642,8 +5642,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5702,8 +5702,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md index a889bab8822..df61925aa09 100644 --- a/x-pack/filebeat/module/tenable/README.md +++ b/x-pack/filebeat/module/tenable/README.md 
@@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-08 15:21:22.17985 +0000 UTC. +at 2020-07-08 16:42:04.297305 +0000 UTC. diff --git a/x-pack/filebeat/module/tenable/fields.go b/x-pack/filebeat/module/tenable/fields.go index e655ed3897c..884611ba842 100644 --- a/x-pack/filebeat/module/tenable/fields.go +++ b/x-pack/filebeat/module/tenable/fields.go @@ -19,5 +19,5 @@ func init() { // AssetTenable returns asset data. // This is the base64 encoded gzipped contents of module/tenable. func AssetTenable() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml b/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml +++ b/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md index 63608feb7fe..e476df92e13 100644 --- a/x-pack/filebeat/module/tomcat/README.md +++ b/x-pack/filebeat/module/tomcat/README.md @@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-08 15:21:15.18788 +0000 UTC. +at 2020-07-08 16:41:57.552421 +0000 UTC. diff --git a/x-pack/filebeat/module/tomcat/fields.go b/x-pack/filebeat/module/tomcat/fields.go index 53b856d7d27..638b1ce26d5 100644 --- a/x-pack/filebeat/module/tomcat/fields.go +++ b/x-pack/filebeat/module/tomcat/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetTomcat returns asset data. // This is the base64 encoded gzipped contents of module/tomcat. func AssetTomcat() string { - return "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" + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JVRWj9i+EWG4FvCZvasoWQD62fy7BMM1ry5V8Tf7tL4SQ8BMy4yBKM/kLCf/1Gj90//uOSFrBayLBrpS+mnBpQc8og4n7e/c1QtQS9EpzC6+J1U3/E7uu4bXDcKV02ft7CTPaCFvgkq/JjAoDWx8PsG3/955WQNSM2AW0iJEOMbJagAb8zGo6m3FGFtSQKYAkampAL6GcDOjTht6BmLlWTX17UnaZulkWsZZUbJE3vvrY+rElNotUZr719/0rjG/YYFc+Lrhx3yPckMZASawijNa2CfzXdEUqMIbO3b+pJUxVYBzRyn2+A5qQt2pOToGpEnScEA+L7yJ1KDktXFiCtIUjLTHggHBm7geWG+Q5U9KCtMbdDy6NpdK2aJgojpZXhyBYUrv7wRA77nFySxBqyWrB2YJQYsAYriRZcGsIJe/B/s6tBGPa3Z8MjkZHrFmoRpREwhI0mUJ37mqqDZB3YKlDjZKZVlVvqadv1dy8uKDsCqx5NgB/yjUwK9bPiQ14U/IBvLDwJ1z20JxEGSlgCeIATgold+/nFidPodbAqA2YlDDjEkqipEC0LJ0KIBWt41hVZl4kuzB79vhduOfnpz+QJRVNuPG8BGn5jIfTCdeUWSLU3O+XHmwEUscd+HBa8HtuO2qqLWeNoBp/HzZ2MnoyBqAPOimxkzGAPH5SRrdkedw9efn/92T/nrhV82zI/a6vmv5RICG72/JosFvSQ4RedtQ0GNVoluntvT/bct3/+2FmLLVQgbSPETnalNwWTNCdO/xI0ANp9foxIrZwOtVjRIzLwxDLqzG1kuPxnrQS6CHSIy/bZgBlShtqRK+J2Zm9L7ZuAYfNQA8ZKAn3syJ29JAB9BusiHEu7rhWjsRF2fOqRNnn2TUgMxH7SISDd2YfO4Za3Uj+pYGNGq07+sOf1ttG7YmSzD0O1KrHbtmOiJslzysO+9w9ccvwGWe0f5/fqjk5W4K05BKFM2lkCdqZIBqCoBqQPuPXUBID1gHZ+vH2GmbcYGk3YQD73gZLtwkD0HfalKEnML1/6bCDOaDrDjy5Gw8WymTSV/vn8ldlbF9Eit0TaUCWXM7bD03s2PR8SF8Pf/khB2zwo1HGnl8sfyK0LLWTlWPXfZe5A+qt+lqZu3yVm72v/t9lr+NWftmwKxe8I63vLSsJJXO+BNk5yb5eRcCx6DD/RV4LpHyMyt/XEdEYdWioel1o+JJhr/vBQ9xgpHu6Ri6f+aXJBV6k58GbbSn5uK6BMDqUIFMgwO0CNPl0Lu0Pr4jS5BehqP3xJZlSg6eoDZDN+LzRqPrdQPch6u5XTDeGQfMZnwn8C+7Xc5XLzbbPOm5X/uodDEqvqC6zKXU9idYju8/J84vPW/oeJRoE3d1SQszaWKjCIxrQdtAW4E+q8cxz/1aaz7mkov3NtrZyAx9y6V97EiPOLz6/irAgoD/gxP1Z0GE05HKK12dzUIeK46GvzwJoCfoosetfcSlyfnqfKKnHtx8sRTCHxUoftZNNsCK7n422itb5RtHCi+JMlxMlBDCr9NcogB33HiDnxp05bgjzrIPSYbqlqL5Vu2oL2cPoR2jxVWz6WFTVShlMdquUJNP1YNMI0fClAWMdQMOrWqzDPrkvO0FPgLIFMbwE8vR7Yhe6IS9//vkZW
VFDDIDsVtnDiUehvN6CE6ZW0kA+VrCv5lQw1Ujb+RSaauqFnrvKJgqBPKVTtYQeM7iMZla24s1YDbQavT/sqzk2D8wqKHmzq6elYNQ3Mc2xcyzwGeH2n83L73/4q/Ei/UWNArRF+p8Dav7p7MG3dA2avCRnktHaNMJHVpxJeSe5HoN+z+BHJLcytsqPL8m/OnKfkx9/JP9KmNJOX0YqwqLPyX8X9n+6L3JDtpnyTXQLpSrh0dq6cgUFo0JMKbvKqwF75KSyeG2o9XaFYyLIslZcWjRNLMQTnPFwFKC1ypSfttEHTQ2MU4EYI6bGKu00a7n2Wof7YEkFL/3BiCFFyEw1snQvjABEnst5UI5uTF7cvhEDyCligeE67AkbjezCWihaPpZ3LqBDDP8TSAVWcxaxOoIp3P8y2sL+uW+FsHv2qd1otGrWbtuE/KpWbmuGNieXRGlnjFlFrgDqG5j2KF68r4RpWjEwpljysihzRV3PWskzBwmaWrzkpeNgzy5ccm0bKpzRvuV7lxEXB6+4M7sxVo7M8FSEq35+SrST1gYdKsg0qudgu6/dyAmjMyU9PTgnfCbcfk7oLKGgoeA/P219rx+gUhbIZTjvTAM+tNP1mKB0/2sDMV9B4CWsVJha8JyZDY/anDd8oPY/Ct3MydyM5x1vnXsDwllvT11rtYQn5L9GhNGLlxkXDxCjd6s64+ji5M1F0H0ZlY49vKqV3tV4CT6RX10aRPM43B+f/FOFhjia7jFX6rYp32x+sjHYvZ6DlvmEvPz5FVkh3yugklAh4r4CdOqjmrTxH5EVaPBgqSUCqLFEyZ1ykW0mPria+HUzMXJXc4RtA+9+V7pExmFWE7CFVELN17uBuBnXAy2WkJ8JW1BNmfVMdJd6jfij01ySRoacHrHlMx+tqE1d0O0D9TmDCHtil2hRVE7JVLINI2i6GpVpKFl31ErKUGP1MQoZfA6KsUa3EI2lsqS6JFLpigr+Zyy/V+kqyp8yZDkczCLVTAdP0p2YtMG6Q+aF4DNAiiMGvgGmZDmiYG+2uzA2p59lD0FcMlXVAmz0AIw6USkq8FbzHTHYqzfT9oEO8qVbO3qcx47y9skcPX6VknaRaJs29ampcl42WU7lAzH+TJY52O5A/qlk7m4Le8SiW71VMX167cddDg9EVLYb/YZYuLbh8pElaNMrpyj35YFF9ve+h20NNBWZmzI9pnQJZb53MCTZhGfKdCu2OkabadN9sR9fH75WWlUThNpgUb5hIKnmyqv1VSMs/85y0ITWtWirXza9bCoq6TxWmkuIwPBOay96pDyuhnD7xBC1kj4yZmlV73oGA8ZuNYfi8PZZQ9iCO+tGlWAm5F1jLJpJfaDuVlI7kpdLLRy4SXsF2Gzm8F7CMTQh3OR2Qc87DTPQIJk/ENSp1iVf8tJpNnge4oLsshVkH3eYFyfyuub6aBRu9tPHgq7dSeRWrD2xxgk9p685pPCA7veNJtz0URfOcyeNO3k2GSzZpZOpJrUEqgaK3H0hdvxPfVVQg/zSQHO0o+ROtz9FG/m4ooYgEuXIuUHkfkjN1IRKwRZDM8i0eWUzvL7zKgeudZEB1brIoT3XKUXRNtCXyaFm0JV6r8jDmJA75mP0jRk8l3d6cw4VmzfJtUOCBZsHYqcbQmpHEGUDJT6FYm0akTvsNGJFqcYyVcELj0NnvGBWtpoNTgiVgQVbBuTIAYElaG5zlo7sIaxdPRQB9iI7+1w+eYsXB70D/SvdVbo4aBh3qoHxGd8YPnHt1gdzxnqqBF05fzZTZAM6FyMvNwUTrYuqDEGWKN7BbD7WJnzettL7lqDS5LfLkBrLTZsQsOtXw/XbHRqrkjS1Mjyh4LjV2UJzWpa+wxSm8rd3d7QLTyNska910R1FkWwq0JzdVRZFaTtCFdsewvqVbN3N8GLJ3+8BaUuQpdIhYXYvZWr6xwN0r2lDu2r6B7C4He0Qy18LPmC3k6D7EfOSPmevum+GFzJU/QcxE
7xcC9rlFktlCSWL0PEinkAr1LxoE1UeRKi3B/HOQv0YPVO2ZN/fMd0Ku1aj+Igr/kpwts59e/bIhQtEIDTXlmI9IpcbkTNvOs7AD40ARCwuTpW0cJ1bY+0QOpfeX7fph0rL0rj/w0eVihahWAOYGx5ntqByDoWEVW5ZMBa4hFUv1I9KiLWaTxsLPQkxzNE3HnWnrfefv7joMDVNJuw6zgmerW3lPqahIbibX+SR6etvEeMWK8Acw9qGg2aT86WXoCfkEvymNAb0hM4BW3mHTPeZ0i0OA9gtGK+3M/w98b/v9a1Qmky1WrnP2r8GXdObXaP9pM/LC6ptajddBzi1RyXcKTWoDj3WnVKi7NTGXFdK1RACirne4jeSUAHadtlFerNo+JsPbwXx0WsCgElIEYW5JFLJ7zTUgJbMvuwHNBuO+eSwRmt3YTp7BXcS9bgX3EfY2vDPgLIVt4ugLHtZT05xwSlWm0ii5Hdz5f57z0uASkoRURwz0k17wcAXiIBDUs2Ikw6Wg5mQy41M2R1s0K+syoPxiS/na4wzYnzJqE+2KYP4DYynhInG2PZAhn8Mtgl/wo3byVATHfwbTvHFT8dVoKNrP/6GxS1635Ypn1L25CbDy2F5ilgQaoxiHP2lbjei9iRu2Ft+Ba8JJfVibTijgpTcXD0ntcaZKM8JWPYkrihTTQ+pvbzjQ+/rbDStwII2pKYGu3gZbOTgexEwVVVOiqmtoP2wtAYs26vu+ffgoTS+3h5meJi8+GaqqpvhHcywbZSsuCzVKuTTMiUZ1PZ5l0kxyowBmbNGiDX50lDhnZ+lqiiXQWrI3kJCjTxdfa9nKnVpD+lOJXzL5RWUoRaoTUSnBr1TwUBxn3zToTbh5b6NE4OuEFlFXX+yk3dL7CLQovfb5UPh9VsdPK/kctiupws6g6747mCn3C7WsCZi68//fk37x8Sa9oyL/He8I/kXXK27xhrKhgFpI0cQd7cZ0JyKIvKaZntELnHJVm3efR97D6B7YUb9AsCuzEEtB1J4jMPq7qFbULPobqhTCyNVhg1b+MzftsamKzM8aSHttAhzhHTLTIxm7lfdv4eVpsTJc0k45tw1kgmg2v0JG+FtUAsFhMHbqdvCzpujD174NcM+T4/6xWKqmnLZ9c3uP1ihbFTf4fVact2YY3v6+toIIjDu8TtOgDRyJU786r4n47in1Ftw2V3jHfu8l/n8lLz3kuZpaNxA/LS9UPTrcHsW16u9A/ohfPk99/P5KbI0lLx1YmLoPdiOyPk0QE/CxB8iJwtW3MSN1KVZ5+xlvx3VDQXaXl3Y68eW3vg+4qlxrD/pFibnpzdqsqn8czdosg6xl7LcaLQTcuLrM0O/U+E/2K/NIoJ6+xs/fBPccdPGdpWbynaPUSMFGM8Z5R+UlSJLqjmdikEVoG/KwCWpBR0RBAakydofZWtD+6qqX3niJJXTMNr6Qu72+fLF+cWuDk1Cy1jvURiryz5woOCtayE3kRaPJDmXllzyuaQoLEaOaK10zua1Twbyyx3Si1Z3U9jVEf/TIdK7y3jKShU5OO9/+0i4ZKIpwYmzMMjW/XxCnp5d06oW8JpceIeIB4vSexL3i2Bk7uixTXRObZ6WOGbcXDmV+wC87lCK13Njvg9PwwdurvaEXK3m8znofCPs4iz73I8FBBxQO11oMAslSnd6vK0+Mml0K/R+BM/CMPYepPLTD17HeNY14zg/jZeR3Do6z1RVF0fOu8JdCblXOMbV+/dMM/3OoaMk1qfOcNyMKhs2ZqUFtfSBssb6mHfSUmnsPODkeovfyJQ4qssV1Q+ToTfsqu+kKw0PkSNipDXyUydEKXlHWdtPOa7cOhF0VDtGye9aBVXvl0Le1kw+1FoDNclzg42ltkmlOHf+KMrFg5kdbvGpuia8fDH+frmXtTkGhg6jT4PGx/4uOCziV7d9xzJP3xsc8tPh3L1DnjMuVZMqxtmrIzHz5HfKSdKUToeBR/anxIBzd2bcO
hJvhHByj5iGMTBm1ghy5tYnTJVg3JFom/3GLQsuS7hOzADBjT1M87ynbMGF0RTTLRJT0BjfrKjmAjN4Ih48H3+Xc0KRid+530YpkxnOoZr65kIPpBGH1cnTLp+zBm3qUHTrJcyAZUFF2CTEtx2eno0UGXo31/A9zp1Q4pWvLskr+Kr8t92HlEtDSrCUi4iTYaoa2/vdCGlKHD03s/XY0i6PDfEYf0gtVLXIls3zhpQwoyEEFDpftjH8kK3ptOIlaEHXWMhlVXhcydPIjXQfoNUdfg2ztgrc++qN5bbBxowkStjGNhg2bLrvdU0axer5dxhNjWkGWcVUVbn7lOcYnXjohPeSfWutlrz0/rO2i1wFZjQRqlTs8EDj3b1lv3Cx0RpZPy8vrhpc15j09DCyvl09r6z/Q00P9DsdTN7/VtMQgInfrprna5x7ignFfucvL87J+UCh6qORrWttqC7Zj0HCwq6uGnae1JC+iz8s5FbHlXsvIoqpKnNXfA0q7naVjoALcbiMqEeL9N0SfMjgCJXnPRdwKB32CbRdPITPedmFckaceFVqq3FQBp7g5U+n5HV0103OZ6qd7n3xyXfPaQNRmKxxDazpexF86tcUYuWtbRemfYkbR3CERL3i5bZDpKuupEvKBR0GMkjnCidYXzkDrUcmLfg7dIivP13cLRgrVWgA5QOwA5JCuoHh88mIRORVMW3Kcp3cP8OrImkdUA9uY+CwRud7vVTpIWquEnY52CmxK0xzjIIEbvrZq77nKm1KbrvKuk1ftIBRbLDdpmLDi5JNeGE/kT5LLDUHl0ezyk8+n5GnoVbicyOcrjzlAgs4MA/s7LpWxn3zGflu6GiQu1GYK6lWcssQMsAabGax3IY+MmmT0SO44HbTQk/aKvf3oTTpLcwpW5NPo+aa4FNNH6IoPyy8xWIuSUW5nGlawd50jJpqnNqbv0/ClnJ5gcuS96r0ydGbtoC9rLMIUuQG7QtTBRwjcllI233j3sOK/NpINCXfqRIEecrlcvLtc8IVe06m7v/A/R+VVKwNN5Nv4/FFy+piJuhgcn5qHWpbwz+5ILgo+rpQTq7b4VdqtrdRg1VZMfV/nQY82zYIBrQ7yFGEllVaubuD2ed3v1MN5KNPAP7228/vfn/z4ezbb33O7ZJqykfP5Erpq5QlyzdesN/bBfsRtlEnGJWplYhQs5O2S0n3HFDmnot1BhNmpjRIw1lKAdJzJWXAuErvBYnEB1IBLVaUD4cT39s7gL3PUwN11yd1ibppppkuhZ2WxurUle9Yr53NIdZ/S5O9o23NRz4n6aHFLpvBYAOVJhSbbOpeQr2LAzHjo46mltRsjthDSY12I4qQuVveExfKB/cTvLvjwiEf9P8Pw1U3KrOf/PcgR6zs+egDInuRfJDD0cZx9+Gn1BGStrZ2tmeXPrVdRnubZYd9Mp+h221wcm+OTLctq/kx4mFY9DWjXDhet81cLoLMOD/t17ZhJy5nDlqYR1oYjGcVtjnXhVMRD6DnkMRrTLcO1UcnqqoaueuJGmAnD2vcdF/s3sO1/TvEdeoON3OYZn1f3C6pLP9dxaNmG9wstfwQyXBv7IYLbyFnGlNzxlWyLNFjWfCI/YpqOQw6PHbUjazqQuUSxpfv312Q37wfdZOUGkfky1FTCS7/4y350oAe6d3aCFlo2O3UmTe5oecQXZMPbdFZNK2r09JZwoe0D1SlHiPggNYHOY5ugmojwbF7wy3TD2igguoqw245sBncC7ROWIDcAW3KZFNpt2Cm7Xa1BbqkdlcrvC/cKUi2qKhOVVbSwV3XdDC++N7RJ8oG6VRJYBaL5GeBwSxtAVUHeDbHVksZwKrpHxmg1jT5JAzfcSr58cKge8FTPzihc1sFTvVMjrQsKMPBKOnLTxxsIxMa7z3A03m9/Ele20Xy953JglldlCZp3/UedAf5sMjTLQAvBU0uMWQBcs5lwqLIIegcudGymBVmxS1LLj9kMRNqZWiVPnelD
1vaZT7oGaIuTBZc5hQnXNagq+k6WcL7AHbNrvIAX1KR46zwuqi1sqpIH5JC6MufCvQ4poctst1NoeZFmYPZDnD6/Dcmi4peF9amchtsA3YnWkCGR6HiMhPSXOZDuhamEFNRpA6LbsH+PiPw5J3Be7BT90Lsw05d1duH/XNG2K8ywv6XjLD/R0bYf80D26pa0CnkECkd9PTmmSyqRqDyPV1neCdb4PVVBr2kagSfV3Ue7dtpmVTMUychBcg8h1Ji4AtL7xuRhfEJiRl20GiWx5p0gPNYk2ZtmjrDLFImu7LqLKaqVdaZHnCdQYRYZZ1hlgs2mjVZgDeSX0sqlQGW4RAuXzmuZHoUlq9UbRdAywxuNVXVBRMZfNgOcIYgCcLV07VN7xZ1kE0WyHVTZIhpMM0tZ1RkKCAyBZ2DZOuEWVd92JKK9Z9QTnPgvSywDWgWyL4dTB6sfWJtFujTeb18lccHbYopt3/N0miMmSLtrLgdwFolF9UmyzVHqMB0+io34338yWZt9QCDXXg/f3rniAeOal8W4L6bfLoOcj3YMy4ghw1jilmOTeSzlMXZ24Bz6Aam4DUmKRZZRB2vlz+VxtaDZv6JYBvNssAWfAY5zBiDjuYKSp6sYHQbNpd5TkmlykaAYSoHtwNwPs8gm1RtVtQmnfnfgx7LIE8CWMOcG6tpek/IBnYGjU9DnYvVOhuvDXYi15nkq8/M90c8A3SrgVYZFElfCpQL7XzK9WqhuCn8hNn00NdU0ywHvBwphE0Beenn26eGy42lMvmc49LYaaNTDQtsoYKfFZQDapMc1/R6dFuTnBosTm6YpR92fWingX0w57QsU98BXqYOq7atgzK8RbwqmFaqytKVyAHOYKbxqsiTHBk6HuVgc32VvD1TbdK3LOW1qTVPDFRQy22TPPtMcAnpWuxsoJqkE3U6uFh8m96tJZTvelrMhEr+nHfAM6T8O5s3udRxQDNIHGdDZ0A1eW6CUPMsR1fOs1zgWunUAqyaNvMc16zihuUQC5XJcmBzzIGQYLG5UnK4yWW4bwCdOuPPQ02djidXq9QWSJaKMuUHQCe3RFV6zUhpPi8i87juDXclQad/s+rCD+VNDjbpZOoNWD/iNcshy1C4GWbipBYGAWxqaVAX3pGUHF1qjPuwYItUdf4D0HBd8+SBgBp0NddU2kHP3RSQV1kAp396fSeyT592poAmAKzVvKCmTjgwoA9a09RQNVCRQ7/TwJAPvutoJuDpmewgp23h2oOsdJkB4/SOTJPBN2y8bzhDPoCB1IkAfuBxBuPEwJf0ByDWoDUZ1AymlOHzDILX1Km9bEazHPdAszK5Im00i3XFTQDYphux1YfZmORdNZdMpi6UiE6LvS9Q36QzNfl2btMfKw80fUSvm+mZGu66Tt6ttSmnWfLQGy0yvIWNAV2UPHXVe5axFW1kKAcbLDOWVqm9wcuCS2PpLINmsOTa5lDDl7XM0LrJKt3IlG7WWFu0SEfRN41V5EMjyWDpLnsk47C8z1TwkpxoKLklJ1SXoZuhwfbvcXT85KyMXBqbEIpgcIg+wf4GTAkSK9Xp8iG4zMe5s6oWag2DwYI38m+mmmRNvW95xhwPvc8I551pmMM1qehuo4VNLFbOm91hINmRFNzgcIZ29bD12ECJmKaulbZk2HiUkNWCWsItqTXMxo7CPdJy7zKEIsb4YHV0KBAuQ2f3kb7QgsvcE/l7qLrV+ngaYtUc7AL0ZPN9s1DN4EUjRMISdDeOyCpSU22AvANLcSK4v6u0Y8HTt2puXlz4stdn5DSM+HpO7CIypQibAX+AMPoY0ZbkPdjfuZVg4vs8PNRZmDfDkd3dLcLFPbEGqGaLCZc8ih/O3D1Cf+0d8YmzMDAZ4oWgjcRZv/MG57i2TdzjDdx3+rXvoSl/O+6Opq4Jd5hfPGLsu40oEtY03a7zKi5LPsK1xVsx5i44xjTqEYG0GVz3HidUSzEy8RK752YcB479cw1YouFLA8bua
dp9eLby3Xvle5UBx/L4Vb3E3vVIdXmn2+6UfTh5jDA2tvV37NBuXkcpTzn7/+b5hm6x89NWKODa8bOBVkO6JN47HmH3uEypAeLTtTtsyOBWdbsUfvEw+MpuFHyHudK+fX2UjYRQQwwAjjuj++dVaSoNZUcY7zvoMO2Xlqj2bg4NazROQNuHdA264l7dOBbSmyX9YA6+5ALmQAQsQRBqDJ9Lv3Gbef3xo48tmR9QfuP6e0769EEmPTvMGsm/NLA7JpHGL18P38M6Jh42BaXVaHjpLyRTUgLmVpAVt4sxQUFIpDKk09g1HFRedGfTwrET5Un3RAk154wK4jAYMX0Qi4fFDpcaGdP4cLyrF2sTR6+XzrZSO1mtqR94Kjg1xUJltwm8EdeZazhLZTPUyEnF/gieeD8A4i+NwxbftDCIhQmgevJGGOUM8a37dorBcvJr+MWEvJHr7l8D6BZteSMtoeWEqapuLOi4GM7ixneE5TPPvtndC5yxuLUh3P6zefn9D391tu9pbztajn0TRTuc0yJtxOy2jhu6Bk3+pfPJmRcBDUQufutT1//kP/Nyg/PWqd+7HwcmL98k257sDkxx60zI+98+njnaQYN3nqC/tOSGaaipZGunVQb1TOzmghDk0HPy8d1rci7tjy+fk/P3p2f/+Zp8Opf21U/k6WqxJhK4XYAmbKFMGJWmtAZm8Vs/vPpf/+3ZkyhHwC4yyrhdfqBMnVQ0Po7HZD59d7zml/4snrdIxa94+biQ7sumGzA/sGHcrR/4GL47iunGOvnMtW2oIG/fvI8i+6eSkM+XddjJ+D9KwiTOW4fuVyNCkZCbhSduwWN8g/fsw5xaWNEHGJGOp/uCvClLjX5af8pj6HRPL6vqQ+Oc942FnJ+8u/Cv0mh4rKLmiNGPLaeS11TD203OLxwqI94vx8MDJ0Ek4aFbe5yHrSZW+OlaxxUQPXRpWXL3ZSo2AdveLP/4O3fEA+BMQrzgKtzw0+0jMEBlk2udRa+77ZNGyfuA4YXSthPJA6FbYoANN4Db9c2S1xyZ954eLuftY9KS9W6M8RJiduOxvLgBO7R8qTGKcadyer/RQMchTi5rKucw6UwnpuSMzxsNJZmuESbIErOG4nKmPrD1wKBodERbji46y9DvQCTU/fslXMkdABoqZaEImd3p84zSs7aUpqCFT8XPALq2Og/wWYYjMctQLSxyXIdc/U/qDEylZdF64vKp5bsWvKNjsrta35nwABrsmV2AlmDJx3UNz8mn9hl7iw6wH8lF6wAbvAS/jWlq7aieIygTI6Zxi3Twiz8nVIioMlFvvogJblRjYt4StHsDubSKGIuPOZfk0/moQGGYIJtNXiUX2Q6oqjOMfXOANZjUGb0ObIYSF/8ipk5FR397Bmz9aIVCgJwnnxSJODvlI6MWOqKBepWHil4ARhKG6QQzQskvSq+oLodzugl5M8dkL02ou/HXmEs3BbsCkHHVM3HXxLvGuJWloh+q88gQbBmPmREDCrkMea6YllBx68RSGLERJ3EpqDxGHP8WDso2QaTnohwQuO2y3ERSls6CnaMBu/3ypI5UAsMuBMt0/eBuF7Gn2nLWCKoJ9osmLRJPz65fv1VzNZvFp78DK+wCsm/vFrIf3YL+NvbwPnN4O3TfNHYB0oZk8VG0TZOyc8LtEnr8kuOofzKgRxFWjWXquJwOS44jfNkwBsaM4Iydxw9rjnZY4gniRZyKO1d6TSKFCQPcjiGctnCEHRydVMIAn6mVdO+Kk1sx5bD7IRkoSttULdP1oxt5NynxXUuxZkBwKDt6gh9mRx/mkhhum4j8JFhcAEFEB6gLaggtVe1eF7sArolayc2WecZZeq2kqkbyanEmh+G+Rf1xlQin3HNZOvmjtOkYQMkvXAB5ExCbDNhwG2ev7Ajzd3I0Ybyj/0HSFUZZcBmyFtJyIUZjhBEp693vwQifr3cZ6jVSc2I8IXSqclYPRIifwoIuuWpQu2SqqrWq+EiGI
hwbuTNJpwKLyGbkZD9uXC47sZMRyV0Mt7ROEkVgC8Okw2UOQDCyfodf7t3tvbKb+zZ67DZllo20u+VsqTX6EsvAC3aIWX8rLQjf4zlI0Jy1JCFDMNFvN7WA2wU+tbHZbiQgO2E/TIzV48HPlqZD2m49GE0v99MU1Au/Vka6oqZpZ4RbXoFxct1rexpqGA0ihV1I1hTixo3AxoP33AZ9y6N1SO/uBztaP96Oph8Kk2zI6a1JCw7jmygc0IYUbwTCLYTB10vdyxup00fdO3/RktCmb965ZL1UjyNAbpDjnQD5eo/jjzdvWarRBsfZstvJR31UCZLyjt1Cfhz1OKakbXAYO6UeS9B2/NTJK3cauygqsAv1AFESuuVJJh6N8LXRDcdeSlpl9Trtiep8UCL4ax0ie85lJk/If05+/v578vTt6ZuLZ+SUG8vlvOFmASWWwkdxEWqusvcF2hcJw2zZmccjbDN+cSRjTKvMXsV99Z9uV2MYdDcGPfLJhj7f5bowTPvv6n57jj/EKRYzpTLWJn2TKUZFqu50O4R8oCVvjF+BKE0Mr7ig2osnJzbdHWL4rsfLq/CeG14es9NIP1P+kzsIrRdxpy/m5pLnq7N4I/fddQxrhErDnv83OInwk8FZCI4b6JVllHFXptI5EwMGIRtktdJzKvmfe7KqZb6jcFtmH8Dp/pkaYfeM62gtaaauP7+45fC18C2+fO+irazmX4EKu2BUA6k1lKrikkYL7nri6YJaDtKaG9PjBT0mtW/pgxLrWz9CnenguqvzxAmummqLzZA2pO4Xq0dsdhSEzW0k6gxK0NRCWSRLKttzPpzw+aVdsQueXWi15GXXPCx8j9a1CJrq4GCE5j/uWdvWaeMKzoZIXh6Jym7J0OvPrkfIjA4PxczJJffR88Wu4j7SAq5TOlMOBb+r5gnXqDP1ftSrhJ5HCPU6Kmqs1BBjlfYS30GrwFJc7Ql+a+K+9SROfcXLUsDxpNw7XO+2ci6yvT25d5Cca8djHIfci7Bar8OQXLfR2eekFtRtmXuflSYgmV7XY15+TIU8gj15iww63dmWvypjyTvKFlyOmHQlzSQ5vtnl9SeJmf61Bic+nH7km5yZCXlb0pp8xn94/ahU0ted/nP4eJIFXYLTnARQTb40oNcEexCaWkkDrUYVL0519Bb4m+PIy9ADjznImrddIKUn3/flG8ezJekIqG4O0IfQHPW2mOKUp7wOs90z3raW3mpi5GzD8PByQ3QjZdSONc+7l8dHnn0bqZEauwCxCBZm/o2gZMVlqVaGmBoYn3HmPnkeqxMMebLDC+LI8/hucm7IU+wIC5JtniEMXT7rcYs0Et/xtzCnbE0+me3Gt10EttotpE2eXetWOILBPvLa900tRAVr1fCQuRdxwPGuD0Ck+n+r0hTLeYbs2yY7v0I91p3Xq9cRipHC6EELvzmA2OPk9Y6RGjJ8g+u9lXVnSPp4F9AhNcdx2HUBg+292SRk+m0Y7FC8IcXNxc9YNpByJOBohRuSXMKMy+CrR+GEXf0qWo80HUTsDioUy4TbxgGzo/6lFoydzzY37aGX0khvys6HbS1li+rILfA3qyLDycA66m9HliEvUy7TTRBLejccyVhUmPfxjAipftkObotvo70p749M7RxgnfftuwHrmur2TLk/P9+QslrwQSt14m6Hs2V98vutyLPJZ5b4thZKr/Nt+N9MTeW/3dgxpkVku4t6q57HnibHlr+9QOg30PZgKtGAqrbf+n6qRk9BAdJqVR8iOkrVTAfOhVud8bCms7bhhnIExNFXdxz3Hp6oqqZy3d1HvHY4Tt/bK0vQ7hkquJypuFJAzVXuGqEb5MeOFdlitoK8XdFnX3LlCPzSCLEm/9FQwWccSnKKdc/eORhFZQXTgil1xR8o6P47TIlff2M/UzGmzSfvNrsJh9eNRZX7wBGmN9/1D90SYcpOcEd7n/yEfFzXnvSN58Axx+/g+OZpmBVJm8nuoO1w8I4I/
cTE2tbuInMMV12nXG5j5z2LtdKttx9DzB/ejmx5r1dO4uPU8qLOO4doDyvcyjd67ls0tVKZNJFtpNw6bj9ITW3cNclkQU3KaH8PsA7l9IkhN1ok3OYe1IS70hmjRaNTeUN6MA3ogs7T2ZQb0Mmfp23QSdMft0GHU59BsMC1BYmqVXrjxMFPdpo7RW+hYSdVJrVG5Zc4Ri3hlsz9iMuievUi/PdJQOFF+I+Q1xRz+1MBOp6dF8h5wOi5J6YfPEePa2/U2oCcMgxEcyYVlzPQeiTuOqT7KHT1Ff8bWR91zx4BybYv8ay3DZErhWFtlfVKRZY42vE783F7d+w+Ygax7v/pHzBM0Bof+MnrBejj+COczh4ynp6e4OjHZ+QE14+jBtoeqVnKCJ9PQIfhn7CVhbmnOS9kDR33GNnbcLfoE9PrFL13p/mfh3ol794aJb7b5JL/GffW8KtMMuX8H2dEwlxZ7jewXlAzMgHKsGO3FeptpV98fLig2+psE6AGCS47Z6xtnN7W38QTUgyfH6OiYru/UTf18OPooGUnTbgxTXKlEyFjslQ+b939YiiIIWid1Qc62JS+9Dxzi5NLDE7vk05HyZDoOoOHKPLTS0zt3P8Y9aTnYUjeXXruwXFchBojimXOF303pBoc2VFkysIdPdokb9NocgHmVxAs6kzNDb7ZjCvpP0goW38iBuN1SpPzyzf/eHdBLtw7RX6TI9NXNthmqqQ+BNuPKxXHFsUQWwC7Mgc5kW8nhPP2IIsNnev6dXYtwjANNIwg3EjBPVouaD5oCvkASq7Ho+sKMmo0IM6W2uZoEz77WC6p4KU/iBEkdgXh0bpa7xOEyLErWJtdsZ3o5LcJpIlhL6ytTcFxBm0W0LiVORjC6CO4TXwu28oXpbld33CjmKqqrH3ibom3xyM4hOIl+CuuQexamqldLCtBZWHMQw28dSt7Gf57oLat0Ypi60uNi1rxY6RVxxD2GBDEAJGKWwPIVragUg4aZ+RuNxVWRURGYrZHatvcPSxh5uHvb9+8D+/ei53luwfFKr3r+0/es42bq2KpRJOLAW/aOc4yzLnpJmO343wbya0hTz0S5hl268DC3nai7g54gkhHqRFNJmn2NuD6SXIb0gUm20UHS9CYKTBrBGFKMqitM5Qv/R6OtFdYrXJKX894Z7C3I7QdorXSlijH31///U0sBTfK9tTnTun58RMsdwsMtlysU+qbnUQbxfz97LeL8wvyjl5XXJbdWO/4tjrajp6GuTVEcYSsQMaAun1kdepTvGQxeXq2r3IsZscr2HzoIvyW5Oxqx5azLEjl89PQpTdgsRdDcbxNeeBeAS3F1X/5uuGuMEeWQ00y9e1Gf4kzoR8ouzGMq0YrvgvqVr649zkxTSRFnRryN2O1kvN/mwrKrgQ3Fsq/vQh/e959yuUMWPyjGdewoiKqyNCp6P2GUFkSo8jIsdQw58bqtbPsjyksamoXoVl/hwPZxWGAJDqljoWmL4T29VpM6V4X8k6f7DAHafX6L/83AAD///txuRw=" } diff --git a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml +++ b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index a24efe82454..2208d0242c8 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md @@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-08 15:21:25.823167 +0000 UTC. +at 2020-07-08 16:42:07.635906 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/fields.go b/x-pack/filebeat/module/zscaler/fields.go index bc9b6632312..3dfbb284165 100644 --- a/x-pack/filebeat/module/zscaler/fields.go 
+++ b/x-pack/filebeat/module/zscaler/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetZscaler returns asset data. // This is the base64 encoded gzipped contents of module/zscaler. func AssetZscaler() string { - return "eJzsfV2TGzeS4Pv8CpwfzpJDbo3lj73Rzc5Fb3d73DeS3KuW7I2NiagAq5Ik3CigDKDIpn79BRKoD1ahSBaqKFl7qweFRDKRiQSQyEzkx9fkAXYvyQedUg7qT4QYZji8JP/pPiBv7u//REgGOlWsMEyKl+RvfyKEVBBkyYBn+uJPxP/rJX5r/3xNBM3hJRFgtlI9XDBhQC1pChf28/pnhJhdAS8tHVupstbnGSxpyU2CA78kS8o17H3dI6r684bmQOSSmDVU6EmNnmzXoAC/M4oulywla6rJAkAQudCgNpBd9GahNO2RvFKyLE4nuMugZnCkTVC+N4kwjtAwzUC5Xu19PszcHgffrZm2vyNMk1JDRowkKS1M6Xml6JbkoDVd2f9TQ1KZg7akS/t9Z2hCXskVuYZUZritAqS6sViXqGGCK0jYgDCJJX40qEc6mUeeMRo5k0phQBhtdxwT2lBhKkQ6SIVheZiEjJruF338zGG1gxBqyHbN0jWhRIPWTAqyZkYTSt6A+ZUZAVpXq3DRW6J6OnotS54RARtQZAH1+hdUaSCvwVBLGiVLJfMWqiev5Eo/v6PpAxj9tDf8NVOQGr57Roynm5K34A6Y22miReZFkFUcNsCDvOJSdPf6Hq+uoVCQUuNxZbBkAjIiBUfEhi44kJwWYby5XiUjtuaBdXrtz8zt9TdkQ3npTw/LQBi2ZH4PwSNNDeFy5XiuesxE+pkd3q84/s6ytKDKsLTkVCG8X5yLwdXtDR212qHV7Y08vNqDTN/MzfUX/831w1y3WGNZPu2QycVvCZLaZfxHxL+hYfFyduQKtCxVGn0XTZ96/EmbhlsbaiAHYT4NelpmzCQpp53z8NEIAGHU7tOgXltN4NOgZmII9Xlv8uqcfcoVz4CGz9p5p74EyMbpyQM3asgeaP2wMrUsvt4N2LuepmmZnRuwN/oRLXOYTx2jdDY+iZYtGmSQY0hvIjMxiAR4NJpB6TxKWSnY7yU0SpiqZ+g/2u0bLldSpFZYUiP/6NbLwLHfsKmCp82/KzsQW7KUtk+dNbRvrElM7lHQkVJkoKyKqsALjN7kluwRMqLB2EH2gPdx6GGFtmJzb+zJCm3N5t7Qo9je95zEWPpxm6tH+YhZj5vlWupoPaq9t36S2rRFFe/uKg0iY2JVfalDS9+y5j8fDrLwJul9PMi627vNd4RmmbIya+hQdtnXm5+Rnyv7Nj9MZ+AP//8y0HJrjhPcPb3OpdH2W2SEkhXbgKjdFZ/vpWpZNGTBnlerzj6NMvR5eHEHDV5Z7BIFv0etV/tpAhcJZ7bYIR9v3ODkDrf7M+/9M5S82xVAUto/yQsgwMwaFHl/K8w3PxCpyI9cUvPtC7KgGndC5dhfslWpUBU6MrOwgvcZzwwfWaYYRTPYrhZ6JeOdJYfssmrsz954lWpLVTZBjWnJjtbE2ry6vftlT8OhRAGn3WUhRO+0gdxfOZ4wO9oa3H7Sjj32/1KxFROUVzD7t/eRmcZrHAceOG/vfvkhMElPYG+u0ydZU9Tn4xySvNlsfVUpVpKvgWagZnoZ+wkHI7fXU15oHEXthxocJu6d5g/thOFpMoMfhlaKx22jeOBmtwr3leQcUiPV5ygILX/O8rJu9w3TJHXMgczSsqeavZLdS54cYOUf0BLJ08XHU85yqTF4JJeCLHa9ZSFEwe8laGMH1Cwv+M6vhP2xFbgEaLommmVAnvyZmLUqyYvvv39KtlQTDSBqLAfm+pHUtRPmqgspNJxvsukfaGVTWQpT26tlvnDCxx44HRyBPKELuYHWdJkIRhtVYkYbBTQf3OXpH2jpPzEzIGN
lV6s5jRVfhDSp2mhlS8LMP8sXf/7mL9oJz+cFiqqKrH/26P2ntVNe0R0o8oLciJQWuuTOx21NnVESNDT6RDd0IFYphOXbF+Rf7XSfkW+/Jf9KUqms/oiz8Eifkf/Jzf+2P2Sa7DPli+AiCZnBJ7TBxBaSlHK+oOnDVJ3PoRfS4OamxunKlhEgskIyYVDdNhAO3MMFTkApGR0r0mhAuoCUUY40IS3aSGW1RbFzt7D9YkM5y9zyhdASspSlyKy05oDkMbHyysLRYKD9fdsbeY63E79pD7joB/i845JmH+/O8AiJZh+A5GAUSwO6sjfR2j9GG81djpW4s5ckNY0OJ5fVwlyQn+TWMr9vCzFBpLImhJHkAaA4wpaPdHt8JmxRMgWtkw3Lkiz+HeqmkgArEKCowaOYWR617JUNU6ak3JqLez5SETCfWc6swYcvgDhdR6c/kLfXRFm5qNFYR7ZQtQJT/+zoXLWKDqn45HN10TCH56oiHet9EXt7XfnX3kIuDZB7vytTBXgtLXZDIsn+qZzen4GT22NKdMHZtBfZP7SpqFlPlf1YYYPsQ1z8WNu2R3nqd2S1Nypt2ovj/xpvLu6YLxk/y9uiHdcq7XdXl3den0upsAxgeSFVV4sjeKF8dg+05ccynt87sY9GHpqFIYfYvplYNiCNMejufbT6LsiL738gW+RsDlQQynnYDkXnK6oNjX+BbEGBG5YawoFqQ6ToBCvvs+kjKEafN5sC5y3uIctz51epMmQNRkVAuhaSy9Wu+6yxZKqnmRHyPUnXVNHUODbZo7dDCtG5KUgpfMQA3/NtDmYwxSSruSfGaS7bA+85qOvmVnWSonLaKrodlB8oxTrKEk1RD3MeYeFtVpmmpapG1IaKjKqMCKlyytmHULSdVHmQA5l/gT3ABFkueiJ8FBsaump0zzlbAs4pYCBqSKXIBhTDZskSbaZZ4gdIZiKVecHBBBdx0N1FUfE0inVETivvQJmzbbd7O3pw0w1tuP39M7hJcinM+mRWN1k9p7+aN9EM2dnYcyOyczDHDvlBiukZnQeEiB2/Un5cSNq7Lpd6B3rC6bgkBh6N38hkA0q3gn2zQzEbgTU6vug7oKeT2iRVpFJlkE2R3v653AtXXY9Z3W/Vm3n9w/YbXF/GKplf4KglJv7pFARVTDrFLy+5YV8bBorQouBVBHWTCZ5TQVehpCRCODqmK5vBEeVo1YSZLzWRW+G89obmRdfT4im22CyJ/X1uNEnXzOq/MgN9QV6X2qAi3R7U7n9qBuLRqIHBZTh43JdLS9kG5rmDcaGqId38FSxBgUjdolKrfGVswzJ7p+Kaho/9fXXs33UYEJ7GY8HUjHNouO781I92vzDDd2462ooIqwtYtLiNDvuLRi3NoMH8zEqn+vRf9AatAzRkOf405z014DhMzaXx2w51iN9LKGdcNLtT3Ho18mJLNUE02cAKIfpvxk991IWzN+2oc7rKTZRkX+Vx+IokCl2RxGkqxbgjsg/2IgIu6sZrSZlzqb4dtTcog3oCc5RMGj6wx85bjOuuES+dDMQYY5GmPbXnNEVFl3y6O3ZAO5SlSWUOzx2WWmXDaDa57K0VFX4ae6rvwFJZk5yZaaGvB0ivxvcJAS1/6CHDb2qqQq92ipPUdSyuHQ39sQWkbMkaZTCsLTgn51Der9c95ni5DjCxdgewrAn4rEzRzDsfg5R5lX4+Rv6ybyO0NVypyM/3PqSI6erRqWshI/6Ky0NZD7qQmo06hCftADQEROaqAmAoYnVKBvO5S26SKYnsI4+1KHNQLB17roPUzxLRfoD0dlR7vUPdEXcnqUf8BkQmlQ8lOki7XPx2lizp6nFBLn6DNKzjW9Rz5En1WGblzWHUTvJNq9XxRX/r+6w2f2S9JbymdeSUkIZQsvZZmeHwIC5XSfXseCYhV22I0UJunuzbPUnxd3zixtpueBTD6p3kLN1N36cHztgdovBF5gTfDcipkk+L3Qoz4W3JAVGHxYs
UBh6n6zs1ylvhLO+mAhLNMm3/wquA8gplKB34yJWSrqlYQSJgO/1cDTm/Ydt6uMHL0RjFFqWB1mnrR/NpR5zV5toiPXwMdUFHiIZ69pxNKIFzaOKolHdfbR26tm4QMCUw7tpOuiqaopu3crUBdUHuwTG21KAu6Aqw1J2PmFtKVdHQG7saxul1KcITB9/KgJSKLJTc2u+qT70e41TrwVptt9kdVWa8KV+Djrcj/e6VvdyI+Xav5FmtdJxr88oCvMs6/ga5FIRyUKZ+d1XNsP4z55r1R7GVbIbPswGFKiNCiq8VFIDa6qHXKFQc5xWyaamU3Zq1ToqrgTrCc+b8v5Vjs0f7lpm1V6ac7CPXiHCB8aGCSPH1Stp/H5CMeHkmAaVk0sxoyxn9HFFYMuSS2JNmGOgLct+cz26ZzHZMcixNVy6YvdRWUXVJD+6JMvPCyjOPkpSX2lTbxv+nx2oEYdquhs/M8daiVZvw2+Gr+Qy3stvpYevJJa1PUQe+PKY+WzquEQ+hWsuUobfGcjSo9yPTX7EHeEkoKdY7zVLKrZn38IwUCivSPiNg0i/DahZVNJw9MPLycvGriuZgQGlSUI11CjQm7rnMtFTmuZUIcu/xph+yCiY9qGg46Xk+XaO1DmcQ1E7YpTIvyv5ZiGI9JVsmMrn1kTepFCkU5ln9KjY43d5EliXnO/J7Sblz2mQyp0z48ylaiLgcEOVtb83p1/iByVll5BUTD5D5KNoqsIxqtNe9Amu/+aJGfsGyQ8znvTy/iWKjXafamYBdFBUBP9+fD/PPhfcJkft+qnP96AEqZ90S1dOdP35UpMftw8N62rej9bQl43Ocl5rsH3G8+kgoyMoUSOUBhrATQYNilCeBG2KC2LzHQSulqyvzW0LdytRBGwzSBz2QCDaHP8qPb4X3mup1vdutyhGIZi+thWlFUxVhWoezX1UjdUoVyA2oGs2FVqmFqv/fz0ogVr4JwjCeoBQpB6rsR1g2oyHNh7F7L42qUgSO+yedqCj7ueqfWEanMl8wUVeOa4ton4CgRsjrDVOlnt+70b5DEcWwl2Ou54jAxr1y47s6K8MeHqelz+B4q1ngPFy31+SNO9NPfEoccTX2fZKHxf70kPPrPL7Aluvr9hrZ4kOr6wPZt+P2fecuiMEReeGW2p66LdNhU2Ojd9PqJu6/kvikGnfJHfShCWckzbq2ln1X9dDk9vqoHnS6T+KIHmRRvxBZow9dkCsXre+rBXH3xWFdyP6Rav8X33zhHRSL0tRx/NLUwrkUHLSbu3QCdivJhipGF7wXMe4S2pggBacDR06D0BMzQPcWpa0GubEv7Km3t2YVi87sWt0/v73ramDEl1Rytt1QtsxgG4GTI+MbX6wjg9wKQ+7ZSlA8lgMbqZBqWvmmL3uywG6lu0qnkFhPBf9pUbVODe6FTAaW983P7wgTKS8zsKLBN2ax4Bfkyc0jzQsOL8mdMz7dsCjrLsI2KHrYz/DOgMZ8I2rDuJl+sOpcEPOIoO2Wc+aNF5VvmX448MBhFFutQE0pXB+e9i9tT6PHgprPWoFeS57ZNXZW00Cvjr3nqFmsuP57lJdhT966m/FpnVB4ex0OsDz5xcqa1snsb/PIWf8+j81MnE9Dl4uvLUIpMKNgieV6ZVamQ3q6V3nOFjvQpq2WLVJh5pWVcxUFA3Xlqcq2VJ0r1qJfK9HKIupFryVzoEjXEytyKHlN06qyV1hxssd5Zk1Wiq8r5UcdPtHOYohohKSA6oiYKG2oKU9XrGobnDJ+RtXSDr+Qj4Rlz4elrpX45Tw0WJzve6Ww3L6yeMIbvZK+k6vq9zbMdb+efowQZkKWp78ZtGI39SpiB1rpMM4M63l0vhsNOr0KyB7zLzm3p5XoMk1B62XJyY3FQFKZgbbMr4o0hXU8JjJ4HD0JzrQZ0h8mniYcGhVbVaFZgEKvfk4V4/hSG/APuLchsSIUGfG1hQ3SLqJWvOqtdzbNxY9PntSRKgUoXfiEBHe
metP2V0gTGFflOD8dCBp3JnZfmk9/dGy1kUPinZ3sfm2/pExokoGhjAdMp4UsTQtugHjJzxCTUnltaB03gJiGRbiBvOATXm0vq1aLVQuD1guSj1Kx2ssGFKc7DFM20ot18iSw9+0XaGl4aFhWeSzO56YNMyWW6iBB0hstrZ+UfPxgjPQKt2zLlI7HFnV2U5nndm/GLtiVgyesFU5UKLlhmbOwq7oCof6M9V0j00MO9PH29I+MN3d/2o5WCF87jwU+Mp9LflXjn1d+/SYXg3Zr9AT+r1x4l2V4pxZsSnmgawxKcutzf3dLbnsXbhvRhNo8PibzMI5Rgcd19sJqpIo/xib2UVRhNcsdqGQhs+kxx7247e6VVfWHtdgGrs91TO6Uc6PNknfTcrj4dA0XZlN7AdmKZbWLcsAYz8dryr0kmJNuhjFXdU1dUU4TkFW3obv3LouzcoPi49gjpGXbRnHP1gsIpRRUGb2HHspmMaSCnqJs36Cqo+HphjJO+w46UruHCMbDL0GpgWqEbj+GPVzz+XW96pf7hGDnpO/7t2S1by8GZADLk0WZZbsI+47lycg41RZkqWGokNhBWzQGRjE5KluqEzCd6HKeYDum27EmrpYKNpys46SbnHOPM1QcvIk3dEercX0dnoZ7pR7Phc2MFsHVLzfkiY/0+6XkVi9ZMI4BhvjSfPNYSG1/+ZR83TdjRNfL9yDkVuwpjhrSElPXNvujD3QNSOkshnY3AOSqyrR54wNcX8GKpjvyflCB5Wyh6HlSf/zQe2xiguSUiaW1jA4+UhVUYa+POTKq9lSEOxyYvJGZCzhqihu03rUDaMmR+xcfX+xU4zXK/bz6N7AlP5UC1efXMgNOnjCxufjqGWEyfUYW9i+wf1FB+U4zffFV2I9s0iJZctrrTjX+Bt7Xta7uCA6L9i5KlV1VQFguDyZtGTmRFvfpwlNSJUxpUHZDBVFu8rFyqIP7l9e/Wvv9nQu5+eqrX17/evn25quvXAzMhirKBvfGVqqHcQkZR7fyr9WQbR/toJlMxfjry8d2js0NrEUcTa0I3EWpi0upQGiWjjtQLXMyCmseY0UFPFungyVbysZ0Gm9CDlIZsaS4YcYnpOhyEb0NzCLTRo3PZMHcjVm6gT+bT5JWEXxTHAexwYlNSeDexeSDA5s4RR+faIdYskGDsZrMBOdE7GSCmauBiXQDLsPC4kA9hfGGjyXPa1Nv++M26omrvX2mjZC1vEse1UEyzrSEld/8EAVSzvIAu8f/lrb9xNSRT9XLNVbkeIrmc8C6P+brr0ogsXl8phgOu6SMW35VCYd3/vzdXrfjejF72qrABlaBxKHht/gqriexV3mQ4pjgHgzp8TGd1jIqRddW7eEXQ2m8U/G/gUfzdwjrLzV2PaTFTMV+T0X2bzLsWW2wG2pY+JRNxt8feg+9LnXBUiZHxEd8LNsC6dtSJfqutk9PnBZ5kch44XT/5vUd+dl5PJpwjDCq32d+frn/91fk9xLUQLWWkotEQbfqx9Qnn5brYkfeViG1wefdWk9LR4n/NpgcX6bNghUDxuMxOBNwr54AmcUUoqOcqjyKLxYwynihxaiw/xqszEZ0BtiDGpsLvAecUdO9vY9DLkCk65yq08PiashdQXutHE7wQdK097x5IlSyjuBrCsuxwZQ16HKFyaRRgHLxWxRcQSNq67nM14jFQKf/UE/Zw5CYq52DvW4jEIuEpli2MCaMzUJrMUpFb4EuVsXmO/Fo1hHSMhVJapS1UcZVpmrBW9ghb90JoBveawh9EiyIFROjAnf7wHExJSJZJnrLTBqxr0Wy5HKraR7zWtSGFmYzBT7Kj5WKhIlp25yJAlS+2I0IyelBF+lDLDg2R4sCLZJCSSOTGFccwm++S9BmjYHmE/Ybl6tkTOv/DmjMS2gqkpw+JsacrvDug9oV5hAlFnImohEzMQVxwXXCFzwZ7zzdg/7zJPCIekAt6PFZ6m3o8RHRbejvJ0GHG6ufCv0
vk6D/1yTov8RCG1lwuoC4rV7Dx6hKIslLjpf3Yhclzyrw4iFKjuclZ6u8iL297f1H+Wr8o5GHZXFCXMPvaYzuLRLtnkyjeKVVGqudWdBY7UzvdFlE1cdORR1mHancGWmsggGPUVvbSGOVpHhoVE8iwUvBHgUVUkOvbeZJ8JsfLO3RYmHzgyzMGmgWZQLJvEhSHmVDW9AolwZCKmyTFQerI2GLMonyT6SKGZZSHhX0pRO6ApHuRr0ptaEF5bsPkC3icG8STIaPhHVpPLGY3XN2JLy1kH+ItZB1smDmL5HJh6lOxtY27YAqGXGUdeTmRDhIVUwsnnaegBF1JVugYNbOGxCjfDtwvK4iwV3tmzEZmi3oJeMQp4voZBnHLrYcF4C8DxonabU1ggU8miTyGFkbONOm6BX5ORlaqzQSuuocFwUrV0kOGRsRjLkPzUQsx3OZlRx0KuNm7cHZKupUyEJvqRnZiaIFH4oJOBFUwYppo2iMpt1AR91UrpNi5JTVhDlrrCOiok+ni2pwSx4Fj41Fo644F3QUj3rK5bxdS6YTV+c5Bn5HFY1c8GwgrPI02I3rYDAekmlDu81aTwLUZlGq0wuJVnDgaq7FwZUR+GLu4SqWdDwgVu1ZxpRCH46YPgS1olk2ftVZNt45VyXQREkUliepkjKPzL6xoFFKEcuT2Ec4n7sTN93iISJZqNAxqcys0IVio8E4NcyUEe82nAkYk0rSwOmRtbhqSAx8jDFBuHQZzcmSywjhWINHhQBYTS9iv1uwqL1udcModBFeWy5XkUspVpHbrpBq/OHIF+UqbuvkTKdx2zXXkQsYV31GgMHUlwjIiFPsSgOMf5VycOMflMR2O15XiIwTqts1REBGyHup2CoJVGs7AXIrQMXIliKJ7CBYJCMrSDeAUW0cGvCoWeJJGr9JPWBMO02n9EegpFrbL5N0fXo8aw/Y9eUcDw8qX1m7uJdRfRrsNhI0Rsy5/KX37zuVPk8CVXKVUF2MKvnRBh7T5aGCU0B53M2jIEVqXbZqNHjMZC3s2ATdFqxUWRTWGBNNR1mf2lmfUZ5SDeNdpK6cbpQaoeH3GGaG0mBHwEUpLpqtog6mLsbbLVqlcSuv0iziqtUqDWX5ngQ6qiVTG6rUETmTm1SMD0IIVgw9DuaSLCOahq9MzCI4sBivUV0xcjzkrojIXC2zReSrdal4lFQqNagkY+PjNyMLk1Q+kThiTRrXLn+TMKENXUZJ0g1TJu4q3hQiKsXBSFWKs/RqvSyNJG9LQXqD117oSQXifqGcZeRKQcYMuaIq8zljB9rS+PpXk2Y6VAcSh3FNVzFiNpWchEJKam8vE1Nmf5MXXO6gVxDvKA+WshyRHn9qX9511VIHa4spWMEjyWk3dLfx6IlV2S27MgMZnGkssFGNr9utNHVZYIn6fqokIds1NYQZUrj2/GGiDz2ljikVEm7v7iqeV0gIE76SwUBmN2diegXsFjF2vDYlmhi5wiY7F83vXceIHvcEbEDVRZSMJAVVGshrMBQrDrtTUfdLI09eyZV+fueC+56Sa1/Gy7Un6Y2OacRvwReLRbIFeQPmV2YE6PBa9bdeJHuWWE643s04vJuOBqrS9QUTbMDgVXSeYggdYeN663Em4DmnpcDaqasy92XpD5RC6FQ+OED1HCnzNdV1oryv+Dqg0ltmJvP2QnY9t+zA5B08GtydQ0bBWRtQN0XijvSgxqzcSaWKMS9Xg6maAx9InT/07j2+NkTVSnZZjeskWNfCq99k980ih7XfGwTrGeiXQfrH1fE+oXN2Bo+319UhwtGHSraPfIgeuV3qFg7ucb/GR3p7tOamhzgXRaIuGF3TJpUr2BBkBSFUEw0g9vpkho0XRYWm6SzFVntZ4m5w4Rs41a21q27BB8gqQOXMXYTzkdUM6gq3sA3jsALfy4NqzVbCMb+pzD3Q1oAu5upWP7DkiOHAjlucsbXEYPuQ0DZvUTSUWxhX6aa6L1lWtbWtOyZhw8a
BQ0dIICan1toUDARJjVYgq0ZhjeCt+jtZHAMq7FaxAUfPjPgRyUDpwnPOv+6f2SOg9QC5lZ338Zirh3JGdbKWM2h3ne6YWBOnKQOFHX1aBY/CMdXEbVBLj/AttoU0BFtlXlxyLa1p02leglXIf/IQF+RS7Or/9UY3aB1pYQjNLqqOxmHBFOn8sqRPUZa/6PITKw/uMZX5ts7WmmhXKK9mHW4k7HdMMtazeqrBSnegyL/UHgP93CNC9EP9S8bGbZ1/74mGqr3dd5Cng2ESx2TBl92yOK4l3Zuf393Y2YECZzSiRyZjOlVQUJHurFbiL3/e72VrefCMvHv9ktwK8+2LZ+T2zfXNf7wk72+F+eE78mS73hHhGzCma6l9GTeprPWKv/rmh//zP56Ge9+BWU+SF90ZowS6yGm4NJKevEdGHihfif+2Qhs+TNnHJqt9zo/QNpjwd/LFFKKoo9g0OmjV3PTV5ZsgOR+kgCl2eNz6/acUcBHmz4cxfQA+wmVnST0uapCNn+ZeOcDLFTWwpWcpLI277I5cuuZ51W4LIayvkzQvhv3/U/2at1ev75wcHu4VT2fo5TdkSjs9p2pdentnkQ1Y9ZYPg7VgZuGDHX2YD5UOkLiaYnMftnavhcx1pKO8eapoVSIPy+5Zl8kq73hYpD8t1/sL1UPWxNZE6gynimlK3nga7qQytYjqCSHXewKZ6LvPH5ZEenb+OYqZWFXisyL89RDzBIT0+/m8RB4/2iBUa5kyLBqP1nLvdiVWTikqVnBRq8epFEu2KhVkZLHzzf1dq/uB7jSDKQW9QOEBbSo47DIqU4GP0u/aoZURBpOCXBpIfIxQzMtvzBQzoROauPCpKODCqFjwZRR7l1Gx2DxuA8Rn1BRRk6NZUlnj0/p17dsWlpaL7nhtQ+Ys2sKNNawEGPJuV8Az8r4Sc6/QRP6W3FUmck+O/Dx0o1bFq2a5MAZU+oosUnXtpJwHL4yi+SE+0FOFoQMbUAY7zxhZNbhigry/HTxCKYa0TDiDMW1jhU5kEVUoz4Iq0OPjaCxgVIifk4njA6LQBxWF0ZWpSTiIVUTNR8Rrr4G5nUvYlAivF8pbzkFBUnzAsVbUj1JtqcpCzcAusU0d+t3vlHzEV/cFmC3AQCfj0TnAY18kpKG87e516AgWMsHXpt4cfBM0BfgQlDNjj5ovKhSexIZTMc+7ygnugOpZreUQ6E1h30HQ+AA3VnteofK8LxFj/NmQYrbFZkwe6WlvKFQZlpacqqqZm0fz5Obx5Su5kstluD41pIlZw9yNb9/ZIX33/oayG0uZJeiyNGsQxodSDRI2V++x/efKsm5rGCbuvQY1SJIsTSrn5pYfdJike9eBe4CqqkfOtNt3jyLETKqGKwebv1bYz9A+GTpU2FOMbmBdSJFhS1cZVAFqwH5T0n26N2OyawduA0pcnj3GvXEGWU2xt7c6eg0TRDNTBiQKwQC5qgueH3VNNaGZLLAr2BqYInIrOo2RiKGPUsh8INqlqlGf9MKRZrj8rBrGRGbPslS6ae/nughfVuXxexM9xX0iatLd2RgMp6pneKbno8FJ3vtXpHnneaiJWGuq47I6JkzVRQXc+6jCuec6HByykNPi4wLTW8CabpgsUbOxRp2SORuIdID50d8IuuAYNrwkV4exM7EZ3/ksREaXhj2dhgRR7NEwsrxYBAkBDDUF09egda80O3tw+ZsQ9lKYbohyjM6XYfJHkk7oiou3DHYyZ2lFGE4LAwa6jz3MrF2v80CVRuLJuUi/udBGDTvJK6rDia+fjOoXh6n216LDNYnyoBlRm0SG5di01WsaCgoYdHJ6To5IjTrKTExJn8hKdeIGCFeF+WQb4NvTqP5mck/0IPHecXRsDj3qcU7N0Tvh2P2R6X9xlH41M//dhp+FenWc+yNqUnyco3pE6tVH9Y+8ab49zvbTC1B9HLafJmvUzGd1zr1+wkmdedPMSX1vy9RKYea6dE7WzWhp1kkOZi3P4k2
le34u4hD5nw0uDGbvKjnRUj/g330rufc1WVQHdki0bfkfF9//+c/kyavry7un5Jppw8SqZHoNGSbmBLFxuZIz5Mce8mv7Ft2IyS8G/nDgzVvJyf6SQ7H3lvchHPXeRJ/fiNLhYzZmikFxdWZEy6WBWEPvFFSEiig17+SUn57F3yH1Lc1Yqd0YRCqiWc44Ve4wW0Fid2uK91E4VBfPjGbz9MKtfZDtKLP3drkqD0inrkVzYKZEEl6KQ+cGnZ8+Przlf/KmM37TWzFv7EIr8DALO1qkmvYo1nPdIrukWlHBPhyIdRJTFuxUhkVwq73yAyxbMhWM4o/Ofv3RDojy0SWVuyzdvUikn4Bys06pAlIoyGTOBA2GWLeO+h01DITRRwPPOJ13Pq/oJ52OK4IBRfT2slv4SysECqoMpv02kzkshGZN6/UH9xT5s4QMFDWQJSPCAA6sIrYhr8asXd13Sm5YVqer+9/RouBez+ktn0+RtYJ8XyMa6KVeT4Nls82jHtTXcTC7gYkECz1jVMmGuTendVexGygcUCs040rpj9Vq4BHv8hZQK1Mk1OTb6T+oDVFNtJHKyUc7Wg6GIrYv8VcX9ldfhueXsyzjMKfEeI0jniozAkvUkiFRMqMqnjfXhO78eK0cXbGrXjyekYJTy3Z7I0lFQKRqVwx5ETF4ZRar4IR4CVVbCD9Jbchrmq6ZGFDbMxp9Rr/o8uu9wMi+QoE9qPZWd2n1+oK8ymhBfsH/uFs9k8LlA/yzf12QNd2Ave85UOVaWBOsL6ELKTRUekA4acDOKOm3vZ4ge3xthFQxA4pVVTqEm6CryDBMSUX0LMQ0y/zWF5E5lRasLzrVTdDda1XhqL00YKv/+6uGaaJKEejrTgjVz2pJ7F5zXDL1QES2HzHxVsQczKRky0Qmt5roAlK2ZKn95lkobtzHH/U3qp2Ao6h59SVPVNX1vBbL+MzwtMUPUgq8uV7BiqY78l7vF/mp30PyboJDVNSSHWUW02rgDmur24gMo6ZxM9hboMe3Op8pkMW0lyGAYbZ9JuxPbA51bajakFPeAnPCOQQ3hIeJmM5c8VJDk/GRU965V0mOG5zccK2VPr1zOTFqp+M+f5sQGsfKHpfD6W/HU0swuHFceebBCHCcVAZLJrwvEI861oLIaTFQjALxD4RZnwl7Y+52VI8YQVL7m6bPwOcjD1QPqX1oxtB0nc9eiq4ZFxlDelpwm22RBTUXTIypuTvrTrNkY/j7VKEfOLbtYFxkniuj1aQiBeqR9+iaKrOP0FVQVa2t/fhZQ+x2zXoFz4jdh9aycCF6J03ARFS8dKlwUo1rz9iZ/l91QcXfjuZzVqj2a51VSlpIpNqp/fU5jn6E+jNeuD26q6poh+keXKsEhFGyCB/DTJaLnkF20l7zo1rrBo6ENiIVIzs5nUjFlcwLa5BWOx83ODY4cZrnBpQVrYk1m8MXEtUP0+N+j5zFjk5f4d7C9Mpmy9/j37h+LDnfkX8vKWdLBhm5xmwY57wIItvCIkmlfGBne1L6FRbEYWhsEsqH9LKI2jrNY09RGtcGZ6ge+fGz8bYexNdS9W4r5527IO92hSO/sajsBB2fh1msYJmMLI7TIcxicSaY+lKHCu100c3jLKgVjH38zntRSFV59vB55e2rgYVpZauOXtZqPsXUirEHpmPHPuqHqwhRUkbfc/to7UiWa6SgJuzgSEVC9bj3qBaoiu2gXio+it0tuFHcqVXwpFTj+/0W2PcMm0PHoIwQffvAI0M09oH9Log6DvBoQOAlGKOw2RFGrG59ra4VdB4oY243N8w8MeR7J/odDoxX3XP/7yuP5Ln/h3/1DTm9KAcVjiHwBJ/1tcSR234sQT9GqyBzj+DMl022yiITS1BqwEffn9lMlLfVoaPsCzo9ZiGjqh60bLEysH3xGUNO3r6BYWbcCDfutcVugHcYF6TaH/0D+o/Qw8XuWbEGNZdVY/Uc/+b75AoLqj8lV4ghjByUmS1RcoB
XV6B84XvYi+k4UGIHJj4WtJjRWhY77Je6VXfp4HqwD8N+gvFpkeE1Iffsw0D6zkP0Gbz9xw0RsJKGOTYXa6oH6tPqdP7k3RbD3fDDBb3tgkyoT9t7AOysdVXwq4r3DD/YaTayueJpecJ1LfF3g2017NljWpcxjaEtLD7qTrGfp3n5kAZQaqJnoce6try4scOTe3wyOHRaZ3pdqutded/+k3sM5zgsQlvyYoiM8fLiABXDQkNrnmym3SVdF7l34oRdcondArSMKKah40HZA3hrIDol6oumwGNbUKK8+I5o9N1KRW7vL//x+o7cWflJfhYDFSkbeqLzPmLoebeVYXrwWKZrSB90RLO3RrBMzW0PFYGuq5vUqecYoOELdzfn/oCuAor1ym+cRVVxmOqsvUH1DanCFmvzicE2HRvKWeY2RABN9+jPWF/q0NHHWT/ATndF0cl7LLoT+tqYQicMuxFEAiNL48hOT2/5NWXvsZWo4h2lYmZ3ZP+lMs8n5vKfSJnD5E3KcHrNlingXe06xoTbciqSUX2ox4Yk6KppwK+e5ipGNmygY3JDUkg2TwhQiCSHgyAORBvWvZA16ZoK0UtAm56o7MdFVAOe8tnKL9Uiz1fs/vXV5Rsvc593ENSizkjV9YrFbK+M6YdkI3kZP43LqgeG8LU0684gVZOFUjCjyROHRj/F3DVMJqi6IAT8RQNBaLyMPuGvPDXvBTP+ueRiPxhtAwpfSpYlJ6kUKRTGmgD3jtcDKU5jOqkH6zog86yxUbUQsaRg9zdpefTTv12GgkmCrIvZAVKtzhGi0A0t23N6LKhL3wsmMP795ue72zvymj7mTGR165Iw+y31Zwhk2Cv0PUC4J7RH/yHC6ys4HIIdFRDkIrOTcU08/+CJNNWk5m605CXV7bWvx+PxHKSBz8nYT5zRU80p/y+Qc1AHR4qsr43EnCS0+Ma1lx6p2NTdvAz6gZ21m7vUgGdEl4GwKKrJX7VRUqz+tuA0feBMG8j++tx/9qz+loklpOGvlkzBlvLgNUsXvAVDqMiIlmRg+yhYMW3Uzlo98x7Mgpq1L0VXYyFdLD0yJrUf7BPiEiVcbGsqVat6V62x1LSBMGr3p/8XAAD//4/xrJs=" + return "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" } diff --git a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml index 3d395874c03..ecf61b431da 100644 --- a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml +++ b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml 
@@ -1,1945 +1,2637 @@ - name: network.interface.name + overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa + overwrite: true type: group default_field: false fields: - name: internal + overwrite: true type: group fields: - name: msg + overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid + overwrite: true type: keyword - name: event_desc + overwrite: true type: keyword - name: message + overwrite: true type: keyword description: This key captures the contents of instant messages - name: time + overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level + overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id + overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid + overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val + overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: resource + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode + overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead + overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc + overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name + overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class + overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host + overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip + overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 + overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type + overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id + overwrite: true type: long description: Deprecated key defined only in table map. - name: did + overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category + overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip + overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 + overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id + overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid + overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime + overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium + overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id + overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error + overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res + overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src + overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid + overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split + overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size + overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile + overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res + overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word + overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time + overwrite: true type: group fields: - name: event_time + overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time + overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str + overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime + overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month + overwrite: true type: keyword - name: day + overwrite: true type: keyword - name: endtime + overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone + overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str + overwrite: true type: keyword description: A text string version of the duration - name: date + overwrite: true type: keyword - name: year + overwrite: true type: keyword - name: recorded_time + overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime + overwrite: true type: keyword - name: effective_time + overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time + overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time + overwrite: true type: keyword description: Deprecated, use duration.time - name: hour + overwrite: true type: keyword - name: min + overwrite: true type: keyword - name: timestamp + overwrite: true type: keyword - name: event_queue_time + overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 + overwrite: true type: keyword - name: tzone + overwrite: true type: keyword - name: eventtime + overwrite: true type: keyword - name: gmtdate + overwrite: true type: keyword - name: gmttime + overwrite: true type: keyword - name: p_date + overwrite: true type: keyword - name: p_month + overwrite: true type: keyword - name: p_time + overwrite: true type: keyword - name: p_time2 + overwrite: true type: keyword - name: p_year + overwrite: true type: keyword - name: expire_time_str + overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp + overwrite: true type: date description: Deprecated key defined only in table map. - name: misc + overwrite: true type: group fields: - name: action + overwrite: true type: keyword - name: result + overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity + overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type + overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id + overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version + overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition + overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code + overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category + overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name + overwrite: true type: keyword description: This is used to capture name of object - name: obj_type + overwrite: true type: keyword description: This is used to capture type of object - name: event_source + overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id + overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group + overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name + overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name + overwrite: true type: keyword description: This key captures the Rule Name - name: context + overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new + overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space + overwrite: true type: keyword - name: client + overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 + overwrite: true type: keyword - name: msgIdPart2 + overwrite: true type: keyword - name: change_old + overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id + overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state + overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object + overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node + overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule + overwrite: true type: keyword description: This key captures the Rule number - name: device_name + overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param + overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib + overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 + overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log + overwrite: true type: keyword description: This key captures the Name of the event log - name: OS + overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal + overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 + overwrite: true type: keyword - name: filter + overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number + overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user + overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname + overwrite: true type: keyword description: This key captures the name of the virus - name: content_type + overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id + overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id + overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys + overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id + overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 + overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor + overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name + overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group + overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num + overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val + overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 + overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version + overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version + overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id + overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk + overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id + overwrite: true type: keyword - name: reason + overwrite: true type: keyword - name: status + overwrite: true type: keyword - name: mail_id + overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid + overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc + overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout + overwrite: true type: keyword - name: p_msgid + overwrite: true type: keyword - name: data_type + overwrite: true type: keyword - name: msgIdPart4 + overwrite: true type: keyword - name: error + overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index + overwrite: true type: keyword - name: listnum + overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype + overwrite: true type: keyword - name: observed_val + overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value + overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name + overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template + overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count + overwrite: true type: keyword - name: number + overwrite: true type: keyword - name: sigcat + overwrite: true type: keyword - name: type + overwrite: true type: keyword - name: comments + overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number + overwrite: true type: long description: This key captures File Identification number - name: expected_val + overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num + overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst + overwrite: true type: keyword description: Destination SPI Index - name: spi_src + overwrite: true type: keyword description: Source SPI Index - name: code + overwrite: true type: keyword - name: agent_id + overwrite: true type: keyword description: This key is used to capture agent id - name: message_body + overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone + overwrite: true type: keyword - name: sig_id_str + overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd + overwrite: true type: keyword - name: misc + overwrite: true type: keyword - name: name + overwrite: true type: keyword - name: cpu + overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc + overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 + overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid + overwrite: true type: keyword - name: im_client + overwrite: true type: keyword - name: im_userid + overwrite: true type: keyword - name: pid + overwrite: true type: keyword - name: priority + overwrite: true type: keyword - name: context_subject + overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target + overwrite: true type: keyword - name: cve + overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum + overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library + overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node + overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags + overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos + overwrite: true type: long description: This key describes the type of service - name: vm_target + overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace + overwrite: true type: keyword description: This key captures Workspace Description - name: command + overwrite: true type: keyword - name: event_category + overwrite: true type: keyword - name: facilityname + overwrite: true type: keyword - name: forensic_info + overwrite: true type: keyword - name: jobname + overwrite: true type: keyword - name: mode + overwrite: true type: keyword - name: policy + overwrite: true type: keyword - name: policy_waiver + overwrite: true type: keyword - name: second + overwrite: true type: keyword - name: space1 + overwrite: true type: keyword - name: subcategory + overwrite: true type: keyword - name: tbdstr2 + overwrite: true type: keyword - name: alert_id + overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src + overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult + overwrite: true type: long description: This key captures the Filter Result - name: payload_dst + overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src + overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id + overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val + overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm + overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next + overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand + overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static + overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning + overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid + overwrite: true type: keyword description: SNMP Object Identifier - name: sql + overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref + overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id + overwrite: true type: keyword - name: acl_op + overwrite: true type: keyword - name: acl_pos + overwrite: true type: keyword - name: acl_table + overwrite: true type: keyword - name: admin + overwrite: true type: keyword - name: alarm_id + overwrite: true type: keyword - name: alarmname + overwrite: true type: keyword - name: app_id + overwrite: true type: keyword - name: audit + overwrite: true type: 
keyword - name: audit_object + overwrite: true type: keyword - name: auditdata + overwrite: true type: keyword - name: benchmark + overwrite: true type: keyword - name: bypass + overwrite: true type: keyword - name: cache + overwrite: true type: keyword - name: cache_hit + overwrite: true type: keyword - name: cefversion + overwrite: true type: keyword - name: cfg_attr + overwrite: true type: keyword - name: cfg_obj + overwrite: true type: keyword - name: cfg_path + overwrite: true type: keyword - name: changes + overwrite: true type: keyword - name: client_ip + overwrite: true type: keyword - name: clustermembers + overwrite: true type: keyword - name: cn_acttimeout + overwrite: true type: keyword - name: cn_asn_src + overwrite: true type: keyword - name: cn_bgpv4nxthop + overwrite: true type: keyword - name: cn_ctr_dst_code + overwrite: true type: keyword - name: cn_dst_tos + overwrite: true type: keyword - name: cn_dst_vlan + overwrite: true type: keyword - name: cn_engine_id + overwrite: true type: keyword - name: cn_engine_type + overwrite: true type: keyword - name: cn_f_switch + overwrite: true type: keyword - name: cn_flowsampid + overwrite: true type: keyword - name: cn_flowsampintv + overwrite: true type: keyword - name: cn_flowsampmode + overwrite: true type: keyword - name: cn_inacttimeout + overwrite: true type: keyword - name: cn_inpermbyts + overwrite: true type: keyword - name: cn_inpermpckts + overwrite: true type: keyword - name: cn_invalid + overwrite: true type: keyword - name: cn_ip_proto_ver + overwrite: true type: keyword - name: cn_ipv4_ident + overwrite: true type: keyword - name: cn_l_switch + overwrite: true type: keyword - name: cn_log_did + overwrite: true type: keyword - name: cn_log_rid + overwrite: true type: keyword - name: cn_max_ttl + overwrite: true type: keyword - name: cn_maxpcktlen + overwrite: true type: keyword - name: cn_min_ttl + overwrite: true type: keyword - name: cn_minpcktlen + overwrite: true type: keyword - name: 
cn_mpls_lbl_1 + overwrite: true type: keyword - name: cn_mpls_lbl_10 + overwrite: true type: keyword - name: cn_mpls_lbl_2 + overwrite: true type: keyword - name: cn_mpls_lbl_3 + overwrite: true type: keyword - name: cn_mpls_lbl_4 + overwrite: true type: keyword - name: cn_mpls_lbl_5 + overwrite: true type: keyword - name: cn_mpls_lbl_6 + overwrite: true type: keyword - name: cn_mpls_lbl_7 + overwrite: true type: keyword - name: cn_mpls_lbl_8 + overwrite: true type: keyword - name: cn_mpls_lbl_9 + overwrite: true type: keyword - name: cn_mplstoplabel + overwrite: true type: keyword - name: cn_mplstoplabip + overwrite: true type: keyword - name: cn_mul_dst_byt + overwrite: true type: keyword - name: cn_mul_dst_pks + overwrite: true type: keyword - name: cn_muligmptype + overwrite: true type: keyword - name: cn_sampalgo + overwrite: true type: keyword - name: cn_sampint + overwrite: true type: keyword - name: cn_seqctr + overwrite: true type: keyword - name: cn_spackets + overwrite: true type: keyword - name: cn_src_tos + overwrite: true type: keyword - name: cn_src_vlan + overwrite: true type: keyword - name: cn_sysuptime + overwrite: true type: keyword - name: cn_template_id + overwrite: true type: keyword - name: cn_totbytsexp + overwrite: true type: keyword - name: cn_totflowexp + overwrite: true type: keyword - name: cn_totpcktsexp + overwrite: true type: keyword - name: cn_unixnanosecs + overwrite: true type: keyword - name: cn_v6flowlabel + overwrite: true type: keyword - name: cn_v6optheaders + overwrite: true type: keyword - name: comp_class + overwrite: true type: keyword - name: comp_name + overwrite: true type: keyword - name: comp_rbytes + overwrite: true type: keyword - name: comp_sbytes + overwrite: true type: keyword - name: cpu_data + overwrite: true type: keyword - name: criticality + overwrite: true type: keyword - name: cs_agency_dst + overwrite: true type: keyword - name: cs_analyzedby + overwrite: true type: keyword - name: cs_av_other + 
overwrite: true type: keyword - name: cs_av_primary + overwrite: true type: keyword - name: cs_av_secondary + overwrite: true type: keyword - name: cs_bgpv6nxthop + overwrite: true type: keyword - name: cs_bit9status + overwrite: true type: keyword - name: cs_context + overwrite: true type: keyword - name: cs_control + overwrite: true type: keyword - name: cs_data + overwrite: true type: keyword - name: cs_datecret + overwrite: true type: keyword - name: cs_dst_tld + overwrite: true type: keyword - name: cs_eth_dst_ven + overwrite: true type: keyword - name: cs_eth_src_ven + overwrite: true type: keyword - name: cs_event_uuid + overwrite: true type: keyword - name: cs_filetype + overwrite: true type: keyword - name: cs_fld + overwrite: true type: keyword - name: cs_if_desc + overwrite: true type: keyword - name: cs_if_name + overwrite: true type: keyword - name: cs_ip_next_hop + overwrite: true type: keyword - name: cs_ipv4dstpre + overwrite: true type: keyword - name: cs_ipv4srcpre + overwrite: true type: keyword - name: cs_lifetime + overwrite: true type: keyword - name: cs_log_medium + overwrite: true type: keyword - name: cs_loginname + overwrite: true type: keyword - name: cs_modulescore + overwrite: true type: keyword - name: cs_modulesign + overwrite: true type: keyword - name: cs_opswatresult + overwrite: true type: keyword - name: cs_payload + overwrite: true type: keyword - name: cs_registrant + overwrite: true type: keyword - name: cs_registrar + overwrite: true type: keyword - name: cs_represult + overwrite: true type: keyword - name: cs_rpayload + overwrite: true type: keyword - name: cs_sampler_name + overwrite: true type: keyword - name: cs_sourcemodule + overwrite: true type: keyword - name: cs_streams + overwrite: true type: keyword - name: cs_targetmodule + overwrite: true type: keyword - name: cs_v6nxthop + overwrite: true type: keyword - name: cs_whois_server + overwrite: true type: keyword - name: cs_yararesult + overwrite: true type: keyword - 
name: description + overwrite: true type: keyword - name: devvendor + overwrite: true type: keyword - name: distance + overwrite: true type: keyword - name: dstburb + overwrite: true type: keyword - name: edomain + overwrite: true type: keyword - name: edomaub + overwrite: true type: keyword - name: euid + overwrite: true type: keyword - name: facility + overwrite: true type: keyword - name: finterface + overwrite: true type: keyword - name: flags + overwrite: true type: keyword - name: gaddr + overwrite: true type: keyword - name: id3 + overwrite: true type: keyword - name: im_buddyname + overwrite: true type: keyword - name: im_croomid + overwrite: true type: keyword - name: im_croomtype + overwrite: true type: keyword - name: im_members + overwrite: true type: keyword - name: im_username + overwrite: true type: keyword - name: ipkt + overwrite: true type: keyword - name: ipscat + overwrite: true type: keyword - name: ipspri + overwrite: true type: keyword - name: latitude + overwrite: true type: keyword - name: linenum + overwrite: true type: keyword - name: list_name + overwrite: true type: keyword - name: load_data + overwrite: true type: keyword - name: location_floor + overwrite: true type: keyword - name: location_mark + overwrite: true type: keyword - name: log_id + overwrite: true type: keyword - name: log_type + overwrite: true type: keyword - name: logid + overwrite: true type: keyword - name: logip + overwrite: true type: keyword - name: logname + overwrite: true type: keyword - name: longitude + overwrite: true type: keyword - name: lport + overwrite: true type: keyword - name: mbug_data + overwrite: true type: keyword - name: misc_name + overwrite: true type: keyword - name: msg_type + overwrite: true type: keyword - name: msgid + overwrite: true type: keyword - name: netsessid + overwrite: true type: keyword - name: num + overwrite: true type: keyword - name: number1 + overwrite: true type: keyword - name: number2 + overwrite: true type: keyword - 
name: nwwn + overwrite: true type: keyword - name: object + overwrite: true type: keyword - name: operation + overwrite: true type: keyword - name: opkt + overwrite: true type: keyword - name: orig_from + overwrite: true type: keyword - name: owner_id + overwrite: true type: keyword - name: p_action + overwrite: true type: keyword - name: p_filter + overwrite: true type: keyword - name: p_group_object + overwrite: true type: keyword - name: p_id + overwrite: true type: keyword - name: p_msgid1 + overwrite: true type: keyword - name: p_msgid2 + overwrite: true type: keyword - name: p_result1 + overwrite: true type: keyword - name: password_chg + overwrite: true type: keyword - name: password_expire + overwrite: true type: keyword - name: permgranted + overwrite: true type: keyword - name: permwanted + overwrite: true type: keyword - name: pgid + overwrite: true type: keyword - name: policyUUID + overwrite: true type: keyword - name: prog_asp_num + overwrite: true type: keyword - name: program + overwrite: true type: keyword - name: real_data + overwrite: true type: keyword - name: rec_asp_device + overwrite: true type: keyword - name: rec_asp_num + overwrite: true type: keyword - name: rec_library + overwrite: true type: keyword - name: recordnum + overwrite: true type: keyword - name: ruid + overwrite: true type: keyword - name: sburb + overwrite: true type: keyword - name: sdomain_fld + overwrite: true type: keyword - name: sec + overwrite: true type: keyword - name: sensorname + overwrite: true type: keyword - name: seqnum + overwrite: true type: keyword - name: session + overwrite: true type: keyword - name: sessiontype + overwrite: true type: keyword - name: sigUUID + overwrite: true type: keyword - name: spi + overwrite: true type: keyword - name: srcburb + overwrite: true type: keyword - name: srcdom + overwrite: true type: keyword - name: srcservice + overwrite: true type: keyword - name: state + overwrite: true type: keyword - name: status1 + overwrite: 
true type: keyword - name: svcno + overwrite: true type: keyword - name: system + overwrite: true type: keyword - name: tbdstr1 + overwrite: true type: keyword - name: tgtdom + overwrite: true type: keyword - name: tgtdomain + overwrite: true type: keyword - name: threshold + overwrite: true type: keyword - name: type1 + overwrite: true type: keyword - name: udb_class + overwrite: true type: keyword - name: url_fld + overwrite: true type: keyword - name: user_div + overwrite: true type: keyword - name: userid + overwrite: true type: keyword - name: username_fld + overwrite: true type: keyword - name: utcstamp + overwrite: true type: keyword - name: v_instafname + overwrite: true type: keyword - name: virt_data + overwrite: true type: keyword - name: vpnid + overwrite: true type: keyword - name: autorun_type + overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number + overwrite: true type: long description: Valid Credit Card Numbers only - name: content + overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number + overwrite: true type: long description: Employee Identification Numbers only - name: found + overwrite: true type: keyword description: This is used to capture the results of regex match - name: language + overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime + overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link + overwrite: true type: keyword description: This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match + overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst + overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src + overwrite: true type: keyword description: This key captures source parameter - name: search_text + overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name + overwrite: true type: keyword description: This key is used to capture the Signature Name only. - name: snmp_value + overwrite: true type: keyword description: SNMP set request value - name: streams + overwrite: true type: long description: This key captures number of streams in session - name: db + overwrite: true type: group fields: - name: index + overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance + overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database + overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id + overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions + overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. 
- name: table_name + overwrite: true type: keyword description: This key is used to capture the table name - name: db_id + overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid + overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread + overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite + overwrite: true type: long description: This key is used for the number of logical writes - name: pread + overwrite: true type: long description: This key is used for the number of physical writes - name: network + overwrite: true type: group fields: - name: alias_host + overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain + overwrite: true type: keyword - name: host_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service + overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface + overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port + overwrite: true type: long description: 'Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host + overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan + overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone + overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst + overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway + overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type + overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask + overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code + overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail + overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask + overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port + overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask + overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname + overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr + overwrite: true type: ip description: Deprecated - name: faddr + overwrite: true type: keyword - name: lhost + overwrite: true type: keyword - name: origin + overwrite: true type: keyword - name: remote_domain_id + overwrite: true type: keyword - name: addr + overwrite: true type: keyword - name: dns_a_record + overwrite: true type: keyword - name: dns_ptr_record + overwrite: true type: keyword - name: fhost + overwrite: true type: keyword - name: fport + overwrite: true type: keyword - name: laddr + overwrite: true type: keyword - name: linterface + overwrite: true type: keyword - name: phost + overwrite: true type: keyword - name: ad_computer_dst + overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type + overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto + overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record + overwrite: true type: keyword - name: dns_id + overwrite: true type: keyword - name: dns_opcode + overwrite: true type: keyword - name: 
dns_resp + overwrite: true type: keyword - name: dns_type + overwrite: true type: keyword - name: domain1 + overwrite: true type: keyword - name: host_type + overwrite: true type: keyword - name: packet_length + overwrite: true type: keyword - name: host_orig + overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload + overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name + overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations + overwrite: true type: group fields: - name: ec_activity + overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme + overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject + overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome + overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat + overwrite: true type: long description: This key captures the Event category number - name: event_cat_name + overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat + overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file + overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - name: analysis_service + overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session + overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc + overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc + overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category + overwrite: true type: keyword description: This used to capture investigation category - name: inv_context + overwrite: true type: keyword description: This used to capture investigation context - name: ioc + overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters + overwrite: true type: group fields: - name: dclass_c1 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter + overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 + overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str + overwrite: true type: keyword description: This is a generic counter string key 
that should be used with the label dclass.c2 only - name: dclass_r1_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str + overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 + overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str + overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity + overwrite: true type: group fields: - name: auth_method + overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role + overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn + overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type + overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile + overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses + overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm + overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst + overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org + overwrite: true type: keyword description: This key captures the User organization - name: dn_dst + overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept + overwrite: true type: keyword description: User's Department Names only - name: user_sid_src + overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp + overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp + overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc + overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password + overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role + overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap + overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query + overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response + overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner + overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account + overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email + overwrite: true type: group fields: - name: email_dst + overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src + overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject + overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. 
- name: email + overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: trans_to + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file + overwrite: true type: group fields: - name: privilege + overwrite: true type: keyword description: Deprecated, use permissions - name: attachment + overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem + overwrite: true type: keyword - name: binary + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst + overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src + overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp + overwrite: true type: keyword - name: directory_dst + overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src + overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy + overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor + overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name + overwrite: true type: keyword description: This is used to capture name of the task - name: web + overwrite: true type: group fields: - name: fqdn + overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie + overwrite: true type: keyword description: This key is used to capture the Web cookies 
specifically. - name: alias_host + overwrite: true type: keyword - name: reputation_num + overwrite: true type: double description: Reputation Number of an entity. Typically used for Web Domains - name: web_ref_domain + overwrite: true type: keyword description: Web referer's domain - name: web_ref_query + overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain + overwrite: true type: keyword - name: web_ref_page + overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root + overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst + overwrite: true type: keyword - name: cn_rpackets + overwrite: true type: keyword - name: urlpage + overwrite: true type: keyword - name: urlroot + overwrite: true type: keyword - name: p_url + overwrite: true type: keyword - name: p_user_agent + overwrite: true type: keyword - name: p_web_cookie + overwrite: true type: keyword - name: p_web_method + overwrite: true type: keyword - name: p_web_referer + overwrite: true type: keyword - name: web_extension_tmp + overwrite: true type: keyword - name: web_page + overwrite: true type: keyword - name: threat + overwrite: true type: group fields: - name: threat_category + overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc + overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert + overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source + overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto + overwrite: true type: group fields: - name: crypto + overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: 
cipher_src + overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject + overwrite: true type: keyword description: This key is used to capture the Certificate organization only - name: peer + overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src + overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike + overwrite: true type: keyword description: IKE negotiation phase. - name: scheme + overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id + overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type + overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer + overwrite: true type: keyword - name: cert_host_name + overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error + overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst + overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst + overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src + overwrite: true type: keyword description: Deprecated, use version - name: d_certauth + overwrite: true type: keyword - name: s_certauth + overwrite: true type: keyword - name: ike_cookie1 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 + overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum + overwrite: true type: keyword - name: cert_host_cat + overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial + overwrite: true type: 
keyword description: This key is used to capture the Certificate serial number only - name: cert_status + overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst + overwrite: true type: keyword description: Deprecated, use version - name: cert_keysize + overwrite: true type: keyword - name: cert_username + overwrite: true type: keyword - name: https_insact + overwrite: true type: keyword - name: https_valid + overwrite: true type: keyword - name: cert_ca + overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common + overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless + overwrite: true type: group fields: - name: wlan_ssid + overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point + overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel + overwrite: true type: long description: This is used to capture the channel names - name: wlan_name + overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage + overwrite: true type: group fields: - name: disk_volume + overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun + overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn + overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical + overwrite: true type: group fields: - name: org_dst + overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- name: org_src + overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare + overwrite: true type: group fields: - name: patient_fname + overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id + overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname + overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname + overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint + overwrite: true type: group fields: - name: host_state + overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key + overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value + overwrite: true type: keyword description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
index b0a806fa1a5..c31f8631d33 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
@@ -35,8 +35,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ntium",
 "rsa.misc.action": [
- "Blocked",
- "pisciv"
+ "pisciv",
+ "Blocked"
 ],
 "rsa.misc.category": "umq",
 "rsa.misc.filter": "oremi",
@@ -93,8 +93,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.173.22.152",
- "10.26.46.95"
+ "10.26.46.95",
+ "10.173.22.152"
 ],
 "rsa.db.index": "aqu",
 "rsa.identity.user_dept": "com",
@@ -177,8 +177,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "uptassi",
 "rsa.misc.action": [
- "giatq",
- "Blocked"
+ "Blocked",
+ "giatq"
 ],
 "rsa.misc.category": "llu",
 "rsa.misc.filter": "tconsec",
@@ -237,8 +237,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.252.125.53",
- "10.103.246.190"
+ "10.103.246.190",
+ "10.252.125.53"
 ],
 "rsa.db.index": "uiano",
 "rsa.identity.user_dept": "ari",
@@ -249,8 +249,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ima",
 "rsa.misc.action": [
- "llam",
- "Allowed"
+ "Allowed",
+ "llam"
 ],
 "rsa.misc.category": "aboris",
 "rsa.misc.filter": "atatnonp",
@@ -309,8 +309,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.136.153.149",
- "10.61.78.108"
+ "10.61.78.108",
+ "10.136.153.149"
 ],
 "rsa.db.index": "idexea",
 "rsa.identity.user_dept": "ciati",
@@ -465,8 +465,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "lupt",
 "rsa.misc.action": [
- "Blocked",
- "dun"
+ "dun",
+ "Blocked"
 ],
 "rsa.misc.category": "rsitamet",
 "rsa.misc.filter": "usmod",
@@ -525,8 +525,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.74.17.5",
- "10.119.185.63"
+ "10.119.185.63",
+ "10.74.17.5"
 ],
 "rsa.db.index": "ume",
 "rsa.identity.user_dept": "itecto",
@@ -669,8 +669,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.71.170.37",
- "10.135.225.244"
+ "10.135.225.244",
+ "10.71.170.37"
 ],
 "rsa.db.index": "serror",
 "rsa.identity.user_dept": "atiset",
@@ -813,8 +813,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.2.53.125",
- "10.181.80.139"
+ "10.181.80.139",
+ "10.2.53.125"
 ],
 "rsa.db.index": "tin",
 "rsa.identity.user_dept": "aboN",
@@ -885,8 +885,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.31.240.6",
- "10.167.98.76"
+ "10.167.98.76",
+ "10.31.240.6"
 ],
 "rsa.db.index": "bore",
 "rsa.identity.user_dept": "gnido",
@@ -897,8 +897,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "catc",
 "rsa.misc.action": [
- "veni",
- "Allowed"
+ "Allowed",
+ "veni"
 ],
 "rsa.misc.category": "sBono",
 "rsa.misc.filter": "isnisiu",
@@ -1029,8 +1029,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.63.250.128",
- "10.111.187.12"
+ "10.111.187.12",
+ "10.63.250.128"
 ],
 "rsa.db.index": "nevo",
 "rsa.identity.user_dept": "tev",
@@ -1101,8 +1101,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.252.124.150",
- "10.5.126.127"
+ "10.5.126.127",
+ "10.252.124.150"
 ],
 "rsa.db.index": "uirati",
 "rsa.identity.user_dept": "roid",
@@ -1173,8 +1173,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.91.126.231",
- "10.201.171.120"
+ "10.201.171.120",
+ "10.91.126.231"
 ],
 "rsa.db.index": "str",
 "rsa.identity.user_dept": "tau",
@@ -1185,8 +1185,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "umdo",
 "rsa.misc.action": [
- "orumSe",
- "Blocked"
+ "Blocked",
+ "orumSe"
 ],
 "rsa.misc.category": "tanimid",
 "rsa.misc.filter": "itam",
@@ -1257,8 +1257,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "quid",
 "rsa.misc.action": [
- "itecto",
- "Allowed"
+ "Allowed",
+ "itecto"
 ],
 "rsa.misc.category": "quam",
 "rsa.misc.filter": "adeser",
@@ -1317,8 +1317,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.215.205.216",
- "10.31.198.58"
+ "10.31.198.58",
+ "10.215.205.216"
 ],
 "rsa.db.index": "sau",
 "rsa.identity.user_dept": "boreetdo",
@@ -1329,8 +1329,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "oNemoeni",
 "rsa.misc.action": [
- "nre",
- "Blocked"
+ "Blocked",
+ "nre"
 ],
 "rsa.misc.category": "labo",
 "rsa.misc.filter": "tutlab",
@@ -1401,8 +1401,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "vitaedi",
 "rsa.misc.action": [
- "llitanim",
- "Allowed"
+ "Allowed",
+ "llitanim"
 ],
 "rsa.misc.category": "apariat",
 "rsa.misc.filter": "tasnulap",
@@ -1461,8 +1461,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.161.148.64",
- "10.129.192.145"
+ "10.129.192.145",
+ "10.161.148.64"
 ],
 "rsa.db.index": "cteturad",
 "rsa.identity.user_dept": "dex",
@@ -1473,8 +1473,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "uaUten",
 "rsa.misc.action": [
- "amcorp",
- "Blocked"
+ "Blocked",
+ "amcorp"
 ],
 "rsa.misc.category": "umdolor",
 "rsa.misc.filter": "velillu",
@@ -1533,8 +1533,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.7.200.140",
- "10.203.65.161"
+ "10.203.65.161",
+ "10.7.200.140"
 ],
 "rsa.db.index": "qui",
 "rsa.identity.user_dept": "siu",
@@ -1749,8 +1749,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.179.210.218",
- "10.32.39.220"
+ "10.32.39.220",
+ "10.179.210.218"
 ],
 "rsa.db.index": "emvele",
 "rsa.identity.user_dept": "tatevel",
@@ -1761,8 +1761,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "riss",
 "rsa.misc.action": [
- "Blocked",
- "risnis"
+ "risnis",
+ "Blocked"
 ],
 "rsa.misc.category": "emqu",
 "rsa.misc.filter": "oluptas",
@@ -1833,8 +1833,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ntNeq",
 "rsa.misc.action": [
- "dtempo",
- "Blocked"
+ "Blocked",
+ "dtempo"
 ],
 "rsa.misc.category": "ipsu",
 "rsa.misc.filter": "iqu",
@@ -1965,8 +1965,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.115.53.31",
- "10.2.67.127"
+ "10.2.67.127",
+ "10.115.53.31"
 ],
 "rsa.db.index": "ntexplic",
 "rsa.identity.user_dept": "mdolore",
@@ -1977,8 +1977,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "quatD",
 "rsa.misc.action": [
- "tatem",
- "Allowed"
+ "Allowed",
+ "tatem"
 ],
 "rsa.misc.category": "aincidun",
 "rsa.misc.filter": "uela",
@@ -2049,8 +2049,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tasun",
 "rsa.misc.action": [
- "quasiarc",
- "Allowed"
+ "Allowed",
+ "quasiarc"
 ],
 "rsa.misc.category": "autfugi",
 "rsa.misc.filter": "ritqu",
@@ -2193,8 +2193,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "mag",
 "rsa.misc.action": [
- "Allowed",
- "tali"
+ "tali",
+ "Allowed"
 ],
 "rsa.misc.category": "oconse",
 "rsa.misc.filter": "npr",
@@ -2265,8 +2265,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tdolore",
 "rsa.misc.action": [
- "Blocked",
- "onproide"
+ "onproide",
+ "Blocked"
 ],
 "rsa.misc.category": "tvolup",
 "rsa.misc.filter": "niam",
@@ -2337,8 +2337,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "uteir",
 "rsa.misc.action": [
- "Allowed",
- "Section"
+ "Section",
+ "Allowed"
 ],
 "rsa.misc.category": "cididu",
 "rsa.misc.filter": "Utenima",
@@ -2397,8 +2397,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.236.230.136",
- "10.54.159.1"
+ "10.54.159.1",
+ "10.236.230.136"
 ],
 "rsa.db.index": "olup",
 "rsa.identity.user_dept": "asnulapa",
@@ -2541,8 +2541,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.142.120.198",
- "10.166.10.42"
+ "10.166.10.42",
+ "10.142.120.198"
 ],
 "rsa.db.index": "fugiatn",
 "rsa.identity.user_dept": "uamqu",
@@ -2757,8 +2757,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.55.81.14",
- "10.243.6.41"
+ "10.243.6.41",
+ "10.55.81.14"
 ],
 "rsa.db.index": "emp",
 "rsa.identity.user_dept": "tenim",
@@ -2769,8 +2769,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "idolores",
 "rsa.misc.action": [
- "Blocked",
- "lestia"
+ "lestia",
+ "Blocked"
 ],
 "rsa.misc.category": "risni",
 "rsa.misc.filter": "emacc",
@@ -2841,8 +2841,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "lit",
 "rsa.misc.action": [
- "Blocked",
- "quu"
+ "quu",
+ "Blocked"
 ],
 "rsa.misc.category": "oluptate",
 "rsa.misc.filter": "exercita",
@@ -2913,8 +2913,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "Loremip",
 "rsa.misc.action": [
- "quid",
- "Allowed"
+ "Allowed",
+ "quid"
 ],
 "rsa.misc.category": "mini",
 "rsa.misc.filter": "uisnos",
@@ -2985,8 +2985,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "voluptas",
 "rsa.misc.action": [
- "Allowed",
- "olor"
+ "olor",
+ "Allowed"
 ],
 "rsa.misc.category": "ataevita",
 "rsa.misc.filter": "nderi",
@@ -3045,8 +3045,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.68.8.143",
- "10.125.120.97"
+ "10.125.120.97",
+ "10.68.8.143"
 ],
 "rsa.db.index": "tam",
 "rsa.identity.user_dept": "idolo",
@@ -3273,8 +3273,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tatemse",
 "rsa.misc.action": [
- "upta",
- "Blocked"
+ "Blocked",
+ "upta"
 ],
 "rsa.misc.category": "tlabo",
 "rsa.misc.filter": "aliqui",
@@ -3333,8 +3333,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.180.150.47",
- "10.141.195.13"
+ "10.141.195.13",
+ "10.180.150.47"
 ],
 "rsa.db.index": "ariat",
 "rsa.identity.user_dept": "ncul",
@@ -3417,8 +3417,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "mipsumq",
 "rsa.misc.action": [
- "Allowed",
- "citation"
+ "citation",
+ "Allowed"
 ],
 "rsa.misc.category": "usant",
 "rsa.misc.filter": "Nem",
@@ -3631,8 +3631,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "eritqui",
 "rsa.misc.action": [
- "Blocked",
- "dolor"
+ "dolor",
+ "Blocked"
 ],
 "rsa.misc.category": "taspe",
 "rsa.misc.filter": "oremipsu",
@@ -3689,8 +3689,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.229.102.140",
- "10.243.182.229"
+ "10.243.182.229",
+ "10.229.102.140"
 ],
 "rsa.db.index": "mveni",
 "rsa.identity.user_dept": "nimve",
@@ -3769,8 +3769,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "adipisc",
 "rsa.misc.action": [
- "Blocked",
- "exer"
+ "exer",
+ "Blocked"
 ],
 "rsa.misc.category": "remagna",
 "rsa.misc.filter": "emvel",
@@ -3901,8 +3901,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.89.41.97",
- "10.91.2.225"
+ "10.91.2.225",
+ "10.89.41.97"
 ],
 "rsa.db.index": "ntut",
 "rsa.identity.user_dept": "nderi",
@@ -3913,8 +3913,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "iuntN",
 "rsa.misc.action": [
- "Allowed",
- "nim"
+ "nim",
+ "Allowed"
 ],
 "rsa.misc.category": "etco",
 "rsa.misc.filter": "autodita",
@@ -3973,8 +3973,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.7.18.226",
- "10.221.20.165"
+ "10.221.20.165",
+ "10.7.18.226"
 ],
 "rsa.db.index": "borio",
 "rsa.identity.user_dept": "tionev",
@@ -3985,8 +3985,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "iadeseru",
 "rsa.misc.action": [
- "epreh",
- "Allowed"
+ "Allowed",
+ "epreh"
 ],
 "rsa.misc.category": "ruredol",
 "rsa.misc.filter": "atquo",
@@ -4045,8 +4045,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.178.148.188",
- "10.155.252.123"
+ "10.155.252.123",
+ "10.178.148.188"
 ],
 "rsa.db.index": "ipsa",
 "rsa.identity.user_dept": "ssequ",
@@ -4187,8 +4187,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.55.38.153",
- "10.112.190.154"
+ "10.112.190.154",
+ "10.55.38.153"
 ],
 "rsa.db.index": "Except",
 "rsa.identity.user_dept": "tvolup",
@@ -4199,8 +4199,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tin",
 "rsa.misc.action": [
- "Allowed",
- "urau"
+ "urau",
+ "Allowed"
 ],
 "rsa.misc.category": "isiut",
 "rsa.misc.filter": "cons",
@@ -4271,8 +4271,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tDuisaut",
 "rsa.misc.action": [
- "upidatat",
- "Allowed"
+ "Allowed",
+ "upidatat"
 ],
 "rsa.misc.category": "aliquide",
 "rsa.misc.filter": "deriti",
@@ -4343,8 +4343,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "rroq",
 "rsa.misc.action": [
- "fdeFin",
- "Blocked"
+ "Blocked",
+ "fdeFin"
 ],
 "rsa.misc.category": "diduntut",
 "rsa.misc.filter": "ano",
@@ -4399,8 +4399,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.122.102.156",
- "10.187.16.73"
+ "10.187.16.73",
+ "10.122.102.156"
 ],
 "rsa.db.index": "volupt",
 "rsa.identity.user_dept": "metMa",
@@ -4411,8 +4411,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "dipisc",
 "rsa.misc.action": [
- "Allowed",
- "turad"
+ "turad",
+ "Allowed"
 ],
 "rsa.misc.category": "ulpaquio",
 "rsa.misc.filter": "ngelits",
@@ -4483,8 +4483,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "rema",
 "rsa.misc.action": [
- "uatDu",
- "Allowed"
+ "Allowed",
+ "uatDu"
 ],
 "rsa.misc.category": "ent",
 "rsa.misc.filter": "iscivel",
@@ -4625,8 +4625,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "vento",
 "rsa.misc.action": [
- "reh",
- "Blocked"
+ "Blocked",
+ "reh"
 ],
 "rsa.misc.category": "atev",
 "rsa.misc.filter": "umq",
@@ -4685,8 +4685,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.29.162.157",
- "10.185.107.27"
+ "10.185.107.27",
+ "10.29.162.157"
 ],
 "rsa.db.index": "orese",
 "rsa.identity.user_dept": "orese",
@@ -4697,8 +4697,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "orinrep",
 "rsa.misc.action": [
- "Blocked",
- "squirat"
+ "squirat",
+ "Blocked"
 ],
 "rsa.misc.category": "sequa",
 "rsa.misc.filter": "orainci",
@@ -4769,8 +4769,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "odita",
 "rsa.misc.action": [
- "Blocked",
- "dqu"
+ "dqu",
+ "Blocked"
 ],
 "rsa.misc.category": "ipex",
 "rsa.misc.filter": "ine",
@@ -4841,8 +4841,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tNequepo",
 "rsa.misc.action": [
- "Allowed",
- "rmagnido"
+ "rmagnido",
+ "Allowed"
 ],
 "rsa.misc.category": "luptatem",
 "rsa.misc.filter": "deritq",
@@ -4901,8 +4901,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.91.20.27",
- "10.193.152.42"
+ "10.193.152.42",
+ "10.91.20.27"
 ],
 "rsa.db.index": "iqua",
 "rsa.identity.user_dept": "modtempo",
@@ -4913,8 +4913,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "plicab",
 "rsa.misc.action": [
- "Blocked",
- "umq"
+ "umq",
+ "Blocked"
 ],
 "rsa.misc.category": "eruntmol",
 "rsa.misc.filter": "labore",
@@ -4973,8 +4973,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.146.69.38",
- "10.55.192.102"
+ "10.55.192.102",
+ "10.146.69.38"
 ],
 "rsa.db.index": "luptatem",
 "rsa.identity.user_dept": "uame",
@@ -5201,8 +5201,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "nde",
 "rsa.misc.action": [
- "Allowed",
- "iqu"
+ "iqu",
+ "Allowed"
 ],
 "rsa.misc.category": "ametco",
 "rsa.misc.filter": "ntincul",
@@ -5261,8 +5261,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.24.23.209",
- "10.162.78.48"
+ "10.162.78.48",
+ "10.24.23.209"
 ],
 "rsa.db.index": "eabil",
 "rsa.identity.user_dept": "iumd",
@@ -5273,8 +5273,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "ereprehe",
 "rsa.misc.action": [
- "Blocked",
- "tutl"
+ "tutl",
+ "Blocked"
 ],
 "rsa.misc.category": "mip",
 "rsa.misc.filter": "umSecti",
@@ -5333,8 +5333,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.55.151.53",
- "10.211.66.68"
+ "10.211.66.68",
+ "10.55.151.53"
 ],
 "rsa.db.index": "uidolore",
 "rsa.identity.user_dept": "maveni",
@@ -5345,8 +5345,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "diconseq",
 "rsa.misc.action": [
- "umet",
- "Allowed"
+ "Allowed",
+ "umet"
 ],
 "rsa.misc.category": "ciad",
 "rsa.misc.filter": "oeiusmod",
@@ -5405,8 +5405,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.209.203.156",
- "10.110.16.169"
+ "10.110.16.169",
+ "10.209.203.156"
 ],
 "rsa.db.index": "mide",
 "rsa.identity.user_dept": "roinBCSe",
@@ -5417,8 +5417,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "iamquisn",
 "rsa.misc.action": [
- "Blocked",
- "lupta"
+ "lupta",
+ "Blocked"
 ],
 "rsa.misc.category": "uasiarch",
 "rsa.misc.filter": "usBonor",
@@ -5489,8 +5489,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "omnis",
 "rsa.misc.action": [
- "uianonnu",
- "Allowed"
+ "Allowed",
+ "uianonnu"
 ],
 "rsa.misc.category": "Excepteu",
 "rsa.misc.filter": "enimadmi",
@@ -5621,8 +5621,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.164.190.2",
- "10.223.11.164"
+ "10.223.11.164",
+ "10.164.190.2"
 ],
 "rsa.db.index": "asi",
 "rsa.identity.user_dept": "risnisiu",
@@ -5633,8 +5633,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "officiad",
 "rsa.misc.action": [
- "Allowed",
- "antium"
+ "antium",
+ "Allowed"
 ],
 "rsa.misc.category": "emoeni",
 "rsa.misc.filter": "itvo",
@@ -5693,8 +5693,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.121.181.243",
- "10.14.37.8"
+ "10.14.37.8",
+ "10.121.181.243"
 ],
 "rsa.db.index": "samnisiu",
 "rsa.identity.user_dept": "errorsi",
@@ -5705,8 +5705,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "vitaedic",
 "rsa.misc.action": [
- "rinc",
- "Blocked"
+ "Blocked",
+ "rinc"
 ],
 "rsa.misc.category": "prehende",
 "rsa.misc.filter": "rume",
@@ -5777,8 +5777,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tat",
 "rsa.misc.action": [
- "nia",
- "Blocked"
+ "Blocked",
+ "nia"
 ],
 "rsa.misc.category": "turQuis",
 "rsa.misc.filter": "nonp",
@@ -5909,8 +5909,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.176.233.249",
- "10.75.144.118"
+ "10.75.144.118",
+ "10.176.233.249"
 ],
 "rsa.db.index": "atn",
 "rsa.identity.user_dept": "aconseq",
@@ -6065,8 +6065,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "atcupi",
 "rsa.misc.action": [
- "Blocked",
- "uaUten"
+ "uaUten",
+ "Blocked"
 ],
 "rsa.misc.category": "modt",
 "rsa.misc.filter": "magnidol",
@@ -6209,8 +6209,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "issuscip",
 "rsa.misc.action": [
- "Blocked",
- "remap"
+ "remap",
+ "Blocked"
 ],
 "rsa.misc.category": "eetdolo",
 "rsa.misc.filter": "rsitam",
@@ -6281,8 +6281,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "neavolu",
 "rsa.misc.action": [
- "Blocked",
- "nofdeF"
+ "nofdeF",
+ "Blocked"
 ],
 "rsa.misc.category": "remagnam",
 "rsa.misc.filter": "maveniam",
@@ -6493,8 +6493,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "upta",
 "rsa.misc.action": [
- "uovolup",
- "Allowed"
+ "Allowed",
+ "uovolup"
 ],
 "rsa.misc.category": "todit",
 "rsa.misc.filter": "atisetq",
@@ -6549,8 +6549,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.254.119.31",
- "10.172.159.251"
+ "10.172.159.251",
+ "10.254.119.31"
 ],
 "rsa.db.index": "tor",
 "rsa.identity.user_dept": "tconsect",
@@ -6561,8 +6561,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "imadmi",
 "rsa.misc.action": [
- "tatemacc",
- "Blocked"
+ "Blocked",
+ "tatemacc"
 ],
 "rsa.misc.category": "tutlabor",
 "rsa.misc.filter": "eturad",
@@ -6621,8 +6621,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.98.126.206",
- "10.195.62.230"
+ "10.195.62.230",
+ "10.98.126.206"
 ],
 "rsa.db.index": "amqua",
 "rsa.identity.user_dept": "atatnonp",
@@ -6633,8 +6633,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "isnost",
 "rsa.misc.action": [
- "oriosa",
- "Allowed"
+ "Allowed",
+ "oriosa"
 ],
 "rsa.misc.category": "uis",
 "rsa.misc.filter": "nemul",
@@ -6693,8 +6693,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.84.140.5",
- "10.144.93.186"
+ "10.144.93.186",
+ "10.84.140.5"
 ],
 "rsa.db.index": "evolu",
 "rsa.identity.user_dept": "mull",
@@ -6765,8 +6765,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.198.84.190",
- "10.31.58.6"
+ "10.31.58.6",
+ "10.198.84.190"
 ],
 "rsa.db.index": "sec",
 "rsa.identity.user_dept": "ern",
@@ -6777,8 +6777,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "tquovo",
 "rsa.misc.action": [
- "Allowed",
- "qua"
+ "qua",
+ "Allowed"
 ],
 "rsa.misc.category": "ectet",
 "rsa.misc.filter": "lites",
@@ -6837,8 +6837,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.139.90.218",
- "10.131.81.172"
+ "10.131.81.172",
+ "10.139.90.218"
 ],
 "rsa.db.index": "tionu",
 "rsa.identity.user_dept": "icons",
@@ -6849,8 +6849,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "rrorsi",
 "rsa.misc.action": [
- "exe",
- "Allowed"
+ "Allowed",
+ "exe"
 ],
 "rsa.misc.category": "mnihi",
 "rsa.misc.filter": "consequa",
@@ -6981,8 +6981,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.217.193.148",
- "10.26.149.221"
+ "10.26.149.221",
+ "10.217.193.148"
 ],
 "rsa.db.index": "tiumdol",
 "rsa.identity.user_dept": "oloremag",
@@ -7125,8 +7125,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
 "related.ip": [
- "10.135.38.213",
- "10.119.106.108"
+ "10.119.106.108",
+ "10.135.38.213"
 ],
 "rsa.db.index": "xplic",
 "rsa.identity.user_dept": "ser",
@@ -7137,8 +7137,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "exeacomm",
 "rsa.misc.action": [
- "volup",
- "Blocked"
+ "Blocked",
+ "volup"
 ],
 "rsa.misc.category": "ten",
 "rsa.misc.filter": "ssecil",
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
index 78cf4898f9f..c1cdc030ae9 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
@@ -25,8 +25,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "",
 "rsa.misc.action": [
- "",
- ""
+ "",
+ ""
 ],
 "rsa.misc.category": "",
 "rsa.misc.filter": "", From f8097ff700ed6ec3f4541446a9205c004c200ff7 Mon Sep 17 00:00:00 2001
From: Adrian Serrano Date: Wed, 8 Jul 2020 19:35:43 +0200 Subject: [PATCH 10/19] Prefer event.action to event.category, better user.name / related.user --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../barracuda/waf/config/liblogparser.js | 22 +- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../bluecoat/director/config/liblogparser.js | 22 +- .../director/test/generated.log-expected.json | 50 +- .../module/cisco/nexus/config/liblogparser.js | 22 +- x-pack/filebeat/module/citrix/README.md | 2 +- .../citrix/virtualapps/config/liblogparser.js | 22 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../cylance/protect/config/liblogparser.js | 22 +- .../protect/test/generated.log-expected.json | 566 +++-- x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/liblogparser.js | 22 +- .../bigipapm/test/generated.log-expected.json | 141 +- .../module/f5/firepass/config/liblogparser.js | 22 +- .../firepass/test/generated.log-expected.json | 219 +- .../clientendpoint/config/liblogparser.js | 22 +- .../test/generated.log-expected.json | 1284 ++++++----- x-pack/filebeat/module/imperva/README.md | 2 +- .../securesphere/config/liblogparser.js | 22 +- .../test/generated.log-expected.json | 1872 ++++++++++------- x-pack/filebeat/module/infoblox/README.md | 2 +- .../infoblox/nios/config/liblogparser.js | 22 +- .../nios/test/generated.log-expected.json | 11 +- x-pack/filebeat/module/juniper/README.md | 2 +- .../juniper/junos/config/liblogparser.js | 22 +- x-pack/filebeat/module/kaspersky/README.md | 2 +- .../kaspersky/av/config/liblogparser.js | 22 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../microsoft/dhcp/config/liblogparser.js | 22 +- x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/config/liblogparser.js | 22 +- .../test/generated.log-expected.json | 227 +- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/config/liblogparser.js | 22 +- x-pack/filebeat/module/rapid7/README.md | 2 +- 
.../rapid7/nexpose/config/liblogparser.js | 22 +- .../nexpose/test/generated.log-expected.json | 16 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/liblogparser.js | 22 +- .../firewall/test/general.log-expected.json | 36 +- .../firewall/test/generated.log-expected.json | 151 +- x-pack/filebeat/module/squid/README.md | 2 +- .../module/squid/log/config/liblogparser.js | 22 +- .../squid/log/test/access1.log-expected.json | 1448 ++++++++----- .../squid/log/test/access2.log-expected.json | 1284 ++++++----- .../squid/log/test/access3.log-expected.json | 1450 ++++++++----- .../squid/log/test/access4.log-expected.json | 1530 ++++++++------ x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/liblogparser.js | 22 +- x-pack/filebeat/module/tomcat/README.md | 2 +- .../module/tomcat/log/config/liblogparser.js | 22 +- .../log/test/generated.log-expected.json | 700 +++--- x-pack/filebeat/module/zscaler/README.md | 2 +- .../module/zscaler/zia/config/liblogparser.js | 22 +- .../zia/test/generated.log-expected.json | 1480 +++++++------ .../zscaler/zia/test/test.log-expected.json | 11 +- 57 files changed, 7794 insertions(+), 5180 deletions(-) diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md index b911b532666..a0237a37925 100644 --- a/x-pack/filebeat/module/barracuda/README.md +++ b/x-pack/filebeat/module/barracuda/README.md @@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 -at 2020-07-08 16:41:58.132104 +0000 UTC. +at 2020-07-08 17:36:24.677398 +0000 UTC. diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js +++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
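Review bot: `action` now writes event.action with fld_append, so a single value is emitted as a one-element array (the bluecoat expected output later in this commit shows `"event.action": ["accept"]`), and because `event_type` in hunk @@ -957 appends to the same field, an event carrying both RSA keys gets a two-element event.action. ECS defines event.action as a single keyword (event.category is the array-valued field), so consumers that read it as a scalar see a shape change, and if fld_append does not de-duplicate, an identical action/event_type pair would be stored twice. If the intent is "prefer action, fall back to event_type", the priority setter already used for host.ip expresses that without an array: `"action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},` and `"event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},` (assuming fld_prio keeps the lowest prio, as the host.ip entries suggest). The same two lines appear in the bluecoat/director, cisco/nexus and citrix/virtualapps copies of liblogparser.js in this commit (identical blobs 560f07e7e5d..cc84a62db72), so the change belongs in whatever source these copies are produced from. The enclosing `ecs_mappings` object starts and ends outside the hunk.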
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md
index 10c5b4679fa..2dc864e6b23 100644
--- a/x-pack/filebeat/module/bluecoat/README.md
+++ b/x-pack/filebeat/module/bluecoat/README.md
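Review bot: The user.name precedence is encoded as bare `prio` numbers 0–8 spread over five hunks (@@ -916, @@ -925, @@ -982, @@ -1015 and this one) with nothing stating the intended order, so a later edit can silently invert it; a comment above the `"user"` entry would pin it: `// user.name precedence, lowest prio wins (assuming fld_prio keeps the lowest): user, username, c_username, uid, administrator, logon_id, owner, service_account, c_user_name; every source is also appended to related.user`. Separately, `uid` (prio 3) here and `logon_id` (prio 5) in hunk @@ -982 now feed user.name while `c_logon_id` in hunk @@ -925 goes to user.id, so an event carrying only one of the former would present an identifier as the user's name; if those RSA keys hold identifiers rather than names in these sources, routing them to user.id and related.user instead is worth a check. The same lines appear in the bluecoat/director, cisco/nexus and citrix/virtualapps copies of liblogparser.js in this commit. The enclosing `ecs_mappings` object starts and ends outside the hunk.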
@@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0
-at 2020-07-08 16:41:59.714051 +0000 UTC.
+at 2020-07-08 17:36:26.328734 +0000 UTC.
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
index 560f07e7e5d..cc84a62db72 100644
--- a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
+++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json
index 2e02578175e..7c9b76998c5 100644
--- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json
@@ -105,7 +105,9 @@
 ]
 },
 {
- "event.action": "accept",
+ "event.action": [
+ "accept"
+ ],
 "event.code": "heartbeat",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -349,7 +351,9 @@
 ]
 },
 {
- "event.action": "accept",
+ "event.action": [
+ "accept"
+ ],
 "event.code": "configd",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -361,6 +365,9 @@
 "observer.product": "Director",
 "observer.type": "Configuration",
 "observer.vendor": "Bluecoat",
+ "related.user": [
+ "itaut"
+ ],
 "rsa.internal.messageid": "configd",
 "rsa.misc.action": [
 "accept"
@@ -372,9 +379,7 @@
 "bluecoat.director",
 "forwarded"
 ],
- "user.name": [
- "itaut"
- ]
+ "user.name": "itaut"
 },
 {
 "event.code": "authd",
@@ -439,7 +444,9 @@
 ]
 },
 {
- "event.action": "deny",
+ "event.action": [
+ "deny"
+ ],
 "event.code": "heartbeat",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -637,7 +644,9 @@
 ]
 },
 {
- "event.action": "allow",
+ "event.action": [
+ "allow"
+ ],
 "event.code": "runner",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -728,7 +737,9 @@
 ]
 },
 {
- "event.action": "cancel",
+ "event.action": [
+ "cancel"
+ ],
 "event.code": "configd",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -740,6 +751,9 @@
 "observer.product": "Director",
 "observer.type": "Configuration",
 "observer.vendor": "Bluecoat",
+ "related.user": [
+ "sperna"
+ ],
 "rsa.internal.messageid": "configd",
 "rsa.misc.action": [
 "cancel"
@@ -751,9 +765,7 @@
 "bluecoat.director",
 "forwarded"
 ],
- "user.name": [
- "sperna"
- ]
+ "user.name": "sperna"
 },
 {
 "event.code": "auditd",
@@ -1203,7 +1215,9 @@
 ]
 },
 {
- "event.action": "accept",
+ "event.action": [
+ "accept"
+ ],
 "event.code": "configd",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -1299,7 +1313,9 @@
 ]
 },
 {
- "event.action": "accept",
+ "event.action": [
+ "accept"
+ ],
 "event.code": "heartbeat",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -1672,7 +1688,9 @@
 ]
 },
 {
- "event.action": "cancel",
+ "event.action": [
+ "cancel"
+ ],
 "event.code": "heartbeat",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
@@ -2027,7 +2045,9 @@
 ]
 },
 {
- "event.action": "block",
+ "event.action": [
+ "block"
+ ],
 "event.code": "heartbeat",
 "event.dataset": "bluecoat.director",
 "event.module": "bluecoat",
diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
index 560f07e7e5d..cc84a62db72 100644
--- a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
+++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md
index a3ae2a09e18..0c3088e6257 100644
--- a/x-pack/filebeat/module/citrix/README.md
+++ b/x-pack/filebeat/module/citrix/README.md
@@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79
-at 2020-07-08 16:42:00.681124 +0000 UTC.
+at 2020-07-08 17:36:27.271805 +0000 UTC.
diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
index 560f07e7e5d..cc84a62db72 100644
--- a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
+++ b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
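Review bot: The `event_type` remapping in the second hunk (@@ -957) removes the only writer of `event.category` in this table, so events from this module carry no `event.category` unless the fileset's ingest pipeline assigns one; ECS-based detection rules and dashboards commonly filter on that field, so it is worth confirming a valid category is set elsewhere (the vendor strings it used to receive, such as "ZoneAdd", were never allowed ECS category values, so dropping them from `event.category` is right). Because `action` (@@ -916) and `event_type` now both `fld_append` into `event.action`, the resulting array mixes a verb like "accept" with a vendor event name like "fullaccess" and its order follows processing order, as the updated expected fixtures show; a comment on the `event_type` entry such as `// vendor event name; appended to event.action alongside "action", order follows processing order` would help the next reader. The identical hunks appear again in the cylance copy of liblogparser.js later in this patch; the `ecs_mappings` object starts and ends outside the hunk.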
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md
index 44dfa9f8f30..b072b57b46e 100644
--- a/x-pack/filebeat/module/cylance/README.md
+++ b/x-pack/filebeat/module/cylance/README.md
@@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127
-at 2020-07-08 16:42:00.945621 +0000 UTC.
+at 2020-07-08 17:36:27.498771 +0000 UTC.
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
index 560f07e7e5d..cc84a62db72 100644
--- a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
+++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
index 3470886bbe5..de04895bc21 100644
--- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
@@ -1,7 +1,9 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -35,7 +37,9 @@ }, { "@timestamp": "2016-02-12T03:12:33.000Z", - "event.category": "LoginSuccess", + "event.action": [ + "LoginSuccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -68,7 +72,9 @@ }, { "@timestamp": "2020-02-26T10:15:08.000Z", - "event.category": "DeviceEdit", + "event.action": [ + "DeviceEdit" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -97,7 +103,9 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -112,6 +120,9 @@ "related.ip": [ "10.164.119.63" ], + "related.user": [ + "gelit" + ], "rsa.db.index": "dquiac", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, @@ -133,13 +144,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "gelit" - ] + "user.name": "gelit" }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -154,6 +165,9 @@ "related.ip": [ "10.155.162.162" ], + "related.user": [ + "quid" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, "rsa.investigations.event_cat_name": "System", 
@@ -174,13 +188,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "quid" - ] + "user.name": "quid" }, { "@timestamp": "2020-04-09T07:22:51.000Z", - "event.category": "ThreatUpdated", + "event.action": [ + "ThreatUpdated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -212,7 +226,9 @@ }, { "@timestamp": "2020-04-24T14:25:25.000Z", - "event.category": "Device Policy Assigned", + "event.action": [ + "Device Policy Assigned" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -243,7 +259,9 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "event.category": "Registration", + "event.action": [ + "Registration" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -258,6 +276,9 @@ "related.ip": [ "10.215.110.141" ], + "related.user": [ + "nibus" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", @@ -278,13 +299,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "nibus" - ] + "user.name": "nibus" }, { "@timestamp": "2020-05-22T04:30:33.000Z", - "event.category": "PolicyAdd", + "event.action": [ + "PolicyAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -314,7 +335,9 @@ }, { "@timestamp": "2016-06-05T11:33:08.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -345,7 +368,9 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -376,7 +401,9 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.category": "DeviceRemove", + "event.action": [ + "DeviceRemove" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -411,7 +438,9 @@ }, { "@timestamp": "2016-07-18T08:40:50.000Z", - "event.category": "LoginSuccess", + "event.action": [ + "LoginSuccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -445,7 +474,9 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "event.category": "pechange", + "event.action": [ + "pechange" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -478,7 +509,9 @@ }, { "@timestamp": "2019-08-16T10:45:59.000Z", - "event.category": "Device Policy Assigned", + "event.action": [ + "Device Policy Assigned" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -493,6 +526,9 @@ "related.ip": [ "10.238.164.29" ], + "related.user": [ + "sequam" + ], "rsa.db.index": "ris", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502000000, @@ -513,13 +549,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "sequam" - ] + "user.name": "sequam" }, { "@timestamp": "2019-08-30T05:48:33.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -547,7 +583,9 @@ }, { "@timestamp": "2019-09-13T12:51:07.000Z", - "event.category": "LoginSuccess", + "event.action": [ + "LoginSuccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -578,7 +616,9 @@ }, { "@timestamp": "2019-09-28T07:53:42.000Z", - "event.category": "Device Policy Assigned", + "event.action": [ + "Device Policy Assigned" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -606,8 +646,10 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "event.action": "accept", - "event.category": "fullaccess", + "event.action": [ + "accept", + "fullaccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -649,7 +691,9 @@ }, { "@timestamp": "2016-10-26T09:58:50.000Z", - "event.category": "threat_changed", + "event.action": [ + "threat_changed" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -683,7 +727,9 @@ }, { "@timestamp": "2016-11-10T05:01:24.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -714,8 +760,10 @@ }, { "@timestamp": "2016-11-24T12:03:59.000Z", - "event.action": "block", - "event.category": "DeviceEdit", + "event.action": [ + "block", + "DeviceEdit" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -757,7 +805,9 @@ }, { "@timestamp": "2016-12-08T07:06:33.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -791,7 +841,9 @@ }, { "@timestamp": "2016-12-23T14:09:07.000Z", - "event.category": "Registration", + "event.action": [ + "Registration" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -806,6 +858,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.1645", + "related.user": [ + "commodo" + ], "rsa.db.index": "entorev", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -822,13 +877,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "commodo" - ] + "user.name": "commodo" }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "event.category": "PolicyAdd", + "event.action": [ + "PolicyAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -862,7 +917,9 @@ }, { "@timestamp": "2017-01-20T04:14:16.000Z", - "event.category": "ZoneAddDevice", + "event.action": [ + "ZoneAddDevice" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -895,7 +952,9 @@ }, { "@timestamp": "2017-02-03T11:16:50.000Z", - "event.category": "pechange", + "event.action": [ + "pechange" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -929,8 +988,10 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.action": "deny", - "event.category": "LoginSuccess", + "event.action": [ + "LoginSuccess", + "deny" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -972,7 +1033,9 @@ }, { "@timestamp": "2017-03-04T13:21:59.000Z", - "event.category": "Alert", + "event.action": [ + "Alert" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1006,7 +1069,9 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "event.category": "DeviceEdit", + "event.action": [ + "DeviceEdit" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1041,7 +1106,9 @@ }, { "@timestamp": "2017-04-02T03:27:07.000Z", - "event.category": "Alert", + "event.action": [ + "Alert" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1075,7 +1142,9 @@ }, { "@timestamp": "2020-04-16T10:29:41.000Z", - "event.category": "Device Policy Assigned", + "event.action": [ + "Device Policy Assigned" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1105,7 +1174,9 @@ }, { "@timestamp": "2020-04-30T05:32:16.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1135,7 +1206,9 @@ }, { "@timestamp": "2017-05-14T12:34:50.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1167,7 +1240,9 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.category": "LoginSuccess", + "event.action": [ + "LoginSuccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1199,7 +1274,9 @@ }, { "@timestamp": "2020-06-12T14:39:58.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1229,7 +1306,9 @@ }, { "@timestamp": "2017-06-26T09:42:33.000Z", - "event.category": "PolicyAdd", + "event.action": [ + "PolicyAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1262,8 +1341,10 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "event.action": "allow", - "event.category": "Device Policy Assigned", + "event.action": [ + "allow", + "Device Policy Assigned" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1280,6 +1361,9 @@ "related.ip": [ "10.169.5.162" ], + "related.user": [ + "cillumd" + ], "rsa.db.index": "tNe", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502000000, 
@@ -1303,14 +1387,14 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "cillumd" - ] + "user.name": "cillumd" }, { "@timestamp": "2017-07-25T11:47:41.000Z", - "event.action": "cancel", - "event.category": "SystemSecurity", + "event.action": [ + "cancel", + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1352,7 +1436,9 @@ }, { "@timestamp": "2017-08-08T06:50:15.000Z", - "event.category": "PolicyAdd", + "event.action": [ + "PolicyAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1382,7 +1468,9 @@ }, { "@timestamp": "2017-08-22T13:52:50.000Z", - "event.category": "Registration", + "event.action": [ + "Registration" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1414,8 +1502,10 @@ }, { "@timestamp": "2017-09-06T08:55:24.000Z", - "event.action": "accept", - "event.category": "threat_quarantined", + "event.action": [ + "accept", + "threat_quarantined" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1457,7 +1547,9 @@ }, { "@timestamp": "2019-09-20T03:57:58.000Z", - "event.category": "DeviceRemove", + "event.action": [ + "DeviceRemove" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1471,6 +1563,9 @@ "related.ip": [ "10.14.74.218" ], + "related.user": [ + "Nemoenim" + ], "rsa.db.index": "labori", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, @@ -1489,13 +1584,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "Nemoenim" - ] + "user.name": "Nemoenim" }, { "@timestamp": "2019-10-04T11:00:32.000Z", - "event.category": "ThreatUpdated", + "event.action": [ + "ThreatUpdated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1528,7 +1623,9 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "event.category": "DeviceEdit", + "event.action": [ + "DeviceEdit" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1562,7 +1659,9 @@ }, { "@timestamp": "2017-11-02T13:05:41.000Z", - "event.category": "threat_changed", + "event.action": [ + "threat_changed" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1593,7 +1692,9 @@ }, { "@timestamp": "2019-11-16T08:08:15.000Z", - "event.category": "ZoneAddDevice", + "event.action": [ + "ZoneAddDevice" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1626,7 +1727,9 @@ }, { "@timestamp": "2019-12-01T03:10:49.000Z", - "event.category": "PolicyAdd", + "event.action": [ + "PolicyAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1655,7 +1758,9 @@ }, { "@timestamp": "2019-12-15T10:13:24.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1687,7 +1792,9 @@ }, { "@timestamp": "2017-12-29T05:15:58.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1721,7 +1828,9 @@ }, { "@timestamp": "2018-01-12T12:18:32.000Z", - "event.category": "Device Updated", + "event.action": [ + "Device Updated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1750,7 +1859,9 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1783,7 +1894,9 @@ }, { "@timestamp": "2020-02-10T14:23:41.000Z", - "event.category": "threat_quarantined", + "event.action": [ + "threat_quarantined" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1817,8 +1930,10 @@ }, { "@timestamp": "2018-02-24T21:26:15.000Z", - "event.action": "block", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd", + "block" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1860,7 +1975,9 @@ }, { "@timestamp": "2018-03-11T04:28:49.000Z", - "event.category": "fullaccess", + "event.action": [ + "fullaccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1875,6 +1992,9 @@ "related.ip": [ "10.186.8.127" ], + "related.user": [ + "boreet" + ], "rsa.db.index": "ento", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1896,14 +2016,14 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "boreet" - ] + "user.name": "boreet" }, { "@timestamp": "2020-03-25T11:31:24.000Z", - "event.action": "block", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity", + "block" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1919,6 +2039,9 @@ "related.ip": [ "10.202.89.144" ], + "related.user": [ + "iarchite" + ], "rsa.db.index": "ueporroq", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, @@ -1939,13 +2062,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "iarchite" - ] + "user.name": "iarchite" }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1979,7 +2102,9 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "event.category": "DeviceEdit", + "event.action": [ + "DeviceEdit" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2012,7 +2137,9 @@ }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2043,7 +2170,9 @@ }, { "@timestamp": "2018-05-21T03:41:41.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2078,7 +2207,9 @@ }, { "@timestamp": "2018-06-04T10:44:15.000Z", - "event.category": "Registration", + "event.action": [ + "Registration" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2116,7 +2247,9 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "event.category": "pechange", + "event.action": [ + "pechange" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2151,7 +2284,9 @@ }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "event.category": "threat_changed", + "event.action": [ + "threat_changed" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2181,8 +2316,10 @@ }, { "@timestamp": "2018-07-17T07:51:58.000Z", - "event.action": "accept", - "event.category": "ZoneAddDevice", + "event.action": [ + "ZoneAddDevice", + "accept" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2199,6 +2336,9 @@ "related.ip": [ "10.221.20.165" ], + "related.user": [ + "reseo" + ], "rsa.db.index": "ons", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2222,13 +2362,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "reseo" - ] + "user.name": "reseo" }, { "@timestamp": "2018-08-01T14:54:32.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2243,6 +2383,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.5334", + "related.user": [ + "dipi" + ], "rsa.db.index": "bori", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2259,13 +2402,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "dipi" - ] + "user.name": "dipi" }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "event.category": "threat_quarantined", + "event.action": [ + "threat_quarantined" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2280,6 +2423,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3772", + "related.user": [ + "ciatisun" + ], "rsa.db.index": "quira", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2297,14 +2443,14 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "ciatisun" - ] + "user.name": "ciatisun" }, { "@timestamp": "2019-08-29T04:59:40.000Z", - "event.action": "deny", - "event.category": "threat_changed", + "event.action": [ + "threat_changed", + "deny" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2321,6 +2467,9 @@ "related.ip": [ "10.152.213.228" ], + "related.user": [ + "temp" + ], "rsa.db.index": "ali", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2343,13 +2492,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "temp" - ] + "user.name": "temp" }, { "@timestamp": "2018-09-12T12:02:15.000Z", - "event.category": "LoginSuccess", + "event.action": [ + "LoginSuccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2382,7 +2531,9 @@ }, { "@timestamp": "2018-09-27T07:04:49.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2397,6 +2548,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.7696", + "related.user": [ + "taliqu" + ], "rsa.db.index": "xeaco", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2413,13 +2567,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "taliqu" - ] + "user.name": "taliqu" }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2448,7 +2602,9 @@ }, { "@timestamp": "2018-10-25T09:09:57.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2482,8 +2638,10 @@ }, { "@timestamp": "2019-11-09T04:12:32.000Z", - "event.action": "accept", - "event.category": "DeviceRemove", + "event.action": [ + "accept", + "DeviceRemove" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2500,6 +2658,9 @@ "related.ip": [ "10.94.129.251" ], + "related.user": [ + "porinc" + ], "rsa.db.index": "quiado", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, 
@@ -2522,13 +2683,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "porinc" - ] + "user.name": "porinc" }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2561,7 +2722,9 @@ }, { "@timestamp": "2019-12-07T06:17:40.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2575,6 +2738,9 @@ "related.ip": [ "10.205.246.104" ], + "related.user": [ + "mto" + ], "rsa.db.index": "dent", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2593,13 +2759,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "mto" - ] + "user.name": "mto" }, { "@timestamp": "2018-12-21T13:20:14.000Z", - "event.category": "ZoneAdd", + "event.action": [ + "ZoneAdd" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2633,7 +2799,9 @@ }, { "@timestamp": "2020-01-05T08:22:49.000Z", - "event.category": "ThreatUpdated", + "event.action": [ + "ThreatUpdated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2668,7 +2836,9 @@ }, { "@timestamp": "2020-01-19T03:25:23.000Z", - "event.category": "threat_quarantined", + "event.action": [ + "threat_quarantined" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2702,7 +2872,9 @@ }, { "@timestamp": "2020-02-02T10:27:57.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -2733,8 +2905,10 @@ }, { "@timestamp": "2019-02-17T05:30:32.000Z", - "event.action": "block", - "event.category": "LoginSuccess", + "event.action": [ + "block", + "LoginSuccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2776,7 +2950,9 @@ }, { "@timestamp": "2019-03-03T12:33:06.000Z", - "event.category": "Device Updated", + "event.action": [ + "Device Updated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2791,6 +2967,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.4566", + "related.user": [ + "nostrude" + ], "rsa.db.index": "itati", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, @@ -2808,13 +2987,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "nostrude" - ] + "user.name": "nostrude" }, { "@timestamp": "2019-03-17T07:35:40.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2845,7 +3024,9 @@ }, { "@timestamp": "2020-04-01T14:38:14.000Z", - "event.category": "DeviceRemove", + "event.action": [ + "DeviceRemove" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2872,7 +3053,9 @@ }, { "@timestamp": "2020-04-15T09:40:49.000Z", - "event.category": "threat_found", + "event.action": [ + "threat_found" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2902,8 +3085,10 @@ }, { "@timestamp": "2019-04-29T04:43:23.000Z", - "event.action": "allow", - "event.category": "Registration", + "event.action": [ + "allow", + "Registration" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -2920,6 +3105,9 @@ "related.ip": [ "10.59.33.174" ], + "related.user": [ + "mcorp" + ], "rsa.db.index": "aperiam", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2943,13 +3131,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "mcorp" - ] + "user.name": "mcorp" }, { "@timestamp": "2020-05-13T11:45:57.000Z", - "event.category": "DeviceRemove", + "event.action": [ + "DeviceRemove" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2976,7 +3164,9 @@ }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "event.category": "threat_changed", + "event.action": [ + "threat_changed" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3008,7 +3198,9 @@ }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.category": "fullaccess", + "event.action": [ + "fullaccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3042,7 +3234,9 @@ }, { "@timestamp": "2019-06-25T08:53:40.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3076,7 +3270,9 @@ }, { "@timestamp": "2019-07-10T03:56:14.000Z", - "event.category": "pechange", + "event.action": [ + "pechange" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3107,7 +3303,9 @@ }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.category": "ThreatUpdated", + "event.action": [ + "ThreatUpdated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3142,7 +3340,9 @@ }, { "@timestamp": "2019-08-07T06:01:23.000Z", - "event.category": "ThreatUpdated", + "event.action": [ + "ThreatUpdated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -3179,7 +3379,9 @@ }, { "@timestamp": "2019-08-21T13:03:57.000Z", - "event.category": "Alert", + "event.action": [ + "Alert" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3216,7 +3418,9 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.category": "threat_changed", + "event.action": [ + "threat_changed" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3231,6 +3435,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.1903", + "related.user": [ + "officiad" + ], "rsa.db.index": "aliqua", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -3247,13 +3454,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "officiad" - ] + "user.name": "officiad" }, { "@timestamp": "2019-09-19T03:09:05.000Z", - "event.category": "Device Updated", + "event.action": [ + "Device Updated" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3287,7 +3494,9 @@ }, { "@timestamp": "2019-10-03T10:11:40.000Z", - "event.category": "fullaccess", + "event.action": [ + "fullaccess" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3321,7 +3530,9 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3336,6 +3547,9 @@ "related.ip": [ "10.234.254.96" ], + "related.user": [ + "orem" + ], "rsa.db.index": "isaute", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -3357,13 +3571,13 @@ "cylance.protect", "forwarded" ], - "user.name": [ - "orem" - ] + "user.name": "orem" }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.category": "threat_changed", + "event.action": [ + "threat_changed" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3394,7 +3608,9 @@ }, { "@timestamp": "2019-11-15T07:19:22.000Z", - "event.category": "SyslogSettingsSave", + "event.action": [ + "SyslogSettingsSave" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3426,7 +3642,9 @@ }, { "@timestamp": "2019-11-30T14:21:57.000Z", - "event.category": "SystemSecurity", + "event.action": [ + "SystemSecurity" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3461,7 +3679,9 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.category": "DeviceEdit", + "event.action": [ + "DeviceEdit" + ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index 7f6e97b7aac..b3549a4bf7a 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 16:41:59.269658 +0000 UTC. +at 2020-07-08 17:36:25.84226 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
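Review bot: With `action` switched to `fld_append` here and `event_type` switched to `fld_append` in the `-957` hunk below, a message that carries both fields ends up with a two-element `event.action` array whose element order follows the order in which the parser met the fields; the cylance fixtures in this commit show both `["ZoneAdd", "block"]` and `["block", "LoginSuccess"]`. ECS documents `event.action` as a single keyword value, so detection rules or visualisations that read it as a scalar will now see an array whose first element is not stable between messages. If the motivation is that vendor event types such as `DeviceEdit` are not legal `event.category` values, a comment on the `action` entry should say so, e.g. `// action and event_type are both appended to event.action; element order follows the message`. The firepass copy of this file changes the same two entries identically, so the comment (or a fix) belongs in the shared source these copies appear to be generated from.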
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
index 695fe1e432a..2808282c121 100644
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
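Review bot: The `user.name` priority ranking that this and the earlier hunks introduce (`user` 0, `username` 1, `c_username` 2, `uid` 3, `administrator` 4, `logon_id` 5, `owner` 6, `service_account` 7, `c_user_name` 8) is not explained anywhere in the diff, and `fld_prio` is defined outside these hunks, so a reader cannot tell from here whether the lowest or the highest number wins. A one-line comment above the first ranked entry would settle that, e.g. `// user.name: fld_prio keeps the entry with the lowest prio; RSA user fields are ranked below from most to least authoritative` (adjusted if the highest prio wins). The spread between `c_username` (2) and `c_user_name` (8) deserves a word too, since the two keys differ only by an underscore. The firepass copy of this file carries the same ranking.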
@@ -13,6 +13,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 6720, + "related.user": [ + "abo" + ], "rsa.internal.messageid": "01490106", "rsa.misc.log_session_id": "sequa", "rsa.misc.result": "success", @@ -23,9 +26,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "abo" - ] + "user.name": "abo" }, { "@timestamp": "2016-02-12T15:12:33.000Z", @@ -91,6 +92,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 5738, + "related.user": [ + "ccaecat" + ], "rsa.db.index": "veleumi", "rsa.internal.messageid": "crond", "rsa.misc.client": "crond", @@ -101,9 +105,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "ccaecat" - ] + "user.name": "ccaecat" }, { "@timestamp": "2016-03-26T12:20:16.000Z", @@ -282,7 +284,9 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "01490514", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -311,7 +315,9 @@ }, { "@timestamp": "2016-07-18T20:40:50.000Z", - "event.action": "cancel", + "event.action": [ + "cancel" + ], "event.code": "CROND", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -324,6 +330,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 1675, + "related.user": [ + "sitvolup" + ], "rsa.internal.messageid": "CROND", "rsa.misc.action": [ "cancel" @@ -336,9 +345,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "sitvolup" - ] + "user.name": "sitvolup" }, { "@timestamp": "2016-08-02T03:43:25.000Z", @@ -361,8 +368,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.225.160.182", - "10.204.123.107" + "10.204.123.107", + "10.225.160.182" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", @@ -466,6 +473,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 5983, + "related.user": [ + "tenimad" + ], "rsa.internal.messageid": "01490103", "rsa.misc.log_session_id": "tse", "rsa.misc.severity": "very-high", 
@@ -475,9 +485,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "tenimad" - ] + "user.name": "tenimad" }, { "@timestamp": "2016-10-12T14:56:16.000Z", @@ -518,6 +526,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 4946, + "related.user": [ + "reetdol" + ], "rsa.internal.messageid": "01490106", "rsa.misc.log_session_id": "itecto", "rsa.misc.result": "success", @@ -528,9 +539,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "reetdol" - ] + "user.name": "reetdol" }, { "@timestamp": "2016-11-10T05:01:24.000Z", @@ -702,7 +711,9 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "01490106", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -715,6 +726,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 5270, + "related.user": [ + "strude" + ], "rsa.internal.messageid": "01490106", "rsa.misc.action": [ "allow" @@ -728,9 +742,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "strude" - ] + "user.name": "strude" }, { "@timestamp": "2017-03-04T13:21:59.000Z", @@ -803,6 +815,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 7589, + "related.user": [ + "tob" + ], "rsa.db.index": "itempo", "rsa.internal.messageid": "01490107", "rsa.misc.log_session_id": "mag", @@ -814,9 +829,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "tob" - ] + "user.name": "tob" }, { "@timestamp": "2017-04-16T10:29:41.000Z", @@ -832,6 +845,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 5899, + "related.user": [ + "iqua" + ], "rsa.internal.messageid": "01490107", "rsa.misc.log_session_id": "mvolupta", "rsa.misc.result": "unknown", @@ -843,9 +859,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "iqua" - ] + "user.name": "iqua" }, { "@timestamp": "2017-04-30T17:32:16.000Z", 
@@ -893,7 +907,9 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.action": "accept", + "event.action": [ + "accept" + ], "event.code": "01490514", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -1960,7 +1976,9 @@ }, { "@timestamp": "2019-01-19T15:25:23.000Z", - "event.action": "block", + "event.action": [ + "block" + ], "event.code": "crond", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -1973,6 +1991,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 4071, + "related.user": [ + "iconsequ" + ], "rsa.internal.messageid": "crond", "rsa.misc.action": [ "block" @@ -1985,9 +2006,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "iconsequ" - ] + "user.name": "iconsequ" }, { "@timestamp": "2019-02-02T22:27:57.000Z", @@ -2145,7 +2164,9 @@ }, { "@timestamp": "2019-04-29T16:43:23.000Z", - "event.action": "cancel", + "event.action": [ + "cancel" + ], "event.code": "CROND", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -2158,6 +2179,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 2977, + "related.user": [ + "emac" + ], "rsa.internal.messageid": "CROND", "rsa.misc.action": [ "cancel" @@ -2170,9 +2194,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "emac" - ] + "user.name": "emac" }, { "@timestamp": "2019-05-13T23:45:57.000Z", @@ -2210,6 +2232,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 7733, + "related.user": [ + "equuntur" + ], "rsa.internal.messageid": "01490106", "rsa.misc.log_session_id": "tura", "rsa.misc.result": "success", @@ -2220,9 +2245,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "equuntur" - ] + "user.name": "equuntur" }, { "@timestamp": "2019-06-11T13:51:06.000Z", @@ -2365,6 +2388,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 613, + "related.user": [ + "xplicabo" + ], "rsa.internal.messageid": "01490019", "rsa.misc.disposition": " Successful", "rsa.misc.log_session_id": "suscipi", 
@@ -2375,9 +2401,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "xplicabo" - ] + "user.name": "xplicabo" }, { "@timestamp": "2019-09-05T08:06:31.000Z", @@ -2453,7 +2477,9 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "Rule", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -2466,6 +2492,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 71, + "related.user": [ + "aecon" + ], "rsa.internal.event_desc": "qui", "rsa.internal.messageid": "Rule", "rsa.misc.action": [ @@ -2481,9 +2510,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "aecon" - ] + "user.name": "aecon" }, { "@timestamp": "2019-11-01T12:16:48.000Z", @@ -2523,6 +2550,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 3538, + "related.user": [ + "texp" + ], "rsa.internal.messageid": "01490019", "rsa.misc.disposition": " Successful", "rsa.misc.log_session_id": "orisnis", @@ -2533,9 +2563,7 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "texp" - ] + "user.name": "texp" }, { "@timestamp": "2019-11-30T02:21:57.000Z", @@ -2564,7 +2592,9 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "01490106", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -2577,6 +2607,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 2121, + "related.user": [ + "oditem" + ], "rsa.internal.messageid": "01490106", "rsa.misc.action": [ "allow" @@ -2590,8 +2623,6 @@ "f5.bigipapm", "forwarded" ], - "user.name": [ - "oditem" - ] + "user.name": "oditem" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
index b8c0c6992eb..9803cc9edcb 100644
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
@@ -65,6 +65,9 @@ "related.ip": [ "10.36.11.87" ], + "related.user": [ + "uii" + ], "rsa.internal.messageid": "sshd", "rsa.time.event_time": "2020-02-26T22:15:08.000Z", "service.type": "f5", @@ -76,9 +79,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "uii" - ] + "user.name": "uii" }, { "event.code": "firepass", @@ -92,6 +93,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "quipexe" + ], "rsa.internal.messageid": "firepass", "rsa.investigations.ec_activity": "Stop", "rsa.investigations.ec_subject": "Service", @@ -103,9 +107,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "quipexe" - ] + "user.name": "quipexe" }, { "destination.ip": [ @@ -124,6 +126,9 @@ "related.ip": [ "10.194.156.105" ], + "related.user": [ + "uidolor" + ], "rsa.internal.messageid": "NetworkAccess", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", @@ -133,9 +138,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "uidolor" - ] + "user.name": "uidolor" }, { "event.code": "EndpointSecurity", @@ -257,6 +260,9 @@ "related.ip": [ "10.37.126.205" ], + "related.user": [ + "rad" + ], "rsa.internal.messageid": "sshd", "service.type": "f5", "source.ip": [ @@ -267,9 +273,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "rad" - ] + "user.name": "rad" }, { "event.code": "httpd", @@ -282,15 +286,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "isetq" + ], "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "isetq" - ] + "user.name": "isetq" }, { "event.code": "firepass", @@ -303,6 +308,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "onev" + ], "rsa.internal.messageid": "firepass", "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "service.type": "f5", 
@@ -311,9 +319,7 @@ "forwarded" ], "url.original": "https://www5.example.com/aquaeabi/giatq.html?veleumi=tia#enim", - "user.name": [ - "onev" - ] + "user.name": "onev" }, { "event.code": "heartbeat", @@ -346,15 +352,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "anim" + ], "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "anim" - ] + "user.name": "anim" }, { "event.code": "kernel", @@ -432,6 +439,9 @@ "related.ip": [ "10.37.79.163" ], + "related.user": [ + "riat" + ], "rsa.internal.messageid": "sshd", "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "service.type": "f5", @@ -443,9 +453,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "riat" - ] + "user.name": "riat" }, { "event.code": "ntpd", @@ -504,6 +512,9 @@ "related.ip": [ "10.159.182.171" ], + "related.user": [ + "qua" + ], "rsa.internal.messageid": "sshd", "service.type": "f5", "source.ip": [ @@ -514,9 +525,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "qua" - ] + "user.name": "qua" }, { "event.code": "sshd", @@ -532,6 +541,9 @@ "related.ip": [ "10.206.197.113" ], + "related.user": [ + "oll" + ], "rsa.internal.messageid": "sshd", "service.type": "f5", "source.ip": [ @@ -542,9 +554,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "oll" - ] + "user.name": "oll" }, { "event.code": "Miscellaneous", @@ -557,6 +567,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "taevi" + ], "rsa.internal.messageid": "Miscellaneous", "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "service.type": "f5", @@ -564,12 +577,12 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "taevi" - ] + "user.name": "taevi" }, { - "event.action": "started", + "event.action": [ + "started" + ], "event.code": "snmp", "event.dataset": "f5.firepass", "event.module": "f5", 
@@ -606,6 +619,9 @@ "related.ip": [ "10.0.3.58" ], + "related.user": [ + "labor" + ], "rsa.internal.messageid": "sshd", "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "service.type": "f5", @@ -617,9 +633,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "labor" - ] + "user.name": "labor" }, { "event.code": "GarbageCollection", @@ -654,6 +668,9 @@ "related.ip": [ "10.169.144.147" ], + "related.user": [ + "ist" + ], "rsa.internal.messageid": "sshd", "service.type": "f5", "source.ip": [ @@ -664,9 +681,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "ist" - ] + "user.name": "ist" }, { "event.code": "kernel", @@ -792,7 +807,9 @@ ] }, { - "event.action": "block", + "event.action": [ + "block" + ], "event.code": "security", "event.dataset": "f5.firepass", "event.module": "f5", @@ -836,6 +853,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "mexercit" + ], "rsa.db.index": "Logged", "rsa.internal.messageid": "maintenance", "rsa.time.event_time": "2020-05-29T07:37:24.000Z", @@ -844,9 +864,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "mexercit" - ] + "user.name": "mexercit" }, { "event.code": "firepass", @@ -859,6 +877,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "ume" + ], "rsa.internal.messageid": "firepass", "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_subject": "User", @@ -867,9 +888,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "ume" - ] + "user.name": "ume" }, { "event.code": "/USR/SBIN/CRON", @@ -984,15 +1003,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "rehender" + ], "rsa.internal.messageid": "Miscellaneous", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "rehender" - ] + "user.name": "rehender" }, { "destination.ip": [ 
@@ -1011,6 +1031,9 @@ "related.ip": [ "10.192.18.42" ], + "related.user": [ + "equatD" + ], "rsa.internal.messageid": "NetworkAccess", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", @@ -1021,9 +1044,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "equatD" - ] + "user.name": "equatD" }, { "event.code": "heartbeat", @@ -1058,6 +1079,9 @@ "related.ip": [ "10.86.63.253" ], + "related.user": [ + "amvolup" + ], "rsa.internal.messageid": "sshd", "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "service.type": "f5", @@ -1069,9 +1093,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "amvolup" - ] + "user.name": "amvolup" }, { "event.code": "EndpointSecurity", @@ -1130,15 +1152,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "apariat" + ], "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "apariat" - ] + "user.name": "apariat" }, { "event.code": "/USR/SBIN/CRON", @@ -1259,15 +1282,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "eaq" + ], "rsa.internal.messageid": "Miscellaneous", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "eaq" - ] + "user.name": "eaq" }, { "event.code": "EndpointSecurity", @@ -1335,6 +1359,9 @@ "related.ip": [ "10.26.196.144" ], + "related.user": [ + "edol" + ], "rsa.internal.messageid": "sshd", "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "service.type": "f5", @@ -1346,9 +1373,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "edol" - ] + "user.name": "edol" }, { "event.code": "run-crons", @@ -1371,7 +1396,9 @@ ] }, { - "event.action": "started", + "event.action": [ + "started" + ], "event.code": "snmp", "event.dataset": "f5.firepass", "event.module": "f5", 
@@ -1408,6 +1435,9 @@ "related.ip": [ "10.237.205.140" ], + "related.user": [ + "dutper" + ], "rsa.internal.event_desc": "user presented with challenge", "rsa.internal.messageid": "security", "rsa.investigations.ec_subject": "User", @@ -1419,9 +1449,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "dutper" - ] + "user.name": "dutper" }, { "event.code": "run-crons", @@ -1473,6 +1501,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "aliquam" + ], "rsa.internal.messageid": "Miscellaneous", "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "service.type": "f5", @@ -1480,9 +1511,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "aliquam" - ] + "user.name": "aliquam" }, { "event.code": "mailer", @@ -1545,15 +1574,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "lorinre" + ], "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "lorinre" - ] + "user.name": "lorinre" }, { "destination.ip": [ @@ -1854,6 +1884,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "ntmollit" + ], "rsa.db.index": "Trying", "rsa.internal.messageid": "maintenance", "rsa.time.event_time": "2020-03-17T19:35:40.000Z", @@ -1862,9 +1895,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "ntmollit" - ] + "user.name": "ntmollit" }, { "event.code": "heartbeat", @@ -1917,15 +1948,16 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "litessec" + ], "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": [ - "litessec" - ] + "user.name": "litessec" }, { "destination.ip": [ 
@@ -1965,6 +1997,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "tvolupt" + ], "rsa.internal.messageid": "firepass", "rsa.investigations.ec_activity": "Start", "rsa.investigations.ec_subject": "Service", @@ -1977,9 +2012,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "tvolupt" - ] + "user.name": "tvolupt" }, { "event.code": "mailer", @@ -2017,6 +2050,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "ven" + ], "rsa.db.index": "nisist", "rsa.internal.messageid": "NetworkAccess", "rsa.investigations.ec_subject": "NetworkComm", @@ -2028,9 +2064,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "ven" - ] + "user.name": "ven" }, { "event.code": "/USR/SBIN/CRON", @@ -2145,6 +2179,9 @@ "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "fugi" + ], "rsa.internal.messageid": "security", "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Failure", @@ -2156,9 +2193,7 @@ "f5.firepass", "forwarded" ], - "user.name": [ - "fugi" - ] + "user.name": "fugi" }, { "event.code": "heartbeat", @@ -2257,7 +2292,9 @@ ] }, { - "event.action": "started", + "event.action": [ + "started" + ], "event.code": "snmp", "event.dataset": "f5.firepass", "event.module": "f5", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index 0194a0312fd..a470c22ad82 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -5,7 +5,9 @@ "10.102.123.34" ], "destination.port": 3994, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -25,6 +27,9 @@ "10.102.123.34", "10.150.92.220" ], + "related.user": [ + "billoi" + ], "rsa.counters.dclass_c1": 884, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -51,9 +56,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "billoi" - ] + "user.name": "billoi" }, { "@timestamp": "2020-02-12T15:12:33.000Z", @@ -61,7 +64,9 @@ "10.102.218.31" ], "destination.port": 3376, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -78,8 +83,11 @@ "observer.vendor": "Fortinet", "process.pid": 6183, "related.ip": [ - "10.102.218.31", - "10.22.119.124" + "10.22.119.124", + "10.102.218.31" + ], + "related.user": [ + "itamet" ], "rsa.counters.dclass_c1": 873, "rsa.counters.dclass_c1_str": "block_count", @@ -107,9 +115,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "itamet" - ] + "user.name": "itamet" }, { "@timestamp": "2020-02-26T22:15:08.000Z", @@ -117,7 +123,9 @@ "10.26.46.95" ], "destination.port": 7599, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -134,8 +142,11 @@ "observer.vendor": "Fortinet", "process.pid": 1130, "related.ip": [ - "10.26.46.95", - "10.135.105.231" + "10.135.105.231", + "10.26.46.95" + ], + "related.user": [ + "meumfug" ], "rsa.counters.dclass_c1": 4454, "rsa.counters.dclass_c1_str": "block_count", @@ -163,9 +174,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "meumfug" - ] + "user.name": "meumfug" }, { "@timestamp": "2020-03-12T05:17:42.000Z", 
@@ -173,7 +182,9 @@ "10.202.204.154" ], "destination.port": 3587, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -190,8 +201,11 @@ "observer.vendor": "Fortinet", "process.pid": 5712, "related.ip": [ - "10.134.137.177", - "10.202.204.154" + "10.202.204.154", + "10.134.137.177" + ], + "related.user": [ + "con" ], "rsa.counters.dclass_c1": 101, "rsa.counters.dclass_c1_str": "block_count", @@ -219,9 +233,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "con" - ] + "user.name": "con" }, { "@timestamp": "2020-03-26T12:20:16.000Z", @@ -229,7 +241,9 @@ "10.131.115.96" ], "destination.port": 1890, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -249,6 +263,9 @@ "10.85.66.161", "10.131.115.96" ], + "related.user": [ + "onev" + ], "rsa.counters.dclass_c1": 5509, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -275,9 +292,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "onev" - ] + "user.name": "onev" }, { "@timestamp": "2020-04-09T19:22:51.000Z", @@ -285,7 +300,9 @@ "10.11.200.161" ], "destination.port": 4665, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -302,8 +319,11 @@ "observer.vendor": "Fortinet", "process.pid": 4243, "related.ip": [ - "10.183.202.41", - "10.11.200.161" + "10.11.200.161", + "10.183.202.41" + ], + "related.user": [ + "iusmodt" ], "rsa.counters.dclass_c1": 513, "rsa.counters.dclass_c1_str": "block_count", @@ -331,9 +351,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "iusmodt" - ] + "user.name": "iusmodt" }, { "@timestamp": "2020-04-24T02:25:25.000Z", 
@@ -341,7 +359,9 @@ "10.214.225.125" ], "destination.port": 2121, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -361,6 +381,9 @@ "10.12.44.169", "10.214.225.125" ], + "related.user": [ + "uam" + ], "rsa.counters.dclass_c1": 6499, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -387,9 +410,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "uam" - ] + "user.name": "uam" }, { "@timestamp": "2020-05-08T09:27:59.000Z", @@ -397,7 +418,9 @@ "10.233.127.83" ], "destination.port": 3676, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -414,8 +437,11 @@ "observer.vendor": "Fortinet", "process.pid": 3904, "related.ip": [ - "10.64.155.245", - "10.233.127.83" + "10.233.127.83", + "10.64.155.245" + ], + "related.user": [ + "olab" ], "rsa.counters.dclass_c1": 3391, "rsa.counters.dclass_c1_str": "block_count", @@ -443,9 +469,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "olab" - ] + "user.name": "olab" }, { "@timestamp": "2020-05-22T16:30:33.000Z", @@ -453,7 +477,9 @@ "10.69.20.77" ], "destination.port": 7579, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -470,8 +496,11 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.69.20.77", - "10.178.244.31" + "10.178.244.31", + "10.69.20.77" + ], + "related.user": [ + "moll" ], "rsa.counters.dclass_c1": 5812, "rsa.counters.dclass_c1_str": "block_count", @@ -499,9 +528,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "moll" - ] + "user.name": "moll" }, { "@timestamp": "2020-06-05T23:33:08.000Z", 
@@ -509,7 +536,9 @@ "10.10.65.154" ], "destination.port": 7572, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -529,6 +558,9 @@ "10.197.5.210", "10.10.65.154" ], + "related.user": [ + "olo" + ], "rsa.counters.dclass_c1": 5529, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -555,9 +587,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "olo" - ] + "user.name": "olo" }, { "@timestamp": "2020-06-20T06:35:42.000Z", @@ -565,7 +595,9 @@ "10.177.124.147" ], "destination.port": 4173, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -582,8 +614,11 @@ "observer.vendor": "Fortinet", "process.pid": 5794, "related.ip": [ - "10.89.185.38", - "10.177.124.147" + "10.177.124.147", + "10.89.185.38" + ], + "related.user": [ + "uis" ], "rsa.counters.dclass_c1": 2703, "rsa.counters.dclass_c1_str": "block_count", @@ -611,9 +646,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "uis" - ] + "user.name": "uis" }, { "@timestamp": "2020-07-04T13:38:16.000Z", @@ -621,7 +654,9 @@ "10.157.213.15" ], "destination.port": 600, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -641,6 +676,9 @@ "10.157.213.15", "10.212.55.143" ], + "related.user": [ + "nibus" + ], "rsa.counters.dclass_c1": 2399, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -667,9 +705,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "nibus" - ] + "user.name": "nibus" }, { "@timestamp": "2019-07-18T20:40:50.000Z", 
@@ -677,7 +713,9 @@ "10.124.100.32" ], "destination.port": 7699, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -694,8 +732,11 @@ "observer.vendor": "Fortinet", "process.pid": 5376, "related.ip": [ - "10.208.134.60", - "10.124.100.32" + "10.124.100.32", + "10.208.134.60" + ], + "related.user": [ + "admi" ], "rsa.counters.dclass_c1": 4111, "rsa.counters.dclass_c1_str": "block_count", @@ -723,9 +764,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "admi" - ] + "user.name": "admi" }, { "@timestamp": "2019-08-02T03:43:25.000Z", @@ -733,7 +772,9 @@ "10.55.77.49" ], "destination.port": 4683, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -753,6 +794,9 @@ "10.55.77.49", "10.75.148.116" ], + "related.user": [ + "tdolorem" + ], "rsa.counters.dclass_c1": 2460, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -779,9 +823,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "tdolorem" - ] + "user.name": "tdolorem" }, { "@timestamp": "2019-08-16T10:45:59.000Z", @@ -789,7 +831,9 @@ "10.21.92.218" ], "destination.port": 5716, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -809,6 +853,9 @@ "10.21.92.218", "10.210.74.24" ], + "related.user": [ + "nihi" + ], "rsa.counters.dclass_c1": 6088, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -835,9 +882,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "nihi" - ] + "user.name": "nihi" }, { "@timestamp": "2019-08-30T17:48:33.000Z", 
@@ -845,7 +890,9 @@ "10.84.105.75" ], "destination.port": 98, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -862,8 +909,11 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.ip": [ - "10.84.105.75", - "10.78.151.178" + "10.78.151.178", + "10.84.105.75" + ], + "related.user": [ + "deFinibu" ], "rsa.counters.dclass_c1": 1559, "rsa.counters.dclass_c1_str": "block_count", @@ -891,9 +941,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "deFinibu" - ] + "user.name": "deFinibu" }, { "@timestamp": "2019-09-14T00:51:07.000Z", @@ -901,7 +949,9 @@ "10.76.229.163" ], "destination.port": 6387, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -918,8 +968,11 @@ "observer.vendor": "Fortinet", "process.pid": 2857, "related.ip": [ - "10.76.229.163", - "10.47.241.218" + "10.47.241.218", + "10.76.229.163" + ], + "related.user": [ + "mnisist" ], "rsa.counters.dclass_c1": 391, "rsa.counters.dclass_c1_str": "block_count", @@ -947,9 +1000,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "mnisist" - ] + "user.name": "mnisist" }, { "@timestamp": "2019-09-28T07:53:42.000Z", @@ -957,7 +1008,9 @@ "10.104.134.200" ], "destination.port": 2508, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -977,6 +1030,9 @@ "10.104.134.200", "10.121.219.204" ], + "related.user": [ + "rQuisau" + ], "rsa.counters.dclass_c1": 5126, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -1003,9 +1059,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "rQuisau" - ] + "user.name": "rQuisau" }, { "@timestamp": "2019-10-12T14:56:16.000Z", 
@@ -1013,7 +1067,9 @@ "10.252.122.195" ], "destination.port": 2807, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1030,8 +1086,11 @@ "observer.vendor": "Fortinet", "process.pid": 1669, "related.ip": [ - "10.252.122.195", - "10.118.80.140" + "10.118.80.140", + "10.252.122.195" + ], + "related.user": [ + "remagn" ], "rsa.counters.dclass_c1": 2385, "rsa.counters.dclass_c1_str": "block_count", @@ -1059,9 +1118,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "remagn" - ] + "user.name": "remagn" }, { "@timestamp": "2019-10-26T21:58:50.000Z", @@ -1069,7 +1126,9 @@ "10.31.95.218" ], "destination.port": 7042, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1086,8 +1145,11 @@ "observer.vendor": "Fortinet", "process.pid": 2374, "related.ip": [ - "10.31.95.218", - "10.195.36.51" + "10.195.36.51", + "10.31.95.218" + ], + "related.user": [ + "laborum" ], "rsa.counters.dclass_c1": 3750, "rsa.counters.dclass_c1_str": "block_count", @@ -1115,9 +1177,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "laborum" - ] + "user.name": "laborum" }, { "@timestamp": "2019-11-10T05:01:24.000Z", @@ -1125,7 +1185,9 @@ "10.170.148.40" ], "destination.port": 6371, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1142,8 +1204,11 @@ "observer.vendor": "Fortinet", "process.pid": 753, "related.ip": [ - "10.170.148.40", - "10.197.250.10" + "10.197.250.10", + "10.170.148.40" + ], + "related.user": [ + "rinrepre" ], "rsa.counters.dclass_c1": 651, "rsa.counters.dclass_c1_str": "block_count", 
@@ -1171,9 +1236,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "rinrepre" - ] + "user.name": "rinrepre" }, { "@timestamp": "2019-11-24T12:03:59.000Z", @@ -1181,7 +1244,9 @@ "10.233.171.118" ], "destination.port": 7410, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1201,6 +1266,9 @@ "10.19.145.131", "10.233.171.118" ], + "related.user": [ + "modtemp" + ], "rsa.counters.dclass_c1": 2924, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -1227,9 +1295,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "modtemp" - ] + "user.name": "modtemp" }, { "@timestamp": "2019-12-08T19:06:33.000Z", @@ -1237,7 +1303,9 @@ "10.134.148.219" ], "destination.port": 4430, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1257,6 +1325,9 @@ "10.134.148.219", "10.248.204.182" ], + "related.user": [ + "fugitse" + ], "rsa.counters.dclass_c1": 1713, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -1283,9 +1354,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "fugitse" - ] + "user.name": "fugitse" }, { "@timestamp": "2019-12-23T02:09:07.000Z", @@ -1293,7 +1362,9 @@ "10.177.238.183" ], "destination.port": 6458, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1313,6 +1384,9 @@ "10.177.238.183", "10.59.122.242" ], + "related.user": [ + "xerc" + ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -1339,9 +1413,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "xerc" - ] + "user.name": "xerc" }, { "@timestamp": "2020-01-06T09:11:41.000Z", 
@@ -1349,7 +1421,9 @@ "10.10.27.73" ], "destination.port": 2574, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1366,8 +1440,11 @@ "observer.vendor": "Fortinet", "process.pid": 6106, "related.ip": [ - "10.74.33.75", - "10.10.27.73" + "10.10.27.73", + "10.74.33.75" + ], + "related.user": [ + "quaturve" ], "rsa.counters.dclass_c1": 766, "rsa.counters.dclass_c1_str": "block_count", @@ -1395,9 +1472,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "quaturve" - ] + "user.name": "quaturve" }, { "@timestamp": "2020-01-20T16:14:16.000Z", @@ -1405,7 +1480,9 @@ "10.32.239.1" ], "destination.port": 3128, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1425,6 +1502,9 @@ "10.241.65.49", "10.32.239.1" ], + "related.user": [ + "asia" + ], "rsa.counters.dclass_c1": 7400, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -1451,9 +1531,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "asia" - ] + "user.name": "asia" }, { "@timestamp": "2020-02-03T23:16:50.000Z", @@ -1461,7 +1539,9 @@ "10.14.36.202" ], "destination.port": 6036, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1481,6 +1561,9 @@ "10.14.36.202", "10.167.85.181" ], + "related.user": [ + "dtemp" + ], "rsa.counters.dclass_c1": 1637, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -1507,9 +1590,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "dtemp" - ] + "user.name": "dtemp" }, { "@timestamp": "2020-02-18T06:19:24.000Z", 
@@ -1517,7 +1598,9 @@ "10.164.39.248" ], "destination.port": 5194, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1534,8 +1617,11 @@ "observer.vendor": "Fortinet", "process.pid": 3609, "related.ip": [ - "10.164.39.248", - "10.104.64.94" + "10.104.64.94", + "10.164.39.248" + ], + "related.user": [ + "dant" ], "rsa.counters.dclass_c1": 3370, "rsa.counters.dclass_c1_str": "block_count", @@ -1563,9 +1649,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "dant" - ] + "user.name": "dant" }, { "@timestamp": "2020-03-04T13:21:59.000Z", @@ -1573,7 +1657,9 @@ "10.135.187.104" ], "destination.port": 4708, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1590,8 +1676,11 @@ "observer.vendor": "Fortinet", "process.pid": 5919, "related.ip": [ - "10.135.187.104", - "10.208.14.185" + "10.208.14.185", + "10.135.187.104" + ], + "related.user": [ + "rcitati" ], "rsa.counters.dclass_c1": 1871, "rsa.counters.dclass_c1_str": "block_count", @@ -1619,9 +1708,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "rcitati" - ] + "user.name": "rcitati" }, { "@timestamp": "2020-03-18T20:24:33.000Z", @@ -1629,7 +1716,9 @@ "10.248.101.25" ], "destination.port": 5740, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1649,6 +1738,9 @@ "10.248.101.25", "10.60.129.15" ], + "related.user": [ + "nevo" + ], "rsa.counters.dclass_c1": 513, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -1675,9 +1767,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "nevo" - ] + "user.name": "nevo" }, { "@timestamp": "2020-04-02T03:27:07.000Z", 
@@ -1685,7 +1775,9 @@ "10.145.26.181" ], "destination.port": 6088, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1705,6 +1797,9 @@ "10.46.49.26", "10.145.26.181" ], + "related.user": [ + "cons" + ], "rsa.counters.dclass_c1": 1399, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -1731,9 +1826,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "cons" - ] + "user.name": "cons" }, { "@timestamp": "2020-04-16T10:29:41.000Z", @@ -1741,7 +1834,9 @@ "10.66.2.232" ], "destination.port": 5764, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1761,6 +1856,9 @@ "10.66.2.232", "10.27.14.168" ], + "related.user": [ + "evolu" + ], "rsa.counters.dclass_c1": 6129, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -1787,9 +1885,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "evolu" - ] + "user.name": "evolu" }, { "@timestamp": "2020-04-30T17:32:16.000Z", @@ -1797,7 +1893,9 @@ "10.201.238.90" ], "destination.port": 7130, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1817,6 +1915,9 @@ "10.201.238.90", "10.151.58.196" ], + "related.user": [ + "temqu" + ], "rsa.counters.dclass_c1": 7440, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -1843,9 +1944,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "temqu" - ] + "user.name": "temqu" }, { "@timestamp": "2020-05-15T00:34:50.000Z", 
@@ -1853,7 +1952,9 @@ "10.105.91.31" ], "destination.port": 5987, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1873,6 +1974,9 @@ "10.217.150.196", "10.105.91.31" ], + "related.user": [ + "siutali" + ], "rsa.counters.dclass_c1": 660, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -1899,9 +2003,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "siutali" - ] + "user.name": "siutali" }, { "@timestamp": "2020-05-29T07:37:24.000Z", @@ -1909,7 +2011,9 @@ "10.226.83.168" ], "destination.port": 4153, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1926,8 +2030,11 @@ "observer.vendor": "Fortinet", "process.pid": 4306, "related.ip": [ - "10.226.83.168", - "10.184.18.202" + "10.184.18.202", + "10.226.83.168" + ], + "related.user": [ + "borios" ], "rsa.counters.dclass_c1": 2512, "rsa.counters.dclass_c1_str": "block_count", @@ -1955,9 +2062,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "borios" - ] + "user.name": "borios" }, { "@timestamp": "2020-06-12T14:39:58.000Z", @@ -1965,7 +2070,9 @@ "10.113.95.59" ], "destination.port": 4367, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1985,6 +2092,9 @@ "10.255.39.252", "10.113.95.59" ], + "related.user": [ + "atisun" + ], "rsa.counters.dclass_c1": 2612, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -2011,9 +2121,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "atisun" - ] + "user.name": "atisun" }, { "@timestamp": "2020-06-26T21:42:33.000Z", 
@@ -2021,7 +2129,9 @@ "10.43.226.231" ], "destination.port": 2778, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2038,8 +2148,11 @@ "observer.vendor": "Fortinet", "process.pid": 829, "related.ip": [ - "10.173.136.186", - "10.43.226.231" + "10.43.226.231", + "10.173.136.186" + ], + "related.user": [ + "uscipitl" ], "rsa.counters.dclass_c1": 1497, "rsa.counters.dclass_c1_str": "block_count", @@ -2067,9 +2180,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "uscipitl" - ] + "user.name": "uscipitl" }, { "@timestamp": "2019-07-11T04:45:07.000Z", @@ -2077,7 +2188,9 @@ "10.54.37.86" ], "destination.port": 5089, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2094,8 +2207,11 @@ "observer.vendor": "Fortinet", "process.pid": 6867, "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" + ], + "related.user": [ + "dolorsit" ], "rsa.counters.dclass_c1": 1865, "rsa.counters.dclass_c1_str": "block_count", @@ -2123,9 +2239,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "dolorsit" - ] + "user.name": "dolorsit" }, { "@timestamp": "2019-07-25T11:47:41.000Z", @@ -2133,7 +2247,9 @@ "10.159.119.34" ], "destination.port": 6197, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2150,8 +2266,11 @@ "observer.vendor": "Fortinet", "process.pid": 7536, "related.ip": [ - "10.205.228.138", - "10.159.119.34" + "10.159.119.34", + "10.205.228.138" + ], + "related.user": [ + "aquae" ], "rsa.counters.dclass_c1": 3714, "rsa.counters.dclass_c1_str": "block_count", 
@@ -2179,9 +2298,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aquae" - ] + "user.name": "aquae" }, { "@timestamp": "2019-08-08T18:50:15.000Z", @@ -2189,7 +2306,9 @@ "10.29.133.28" ], "destination.port": 1085, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2206,8 +2325,11 @@ "observer.vendor": "Fortinet", "process.pid": 5433, "related.ip": [ - "10.29.133.28", - "10.163.93.20" + "10.163.93.20", + "10.29.133.28" + ], + "related.user": [ + "tpersp" ], "rsa.counters.dclass_c1": 2486, "rsa.counters.dclass_c1_str": "block_count", @@ -2235,9 +2357,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "tpersp" - ] + "user.name": "tpersp" }, { "@timestamp": "2019-08-23T01:52:50.000Z", @@ -2245,7 +2365,9 @@ "10.50.0.61" ], "destination.port": 5905, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2265,6 +2387,9 @@ "10.113.30.163", "10.50.0.61" ], + "related.user": [ + "dolore" + ], "rsa.counters.dclass_c1": 2019, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -2291,9 +2416,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "dolore" - ] + "user.name": "dolore" }, { "@timestamp": "2019-09-06T08:55:24.000Z", @@ -2301,7 +2424,9 @@ "10.30.47.165" ], "destination.port": 3801, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2321,6 +2446,9 @@ "10.39.145.136", "10.30.47.165" ], + "related.user": [ + "invo" + ], "rsa.counters.dclass_c1": 992, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", 
@@ -2347,9 +2475,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "invo" - ] + "user.name": "invo" }, { "@timestamp": "2019-09-20T15:57:58.000Z", @@ -2357,7 +2483,9 @@ "10.36.112.145" ], "destination.port": 7122, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2374,8 +2502,11 @@ "observer.vendor": "Fortinet", "process.pid": 246, "related.ip": [ - "10.30.25.84", - "10.36.112.145" + "10.36.112.145", + "10.30.25.84" + ], + "related.user": [ + "bor" ], "rsa.counters.dclass_c1": 5608, "rsa.counters.dclass_c1_str": "block_count", @@ -2403,9 +2534,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "bor" - ] + "user.name": "bor" }, { "@timestamp": "2019-10-04T23:00:32.000Z", @@ -2413,7 +2542,9 @@ "10.162.114.217" ], "destination.port": 7503, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2430,8 +2561,11 @@ "observer.vendor": "Fortinet", "process.pid": 1276, "related.ip": [ - "10.162.114.217", - "10.97.96.177" + "10.97.96.177", + "10.162.114.217" + ], + "related.user": [ + "itse" ], "rsa.counters.dclass_c1": 2826, "rsa.counters.dclass_c1_str": "block_count", @@ -2459,9 +2593,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "itse" - ] + "user.name": "itse" }, { "@timestamp": "2019-10-19T06:03:07.000Z", @@ -2469,7 +2601,9 @@ "10.140.7.83" ], "destination.port": 3298, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2486,8 +2620,11 @@ "observer.vendor": "Fortinet", "process.pid": 2189, "related.ip": [ - "10.140.7.83", - "10.229.71.175" + "10.229.71.175", + "10.140.7.83" + ], + "related.user": [ + "eseru" ], "rsa.counters.dclass_c1": 4969, "rsa.counters.dclass_c1_str": "block_count", 
@@ -2515,9 +2652,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "eseru" - ] + "user.name": "eseru" }, { "@timestamp": "2019-11-02T13:05:41.000Z", @@ -2525,7 +2660,9 @@ "10.149.13.76" ], "destination.port": 2000, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2542,8 +2679,11 @@ "observer.vendor": "Fortinet", "process.pid": 1478, "related.ip": [ - "10.149.13.76", - "10.232.254.65" + "10.232.254.65", + "10.149.13.76" + ], + "related.user": [ + "itesseq" ], "rsa.counters.dclass_c1": 7037, "rsa.counters.dclass_c1_str": "block_count", @@ -2571,9 +2711,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "itesseq" - ] + "user.name": "itesseq" }, { "@timestamp": "2019-11-16T20:08:15.000Z", @@ -2581,7 +2719,9 @@ "10.90.33.138" ], "destination.port": 7876, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2598,8 +2738,11 @@ "observer.vendor": "Fortinet", "process.pid": 5524, "related.ip": [ - "10.40.251.202", - "10.90.33.138" + "10.90.33.138", + "10.40.251.202" + ], + "related.user": [ + "amcor" ], "rsa.counters.dclass_c1": 4762, "rsa.counters.dclass_c1_str": "block_count", @@ -2627,9 +2770,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "amcor" - ] + "user.name": "amcor" }, { "@timestamp": "2019-12-01T03:10:49.000Z", @@ -2637,7 +2778,9 @@ "10.243.237.151" ], "destination.port": 6296, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2657,6 +2800,9 @@ "10.243.237.151", "10.98.194.212" ], + "related.user": [ + "eri" + ], "rsa.counters.dclass_c1": 5539, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", 
@@ -2683,9 +2829,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "eri" - ] + "user.name": "eri" }, { "@timestamp": "2019-12-15T10:13:24.000Z", @@ -2693,7 +2837,9 @@ "10.28.84.106" ], "destination.port": 4844, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2713,6 +2859,9 @@ "10.28.84.106", "10.193.233.229" ], + "related.user": [ + "luptatem" + ], "rsa.counters.dclass_c1": 3030, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -2739,9 +2888,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "luptatem" - ] + "user.name": "luptatem" }, { "@timestamp": "2019-12-29T17:15:58.000Z", @@ -2749,7 +2896,9 @@ "10.85.185.13" ], "destination.port": 7793, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2766,8 +2915,11 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.180.195.43", + "10.85.185.13" + ], + "related.user": [ + "atione" ], "rsa.counters.dclass_c1": 2147, "rsa.counters.dclass_c1_str": "block_count", @@ -2795,9 +2947,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "atione" - ] + "user.name": "atione" }, { "@timestamp": "2020-01-13T00:18:32.000Z", @@ -2805,7 +2955,9 @@ "10.201.237.233" ], "destination.port": 3023, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2822,8 +2974,11 @@ "observer.vendor": "Fortinet", "process.pid": 3421, "related.ip": [ - "10.201.237.233", - "10.107.45.175" + "10.107.45.175", + "10.201.237.233" + ], + "related.user": [ + "aeconseq" ], "rsa.counters.dclass_c1": 6981, "rsa.counters.dclass_c1_str": "block_count", 
@@ -2851,9 +3006,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aeconseq" - ] + "user.name": "aeconseq" }, { "@timestamp": "2020-01-27T07:21:06.000Z", @@ -2861,7 +3014,9 @@ "10.196.206.130" ], "destination.port": 1725, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2881,6 +3036,9 @@ "10.196.206.130", "10.239.80.120" ], + "related.user": [ + "isn" + ], "rsa.counters.dclass_c1": 3896, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -2907,9 +3065,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "isn" - ] + "user.name": "isn" }, { "@timestamp": "2020-02-10T14:23:41.000Z", @@ -2917,7 +3073,9 @@ "10.47.24.77" ], "destination.port": 1919, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2937,6 +3095,9 @@ "10.47.24.77", "10.234.222.214" ], + "related.user": [ + "ntNeq" + ], "rsa.counters.dclass_c1": 6068, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -2963,9 +3124,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ntNeq" - ] + "user.name": "ntNeq" }, { "@timestamp": "2020-02-24T21:26:15.000Z", @@ -2973,7 +3132,9 @@ "10.139.127.232" ], "destination.port": 1812, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2990,8 +3151,11 @@ "observer.vendor": "Fortinet", "process.pid": 4116, "related.ip": [ - "10.139.127.232", - "10.202.7.89" + "10.202.7.89", + "10.139.127.232" + ], + "related.user": [ + "osquir" ], "rsa.counters.dclass_c1": 6412, "rsa.counters.dclass_c1_str": "block_count", 
@@ -3019,9 +3183,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "osquir" - ] + "user.name": "osquir" }, { "@timestamp": "2020-03-11T04:28:49.000Z", @@ -3029,7 +3191,9 @@ "10.40.35.49" ], "destination.port": 3071, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3049,6 +3213,9 @@ "10.130.241.232", "10.40.35.49" ], + "related.user": [ + "aturQu" + ], "rsa.counters.dclass_c1": 3552, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -3075,9 +3242,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aturQu" - ] + "user.name": "aturQu" }, { "@timestamp": "2020-03-25T11:31:24.000Z", @@ -3085,7 +3250,9 @@ "10.167.252.183" ], "destination.port": 5107, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3102,8 +3269,11 @@ "observer.vendor": "Fortinet", "process.pid": 5735, "related.ip": [ - "10.167.252.183", - "10.157.196.101" + "10.157.196.101", + "10.167.252.183" + ], + "related.user": [ + "tatem" ], "rsa.counters.dclass_c1": 2302, "rsa.counters.dclass_c1_str": "block_count", @@ -3131,9 +3301,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "tatem" - ] + "user.name": "tatem" }, { "@timestamp": "2020-04-08T18:33:58.000Z", @@ -3141,7 +3309,9 @@ "10.46.56.204" ], "destination.port": 5070, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3158,8 +3328,11 @@ "observer.vendor": "Fortinet", "process.pid": 7079, "related.ip": [ - "10.97.149.97", - "10.46.56.204" + "10.46.56.204", + "10.97.149.97" + ], + "related.user": [ + "esseq" ], "rsa.counters.dclass_c1": 3665, "rsa.counters.dclass_c1_str": "block_count", 
@@ -3187,9 +3360,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "esseq" - ] + "user.name": "esseq" }, { "@timestamp": "2020-04-23T01:36:32.000Z", @@ -3197,7 +3368,9 @@ "10.151.129.181" ], "destination.port": 5773, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3214,8 +3387,11 @@ "observer.vendor": "Fortinet", "process.pid": 5026, "related.ip": [ - "10.28.105.124", - "10.151.129.181" + "10.151.129.181", + "10.28.105.124" + ], + "related.user": [ + "nesciun" ], "rsa.counters.dclass_c1": 2604, "rsa.counters.dclass_c1_str": "block_count", @@ -3243,9 +3419,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "nesciun" - ] + "user.name": "nesciun" }, { "@timestamp": "2020-05-07T08:39:06.000Z", @@ -3253,7 +3427,9 @@ "10.145.101.26" ], "destination.port": 2559, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3273,6 +3449,9 @@ "10.128.63.143", "10.145.101.26" ], + "related.user": [ + "ssusci" + ], "rsa.counters.dclass_c1": 5137, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -3299,9 +3478,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ssusci" - ] + "user.name": "ssusci" }, { "@timestamp": "2020-05-21T15:41:41.000Z", @@ -3309,7 +3486,9 @@ "10.62.229.89" ], "destination.port": 5348, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3326,8 +3505,11 @@ "observer.vendor": "Fortinet", "process.pid": 5140, "related.ip": [ - "10.2.244.159", - "10.62.229.89" + "10.62.229.89", + "10.2.244.159" + ], + "related.user": [ + "inBCSedu" ], "rsa.counters.dclass_c1": 2159, "rsa.counters.dclass_c1_str": "block_count", 
@@ -3355,9 +3537,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "inBCSedu" - ] + "user.name": "inBCSedu" }, { "@timestamp": "2020-06-04T22:44:15.000Z", @@ -3365,7 +3545,9 @@ "10.54.83.119" ], "destination.port": 338, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3382,8 +3564,11 @@ "observer.vendor": "Fortinet", "process.pid": 315, "related.ip": [ - "10.54.83.119", - "10.250.19.146" + "10.250.19.146", + "10.54.83.119" + ], + "related.user": [ + "radi" ], "rsa.counters.dclass_c1": 7074, "rsa.counters.dclass_c1_str": "block_count", @@ -3411,9 +3596,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "radi" - ] + "user.name": "radi" }, { "@timestamp": "2020-06-19T05:46:49.000Z", @@ -3421,7 +3604,9 @@ "10.1.96.93" ], "destination.port": 428, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3438,8 +3623,11 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.ip": [ - "10.1.96.93", - "10.54.73.158" + "10.54.73.158", + "10.1.96.93" + ], + "related.user": [ + "snos" ], "rsa.counters.dclass_c1": 1049, "rsa.counters.dclass_c1_str": "block_count", @@ -3467,9 +3655,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "snos" - ] + "user.name": "snos" }, { "@timestamp": "2020-07-03T12:49:23.000Z", @@ -3477,7 +3663,9 @@ "10.94.114.83" ], "destination.port": 4803, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3497,6 +3685,9 @@ "10.94.114.83", "10.126.87.182" ], + "related.user": [ + "dolores" + ], "rsa.counters.dclass_c1": 291, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", 
@@ -3523,9 +3714,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "dolores" - ] + "user.name": "dolores" }, { "@timestamp": "2019-07-17T19:51:58.000Z", @@ -3533,7 +3722,9 @@ "10.38.28.151" ], "destination.port": 347, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3553,6 +3744,9 @@ "10.38.28.151", "10.206.165.83" ], + "related.user": [ + "erspi" + ], "rsa.counters.dclass_c1": 2124, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -3579,9 +3773,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "erspi" - ] + "user.name": "erspi" }, { "@timestamp": "2019-08-01T02:54:32.000Z", @@ -3589,7 +3781,9 @@ "10.77.229.168" ], "destination.port": 3777, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3609,6 +3803,9 @@ "10.181.247.224", "10.77.229.168" ], + "related.user": [ + "ame" + ], "rsa.counters.dclass_c1": 3343, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -3635,9 +3832,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ame" - ] + "user.name": "ame" }, { "@timestamp": "2019-08-15T09:57:06.000Z", @@ -3645,7 +3840,9 @@ "10.57.85.98" ], "destination.port": 1444, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3662,8 +3859,11 @@ "observer.vendor": "Fortinet", "process.pid": 5493, "related.ip": [ - "10.42.252.243", - "10.57.85.98" + "10.57.85.98", + "10.42.252.243" + ], + "related.user": [ + "nisiu" ], "rsa.counters.dclass_c1": 4145, "rsa.counters.dclass_c1_str": "block_count", 
@@ -3691,9 +3891,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "nisiu" - ] + "user.name": "nisiu" }, { "@timestamp": "2019-08-29T16:59:40.000Z", @@ -3701,7 +3899,9 @@ "10.193.66.155" ], "destination.port": 4965, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3718,8 +3918,11 @@ "observer.vendor": "Fortinet", "process.pid": 2913, "related.ip": [ - "10.193.66.155", - "10.7.43.184" + "10.7.43.184", + "10.193.66.155" + ], + "related.user": [ + "tobeatae" ], "rsa.counters.dclass_c1": 1129, "rsa.counters.dclass_c1_str": "block_count", @@ -3747,9 +3950,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "tobeatae" - ] + "user.name": "tobeatae" }, { "@timestamp": "2019-09-13T00:02:15.000Z", @@ -3757,7 +3958,9 @@ "10.81.234.34" ], "destination.port": 1710, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3777,6 +3980,9 @@ "10.196.96.162", "10.81.234.34" ], + "related.user": [ + "aliqui" + ], "rsa.counters.dclass_c1": 4798, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -3803,9 +4009,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aliqui" - ] + "user.name": "aliqui" }, { "@timestamp": "2019-09-27T07:04:49.000Z", @@ -3813,7 +4017,9 @@ "10.77.78.180" ], "destination.port": 5380, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3830,8 +4036,11 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.ip": [ - "10.97.236.123", - "10.77.78.180" + "10.77.78.180", + "10.97.236.123" + ], + "related.user": [ + "ptatems" ], "rsa.counters.dclass_c1": 1471, "rsa.counters.dclass_c1_str": "block_count", 
@@ -3859,9 +4068,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ptatems" - ] + "user.name": "ptatems" }, { "@timestamp": "2019-10-11T14:07:23.000Z", @@ -3869,7 +4076,9 @@ "10.108.45.59" ], "destination.port": 7229, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3889,6 +4098,9 @@ "10.118.82.34", "10.108.45.59" ], + "related.user": [ + "olorem" + ], "rsa.counters.dclass_c1": 5362, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -3915,9 +4127,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "olorem" - ] + "user.name": "olorem" }, { "@timestamp": "2019-10-25T21:09:57.000Z", @@ -3925,7 +4135,9 @@ "10.170.252.219" ], "destination.port": 2454, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3945,6 +4157,9 @@ "10.180.180.230", "10.170.252.219" ], + "related.user": [ + "orumSec" + ], "rsa.counters.dclass_c1": 2292, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -3971,9 +4186,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "orumSec" - ] + "user.name": "orumSec" }, { "@timestamp": "2019-11-09T04:12:32.000Z", @@ -3981,7 +4194,9 @@ "10.83.119.181" ], "destination.port": 5693, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4001,6 +4216,9 @@ "10.123.74.66", "10.83.119.181" ], + "related.user": [ + "ursin" + ], "rsa.counters.dclass_c1": 1629, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -4027,9 +4245,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ursin" - ] + "user.name": "ursin" }, { "@timestamp": "2019-11-23T11:15:06.000Z", 
@@ -4037,7 +4253,9 @@ "10.141.143.56" ], "destination.port": 2442, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4057,6 +4275,9 @@ "10.141.143.56", "10.225.255.211" ], + "related.user": [ + "aaliq" + ], "rsa.counters.dclass_c1": 5104, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -4083,9 +4304,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aaliq" - ] + "user.name": "aaliq" }, { "@timestamp": "2019-12-07T18:17:40.000Z", @@ -4093,7 +4312,9 @@ "10.219.1.151" ], "destination.port": 4323, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4113,6 +4334,9 @@ "10.219.1.151", "10.250.81.189" ], + "related.user": [ + "olup" + ], "rsa.counters.dclass_c1": 3006, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -4139,9 +4363,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "olup" - ] + "user.name": "olup" }, { "@timestamp": "2019-12-22T01:20:14.000Z", @@ -4149,7 +4371,9 @@ "10.189.42.62" ], "destination.port": 4262, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4166,8 +4390,11 @@ "observer.vendor": "Fortinet", "process.pid": 2780, "related.ip": [ - "10.36.110.69", - "10.189.42.62" + "10.189.42.62", + "10.36.110.69" + ], + "related.user": [ + "roquisq" ], "rsa.counters.dclass_c1": 2563, "rsa.counters.dclass_c1_str": "block_count", @@ -4195,9 +4422,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "roquisq" - ] + "user.name": "roquisq" }, { "@timestamp": "2020-01-05T08:22:49.000Z", 
@@ -4205,7 +4430,9 @@ "10.202.132.214" ], "destination.port": 3392, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4225,6 +4452,9 @@ "10.202.132.214", "10.179.147.45" ], + "related.user": [ + "stquidol" + ], "rsa.counters.dclass_c1": 3575, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -4251,9 +4481,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "stquidol" - ] + "user.name": "stquidol" }, { "@timestamp": "2020-01-19T15:25:23.000Z", @@ -4261,7 +4489,9 @@ "10.169.98.165" ], "destination.port": 6084, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4278,8 +4508,11 @@ "observer.vendor": "Fortinet", "process.pid": 2280, "related.ip": [ - "10.169.98.165", - "10.51.221.217" + "10.51.221.217", + "10.169.98.165" + ], + "related.user": [ + "metco" ], "rsa.counters.dclass_c1": 3630, "rsa.counters.dclass_c1_str": "block_count", @@ -4307,9 +4540,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "metco" - ] + "user.name": "metco" }, { "@timestamp": "2020-02-02T22:27:57.000Z", @@ -4317,7 +4548,9 @@ "10.85.104.146" ], "destination.port": 4438, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4337,6 +4570,9 @@ "10.85.104.146", "10.243.6.41" ], + "related.user": [ + "emacc" + ], "rsa.counters.dclass_c1": 73, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -4363,9 +4599,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "emacc" - ] + "user.name": "emacc" }, { "@timestamp": "2020-02-17T05:30:32.000Z", 
@@ -4373,7 +4607,9 @@ "10.30.246.132" ], "destination.port": 388, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4390,8 +4626,11 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.ip": [ - "10.208.18.210", - "10.30.246.132" + "10.30.246.132", + "10.208.18.210" + ], + "related.user": [ + "osqu" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "block_count", @@ -4419,9 +4658,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "osqu" - ] + "user.name": "osqu" }, { "@timestamp": "2020-03-03T12:33:06.000Z", @@ -4429,7 +4666,9 @@ "10.167.9.200" ], "destination.port": 4568, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4449,6 +4688,9 @@ "10.167.9.200", "10.37.174.58" ], + "related.user": [ + "tvol" + ], "rsa.counters.dclass_c1": 4337, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -4475,9 +4717,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "tvol" - ] + "user.name": "tvol" }, { "@timestamp": "2020-03-17T19:35:40.000Z", @@ -4485,7 +4725,9 @@ "10.251.29.244" ], "destination.port": 919, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4505,6 +4747,9 @@ "10.221.220.148", "10.251.29.244" ], + "related.user": [ + "ptate" + ], "rsa.counters.dclass_c1": 355, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -4531,9 +4776,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ptate" - ] + "user.name": "ptate" }, { "@timestamp": "2020-04-01T02:38:14.000Z", 
@@ -4541,7 +4784,9 @@ "10.189.82.19" ], "destination.port": 4057, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4561,6 +4806,9 @@ "10.198.143.216", "10.189.82.19" ], + "related.user": [ + "iamqui" + ], "rsa.counters.dclass_c1": 5914, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -4587,9 +4835,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "iamqui" - ] + "user.name": "iamqui" }, { "@timestamp": "2020-04-15T09:40:49.000Z", @@ -4597,7 +4843,9 @@ "10.70.29.203" ], "destination.port": 6317, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4617,6 +4865,9 @@ "10.70.29.203", "10.141.216.14" ], + "related.user": [ + "dese" + ], "rsa.counters.dclass_c1": 2465, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -4643,9 +4894,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "dese" - ] + "user.name": "dese" }, { "@timestamp": "2020-04-29T16:43:23.000Z", @@ -4653,7 +4902,9 @@ "10.137.85.123" ], "destination.port": 7073, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4673,6 +4924,9 @@ "10.137.85.123", "10.183.243.246" ], + "related.user": [ + "idatat" + ], "rsa.counters.dclass_c1": 4248, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -4699,9 +4953,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "idatat" - ] + "user.name": "idatat" }, { "@timestamp": "2020-05-13T23:45:57.000Z", 
@@ -4709,7 +4961,9 @@ "10.158.54.131" ], "destination.port": 1585, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4726,8 +4980,11 @@ "observer.vendor": "Fortinet", "process.pid": 7353, "related.ip": [ - "10.10.86.55", - "10.158.54.131" + "10.158.54.131", + "10.10.86.55" + ], + "related.user": [ + "tatevel" ], "rsa.counters.dclass_c1": 7608, "rsa.counters.dclass_c1_str": "block_count", @@ -4755,9 +5012,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "tatevel" - ] + "user.name": "tatevel" }, { "@timestamp": "2020-05-28T06:48:31.000Z", @@ -4765,7 +5020,9 @@ "10.187.170.23" ], "destination.port": 3220, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4782,8 +5039,11 @@ "observer.vendor": "Fortinet", "process.pid": 7182, "related.ip": [ - "10.105.136.146", - "10.187.170.23" + "10.187.170.23", + "10.105.136.146" + ], + "related.user": [ + "uatu" ], "rsa.counters.dclass_c1": 5957, "rsa.counters.dclass_c1_str": "block_count", @@ -4811,9 +5071,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "uatu" - ] + "user.name": "uatu" }, { "@timestamp": "2020-06-11T13:51:06.000Z", @@ -4821,7 +5079,9 @@ "10.125.166.198" ], "destination.port": 6301, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4841,6 +5101,9 @@ "10.125.166.198", "10.114.211.238" ], + "related.user": [ + "sumquiad" + ], "rsa.counters.dclass_c1": 111, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -4867,9 +5130,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "sumquiad" - ] + "user.name": "sumquiad" }, { "@timestamp": "2020-06-25T20:53:40.000Z", 
@@ -4877,7 +5138,9 @@ "10.209.239.122" ], "destination.port": 1450, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4897,6 +5160,9 @@ "10.29.7.142", "10.209.239.122" ], + "related.user": [ + "atatnon" + ], "rsa.counters.dclass_c1": 3307, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -4923,9 +5189,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "atatnon" - ] + "user.name": "atatnon" }, { "@timestamp": "2020-07-10T03:56:14.000Z", @@ -4933,7 +5197,9 @@ "10.146.57.23" ], "destination.port": 5483, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4950,8 +5216,11 @@ "observer.vendor": "Fortinet", "process.pid": 5772, "related.ip": [ - "10.146.57.23", - "10.144.109.148" + "10.144.109.148", + "10.146.57.23" + ], + "related.user": [ + "xerc" ], "rsa.counters.dclass_c1": 6552, "rsa.counters.dclass_c1_str": "block_count", @@ -4979,9 +5248,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "xerc" - ] + "user.name": "xerc" }, { "@timestamp": "2019-07-24T10:58:48.000Z", @@ -4989,7 +5256,9 @@ "10.11.2.200" ], "destination.port": 7541, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5009,6 +5278,9 @@ "10.69.230.223", "10.11.2.200" ], + "related.user": [ + "uatu" + ], "rsa.counters.dclass_c1": 7154, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -5035,9 +5307,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "uatu" - ] + "user.name": "uatu" }, { "@timestamp": "2019-08-07T18:01:23.000Z", 
@@ -5045,7 +5315,9 @@ "10.120.148.241" ], "destination.port": 1655, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5065,6 +5337,9 @@ "10.100.154.220", "10.120.148.241" ], + "related.user": [ + "orsitvol" + ], "rsa.counters.dclass_c1": 4047, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", @@ -5091,9 +5366,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "orsitvol" - ] + "user.name": "orsitvol" }, { "@timestamp": "2019-08-22T01:03:57.000Z", @@ -5101,7 +5374,9 @@ "10.90.50.149" ], "destination.port": 7260, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5121,6 +5396,9 @@ "10.90.50.149", "10.153.166.133" ], + "related.user": [ + "porissu" + ], "rsa.counters.dclass_c1": 5213, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -5147,9 +5425,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "porissu" - ] + "user.name": "porissu" }, { "@timestamp": "2019-09-05T08:06:31.000Z", @@ -5157,7 +5433,9 @@ "10.117.190.234" ], "destination.port": 7475, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5177,6 +5455,9 @@ "10.230.130.3", "10.117.190.234" ], + "related.user": [ + "ttenb" + ], "rsa.counters.dclass_c1": 5360, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -5203,9 +5484,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "ttenb" - ] + "user.name": "ttenb" }, { "@timestamp": "2019-09-19T15:09:05.000Z", 
@@ -5213,7 +5492,9 @@ "10.203.117.6" ], "destination.port": 2510, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5233,6 +5514,9 @@ "10.55.103.200", "10.203.117.6" ], + "related.user": [ + "enbyCic" + ], "rsa.counters.dclass_c1": 1119, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -5259,9 +5543,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "enbyCic" - ] + "user.name": "enbyCic" }, { "@timestamp": "2019-10-03T22:11:40.000Z", @@ -5269,7 +5551,9 @@ "10.75.122.228" ], "destination.port": 5, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5289,6 +5573,9 @@ "10.75.122.228", "10.244.52.142" ], + "related.user": [ + "isciv" + ], "rsa.counters.dclass_c1": 2894, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", @@ -5315,9 +5602,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "isciv" - ] + "user.name": "isciv" }, { "@timestamp": "2019-10-18T05:14:14.000Z", @@ -5325,7 +5610,9 @@ "10.119.143.168" ], "destination.port": 4131, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5345,6 +5632,9 @@ "10.7.142.212", "10.119.143.168" ], + "related.user": [ + "oinven" + ], "rsa.counters.dclass_c1": 1612, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", @@ -5371,9 +5661,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "oinven" - ] + "user.name": "oinven" }, { "@timestamp": "2019-11-01T12:16:48.000Z", 
@@ -5381,7 +5669,9 @@ "10.252.146.103" ], "destination.port": 5995, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5401,6 +5691,9 @@ "10.116.105.31", "10.252.146.103" ], + "related.user": [ + "rsint" + ], "rsa.counters.dclass_c1": 3194, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", @@ -5427,9 +5720,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "rsint" - ] + "user.name": "rsint" }, { "@timestamp": "2019-11-15T19:19:22.000Z", @@ -5437,7 +5728,9 @@ "10.213.41.210" ], "destination.port": 3626, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5457,6 +5750,9 @@ "10.163.239.13", "10.213.41.210" ], + "related.user": [ + "aedictas" + ], "rsa.counters.dclass_c1": 4955, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", @@ -5483,9 +5779,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aedictas" - ] + "user.name": "aedictas" }, { "@timestamp": "2019-11-30T02:21:57.000Z", @@ -5493,7 +5787,9 @@ "10.190.36.112" ], "destination.port": 4829, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5510,8 +5806,11 @@ "observer.vendor": "Fortinet", "process.pid": 3793, "related.ip": [ - "10.184.109.84", - "10.190.36.112" + "10.190.36.112", + "10.184.109.84" + ], + "related.user": [ + "uat" ], "rsa.counters.dclass_c1": 5630, "rsa.counters.dclass_c1_str": "block_count", @@ -5539,9 +5838,7 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "uat" - ] + "user.name": "uat" }, { "@timestamp": "2019-12-14T09:24:31.000Z", 
@@ -5549,7 +5846,9 @@ "10.19.21.239" ], "destination.port": 6995, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5566,8 +5865,11 @@ "observer.vendor": "Fortinet", "process.pid": 5985, "related.ip": [ - "10.19.21.239", - "10.175.181.138" + "10.175.181.138", + "10.19.21.239" + ], + "related.user": [ + "aliqu" ], "rsa.counters.dclass_c1": 3326, "rsa.counters.dclass_c1_str": "block_count", @@ -5595,8 +5897,6 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": [ - "aliqu" - ] + "user.name": "aliqu" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index f94eda77dd3..bddc5fe26ae 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md @@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-08 16:42:01.767573 +0000 UTC. +at 2020-07-08 17:36:28.364048 +0000 UTC. diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js +++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
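Review bot: The `user.name` priorities introduced in this hunk and in the hunks at -982, -1015 and -1030 are bare magic numbers (`user` 0, `username` 1, `c_username` 2, `uid` 3, `administrator` 4, `logon_id` 5, `owner` 6, `service_account` 7, `c_user_name` 8), and nothing in the table says which direction `fld_prio` resolves or why `uid`, which reads like an identifier rather than a name, outranks `administrator`. A comment above the first such entry, `// user.name keeps one value, picked by fld_prio (check fld_prio for which prio wins); every source is also appended to related.user so all names stay searchable`, would let the next reader audit the order without tracing the setters. Since the module README in this diff says the module is autogenerated, the comment and the priority list presumably belong in the generator rather than in this copy. Separately, moving `action` from `fld_set` to `fld_append` makes `event.action` an array even for a single value, as the regenerated fixtures show (`"event.action": ["deny"]`); that is a visible shape change for consumers and worth calling out in the commit message.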
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
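Review bot: `event_type` now appends to `event.action` instead of setting `event.category`, so the vendor's free-text event class and the action verb end up in the same field; the regenerated Imperva fixture shows pairs like `["cancel", "Login"]` and `["Logout", "block"]`, with the order differing between records. Leaving `event.category` is sound, since ECS documents a fixed set of allowed values for it and strings like `Login` do not belong there, but mixing a category into `event.action` means a terms aggregation or a rule keyed on `event.action` now sees vendor classes next to `deny`/`allow`. The same value is still kept in `rsa.misc.event_type` in the fixture, so either drop the `event.action` target here or add a short comment on this entry explaining why both belong in `event.action`.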
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
index 9e35e293cee..2d8e3330f89 100644
--- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
@@ -4,8 +4,10 @@ "10.70.155.35" ], "destination.port": 892, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -20,8 +22,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.70.155.35", - "10.81.122.126" + "10.81.122.126", + "10.70.155.35" + ], + "related.user": [ + "tatno", + "aqui", + "magn" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -51,14 +58,12 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "magn", - "aqui", - "tatno" - ] + "user.name": "tatno" }, { - "event.category": "erep", + "event.action": [ + "erep" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -70,6 +75,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "temq" + ], "rsa.internal.event_desc": "eacomm", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "erep", @@ -80,17 +88,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "temq" - ] + "user.name": "temq" }, { "destination.ip": [ "10.58.116.231" ], "destination.port": 996, - "event.action": "accept", - "event.category": "rumet", + "event.action": [ + "rumet", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -107,6 +115,11 @@ "10.58.116.231", "10.159.182.171" ], + "related.user": [ + "qua", + "temUten", + "uradi" + ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "aveniam", 
@@ -131,19 +144,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "uradi", - "temUten", - "qua" - ] + "user.name": "qua" }, { "destination.ip": [ "10.157.161.103" ], "destination.port": 4782, - "event.action": "deny", - "event.category": "liquide", + "event.action": [ + "liquide", + "deny" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -160,16 +171,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.64.70.5", - "10.157.161.103" + "10.157.161.103", + "10.64.70.5" + ], + "related.user": [ + "emeumfu", + "CSed", + "tem" ], "rsa.counters.event_counter": 3561, "rsa.db.database": "lupt", "rsa.internal.event_desc": "tat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "taut" + "taut", + "deny" ], "rsa.misc.category": "tion", "rsa.misc.disposition": "eataev", @@ -197,19 +213,17 @@ ], "url.original": "https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium", "url.query": "iciatisu", - "user.name": [ - "tem", - "emeumfu", - "CSed" - ] + "user.name": "tem" }, { "destination.ip": [ "10.230.76.224" ], "destination.port": 5715, - "event.action": "accept", - "event.category": "remagn", + "event.action": [ + "accept", + "remagn" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -229,6 +243,11 @@ "10.230.76.224", "10.47.202.102" ], + "related.user": [ + "hitect", + "dol", + "tlabori" + ], "rsa.counters.event_counter": 3339, "rsa.db.database": "leumiu", "rsa.internal.event_desc": "atDu", 
@@ -262,19 +281,17 @@ ], "url.original": "https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu", "url.query": "ice", - "user.name": [ - "dol", - "tlabori", - "hitect" - ] + "user.name": "tlabori" }, { "destination.ip": [ "10.10.38.139" ], "destination.port": 189, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -292,6 +309,11 @@ "10.32.67.231", "10.10.38.139" ], + "related.user": [ + "itame", + "adeseru", + "ari" + ], "rsa.counters.dclass_c1": 2628, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "itanimi", @@ -320,19 +342,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "adeseru", - "itame", - "ari" - ] + "user.name": "ari" }, { "destination.ip": [ "10.133.189.215" ], "destination.port": 7865, - "event.action": "block", - "event.category": "tmo", + "event.action": [ + "tmo", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -349,6 +369,11 @@ "10.133.189.215", "10.206.97.204" ], + "related.user": [ + "fugitse", + "evita", + "ommodico" + ], "rsa.counters.dclass_c1": 4842, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "colab", @@ -373,19 +398,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "fugitse", - "ommodico", - "evita" - ] + "user.name": "evita" }, { "destination.ip": [ "10.145.248.111" ], "destination.port": 95, - "event.action": "deny", - "event.category": "Login", + "event.action": [ + "deny", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -403,6 +426,11 @@ "10.148.106.167", "10.145.248.111" ], + "related.user": [ + "tectobe", + "uae", + "tium" + ], "rsa.counters.dclass_c1": 3994, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "tco", 
@@ -431,19 +459,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "uae", - "tium", - "tectobe" - ] + "user.name": "tectobe" }, { "destination.ip": [ "10.77.52.83" ], "destination.port": 2646, - "event.action": "accept", - "event.category": "Login", + "event.action": [ + "accept", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -461,6 +487,11 @@ "10.7.46.36", "10.77.52.83" ], + "related.user": [ + "atno", + "ccaec", + "upta" + ], "rsa.counters.dclass_c1": 1458, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "tae", @@ -489,19 +520,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ccaec", - "atno", - "upta" - ] + "user.name": "atno" }, { "destination.ip": [ "10.221.102.245" ], "destination.port": 337, - "event.action": "block", - "event.category": "Logout", + "event.action": [ + "Logout", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -519,6 +548,11 @@ "10.221.102.245", "10.43.226.231" ], + "related.user": [ + "rinre", + "eFi", + "ritatise" + ], "rsa.counters.dclass_c1": 302, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "uisa", @@ -547,19 +581,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ritatise", - "eFi", - "rinre" - ] + "user.name": "rinre" }, { "destination.ip": [ "10.239.96.8" ], "destination.port": 6223, - "event.action": "allow", - "event.category": "Login", + "event.action": [ + "allow", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -574,8 +606,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.239.96.8", - "10.56.136.27" + "10.56.136.27", + "10.239.96.8" + ], + "related.user": [ + "atevelit", + "nts", + "orsitam" ], "rsa.counters.dclass_c1": 3714, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -605,19 +642,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "orsitam", - "atevelit", - "nts" - ] + "user.name": "atevelit" }, { "destination.ip": [ "10.10.216.74" ], "destination.port": 7231, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -635,6 +670,11 @@ "10.10.216.74", "10.147.76.202" ], + "related.user": [ + "oeni", + "sit", + "ctetura" + ], "rsa.counters.dclass_c1": 5313, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "uptatema", @@ -663,19 +703,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ctetura", - "oeni", - "sit" - ] + "user.name": "sit" }, { "destination.ip": [ "10.177.219.214" ], "destination.port": 2300, - "event.action": "cancel", - "event.category": "nBCSedut", + "event.action": [ + "nBCSedut", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -695,6 +733,11 @@ "10.177.219.214", "10.123.199.236" ], + "related.user": [ + "rum", + "emUteni", + "texpli" + ], "rsa.counters.event_counter": 5653, "rsa.db.database": "gnaaliqu", "rsa.internal.event_desc": "ian", @@ -729,19 +772,17 @@ ], "url.original": "https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl", "url.query": "por", - "user.name": [ - "rum", - "emUteni", - "texpli" - ] + "user.name": "texpli" }, { "destination.ip": [ "10.110.114.175" ], "destination.port": 2639, - "event.action": "allow", - "event.category": "Login", + "event.action": [ + "allow", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -759,6 +800,11 @@ "10.20.72.231", "10.110.114.175" ], + "related.user": [ + "snost", + "upt", + "imide" + ], "rsa.counters.dclass_c1": 5798, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "siu", 
@@ -787,19 +833,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "upt", - "snost", - "imide" - ] + "user.name": "upt" }, { "destination.ip": [ "10.230.206.60" ], "destination.port": 3684, - "event.action": "deny", - "event.category": "Login", + "event.action": [ + "deny", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -817,6 +861,11 @@ "10.230.206.60", "10.111.90.75" ], + "related.user": [ + "rem", + "aincidu", + "rcitat" + ], "rsa.counters.dclass_c1": 1264, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "usc", @@ -845,19 +894,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "rcitat", - "aincidu", - "rem" - ] + "user.name": "aincidu" }, { "destination.ip": [ "10.154.53.249" ], "destination.port": 1513, - "event.action": "accept", - "event.category": "uisa", + "event.action": [ + "accept", + "uisa" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -874,8 +921,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.186.77.109", - "10.154.53.249" + "10.154.53.249", + "10.186.77.109" + ], + "related.user": [ + "erun", + "dutpers", + "est" ], "rsa.counters.event_counter": 5380, "rsa.db.database": "orisn", @@ -910,19 +962,17 @@ ], "url.original": "https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant", "url.query": "onse", - "user.name": [ - "erun", - "dutpers", - "est" - ] + "user.name": "est" }, { "destination.ip": [ "10.201.164.145" ], "destination.port": 2700, - "event.action": "allow", - "event.category": "Login", + "event.action": [ + "allow", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -937,8 +987,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.164.145", - "10.111.233.194" + "10.111.233.194", + "10.201.164.145" + ], + "related.user": [ + "ullamcor", + "sequa", + "miurerep" ], "rsa.counters.dclass_c1": 6595, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -968,19 +1023,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "miurerep", - "ullamcor", - "sequa" - ] + "user.name": "sequa" }, { "destination.ip": [ "10.241.230.235" ], "destination.port": 3421, - "event.action": "accept", - "event.category": "ssecil", + "event.action": [ + "ssecil", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1000,13 +1053,18 @@ "10.241.230.235", "10.57.164.187" ], + "related.user": [ + "olorsit", + "scingeli", + "isn" + ], "rsa.counters.event_counter": 3317, "rsa.db.database": "sBono", "rsa.internal.event_desc": "llamco", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "olorem", - "accept" + "accept", + "olorem" ], "rsa.misc.category": "atu", "rsa.misc.disposition": "untincul", @@ -1034,19 +1092,17 @@ ], "url.original": "https://example.org/emqu/riss.gif?sitvol=dolore#nsequat", "url.query": "olorsi", - "user.name": [ - "olorsit", - "scingeli", - "isn" - ] + "user.name": "olorsit" }, { "destination.ip": [ "10.79.147.101" ], "destination.port": 1280, - "event.action": "deny", - "event.category": "Login", + "event.action": [ + "deny", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1064,6 +1120,11 @@ "10.105.46.101", "10.79.147.101" ], + "related.user": [ + "cingel", + "uptat", + "ddoeius" + ], "rsa.counters.dclass_c1": 6068, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "hil", 
@@ -1092,19 +1153,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "cingel", - "ddoeius", - "uptat" - ] + "user.name": "uptat" }, { "destination.ip": [ "10.49.71.118" ], "destination.port": 4322, - "event.action": "cancel", - "event.category": "eprehend", + "event.action": [ + "cancel", + "eprehend" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1124,13 +1183,18 @@ "10.102.166.19", "10.49.71.118" ], + "related.user": [ + "eritin", + "udan", + "aincidun" + ], "rsa.counters.event_counter": 7731, "rsa.db.database": "yCic", "rsa.internal.event_desc": "caboNemo", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uto", - "cancel" + "cancel", + "uto" ], "rsa.misc.category": "dexerc", "rsa.misc.disposition": "strumex", @@ -1158,19 +1222,17 @@ ], "url.original": "https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela", "url.query": "ntexplic", - "user.name": [ - "eritin", - "udan", - "aincidun" - ] + "user.name": "aincidun" }, { "destination.ip": [ "10.28.153.102" ], "destination.port": 6366, - "event.action": "allow", - "event.category": "plic", + "event.action": [ + "allow", + "plic" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1187,6 +1249,11 @@ "10.50.222.68", "10.28.153.102" ], + "related.user": [ + "tas", + "amali", + "rsita" + ], "rsa.counters.dclass_c1": 4527, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "undeomni", @@ -1211,19 +1278,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "rsita", - "amali", - "tas" - ] + "user.name": "rsita" }, { "destination.ip": [ "10.199.169.48" ], "destination.port": 6443, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -1238,8 +1303,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.46.192.198", - "10.199.169.48" + "10.199.169.48", + "10.46.192.198" + ], + "related.user": [ + "imadmini", + "oditempo", + "rumetMal" ], "rsa.counters.dclass_c1": 4128, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1269,19 +1339,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "imadmini", - "oditempo", - "rumetMal" - ] + "user.name": "imadmini" }, { "destination.ip": [ "10.201.81.46" ], "destination.port": 6515, - "event.action": "block", - "event.category": "BCS", + "event.action": [ + "block", + "BCS" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1301,13 +1369,18 @@ "10.251.1.35", "10.201.81.46" ], + "related.user": [ + "niam", + "est", + "agnaaliq" + ], "rsa.counters.event_counter": 2001, "rsa.db.database": "mquisno", "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "amc", - "block" + "block", + "amc" ], "rsa.misc.category": "ever", "rsa.misc.disposition": "tali", @@ -1335,19 +1408,17 @@ ], "url.original": "https://example.com/admi/onnu.gif?saute=atatnon#tcupida", "url.query": "isa", - "user.name": [ - "niam", - "est", - "agnaaliq" - ] + "user.name": "niam" }, { "destination.ip": [ "10.7.81.204" ], "destination.port": 3984, - "event.action": "accept", - "event.category": "uradi", + "event.action": [ + "accept", + "uradi" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1367,13 +1438,18 @@ "10.7.81.204", "10.131.82.68" ], + "related.user": [ + "ersp", + "amnisi", + "ulap" + ], "rsa.counters.event_counter": 1710, "rsa.db.database": "nrepreh", "rsa.internal.event_desc": "nimad", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "prehe", - "accept" + "accept", + "prehe" ], "rsa.misc.category": "ataevita", "rsa.misc.disposition": "oremqu", 
@@ -1400,19 +1476,17 @@ ], "url.original": "https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes", "url.query": "lmolesti", - "user.name": [ - "ersp", - "ulap", - "amnisi" - ] + "user.name": "ersp" }, { "destination.ip": [ "10.94.132.21" ], "destination.port": 2945, - "event.action": "deny", - "event.category": "Login", + "event.action": [ + "deny", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1430,6 +1504,11 @@ "10.94.132.21", "10.114.193.232" ], + "related.user": [ + "nse", + "odi", + "eetdo" + ], "rsa.counters.dclass_c1": 6784, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "seddoeiu", @@ -1458,19 +1537,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "eetdo", - "odi", - "nse" - ] + "user.name": "odi" }, { "destination.ip": [ "10.44.226.104" ], "destination.port": 7020, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "Logout", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1485,8 +1562,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.44.226.104", - "10.9.56.220" + "10.9.56.220", + "10.44.226.104" + ], + "related.user": [ + "autf", + "nse", + "reseosq" ], "rsa.counters.dclass_c1": 5380, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1516,19 +1598,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "nse", - "autf", - "reseosq" - ] + "user.name": "nse" }, { "destination.ip": [ "10.48.209.115" ], "destination.port": 3450, - "event.action": "cancel", - "event.category": "Logout", + "event.action": [ + "Logout", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -1543,8 +1623,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.33.195.166", - "10.48.209.115" + "10.48.209.115", + "10.33.195.166" + ], + "related.user": [ + "iamea", + "aconsequ", + "umiurer" ], "rsa.counters.dclass_c1": 3249, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1574,19 +1659,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "iamea", - "umiurer", - "aconsequ" - ] + "user.name": "aconsequ" }, { "destination.ip": [ "10.85.137.156" ], "destination.port": 2763, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "Logout", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1604,6 +1687,11 @@ "10.188.121.11", "10.85.137.156" ], + "related.user": [ + "etMaloru", + "orumSe", + "olori" + ], "rsa.counters.dclass_c1": 2491, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "uamqu", @@ -1632,19 +1720,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "olori", - "etMaloru", - "orumSe" - ] + "user.name": "orumSe" }, { "destination.ip": [ "10.238.245.236" ], "destination.port": 3575, - "event.action": "cancel", - "event.category": "tnul", + "event.action": [ + "tnul", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1661,6 +1747,11 @@ "10.238.245.236", "10.45.215.202" ], + "related.user": [ + "gia", + "stquidol", + "ihilmole" + ], "rsa.counters.dclass_c1": 7822, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "quas", 
@@ -1685,19 +1776,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "stquidol", - "ihilmole", - "gia" - ] + "user.name": "stquidol" }, { "destination.ip": [ "10.213.109.180" ], "destination.port": 6536, - "event.action": "accept", - "event.category": "Login", + "event.action": [ + "Login", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1715,6 +1804,11 @@ "10.213.109.180", "10.222.85.95" ], + "related.user": [ + "emp", + "essequam", + "etdolor" + ], "rsa.counters.dclass_c1": 2905, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "dant", @@ -1743,19 +1837,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "etdolor", - "emp", - "essequam" - ] + "user.name": "essequam" }, { "destination.ip": [ "10.229.165.102" ], "destination.port": 2069, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "Login", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1773,6 +1865,11 @@ "10.229.165.102", "10.18.225.139" ], + "related.user": [ + "lestia", + "orum", + "edquian" + ], "rsa.counters.dclass_c1": 3553, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "mquido", @@ -1801,19 +1898,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "lestia", - "orum", - "edquian" - ] + "user.name": "lestia" }, { "destination.ip": [ "10.119.4.120" ], "destination.port": 3822, - "event.action": "accept", - "event.category": "turadip", + "event.action": [ + "accept", + "turadip" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1830,6 +1925,11 @@ "10.119.4.120", "10.63.177.46" ], + "related.user": [ + "itseddo", + "veleumi", + "ptassita" + ], "rsa.counters.dclass_c1": 5719, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "olorsi", 
@@ -1854,19 +1954,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ptassita", - "itseddo", - "veleumi" - ] + "user.name": "veleumi" }, { "destination.ip": [ "10.189.6.107" ], "destination.port": 767, - "event.action": "allow", - "event.category": "Logout", + "event.action": [ + "Logout", + "allow" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1884,6 +1982,11 @@ "10.189.6.107", "10.50.69.209" ], + "related.user": [ + "exerci", + "eirur", + "isci" + ], "rsa.counters.dclass_c1": 1684, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "lore", @@ -1912,19 +2015,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "exerci", - "isci", - "eirur" - ] + "user.name": "exerci" }, { "destination.ip": [ "10.74.166.70" ], "destination.port": 1453, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "accept", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1942,6 +2043,11 @@ "10.74.166.70", "10.88.176.226" ], + "related.user": [ + "olor", + "ender", + "roinBCSe" + ], "rsa.counters.dclass_c1": 723, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "oluptat", @@ -1970,19 +2076,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ender", - "olor", - "roinBCSe" - ] + "user.name": "olor" }, { "destination.ip": [ "10.123.56.46" ], "destination.port": 6729, - "event.action": "cancel", - "event.category": "Logout", + "event.action": [ + "Logout", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2000,6 +2104,11 @@ "10.123.56.46", "10.182.181.162" ], + "related.user": [ + "oreseo", + "uid", + "sit" + ], "rsa.counters.dclass_c1": 6438, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "lesti", 
@@ -2028,19 +2137,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "oreseo", - "uid", - "sit" - ] + "user.name": "sit" }, { "destination.ip": [ "10.169.124.164" ], "destination.port": 62, - "event.action": "accept", - "event.category": "lesti", + "event.action": [ + "accept", + "lesti" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2054,10 +2161,15 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.169.124.164", - "10.176.83.7" + "10.176.83.7", + "10.169.124.164" ], - "rsa.counters.dclass_c1": 2894, + "related.user": [ + "iamqui", + "hilmole", + "dolor" + ], + "rsa.counters.dclass_c1": 2894, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "its", "rsa.db.index": "nimaveni", @@ -2081,19 +2193,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "dolor", - "iamqui", - "hilmole" - ] + "user.name": "iamqui" }, { "destination.ip": [ "10.87.238.169" ], "destination.port": 1598, - "event.action": "block", - "event.category": "Logout", + "event.action": [ + "Logout", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2108,8 +2218,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.87.238.169", - "10.173.125.112" + "10.173.125.112", + "10.87.238.169" + ], + "related.user": [ + "iusmodt", + "itaedict", + "CSedu" ], "rsa.counters.dclass_c1": 7780, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2139,19 +2254,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "itaedict", - "CSedu", - "iusmodt" - ] + "user.name": "CSedu" }, { "destination.ip": [ "10.245.219.7" ], "destination.port": 4792, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -2166,8 +2279,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.245.219.7", - "10.53.133.90" + "10.53.133.90", + "10.245.219.7" + ], + "related.user": [ + "rsit", + "ptatev", + "nvol" ], "rsa.counters.dclass_c1": 6066, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2197,19 +2315,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "rsit", - "ptatev", - "nvol" - ] + "user.name": "rsit" }, { "destination.ip": [ "10.67.173.228" ], "destination.port": 4444, - "event.action": "block", - "event.category": "aliqui", + "event.action": [ + "aliqui", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2226,8 +2342,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.67.173.228", - "10.161.64.168" + "10.161.64.168", + "10.67.173.228" + ], + "related.user": [ + "nesci", + "tam", + "onsectet" ], "rsa.counters.event_counter": 2448, "rsa.db.database": "sin", @@ -2263,19 +2384,17 @@ ], "url.original": "https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp", "url.query": "ommo", - "user.name": [ - "onsectet", - "nesci", - "tam" - ] + "user.name": "onsectet" }, { "destination.ip": [ "10.90.50.149" ], "destination.port": 1936, - "event.action": "block", - "event.category": "Logout", + "event.action": [ + "Logout", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2290,8 +2409,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.90.50.149", - "10.168.225.209" + "10.168.225.209", + "10.90.50.149" + ], + "related.user": [ + "olupta", + "olu", + "aUtenima" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2321,19 +2445,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "olupta", - "aUtenima", - "olu" - ] + "user.name": "olu" }, { "destination.ip": [ "10.59.182.36" ], "destination.port": 5792, - "event.action": "allow", - "event.category": "Login", + "event.action": [ + "allow", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2351,6 +2473,11 @@ "10.59.182.36", "10.18.150.82" ], + "related.user": [ + "qua", + "mtota", + "luptat" + ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "quelaud", @@ -2379,14 +2506,12 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "qua", - "luptat", - "mtota" - ] + "user.name": "mtota" }, { - "event.category": "ulamcola", + "event.action": [ + "ulamcola" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2398,6 +2523,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "llita" + ], "rsa.internal.event_desc": "nturmag", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "ulamcola", @@ -2408,17 +2536,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "llita" - ] + "user.name": "llita" }, { "destination.ip": [ "10.52.190.18" ], "destination.port": 4411, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2436,6 +2564,11 @@ "10.52.190.18", "10.198.142.81" ], + "related.user": [ + "upta", + "secte", + "ciati" + ], "rsa.counters.dclass_c1": 1063, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "inibus", 
@@ -2464,19 +2597,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "upta", - "ciati", - "secte" - ] + "user.name": "ciati" }, { "destination.ip": [ "10.49.169.175" ], "destination.port": 5020, - "event.action": "cancel", - "event.category": "strumex", + "event.action": [ + "cancel", + "strumex" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2496,13 +2627,18 @@ "10.97.108.108", "10.49.169.175" ], + "related.user": [ + "idolor", + "onpr", + "iquamqu" + ], "rsa.counters.event_counter": 4795, "rsa.db.database": "uira", "rsa.internal.event_desc": "velites", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "caboN", - "cancel" + "cancel", + "caboN" ], "rsa.misc.category": "oloremi", "rsa.misc.disposition": "edqui", @@ -2529,19 +2665,17 @@ ], "url.original": "https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor", "url.query": "sequa", - "user.name": [ - "onpr", - "idolor", - "iquamqu" - ] + "user.name": "iquamqu" }, { "destination.ip": [ "10.65.185.178" ], "destination.port": 7750, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "accept", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2556,8 +2690,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.65.185.178", - "10.96.216.244" + "10.96.216.244", + "10.65.185.178" + ], + "related.user": [ + "tvolup", + "assi", + "tin" ], "rsa.counters.dclass_c1": 5602, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2587,19 +2726,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "tvolup", - "tin", - "assi" - ] + "user.name": "tin" }, { "destination.ip": [ "10.223.71.185" ], "destination.port": 916, - "event.action": "allow", - "event.category": "deFini", + "event.action": [ + "allow", + "deFini" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -2613,8 +2750,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.33.181.176", - "10.223.71.185" + "10.223.71.185", + "10.33.181.176" + ], + "related.user": [ + "loremips", + "uptateve", + "atisetqu" ], "rsa.counters.dclass_c1": 3804, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2640,19 +2782,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "atisetqu", - "loremips", - "uptateve" - ] + "user.name": "uptateve" }, { "destination.ip": [ "10.238.252.246" ], "destination.port": 6289, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "Login", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2667,8 +2807,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.238.252.246", - "10.255.179.32" + "10.255.179.32", + "10.238.252.246" + ], + "related.user": [ + "iatn", + "iamea", + "olore" ], "rsa.counters.dclass_c1": 5626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2698,19 +2843,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "iamea", - "iatn", - "olore" - ] + "user.name": "iamea" }, { "destination.ip": [ "10.98.52.184" ], "destination.port": 7402, - "event.action": "cancel", - "event.category": "Logout", + "event.action": [ + "cancel", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2728,6 +2871,11 @@ "10.98.52.184", "10.28.124.136" ], + "related.user": [ + "billoi", + "icaboNe", + "umq" + ], "rsa.counters.dclass_c1": 4298, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "pariat", 
@@ -2756,19 +2904,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "billoi", - "umq", - "icaboNe" - ] + "user.name": "umq" }, { "destination.ip": [ "10.200.162.248" ], "destination.port": 1419, - "event.action": "deny", - "event.category": "Logout", + "event.action": [ + "Logout", + "deny" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2783,8 +2929,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.200.162.248", - "10.92.177.251" + "10.92.177.251", + "10.200.162.248" + ], + "related.user": [ + "billo", + "lumdol", + "cul" ], "rsa.counters.dclass_c1": 3914, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2814,19 +2965,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "cul", - "lumdol", - "billo" - ] + "user.name": "lumdol" }, { "destination.ip": [ "10.103.215.159" ], "destination.port": 1265, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2841,8 +2990,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.88.60.147", - "10.103.215.159" + "10.103.215.159", + "10.88.60.147" + ], + "related.user": [ + "mull", + "ueporr", + "seq" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2871,19 +3025,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ueporr", - "seq", - "mull" - ] + "user.name": "ueporr" }, { "destination.ip": [ "10.93.246.218" ], "destination.port": 4628, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "accept", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -2901,6 +3053,11 @@ "10.93.246.218", "10.229.190.11" ], + "related.user": [ + "cteturad", + "mtot", + "roinBCS" + ], "rsa.counters.dclass_c1": 1929, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "aloru", @@ -2929,19 +3086,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "mtot", - "roinBCS", - "cteturad" - ] + "user.name": "mtot" }, { "destination.ip": [ "10.89.16.162" ], "destination.port": 3056, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "Login", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2959,6 +3114,11 @@ "10.178.183.11", "10.89.16.162" ], + "related.user": [ + "atvol", + "taevitae", + "modit" + ], "rsa.counters.dclass_c1": 1449, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "riat", @@ -2987,19 +3147,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "modit", - "taevitae", - "atvol" - ] + "user.name": "taevitae" }, { "destination.ip": [ "10.67.129.100" ], "destination.port": 1961, - "event.action": "deny", - "event.category": "remque", + "event.action": [ + "remque", + "deny" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3019,6 +3177,11 @@ "10.67.129.100", "10.244.73.167" ], + "related.user": [ + "exerc", + "gnama", + "sunte" + ], "rsa.counters.event_counter": 2592, "rsa.db.database": "tasu", "rsa.internal.event_desc": "meaquei", @@ -3053,19 +3216,17 @@ ], "url.original": "https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat", "url.query": "mvol", - "user.name": [ - "sunte", - "exerc", - "gnama" - ] + "user.name": "gnama" }, { "destination.ip": [ "10.20.158.236" ], "destination.port": 4443, - "event.action": "deny", - "event.category": "Login", + "event.action": [ + "deny", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -3083,6 +3244,11 @@ "10.20.158.236", "10.52.221.103" ], + "related.user": [ + "dantium", + "aute", + "oinve" + ], "rsa.counters.dclass_c1": 6386, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "rors", @@ -3111,19 +3277,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "oinve", - "dantium", - "aute" - ] + "user.name": "dantium" }, { "destination.ip": [ "10.250.231.196" ], "destination.port": 5863, - "event.action": "block", - "event.category": "Logout", + "event.action": [ + "Logout", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3138,8 +3302,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.250.231.196", - "10.199.46.88" + "10.199.46.88", + "10.250.231.196" + ], + "related.user": [ + "equuntur", + "olup", + "utlabore" ], "rsa.counters.dclass_c1": 2867, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3169,19 +3338,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "utlabore", - "olup", - "equuntur" - ] + "user.name": "olup" }, { "destination.ip": [ "10.41.44.94" ], "destination.port": 702, - "event.action": "block", - "event.category": "Logout", + "event.action": [ + "block", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3196,8 +3363,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.49.122.64", - "10.41.44.94" + "10.41.44.94", + "10.49.122.64" + ], + "related.user": [ + "nim", + "suntincu", + "fugia" ], "rsa.counters.dclass_c1": 1508, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3227,19 +3399,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "fugia", - "suntincu", - "nim" - ] + "user.name": "nim" }, { "destination.ip": [ "10.101.60.188" ], "destination.port": 5558, - "event.action": "accept", - "event.category": "Login", + "event.action": [ + "Login", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3257,6 +3427,11 @@ "10.186.129.34", "10.101.60.188" ], + "related.user": [ + "eritquii", + "uptatem", + "itaed" + ], "rsa.counters.dclass_c1": 944, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "ionula", @@ -3285,19 +3460,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "uptatem", - "eritquii", - "itaed" - ] + "user.name": "uptatem" }, { "destination.ip": [ "10.184.199.84" ], "destination.port": 2057, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3315,6 +3488,11 @@ "10.138.191.99", "10.184.199.84" ], + "related.user": [ + "upt", + "cid", + "ationem" + ], "rsa.counters.dclass_c1": 3291, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "onevo", @@ -3343,19 +3521,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ationem", - "cid", - "upt" - ] + "user.name": "cid" }, { "destination.ip": [ "10.40.12.51" ], "destination.port": 5633, - "event.action": "cancel", - "event.category": "preh", + "event.action": [ + "preh", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -3372,16 +3548,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.40.12.51", - "10.27.120.57" + "10.27.120.57", + "10.40.12.51" + ], + "related.user": [ + "remeum", + "volupta", + "doconse" ], "rsa.counters.event_counter": 1576, "rsa.db.database": "ptat", "rsa.internal.event_desc": "iatisun", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uep", - "cancel" + "cancel", + "uep" ], "rsa.misc.category": "cto", "rsa.misc.disposition": "orumSect", @@ -3409,19 +3590,17 @@ ], "url.original": "https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco", "url.query": "empor", - "user.name": [ - "volupta", - "remeum", - "doconse" - ] + "user.name": "remeum" }, { "destination.ip": [ "10.86.147.37" ], "destination.port": 6845, - "event.action": "allow", - "event.category": "epteu", + "event.action": [ + "allow", + "epteu" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3441,13 +3620,18 @@ "10.106.63.42", "10.86.147.37" ], + "related.user": [ + "olor", + "ugitse", + "aeca" + ], "rsa.counters.event_counter": 2211, "rsa.db.database": "ameiu", "rsa.internal.event_desc": "por", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "mip", - "allow" + "allow", + "mip" ], "rsa.misc.category": "stiae", "rsa.misc.disposition": "icta", @@ -3475,19 +3659,17 @@ ], "url.original": "https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu", "url.query": "rrorsi", - "user.name": [ - "olor", - "aeca", - "ugitse" - ] + "user.name": "olor" }, { "destination.ip": [ "10.110.240.8" ], "destination.port": 6650, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -3502,8 +3684,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.132.76", - "10.110.240.8" + "10.110.240.8", + "10.112.132.76" + ], + "related.user": [ + "ulamcola", + "tam", + "equun" ], "rsa.counters.dclass_c1": 5784, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3533,19 +3720,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "tam", - "equun", - "ulamcola" - ] + "user.name": "tam" }, { "destination.ip": [ "10.76.222.159" ], "destination.port": 403, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "accept", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3563,6 +3748,11 @@ "10.7.141.213", "10.76.222.159" ], + "related.user": [ + "labor", + "natuser", + "niamq" + ], "rsa.counters.dclass_c1": 5670, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "ionulam", @@ -3591,19 +3781,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "natuser", - "labor", - "niamq" - ] + "user.name": "natuser" }, { "destination.ip": [ "10.246.196.160" ], "destination.port": 894, - "event.action": "allow", - "event.category": "Logout", + "event.action": [ + "allow", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3618,8 +3806,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.170.90.90", - "10.246.196.160" + "10.246.196.160", + "10.170.90.90" + ], + "related.user": [ + "equ", + "epteurs", + "urautod" ], "rsa.counters.dclass_c1": 4933, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3649,14 +3842,12 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "epteurs", - "urautod", - "equ" - ] + "user.name": "equ" }, { - "event.category": "veniam", + "event.action": [ + "veniam" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -3668,6 +3859,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "entoreve" + ], "rsa.internal.event_desc": "exeaco", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "veniam", @@ -3678,17 +3872,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "entoreve" - ] + "user.name": "entoreve" }, { "destination.ip": [ "10.209.129.155" ], "destination.port": 769, - "event.action": "block", - "event.category": "Logout", + "event.action": [ + "block", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3703,8 +3897,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.128.118.157", - "10.209.129.155" + "10.209.129.155", + "10.128.118.157" + ], + "related.user": [ + "essequa", + "xerci", + "mdolore" ], "rsa.counters.dclass_c1": 2931, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3734,19 +3933,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "essequa", - "xerci", - "mdolore" - ] + "user.name": "mdolore" }, { "destination.ip": [ "10.219.218.23" ], "destination.port": 2855, - "event.action": "deny", - "event.category": "nsequatD", + "event.action": [ + "deny", + "nsequatD" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3763,16 +3960,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.21.69.33", - "10.219.218.23" + "10.219.218.23", + "10.21.69.33" + ], + "related.user": [ + "tesseq", + "orumS", + "labor" ], "rsa.counters.event_counter": 2428, "rsa.db.database": "exeacomm", "rsa.internal.event_desc": "itanimi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "meumfug" + "meumfug", + "deny" ], "rsa.misc.category": "rinc", "rsa.misc.disposition": "isistena", 
@@ -3800,19 +4002,17 @@ ], "url.original": "https://www.example.org/uatu/gel.gif?itsed=mvolu#agn", "url.query": "eritinvo", - "user.name": [ - "tesseq", - "labor", - "orumS" - ] + "user.name": "labor" }, { "destination.ip": [ "10.209.39.25" ], "destination.port": 3954, - "event.action": "block", - "event.category": "ius", + "event.action": [ + "ius", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3826,8 +4026,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.67.163.107", - "10.209.39.25" + "10.209.39.25", + "10.67.163.107" + ], + "related.user": [ + "tion", + "quaeabi", + "eddoe" ], "rsa.counters.dclass_c1": 3469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3853,19 +4058,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "quaeabi", - "tion", - "eddoe" - ] + "user.name": "tion" }, { "destination.ip": [ "10.61.247.113" ], "destination.port": 599, - "event.action": "cancel", - "event.category": "Logout", + "event.action": [ + "Logout", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3883,6 +4086,11 @@ "10.61.247.113", "10.120.66.172" ], + "related.user": [ + "tur", + "iamqu", + "iduntut" + ], "rsa.counters.dclass_c1": 2218, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "cididun", @@ -3911,19 +4119,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "tur", - "iamqu", - "iduntut" - ] + "user.name": "tur" }, { "destination.ip": [ "10.206.65.159" ], "destination.port": 6326, - "event.action": "deny", - "event.category": "oluptass", + "event.action": [ + "deny", + "oluptass" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -3940,8 +4146,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.206.65.159", - "10.31.56.237" + "10.31.56.237", + "10.206.65.159" + ], + "related.user": [ + "amcorpor", + "atem", + "cit" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "oloremeu", @@ -3976,14 +4187,12 @@ ], "url.original": "https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati", "url.query": "lapa", - "user.name": [ - "amcorpor", - "atem", - "cit" - ] + "user.name": "cit" }, { - "event.category": "iades", + "event.action": [ + "iades" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3995,6 +4204,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "inculpa" + ], "rsa.internal.event_desc": "onorum", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "iades", @@ -4005,17 +4217,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "inculpa" - ] + "user.name": "inculpa" }, { "destination.ip": [ "10.108.76.145" ], "destination.port": 4698, - "event.action": "allow", - "event.category": "Login", + "event.action": [ + "allow", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4033,6 +4245,11 @@ "10.147.56.184", "10.108.76.145" ], + "related.user": [ + "uisautem", + "idid", + "trumexer" + ], "rsa.counters.dclass_c1": 1294, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "lore", @@ -4061,19 +4278,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "trumexer", - "uisautem", - "idid" - ] + "user.name": "trumexer" }, { "destination.ip": [ "10.193.58.50" ], "destination.port": 5693, - "event.action": "cancel", - "event.category": "oloremeu", + "event.action": [ + "oloremeu", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4090,16 +4305,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.248.90", - "10.193.58.50" + "10.193.58.50", + "10.28.248.90" + ], + "related.user": [ + "eaqu", + "totamrem", + "cto" ], "rsa.counters.event_counter": 4385, "rsa.db.database": "itani", "rsa.internal.event_desc": "doloremi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "sequatD", - "cancel" + "cancel", + "sequatD" ], "rsa.misc.category": "uisno", "rsa.misc.disposition": "atevel", @@ -4126,19 +4346,17 @@ ], "url.original": "https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti", "url.query": "ipsum", - "user.name": [ - "eaqu", - "cto", - "totamrem" - ] + "user.name": "cto" }, { "destination.ip": [ "10.84.3.244" ], "destination.port": 3154, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4156,6 +4374,11 @@ "10.211.242.138", "10.84.3.244" ], + "related.user": [ + "olest", + "ciun", + "asia" + ], "rsa.counters.dclass_c1": 545, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "iumto", @@ -4184,14 +4407,12 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "olest", - "asia", - "ciun" - ] + "user.name": "olest" }, { - "event.category": "quidolo", + "event.action": [ + "quidolo" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4203,6 +4424,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "destlabo" + ], "rsa.internal.event_desc": "utaliqui", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "quidolo", 
@@ -4213,17 +4437,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "destlabo" - ] + "user.name": "destlabo" }, { "destination.ip": [ "10.121.189.113" ], "destination.port": 5635, - "event.action": "accept", - "event.category": "Login", + "event.action": [ + "Login", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4241,6 +4465,11 @@ "10.121.189.113", "10.13.86.14" ], + "related.user": [ + "turvelil", + "volu", + "lapa" + ], "rsa.counters.dclass_c1": 7284, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "unt", @@ -4268,19 +4497,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "lapa", - "volu", - "turvelil" - ] + "user.name": "lapa" }, { "destination.ip": [ "10.32.220.188" ], "destination.port": 2394, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "accept", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4298,6 +4525,11 @@ "10.50.195.220", "10.32.220.188" ], + "related.user": [ + "nimi", + "lorinrep", + "ectob" + ], "rsa.counters.dclass_c1": 2636, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "seddoeiu", @@ -4326,19 +4558,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ectob", - "nimi", - "lorinrep" - ] + "user.name": "ectob" }, { "destination.ip": [ "10.189.155.253" ], "destination.port": 984, - "event.action": "allow", - "event.category": "Login", + "event.action": [ + "allow", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4353,8 +4583,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.29.74.57", - "10.189.155.253" + "10.189.155.253", + "10.29.74.57" + ], + "related.user": [ + "exe", + "colab", + "iutaliqu" ], "rsa.counters.dclass_c1": 3432, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4384,19 +4619,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "exe", - "iutaliqu", - "colab" - ] + "user.name": "iutaliqu" }, { "destination.ip": [ "10.107.41.59" ], "destination.port": 926, - "event.action": "block", - "event.category": "acom", + "event.action": [ + "block", + "acom" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4410,8 +4643,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.107.41.59", - "10.149.2.62" + "10.149.2.62", + "10.107.41.59" + ], + "related.user": [ + "utal", + "edictasu", + "oreseo" ], "rsa.counters.dclass_c1": 3008, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4437,19 +4675,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "edictasu", - "utal", - "oreseo" - ] + "user.name": "oreseo" }, { "destination.ip": [ "10.20.211.186" ], "destination.port": 4062, - "event.action": "accept", - "event.category": "erit", + "event.action": [ + "accept", + "erit" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4466,8 +4702,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.20.211.186", - "10.11.237.65" + "10.11.237.65", + "10.20.211.186" + ], + "related.user": [ + "ncidid", + "olo", + "ptassit" ], "rsa.counters.event_counter": 3743, "rsa.db.database": "ataevit", @@ -4502,19 +4743,17 @@ ], "url.original": "https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi", "url.query": "siarch", - "user.name": [ - "olo", - "ptassit", - "ncidid" - ] + "user.name": "ncidid" }, { "destination.ip": [ "10.190.18.213" ], "destination.port": 2201, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4532,6 +4771,11 @@ "10.190.18.213", "10.177.60.55" ], + "related.user": [ + "tametcon", + "rror", + "etdolore" + ], "rsa.counters.dclass_c1": 7327, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "dolorsi", @@ -4560,19 +4804,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "etdolore", - "rror", - "tametcon" - ] + "user.name": "rror" }, { "destination.ip": [ "10.173.169.212" ], "destination.port": 292, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "cancel", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4587,8 +4829,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.131.253.222", - "10.173.169.212" + "10.173.169.212", + "10.131.253.222" + ], + "related.user": [ + "oinB", + "orumet", + "utod" ], "rsa.counters.dclass_c1": 6659, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4618,19 +4865,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "orumet", - "oinB", - "utod" - ] + "user.name": "oinB" }, { "destination.ip": [ "10.33.131.63" ], "destination.port": 1437, - "event.action": "cancel", - "event.category": "lum", + "event.action": [ + "cancel", + "lum" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4647,6 +4892,11 @@ "10.5.54.131", "10.33.131.63" ], + "related.user": [ + "psamvolu", + "liq", + "imven" + ], "rsa.counters.dclass_c1": 587, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "ionev", @@ -4671,19 +4921,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "psamvolu", - "imven", - "liq" - ] + "user.name": "imven" }, { "destination.ip": [ "10.164.123.69" ], "destination.port": 2543, - "event.action": "cancel", - "event.category": "Logout", + "event.action": [ + "Logout", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4698,8 +4946,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.51.238", - "10.164.123.69" + "10.164.123.69", + "10.161.51.238" + ], + "related.user": [ + "litesse", + "xercitat", + "xeacomm" ], "rsa.counters.dclass_c1": 5031, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4729,19 +4982,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "litesse", - "xercitat", - "xeacomm" - ] + "user.name": "litesse" }, { "destination.ip": [ "10.112.73.97" ], "destination.port": 6125, - "event.action": "accept", - "event.category": "odte", + "event.action": [ + "accept", + "odte" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4755,8 +5006,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.227.144.202", - "10.112.73.97" + "10.112.73.97", + "10.227.144.202" + ], + "related.user": [ + "quinesc", + "uelau", + "uelauda" ], "rsa.counters.dclass_c1": 2469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4782,14 +5038,12 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "quinesc", - "uelau", - "uelauda" - ] + "user.name": "quinesc" }, { - "event.category": "scip", + "event.action": [ + "scip" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4801,6 +5055,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "voluptas" + ], "rsa.internal.event_desc": "upta", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "scip", @@ -4811,17 +5068,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "voluptas" - ] + "user.name": "voluptas" }, { "destination.ip": [ "10.185.248.253" ], "destination.port": 3804, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "Login", + "block" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4839,6 +5096,11 @@ "10.185.248.253", "10.76.165.58" ], + "related.user": [ + "amqua", + "ugitse", + "nisi" + ], "rsa.counters.dclass_c1": 4963, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "psum", @@ -4867,19 +5129,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ugitse", - "amqua", - "nisi" - ] + "user.name": "nisi" }, { "destination.ip": [ "10.177.36.122" ], "destination.port": 5686, - "event.action": "accept", - "event.category": "itessec", + "event.action": [ + "accept", + "itessec" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4896,8 +5156,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.177.36.122", - "10.163.27.208" + "10.163.27.208", + "10.177.36.122" + ], + "related.user": [ + "avolu", + "eFini", + "ept" ], "rsa.counters.event_counter": 4087, "rsa.db.database": "aaliq", @@ -4932,19 +5197,17 @@ ], "url.original": "https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt", "url.query": "orporiss", - "user.name": [ - "avolu", - "ept", - "eFini" - ] + "user.name": "eFini" }, { "destination.ip": [ "10.35.215.152" ], "destination.port": 7489, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4959,8 +5222,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.143.175.148", - "10.35.215.152" + "10.35.215.152", + "10.143.175.148" + ], + "related.user": [ + "ium", + "etdo", + "itaspern" ], "rsa.counters.dclass_c1": 6141, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4990,19 +5258,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "itaspern", - "etdo", - "ium" - ] + "user.name": "ium" }, { "destination.ip": [ "10.254.252.105" ], "destination.port": 146, - "event.action": "allow", - "event.category": "Logout", + "event.action": [ + "allow", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5020,6 +5286,11 @@ "10.25.246.131", "10.254.252.105" ], + "related.user": [ + "ptatemU", + "asp", + "ataev" + ], "rsa.counters.dclass_c1": 2949, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "upid", @@ -5048,19 +5319,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ptatemU", - "ataev", - "asp" - ] + "user.name": "asp" }, { "destination.ip": [ "10.248.16.82" ], "destination.port": 6834, - "event.action": "accept", - "event.category": "Login", + "event.action": [ + "accept", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5078,6 +5347,11 @@ "10.44.179.66", "10.248.16.82" ], + "related.user": [ + "proiden", + "loinv", + "xercita" + ], "rsa.counters.dclass_c1": 2353, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "nul", @@ -5106,19 +5380,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "proiden", - "loinv", - "xercita" - ] + "user.name": "loinv" }, { "destination.ip": [ "10.88.53.149" ], "destination.port": 4048, - "event.action": "allow", - "event.category": "temac", + "event.action": [ + "temac", + "allow" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5135,8 +5407,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.88.53.149", - "10.55.166.205" + "10.55.166.205", + "10.88.53.149" + ], + "related.user": [ + "strumex", + "reseosqu", + "tqui" ], "rsa.counters.event_counter": 6219, "rsa.db.database": "atus", 
@@ -5172,19 +5449,17 @@ ], "url.original": "https://www.example.net/umSecti/emaccu.html?atu=ddo#veli", "url.query": "ata", - "user.name": [ - "reseosqu", - "tqui", - "strumex" - ] + "user.name": "tqui" }, { "destination.ip": [ "10.199.117.125" ], "destination.port": 1799, - "event.action": "cancel", - "event.category": "ionevo", + "event.action": [ + "ionevo", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5201,8 +5476,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.199.117.125", - "10.116.180.96" + "10.116.180.96", + "10.199.117.125" + ], + "related.user": [ + "pidatatn", + "iof", + "ciun" ], "rsa.counters.event_counter": 6700, "rsa.db.database": "ssitaspe", @@ -5237,19 +5517,17 @@ ], "url.original": "https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu", "url.query": "nrep", - "user.name": [ - "pidatatn", - "iof", - "ciun" - ] + "user.name": "pidatatn" }, { "destination.ip": [ "10.64.76.110" ], "destination.port": 2200, - "event.action": "cancel", - "event.category": "Login", + "event.action": [ + "Login", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5264,8 +5542,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.250.226.105", - "10.64.76.110" + "10.64.76.110", + "10.250.226.105" + ], + "related.user": [ + "imidest", + "ommod", + "ptate" ], "rsa.counters.dclass_c1": 6041, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5295,19 +5578,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "ptate", - "ommod", - "imidest" - ] + "user.name": "ptate" }, { "destination.ip": [ "10.164.52.43" ], "destination.port": 2077, - "event.action": "block", - "event.category": "persp", + "event.action": [ + "block", + "persp" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -5327,13 +5608,18 @@ "10.29.141.252", "10.164.52.43" ], + "related.user": [ + "Nemoe", + "seq", + "reverit" + ], "rsa.counters.event_counter": 249, "rsa.db.database": "neavolup", "rsa.internal.event_desc": "itame", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atemq" + "atemq", + "block" ], "rsa.misc.category": "quaturv", "rsa.misc.disposition": "lumdolor", @@ -5361,19 +5647,17 @@ ], "url.original": "https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq", "url.query": "aturve", - "user.name": [ - "Nemoe", - "reverit", - "seq" - ] + "user.name": "seq" }, { "destination.ip": [ "10.115.42.231" ], "destination.port": 2143, - "event.action": "deny", - "event.category": "Login", + "event.action": [ + "Login", + "deny" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5388,8 +5672,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.212.150", - "10.115.42.231" + "10.115.42.231", + "10.161.212.150" + ], + "related.user": [ + "tasnul", + "res", + "sequamn" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5419,19 +5708,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "sequamn", - "res", - "tasnul" - ] + "user.name": "res" }, { "destination.ip": [ "10.66.163.3" ], "destination.port": 1085, - "event.action": "accept", - "event.category": "Logout", + "event.action": [ + "Logout", + "accept" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5446,8 +5733,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.66.163.3", - "10.9.126.156" + "10.9.126.156", + "10.66.163.3" + ], + "related.user": [ + "asnulapa", + "accusa", + "aeconseq" ], "rsa.counters.dclass_c1": 7469, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5477,14 +5769,12 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "aeconseq", - "accusa", - "asnulapa" - ] + "user.name": "aeconseq" }, { - "event.category": "odtem", + "event.action": [ + "odtem" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5496,6 +5786,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.user": [ + "mipsa" + ], "rsa.internal.event_desc": "nimide", "rsa.internal.messageid": "Imperva", "rsa.misc.event_type": "odtem", @@ -5506,17 +5799,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "mipsa" - ] + "user.name": "mipsa" }, { "destination.ip": [ "10.217.176.124" ], "destination.port": 7276, - "event.action": "cancel", - "event.category": "sauteir", + "event.action": [ + "sauteir", + "cancel" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5533,8 +5826,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.217.176.124", - "10.220.106.170" + "10.220.106.170", + "10.217.176.124" + ], + "related.user": [ + "itsedq", + "uisaute", + "min" ], "rsa.counters.event_counter": 1318, "rsa.db.database": "iaturEx", @@ -5569,19 +5867,17 @@ ], "url.original": "https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre", "url.query": "upta", - "user.name": [ - "uisaute", - "itsedq", - "min" - ] + "user.name": "min" }, { "destination.ip": [ "10.9.248.95" ], "destination.port": 2294, - "event.action": "deny", - "event.category": "Logout", + "event.action": [ + "deny", + "Logout" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5599,6 +5895,11 @@ "10.9.248.95", "10.120.18.135" ], + "related.user": [ + "ero", + "iatquovo", + "ratvolup" + ], "rsa.counters.dclass_c1": 6969, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "tsunti", 
@@ -5627,19 +5928,17 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "iatquovo", - "ero", - "ratvolup" - ] + "user.name": "iatquovo" }, { "destination.ip": [ "10.249.76.99" ], "destination.port": 7480, - "event.action": "block", - "event.category": "Login", + "event.action": [ + "block", + "Login" + ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5657,6 +5956,11 @@ "10.109.203.111", "10.249.76.99" ], + "related.user": [ + "atio", + "uis", + "xercita" + ], "rsa.counters.dclass_c1": 3516, "rsa.counters.dclass_c1_str": "Affected Rows", "rsa.db.database": "ntexp", @@ -5684,10 +5988,6 @@ "imperva.securesphere", "forwarded" ], - "user.name": [ - "xercita", - "atio", - "uis" - ] + "user.name": "xercita" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index 52fba8ff615..dc5d5dfca3a 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-08 16:42:02.159347 +0000 UTC. +at 2020-07-08 17:36:28.818661 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js +++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
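Review bot: The new `user.name` priority scheme (administrator 4 and c_username 2 / c_user_name 8 here, logon_id 5, owner 6, service_account 7, uid 3, user 0 and username 1 in the three following hunks) is undocumented, and nothing on these lines says whether the lowest or the highest `prio` wins when a message carries several user keys. This matters for attribution: `user.name` now collapses to one value per event (the fixture hunks above show three names per event with a single one kept), so any alerting or correlation keyed on `user.name` silently loses the other identities and must rely on `related.user`, which does receive every value. A short comment above the first prio mapping would pin the contract, for example `// user.name keeps a single value chosen by prio (lowest wins — TODO confirm against fld_prio); every user key is also appended to related.user`. The near-duplicate keys `c_username` (prio 2) and `c_user_name` (prio 8) sit at opposite ends of the range; worth confirming that gap is intended rather than a typo. The enclosing `ecs_mappings` object starts and ends outside the hunk.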
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
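Review bot: Moving `event_type` from `event.category` to `event.action` leaves nothing in the diff populating `event.category` for these messages, so the fixture hunks above end up with no ECS category at all (`"event.category": "Login"` is removed and not replaced). Dropping the old mapping is sound, since `event.category` is restricted to a fixed allowed list and vendor strings like `Login` or `preh` were never valid there, but dashboards and rules filtering on `event.category` will now match nothing for these modules. Because both `action` and `event_type` are appended, `event.action` also becomes a two-element array whose order differs between events (the fixtures show both `["cancel", "Login"]` and `["Login", "cancel"]`), which breaks any consumer that compares it as a scalar string. Suggest a comment on the changed line, `// event_type is free-form vendor text, not a valid ECS event.category value; appended to event.action alongside "action"`. The enclosing `ecs_mappings` object starts and ends outside the hunk.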
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = { "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "user.name", setter: fld_append}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "user.name", setter: fld_append}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "user.name", setter: fld_append}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 56b98386dff..72c8214cb31 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
@@ -1040,7 +1040,9 @@ ] }, { - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", @@ -1277,6 +1279,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.user": [ + "temUt" + ], "rsa.internal.data": "atatn", "rsa.internal.event_desc": "RADIUS authentication succeeded for user", "rsa.internal.messageid": "serial_console", @@ -1293,9 +1298,7 @@ "infoblox.nios", "forwarded" ], - "user.name": [ - "temUt" - ] + "user.name": "temUt" }, { "event.code": "httpd", diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index 2baa2d8b6e2..c2657e7d160 100644 --- a/x-pack/filebeat/module/juniper/README.md +++ b/x-pack/filebeat/module/juniper/README.md @@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-08 16:42:02.851507 +0000 UTC. +at 2020-07-08 17:36:29.543239 +0000 UTC. diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js +++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, @@ -925,8 +925,8 @@ var ecs_mappings = { "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "user.name", setter: fld_append}]}, - "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, 
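Review bot: `administrator` now feeds `user.name` at `prio: 4`, while `user` (prio 0), `username` (1), `c_username` (2) and `uid` (3) outrank it in later hunks of this same table, so on an event that names both an administrator and the account being acted on, `user.name` presumably ends up holding the target account rather than the actor (assuming a lower `prio` wins, which the hunk itself does not show). For detection logic that treats `user.name` as the acting identity this silently mis-attributes administrative actions; ECS has `user.target.name` for the acted-on account, and if the RSA `administrator` field is confirmed to be the actor it looks like a better candidate for the top slot, e.g. `"administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}`. Either way the precedence order is spread over nine entries with no explanation, so a comment above the table such as `// user.name precedence (lower prio wins): user, username, c_username, uid, administrator, logon_id, owner, service_account, c_user_name` would make the choice reviewable. Appending every candidate to `related.user` is the right move for pivoting. The `ecs_mappings` object starts and ends outside this hunk, and the hunk is repeated verbatim in the liblogparser.js copies of the other modules in this patch, so any change belongs in the shared source they are generated from.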
@@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_append}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, @@ -982,14 +982,14 @@ var ecs_mappings = { "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "user.name", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, 
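Review bot: The new `event_type` entry maps to `event.action` with `fld_append`, and the regenerated fixtures in this patch show the result is emitted as an array even for a single value (`"event.action": ["deny"]`, `"event.action": ["Fault Occured"]`), whereas ECS defines `event.action` as a single keyword. Because `action` in the `@@ -916` hunk of this file is also appended to `event.action`, a message carrying both fields will produce a two-element array, and any detection rule, transform or visualization that reads `event.action` as a scalar now sees a shape change. Unless the multi-valued form is intended, consider the same precedence scheme the user fields now use, e.g. `"event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}` together with `"action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}`, and record the chosen precedence in a comment on the table. Moving free-text vendor values out of `event.category` is correct, since ECS restricts that field to a fixed set of values and rules keyed on it cannot rely on vendor strings. The `ecs_mappings` object starts and ends outside this hunk, and the identical hunk appears in the other modules' liblogparser.js copies, so the fix should be made once in the shared source.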
@@ -1015,7 +1015,7 @@ var ecs_mappings = { "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, 
@@ -1030,17 +1030,17 @@ var ecs_mappings = { "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "user.name", setter: fld_append}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "user.name", setter: fld_append}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "user.name", setter: fld_append}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index 776313de0d0..3746ea8daaf 100644 --- a/x-pack/filebeat/module/kaspersky/README.md +++ b/x-pack/filebeat/module/kaspersky/README.md 
@@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-08 16:42:03.722306 +0000 UTC. +at 2020-07-08 17:36:30.503306 +0000 UTC. diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js +++ b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = { "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "user.name", setter: fld_append}]}, - "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_append}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
@@ -982,14 +982,14 @@ var ecs_mappings = { "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "user.name", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, 
@@ -1015,7 +1015,7 @@ var ecs_mappings = { "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, 
@@ -1030,17 +1030,17 @@ var ecs_mappings = { "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "user.name", setter: fld_append}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "user.name", setter: fld_append}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "user.name", setter: fld_append}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 4b80e7fca9e..7a79658746b 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md 
@@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-08 16:42:04.061294 +0000 UTC. +at 2020-07-08 17:36:30.825087 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = { "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "user.name", setter: fld_append}]}, - "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_append}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
@@ -982,14 +982,14 @@ var ecs_mappings = { "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "user.name", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, 
@@ -1015,7 +1015,7 @@ var ecs_mappings = { "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, 
@@ -1030,17 +1030,17 @@ var ecs_mappings = { "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "user.name", setter: fld_append}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "user.name", setter: fld_append}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "user.name", setter: fld_append}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index 33a71445805..7068d43d848 100644 --- a/x-pack/filebeat/module/netscout/README.md +++ b/x-pack/filebeat/module/netscout/README.md 
@@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-08 16:41:57.809586 +0000 UTC. +at 2020-07-08 17:36:24.326666 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js +++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = { "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "user.name", setter: fld_append}]}, - "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_append}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
@@ -982,14 +982,14 @@ var ecs_mappings = { "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "user.name", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, 
@@ -1015,7 +1015,7 @@ var ecs_mappings = { "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, 
@@ -1030,17 +1030,17 @@ var ecs_mappings = { "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "user.name", setter: fld_append}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "user.name", setter: fld_append}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "user.name", setter: fld_append}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 4a4bb15af8e..05a410898f9 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -12,6 +12,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.6078", + "related.user": [ + "rci" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "olab", @@ -22,9 +25,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "rci" - ] + "user.name": "rci" }, { "@timestamp": "2020-02-12T15:12:33.000Z", @@ -38,6 +39,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "tatemac" + ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2020-02-12T15:12:33.000Z", @@ -47,9 +51,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "tatemac" - ] + "user.name": "tatemac" }, { "@timestamp": "2020-02-26T22:15:08.000Z", @@ -63,6 +65,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "nseq" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -72,9 +77,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "nseq" - ] + "user.name": "nseq" }, { "@timestamp": "2020-03-12T05:17:42.000Z", @@ -277,7 +280,9 @@ }, { "@timestamp": "2020-07-04T13:38:16.000Z", - "event.category": "Fault Occured", + "event.action": [ + "Fault Occured" + ], "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -312,6 +317,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "uiano" + ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2019-07-18T20:40:50.000Z", @@ -321,9 +329,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "uiano" - ] + "user.name": "uiano" }, { "@timestamp": "2019-08-02T03:43:25.000Z", 
@@ -342,8 +348,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.26.34", - "10.38.77.13" + "10.38.77.13", + "10.179.26.34" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -452,6 +458,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "qua" + ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2019-09-28T07:53:42.000Z", @@ -461,9 +470,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "qua" - ] + "user.name": "qua" }, { "@timestamp": "2019-10-12T14:56:16.000Z", @@ -497,6 +504,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "turveli" + ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2019-10-26T21:58:50.000Z", @@ -506,9 +516,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "turveli" - ] + "user.name": "turveli" }, { "@timestamp": "2019-11-10T05:01:24.000Z", @@ -522,6 +530,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "caecatc" + ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2019-11-10T05:01:24.000Z", @@ -531,9 +542,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "caecatc" - ] + "user.name": "caecatc" }, { "@timestamp": "2019-11-24T12:03:59.000Z", @@ -643,6 +652,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "mqui" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", 
@@ -652,9 +664,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "mqui" - ] + "user.name": "mqui" }, { "@timestamp": "2020-02-03T23:16:50.000Z", @@ -729,7 +739,9 @@ }, { "@timestamp": "2020-03-18T20:24:33.000Z", - "event.category": "Script mitigation", + "event.action": [ + "Script mitigation" + ], "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -950,6 +962,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.2126", + "related.user": [ + "emseq" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "luptasn", @@ -960,9 +975,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "emseq" - ] + "user.name": "emseq" }, { "@timestamp": "2019-07-11T04:45:07.000Z", @@ -976,6 +989,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "suntexp" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -985,9 +1001,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "suntexp" - ] + "user.name": "suntexp" }, { "@timestamp": "2019-07-25T11:47:41.000Z", @@ -1100,7 +1114,9 @@ }, { "@timestamp": "2019-09-20T15:57:58.000Z", - "event.category": "Script mitigation", + "event.action": [ + "Script mitigation" + ], "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1136,6 +1152,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "uptate" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1145,9 +1164,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "uptate" - ] + "user.name": "uptate" }, { "@timestamp": "2019-10-19T06:03:07.000Z", 
@@ -1192,8 +1209,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.108.167.93", - "10.161.136.76" + "10.161.136.76", + "10.108.167.93" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1318,6 +1335,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "uiac" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1327,9 +1347,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "uiac" - ] + "user.name": "uiac" }, { "@timestamp": "2020-01-27T07:21:06.000Z", @@ -1365,6 +1383,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "ersp" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1374,9 +1395,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "ersp" - ] + "user.name": "ersp" }, { "@timestamp": "2020-02-24T21:26:15.000Z", @@ -1430,6 +1449,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "rsitv" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1439,9 +1461,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "rsitv" - ] + "user.name": "rsitv" }, { "@timestamp": "2020-04-08T18:33:58.000Z", @@ -1480,6 +1500,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "udexerci" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1489,9 +1512,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "udexerci" - ] + "user.name": "udexerci" }, { "@timestamp": "2020-05-07T08:39:06.000Z", 
@@ -1529,6 +1550,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.4425", + "related.user": [ + "ati" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "natuse", @@ -1539,9 +1563,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "ati" - ] + "user.name": "ati" }, { "@timestamp": "2020-06-04T22:44:15.000Z", @@ -1630,7 +1652,9 @@ }, { "@timestamp": "2019-07-17T19:51:58.000Z", - "event.category": "Fault Cleared", + "event.action": [ + "Fault Cleared" + ], "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1688,6 +1712,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "dutp" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1697,13 +1724,13 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "dutp" - ] + "user.name": "dutp" }, { "@timestamp": "2019-08-29T16:59:40.000Z", - "event.category": "Fault Cleared", + "event.action": [ + "Fault Cleared" + ], "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1762,7 +1789,9 @@ }, { "@timestamp": "2019-09-27T07:04:49.000Z", - "event.category": "Fault Occured", + "event.action": [ + "Fault Occured" + ], "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1844,6 +1873,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "ven" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1853,9 +1885,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "ven" - ] + "user.name": "ven" }, { "@timestamp": "2019-11-23T11:15:06.000Z", 
@@ -1870,6 +1900,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.1721", + "related.user": [ + "suntin" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "evitaed", @@ -1880,9 +1913,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "suntin" - ] + "user.name": "suntin" }, { "@timestamp": "2019-12-07T18:17:40.000Z", @@ -1920,6 +1951,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.6412", + "related.user": [ + "psumqu" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "litani", @@ -1930,9 +1964,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "psumqu" - ] + "user.name": "psumqu" }, { "@timestamp": "2020-01-05T08:22:49.000Z", @@ -1946,6 +1978,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "onula" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -1955,9 +1990,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "onula" - ] + "user.name": "onula" }, { "@timestamp": "2020-01-19T15:25:23.000Z", @@ -1991,6 +2024,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "remips" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -2000,13 +2036,13 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "remips" - ] + "user.name": "remips" }, { "@timestamp": "2020-02-17T05:30:32.000Z", - "event.category": "Script mitigation", + "event.action": [ + "Script mitigation" + ], "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", 
@@ -2032,7 +2068,9 @@ }, { "@timestamp": "2020-03-03T12:33:06.000Z", - "event.category": "Fault Cleared", + "event.action": [ + "Fault Cleared" + ], "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2192,8 +2230,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.44.47.27", - "10.179.210.218" + "10.179.210.218", + "10.44.47.27" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2222,6 +2260,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.2883", + "related.user": [ + "lor" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "emvele", @@ -2232,9 +2273,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "lor" - ] + "user.name": "lor" }, { "@timestamp": "2020-06-25T20:53:40.000Z", @@ -2291,6 +2330,9 @@ "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "related.user": [ + "tMal" + ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", @@ -2300,9 +2342,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "tMal" - ] + "user.name": "tMal" }, { "@timestamp": "2019-08-07T18:01:23.000Z", @@ -2317,6 +2357,9 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "observer.version": "1.2552", + "related.user": [ + "onu" + ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "maveni", @@ -2327,9 +2370,7 @@ "netscout.sightline", "forwarded" ], - "user.name": [ - "onu" - ] + "user.name": "onu" }, { "@timestamp": "2019-08-22T01:03:57.000Z", @@ -2381,7 +2422,9 @@ }, { "@timestamp": "2019-09-19T15:09:05.000Z", - "event.category": "Script mitigation", + "event.action": [ + "Script mitigation" + ], "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", 
@@ -2441,7 +2484,9 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.category": "Fault Cleared", + "event.action": [ + "Fault Cleared" + ], "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index 82a38c26a10..c6717fe8275 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md @@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-08 16:42:06.209805 +0000 UTC. +at 2020-07-08 17:36:33.009612 +0000 UTC. diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js +++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md
index 27005a437c3..7345110fcdd 100644
--- a/x-pack/filebeat/module/rapid7/README.md
+++ b/x-pack/filebeat/module/rapid7/README.md
@@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-08 16:42:05.589137 +0000 UTC. +at 2020-07-08 17:36:32.35441 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js +++ b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json
index 4c9738a9b13..73142da6941 100644
--- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json
@@ -684,7 +684,9 @@ ] }, { - "event.action": "Upgrading database", + "event.action": [ + "Upgrading database" + ], "event.code": "Upgrading", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", @@ -1333,7 +1335,9 @@ ] }, { - "event.action": "accept", + "event.action": [ + "accept" + ], "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", @@ -1622,7 +1626,9 @@ ] }, { - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", @@ -1664,7 +1670,9 @@ ] }, { - "event.action": "Shutting down", + "event.action": [ + "Shutting down" + ], "event.code": "ConsoleScanImporter", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index 7f0c86d9d0f..568883a78b8 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-08 16:42:06.806469 +0000 UTC. +at 2020-07-08 17:36:33.6155 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js 
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
index 9f972c2e6fc..fe20fb7b9ad 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
@@ -41,7 +41,9 @@ }, { "@timestamp": "2007-01-03T16:48:07.000Z", - "event.action": "Administrator login denied due to bad credentials", + "event.action": [ + "Administrator login denied due to bad credentials" + ], "event.code": "30", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -108,7 +110,9 @@ }, { "@timestamp": "2007-01-03T16:48:07.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -135,7 +139,9 @@ }, { "@timestamp": "2007-01-03T16:48:08.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -162,7 +168,9 @@ }, { "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -189,7 +197,9 @@ }, { "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -256,7 +266,9 @@ }, { "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": "Administrator login denied due to bad credentials", + "event.action": [ + "Administrator login denied due to bad credentials" + ], "event.code": "30", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -360,7 +372,9 @@ }, { "@timestamp": "2007-01-03T16:48:14.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -537,7 +551,9 @@ }, { "@timestamp": "2007-01-03T16:48:18.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -564,7 +580,9 @@ }, { "@timestamp": "2007-01-03T16:48:20.000Z", - "event.action": "Connection Closed", + "event.action": [ + "Connection Closed" + ], "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index a915944aaef..c7a3c07fdb9 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -37,8 +37,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.13.70.213", - "10.95.245.65" + "10.95.245.65", + "10.13.70.213" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -90,8 +90,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.214.225.125", - "10.163.217.10" + "10.163.217.10", + "10.214.225.125" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "uiano", @@ -113,7 +113,9 @@ ], "destination.mac": "01:00:5e:56:32:70", "destination.port": 6613, - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "14", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -132,6 +134,9 @@ "10.64.155.245", "10.202.66.28" ], + "related.user": [ + "niamqu" + ], "rsa.internal.messageid": "14", "rsa.internal.msg": "nibusBon", "rsa.misc.action": [ @@ -155,9 +160,7 @@ "sonicwall.firewall", "forwarded" ], - "user.name": [ - "niamqu" - ] + "user.name": "niamqu" }, { "@timestamp": "2016-04-09T19:22:51.000Z", 
@@ -232,7 +235,9 @@ }, { "@timestamp": "2016-05-22T04:30:33.000Z", - "event.action": "cancel", + "event.action": [ + "cancel" + ], "event.code": "1149", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -466,7 +471,9 @@ "10.193.192.62" ], "destination.port": 0, - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "264", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -484,6 +491,9 @@ "10.193.192.62", "10.170.120.4" ], + "related.user": [ + "quae" + ], "rsa.internal.messageid": "264", "rsa.internal.msg": "utali", "rsa.misc.action": [ @@ -502,9 +512,7 @@ "sonicwall.firewall", "forwarded" ], - "user.name": [ - "quae" - ] + "user.name": "quae" }, { "@timestamp": "2016-10-12T14:56:16.000Z", @@ -529,7 +537,9 @@ { "@timestamp": "2016-10-26T21:58:50.000Z", "destination.address": "ittenbyC3936.internal.test", - "event.action": "Failed to resolve name", + "event.action": [ + "Failed to resolve name" + ], "event.code": "84", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -622,8 +632,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.144.97.172", - "10.240.242.122" + "10.240.242.122", + "10.144.97.172" ], "rsa.internal.messageid": "346", "rsa.internal.msg": "aera", @@ -640,7 +650,9 @@ }, { "@timestamp": "2016-12-23T14:09:07.000Z", - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "uptasn", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -680,7 +692,9 @@ "10.120.167.239" ], "destination.port": 602, - "event.action": "cancel", + "event.action": [ + "cancel" + ], "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -798,8 +812,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.162.172.28" + "10.162.172.28", + "10.237.163.139" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "nre", 
@@ -850,6 +864,9 @@ "related.ip": [ "10.14.111.221" ], + "related.user": [ + "tco" + ], "rsa.internal.messageid": "1079", "rsa.misc.space": "", "rsa.time.date": "2017/03/18", @@ -859,9 +876,7 @@ "sonicwall.firewall", "forwarded" ], - "user.name": [ - "tco" - ] + "user.name": "tco" }, { "@timestamp": "2017-04-02T03:27:07.000Z", @@ -960,6 +975,9 @@ "10.101.74.44", "10.251.20.13" ], + "related.user": [ + "rsitv" + ], "rsa.internal.event_desc": "quin", "rsa.internal.messageid": "998", "rsa.internal.msg": "utp", @@ -971,9 +989,7 @@ "sonicwall.firewall", "forwarded" ], - "user.name": [ - "rsitv" - ] + "user.name": "rsitv" }, { "@timestamp": "2017-05-29T07:37:24.000Z", @@ -1109,8 +1125,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.149.0.64", - "10.64.50.66" + "10.64.50.66", + "10.149.0.64" ], "rsa.db.index": "atevelit", "rsa.internal.messageid": "83", @@ -1170,8 +1186,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1227,8 +1243,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.161.148.64", - "10.96.97.81" + "10.96.97.81", + "10.161.148.64" ], "rsa.internal.messageid": "350", "rsa.internal.msg": "mve", @@ -1375,8 +1391,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.77.174.205", - "10.240.49.224" + "10.240.49.224", + "10.77.174.205" ], "rsa.internal.messageid": "240", "rsa.internal.msg": "issuscip", @@ -1430,7 +1446,9 @@ ], "destination.mac": "01:00:5e:55:b9:89", "destination.port": 6909, - "event.action": "cancel", + "event.action": [ + "cancel" + ], "event.code": "ntutlabo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -1446,9 +1464,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.113.100.237", "10.251.248.228", - "10.108.84.24" + "10.108.84.24", + "10.113.100.237" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1480,7 +1498,9 @@ ], "destination.mac": "01:00:5e:93:39:a4", "destination.port": 2800, - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "proident", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1498,8 +1518,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.103.117.31", - "10.207.211.230", - "10.229.229.42" + "10.229.229.42", + "10.207.211.230" ], "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "428", @@ -1540,8 +1560,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.165.185", - "10.32.39.220" + "10.32.39.220", + "10.248.165.185" ], "rsa.internal.event_desc": "aliq", "rsa.internal.messageid": "412", @@ -1657,8 +1677,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.134.237.235", - "10.11.83.126" + "10.11.83.126", + "10.134.237.235" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "obeataev", @@ -1771,8 +1791,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.115.53.31", - "10.99.248.145" + "10.99.248.145", + "10.115.53.31" ], "rsa.internal.event_desc": "molestia", "rsa.internal.messageid": "412", @@ -1792,7 +1812,9 @@ "10.168.208.169" ], "destination.port": 6168, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "616", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1829,7 +1851,9 @@ "10.236.56.233" ], "destination.port": 3484, - "event.action": "allow", + "event.action": [ + "allow" + ], "event.code": "373", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -2133,8 +2157,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.208.79.170", - "10.101.163.40" + "10.101.163.40", + "10.208.79.170" ], "rsa.internal.messageid": "83", "rsa.internal.msg": "orroquis", @@ -2220,7 +2244,9 @@ "10.236.247.87" ], "destination.port": 7360, - "event.action": "cancel", + "event.action": [ + "cancel" + ], "event.code": "710", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2298,7 +2324,9 @@ "10.22.244.71" ], "destination.port": 1865, - "event.action": "deny", + "event.action": [ + "deny" + ], "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2313,8 +2341,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.81.33.64", - "10.22.244.71" + "10.22.244.71", + "10.81.33.64" ], "rsa.internal.messageid": "888", "rsa.misc.action": [ @@ -2356,6 +2384,9 @@ "10.20.73.247", "10.205.21.166" ], + "related.user": [ + "sun" + ], "rsa.internal.event_desc": "sed", "rsa.internal.messageid": "998", "rsa.internal.msg": "sed", @@ -2367,9 +2398,7 @@ "sonicwall.firewall", "forwarded" ], - "user.name": [ - "sun" - ] + "user.name": "sun" }, { "@timestamp": "2019-06-11T13:51:06.000Z", @@ -2471,8 +2500,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.206.229.61", - "10.129.101.147" + "10.129.101.147", + "10.206.229.61" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", @@ -2547,8 +2576,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.29.246", - "10.125.85.128" + "10.125.85.128", + "10.78.29.246" ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index 5576a8e025e..741f9a9a993 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md 
@@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-08 16:42:07.303222 +0000 UTC. +at 2020-07-08 17:36:34.097174 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/squid/log/config/liblogparser.js +++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = { "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "user.name", setter: fld_append}]}, - "c_username": {to:[{field: "user.name", setter: fld_append}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.category", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_append}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
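Review bot: Moving `event_type` onto `event.action` via `fld_append` (the `@@ -957` hunk) turns that field into an array even for a single value — the expected-output fixtures in this patch now carry `"event.action": ["allow"]` and similar — and merges the vendor `event_type` string into the same list as `action`. Exact-match consumers that assumed the previous scalar shape (Painless conditions such as `ctx.event?.action == 'deny'`, or detection content written against the old output) need to be re-checked against the array form; if a scalar was intended, keeping `action` on `fld_set` and appending only `event_type` would preserve it for the common single-value case. Dropping `event_type` from `event.category` is correct since ECS restricts `event.category` to its allowed-values list, and a one-line comment above the entry, `// vendor event_type is free-form; event.category only admits ECS allowed values`, would keep that rationale in the file.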
@@ -982,14 +982,14 @@ var ecs_mappings = { "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "user.name", setter: fld_append}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "user.name", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, 
@@ -1015,7 +1015,7 @@ var ecs_mappings = { "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "user.name", setter: fld_append}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, 
@@ -1030,17 +1030,17 @@ var ecs_mappings = { "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "user.name", setter: fld_append}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "user.name", setter: fld_append}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "user.name", setter: fld_append}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index b8747537801..996dd40f511 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json 
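Review bot: The new `user`/`username` appends into `related.user` do not filter the proxy's unauthenticated-request placeholder, so the access1.log fixture later in this patch now expects `"related.user": ["-"]` and `"user.name": "-"` for the TCP_DENIED/407 request. `related.user` is the pivot field used to find every event touching an identity, and a literal `-` both correlates all anonymous traffic under a fake identity and reads as a real user name in alerts. Reject the placeholder before the append, e.g. `if (value === "-") return;` ahead of the push in the append setter or as a per-field guard on these entries (the setter bodies are outside this hunk, so the exact spot should be confirmed there). The same mapping change appears in the sonicwall copy of liblogparser.js earlier in this patch, so the fix belongs in whatever source these per-module copies are produced from rather than in one copy.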
@@ -10,7 +10,9 @@ "destination.ip": [ "209.73.177.115" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -25,13 +27,16 @@ "10.105.21.199", "209.73.177.115" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -52,9 +57,7 @@ ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:00.000Z", @@ -70,7 +73,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -82,8 +87,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -91,8 +99,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -113,9 +121,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:00.000Z", @@ -131,7 +137,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -147,14 +155,17 @@ "10.105.21.199", "207.58.145.61" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -175,13 +186,13 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/styles.css", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:01.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -196,14 +207,17 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -224,13 +238,13 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/styles.css", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:02.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -245,14 +259,17 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -273,9 +290,7 @@ ], "url.domain": "www.google-analytics.com", "url.original": "http://www.google-analytics.com/urchin.js", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:03.000Z", @@ -291,7 +306,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -306,14 +323,17 @@ "207.58.145.61", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -334,9 +354,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:04.000Z", @@ -349,7 +367,9 @@ "destination.ip": [ "66.102.9.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -365,6 +385,9 @@ "66.102.9.147", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -393,9 +416,7 @@ ], "url.domain": "www.google-analytics.com", "url.original": "http://www.google-analytics.com/__utm.gif?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:04.000Z", @@ -411,7 +432,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -427,14 +450,17 @@ "10.105.21.199", "207.58.145.61" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -455,9 +481,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/graphics/newslogo.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:04.000Z", @@ -473,7 +497,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -489,14 +515,17 @@ "207.58.145.61", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -517,9 +546,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:05.000Z", 
@@ -535,7 +562,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -548,8 +577,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -557,8 +589,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -579,13 +611,13 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FUS.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:05.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -600,14 +632,17 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -628,9 +663,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FGB.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:05.000Z", @@ -646,7 +679,9 @@ "destination.ip": [ "209.85.16.38" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -659,8 +694,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.85.16.38", - "10.105.21.199" + "10.105.21.199", + "209.85.16.38" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -668,8 +706,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -690,9 +728,7 @@ ], "url.domain": "as.casalemedia.com", "url.original": "http://as.casalemedia.com/s?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:06.000Z", @@ -703,7 +739,9 @@ "destination.ip": [ "68.142.213.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -718,13 +756,16 @@ "10.105.21.199", "68.142.213.132" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -745,9 +786,7 @@ ], "url.domain": "us.bc.yahoo.com", "url.original": "us.bc.yahoo.com:443", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:07.000Z", @@ -760,7 +799,9 @@ "destination.ip": [ "217.212.240.172" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -773,8 +814,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -804,9 +848,7 @@ ], "url.domain": "impgb.tradedoubler.com", "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:07.000Z", @@ -822,7 +864,9 @@ "destination.ip": [ "206.169.136.22" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -838,14 +882,17 @@ "206.169.136.22", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -866,13 +913,13 @@ ], "url.domain": "4.adbrite.com", "url.original": "http://4.adbrite.com/mb/text_group.php?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:07.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -887,14 +934,17 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -915,9 +965,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FFR.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:09.000Z", @@ -933,7 +981,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -949,6 +999,9 @@ "10.105.21.199", "207.58.145.61" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -977,9 +1030,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FAU.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:09.000Z", @@ -995,7 +1046,9 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1008,8 +1061,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1039,9 +1095,7 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/graphics/spacer.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:10.000Z", @@ -1052,7 +1106,9 @@ "destination.ip": [ "64.127.126.178" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1065,8 +1121,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1096,9 +1155,7 @@ ], "url.domain": "4.adbrite.com", "url.original": "http://4.adbrite.com/mb/text_group.php?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:11.000Z", @@ -1114,7 +1171,9 @@ "destination.ip": [ "213.160.98.161" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1127,8 +1186,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.161", - "10.105.21.199" + "10.105.21.199", + "213.160.98.161" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1158,9 +1220,7 @@ ], "url.domain": "ff.connextra.com", "url.original": "http://ff.connextra.com/Ladbrokes/selector/image?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:15.000Z", @@ -1176,7 +1236,9 @@ "destination.ip": [ "213.160.98.160" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1192,14 +1254,17 @@ "213.160.98.160", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -1220,13 +1285,13 @@ ], "url.domain": "dd.connextra.com", "url.original": "http://dd.connextra.com/servlet/controller?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:17.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1240,14 +1305,17 @@ "related.ip": [ "10.105.47.218" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1268,9 +1336,7 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:22.000Z", @@ -1283,7 +1349,9 @@ "destination.ip": [ "209.73.177.115" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1295,8 +1363,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1325,13 +1396,13 @@ ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:23.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1346,6 +1417,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1374,9 +1448,7 @@ ], "url.domain": "update.messenger.yahoo.com", "url.original": "http://update.messenger.yahoo.com/msgrcli7.html", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:23.000Z", @@ -1389,7 +1461,9 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -1401,8 +1475,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -1431,9 +1508,7 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:24.000Z", @@ -1449,7 +1524,9 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1464,14 +1541,17 @@ "10.105.47.218", "204.13.51.238" ], + "related.user": [ + "nazsoau" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1492,9 +1572,7 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", - "user.name": [ - "nazsoau" - ] + "user.name": "nazsoau" }, { "@timestamp": "2006-09-08T04:22:24.000Z", 
@@ -1510,7 +1588,9 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1523,8 +1603,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" + ], + "related.user": [ + "nazsoau" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1554,9 +1637,7 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/friend/styles/homepage.css", - "user.name": [ - "nazsoau" - ] + "user.name": "nazsoau" }, { "@timestamp": "2006-09-08T04:22:25.000Z", @@ -1569,7 +1650,9 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -1581,8 +1664,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -1611,13 +1697,13 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:26.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1632,14 +1718,17 @@ "related.ip": [ "10.105.37.58" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1660,13 +1749,13 @@ ], "url.domain": "rms.adobe.com", "url.original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:27.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1681,6 +1770,9 @@ "related.ip": [ "10.105.47.218" ], + "related.user": [ + "nazsoau" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1709,13 +1801,13 @@ ], "url.domain": "images.hi5.com", "url.original": "http://images.hi5.com/styles/style.css", - "user.name": [ - "nazsoau" - ] + "user.name": "nazsoau" }, { "@timestamp": "2006-09-08T04:22:27.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1730,6 +1822,9 @@ "related.ip": [ "10.105.47.218" ], + "related.user": [ + "nazsoau" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1758,9 +1853,7 @@ ], "url.domain": "images.hi5.com", "url.original": "http://images.hi5.com/friend/styles/buttons_en_us.css", - "user.name": [ - "nazsoau" - ] + "user.name": "nazsoau" }, { "@timestamp": "2006-09-08T04:22:27.000Z", 
@@ -1776,7 +1869,9 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1791,14 +1886,17 @@ "204.13.51.238", "10.105.47.218" ], + "related.user": [ + "nazsoau" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1819,9 +1917,7 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", - "user.name": [ - "nazsoau" - ] + "user.name": "nazsoau" }, { "@timestamp": "2006-09-08T04:22:29.000Z", @@ -1837,7 +1933,9 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1853,6 +1951,9 @@ "204.13.51.238", "10.105.47.218" ], + "related.user": [ + "nazsoau" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1881,9 +1982,7 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/friend/styles/headernav.css", - "user.name": [ - "nazsoau" - ] + "user.name": "nazsoau" }, { "@timestamp": "2006-09-08T04:22:30.000Z", @@ -1896,7 +1995,9 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -1911,6 +2012,9 @@ "216.155.194.239", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -1938,9 +2042,7 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:33.000Z", @@ -1951,7 +2053,9 @@ "destination.ip": [ "68.142.194.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1963,8 +2067,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1994,9 +2101,7 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:33.000Z", @@ -2009,7 +2114,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2025,14 +2132,17 @@ "68.142.219.132", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2053,9 +2163,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/play/playmessenger.asp", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:34.000Z", 
@@ -2068,7 +2176,9 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2080,16 +2190,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2110,9 +2223,7 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:35.000Z", @@ -2123,7 +2234,9 @@ "destination.ip": [ "209.191.93.51" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2136,8 +2249,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "209.191.93.51" + "209.191.93.51", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2167,9 +2283,7 @@ ], "url.domain": "address.yahoo.com", "url.original": "http://address.yahoo.com/yab/us?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:36.000Z", @@ -2185,7 +2299,9 @@ "destination.ip": [ "63.245.209.21" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2201,6 +2317,9 @@ "63.245.209.21", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2229,9 +2348,7 @@ ], "url.domain": "fxfeeds.mozilla.org", "url.original": "http://fxfeeds.mozilla.org/rss20.xml", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:37.000Z", @@ -2244,7 +2361,9 @@ "destination.ip": [ "68.142.231.252" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2256,8 +2375,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2265,8 +2387,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2287,9 +2409,7 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:37.000Z", @@ -2300,7 +2420,9 @@ "destination.ip": [ "68.142.194.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2312,8 +2434,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -2343,13 +2468,13 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2363,13 +2488,16 @@ "related.ip": [ "10.105.37.17" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2390,13 +2518,13 @@ ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2411,6 +2539,9 @@ "related.ip": [ "10.105.37.17" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -2438,13 +2569,13 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2459,13 +2590,16 @@ "related.ip": [ "10.105.37.17" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2486,13 +2620,13 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2506,13 +2640,16 @@ "related.ip": [ "10.105.37.17" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2533,9 +2670,7 @@ ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:38.000Z", @@ -2548,7 +2683,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2561,8 +2698,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -2592,13 +2732,13 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2612,6 +2752,9 @@ "related.ip": [ "10.105.37.17" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -2639,9 +2782,7 @@ ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:39.000Z", @@ -2654,7 +2795,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2667,8 +2810,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2676,8 +2822,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2698,9 +2844,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:39.000Z", 
@@ -2713,7 +2857,9 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2725,16 +2871,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2755,9 +2904,7 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:39.000Z", @@ -2770,7 +2917,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2783,8 +2932,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2814,9 +2966,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:40.000Z", @@ -2829,7 +2979,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2842,8 +2994,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -2873,13 +3028,13 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:40.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2894,6 +3049,9 @@ "related.ip": [ "10.105.47.191" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -2921,13 +3079,13 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:41.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2942,6 +3100,9 @@ "related.ip": [ "10.105.47.191" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -2969,9 +3130,7 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:41.000Z", @@ -2984,7 +3143,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2997,8 +3158,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3006,8 +3170,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3028,9 +3192,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:41.000Z", @@ -3043,7 +3205,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3056,8 +3220,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3087,9 +3254,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:42.000Z", @@ -3102,7 +3267,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3118,6 +3285,9 @@ "10.105.33.214", "68.142.219.132" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3146,9 +3316,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:42.000Z", @@ -3161,7 +3329,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3177,6 +3347,9 @@ "10.105.33.214", "68.142.219.132" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3205,13 +3378,13 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3226,6 +3399,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -3254,13 +3430,13 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3275,14 +3451,17 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3303,13 +3482,13 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3324,6 +3503,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3352,9 +3534,7 @@ ], "url.domain": "us.i1.yimg.com", "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:43.000Z", 
@@ -3367,7 +3547,9 @@ "destination.ip": [ "212.58.226.33" ], - "event.action": "TCP_REFRESH_MISS", + "event.action": [ + "TCP_REFRESH_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3380,8 +3562,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3411,9 +3596,7 @@ ], "url.domain": "newsrss.bbc.co.uk", "url.original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:44.000Z", @@ -3426,7 +3609,9 @@ "destination.ip": [ "68.142.231.252" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3442,14 +3627,17 @@ "68.142.231.252", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3470,13 +3658,13 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:44.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3491,6 +3679,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3519,13 +3710,13 @@ ], "url.domain": "us.ent1.yimg.com", "url.original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:44.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3540,6 +3731,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3568,9 +3762,7 @@ ], "url.domain": "us.news1.yimg.com", "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:45.000Z", @@ -3583,7 +3775,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -3599,13 +3793,16 @@ "68.142.219.132", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -3626,9 +3823,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:46.000Z", @@ -3644,7 +3839,9 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3660,14 +3857,17 @@ "10.105.33.214", "213.160.98.159" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3688,9 +3888,7 @@ ], "url.domain": "us.news1.yimg.com", "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:48.000Z", @@ -3703,7 +3901,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3716,8 +3916,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3725,8 +3928,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -3747,9 +3950,7 @@ ], "url.domain": "radio.music.yahoo.com", "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:48.000Z", @@ -3762,7 +3963,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3775,8 +3978,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3784,8 +3990,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3806,9 +4012,7 @@ ], "url.domain": "radio.music.yahoo.com", "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:48.000Z", @@ -3821,7 +4025,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3837,14 +4043,17 @@ "10.105.33.214", "68.142.219.132" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -3865,13 +4074,13 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:49.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3886,14 +4095,17 @@ "related.ip": [ "10.105.37.65" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3914,13 +4126,13 @@ ], "url.domain": "natrocket.kmip.net", "url.original": "http://natrocket.kmip.net:5288/iesocks?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:49.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3935,6 +4147,9 @@ "related.ip": [ "10.105.37.65" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3963,9 +4178,7 @@ ], "url.domain": "natrocket.kmip.net", "url.original": "http://natrocket.kmip.net:5288/return?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:22:50.000Z", @@ -3981,7 +4194,9 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
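Review bot: The `related.user` array added in the `@@ -3886,14 +4095,17 @@` hunk holds the literal `"-"`, which in a Squid access log marks an absent (unauthenticated) user rather than a user name; the same placeholder is carried into the flattened `"user.name": "-"` a few lines below, and the pattern repeats in the later hunks on this line, on the following lines, and throughout access2.log-expected.json. Indexing `-` into `related.user` defeats the purpose of the `related.*` correlation fields: any query for events involving a user will also match every anonymous request, and the `TCP_DENIED` / `"rsa.misc.result_code": "407"` entries alongside these values look like proxy-auth challenges, exactly where the placeholder appears. This fixture only records what the pipeline emits, so the fix belongs in the module's ingest pipeline (outside this diff): skip setting `user.name`, and therefore `related.user`, when the raw value is `-`. Separately, in the `@@ -3865,13 +4074,13 @@` hunk `event.action` is turned into a single-element array while `user.name` is turned into a scalar; if that asymmetry is intentional it deserves a sentence in the commit message, since consumers keyed on `event.action` as a keyword would be affected.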
@@ -3994,8 +4209,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4003,8 +4221,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4025,9 +4243,7 @@ ], "url.domain": "us.news1.yimg.com", "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:50.000Z", @@ -4040,7 +4256,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4053,8 +4271,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4062,8 +4283,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4084,9 +4305,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:51.000Z", 
@@ -4099,7 +4318,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4115,14 +4336,17 @@ "68.142.219.132", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4143,9 +4367,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/player/default.asp?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:51.000Z", @@ -4161,7 +4383,9 @@ "destination.ip": [ "213.160.98.152" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4174,8 +4398,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.152" + "213.160.98.152", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4183,8 +4410,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4205,9 +4432,7 @@ ], "url.domain": "us.a2.yimg.com", "url.original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:53.000Z", 
@@ -4220,7 +4445,9 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4236,14 +4463,17 @@ "10.105.33.214", "68.142.219.132" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4264,9 +4494,7 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:54.000Z", @@ -4277,7 +4505,9 @@ "destination.ip": [ "68.142.213.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4290,8 +4520,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.213.132" + "68.142.213.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4321,9 +4554,7 @@ ], "url.domain": "us.bc.yahoo.com", "url.original": "http://us.bc.yahoo.com/b?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:56.000Z", @@ -4334,7 +4565,9 @@ "destination.ip": [ "68.142.194.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4347,8 +4580,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4378,9 +4614,7 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:57.000Z", @@ -4391,7 +4625,9 @@ "destination.ip": [ "216.109.124.55" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4403,16 +4639,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.109.124.55", - "10.105.33.214" + "10.105.33.214", + "216.109.124.55" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4433,13 +4672,13 @@ ], "url.domain": "pclick.internal.yahoo.com", "url.original": "pclick.internal.yahoo.com:443", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:57.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4454,6 +4693,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -4482,9 +4724,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:57.000Z", @@ -4500,7 +4740,9 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4513,8 +4755,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4522,8 +4767,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4544,9 +4789,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:58.000Z", @@ -4562,7 +4805,9 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4578,6 +4823,9 @@ "10.105.33.214", "213.160.98.159" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -4606,9 +4854,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:58.000Z", @@ -4621,7 +4867,9 @@ "destination.ip": [ "209.73.177.115" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4636,13 +4884,16 @@ "209.73.177.115", "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4663,9 +4914,7 @@ ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:22:58.000Z", @@ -4681,7 +4930,9 @@ "destination.ip": [ "213.160.98.167" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4697,14 +4948,17 @@ "213.160.98.167", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -4725,9 +4979,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:58.000Z", @@ -4743,7 +4995,9 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4756,8 +5010,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4765,8 +5022,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4787,13 +5044,13 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:58.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4808,6 +5065,9 @@ "related.ip": [ "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -4836,9 +5096,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:59.000Z", @@ -4854,7 +5112,9 @@ "destination.ip": [ "213.160.98.167" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4867,8 +5127,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4898,9 +5161,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:22:59.000Z", @@ -4916,7 +5177,9 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4929,8 +5192,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4960,9 +5226,7 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:23:00.000Z", 
@@ -4978,7 +5242,9 @@ "destination.ip": [ "213.160.98.167" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4994,6 +5260,9 @@ "213.160.98.167", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5022,13 +5291,13 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:23:01.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5043,14 +5312,17 @@ "related.ip": [ "10.105.37.180" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5071,13 +5343,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/supported_domains", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:23:01.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5092,6 +5364,9 @@ "related.ip": [ "10.105.47.191" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -5120,9 +5395,7 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:23:01.000Z", @@ -5133,7 +5406,9 @@ "destination.ip": [ "216.109.125.112" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5149,6 +5424,9 @@ "216.109.125.112", "10.105.33.214" ], + "related.user": [ + "adeolaegbedokun" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5177,9 +5455,7 @@ ], "url.domain": "launch.adserver.yahoo.com", "url.original": "http://launch.adserver.yahoo.com/l?", - "user.name": [ - "adeolaegbedokun" - ] + "user.name": "adeolaegbedokun" }, { "@timestamp": "2006-09-08T04:23:02.000Z", @@ -5192,7 +5468,9 @@ "destination.ip": [ "217.12.10.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5208,6 +5486,9 @@ "10.105.21.199", "217.12.10.96" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5236,13 +5517,13 @@ ], "url.domain": "uk.f250.mail.yahoo.com", "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:23:02.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5256,6 +5537,9 @@ "related.ip": [ "10.105.37.180" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -5283,9 +5567,7 @@ ], "url.domain": "login.live.com", "url.original": "login.live.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2006-09-08T04:23:04.000Z", @@ -5301,7 +5583,9 @@ "destination.ip": [ "213.160.98.169" ], - "event.action": "TCP_SWAPFAIL_MISS", + "event.action": [ + "TCP_SWAPFAIL_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5314,8 +5598,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5345,13 +5632,13 @@ ], "url.domain": "us.js2.yimg.com", "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:23:05.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5366,14 +5653,17 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5394,9 +5684,7 @@ ], "url.domain": "us.js1.yimg.com", "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:23:07.000Z", @@ -5412,7 +5700,9 @@ "destination.ip": [ "213.160.98.169" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5425,8 +5715,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" + ], + "related.user": [ + "badeyek" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -5434,8 +5727,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5456,13 +5749,13 @@ ], "url.domain": "us.js2.yimg.com", "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5477,6 +5770,9 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5505,13 +5801,13 @@ ], "url.domain": "us.js1.yimg.com", "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5526,6 +5822,9 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -5554,13 +5853,13 @@ ], "url.domain": "us.js2.yimg.com", "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": "TCP_HIT", + "event.action": [ + "TCP_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5575,6 +5874,9 @@ "related.ip": [ "10.105.21.199" ], + "related.user": [ + "badeyek" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5603,8 +5905,6 @@ ], "url.domain": "us.i1.yimg.com", "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", - "user.name": [ - "badeyek" - ] + "user.name": "badeyek" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index 4ba1d874fa0..3cef9eca756 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json @@ -1,7 +1,9 @@ [ { "@timestamp": "2002-10-23T10:25:29.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -16,6 +18,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -50,13 +55,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:30.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -71,6 +76,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -105,13 +113,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:31.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -126,14 +134,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -160,13 +171,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -181,6 +192,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -215,13 +229,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/anglais/produit4.html", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -236,14 +250,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -270,13 +287,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/produits-ang.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -291,14 +308,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -325,13 +345,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/cale.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -346,14 +366,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -380,13 +403,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/fond2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -401,6 +424,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -435,13 +461,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/logo_orange.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -456,6 +482,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -490,13 +519,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/chat.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_REFRESH_MISS", + "event.action": [ + "TCP_REFRESH_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -511,6 +540,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -545,13 +577,13 @@ ], "url.domain": "www.call-kelly.com", "url.original": "http://www.call-kelly.com/horizontal.js", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -566,14 +598,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -600,13 +635,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/icone_notice.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -621,14 +656,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -655,13 +693,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/spelenium1.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -676,14 +714,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -710,13 +751,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/spelenium2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -731,6 +772,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -765,13 +809,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/spelenium3.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -786,6 +830,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -820,13 +867,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/speleniumgold.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -841,6 +888,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -875,13 +925,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/antipode.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -896,6 +946,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -930,13 +983,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/logospelenium.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -951,6 +1004,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -985,13 +1041,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/0spelenium1.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1006,6 +1062,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1040,13 +1099,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1061,6 +1120,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1095,13 +1157,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/0spelenium2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1116,6 +1178,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -1150,13 +1215,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/0spelenium3.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1171,6 +1236,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1205,13 +1273,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/0antipode.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1226,6 +1294,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1260,13 +1331,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/0spelenium4.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1281,14 +1352,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1315,13 +1389,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1336,6 +1410,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1370,13 +1447,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1390,14 +1467,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1424,13 +1504,13 @@ ], "url.domain": "www.call-kelly.com", "url.original": "http://www.call-kelly.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1445,6 +1525,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -1479,13 +1562,13 @@ ], "url.domain": "www.call-kelly.com", "url.original": "http://www.call-kelly.com/vertical.js", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1500,6 +1583,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1534,13 +1620,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1555,6 +1641,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1589,13 +1678,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1610,14 +1699,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1644,13 +1736,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1665,6 +1757,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1699,13 +1794,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1720,14 +1815,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1754,13 +1852,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1775,6 +1873,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -1809,13 +1910,13 @@ ], "url.domain": "counter11.sextracker.com", "url.original": "http://counter11.sextracker.com/c4/id/0/259914", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1830,6 +1931,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1864,13 +1968,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/vertbar.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1885,6 +1989,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1919,13 +2026,13 @@ ], "url.domain": "66.181.163.170", "url.original": "http://66.181.163.170/pics/12.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1940,14 +2047,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1974,13 +2084,13 @@ ], "url.domain": "66.181.163.170", "url.original": "http://66.181.163.170/pics/tease.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1995,14 +2105,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2029,13 +2142,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/getacro.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:37.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2050,14 +2163,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2084,13 +2200,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/journaltitle.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:38.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2105,6 +2221,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2139,13 +2258,13 @@ ], "url.domain": "66.181.163.170", "url.original": "http://66.181.163.170/pics/5.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:39.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2160,6 +2279,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2194,13 +2316,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/msbutton.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:39.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2215,6 +2337,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2249,13 +2374,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:40.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2270,14 +2395,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2304,13 +2432,13 @@ ], "url.domain": "66.181.163.170", "url.original": "http://66.181.163.170/pics/8.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:41.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2325,6 +2453,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2359,13 +2490,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2380,14 +2511,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2414,13 +2548,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/subsbutton.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2435,14 +2569,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2469,13 +2606,13 @@ ], "url.domain": "66.181.163.170", "url.original": "http://66.181.163.170/pics/17.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2490,14 +2627,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2524,13 +2664,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/shim.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2545,14 +2685,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2579,13 +2722,13 @@ ], "url.domain": "www.penis-enlargement-product.com", "url.original": "http://www.penis-enlargement-product.com/banners/ban2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:43.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2600,6 +2743,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2634,13 +2780,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2655,6 +2801,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2689,13 +2838,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/fond2.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2710,6 +2859,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2744,13 +2896,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/speleo-ang.html", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_IMS_HIT", + "event.action": [ + "TCP_IMS_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2765,14 +2917,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -2799,13 +2954,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/produits/img/cale.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2820,14 +2975,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2854,13 +3012,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/titre_speleo.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2875,6 +3033,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2909,13 +3070,13 @@ ], "url.domain": "botw.topbucks.com", "url.original": "http://botw.topbucks.com/mx_vertical_04_ani.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2930,6 +3091,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2964,13 +3128,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/francais.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2985,14 +3149,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3019,13 +3186,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/anglais_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3040,6 +3207,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3074,13 +3244,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/deutsch.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3095,6 +3265,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3129,13 +3302,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/espanol.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3150,6 +3323,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -3184,13 +3360,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/italiano.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3205,14 +3381,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3239,13 +3418,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/nederlands.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3260,6 +3439,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3294,13 +3476,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/portuges.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3315,14 +3497,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3349,13 +3534,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/japanese.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3370,14 +3555,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3404,13 +3592,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/logobeal.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3425,6 +3613,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -3459,13 +3650,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/spelenium1.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3480,6 +3671,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3514,13 +3708,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/bout1_ang.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3535,6 +3729,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3569,13 +3766,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/bout2_ang.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:51.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3590,14 +3787,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3624,13 +3824,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/attention.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:52.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3645,14 +3845,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3679,13 +3882,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/francais_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3700,6 +3903,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3734,13 +3940,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/deutsch_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3755,14 +3961,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3789,13 +3998,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/espanol_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3810,6 +4019,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3844,13 +4056,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/italiano_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3865,14 +4077,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3899,13 +4114,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/nederlands_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3920,6 +4135,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3954,13 +4172,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/japanese_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3975,14 +4193,17 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4009,13 +4230,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/portuges_bis.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4030,14 +4251,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4064,13 +4288,13 @@ ], "url.domain": "cybercatinc.com", "url.original": "http://cybercatinc.com/banners/July/logo16.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4085,6 +4309,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4119,13 +4346,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/bout1bis_ang.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:57.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4140,6 +4367,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4174,13 +4404,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/bout2bis_ang.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:57.000Z", - "event.action": "TCP_MEM_HIT", + "event.action": [ + "TCP_MEM_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4195,6 +4425,9 @@ "related.ip": [ "210.8.79.199" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4229,13 +4462,13 @@ ], "url.domain": "www.bealplanet.com", "url.original": "http://www.bealplanet.com/notices/img/bout2bis_ang.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:58.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4249,14 +4482,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4283,13 +4519,13 @@ ], "url.domain": "www.frenchcum.com", "url.original": "http://www.frenchcum.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:25:59.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4304,6 +4540,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4338,13 +4577,13 @@ ], "url.domain": "www.cyberhairy.com", "url.original": "http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:01.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4359,14 +4598,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4393,13 +4635,13 @@ ], "url.domain": "www.girls-home-alone.com", "url.original": "http://www.girls-home-alone.com/banners/call-kelly.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:01.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4414,6 +4656,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4448,13 +4693,13 @@ ], "url.domain": "cybercatinc.com", "url.original": "http://cybercatinc.com/banners/July/npban_adult.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:09.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4468,14 +4713,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -4502,13 +4750,13 @@ ], "url.domain": "c2.xxxcounter.com", "url.original": "http://c2.xxxcounter.com/c2/id/2/148582/0/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:13.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4523,14 +4771,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4557,13 +4808,13 @@ ], "url.domain": "www.frenchcum.com", "url.original": "http://www.frenchcum.com/eclair.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:13.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4578,14 +4829,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4612,9 +4866,7 @@ ], "url.domain": "www.frenchcum.com", "url.original": "http://www.frenchcum.com/frenchcumnew.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:13.000Z", 
@@ -4627,7 +4879,9 @@ "destination.ip": [ "80.69.64.224" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4643,14 +4897,17 @@ "80.69.64.224", "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4677,13 +4934,13 @@ ], "url.domain": "www.usaminutes.tv", "url.original": "http://www.usaminutes.tv/iframe_pix/index_3.php?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:14.000Z", - "event.action": "TCP_REFRESH_MISS", + "event.action": [ + "TCP_REFRESH_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4698,14 +4955,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4732,13 +4992,13 @@ ], "url.domain": "www.frenchcum.com", "url.original": "http://www.frenchcum.com/oki02.gif", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4752,14 +5012,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4786,13 +5049,13 @@ ], "url.domain": "rr3.xxxcounter.com", "url.original": "http://rr3.xxxcounter.com/c2/id/2/148582/0/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4807,6 +5070,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4841,13 +5107,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4862,6 +5128,9 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4896,13 +5165,13 @@ ], "url.domain": "counter4.sextracker.com", "url.original": "http://counter4.sextracker.com/c7/id/0/315043", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4917,14 +5186,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4951,13 +5223,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4972,14 +5244,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5006,13 +5281,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5027,14 +5302,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5061,13 +5339,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5082,6 +5360,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5116,13 +5397,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/carafano.pdf", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5137,6 +5418,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -5171,13 +5455,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_REFRESH_HIT", + "event.action": [ + "TCP_REFRESH_HIT" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5192,14 +5476,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "PARENT_HIT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5226,13 +5513,13 @@ ], "url.domain": "www.usaminutes.tv", "url.original": "http://www.usaminutes.tv/iframe_pix/7.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_DENIED", + "event.action": [ + "TCP_DENIED" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5247,6 +5534,9 @@ "related.ip": [ "202.67.67.124" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5284,13 +5574,13 @@ ], "url.domain": "rmapup.real.com", "url.original": "http://rmapup.real.com/fcgi-bin/upgrade.fcgi?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5305,14 +5595,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5339,13 +5632,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5360,6 +5653,9 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -5394,13 +5690,13 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/carafano.pdf", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:18.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5414,14 +5710,17 @@ "related.ip": [ "210.8.79.192" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -5448,13 +5747,13 @@ ], "url.domain": "c1.xxxcounter.com", "url.original": "http://c1.xxxcounter.com/c2/id/16/190203/0/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2002-10-23T10:26:18.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5469,14 +5768,17 @@ "related.ip": [ "210.8.79.228" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "FIRST_PARENT_MISS", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5503,8 +5805,6 @@ ], "url.domain": "www.fas.harvard.edu", "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg", - "user.name": [ - "-" - ] + "user.name": "-" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index 5a63ebf892b..c20396aebdb 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json @@ -1,7 +1,9 @@ [ { "@timestamp": "2012-09-28T22:11:35.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -15,13 +17,16 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -42,13 +47,13 @@ ], "url.domain": "safebrowsing.google.com", "url.original": "safebrowsing.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:11:38.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -62,6 +67,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -89,13 +97,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:11:56.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -109,6 +117,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -136,13 +147,13 @@ ], "url.domain": "clients4.google.com", "url.original": "clients4.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:01.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -156,13 +167,16 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -183,13 +197,13 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:05.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -204,6 +218,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -232,13 +249,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:06.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -253,6 +270,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -281,13 +301,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:06.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -302,14 +322,17 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", 
@@ -330,13 +353,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -351,14 +374,17 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -379,13 +405,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -400,6 +426,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -428,13 +457,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -449,6 +478,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -477,13 +509,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -497,14 +529,17 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -525,13 +560,13 @@ ], "url.domain": "www.amazon.com", "url.original": "http://www.amazon.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:12:26.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -545,6 +580,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -572,13 +610,13 @@ ], "url.domain": "clients4.google.com", "url.original": "clients4.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:13:24.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -592,6 +630,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -619,13 +660,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:16:03.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -639,13 +680,16 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -666,13 +710,13 @@ ], "url.domain": "safebrowsing.google.com", "url.original": "safebrowsing.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:16:24.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -686,13 +730,16 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -713,13 +760,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:17:33.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -733,13 +780,16 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -760,13 +810,13 @@ ], "url.domain": "safebrowsing.google.com", "url.original": "safebrowsing.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:18:09.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -780,6 +830,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -807,13 +860,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:19:32.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -828,6 +881,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -856,13 +912,13 @@ ], "url.domain": "clients2.google.com", "url.original": "http://clients2.google.com/service/update2/crx?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:21:09.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -876,6 +932,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -903,13 +962,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:22:27.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -924,6 +983,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -952,13 +1014,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:22:27.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -973,14 +1035,17 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1001,13 +1066,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:22:29.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1022,6 +1087,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1050,13 +1118,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:22:29.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1071,6 +1139,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1099,13 +1170,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:22:30.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1120,6 +1191,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1148,13 +1222,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/complete/search?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:22:54.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1168,6 +1242,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -1195,13 +1272,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:24:48.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1215,6 +1292,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1243,13 +1323,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:25:02.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1263,6 +1343,9 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -1291,13 +1374,13 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:25:59.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1311,13 +1394,16 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -1338,13 +1424,13 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:00.000Z", - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1358,14 +1444,17 @@ "related.ip": [ "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "NONE", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1386,9 +1475,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:30.000Z", @@ -1401,7 +1488,9 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1416,14 +1505,17 @@ "192.168.0.35", "74.125.131.147" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1444,9 +1536,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:30.000Z", @@ -1459,7 +1549,9 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1475,14 +1567,17 @@ "74.125.131.147", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1503,9 +1598,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/images/srpr/logo3w.png", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:30.000Z", @@ -1518,7 +1611,9 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1534,14 +1629,17 @@ "74.125.131.147", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -1562,9 +1660,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:30.000Z", @@ -1577,7 +1673,9 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1590,8 +1688,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1621,9 +1722,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/extern_chrome/359533f6f71ee9c1.js", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:30.000Z", @@ -1636,7 +1735,9 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1649,8 +1750,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -1658,8 +1762,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "204", @@ -1680,9 +1784,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/csi?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:35.000Z", @@ -1695,7 +1797,9 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1707,8 +1811,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", 
@@ -1737,9 +1844,7 @@ ], "url.domain": "encrypted.google.com", "url.original": "encrypted.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:35.000Z", @@ -1752,7 +1857,9 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1764,16 +1871,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1794,9 +1904,7 @@ ], "url.domain": "encrypted.google.com", "url.original": "encrypted.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:35.000Z", @@ -1809,7 +1917,9 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1824,13 +1934,16 @@ "192.168.0.35", "74.125.228.3" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1851,9 +1964,7 @@ ], "url.domain": "encrypted.google.com", "url.original": "encrypted.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", 
@@ -1866,7 +1977,9 @@ "destination.ip": [ "74.125.228.6" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1881,6 +1994,9 @@ "74.125.228.6", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -1908,9 +2024,7 @@ ], "url.domain": "apis.google.com", "url.original": "apis.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -1923,7 +2037,9 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1938,6 +2054,9 @@ "74.125.228.3", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -1965,9 +2084,7 @@ ], "url.domain": "encrypted.google.com", "url.original": "encrypted.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -1980,7 +2097,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1995,13 +2114,16 @@ "192.168.0.35", "74.125.228.14" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2022,9 +2144,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", 
@@ -2037,7 +2157,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2049,8 +2171,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2079,9 +2204,7 @@ ], "url.domain": "play.google.com", "url.original": "play.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -2094,7 +2217,9 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2109,6 +2234,9 @@ "192.168.0.35", "74.125.131.147" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -2136,9 +2264,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -2151,7 +2277,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2163,16 +2291,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2193,9 +2324,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -2208,7 +2337,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2220,16 +2351,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2250,9 +2384,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -2265,7 +2397,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2280,13 +2414,16 @@ "192.168.0.35", "74.125.228.14" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2307,9 +2444,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", 
@@ -2322,7 +2457,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2337,6 +2474,9 @@ "192.168.0.35", "74.125.228.14" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -2364,9 +2504,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-09-28T22:26:43.000Z", @@ -2379,7 +2517,9 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2391,16 +2531,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2421,9 +2564,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:09:45.000Z", @@ -2436,7 +2577,9 @@ "destination.ip": [ "74.125.228.97" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2449,8 +2592,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.97" + "74.125.228.97", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -2480,9 +2626,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/tools/swg2/update?", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:13.000Z", @@ -2495,7 +2639,9 @@ "destination.ip": [ "23.11.236.224" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2507,16 +2653,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "23.11.236.224", - "192.168.0.35" + "192.168.0.35", + "23.11.236.224" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2537,9 +2686,7 @@ ], "url.domain": "configuration.apple.com", "url.original": "configuration.apple.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:25.000Z", @@ -2552,7 +2699,9 @@ "destination.ip": [ "23.11.236.224" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2564,8 +2713,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "23.11.236.224" + "23.11.236.224", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2594,9 +2746,7 @@ ], "url.domain": "configuration.apple.com", "url.original": "configuration.apple.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:46.000Z", 
@@ -2609,7 +2759,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2624,13 +2776,16 @@ "192.168.0.35", "74.125.228.100" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2651,9 +2806,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:46.000Z", @@ -2666,7 +2819,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2678,16 +2833,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2708,9 +2866,7 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:46.000Z", @@ -2723,7 +2879,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2735,16 +2893,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2765,9 +2926,7 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:51.000Z", @@ -2780,7 +2939,9 @@ "destination.ip": [ "173.194.73.104" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2792,16 +2953,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.73.104", - "192.168.0.35" + "192.168.0.35", + "173.194.73.104" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2822,9 +2986,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:51.000Z", @@ -2837,7 +2999,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2849,16 +3013,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2879,9 +3046,7 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:51.000Z", @@ -2894,7 +3059,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2909,13 +3076,16 @@ "192.168.0.35", "74.125.228.100" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2936,9 +3106,7 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:10:52.000Z", @@ -2951,7 +3119,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2966,6 +3136,9 @@ "74.125.228.100", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -2993,9 +3166,7 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:06.000Z", @@ -3008,7 +3179,9 @@ "destination.ip": [ "208.44.23.184" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3024,14 +3197,17 @@ "208.44.23.184", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-apple-plist", "rsa.misc.result_code": "200", @@ -3052,9 +3228,7 @@ ], "url.domain": "swcatalog.apple.com", "url.original": "http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:09.000Z", @@ -3067,7 +3241,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3080,8 +3256,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3089,8 +3268,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -3111,9 +3290,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:10.000Z", @@ -3126,7 +3303,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3142,14 +3321,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3170,9 +3352,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:10.000Z", @@ -3185,7 +3365,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3201,6 +3383,9 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3229,9 +3414,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:12.000Z", 
@@ -3244,7 +3427,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3260,6 +3445,9 @@ "208.44.23.185", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3288,9 +3476,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:12.000Z", @@ -3303,7 +3489,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3319,14 +3507,17 @@ "208.44.23.185", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3347,9 +3538,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:13.000Z", @@ -3362,7 +3551,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3378,14 +3569,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3406,9 +3600,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:13.000Z", @@ -3421,7 +3613,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3434,8 +3628,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3443,8 +3640,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3465,9 +3662,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:13.000Z", @@ -3480,7 +3675,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3493,8 +3690,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3524,9 +3724,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:14.000Z", @@ -3539,7 +3737,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3555,14 +3755,17 @@ "208.44.23.185", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3583,9 +3786,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:14.000Z", @@ -3598,7 +3799,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3614,14 +3817,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3642,9 +3848,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:14.000Z", @@ -3657,7 +3861,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3670,8 +3876,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3679,8 +3888,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3701,9 +3910,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:15.000Z", @@ -3716,7 +3923,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3729,8 +3938,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3738,8 +3950,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3760,9 +3972,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:15.000Z", @@ -3775,7 +3985,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3787,9 +3999,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "related.ip": [ + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3797,8 +4012,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3819,9 +4034,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:15.000Z", 
@@ -3834,7 +4047,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3847,8 +4062,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3856,8 +4074,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3878,9 +4096,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:16.000Z", @@ -3893,7 +4109,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3906,8 +4124,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -3915,8 +4136,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3937,9 +4158,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:16.000Z", 
@@ -3952,7 +4171,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3968,6 +4189,9 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -3996,9 +4220,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:17.000Z", @@ -4011,7 +4233,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4027,6 +4251,9 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4055,9 +4282,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:18.000Z", @@ -4070,7 +4295,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4086,6 +4313,9 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -4114,9 +4344,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:18.000Z", @@ -4129,7 +4357,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4142,8 +4372,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4173,9 +4406,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:18.000Z", @@ -4188,7 +4419,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4204,6 +4437,9 @@ "208.44.23.185", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4232,9 +4468,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:19.000Z", @@ -4247,7 +4481,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4260,8 +4496,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4269,8 +4508,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4291,9 +4530,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:19.000Z", @@ -4306,7 +4543,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4322,14 +4561,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4350,9 +4592,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:19.000Z", @@ -4365,7 +4605,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4381,14 +4623,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4409,9 +4654,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:19.000Z", @@ -4424,7 +4667,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4437,8 +4682,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4446,8 +4694,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4468,9 +4716,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:20.000Z", @@ -4483,7 +4729,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4499,6 +4747,9 @@ "208.44.23.185", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4527,9 +4778,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:21.000Z", @@ -4542,7 +4791,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4558,14 +4809,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4586,9 +4840,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:22.000Z", @@ -4601,7 +4853,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4614,8 +4868,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -4645,9 +4902,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:23.000Z", @@ -4660,7 +4915,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4673,8 +4930,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4682,8 +4942,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4704,9 +4964,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:23.000Z", @@ -4719,7 +4977,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4735,6 +4995,9 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4763,9 +5026,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:24.000Z", 
@@ -4778,7 +5039,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4794,14 +5057,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4822,9 +5088,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:26.000Z", @@ -4837,7 +5101,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4850,8 +5116,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4859,8 +5128,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4881,9 +5150,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:26.000Z", 
@@ -4896,7 +5163,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4912,6 +5181,9 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -4940,9 +5212,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:11:27.000Z", @@ -4955,7 +5225,9 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4971,14 +5243,17 @@ "192.168.0.35", "208.44.23.185" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4999,9 +5274,7 @@ ], "url.domain": "swcdn.apple.com", "url.original": "http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:13:03.000Z", @@ -5014,7 +5287,9 @@ "destination.ip": [ "173.194.73.104" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5029,6 +5304,9 @@ "173.194.73.104", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5056,9 +5334,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:13:03.000Z", @@ -5071,7 +5347,9 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5083,16 +5361,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5113,9 +5394,7 @@ ], "url.domain": "clients3.google.com", "url.original": "clients3.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:13:03.000Z", @@ -5128,7 +5407,9 @@ "destination.ip": [ "74.125.228.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5140,8 +5421,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.96" + "74.125.228.96", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5170,9 +5454,7 @@ ], "url.domain": "clients4.google.com", "url.original": "clients4.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:13:03.000Z", 
@@ -5185,7 +5467,9 @@ "destination.ip": [ "74.125.228.101" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5197,8 +5481,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.101" + "74.125.228.101", + "192.168.0.35" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5227,9 +5514,7 @@ ], "url.domain": "safebrowsing-cache.google.com", "url.original": "safebrowsing-cache.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:13:03.000Z", @@ -5242,7 +5527,9 @@ "destination.ip": [ "74.125.228.102" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5254,8 +5541,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.102", - "192.168.0.35" + "192.168.0.35", + "74.125.228.102" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5284,9 +5574,7 @@ ], "url.domain": "safebrowsing.google.com", "url.original": "safebrowsing.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:15:15.000Z", @@ -5299,7 +5587,9 @@ "destination.ip": [ "69.171.228.74" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5311,8 +5601,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "69.171.228.74", - "192.168.0.35" + "192.168.0.35", + "69.171.228.74" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", 
@@ -5342,9 +5635,7 @@ ], "url.domain": "www.facebook.com", "url.original": "http://www.facebook.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:15:18.000Z", @@ -5357,7 +5648,9 @@ "destination.ip": [ "23.62.194.110" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5372,6 +5665,9 @@ "23.62.194.110", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5399,9 +5695,7 @@ ], "url.domain": "s-static.ak.facebook.com", "url.original": "s-static.ak.facebook.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:15:18.000Z", @@ -5414,7 +5708,9 @@ "destination.ip": [ "69.171.228.74" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5429,13 +5725,16 @@ "192.168.0.35", "69.171.228.74" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5456,9 +5755,7 @@ ], "url.domain": "www.facebook.com", "url.original": "www.facebook.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2012-10-01T02:15:19.000Z", @@ -5471,7 +5768,9 @@ "destination.ip": [ "69.171.228.74" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5486,6 +5785,9 @@ "69.171.228.74", "192.168.0.35" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5513,8 +5815,6 @@ ], "url.domain": "www.facebook.com", "url.original": "www.facebook.com:443", - "user.name": [ - "-" - ] + "user.name": "-" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index 0d15b554214..373ccb372b1 100644 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -10,7 +10,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -22,16 +24,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -52,9 +57,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:34:18.000Z", @@ -67,7 +70,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -79,16 +84,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -109,9 +117,7 @@ ], "url.domain": "0.client-channel.google.com", "url.original": "0.client-channel.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:34:20.000Z", @@ -124,7 +130,9 @@ "destination.ip": [ "173.194.123.102" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -136,16 +144,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -166,9 +177,7 @@ ], "url.domain": "clients4.google.com", "url.original": "clients4.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:34:22.000Z", @@ -181,7 +190,9 @@ "destination.ip": [ "173.194.123.102" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -193,8 +204,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -223,9 +237,7 @@ ], "url.domain": "clients6.google.com", "url.original": "clients6.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:34:48.000Z", @@ -238,7 +250,9 @@ "destination.ip": [ "173.194.123.97" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -250,8 +264,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.97" + "173.194.123.97", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -280,9 +297,7 @@ ], "url.domain": "drive.google.com", "url.original": "drive.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:02.000Z", @@ -295,7 +310,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -310,13 +327,16 @@ "173.194.206.189", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -337,9 +357,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:07.000Z", 
@@ -352,7 +370,9 @@ "destination.ip": [ "173.194.123.102" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -367,13 +387,16 @@ "173.194.123.102", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -394,9 +417,7 @@ ], "url.domain": "clients2.google.com", "url.original": "clients2.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:16.000Z", @@ -409,7 +430,9 @@ "destination.ip": [ "173.194.123.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -421,8 +444,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -451,9 +477,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:17.000Z", @@ -466,7 +490,9 @@ "destination.ip": [ "173.194.123.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -478,16 +504,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -508,9 +537,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:27.000Z", @@ -523,7 +550,9 @@ "destination.ip": [ "173.194.123.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -538,6 +567,9 @@ "173.194.123.96", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -565,9 +597,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:29.000Z", @@ -583,7 +613,9 @@ "destination.ip": [ "216.58.219.237" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -595,16 +627,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.237", - "::1" + "::1", + "216.58.219.237" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -625,9 +660,7 @@ ], "url.domain": "accounts.google.com", "url.original": "accounts.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:34.000Z", @@ -640,7 +673,9 @@ "destination.ip": [ "173.194.123.68" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -652,16 +687,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.68", - "::1" + "::1", + "173.194.123.68" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -682,9 +720,7 @@ ], "url.domain": "apis.google.com", "url.original": "apis.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:34.000Z", @@ -697,7 +733,9 @@ "destination.ip": [ "173.194.123.102" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -712,6 +750,9 @@ "173.194.123.102", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -739,9 +780,7 @@ ], "url.domain": "clients6.google.com", "url.original": "clients6.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:50.000Z", @@ -754,7 +793,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -766,16 +807,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -796,9 +840,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:35:58.000Z", @@ -811,7 +853,9 @@ "destination.ip": [ "173.194.123.105" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -827,6 +871,9 @@ "::1", "173.194.123.105" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -854,9 +901,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:36:50.000Z", @@ -869,7 +914,9 @@ "destination.ip": [ "173.194.123.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -881,8 +928,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -911,9 +961,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:36:50.000Z", 
@@ -926,7 +974,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -938,16 +988,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -968,9 +1021,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:37:47.000Z", @@ -983,7 +1034,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -995,8 +1048,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1025,9 +1081,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:38:14.000Z", @@ -1040,7 +1094,9 @@ "destination.ip": [ "173.194.123.96" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1052,8 +1108,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1082,9 +1141,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:38:24.000Z", @@ -1097,7 +1154,9 @@ "destination.ip": [ "173.194.123.71" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1112,6 +1171,9 @@ "173.194.123.71", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -1139,9 +1201,7 @@ ], "url.domain": "drive.google.com", "url.original": "drive.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:38:39.000Z", @@ -1154,7 +1214,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1166,16 +1228,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1196,9 +1261,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:39:31.000Z", 
@@ -1211,7 +1274,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1226,13 +1291,16 @@ "173.194.206.189", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1253,9 +1321,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:40:21.000Z", @@ -1268,7 +1334,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1283,6 +1351,9 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -1310,9 +1381,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:41:13.000Z", @@ -1325,7 +1394,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1340,6 +1411,9 @@ "173.194.206.189", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -1367,9 +1441,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:42:08.000Z", 
@@ -1382,7 +1454,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1394,8 +1468,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1424,9 +1501,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:43:05.000Z", @@ -1439,7 +1514,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1451,8 +1528,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1481,9 +1561,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:44:00.000Z", @@ -1496,7 +1574,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1508,8 +1588,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1538,9 +1621,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:44:58.000Z", 
@@ -1553,7 +1634,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1565,16 +1648,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1595,9 +1681,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:45:53.000Z", @@ -1610,7 +1694,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1625,6 +1711,9 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -1652,9 +1741,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:46:51.000Z", @@ -1667,7 +1754,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1682,13 +1771,16 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1709,9 +1801,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:47:47.000Z", @@ -1724,7 +1814,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1736,16 +1828,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1766,9 +1861,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:47:51.000Z", @@ -1781,7 +1874,9 @@ "destination.ip": [ "173.194.123.67" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1793,16 +1888,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.67" + "173.194.123.67", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1823,9 +1921,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:48:41.000Z", @@ -1838,7 +1934,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1850,8 +1948,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1880,9 +1981,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:49:33.000Z", @@ -1895,7 +1994,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1907,16 +2008,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1937,9 +2041,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:50:27.000Z", @@ -1952,7 +2054,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1964,8 +2068,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -1994,9 +2101,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:51:21.000Z", @@ -2009,7 +2114,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2021,16 +2128,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2051,9 +2161,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:52:15.000Z", @@ -2066,7 +2174,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2081,6 +2191,9 @@ "173.194.206.189", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -2108,9 +2221,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:53:09.000Z", @@ -2123,7 +2234,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2138,13 +2251,16 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2165,9 +2281,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:54:01.000Z", @@ -2180,7 +2294,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2195,6 +2311,9 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -2222,9 +2341,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:54:59.000Z", @@ -2237,7 +2354,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2252,6 +2371,9 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -2279,9 +2401,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:55:56.000Z", @@ -2294,7 +2414,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2309,13 +2431,16 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2336,9 +2461,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:56:50.000Z", @@ -2351,7 +2474,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2366,13 +2491,16 @@ "::1", "173.194.206.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2393,9 +2521,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:57:45.000Z", @@ -2408,7 +2534,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2420,8 +2548,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2450,9 +2581,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:57:53.000Z", @@ -2465,7 +2594,9 @@ "destination.ip": [ "173.194.123.101" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2477,16 +2608,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.101", - "::1" + "::1", + "173.194.123.101" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2507,9 +2641,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:58:39.000Z", @@ -2522,7 +2654,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2534,16 +2668,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2564,9 +2701,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:59:32.000Z", @@ -2579,7 +2714,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2594,6 +2731,9 @@ "173.194.206.189", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -2621,9 +2761,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:59:34.000Z", @@ -2636,7 +2774,9 @@ "destination.ip": [ "173.194.123.99" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2651,13 +2791,16 @@ "::1", "173.194.123.99" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2678,9 +2821,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-18T16:59:34.000Z", @@ -2693,7 +2834,9 @@ "destination.ip": [ "173.194.206.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2705,8 +2848,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2735,9 +2881,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-28T05:11:24.000Z", @@ -2750,7 +2894,9 @@ "destination.ip": [ "74.125.226.83" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2765,6 +2911,9 @@ "74.125.226.83", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", @@ -2793,9 +2942,7 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-28T05:11:25.000Z", @@ -2808,7 +2955,9 @@ "destination.ip": [ "173.194.123.40" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2821,16 +2970,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.40", - "::1" + "::1", + "173.194.123.40" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -2851,9 +3003,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-28T05:12:30.000Z", @@ -2866,7 +3016,9 @@ "destination.ip": [ "173.194.123.41" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2881,13 +3033,16 @@ "::1", "173.194.123.41" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2908,9 +3063,7 @@ ], "url.domain": "apis.google.com", "url.original": "apis.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-05-28T05:12:32.000Z", @@ -2923,7 +3076,9 @@ "destination.ip": [ "74.125.226.83" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2935,8 +3090,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.226.83", - "::1" + "::1", + "74.125.226.83" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -2965,9 +3123,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:19:50.000Z", @@ -2983,7 +3139,9 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2996,16 +3154,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3026,9 +3187,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:20:03.000Z", @@ -3044,7 +3203,9 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3057,8 +3218,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", @@ -3087,9 +3251,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:20:29.000Z", @@ -3105,7 +3267,9 @@ "destination.ip": [ "216.58.219.165" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3117,16 +3281,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.165", - "::1" + "::1", + "216.58.219.165" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3147,9 +3314,7 @@ ], "url.domain": "mail.google.com", "url.original": "mail.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:21:02.000Z", @@ -3165,7 +3330,9 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3177,16 +3344,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3207,9 +3377,7 @@ ], "url.domain": "clients6.google.com", "url.original": "clients6.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:21:04.000Z", @@ -3225,7 +3393,9 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3237,16 +3407,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3267,9 +3440,7 @@ ], "url.domain": "clients6.google.com", "url.original": "clients6.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:21:09.000Z", @@ -3285,7 +3456,9 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3300,13 +3473,16 @@ "216.58.219.174", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3327,9 +3503,7 @@ ], "url.domain": "play.google.com", "url.original": "play.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:22:20.000Z", @@ -3345,7 +3519,9 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3357,16 +3533,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3387,9 +3566,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:22:20.000Z", @@ -3405,7 +3582,9 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3420,6 +3599,9 @@ "::1", "216.58.219.132" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", 
@@ -3447,9 +3629,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:22:20.000Z", @@ -3465,7 +3645,9 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3477,16 +3659,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3507,9 +3692,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:22:32.000Z", @@ -3525,7 +3708,9 @@ "destination.ip": [ "216.58.219.142" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3540,6 +3725,9 @@ "::1", "216.58.219.142" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -3567,9 +3755,7 @@ ], "url.domain": "plus.google.com", "url.original": "plus.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:23:07.000Z", @@ -3585,7 +3771,9 @@ "destination.ip": [ "216.58.219.142" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3597,8 +3785,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3627,9 +3818,7 @@ ], "url.domain": "docs.google.com", "url.original": "docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:23:44.000Z", @@ -3645,7 +3834,9 @@ "destination.ip": [ "216.58.219.142" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3660,13 +3851,16 @@ "::1", "216.58.219.142" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3687,9 +3881,7 @@ ], "url.domain": "plus.google.com", "url.original": "plus.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:24:21.000Z", @@ -3705,7 +3897,9 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3717,8 +3911,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -3747,9 +3944,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:25:14.000Z", 
@@ -3762,7 +3957,9 @@ "destination.ip": [ "74.125.141.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3774,16 +3971,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3804,9 +4004,7 @@ ], "url.domain": "0.docs.google.com", "url.original": "0.docs.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:25:14.000Z", @@ -3819,7 +4017,9 @@ "destination.ip": [ "74.125.141.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3831,16 +4031,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3861,9 +4064,7 @@ ], "url.domain": "0.talkgadget.google.com", "url.original": "0.talkgadget.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:25:14.000Z", @@ -3876,7 +4077,9 @@ "destination.ip": [ "74.125.141.189" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3891,13 +4094,16 @@ "::1", "74.125.141.189" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3918,9 +4124,7 @@ ], "url.domain": "0.client-channel.google.com", "url.original": "0.client-channel.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2015-10-19T15:25:14.000Z", @@ -3936,7 +4140,9 @@ "destination.ip": [ "216.58.219.133" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3951,13 +4157,16 @@ "216.58.219.133", "::1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3978,9 +4187,7 @@ ], "url.domain": "mail.google.com", "url.original": "mail.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2016-02-01T14:19:56.000Z", @@ -3996,7 +4203,9 @@ "destination.ip": [ "216.58.219.228" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4011,13 +4220,16 @@ "216.58.219.228", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4038,9 +4250,7 @@ ], "url.domain": "www.google.com", "url.original": "www.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2016-02-01T14:19:58.000Z", @@ -4056,7 +4266,9 @@ "destination.ip": [ "216.58.219.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4068,16 +4280,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.238" + "216.58.219.238", + "10.100.0.1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4098,9 +4313,7 @@ ], "url.domain": "apis.google.com", "url.original": "apis.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2016-05-10T16:45:50.000Z", @@ -4113,7 +4326,9 @@ "destination.ip": [ "173.194.205.113" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4125,8 +4340,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.205.113", - "10.100.0.1" + "10.100.0.1", + "173.194.205.113" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "GET", @@ -4134,8 +4352,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "301", @@ -4156,9 +4374,7 @@ ], "url.domain": "google.com", "url.original": "http://google.com/", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-01-04T16:27:23.000Z", 
@@ -4171,7 +4387,9 @@ "destination.ip": [ "172.217.6.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4184,16 +4402,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.6.238" + "172.217.6.238", + "10.100.0.1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4214,9 +4435,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-01-04T16:27:24.000Z", @@ -4229,7 +4448,9 @@ "destination.ip": [ "172.217.6.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4242,16 +4463,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.6.238", - "10.100.0.1" + "10.100.0.1", + "172.217.6.238" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4272,9 +4496,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-01-07T17:23:08.000Z", 
@@ -4290,7 +4512,9 @@ "destination.ip": [ "216.58.219.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4306,6 +4530,9 @@ "216.58.219.238", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -4333,9 +4560,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-01-07T17:23:08.000Z", @@ -4351,7 +4576,9 @@ "destination.ip": [ "216.58.219.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4367,6 +4594,9 @@ "216.58.219.238", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -4394,9 +4624,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-04-20T20:53:25.000Z", @@ -4409,7 +4637,9 @@ "destination.ip": [ "172.217.6.238" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4425,6 +4655,9 @@ "10.100.0.1", "172.217.6.238" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "POST", "rsa.investigations.ec_subject": "NetworkComm", @@ -4452,9 +4685,7 @@ ], "url.domain": "clients1.google.com", "url.original": "http://clients1.google.com/ocsp", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:54:43.000Z", 
@@ -4467,7 +4698,9 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4482,6 +4715,9 @@ "10.100.2.85", "172.217.10.14" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -4509,9 +4745,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:54:45.000Z", @@ -4524,7 +4758,9 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4536,8 +4772,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4566,9 +4805,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:54:47.000Z", @@ -4581,7 +4818,9 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4596,13 +4835,16 @@ "172.217.10.14", "10.100.2.85" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4623,9 +4865,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:54:53.000Z", @@ -4638,7 +4878,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4653,13 +4895,16 @@ "10.100.2.85", "172.217.12.174" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4680,9 +4925,7 @@ ], "url.domain": "play.google.com", "url.original": "play.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:54:55.000Z", @@ -4695,7 +4938,9 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4707,8 +4952,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4737,9 +4985,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:54:57.000Z", @@ -4752,7 +4998,9 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4767,13 +5015,16 @@ "10.100.2.85", "172.217.10.14" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4794,9 +5045,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:57:48.000Z", @@ -4809,7 +5058,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4821,8 +5072,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.2.85" + "10.100.2.85", + "172.217.12.174" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -4851,9 +5105,7 @@ ], "url.domain": "news.google.com", "url.original": "news.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:57:49.000Z", @@ -4866,7 +5118,9 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4878,16 +5132,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4908,9 +5165,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:57:50.000Z", @@ -4923,7 +5178,9 @@ "destination.ip": [ "173.194.204.156" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4938,6 +5195,9 @@ "10.100.2.85", "173.194.204.156" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -4965,9 +5225,7 @@ ], "url.domain": "stats.g.doubleclick.net", "url.original": "stats.g.doubleclick.net:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2017-12-27T22:57:51.000Z", @@ -4980,7 +5238,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4992,8 +5252,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.12.174" + "172.217.12.174", + "10.100.2.85" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5022,9 +5285,7 @@ ], "url.domain": "play.google.com", "url.original": "play.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:13:25.000Z", @@ -5037,7 +5298,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5052,13 +5315,16 @@ "172.217.12.174", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5079,9 +5345,7 @@ ], "url.domain": "news.google.com", "url.original": "news.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:16:23.000Z", @@ -5094,7 +5358,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5109,6 +5375,9 @@ "172.217.12.174", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5136,9 +5405,7 @@ ], "url.domain": "play.google.com", "url.original": "play.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:18:21.000Z", @@ -5151,7 +5418,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5163,8 +5432,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5193,9 +5465,7 @@ ], "url.domain": "news.google.com", "url.original": "news.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:21:20.000Z", 
@@ -5208,7 +5478,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5220,8 +5492,11 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", @@ -5250,9 +5525,7 @@ ], "url.domain": "news.google.com", "url.original": "news.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:23:28.000Z", @@ -5265,7 +5538,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5280,6 +5555,9 @@ "10.100.0.1", "172.217.12.174" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5307,9 +5585,7 @@ ], "url.domain": "news.google.com", "url.original": "news.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:23:48.000Z", @@ -5325,7 +5601,9 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5337,16 +5615,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.206", - "10.100.0.1" + "10.100.0.1", + "216.58.219.206" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5367,9 +5648,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:23:48.000Z", @@ -5385,7 +5664,9 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5400,6 +5681,9 @@ "216.58.219.206", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5427,9 +5711,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:23:49.000Z", @@ -5445,7 +5727,9 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5460,6 +5744,9 @@ "216.58.219.206", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5487,9 +5774,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:23:49.000Z", @@ -5505,7 +5790,9 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5520,6 +5807,9 @@ "10.100.0.1", "216.58.219.206" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5547,9 +5837,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:23:50.000Z", 
@@ -5565,7 +5853,9 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5580,13 +5870,16 @@ "10.100.0.1", "216.58.219.206" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5607,9 +5900,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:24:01.000Z", @@ -5622,7 +5913,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5637,6 +5930,9 @@ "10.100.0.1", "172.217.12.174" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", @@ -5664,9 +5960,7 @@ ], "url.domain": "apis.google.com", "url.original": "apis.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:24:01.000Z", @@ -5682,7 +5976,9 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5694,16 +5990,19 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" + ], + "related.user": [ + "-" ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5724,9 +6023,7 @@ ], "url.domain": "i.ytimg.com", "url.original": "i.ytimg.com:443", - "user.name": [ - "-" - ] + "user.name": "-" }, { "@timestamp": "2018-03-15T21:24:01.000Z", @@ -5739,7 +6036,9 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": "TCP_MISS", + "event.action": [ + "TCP_MISS" + ], "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5754,13 +6053,16 @@ "172.217.12.174", "10.100.0.1" ], + "related.user": [ + "-" + ], "rsa.internal.hcode": "DIRECT", "rsa.internal.messageid": "CONNECT", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5781,8 +6083,6 @@ ], "url.domain": "news.google.com", "url.original": "news.google.com:443", - "user.name": [ - "-" - ] + "user.name": "-" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md index df61925aa09..0b7e7db612c 100644 --- a/x-pack/filebeat/module/tenable/README.md +++ b/x-pack/filebeat/module/tenable/README.md @@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-08 16:42:04.297305 +0000 UTC. +at 2020-07-08 17:36:31.066661 +0000 UTC. 
diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
index 560f07e7e5d..cc84a62db72 100644
--- a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
+++ b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
@@ -916,8 +916,8 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_set}]},
- "administrator": {to:[{field: "user.name", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_append}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
 "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md
index e476df92e13..dff5c4b202d 100644
--- a/x-pack/filebeat/module/tomcat/README.md
+++ b/x-pack/filebeat/module/tomcat/README.md
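Review bot: The new `related.user` append on the `user`/`username`/`uid` entries in this hunk (and the `administrator`, `c_user_name`, `c_username`, `logon_id`, `owner` and `service_account` entries in the earlier hunks of this file) carries the literal `-` that the squid expected output earlier in this patch now shows as `"related.user": ["-"]` and `"user.name": "-"`, so identity pivots and detections keyed on `related.user` will match a placeholder rather than an account. The setter that performs the append and priority set is outside this hunk, but it should discard that placeholder before writing, e.g. a guard at the top of `fld_append`/`fld_prio` of the form `if (value === "-") return;` (naming whatever the setter's value parameter actually is). Separately, `event_type` in the `@@ -957` hunk moves from `event.category` with `fld_set` to `event.action` with `fld_append`, so `event.action` is now multi-valued from two source fields (`action` and `event_type`); the fixtures in this patch show appended arrays such as `related.ip` changing order between regenerations, which suggests the order is parse-order dependent and deserves a comment on `fld_append` saying so. The same change is duplicated verbatim in the tomcat copy of liblogparser.js further down, so both copies need the fix.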
@@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-08 16:41:57.552421 +0000 UTC. +at 2020-07-08 17:36:24.034762 +0000 UTC. diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js +++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
index 3f1c739f050..ce484daec7a 100644
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -17,6 +17,9 @@ "related.ip": [ "10.251.224.219" ], + "related.user": [ + "rci" + ], "rsa.internal.level": 1516, "rsa.internal.messageid": "asdf", "rsa.misc.action": [ @@ -41,9 +44,7 @@ ], "url.domain": "example.com", "url.query": "amremap", - "user.name": [ - "rci" - ], + "user.name": "rci", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -70,6 +71,9 @@ "related.ip": [ "10.196.153.12" ], + "related.user": [ + "abo" + ], "rsa.internal.level": 259, "rsa.internal.messageid": "CFYZ", "rsa.misc.action": [ @@ -94,9 +98,7 @@ ], "url.domain": "www5.example.net", "url.query": "uii", - "user.name": [ - "abo" - ], + "user.name": "abo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -122,6 +124,9 @@ "related.ip": [ "10.156.194.38" ], + "related.user": [ + "enatus" + ], "rsa.internal.messageid": "COOK", "rsa.misc.action": [ "incid" @@ -148,9 +153,7 @@ ], "url.domain": "internal.example.com", "url.query": "aer", - "user.name": [ - "enatus" - ], + "user.name": "enatus", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -177,6 +180,9 @@ "related.ip": [ "10.196.118.192" ], + "related.user": [ + "tur" + ], "rsa.internal.level": 1060, "rsa.internal.messageid": "INDEX", "rsa.misc.action": [ 
@@ -201,9 +207,7 @@ ], "url.domain": "www5.example.org", "url.query": "con", - "user.name": [ - "tur" - ], + "user.name": "tur", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -230,6 +234,9 @@ "related.ip": [ "10.246.209.145" ], + "related.user": [ + "llu" + ], "rsa.internal.level": 4141, "rsa.internal.messageid": "BADMTHD", "rsa.misc.action": [ @@ -254,9 +261,7 @@ ], "url.domain": "internal.example.com", "url.query": "eos", - "user.name": [ - "llu" - ], + "user.name": "llu", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -283,6 +288,9 @@ "related.ip": [ "10.114.191.225" ], + "related.user": [ + "tempo" + ], "rsa.internal.level": 2964, "rsa.internal.messageid": "BADMETHOD", "rsa.misc.action": [ @@ -307,9 +315,7 @@ ], "url.domain": "internal.example.com", "url.query": "occ", - "user.name": [ - "tempo" - ], + "user.name": "tempo", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", @@ -337,6 +343,9 @@ "related.ip": [ "10.38.77.13" ], + "related.user": [ + "liqu" + ], "rsa.internal.messageid": "INDEX", "rsa.misc.action": [ "ehend" 
@@ -363,9 +372,7 @@ ], "url.domain": "www5.example.net", "url.query": "ipis", - "user.name": [ - "liqu" - ], + "user.name": "liqu", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -393,6 +400,9 @@ "related.ip": [ "10.11.201.109" ], + "related.user": [ + "ugits" + ], "rsa.internal.messageid": "DEBUG", "rsa.misc.action": [ "iinea" @@ -419,9 +429,7 @@ ], "url.domain": "www.example.org", "url.query": "deomni", - "user.name": [ - "ugits" - ], + "user.name": "ugits", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -448,6 +456,9 @@ "related.ip": [ "10.182.166.181" ], + "related.user": [ + "mol" + ], "rsa.internal.level": 3097, "rsa.internal.messageid": "BADMTHD", "rsa.misc.action": [ @@ -472,9 +483,7 @@ ], "url.domain": "api.example.org", "url.query": "ollit", - "user.name": [ - "mol" - ], + "user.name": "mol", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -501,6 +510,9 @@ "related.ip": [ "10.185.126.247" ], + "related.user": [ + "quu" + ], "rsa.internal.level": 6283, "rsa.internal.messageid": "null", "rsa.misc.action": [ 
@@ -525,9 +537,7 @@ ], "url.domain": "mail.example.net", "url.query": "smo", - "user.name": [ - "quu" - ], + "user.name": "quu", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -553,6 +563,9 @@ "related.ip": [ "10.72.114.23" ], + "related.user": [ + "nsequu" + ], "rsa.internal.messageid": "SEARCH", "rsa.misc.action": [ "rsint" @@ -579,9 +592,7 @@ ], "url.domain": "example.com", "url.query": "strude", - "user.name": [ - "nsequu" - ], + "user.name": "nsequu", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -609,6 +620,9 @@ "related.ip": [ "10.129.241.147" ], + "related.user": [ + "lapariat" + ], "rsa.internal.messageid": "TRACE", "rsa.misc.action": [ "etc" @@ -635,9 +649,7 @@ ], "url.domain": "example.net", "url.query": "luptat", - "user.name": [ - "lapariat" - ], + "user.name": "lapariat", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -665,6 +677,9 @@ "related.ip": [ "10.185.101.76" ], + "related.user": [ + "des" + ], "rsa.internal.messageid": "BDMTHD", "rsa.misc.action": [ "stl" @@ -691,9 +706,7 @@ ], "url.domain": "www5.example.com", "url.query": "colabor", - "user.name": [ - "des" - ], + "user.name": "des", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", 
@@ -720,6 +733,9 @@ "related.ip": [ "10.57.170.140" ], + "related.user": [ + "onse" + ], "rsa.internal.level": 3217, "rsa.internal.messageid": "GET", "rsa.misc.action": [ @@ -744,9 +760,7 @@ ], "url.domain": "example.net", "url.query": "giatquov", - "user.name": [ - "onse" - ], + "user.name": "onse", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", @@ -773,6 +787,9 @@ "related.ip": [ "10.33.153.47" ], + "related.user": [ + "atquovo" + ], "rsa.internal.level": 1109, "rsa.internal.messageid": "PUT", "rsa.misc.action": [ @@ -797,9 +814,7 @@ ], "url.domain": "internal.example.com", "url.query": "emeumfu", - "user.name": [ - "atquovo" - ], + "user.name": "atquovo", "user_agent.device.name": "STK-L21", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -827,6 +842,9 @@ "related.ip": [ "10.116.104.101" ], + "related.user": [ + "tat" + ], "rsa.internal.messageid": "FGET", "rsa.misc.action": [ "lumqui" @@ -853,9 +871,7 @@ ], "url.domain": "internal.example.net", "url.query": "iades", - "user.name": [ - "tat" - ], + "user.name": "tat", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -882,6 +898,9 @@ "related.ip": [ "10.202.194.67" ], + "related.user": [ + "ittenbyC" + ], "rsa.internal.level": 3361, "rsa.internal.messageid": "null", "rsa.misc.action": [ 
@@ -906,9 +925,7 @@ ], "url.domain": "internal.example.com", "url.query": "nsectet", - "user.name": [ - "ittenbyC" - ], + "user.name": "ittenbyC", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -936,6 +953,9 @@ "related.ip": [ "10.153.111.103" ], + "related.user": [ + "modocon" + ], "rsa.internal.messageid": "PUT", "rsa.misc.action": [ "taevit" @@ -962,9 +982,7 @@ ], "url.domain": "www5.example.com", "url.query": "occae", - "user.name": [ - "modocon" - ], + "user.name": "modocon", "user_agent.device.name": "Samsung GT-P3100 ", "user_agent.name": "Android", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", @@ -991,6 +1009,9 @@ "related.ip": [ "10.52.186.29" ], + "related.user": [ + "doloreme" + ], "rsa.internal.level": 1637, "rsa.internal.messageid": "DETECT_METHOD_TYPE", "rsa.misc.action": [ @@ -1015,9 +1036,7 @@ ], "url.domain": "www5.example.org", "url.query": "tmo", - "user.name": [ - "doloreme" - ], + "user.name": "doloreme", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -1045,6 +1064,9 @@ "related.ip": [ "10.209.182.237" ], + "related.user": [ + "olor" + ], "rsa.internal.messageid": "BDMTHD", "rsa.misc.action": [ "osqui" 
@@ -1071,9 +1093,7 @@ ], "url.domain": "www.example.org", "url.query": "eprehend", - "user.name": [ - "olor" - ], + "user.name": "olor", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", @@ -1101,6 +1121,9 @@ "related.ip": [ "10.63.194.87" ], + "related.user": [ + "sin" + ], "rsa.internal.messageid": "CFYZ", "rsa.misc.action": [ "aliquam" @@ -1127,9 +1150,7 @@ ], "url.domain": "mail.example.net", "url.query": "bore", - "user.name": [ - "sin" - ], + "user.name": "sin", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -1156,6 +1177,9 @@ "related.ip": [ "10.62.191.18" ], + "related.user": [ + "orporiss" + ], "rsa.internal.level": 4307, "rsa.internal.messageid": "TRACE", "rsa.misc.action": [ @@ -1180,9 +1204,7 @@ ], "url.domain": "www.example.org", "url.query": "dtemp", - "user.name": [ - "orporiss" - ], + "user.name": "orporiss", "user_agent.device.name": "STK-L21", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -1209,6 +1231,9 @@ "related.ip": [ "10.238.164.29" ], + "related.user": [ + "utlabor" + ], "rsa.internal.level": 6040, "rsa.internal.messageid": "CFYZ", "rsa.misc.action": [ 
@@ -1233,9 +1258,7 @@ ], "url.domain": "example.net", "url.query": "quidolor", - "user.name": [ - "utlabor" - ], + "user.name": "utlabor", "user_agent.device.name": "Meizu M6", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -1262,6 +1285,9 @@ "related.ip": [ "10.155.230.17" ], + "related.user": [ + "ionevo" + ], "rsa.internal.level": 1612, "rsa.internal.messageid": "SEARCH", "rsa.misc.action": [ @@ -1286,9 +1312,7 @@ ], "url.domain": "internal.example.com", "url.query": "tet", - "user.name": [ - "ionevo" - ], + "user.name": "ionevo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -1316,6 +1340,9 @@ "related.ip": [ "10.102.229.102" ], + "related.user": [ + "tenbyCi" + ], "rsa.internal.messageid": "RNDMMTD", "rsa.misc.action": [ "tco" @@ -1342,9 +1369,7 @@ ], "url.domain": "example.net", "url.query": "orem", - "user.name": [ - "tenbyCi" - ], + "user.name": "tenbyCi", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -1372,6 +1397,9 @@ "related.ip": [ "10.194.14.7" ], + "related.user": [ + "vita" + ], "rsa.internal.messageid": "HEAD", "rsa.misc.action": [ "ullamcor" 
@@ -1398,9 +1426,7 @@ ], "url.domain": "mail.example.org", "url.query": "ios", - "user.name": [ - "vita" - ], + "user.name": "vita", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -1427,6 +1453,9 @@ "related.ip": [ "10.99.0.226" ], + "related.user": [ + "uidol" + ], "rsa.internal.level": 6113, "rsa.internal.messageid": "get", "rsa.misc.action": [ @@ -1451,9 +1480,7 @@ ], "url.domain": "api.example.net", "url.query": "ema", - "user.name": [ - "uidol" - ], + "user.name": "uidol", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -1480,6 +1507,9 @@ "related.ip": [ "10.107.174.213" ], + "related.user": [ + "minimav" + ], "rsa.internal.level": 6945, "rsa.internal.messageid": "DETECT_METHOD_TYPE", "rsa.misc.action": [ @@ -1504,9 +1534,7 @@ ], "url.domain": "www.example.net", "url.query": "ctet", - "user.name": [ - "minimav" - ], + "user.name": "minimav", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", @@ -1534,6 +1562,9 @@ "related.ip": [ "10.84.25.23" ], + "related.user": [ + "isnost" + ], "rsa.internal.messageid": "ABCD", "rsa.misc.action": [ "rQuisau" 
@@ -1560,9 +1591,7 @@ ], "url.domain": "mail.example.org", "url.query": "borios", - "user.name": [ - "isnost" - ], + "user.name": "isnost", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -1589,6 +1618,9 @@ "related.ip": [ "10.193.143.108" ], + "related.user": [ + "luptate" + ], "rsa.internal.level": 4367, "rsa.internal.messageid": "uGET", "rsa.misc.action": [ @@ -1613,9 +1645,7 @@ ], "url.domain": "www.example.org", "url.query": "ofdeFin", - "user.name": [ - "luptate" - ], + "user.name": "luptate", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -1643,6 +1673,9 @@ "related.ip": [ "10.190.51.22" ], + "related.user": [ + "siut" + ], "rsa.internal.messageid": "INDEX", "rsa.misc.action": [ "uisa" @@ -1669,9 +1702,7 @@ ], "url.domain": "example.com", "url.query": "tutlab", - "user.name": [ - "siut" - ], + "user.name": "siut", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -1699,6 +1730,9 @@ "related.ip": [ "10.194.90.130" ], + "related.user": [ + "tconsect" + ], "rsa.internal.messageid": "BADMETHOD", "rsa.misc.action": [ "piscinge" @@ -1725,9 +1759,7 @@ ], "url.domain": "www.example.com", "url.query": "elitse", - "user.name": [ - "tconsect" - ], + "user.name": "tconsect", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "mobmail android 2.1.3.3150" 
@@ -1750,6 +1782,9 @@ "related.ip": [ "10.10.213.83" ], + "related.user": [ + "psum" + ], "rsa.internal.level": 6198, "rsa.internal.messageid": "BDMTHD", "rsa.misc.action": [ @@ -1774,9 +1809,7 @@ ], "url.domain": "www.example.org", "url.query": "uptate", - "user.name": [ - "psum" - ], + "user.name": "psum", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", @@ -1804,6 +1837,9 @@ "related.ip": [ "10.52.125.9" ], + "related.user": [ + "urv" + ], "rsa.internal.messageid": "uGET", "rsa.misc.action": [ "nimid" @@ -1830,9 +1866,7 @@ ], "url.domain": "api.example.org", "url.query": "mvele", - "user.name": [ - "urv" - ], + "user.name": "urv", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", @@ -1859,6 +1893,9 @@ "related.ip": [ "10.19.17.202" ], + "related.user": [ + "mve" + ], "rsa.internal.level": 5770, "rsa.internal.messageid": "RNDMMTD", "rsa.misc.action": [ @@ -1883,9 +1920,7 @@ ], "url.domain": "api.example.net", "url.query": "tincu", - "user.name": [ - "mve" - ], + "user.name": "mve", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -1913,6 +1948,9 @@ "related.ip": [ "10.195.64.5" ], + "related.user": [ + "uat" + ], "rsa.internal.messageid": "RNDMMTD", "rsa.misc.action": [ "moenimi" @@ -1939,9 +1977,7 @@ ], "url.domain": "mail.example.org", "url.query": "rsita", - "user.name": [ - "uat" - ], + "user.name": "uat", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -1969,6 +2005,9 @@ "related.ip": [ "10.209.77.194" ], + "related.user": [ + "itesseq" + ], "rsa.internal.messageid": "POST", "rsa.misc.action": [ "snost" @@ -1995,9 +2034,7 @@ ], "url.domain": "internal.example.com", "url.query": "dat", - "user.name": [ - "itesseq" - ], + "user.name": "itesseq", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -2024,6 +2061,9 @@ "related.ip": [ "10.168.6.90" ], + "related.user": [ + "amvolupt" + ], "rsa.internal.level": 1952, "rsa.internal.messageid": "MKCOL", "rsa.misc.action": [ @@ -2048,9 +2088,7 @@ ], "url.domain": "example.net", "url.query": "rer", - "user.name": [ - "amvolupt" - ], + "user.name": "amvolupt", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", @@ -2077,6 +2115,9 @@ "related.ip": [ "10.89.137.238" ], + "related.user": [ + "ore" + ], "rsa.internal.level": 7717, "rsa.internal.messageid": "rndmmtd", "rsa.misc.action": [ 
@@ -2101,9 +2142,7 @@ ], "url.domain": "mail.example.com", "url.query": "uptatemU", - "user.name": [ - "ore" - ], + "user.name": "ore", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -2130,6 +2169,9 @@ "related.ip": [ "10.246.61.213" ], + "related.user": [ + "iusmodte" + ], "rsa.internal.level": 4574, "rsa.internal.messageid": "OPTIONS", "rsa.misc.action": [ @@ -2154,9 +2196,7 @@ ], "url.domain": "example.org", "url.query": "tconsec", - "user.name": [ - "iusmodte" - ], + "user.name": "iusmodte", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -2184,6 +2224,9 @@ "related.ip": [ "10.117.44.138" ], + "related.user": [ + "rcit" + ], "rsa.internal.messageid": "MKCOL", "rsa.misc.action": [ "enderit" @@ -2210,9 +2253,7 @@ ], "url.domain": "www.example.org", "url.query": "emvele", - "user.name": [ - "rcit" - ], + "user.name": "rcit", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -2239,6 +2280,9 @@ "related.ip": [ "10.69.30.196" ], + "related.user": [ + "elits" + ], "rsa.internal.level": 4801, "rsa.internal.messageid": "PRONECT", "rsa.misc.action": [ 
@@ -2263,9 +2307,7 @@ ], "url.domain": "example.net", "url.query": "urmag", - "user.name": [ - "elits" - ], + "user.name": "elits", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -2290,6 +2332,9 @@ "related.ip": [ "10.135.91.88" ], + "related.user": [ + "eporroq" + ], "rsa.internal.level": 7668, "rsa.internal.messageid": "BADMTHD", "rsa.misc.action": [ @@ -2314,9 +2359,7 @@ ], "url.domain": "api.example.com", "url.query": "urExce", - "user.name": [ - "eporroq" - ], + "user.name": "eporroq", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2344,6 +2387,9 @@ "related.ip": [ "10.81.45.174" ], + "related.user": [ + "fugitse" + ], "rsa.internal.messageid": "ABCD", "rsa.misc.action": [ "liquide" @@ -2370,9 +2416,7 @@ ], "url.domain": "example.net", "url.query": "erun", - "user.name": [ - "fugitse" - ], + "user.name": "fugitse", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2399,6 +2443,9 @@ "related.ip": [ "10.87.179.233" ], + "related.user": [ + "avolu" + ], "rsa.internal.level": 3517, "rsa.internal.messageid": "rndmmtd", "rsa.misc.action": [ @@ -2423,9 +2470,7 @@ ], "url.domain": "www.example.org", "url.query": "uia", - "user.name": [ - "avolu" - ], + "user.name": "avolu", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -2452,6 +2497,9 @@ "related.ip": [ "10.198.57.130" ], + "related.user": [ + "henderit" + ], "rsa.internal.level": 2669, "rsa.internal.messageid": "COOK", "rsa.misc.action": [ @@ -2476,9 +2524,7 @@ ], "url.domain": "api.example.net", "url.query": "emip", - "user.name": [ - "henderit" - ], + "user.name": "henderit", "user_agent.device.name": "U20", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", @@ -2505,6 +2551,9 @@ "related.ip": [ "10.218.0.197" ], + "related.user": [ + "econs" + ], "rsa.internal.level": 494, "rsa.internal.messageid": "GET", "rsa.misc.action": [ @@ -2529,9 +2578,7 @@ ], "url.domain": "www.example.net", "url.query": "quasiar", - "user.name": [ - "econs" - ], + "user.name": "econs", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2559,6 +2606,9 @@ "related.ip": [ "10.123.199.198" ], + "related.user": [ + "illumqui" + ], "rsa.internal.messageid": "get", "rsa.misc.action": [ "tionula" @@ -2585,9 +2635,7 @@ ], "url.domain": "mail.example.com", "url.query": "eratv", - "user.name": [ - "illumqui" - ], + "user.name": "illumqui", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -2615,6 +2663,9 @@ "related.ip": [ "10.29.119.245" ], + "related.user": [ + "leumiur" + ], "rsa.internal.messageid": "POST", "rsa.misc.action": [ "ore" 
@@ -2641,9 +2692,7 @@ ], "url.domain": "internal.example.net", "url.query": "taliqui", - "user.name": [ - "leumiur" - ], + "user.name": "leumiur", "user_agent.device.name": "Other", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", @@ -2671,6 +2720,9 @@ "related.ip": [ "10.130.175.17" ], + "related.user": [ + "quaU" + ], "rsa.internal.messageid": "DETECT_METHOD_TYPE", "rsa.misc.action": [ "inimav" @@ -2697,9 +2749,7 @@ ], "url.domain": "mail.example.net", "url.query": "atnulapa", - "user.name": [ - "quaU" - ], + "user.name": "quaU", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2726,6 +2776,9 @@ "related.ip": [ "10.166.90.130" ], + "related.user": [ + "eosquira" + ], "rsa.internal.level": 5752, "rsa.internal.messageid": "PROPFIND", "rsa.misc.action": [ @@ -2750,9 +2803,7 @@ ], "url.domain": "mail.example.net", "url.query": "npr", - "user.name": [ - "eosquira" - ], + "user.name": "eosquira", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -2780,6 +2831,9 @@ "related.ip": [ "10.248.111.207" ], + "related.user": [ + "tiumto" + ], "rsa.internal.messageid": "GET", "rsa.misc.action": [ "quiavol" 
@@ -2806,9 +2860,7 @@ ], "url.domain": "api.example.org", "url.query": "incidid", - "user.name": [ - "tiumto" - ], + "user.name": "tiumto", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2835,6 +2887,9 @@ "related.ip": [ "10.185.37.32" ], + "related.user": [ + "tesseq" + ], "rsa.internal.level": 2940, "rsa.internal.messageid": "asdf", "rsa.misc.action": [ @@ -2859,9 +2914,7 @@ ], "url.domain": "internal.example.net", "url.query": "sinto", - "user.name": [ - "tesseq" - ], + "user.name": "tesseq", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -2888,6 +2941,9 @@ "related.ip": [ "10.5.194.202" ], + "related.user": [ + "ntmo" + ], "rsa.internal.level": 4927, "rsa.internal.messageid": "SEARCH", "rsa.misc.action": [ @@ -2912,9 +2968,7 @@ ], "url.domain": "example.org", "url.query": "atem", - "user.name": [ - "ntmo" - ], + "user.name": "ntmo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2942,6 +2996,9 @@ "related.ip": [ "10.183.34.1" ], + "related.user": [ + "isn" + ], "rsa.internal.messageid": "PRONECT", "rsa.misc.action": [ "der" 
@@ -2968,9 +3025,7 @@ ], "url.domain": "www5.example.com", "url.query": "piciatis", - "user.name": [ - "isn" - ], + "user.name": "isn", "user_agent.device.name": "Samsung GT-P3100 ", "user_agent.name": "Android", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", @@ -2997,6 +3052,9 @@ "related.ip": [ "10.101.163.40" ], + "related.user": [ + "nBCSe" + ], "rsa.internal.level": 4472, "rsa.internal.messageid": "CFYZ", "rsa.misc.action": [ @@ -3021,9 +3079,7 @@ ], "url.domain": "mail.example.net", "url.query": "ptatems", - "user.name": [ - "nBCSe" - ], + "user.name": "nBCSe", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -3051,6 +3107,9 @@ "related.ip": [ "10.216.188.152" ], + "related.user": [ + "ugitsedq" + ], "rsa.internal.messageid": "uGET", "rsa.misc.action": [ "atDuis" @@ -3077,9 +3136,7 @@ ], "url.domain": "www5.example.com", "url.query": "iumdolo", - "user.name": [ - "ugitsedq" - ], + "user.name": "ugitsedq", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -3106,6 +3163,9 @@ "related.ip": [ "10.94.140.77" ], + "related.user": [ + "isnisiu" + ], "rsa.internal.level": 1033, "rsa.internal.messageid": "nGET", "rsa.misc.action": [ 
@@ -3130,9 +3190,7 @@ ], "url.domain": "www5.example.org", "url.query": "lumqu", - "user.name": [ - "isnisiu" - ], + "user.name": "isnisiu", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -3157,6 +3215,9 @@ "related.ip": [ "10.223.205.204" ], + "related.user": [ + "ccaec" + ], "rsa.internal.level": 4133, "rsa.internal.messageid": "PUT", "rsa.misc.action": [ @@ -3181,9 +3242,7 @@ ], "url.domain": "www.example.com", "url.query": "imaveni", - "user.name": [ - "ccaec" - ], + "user.name": "ccaec", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -3211,6 +3270,9 @@ "related.ip": [ "10.85.137.156" ], + "related.user": [ + "serror" + ], "rsa.internal.messageid": "PUT", "rsa.misc.action": [ "isiut" @@ -3237,9 +3299,7 @@ ], "url.domain": "mail.example.org", "url.query": "itametc", - "user.name": [ - "serror" - ], + "user.name": "serror", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -3267,6 +3327,9 @@ "related.ip": [ "10.12.54.142" ], + "related.user": [ + "liquam" + ], "rsa.internal.messageid": "QUALYS", "rsa.misc.action": [ "lor" @@ -3293,9 +3356,7 @@ ], "url.domain": "mail.example.com", "url.query": "riatur", - "user.name": [ - "liquam" - ], + "user.name": "liquam", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -3322,6 +3383,9 @@ "related.ip": [ "10.158.6.52" ], + "related.user": [ + "sed" + ], "rsa.internal.level": 3864, "rsa.internal.messageid": "RNDMMTD", "rsa.misc.action": [ @@ -3346,9 +3410,7 @@ ], "url.domain": "example.net", "url.query": "lumdo", - "user.name": [ - "sed" - ], + "user.name": "sed", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", @@ -3376,6 +3438,9 @@ "related.ip": [ "10.195.160.182" ], + "related.user": [ + "urerepre" + ], "rsa.internal.messageid": "MKCOL", "rsa.misc.action": [ "itessequ" @@ -3402,9 +3467,7 @@ ], "url.domain": "www5.example.org", "url.query": "umfugi", - "user.name": [ - "urerepre" - ], + "user.name": "urerepre", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -3431,6 +3494,9 @@ "related.ip": [ "10.20.68.117" ], + "related.user": [ + "quas" + ], "rsa.internal.level": 6084, "rsa.internal.messageid": "CONNECT", "rsa.misc.action": [ @@ -3455,9 +3521,7 @@ ], "url.domain": "mail.example.com", "url.query": "archi", - "user.name": [ - "quas" - ], + "user.name": "quas", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -3485,6 +3549,9 @@ "related.ip": [ "10.94.136.235" ], + "related.user": [ + "iti" + ], "rsa.internal.messageid": "CONNECT", "rsa.misc.action": [ "amqu" 
@@ -3511,9 +3578,7 @@ ], "url.domain": "www5.example.com", "url.query": "upta", - "user.name": [ - "iti" - ], + "user.name": "iti", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -3541,6 +3606,9 @@ "related.ip": [ "10.152.11.26" ], + "related.user": [ + "ugiat" + ], "rsa.internal.messageid": "NCIRCLE", "rsa.misc.action": [ "oinBCSed" @@ -3567,9 +3635,7 @@ ], "url.domain": "www.example.net", "url.query": "veleumi", - "user.name": [ - "ugiat" - ], + "user.name": "ugiat", "user_agent.device.name": "Spider", "user_agent.name": "Other", "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" @@ -3593,6 +3659,9 @@ "related.ip": [ "10.82.118.95" ], + "related.user": [ + "ptate" + ], "rsa.internal.messageid": "PRONECT", "rsa.misc.action": [ "labo" @@ -3619,9 +3688,7 @@ ], "url.domain": "www5.example.com", "url.query": "Utenimad", - "user.name": [ - "ptate" - ], + "user.name": "ptate", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -3648,6 +3715,9 @@ "related.ip": [ "10.187.152.213" ], + "related.user": [ + "ventor" + ], "rsa.internal.level": 4322, "rsa.internal.messageid": "id", "rsa.misc.action": [ 
@@ -3672,9 +3742,7 @@ ], "url.domain": "www.example.net", "url.query": "aqui", - "user.name": [ - "ventor" - ], + "user.name": "ventor", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -3702,6 +3770,9 @@ "related.ip": [ "10.98.71.45" ], + "related.user": [ + "fugitse" + ], "rsa.internal.messageid": "uGET", "rsa.misc.action": [ "eirur" @@ -3728,9 +3799,7 @@ ], "url.domain": "www.example.net", "url.query": "civelits", - "user.name": [ - "fugitse" - ], + "user.name": "fugitse", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -3757,6 +3826,9 @@ "related.ip": [ "10.86.123.33" ], + "related.user": [ + "meum" + ], "rsa.internal.level": 5971, "rsa.internal.messageid": "uGET", "rsa.misc.action": [ @@ -3781,9 +3853,7 @@ ], "url.domain": "www5.example.net", "url.query": "Utenima", - "user.name": [ - "meum" - ], + "user.name": "meum", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", @@ -3810,6 +3880,9 @@ "related.ip": [ "10.6.112.183" ], + "related.user": [ + "oluptat" + ], "rsa.internal.level": 2852, "rsa.internal.messageid": "FGET", "rsa.misc.action": [ 
@@ -3834,9 +3907,7 @@ ], "url.domain": "www5.example.net", "url.query": "oremip", - "user.name": [ - "oluptat" - ], + "user.name": "oluptat", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -3864,6 +3935,9 @@ "related.ip": [ "10.227.156.143" ], + "related.user": [ + "idolo" + ], "rsa.internal.messageid": "LOCK", "rsa.misc.action": [ "tsedquia" @@ -3890,9 +3964,7 @@ ], "url.domain": "example.net", "url.query": "tatevel", - "user.name": [ - "idolo" - ], + "user.name": "idolo", "user_agent.device.name": "Spider", "user_agent.name": "Other", "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" @@ -3916,6 +3988,9 @@ "related.ip": [ "10.124.129.248" ], + "related.user": [ + "quide" + ], "rsa.internal.messageid": "get", "rsa.misc.action": [ "cididun" @@ -3942,9 +4017,7 @@ ], "url.domain": "example.org", "url.query": "hilmole", - "user.name": [ - "quide" - ], + "user.name": "quide", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -3972,6 +4045,9 @@ "related.ip": [ "10.173.125.112" ], + "related.user": [ + "upta" + ], "rsa.internal.messageid": "CONNECT", "rsa.misc.action": [ "umtota" @@ -3998,9 +4074,7 @@ ], "url.domain": "www5.example.org", "url.query": "itaedict", - "user.name": [ - "upta" - ], + "user.name": "upta", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -4027,6 +4101,9 @@ "related.ip": [ "10.37.156.140" ], + "related.user": [ + "olores" + ], "rsa.internal.level": 5227, "rsa.internal.messageid": "GET", "rsa.misc.action": [ @@ -4051,9 +4128,7 @@ ], "url.domain": "www.example.org", "url.query": "iss", - "user.name": [ - "olores" - ], + "user.name": "olores", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -4078,6 +4153,9 @@ "related.ip": [ "10.121.225.135" ], + "related.user": [ + "cin" + ], "rsa.internal.level": 5776, "rsa.internal.messageid": "PRONECT", "rsa.misc.action": [ @@ -4102,9 +4180,7 @@ ], "url.domain": "example.com", "url.query": "miurere", - "user.name": [ - "cin" - ], + "user.name": "cin", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -4131,6 +4207,9 @@ "related.ip": [ "10.123.68.56" ], + "related.user": [ + "olore" + ], "rsa.internal.level": 7708, "rsa.internal.messageid": "DEBUG", "rsa.misc.action": [ @@ -4155,9 +4234,7 @@ ], "url.domain": "www.example.org", "url.query": "itautfu", - "user.name": [ - "olore" - ], + "user.name": "olore", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -4185,6 +4262,9 @@ "related.ip": [ "10.63.56.164" ], + "related.user": [ + "evo" + ], "rsa.internal.messageid": "RNDMMTD", "rsa.misc.action": [ "avolu" 
@@ -4211,9 +4291,7 @@ ], "url.domain": "api.example.net", "url.query": "temseq", - "user.name": [ - "evo" - ], + "user.name": "evo", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -4241,6 +4319,9 @@ "related.ip": [ "10.62.10.137" ], + "related.user": [ + "deomnisi" + ], "rsa.internal.messageid": "HEAD", "rsa.misc.action": [ "issus" @@ -4267,9 +4348,7 @@ ], "url.domain": "example.net", "url.query": "ttenb", - "user.name": [ - "deomnisi" - ], + "user.name": "deomnisi", "user_agent.device.name": "Samsung SM-A305FN", "user_agent.name": "YandexSearch", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", @@ -4297,6 +4376,9 @@ "related.ip": [ "10.89.154.115" ], + "related.user": [ + "nimv" + ], "rsa.internal.messageid": "INDEX", "rsa.misc.action": [ "tconse" @@ -4323,9 +4405,7 @@ ], "url.domain": "example.org", "url.query": "citation", - "user.name": [ - "nimv" - ], + "user.name": "nimv", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -4352,6 +4432,9 @@ "related.ip": [ "10.122.252.130" ], + "related.user": [ + "mmo" + ], "rsa.internal.level": 4758, "rsa.internal.messageid": "TRACE", "rsa.misc.action": [ 
@@ -4376,9 +4459,7 @@ ], "url.domain": "www5.example.com", "url.query": "luptasnu", - "user.name": [ - "mmo" - ], + "user.name": "mmo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -4405,6 +4486,9 @@ "related.ip": [ "10.195.152.53" ], + "related.user": [ + "ute" + ], "rsa.internal.level": 2573, "rsa.internal.messageid": "id", "rsa.misc.action": [ @@ -4429,9 +4513,7 @@ ], "url.domain": "api.example.com", "url.query": "olupta", - "user.name": [ - "ute" - ], + "user.name": "ute", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "mobmail android 2.1.3.3150" @@ -4455,6 +4537,9 @@ "related.ip": [ "10.9.255.204" ], + "related.user": [ + "emUtenim" + ], "rsa.internal.messageid": "ABCD", "rsa.misc.action": [ "uid" @@ -4481,9 +4566,7 @@ ], "url.domain": "mail.example.com", "url.query": "urEx", - "user.name": [ - "emUtenim" - ], + "user.name": "emUtenim", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -4511,6 +4594,9 @@ "related.ip": [ "10.214.235.133" ], + "related.user": [ + "nulapari" + ], "rsa.internal.messageid": "RNDMMTD", "rsa.misc.action": [ "tsunt" @@ -4537,9 +4623,7 @@ ], "url.domain": "www.example.org", "url.query": "cillumdo", - "user.name": [ - "nulapari" - ], + "user.name": "nulapari", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -4567,6 +4651,9 @@ "related.ip": [ "10.5.134.204" ], + "related.user": [ + "iarchit" + ], "rsa.internal.messageid": "TRACE", "rsa.misc.action": [ "orum" @@ -4593,9 +4680,7 @@ ], "url.domain": "api.example.com", "url.query": "eumfu", - "user.name": [ - "iarchit" - ], + "user.name": "iarchit", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", @@ -4622,6 +4707,9 @@ "related.ip": [ "10.144.111.42" ], + "related.user": [ + "vento" + ], "rsa.internal.level": 6820, "rsa.internal.messageid": "SEARCH", "rsa.misc.action": [ @@ -4646,9 +4734,7 @@ ], "url.domain": "example.org", "url.query": "tDuisau", - "user.name": [ - "vento" - ], + "user.name": "vento", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -4675,6 +4761,9 @@ "related.ip": [ "10.122.0.80" ], + "related.user": [ + "ola" + ], "rsa.internal.level": 3071, "rsa.internal.messageid": "FGET", "rsa.misc.action": [ @@ -4699,9 +4788,7 @@ ], "url.domain": "example.net", "url.query": "antium", - "user.name": [ - "ola" - ], + "user.name": "ola", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", @@ -4729,6 +4816,9 @@ "related.ip": [ "10.165.33.19" ], + "related.user": [ + "iusmodi" + ], "rsa.internal.messageid": "ABCD", "rsa.misc.action": [ "aparia" 
@@ -4755,9 +4845,7 @@ ], "url.domain": "mail.example.com", "url.query": "namaliqu", - "user.name": [ - "iusmodi" - ], + "user.name": "iusmodi", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -4785,6 +4873,9 @@ "related.ip": [ "10.87.92.17" ], + "related.user": [ + "tamr" + ], "rsa.internal.messageid": "BADMTHD", "rsa.misc.action": [ "iutaliq" @@ -4811,9 +4902,7 @@ ], "url.domain": "mail.example.org", "url.query": "ctionofd", - "user.name": [ - "tamr" - ], + "user.name": "tamr", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -4840,6 +4929,9 @@ "related.ip": [ "10.51.52.203" ], + "related.user": [ + "itame" + ], "rsa.internal.level": 7615, "rsa.internal.messageid": "BADMETHOD", "rsa.misc.action": [ @@ -4864,9 +4956,7 @@ ], "url.domain": "example.com", "url.query": "arch", - "user.name": [ - "itame" - ], + "user.name": "itame", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -4894,6 +4984,9 @@ "related.ip": [ "10.0.211.86" ], + "related.user": [ + "imipsa" + ], "rsa.internal.messageid": "rndmmtd", "rsa.misc.action": [ "int" 
@@ -4920,9 +5013,7 @@ ], "url.domain": "internal.example.net", "url.query": "ursintoc", - "user.name": [ - "imipsa" - ], + "user.name": "imipsa", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -4949,6 +5040,9 @@ "related.ip": [ "10.106.34.244" ], + "related.user": [ + "nim" + ], "rsa.internal.level": 264, "rsa.internal.messageid": "OPTIONS", "rsa.misc.action": [ @@ -4973,9 +5067,7 @@ ], "url.domain": "mail.example.net", "url.query": "ssequamn", - "user.name": [ - "nim" - ], + "user.name": "nim", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5002,6 +5094,9 @@ "related.ip": [ "10.191.210.188" ], + "related.user": [ + "ruredol" + ], "rsa.internal.level": 2943, "rsa.internal.messageid": "nGET", "rsa.misc.action": [ @@ -5026,9 +5121,7 @@ ], "url.domain": "www.example.org", "url.query": "abill", - "user.name": [ - "ruredol" - ], + "user.name": "ruredol", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -5055,6 +5148,9 @@ "related.ip": [ "10.2.38.49" ], + "related.user": [ + "lor" + ], "rsa.internal.level": 6165, "rsa.internal.messageid": "BDMTHD", "rsa.misc.action": [ @@ -5079,9 +5175,7 @@ ], "url.domain": "www.example.com", "url.query": "Duis", - "user.name": [ - "lor" - ], + "user.name": "lor", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "mobmail android 2.1.3.3150" 
@@ -5105,6 +5199,9 @@ "related.ip": [ "10.66.92.90" ], + "related.user": [ + "atisu" + ], "rsa.internal.messageid": "id", "rsa.misc.action": [ "tse" @@ -5131,9 +5228,7 @@ ], "url.domain": "example.com", "url.query": "tlab", - "user.name": [ - "atisu" - ], + "user.name": "atisu", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -5161,6 +5256,9 @@ "related.ip": [ "10.97.108.108" ], + "related.user": [ + "teirured" + ], "rsa.internal.messageid": "BADMTHD", "rsa.misc.action": [ "sistena" @@ -5187,9 +5285,7 @@ ], "url.domain": "example.com", "url.query": "olor", - "user.name": [ - "teirured" - ], + "user.name": "teirured", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", @@ -5217,6 +5313,9 @@ "related.ip": [ "10.147.147.248" ], + "related.user": [ + "uira" + ], "rsa.internal.messageid": "COOK", "rsa.misc.action": [ "ptatev" @@ -5243,9 +5342,7 @@ ], "url.domain": "api.example.net", "url.query": "aborio", - "user.name": [ - "uira" - ], + "user.name": "uira", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -5273,6 +5370,9 @@ "related.ip": [ "10.152.190.61" ], + "related.user": [ + "culp" + ], "rsa.internal.messageid": "NCIRCLE", "rsa.misc.action": [ "nesciu" 
@@ -5299,9 +5399,7 @@ ], "url.domain": "www.example.org", "url.query": "atione", - "user.name": [ - "culp" - ], + "user.name": "culp", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5329,6 +5427,9 @@ "related.ip": [ "10.129.232.105" ], + "related.user": [ + "deFini" + ], "rsa.internal.messageid": "DETECT_METHOD_TYPE", "rsa.misc.action": [ "aliquaU" @@ -5355,9 +5456,7 @@ ], "url.domain": "www.example.net", "url.query": "eturadi", - "user.name": [ - "deFini" - ], + "user.name": "deFini", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -5384,6 +5483,9 @@ "related.ip": [ "10.12.173.112" ], + "related.user": [ + "mco" + ], "rsa.internal.level": 5473, "rsa.internal.messageid": "TRACE", "rsa.misc.action": [ @@ -5408,9 +5510,7 @@ ], "url.domain": "internal.example.org", "url.query": "nidol", - "user.name": [ - "mco" - ], + "user.name": "mco", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index 2208d0242c8..6b739614b0d 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md 
@@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-08 16:42:07.635906 +0000 UTC. +at 2020-07-08 17:36:34.448527 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js index 560f07e7e5d..cc84a62db72 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js +++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js @@ -916,8 +916,8 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_set}]}, - "administrator": {to:[{field: "user.name", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_append}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, 
@@ -925,8 +925,8 @@ var ecs_mappings = {
 "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
 "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
 "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "user.name", setter: fld_append}]},
- "c_username": {to:[{field: "user.name", setter: fld_append}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
 "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
 "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
 "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.category", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_append}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
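Review bot: In the second hunk, `event_type` is moved from `event.category` (fld_set) to `event.action` with fld_append, and `action` (previous hunk in this file) is switched to fld_append as well, so `event.action` is now emitted as an array even when only one value is present (the expected-output fixtures in this series show `"event.action": ["Blocked"]`). ECS documents `event.action` as a single keyword; Elasticsearch term matches on the string will still work, but anything that reads the field as a scalar (Kibana formatters, downstream code or rules that compare `event.action == "Blocked"`) should be rechecked, and it is not clear from the hunk whether fld_append de-duplicates when `action` and `event_type` carry the same value in one event. The module README in this series says the module is autogenerated, so this mapping change presumably belongs in the generator template rather than only in this copy; a comment such as `// event.action is appended from both 'action' and 'event_type' and is therefore always an array` above the table would help readers. The enclosing `ecs_mappings` object starts and ends outside the hunk.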
@@ -982,14 +982,14 @@ var ecs_mappings = {
 "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
 "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
 "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "user.name", setter: fld_append}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "user.name", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
 "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
@@ -1015,7 +1015,7 @@ var ecs_mappings = {
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
 "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "user.name", setter: fld_append}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
 "severity": {to:[{field: "log.level", setter: fld_set}]},
 "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
 "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
@@ -1030,17 +1030,17 @@ var ecs_mappings = {
 "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
 "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
 "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "user.name", setter: fld_append}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
 "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
 "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
 "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
 "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "user.name", setter: fld_append}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
 "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
 "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
 "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
 "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "user.name", setter: fld_append}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
 "version": {to:[{field: "observer.version", setter: fld_set}]},
 "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
 "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
index c31f8631d33..085c95b3306 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
@@ -5,7 +5,9 @@ "destination.ip": [ "10.206.191.17" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "litesse", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -23,8 +25,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" + ], + "related.user": [ + "sumdo" ], "rsa.db.index": "ntsunti", "rsa.identity.user_dept": "sperna", @@ -35,8 +40,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "pisciv", - "Blocked" + "Blocked", + "pisciv" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", @@ -60,9 +65,7 @@ "forwarded" ], "url.original": "https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap", - "user.name": [ - "sumdo" - ], + "user.name": "sumdo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -75,7 +78,9 @@ "destination.ip": [ "10.173.22.152" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "byC", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -93,8 +98,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.46.95", - "10.173.22.152" + "10.173.22.152", + "10.26.46.95" + ], + "related.user": [ + "eataevi" ], "rsa.db.index": "aqu", "rsa.identity.user_dept": "com", @@ -130,9 +138,7 @@ "forwarded" ], "url.original": "https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia", - "user.name": [ - "eataevi" - ], + "user.name": "eataevi", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", 
@@ -147,7 +153,9 @@ "destination.ip": [ "10.204.86.149" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "laboreet", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -168,6 +176,9 @@ "10.204.86.149", "10.254.146.57" ], + "related.user": [ + "tenima" + ], "rsa.db.index": "nsequat", "rsa.identity.user_dept": "onev", "rsa.internal.data": "amco", @@ -177,8 +188,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "Blocked", - "giatq" + "giatq", + "Blocked" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -202,9 +213,7 @@ "forwarded" ], "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", - "user.name": [ - "tenima" - ], + "user.name": "tenima", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -219,7 +228,9 @@ "destination.ip": [ "10.103.246.190" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "suntinc", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -237,8 +248,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" + ], + "related.user": [ + "equun" ], "rsa.db.index": "uiano", "rsa.identity.user_dept": "ari", @@ -274,9 +288,7 @@ "forwarded" ], "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", - "user.name": [ - "equun" - ], + "user.name": "equun", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -291,7 +303,9 @@ "destination.ip": [ "10.61.78.108" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "umdolore", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -309,8 +323,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" + ], + "related.user": [ + "ercit" ], "rsa.db.index": "idexea", "rsa.identity.user_dept": "ciati", @@ -321,8 +338,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -346,9 +363,7 @@ "forwarded" ], "url.original": "https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea", - "user.name": [ - "ercit" - ], + "user.name": "ercit", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -363,7 +378,9 @@ "destination.ip": [ "10.183.16.166" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "remipsum", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -384,6 +401,9 @@ "10.183.16.166", "10.66.250.92" ], + "related.user": [ + "tessec" + ], "rsa.db.index": "essecill", "rsa.identity.user_dept": "ons", "rsa.internal.data": "llam", @@ -418,9 +438,7 @@ "forwarded" ], "url.original": "https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd", - "user.name": [ - "tessec" - ], + "user.name": "tessec", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", 
@@ -435,7 +453,9 @@ "destination.ip": [ "10.243.224.205" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "lpa", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -456,6 +476,9 @@ "10.123.104.59", "10.243.224.205" ], + "related.user": [ + "xercitat" + ], "rsa.db.index": "edqui", "rsa.identity.user_dept": "eprehen", "rsa.internal.data": "ema", @@ -465,8 +488,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "dun", - "Blocked" + "Blocked", + "dun" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -490,9 +513,7 @@ "forwarded" ], "url.original": "https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura", - "user.name": [ - "xercitat" - ], + "user.name": "xercitat", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -507,7 +528,9 @@ "destination.ip": [ "10.119.185.63" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "amqu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -528,6 +551,9 @@ "10.119.185.63", "10.74.17.5" ], + "related.user": [ + "erc" + ], "rsa.db.index": "ume", "rsa.identity.user_dept": "itecto", "rsa.internal.data": "tema", @@ -562,9 +588,7 @@ "forwarded" ], "url.original": "https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des", - "user.name": [ - "erc" - ], + "user.name": "erc", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", 
@@ -579,7 +603,9 @@ "destination.ip": [ "10.78.151.178" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "mporain", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -600,6 +626,9 @@ "10.25.192.202", "10.78.151.178" ], + "related.user": [ + "quip" + ], "rsa.db.index": "iadese", "rsa.identity.user_dept": "ecillu", "rsa.internal.data": "upt", @@ -634,9 +663,7 @@ "forwarded" ], "url.original": "https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn", - "user.name": [ - "quip" - ], + "user.name": "quip", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -651,7 +678,9 @@ "destination.ip": [ "10.71.170.37" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "umexerci", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -672,6 +701,9 @@ "10.135.225.244", "10.71.170.37" ], + "related.user": [ + "atu" + ], "rsa.db.index": "serror", "rsa.identity.user_dept": "atiset", "rsa.internal.data": "rumetM", @@ -681,8 +713,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -706,9 +738,7 @@ "forwarded" ], "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", - "user.name": [ - "atu" - ], + "user.name": "atu", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -723,7 +753,9 @@ "destination.ip": [ "10.223.247.86" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "lup", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -741,8 +773,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.19.145.131", - "10.223.247.86" + "10.223.247.86", + "10.19.145.131" + ], + "related.user": [ + "tNequepo" ], "rsa.db.index": "rinrepre", "rsa.identity.user_dept": "oluptas", @@ -753,8 +788,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "Allowed", - "emseq" + "emseq", + "Allowed" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -778,9 +813,7 @@ "forwarded" ], "url.original": "https://example.org/bor/occa.htm?dol=leumiu#namali", - "user.name": [ - "tNequepo" - ], + "user.name": "tNequepo", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -795,7 +828,9 @@ "destination.ip": [ "10.2.53.125" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "radi", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -813,8 +848,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.181.80.139", - "10.2.53.125" + "10.2.53.125", + "10.181.80.139" + ], + "related.user": [ + "ihilmo" ], "rsa.db.index": "tin", "rsa.identity.user_dept": "aboN", @@ -825,8 +863,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "Allowed", - "lorsitam" + "lorsitam", + "Allowed" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", 
@@ -850,9 +888,7 @@ "forwarded" ], "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", - "user.name": [ - "ihilmo" - ], + "user.name": "ihilmo", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -867,7 +903,9 @@ "destination.ip": [ "10.31.240.6" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "olup", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -885,8 +923,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.167.98.76", - "10.31.240.6" + "10.31.240.6", + "10.167.98.76" + ], + "related.user": [ + "ratvolu" ], "rsa.db.index": "bore", "rsa.identity.user_dept": "gnido", @@ -897,8 +938,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "Allowed", - "veni" + "veni", + "Allowed" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -922,9 +963,7 @@ "forwarded" ], "url.original": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", - "user.name": [ - "ratvolu" - ], + "user.name": "ratvolu", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -939,7 +978,9 @@ "destination.ip": [ "10.0.55.9" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "rcitati", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -960,6 +1001,9 @@ "10.0.55.9", "10.135.160.125" ], + "related.user": [ + "volupta" + ], "rsa.db.index": "mfugiat", "rsa.identity.user_dept": "Utenima", "rsa.internal.data": "equat", 
@@ -969,8 +1013,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -994,9 +1038,7 @@ "forwarded" ], "url.original": "https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau", - "user.name": [ - "volupta" - ], + "user.name": "volupta", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -1011,7 +1053,9 @@ "destination.ip": [ "10.63.250.128" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ntocca", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1032,6 +1076,9 @@ "10.111.187.12", "10.63.250.128" ], + "related.user": [ + "saute" + ], "rsa.db.index": "nevo", "rsa.identity.user_dept": "tev", "rsa.internal.data": "tDuisaut", @@ -1041,8 +1088,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "ntoccae", - "Allowed" + "Allowed", + "ntoccae" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1066,9 +1113,7 @@ "forwarded" ], "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", - "user.name": [ - "saute" - ], + "user.name": "saute", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -1083,7 +1128,9 @@ "destination.ip": [ "10.5.126.127" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "eprehen", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -1104,6 +1151,9 @@ "10.5.126.127", "10.252.124.150" ], + "related.user": [ + "inibusB" + ], "rsa.db.index": "uirati", "rsa.identity.user_dept": "roid", "rsa.internal.data": "sBon", @@ -1113,8 +1163,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1138,9 +1188,7 @@ "forwarded" ], "url.original": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", - "user.name": [ - "inibusB" - ], + "user.name": "inibusB", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -1155,7 +1203,9 @@ "destination.ip": [ "10.201.171.120" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ris", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1173,8 +1223,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.201.171.120", - "10.91.126.231" + "10.91.126.231", + "10.201.171.120" + ], + "related.user": [ + "exercita" ], "rsa.db.index": "str", "rsa.identity.user_dept": "tau", @@ -1210,9 +1263,7 @@ "forwarded" ], "url.original": "https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta", - "user.name": [ - "exercita" - ], + "user.name": "exercita", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -1227,7 +1278,9 @@ "destination.ip": [ "10.135.82.97" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "iat", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -1245,8 +1298,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.82.97", - "10.107.251.87" + "10.107.251.87", + "10.135.82.97" + ], + "related.user": [ + "str" ], "rsa.db.index": "oin", "rsa.identity.user_dept": "nturma", @@ -1257,8 +1313,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "Allowed", - "itecto" + "itecto", + "Allowed" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1282,9 +1338,7 @@ "forwarded" ], "url.original": "https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol", - "user.name": [ - "str" - ], + "user.name": "str", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -1299,7 +1353,9 @@ "destination.ip": [ "10.31.198.58" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ditemp", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1320,6 +1376,9 @@ "10.31.198.58", "10.215.205.216" ], + "related.user": [ + "aturve" + ], "rsa.db.index": "sau", "rsa.identity.user_dept": "boreetdo", "rsa.internal.data": "adipisc", @@ -1354,9 +1413,7 @@ "forwarded" ], "url.original": "https://www.example.com/its/ender.gif?oles=edic#seq", - "user.name": [ - "aturve" - ], + "user.name": "aturve", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -1371,7 +1428,9 @@ "destination.ip": [ "10.29.155.171" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "aboreetd", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -1389,8 +1448,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" + ], + "related.user": [ + "ulapar" ], "rsa.db.index": "orsit", "rsa.identity.user_dept": "labo", @@ -1401,8 +1463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "Allowed", - "llitanim" + "llitanim", + "Allowed" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1426,9 +1488,7 @@ "forwarded" ], "url.original": "https://www5.example.org/oeni/tdol.gif?llamco=nea#psum", - "user.name": [ - "ulapar" - ], + "user.name": "ulapar", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", @@ -1443,7 +1503,9 @@ "destination.ip": [ "10.129.192.145" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "oraincid", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1464,6 +1526,9 @@ "10.129.192.145", "10.161.148.64" ], + "related.user": [ + "lor" + ], "rsa.db.index": "cteturad", "rsa.identity.user_dept": "dex", "rsa.internal.data": "adminimv", @@ -1498,9 +1563,7 @@ "forwarded" ], "url.original": "https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor", - "user.name": [ - "lor" - ], + "user.name": "lor", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", 
@@ -1515,7 +1578,9 @@ "destination.ip": [ "10.7.200.140" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "tpersp", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1533,8 +1598,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.203.65.161", - "10.7.200.140" + "10.7.200.140", + "10.203.65.161" + ], + "related.user": [ + "snost" ], "rsa.db.index": "qui", "rsa.identity.user_dept": "siu", @@ -1545,8 +1613,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "Allowed", - "nte" + "nte", + "Allowed" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1570,9 +1638,7 @@ "forwarded" ], "url.original": "https://api.example.org/icabo/gna.html?urerepr=eseru#quamest", - "user.name": [ - "snost" - ], + "user.name": "snost", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -1587,7 +1653,9 @@ "destination.ip": [ "10.86.22.67" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "mquae", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1605,8 +1673,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" + ], + "related.user": [ + "olori" ], "rsa.db.index": "cab", "rsa.identity.user_dept": "quunt", 
@@ -1642,9 +1713,7 @@ "forwarded" ], "url.original": "https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ", - "user.name": [ - "olori" - ], + "user.name": "olori", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -1659,7 +1728,9 @@ "destination.ip": [ "10.39.31.115" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "labo", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1680,6 +1751,9 @@ "10.39.31.115", "10.24.111.229" ], + "related.user": [ + "fugi" + ], "rsa.db.index": "rExc", "rsa.identity.user_dept": "toccaec", "rsa.internal.data": "acommod", @@ -1714,9 +1788,7 @@ "forwarded" ], "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", - "user.name": [ - "fugi" - ], + "user.name": "fugi", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -1731,7 +1803,9 @@ "destination.ip": [ "10.179.210.218" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "undeom", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1749,8 +1823,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" + ], + "related.user": [ + "boreetdo" ], "rsa.db.index": "emvele", "rsa.identity.user_dept": "tatevel", 
@@ -1786,9 +1863,7 @@ "forwarded" ], "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "user.name": [ - "boreetdo" - ], + "user.name": "boreetdo", "user_agent.device.name": "Samsung SM-A715F", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", @@ -1803,7 +1878,9 @@ "destination.ip": [ "10.128.173.19" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "tlaboree", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1821,8 +1898,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.173.19", - "10.88.172.34" + "10.88.172.34", + "10.128.173.19" + ], + "related.user": [ + "agnaaliq" ], "rsa.db.index": "oin", "rsa.identity.user_dept": "maperi", @@ -1833,8 +1913,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "Blocked", - "dtempo" + "dtempo", + "Blocked" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -1858,9 +1938,7 @@ "forwarded" ], "url.original": "https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla", - "user.name": [ - "agnaaliq" - ], + "user.name": "agnaaliq", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -1875,7 +1953,9 @@ "destination.ip": [ "10.130.241.232" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "redol", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -1896,6 +1976,9 @@ "10.238.224.49", "10.130.241.232" ], + "related.user": [ + "onse" + ], "rsa.db.index": "aaliq", "rsa.identity.user_dept": "mad", "rsa.internal.data": "inv", @@ -1930,9 +2013,7 @@ "forwarded" ], "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", - "user.name": [ - "onse" - ], + "user.name": "onse", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -1947,7 +2028,9 @@ "destination.ip": [ "10.115.53.31" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "olorema", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1965,8 +2048,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.2.67.127", - "10.115.53.31" + "10.115.53.31", + "10.2.67.127" + ], + "related.user": [ + "Cic" ], "rsa.db.index": "ntexplic", "rsa.identity.user_dept": "mdolore", @@ -2002,9 +2088,7 @@ "forwarded" ], "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", - "user.name": [ - "Cic" - ], + "user.name": "Cic", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2019,7 +2103,9 @@ "destination.ip": [ "10.204.214.251" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "scipitl", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2040,6 +2126,9 @@ "10.204.214.251", "10.101.38.213" ], + "related.user": [ + "ueipsa" + ], "rsa.db.index": "ecatcupi", "rsa.identity.user_dept": "atuse", "rsa.internal.data": "tur", 
@@ -2074,9 +2163,7 @@ "forwarded" ], "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", - "user.name": [ - "ueipsa" - ], + "user.name": "ueipsa", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2091,7 +2178,9 @@ "destination.ip": [ "10.18.226.72" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "dquiaco", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2109,8 +2198,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" + ], + "related.user": [ + "rroqu" ], "rsa.db.index": "iacons", "rsa.identity.user_dept": "billo", @@ -2146,9 +2238,7 @@ "forwarded" ], "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", - "user.name": [ - "rroqu" - ], + "user.name": "rroqu", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2163,7 +2253,9 @@ "destination.ip": [ "10.87.100.240" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "equep", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2181,8 +2273,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.87.100.240", - "10.242.182.193" + "10.242.182.193", + "10.87.100.240" + ], + "related.user": [ + "stenatus" ], "rsa.db.index": "etconsec", "rsa.identity.user_dept": "nder", 
@@ -2218,9 +2313,7 @@ "forwarded" ], "url.original": "https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta", - "user.name": [ - "stenatus" - ], + "user.name": "stenatus", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2235,7 +2328,9 @@ "destination.ip": [ "10.229.242.223" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "dexe", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2256,6 +2351,9 @@ "10.80.57.247", "10.229.242.223" ], + "related.user": [ + "itasp" + ], "rsa.db.index": "pernat", "rsa.identity.user_dept": "ptatem", "rsa.internal.data": "autemv", @@ -2290,9 +2388,7 @@ "forwarded" ], "url.original": "https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq", - "user.name": [ - "itasp" - ], + "user.name": "itasp", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -2307,7 +2403,9 @@ "destination.ip": [ "10.193.66.155" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "enim", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2328,6 +2426,9 @@ "10.193.66.155", "10.106.77.138" ], + "related.user": [ + "iusmodt" + ], "rsa.db.index": "iqua", "rsa.identity.user_dept": "henderi", "rsa.internal.data": "caecat", 
@@ -2362,9 +2463,7 @@ "forwarded" ], "url.original": "https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta", - "user.name": [ - "iusmodt" - ], + "user.name": "iusmodt", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -2379,7 +2478,9 @@ "destination.ip": [ "10.236.230.136" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "quira", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2397,8 +2498,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" + ], + "related.user": [ + "mUteni" ], "rsa.db.index": "olup", "rsa.identity.user_dept": "asnulapa", @@ -2409,8 +2513,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2434,9 +2538,7 @@ "forwarded" ], "url.original": "https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi", - "user.name": [ - "mUteni" - ], + "user.name": "mUteni", "user_agent.device.name": "STK-L21", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -2451,7 +2553,9 @@ "destination.ip": [ "10.49.242.174" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "rroqui", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -2469,8 +2573,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.49.242.174", - "10.131.246.134" + "10.131.246.134", + "10.49.242.174" + ], + "related.user": [ + "umdolo" ], "rsa.db.index": "sumquiad", "rsa.identity.user_dept": "aconsequ", @@ -2481,8 +2588,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2506,9 +2613,7 @@ "forwarded" ], "url.original": "https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon", - "user.name": [ - "umdolo" - ], + "user.name": "umdolo", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -2523,7 +2628,9 @@ "destination.ip": [ "10.142.120.198" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ido", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2541,8 +2648,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.10.42", - "10.142.120.198" + "10.142.120.198", + "10.166.10.42" + ], + "related.user": [ + "olori" ], "rsa.db.index": "fugiatn", "rsa.identity.user_dept": "uamqu", @@ -2578,9 +2688,7 @@ "forwarded" ], "url.original": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", - "user.name": [ - "olori" - ], + "user.name": "olori", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -2595,7 +2703,9 @@ "destination.ip": [ "10.138.188.201" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "rsitvol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2613,8 +2723,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.184.241", - "10.138.188.201" + "10.138.188.201", + "10.128.184.241" + ], + "related.user": [ + "etur" ], "rsa.db.index": "riatur", "rsa.identity.user_dept": "urau", @@ -2625,8 +2738,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "sed", - "Allowed" + "Allowed", + "sed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2650,9 +2763,7 @@ "forwarded" ], "url.original": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", - "user.name": [ - "etur" - ], + "user.name": "etur", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2667,7 +2778,9 @@ "destination.ip": [ "10.53.101.131" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "itinvol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2688,6 +2801,9 @@ "10.53.101.131", "10.213.57.165" ], + "related.user": [ + "isau" + ], "rsa.db.index": "asnulap", "rsa.identity.user_dept": "ectetura", "rsa.internal.data": "ectob", @@ -2722,9 +2838,7 @@ "forwarded" ], "url.original": "https://example.net/snulap/enimadm.html?writte=sitvo#ine", - "user.name": [ - "isau" - ], + "user.name": "isau", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -2739,7 +2853,9 @@ "destination.ip": [ "10.243.6.41" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ainc", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2760,6 +2876,9 @@ "10.243.6.41", "10.55.81.14" ], + "related.user": [ + "eiusmo" + ], "rsa.db.index": "emp", "rsa.identity.user_dept": "tenim", "rsa.internal.data": "riame", @@ -2794,9 +2913,7 @@ "forwarded" ], "url.original": "https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents", - "user.name": [ - "eiusmo" - ], + "user.name": "eiusmo", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -2811,7 +2928,9 @@ "destination.ip": [ "10.33.144.10" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "labo", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2832,6 +2951,9 @@ "10.33.144.10", "10.202.224.79" ], + "related.user": [ + "rios" + ], "rsa.db.index": "edolori", "rsa.identity.user_dept": "seos", "rsa.internal.data": "ore", @@ -2866,9 +2988,7 @@ "forwarded" ], "url.original": "https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos", - "user.name": [ - "rios" - ], + "user.name": "rios", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2883,7 +3003,9 @@ "destination.ip": [ "10.158.18.51" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "exerci", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2904,6 +3026,9 @@ "10.158.18.51", "10.20.124.138" ], + "related.user": [ + "CSe" + ], "rsa.db.index": "quamqua", "rsa.identity.user_dept": "aparia", "rsa.internal.data": "tat", 
@@ -2938,9 +3063,7 @@ "forwarded" ], "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", - "user.name": [ - "CSe" - ], + "user.name": "CSe", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -2955,7 +3078,9 @@ "destination.ip": [ "10.134.128.27" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "olore", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2976,6 +3101,9 @@ "10.118.177.136", "10.134.128.27" ], + "related.user": [ + "Utenima" + ], "rsa.db.index": "liqua", "rsa.identity.user_dept": "rumSecti", "rsa.internal.data": "tqu", @@ -2985,8 +3113,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3010,9 +3138,7 @@ "forwarded" ], "url.original": "https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo", - "user.name": [ - "Utenima" - ], + "user.name": "Utenima", "user_agent.device.name": "Meizu M6", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -3027,7 +3153,9 @@ "destination.ip": [ "10.68.8.143" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "lorem", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3045,8 +3173,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" + ], + "related.user": [ + "reet" ], "rsa.db.index": "tam", "rsa.identity.user_dept": "idolo", 
@@ -3082,9 +3213,7 @@ "forwarded" ], "url.original": "https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore", - "user.name": [ - "reet" - ], + "user.name": "reet", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -3099,7 +3228,9 @@ "destination.ip": [ "10.143.0.78" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "atems", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3117,8 +3248,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.137.164.122", - "10.143.0.78" + "10.143.0.78", + "10.137.164.122" + ], + "related.user": [ + "orissus" ], "rsa.db.index": "itesse", "rsa.identity.user_dept": "amnihil", @@ -3129,8 +3263,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3154,9 +3288,7 @@ "forwarded" ], "url.original": "https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip", - "user.name": [ - "orissus" - ], + "user.name": "orissus", "user_agent.device.name": "Meizu M6", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -3171,7 +3303,9 @@ "destination.ip": [ "10.30.87.51" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "rchit", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3192,6 +3326,9 @@ "10.156.177.53", "10.30.87.51" ], + "related.user": [ + "psaquaea" + ], "rsa.db.index": "siarc", "rsa.identity.user_dept": "rmagnido", "rsa.internal.data": "quiavolu", 
@@ -3201,8 +3338,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "Blocked", - "ptatev" + "ptatev", + "Blocked" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3226,9 +3363,7 @@ "forwarded" ], "url.original": "https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur", - "user.name": [ - "psaquaea" - ], + "user.name": "psaquaea", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", @@ -3243,7 +3378,9 @@ "destination.ip": [ "10.83.138.34" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "inea", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3264,6 +3401,9 @@ "10.83.138.34", "10.111.249.184" ], + "related.user": [ + "dentsunt" + ], "rsa.db.index": "datatnon", "rsa.identity.user_dept": "onsectet", "rsa.internal.data": "tat", @@ -3273,8 +3413,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "Blocked", - "upta" + "upta", + "Blocked" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3298,9 +3438,7 @@ "forwarded" ], "url.original": "https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul", - "user.name": [ - "dentsunt" - ], + "user.name": "dentsunt", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", 
@@ -3315,7 +3453,9 @@ "destination.ip": [ "10.141.195.13" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "tautfugi", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3336,6 +3476,9 @@ "10.141.195.13", "10.180.150.47" ], + "related.user": [ + "taliq" + ], "rsa.db.index": "ariat", "rsa.identity.user_dept": "ncul", "rsa.internal.data": "nvol", @@ -3370,9 +3513,7 @@ "forwarded" ], "url.original": "https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem", - "user.name": [ - "taliq" - ], + "user.name": "taliq", "user_agent.device.name": "U20", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", @@ -3387,7 +3528,9 @@ "destination.ip": [ "10.166.195.20" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ceroinB", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3405,8 +3548,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.195.20", - "10.255.40.12" + "10.255.40.12", + "10.166.195.20" + ], + "related.user": [ + "lamcolab" ], "rsa.db.index": "tdolorem", "rsa.identity.user_dept": "remagnaa", @@ -3417,8 +3563,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "citation", - "Allowed" + "Allowed", + "citation" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3442,9 +3588,7 @@ "forwarded" ], "url.original": "https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna", - "user.name": [ - "lamcolab" - ], + "user.name": "lamcolab", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", 
@@ -3457,7 +3601,9 @@ "destination.ip": [ "10.22.122.43" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "mexer", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3478,6 +3624,9 @@ "10.22.122.43", "10.100.143.226" ], + "related.user": [ + "ute" + ], "rsa.db.index": "turveli", "rsa.identity.user_dept": "ueporroq", "rsa.internal.data": "cta", @@ -3487,8 +3636,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Blocked", - "Bonoru" + "Bonoru", + "Blocked" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3512,9 +3661,7 @@ "forwarded" ], "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", - "user.name": [ - "ute" - ], + "user.name": "ute", "user_agent.device.name": "Other", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", @@ -3529,7 +3676,9 @@ "destination.ip": [ "10.119.53.68" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "illum", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3547,8 +3696,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.53.68", - "10.121.9.5" + "10.121.9.5", + "10.119.53.68" + ], + "related.user": [ + "ssec" ], "rsa.db.index": "sitam", "rsa.identity.user_dept": "mea", @@ -3559,8 +3711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "Blocked", - "tinvolup" + "tinvolup", + "Blocked" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", 
@@ -3584,9 +3736,7 @@ "forwarded" ], "url.original": "https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul", - "user.name": [ - "ssec" - ], + "user.name": "ssec", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -3601,7 +3751,9 @@ "destination.ip": [ "10.237.0.173" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "periam", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3622,6 +3774,9 @@ "10.237.0.173", "10.31.153.177" ], + "related.user": [ + "sci" + ], "rsa.db.index": "tMalor", "rsa.identity.user_dept": "tiset", "rsa.internal.data": "eleumi", @@ -3656,9 +3811,7 @@ "forwarded" ], "url.original": "https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt", - "user.name": [ - "sci" - ], + "user.name": "sci", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -3671,7 +3824,9 @@ "destination.ip": [ "10.243.182.229" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "emporin", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3692,6 +3847,9 @@ "10.243.182.229", "10.229.102.140" ], + "related.user": [ + "duntut" + ], "rsa.db.index": "mveni", "rsa.identity.user_dept": "nimve", "rsa.internal.data": "uasi", @@ -3701,8 +3859,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", 
@@ -3726,9 +3884,7 @@ "forwarded" ], "url.original": "https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com", - "user.name": [ - "duntut" - ], + "user.name": "duntut", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "mobmail android 2.1.3.3150" @@ -3739,7 +3895,9 @@ "destination.ip": [ "10.39.46.155" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "BCSe", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3760,6 +3918,9 @@ "10.120.138.109", "10.39.46.155" ], + "related.user": [ + "picia" + ], "rsa.db.index": "pta", "rsa.identity.user_dept": "sciveli", "rsa.internal.data": "pteu", @@ -3794,9 +3955,7 @@ "forwarded" ], "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", - "user.name": [ - "picia" - ], + "user.name": "picia", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -3811,7 +3970,9 @@ "destination.ip": [ "10.53.191.49" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "idestl", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3832,6 +3993,9 @@ "10.133.102.57", "10.53.191.49" ], + "related.user": [ + "onsec" + ], "rsa.db.index": "sam", "rsa.identity.user_dept": "ctobeat", "rsa.internal.data": "luptate", @@ -3866,9 +4030,7 @@ "forwarded" ], "url.original": "https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd", - "user.name": [ - "onsec" - ], + "user.name": "onsec", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", 
@@ -3883,7 +4045,9 @@ "destination.ip": [ "10.91.2.225" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "tcu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3904,6 +4068,9 @@ "10.91.2.225", "10.89.41.97" ], + "related.user": [ + "tem" + ], "rsa.db.index": "ntut", "rsa.identity.user_dept": "nderi", "rsa.internal.data": "uam", @@ -3938,9 +4105,7 @@ "forwarded" ], "url.original": "https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum", - "user.name": [ - "tem" - ], + "user.name": "tem", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", @@ -3955,7 +4120,9 @@ "destination.ip": [ "10.221.20.165" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "velites", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3973,8 +4140,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.221.20.165", - "10.7.18.226" + "10.7.18.226", + "10.221.20.165" + ], + "related.user": [ + "uasiarch" ], "rsa.db.index": "borio", "rsa.identity.user_dept": "tionev", @@ -3985,8 +4155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "Allowed", - "epreh" + "epreh", + "Allowed" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", 
@@ -4010,9 +4180,7 @@ "forwarded" ], "url.original": "https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla", - "user.name": [ - "uasiarch" - ], + "user.name": "uasiarch", "user_agent.device.name": "Meizu M6", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -4027,7 +4195,9 @@ "destination.ip": [ "10.178.148.188" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "rit", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4045,8 +4215,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.155.252.123", - "10.178.148.188" + "10.178.148.188", + "10.155.252.123" + ], + "related.user": [ + "inrepreh" ], "rsa.db.index": "ipsa", "rsa.identity.user_dept": "ssequ", @@ -4082,9 +4255,7 @@ "forwarded" ], "url.original": "https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt", - "user.name": [ - "inrepreh" - ], + "user.name": "inrepreh", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", @@ -4099,7 +4270,9 @@ "destination.ip": [ "10.190.42.245" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "aeab", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4120,6 +4293,9 @@ "10.220.1.249", "10.190.42.245" ], + "related.user": [ + "olup" + ], "rsa.db.index": "caboN", "rsa.identity.user_dept": "quuntur", "rsa.internal.data": "umfu", 
@@ -4129,8 +4305,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "Blocked", - "aerat" + "aerat", + "Blocked" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4154,9 +4330,7 @@ "forwarded" ], "url.original": "https://mail.example.org/caecat/uel.html?enim=umq#sistena", - "user.name": [ - "olup" - ], + "user.name": "olup", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", @@ -4169,7 +4343,9 @@ "destination.ip": [ "10.112.190.154" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "lab", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4187,8 +4363,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" + ], + "related.user": [ + "oremeu" ], "rsa.db.index": "Except", "rsa.identity.user_dept": "tvolup", @@ -4199,8 +4378,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "urau", - "Allowed" + "Allowed", + "urau" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4224,9 +4403,7 @@ "forwarded" ], "url.original": "https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna", - "user.name": [ - "oremeu" - ], + "user.name": "oremeu", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", 
@@ -4241,7 +4418,9 @@ "destination.ip": [ "10.195.153.42" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "rsit", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4259,8 +4438,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.250.48.82", - "10.195.153.42" + "10.195.153.42", + "10.250.48.82" + ], + "related.user": [ + "tsedquia" ], "rsa.db.index": "edictasu", "rsa.identity.user_dept": "serrorsi", @@ -4271,8 +4453,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "Allowed", - "upidatat" + "upidatat", + "Allowed" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4296,9 +4478,7 @@ "forwarded" ], "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", - "user.name": [ - "tsedquia" - ], + "user.name": "tsedquia", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -4313,7 +4493,9 @@ "destination.ip": [ "10.252.164.230" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "iumtota", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4334,6 +4516,9 @@ "10.60.52.219", "10.252.164.230" ], + "related.user": [ + "gnamali" + ], "rsa.db.index": "rumexer", "rsa.identity.user_dept": "usan", "rsa.internal.data": "hite", @@ -4368,9 +4553,7 @@ "forwarded" ], "url.original": "https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder", - "user.name": [ - "gnamali" - ], + "user.name": "gnamali", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "mobmail android 2.1.3.3150" 
@@ -4381,7 +4564,9 @@ "destination.ip": [ "10.187.16.73" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ptate", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4399,8 +4584,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.187.16.73", - "10.122.102.156" + "10.122.102.156", + "10.187.16.73" + ], + "related.user": [ + "emoen" ], "rsa.db.index": "volupt", "rsa.identity.user_dept": "metMa", @@ -4436,9 +4624,7 @@ "forwarded" ], "url.original": "https://api.example.com/nge/psum.gif?exerci=isnostru#iad", - "user.name": [ - "emoen" - ], + "user.name": "emoen", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -4453,7 +4639,9 @@ "destination.ip": [ "10.120.215.174" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ntexplic", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4474,6 +4662,9 @@ "10.120.215.174", "10.248.108.55" ], + "related.user": [ + "prehend" + ], "rsa.db.index": "rinci", "rsa.identity.user_dept": "tionemu", "rsa.internal.data": "cul", @@ -4483,8 +4674,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "Allowed", - "uatDu" + "uatDu", + "Allowed" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4508,9 +4699,7 @@ "forwarded" ], "url.original": "https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet", - "user.name": [ - "prehend" - ], + "user.name": "prehend", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", 
@@ -4523,7 +4712,9 @@ "destination.ip": [ "10.51.161.245" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "suntex", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4541,8 +4732,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.15.254.181", - "10.51.161.245" + "10.51.161.245", + "10.15.254.181" + ], + "related.user": [ + "abo" ], "rsa.db.index": "umdol", "rsa.identity.user_dept": "adipis", @@ -4553,8 +4747,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "Allowed", - "uteiru" + "uteiru", + "Allowed" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4578,9 +4772,7 @@ "forwarded" ], "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", - "user.name": [ - "abo" - ], + "user.name": "abo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -4595,7 +4787,9 @@ "destination.ip": [ "10.7.152.238" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "scipi", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4613,8 +4807,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" + ], + "related.user": [ + "equamn" ], "rsa.db.index": "enim", "rsa.identity.user_dept": "dol", 
@@ -4650,9 +4847,7 @@ "forwarded" ], "url.original": "https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse", - "user.name": [ - "equamn" - ], + "user.name": "equamn", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -4667,7 +4862,9 @@ "destination.ip": [ "10.29.162.157" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "remquela", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4685,8 +4882,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" + ], + "related.user": [ + "evelite" ], "rsa.db.index": "orese", "rsa.identity.user_dept": "orese", @@ -4722,9 +4922,7 @@ "forwarded" ], "url.original": "https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf", - "user.name": [ - "evelite" - ], + "user.name": "evelite", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", @@ -4739,7 +4937,9 @@ "destination.ip": [ "10.215.63.248" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "dantium", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -4757,8 +4957,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" + ], + "related.user": [ + "eavolupt" ], "rsa.db.index": "qui", "rsa.identity.user_dept": "uianonn", @@ -4769,8 +4972,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4794,9 +4997,7 @@ "forwarded" ], "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", - "user.name": [ - "eavolupt" - ], + "user.name": "eavolupt", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", @@ -4811,7 +5012,9 @@ "destination.ip": [ "10.26.115.88" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "edictas", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4832,6 +5035,9 @@ "10.26.115.88", "10.12.130.224" ], + "related.user": [ + "Nequepo" + ], "rsa.db.index": "boreetdo", "rsa.identity.user_dept": "itatis", "rsa.internal.data": "pre", @@ -4841,8 +5047,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", 
@@ -4866,9 +5072,7 @@ "forwarded" ], "url.original": "https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice", - "user.name": [ - "Nequepo" - ], + "user.name": "Nequepo", "user_agent.device.name": "STK-L21", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", @@ -4883,7 +5087,9 @@ "destination.ip": [ "10.193.152.42" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "nost", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4904,6 +5110,9 @@ "10.193.152.42", "10.91.20.27" ], + "related.user": [ + "edict" + ], "rsa.db.index": "iqua", "rsa.identity.user_dept": "modtempo", "rsa.internal.data": "usan", @@ -4913,8 +5122,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "umq", - "Blocked" + "Blocked", + "umq" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -4938,9 +5147,7 @@ "forwarded" ], "url.original": "https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc", - "user.name": [ - "edict" - ], + "user.name": "edict", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", @@ -4955,7 +5162,9 @@ "destination.ip": [ "10.146.69.38" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "Exce", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4976,6 +5185,9 @@ "10.55.192.102", "10.146.69.38" ], + "related.user": [ + "quia" + ], "rsa.db.index": "luptatem", "rsa.identity.user_dept": "uame", "rsa.internal.data": "iavol", 
@@ -5010,9 +5222,7 @@ "forwarded" ], "url.original": "https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq", - "user.name": [ - "quia" - ], + "user.name": "quia", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -5027,7 +5237,9 @@ "destination.ip": [ "10.249.1.143" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ntutlab", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5045,8 +5257,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.177.226", - "10.249.1.143" + "10.249.1.143", + "10.124.177.226" + ], + "related.user": [ + "isciveli" ], "rsa.db.index": "liqui", "rsa.identity.user_dept": "tincul", @@ -5082,9 +5297,7 @@ "forwarded" ], "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", - "user.name": [ - "isciveli" - ], + "user.name": "isciveli", "user_agent.device.name": "Other", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", @@ -5099,7 +5312,9 @@ "destination.ip": [ "10.167.176.220" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ione", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5120,6 +5335,9 @@ "10.167.176.220", "10.146.228.249" ], + "related.user": [ + "estla" + ], "rsa.db.index": "quipe", "rsa.identity.user_dept": "gitsed", "rsa.internal.data": "modit", 
@@ -5154,9 +5372,7 @@ "forwarded" ], "url.original": "https://example.org/vel/preh.html?sequamni=edutpers#deo", - "user.name": [ - "estla" - ], + "user.name": "estla", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", @@ -5171,7 +5387,9 @@ "destination.ip": [ "10.200.74.101" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ntmo", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5189,8 +5407,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" + ], + "related.user": [ + "litesse" ], "rsa.db.index": "nnumquam", "rsa.identity.user_dept": "sedquia", @@ -5226,9 +5447,7 @@ "forwarded" ], "url.original": "https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim", - "user.name": [ - "litesse" - ], + "user.name": "litesse", "user_agent.device.name": "Samsung SM-A305FN", "user_agent.name": "YandexSearch", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", @@ -5243,7 +5462,9 @@ "destination.ip": [ "10.162.78.48" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "tect", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5261,8 +5482,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.162.78.48", - "10.24.23.209" + "10.24.23.209", + "10.162.78.48" + ], + "related.user": [ + "ntore" ], "rsa.db.index": "eabil", "rsa.identity.user_dept": "iumd", 
@@ -5298,9 +5522,7 @@ "forwarded" ], "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", - "user.name": [ - "ntore" - ], + "user.name": "ntore", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5315,7 +5537,9 @@ "destination.ip": [ "10.55.151.53" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "commod", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5333,8 +5557,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.211.66.68", - "10.55.151.53" + "10.55.151.53", + "10.211.66.68" + ], + "related.user": [ + "squir" ], "rsa.db.index": "uidolore", "rsa.identity.user_dept": "maveni", @@ -5370,9 +5597,7 @@ "forwarded" ], "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", - "user.name": [ - "squir" - ], + "user.name": "squir", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5387,7 +5612,9 @@ "destination.ip": [ "10.110.16.169" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "labori", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5408,6 +5635,9 @@ "10.110.16.169", "10.209.203.156" ], + "related.user": [ + "mes" + ], "rsa.db.index": "mide", "rsa.identity.user_dept": "roinBCSe", "rsa.internal.data": "dipisciv", 
@@ -5442,9 +5672,7 @@ "forwarded" ], "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", - "user.name": [ - "mes" - ], + "user.name": "mes", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5459,7 +5687,9 @@ "destination.ip": [ "10.84.9.150" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "nsecte", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5477,8 +5707,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" + ], + "related.user": [ + "sequatDu" ], "rsa.db.index": "qui", "rsa.identity.user_dept": "ocons", @@ -5514,9 +5747,7 @@ "forwarded" ], "url.original": "https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo", - "user.name": [ - "sequatDu" - ], + "user.name": "sequatDu", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5531,7 +5762,9 @@ "destination.ip": [ "10.26.222.144" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "sintoc", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5549,8 +5782,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.222.144", - "10.124.119.48" + "10.124.119.48", + "10.26.222.144" + ], + "related.user": [ + "nre" ], "rsa.db.index": "doconse", "rsa.identity.user_dept": "amn", 
@@ -5586,9 +5822,7 @@ "forwarded" ], "url.original": "https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese", - "user.name": [ - "nre" - ], + "user.name": "nre", "user_agent.device.name": "Samsung SM-A305FN", "user_agent.name": "YandexSearch", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", @@ -5603,7 +5837,9 @@ "destination.ip": [ "10.164.190.2" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "datatno", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5621,8 +5857,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.223.11.164", - "10.164.190.2" + "10.164.190.2", + "10.223.11.164" + ], + "related.user": [ + "ten" ], "rsa.db.index": "asi", "rsa.identity.user_dept": "risnisiu", @@ -5633,8 +5872,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "antium", - "Allowed" + "Allowed", + "antium" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5658,9 +5897,7 @@ "forwarded" ], "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", - "user.name": [ - "ten" - ], + "user.name": "ten", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5675,7 +5912,9 @@ "destination.ip": [ "10.14.37.8" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "olor", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -5693,8 +5932,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.14.37.8", - "10.121.181.243" + "10.121.181.243", + "10.14.37.8" + ], + "related.user": [ + "umwr" ], "rsa.db.index": "samnisiu", "rsa.identity.user_dept": "errorsi", @@ -5705,8 +5947,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -5730,9 +5972,7 @@ "forwarded" ], "url.original": "https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis", - "user.name": [ - "umwr" - ], + "user.name": "umwr", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", @@ -5747,7 +5987,9 @@ "destination.ip": [ "10.90.20.202" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ostrude", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5768,6 +6010,9 @@ "10.90.20.202", "10.10.93.133" ], + "related.user": [ + "evita" + ], "rsa.db.index": "abillo", "rsa.identity.user_dept": "quipe", "rsa.internal.data": "ptate", @@ -5802,9 +6047,7 @@ "forwarded" ], "url.original": "https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu", - "user.name": [ - "evita" - ], + "user.name": "evita", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", 
@@ -5819,7 +6062,9 @@ "destination.ip": [ "10.34.98.144" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "pariatu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5840,6 +6085,9 @@ "10.34.98.144", "10.77.102.206" ], + "related.user": [ + "tectobe" + ], "rsa.db.index": "oreve", "rsa.identity.user_dept": "inBCSed", "rsa.internal.data": "laud", @@ -5874,9 +6122,7 @@ "forwarded" ], "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", - "user.name": [ - "tectobe" - ], + "user.name": "tectobe", "user_agent.device.name": "Other", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", @@ -5891,7 +6137,9 @@ "destination.ip": [ "10.176.233.249" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ntin", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5909,8 +6157,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.75.144.118", - "10.176.233.249" + "10.176.233.249", + "10.75.144.118" + ], + "related.user": [ + "isnos" ], "rsa.db.index": "atn", "rsa.identity.user_dept": "aconseq", @@ -5946,9 +6197,7 @@ "forwarded" ], "url.original": "https://example.org/olu/mqua.txt?mdolore=ita#aeratvol", - "user.name": [ - "isnos" - ], + "user.name": "isnos", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -5963,7 +6212,9 @@ "destination.ip": [ "10.149.6.107" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "mveleu", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -5984,6 +6235,9 @@ "10.149.6.107", "10.236.55.236" ], + "related.user": [ + "redolo" + ], "rsa.db.index": "chite", "rsa.identity.user_dept": "eseosqu", "rsa.internal.data": "rcit", @@ -6018,9 +6272,7 @@ "forwarded" ], "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", - "user.name": [ - "redolo" - ], + "user.name": "redolo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -6035,7 +6287,9 @@ "destination.ip": [ "10.97.202.149" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "itte", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6053,8 +6307,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.13.125.101", - "10.97.202.149" + "10.97.202.149", + "10.13.125.101" + ], + "related.user": [ + "colab" ], "rsa.db.index": "meumfug", "rsa.identity.user_dept": "velitess", @@ -6090,9 +6347,7 @@ "forwarded" ], "url.original": "https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque", - "user.name": [ - "colab" - ], + "user.name": "colab", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", @@ -6107,7 +6362,9 @@ "destination.ip": [ "10.141.66.163" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "iduntut", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -6125,8 +6382,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" + ], + "related.user": [ + "umdolo" ], "rsa.db.index": "squirati", "rsa.identity.user_dept": "serr", @@ -6137,8 +6397,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "mini", - "Blocked" + "Blocked", + "mini" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6162,9 +6422,7 @@ "forwarded" ], "url.original": "https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido", - "user.name": [ - "umdolo" - ], + "user.name": "umdolo", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", @@ -6179,7 +6437,9 @@ "destination.ip": [ "10.10.25.145" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "nrepre", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6200,6 +6460,9 @@ "10.224.249.228", "10.10.25.145" ], + "related.user": [ + "mnisiuta" + ], "rsa.db.index": "aliqui", "rsa.identity.user_dept": "ugiatq", "rsa.internal.data": "uisaut", @@ -6209,8 +6472,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "remap", - "Blocked" + "Blocked", + "remap" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6234,9 +6497,7 @@ "forwarded" ], "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", - "user.name": [ - "mnisiuta" - ], + "user.name": "mnisiuta", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", 
@@ -6251,7 +6512,9 @@ "destination.ip": [ "10.234.34.40" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "dolori", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6269,8 +6532,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.234.34.40", - "10.247.255.107" + "10.247.255.107", + "10.234.34.40" + ], + "related.user": [ + "aeabillo" ], "rsa.db.index": "ctobeat", "rsa.identity.user_dept": "elitsed", @@ -6306,9 +6572,7 @@ "forwarded" ], "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", - "user.name": [ - "aeabillo" - ], + "user.name": "aeabillo", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -6323,7 +6587,9 @@ "destination.ip": [ "10.124.81.20" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "piciatis", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6344,6 +6610,9 @@ "10.250.102.42", "10.124.81.20" ], + "related.user": [ + "tNequ" + ], "rsa.db.index": "uatD", "rsa.identity.user_dept": "tenby", "rsa.internal.data": "tectobe", @@ -6378,9 +6647,7 @@ "forwarded" ], "url.original": "https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac", - "user.name": [ - "tNequ" - ], + "user.name": "tNequ", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", @@ -6395,7 +6662,9 @@ "destination.ip": [ "10.166.205.159" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "siutal", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -6416,6 +6685,9 @@ "10.166.205.159", "10.154.188.132" ], + "related.user": [ + "uptat" + ], "rsa.db.index": "borisn", "rsa.identity.user_dept": "uisa", "rsa.internal.data": "riatur", @@ -6425,8 +6697,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "Allowed", - "onevolu" + "onevolu", + "Allowed" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6450,9 +6722,7 @@ "forwarded" ], "url.original": "https://www.example.com/tem/litsedq.htm?ium=utfugit#beat", - "user.name": [ - "uptat" - ], + "user.name": "uptat", "user_agent.device.name": "Spider", "user_agent.name": "Other", "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" @@ -6463,7 +6733,9 @@ "destination.ip": [ "10.46.71.46" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "ugiat", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6484,6 +6756,9 @@ "10.46.71.46", "10.138.193.38" ], + "related.user": [ + "sintocca" + ], "rsa.db.index": "mSectio", "rsa.identity.user_dept": "tate", "rsa.internal.data": "liquid", @@ -6493,8 +6768,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "upta", "rsa.misc.action": [ - "Allowed", - "uovolup" + "uovolup", + "Allowed" ], "rsa.misc.category": "todit", "rsa.misc.filter": "atisetq", @@ -6518,9 +6793,7 @@ "forwarded" ], "url.original": "https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn", - "user.name": [ - "sintocca" - ], + "user.name": "sintocca", "user_agent.device.name": "Spider", "user_agent.name": "Other", "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" 
@@ -6531,7 +6804,9 @@ "destination.ip": [ "10.254.119.31" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "uunturma", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6552,6 +6827,9 @@ "10.172.159.251", "10.254.119.31" ], + "related.user": [ + "usm" + ], "rsa.db.index": "tor", "rsa.identity.user_dept": "tconsect", "rsa.internal.data": "ons", @@ -6586,9 +6864,7 @@ "forwarded" ], "url.original": "https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum", - "user.name": [ - "usm" - ], + "user.name": "usm", "user_agent.device.name": "U20", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", @@ -6603,7 +6879,9 @@ "destination.ip": [ "10.195.62.230" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "sequat", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6621,8 +6899,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.195.62.230", - "10.98.126.206" + "10.98.126.206", + "10.195.62.230" + ], + "related.user": [ + "ptassit" ], "rsa.db.index": "amqua", "rsa.identity.user_dept": "atatnonp", @@ -6658,9 +6939,7 @@ "forwarded" ], "url.original": "https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr", - "user.name": [ - "ptassit" - ], + "user.name": "ptassit", "user_agent.device.name": "Samsung SM-A715F", "user_agent.name": "Facebook", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", 
@@ -6675,7 +6954,9 @@ "destination.ip": [ "10.144.93.186" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "adminim", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6693,8 +6974,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" + ], + "related.user": [ + "eroi" ], "rsa.db.index": "evolu", "rsa.identity.user_dept": "mull", @@ -6705,8 +6989,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6730,9 +7014,7 @@ "forwarded" ], "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", - "user.name": [ - "eroi" - ], + "user.name": "eroi", "user_agent.device.name": "Other", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", @@ -6747,7 +7029,9 @@ "destination.ip": [ "10.31.58.6" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "volu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6765,8 +7049,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.58.6", - "10.198.84.190" + "10.198.84.190", + "10.31.58.6" + ], + "related.user": [ + "unt" ], "rsa.db.index": "sec", "rsa.identity.user_dept": "ern", @@ -6777,8 +7064,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "qua", - "Allowed" + "Allowed", + "qua" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", 
@@ -6802,9 +7089,7 @@ "forwarded" ], "url.original": "https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame", - "user.name": [ - "unt" - ], + "user.name": "unt", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", @@ -6819,7 +7104,9 @@ "destination.ip": [ "10.139.90.218" ], - "event.action": "Allowed", + "event.action": [ + "Allowed" + ], "event.code": "umdol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6840,6 +7127,9 @@ "10.131.81.172", "10.139.90.218" ], + "related.user": [ + "hende" + ], "rsa.db.index": "tionu", "rsa.identity.user_dept": "icons", "rsa.internal.data": "ept", @@ -6874,9 +7164,7 @@ "forwarded" ], "url.original": "https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin", - "user.name": [ - "hende" - ], + "user.name": "hende", "user_agent.device.name": "Samsung GT-P3100 ", "user_agent.name": "Android", "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", @@ -6891,7 +7179,9 @@ "destination.ip": [ "10.128.43.71" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "ssequa", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6912,6 +7202,9 @@ "10.128.43.71", "10.152.217.174" ], + "related.user": [ + "mquiado" + ], "rsa.db.index": "nderit", "rsa.identity.user_dept": "nderitin", "rsa.internal.data": "utodit", 
@@ -6946,9 +7239,7 @@ "forwarded" ], "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", - "user.name": [ - "mquiado" - ], + "user.name": "mquiado", "user_agent.device.name": "Generic Tablet", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", @@ -6963,7 +7254,9 @@ "destination.ip": [ "10.26.149.221" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "umquidol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6984,6 +7277,9 @@ "10.26.149.221", "10.217.193.148" ], + "related.user": [ + "uisa" + ], "rsa.db.index": "tiumdol", "rsa.identity.user_dept": "oloremag", "rsa.internal.data": "pici", @@ -6993,8 +7289,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7018,9 +7314,7 @@ "forwarded" ], "url.original": "https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci", - "user.name": [ - "uisa" - ], + "user.name": "uisa", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", @@ -7035,7 +7329,9 @@ "destination.ip": [ "10.109.192.53" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "rehen", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7056,6 +7352,9 @@ "10.172.17.6", "10.109.192.53" ], + "related.user": [ + "eprehen" + ], "rsa.db.index": "tcupi", "rsa.identity.user_dept": "boriosa", "rsa.internal.data": "agnamali", 
@@ -7065,8 +7364,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "tassit", - "Blocked" + "Blocked", + "tassit" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7090,9 +7389,7 @@ "forwarded" ], "url.original": "https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe", - "user.name": [ - "eprehen" - ], + "user.name": "eprehen", "user_agent.device.name": "U20", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", @@ -7107,7 +7404,9 @@ "destination.ip": [ "10.119.106.108" ], - "event.action": "Blocked", + "event.action": [ + "Blocked" + ], "event.code": "iatisund", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7125,8 +7424,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.106.108", - "10.135.38.213" + "10.135.38.213", + "10.119.106.108" + ], + "related.user": [ + "ore" ], "rsa.db.index": "xplic", "rsa.identity.user_dept": "ser", @@ -7162,9 +7464,7 @@ "forwarded" ], "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", - "user.name": [ - "ore" - ], + "user.name": "ore", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index c1cdc030ae9..0167f066e64 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json 
@@ -1,7 +1,9 @@ [ { "@timestamp": "2017-06-23T17:16:42.000Z", - "event.action": "", + "event.action": [ + "" + ], "event.code": "", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -17,6 +19,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.user": [ + "" + ], "rsa.db.index": "", "rsa.identity.user_dept": "", "rsa.internal.data": "hello", @@ -46,9 +51,7 @@ "forwarded" ], "url.original": "", - "user.name": [ - "" - ], + "user.name": "", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "" From 2bd73b6be54f053a9c3261d1d2bc48729bd01b18 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 8 Jul 2020 20:14:29 +0200 Subject: [PATCH 11/19] Improved parsers Some pipelines were failing due to trailing space at the end of messages (which the original XML format ignores). Updated the generator to strip those spaces. --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../module/barracuda/waf/config/pipeline.js | 6 +- .../module/barracuda/waf/test/generated.log | 6 +- .../waf/test/generated.log-expected.json | 200 +- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../module/cisco/nexus/config/pipeline.js | 1051 ++++--- x-pack/filebeat/module/citrix/README.md | 2 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../module/cylance/protect/config/pipeline.js | 261 +- .../module/cylance/protect/test/generated.log | 172 +- .../protect/test/generated.log-expected.json | 2307 ++++++++-------- x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/pipeline.js | 2 +- .../module/f5/bigipapm/test/generated.log | 4 +- .../bigipapm/test/generated.log-expected.json | 156 +- .../module/f5/firepass/config/pipeline.js | 14 +- .../module/f5/firepass/test/generated.log | 18 +- .../firepass/test/generated.log-expected.json | 260 +- .../test/generated.log-expected.json | 216 +- x-pack/filebeat/module/imperva/README.md | 2 +- .../test/generated.log-expected.json | 710 ++--- x-pack/filebeat/module/infoblox/README.md | 2 +- .../module/infoblox/nios/config/pipeline.js | 770 +++--- .../module/infoblox/nios/test/generated.log | 8 +- .../nios/test/generated.log-expected.json | 195 +- x-pack/filebeat/module/juniper/README.md | 2 +- .../module/juniper/junos/config/pipeline.js | 1144 ++++---- x-pack/filebeat/module/kaspersky/README.md | 2 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../module/microsoft/dhcp/config/pipeline.js | 2 +- .../module/microsoft/dhcp/test/generated.log | 200 +- .../dhcp/test/generated.log-expected.json | 398 +-- x-pack/filebeat/module/netscout/README.md | 2 +- 
.../netscout/sightline/config/pipeline.js | 200 +- .../test/generated.log-expected.json | 20 +- x-pack/filebeat/module/radware/README.md | 2 +- x-pack/filebeat/module/rapid7/README.md | 2 +- .../module/rapid7/nexpose/config/pipeline.js | 58 +- .../module/rapid7/nexpose/test/generated.log | 76 +- .../nexpose/test/generated.log-expected.json | 396 ++- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/pipeline.js | 2416 ++++++++--------- .../sonicwall/firewall/test/generated.log | 190 +- .../firewall/test/generated.log-expected.json | 1157 ++++---- x-pack/filebeat/module/squid/README.md | 2 +- .../squid/log/test/access1.log-expected.json | 284 +- .../squid/log/test/access2.log-expected.json | 192 +- .../squid/log/test/access3.log-expected.json | 336 +-- .../squid/log/test/access4.log-expected.json | 352 +-- x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/pipeline.js | 6 +- x-pack/filebeat/module/tomcat/README.md | 2 +- x-pack/filebeat/module/zscaler/README.md | 2 +- .../zia/test/generated.log-expected.json | 428 +-- .../zscaler/zia/test/test.log-expected.json | 4 +- 55 files changed, 7137 insertions(+), 7114 deletions(-) diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md index a0237a37925..aa38d21fa9a 100644 --- a/x-pack/filebeat/module/barracuda/README.md +++ b/x-pack/filebeat/module/barracuda/README.md @@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 -at 2020-07-08 17:36:24.677398 +0000 UTC. +at 2020-07-08 18:27:57.27931 +0000 UTC. diff --git a/x-pack/filebeat/module/barracuda/waf/config/pipeline.js b/x-pack/filebeat/module/barracuda/waf/config/pipeline.js index 2610bacf6d0..ce7de663184 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/pipeline.js +++ b/x-pack/filebeat/module/barracuda/waf/config/pipeline.js 
@@ -703,14 +703,14 @@ var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGE var msg52 = msg("CONFIG_AGENT:01", part52); -var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command ", processor_chain([ +var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ dup3, setc("event_description","CONFIG_AGENT:Received put-tree command."), ])); var msg53 = msg("CONFIG_AGENT:02", part53); -var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3->} ", processor_chain([ +var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ dup4, setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), ])); @@ -731,7 +731,7 @@ var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGE var msg56 = msg("CONFIG_AGENT:05", part56); -var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3->} ", processor_chain([ +var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ dup3, setc("event_description","CONFIG_AGENT:No rules."), ])); diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log index 6d67b99b1e7..3348e14ab88 100644 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log 
@@ -6,8 +6,8 @@ BYPASS: Mode set to BYPASS (nbyCic). BYPASS: Mode change: ccusant,epteurs UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available INSTALL: Migrating configuration from umet to psaquaea -CONFIG_AGENT: gnamali iumdo No rules, exe -CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet +CONFIG_AGENT: gnamali iumdo No rules, exe +CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet STM_WRAPPER: [ALERT:mnisist] Configuration size is dutp which exceeds the ecillu safe limit. Please check your configuration. BYPASS: Mode set to never bypass. PROCMON: Monitoring links: enp0s2108 @@ -61,7 +61,7 @@ CONFIG_AGENT: eriamea rume Update succeeded STM: FEHCMON-iaturE veniam FEHC Monitor Module initialized. BYPASS: Mode set to BYPASS (quira). STM_WRAPPER: [ALERT:xplicab] Configuration size is utaliqu which exceeds the siut safe limit. Please check your configuration. -CONFIG_AGENT: emquela ons It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., idestl +CONFIG_AGENT: emquela ons It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., idestl CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. INSTALL: Migrating configuration from isautemv to onproid PROCMON: Monitoring links: enp0s6760 diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json index e66fe3a6a1b..c05693863d5 100644 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json 
@@ -163,16 +163,14 @@ "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: gnamali iumdo No rules, exe ", + "event.original": "CONFIG_AGENT: gnamali iumdo No rules, exe", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 419, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:No rules.", "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ @@ -184,16 +182,14 @@ "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet ", + "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 462, + "log.offset": 461, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ @@ -208,7 +204,7 @@ "event.original": "STM_WRAPPER: [ALERT:mnisist] Configuration size is dutp which exceeds the ecillu safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 593, + "log.offset": 591, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -227,7 +223,7 @@ "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 719, + "log.offset": 717, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -246,7 +242,7 @@ "event.original": "PROCMON: Monitoring links: enp0s2108", "fileset.name": "waf", "input.type": "log", - "log.offset": 753, + "log.offset": 751, "network.interface.name": "enp0s2108", "observer.product": "Web", "observer.type": "WAF", @@ -270,7 +266,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 790, + "log.offset": 788, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -288,7 +284,7 @@ "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 855, + "log.offset": 853, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -307,7 +303,7 @@ "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 985, + "log.offset": 983, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -327,7 +323,7 @@ "fileset.name": "waf", "host.ip": "10.158.247.188", "input.type": "log", - "log.offset": 1074, + "log.offset": 1072, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -352,7 +348,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 1157, + "log.offset": 1155, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -370,7 +366,7 @@ "event.original": "CONFIG_AGENT: luptate Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1225, + "log.offset": 1223, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -389,7 +385,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1294, + "log.offset": 1292, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -408,7 +404,7 @@ "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", "fileset.name": "waf", "input.type": "log", - "log.offset": 1337, + "log.offset": 1335, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -429,7 +425,7 @@ "fileset.name": "waf", "host.ip": "10.240.48.190", "input.type": "log", - "log.offset": 1391, + "log.offset": 1389, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -451,7 +447,7 @@ "event.original": "PROCMON: [ALERT:onse] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1472, + "log.offset": 1470, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -470,7 +466,7 @@ "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1531, + "log.offset": 1529, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -489,7 +485,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1570, + "log.offset": 1568, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -508,7 +504,7 @@ "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1613, + "log.offset": 1611, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -527,7 +523,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1647, + "log.offset": 1645, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -546,7 +542,7 @@ "event.original": "CONFIG_AGENT: metMalor RPC Name =iatur, RPC Result: assitas", "fileset.name": "waf", "input.type": "log", - "log.offset": 1690, + "log.offset": 1688, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -565,7 +561,7 @@ "event.original": "PROCMON: Monitoring links: lo514", "fileset.name": "waf", "input.type": "log", - "log.offset": 1750, + "log.offset": 1748, "network.interface.name": "lo514", "observer.product": "Web", "observer.type": "WAF", @@ -586,7 +582,7 @@ "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1783, + "log.offset": 1781, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -608,7 +604,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 1822, + "log.offset": 1820, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -626,7 +622,7 @@ "event.original": "BYPASS: Mode set to BYPASS (epor).", "fileset.name": "waf", "input.type": "log", - "log.offset": 1868, + "log.offset": 1866, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -645,7 +641,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1903, + "log.offset": 1901, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -664,7 +660,7 @@ "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 1946, + "log.offset": 1944, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -686,7 +682,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 1974, + "log.offset": 1972, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -704,7 +700,7 @@ "event.original": "CONFIG_AGENT: min Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2023, + "log.offset": 2021, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -723,7 +719,7 @@ "event.original": "INSTALL: Loading the snapshot for ave release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2088, + "log.offset": 2086, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -742,7 +738,7 @@ "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 2135, + "log.offset": 2133, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -761,7 +757,7 @@ "event.original": "PROCMON: number of stm worker threads isnisi", "fileset.name": "waf", "input.type": "log", - "log.offset": 2163, + "log.offset": 2161, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -781,7 +777,7 @@ "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2208, + "log.offset": 2206, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -800,7 +796,7 @@ "event.original": "BYPASS: State set to normal: starting heartbeat.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2247, + "log.offset": 2245, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -819,7 +815,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2296, + "log.offset": 2294, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -838,7 +834,7 @@ "event.original": "INSTALL: Loading the snapshot for ris release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2339, + "log.offset": 2337, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -857,7 +853,7 @@ "event.original": "STM_WRAPPER: [ALERT:orsi] Configuration size is econs which exceeds the orisni safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2386, + "log.offset": 2384, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -876,7 +872,7 @@ "event.original": "BYPASS: Mode change: reseosq,remque", "fileset.name": "waf", "input.type": "log", - "log.offset": 2510, + "log.offset": 2508, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -895,7 +891,7 @@ "event.original": "BYPASS: State set to normal: starting heartbeat.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2546, + "log.offset": 2544, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -914,7 +910,7 @@ "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2595, + "log.offset": 2593, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -933,7 +929,7 @@ "event.original": "PROCMON: Monitoring links: enp0s2948", "fileset.name": "waf", "input.type": "log", - "log.offset": 2664, + "log.offset": 2662, "network.interface.name": "enp0s2948", "observer.product": "Web", "observer.type": "WAF", 
@@ -954,7 +950,7 @@ "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 2701, + "log.offset": 2699, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -975,7 +971,7 @@ "event.original": "BYPASS: Mode set to BYPASS (iratio).", "fileset.name": "waf", "input.type": "log", - "log.offset": 2775, + "log.offset": 2773, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -994,7 +990,7 @@ "event.original": "STM_WRAPPER: [ALERT:onemul] Configuration size is byCicer which exceeds the ipitl safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2812, + "log.offset": 2810, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1013,7 +1009,7 @@ "event.original": "STM_WRAPPER: Committing UI configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2939, + "log.offset": 2937, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1032,7 +1028,7 @@ "event.original": "CONFIG_AGENT: ameaque Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2981, + "log.offset": 2979, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1054,7 +1050,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 3050, + "log.offset": 3048, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1072,7 +1068,7 @@ "event.original": "STM_WRAPPER: Committing UI configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3117, + "log.offset": 3115, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1091,7 +1087,7 @@ "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3159, + "log.offset": 3157, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1110,7 +1106,7 @@ "event.original": "UPDATE: [ALERT:mUtenim] New attack definition version 1.5823 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 3248, + "log.offset": 3246, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1132,7 +1128,7 @@ "fileset.name": "waf", "host.ip": "10.126.62.60", "input.type": "log", - "log.offset": 3322, + "log.offset": 3320, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1154,7 +1150,7 @@ "event.original": "CONFIG_AGENT: ionevo iaconse Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 3403, + "log.offset": 3401, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1173,7 +1169,7 @@ "event.original": "CONFIG_AGENT: eriamea rume Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 3449, + "log.offset": 3447, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1195,7 +1191,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 3493, + "log.offset": 3491, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1213,7 +1209,7 @@ "event.original": "BYPASS: Mode set to BYPASS (quira).", "fileset.name": "waf", "input.type": "log", - "log.offset": 3554, + "log.offset": 3552, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1232,7 +1228,7 @@ "event.original": "STM_WRAPPER: [ALERT:xplicab] Configuration size is utaliqu which exceeds the siut safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3590, + "log.offset": 3588, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1248,16 +1244,14 @@ "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: emquela ons It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., idestl ", + "event.original": "CONFIG_AGENT: emquela ons It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., idestl", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3717, + "log.offset": 3715, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ @@ -1272,7 +1266,7 @@ "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3850, + "log.offset": 3847, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1291,7 +1285,7 @@ "event.original": "INSTALL: Migrating configuration from isautemv to onproid", "fileset.name": "waf", "input.type": "log", - "log.offset": 3919, + "log.offset": 3916, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1310,7 +1304,7 @@ "event.original": "PROCMON: Monitoring links: enp0s6760", "fileset.name": "waf", "input.type": "log", - "log.offset": 3977, + "log.offset": 3974, "network.interface.name": "enp0s6760", "observer.product": "Web", "observer.type": "WAF", @@ -1331,7 +1325,7 @@ "event.original": "PROCMON: [ALERT:lupt] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4014, + "log.offset": 4011, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1351,7 +1345,7 @@ "fileset.name": "waf", "host.ip": "10.131.211.114", "input.type": "log", - "log.offset": 4073, + "log.offset": 4070, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1373,7 +1367,7 @@ "event.original": "INSTALL: Loading the snapshot for mod release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4156, + "log.offset": 4153, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1392,7 +1386,7 @@ "event.original": "INSTALL: Loading the snapshot for lamcolab release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4203, + "log.offset": 4200, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1411,7 +1405,7 @@ "event.original": "INSTALL: Migrating configuration from tfugit to taspern", "fileset.name": "waf", "input.type": "log", - "log.offset": 4255, + "log.offset": 4252, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1430,7 +1424,7 @@ "event.original": "BYPASS: State set to normal: starting heartbeat.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4311, + "log.offset": 4308, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1449,7 +1443,7 @@ "event.original": "INSTALL: Migrating configuration from uisnos to minim", "fileset.name": "waf", "input.type": "log", - "log.offset": 4360, + "log.offset": 4357, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1468,7 +1462,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4414, + "log.offset": 4411, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1487,7 +1481,7 @@ "event.original": "STM_WRAPPER: command(--digest) execution status = litsed", "fileset.name": "waf", "input.type": "log", - "log.offset": 4457, + "log.offset": 4454, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1510,7 +1504,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 4514, + "log.offset": 4511, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1528,7 +1522,7 @@ "event.original": "PROCMON: number of stm worker threads isonula", "fileset.name": "waf", "input.type": "log", - "log.offset": 4560, + "log.offset": 4557, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1551,7 +1545,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 4606, + "log.offset": 4603, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1572,7 +1566,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 4661, + "log.offset": 4658, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1590,7 +1584,7 @@ "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4787, + "log.offset": 4784, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1609,7 +1603,7 @@ "event.original": "PROCMON: [ALERT:itati] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4846, + "log.offset": 4843, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1628,7 +1622,7 @@ "event.original": "INSTALL: Migrating configuration from emagnama to urma", "fileset.name": "waf", "input.type": "log", - "log.offset": 4906, + "log.offset": 4903, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1647,7 +1641,7 @@ "event.original": "STM_WRAPPER: Committing UI configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4961, + "log.offset": 4958, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1666,7 +1660,7 @@ "event.original": "CONFIG_AGENT: reverit RPC Name =ptate, RPC Result: mexerc", "fileset.name": "waf", "input.type": "log", - "log.offset": 5003, + "log.offset": 5000, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1685,7 +1679,7 @@ "event.original": "CONFIG_AGENT: itatiset RPC Name =ptasn, RPC Result: quaeab", "fileset.name": "waf", "input.type": "log", - "log.offset": 5061, + "log.offset": 5058, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1704,7 +1698,7 @@ "event.original": "STM_WRAPPER: Committing UI configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5120, + "log.offset": 5117, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1723,7 +1717,7 @@ "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5162, + "log.offset": 5159, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1742,7 +1736,7 @@ "event.original": "INSTALL: Loading the snapshot for admi release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5196, + "log.offset": 5193, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1761,7 +1755,7 @@ "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 5244, + "log.offset": 5241, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1782,7 +1776,7 @@ "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5315, + "log.offset": 5312, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1801,7 +1795,7 @@ "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5404, + "log.offset": 5401, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1820,7 +1814,7 @@ "event.original": "BYPASS: State set to normal: starting heartbeat.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5438, + "log.offset": 5435, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1839,7 +1833,7 @@ "event.original": "BYPASS: Mode set to BYPASS (eniamqu).", "fileset.name": "waf", "input.type": "log", - "log.offset": 5487, + "log.offset": 5484, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1858,7 +1852,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5525, + "log.offset": 5522, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1877,7 +1871,7 @@ "event.original": "PROCMON: [ALERT:orpori] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5568, + "log.offset": 5565, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1896,7 +1890,7 @@ "event.original": "UPDATE: [ALERT:utlabor] New attack definition version 1.6441 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 5629, + "log.offset": 5626, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1917,7 +1911,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5703, + "log.offset": 5700, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1936,7 +1930,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5746, + "log.offset": 5743, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1955,7 +1949,7 @@ "event.original": "PROCMON: [ALERT:quaeabi] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5789, + "log.offset": 5786, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md index 2dc864e6b23..7411706ec17 100644 --- a/x-pack/filebeat/module/bluecoat/README.md +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 -at 2020-07-08 17:36:26.328734 +0000 UTC. +at 2020-07-08 18:27:58.877101 +0000 UTC. diff --git a/x-pack/filebeat/module/cisco/nexus/config/pipeline.js b/x-pack/filebeat/module/cisco/nexus/config/pipeline.js index 610b33684ca..6e00850108a 100644 
--- a/x-pack/filebeat/module/cisco/nexus/config/pipeline.js +++ b/x-pack/filebeat/module/cisco/nexus/config/pipeline.js @@ -254,7 +254,7 @@ var dup95 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{even dup4, ])); -var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result}) ", processor_chain([ +var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, @@ -406,7 +406,7 @@ var select1 = linear_select([ var msg1 = msg("LOG-7-SYSTEM_MSG", dup87); -var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}] ", processor_chain([ +var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ dup5, dup2, dup3, @@ -426,7 +426,7 @@ var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Au var msg3 = msg("SYSTEM_MSG:12", part2); -var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}] ", processor_chain([ +var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ dup5, dup2, dup3, 
@@ -436,7 +436,7 @@ var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Au var msg4 = msg("SYSTEM_MSG:01", part3); -var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost->} ", processor_chain([ +var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ dup5, dup2, dup3, @@ -832,7 +832,7 @@ var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Po var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); -var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone->} ", processor_chain([ +var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ dup15, dup2, dup3, @@ -1360,14 +1360,7 @@ var select17 = linear_select([ msg107, ]); -var part88 = match("MESSAGE#107:IF_DOWN_INITIALIZING", "nwparser.payload", "Interface %{interface->} is down (%{result}) ", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg108 = msg("IF_DOWN_INITIALIZING", part88); +var msg108 = msg("IF_DOWN_INITIALIZING", dup91); var msg109 = msg("IF_DOWN_INITIALIZING:01", dup96); 
@@ -1376,7 +1369,7 @@ var select18 = linear_select([ msg109, ]); -var part89 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup35, dup36, @@ -1386,7 +1379,7 @@ var part89 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{ dup4, ])); -var msg110 = msg("IF_DOWN_NONE", part89); +var msg110 = msg("IF_DOWN_NONE", part88); var msg111 = msg("IF_DOWN_NONE:01", dup97); 
@@ -1408,43 +1401,43 @@ var msg114 = msg("IF_DOWN_OFFLINE", dup89); var msg115 = msg("IF_DOWN_OLS_RCVD", dup89); -var part90 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup32, dup2, dup3, dup4, ])); -var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part90); +var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup91); -var part91 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info}) ", processor_chain([ +var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg118 = msg("IF_TRUNK_DOWN", part91); +var msg118 = msg("IF_TRUNK_DOWN", part90); -var part92 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ +var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg119 = msg("IF_TRUNK_DOWN:01", part92); +var msg119 = msg("IF_TRUNK_DOWN:01", part91); -var part93 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ +var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg120 = msg("IF_TRUNK_DOWN:02", part93); +var msg120 = msg("IF_TRUNK_DOWN:02", part92); var select21 = linear_select([ msg118, 
@@ -1452,32 +1445,32 @@ var select21 = linear_select([ msg120, ]); -var part94 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ +var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg121 = msg("IF_TRUNK_UP", part94); +var msg121 = msg("IF_TRUNK_UP", part93); -var part95 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ +var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg122 = msg("IF_TRUNK_UP:01", part95); +var msg122 = msg("IF_TRUNK_UP:01", part94); -var part96 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ +var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg123 = msg("IF_TRUNK_UP:02", part96); +var msg123 = msg("IF_TRUNK_UP:02", part95); var select22 = linear_select([ msg121, 
@@ -1487,18 +1480,18 @@ var select22 = linear_select([ var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup98); -var part97 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ +var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg125 = msg("IF_PORTPROFILE_ATTACHED", part97); +var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); var msg126 = msg("STANDBY_SUP_OK", dup88); -var part98 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ +var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ dup15, dup2, dup3, 
@@ -1506,61 +1499,61 @@ var part98 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops det setc("event_description","Loops detected in the network among ports"), ])); -var msg127 = msg("STM_LOOP_DETECT", part98); +var msg127 = msg("STM_LOOP_DETECT", part97); -var part99 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ +var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg128 = msg("SYNC_COMPLETE", part99); +var msg128 = msg("SYNC_COMPLETE", part98); var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup98); var msg130 = msg("MESG", dup88); -var part100 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ +var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ dup34, dup2, dup3, dup4, ])); -var msg131 = msg("ERR_MSG", part100); +var msg131 = msg("ERR_MSG", part99); var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup98); -var part101 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ +var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). 
Aborting configuration copy.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg133 = msg("CFGWRITE_ABORTED_LOCK", part101); +var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); -var part102 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ +var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg134 = msg("CFGWRITE_FAILED", part102); +var msg134 = msg("CFGWRITE_FAILED", part101); var msg135 = msg("CFGWRITE_ABORTED", dup88); var msg136 = msg("CFGWRITE_DONE", dup88); -var part103 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", " %{event_description->} (PID %{process_id})."); +var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", " %{event_description->} (PID %{process_id})."); -var part104 = match("MESSAGE#136:CFGWRITE_STARTED/0_1", "nwparser.payload", "%{event_description}"); +var part103 = match("MESSAGE#136:CFGWRITE_STARTED/0_1", "nwparser.payload", "%{event_description}"); var select23 = linear_select([ + part102, part103, - part104, ]); var all10 = all_match({ @@ -1581,14 +1574,14 @@ var msg138 = msg("IF_ATTACHED", dup88); var msg139 = msg("IF_DELETE_AUTO", dup95); -var part105 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ +var part104 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ dup25, dup2, dup3, dup4, ])); -var msg140 = msg("IF_DETACHED", part105); +var msg140 = msg("IF_DETACHED", part104); var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup95); 
@@ -1596,74 +1589,74 @@ var msg142 = msg("IF_DOWN_INACTIVE", dup89); var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup89); -var part106 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ +var part105 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part106); +var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part105); -var part107 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ +var part106 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ dup37, dup2, dup3, dup4, ])); -var msg145 = msg("CONN_CONNECT", part107); +var msg145 = msg("CONN_CONNECT", part106); -var part108 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ +var part107 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ setc("eventcategory","1801030000"), dup2, dup3, dup4, ])); -var msg146 = msg("CONN_DISCONNECT", part108); +var msg146 = msg("CONN_DISCONNECT", part107); -var part109 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ +var part108 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ dup30, dup2, dup3, dup4, ])); -var msg147 = msg("DVPG_CREATE", part109); +var msg147 = msg("DVPG_CREATE", part108); -var part110 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ +var part109 = match("MESSAGE#147:DVPG_DELETE", 
"nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ dup25, dup2, dup3, dup4, ])); -var msg148 = msg("DVPG_DELETE", part110); +var msg148 = msg("DVPG_DELETE", part109); var msg149 = msg("DVS_HOSTMEMBER_INFO", dup88); -var part111 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ +var part110 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg150 = msg("DVS_NAME_CHANGE", part111); +var msg150 = msg("DVS_NAME_CHANGE", part110); var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup88); -var part112 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ +var part111 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg152 = msg("VPC_DELETED", part112); +var msg152 = msg("VPC_DELETED", part111); -var part113 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ +var part112 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ dup8, dup2, dup3, 
@@ -1671,22 +1664,22 @@ var part113 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} setc("event_description","VPC is up"), ])); -var msg153 = msg("VPC_UP", part113); +var msg153 = msg("VPC_UP", part112); -var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); +var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); -var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); +var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); -var part116 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "%{saddr}"); +var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "%{saddr}"); var select24 = linear_select([ + part114, part115, - part116, ]); var all11 = all_match({ processors: [ - part114, + part113, select24, ], on_success: processor_chain([ 
@@ -1699,30 +1692,30 @@ var all11 = all_match({ var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); -var part117 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ +var part116 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part117); +var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part116); var select25 = linear_select([ msg154, msg155, ]); -var part118 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ +var part117 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part118); +var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part117); -var part119 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ +var part118 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ dup23, dup38, dup39, @@ -1734,9 +1727,9 @@ var part119 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", dup41, ])); -var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part119); +var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part118); -var part120 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username->} ", processor_chain([ +var part119 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ dup15, dup2, dup3, 
@@ -1744,99 +1737,99 @@ var part120 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "s setc("event_description","program start"), ])); -var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part120); +var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part119); -var part121 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ +var part120 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part121); +var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part120); -var part122 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ +var part121 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part122); +var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part121); -var part123 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ +var part122 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part123); +var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part122); -var part124 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ +var part123 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ dup19, dup2, dup3, dup4, ])); -var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part124); +var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part123); -var part125 = 
match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ +var part124 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part125); +var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part124); -var part126 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ +var part125 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part126); +var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part125); -var part127 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ +var part126 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part127); +var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part126); -var part128 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ +var part127 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", 
processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part128); +var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part127); -var part129 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ +var part128 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part129); +var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part128); -var part130 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ +var part129 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part130); +var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part129); -var part131 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result}) ", processor_chain([ +var part130 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ dup15, dup2, dup3, 
@@ -1844,18 +1837,18 @@ var part131 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", dup42, ])); -var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part131); +var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part130); -var part132 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ +var part131 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part132); +var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part131); -var part133 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ +var part132 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ dup15, dup2, dup3, 
@@ -1863,15 +1856,15 @@ var part133 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", dup42, ])); -var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part133); +var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part132); -var part134 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); +var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); -var part135 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); +var part134 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); var select26 = linear_select([ + part133, part134, - part135, ]); var all12 = all_match({ @@ -1891,13 +1884,13 @@ var all12 = all_match({ var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); -var part136 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); +var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); -var part137 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); +var part136 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); var select27 = linear_select([ + part135, part136, - part137, ]); var all13 = all_match({ 
@@ -1917,16 +1910,16 @@ var all13 = all_match({ var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); -var part138 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ +var part137 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part138); +var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part137); -var part139 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ +var part138 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ dup18, dup2, dup3, @@ -1937,9 +1930,9 @@ var part139 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", dup45, ])); -var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part139); +var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part138); -var part140 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ +var part139 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ dup19, dup2, dup3, 
@@ -1950,63 +1943,63 @@ var part140 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", dup45, ])); -var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part140); +var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part139); -var part141 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ +var part140 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part141); +var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part140); -var part142 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ +var part141 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part142); +var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part141); -var part143 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ +var part142 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part143); +var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part142); -var part144 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ +var part143 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy 
%{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part144); +var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part143); -var part145 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ +var part144 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part145); +var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part144); -var part146 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ +var part145 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part146); +var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part145); -var part147 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ +var part146 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ dup15, dup2, dup3, 
@@ -2014,34 +2007,34 @@ var part147 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", setc("event_description","shell terminated"), ])); -var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part147); +var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part146); -var part148 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ +var part147 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part148); +var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part147); -var part149 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ +var part148 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part149); +var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part148); -var part150 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ +var part149 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part150); +var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part149); var select28 = linear_select([ msg156, 
@@ -2105,14 +2098,14 @@ var all14 = all_match({ var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); -var part151 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ +var part150 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part151); +var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part150); var all15 = all_match({ processors: [ @@ -2142,7 +2135,7 @@ var all15 = all_match({ var msg189 = msg("ACLLOG_NEW_FLOW", all15); -var part152 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ +var part151 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ dup1, dup2, dup3, 
@@ -2150,88 +2143,88 @@ var part152 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{proce setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), ])); -var msg190 = msg("DUP_VADDR_SRC_IP", part152); +var msg190 = msg("DUP_VADDR_SRC_IP", part151); -var part153 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ +var part152 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg191 = msg("IF_ERROR_VLANS_REMOVED", part153); +var msg191 = msg("IF_ERROR_VLANS_REMOVED", part152); -var part154 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ +var part153 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part154); +var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part153); -var part155 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ +var part154 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg193 = msg("IF_DOWN_CFG_CHANGE", part155); +var msg193 = msg("IF_DOWN_CFG_CHANGE", part154); -var part156 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. 
During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ +var part155 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg194 = msg("PFM_CLOCK_CHANGE", part156); +var msg194 = msg("PFM_CLOCK_CHANGE", part155); -var part157 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ +var part156 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part157); +var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part156); -var part158 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ +var part157 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg196 = msg("snmpd", part158); +var msg196 = msg("snmpd", part157); -var part159 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ +var part158 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg197 = msg("snmpd:01", part159); +var msg197 = msg("snmpd:01", part158); var select29 = linear_select([ msg196, msg197, ]); -var part160 = 
match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ +var part159 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg198 = msg("CFGWRITE_USER_ABORT", part160); +var msg198 = msg("CFGWRITE_USER_ABORT", part159); var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup96); -var part161 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time ", processor_chain([ +var part160 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ dup15, dup2, dup3, @@ -2240,18 +2233,18 @@ var part161 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{ setc("dclass_counter1_string","Number of times repeated"), ])); -var msg200 = msg("last", part161); +var msg200 = msg("last", part160); -var part162 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ +var part161 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ dup33, dup2, dup3, dup4, ])); -var msg201 = msg("SERVICE_CRASHED", part162); +var msg201 = msg("SERVICE_CRASHED", part161); -var part163 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ +var part162 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ dup62, dup2, dup3, 
@@ -2259,35 +2252,35 @@ var part163 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{se setc("event_description","Service lost on WCCP Client"), ])); -var msg202 = msg("SERVICELOST", part163); +var msg202 = msg("SERVICELOST", part162); -var part164 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ +var part163 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part164); +var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part163); -var part165 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); +var part164 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); -var part166 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); +var part165 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); -var part167 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); +var part166 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); var select30 = linear_select([ + part165, part166, - part167, ]); -var part168 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "%{}(Serial number %{serial_number})"); +var part167 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "%{}(Serial number %{serial_number})"); var all16 = all_match({ processors: [ - part165, + part164, select30, - part168, + part167, ], on_success: processor_chain([ dup24, 
@@ -2303,70 +2296,70 @@ var msg205 = msg("INFORMATION", dup88); var msg206 = msg("EVENT", dup88); -var part169 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ +var part168 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg207 = msg("NATIVE_VLAN_MISMATCH", part169); +var msg207 = msg("NATIVE_VLAN_MISMATCH", part168); -var part170 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ +var part169 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ dup30, dup2, dup3, dup4, ])); -var msg208 = msg("NEIGHBOR_ADDED", part170); +var msg208 = msg("NEIGHBOR_ADDED", part169); -var part171 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ +var part170 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ dup25, dup2, dup3, dup4, ])); -var msg209 = msg("NEIGHBOR_REMOVED", part171); +var msg209 = msg("NEIGHBOR_REMOVED", part170); -var part172 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ +var part171 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg210 = msg("IF_BANDWIDTH_CHANGE", part172); +var msg210 = msg("IF_BANDWIDTH_CHANGE", 
part171); -var part173 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ +var part172 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part173); +var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part172); -var part174 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ +var part173 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg212 = msg("PORT_INDIVIDUAL_DOWN", part174); +var msg212 = msg("PORT_INDIVIDUAL_DOWN", part173); -var part175 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ +var part174 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg213 = msg("PORT_SUSPENDED", part175); +var msg213 = msg("PORT_SUSPENDED", part174); -var part176 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ +var part175 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ dup15, dup2, dup3, 
@@ -2374,7 +2367,7 @@ var part176 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Upl setc("change_attribute","status"), ])); -var msg214 = msg("FEX_PORT_STATUS_NOTI", part176); +var msg214 = msg("FEX_PORT_STATUS_NOTI", part175); var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup103); 
@@ -2382,34 +2375,34 @@ var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup88); var msg217 = msg("ADJCHANGE", dup88); -var part177 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ +var part176 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ dup30, dup2, dup3, dup4, ])); -var msg218 = msg("PORT_ADDED", part177); +var msg218 = msg("PORT_ADDED", part176); -var part178 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ +var part177 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ dup25, dup2, dup3, dup4, ])); -var msg219 = msg("PORT_DELETED", part178); +var msg219 = msg("PORT_DELETED", part177); -var part179 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ +var part178 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ dup63, dup2, dup3, dup4, ])); -var msg220 = msg("PORT_ROLE", part179); +var msg220 = msg("PORT_ROLE", part178); -var part180 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ +var part179 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ dup15, dup2, dup3, 
@@ -2417,18 +2410,18 @@ var part180 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interf setc("change_attribute","Port state"), ])); -var msg221 = msg("PORT_STATE", part180); +var msg221 = msg("PORT_STATE", part179); -var part181 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ +var part180 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ dup24, dup2, dup3, dup4, ])); -var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part181); +var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part180); -var part182 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ +var part181 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ dup23, dup38, dup39, 
@@ -2440,34 +2433,34 @@ var part182 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payloa dup41, ])); -var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part182); +var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part181); -var part183 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ +var part182 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ dup64, dup2, dup4, ])); -var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part183); +var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part182); -var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); +var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); -var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); +var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); -var part186 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); +var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); var select31 = linear_select([ + part184, part185, - part186, ]); -var part187 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); +var part186 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); var all17 = all_match({ processors: [ - part184, + part183, select31, - part187, + 
part186, ], on_success: processor_chain([ dup64, @@ -2478,30 +2471,30 @@ var all17 = all_match({ var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); -var part188 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ +var part187 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ dup64, dup2, dup4, ])); -var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part188); +var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part187); -var part189 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ +var part188 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ dup64, dup2, dup4, setc("event_description","Performing configuration copy"), ])); -var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part189); +var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part188); -var part190 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); +var part189 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); var all18 = all_match({ processors: [ dup65, dup104, - part190, + part189, dup105, ], on_success: processor_chain([ 
@@ -2514,13 +2507,13 @@ var all18 = all_match({ var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); -var part191 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); +var part190 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); var all19 = all_match({ processors: [ dup65, dup104, - part191, + part190, dup105, ], on_success: processor_chain([ @@ -2555,7 +2548,7 @@ var msg234 = msg("IF_DOWN_PEER_CLOSE", dup107); var msg235 = msg("IF_DOWN_PEER_RESET", dup107); -var part192 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ +var part191 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ dup15, dup2, dup3, @@ -2563,9 +2556,9 @@ var part192 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", " setc("event_description","configuration is not consistent in domain"), ])); -var msg236 = msg("INTF_CONSISTENCY_FAILED", part192); +var msg236 = msg("INTF_CONSISTENCY_FAILED", part191); -var part193 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ +var part192 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ dup8, dup2, dup3, 
@@ -2573,20 +2566,20 @@ var part193 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", setc("event_description","configuration is consistent in domain"), ])); -var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part193); +var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part192); var msg238 = msg("INTF_COUNTERS_CLEARED", dup106); var msg239 = msg("IF_HARDWARE", dup106); -var part194 = match("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ +var part193 = match("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ setc("eventcategory","1604010000"), dup2, dup3, dup4, ])); -var msg240 = msg("HEARTBEAT_FAILURE", part194); +var msg240 = msg("HEARTBEAT_FAILURE", part193); var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup88); @@ -2596,13 +2589,13 @@ var msg243 = msg("MOUNT", dup88); var msg244 = msg("LOG_CMP_UP", dup88); -var part195 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "%{}Temperature Warning cleared"); +var part194 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "%{}Temperature Warning cleared"); var all20 = all_match({ processors: [ dup70, dup108, - part195, + part194, ], on_success: processor_chain([ dup15, @@ -2621,13 +2614,13 @@ var select33 = linear_select([ msg246, ]); -var part196 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "%{}Temperature Alarm cleared"); +var part195 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "%{}Temperature Alarm cleared"); var all21 = all_match({ processors: [ dup70, dup108, - part196, + part195, ], on_success: processor_chain([ dup15, 
@@ -2650,13 +2643,13 @@ var msg249 = msg("MEMORY_ALERT", dup88); var msg250 = msg("MEMORY_ALERT_RECOVERED", dup88); -var part197 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "%{}Rx Power Alarm cleared"); +var part196 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "%{}Rx Power Alarm cleared"); var all22 = all_match({ processors: [ dup70, dup108, - part197, + part196, ], on_success: processor_chain([ dup15, @@ -2675,31 +2668,31 @@ var select35 = linear_select([ msg252, ]); -var part198 = match("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "%{event_description}", processor_chain([ +var part197 = match("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "%{event_description}", processor_chain([ dup62, dup2, dup3, dup4, ])); -var msg253 = msg("NBRCHANGE_DUAL", part198); +var msg253 = msg("NBRCHANGE_DUAL", part197); -var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{device->} %{action}: System %{p0}"); +var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{device->} %{action}: System %{p0}"); -var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "%{device->} System %{p0}"); +var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "%{device->} System %{p0}"); var select36 = linear_select([ + part198, part199, - part200, ]); -var part201 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "%{}minor alarm on fans in fan tray %{dclass_counter1}"); +var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "%{}minor alarm on fans in fan tray %{dclass_counter1}"); var all23 = all_match({ processors: [ dup21, select36, - part201, + part200, ], on_success: processor_chain([ dup62, 
@@ -2714,7 +2707,7 @@ var all23 = all_match({ var msg254 = msg("SOHMS_DIAG_ERROR", all23); -var part202 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result->} ", processor_chain([ +var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ dup62, dup39, dup73, @@ -2724,9 +2717,9 @@ var part202 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{de setc("event_description","FEX-System minor alarm on power supply."), ])); -var msg255 = msg("SOHMS_DIAG_ERROR:01", part202); +var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); -var part203 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description->} ", processor_chain([ +var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ dup62, dup39, dup73, @@ -2735,7 +2728,7 @@ var part203 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{de dup4, ])); -var msg256 = msg("SOHMS_DIAG_ERROR:02", part203); +var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); var select37 = linear_select([ msg254, @@ -2743,7 +2736,7 @@ var select37 = linear_select([ msg256, ]); -var part204 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ +var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ dup74, dup35, dup39, 
@@ -2754,9 +2747,9 @@ var part204 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Fa setc("event_description","Failed to program the mac table"), ])); -var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part204); +var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); -var part205 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ +var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ dup19, dup11, dup20, @@ -2767,9 +2760,9 @@ var part205 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", setc("event_description","deleting expired user account"), ])); -var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part205); +var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); -var part206 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ +var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ dup31, dup35, dup39, @@ -2780,9 +2773,9 @@ var part206 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{ setc("event_description","Interface is admin up."), ])); -var msg259 = msg("IF_ADMIN_UP", part206); +var msg259 = msg("IF_ADMIN_UP", part205); -var part207 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ +var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ dup31, dup35, dup39, 
@@ -2794,9 +2787,9 @@ var part207 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name- dup75, ])); -var msg260 = msg("VPC_CFGD", part207); +var msg260 = msg("VPC_CFGD", part206); -var part208 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ +var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ dup31, dup39, dup17, @@ -2806,9 +2799,9 @@ var part208 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Man setc("event_description","System Manager has received notification of local module becoming online."), ])); -var msg261 = msg("MODULE_ONLINE", part208); +var msg261 = msg("MODULE_ONLINE", part207); -var part209 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ +var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ dup31, dup76, dup77, @@ -2818,9 +2811,9 @@ var part209 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", " setc("event_description","System booted from Primary BIOS Flash"), ])); -var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part209); +var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); -var part210 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ +var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ dup78, dup35, dup39, 
@@ -2832,39 +2825,39 @@ var part210 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj dup75, ])); -var msg263 = msg("PEER_VPC_DOWN", part210); +var msg263 = msg("PEER_VPC_DOWN", part209); -var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); +var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); -var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); +var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); -var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); +var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); var select38 = linear_select([ + part211, part212, - part213, ]); -var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); +var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); -var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); +var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); -var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); +var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); var select39 = linear_select([ + part214, part215, - part216, ]); -var part217 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); +var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); var all24 = all_match({ processors: [ - part211, + part210, select38, - part214, + part213, select39, - part217, + part216, ], 
on_success: processor_chain([ dup37, @@ -2877,7 +2870,7 @@ var all24 = all_match({ var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); -var part218 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ +var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ dup37, dup35, dup79, @@ -2889,9 +2882,9 @@ var part218 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payloa setc("event_description","In domain, vPC peer keep-alive receive is successful"), ])); -var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part218); +var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); -var part219 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ +var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ dup78, dup35, dup79, @@ -2903,9 +2896,9 @@ var part219 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", setc("event_description","In domain, VPC peer keep-alive receive has failed"), ])); -var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part219); +var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); -var part220 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ +var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ dup37, dup35, dup80, 
@@ -2916,9 +2909,9 @@ var part220 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.pay setc("event_description","In domain, VPC peer-keepalive sent on interface"), ])); -var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part220); +var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); -var part221 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ +var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ dup37, dup35, dup80, @@ -2930,9 +2923,9 @@ var part221 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payloa setc("event_description","In domain, vPC peer keep-alive send is successful"), ])); -var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part221); +var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); -var part222 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ +var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ dup31, dup35, dup16, @@ -2944,9 +2937,9 @@ var part222 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "I setc("change_attribute","peer keep-alive status"), ])); -var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part222); +var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); -var part223 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ +var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ dup31, dup16, dup39, 
@@ -2956,9 +2949,9 @@ var part223 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Eje setc("event_description","Ejectors' status in slot has changed."), ])); -var msg270 = msg("EJECTOR_STAT_CHANGED", part223); +var msg270 = msg("EJECTOR_STAT_CHANGED", part222); -var part224 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ +var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ dup30, setc("ec_activity","Detect"), dup39, @@ -2968,9 +2961,9 @@ var part224 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41 setc("event_description","Xbar detected"), ])); -var msg271 = msg("XBAR_DETECT", part224); +var msg271 = msg("XBAR_DETECT", part223); -var part225 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ +var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ dup15, dup76, dup77, @@ -2980,9 +2973,9 @@ var part225 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41- setc("event_description","Xbar powered up"), ])); -var msg272 = msg("XBAR_PWRUP", part225); +var msg272 = msg("XBAR_PWRUP", part224); -var part226 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ +var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ dup15, dup76, setc("ec_activity","Stop"), 
@@ -2992,9 +2985,9 @@ var part226 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41- setc("event_description","Xbar powered down"), ])); -var msg273 = msg("XBAR_PWRDN", part226); +var msg273 = msg("XBAR_PWRDN", part225); -var part227 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ +var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ dup15, dup2, dup3, @@ -3002,9 +2995,9 @@ var part227 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} setc("event_description","Xbar is online"), ])); -var msg274 = msg("XBAR_OK", part227); +var msg274 = msg("XBAR_OK", part226); -var part228 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ +var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ dup15, dup2, dup3, @@ -3012,9 +3005,9 @@ var part228 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC setc("event_description","Peer vPC switch ISSU start, locking configuration"), ])); -var msg275 = msg("VPC_ISSU_START", part228); +var msg275 = msg("VPC_ISSU_START", part227); -var part229 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ +var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ dup15, dup2, dup3, 
@@ -3022,9 +3015,9 @@ var part229 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC sw setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), ])); -var msg276 = msg("VPC_ISSU_END", part229); +var msg276 = msg("VPC_ISSU_END", part228); -var part230 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ +var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ dup63, dup2, dup3, @@ -3032,9 +3025,9 @@ var part230 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role setc("obj_type","new_role"), ])); -var msg277 = msg("PORT_RANGE_ROLE", part230); +var msg277 = msg("PORT_RANGE_ROLE", part229); -var part231 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ +var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ dup63, dup2, dup3, @@ -3042,9 +3035,9 @@ var part231 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_sta setc("obj_type","new_state"), ])); -var msg278 = msg("PORT_RANGE_STATE", part231); +var msg278 = msg("PORT_RANGE_STATE", part230); -var part232 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ +var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ dup25, dup35, dup20, 
@@ -3055,9 +3048,9 @@ var part232 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Inter setc("event_description","Interface removed from MST."), ])); -var msg279 = msg("PORT_RANGE_DELETED", part232); +var msg279 = msg("PORT_RANGE_DELETED", part231); -var part233 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ +var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ dup30, dup35, dup81, @@ -3068,9 +3061,9 @@ var part233 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interfa setc("event_description","Interface added to MST."), ])); -var msg280 = msg("PORT_RANGE_ADDED", part233); +var msg280 = msg("PORT_RANGE_ADDED", part232); -var part234 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ +var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ dup25, dup35, dup20, @@ -3081,9 +3074,9 @@ var part234 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port % setc("event_description","Port removed as MST Boundary port"), ])); -var msg281 = msg("MST_PORT_BOUNDARY", part234); +var msg281 = msg("MST_PORT_BOUNDARY", part233); -var part235 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. Error Type: %{result}.%{info->} ", processor_chain([ +var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. Error Type: %{result}.%{info}", processor_chain([ dup1, dup2, dup3, 
@@ -3091,9 +3084,9 @@ var part235 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.paylo setc("event_description","Non-transactional PIXM Error"), ])); -var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part235); +var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); -var part236 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43->} ", processor_chain([ +var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ dup8, dup2, dup3, @@ -3101,9 +3094,9 @@ var part236 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interfac setc("obj_type"," Interface state"), ])); -var msg283 = msg("IM_INTF_STATE", part236); +var msg283 = msg("IM_INTF_STATE", part235); -var part237 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name->} ", processor_chain([ +var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ dup63, dup35, dup16, @@ -3115,9 +3108,9 @@ var part237 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{f setc("obj_type"," VDC state"), ])); -var msg284 = msg("VDC_STATE_CHANGE", part237); +var msg284 = msg("VDC_STATE_CHANGE", part236); -var part238 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ +var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ dup8, dup2, dup3, 
@@ -3125,9 +3118,9 @@ var part238 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchov dup82, ])); -var msg285 = msg("SWITCHOVER_OVER", part238); +var msg285 = msg("SWITCHOVER_OVER", part237); -var part239 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ +var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ dup63, dup16, dup39, @@ -3138,9 +3131,9 @@ var part239 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process setc("obj_type"," New Module type"), ])); -var msg286 = msg("VDC_MODULETYPE", part239); +var msg286 = msg("VDC_MODULETYPE", part238); -var part240 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ +var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ dup78, dup35, dup36, @@ -3151,9 +3144,9 @@ var part240 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unab setc("event_description","Unable to sync HA sequence number for service"), ])); -var msg287 = msg("HASEQNO_SYNC_FAILED", part240); +var msg287 = msg("HASEQNO_SYNC_FAILED", part239); -var part241 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ +var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ dup1, dup35, dup80, 
@@ -3165,9 +3158,9 @@ var part241 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payl setc("event_description","Failure in sending message to standby causing standby to reset."), ])); -var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part241); +var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); -var part242 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ +var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ dup1, dup2, dup3, @@ -3175,9 +3168,9 @@ var part242 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Faile setc("event_description","Failed to lock the local module to avoid reset"), ])); -var msg289 = msg("MODULE_LOCK_FAILED", part242); +var msg289 = msg("MODULE_LOCK_FAILED", part241); -var part243 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ +var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ dup1, dup35, dup80, 
@@ -3189,9 +3182,9 @@ var part243 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), ])); -var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part243); +var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); -var part244 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ +var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ dup30, dup81, dup39, @@ -3201,9 +3194,9 @@ var part244 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), ])); -var msg291 = msg("SERVER_ADDED", part244); +var msg291 = msg("SERVER_ADDED", part243); -var part245 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ +var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ dup25, dup20, dup39, 
@@ -3213,9 +3206,9 @@ var part245 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server wi setc("event_description","Server on local port has been removed"), ])); -var msg292 = msg("SERVER_REMOVED", part245); +var msg292 = msg("SERVER_REMOVED", part244); -var part246 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ +var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ dup24, dup35, dup73, @@ -3225,9 +3218,9 @@ var part246 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload" dup26, ])); -var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part246); +var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); -var part247 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ +var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ dup8, dup2, dup3, @@ -3235,9 +3228,9 @@ var part247 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{p setc("event_description","port is operationally individual"), ])); -var msg294 = msg("PORT_INDIVIDUAL", part247); +var msg294 = msg("PORT_INDIVIDUAL", part246); -var part248 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ +var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ dup24, dup35, dup39, 
@@ -3248,9 +3241,9 @@ var part248 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload" dup26, ])); -var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part248); +var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); -var part249 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ +var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ dup23, dup2, dup3, @@ -3258,9 +3251,9 @@ var part249 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Inter setc("event_description","Interface is being recovered from error disabled state"), ])); -var msg296 = msg("IF_ERRDIS_RECOVERY", part249); +var msg296 = msg("IF_ERRDIS_RECOVERY", part248); -var part250 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ +var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ dup31, dup2, dup3, @@ -3268,9 +3261,9 @@ var part250 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", setc("event_description","Non-Cisco transceiver on interface is detected"), ])); -var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part250); +var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); -var part251 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ +var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ dup31, dup2, dup3, 
@@ -3278,9 +3271,9 @@ var part251 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.paylo setc("event_description","Active supervisor is running with less memory than standby supervisor."), ])); -var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part251); +var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); -var part252 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ +var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ dup31, dup16, dup39, @@ -3290,9 +3283,9 @@ var part252 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configu setc("event_description","Configuration update started."), ])); -var msg299 = msg("READCONF_STARTED", part252); +var msg299 = msg("READCONF_STARTED", part251); -var part253 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ +var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ dup31, dup2, dup3, @@ -3300,9 +3293,9 @@ var part253 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor setc("event_description","Supervisor is running with less memory than active supervisor."), ])); -var msg300 = msg("SUP_POWERDOWN", part253); +var msg300 = msg("SUP_POWERDOWN", part252); -var part254 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ +var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ dup31, dup16, dup39, 
@@ -3312,9 +3305,9 @@ var part254 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Startin setc("event_description","Starting linecard upgrade"), ])); -var msg301 = msg("LC_UPGRADE_START", part254); +var msg301 = msg("LC_UPGRADE_START", part253); -var part255 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ +var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ dup31, dup16, dup39, @@ -3324,9 +3317,9 @@ var part255 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Reboot setc("event_description","Rebooting linecard as a part of upgrade"), ])); -var msg302 = msg("LC_UPGRADE_REBOOT", part255); +var msg302 = msg("LC_UPGRADE_REBOOT", part254); -var part256 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ +var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ dup31, dup2, dup3, @@ -3334,9 +3327,9 @@ var part256 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload" setc("event_description","Runtime database controller started."), ])); -var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part256); +var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); -var part257 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ +var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ dup31, dup2, dup3, 
@@ -3344,9 +3337,9 @@ var part257 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload" setc("event_description","Runtime database successfully restored."), ])); -var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part257); +var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); -var part258 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ +var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ dup31, dup16, dup39, @@ -3356,9 +3349,9 @@ var part258 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", setc("event_description","Upgrade of module started"), ])); -var msg305 = msg("LCM_MODULE_UPGRADE_START", part258); +var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); -var part259 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ +var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ dup31, dup2, dup3, @@ -3366,9 +3359,9 @@ var part259 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "U setc("event_description","Upgrade of module ended"), ])); -var msg306 = msg("LCM_MODULE_UPGRADE_END", part259); +var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); -var part260 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ +var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ dup64, dup35, dup79, 
@@ -3379,9 +3372,9 @@ var part260 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recie setc("event_description","Recieved insert for lc mod"), ])); -var msg307 = msg("FIPS_POST_INFO_MSG", part260); +var msg307 = msg("FIPS_POST_INFO_MSG", part259); -var part261 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ +var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ dup31, dup35, dup39, @@ -3393,9 +3386,9 @@ var part261 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC % dup75, ])); -var msg308 = msg("PEER_VPC_CFGD", part261); +var msg308 = msg("PEER_VPC_CFGD", part260); -var part262 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ +var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ dup74, dup35, dup39, @@ -3406,9 +3399,9 @@ var part262 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: setc("event_description","Potential Interop issue on interface."), ])); -var msg309 = msg("SYN_COLL_DIS_EN", part262); +var msg309 = msg("SYN_COLL_DIS_EN", part261); -var part263 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ +var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ dup31, dup2, dup3, 
@@ -3416,9 +3409,9 @@ var part263 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{ setc("event_description","FEX OFFLINE"), ])); -var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part263); +var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); -var part264 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ +var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ dup31, dup2, dup3, @@ -3426,9 +3419,9 @@ var part264 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{d setc("event_description","FEX ONLINE"), ])); -var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part264); +var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); -var part265 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ +var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ dup31, dup2, dup3, @@ -3436,9 +3429,9 @@ var part265 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{devi setc("event_description","Fex is online"), ])); -var msg312 = msg("FEX_STATUS_online", part265); +var msg312 = msg("FEX_STATUS_online", part264); -var part266 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ +var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ dup31, dup2, dup3, 
@@ -3446,14 +3439,14 @@ var part266 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{dev setc("event_description","Fex is offline"), ])); -var msg313 = msg("FEX_STATUS_offline", part266); +var msg313 = msg("FEX_STATUS_offline", part265); var select40 = linear_select([ msg312, msg313, ]); -var part267 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected ", processor_chain([ +var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ dup74, dup39, dup73, @@ -3463,9 +3456,9 @@ var part267 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Pow setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), ])); -var msg314 = msg("PS_PWR_INPUT_MISSING", part267); +var msg314 = msg("PS_PWR_INPUT_MISSING", part266); -var part268 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ +var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ dup31, dup16, dup39, 
@@ -3476,9 +3469,9 @@ var part268 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Pow setc("change_attribute","operational mode"), ])); -var msg315 = msg("PS_RED_MODE_RESTORED", part268); +var msg315 = msg("PS_RED_MODE_RESTORED", part267); -var part269 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ +var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ dup1, dup2, dup3, @@ -3486,9 +3479,9 @@ var part269 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", setc("event_description","All ejectors open, Module will not be powered up."), ])); -var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part269); +var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); -var part270 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ +var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ dup31, dup16, dup39, @@ -3498,9 +3491,9 @@ var part270 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device setc("event_description","Fex pinning information is changed"), ])); -var msg317 = msg("PINNING_CHANGED", part270); +var msg317 = msg("PINNING_CHANGED", part269); -var part271 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ +var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ dup31, dup2, dup3, 
@@ -3508,9 +3501,9 @@ var part271 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Modu setc("event_description","FEX-100 Module -Cold boot"), ])); -var msg318 = msg("SATCTRL", part271); +var msg318 = msg("SATCTRL", part270); -var part272 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ +var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ dup1, dup2, dup3, @@ -3518,9 +3511,9 @@ var part272 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} setc("event_description","Client register more than once with same pid"), ])); -var msg319 = msg("DUP_REGISTER", part272); +var msg319 = msg("DUP_REGISTER", part271); -var part273 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ +var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ dup1, dup2, dup3, @@ -3528,9 +3521,9 @@ var part273 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} setc("event_description","Unknown mtype"), ])); -var msg320 = msg("UNKNOWN_MTYPE", part273); +var msg320 = msg("UNKNOWN_MTYPE", part272); -var part274 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ +var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ dup31, dup16, dup39, 
@@ -3539,9 +3532,9 @@ var part274 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} dup4, ])); -var msg321 = msg("SATCTRL_IMAGE", part274); +var msg321 = msg("SATCTRL_IMAGE", part273); -var part275 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ +var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ dup1, setc("ec_subject","Process"), dup14, @@ -3550,27 +3543,27 @@ var part275 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [% dup4, ])); -var msg322 = msg("API_FAILED", part275); +var msg322 = msg("API_FAILED", part274); -var part276 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_description}", processor_chain([ +var part275 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_description}", processor_chain([ dup8, dup2, dup3, dup4, ])); -var msg323 = msg("SENSOR_MSG1", part276); +var msg323 = msg("SENSOR_MSG1", part275); -var part277 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ +var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ dup31, dup2, dup3, dup4, ])); -var msg324 = msg("API_INIT_SEM_CLEAR", part277); +var msg324 = msg("API_INIT_SEM_CLEAR", part276); -var part278 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ +var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ dup31, dup2, dup3, 
@@ -3578,9 +3571,9 @@ var part278 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51-> setc("event_description","vdc has come online"), ])); -var msg325 = msg("VDC_ONLINE", part278); +var msg325 = msg("VDC_ONLINE", part277); -var part279 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ +var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ dup78, dup35, dup79, @@ -3592,18 +3585,18 @@ var part279 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", " setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), ])); -var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part279); +var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); -var part280 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ +var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ dup8, dup2, dup3, dup4, ])); -var msg327 = msg("dstats", part280); +var msg327 = msg("dstats", part279); -var part281 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ +var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ dup78, dup35, setc("ec_activity","Logoff"), 
@@ -3613,9 +3606,9 @@ var part281 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fl dup4, ])); -var msg328 = msg("MSG_PORT_LOGGED_OUT", part281); +var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); -var part282 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ +var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ dup78, dup35, dup13, @@ -3625,11 +3618,11 @@ var part282 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld dup4, ])); -var msg329 = msg("MSG_PORT_LOGGED_IN", part282); +var msg329 = msg("MSG_PORT_LOGGED_IN", part281); var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup97); -var part283 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ +var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ dup24, dup35, dup36, 
@@ -3639,11 +3632,11 @@ var part283 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52- dup4, ])); -var msg331 = msg("ZS_MERGE_FAILED", part283); +var msg331 = msg("ZS_MERGE_FAILED", part282); var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup97); -var part284 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new->} ", processor_chain([ +var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ dup24, dup35, dup36, @@ -3653,18 +3646,18 @@ var part284 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Ho setc("change_attribute","Port"), ])); -var msg333 = msg("MAC_MOVE_NOTIFICATION", part284); +var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); -var part285 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ +var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ dup8, dup2, dup3, dup4, ])); -var msg334 = msg("zone", part285); +var msg334 = msg("zone", part284); -var part286 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ +var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ dup1, dup35, dup36, 
@@ -3674,9 +3667,9 @@ var part286 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_descriptio dup4, ])); -var msg335 = msg("ERROR", part286); +var msg335 = msg("ERROR", part285); -var part287 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ +var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ dup78, dup35, dup79, @@ -3687,18 +3680,18 @@ var part287 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{p dup4, ])); -var msg336 = msg("INVAL_IP", part287); +var msg336 = msg("INVAL_IP", part286); -var part288 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ +var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ dup1, dup2, dup3, dup4, ])); -var msg337 = msg("SYSLOG_SL_MSG_WARNING", part288); +var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); -var part289 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ +var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ dup78, dup35, dup36, 
@@ -3708,9 +3701,9 @@ var part289 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex m dup4, ])); -var msg338 = msg("DUPLEX_MISMATCH", part289); +var msg338 = msg("DUPLEX_MISMATCH", part288); -var part290 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ +var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ dup78, dup35, dup36, @@ -3720,9 +3713,9 @@ var part290 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module dup4, ])); -var msg339 = msg("NOHMS_DIAG_ERROR", part290); +var msg339 = msg("NOHMS_DIAG_ERROR", part289); -var part291 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ +var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ dup15, dup35, dup36, @@ -3731,9 +3724,9 @@ var part291 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "R dup4, ])); -var msg340 = msg("STM_LEARNING_RE_ENABLE", part291); +var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); -var part292 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ +var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ dup78, dup35, dup36, 
@@ -3743,47 +3736,47 @@ var part292 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD dup4, ])); -var msg341 = msg("UDLD_PORT_DISABLED", part292); +var msg341 = msg("UDLD_PORT_DISABLED", part291); -var part293 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ +var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ dup15, dup2, dup4, ])); -var msg342 = msg("ntpd", part293); +var msg342 = msg("ntpd", part292); -var part294 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ +var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ dup15, dup2, dup4, ])); -var msg343 = msg("ntpd:01", part294); +var msg343 = msg("ntpd:01", part293); -var part295 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ +var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ dup15, dup2, dup4, ])); -var msg344 = msg("ntpd:02", part295); +var msg344 = msg("ntpd:02", part294); -var part296 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ +var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ dup15, dup2, dup4, ])); -var msg345 = msg("ntpd:03", part296); +var msg345 = msg("ntpd:03", part295); -var part297 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ +var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ dup15, dup2, dup4, ])); -var msg346 = msg("ntpd:04", part297); +var msg346 = msg("ntpd:04", part296); var select41 = linear_select([ msg342, 
@@ -3793,16 +3786,16 @@ var select41 = linear_select([ msg346, ]); -var part298 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_description}", processor_chain([ +var part297 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_description}", processor_chain([ dup9, dup2, dup3, dup4, ])); -var msg347 = msg("PFM_ALERT", part298); +var msg347 = msg("PFM_ALERT", part297); -var part299 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ +var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ dup62, dup2, dup3, @@ -3810,9 +3803,9 @@ var part299 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{s setc("event_description","Service acquired on WCCP Client"), ])); -var msg348 = msg("SERVICEFOUND", part299); +var msg348 = msg("SERVICEFOUND", part298); -var part300 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ +var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ dup62, dup2, dup3, @@ -3820,9 +3813,9 @@ var part300 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{se setc("event_description","Service acquired on WCCP Router"), ])); -var msg349 = msg("ROUTERFOUND", part300); +var msg349 = msg("ROUTERFOUND", part299); -var part301 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ +var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ dup5, dup2, dup3, 
@@ -3830,9 +3823,9 @@ var part301 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "p setc("event_description","Authentication failed"), ])); -var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part301); +var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); -var part302 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ +var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ dup18, dup2, dup12, @@ -3841,9 +3834,9 @@ var part302 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "N setc("event_description","New user added"), ])); -var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part302); +var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); -var part303 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ +var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ dup10, dup2, dup12, @@ -3851,9 +3844,9 @@ var part303 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", dup4, ])); -var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part303); +var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); -var part304 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ +var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ dup10, dup2, dup12, 
@@ -3862,23 +3855,23 @@ var part304 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "p setc("event_description","session opened for user"), ])); -var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part304); +var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); var select42 = linear_select([ msg352, msg353, ]); -var part305 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ +var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ dup5, dup2, dup3, dup4, ])); -var msg354 = msg("%USER-3-SYSTEM_MSG", part305); +var msg354 = msg("%USER-3-SYSTEM_MSG", part304); -var part306 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ +var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ dup5, dup2, dup3, @@ -3886,9 +3879,9 @@ var part306 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Inval dup83, ])); -var msg355 = msg("%USER-6-SYSTEM_MSG", part306); +var msg355 = msg("%USER-6-SYSTEM_MSG", part305); -var part307 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ +var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ dup5, dup2, dup3, 
@@ -3896,9 +3889,9 @@ var part307 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "in dup83, ])); -var msg356 = msg("%USER-6-SYSTEM_MSG:01", part307); +var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); -var part308 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ +var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ dup5, dup2, dup3, @@ -3906,9 +3899,9 @@ var part308 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Fa setc("event_description","Failed none for invalid user"), ])); -var msg357 = msg("%USER-6-SYSTEM_MSG:02", part308); +var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); -var part309 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ +var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ dup84, dup2, dup3, @@ -3916,9 +3909,9 @@ var part309 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Ac setc("event_description","Accepted password for user"), ])); -var msg358 = msg("%USER-6-SYSTEM_MSG:03", part309); +var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); -var part310 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ +var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ dup84, dup2, dup3, 
@@ -3926,9 +3919,9 @@ var part310 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "la setc("event_description","No such file or directory"), ])); -var msg359 = msg("%USER-6-SYSTEM_MSG:04", part310); +var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); -var part311 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ +var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ dup84, dup2, dup3, @@ -3936,16 +3929,16 @@ var part311 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Co setc("event_description","Could not load host key"), ])); -var msg360 = msg("%USER-6-SYSTEM_MSG:05", part311); +var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); -var part312 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ +var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ dup84, dup2, dup3, dup4, ])); -var msg361 = msg("%USER-6-SYSTEM_MSG:06", part312); +var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); var select43 = linear_select([ msg355, 
@@ -3957,49 +3950,49 @@ var select43 = linear_select([ msg361, ]); -var part313 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ +var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ dup31, dup2, dup4, setc("ec_activity","Disable"), ])); -var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part313); +var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); -var part314 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ +var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ dup31, dup2, dup4, dup38, ])); -var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part314); +var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); -var part315 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ +var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ dup1, dup2, dup4, ])); -var msg364 = msg("PS_ABSENT", part315); +var msg364 = msg("PS_ABSENT", part314); -var part316 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ +var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ dup1, dup2, dup4, ])); -var msg365 = msg("PS_DETECT", part316); +var msg365 = msg("PS_DETECT", part315); -var part317 = match("MESSAGE#359:SUBPROC_TERMINATED", 
"nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ +var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ dup1, dup2, dup4, ])); -var msg366 = msg("SUBPROC_TERMINATED", part317); +var msg366 = msg("SUBPROC_TERMINATED", part316); -var part318 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ +var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ dup15, dup2, dup4, 
@@ -4007,69 +4000,69 @@ var part318 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"% dup17, ])); -var msg367 = msg("SUBPROC_SUCCESS_EXIT", part318); +var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); -var part319 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ +var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ dup31, dup2, dup4, ])); -var msg368 = msg("UPDOWN", part319); +var msg368 = msg("UPDOWN", part318); -var part320 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ +var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ dup31, dup2, dup4, setc("change_attribute","Interface"), ])); -var msg369 = msg("L2FM_MAC_MOVE2", part320); +var msg369 = msg("L2FM_MAC_MOVE2", part319); -var part321 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ +var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ dup31, dup2, dup4, dup39, ])); -var msg370 = msg("PFM_PS_RED_MODE_CHG", part321); +var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); -var part322 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ +var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ dup31, dup2, dup4, dup39, ])); -var msg371 = msg("PS_RED_MODE_CHG", part322); +var 
msg371 = msg("PS_RED_MODE_CHG", part321); -var part323 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ +var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ dup64, dup2, dup4, ])); -var msg372 = msg("INVAL_MAC", part323); +var msg372 = msg("INVAL_MAC", part322); -var part324 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ +var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ dup15, dup2, dup4, setc("change_attribute","Service status"), ])); -var msg373 = msg("SRVSTATE_CHANGED", part324); +var msg373 = msg("SRVSTATE_CHANGED", part323); -var part325 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description}", processor_chain([ +var part324 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description}", processor_chain([ dup64, dup2, dup4, ])); -var msg374 = msg("INFO", part325); +var msg374 = msg("INFO", part324); -var part326 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ +var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ dup15, dup2, dup4, 
@@ -4078,9 +4071,9 @@ var part326 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service dup17, ])); -var msg375 = msg("SERVICE_STARTED", part326); +var msg375 = msg("SERVICE_STARTED", part325); -var part327 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ +var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ dup8, dup2, dup3, @@ -4088,9 +4081,9 @@ var part327 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{ dup86, ])); -var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part327); +var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); -var part328 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ +var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ dup8, dup2, dup3, @@ -4098,7 +4091,7 @@ var part328 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{proces dup86, ])); -var msg377 = msg("DUP_SRCIP_PROBE", part328); +var msg377 = msg("DUP_SRCIP_PROBE", part327); var chain1 = processor_chain([ select1, 
@@ -4389,102 +4382,102 @@ var chain1 = processor_chain([ }), ]); -var part329 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); +var part328 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); -var part330 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); +var part329 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); -var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); +var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); -var part332 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); +var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); -var part333 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); +var part332 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); -var part334 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); +var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); -var part335 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); +var part334 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); -var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); +var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); -var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); +var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); -var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); +var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); -var part339 = 
match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); +var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); -var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); +var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); -var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); +var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); -var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); +var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); -var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); +var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); -var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); +var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); -var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); +var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); -var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); +var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); -var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); +var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); -var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); +var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); -var part349 = 
match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); +var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); -var part350 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); +var part349 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); -var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); +var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); -var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); +var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); -var part353 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); +var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); -var part354 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); +var part353 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); -var part355 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); +var part354 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); -var part356 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); +var part355 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); -var part357 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); +var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); -var part358 = 
match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); +var part357 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); -var part359 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ +var part358 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ dup1, dup2, dup3, dup4, ])); -var part360 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ +var part359 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part361 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var part360 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var part362 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ +var part361 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup2, dup3, dup4, ])); -var part363 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var part362 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part364 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var part363 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup25, 
dup2, dup3, @@ -4496,28 +4489,28 @@ var select44 = linear_select([ dup28, ]); -var part365 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ +var part364 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ dup1, dup2, dup3, dup4, ])); -var part366 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ +var part365 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ dup25, dup2, dup3, dup4, ])); -var part367 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result}) ", processor_chain([ +var part366 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part368 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ +var part367 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ dup24, dup35, dup36, @@ -4527,7 +4520,7 @@ var part368 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52- dup4, ])); -var part369 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ +var part368 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ dup34, dup2, dup3, @@ -4554,7 +4547,7 @@ var select48 = linear_select([ dup59, ]); -var part370 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ +var part369 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ dup24, dup2, dup3, 
@@ -4571,14 +4564,14 @@ var select50 = linear_select([ dup69, ]); -var part371 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ +var part370 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part372 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ +var part371 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ dup24, dup2, dup3, @@ -4590,7 +4583,7 @@ var select51 = linear_select([ dup72, ]); -var part373 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ +var part372 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ dup62, dup2, dup3, diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md index 0c3088e6257..3ae455a7bd5 100644 --- a/x-pack/filebeat/module/citrix/README.md +++ b/x-pack/filebeat/module/citrix/README.md @@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 -at 2020-07-08 17:36:27.271805 +0000 UTC. +at 2020-07-08 18:27:59.806607 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md index b072b57b46e..53f45056c5a 100644 --- a/x-pack/filebeat/module/cylance/README.md +++ b/x-pack/filebeat/module/cylance/README.md @@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 -at 2020-07-08 17:36:27.498771 +0000 UTC. +at 2020-07-08 18:28:00.053323 +0000 UTC. 
diff --git a/x-pack/filebeat/module/cylance/protect/config/pipeline.js b/x-pack/filebeat/module/cylance/protect/config/pipeline.js index 710049b61d0..ef18f1ce577 100644 --- a/x-pack/filebeat/module/cylance/protect/config/pipeline.js +++ b/x-pack/filebeat/module/cylance/protect/config/pipeline.js @@ -226,17 +226,15 @@ var select4 = linear_select([ part7, ]); -var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); +var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); -var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); +var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var select5 = linear_select([ part8, part9, ]); -var part10 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", "%{} "); - var all2 = all_match({ processors: [ dup2, @@ -244,7 +242,6 @@ var all2 = all_match({ dup11, select4, select5, - part10, ], on_success: processor_chain([ dup6, 
@@ -257,19 +254,19 @@ var all2 = all_match({ var msg2 = msg("CylancePROTECT:02", all2); -var part11 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); +var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); -var part12 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); +var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); -var part13 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); +var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); var select6 = linear_select([ + part10, part11, part12, - part13, ]); -var part14 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all3 = all_match({ processors: [ @@ -277,7 +274,7 @@ var all3 = all_match({ dup24, dup11, select6, - part14, + part13, ], on_success: processor_chain([ dup6, @@ -290,13 +287,13 @@ var all3 = all_match({ var msg3 = msg("CylancePROTECT:03", all3); -var part15 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part14 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all4 = all_match({ processors: [ dup2, dup24, - part15, + part14, ], on_success: processor_chain([ dup6, 
@@ -309,16 +306,16 @@ var all4 = all_match({ var msg4 = msg("CylancePROTECT:04", all4); -var part16 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); +var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); -var part17 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); +var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); -var part18 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); +var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); var select7 = linear_select([ + part15, part16, part17, - part18, ]); var all5 = all_match({ 
@@ -340,21 +337,21 @@ var all5 = all_match({ var msg5 = msg("CylancePROTECT:05", all5); -var part19 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); +var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); -var part20 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); +var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); -var part21 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); +var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); var select8 = linear_select([ + part19, part20, - part21, ]); -var part22 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); +var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); var select9 = linear_select([ - part22, + part21, dup5, ]); @@ -362,7 +359,7 @@ var all6 = all_match({ processors: [ dup2, dup24, - part19, + part18, select8, select9, ], 
@@ -377,22 +374,22 @@ var all6 = all_match({ var msg6 = msg("CylancePROTECT:06", all6); -var part23 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); +var part22 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); -var part24 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); +var part23 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); var select10 = linear_select([ + part22, part23, - part24, ]); -var part25 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); +var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); var all7 = all_match({ processors: [ dup2, select10, - part25, + part24, ], on_success: processor_chain([ dup6, 
@@ -405,22 +402,22 @@ var all7 = all_match({ var msg7 = msg("CylancePROTECT:07", all7); -var part26 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); +var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); -var part27 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); +var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); var select11 = linear_select([ + part25, part26, - part27, ]); -var part28 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); +var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); var all8 = all_match({ processors: [ dup2, select11, - part28, + part27, ], on_success: processor_chain([ dup6, 
@@ -433,12 +430,12 @@ var all8 = all_match({ var msg8 = msg("CylancePROTECT:08", all8); -var part29 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); +var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); -var part30 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); +var part29 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); var select12 = linear_select([ - part30, + part29, dup14, ]); @@ -446,7 +443,7 @@ var all9 = all_match({ processors: [ dup2, dup27, - part29, + part28, select12, ], on_success: processor_chain([ 
@@ -460,22 +457,22 @@ var all9 = all_match({ var msg9 = msg("CylancePROTECT:09", all9); -var part31 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); +var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); -var part32 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); +var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); var select13 = linear_select([ + part30, part31, - part32, ]); -var part33 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype->} "); +var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); var all10 = all_match({ processors: [ dup2, select13, - part33, + part32, ], on_success: processor_chain([ dup6, 
@@ -488,22 +485,22 @@ var all10 = all_match({ var msg10 = msg("CylancePROTECT:10", all10); -var part34 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); +var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); -var part35 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); +var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); var select14 = linear_select([ + part33, part34, - part35, ]); -var part36 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); +var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); var all11 = all_match({ processors: [ dup2, select14, - part36, + part35, ], on_success: processor_chain([ dup6, @@ -515,13 +512,13 @@ var all11 = all_match({ var msg11 = msg("CylancePROTECT:11", all11); -var part37 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); +var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); var all12 = all_match({ processors: [ dup2, dup28, - part37, + part36, ], on_success: processor_chain([ dup6, 
@@ -533,13 +530,13 @@ var all12 = all_match({ var msg12 = msg("CylancePROTECT:15", all12); -var part38 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all13 = all_match({ processors: [ dup2, dup28, - part38, + part37, ], on_success: processor_chain([ dup6, @@ -551,13 +548,13 @@ var all13 = all_match({ var msg13 = msg("CylancePROTECT:14", all13); -var part39 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); +var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); var all14 = all_match({ processors: [ dup2, dup28, - part39, + part38, dup29, ], on_success: processor_chain([ 
@@ -570,13 +567,13 @@ var all14 = all_match({ var msg14 = msg("CylancePROTECT:13", all14); -var part40 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); +var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); var all15 = all_match({ processors: [ dup2, dup28, - part40, + part39, dup29, ], on_success: processor_chain([ @@ -589,13 +586,13 @@ var all15 = all_match({ var msg15 = msg("CylancePROTECT:16", all15); -var part41 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); +var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); var all16 = all_match({ processors: [ dup2, dup27, - part41, + part40, ], on_success: processor_chain([ dup6, 
@@ -607,25 +604,25 @@ var all16 = all_match({ var msg16 = msg("CylancePROTECT:25", all16); -var part42 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); +var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); -var part43 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); +var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); -var part44 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); +var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); -var part45 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); +var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); var select15 = linear_select([ + part42, part43, part44, - part45, ]); var all17 = all_match({ processors: [ dup2, dup28, - part42, + part41, select15, ], on_success: processor_chain([ 
@@ -638,20 +635,20 @@ var all17 = all_match({ var msg17 = msg("CylancePROTECT:12", all17); -var part46 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); +var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); -var part47 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); +var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); -var part48 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); +var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); var select16 = linear_select([ + part46, part47, - part48, ]); var all18 = all_match({ processors: [ - part46, + part45, select16, ], on_success: processor_chain([ 
@@ -664,27 +661,27 @@ var all18 = all_match({ var msg18 = msg("CylancePROTECT:17", all18); -var part49 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ +var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ dup6, dup19, dup25, dup26, ])); -var msg19 = msg("CylancePROTECT:18", part49); +var msg19 = msg("CylancePROTECT:18", part48); -var part50 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); +var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); -var part51 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); +var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); var select17 = linear_select([ - part51, + part50, dup14, ]); var all19 = all_match({ processors: [ - part50, + part49, select17, ], on_success: processor_chain([ 
@@ -697,37 +694,37 @@ var all19 = all_match({ var msg20 = msg("CylancePROTECT:19", all19); -var part52 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); +var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); -var part53 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); +var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); -var part54 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); +var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); var select18 = linear_select([ + part52, part53, - part54, ]); -var part55 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); +var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); -var part56 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); +var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); -var part57 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); +var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); var select19 = linear_select([ + part55, part56, - part57, ]); -var part58 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); +var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); var all20 = all_match({ processors: [ - part52, + part51, select18, - part55, + part54, select19, - part58, + part57, ], on_success: processor_chain([ dup6, 
@@ -739,7 +736,7 @@ var all20 = all_match({ var msg21 = msg("CylancePROTECT:20", all20); -var part59 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ +var part58 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ dup6, dup19, dup25, 
@@ -753,22 +750,22 @@ var part59 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Na }), ])); -var msg22 = msg("CylancePROTECT:21", part59); +var msg22 = msg("CylancePROTECT:21", part58); -var part60 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); +var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); -var part61 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); +var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); -var part62 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); +var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); var select20 = linear_select([ + part60, part61, - part62, ]); var all21 = all_match({ processors: [ - part60, + part59, select20, dup30, ], 
@@ -782,29 +779,29 @@ var all21 = all_match({ var msg23 = msg("CylancePROTECT:22", all21); -var part63 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ +var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ dup6, dup19, dup25, dup26, ])); -var msg24 = msg("CylancePROTECT:23", part63); +var msg24 = msg("CylancePROTECT:23", part62); -var part64 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); +var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); -var part65 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); +var part64 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); -var part66 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); +var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); var select21 = linear_select([ + part64, part65, - part66, ]); var all22 = all_match({ processors: [ - part64, + part63, select21, ], on_success: processor_chain([ 
@@ -817,11 +814,11 @@ var all22 = all_match({ var msg25 = msg("CylancePROTECT:24", all22); -var part67 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); +var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); var all23 = all_match({ processors: [ - part67, + part66, dup30, ], on_success: processor_chain([ 
@@ -834,31 +831,31 @@ var all23 = all_match({ var msg26 = msg("CylancePROTECT:26", all23); -var part68 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); +var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); -var part69 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); +var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); -var part70 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); +var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); var select22 = linear_select([ + part68, part69, - part70, ]); -var part71 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); +var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); -var part72 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); +var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); var select23 = linear_select([ - part72, + part71, dup14, ]); var all24 = all_match({ processors: [ - part68, + part67, select22, - part71, + part70, select23, ], on_success: processor_chain([ 
@@ -871,24 +868,24 @@ var all24 = all_match({ var msg27 = msg("CylancePROTECT:27", all24); -var part73 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); +var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); -var part74 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); +var part73 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); -var part75 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); +var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); var select24 = linear_select([ + part73, part74, - part75, ]); -var part76 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); +var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); var all25 = all_match({ processors: [ - part73, + part72, select24, - part76, + part75, ], on_success: processor_chain([ dup6, 
@@ -938,31 +935,31 @@ var chain1 = processor_chain([
 }),
 ]);
-var part77 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}");
+var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}");
-var part78 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}");
+var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}");
-var part79 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}");
+var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}");
-var part80 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})");
+var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})");
-var part81 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}");
+var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}");
-var part82 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}");
+var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}");
-var part83 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}");
+var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}");
-var part84 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}");
+var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}");
-var part85 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}");
+var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}");
-var part86 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}");
+var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}");
-var part87 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}");
+var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}");
-var part88 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}");
+var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}");
-var part89 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}");
+var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}");
 var select26 = linear_select([
 dup3,
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log
index 5ea1800360c..b6ec60eb647 100644
--- a/x-pack/filebeat/module/cylance/protect/test/generated.log
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log
@@ -4,11 +4,11 @@ Feb 26 8:15:08 mquia873.internal.invalid CylancePROTECT Event Type:tetur, Event 2016-3-12T3:17:42.minim eFini859.www5.example CylancePROTECT psumquia onsect [orsitame] Event Type: reprehe, Event Name: SystemSecurity, Device Name: quiavo, Agent Version: issusci, IP Address: (10.164.119.63, taliquip), MAC Address: (01:00:5e:86:ac:4a, tNequ), Logged On Users: (gelit), OS: tatno Zone Names: dquiac 26-March-2016 10:20:16 medium oluptas2358.internal.host ommod <aqui 2016-3-26T10:20:16.radipis isetq3627.api.domain CylancePROTECT magn equuntu [eos] Event Type: enimad, Event Name: SystemSecurity, Device Name: uaerat, Agent Version: boreet, IP Address: (10.155.162.162, mcolabor), MAC Address: (01:00:5e:2c:f3:52, giatq), Logged On Users: (quid), OS: fug 9-Apr-2016 5:22:51 high maveniam1399.mail.lan siutaliq <tempor 9T17:22:51.omnis antium1279.mail.test CylancePROTECT Event Name:ThreatUpdated, Device Name:rsitvolu, External Device Type:tcupida, External Device Vendor ID:niamquis, External Device Name:itati, External Device Product ID:mfu, External Device Serial Number:uid, Zone Names:atatnonp, Device Id: uiano, Policy Name: mrema -Apr 24 12:25:25 iat1852.api.localdomain CylancePROTECT Event Type:elits, Event Name:Device Policy Assigned, Device Message: Device: ipis; Policy Changed: gelits to 'tatevel', User: abilloi iam (mqua), Zone Names:atat, Device Id: quunt -8-May-2016 07:27:59 high avol7616.api.test isqu <idolore 2016-5-8T7:27:59.onse liq5883.localdomain CylancePROTECT emeumfug upta [omn] Event Type: ipsumq, Event Name: Registration, Device Name: ons, Agent Version: tessec, IP Address: (10.215.110.141, nsect), MAC Address: (01:00:5e:58:a9:90, ionul), Logged On Users: (nibus), OS: edquiano -22-May-2016 2:30:33 low aperi5160.host ipi <lupt 22T14:30:33.xea qua2945.www.local CylancePROTECT Event Name:PolicyAdd, Threat Class:modocons, Threat Subclass:elaudant, SHA256:tinvol, MD5:dolore -liquide 2016-6-5T9:33:08.uasia emp4209.host CylancePROTECT giatquov 
eritquii [dexeac] Event Type: Threat, Event Name: threat_found, Device Name: taut, IP Address: (10.114.138.121), File Name: imad, Path: msequi, Drive Type: isnostru, SHA256: iquaUten, MD5: santium, Status: iciatisu, Cylance Score: 0.803000, Found Date: emagnama, File Type: eprehend, Is Running: hil, Auto Run: atquovo, Detected By: suntinc, Zone Names: xeac, Is Malware: nidolo, Is Unique To Cylance: tatn, Threat Classification: eli -reetd 2016-6-20T4:35:42.lumqui itinvo7084.mail.corp CylancePROTECT equep iavolu [den] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: rpo, IP Address: (10.133.32.68), File Name: siarchi, Path: datatn, Drive Type: mqu, SHA256: apariat, MD5: tlabore, Status: untmolli, Cylance Score: 62.683000, Found Date: atDu, File Type: eav, Is Running: ionevo, Auto Run: remagn, Detected By: run, Zone Names: mque, Is Malware: uovolup, Is Unique To Cylance: samvolu, Threat Classification: ittenbyC +24-Apr-2016 12:25:25 very-high orsitame3869.localhost iam <umdo 24T00:25:25.sed apariat4194.www5.local CylancePROTECT Event Name:SystemSecurity, Message: The Device:onsewas auto assigned torumetZone:oll, User:erc +aspern 2016-5-8T7:27:59.itlabori Ciceroi3592.www.host CylancePROTECT aper essequ [taevi] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: sitas; Policy: ehenderi; Value: pidatat, User: gni tquiinea (mquaera) +22-May-2016 2:30:33 medium saute2412.internal.domain lorema <labor 22T14:30:33.atuse ddoeiu1152.api.invalid CylancePROTECT Event Name:Device Policy Assigned, Device Name:llumquid, External Device Type:tation, External Device Vendor ID:ips, External Device Name:emeumfug, External Device Product ID:upta, External Device Serial Number:omn, Zone Names:ipsumq +5-June-2016 21:33:08 low ipi7385.www.home eseru <orain 2016-6-5T9:33:08.quip oin6316.www5.host CylancePROTECT tinvol dolore [abor] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: eddoei, IP Address: (10.22.128.42), Action: cancel, 
Process ID: 1120, Process Name: ditautfu.exe, User Name: piscing, Violation Type: roq, Zone Names: ostr +2016-6-20T4:35:42.moenimi temporin6518.invalid CylancePROTECT agnaali llitani [inima] Event Type: tlabo, Event Name: ThreatUpdated, Device Name: nihi 2016-7-4T11:38:16.iquipex commod3331.host CylancePROTECT bor occa [stquidol] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: leumiu, File Path: namali, Interpreter: taevit, Interpreter Version: 1.3365 (nsecte), Zone Names: itame 2016-7-18T6:40:50.rehender iae1637.local CylancePROTECT nula emseq [olestiae] Event Type: ione, Event Name: LoginSuccess, Device Names: (evita), Policy Name: suntexp, User: duntut magni (pisciv) 2-August-2016 01:43:25 medium eratv6205.internal.lan reme <uaUteni 2016-8-2T1:43:25.udantium pre2433.mail.domain CylancePROTECT sciun sBono [catc] Event Type: AuditLog, Event Name: pechange, Message: Device: edo;asiaUser: econs uir (dol) 
@@ -17,84 +17,84 @@ Aug 30 3:48:33 rroquis6074.api.host CylancePROTECT Event Type:iurer, Event Name: 13-Sep-2016 10:51:07 low uta4901.internal.local volupt <uiinea 13T22:51:07.Utenima volupta5074.internal.localhost CylancePROTECT Event Name:LoginSuccess, Message: Device:ionevowas auto assigned tougiatnuZone:ciati, User:nto Sep 28 5:53:42 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned tomadmiZone:tur, User:roi imadmini 2016/10/12T12:56:16.sauteiru mod7387.host CylancePROTECT mquame nihilmol [xercita] Event Type: AppControl, Event Name: fullaccess, Device Name: tiumt, IP Address: (10.75.99.127), Action: accept, Action Type: madmi, File Path: uidol, SHA256: mporin, Zone Names: mwrit -eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol)nve -2016-11-10T3:01:24.siutali amnih2718.internal.example CylancePROTECT tau exercita [ris] Event Type: eumiu, Event Name: SystemSecurity, Device Name: laudant, Zone Names:isnost -itess 2016/11/24T10:03:59.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui -8-December-2016 17:06:33 low gitsed4374.www5.home fugitsed <quid 2016-12-8T5:06:33.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam) -inesci 2016-12-23T12:09:07.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo 
-sau 2017-1-6T7:11:41.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea) -2017-1-20T2:14:16.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp) -umwrit 2017-2-3T9:16:50.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna)ncididun -ise 2017/02/18T04:19:24.itau apariat1702.internal.local CylancePROTECT ian dolore [onsecte] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ect, IP Address: (10.41.123.102), Action: deny, Action Type: fugia, File Path: oditautf, SHA256: quatu, Zone Names: veli -2017-3-4T11:21:59.labo ulapar6827.www.local CylancePROTECT par lorin [pitl] Event Type: AuditLog, Event Name: Alert, Message: Zone: urv; Policy: ama; Value: uatur, User: adminimv odi (ptass) -2017-3-18T6:24:33.mdol itation6137.home CylancePROTECT osqui sequat [sund] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: ven; SHA256: rQu; Category: mco, User: cipitl onemulla (evitaed)inimveni -2017-4-2T1:27:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)remagn -16-Apr-2017 8:29:41 medium volupt2952.api.local esseq <boru 16T08:29:41.ptateve enderi6555.api.host CylancePROTECT Event Name:Device Policy Assigned, Threat Class:tenatuse, Threat Subclass:psaqua, SHA256:ullamcor, MD5:itationu -Apr 30 3:32:16 estl2233.api.corp CylancePROTECT Event Type:oluptat, Event Name:ZoneAdd, Device Message: Device: rure; Zones Removed: asiarchi,eaqueipsUser: qua volupta (dmi), Zone Names:untexpl -2017-5-14T10:34:50.licaboN atquo4897.mail.lan 
CylancePROTECT ntexpl dunt [litsedq] Event Type: DeviceControl, Event Name: threat_found, Device Name: nder, External Device Type: mdolore, External Device Vendor ID: Cic, External Device Name: olorema, External Device Product ID: mollita, External Device Serial Number: tatem, Zone Names: iae -29-May-2017 05:37:24 medium taliqui5348.mail.localdomain loremag <iatqu 2017-5-29T5:37:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni -Jun 12 12:39:58 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium,uptateUser: lloinven econs (lmolesti), Zone Names:apariatu Device Id: lorsita -26-June-2017 19:42:33 high lupta7560.www5.localdomain ncidi <laudan 2017-6-26T7:42:33.litesseq atcupida7685.local CylancePROTECT dolores equamnih [taliqui] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: itempo,orumwUser: redol ecillum (isci) -mquisno 2017-7-11T2:45:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe -2017/07/25T09:47:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema -2017-8-8T4:50:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse -22-August-2017 23:52:50 high 
ici7102.www.localdomain itae <atnula 2017-8-22T11:52:50.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat -6-September-2017 06:55:24 low idunt4633.internal.host liquam <oluptat 2017/09/06T06:55:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu -Sep 20 1:57:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori -4-Oct-2017 9:00:32 high isiutali3575.www5.invalid Nemoenim <ide 4T21:00:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam -2017-10-19T4:03:07.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco) -itametco 2017-11-2T11:05:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod -16-Nov-2017 6:08:15 low cte4809.mail.lan uunturma <eserun 16T18:08:15.pta 
emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore -Dec 1 1:10:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq -15-Dec-2017 8:13:24 medium arch2905.www5.home ror <doei 15T08:13:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint -2017-12-29T3:15:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) -hilmole 2018-1-12T10:18:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido -2018-1-27T5:21:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt) -Feb 10 12:23:41 umd3889.api.localhost CylancePROTECT Event Type:dat, Event Name:threat_quarantined, Message: Provider:saquaea, Source IP:10.10.178.151, User: uames tconsec (issus) -2018/02/24T19:26:15.caecat cusanti5019.api.home CylancePROTECT quisn rem [ulamcola] Event Type: AppControl, Event Name: ZoneAdd, Device Name: llita, IP Address: (10.117.150.156), Action: block, Action Type: uredol, File Path: maliqua, SHA256: mcorpori, Zone Names: orisn -11-March-2018 02:28:49 very-high cta5536.mail.localdomain atem <cti 2018-3-11T2:28:49.ommodoc nse3544.local CylancePROTECT tvolu dutper 
[tlaboru] Event Type: aeabillo, Event Name: fullaccess, Device Name: equuntu, Agent Version: quamni, IP Address: (10.186.8.127), MAC Address: (01:00:5e:bf:58:62), Logged On Users: (boreet), OS: luptasnu Zone Names: ento -Mar 25 9:31:24 ovolupta1238.internal.localdomain CylancePROTECT Event Type:ametcon, Event Name: SystemSecurity, Device Name: beat, IP Address: (10.202.89.144), Action: block, Process ID: 6944, Process Name: qua.exe, User Name: iarchite, Violation Type: emsequi, Zone Names:ueporroq, Device Id: ute -8-April-2018 16:33:58 high Bonoru1396.api.invalid rumSecti <adipi 2018-4-8T4:33:58.mquis ratvo1100.www.home CylancePROTECT oluptas nderiti [uatu] Event Type: olupta, Event Name: ZoneAdd, Device Names: (orem), Policy Name: giatqu, User: rsint rsi (paq) -onse 2018-4-22T11:36:32.sitam inibusBo1209.www.example CylancePROTECT ddoe uid [amnis] Event Type: AuditLog, Event Name: DeviceEdit, Message: sse, User: ihilm incidi (aedictas) -7-May-2018 06:39:06 low urEx4545.local abore <oreeu 2018-5-7T6:39:06.mea ssec5390.api.example CylancePROTECT emi reprehen [tvol] Event Type: ptat, Event Name: threat_found, Threat Class: tdolo, Threat Subclass: sequatD, SHA256: eleumi, MD5: equ -etc 2018-5-21T1:41:41.eturadip nost5395.www.localhost CylancePROTECT edol sequuntu [quameius] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: nima; SHA256: totamrem; Category: aliqu, User: taedict orum (nsequat)orsitam -2018-6-4T8:44:15.oidentsu oditau3188.internal.home CylancePROTECT temqui lup [aeca] Event Type: AuditLog, Event Name: Registration, Message: Provider: autemv, Source IP: 10.16.200.216, User: eirure boreetd (tNe) -19-June-2018 03:46:49 low asper311.www.corp inibus <ctobeat 2018-6-19T3:46:49.onsec idestl1167.domain CylancePROTECT itanimi onoru [data] Event Type: ScriptControl, Event Name: pechange, Device Name: eosqui, File Path: dipisciv, Interpreter: uam, Interpreter Version: 1.2575 (llum), Zone Names: mwr -3-July-2018 10:49:23 low 
pitlabo3498.www.localdomain ntmollit <ionofdeF 2018-7-3T10:49:23.rsp imipsa5374.corp CylancePROTECT ionevo llitani [uscipit] Event Type: luptat, Event Name: threat_changed, Device Name: etco -17-July-2018 17:51:58 medium eumiu5172.internal.domain rehen <ptat 2018-7-17T5:51:58.mipsu velillu827.www5.domain CylancePROTECT rsitamet leumiur [ssequamn] Event Type: ExploitAttempt, Event Name: ZoneAddDevice, Device Name: olesti, IP Address: (10.221.20.165), Action: accept, Process ID: 7294, Process Name: ritquiin.exe, User Name: reseo, Violation Type: amco, Zone Names: ons -2018-8-1T12:54:32.epreh psaqu5224.api.home CylancePROTECT temporin uam [rudexerc] Event Type: ScriptControl, Event Name: SyslogSettingsSave, Device Name: lor, File Path: nvolupt, Interpreter: dquia, Interpreter Version: 1.5334, Zone Names: bori, User Name: dipi -2018-8-15T7:57:06.ite itse1458.www.example CylancePROTECT lupt quatur [dminim] Event Type: ScriptControl, Event Name: threat_quarantined, Device Name: ipsa, File Path: con, Interpreter: eirured, Interpreter Version: 1.3772 (tatiset), Zone Names: quira, User Name: ciatisun -29-Aug-2018 2:59:40 very-high audant5631.www5.local minimve <entorev 29T14:59:40.quuntur olup3841.mail.invalid CylancePROTECT Event Name: threat_changed, Device Name: aerat, IP Address: (10.152.213.228), Action: deny, Process ID: 2571, Process Name: iatquo.exe, User Name: temp, Violation Type: oinvento, Zone Names:ali, Device Id: udexerci -emullam 2018-9-12T10:02:15.quido llo1106.internal.localhost CylancePROTECT assi rch [psa] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: atione,tvolupUser: oremeu lab (lla) -oeiusm 2018-9-27T5:04:49.Excepteu mco6956.internal.test CylancePROTECT lorese teturadi [radipi] Event Type: ScriptControl, Event Name: ZoneAdd, Device Name: upidatat, File Path: mod, Interpreter: niamqui, Interpreter Version: 1.7696, Zone Names: xeaco, User Name: taliqu -2018-10-11T12:07:23.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] 
Event Type: strud, Event Name: SystemSecurity, saute -2018-10-25T7:09:57.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat)uredo -9-Nov-2018 2:12:32 medium dminimv2485.internal.host rep <docons 9T02:12:32.emipsumq orinr5248.mail.home CylancePROTECT Event Name: DeviceRemove, Device Name: tass, IP Address: (10.94.129.251), Action: accept, Process ID: 782, Process Name: umquiad.exe, User Name: porinc, Violation Type: uameiu, Zone Names:quiado -23-November-2018 09:15:06 medium mvol3890.localhost reh <tcons 2018-11-23T9:15:06.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill;imveniamUser: sunte exerc (tasu) -Dec 7 4:17:40 rcit7003.www5.host CylancePROTECT Event Type:orese, Event Name:threat_found, Device Name:eiusm, Agent Version:oremipsu, IP Address: (10.205.246.104), MAC Address: (01:00:5e:55:3b:e8), Logged On Users: (mto), OS:iae, Zone Names:dent -2018-12-21T11:20:14.itse lapari2702.www.test CylancePROTECT exeaco upta [ivel] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:reprehe; Devices: deFinib , User: edqui oreseosq (corporis) -5-Jan-2019 6:22:49 very-high byCice3357.mail.localhost cin <amestq 5T06:22:49.emvele tNeq5705.home CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: sper Agent Self Protection Level Changed: 'dic' to 'mfugiat', User: magnido liqu (dolor),ingZone Names: amal Device Id: aliq -19-Jan-2019 1:25:23 high conse3977.www.lan giatqu <roid 19T13:25:23.lorum iin1665.api.localdomain CylancePROTECT Event Name:threat_quarantined, Device Message: Device: iat; Policy Changed: orain to 'equaturQ', User: llu quaUt (labor), Zone Names:oris, Device Id: tatemse -2-Feb-2019 8:27:57 medium tincul407.corp amq <lab 2T20:27:57.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto 
assigned to theptatZone:epr, User:itanimid -untur 2019/02/17T03:30:32.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta -2019-3-3T10:33:06.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude -ecillum 2019-3-17T5:35:40.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim -Apr 1 12:38:14 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele -Apr 15 7:40:49 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu -2019-4-29T2:43:23.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam -May 13 9:45:57 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup -ecatcup 2019-5-28T4:48:31.orinrep 
uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu -2019-6-11T11:51:06.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen) -tatevel 2019-6-25T6:53:40.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass) -veli 2019-7-10T1:56:14.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo) -24-July-2019 08:58:48 medium ocons2813.mail.lan natu <acomm 2019-7-24T8:58:48.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)lamcol -olupta 2019-8-7T4:01:23.emveleum modtempo3314.www5.test CylancePROTECT sequa erc [isq] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: epteurs was auto assigned to the Zone: IP Address: 10.171.165.221, User: (itvo) -21-Aug-2019 11:03:57 low ssequa930.domain eritquii <ecatcu 21T23:03:57.entoreve ion3339.www.localdomain CylancePROTECT Event Name:Alert, Message: Provider:tionev, Source IP:10.198.44.231, User: eni cte (ariatu) -2019-9-5T6:06:31.risnisiu ten5320.test CylancePROTECT siar orisnis [texp] Event Type: ScriptControl, Event Name: threat_changed, Device Name: hend, File Path: ema, Interpreter: ents, Interpreter Version: 1.1903, Zone Names: aliqua, User Name: officiad -onsecte 2019-9-19T1:09:05.inibusBo tqui99.mail.example 
CylancePROTECT prehende vitaedic [remip] Event Type: AuditLog, Event Name: Device Updated, Message: Device: sauteir; SHA256: CSe, User: olorsita midest (uta)olupta -3-October-2019 20:11:40 low tali7426.invalid reprehen <tocca 2019-10-3T8:11:40.tinvolu ecatc3925.lan CylancePROTECT quin adipisc [sedqui] Event Type: ueporroq, Event Name: fullaccess, Device Names: (eetdol), Policy Name: tia, User: lup inimav (dolor) -18-October-2019 03:14:14 medium dex4759.mail.local uredo <untutla 2019-10-18T3:14:14.iame rrorsi3220.lan CylancePROTECT amestqu luptas [ariatu] Event Type: psumqui, Event Name: SyslogSettingsSave, Device Name: empor, Agent Version: ate, IP Address: (10.234.254.96), MAC Address: (01:00:5e:e8:80:20), Logged On Users: (orem), OS: dquian Zone Names: isaute -1-November-2019 10:16:48 high ula5189.host ntocca <adolorsi 2019-11-1T10:16:48.lupt uis6796.mail.example CylancePROTECT aecatc taevita [eseosqu] Event Type: redolo, Event Name: threat_changed, Threat Class: ivelit, Threat Subclass: lumqu, SHA256: dolore, MD5: isnost -uianonnu 2019-11-15T5:19:22.ntNeque magnidol1024.api.test CylancePROTECT aaliq tDui [ernatur] Event Type: DeviceControl, Event Name: SyslogSettingsSave, Device Name: atcupi, External Device Type: xeacomm, External Device Vendor ID: tla, External Device Name: itaspe, External Device Product ID: xerc, External Device Serial Number: uaeabill, Zone Names: uioffici -30-November-2019 00:21:57 very-high tesseq6251.mail.host adipisci <ptatema 2019-11-30T12:21:57.poriss enatus6421.internal.home CylancePROTECT ficiad saquaea [archi] Event Type: AuditLog, Event Name: SystemSecurity, Message: Policy: imadm; SHA256: ugiat; Category: ius, User: msequ ciatisun (Ute)eddoe -2019-12-14T7:24:31.uasi quaeabi5701.host CylancePROTECT mave essecill [eprehe] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: tMaloru; SHA256: rum; Category: utoditau, User: ptassita ionemul (orema)its +eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema 
rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol) +itess 2016/11/10T03:01:24.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui +24-November-2016 10:03:59 low gitsed4374.www5.home fugitsed <quid 2016-11-24T10:03:59.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam) +inesci 2016-12-8T5:06:33.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo +sau 2016-12-23T12:09:07.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea) +2017-1-6T7:11:41.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp) +umwrit 2017-1-20T2:14:16.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna) +3-Feb-2017 9:16:50 high rum959.host velillu <bor 3T21:16:50.rauto ationev5770.www.invalid CylancePROTECT Event Name:DeviceRemove, Device Name:nby, Agent Version:mve, IP Address: (10.96.201.115), MAC Address: (01:00:5e:94:55:60), Logged On Users: (inimve), OS:pis, Zone Names:nsequat +18-February-2017 04:19:24 low ercit7022.host qui <temporin 2017-2-18T4:19:24.equatur adeseru2497.www5.host CylancePROTECT rem 
asper [idunt] Event Type: ScriptControl, Event Name: threat_changed, Device Name: amcor, File Path: ica, Interpreter: lillum, Interpreter Version: 1.7809 (dicta), Zone Names: taedicta +itesseq 2017-3-4T11:21:59.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel [nof] Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: 10.230.206.60, User: ipi imveniam (uaeab) +18-March-2017 18:24:33 low lupta5708.www.test amcor <ineavol 2017-3-18T6:24:33.iosa boNemoe2025.lan CylancePROTECT amvolupt onevolu [mnis] Event Type: AuditLog, Event Name: DeviceRemove, Message: The Device: ites was auto assigned to the Zone: IP Address: 10.126.26.131, User: (nisiut) +2-Apr-2017 1:27:07 low elit429.api.invalid borisnis <emqu 2T01:27:07.nderi acommod6195.www.home CylancePROTECT Event Name:SyslogSettingsSave, Message: Provider:eratvol, Source IP:10.253.132.145, User: est uptatemU (leumiu)#015 +Apr 16 8:29:41 enderit4328.corp CylancePROTECT Event Type:Nequepor, Event Name:DeviceEdit, Message: Device:remwas auto assigned to theididZone:tesse, User:sequat +2017-4-30T3:32:16.aliq mes4801.internal.test CylancePROTECT itaedict oremag [illu] Event Type: AuditLog, Event Name: threat_changed, Message: SHA256: turadip; Reason: success, User: temUt ptassita (its) +ori 2017-5-14T10:34:50.tconsect rum1594.api.domain CylancePROTECT ulla iqu [oin] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: abore,squUser: uiadol Duisa (lupta) +2017-5-29T5:37:24.asi ectiono2241.lan CylancePROTECT onu liquaUte [alorum] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ria; Policy: atDu; Value: nsec, User: quidolor oqu (naaliq) +2017-6-12T12:39:58.eaqueips qua3862.mail.home CylancePROTECT aturQu aaliq [mipsamvo] Event Type: DeviceControl, Event Name: ThreatUpdated, Device Name: rsintoc, External Device Type: reetdo, External Device Vendor ID: oreveri, External Device Name: ehende, External Device Product ID: eaqueip, External 
Device Serial Number: eum, Zone Names: lamc +26-Jun-2017 7:42:33 high metcons5740.mail.localhost sitvo <obeata 26T19:42:33.tatemU mad5185.www5.localhost CylancePROTECT Event Name:SystemSecurity, Device Message: Device: gnaa; Zones Removed: mod; Zones Added: doei,cipitlUser: caboNemo dexerc (strumex), Zone Names:eprehend Device Id: asnu +11-July-2017 02:45:07 low dolor5930.internal.host eritin <yCic 2017-7-11T2:45:07.nder mdolore2604.api.domain CylancePROTECT saqu iscive [quasiar] Event Type: ExploitAttempt, Event Name: Registration, Device Name: quido, IP Address: (10.63.231.55), Action: deny, Process ID: 2622, Process Name: stquid.exe, User Name: turadipi, Violation Type: usmodi, Zone Names: ree +25-Jul-2017 9:47:41 medium illu4130.internal.lan temUten <sitamet 25T09:47:41.utlabo tetur4690.mail.lan CylancePROTECT Event Name: ZoneAddDevice, Device Name: ecatcupi, IP Address: (10.6.6.242), Action: allow, Process ID: 4938, Process Name: onse.exe, User Name: olorem, Violation Type: turvel, Zone Names:eratv +Aug 8 4:50:15 umwritte7596.internal.localdomain CylancePROTECT Event Type:nse, Event Name:pechange, Message: Provider:iameaque, Source IP:10.232.119.56, User: tsed eturad (tiumdolo) +Aug 22 11:52:50 imadmi6980.www.localdomain CylancePROTECT Event Type:olupta, Event Name:LoginSuccess, Device Name:iatqu, Zone Names:inBCSedu, Device Id: erspi +iacons 2017-9-6T6:55:24.occaec acommodi563.internal.home CylancePROTECT fici imve [quide] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: SHA256: aco; Reason: failure, User: accusa natu (liquid) +20-Sep-2017 1:57:58 medium idolo5752.mail.example ugiatquo <uptate 20T13:57:58.lloinven econs2687.internal.localdomain CylancePROTECT Event Name:LoginSuccess, Device Name:lorsita, Zone Names:eavol +2017-10-4T9:00:32.npr etconsec5410.api.invalid CylancePROTECT laudan litesseq [atcupida] Event Type: AuditLog, Event Name: LoginSuccess, Message: Source: tob; SHA256: dolores; Category: equamnih; Reason: success, User: deF 
itempo (orumw) +mquisno 2017-10-19T4:03:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe +2017/11/02T11:05:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema +2017-11-16T6:08:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse +1-December-2017 01:10:49 high ici7102.www.localdomain itae <atnula 2017-12-1T1:10:49.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat +15-December-2017 08:13:24 low idunt4633.internal.host liquam <oluptat 2017/12/15T08:13:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu +Dec 29 3:15:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori +12-Jan-2018 10:18:32 high isiutali3575.www5.invalid Nemoenim <ide 12T22:18:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: 
orsitam +2018-1-27T5:21:06.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco) +itametco 2018-2-10T12:23:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod +24-Feb-2018 7:26:15 low cte4809.mail.lan uunturma <eserun 24T19:26:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore +Mar 11 2:28:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq +25-Mar-2018 9:31:24 medium arch2905.www5.home ror <doei 25T09:31:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint +2018-4-8T4:33:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +hilmole 2018-4-22T11:36:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido 
+2018-5-7T6:39:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt) +21-May-2018 1:41:41 high ident4293.api.example ercitati <rro 21T13:41:41.oeiusmo nimv4681.internal.lan CylancePROTECT Event Name:Alert, Message: Provider:quisn, Source IP:10.132.23.6, User: etMa llita (ntsunt)#015 +4-Jun-2018 8:44:15 high temsequi4910.mail.host enbyCic <conseq 4T20:44:15.itame tenat5407.www5.test CylancePROTECT Event Name:ThreatUpdated, Device Name:cti, Zone Names:ommodoc +Jun 19 3:46:49 orem7191.mail.test CylancePROTECT Event Type:uisaut, Event Name:ZoneAdd, Device Name:paq, External Device Type:uianon, External Device Vendor ID:nul, External Device Name:onse, External Device Product ID:sitam, External Device Serial Number:inibusBo, Zone Names:illoin +sequatD 2018-7-3T10:49:23.eleumi equ3413.www.example CylancePROTECT tsunt rnat [oremi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Policy Assigned:ctetu; Devices: oreeu , User: uasiarch Malor (boriosa) +2018-7-17T5:51:58.aliqu taedict4891.api.host CylancePROTECT lor auto [rsinto] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: periam was auto assigned to the Zone: IP Address: 10.137.79.74, User: (lors) +1-August-2018 00:54:32 high aquae7068.test ctetura <tDuisau 2018-8-1T12:54:32.aturve ptateve7615.internal.invalid CylancePROTECT tconsect pariat [iutal] Event Type: teturad, Event Name: ZoneAddDevice, Device Names: (isi), Policy Name: idexeac, User: ntu tdolo (nimve) +ola 2018-8-15T7:57:06.ptat quasi4459.domain CylancePROTECT snostr squamest [quisn] Event Type: pteu, Event Name: fullaccess, Device Names: (illumdo), Policy Name: antium, User: remaper eseosq (iatquovo) +mollit 2018-8-29T2:59:40.eosqui dipisciv7116.www.host CylancePROTECT llum mwr [cia] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Device: estiaec;pitlaboUser: tas rcitat (ree) +temaccu 
2018-9-12T10:02:15.uamqua Neq4477.mail.invalid CylancePROTECT nim pteurs [ercitati] Event Type: atem, Event Name: SyslogSettingsSave, Device Name: mipsu, Agent Version: velillu, IP Address: (10.181.241.7), MAC Address: (01:00:5e:e1:72:72), Logged On Users: (riatu), OS: utod +Sep 27 5:04:49 uipe6805.www5.domain CylancePROTECT Event Type:stenat, Event Name:threat_quarantined, Threat Class:sequamn, Threat Subclass:perspici, SHA256:inimve, MD5:aea +udexerci 2018-10-11T12:07:23.uae imveni193.www5.host CylancePROTECT itationu setquas [nbyCi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: magnaali, Source IP: 10.201.95.47, User: isno usBono (ameaq) +lestiae 2018-10-25T7:09:57.iav umiure5186.api.domain CylancePROTECT tno imvenia [culp] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: nesciu; Policy: mali; Value: roinBCSe, User: eetdolor tpersp (assi) +nihilmo 2018-11-9T2:12:32.reetdo xeaco7887.www.localdomain CylancePROTECT hite umfugi [abor] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: remips; Policy: laboreet; Value: uptate, User: tot reme (emeumfu) +2018-11-23T9:15:06.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute +2018-12-7T4:17:40.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat) +Dec 21 11:20:14 olu2576.localdomain CylancePROTECT Event Type:enim, Event Name:Device Updated, Device Name:meaquei, External Device Type:snisiu, External Device Vendor ID:atem, External Device Name:remque, External Device Product ID:dol, External Device Serial Number:tvolupt, Zone Names:sedquia, Device Id: inrepr, Policy Name: lla +Jan 5 6:22:49 tqu6566.www.domain CylancePROTECT Event Type:tinvolu, Event Name:Device Policy Assigned, Message: The Device:dunwas auto assigned to thexceZone:dol, User:equamn +19-Jan-2019 1:25:23 low eiu5375.api.domain 
tcons <ction 19T13:25:23.emveleum siuta2155.lan CylancePROTECT Event Name:DeviceEdit, Device Name:utpe, Agent Version:ill, IP Address: (10.185.28.175), MAC Address: (01:00:5e:1d:a2:74), Logged On Users: (tasu), OS:sci, Zone Names:isquames +Feb 2 8:27:57 iatnula4065.www5.corp CylancePROTECT Event Type:corporis, Event Name:threat_found, Device Message: Device: mmodic; Zones Removed: essequam; Zones Added: undeo,ficiadeUser: uiinea uianonn (eavolupt), Zone Names:dantium Device Id: ors +trude 2019-2-17T3:30:32.snulap onsequat5480.mail.localdomain CylancePROTECT pariatur cita [tvo] Event Type: ema, Event Name: pechange, Threat Class: atemacc, Threat Subclass: labore, SHA256: iqua, MD5: ciunt +Mar 3 10:33:06 ostrumex5015.internal.lan CylancePROTECT Event Type:imaven, Event Name:Device Policy Assigned, Threat Class:uiineav, Threat Subclass:nder, SHA256:lore, MD5:nim +psamvolu 2019/03/17T17:35:40.teturad ritq7853.api.home CylancePROTECT urautodi equamni [fugia] Event Type: AppControl, Event Name: threat_changed, Device Name: nost, IP Address: (10.36.193.127), Action: allow, Action Type: suntincu, File Path: imidest, SHA256: citation, Zone Names: emquel +Apr 1 12:38:14 loremeum2477.www5.localhost CylancePROTECT Event Type:rrorsit, Event Name:threat_changed, Device Message: Device: riameaqu; Policy Changed: etd to 'omnisi', User: dolor rsp (quir), Zone Names:giatqu +15-Apr-2019 7:40:49 medium roiden5489.www5.corp nihilm <orisnisi 15T07:40:49.emquiav ptat5066.www.lan CylancePROTECT Event Name:SyslogSettingsSave, Device Name:ionula, Zone Names:itaed +29-Apr-2019 2:43:23 medium tincul407.corp amq <lab 29T14:43:23.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid +untur 2019/05/13T21:45:57.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: 
ula, File Path: itsed, SHA256: rad, Zone Names: olupta +2019-5-28T4:48:31.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude +ecillum 2019-6-11T11:51:06.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim +Jun 25 6:53:40 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele +Jul 10 1:56:14 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu +2019-7-24T8:58:48.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam +Aug 7 4:01:23 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup +ecatcup 2019-8-21T11:03:57.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, 
External Device Serial Number: ons, Zone Names: amestqu +2019-9-5T6:06:31.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen) +tatevel 2019-9-19T1:09:05.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass) +veli 2019-10-3T8:11:40.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo) +18-October-2019 03:14:14 medium ocons2813.mail.lan natu <acomm 2019-10-18T3:14:14.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) +Nov 1 10:16:48 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod +Nov 15 5:19:22 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit +rinci 2019-11-30T12:21:57.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta +14-Dec-2019 7:24:31 low ntutlabo6923.localhost eacommo <tionevol 14T07:24:31.itvo asi4651.api.test CylancePROTECT Event 
Name:Registration, Device Message: Device: emp; Zones Removed: emoeni,officiadUser: veniam labo (ssecill), Zone Names:umquam Device Id: onev diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index de04895bc21..8a5e599a976 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
@@ -227,29 +227,29 @@ { "@timestamp": "2020-04-24T14:25:25.000Z", "event.action": [ - "Device Policy Assigned" + "SystemSecurity" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 24 12:25:25 iat1852.api.localdomain CylancePROTECT Event Type:elits, Event Name:Device Policy Assigned, Device Message: Device: ipis; Policy Changed: gelits to 'tatevel', User: abilloi iam (mqua), Zone Names:atat, Device Id: quunt", + "event.original": "24-Apr-2016 12:25:25 very-high orsitame3869.localhost iam <umdo 24T00:25:25.sed apariat4194.www5.local CylancePROTECT Event Name:SystemSecurity, Message: The Device:onsewas auto assigned torumetZone:oll, User:erc", "fileset.name": "protect", + "host.name": "apariat4194.www5.local", "input.type": "log", "log.offset": 1819, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "atat", - "rsa.identity.firstname": "abilloi", - "rsa.identity.lastname": "iam", + "rsa.identity.firstname": "erc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "elits", - "rsa.misc.device_name": "ipis", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "mqua", - "rsa.misc.policy_name": "tatevel", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "onse", + "rsa.network.alias_host": [ + "apariat4194.www5.local" + ], + "rsa.network.zone": "oll", "rsa.time.event_time": "2020-04-24T14:25:25.000Z", "service.type": "cylance", "tags": [ 
@@ -260,71 +260,65 @@ { "@timestamp": "2016-05-08T09:27:59.000Z", "event.action": [ - "Registration" + "Device Updated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-May-2016 07:27:59 high avol7616.api.test isqu <idolore 2016-5-8T7:27:59.onse liq5883.localdomain CylancePROTECT emeumfug upta [omn] Event Type: ipsumq, Event Name: Registration, Device Name: ons, Agent Version: tessec, IP Address: (10.215.110.141, nsect), MAC Address: (01:00:5e:58:a9:90, ionul), Logged On Users: (nibus), OS: edquiano", + "event.original": "aspern 2016-5-8T7:27:59.itlabori Ciceroi3592.www.host CylancePROTECT aper essequ [taevi] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: sitas; Policy: ehenderi; Value: pidatat, User: gni tquiinea (mquaera)", "fileset.name": "protect", - "host.name": "liq5883.localdomain", + "host.name": "Ciceroi3592.www.host", "input.type": "log", - "log.offset": 2054, + "log.offset": 2038, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.215.110.141" - ], - "related.user": [ - "nibus" - ], + "rsa.db.index": "sitas", + "rsa.identity.firstname": "gni", + "rsa.identity.lastname": "tquiinea", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ipsumq", - "rsa.misc.OS": "edquiano", - "rsa.misc.event_type": "Registration", - "rsa.misc.node": "ons", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Device Updated", + "rsa.misc.mail_id": "mquaera", + "rsa.misc.policy_name": "ehenderi", "rsa.network.alias_host": [ - "liq5883.localdomain" + "Ciceroi3592.www.host" ], - "rsa.network.eth_host": "01:00:5e:58:a9:90", "rsa.time.event_time": 
"2016-05-08T09:27:59.000Z", "service.type": "cylance", - "source.ip": [ - "10.215.110.141" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "nibus" + ] }, { "@timestamp": "2020-05-22T04:30:33.000Z", "event.action": [ - "PolicyAdd" + "Device Policy Assigned" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "22-May-2016 2:30:33 low aperi5160.host ipi <lupt 22T14:30:33.xea qua2945.www.local CylancePROTECT Event Name:PolicyAdd, Threat Class:modocons, Threat Subclass:elaudant, SHA256:tinvol, MD5:dolore", + "event.original": "22-May-2016 2:30:33 medium saute2412.internal.domain lorema <labor 22T14:30:33.atuse ddoeiu1152.api.invalid CylancePROTECT Event Name:Device Policy Assigned, Device Name:llumquid, External Device Type:tation, External Device Vendor ID:ips, External Device Name:emeumfug, External Device Product ID:upta, External Device Serial Number:omn, Zone Names:ipsumq", "fileset.name": "protect", - "host.name": "qua2945.www.local", + "host.name": "ddoeiu1152.api.invalid", "input.type": "log", - "log.offset": 2397, + "log.offset": 2262, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "modocons", + "rsa.db.index": "ipsumq", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.misc.checksum": "tinvol", - "rsa.misc.event_type": "PolicyAdd", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.device_name": "tation", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "llumquid", + "rsa.misc.serial_number": "omn", "rsa.network.alias_host": [ - "qua2945.www.local" + "ddoeiu1152.api.invalid" ], "rsa.time.event_time": "2020-05-22T04:30:33.000Z", "service.type": "cylance", 
@@ -336,61 +330,77 @@ { "@timestamp": "2016-06-05T11:33:08.000Z", "event.action": [ - "threat_found" + "cancel", + "Device Policy Assigned" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "liquide 2016-6-5T9:33:08.uasia emp4209.host CylancePROTECT giatquov eritquii [dexeac] Event Type: Threat, Event Name: threat_found, Device Name: taut, IP Address: (10.114.138.121), File Name: imad, Path: msequi, Drive Type: isnostru, SHA256: iquaUten, MD5: santium, Status: iciatisu, Cylance Score: 0.803000, Found Date: emagnama, File Type: eprehend, Is Running: hil, Auto Run: atquovo, Detected By: suntinc, Zone Names: xeac, Is Malware: nidolo, Is Unique To Cylance: tatn, Threat Classification: eli ", + "event.original": "5-June-2016 21:33:08 low ipi7385.www.home eseru <orain 2016-6-5T9:33:08.quip oin6316.www5.host CylancePROTECT tinvol dolore [abor] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: eddoei, IP Address: (10.22.128.42), Action: cancel, Process ID: 1120, Process Name: ditautfu.exe, User Name: piscing, Violation Type: roq, Zone Names: ostr", "fileset.name": "protect", - "host.name": "emp4209.host", + "host.name": "oin6316.www5.host", "input.type": "log", - "log.offset": 2602, + "log.offset": 2625, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " xeac, Is Malware: nidolo, Is Unique To Cylance: tatn, Threat Classification: eli", + "process.name": "ditautfu.exe", + "process.pid": 1120, + "related.ip": [ + "10.22.128.42" + ], + "related.user": [ + "piscing" + ], + "rsa.db.index": "ostr", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "taut, IP Address: (10.114.138.121), File Name: imad, Path: msequi, Drive Type: 
isnostru, SHA256: iquaUten, MD5: santium, Status: iciatisu, Cylance Score: 0.803000, Found Date: emagnama, File Type: eprehend, Is Running: hil, Auto Run: atquovo, Detected By: suntinc", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "eddoei", + "rsa.misc.policy_name": "roq", "rsa.network.alias_host": [ - "emp4209.host" + "oin6316.www5.host" ], "rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "cylance", + "source.ip": [ + "10.22.128.42" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "piscing" }, { "@timestamp": "2016-06-20T06:35:42.000Z", "event.action": [ - "SyslogSettingsSave" + "ThreatUpdated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "reetd 2016-6-20T4:35:42.lumqui itinvo7084.mail.corp CylancePROTECT equep iavolu [den] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: rpo, IP Address: (10.133.32.68), File Name: siarchi, Path: datatn, Drive Type: mqu, SHA256: apariat, MD5: tlabore, Status: untmolli, Cylance Score: 62.683000, Found Date: atDu, File Type: eav, Is Running: ionevo, Auto Run: remagn, Detected By: run, Zone Names: mque, Is Malware: uovolup, Is Unique To Cylance: samvolu, Threat Classification: ittenbyC ", + "event.original": "2016-6-20T4:35:42.moenimi temporin6518.invalid CylancePROTECT agnaali llitani [inima] Event Type: tlabo, Event Name: ThreatUpdated, Device Name: nihi", "fileset.name": "protect", - "host.name": "itinvo7084.mail.corp", + "host.name": "temporin6518.invalid", "input.type": "log", - "log.offset": 3106, + "log.offset": 2997, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " mque, Is Malware: uovolup, Is Unique To Cylance: 
samvolu, Threat Classification: ittenbyC", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Threat", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "rpo, IP Address: (10.133.32.68), File Name: siarchi, Path: datatn, Drive Type: mqu, SHA256: apariat, MD5: tlabore, Status: untmolli, Cylance Score: 62.683000, Found Date: atDu, File Type: eav, Is Running: ionevo, Auto Run: remagn, Detected By: run", + "rsa.investigations.event_vcat": "tlabo", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "nihi", "rsa.network.alias_host": [ - "itinvo7084.mail.corp" + "temporin6518.invalid" ], "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "cylance", @@ -412,7 +422,7 @@ "fileset.name": "protect", "host.name": "commod3331.host", "input.type": "log", - "log.offset": 3609, + "log.offset": 3147, "network.application": "taevit", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -448,7 +458,7 @@ "fileset.name": "protect", "host.name": "iae1637.local", "input.type": "log", - "log.offset": 3856, + "log.offset": 3394, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -484,7 +494,7 @@ "fileset.name": "protect", "host.name": "pre2433.mail.domain", "input.type": "log", - "log.offset": 4051, + "log.offset": 3589, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -519,7 +529,7 @@ "fileset.name": "protect", "host.name": "didunt1355.corp", "input.type": "log", - "log.offset": 4298, + "log.offset": 3836, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", 
@@ -562,7 +572,7 @@ "event.original": "Aug 30 3:48:33 rroquis6074.api.host CylancePROTECT Event Type:iurer, Event Name:ZoneAdd, Message: Device:autfuwas auto assigned to thegnaaliqZone:mni, User:rem", "fileset.name": "protect", "input.type": "log", - "log.offset": 4604, + "log.offset": 4142, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -593,7 +603,7 @@ "fileset.name": "protect", "host.name": "volupta5074.internal.localhost", "input.type": "log", - "log.offset": 4764, + "log.offset": 4302, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -625,7 +635,7 @@ "event.original": "Sep 28 5:53:42 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned tomadmiZone:tur, User:roi", "fileset.name": "protect", "input.type": "log", - "log.offset": 4996, + "log.offset": 4534, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -647,8 +657,8 @@ { "@timestamp": "2016-10-12T14:56:16.000Z", "event.action": [ - "accept", - "fullaccess" + "fullaccess", + "accept" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -658,7 +668,7 @@ "fileset.name": "protect", "host.name": "mod7387.host", "input.type": "log", - "log.offset": 5174, + "log.offset": 4712, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", 
@@ -697,11 +707,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol)nve ", + "event.original": "eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol)", "fileset.name": "protect", "host.name": "xeacomm1940.localhost", "input.type": "log", - "log.offset": 5450, + "log.offset": 4988, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", 
@@ -727,39 +737,6 @@ }, { "@timestamp": "2016-11-10T05:01:24.000Z", - "event.action": [ - "SystemSecurity" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-11-10T3:01:24.siutali amnih2718.internal.example CylancePROTECT tau exercita [ris] Event Type: eumiu, Event Name: SystemSecurity, Device Name: laudant, Zone Names:isnost", - "fileset.name": "protect", - "host.name": "amnih2718.internal.example", - "input.type": "log", - "log.offset": 5659, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "isnost", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "eumiu", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "laudant", - "rsa.network.alias_host": [ - "amnih2718.internal.example" - ], - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2016-11-24T12:03:59.000Z", "event.action": [ "block", "DeviceEdit" 
@@ -767,12 +744,12 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "itess 2016/11/24T10:03:59.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui", + "event.original": "itess 2016/11/10T03:01:24.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui", "file.directory": "ineavo", "fileset.name": "protect", "host.name": "ofdeFini4153.mail.localhost", "input.type": "log", - "log.offset": 5834, + "log.offset": 5193, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -793,7 +770,7 @@ "rsa.network.alias_host": [ "ofdeFini4153.mail.localhost" ], - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", "service.type": "cylance", "source.ip": [ "10.82.173.5" 
@@ -804,18 +781,18 @@ ] }, { - "@timestamp": "2016-12-08T07:06:33.000Z", + "@timestamp": "2016-11-24T12:03:59.000Z", "event.action": [ "SystemSecurity" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-December-2016 17:06:33 low gitsed4374.www5.home fugitsed <quid 2016-12-8T5:06:33.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam)", + "event.original": "24-November-2016 10:03:59 low gitsed4374.www5.home fugitsed <quid 2016-11-24T10:03:59.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam)", "fileset.name": "protect", "host.name": "atisun6373.mail.localhost", "input.type": "log", - "log.offset": 6119, + "log.offset": 5478, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -832,7 +809,7 @@ "rsa.network.alias_host": [ "atisun6373.mail.localhost" ], - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -840,19 +817,19 @@ ] }, { - "@timestamp": "2016-12-23T14:09:07.000Z", + "@timestamp": "2016-12-08T07:06:33.000Z", "event.action": [ "Registration" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "inesci 2016-12-23T12:09:07.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo", + "event.original": "inesci 2016-12-8T5:06:33.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo", "file.directory": "rpori", "fileset.name": "protect", "host.name": "ritatise4412.mail.localdomain", "input.type": "log", - "log.offset": 6396, + "log.offset": 5758, "network.application": "ice", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -871,7 +848,7 @@ "rsa.network.alias_host": [ "ritatise4412.mail.localdomain" ], - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -880,18 +857,18 @@ "user.name": "commodo" }, { - "@timestamp": "2017-01-06T09:11:41.000Z", + "@timestamp": "2016-12-23T14:09:07.000Z", "event.action": [ "PolicyAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "sau 2017-1-6T7:11:41.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea)", + "event.original": "sau 2016-12-23T12:09:07.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea)", "fileset.name": "protect", "host.name": "meius3932.internal.example", "input.type": "log", - "log.offset": 6672, + "log.offset": 6032, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -908,7 +885,7 @@ "rsa.network.alias_host": [ "meius3932.internal.example" ], - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -916,18 +893,18 @@ ] }, { - "@timestamp": "2017-01-20T04:14:16.000Z", + "@timestamp": "2017-01-06T09:11:41.000Z", "event.action": [ "ZoneAddDevice" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-1-20T2:14:16.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp)", + "event.original": "2017-1-6T7:11:41.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp)", "fileset.name": "protect", "host.name": "ano1049.www5.localdomain", "input.type": "log", - "log.offset": 6899, + "log.offset": 6262, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -943,7 +920,7 @@ "rsa.network.alias_host": [ "ano1049.www5.localdomain" ], - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -951,18 +928,18 @@ ] }, { - "@timestamp": "2017-02-03T11:16:50.000Z", + "@timestamp": "2017-01-20T04:14:16.000Z", "event.action": [ "pechange" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "umwrit 2017-2-3T9:16:50.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna)ncididun ", + "event.original": "umwrit 2017-1-20T2:14:16.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna)", "fileset.name": "protect", "host.name": "mac765.mail.invalid", "input.type": "log", - "log.offset": 7088, + "log.offset": 6450, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -979,7 +956,7 @@ "rsa.network.alias_host": [ "mac765.mail.invalid" ], - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -987,80 +964,80 @@ ] }, { - "@timestamp": "2017-02-18T06:19:24.000Z", + "@timestamp": "2020-02-03T11:16:50.000Z", "event.action": [ - "LoginSuccess", - "deny" + "DeviceRemove" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ise 2017/02/18T04:19:24.itau apariat1702.internal.local CylancePROTECT ian dolore [onsecte] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ect, IP Address: (10.41.123.102), Action: deny, Action Type: fugia, File Path: oditautf, SHA256: quatu, Zone Names: veli", - "file.directory": "oditautf", + "event.original": "3-Feb-2017 9:16:50 high rum959.host velillu <bor 3T21:16:50.rauto ationev5770.www.invalid CylancePROTECT Event Name:DeviceRemove, Device Name:nby, Agent Version:mve, IP Address: (10.96.201.115), MAC Address: (01:00:5e:94:55:60), Logged On Users: (inimve), OS:pis, Zone Names:nsequat", "fileset.name": "protect", - "host.name": "apariat1702.internal.local", + "host.name": "ationev5770.www.invalid", "input.type": "log", - "log.offset": 7295, + "log.offset": 6649, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.41.123.102" + "10.96.201.115" ], - "rsa.db.index": "veli", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "deny" + "related.user": [ + "inimve" ], - "rsa.misc.checksum": "quatu", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "ect", + "rsa.db.index": "nsequat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.OS": "pis", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "nby", "rsa.network.alias_host": [ - "apariat1702.internal.local" + 
"ationev5770.www.invalid" ], - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.network.eth_host": "01:00:5e:94:55:60", + "rsa.time.event_time": "2020-02-03T11:16:50.000Z", "service.type": "cylance", "source.ip": [ - "10.41.123.102" + "10.96.201.115" ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "inimve" }, { - "@timestamp": "2017-03-04T13:21:59.000Z", + "@timestamp": "2017-02-18T06:19:24.000Z", "event.action": [ - "Alert" + "threat_changed" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-3-4T11:21:59.labo ulapar6827.www.local CylancePROTECT par lorin [pitl] Event Type: AuditLog, Event Name: Alert, Message: Zone: urv; Policy: ama; Value: uatur, User: adminimv odi (ptass)", + "event.original": "18-February-2017 04:19:24 low ercit7022.host qui <temporin 2017-2-18T4:19:24.equatur adeseru2497.www5.host CylancePROTECT rem asper [idunt] Event Type: ScriptControl, Event Name: threat_changed, Device Name: amcor, File Path: ica, Interpreter: lillum, Interpreter Version: 1.7809 (dicta), Zone Names: taedicta", + "file.directory": "ica", "fileset.name": "protect", - "host.name": "ulapar6827.www.local", + "host.name": "adeseru2497.www5.host", "input.type": "log", - "log.offset": 7571, + "log.offset": 6942, + "network.application": "lillum", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "urv", - "rsa.identity.firstname": "adminimv", - "rsa.identity.lastname": "odi", + "observer.version": "1.7809", + "rsa.db.index": "taedicta", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "ptass", - "rsa.misc.policy_name": "ama", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": 
"Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "amcor", + "rsa.misc.version": "1.7809", "rsa.network.alias_host": [ - "ulapar6827.www.local" + "adeseru2497.www5.host" ], - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1068,36 +1045,34 @@ ] }, { - "@timestamp": "2017-03-18T08:24:33.000Z", + "@timestamp": "2017-03-04T13:21:59.000Z", "event.action": [ "DeviceEdit" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-3-18T6:24:33.mdol itation6137.home CylancePROTECT osqui sequat [sund] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: ven; SHA256: rQu; Category: mco, User: cipitl onemulla (evitaed)inimveni ", + "event.original": "itesseq 2017-3-4T11:21:59.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel [nof] Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: 10.230.206.60, User: ipi imveniam (uaeab)", "fileset.name": "protect", - "host.name": "itation6137.home", + "host.name": "veniamqu7284.mail.invalid", "input.type": "log", - "log.offset": 7762, + "log.offset": 7259, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "cipitl", - "rsa.identity.lastname": "onemulla", + "rsa.db.index": "The Device: tetur was auto assigned to the Zone: IP Address: 10.230.206.60", + "rsa.identity.firstname": "ipi", + "rsa.identity.lastname": "imveniam", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "mco", - "rsa.misc.checksum": "rQu", "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "evitaed", - "rsa.misc.policy_name": "ven; SHA256: rQu; Category: mco", + "rsa.misc.mail_id": "uaeab", "rsa.network.alias_host": [ - "itation6137.home" + "veniamqu7284.mail.invalid" ], - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1105,99 +1080,107 @@ ] }, { - "@timestamp": "2017-04-02T03:27:07.000Z", + "@timestamp": "2017-03-18T08:24:33.000Z", "event.action": [ - "Alert" + "DeviceRemove" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-4-2T1:27:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)remagn ", + "event.original": "18-March-2017 18:24:33 low lupta5708.www.test amcor <ineavol 2017-3-18T6:24:33.iosa boNemoe2025.lan CylancePROTECT amvolupt onevolu [mnis] Event Type: AuditLog, Event Name: DeviceRemove, Message: The Device: ites was auto assigned to the Zone: IP Address: 10.126.26.131, User: (nisiut)", "fileset.name": "protect", - "host.name": "emeumfug4387.internal.lan", + "host.name": "boNemoe2025.lan", "input.type": "log", - "log.offset": 7974, + "log.offset": 7508, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "ccaeca", - "rsa.identity.lastname": "niamq", + "related.ip": [ + "10.126.26.131" + ], + "rsa.db.index": "The Device: ites was auto assigned to the Zone: IP Address: 10.126.26.131", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "iduntu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "lapariat", - "rsa.misc.node": "untincul", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "ites", "rsa.network.alias_host": [ - "emeumfug4387.internal.lan" + "boNemoe2025.lan" ], - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.event_time": 
"2017-03-18T08:24:33.000Z", "service.type": "cylance", + "source.ip": [ + "10.126.26.131" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-04-16T10:29:41.000Z", + "@timestamp": "2020-04-02T03:27:07.000Z", "event.action": [ - "Device Policy Assigned" + "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "16-Apr-2017 8:29:41 medium volupt2952.api.local esseq <boru 16T08:29:41.ptateve enderi6555.api.host CylancePROTECT Event Name:Device Policy Assigned, Threat Class:tenatuse, Threat Subclass:psaqua, SHA256:ullamcor, MD5:itationu", + "event.original": "2-Apr-2017 1:27:07 low elit429.api.invalid borisnis <emqu 2T01:27:07.nderi acommod6195.www.home CylancePROTECT Event Name:SyslogSettingsSave, Message: Provider:eratvol, Source IP:10.253.132.145, User: est uptatemU (leumiu)#015", "fileset.name": "protect", - "host.name": "enderi6555.api.host", + "host.name": "acommod6195.www.home", "input.type": "log", - "log.offset": 8185, + "log.offset": 7804, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "tenatuse", + "related.ip": [ + "10.253.132.145" + ], + "rsa.identity.firstname": "est", + "rsa.identity.lastname": "uptatemU", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.checksum": "ullamcor", - "rsa.misc.event_type": "Device Policy Assigned", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "leumiu", "rsa.network.alias_host": [ - "enderi6555.api.host" + "acommod6195.www.home" ], - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "service.type": "cylance", + "source.ip": [ + "10.253.132.145" + ], "tags": [ 
"cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-04-30T05:32:16.000Z", + "@timestamp": "2020-04-16T10:29:41.000Z", "event.action": [ - "ZoneAdd" + "DeviceEdit" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 30 3:32:16 estl2233.api.corp CylancePROTECT Event Type:oluptat, Event Name:ZoneAdd, Device Message: Device: rure; Zones Removed: asiarchi,eaqueipsUser: qua volupta (dmi), Zone Names:untexpl", + "event.original": "Apr 16 8:29:41 enderit4328.corp CylancePROTECT Event Type:Nequepor, Event Name:DeviceEdit, Message: Device:remwas auto assigned to theididZone:tesse, User:sequat", "fileset.name": "protect", "input.type": "log", - "log.offset": 8422, + "log.offset": 8039, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "untexpl", - "rsa.identity.firstname": "qua", - "rsa.identity.lastname": "volupta", + "rsa.identity.firstname": "sequat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "oluptat", - "rsa.misc.device_name": "rure", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "dmi", - "rsa.time.event_time": "2020-04-30T05:32:16.000Z", + "rsa.investigations.event_vcat": "Nequepor", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "rem", + "rsa.network.zone": "tesse", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1205,31 +1188,68 @@ ] }, { - "@timestamp": "2017-05-14T12:34:50.000Z", + "@timestamp": "2017-04-30T05:32:16.000Z", "event.action": [ - "threat_found" + "threat_changed" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-5-14T10:34:50.licaboN atquo4897.mail.lan CylancePROTECT ntexpl dunt [litsedq] Event Type: DeviceControl, Event Name: threat_found, Device Name: nder, External Device Type: mdolore, External Device Vendor ID: Cic, External Device Name: olorema, External Device Product ID: mollita, External Device Serial Number: tatem, Zone Names: iae", + "event.original": "2017-4-30T3:32:16.aliq mes4801.internal.test CylancePROTECT itaedict oremag [illu] Event Type: AuditLog, Event Name: threat_changed, Message: SHA256: turadip; Reason: success, User: temUt ptassita (its)", "fileset.name": "protect", - "host.name": "atquo4897.mail.lan", + "host.name": "mes4801.internal.test", "input.type": "log", - "log.offset": 8616, + "log.offset": 8201, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "iae", + "rsa.identity.firstname": "temUt", + "rsa.identity.lastname": "ptassita", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "nder", - "rsa.misc.serial_number": "tatem", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "turadip", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.mail_id": "its", + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "mes4801.internal.test" + ], + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "event.action": [ + "PolicyAdd" + ], + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ori 2017-5-14T10:34:50.tconsect rum1594.api.domain CylancePROTECT ulla iqu [oin] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: abore,squUser: uiadol Duisa (lupta)", + "fileset.name": "protect", + "host.name": "rum1594.api.domain", + "input.type": "log", + "log.offset": 8404, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "uiadol", + "rsa.identity.lastname": "Duisa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "lupta", + "rsa.misc.node": "abore", "rsa.network.alias_host": [ - "atquo4897.mail.lan" + "rum1594.api.domain" ], "rsa.time.event_time": "2017-05-14T12:34:50.000Z", "service.type": "cylance", 
@@ -1241,29 +1261,31 @@ { "@timestamp": "2017-05-29T07:37:24.000Z", "event.action": [ - "LoginSuccess" + "ZoneAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "29-May-2017 05:37:24 medium taliqui5348.mail.localdomain loremag <iatqu 2017-5-29T5:37:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", + "event.original": "2017-5-29T5:37:24.asi ectiono2241.lan CylancePROTECT onu liquaUte [alorum] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ria; Policy: atDu; Value: nsec, User: quidolor oqu (naaliq)", "fileset.name": "protect", - "host.name": "erspi5757.local", + "host.name": "ectiono2241.lan", "input.type": "log", - "log.offset": 8956, + "log.offset": 8584, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "undeomni", + "rsa.db.index": "ria", + "rsa.identity.firstname": "quidolor", + "rsa.identity.lastname": "oqu", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "uov", - "rsa.misc.serial_number": "quaU", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "naaliq", + "rsa.misc.policy_name": "atDu", "rsa.network.alias_host": [ - "erspi5757.local" + "ectiono2241.lan" ], "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "cylance", 
@@ -1273,31 +1295,33 @@ ] }, { - "@timestamp": "2020-06-12T14:39:58.000Z", + "@timestamp": "2017-06-12T14:39:58.000Z", "event.action": [ - "threat_found" + "ThreatUpdated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jun 12 12:39:58 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium,uptateUser: lloinven econs (lmolesti), Zone Names:apariatu Device Id: lorsita", + "event.original": "2017-6-12T12:39:58.eaqueips qua3862.mail.home CylancePROTECT aturQu aaliq [mipsamvo] Event Type: DeviceControl, Event Name: ThreatUpdated, Device Name: rsintoc, External Device Type: reetdo, External Device Vendor ID: oreveri, External Device Name: ehende, External Device Product ID: eaqueip, External Device Serial Number: eum, Zone Names: lamc", "fileset.name": "protect", + "host.name": "qua3862.mail.home", "input.type": "log", - "log.offset": 9369, + "log.offset": 8777, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "apariatu", - "rsa.identity.firstname": "lloinven", - "rsa.identity.lastname": "econs", + "rsa.db.index": "lamc", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "idolo", - "rsa.misc.device_name": "edolo", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "lmolesti", - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "rsintoc", + "rsa.misc.serial_number": "eum", + "rsa.network.alias_host": [ + "qua3862.mail.home" + ], + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1305,34 +1329,34 @@ ] }, { - "@timestamp": "2017-06-26T09:42:33.000Z", + "@timestamp": "2020-06-26T09:42:33.000Z", "event.action": [ - "PolicyAdd" + "SystemSecurity" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "26-June-2017 19:42:33 high lupta7560.www5.localdomain ncidi <laudan 2017-6-26T7:42:33.litesseq atcupida7685.local CylancePROTECT dolores equamnih [taliqui] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: itempo,orumwUser: redol ecillum (isci)", + "event.original": "26-Jun-2017 7:42:33 high metcons5740.mail.localhost sitvo <obeata 26T19:42:33.tatemU mad5185.www5.localhost CylancePROTECT Event Name:SystemSecurity, Device Message: Device: gnaa; Zones Removed: mod; Zones Added: doei,cipitlUser: caboNemo dexerc (strumex), Zone Names:eprehend Device Id: asnu", "fileset.name": "protect", - "host.name": "atcupida7685.local", + "host.name": "mad5185.www5.localhost", "input.type": "log", - "log.offset": 9617, + "log.offset": 9124, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "redol", - "rsa.identity.lastname": "ecillum", + "rsa.db.index": "eprehend", + "rsa.identity.firstname": "caboNemo", + "rsa.identity.lastname": "dexerc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "isci", - "rsa.misc.node": "itempo", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.misc.device_name": "gnaa", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "strumex", "rsa.network.alias_host": [ - "atcupida7685.local" + "mad5185.www5.localhost" ], - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.event_time": "2020-06-26T09:42:33.000Z", 
"service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1342,35 +1366,304 @@ { "@timestamp": "2017-07-11T04:45:07.000Z", "event.action": [ - "allow", - "Device Policy Assigned" + "Registration", + "deny" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "mquisno 2017-7-11T2:45:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe", + "event.original": "11-July-2017 02:45:07 low dolor5930.internal.host eritin <yCic 2017-7-11T2:45:07.nder mdolore2604.api.domain CylancePROTECT saqu iscive [quasiar] Event Type: ExploitAttempt, Event Name: Registration, Device Name: quido, IP Address: (10.63.231.55), Action: deny, Process ID: 2622, Process Name: stquid.exe, User Name: turadipi, Violation Type: usmodi, Zone Names: ree", "fileset.name": "protect", - "host.name": "inrepr72.internal.home", + "host.name": "mdolore2604.api.domain", "input.type": "log", - "log.offset": 9884, + "log.offset": 9427, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "odt.exe", - "process.pid": 2957, + "process.name": "stquid.exe", + "process.pid": 2622, "related.ip": [ - "10.169.5.162" + "10.63.231.55" ], "related.user": [ - "cillumd" + "turadipi" ], - "rsa.db.index": "tNe", + "rsa.db.index": "ree", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " ExploitAttempt", "rsa.misc.action": [ - "allow" + "deny" + ], + "rsa.misc.event_type": "Registration", + "rsa.misc.node": "quido", + "rsa.misc.policy_name": "usmodi", + "rsa.network.alias_host": [ + 
"mdolore2604.api.domain" + ], + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "cylance", + "source.ip": [ + "10.63.231.55" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "turadipi" + }, + { + "@timestamp": "2019-07-25T11:47:41.000Z", + "event.action": [ + "ZoneAddDevice", + "allow" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Jul-2017 9:47:41 medium illu4130.internal.lan temUten <sitamet 25T09:47:41.utlabo tetur4690.mail.lan CylancePROTECT Event Name: ZoneAddDevice, Device Name: ecatcupi, IP Address: (10.6.6.242), Action: allow, Process ID: 4938, Process Name: onse.exe, User Name: olorem, Violation Type: turvel, Zone Names:eratv", + "fileset.name": "protect", + "host.name": "tetur4690.mail.lan", + "input.type": "log", + "log.offset": 9800, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "onse.exe", + "process.pid": 4938, + "related.ip": [ + "10.6.6.242" + ], + "related.user": [ + "olorem" + ], + "rsa.db.index": "eratv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.device_name": "ecatcupi", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.policy_name": "turvel", + "rsa.network.alias_host": [ + "tetur4690.mail.lan" + ], + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "cylance", + "source.ip": [ + "10.6.6.242" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "olorem" + }, + { + "@timestamp": "2019-08-08T06:50:15.000Z", + "event.action": [ + "pechange" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 8 4:50:15 umwritte7596.internal.localdomain CylancePROTECT Event Type:nse, Event 
Name:pechange, Message: Provider:iameaque, Source IP:10.232.119.56, User: tsed eturad (tiumdolo)", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 10120, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.232.119.56" + ], + "rsa.identity.firstname": "tsed", + "rsa.identity.lastname": "eturad", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "nse", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "tiumdolo", + "rsa.time.event_time": "2019-08-08T06:50:15.000Z", + "service.type": "cylance", + "source.ip": [ + "10.232.119.56" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T13:52:50.000Z", + "event.action": [ + "LoginSuccess" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 22 11:52:50 imadmi6980.www.localdomain CylancePROTECT Event Type:olupta, Event Name:LoginSuccess, Device Name:iatqu, Zone Names:inBCSedu, Device Id: erspi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 10302, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "inBCSedu", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": "olupta", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "iatqu", + "rsa.time.event_time": "2019-08-22T13:52:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.action": [ + "Device Policy Assigned" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + 
"event.module": "cylance", + "event.original": "iacons 2017-9-6T6:55:24.occaec acommodi563.internal.home CylancePROTECT fici imve [quide] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: SHA256: aco; Reason: failure, User: accusa natu (liquid)", + "fileset.name": "protect", + "host.name": "acommodi563.internal.home", + "input.type": "log", + "log.offset": 10461, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "accusa", + "rsa.identity.lastname": "natu", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "aco", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "liquid", + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "acommodi563.internal.home" + ], + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-20T03:57:58.000Z", + "event.action": [ + "LoginSuccess" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Sep-2017 1:57:58 medium idolo5752.mail.example ugiatquo <uptate 20T13:57:58.lloinven econs2687.internal.localdomain CylancePROTECT Event Name:LoginSuccess, Device Name:lorsita, Zone Names:eavol", + "fileset.name": "protect", + "host.name": "econs2687.internal.localdomain", + "input.type": "log", + "log.offset": 10675, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "eavol", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "lorsita", + 
"rsa.network.alias_host": [ + "econs2687.internal.localdomain" + ], + "rsa.time.event_time": "2019-09-20T03:57:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "event.action": [ + "LoginSuccess" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-10-4T9:00:32.npr etconsec5410.api.invalid CylancePROTECT laudan litesseq [atcupida] Event Type: AuditLog, Event Name: LoginSuccess, Message: Source: tob; SHA256: dolores; Category: equamnih; Reason: success, User: deF itempo (orumw)", + "fileset.name": "protect", + "host.name": "etconsec5410.api.invalid", + "input.type": "log", + "log.offset": 10879, + "observer.product": "tob", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "deF", + "rsa.identity.lastname": "itempo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "equamnih", + "rsa.misc.checksum": "dolores", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "orumw", + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "etconsec5410.api.invalid" + ], + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.action": [ + "Device Policy Assigned", + "allow" + ], + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "mquisno 2017-10-19T4:03:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, 
Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe", + "fileset.name": "protect", + "host.name": "inrepr72.internal.home", + "input.type": "log", + "log.offset": 11117, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "odt.exe", + "process.pid": 2957, + "related.ip": [ + "10.169.5.162" + ], + "related.user": [ + "cillumd" + ], + "rsa.db.index": "tNe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "allow" ], "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.node": "itasp", @@ -1378,7 +1671,7 @@ "rsa.network.alias_host": [ "inrepr72.internal.home" ], - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "cylance", "source.ip": [ "10.169.5.162" @@ -1390,7 +1683,7 @@ "user.name": "cillumd" }, { - "@timestamp": "2017-07-25T11:47:41.000Z", + "@timestamp": "2017-11-02T13:05:41.000Z", "event.action": [ "cancel", "SystemSecurity" 
@@ -1398,12 +1691,12 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017/07/25T09:47:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema", + "event.original": "2017/11/02T11:05:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema", "file.directory": "reetdol", "fileset.name": "protect", "host.name": "mexer4472.www5.invalid", "input.type": "log", - "log.offset": 10200, + "log.offset": 11434, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1424,7 +1717,7 @@ "rsa.network.alias_host": [ "mexer4472.www5.invalid" ], - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "cylance", "source.ip": [ "10.230.77.49" 
@@ -1435,18 +1728,18 @@ ] }, { - "@timestamp": "2017-08-08T06:50:15.000Z", + "@timestamp": "2017-11-16T08:08:15.000Z", "event.action": [ "PolicyAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-8-8T4:50:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse", + "event.original": "2017-11-16T6:08:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse", "fileset.name": "protect", "host.name": "Nequepo1858.mail.local", "input.type": "log", - "log.offset": 10481, + "log.offset": 11715, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1459,7 +1752,7 @@ "rsa.network.alias_host": [ "Nequepo1858.mail.local" ], - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1467,18 +1760,18 @@ ] }, { - "@timestamp": "2017-08-22T13:52:50.000Z", + "@timestamp": "2017-12-01T03:10:49.000Z", "event.action": [ "Registration" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "22-August-2017 23:52:50 high ici7102.www.localdomain itae <atnula 2017-8-22T11:52:50.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat", + "event.original": "1-December-2017 01:10:49 high ici7102.www.localdomain itae <atnula 2017-12-1T1:10:49.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat", "fileset.name": "protect", "host.name": "itametc3006.www.test", "input.type": "log", - "log.offset": 10624, + "log.offset": 11860, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1493,7 +1786,7 @@ "rsa.network.alias_host": [ "itametc3006.www.test" ], - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1501,7 +1794,7 @@ ] }, { - "@timestamp": "2017-09-06T08:55:24.000Z", + "@timestamp": "2017-12-15T10:13:24.000Z", "event.action": [ "accept", "threat_quarantined" 
@@ -1509,12 +1802,12 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "6-September-2017 06:55:24 low idunt4633.internal.host liquam <oluptat 2017/09/06T06:55:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu", + "event.original": "15-December-2017 08:13:24 low idunt4633.internal.host liquam <oluptat 2017/12/15T08:13:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu", "file.directory": "atur", "fileset.name": "protect", "host.name": "rspici1916.api.localhost", "input.type": "log", - "log.offset": 11045, + "log.offset": 12281, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1535,7 +1828,7 @@ "rsa.network.alias_host": [ "rspici1916.api.localhost" ], - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "cylance", "source.ip": [ "10.99.209.40" 
@@ -1546,17 +1839,17 @@ ] }, { - "@timestamp": "2019-09-20T03:57:58.000Z", + "@timestamp": "2019-12-29T05:15:58.000Z", "event.action": [ "DeviceRemove" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Sep 20 1:57:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori", + "event.original": "Dec 29 3:15:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori", "fileset.name": "protect", "input.type": "log", - "log.offset": 11395, + "log.offset": 12631, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1575,7 +1868,7 @@ "rsa.misc.event_type": "DeviceRemove", "rsa.misc.node": "iati", "rsa.network.eth_host": "01:00:5e:bc:a3:48", - "rsa.time.event_time": "2019-09-20T03:57:58.000Z", + "rsa.time.event_time": "2019-12-29T05:15:58.000Z", "service.type": "cylance", "source.ip": [ "10.14.74.218" 
@@ -1587,18 +1880,18 @@ "user.name": "Nemoenim" }, { - "@timestamp": "2019-10-04T11:00:32.000Z", + "@timestamp": "2020-01-12T12:18:32.000Z", "event.action": [ "ThreatUpdated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "4-Oct-2017 9:00:32 high isiutali3575.www5.invalid Nemoenim <ide 4T21:00:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam", + "event.original": "12-Jan-2018 10:18:32 high isiutali3575.www5.invalid Nemoenim <ide 12T22:18:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam", "fileset.name": "protect", "host.name": "evitae7333.www.lan", "input.type": "log", - "log.offset": 11640, + "log.offset": 12876, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1614,7 +1907,7 @@ "rsa.network.alias_host": [ "evitae7333.www.lan" ], - "rsa.time.event_time": "2019-10-04T11:00:32.000Z", + "rsa.time.event_time": "2020-01-12T12:18:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1622,18 +1915,18 @@ ] }, { - "@timestamp": "2017-10-19T06:03:07.000Z", + "@timestamp": "2018-01-27T07:21:06.000Z", "event.action": [ "DeviceEdit" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-10-19T4:03:07.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco)", + "event.original": "2018-1-27T5:21:06.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco)", "fileset.name": "protect", "host.name": "radip163.mail.invalid", "input.type": "log", - "log.offset": 11887, + "log.offset": 13126, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1650,7 +1943,7 @@ "rsa.network.alias_host": [ "radip163.mail.invalid" ], - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1658,51 +1951,64 @@ ] }, { - "@timestamp": "2017-11-02T13:05:41.000Z", + "@timestamp": "2018-02-10T14:23:41.000Z", "event.action": [ "threat_changed" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "itametco 2017-11-2T11:05:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod ", + "event.original": "itametco 2018-2-10T12:23:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod", + "file.directory": "ntut", + "file.name": "quamqua", + "file.type": "atnonpr", "fileset.name": "protect", "host.name": "quunt3116.localhost", "input.type": "log", - "log.offset": 12095, + "log.offset": 13333, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod", + "related.ip": [ + "10.152.185.155" + ], + "rsa.crypto.sig_type": "smod", + "rsa.db.index": "enby", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Threat", + "rsa.investigations.event_vcat": " 
Threat", + "rsa.misc.checksum": "meum", + "rsa.misc.event_state": "Loremip", "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui", + "rsa.misc.node": "ptate", "rsa.network.alias_host": [ "quunt3116.localhost" ], - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.web.reputation_num": 58.13, "service.type": "cylance", + "source.ip": [ + "10.152.185.155" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-11-16T08:08:15.000Z", + "@timestamp": "2020-02-24T09:26:15.000Z", "event.action": [ "ZoneAddDevice" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "16-Nov-2017 6:08:15 low cte4809.mail.lan uunturma <eserun 16T18:08:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore", + "event.original": "24-Feb-2018 7:26:15 low cte4809.mail.lan uunturma <eserun 24T19:26:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore", "fileset.name": "protect", "host.name": "emu5311.localdomain", "input.type": "log", - "log.offset": 12580, + "log.offset": 13817, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1718,7 +2024,7 @@ "rsa.network.alias_host": [ "emu5311.localdomain" ], - "rsa.time.event_time": "2019-11-16T08:08:15.000Z", + "rsa.time.event_time": "2020-02-24T09:26:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
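Review bot: The new side at `"rsa.investigations.event_vcat": " Threat"` bakes a leading space into the category value (the old line had `"Threat"`), and the same untrimmed form appears as `" ExploitAttempt"`, `" AuditLog"` and `" AppControl"` in the hunks above, so any exact-match detection rule or dashboard filter on this field will silently miss these events. This expected file is presumably regenerated from the ingest pipeline, so the fix belongs in the pipeline's handling of the `Event Type:` capture (trim the value before assigning it) rather than in this fixture, which should then be regenerated. The enclosing JSON array starts and ends outside the hunk.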
@@ -1726,17 +2032,17 @@ ] }, { - "@timestamp": "2019-12-01T03:10:49.000Z", + "@timestamp": "2020-03-11T04:28:49.000Z", "event.action": [ "PolicyAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Dec 1 1:10:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq ", + "event.original": "Mar 11 2:28:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq ", "fileset.name": "protect", "input.type": "log", - "log.offset": 12833, + "log.offset": 14070, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1749,7 +2055,7 @@ "rsa.misc.event_type": "PolicyAdd", "rsa.misc.node": "quiav", "rsa.misc.serial_number": "ianonnum", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1757,18 +2063,18 @@ ] }, { - "@timestamp": "2019-12-15T10:13:24.000Z", + "@timestamp": "2020-03-25T11:31:24.000Z", "event.action": [ "threat_found" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-Dec-2017 8:13:24 medium arch2905.www5.home ror <doei 15T08:13:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint ", + "event.original": "25-Mar-2018 9:31:24 medium arch2905.www5.home ror <doei 25T09:31:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint ", "fileset.name": "protect", "host.name": "tev2820.www.home", "input.type": "log", - "log.offset": 13164, + "log.offset": 14402, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1783,7 +2089,7 @@ "rsa.network.alias_host": [ "tev2820.www.home" ], - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1791,18 +2097,18 @@ ] }, { - "@timestamp": "2017-12-29T05:15:58.000Z", + "@timestamp": "2018-04-08T06:33:58.000Z", "event.action": [ "ZoneAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-12-29T3:15:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", + "event.original": "2018-4-8T4:33:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", "fileset.name": "protect", "host.name": "sit1400.www.lan", "input.type": "log", - "log.offset": 13543, + "log.offset": 14781, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1819,7 +2125,7 @@ "rsa.network.alias_host": [ "sit1400.www.lan" ], - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1827,18 +2133,18 @@ ] }, { - "@timestamp": "2018-01-12T12:18:32.000Z", + "@timestamp": "2018-04-22T13:36:32.000Z", "event.action": [ "Device Updated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "hilmole 2018-1-12T10:18:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", + "event.original": "hilmole 2018-4-22T11:36:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", "fileset.name": "protect", "host.name": "sectetu7182.localdomain", "input.type": "log", - "log.offset": 13736, + "log.offset": 14972, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", 
@@ -1850,7 +2156,7 @@ "rsa.network.alias_host": [ "sectetu7182.localdomain" ], - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1858,18 +2164,18 @@ ] }, { - "@timestamp": "2018-01-27T07:21:06.000Z", + "@timestamp": "2018-05-07T08:39:06.000Z", "event.action": [ "ZoneAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-1-27T5:21:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt)", + "event.original": "2018-5-7T6:39:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt)", "fileset.name": "protect", "host.name": "officiad4982.www5.domain", "input.type": "log", - "log.offset": 13886, + "log.offset": 15122, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1885,7 +2191,7 @@ "rsa.network.alias_host": [ "officiad4982.www5.domain" ], - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1893,35 +2199,38 @@ ] }, { - "@timestamp": "2020-02-10T14:23:41.000Z", + "@timestamp": "2020-05-21T03:41:41.000Z", "event.action": [ - "threat_quarantined" + "Alert" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Feb 10 12:23:41 umd3889.api.localhost CylancePROTECT Event Type:dat, Event Name:threat_quarantined, Message: Provider:saquaea, Source IP:10.10.178.151, User: uames tconsec (issus)", + "event.original": "21-May-2018 1:41:41 high ident4293.api.example ercitati <rro 21T13:41:41.oeiusmo nimv4681.internal.lan CylancePROTECT Event Name:Alert, Message: Provider:quisn, Source IP:10.132.23.6, User: etMa llita (ntsunt)#015", "fileset.name": "protect", + "host.name": "nimv4681.internal.lan", "input.type": "log", - "log.offset": 14079, + "log.offset": 15314, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.10.178.151" + "10.132.23.6" ], - "rsa.identity.firstname": "uames", - "rsa.identity.lastname": "tconsec", + "rsa.identity.firstname": "etMa", + "rsa.identity.lastname": "llita", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "dat", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.mail_id": "issus", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "ntsunt", + "rsa.network.alias_host": [ + "nimv4681.internal.lan" + ], + "rsa.time.event_time": "2020-05-21T03:41:41.000Z", "service.type": "cylance", "source.ip": [ - "10.10.178.151" + "10.132.23.6" ], "tags": [ "cylance.protect", 
@@ -1929,206 +2238,173 @@ ] }, { - "@timestamp": "2018-02-24T21:26:15.000Z", + "@timestamp": "2020-06-04T10:44:15.000Z", "event.action": [ - "ZoneAdd", - "block" + "ThreatUpdated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018/02/24T19:26:15.caecat cusanti5019.api.home CylancePROTECT quisn rem [ulamcola] Event Type: AppControl, Event Name: ZoneAdd, Device Name: llita, IP Address: (10.117.150.156), Action: block, Action Type: uredol, File Path: maliqua, SHA256: mcorpori, Zone Names: orisn", - "file.directory": "maliqua", + "event.original": "4-Jun-2018 8:44:15 high temsequi4910.mail.host enbyCic <conseq 4T20:44:15.itame tenat5407.www5.test CylancePROTECT Event Name:ThreatUpdated, Device Name:cti, Zone Names:ommodoc", "fileset.name": "protect", - "host.name": "cusanti5019.api.home", + "host.name": "tenat5407.www5.test", "input.type": "log", - "log.offset": 14259, + "log.offset": 15533, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.117.150.156" - ], - "rsa.db.index": "orisn", + "rsa.db.index": "ommodoc", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.checksum": "mcorpori", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.node": "llita", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "cti", "rsa.network.alias_host": [ - "cusanti5019.api.home" + "tenat5407.www5.test" ], - "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "rsa.time.event_time": "2020-06-04T10:44:15.000Z", "service.type": "cylance", - "source.ip": [ - "10.117.150.156" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2018-03-11T04:28:49.000Z", + "@timestamp": "2020-06-19T05:46:49.000Z", "event.action": [ - "fullaccess" + "ZoneAdd" ], 
"event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "11-March-2018 02:28:49 very-high cta5536.mail.localdomain atem <cti 2018-3-11T2:28:49.ommodoc nse3544.local CylancePROTECT tvolu dutper [tlaboru] Event Type: aeabillo, Event Name: fullaccess, Device Name: equuntu, Agent Version: quamni, IP Address: (10.186.8.127), MAC Address: (01:00:5e:bf:58:62), Logged On Users: (boreet), OS: luptasnu Zone Names: ento", + "event.original": "Jun 19 3:46:49 orem7191.mail.test CylancePROTECT Event Type:uisaut, Event Name:ZoneAdd, Device Name:paq, External Device Type:uianon, External Device Vendor ID:nul, External Device Name:onse, External Device Product ID:sitam, External Device Serial Number:inibusBo, Zone Names:illoin", "fileset.name": "protect", - "host.name": "nse3544.local", "input.type": "log", - "log.offset": 14530, + "log.offset": 15717, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.186.8.127" - ], - "related.user": [ - "boreet" - ], - "rsa.db.index": "ento", + "rsa.db.index": "illoin", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "aeabillo", - "rsa.misc.OS": "luptasnu", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "equuntu", - "rsa.network.alias_host": [ - "nse3544.local" - ], - "rsa.network.eth_host": "01:00:5e:bf:58:62", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.investigations.event_vcat": "uisaut", + "rsa.misc.device_name": "uianon", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.node": "paq", + "rsa.misc.serial_number": "inibusBo", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "service.type": "cylance", - "source.ip": [ - "10.186.8.127" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "boreet" + ] }, { - "@timestamp": "2020-03-25T11:31:24.000Z", + 
"@timestamp": "2018-07-03T12:49:23.000Z", "event.action": [ - "SystemSecurity", - "block" + "LoginSuccess" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Mar 25 9:31:24 ovolupta1238.internal.localdomain CylancePROTECT Event Type:ametcon, Event Name: SystemSecurity, Device Name: beat, IP Address: (10.202.89.144), Action: block, Process ID: 6944, Process Name: qua.exe, User Name: iarchite, Violation Type: emsequi, Zone Names:ueporroq, Device Id: ute", + "event.original": "sequatD 2018-7-3T10:49:23.eleumi equ3413.www.example CylancePROTECT tsunt rnat [oremi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Policy Assigned:ctetu; Devices: oreeu , User: uasiarch Malor (boriosa)", "fileset.name": "protect", + "host.name": "equ3413.www.example", "input.type": "log", - "log.offset": 14893, + "log.offset": 16001, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "qua.exe", - "process.pid": 6944, - "related.ip": [ - "10.202.89.144" - ], - "related.user": [ - "iarchite" - ], - "rsa.db.index": "ueporroq", + "rsa.identity.firstname": "uasiarch", + "rsa.identity.lastname": "Malor", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "ametcon", - "rsa.misc.action": [ - "block" + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "boriosa", + "rsa.misc.node": "oreeu", + "rsa.misc.policy_name": "ctetu", + "rsa.network.alias_host": [ + "equ3413.www.example" ], - "rsa.misc.device_name": "beat", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.policy_name": "emsequi", - "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "rsa.time.event_time": 
"2018-07-03T12:49:23.000Z", "service.type": "cylance", - "source.ip": [ - "10.202.89.144" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "iarchite" + ] }, { - "@timestamp": "2018-04-08T06:33:58.000Z", + "@timestamp": "2018-07-17T07:51:58.000Z", "event.action": [ - "ZoneAdd" + "PolicyAdd" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-April-2018 16:33:58 high Bonoru1396.api.invalid rumSecti <adipi 2018-4-8T4:33:58.mquis ratvo1100.www.home CylancePROTECT oluptas nderiti [uatu] Event Type: olupta, Event Name: ZoneAdd, Device Names: (orem), Policy Name: giatqu, User: rsint rsi (paq)", + "event.original": "2018-7-17T5:51:58.aliqu taedict4891.api.host CylancePROTECT lor auto [rsinto] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: periam was auto assigned to the Zone: IP Address: 10.137.79.74, User: (lors)", "fileset.name": "protect", - "host.name": "ratvo1100.www.home", + "host.name": "taedict4891.api.host", "input.type": "log", - "log.offset": 15191, + "log.offset": 16216, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "rsint", - "rsa.identity.lastname": "rsi", + "related.ip": [ + "10.137.79.74" + ], + "rsa.db.index": "The Device: periam was auto assigned to the Zone: IP Address: 10.137.79.74", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "olupta", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "paq", - "rsa.misc.node": "orem", - "rsa.misc.policy_name": "giatqu", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "periam", "rsa.network.alias_host": [ - "ratvo1100.www.home" + 
"taedict4891.api.host" ], - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", "service.type": "cylance", + "source.ip": [ + "10.137.79.74" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2018-04-22T13:36:32.000Z", + "@timestamp": "2018-08-01T14:54:32.000Z", "event.action": [ - "DeviceEdit" + "ZoneAddDevice" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "onse 2018-4-22T11:36:32.sitam inibusBo1209.www.example CylancePROTECT ddoe uid [amnis] Event Type: AuditLog, Event Name: DeviceEdit, Message: sse, User: ihilm incidi (aedictas)", + "event.original": "1-August-2018 00:54:32 high aquae7068.test ctetura <tDuisau 2018-8-1T12:54:32.aturve ptateve7615.internal.invalid CylancePROTECT tconsect pariat [iutal] Event Type: teturad, Event Name: ZoneAddDevice, Device Names: (isi), Policy Name: idexeac, User: ntu tdolo (nimve)", "fileset.name": "protect", - "host.name": "inibusBo1209.www.example", + "host.name": "ptateve7615.internal.invalid", "input.type": "log", - "log.offset": 15451, + "log.offset": 16439, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "sse", - "rsa.identity.firstname": "ihilm", - "rsa.identity.lastname": "incidi", + "rsa.identity.firstname": "ntu", + "rsa.identity.lastname": "tdolo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "aedictas", + "rsa.investigations.event_vcat": "teturad", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "nimve", + "rsa.misc.node": "isi", + "rsa.misc.policy_name": "idexeac", "rsa.network.alias_host": [ - "inibusBo1209.www.example" + "ptateve7615.internal.invalid" ], - "rsa.time.event_time": 
"2018-04-22T13:36:32.000Z", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2136,32 +2412,35 @@ ] }, { - "@timestamp": "2018-05-07T08:39:06.000Z", + "@timestamp": "2018-08-15T09:57:06.000Z", "event.action": [ - "threat_found" + "fullaccess" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "7-May-2018 06:39:06 low urEx4545.local abore <oreeu 2018-5-7T6:39:06.mea ssec5390.api.example CylancePROTECT emi reprehen [tvol] Event Type: ptat, Event Name: threat_found, Threat Class: tdolo, Threat Subclass: sequatD, SHA256: eleumi, MD5: equ", + "event.original": "ola 2018-8-15T7:57:06.ptat quasi4459.domain CylancePROTECT snostr squamest [quisn] Event Type: pteu, Event Name: fullaccess, Device Names: (illumdo), Policy Name: antium, User: remaper eseosq (iatquovo)", "fileset.name": "protect", - "host.name": "ssec5390.api.example", + "host.name": "quasi4459.domain", "input.type": "log", - "log.offset": 15628, + "log.offset": 16716, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "tdolo", + "rsa.identity.firstname": "remaper", + "rsa.identity.lastname": "eseosq", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ptat", - "rsa.misc.checksum": "eleumi", - "rsa.misc.event_type": "threat_found", + "rsa.investigations.event_vcat": "pteu", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.mail_id": "iatquovo", + "rsa.misc.node": "illumdo", + "rsa.misc.policy_name": "antium", "rsa.network.alias_host": [ - "ssec5390.api.example" + "quasi4459.domain" ], - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2169,36 +2448,34 @@ ] }, { - "@timestamp": "2018-05-21T03:41:41.000Z", + "@timestamp": "2018-08-29T04:59:40.000Z", "event.action": [ "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "etc 2018-5-21T1:41:41.eturadip nost5395.www.localhost CylancePROTECT edol sequuntu [quameius] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: nima; SHA256: totamrem; Category: aliqu, User: taedict orum (nsequat)orsitam ", + "event.original": "mollit 2018-8-29T2:59:40.eosqui dipisciv7116.www.host CylancePROTECT llum mwr [cia] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Device: estiaec;pitlaboUser: tas rcitat (ree)", "fileset.name": "protect", - "host.name": "nost5395.www.localhost", + "host.name": "dipisciv7116.www.host", "input.type": "log", - "log.offset": 15880, + "log.offset": 16919, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "taedict", - "rsa.identity.lastname": "orum", + "rsa.identity.firstname": "tas", + "rsa.identity.lastname": "rcitat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "aliqu", - "rsa.misc.checksum": "totamrem", "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "nsequat", - "rsa.misc.policy_name": "nima; SHA256: totamrem; Category: aliqu", + "rsa.misc.mail_id": "ree", + "rsa.misc.node": "estiaec", "rsa.network.alias_host": [ - "nost5395.www.localhost" + "dipisciv7116.www.host" ], - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2206,108 +2483,72 @@ ] }, { - "@timestamp": "2018-06-04T10:44:15.000Z", + "@timestamp": "2018-09-12T12:02:15.000Z", "event.action": [ - "Registration" + "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-6-4T8:44:15.oidentsu oditau3188.internal.home CylancePROTECT temqui lup [aeca] Event Type: AuditLog, Event Name: Registration, Message: Provider: autemv, Source IP: 10.16.200.216, User: eirure boreetd (tNe)", + "event.original": "temaccu 2018-9-12T10:02:15.uamqua Neq4477.mail.invalid CylancePROTECT nim pteurs [ercitati] Event Type: atem, Event Name: SyslogSettingsSave, Device Name: mipsu, Agent Version: velillu, IP Address: (10.181.241.7), MAC Address: (01:00:5e:e1:72:72), Logged On Users: (riatu), OS: utod", "fileset.name": "protect", - "host.name": "oditau3188.internal.home", + "host.name": "Neq4477.mail.invalid", "input.type": "log", - "log.offset": 16123, - "observer.product": "autemv", + "log.offset": 17112, + "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.16.200.216" + "10.181.241.7" + ], + "related.user": [ + "riatu" ], - "rsa.identity.firstname": "eirure", - "rsa.identity.lastname": "boreetd", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "Registration", - "rsa.misc.mail_id": "tNe", + "rsa.investigations.event_vcat": "atem", + "rsa.misc.OS": "utod", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "mipsu", "rsa.network.alias_host": [ - "oditau3188.internal.home" + "Neq4477.mail.invalid" ], - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.network.eth_host": "01:00:5e:e1:72:72", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", "service.type": "cylance", "source.ip": [ - "10.16.200.216" + 
"10.181.241.7" ], "tags": [ "cylance.protect", "forwarded" - ] - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "event.action": [ - "pechange" ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "19-June-2018 03:46:49 low asper311.www.corp inibus <ctobeat 2018-6-19T3:46:49.onsec idestl1167.domain CylancePROTECT itanimi onoru [data] Event Type: ScriptControl, Event Name: pechange, Device Name: eosqui, File Path: dipisciv, Interpreter: uam, Interpreter Version: 1.2575 (llum), Zone Names: mwr", - "file.directory": "dipisciv", - "fileset.name": "protect", - "host.name": "idestl1167.domain", - "input.type": "log", - "log.offset": 16336, - "network.application": "uam", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.2575", - "rsa.db.index": "mwr", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "pechange", - "rsa.misc.node": "eosqui", - "rsa.misc.version": "1.2575", - "rsa.network.alias_host": [ - "idestl1167.domain" - ], - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] + "user.name": "riatu" }, { - "@timestamp": "2018-07-03T12:49:23.000Z", + "@timestamp": "2019-09-27T07:04:49.000Z", "event.action": [ - "threat_changed" + "threat_quarantined" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "3-July-2018 10:49:23 low pitlabo3498.www.localdomain ntmollit <ionofdeF 2018-7-3T10:49:23.rsp imipsa5374.corp CylancePROTECT ionevo llitani [uscipit] Event Type: luptat, Event Name: threat_changed, Device Name: etco", + "event.original": "Sep 27 5:04:49 uipe6805.www5.domain CylancePROTECT Event Type:stenat, 
Event Name:threat_quarantined, Threat Class:sequamn, Threat Subclass:perspici, SHA256:inimve, MD5:aea", "fileset.name": "protect", - "host.name": "imipsa5374.corp", "input.type": "log", - "log.offset": 16642, + "log.offset": 17395, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "sequamn", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "luptat", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "etco", - "rsa.network.alias_host": [ - "imipsa5374.corp" - ], - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.investigations.event_vcat": "stenat", + "rsa.misc.checksum": "inimve", + "rsa.misc.event_type": "threat_quarantined", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2315,214 +2556,178 @@ ] }, { - "@timestamp": "2018-07-17T07:51:58.000Z", + "@timestamp": "2018-10-11T14:07:23.000Z", "event.action": [ - "ZoneAddDevice", - "accept" + "LoginSuccess" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "17-July-2018 17:51:58 medium eumiu5172.internal.domain rehen <ptat 2018-7-17T5:51:58.mipsu velillu827.www5.domain CylancePROTECT rsitamet leumiur [ssequamn] Event Type: ExploitAttempt, Event Name: ZoneAddDevice, Device Name: olesti, IP Address: (10.221.20.165), Action: accept, Process ID: 7294, Process Name: ritquiin.exe, User Name: reseo, Violation Type: amco, Zone Names: ons", + "event.original": "udexerci 2018-10-11T12:07:23.uae imveni193.www5.host CylancePROTECT itationu setquas [nbyCi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: magnaali, Source IP: 10.201.95.47, User: isno usBono (ameaq)", "fileset.name": "protect", - "host.name": "velillu827.www5.domain", + "host.name": "imveni193.www5.host", "input.type": "log", - "log.offset": 16864, - "observer.product": "Protect", + "log.offset": 17567, + "observer.product": "magnaali", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "ritquiin.exe", - "process.pid": 7294, "related.ip": [ - "10.221.20.165" - ], - "related.user": [ - "reseo" + "10.201.95.47" ], - "rsa.db.index": "ons", + "rsa.identity.firstname": "isno", + "rsa.identity.lastname": "usBono", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.node": "olesti", - "rsa.misc.policy_name": "amco", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AuditLog", + 
"rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "ameaq", "rsa.network.alias_host": [ - "velillu827.www5.domain" + "imveni193.www5.host" ], - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "cylance", "source.ip": [ - "10.221.20.165" + "10.201.95.47" ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "reseo" + ] }, { - "@timestamp": "2018-08-01T14:54:32.000Z", + "@timestamp": "2018-10-25T09:09:57.000Z", "event.action": [ "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-8-1T12:54:32.epreh psaqu5224.api.home CylancePROTECT temporin uam [rudexerc] Event Type: ScriptControl, Event Name: SyslogSettingsSave, Device Name: lor, File Path: nvolupt, Interpreter: dquia, Interpreter Version: 1.5334, Zone Names: bori, User Name: dipi", - "file.directory": "nvolupt", + "event.original": "lestiae 2018-10-25T7:09:57.iav umiure5186.api.domain CylancePROTECT tno imvenia [culp] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: nesciu; Policy: mali; Value: roinBCSe, User: eetdolor tpersp (assi)", "fileset.name": "protect", - "host.name": "psaqu5224.api.home", + "host.name": "umiure5186.api.domain", "input.type": "log", - "log.offset": 17251, - "network.application": "dquia", + "log.offset": 17789, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.5334", - "related.user": [ - "dipi" - ], - "rsa.db.index": "bori", + "rsa.db.index": "nesciu", + "rsa.identity.firstname": "eetdolor", + "rsa.identity.lastname": "tpersp", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "lor", - "rsa.misc.version": "1.5334", + 
"rsa.misc.mail_id": "assi", + "rsa.misc.policy_name": "mali", "rsa.network.alias_host": [ - "psaqu5224.api.home" + "umiure5186.api.domain" ], - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "dipi" + ] }, { - "@timestamp": "2018-08-15T09:57:06.000Z", + "@timestamp": "2018-11-09T04:12:32.000Z", "event.action": [ - "threat_quarantined" + "Device Updated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-8-15T7:57:06.ite itse1458.www.example CylancePROTECT lupt quatur [dminim] Event Type: ScriptControl, Event Name: threat_quarantined, Device Name: ipsa, File Path: con, Interpreter: eirured, Interpreter Version: 1.3772 (tatiset), Zone Names: quira, User Name: ciatisun", - "file.directory": "con", + "event.original": "nihilmo 2018-11-9T2:12:32.reetdo xeaco7887.www.localdomain CylancePROTECT hite umfugi [abor] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: remips; Policy: laboreet; Value: uptate, User: tot reme (emeumfu)", "fileset.name": "protect", - "host.name": "itse1458.www.example", + "host.name": "xeaco7887.www.localdomain", "input.type": "log", - "log.offset": 17513, - "network.application": "eirured", + "log.offset": 18013, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3772", - "related.user": [ - "ciatisun" - ], - "rsa.db.index": "quira", + "rsa.db.index": "remips", + "rsa.identity.firstname": "tot", + "rsa.identity.lastname": "reme", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "ipsa", - "rsa.misc.version": "1.3772", + 
"rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Device Updated", + "rsa.misc.mail_id": "emeumfu", + "rsa.misc.policy_name": "laboreet", "rsa.network.alias_host": [ - "itse1458.www.example" + "xeaco7887.www.localdomain" ], - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "ciatisun" + ] }, { - "@timestamp": "2019-08-29T04:59:40.000Z", + "@timestamp": "2018-11-23T11:15:06.000Z", "event.action": [ - "threat_changed", - "deny" + "SystemSecurity" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "29-Aug-2018 2:59:40 very-high audant5631.www5.local minimve <entorev 29T14:59:40.quuntur olup3841.mail.invalid CylancePROTECT Event Name: threat_changed, Device Name: aerat, IP Address: (10.152.213.228), Action: deny, Process ID: 2571, Process Name: iatquo.exe, User Name: temp, Violation Type: oinvento, Zone Names:ali, Device Id: udexerci", + "event.original": "2018-11-23T9:15:06.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute", "fileset.name": "protect", - "host.name": "olup3841.mail.invalid", + "host.name": "gnamali226.internal.test", "input.type": "log", - "log.offset": 17786, + "log.offset": 18237, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "iatquo.exe", - "process.pid": 2571, - "related.ip": [ - "10.152.213.228" - ], - "related.user": [ - "temp" - ], - "rsa.db.index": "ali", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.device_name": "aerat", - 
"rsa.misc.event_type": "threat_changed", - "rsa.misc.policy_name": "oinvento", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "strud", + "rsa.misc.event_type": "SystemSecurity", "rsa.network.alias_host": [ - "olup3841.mail.invalid" + "gnamali226.internal.test" ], - "rsa.time.event_time": "2019-08-29T04:59:40.000Z", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "cylance", - "source.ip": [ - "10.152.213.228" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "temp" + ] }, { - "@timestamp": "2018-09-12T12:02:15.000Z", + "@timestamp": "2018-12-07T06:17:40.000Z", "event.action": [ - "LoginSuccess" + "SystemSecurity" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "emullam 2018-9-12T10:02:15.quido llo1106.internal.localhost CylancePROTECT assi rch [psa] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: atione,tvolupUser: oremeu lab (lla)", + "event.original": "2018-12-7T4:17:40.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat)", "fileset.name": "protect", - "host.name": "llo1106.internal.localhost", + "host.name": "eriti7637.domain", "input.type": "log", - "log.offset": 18137, + "log.offset": 18372, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "oremeu", - "rsa.identity.lastname": "lab", + "rsa.identity.firstname": "itation", + "rsa.identity.lastname": "utlabo", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", "rsa.investigations.event_vcat": " AuditLog", - 
"rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "lla", - "rsa.misc.node": "atione", + "rsa.misc.checksum": "tur", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "tat", + "rsa.misc.node": "mquis", "rsa.network.alias_host": [ - "llo1106.internal.localhost" + "eriti7637.domain" ], - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2530,70 +2735,60 @@ ] }, { - "@timestamp": "2018-09-27T07:04:49.000Z", + "@timestamp": "2019-12-21T13:20:14.000Z", "event.action": [ - "ZoneAdd" + "Device Updated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "oeiusm 2018-9-27T5:04:49.Excepteu mco6956.internal.test CylancePROTECT lorese teturadi [radipi] Event Type: ScriptControl, Event Name: ZoneAdd, Device Name: upidatat, File Path: mod, Interpreter: niamqui, Interpreter Version: 1.7696, Zone Names: xeaco, User Name: taliqu", - "file.directory": "mod", + "event.original": "Dec 21 11:20:14 olu2576.localdomain CylancePROTECT Event Type:enim, Event Name:Device Updated, Device Name:meaquei, External Device Type:snisiu, External Device Vendor ID:atem, External Device Name:remque, External Device Product ID:dol, External Device Serial Number:tvolupt, Zone Names:sedquia, Device Id: inrepr, Policy Name: lla ", "fileset.name": "protect", - "host.name": "mco6956.internal.test", "input.type": "log", - "log.offset": 18329, - "network.application": "niamqui", + "log.offset": 18560, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.7696", - "related.user": [ - "taliqu" - ], - "rsa.db.index": "xeaco", + "rsa.db.index": "sedquia, Device Id: inrepr, Policy Name: lla", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.node": "upidatat", - "rsa.misc.version": "1.7696", - "rsa.network.alias_host": [ - "mco6956.internal.test" - ], - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "enim", + "rsa.misc.device_name": "snisiu", + "rsa.misc.event_type": "Device Updated", + "rsa.misc.node": "meaquei", + 
"rsa.misc.serial_number": "tvolupt", + "rsa.time.event_time": "2019-12-21T13:20:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "taliqu" + ] }, { - "@timestamp": "2018-10-11T14:07:23.000Z", + "@timestamp": "2020-01-05T08:22:49.000Z", "event.action": [ - "SystemSecurity" + "Device Policy Assigned" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-10-11T12:07:23.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute", + "event.original": "Jan 5 6:22:49 tqu6566.www.domain CylancePROTECT Event Type:tinvolu, Event Name:Device Policy Assigned, Message: The Device:dunwas auto assigned to thexceZone:dol, User:equamn", "fileset.name": "protect", - "host.name": "gnamali226.internal.test", "input.type": "log", - "log.offset": 18600, + "log.offset": 18894, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "rsa.identity.firstname": "equamn", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "strud", - "rsa.misc.event_type": "SystemSecurity", - "rsa.network.alias_host": [ - "gnamali226.internal.test" - ], - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "tinvolu", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "dun", + "rsa.network.zone": "dol", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2601,119 +2796,108 @@ ] }, { - "@timestamp": "2018-10-25T09:09:57.000Z", + "@timestamp": "2020-01-19T03:25:23.000Z", "event.action": [ - "SystemSecurity" + "DeviceEdit" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-10-25T7:09:57.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat)uredo ", + "event.original": "19-Jan-2019 1:25:23 low eiu5375.api.domain tcons <ction 19T13:25:23.emveleum siuta2155.lan CylancePROTECT Event Name:DeviceEdit, Device Name:utpe, Agent Version:ill, IP Address: (10.185.28.175), MAC Address: (01:00:5e:1d:a2:74), Logged On Users: (tasu), OS:sci, Zone Names:isquames", "fileset.name": "protect", - "host.name": "eriti7637.domain", + "host.name": "siuta2155.lan", "input.type": "log", - "log.offset": 18736, + "log.offset": 19069, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "itation", - "rsa.identity.lastname": "utlabo", + "related.ip": [ + "10.185.28.175" + ], + "related.user": [ + "tasu" + ], + "rsa.db.index": "isquames", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "tur", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "tat", - "rsa.misc.node": "mquis", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.OS": "sci", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "utpe", "rsa.network.alias_host": [ - "eriti7637.domain" + "siuta2155.lan" ], - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.network.eth_host": "01:00:5e:1d:a2:74", + "rsa.time.event_time": "2020-01-19T03:25:23.000Z", "service.type": "cylance", + 
"source.ip": [ + "10.185.28.175" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "tasu" }, { - "@timestamp": "2019-11-09T04:12:32.000Z", + "@timestamp": "2020-02-02T10:27:57.000Z", "event.action": [ - "accept", - "DeviceRemove" + "threat_found" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "9-Nov-2018 2:12:32 medium dminimv2485.internal.host rep <docons 9T02:12:32.emipsumq orinr5248.mail.home CylancePROTECT Event Name: DeviceRemove, Device Name: tass, IP Address: (10.94.129.251), Action: accept, Process ID: 782, Process Name: umquiad.exe, User Name: porinc, Violation Type: uameiu, Zone Names:quiado", + "event.original": "Feb 2 8:27:57 iatnula4065.www5.corp CylancePROTECT Event Type:corporis, Event Name:threat_found, Device Message: Device: mmodic; Zones Removed: essequam; Zones Added: undeo,ficiadeUser: uiinea uianonn (eavolupt), Zone Names:dantium Device Id: ors", "fileset.name": "protect", - "host.name": "orinr5248.mail.home", "input.type": "log", - "log.offset": 18931, + "log.offset": 19361, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "umquiad.exe", - "process.pid": 782, - "related.ip": [ - "10.94.129.251" - ], - "related.user": [ - "porinc" - ], - "rsa.db.index": "quiado", + "rsa.db.index": "dantium", + "rsa.identity.firstname": "uiinea", + "rsa.identity.lastname": "uianonn", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.device_name": "tass", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.policy_name": "uameiu", - "rsa.network.alias_host": [ - "orinr5248.mail.home" - ], - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "corporis", + "rsa.misc.device_name": "mmodic", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "eavolupt", + "rsa.time.event_time": "2020-02-02T10:27:57.000Z", "service.type": "cylance", - "source.ip": [ - "10.94.129.251" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "porinc" + ] }, { - "@timestamp": "2018-11-23T11:15:06.000Z", + "@timestamp": "2019-02-17T05:30:32.000Z", "event.action": [ - "SystemSecurity" + "pechange" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "23-November-2018 09:15:06 medium mvol3890.localhost reh <tcons 2018-11-23T9:15:06.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill;imveniamUser: sunte exerc (tasu)", + "event.original": "trude 2019-2-17T3:30:32.snulap onsequat5480.mail.localdomain CylancePROTECT pariatur cita [tvo] Event Type: ema, Event Name: pechange, Threat Class: atemacc, Threat Subclass: labore, SHA256: iqua, MD5: ciunt", "fileset.name": "protect", - "host.name": "ction491.www5.local", + "host.name": "onsequat5480.mail.localdomain", "input.type": "log", - "log.offset": 19253, + "log.offset": 19608, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "sunte", - "rsa.identity.lastname": "exerc", + "rsa.crypto.sig_type": "atemacc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "tasu", - "rsa.misc.node": "ill", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ema", + "rsa.misc.checksum": "iqua", + "rsa.misc.event_type": "pechange", "rsa.network.alias_host": 
[ - "ction491.www5.local" + "onsequat5480.mail.localdomain" ], - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2721,113 +2905,106 @@ ] }, { - "@timestamp": "2019-12-07T06:17:40.000Z", + "@timestamp": "2020-03-03T12:33:06.000Z", "event.action": [ - "threat_found" + "Device Policy Assigned" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Dec 7 4:17:40 rcit7003.www5.host CylancePROTECT Event Type:orese, Event Name:threat_found, Device Name:eiusm, Agent Version:oremipsu, IP Address: (10.205.246.104), MAC Address: (01:00:5e:55:3b:e8), Logged On Users: (mto), OS:iae, Zone Names:dent", + "event.original": "Mar 3 10:33:06 ostrumex5015.internal.lan CylancePROTECT Event Type:imaven, Event Name:Device Policy Assigned, Threat Class:uiineav, Threat Subclass:nder, SHA256:lore, MD5:nim", "fileset.name": "protect", "input.type": "log", - "log.offset": 19511, + "log.offset": 19816, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.205.246.104" - ], - "related.user": [ - "mto" - ], - "rsa.db.index": "dent", + "rsa.crypto.sig_type": "uiineav", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "orese", - "rsa.misc.OS": "iae", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "eiusm", - "rsa.network.eth_host": "01:00:5e:55:3b:e8", - "rsa.time.event_time": "2019-12-07T06:17:40.000Z", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "imaven", + "rsa.misc.checksum": "lore", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", "service.type": "cylance", - "source.ip": [ - "10.205.246.104" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "mto" + ] }, { - "@timestamp": "2018-12-21T13:20:14.000Z", + "@timestamp": "2019-03-17T19:35:40.000Z", "event.action": [ - "ZoneAdd" 
+ "threat_changed", + "allow" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-12-21T11:20:14.itse lapari2702.www.test CylancePROTECT exeaco upta [ivel] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:reprehe; Devices: deFinib , User: edqui oreseosq (corporis)", + "event.original": "psamvolu 2019/03/17T17:35:40.teturad ritq7853.api.home CylancePROTECT urautodi equamni [fugia] Event Type: AppControl, Event Name: threat_changed, Device Name: nost, IP Address: (10.36.193.127), Action: allow, Action Type: suntincu, File Path: imidest, SHA256: citation, Zone Names: emquel", + "file.directory": "imidest", "fileset.name": "protect", - "host.name": "lapari2702.www.test", + "host.name": "ritq7853.api.home", "input.type": "log", - "log.offset": 19757, + "log.offset": 19991, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "edqui", - "rsa.identity.lastname": "oreseosq", + "related.ip": [ + "10.36.193.127" + ], + "rsa.db.index": "emquel", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "corporis", - "rsa.misc.node": "deFinib", - "rsa.misc.policy_name": "reprehe", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.checksum": "citation", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "nost", "rsa.network.alias_host": [ - "lapari2702.www.test" + "ritq7853.api.home" ], - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", "service.type": "cylance", + "source.ip": [ + "10.36.193.127" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-01-05T08:22:49.000Z", + "@timestamp": 
"2020-04-01T14:38:14.000Z", "event.action": [ - "ThreatUpdated" + "threat_changed" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "5-Jan-2019 6:22:49 very-high byCice3357.mail.localhost cin <amestq 5T06:22:49.emvele tNeq5705.home CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: sper Agent Self Protection Level Changed: 'dic' to 'mfugiat', User: magnido liqu (dolor),ingZone Names: amal Device Id: aliq", + "event.original": "Apr 1 12:38:14 loremeum2477.www5.localhost CylancePROTECT Event Type:rrorsit, Event Name:threat_changed, Device Message: Device: riameaqu; Policy Changed: etd to 'omnisi', User: dolor rsp (quir), Zone Names:giatqu", "fileset.name": "protect", - "host.name": "tNeq5705.home", "input.type": "log", - "log.offset": 19964, + "log.offset": 20281, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "amal", - "rsa.identity.firstname": "magnido", - "rsa.identity.lastname": "liqu", + "rsa.db.index": "giatqu", + "rsa.identity.firstname": "dolor", + "rsa.identity.lastname": "rsp", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.change_new": "mfugiat", - "rsa.misc.change_old": "dic", - "rsa.misc.device_name": "sper", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "dolor", - "rsa.network.alias_host": [ - "tNeq5705.home" - ], - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "rsa.investigations.event_vcat": "rrorsit", + "rsa.misc.device_name": "riameaqu", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.mail_id": "quir", + "rsa.misc.policy_name": "omnisi", + "rsa.time.event_time": "2020-04-01T14:38:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2835,35 +3012,31 @@ ] }, { - "@timestamp": "2020-01-19T03:25:23.000Z", + "@timestamp": "2020-04-15T09:40:49.000Z", "event.action": [ - "threat_quarantined" + "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "19-Jan-2019 1:25:23 high conse3977.www.lan giatqu <roid 19T13:25:23.lorum iin1665.api.localdomain CylancePROTECT Event Name:threat_quarantined, Device Message: Device: iat; Policy Changed: orain to 'equaturQ', User: llu quaUt (labor), Zone Names:oris, Device Id: tatemse", + "event.original": "15-Apr-2019 7:40:49 medium roiden5489.www5.corp nihilm <orisnisi 15T07:40:49.emquiav ptat5066.www.lan CylancePROTECT Event Name:SyslogSettingsSave, Device Name:ionula, Zone Names:itaed", "fileset.name": "protect", - "host.name": "iin1665.api.localdomain", + "host.name": "ptat5066.www.lan", "input.type": "log", - "log.offset": 20259, + "log.offset": 20495, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "oris", - "rsa.identity.firstname": "llu", - "rsa.identity.lastname": "quaUt", + "rsa.db.index": "itaed", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "iat", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.mail_id": "labor", - "rsa.misc.policy_name": "equaturQ", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "ionula", "rsa.network.alias_host": [ - "iin1665.api.localdomain" + "ptat5066.www.lan" ], - "rsa.time.event_time": "2020-01-19T03:25:23.000Z", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2871,18 +3044,18 @@ ] }, { - "@timestamp": "2020-02-02T10:27:57.000Z", + "@timestamp": "2020-04-29T04:43:23.000Z", "event.action": [ "threat_found" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2-Feb-2019 8:27:57 medium tincul407.corp amq <lab 2T20:27:57.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid", + "event.original": "29-Apr-2019 2:43:23 medium tincul407.corp amq <lab 29T14:43:23.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid", "fileset.name": "protect", "host.name": "ing3291.internal.localhost", "input.type": "log", - "log.offset": 20537, + "log.offset": 20688, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -2896,7 +3069,7 @@ "ing3291.internal.localhost" ], "rsa.network.zone": "epr", - "rsa.time.event_time": "2020-02-02T10:27:57.000Z", + "rsa.time.event_time": "2020-04-29T04:43:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2904,20 +3077,20 @@ ] }, { - "@timestamp": "2019-02-17T05:30:32.000Z", + "@timestamp": "2019-05-13T23:45:57.000Z", "event.action": [ - "block", - "LoginSuccess" + "LoginSuccess", + "block" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "untur 2019/02/17T03:30:32.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta", + "event.original": "untur 2019/05/13T21:45:57.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta", "file.directory": "itsed", "fileset.name": "protect", "host.name": "uraut3756.www5.test", "input.type": "log", - "log.offset": 20754, + "log.offset": 20907, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -2938,7 +3111,7 @@ "rsa.network.alias_host": [ "uraut3756.www5.test" ], - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "cylance", "source.ip": [ "10.127.30.119" 
@@ -2949,19 +3122,19 @@ ] }, { - "@timestamp": "2019-03-03T12:33:06.000Z", + "@timestamp": "2019-05-28T06:48:31.000Z", "event.action": [ "Device Updated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-3-3T10:33:06.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude", + "event.original": "2019-5-28T4:48:31.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude", "file.directory": "lupta", "fileset.name": "protect", "host.name": "uiacon6640.api.localhost", "input.type": "log", - "log.offset": 21030, + "log.offset": 21183, "network.application": "utla", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -2981,7 +3154,7 @@ "rsa.network.alias_host": [ "uiacon6640.api.localhost" ], - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2990,50 +3163,63 @@ "user.name": "nostrude" }, { - "@timestamp": "2019-03-17T07:35:40.000Z", + "@timestamp": "2019-06-11T13:51:06.000Z", "event.action": [ "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ecillum 2019-3-17T5:35:40.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim ", + "event.original": "ecillum 2019-6-11T11:51:06.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim", + "file.directory": "dmini", + "file.name": "agna", + "file.type": "imadmini", "fileset.name": "protect", "host.name": "ame226.internal.domain", "input.type": "log", - "log.offset": 21310, + "log.offset": 21463, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": " isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim", + "related.ip": [ + "10.111.204.45" + ], + "rsa.crypto.sig_type": "madminim", + "rsa.db.index": "isu", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
"rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Threat", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "giatquo", + "rsa.misc.event_state": "cto", "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro", + "rsa.misc.node": "tconsect", "rsa.network.alias_host": [ "ame226.internal.domain" ], - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.web.reputation_num": 144.899, "service.type": "cylance", + "source.ip": [ + "10.111.204.45" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-04-01T14:38:14.000Z", + "@timestamp": "2020-06-25T08:53:40.000Z", "event.action": [ "DeviceRemove" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 1 12:38:14 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele", + "event.original": "Jun 25 6:53:40 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele", "fileset.name": "protect", "input.type": "log", - "log.offset": 21829, + "log.offset": 21982, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3044,7 +3230,7 @@ "rsa.investigations.event_vcat": "umdolo", "rsa.misc.checksum": "empor", "rsa.misc.event_type": "DeviceRemove", - "rsa.time.event_time": "2020-04-01T14:38:14.000Z", + "rsa.time.event_time": "2020-06-25T08:53:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3052,17 +3238,17 @@ ] }, { - "@timestamp": "2020-04-15T09:40:49.000Z", + "@timestamp": "2020-07-10T03:56:14.000Z", "event.action": [ "threat_found" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 15 7:40:49 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu", + "event.original": "Jul 10 1:56:14 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu", "fileset.name": "protect", "input.type": "log", - "log.offset": 21991, + "log.offset": 22144, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3076,7 +3262,7 @@ "rsa.misc.device_name": "sedquia", "rsa.misc.event_type": "threat_found", "rsa.misc.mail_id": "onse", - "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3084,19 +3270,19 @@ ] }, { - "@timestamp": "2019-04-29T04:43:23.000Z", + "@timestamp": "2019-07-24T10:58:48.000Z", "event.action": [ - "allow", - "Registration" + "Registration", + "allow" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-4-29T2:43:23.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam", + "event.original": "2019-7-24T8:58:48.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam", "fileset.name": "protect", "host.name": "mporain5332.mail.host", "input.type": "log", - "log.offset": 22190, + "log.offset": 22343, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3122,7 +3308,7 @@ "rsa.network.alias_host": [ "mporain5332.mail.host" ], - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "cylance", "source.ip": [ "10.59.33.174" 
@@ -3134,17 +3320,17 @@ "user.name": "mcorp" }, { - "@timestamp": "2020-05-13T11:45:57.000Z", + "@timestamp": "2019-08-07T06:01:23.000Z", "event.action": [ "DeviceRemove" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "May 13 9:45:57 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup", + "event.original": "Aug 7 4:01:23 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup", "fileset.name": "protect", "input.type": "log", - "log.offset": 22494, + "log.offset": 22647, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3155,7 +3341,7 @@ "rsa.investigations.event_vcat": "oluptat", "rsa.misc.checksum": "erspicia", "rsa.misc.event_type": "DeviceRemove", - "rsa.time.event_time": "2020-05-13T11:45:57.000Z", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3163,18 +3349,18 @@ ] }, { - "@timestamp": "2019-05-28T06:48:31.000Z", + "@timestamp": "2019-08-21T13:03:57.000Z", "event.action": [ "threat_changed" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ecatcup 2019-5-28T4:48:31.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu", + "event.original": "ecatcup 2019-8-21T11:03:57.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu", "fileset.name": "protect", "host.name": "uamnihil1525.www.lan", "input.type": "log", - "log.offset": 22670, + "log.offset": 22822, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3189,7 +3375,7 @@ "rsa.network.alias_host": [ "uamnihil1525.www.lan" ], - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3197,18 +3383,18 @@ ] }, { - "@timestamp": "2019-06-11T13:51:06.000Z", + "@timestamp": "2019-09-05T08:06:31.000Z", "event.action": [ "fullaccess" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-6-11T11:51:06.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen)", + "event.original": "2019-9-5T6:06:31.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen)", "fileset.name": "protect", "host.name": "eius6126.invalid", "input.type": "log", - "log.offset": 23021, + "log.offset": 23174, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3225,7 +3411,7 @@ "rsa.network.alias_host": [ "eius6126.invalid" ], - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3233,18 +3419,18 @@ ] }, { - "@timestamp": "2019-06-25T08:53:40.000Z", + "@timestamp": "2019-09-19T03:09:05.000Z", "event.action": [ "SyslogSettingsSave" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "tatevel 2019-6-25T6:53:40.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass)", + "event.original": "tatevel 2019-9-19T1:09:05.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass)", "fileset.name": "protect", "host.name": "tam942.api.host", "input.type": "log", - "log.offset": 23217, + "log.offset": 23368, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3261,7 +3447,7 @@ "rsa.network.alias_host": [ "tam942.api.host" ], - "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3269,18 +3455,18 @@ ] }, { - "@timestamp": "2019-07-10T03:56:14.000Z", + "@timestamp": "2019-10-03T10:11:40.000Z", "event.action": [ "pechange" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "veli 2019-7-10T1:56:14.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo)", + "event.original": "veli 2019-10-3T8:11:40.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo)", "fileset.name": "protect", "host.name": "aali1541.www5.local", "input.type": "log", - "log.offset": 23433, + "log.offset": 23584, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3294,7 +3480,7 @@ "rsa.network.alias_host": [ "aali1541.www5.local" ], - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3302,18 +3488,18 @@ ] }, { - "@timestamp": "2019-07-24T10:58:48.000Z", + "@timestamp": "2019-10-18T05:14:14.000Z", "event.action": [ "ThreatUpdated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-July-2019 08:58:48 medium ocons2813.mail.lan natu <acomm 2019-7-24T8:58:48.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)lamcol ", + "event.original": "18-October-2019 03:14:14 medium ocons2813.mail.lan natu <acomm 2019-10-18T3:14:14.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)", "fileset.name": "protect", "host.name": "volupt6822.api.invalid", "input.type": "log", - "log.offset": 23657, + "log.offset": 23808, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", 
@@ -3331,274 +3517,37 @@ "rsa.network.alias_host": [ "volupt6822.api.invalid" ], - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-07T06:01:23.000Z", - "event.action": [ - "ThreatUpdated" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "olupta 2019-8-7T4:01:23.emveleum modtempo3314.www5.test CylancePROTECT sequa erc [isq] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: epteurs was auto assigned to the Zone: IP Address: 10.171.165.221, User: (itvo)", - "fileset.name": "protect", - "host.name": "modtempo3314.www5.test", - "input.type": "log", - "log.offset": 23939, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.171.165.221" - ], - "rsa.db.index": "The Device: epteurs was auto assigned to the Zone: IP Address: 10.171.165.221", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "epteurs", - "rsa.network.alias_host": [ - "modtempo3314.www5.test" - ], - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", - "service.type": "cylance", - "source.ip": [ - "10.171.165.221" - ], - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-21T13:03:57.000Z", - "event.action": [ - "Alert" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "21-Aug-2019 11:03:57 low ssequa930.domain eritquii <ecatcu 21T23:03:57.entoreve ion3339.www.localdomain CylancePROTECT Event Name:Alert, Message: Provider:tionev, Source IP:10.198.44.231, User: eni cte (ariatu)", - "fileset.name": "protect", - "host.name": 
"ion3339.www.localdomain", - "input.type": "log", - "log.offset": 24178, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.198.44.231" - ], - "rsa.identity.firstname": "eni", - "rsa.identity.lastname": "cte", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "ariatu", - "rsa.network.alias_host": [ - "ion3339.www.localdomain" - ], - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", - "service.type": "cylance", - "source.ip": [ - "10.198.44.231" - ], - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "event.action": [ - "threat_changed" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-9-5T6:06:31.risnisiu ten5320.test CylancePROTECT siar orisnis [texp] Event Type: ScriptControl, Event Name: threat_changed, Device Name: hend, File Path: ema, Interpreter: ents, Interpreter Version: 1.1903, Zone Names: aliqua, User Name: officiad", - "file.directory": "ema", - "fileset.name": "protect", - "host.name": "ten5320.test", - "input.type": "log", - "log.offset": 24398, - "network.application": "ents", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.1903", - "related.user": [ - "officiad" - ], - "rsa.db.index": "aliqua", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "hend", - "rsa.misc.version": "1.1903", - "rsa.network.alias_host": [ - "ten5320.test" - ], - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - 
], - "user.name": "officiad" - }, - { - "@timestamp": "2019-09-19T03:09:05.000Z", - "event.action": [ - "Device Updated" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "onsecte 2019-9-19T1:09:05.inibusBo tqui99.mail.example CylancePROTECT prehende vitaedic [remip] Event Type: AuditLog, Event Name: Device Updated, Message: Device: sauteir; SHA256: CSe, User: olorsita midest (uta)olupta ", - "fileset.name": "protect", - "host.name": "tqui99.mail.example", - "input.type": "log", - "log.offset": 24650, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.identity.firstname": "olorsita", - "rsa.identity.lastname": "midest", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "CSe", - "rsa.misc.event_type": "Device Updated", - "rsa.misc.mail_id": "uta", - "rsa.misc.node": "sauteir", - "rsa.network.alias_host": [ - "tqui99.mail.example" - ], - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-03T10:11:40.000Z", - "event.action": [ - "fullaccess" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "3-October-2019 20:11:40 low tali7426.invalid reprehen <tocca 2019-10-3T8:11:40.tinvolu ecatc3925.lan CylancePROTECT quin adipisc [sedqui] Event Type: ueporroq, Event Name: fullaccess, Device Names: (eetdol), Policy Name: tia, User: lup inimav (dolor)", - "fileset.name": "protect", - "host.name": "ecatc3925.lan", - "input.type": "log", - "log.offset": 24870, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.identity.firstname": "lup", - 
"rsa.identity.lastname": "inimav", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ueporroq", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.mail_id": "dolor", - "rsa.misc.node": "eetdol", - "rsa.misc.policy_name": "tia", - "rsa.network.alias_host": [ - "ecatc3925.lan" - ], - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": [ - "SyslogSettingsSave" - ], - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "18-October-2019 03:14:14 medium dex4759.mail.local uredo <untutla 2019-10-18T3:14:14.iame rrorsi3220.lan CylancePROTECT amestqu luptas [ariatu] Event Type: psumqui, Event Name: SyslogSettingsSave, Device Name: empor, Agent Version: ate, IP Address: (10.234.254.96), MAC Address: (01:00:5e:e8:80:20), Logged On Users: (orem), OS: dquian Zone Names: isaute", - "fileset.name": "protect", - "host.name": "rrorsi3220.lan", - "input.type": "log", - "log.offset": 25127, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.234.254.96" - ], - "related.user": [ - "orem" - ], - "rsa.db.index": "isaute", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "psumqui", - "rsa.misc.OS": "dquian", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "empor", - "rsa.network.alias_host": [ - "rrorsi3220.lan" - ], - "rsa.network.eth_host": "01:00:5e:e8:80:20", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "cylance", - "source.ip": [ - "10.234.254.96" - ], "tags": [ "cylance.protect", "forwarded" - ], - 
"user.name": "orem" + ] }, { "@timestamp": "2019-11-01T12:16:48.000Z", "event.action": [ - "threat_changed" + "Device Policy Assigned" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "1-November-2019 10:16:48 high ula5189.host ntocca <adolorsi 2019-11-1T10:16:48.lupt uis6796.mail.example CylancePROTECT aecatc taevita [eseosqu] Event Type: redolo, Event Name: threat_changed, Threat Class: ivelit, Threat Subclass: lumqu, SHA256: dolore, MD5: isnost", + "event.original": "Nov 1 10:16:48 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", "fileset.name": "protect", - "host.name": "uis6796.mail.example", "input.type": "log", - "log.offset": 25492, + "log.offset": 24087, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "ivelit", + "rsa.db.index": "commod", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "redolo", - "rsa.misc.checksum": "dolore", - "rsa.misc.event_type": "threat_changed", - "rsa.network.alias_host": [ - "uis6796.mail.example" - ], + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "rauto", + "rsa.misc.device_name": "rissusci", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "stl", + "rsa.misc.serial_number": "eumfugi", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "cylance", "tags": [ 
@@ -3614,25 +3563,22 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "uianonnu 2019-11-15T5:19:22.ntNeque magnidol1024.api.test CylancePROTECT aaliq tDui [ernatur] Event Type: DeviceControl, Event Name: SyslogSettingsSave, Device Name: atcupi, External Device Type: xeacomm, External Device Vendor ID: tla, External Device Name: itaspe, External Device Product ID: xerc, External Device Serial Number: uaeabill, Zone Names: uioffici", + "event.original": "Nov 15 5:19:22 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", "fileset.name": "protect", - "host.name": "magnidol1024.api.test", "input.type": "log", - "log.offset": 25769, + "log.offset": 24390, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "uioffici", + "rsa.db.index": "aqua, Device Id: edquiac, Policy Name: sit", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", + "rsa.investigations.event_vcat": "incidi", + "rsa.misc.device_name": "nto", "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "atcupi", - "rsa.misc.serial_number": "uaeabill", - "rsa.network.alias_host": [ - "magnidol1024.api.test" - ], + "rsa.misc.node": "tutlabo", + "rsa.misc.serial_number": "ateveli", "rsa.time.event_time": "2019-11-15T07:19:22.000Z", "service.type": "cylance", "tags": [ 
@@ -3643,69 +3589,70 @@ { "@timestamp": "2019-11-30T14:21:57.000Z", "event.action": [ - "SystemSecurity" + "ThreatUpdated" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "30-November-2019 00:21:57 very-high tesseq6251.mail.host adipisci <ptatema 2019-11-30T12:21:57.poriss enatus6421.internal.home CylancePROTECT ficiad saquaea [archi] Event Type: AuditLog, Event Name: SystemSecurity, Message: Policy: imadm; SHA256: ugiat; Category: ius, User: msequ ciatisun (Ute)eddoe ", + "event.original": "rinci 2019-11-30T12:21:57.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", + "file.directory": "sunt", "fileset.name": "protect", - "host.name": "enatus6421.internal.home", + "host.name": "amvol4075.mail.localhost", "input.type": "log", - "log.offset": 26132, + "log.offset": 24727, + "network.application": "orumSe", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "msequ", - "rsa.identity.lastname": "ciatisun", + "observer.version": "1.3237", + "related.user": [ + "pta" + ], + "rsa.db.index": "psa", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "ius", - "rsa.misc.checksum": "ugiat", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "Ute", - "rsa.misc.policy_name": "imadm; SHA256: ugiat; Category: ius", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "onsequa", + "rsa.misc.version": "1.3237", "rsa.network.alias_host": [ - "enatus6421.internal.home" + 
"amvol4075.mail.localhost" ], "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "pta" }, { "@timestamp": "2019-12-14T09:24:31.000Z", "event.action": [ - "DeviceEdit" + "Registration" ], "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-12-14T7:24:31.uasi quaeabi5701.host CylancePROTECT mave essecill [eprehe] Event Type: AuditLog, Event Name: DeviceEdit, Message: Policy: tMaloru; SHA256: rum; Category: utoditau, User: ptassita ionemul (orema)its ", + "event.original": "14-Dec-2019 7:24:31 low ntutlabo6923.localhost eacommo <tionevol 14T07:24:31.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni,officiadUser: veniam labo (ssecill), Zone Names:umquam Device Id: onev", "fileset.name": "protect", - "host.name": "quaeabi5701.host", + "host.name": "asi4651.api.test", "input.type": "log", - "log.offset": 26439, + "log.offset": 24998, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "ptassita", - "rsa.identity.lastname": "ionemul", + "rsa.db.index": "umquam", + "rsa.identity.firstname": "veniam", + "rsa.identity.lastname": "labo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "utoditau", - "rsa.misc.checksum": "rum", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "orema", - "rsa.misc.policy_name": "tMaloru; SHA256: rum; Category: utoditau", + "rsa.misc.device_name": "emp", + "rsa.misc.event_type": "Registration", + "rsa.misc.mail_id": "ssecill", "rsa.network.alias_host": [ - "quaeabi5701.host" + "asi4651.api.test" ], "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "cylance", 
diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index b3549a4bf7a..fe4ecbc442f 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 17:36:25.84226 +0000 UTC. +at 2020-07-08 18:27:58.417099 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js b/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js index d30cd35fc67..19fa80ecb62 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js @@ -789,7 +789,7 @@ var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} var msg61 = msg("sSMTP", part70); -var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info->} ", processor_chain([ +var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ dup16, dup2, ])); diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log b/x-pack/filebeat/module/f5/bigipapm/test/generated.log index bd9a50a3166..02f88d8e18b 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log 
@@ -38,7 +38,7 @@ June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New sessi July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success -August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut +August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid 
@@ -51,7 +51,7 @@ December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating sn January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat -February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa +February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index 2808282c121..4f52859565c 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json 
@@ -1077,23 +1077,32 @@ "event.code": "01420002", "event.dataset": "f5.bigipapm", "event.module": "f5", - "event.original": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut ", + "event.original": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut", + "file.directory": "entsu", "fileset.name": "bigipapm", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], + "log.level": "high", "log.offset": 5073, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", + "process.pid": 1580, + "process.ppid": 2037, + "related.user": [ + "ptate" + ], + "rsa.db.index": "ntut", "rsa.internal.messageid": "01420002", + "rsa.misc.client": "met", + "rsa.misc.result": "failure", + "rsa.misc.severity": "high", "rsa.time.event_time": "2017-08-23T01:52:50.000Z", "service.type": "f5", "tags": [ "f5.bigipapm", "forwarded" - ] + ], + "user.name": "ptate" }, { "@timestamp": "2017-09-06T08:55:24.000Z", @@ -1107,7 +1116,7 @@ "dissect_parsing_error" ], "log.level": "high", - "log.offset": 5217, + "log.offset": 5216, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1138,7 +1147,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 5409, + "log.offset": 5408, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1162,7 +1171,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 5506, + "log.offset": 5505, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1187,7 +1196,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 5575, + "log.offset": 5574, "network.application": "oriosamn", "observer.product": "Big-IP", "observer.type": "Access", 
@@ -1212,7 +1221,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 5680, + "log.offset": 5679, "network.application": "sumquiad", "observer.product": "Big-IP", "observer.type": "Access", @@ -1237,7 +1246,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 5818, + "log.offset": 5817, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1260,7 +1269,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 5942, + "log.offset": 5941, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1287,7 +1296,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 6077, + "log.offset": 6076, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1310,7 +1319,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 6201, + "log.offset": 6200, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1332,7 +1341,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 6331, + "log.offset": 6330, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1356,7 +1365,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 6467, + "log.offset": 6466, "network.application": "edquian", "observer.product": "Big-IP", "observer.type": "Access", @@ -1381,7 +1390,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 6575, + "log.offset": 6574, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
@@ -1399,23 +1408,32 @@ "event.code": "01420002", "event.dataset": "f5.bigipapm", "event.module": "f5", - "event.original": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa ", + "event.original": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa", + "file.directory": "tseddoei", "fileset.name": "bigipapm", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6700, + "log.level": "very-high", + "log.offset": 6699, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", + "process.pid": 5019, + "process.ppid": 4996, + "related.user": [ + "rem" + ], + "rsa.db.index": "remagnaa", "rsa.internal.messageid": "01420002", + "rsa.misc.client": "cusanti", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", "rsa.time.event_time": "2018-02-24T21:26:15.000Z", "service.type": "f5", "tags": [ "f5.bigipapm", "forwarded" - ] + ], + "user.name": "rem" }, { "@timestamp": "2018-03-11T04:28:49.000Z", @@ -1426,7 +1444,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 6866, + "log.offset": 6864, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1451,7 +1469,7 @@ "dissect_parsing_error" ], "log.level": "high", - "log.offset": 6986, + "log.offset": 6984, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1482,7 +1500,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 7187, + "log.offset": 7185, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
@@ -1506,7 +1524,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 7243, + "log.offset": 7241, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1538,7 +1556,7 @@ "geo.region_name": "uasiarch", "input.type": "log", "log.level": "medium", - "log.offset": 7409, + "log.offset": 7407, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1570,7 +1588,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 7628, + "log.offset": 7626, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1595,7 +1613,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 7683, + "log.offset": 7681, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1620,7 +1638,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 7745, + "log.offset": 7743, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1644,7 +1662,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 7825, + "log.offset": 7823, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1668,7 +1686,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 7919, + "log.offset": 7917, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1693,7 +1711,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 7999, + "log.offset": 7997, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1716,7 +1734,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 8219, + "log.offset": 8217, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
@@ -1738,7 +1756,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 8364, + "log.offset": 8362, "network.application": "cipitla", "observer.product": "Big-IP", "observer.type": "Access", @@ -1763,7 +1781,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 8478, + "log.offset": 8476, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1788,7 +1806,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 8586, + "log.offset": 8584, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1813,7 +1831,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 8711, + "log.offset": 8709, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1837,7 +1855,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 8835, + "log.offset": 8833, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1862,7 +1880,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 8952, + "log.offset": 8950, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1885,7 +1903,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 9160, + "log.offset": 9158, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1908,7 +1926,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 9281, + "log.offset": 9279, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1933,7 +1951,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 9405, + "log.offset": 9403, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
@@ -1958,7 +1976,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 9515, + "log.offset": 9513, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1986,7 +2004,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 9613, + "log.offset": 9611, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2017,7 +2035,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 9693, + "log.offset": 9691, "network.application": "did", "observer.product": "Big-IP", "observer.type": "Access", @@ -2042,7 +2060,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 9803, + "log.offset": 9801, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2064,7 +2082,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 9934, + "log.offset": 9932, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2089,7 +2107,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 10025, + "log.offset": 10023, "network.protocol": "rdp", "observer.product": "Big-IP", "observer.type": "Access", @@ -2121,7 +2139,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 10223, + "log.offset": 10221, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2146,7 +2164,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 10299, + "log.offset": 10297, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2174,7 +2192,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 10431, + "log.offset": 10429, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
@@ -2205,7 +2223,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 10503, + "log.offset": 10501, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2227,7 +2245,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 10626, + "log.offset": 10624, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2256,7 +2274,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 10810, + "log.offset": 10808, "network.application": "imaven", "observer.product": "Big-IP", "observer.type": "Access", @@ -2281,7 +2299,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 10932, + "log.offset": 10930, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2307,7 +2325,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 11092, + "log.offset": 11090, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2331,7 +2349,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 11164, + "log.offset": 11162, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2358,7 +2376,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 11278, + "log.offset": 11276, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2383,7 +2401,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 11414, + "log.offset": 11412, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
@@ -2413,7 +2431,7 @@ "http.request.referrer": "https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", "input.type": "log", "log.level": "very-high", - "log.offset": 11564, + "log.offset": 11562, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2437,7 +2455,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 11747, + "log.offset": 11745, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2460,7 +2478,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 11962, + "log.offset": 11960, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2487,7 +2505,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 12086, + "log.offset": 12084, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2521,7 +2539,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 12210, + "log.offset": 12208, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2545,7 +2563,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 12266, + "log.offset": 12264, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2574,7 +2592,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 12418, + "log.offset": 12416, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2602,7 +2620,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 12484, + "log.offset": 12482, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", 
diff --git a/x-pack/filebeat/module/f5/firepass/config/pipeline.js b/x-pack/filebeat/module/f5/firepass/config/pipeline.js index 0a598f79266..7f8774ae3d1 100644 --- a/x-pack/filebeat/module/f5/firepass/config/pipeline.js +++ b/x-pack/filebeat/module/f5/firepass/config/pipeline.js @@ -317,7 +317,7 @@ var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to u var msg23 = msg("maintenance:01", part23); -var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid->} ", processor_chain([ +var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid}", processor_chain([ dup8, dup12, dup6, @@ -328,7 +328,7 @@ var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out var msg24 = msg("maintenance:02", part24); -var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info->} ", processor_chain([ +var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info}", processor_chain([ dup8, dup3, dup4, @@ -336,7 +336,7 @@ var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Acc var msg25 = msg("maintenance:03", part25); -var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port->} ", processor_chain([ +var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port}", processor_chain([ dup11, dup3, dup4, @@ -344,7 +344,7 @@ var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying conn var msg26 = msg("maintenance:04", part26); -var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info->} ", processor_chain([ +var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info}", processor_chain([ dup11, dup3, dup4, 
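Review bot: The trailing-space requirement is dropped only from the seven `match()` patterns touched here (part24–part27 in these hunks, part39, part57 and part71 in the following ones); any other pattern in this file that still ends in `->} "` would presumably keep requiring a trailing space and keep producing `dissect_parsing_error` with the RSA/ECS fields unset, so it is worth grepping the file for `->} "` before merging. That failure mode matters for detection: the expected-output hunks show that a non-matching event still ships but without `user.name`, `event.action`, `source.ip` or `destination.ip`, so any rule keyed on those fields silently misses it. If this pipeline.js is produced from the RSA parser definitions by a converter, the fix should also land in that tooling or be marked in the file, e.g. `// NOTE: trailing "->} " removed from terminal captures; messages need not end with a space.`, otherwise a regeneration would reintroduce the bug. Each `processor_chain([...])` call continues outside its hunk.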
@@ -457,7 +457,7 @@ var all2 = all_match({ var msg32 = msg("security:02", all2); -var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username->} ", processor_chain([ +var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username}", processor_chain([ setc("eventcategory","1402040100"), setc("ec_activity","Modify"), setc("ec_theme","Password"), @@ -632,7 +632,7 @@ var part56 = match("MESSAGE#49:kernel:04", "nwparser.payload", "kernel: cdrom: o var msg50 = msg("kernel:04", part56); -var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3->} ", processor_chain([ +var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ dup8, dup3, ])); @@ -772,7 +772,7 @@ var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2->} return var msg64 = msg("run-crons", part70); -var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action}) ", processor_chain([ +var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action})", processor_chain([ dup2, dup3, ])); diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log index 81f01cdf3f8..208e701930e 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log 
@@ -32,9 +32,9 @@ April 2 01:27:07 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea run-crons[luptatev]: admi returned modocons April 30 15:32:16 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam May 14 22:34:50 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 -May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem +May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem firepass[rehe]: [ume] Logged out -June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) +June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) July 11 02:45:07 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc kernel[olupt]: [modoco] kernel: cdrom: open failed. August 8 16:50:15 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia 
@@ -46,10 +46,10 @@ October 19 04:03:07 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connectedtatfrom 10.145.225.93 itinvo" November 16 18:08:15 rQuisau6637.internal.domain run-crons[den]: [tutla] [olorema] iades returned siarchi httpd[mqu]: [apariat] scr_monitor: tlabore -December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) +December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) snmp[ationemu]: [ice] estiae January 12 22:18:32 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect -maintenance[etconse]: [tincu] ari +maintenance[etconse]: [tincu] ari February 10 12:23:41 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connectedequatfrom 10.77.137.72 ione" 
@@ -77,16 +77,16 @@ January 5 06:22:49 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc kernel: ionofdeF February 2 20:27:57 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id -/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) -March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 +/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) +March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 heartbeat[exe]: [imadmini] [sauteiru] info: mod -/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) +/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) httpd[eriti]: [litessec] scr_monitor: itas May 13 21:45:57 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor May 28 04:48:31 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' June 25 18:53:40 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist -July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) +July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm August 7 16:01:23 velitse543.api.example heartbeat[torever]: info: oremi August 21 23:03:57 temUt631.www5.example heartbeat[npr]: info: mquelau 
@@ -94,7 +94,7 @@ September 5 06:06:31 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] September 19 13:09:05 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account heartbeat[iduntu]: [idestlab] info: rnatur run-crons[essequam]: acommo returned nturma -November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut +November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut kernel[rpori]: [ice] kernel: cdrom: open failed. November 30 00:21:57 commodo6867.internal.example snmp: snmp[odoconse]: [quamqua] SNMP handler started diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json index 9803cc9edcb..231e4376fe7 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json @@ -790,8 +790,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.46.158.31", - "10.117.146.33" + "10.117.146.33", + "10.46.158.31" ], "rsa.db.index": "dun", "rsa.internal.messageid": "kernel", @@ -846,7 +846,7 @@ "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem ", + "event.original": "May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem", "fileset.name": "firepass", "input.type": "log", "log.offset": 3092, 
@@ -856,8 +856,11 @@ "related.user": [ "mexercit" ], - "rsa.db.index": "Logged", "rsa.internal.messageid": "maintenance", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "dtem", "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "service.type": "f5", "tags": [ @@ -873,7 +876,7 @@ "event.original": "firepass[rehe]: [ume] Logged out", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3184, + "log.offset": 3183, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -891,26 +894,33 @@ "user.name": "ume" }, { + "event.action": [ + "cancel" + ], "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) ", + "event.original": "June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3217, + "log.offset": 3216, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "dexeaco" + ], "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "cancel" + ], "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "dexeaco" }, { "event.code": "snmp", @@ -919,7 +929,7 @@ "event.original": "July 11 02:45:07 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3310, + "log.offset": 3308, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -939,7 +949,7 @@ "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3377, + "log.offset": 3375, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -957,7 +967,7 @@ "event.original": "August 8 16:50:15 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3429, + "log.offset": 3427, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -978,7 +988,7 @@ "event.original": "August 22 23:52:50 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3512, + "log.offset": 3510, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -999,7 +1009,7 @@ "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3599, + "log.offset": 3597, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1024,7 +1034,7 @@ "event.original": "September 20 13:57:58 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3660, + "log.offset": 3658, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1053,7 +1063,7 @@ "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3806, + "log.offset": 3804, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1072,7 +1082,7 @@ "event.original": "October 19 04:03:07 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3856, + "log.offset": 3854, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1102,7 +1112,7 @@ "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connectedtatfrom 10.145.225.93 itinvo\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3990, + "log.offset": 3988, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1128,7 +1138,7 @@ "event.original": "November 16 18:08:15 rQuisau6637.internal.domain run-crons[den]: [tutla] [olorema] iades returned siarchi", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4083, + "log.offset": 4081, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1148,7 +1158,7 @@ "event.original": "httpd[mqu]: [apariat] scr_monitor: tlabore", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4189, + "log.offset": 4187, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1164,26 +1174,33 @@ "user.name": "apariat" }, { + "event.action": [ + "deny" + ], "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) ", + "event.original": "December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4232, + "log.offset": 4230, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "isc" + ], "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "isc" }, { "event.code": "snmp", @@ -1192,7 +1209,7 @@ "event.original": "snmp[ationemu]: [ice] estiae", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4330, + "log.offset": 4327, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1214,7 +1231,7 @@ "event.original": "January 12 22:18:32 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4359, + "log.offset": 4356, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1234,22 +1251,24 @@ "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "maintenance[etconse]: [tincu] ari ", + "event.original": "maintenance[etconse]: [tincu] ari", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4466, + "log.offset": 4463, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "tincu" + ], + "rsa.db.index": "ari", "rsa.internal.messageid": "maintenance", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "tincu" }, { "event.code": "heartbeat", @@ -1258,7 +1277,7 @@ "event.original": "February 10 12:23:41 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4501, + "log.offset": 4497, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1278,7 +1297,7 @@ "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4583, + "log.offset": 4579, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1300,7 +1319,7 @@ "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connectedequatfrom 10.77.137.72 ione\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4683, + "log.offset": 4679, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1326,7 +1345,7 @@ "event.original": "EndpointSecurity[amre]: [rsita] id[niamqui]: \"uptat - Connecteduamfrom 10.140.136.44 fficiade\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4780, + "log.offset": 4776, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1352,7 +1371,7 @@ "event.original": "April 8 16:33:58 vitaedi1318.corp sshd[temqu]: Accepted publickey for edol from 10.26.196.144 port 4677 quatD", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4875, + "log.offset": 4871, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1382,7 +1401,7 @@ "event.original": "April 22 23:36:32 eabilloi6458.api.lan run-crons[tlab]: [volupt] osqui returned xerc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4985, + "log.offset": 4981, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1405,7 +1424,7 @@ "event.original": "snmp[ents]: [liquide] SNMP handler started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5070, + "log.offset": 5066, "network.protocol": "SNMP", "observer.product": "FirePass", "observer.type": "VPN", @@ -1428,7 +1447,7 @@ "event.original": "security[uun]: [sequine] [ectio] User dutper from 10.237.205.140 presented with challenge", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5113, + "log.offset": 5109, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1458,7 +1477,7 @@ "event.original": "run-crons: returned gel", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5203, + "log.offset": 5199, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1477,7 +1496,7 @@ "event.original": "June 19 03:46:49 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5228, + "log.offset": 5224, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1497,7 +1516,7 @@ "event.original": "July 3 10:49:23 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5307, + "log.offset": 5303, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1521,7 +1540,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5397, + "log.offset": 5393, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1546,7 +1565,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5471, + "log.offset": 5467, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1570,7 +1589,7 @@ "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5526, + "log.offset": 5522, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1595,7 +1614,7 @@ "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5574, + "log.offset": 5570, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1617,7 +1636,7 @@ "event.original": "September 12 22:02:15 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5647, + "log.offset": 5643, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1637,7 +1656,7 @@ "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5743, + "log.offset": 5739, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1655,7 +1674,7 @@ "event.original": "firepass[nisi]: [dant] shutting down for system reboot", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5801, + "log.offset": 5797, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1674,7 +1693,7 @@ "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5856, + "log.offset": 5852, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1695,7 +1714,7 @@ "event.original": "November 9 02:12:32 quidolor5025.home run-crons: returned rem", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5912, + "log.offset": 5908, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1715,7 +1734,7 @@ "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5975, + "log.offset": 5971, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1734,7 +1753,7 @@ "event.original": "heartbeat[uiinea]: info: Utenima", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6033, + "log.offset": 6029, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1756,7 +1775,7 @@ "event.original": "December 21 23:20:14 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6066, + "log.offset": 6062, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1779,7 +1798,7 @@ "event.original": "January 5 06:22:49 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6173, + "log.offset": 6169, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1799,7 +1818,7 @@ "event.original": "kernel: ionofdeF", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6252, + "log.offset": 6248, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1818,7 +1837,7 @@ "event.original": "February 2 20:27:57 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6269, + "log.offset": 6265, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1838,7 +1857,7 @@ "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6343, + "log.offset": 6339, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1853,43 +1872,51 @@ ] }, { + "event.action": [ + "deny" + ], "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) ", + "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6416, + "log.offset": 6412, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "ntocca" + ], "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "ntocca" }, { "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 ", + "event.original": "March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6472, + "log.offset": 6467, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.user": [ "ntmollit" ], - "rsa.db.index": "Trying", "rsa.internal.messageid": "maintenance", + "rsa.network.network_port": 6980, "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "rsa.web.fqdn": "ipsumd6116.local", "service.type": "f5", "tags": [ "f5.firepass", @@ -1904,7 +1931,7 @@ "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6595, + "log.offset": 6589, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1917,25 +1944,32 @@ ] }, { + "event.action": [ + "deny" + ], "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) ", + "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6643, + "log.offset": 6637, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "tnulapa" + ], "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "tnulapa" }, { "event.code": "httpd", @@ -1944,7 +1978,7 @@ "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6695, + "log.offset": 6688, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1969,7 +2003,7 @@ "event.original": "May 13 21:45:57 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6738, + "log.offset": 6731, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1993,7 +2027,7 @@ "fileset.name": "firepass", "host.name": "eufugi2923.internal.host", "input.type": "log", - "log.offset": 6860, + "log.offset": 6853, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2022,7 +2056,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6978, + "log.offset": 6971, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2046,7 +2080,7 @@ "event.original": "June 25 18:53:40 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7036, + "log.offset": 7029, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2067,26 +2101,33 @@ "user.name": "ven" }, { + "event.action": [ + "cancel" + ], "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) ", + "event.original": "July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)", "fileset.name": "firepass", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 7123, + "log.offset": 7116, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", + "related.user": [ + "laudant" + ], "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "cancel" + ], "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "laudant" }, { "event.code": "kernel", @@ -2095,7 +2136,7 @@ "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7224, + "log.offset": 7216, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2114,7 +2155,7 @@ "event.original": "August 7 16:01:23 velitse543.api.example heartbeat[torever]: info: oremi", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7275, + "log.offset": 7267, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2134,7 +2175,7 @@ "event.original": "August 21 23:03:57 temUt631.www5.example heartbeat[npr]: info: mquelau", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7348, + "log.offset": 7340, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2154,7 +2195,7 @@ "event.original": "September 5 06:06:31 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7419, + "log.offset": 7411, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2175,7 +2216,7 @@ "event.outcome": "Failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7524, + "log.offset": 7516, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2202,7 +2243,7 @@ "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7653, + "log.offset": 7645, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2221,7 +2262,7 @@ "event.original": "run-crons[essequam]: acommo returned nturma", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7696, + "log.offset": 7688, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2234,20 +2275,33 @@ ] }, { + "destination.ip": [ + "10.225.181.30" + ], + "destination.port": 5390, "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut ", + "event.original": "November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7740, + "log.offset": 7732, + "network.protocol": "udp", "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.db.index": "GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", + "related.ip": [ + "10.225.181.30", + "10.65.175.9" + ], + "rsa.db.index": "uia", "rsa.internal.messageid": "kernel", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "f5", + "source.ip": [ + "10.65.175.9" + ], + "source.port": 4412, "tags": [ "f5.firepass", "forwarded" @@ -2260,7 +2314,7 @@ "event.original": "kernel[rpori]: [ice] kernel: cdrom: open failed.", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7924, + "log.offset": 7915, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2278,7 +2332,7 @@ "event.original": "November 30 00:21:57 commodo6867.internal.example snmp: ", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7973, + "log.offset": 7964, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2301,7 +2355,7 @@ "event.original": "snmp[odoconse]: [quamqua] SNMP handler started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 8030, + "log.offset": 8021, "network.protocol": "SNMP", "observer.product": "FirePass", "observer.type": "VPN", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index a470c22ad82..b57d48ed20f 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -142,8 +142,8 @@ "observer.vendor": "Fortinet", "process.pid": 1130, "related.ip": [ - "10.135.105.231", - "10.26.46.95" + "10.26.46.95", + "10.135.105.231" ], "related.user": [ "meumfug" @@ -201,8 +201,8 @@ "observer.vendor": "Fortinet", "process.pid": 5712, "related.ip": [ - "10.202.204.154", - "10.134.137.177" + "10.134.137.177", + "10.202.204.154" ], "related.user": [ "con" @@ -260,8 +260,8 @@ "observer.vendor": "Fortinet", "process.pid": 654, "related.ip": [ - "10.85.66.161", - "10.131.115.96" + "10.131.115.96", + "10.85.66.161" ], "related.user": [ "onev" @@ -437,8 +437,8 @@ "observer.vendor": "Fortinet", "process.pid": 3904, "related.ip": [ - "10.233.127.83", - "10.64.155.245" + "10.64.155.245", + "10.233.127.83" ], "related.user": [ "olab" @@ -496,8 +496,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.178.244.31", - "10.69.20.77" + "10.69.20.77", + "10.178.244.31" ], "related.user": [ "moll" @@ -732,8 +732,8 @@ "observer.vendor": "Fortinet", "process.pid": 5376, "related.ip": [ - "10.124.100.32", - "10.208.134.60" + "10.208.134.60", + "10.124.100.32" ], "related.user": [ "admi" @@ -791,8 +791,8 @@ "observer.vendor": "Fortinet", "process.pid": 1577, "related.ip": [ - "10.55.77.49", - "10.75.148.116" + "10.75.148.116", + "10.55.77.49" ], "related.user": [ "tdolorem" 
@@ -850,8 +850,8 @@ "observer.vendor": "Fortinet", "process.pid": 3671, "related.ip": [ - "10.21.92.218", - "10.210.74.24" + "10.210.74.24", + "10.21.92.218" ], "related.user": [ "nihi" @@ -968,8 +968,8 @@ "observer.vendor": "Fortinet", "process.pid": 2857, "related.ip": [ - "10.47.241.218", - "10.76.229.163" + "10.76.229.163", + "10.47.241.218" ], "related.user": [ "mnisist" @@ -1027,8 +1027,8 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "rQuisau" @@ -1204,8 +1204,8 @@ "observer.vendor": "Fortinet", "process.pid": 753, "related.ip": [ - "10.197.250.10", - "10.170.148.40" + "10.170.148.40", + "10.197.250.10" ], "related.user": [ "rinrepre" @@ -1322,8 +1322,8 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.ip": [ - "10.134.148.219", - "10.248.204.182" + "10.248.204.182", + "10.134.148.219" ], "related.user": [ "fugitse" @@ -1381,8 +1381,8 @@ "observer.vendor": "Fortinet", "process.pid": 5251, "related.ip": [ - "10.177.238.183", - "10.59.122.242" + "10.59.122.242", + "10.177.238.183" ], "related.user": [ "xerc" @@ -1440,8 +1440,8 @@ "observer.vendor": "Fortinet", "process.pid": 6106, "related.ip": [ - "10.10.27.73", - "10.74.33.75" + "10.74.33.75", + "10.10.27.73" ], "related.user": [ "quaturve" @@ -1499,8 +1499,8 @@ "observer.vendor": "Fortinet", "process.pid": 3022, "related.ip": [ - "10.241.65.49", - "10.32.239.1" + "10.32.239.1", + "10.241.65.49" ], "related.user": [ "asia" @@ -1558,8 +1558,8 @@ "observer.vendor": "Fortinet", "process.pid": 1411, "related.ip": [ - "10.14.36.202", - "10.167.85.181" + "10.167.85.181", + "10.14.36.202" ], "related.user": [ "dtemp" @@ -2089,8 +2089,8 @@ "observer.vendor": "Fortinet", "process.pid": 1693, "related.ip": [ - "10.255.39.252", - "10.113.95.59" + "10.113.95.59", + "10.255.39.252" ], "related.user": [ "atisun" 
@@ -2325,8 +2325,8 @@ "observer.vendor": "Fortinet", "process.pid": 5433, "related.ip": [ - "10.163.93.20", - "10.29.133.28" + "10.29.133.28", + "10.163.93.20" ], "related.user": [ "tpersp" @@ -2384,8 +2384,8 @@ "observer.vendor": "Fortinet", "process.pid": 658, "related.ip": [ - "10.113.30.163", - "10.50.0.61" + "10.50.0.61", + "10.113.30.163" ], "related.user": [ "dolore" @@ -2443,8 +2443,8 @@ "observer.vendor": "Fortinet", "process.pid": 6827, "related.ip": [ - "10.39.145.136", - "10.30.47.165" + "10.30.47.165", + "10.39.145.136" ], "related.user": [ "invo" @@ -2502,8 +2502,8 @@ "observer.vendor": "Fortinet", "process.pid": 246, "related.ip": [ - "10.36.112.145", - "10.30.25.84" + "10.30.25.84", + "10.36.112.145" ], "related.user": [ "bor" @@ -2679,8 +2679,8 @@ "observer.vendor": "Fortinet", "process.pid": 1478, "related.ip": [ - "10.232.254.65", - "10.149.13.76" + "10.149.13.76", + "10.232.254.65" ], "related.user": [ "itesseq" @@ -2797,8 +2797,8 @@ "observer.vendor": "Fortinet", "process.pid": 4003, "related.ip": [ - "10.243.237.151", - "10.98.194.212" + "10.98.194.212", + "10.243.237.151" ], "related.user": [ "eri" @@ -2856,8 +2856,8 @@ "observer.vendor": "Fortinet", "process.pid": 1609, "related.ip": [ - "10.28.84.106", - "10.193.233.229" + "10.193.233.229", + "10.28.84.106" ], "related.user": [ "luptatem" @@ -2974,8 +2974,8 @@ "observer.vendor": "Fortinet", "process.pid": 3421, "related.ip": [ - "10.107.45.175", - "10.201.237.233" + "10.201.237.233", + "10.107.45.175" ], "related.user": [ "aeconseq" @@ -3033,8 +3033,8 @@ "observer.vendor": "Fortinet", "process.pid": 7867, "related.ip": [ - "10.196.206.130", - "10.239.80.120" + "10.239.80.120", + "10.196.206.130" ], "related.user": [ "isn" @@ -3092,8 +3092,8 @@ "observer.vendor": "Fortinet", "process.pid": 6717, "related.ip": [ - "10.47.24.77", - "10.234.222.214" + "10.234.222.214", + "10.47.24.77" ], "related.user": [ "ntNeq" 
@@ -3151,8 +3151,8 @@ "observer.vendor": "Fortinet", "process.pid": 4116, "related.ip": [ - "10.202.7.89", - "10.139.127.232" + "10.139.127.232", + "10.202.7.89" ], "related.user": [ "osquir" @@ -3210,8 +3210,8 @@ "observer.vendor": "Fortinet", "process.pid": 3178, "related.ip": [ - "10.130.241.232", - "10.40.35.49" + "10.40.35.49", + "10.130.241.232" ], "related.user": [ "aturQu" @@ -3328,8 +3328,8 @@ "observer.vendor": "Fortinet", "process.pid": 7079, "related.ip": [ - "10.46.56.204", - "10.97.149.97" + "10.97.149.97", + "10.46.56.204" ], "related.user": [ "esseq" @@ -3387,8 +3387,8 @@ "observer.vendor": "Fortinet", "process.pid": 5026, "related.ip": [ - "10.151.129.181", - "10.28.105.124" + "10.28.105.124", + "10.151.129.181" ], "related.user": [ "nesciun" @@ -3505,8 +3505,8 @@ "observer.vendor": "Fortinet", "process.pid": 5140, "related.ip": [ - "10.62.229.89", - "10.2.244.159" + "10.2.244.159", + "10.62.229.89" ], "related.user": [ "inBCSedu" @@ -3682,8 +3682,8 @@ "observer.vendor": "Fortinet", "process.pid": 3411, "related.ip": [ - "10.94.114.83", - "10.126.87.182" + "10.126.87.182", + "10.94.114.83" ], "related.user": [ "dolores" @@ -3741,8 +3741,8 @@ "observer.vendor": "Fortinet", "process.pid": 2649, "related.ip": [ - "10.38.28.151", - "10.206.165.83" + "10.206.165.83", + "10.38.28.151" ], "related.user": [ "erspi" @@ -3800,8 +3800,8 @@ "observer.vendor": "Fortinet", "process.pid": 6064, "related.ip": [ - "10.181.247.224", - "10.77.229.168" + "10.77.229.168", + "10.181.247.224" ], "related.user": [ "ame" @@ -3859,8 +3859,8 @@ "observer.vendor": "Fortinet", "process.pid": 5493, "related.ip": [ - "10.57.85.98", - "10.42.252.243" + "10.42.252.243", + "10.57.85.98" ], "related.user": [ "nisiu" @@ -4095,8 +4095,8 @@ "observer.vendor": "Fortinet", "process.pid": 2162, "related.ip": [ - "10.118.82.34", - "10.108.45.59" + "10.108.45.59", + "10.118.82.34" ], "related.user": [ "olorem" 
@@ -4154,8 +4154,8 @@ "observer.vendor": "Fortinet", "process.pid": 4020, "related.ip": [ - "10.180.180.230", - "10.170.252.219" + "10.170.252.219", + "10.180.180.230" ], "related.user": [ "orumSec" @@ -4272,8 +4272,8 @@ "observer.vendor": "Fortinet", "process.pid": 3628, "related.ip": [ - "10.141.143.56", - "10.225.255.211" + "10.225.255.211", + "10.141.143.56" ], "related.user": [ "aaliq" @@ -4331,8 +4331,8 @@ "observer.vendor": "Fortinet", "process.pid": 6311, "related.ip": [ - "10.219.1.151", - "10.250.81.189" + "10.250.81.189", + "10.219.1.151" ], "related.user": [ "olup" @@ -4449,8 +4449,8 @@ "observer.vendor": "Fortinet", "process.pid": 2581, "related.ip": [ - "10.202.132.214", - "10.179.147.45" + "10.179.147.45", + "10.202.132.214" ], "related.user": [ "stquidol" @@ -4508,8 +4508,8 @@ "observer.vendor": "Fortinet", "process.pid": 2280, "related.ip": [ - "10.51.221.217", - "10.169.98.165" + "10.169.98.165", + "10.51.221.217" ], "related.user": [ "metco" @@ -4567,8 +4567,8 @@ "observer.vendor": "Fortinet", "process.pid": 4887, "related.ip": [ - "10.85.104.146", - "10.243.6.41" + "10.243.6.41", + "10.85.104.146" ], "related.user": [ "emacc" @@ -4626,8 +4626,8 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.ip": [ - "10.30.246.132", - "10.208.18.210" + "10.208.18.210", + "10.30.246.132" ], "related.user": [ "osqu" @@ -4862,8 +4862,8 @@ "observer.vendor": "Fortinet", "process.pid": 4386, "related.ip": [ - "10.70.29.203", - "10.141.216.14" + "10.141.216.14", + "10.70.29.203" ], "related.user": [ "dese" @@ -5039,8 +5039,8 @@ "observer.vendor": "Fortinet", "process.pid": 7182, "related.ip": [ - "10.187.170.23", - "10.105.136.146" + "10.105.136.146", + "10.187.170.23" ], "related.user": [ "uatu" @@ -5098,8 +5098,8 @@ "observer.vendor": "Fortinet", "process.pid": 6537, "related.ip": [ - "10.125.166.198", - "10.114.211.238" + "10.114.211.238", + "10.125.166.198" ], "related.user": [ "sumquiad" 
@@ -5157,8 +5157,8 @@ "observer.vendor": "Fortinet", "process.pid": 2758, "related.ip": [ - "10.29.7.142", - "10.209.239.122" + "10.209.239.122", + "10.29.7.142" ], "related.user": [ "atatnon" @@ -5216,8 +5216,8 @@ "observer.vendor": "Fortinet", "process.pid": 5772, "related.ip": [ - "10.144.109.148", - "10.146.57.23" + "10.146.57.23", + "10.144.109.148" ], "related.user": [ "xerc" @@ -5334,8 +5334,8 @@ "observer.vendor": "Fortinet", "process.pid": 6094, "related.ip": [ - "10.100.154.220", - "10.120.148.241" + "10.120.148.241", + "10.100.154.220" ], "related.user": [ "orsitvol" @@ -5452,8 +5452,8 @@ "observer.vendor": "Fortinet", "process.pid": 5792, "related.ip": [ - "10.230.130.3", - "10.117.190.234" + "10.117.190.234", + "10.230.130.3" ], "related.user": [ "ttenb" @@ -5688,8 +5688,8 @@ "observer.vendor": "Fortinet", "process.pid": 7279, "related.ip": [ - "10.116.105.31", - "10.252.146.103" + "10.252.146.103", + "10.116.105.31" ], "related.user": [ "rsint" @@ -5806,8 +5806,8 @@ "observer.vendor": "Fortinet", "process.pid": 3793, "related.ip": [ - "10.190.36.112", - "10.184.109.84" + "10.184.109.84", + "10.190.36.112" ], "related.user": [ "uat" @@ -5865,8 +5865,8 @@ "observer.vendor": "Fortinet", "process.pid": 5985, "related.ip": [ - "10.175.181.138", - "10.19.21.239" + "10.19.21.239", + "10.175.181.138" ], "related.user": [ "aliqu" diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index bddc5fe26ae..8c264cb81ae 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md @@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-08 17:36:28.364048 +0000 UTC. +at 2020-07-08 18:28:00.818993 +0000 UTC. 
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 2d8e3330f89..d4a94f59496 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -26,8 +26,8 @@ "10.70.155.35" ], "related.user": [ - "tatno", "aqui", + "tatno", "magn" ], "rsa.counters.dclass_c1": 5910, @@ -112,8 +112,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.58.116.231", - "10.159.182.171" + "10.159.182.171", + "10.58.116.231" ], "related.user": [ "qua", @@ -171,13 +171,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.157.161.103", - "10.64.70.5" + "10.64.70.5", + "10.157.161.103" ], "related.user": [ "emeumfu", - "CSed", - "tem" + "tem", + "CSed" ], "rsa.counters.event_counter": 3561, "rsa.db.database": "lupt", @@ -240,13 +240,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.230.76.224", - "10.47.202.102" + "10.47.202.102", + "10.230.76.224" ], "related.user": [ + "tlabori", "hitect", - "dol", - "tlabori" + "dol" ], "rsa.counters.event_counter": 3339, "rsa.db.database": "leumiu", @@ -289,8 +289,8 @@ ], "destination.port": 189, "event.action": [ - "block", - "Login" + "Login", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -370,9 +370,9 @@ "10.206.97.204" ], "related.user": [ - "fugitse", "evita", - "ommodico" + "ommodico", + "fugitse" ], "rsa.counters.dclass_c1": 4842, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -423,13 +423,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.148.106.167", - "10.145.248.111" + "10.145.248.111", + "10.148.106.167" ], "related.user": [ - "tectobe", + "tium", "uae", - "tium" + "tectobe" ], "rsa.counters.dclass_c1": 3994, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -484,13 +484,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.7.46.36", - "10.77.52.83" + "10.77.52.83", + "10.7.46.36" ], "related.user": [ + "upta", "atno", - "ccaec", - "upta" + "ccaec" ], "rsa.counters.dclass_c1": 1458, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -545,13 +545,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.221.102.245", - "10.43.226.231" + "10.43.226.231", + "10.221.102.245" ], "related.user": [ - "rinre", "eFi", - "ritatise" + "ritatise", + "rinre" ], "rsa.counters.dclass_c1": 302, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -589,8 +589,8 @@ ], "destination.port": 6223, "event.action": [ - "allow", - "Login" + "Login", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -610,8 +610,8 @@ "10.239.96.8" ], "related.user": [ - "atevelit", "nts", + "atevelit", "orsitam" ], "rsa.counters.dclass_c1": 3714, @@ -650,8 +650,8 @@ ], "destination.port": 7231, "event.action": [ - "cancel", - "Login" + "Login", + "cancel" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -667,13 +667,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.10.216.74", - "10.147.76.202" + "10.147.76.202", + "10.10.216.74" ], "related.user": [ "oeni", - "sit", - "ctetura" + "ctetura", + "sit" ], "rsa.counters.dclass_c1": 5313, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -711,8 +711,8 @@ ], "destination.port": 2300, "event.action": [ - "nBCSedut", - "cancel" + "cancel", + "nBCSedut" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
@@ -734,17 +734,17 @@ "10.123.199.236" ], "related.user": [ - "rum", "emUteni", - "texpli" + "texpli", + "rum" ], "rsa.counters.event_counter": 5653, "rsa.db.database": "gnaaliqu", "rsa.internal.event_desc": "ian", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "nonp" + "nonp", + "cancel" ], "rsa.misc.category": "dolore", "rsa.misc.disposition": "onsecte", @@ -780,8 +780,8 @@ ], "destination.port": 2639, "event.action": [ - "allow", - "Login" + "Login", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -797,12 +797,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.20.72.231", - "10.110.114.175" + "10.110.114.175", + "10.20.72.231" ], "related.user": [ - "snost", "upt", + "snost", "imide" ], "rsa.counters.dclass_c1": 5798, @@ -841,8 +841,8 @@ ], "destination.port": 3684, "event.action": [ - "deny", - "Login" + "Login", + "deny" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -862,8 +862,8 @@ "10.111.90.75" ], "related.user": [ - "rem", "aincidu", + "rem", "rcitat" ], "rsa.counters.dclass_c1": 1264, @@ -902,8 +902,8 @@ ], "destination.port": 1513, "event.action": [ - "accept", - "uisa" + "uisa", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -925,8 +925,8 @@ "10.186.77.109" ], "related.user": [ - "erun", "dutpers", + "erun", "est" ], "rsa.counters.event_counter": 5380, @@ -970,8 +970,8 @@ ], "destination.port": 2700, "event.action": [ - "allow", - "Login" + "Login", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -987,13 +987,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.111.233.194", - "10.201.164.145" + "10.201.164.145", + "10.111.233.194" ], "related.user": [ "ullamcor", - "sequa", - "miurerep" + "miurerep", + "sequa" ], "rsa.counters.dclass_c1": 6595, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1055,8 +1055,8 @@ ], "related.user": [ "olorsit", - "scingeli", - "isn" + "isn", + "scingeli" ], "rsa.counters.event_counter": 3317, "rsa.db.database": "sBono", @@ -1100,8 +1100,8 @@ ], "destination.port": 1280, "event.action": [ - "deny", - "Login" + "Login", + "deny" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1121,9 +1121,9 @@ "10.79.147.101" ], "related.user": [ - "cingel", + "ddoeius", "uptat", - "ddoeius" + "cingel" ], "rsa.counters.dclass_c1": 6068, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1184,8 +1184,8 @@ "10.49.71.118" ], "related.user": [ - "eritin", "udan", + "eritin", "aincidun" ], "rsa.counters.event_counter": 7731, @@ -1193,8 +1193,8 @@ "rsa.internal.event_desc": "caboNemo", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uto" + "uto", + "cancel" ], "rsa.misc.category": "dexerc", "rsa.misc.disposition": "strumex", @@ -1230,8 +1230,8 @@ ], "destination.port": 6366, "event.action": [ - "allow", - "plic" + "plic", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1246,13 +1246,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.50.222.68", - "10.28.153.102" + "10.28.153.102", + "10.50.222.68" ], "related.user": [ "tas", - "amali", - "rsita" + "rsita", + "amali" ], "rsa.counters.dclass_c1": 4527, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1366,13 +1366,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.251.1.35", - "10.201.81.46" + "10.201.81.46", + "10.251.1.35" ], "related.user": [ - "niam", "est", - "agnaaliq" + "agnaaliq", + "niam" ], "rsa.counters.event_counter": 2001, "rsa.db.database": "mquisno", 
@@ -1439,17 +1439,17 @@ "10.131.82.68" ], "related.user": [ - "ersp", + "ulap", "amnisi", - "ulap" + "ersp" ], "rsa.counters.event_counter": 1710, "rsa.db.database": "nrepreh", "rsa.internal.event_desc": "nimad", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "prehe" + "prehe", + "accept" ], "rsa.misc.category": "ataevita", "rsa.misc.disposition": "oremqu", @@ -1501,13 +1501,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.94.132.21", - "10.114.193.232" + "10.114.193.232", + "10.94.132.21" ], "related.user": [ - "nse", "odi", - "eetdo" + "eetdo", + "nse" ], "rsa.counters.dclass_c1": 6784, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1562,13 +1562,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.9.56.220", - "10.44.226.104" + "10.44.226.104", + "10.9.56.220" ], "related.user": [ + "reseosq", "autf", - "nse", - "reseosq" + "nse" ], "rsa.counters.dclass_c1": 5380, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1627,9 +1627,9 @@ "10.33.195.166" ], "related.user": [ + "umiurer", "iamea", - "aconsequ", - "umiurer" + "aconsequ" ], "rsa.counters.dclass_c1": 3249, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1667,8 +1667,8 @@ ], "destination.port": 2763, "event.action": [ - "Logout", - "accept" + "accept", + "Logout" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1688,9 +1688,9 @@ "10.85.137.156" ], "related.user": [ - "etMaloru", "orumSe", - "olori" + "olori", + "etMaloru" ], "rsa.counters.dclass_c1": 2491, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1728,8 +1728,8 @@ ], "destination.port": 3575, "event.action": [ - "tnul", - "cancel" + "cancel", + "tnul" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1748,9 +1748,9 @@ "10.45.215.202" ], "related.user": [ - "gia", "stquidol", - "ihilmole" + "ihilmole", + "gia" ], "rsa.counters.dclass_c1": 7822, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1784,8 +1784,8 @@ ], "destination.port": 6536, "event.action": [ - "Login", - "accept" + "accept", + "Login" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1806,8 +1806,8 @@ ], "related.user": [ "emp", - "essequam", - "etdolor" + "etdolor", + "essequam" ], "rsa.counters.dclass_c1": 2905, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1845,8 +1845,8 @@ ], "destination.port": 2069, "event.action": [ - "Login", - "cancel" + "cancel", + "Login" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1866,8 +1866,8 @@ "10.18.225.139" ], "related.user": [ - "lestia", "orum", + "lestia", "edquian" ], "rsa.counters.dclass_c1": 3553, @@ -1906,8 +1906,8 @@ ], "destination.port": 3822, "event.action": [ - "accept", - "turadip" + "turadip", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1962,8 +1962,8 @@ ], "destination.port": 767, "event.action": [ - "Logout", - "allow" + "allow", + "Logout" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -1983,9 +1983,9 @@ "10.50.69.209" ], "related.user": [ - "exerci", "eirur", - "isci" + "isci", + "exerci" ], "rsa.counters.dclass_c1": 1684, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2044,9 +2044,9 @@ "10.88.176.226" ], "related.user": [ - "olor", + "roinBCSe", "ender", - "roinBCSe" + "olor" ], "rsa.counters.dclass_c1": 723, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2084,8 +2084,8 @@ ], "destination.port": 6729, "event.action": [ - "Logout", - "cancel" + "cancel", + "Logout" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2101,13 +2101,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.123.56.46", - "10.182.181.162" + "10.182.181.162", + "10.123.56.46" ], "related.user": [ - "oreseo", + "sit", "uid", - "sit" + "oreseo" ], "rsa.counters.dclass_c1": 6438, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2145,8 +2145,8 @@ ], "destination.port": 62, "event.action": [ - "accept", - "lesti" + "lesti", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2161,13 +2161,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.176.83.7", - "10.169.124.164" + "10.169.124.164", + "10.176.83.7" ], "related.user": [ "iamqui", - "hilmole", - "dolor" + "dolor", + "hilmole" ], "rsa.counters.dclass_c1": 2894, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2201,8 +2201,8 @@ ], "destination.port": 1598, "event.action": [ - "Logout", - "block" + "block", + "Logout" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2222,9 +2222,9 @@ "10.87.238.169" ], "related.user": [ + "CSedu", "iusmodt", - "itaedict", - "CSedu" + "itaedict" ], "rsa.counters.dclass_c1": 7780, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2279,13 +2279,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.53.133.90", - "10.245.219.7" + "10.245.219.7", + "10.53.133.90" ], "related.user": [ - "rsit", "ptatev", - "nvol" + "nvol", + "rsit" ], "rsa.counters.dclass_c1": 6066, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2323,8 +2323,8 @@ ], "destination.port": 4444, "event.action": [ - "aliqui", - "block" + "block", + "aliqui" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2346,9 +2346,9 @@ "10.67.173.228" ], "related.user": [ + "onsectet", "nesci", - "tam", - "onsectet" + "tam" ], "rsa.counters.event_counter": 2448, "rsa.db.database": "sin", @@ -2413,8 +2413,8 @@ "10.90.50.149" ], "related.user": [ - "olupta", "olu", + "olupta", "aUtenima" ], "rsa.counters.dclass_c1": 1127, @@ -2453,8 +2453,8 @@ ], "destination.port": 5792, "event.action": [ - "allow", - "Login" + "Login", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
@@ -2470,13 +2470,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.59.182.36", - "10.18.150.82" + "10.18.150.82", + "10.59.182.36" ], "related.user": [ "qua", - "mtota", - "luptat" + "luptat", + "mtota" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2605,8 +2605,8 @@ ], "destination.port": 5020, "event.action": [ - "cancel", - "strumex" + "strumex", + "cancel" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2628,17 +2628,17 @@ "10.49.169.175" ], "related.user": [ - "idolor", "onpr", - "iquamqu" + "iquamqu", + "idolor" ], "rsa.counters.event_counter": 4795, "rsa.db.database": "uira", "rsa.internal.event_desc": "velites", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "caboN" + "caboN", + "cancel" ], "rsa.misc.category": "oloremi", "rsa.misc.disposition": "edqui", @@ -2690,8 +2690,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.96.216.244", - "10.65.185.178" + "10.65.185.178", + "10.96.216.244" ], "related.user": [ "tvolup", @@ -2734,8 +2734,8 @@ ], "destination.port": 916, "event.action": [ - "allow", - "deFini" + "deFini", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2750,13 +2750,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.223.71.185", - "10.33.181.176" + "10.33.181.176", + "10.223.71.185" ], "related.user": [ - "loremips", + "atisetqu", "uptateve", - "atisetqu" + "loremips" ], "rsa.counters.dclass_c1": 3804, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2807,8 +2807,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.255.179.32", - "10.238.252.246" + "10.238.252.246", + "10.255.179.32" ], "related.user": [ "iatn", @@ -2851,8 +2851,8 @@ ], "destination.port": 7402, "event.action": [ - "cancel", - "Logout" + "Logout", + "cancel" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
@@ -2868,12 +2868,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.98.52.184", - "10.28.124.136" + "10.28.124.136", + "10.98.52.184" ], "related.user": [ - "billoi", "icaboNe", + "billoi", "umq" ], "rsa.counters.dclass_c1": 4298, @@ -2933,9 +2933,9 @@ "10.200.162.248" ], "related.user": [ - "billo", + "cul", "lumdol", - "cul" + "billo" ], "rsa.counters.dclass_c1": 3914, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2973,8 +2973,8 @@ ], "destination.port": 1265, "event.action": [ - "cancel", - "Login" + "Login", + "cancel" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -2990,13 +2990,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.103.215.159", - "10.88.60.147" + "10.88.60.147", + "10.103.215.159" ], "related.user": [ "mull", - "ueporr", - "seq" + "seq", + "ueporr" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3050,13 +3050,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.93.246.218", - "10.229.190.11" + "10.229.190.11", + "10.93.246.218" ], "related.user": [ - "cteturad", "mtot", - "roinBCS" + "roinBCS", + "cteturad" ], "rsa.counters.dclass_c1": 1929, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3094,8 +3094,8 @@ ], "destination.port": 3056, "event.action": [ - "Login", - "cancel" + "cancel", + "Login" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3115,8 +3115,8 @@ "10.89.16.162" ], "related.user": [ - "atvol", "taevitae", + "atvol", "modit" ], "rsa.counters.dclass_c1": 1449, @@ -3174,13 +3174,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.67.129.100", - "10.244.73.167" + "10.244.73.167", + "10.67.129.100" ], "related.user": [ "exerc", - "gnama", - "sunte" + "sunte", + "gnama" ], "rsa.counters.event_counter": 2592, "rsa.db.database": "tasu", 
@@ -3241,8 +3241,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.20.158.236", - "10.52.221.103" + "10.52.221.103", + "10.20.158.236" ], "related.user": [ "dantium", @@ -3302,13 +3302,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.199.46.88", - "10.250.231.196" + "10.250.231.196", + "10.199.46.88" ], "related.user": [ + "utlabore", "equuntur", - "olup", - "utlabore" + "olup" ], "rsa.counters.dclass_c1": 2867, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3346,8 +3346,8 @@ ], "destination.port": 702, "event.action": [ - "block", - "Logout" + "Logout", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3363,13 +3363,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.41.44.94", - "10.49.122.64" + "10.49.122.64", + "10.41.44.94" ], "related.user": [ "nim", - "suntincu", - "fugia" + "fugia", + "suntincu" ], "rsa.counters.dclass_c1": 1508, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3407,8 +3407,8 @@ ], "destination.port": 5558, "event.action": [ - "Login", - "accept" + "accept", + "Login" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3429,8 +3429,8 @@ ], "related.user": [ "eritquii", - "uptatem", - "itaed" + "itaed", + "uptatem" ], "rsa.counters.dclass_c1": 944, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3468,8 +3468,8 @@ ], "destination.port": 2057, "event.action": [ - "block", - "Login" + "Login", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3489,9 +3489,9 @@ "10.184.199.84" ], "related.user": [ + "ationem", "upt", - "cid", - "ationem" + "cid" ], "rsa.counters.dclass_c1": 3291, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3548,8 +3548,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.27.120.57", - "10.40.12.51" + "10.40.12.51", + "10.27.120.57" ], "related.user": [ "remeum", 
@@ -3561,8 +3561,8 @@ "rsa.internal.event_desc": "iatisun", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uep" + "uep", + "cancel" ], "rsa.misc.category": "cto", "rsa.misc.disposition": "orumSect", @@ -3617,13 +3617,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.106.63.42", - "10.86.147.37" + "10.86.147.37", + "10.106.63.42" ], "related.user": [ "olor", - "ugitse", - "aeca" + "aeca", + "ugitse" ], "rsa.counters.event_counter": 2211, "rsa.db.database": "ameiu", @@ -3667,8 +3667,8 @@ ], "destination.port": 6650, "event.action": [ - "cancel", - "Login" + "Login", + "cancel" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3684,12 +3684,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.110.240.8", - "10.112.132.76" + "10.112.132.76", + "10.110.240.8" ], "related.user": [ - "ulamcola", "tam", + "ulamcola", "equun" ], "rsa.counters.dclass_c1": 5784, @@ -3728,8 +3728,8 @@ ], "destination.port": 403, "event.action": [ - "accept", - "Logout" + "Logout", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3745,13 +3745,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.7.141.213", - "10.76.222.159" + "10.76.222.159", + "10.7.141.213" ], "related.user": [ "labor", - "natuser", - "niamq" + "niamq", + "natuser" ], "rsa.counters.dclass_c1": 5670, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3789,8 +3789,8 @@ ], "destination.port": 894, "event.action": [ - "allow", - "Logout" + "Logout", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -3806,13 +3806,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.246.196.160", - "10.170.90.90" + "10.170.90.90", + "10.246.196.160" ], "related.user": [ - "equ", "epteurs", - "urautod" + "urautod", + "equ" ], "rsa.counters.dclass_c1": 4933, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3960,21 +3960,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.219.218.23", - "10.21.69.33" + "10.21.69.33", + "10.219.218.23" ], "related.user": [ - "tesseq", + "labor", "orumS", - "labor" + "tesseq" ], "rsa.counters.event_counter": 2428, "rsa.db.database": "exeacomm", "rsa.internal.event_desc": "itanimi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "meumfug", - "deny" + "deny", + "meumfug" ], "rsa.misc.category": "rinc", "rsa.misc.disposition": "isistena", @@ -4010,8 +4010,8 @@ ], "destination.port": 3954, "event.action": [ - "ius", - "block" + "block", + "ius" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4030,9 +4030,9 @@ "10.67.163.107" ], "related.user": [ - "tion", + "eddoe", "quaeabi", - "eddoe" + "tion" ], "rsa.counters.dclass_c1": 3469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4066,8 +4066,8 @@ ], "destination.port": 599, "event.action": [ - "Logout", - "cancel" + "cancel", + "Logout" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4083,12 +4083,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.61.247.113", - "10.120.66.172" + "10.120.66.172", + "10.61.247.113" ], "related.user": [ - "tur", "iamqu", + "tur", "iduntut" ], "rsa.counters.dclass_c1": 2218, @@ -4127,8 +4127,8 @@ ], "destination.port": 6326, "event.action": [ - "deny", - "oluptass" + "oluptass", + "deny" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4146,13 +4146,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.31.56.237", - "10.206.65.159" + "10.206.65.159", + "10.31.56.237" ], "related.user": [ - "amcorpor", + "cit", "atem", - "cit" + "amcorpor" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "oloremeu", 
@@ -4246,9 +4246,9 @@ "10.108.76.145" ], "related.user": [ - "uisautem", "idid", - "trumexer" + "trumexer", + "uisautem" ], "rsa.counters.dclass_c1": 1294, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4310,16 +4310,16 @@ ], "related.user": [ "eaqu", - "totamrem", - "cto" + "cto", + "totamrem" ], "rsa.counters.event_counter": 4385, "rsa.db.database": "itani", "rsa.internal.event_desc": "doloremi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "sequatD" + "sequatD", + "cancel" ], "rsa.misc.category": "uisno", "rsa.misc.disposition": "atevel", @@ -4354,8 +4354,8 @@ ], "destination.port": 3154, "event.action": [ - "block", - "Login" + "Login", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4371,13 +4371,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.211.242.138", - "10.84.3.244" + "10.84.3.244", + "10.211.242.138" ], "related.user": [ "olest", - "ciun", - "asia" + "asia", + "ciun" ], "rsa.counters.dclass_c1": 545, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4445,8 +4445,8 @@ ], "destination.port": 5635, "event.action": [ - "Login", - "accept" + "accept", + "Login" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4466,9 +4466,9 @@ "10.13.86.14" ], "related.user": [ - "turvelil", "volu", - "lapa" + "lapa", + "turvelil" ], "rsa.counters.dclass_c1": 7284, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4522,13 +4522,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.50.195.220", - "10.32.220.188" + "10.32.220.188", + "10.50.195.220" ], "related.user": [ - "nimi", + "ectob", "lorinrep", - "ectob" + "nimi" ], "rsa.counters.dclass_c1": 2636, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4566,8 +4566,8 @@ ], "destination.port": 984, "event.action": [ - "allow", - "Login" + "Login", + "allow" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
@@ -4587,9 +4587,9 @@ "10.29.74.57" ], "related.user": [ - "exe", "colab", - "iutaliqu" + "iutaliqu", + "exe" ], "rsa.counters.dclass_c1": 3432, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4643,12 +4643,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.149.2.62", - "10.107.41.59" + "10.107.41.59", + "10.149.2.62" ], "related.user": [ - "utal", "edictasu", + "utal", "oreseo" ], "rsa.counters.dclass_c1": 3008, @@ -4683,8 +4683,8 @@ ], "destination.port": 4062, "event.action": [ - "accept", - "erit" + "erit", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4706,9 +4706,9 @@ "10.20.211.186" ], "related.user": [ + "ptassit", "ncidid", - "olo", - "ptassit" + "olo" ], "rsa.counters.event_counter": 3743, "rsa.db.database": "ataevit", @@ -4751,8 +4751,8 @@ ], "destination.port": 2201, "event.action": [ - "block", - "Login" + "Login", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -4829,13 +4829,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.169.212", - "10.131.253.222" + "10.131.253.222", + "10.173.169.212" ], "related.user": [ - "oinB", "orumet", - "utod" + "utod", + "oinB" ], "rsa.counters.dclass_c1": 6659, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4894,8 +4894,8 @@ ], "related.user": [ "psamvolu", - "liq", - "imven" + "imven", + "liq" ], "rsa.counters.dclass_c1": 587, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4929,8 +4929,8 @@ ], "destination.port": 2543, "event.action": [ - "Logout", - "cancel" + "cancel", + "Logout" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
@@ -4946,13 +4946,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.164.123.69", - "10.161.51.238" + "10.161.51.238", + "10.164.123.69" ], "related.user": [ - "litesse", "xercitat", - "xeacomm" + "xeacomm", + "litesse" ], "rsa.counters.dclass_c1": 5031, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4990,8 +4990,8 @@ ], "destination.port": 6125, "event.action": [ - "accept", - "odte" + "odte", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -5006,8 +5006,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.73.97", - "10.227.144.202" + "10.227.144.202", + "10.112.73.97" ], "related.user": [ "quinesc", @@ -5097,9 +5097,9 @@ "10.76.165.58" ], "related.user": [ + "nisi", "amqua", - "ugitse", - "nisi" + "ugitse" ], "rsa.counters.dclass_c1": 4963, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5137,8 +5137,8 @@ ], "destination.port": 5686, "event.action": [ - "accept", - "itessec" + "itessec", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -5160,8 +5160,8 @@ "10.177.36.122" ], "related.user": [ - "avolu", "eFini", + "avolu", "ept" ], "rsa.counters.event_counter": 4087, @@ -5169,8 +5169,8 @@ "rsa.internal.event_desc": "rationev", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "oriosamn", - "accept" + "accept", + "oriosamn" ], "rsa.misc.category": "etco", "rsa.misc.disposition": "usanti", @@ -5205,8 +5205,8 @@ ], "destination.port": 7489, "event.action": [ - "block", - "Login" + "Login", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -5222,13 +5222,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.35.215.152", - "10.143.175.148" + "10.143.175.148", + "10.35.215.152" ], "related.user": [ - "ium", + "itaspern", "etdo", - "itaspern" + "ium" ], "rsa.counters.dclass_c1": 6141, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5287,9 +5287,9 @@ "10.254.252.105" ], "related.user": [ + "ataev", "ptatemU", - "asp", - "ataev" + "asp" ], "rsa.counters.dclass_c1": 2949, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5327,8 +5327,8 @@ ], "destination.port": 6834, "event.action": [ - "accept", - "Login" + "Login", + "accept" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -5344,13 +5344,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.44.179.66", - "10.248.16.82" + "10.248.16.82", + "10.44.179.66" ], "related.user": [ + "xercita", "proiden", - "loinv", - "xercita" + "loinv" ], "rsa.counters.dclass_c1": 2353, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5411,17 +5411,17 @@ "10.88.53.149" ], "related.user": [ + "tqui", "strumex", - "reseosqu", - "tqui" + "reseosqu" ], "rsa.counters.event_counter": 6219, "rsa.db.database": "atus", "rsa.internal.event_desc": "ntiumtot", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "ionulamc", - "allow" + "allow", + "ionulamc" ], "rsa.misc.category": "aeab", "rsa.misc.disposition": "idolo", @@ -5476,8 +5476,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.116.180.96", - "10.199.117.125" + "10.199.117.125", + "10.116.180.96" ], "related.user": [ "pidatatn", @@ -5489,8 +5489,8 @@ "rsa.internal.event_desc": "rsitvo", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "ectet", - "cancel" + "cancel", + "ectet" ], "rsa.misc.category": "esciuntN", "rsa.misc.disposition": "ritatis", @@ -5525,8 +5525,8 @@ ], "destination.port": 2200, "event.action": [ - "Login", - "cancel" + "cancel", + "Login" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
@@ -5542,13 +5542,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.64.76.110", - "10.250.226.105" + "10.250.226.105", + "10.64.76.110" ], "related.user": [ - "imidest", + "ptate", "ommod", - "ptate" + "imidest" ], "rsa.counters.dclass_c1": 6041, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5586,8 +5586,8 @@ ], "destination.port": 2077, "event.action": [ - "block", - "persp" + "persp", + "block" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -5609,17 +5609,17 @@ "10.164.52.43" ], "related.user": [ + "reverit", "Nemoe", - "seq", - "reverit" + "seq" ], "rsa.counters.event_counter": 249, "rsa.db.database": "neavolup", "rsa.internal.event_desc": "itame", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atemq", - "block" + "block", + "atemq" ], "rsa.misc.category": "quaturv", "rsa.misc.disposition": "lumdolor", @@ -5672,13 +5672,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.115.42.231", - "10.161.212.150" + "10.161.212.150", + "10.115.42.231" ], "related.user": [ + "sequamn", "tasnul", - "res", - "sequamn" + "res" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5830,8 +5830,8 @@ "10.217.176.124" ], "related.user": [ - "itsedq", "uisaute", + "itsedq", "min" ], "rsa.counters.event_counter": 1318, @@ -5839,8 +5839,8 @@ "rsa.internal.event_desc": "unt", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "pidatatn", - "cancel" + "cancel", + "pidatatn" ], "rsa.misc.category": "emUt", "rsa.misc.disposition": "eiru", @@ -5875,8 +5875,8 @@ ], "destination.port": 2294, "event.action": [ - "deny", - "Logout" + "Logout", + "deny" ], "event.code": "Imperva", "event.dataset": "imperva.securesphere", @@ -5897,8 +5897,8 @@ ], "related.user": [ "ero", - "iatquovo", - "ratvolup" + "ratvolup", + "iatquovo" ], "rsa.counters.dclass_c1": 6969, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5958,8 +5958,8 @@ ], "related.user": [ "atio", - "uis", - "xercita" + "xercita", + "uis" ], "rsa.counters.dclass_c1": 3516, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index dc5d5dfca3a..c33a19310a3 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-08 17:36:28.818661 +0000 UTC. +at 2020-07-08 18:28:01.221366 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/config/pipeline.js b/x-pack/filebeat/module/infoblox/nios/config/pipeline.js index 0d3d50cdc8a..eb4ad71a8dd 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/pipeline.js +++ b/x-pack/filebeat/module/infoblox/nios/config/pipeline.js 
@@ -187,53 +187,47 @@ var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_descripti dup30, ])); -var dup69 = match("MESSAGE#52:ntpd:02", "nwparser.payload", "%{event_description->} ", processor_chain([ - dup12, - dup6, - dup8, -])); - -var dup70 = linear_select([ +var dup69 = linear_select([ dup33, dup34, ]); -var dup71 = linear_select([ +var dup70 = linear_select([ dup37, dup38, dup39, ]); -var dup72 = linear_select([ +var dup71 = linear_select([ dup42, dup43, dup44, ]); -var dup73 = linear_select([ +var dup72 = linear_select([ dup51, dup52, ]); -var dup74 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ +var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ dup15, dup6, dup8, ])); -var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ +var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, ])); -var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ +var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var dup77 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description->} ", processor_chain([ +var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ dup12, dup6, dup8, @@ -1194,7 +1188,7 @@ var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal var msg66 = msg("ntpd:01", part90); -var msg67 = msg("ntpd:02", dup69); +var msg67 = msg("ntpd:02", dup64); var select15 = linear_select([ msg62, 
@@ -1210,7 +1204,7 @@ var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr} var all17 = all_match({ processors: [ part91, - dup70, + dup69, ], on_success: processor_chain([ dup15, @@ -1226,7 +1220,7 @@ var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{ var all18 = all_match({ processors: [ part92, - dup70, + dup69, ], on_success: processor_chain([ dup15, @@ -1243,7 +1237,7 @@ var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr} var all19 = all_match({ processors: [ part93, - dup70, + dup69, ], on_success: processor_chain([ dup15, @@ -1270,7 +1264,7 @@ var all20 = all_match({ dup36, select16, part96, - dup70, + dup69, ], on_success: processor_chain([ dup15, @@ -1302,11 +1296,11 @@ var select18 = linear_select([ var all21 = all_match({ processors: [ part97, - dup71, + dup70, part98, select17, select18, - dup72, + dup71, ], on_success: processor_chain([ dup12, @@ -1368,11 +1362,11 @@ var select21 = linear_select([ var all23 = all_match({ processors: [ part105, - dup71, + dup70, part106, select20, select21, - dup72, + dup71, ], on_success: processor_chain([ dup12, @@ -1487,7 +1481,7 @@ var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5 var all26 = all_match({ processors: [ dup50, - dup73, + dup72, part120, ], on_success: processor_chain([ @@ -1666,7 +1660,7 @@ var all31 = all_match({ var msg89 = msg("named:10", all31); -var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}' ", processor_chain([ +var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ dup12, dup6, dup8, 
@@ -1675,7 +1669,7 @@ var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}# var msg90 = msg("named:29", part142); -var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}' ", processor_chain([ +var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ dup12, dup6, dup8, @@ -1752,13 +1746,11 @@ var select32 = linear_select([ part154, ]); -var part155 = match("MESSAGE#80:named:06/2", "nwparser.p0", "%{event_description->} "); - var all33 = all_match({ processors: [ part152, select32, - part155, + dup46, ], on_success: processor_chain([ dup12, @@ -1770,7 +1762,7 @@ var all33 = all_match({ var msg95 = msg("named:06", all33); -var part156 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ +var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ dup12, dup49, dup14, 
@@ -1781,22 +1773,22 @@ var part156 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpect dup55, ])); -var msg96 = msg("named:20", part156); +var msg96 = msg("named:20", part155); -var part157 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); +var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); -var part158 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); +var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); -var part159 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); +var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); var select33 = linear_select([ + part157, part158, - part159, ]); var all34 = all_match({ processors: [ - part157, + part156, select33, ], on_success: processor_chain([ @@ -1813,22 +1805,22 @@ var all34 = all_match({ var msg97 = msg("named:49", all34); -var part160 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); +var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); -var part161 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); +var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); var select34 = linear_select([ + part159, part160, - part161, ]); -var part162 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); +var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); var all35 = all_match({ processors: [ dup57, select34, - part162, + part161, ], on_success: processor_chain([ dup12, 
@@ -1840,22 +1832,22 @@ var all35 = all_match({ var msg98 = msg("named:24", all35); -var part163 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); +var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); -var part164 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); +var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); var select35 = linear_select([ + part162, part163, - part164, ]); -var part165 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); +var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); var all36 = all_match({ processors: [ dup57, select35, - part165, + part164, ], on_success: processor_chain([ dup12, @@ -1866,22 +1858,22 @@ var all36 = all_match({ var msg99 = msg("named:26", all36); -var part166 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); +var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); -var part167 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); +var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); var select36 = linear_select([ + part165, part166, - part167, ]); -var part168 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4->} "); +var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); var all37 = all_match({ processors: [ dup57, select36, - part168, + part167, ], on_success: processor_chain([ dup12, 
@@ -1892,33 +1884,33 @@ var all37 = all_match({ var msg100 = msg("named:27", all37); -var part169 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); +var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); -var part170 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); +var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); var select37 = linear_select([ + part168, part169, - part170, dup53, ]); -var part171 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); +var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); -var part172 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result->} "); +var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); -var part173 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr}) "); +var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); var select38 = linear_select([ + part171, part172, - part173, ]); var all38 = all_match({ processors: [ dup50, - dup73, + dup72, select37, - part171, + part170, select38, ], on_success: processor_chain([ @@ -1930,7 +1922,7 @@ var all38 = all_match({ var msg101 = msg("named:38", all38); -var part174 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ +var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ dup12, dup49, dup14, 
@@ -1939,64 +1931,64 @@ var part174 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2 dup54, ])); -var msg102 = msg("named:39", part174); +var msg102 = msg("named:39", part173); -var part175 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ +var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ dup12, dup6, dup8, ])); -var msg103 = msg("named:46", part175); +var msg103 = msg("named:46", part174); -var part176 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ +var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ dup12, dup6, dup8, dup30, ])); -var msg104 = msg("named:64", part176); +var msg104 = msg("named:64", part175); -var part177 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ +var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ dup12, dup6, dup8, dup47, ])); -var msg105 = msg("named:45", part177); +var msg105 = msg("named:45", part176); -var part178 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); +var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone 
'%{p0}"); -var part179 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); +var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); -var part180 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); +var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); var select39 = linear_select([ + part178, part179, - part180, ]); -var part181 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); +var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); -var part182 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); +var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); -var part183 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); +var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); -var part184 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); +var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); var select40 = linear_select([ + part181, part182, part183, - part184, ]); var all39 = all_match({ processors: [ - part178, + part177, select39, - part181, + part180, select40, ], on_success: processor_chain([ 
@@ -2008,93 +2000,93 @@ var all39 = all_match({ var msg106 = msg("named:44", all39); -var part185 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ +var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ dup12, dup6, dup8, dup30, ])); -var msg107 = msg("named:43", part185); +var msg107 = msg("named:43", part184); -var part186 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ +var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ dup12, dup6, dup8, dup55, ])); -var msg108 = msg("named:42", part186); +var msg108 = msg("named:42", part185); -var part187 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ +var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ dup12, dup6, dup8, ])); -var msg109 = msg("named:41", part187); +var msg109 = msg("named:41", part186); -var part188 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ +var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ setc("eventcategory","1502000000"), dup6, dup8, ])); -var msg110 = msg("named:47", part188); +var msg110 = msg("named:47", part187); -var part189 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' 
%{result}", processor_chain([ +var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ dup56, dup6, dup8, dup30, ])); -var msg111 = msg("named:48", part189); +var msg111 = msg("named:48", part188); -var part190 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ +var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ dup12, dup6, dup8, dup30, ])); -var msg112 = msg("named:62", part190); +var msg112 = msg("named:62", part189); -var part191 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ +var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ dup12, dup6, dup8, ])); -var msg113 = msg("named:53", part191); +var msg113 = msg("named:53", part190); -var part192 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2->} ", processor_chain([ +var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ dup48, dup6, dup8, setc("event_description"," query failed"), ])); -var msg114 = msg("named:77", part192); +var msg114 = msg("named:77", part191); -var part193 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ +var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ dup58, 
dup6, dup8, dup47, ])); -var msg115 = msg("named:52", part193); +var msg115 = msg("named:52", part192); -var part194 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ +var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ dup58, dup6, dup8, ])); -var msg116 = msg("named:50", part194); +var msg116 = msg("named:50", part193); -var part195 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ +var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ dup56, dup6, dup8, @@ -2103,9 +2095,9 @@ var part195 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2 dup54, ])); -var msg117 = msg("named:51", part195); +var msg117 = msg("named:51", part194); -var part196 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ +var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ dup58, dup6, dup8, 
@@ -2114,22 +2106,22 @@ var part196 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{net dup30, ])); -var msg118 = msg("named:54", part196); +var msg118 = msg("named:54", part195); -var part197 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); +var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); -var part198 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); +var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); -var part199 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); +var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); var select41 = linear_select([ + part197, part198, - part199, ]); var all40 = all_match({ processors: [ - part197, + part196, select41, ], on_success: processor_chain([ @@ -2144,7 +2136,7 @@ var all40 = all_match({ var msg119 = msg("named:55", all40); -var part200 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ +var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ dup58, dup6, dup8, @@ -2154,9 +2146,9 @@ var part200 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpe dup59, ])); -var msg120 = msg("named:56", part200); +var msg120 = msg("named:56", part199); -var part201 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ +var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ dup58, dup6, dup8, 
@@ -2165,26 +2157,26 @@ var part201 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolvi dup59, ])); -var msg121 = msg("named:57", part201); +var msg121 = msg("named:57", part200); -var part202 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); +var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); -var part203 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); +var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); -var part204 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); +var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); var select42 = linear_select([ + part202, part203, - part204, ]); -var part205 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); +var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); var all41 = all_match({ processors: [ - part202, + part201, select42, - part205, + part204, ], on_success: processor_chain([ dup12, @@ -2195,7 +2187,7 @@ var all41 = all_match({ var msg122 = msg("named:04", all41); -var part206 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ +var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ dup58, dup6, dup8, 
@@ -2203,9 +2195,9 @@ var part206 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server res dup59, ])); -var msg123 = msg("named:58", part206); +var msg123 = msg("named:58", part205); -var part207 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ +var part206 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ dup12, dup6, dup8, @@ -2213,9 +2205,9 @@ var part207 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max qu dup59, ])); -var msg124 = msg("named:59", part207); +var msg124 = msg("named:59", part206); -var part208 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ +var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ dup12, dup6, dup8, @@ -2224,18 +2216,18 @@ var part208 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping namese setc("event_description","skipping nameserver because it is a CNAME"), ])); -var msg125 = msg("named:60", part208); +var msg125 = msg("named:60", part207); -var part209 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ +var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ dup12, dup6, dup8, dup30, ])); -var msg126 = msg("named:61", part209); +var msg126 = msg("named:61", part208); -var part210 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ +var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ dup12, dup6, dup8, 
@@ -2243,24 +2235,24 @@ var part210 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/ dup35, ])); -var msg127 = msg("named:73", part210); +var msg127 = msg("named:73", part209); -var part211 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ +var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ dup12, dup6, dup8, dup30, ])); -var msg128 = msg("named:74", part211); +var msg128 = msg("named:74", part210); -var part212 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); +var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); -var part213 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); +var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); var select43 = linear_select([ + part211, part212, - part213, ]); var all42 = all_match({ 
@@ -2342,38 +2334,38 @@ var select44 = linear_select([ msg129, ]); -var part214 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ +var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ dup15, dup6, dup8, setc("event_description","can't read sid"), ])); -var msg130 = msg("pidof:01", part214); +var msg130 = msg("pidof:01", part213); -var part215 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ +var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ dup15, dup6, dup8, ])); -var msg131 = msg("pidof", part215); +var msg131 = msg("pidof", part214); var select45 = linear_select([ msg130, msg131, ]); -var part216 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. %{result}", processor_chain([ +var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. %{result}", processor_chain([ dup15, dup6, dup8, setc("event_description","Configured local-address not available as source address for DNS updates"), ])); -var msg132 = msg("validate_dhcpd:01", part216); +var msg132 = msg("validate_dhcpd:01", part215); -var msg133 = msg("validate_dhcpd", dup74); +var msg133 = msg("validate_dhcpd", dup73); var select46 = linear_select([ msg132, 
@@ -2382,13 +2374,13 @@ var select46 = linear_select([ var msg134 = msg("syslog-ng", dup64); -var part217 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ +var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ dup12, dup6, dup8, ])); -var msg135 = msg("kernel", part217); +var msg135 = msg("kernel", part216); var msg136 = msg("kernel:01", dup64); @@ -2397,25 +2389,25 @@ var select47 = linear_select([ msg136, ]); -var msg137 = msg("radiusd", dup69); +var msg137 = msg("radiusd", dup64); -var part218 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ +var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ dup12, dup6, dup8, ])); -var msg138 = msg("rc", part218); +var msg138 = msg("rc", part217); var msg139 = msg("rc3", dup64); -var part219 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ +var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ dup12, dup6, dup8, ])); -var msg140 = msg("rcsysinit", part219); +var msg140 = msg("rcsysinit", part218); var msg141 = msg("rcsysinit:01", dup64); 
@@ -2424,37 +2416,37 @@ var select48 = linear_select([ msg141, ]); -var part220 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ +var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ dup12, dup6, dup8, ])); -var msg142 = msg("watchdog", part220); +var msg142 = msg("watchdog", part219); -var part221 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ +var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ dup12, dup6, dup8, ])); -var msg143 = msg("watchdog:01", part221); +var msg143 = msg("watchdog:01", part220); -var part222 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ +var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ dup12, dup6, dup8, ])); -var msg144 = msg("watchdog:02", part222); +var msg144 = msg("watchdog:02", part221); -var part223 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ +var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ dup15, dup6, dup8, ])); -var msg145 = msg("watchdog:03", part223); +var msg145 = msg("watchdog:03", part222); var msg146 = msg("watchdog:04", dup64); 
@@ -2468,13 +2460,13 @@ var select49 = linear_select([ var msg147 = msg("init", dup64); -var part224 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ +var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ dup12, dup6, dup8, ])); -var msg148 = msg("logger", part224); +var msg148 = msg("logger", part223); var msg149 = msg("logger:01", dup64); 
@@ -2483,33 +2475,33 @@ var select50 = linear_select([ msg149, ]); -var part225 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ +var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, ])); -var msg150 = msg("openvpn-member", part225); +var msg150 = msg("openvpn-member", part224); -var msg151 = msg("openvpn-member:01", dup75); +var msg151 = msg("openvpn-member:01", dup74); -var part226 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ +var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ dup15, dup6, dup8, ])); -var msg152 = msg("openvpn-member:02", part226); +var msg152 = msg("openvpn-member:02", part225); -var part227 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ +var part226 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ dup12, dup6, dup8, ])); -var msg153 = msg("openvpn-member:03", part227); +var msg153 = msg("openvpn-member:03", part226); -var msg154 = msg("openvpn-member:04", dup76); +var msg154 = msg("openvpn-member:04", dup75); var msg155 = msg("openvpn-member:05", dup64); 
@@ -2522,32 +2514,32 @@ var select51 = linear_select([ msg155, ]); -var part228 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ +var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ dup12, dup6, dup8, ])); -var msg156 = msg("sshd", part228); +var msg156 = msg("sshd", part227); -var part229 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); +var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); -var part230 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); +var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); -var part231 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); +var part230 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); var select52 = linear_select([ + part229, part230, - part231, ]); -var part232 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); +var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); var all43 = all_match({ processors: [ - part229, + part228, select52, - part232, + part231, ], on_success: processor_chain([ dup12, 
@@ -2558,31 +2550,31 @@ var all43 = all_match({ var msg157 = msg("sshd:01", all43); -var part233 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ +var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ dup12, dup6, dup8, ])); -var msg158 = msg("sshd:02", part233); +var msg158 = msg("sshd:02", part232); -var part234 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ +var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ dup15, dup6, dup8, ])); -var msg159 = msg("sshd:03", part234); +var msg159 = msg("sshd:03", part233); -var part235 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ +var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ setc("eventcategory","1601000000"), dup6, dup8, ])); -var msg160 = msg("sshd:04", part235); +var msg160 = msg("sshd:04", part234); -var part236 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result->} ", processor_chain([ +var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ dup1, dup2, dup4, 
@@ -2592,27 +2584,27 @@ var part236 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logou setc("event_description","logout"), ])); -var msg161 = msg("sshd:05", part236); +var msg161 = msg("sshd:05", part235); -var part237 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr->} ", processor_chain([ +var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ dup15, dup6, setc("result","no identification string"), setc("event_description","Did not receive identification string from peer"), ])); -var msg162 = msg("sshd:06", part237); +var msg162 = msg("sshd:06", part236); -var part238 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ +var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ dup12, dup6, setc("result","slowing down ssh login"), setc("event_description","Sleep 60 seconds"), ])); -var msg163 = msg("sshd:07", part238); +var msg163 = msg("sshd:07", part237); -var part239 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ +var part238 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ setc("eventcategory","1302010300"), dup6, setc("event_description","authentication succeeded"), @@ -2620,9 +2612,9 @@ var part239 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} dup60, ])); -var msg164 = msg("sshd:08", part239); +var msg164 = msg("sshd:08", part238); -var part240 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ +var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ dup12, dup6, dup8, 
@@ -2630,9 +2622,9 @@ var part240 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{g dup60, ])); -var msg165 = msg("sshd:09", part240); +var msg165 = msg("sshd:09", part239); -var part241 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ +var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ dup12, dup6, dup8, @@ -2640,7 +2632,7 @@ var part241 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol ver dup60, ])); -var msg166 = msg("sshd:10", part241); +var msg166 = msg("sshd:10", part240); var select53 = linear_select([ msg156, 
@@ -2656,49 +2648,49 @@ var select53 = linear_select([ msg166, ]); -var part242 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ +var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ dup12, dup6, dup8, ])); -var msg167 = msg("openvpn-master", part242); +var msg167 = msg("openvpn-master", part241); -var part243 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ +var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, ])); -var msg168 = msg("openvpn-master:01", part243); +var msg168 = msg("openvpn-master:01", part242); -var msg169 = msg("openvpn-master:02", dup75); +var msg169 = msg("openvpn-master:02", dup74); -var part244 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ +var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ dup15, dup6, dup8, ])); -var msg170 = msg("openvpn-master:03", part244); +var msg170 = msg("openvpn-master:03", part243); -var part245 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ +var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var msg171 = msg("openvpn-master:04", part245); +var msg171 = msg("openvpn-master:04", part244); -var part246 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] 
%{event_description->} ", processor_chain([ +var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var msg172 = msg("openvpn-master:05", part246); +var msg172 = msg("openvpn-master:05", part245); -var msg173 = msg("openvpn-master:06", dup76); +var msg173 = msg("openvpn-master:06", dup75); var msg174 = msg("openvpn-master:07", dup64); @@ -2713,29 +2705,29 @@ var select54 = linear_select([ msg174, ]); -var part247 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ +var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var msg175 = msg("INFOBLOX-Grid", part247); +var msg175 = msg("INFOBLOX-Grid", part246); -var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); +var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); -var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); +var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); var select55 = linear_select([ + part247, part248, - part249, ]); -var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); +var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); var all44 = all_match({ processors: [ select55, - part250, + part249, ], on_success: processor_chain([ dup12, 
@@ -2746,22 +2738,22 @@ var all44 = all_match({ var msg176 = msg("INFOBLOX-Grid:02", all44); -var part251 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ +var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ dup12, dup6, dup8, setc("event_description","Upgrade Complete"), ])); -var msg177 = msg("INFOBLOX-Grid:03", part251); +var msg177 = msg("INFOBLOX-Grid:03", part250); -var part252 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ +var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ dup12, dup6, dup8, ])); -var msg178 = msg("INFOBLOX-Grid:04", part252); +var msg178 = msg("INFOBLOX-Grid:04", part251); var select56 = linear_select([ msg175, 
@@ -2770,41 +2762,41 @@ var select56 = linear_select([ msg178, ]); -var part253 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ +var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ dup12, dup6, dup8, ])); -var msg179 = msg("db_jnld", part253); +var msg179 = msg("db_jnld", part252); -var part254 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); +var part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); -var part255 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); +var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); -var part256 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); +var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); -var part257 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); +var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); -var part258 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); +var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); -var part259 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); +var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); var select57 = linear_select([ + part254, part255, part256, part257, part258, - part259, ]); -var part260 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); +var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); var all45 = all_match({ processors: [ - part254, + part253, select57, - part260, + part259, ], on_success: processor_chain([ dup12, 
@@ -2820,20 +2812,20 @@ var select58 = linear_select([ msg180, ]); -var part261 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); +var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); -var part262 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); +var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); -var part263 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); +var part262 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); var select59 = linear_select([ + part261, part262, - part263, ]); var all46 = all_match({ processors: [ - part261, + part260, select59, ], on_success: processor_chain([ @@ -2845,23 +2837,23 @@ var all46 = all_match({ var msg181 = msg("sSMTP", all46); -var part264 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ +var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ dup15, dup6, dup8, ])); -var msg182 = msg("sSMTP:02", part264); +var msg182 = msg("sSMTP:02", part263); -var part265 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ +var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ dup15, dup6, dup8, ])); -var msg183 = msg("sSMTP:03", part265); +var msg183 = msg("sSMTP:03", part264); -var msg184 = msg("sSMTP:04", dup74); +var msg184 = msg("sSMTP:04", dup73); var select60 = linear_select([ msg181, 
@@ -2870,93 +2862,93 @@ var select60 = linear_select([ msg184, ]); -var part266 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ +var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ dup12, dup6, dup8, ])); -var msg185 = msg("scheduled_backups", part266); +var msg185 = msg("scheduled_backups", part265); -var part267 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ +var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ dup12, dup6, dup8, setc("event_description","Scheduled backup to the FTP server was successful"), ])); -var msg186 = msg("scheduled_ftp_backups", part267); +var msg186 = msg("scheduled_ftp_backups", part266); -var part268 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ +var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ dup15, dup6, dup8, setc("event_description","Scheduled backup to the FTP server failed"), ])); -var msg187 = msg("failed_scheduled_ftp_backups", part268); +var msg187 = msg("failed_scheduled_ftp_backups", part267); var select61 = linear_select([ msg186, msg187, ]); -var part269 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ +var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", 
processor_chain([ dup12, dup6, dup8, setc("event_description","Scheduled backup to the SCP server was successful"), ])); -var msg188 = msg("scheduled_scp_backups", part269); +var msg188 = msg("scheduled_scp_backups", part268); -var part270 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ +var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ dup12, dup6, dup8, ])); -var msg189 = msg("python", part270); +var msg189 = msg("python", part269); -var part271 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ +var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ dup12, dup6, dup8, ])); -var msg190 = msg("python:01", part271); +var msg190 = msg("python:01", part270); -var part272 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ +var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ dup12, dup6, dup8, ])); -var msg191 = msg("python:02", part272); +var msg191 = msg("python:02", part271); -var part273 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ +var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ dup12, dup6, dup8, ])); -var msg192 = msg("python:03", part273); +var msg192 = msg("python:03", part272); -var part274 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', 
View='%{fld1}'", processor_chain([ +var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ dup12, dup6, dup8, ])); -var msg193 = msg("python:04", part274); +var msg193 = msg("python:04", part273); -var part275 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ +var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ dup12, dup6, dup8, ])); -var msg194 = msg("python:05", part275); +var msg194 = msg("python:05", part274); var msg195 = msg("python:06", dup64); 
@@ -2970,29 +2962,29 @@ var select62 = linear_select([ msg195, ]); -var part276 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ +var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ dup11, dup6, dup8, ])); -var msg196 = msg("monitor", part276); +var msg196 = msg("monitor", part275); -var part277 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ +var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var msg197 = msg("snmptrapd", part277); +var msg197 = msg("snmptrapd", part276); -var part278 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ +var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ dup12, dup6, dup8, ])); -var msg198 = msg("snmptrapd:01", part278); +var msg198 = msg("snmptrapd:01", part277); var msg199 = msg("snmptrapd:02", dup64); @@ -3002,15 +2994,15 @@ var select63 = linear_select([ msg199, ]); -var part279 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ +var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ dup12, dup6, dup8, ])); -var msg200 = msg("ntpdate", part279); +var msg200 = msg("ntpdate", part278); -var msg201 = msg("ntpdate:01", dup74); +var msg201 = msg("ntpdate:01", dup73); var select64 = linear_select([ msg200, 
@@ -3019,15 +3011,15 @@ var select64 = linear_select([ var msg202 = msg("phonehome", dup64); -var part280 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ +var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ dup12, dup6, dup8, ])); -var msg203 = msg("purge_scheduled_tasks", part280); +var msg203 = msg("purge_scheduled_tasks", part279); -var part281 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ +var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ dup13, dup2, dup3, @@ -3045,9 +3037,9 @@ var part281 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld2 setc("event_description","Login Denied"), ])); -var msg204 = msg("serial_console:04", part281); +var msg204 = msg("serial_console:04", part280); -var part282 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ +var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ dup13, dup2, dup3, 
@@ -3058,9 +3050,9 @@ var part282 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No aut setc("event_description","No authentication methods succeeded for user"), ])); -var msg205 = msg("serial_console:03", part282); +var msg205 = msg("serial_console:03", part281); -var part283 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ +var part282 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ dup9, dup2, dup3, @@ -3071,9 +3063,9 @@ var part283 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} dup8, ])); -var msg206 = msg("serial_console", part283); +var msg206 = msg("serial_console", part282); -var part284 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ +var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ setc("eventcategory","1302010100"), dup2, dup3, 
@@ -3084,34 +3076,34 @@ var part284 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS setc("event_description","RADIUS authentication succeeded for user"), ])); -var msg207 = msg("serial_console:01", part284); +var msg207 = msg("serial_console:01", part283); -var part285 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ +var part284 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ dup12, dup6, dup8, setc("event_description","User group identification"), ])); -var msg208 = msg("serial_console:02", part285); +var msg208 = msg("serial_console:02", part284); -var part286 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ +var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ dup12, dup6, dup8, setc("event_description","system reboot"), ])); -var msg209 = msg("serial_console:05", part286); +var msg209 = msg("serial_console:05", part285); -var part287 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ +var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ dup12, dup6, dup8, setc("event_description","Local authentication succeeded for user"), ])); -var msg210 = msg("serial_console:06", part287); +var msg210 = msg("serial_console:06", part286); var select65 = linear_select([ msg204, 
@@ -3129,99 +3121,99 @@ var msg212 = msg("acpid", dup64); var msg213 = msg("diskcheck", dup64); -var part288 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ +var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var msg214 = msg("debug_mount", part288); +var msg214 = msg("debug_mount", part287); var msg215 = msg("smart_check_io", dup64); var msg216 = msg("speedstep_control", dup64); -var part289 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ +var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ dup12, dup6, dup8, setc("event_description","Distribution Started"), ])); -var msg217 = msg("controld", part289); +var msg217 = msg("controld", part288); -var part290 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ +var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ dup12, dup6, dup8, setc("event_description","Distribution Complete"), ])); -var msg218 = msg("controld:02", part290); +var msg218 = msg("controld:02", part289); var select66 = linear_select([ msg217, msg218, ]); -var part291 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ +var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ dup12, dup6, dup8, setc("event_description","shutting down for system reboot"), ])); -var msg219 = msg("shutdown", part291); +var msg219 = msg("shutdown", part290); -var part292 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ +var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ dup12, dup6, 
dup8, setc("event_description","ntpd exiting"), ])); -var msg220 = msg("ntpd_initres", part292); +var msg220 = msg("ntpd_initres", part291); -var part293 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ +var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ dup12, dup6, dup8, ])); -var msg221 = msg("rsyncd", part293); +var msg221 = msg("rsyncd", part292); -var part294 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ +var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ dup12, dup6, dup8, ])); -var msg222 = msg("rsyncd:01", part294); +var msg222 = msg("rsyncd:01", part293); -var part295 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ +var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ dup12, dup6, dup8, ])); -var msg223 = msg("rsyncd:02", part295); +var msg223 = msg("rsyncd:02", part294); -var part296 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ +var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ dup12, dup6, dup8, ])); -var msg224 = msg("rsyncd:03", part296); +var msg224 = msg("rsyncd:03", part295); -var part297 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ +var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ dup12, dup6, setc("event_description","building file list"), dup8, ])); -var msg225 = msg("rsyncd:04", part297); +var msg225 = 
msg("rsyncd:04", part296); var select67 = linear_select([ msg221, @@ -3231,29 +3223,29 @@ var select67 = linear_select([ msg225, ]); -var msg226 = msg("syslog", dup77); +var msg226 = msg("syslog", dup76); -var msg227 = msg("restarting", dup77); +var msg227 = msg("restarting", dup76); -var part298 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1->} ", processor_chain([ +var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ dup12, dup6, dup8, dup61, ])); -var msg228 = msg("ipmievd", part298); +var msg228 = msg("ipmievd", part297); -var part299 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ +var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ dup58, dup6, dup8, dup60, ])); -var msg229 = msg("netauto_discovery", part299); +var msg229 = msg("netauto_discovery", part298); -var part300 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ +var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ dup58, dup6, dup8, 
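Review bot: The trailing-space fix to the `MESSAGE#227:ipmievd` pattern (`"%{fld1->} "` → `"%{fld1}"`) is applied directly in this pipeline, and the same edit recurs for `MESSAGE#225:syslog` in the `-3676` hunk. If this `.js` is regenerated from the RSA parser definitions by a converter, as the `MESSAGE#…`/`dup…` shape suggests, the fix belongs in the source definition or in the converter's handling of trailing whitespace, otherwise the next regeneration reverts it. The rest of this hunk is the `part…`/`dup…` renumbering that follows the earlier removal and is consistent as far as visible here. A header comment naming the origin of the file, e.g. `// Generated from <parser source> by <converter version>; do not edit by hand.`, would make that provenance clear to the next reviewer.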
@@ -3261,18 +3253,18 @@ var part300 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{a setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), ])); -var msg230 = msg("netauto_discovery:01", part300); +var msg230 = msg("netauto_discovery:01", part299); -var part301 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ +var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ dup58, dup6, dup8, dup60, ])); -var msg231 = msg("netauto_discovery:02", part301); +var msg231 = msg("netauto_discovery:02", part300); -var part302 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ +var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ dup62, dup6, dup8, @@ -3280,7 +3272,7 @@ var part302 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{a dup14, ])); -var msg232 = msg("netauto_discovery:03", part302); +var msg232 = msg("netauto_discovery:03", part301); var select68 = linear_select([ msg229, 
@@ -3289,30 +3281,30 @@ var select68 = linear_select([ msg232, ]); -var part303 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ +var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ dup58, dup6, dup8, dup60, ])); -var msg233 = msg("netauto_core:01", part303); +var msg233 = msg("netauto_core:01", part302); -var part304 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ +var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ dup58, dup6, dup8, dup60, ])); -var msg234 = msg("netauto_core", part304); +var msg234 = msg("netauto_core", part303); var select69 = linear_select([ msg233, msg234, ]); -var part305 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ +var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ dup48, dup6, dup8, @@ -3320,9 +3312,9 @@ var part305 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{ dup14, ])); -var msg235 = msg("captured_dns_uploader", part305); +var msg235 = msg("captured_dns_uploader", part304); -var part306 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ +var part305 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ dup62, dup6, dup8, 
@@ -3331,41 +3323,41 @@ var part306 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Dev dup14, ])); -var msg236 = msg("DIS", part306); +var msg236 = msg("DIS", part305); -var part307 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ +var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ dup58, dup6, dup8, dup60, ])); -var msg237 = msg("DIS:01", part307); +var msg237 = msg("DIS:01", part306); var select70 = linear_select([ msg236, msg237, ]); -var part308 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ +var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ dup63, dup6, dup8, dup60, ])); -var msg238 = msg("ErrorMsg", part308); +var msg238 = msg("ErrorMsg", part307); -var part309 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ +var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ dup12, dup6, dup8, dup60, ])); -var msg239 = msg("tacacs_acct", part309); +var msg239 = msg("tacacs_acct", part308); -var part310 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. %{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ +var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. %{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ dup63, dup6, dup8, 
@@ -3373,16 +3365,16 @@ var part310 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: setc("event_description","Accounting request failed."), ])); -var msg240 = msg("tacacs_acct:01", part310); +var msg240 = msg("tacacs_acct:01", part309); -var part311 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ +var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ dup12, dup6, dup8, dup60, ])); -var msg241 = msg("tacacs_acct:02", part311); +var msg241 = msg("tacacs_acct:02", part310); var select71 = linear_select([ msg239, @@ -3390,7 +3382,7 @@ var select71 = linear_select([ msg241, ]); -var part312 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ +var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ dup12, dup6, dup8, @@ -3398,9 +3390,9 @@ var part312 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward me setc("event_description","Relay-forward message"), ])); -var msg242 = msg("dhcpdv6", part312); +var msg242 = msg("dhcpdv6", part311); -var part313 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ +var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ dup12, dup6, dup8, 
@@ -3408,9 +3400,9 @@ var part313 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated setc("event_description","Encapsulated Solicit message"), ])); -var msg243 = msg("dhcpdv6:01", part313); +var msg243 = msg("dhcpdv6:01", part312); -var part314 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ +var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ dup12, dup6, dup8, @@ -3418,9 +3410,9 @@ var part314 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1 setc("event_description","IP unknown - No addresses available for this interface"), ])); -var msg244 = msg("dhcpdv6:02", part314); +var msg244 = msg("dhcpdv6:02", part313); -var part315 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ +var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ dup12, dup6, dup8, @@ -3428,9 +3420,9 @@ var part315 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating setc("event_description","Encapsulating Advertise message"), ])); -var msg245 = msg("dhcpdv6:03", part315); +var msg245 = msg("dhcpdv6:03", part314); -var part316 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", processor_chain([ +var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", processor_chain([ dup12, dup6, dup8, 
@@ -3438,9 +3430,9 @@ var part316 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay setc("event_description","Sending Relay-reply message"), ])); -var msg246 = msg("dhcpdv6:04", part316); +var msg246 = msg("dhcpdv6:04", part315); -var part317 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ +var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ dup12, dup6, dup8, @@ -3448,9 +3440,9 @@ var part317 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated setc("event_description","Encapsulated Information-request message"), ])); -var msg247 = msg("dhcpdv6:05", part317); +var msg247 = msg("dhcpdv6:05", part316); -var part318 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ +var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ dup12, dup6, dup8, @@ -3458,9 +3450,9 @@ var part318 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating setc("event_description","Encapsulating Reply message"), ])); -var msg248 = msg("dhcpdv6:06", part318); +var msg248 = msg("dhcpdv6:06", part317); -var part319 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ +var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ dup12, dup6, dup8, 
@@ -3468,16 +3460,16 @@ var part319 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated setc("event_description","Encapsulated Renew message"), ])); -var msg249 = msg("dhcpdv6:07", part319); +var msg249 = msg("dhcpdv6:07", part318); -var part320 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ +var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ dup12, dup6, dup8, dup30, ])); -var msg250 = msg("dhcpdv6:08", part320); +var msg250 = msg("dhcpdv6:08", part319); var msg251 = msg("dhcpdv6:09", dup68); @@ -3496,7 +3488,7 @@ var select72 = linear_select([ var msg252 = msg("debug", dup68); -var part321 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ +var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ dup12, dup6, dup8, @@ -3504,7 +3496,7 @@ var part321 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying reque setc("event_description","proxying request"), ])); -var msg253 = msg("cloud_api", part321); +var msg253 = msg("cloud_api", part320); var chain1 = processor_chain([ select3, 
@@ -3566,61 +3558,61 @@ var chain1 = processor_chain([ }), ]); -var part322 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); +var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); -var part323 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); +var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); -var part324 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); +var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); -var part325 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); +var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); -var part326 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); +var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); -var part327 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); +var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); -var part328 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); +var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); -var part329 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); +var part328 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); -var part330 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); +var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); -var part331 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); +var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); -var part332 = match("MESSAGE#53:named:16/1_0", 
"nwparser.p0", "approved %{}"); +var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); -var part333 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); +var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); -var part334 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); +var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); -var part335 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); +var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); -var part336 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); +var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); -var part337 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); +var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); -var part338 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); +var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); -var part339 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); +var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); -var part340 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); +var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); -var part341 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); +var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); -var part342 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); +var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); -var part343 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); +var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", 
"%{event_description}"); -var part344 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); +var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); -var part345 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); +var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); -var part346 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); +var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); -var part347 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); +var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); -var part348 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); +var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); -var part349 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ +var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ dup12, dup6, dup8, @@ -3641,19 +3633,13 @@ var select75 = linear_select([ dup26, ]); -var part350 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ +var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ dup12, dup6, dup8, dup30, ])); -var part351 = match("MESSAGE#52:ntpd:02", "nwparser.payload", "%{event_description->} ", processor_chain([ - dup12, - dup6, - dup8, -])); - var select76 = linear_select([ dup33, dup34, 
@@ -3676,25 +3662,25 @@ var select79 = linear_select([ dup52, ]); -var part352 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ +var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ dup15, dup6, dup8, ])); -var part353 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ +var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ dup15, dup6, dup8, ])); -var part354 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ +var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ dup12, dup6, dup8, ])); -var part355 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description->} ", processor_chain([ +var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ dup12, dup6, dup8, diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log index ce23ec18782..aa19d8bc78d 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log 
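Review bot: The fixture no longer exercises the case this pattern change fixes: `MESSAGE#225:syslog` stops requiring a trailing space (`"%{event_description->} "` → `"%{event_description}"`), but the `generated.log` lines that differ only in trailing whitespace (`syslog eomnisis`, `restarting dol`, `ipmievd non`) are stripped in the same commit, as the one-byte `log.offset` shifts in the expected JSON show. Keeping at least one input line with trailing whitespace would show whether the new pattern tolerates it or merely stops requiring it, and would guard the `restarting` message, which is built from the same `dup76` as `syslog`, against a regression. The `MESSAGE#52:ntpd:02` definition deleted in the `-3641` hunk carried the same `->} ` suffix; it is presumably matched by another definition now, but that is not visible in this diff and is worth confirming.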
@@ -15,7 +15,7 @@ August 2 01:43:25 edquiano6061.internal.invalid end: shutdown shutting down for Aug 16 08:45:59 cup1793.local 10.110.243.57 tacacs_acct[onofd]: taed: Read lup bytes from server 10.210.72.27 port 7118, expecting strude August 30 15:48:33 ostr4979.www5.host controld[luptat]: Distribution Started September 13 22:51:07 adm987.www.test ritatis: ntpdate oloremi -September 28 05:53:42 isaute811.www.home tionemu: syslog eomnisis +September 28 05:53:42 isaute811.www.home tionemu: syslog eomnisis October 12 12:56:16 inima5444.www5.lan validate_dhcpd[nihi]: Lor October 26 19:58:50 erc3217.internal.lan debug_mount[olupt]: mount modoco Nov 10 03:01:24 iadese6958.www5.local 10.33.153.47 captured_dns_uploader: hil @@ -24,7 +24,7 @@ December 8 17:06:33 uatD2509.mail.domain ntpdate[rehend]: adjust time server 10. December 23 00:09:07 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm January 6 07:11:41 ercit2385.internal.home rsyncd[run]: building file list January 20 14:14:16 quisnos4590.mail.domain nnum: httpd eritqu -February 3 21:16:50 wri2784.api.domain hitect: restarting dol +February 3 21:16:50 wri2784.api.domain hitect: restarting dol February 18 04:19:24 asun1250.api.localdomain rc3[oluptate]: onseq Mar 04 11:21:59 iae1637.local 10.85.164.25 captured_dns_uploader: doloreme March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete 
@@ -32,7 +32,7 @@ April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME etdol"uela" in zone "boN" April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) May 14 22:34:50 bore6534.internal.localhost stlabo: speedstep_control dictasu -May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non +May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis Jun 26 19:42:33 Utenima1612.www5.domain ptatem: captured_dns_uploader Nequepor July 11 02:45:07 tco1842.www.localhost 10.20.147.134 ntpd_initres: ntpd exiting on signal 15 @@ -92,7 +92,7 @@ August 7 16:01:23 olu5333.www.domain orumSe: diskcheck dolor August 21 23:03:57 dtemp1362.internal.example mips: init itae September 5 06:06:31 odt5505.www5.localdomain 10.76.92.103 snmptrapd[uscip]: umS September 19 13:09:05 ici5097.www.domain iatnu: db_jnld Resolved conflict for replicated delete of CNAME writte"sitvo" in zone "ine" -October 3 20:11:40 itse522.internal.localdomain fugiatqu: syslog seos +October 3 20:11:40 itse522.internal.localdomain fugiatqu: syslog seos October 18 03:14:14 oquisqu1528.invalid 10.54.44.231 acpid: Ute November 1 10:16:48 quu2203.internal.invalid 10.61.175.217 acpid: enbyCi Nov 15 17:19:22 quunt3116.localhost debug[nonn]: dents diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 72c8214cb31..1ae1a190ae4 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
@@ -446,17 +446,17 @@
 "event.code": "syslog",
 "event.dataset": "infoblox.nios",
 "event.module": "infoblox",
- "event.original": "September 28 05:53:42 isaute811.www.home tionemu: syslog eomnisis ",
+ "event.original": "September 28 05:53:42 isaute811.www.home tionemu: syslog eomnisis",
 "fileset.name": "nios",
 "input.type": "log",
- "log.flags": [
- "dissect_parsing_error"
- ],
 "log.offset": 1724,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "rsa.db.index": "tionemu",
+ "rsa.internal.event_desc": "eomnisis",
 "rsa.internal.messageid": "syslog",
+ "rsa.misc.event_source": "isaute811.www.home",
 "rsa.time.day": "28",
 "rsa.time.event_time": "2019-09-28T07:53:42.000Z",
 "rsa.time.month": "September",
@@ -473,7 +473,7 @@
 "event.original": "October 12 12:56:16 inima5444.www5.lan validate_dhcpd[nihi]: Lor",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 1791,
+ "log.offset": 1790,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -497,7 +497,7 @@
 "event.original": "October 26 19:58:50 erc3217.internal.lan debug_mount[olupt]: mount modoco",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 1856,
+ "log.offset": 1855,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -522,7 +522,7 @@
 "event.outcome": "Failure",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 1930,
+ "log.offset": 1929,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -546,7 +546,7 @@
 "event.original": "November 24 10:03:59 CSed2857.www5.example ecillu: validate_dhcpd quip",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2008,
+ "log.offset": 2007,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -569,7 +569,7 @@
 "event.original": "December 8 17:06:33 uatD2509.mail.domain ntpdate[rehend]: adjust time server 10.194.18.21 offset 66.440000 sec",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2079,
+ "log.offset": 2078,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -599,7 +599,7 @@
 "event.original": "December 23 00:09:07 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2190,
+ "log.offset": 2189,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -624,7 +624,7 @@
 "event.original": "January 6 07:11:41 ercit2385.internal.home rsyncd[run]: building file list",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2293,
+ "log.offset": 2292,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -648,7 +648,7 @@
 "event.original": "January 20 14:14:16 quisnos4590.mail.domain nnum: httpd eritqu",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2368,
+ "log.offset": 2367,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -668,17 +668,17 @@
 "event.code": "restarting",
 "event.dataset": "infoblox.nios",
 "event.module": "infoblox",
- "event.original": "February 3 21:16:50 wri2784.api.domain hitect: restarting dol ",
+ "event.original": "February 3 21:16:50 wri2784.api.domain hitect: restarting dol",
 "fileset.name": "nios",
 "input.type": "log",
- "log.flags": [
- "dissect_parsing_error"
- ],
- "log.offset": 2431,
+ "log.offset": 2430,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "rsa.db.index": "hitect",
+ "rsa.internal.event_desc": "dol",
 "rsa.internal.messageid": "restarting",
+ "rsa.misc.event_source": "wri2784.api.domain",
 "rsa.time.day": "3",
 "rsa.time.event_time": "2020-02-03T23:16:50.000Z",
 "rsa.time.month": "February",
@@ -695,7 +695,7 @@
 "event.original": "February 18 04:19:24 asun1250.api.localdomain rc3[oluptate]: onseq",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2494,
+ "log.offset": 2492,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -720,7 +720,7 @@
 "event.outcome": "Failure",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2561,
+ "log.offset": 2559,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -744,7 +744,7 @@
 "event.original": "March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2636,
+ "log.offset": 2634,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -768,7 +768,7 @@
 "event.original": "April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2729,
+ "log.offset": 2727,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -794,7 +794,7 @@
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 2787,
+ "log.offset": 2785,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -816,7 +816,7 @@
 "event.original": "April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 2926,
+ "log.offset": 2924,
 "network.protocol": "rdp",
 "observer.product": "Network",
 "observer.type": "IPAM",
@@ -842,7 +842,7 @@
 "event.original": "May 14 22:34:50 bore6534.internal.localhost stlabo: speedstep_control dictasu",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3028,
+ "log.offset": 3026,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -862,17 +862,16 @@
 "event.code": "ipmievd",
 "event.dataset": "infoblox.nios",
 "event.module": "infoblox",
- "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non ",
+ "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non",
 "fileset.name": "nios",
 "input.type": "log",
- "log.flags": [
- "dissect_parsing_error"
- ],
- "log.offset": 3106,
+ "log.offset": 3104,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "rsa.db.index": "nse",
 "rsa.internal.messageid": "ipmievd",
+ "rsa.misc.event_source": "eveli265.www5.localdomain",
 "rsa.time.day": "29",
 "rsa.time.event_time": "2020-05-29T07:37:24.000Z",
 "rsa.time.month": "May",
@@ -891,7 +890,7 @@
 "host.ip": "10.74.104.215",
 "host.name": "uptatema6843.www.host",
 "input.type": "log",
- "log.offset": 3166,
+ "log.offset": 3163,
 "network.protocol": "tcp",
 "observer.product": "Network",
 "observer.type": "IPAM",
@@ -928,7 +927,7 @@
 "event.outcome": "Failure",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3386,
+ "log.offset": 3383,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -952,7 +951,7 @@
 "event.original": "July 11 02:45:07 tco1842.www.localhost 10.20.147.134 ntpd_initres: ntpd exiting on signal 15",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3465,
+ "log.offset": 3462,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -975,7 +974,7 @@
 "event.original": "July 25 09:47:41 turadip3427.api.corp 10.77.52.83 pidof[nci]: can't read sid from tev",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3558,
+ "log.offset": 3555,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1000,7 +999,7 @@
 "event.original": "August 8 16:50:15 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3644,
+ "log.offset": 3641,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1023,7 +1022,7 @@
 "event.original": "August 22 23:52:50 adm7744.mail.domain 10.26.87.161 rcsysinit: isc",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3716,
+ "log.offset": 3713,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1049,7 +1048,7 @@
 "event.original": "September 6 06:55:24 ios6980.example 10.246.64.161 watchdog: deny, pid = 845",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3783,
+ "log.offset": 3780,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1075,7 +1074,7 @@
 "event.original": "September 20 13:57:58 osquira6030.internal.corp diskcheck[com]: tnulapa",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3860,
+ "log.offset": 3857,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1099,7 +1098,7 @@
 "event.original": "October 4 21:00:32 squirati63.mail.lan watchdog[nbyCic]: utlabor",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3932,
+ "log.offset": 3929,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1123,7 +1122,7 @@
 "event.original": "October 19 04:03:07 lup2134.www.localhost rc[upida]: executing tvolupt start",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 3997,
+ "log.offset": 3994,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1147,7 +1146,7 @@
 "event.original": "November 2 11:05:41 umdo4017.www.local snmptrapd[ati]: uine",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4074,
+ "log.offset": 4071,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1171,7 +1170,7 @@
 "event.original": "November 16 18:08:15 loreme853.www5.localdomain ven: snmptrapd con",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4134,
+ "log.offset": 4131,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1194,7 +1193,7 @@
 "event.original": "December 1 01:10:49 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4201,
+ "log.offset": 4198,
 "network.protocol": "icmp",
 "observer.product": "Network",
 "observer.type": "IPAM",
@@ -1221,7 +1220,7 @@
 "event.original": "December 15 08:13:24 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4319,
+ "log.offset": 4316,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1245,7 +1244,7 @@
 "event.original": "December 29 15:15:58 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4394,
+ "log.offset": 4391,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1275,7 +1274,7 @@
 "event.outcome": "Success",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4498,
+ "log.offset": 4495,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1307,7 +1306,7 @@
 "event.original": "January 27 05:21:06 tali7803.www.localdomain its: httpd ender",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4622,
+ "log.offset": 4619,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1330,7 +1329,7 @@
 "event.original": "February 10 12:23:41 siut5663.local piscinge: rcsysinit fsck from 1.271",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4684,
+ "log.offset": 4681,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1354,7 +1353,7 @@
 "event.original": "February 24 19:26:15 elitse6672.internal.localdomain INFOBLOX-Grid[mquisno]: Grid member at 10.107.9.163 uptate",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4756,
+ "log.offset": 4753,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1384,7 +1383,7 @@
 "event.original": "March 11 02:28:49 tpersp55.api.invalid 10.15.97.155 openvpn-member[tdol]: Options error: sit",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4868,
+ "log.offset": 4865,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1408,7 +1407,7 @@
 "event.original": "March 25 09:31:24 uptate6077.www5.corp ugiat: init onulam",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 4961,
+ "log.offset": 4958,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1431,7 +1430,7 @@
 "event.original": "April 8 16:33:58 odoconse228.mail.localdomain veli: syslog-ng tenim",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5019,
+ "log.offset": 5016,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1454,7 +1453,7 @@
 "event.original": "April 22 23:36:32 tdol5310.domain diskcheck[asper]: idunt",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5087,
+ "log.offset": 5084,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1478,7 +1477,7 @@
 "event.original": "May 7 06:39:06 ica7215.mail.home dicta: in.tftpd connection refused from 10.235.176.114",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5145,
+ "log.offset": 5142,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1506,7 +1505,7 @@
 "event.original": "May 21 13:41:41 veniamqu7284.mail.invalid 10.224.11.165 pidof[utali]: can't read sid from porinc",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5233,
+ "log.offset": 5230,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1532,7 +1531,7 @@
 "file.name": "rcitat",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5330,
+ "log.offset": 5327,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1561,7 +1560,7 @@
 "event.original": "June 19 03:46:49 sequatD5469.www5.lan atisetqu: diskcheck issuscip",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5426,
+ "log.offset": 5423,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1584,7 +1583,7 @@
 "event.original": "July 3 10:49:23 tla4765.api.host purge_scheduled_tasks[isa]: Scheduled tasks have been purged",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5493,
+ "log.offset": 5490,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1607,7 +1606,7 @@
 "event.original": "July 17 17:51:58 itationu3575.www.invalid 10.21.229.25 syslog-ng: orroq",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5587,
+ "log.offset": 5584,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1630,7 +1629,7 @@
 "event.original": "Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5659,
+ "log.offset": 5656,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1654,7 +1653,7 @@
 "event.original": "August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5723,
+ "log.offset": 5720,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1677,7 +1676,7 @@
 "event.original": "August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5809,
+ "log.offset": 5806,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1704,7 +1703,7 @@
 "file.name": "dictasun",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 5922,
+ "log.offset": 5919,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1728,7 +1727,7 @@
 "event.original": "September 27 05:04:49 tlaboree6412.internal.home smart_check_io[mod]: col",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6064,
+ "log.offset": 6061,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1752,7 +1751,7 @@
 "event.original": "October 11 12:07:23 mipsamvo4282.api.home reetdo: init oreveri",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6138,
+ "log.offset": 6135,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1775,7 +1774,7 @@
 "event.original": "October 25 19:09:57 ugit5828.www5.test rc[asnu]: executing hitec start",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6201,
+ "log.offset": 6198,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1799,7 +1798,7 @@
 "event.original": "November 9 02:12:32 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6272,
+ "log.offset": 6269,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1828,7 +1827,7 @@
 "event.original": "Nov 23 09:15:06 ation6657.www.home dhcpd[iatqu]: Reclaiming REQUESTed abandoned IP address10.16.44.207",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6392,
+ "log.offset": 6389,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1858,7 +1857,7 @@
 "event.original": "December 7 16:17:40 tas2266.internal.example 10.219.59.20 kernel[ntium]: iration",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6495,
+ "log.offset": 6492,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1882,7 +1881,7 @@
 "event.original": "December 21 23:20:14 oremquel3992.mail.host 10.238.232.42 rcsysinit[ssusci]: animid",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6576,
+ "log.offset": 6573,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1906,7 +1905,7 @@
 "event.original": "Jan 5 06:22:49 atuse5193.www.local dhcpdv6[cti]: aparia",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6660,
+ "log.offset": 6657,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1930,7 +1929,7 @@
 "event.original": "January 19 13:25:23 ratv2649.www.host speedstep_control[tali]: BCS",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6716,
+ "log.offset": 6713,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1954,7 +1953,7 @@
 "event.original": "February 2 20:27:57 nculpaq3821.www5.invalid syslog-ng[billoinv]: sci",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6783,
+ "log.offset": 6780,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -1978,7 +1977,7 @@
 "event.original": "February 17 03:30:32 obea5700.mail.lan diskcheck[luptas]: uptatem",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6853,
+ "log.offset": 6850,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2003,7 +2002,7 @@
 "file.name": "urEx",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 6919,
+ "log.offset": 6916,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2028,7 +2027,7 @@
 "event.original": "March 17 17:35:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7046,
+ "log.offset": 7043,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2051,7 +2050,7 @@
 "event.original": "April 1 00:38:14 pta6801.mail.invalid 10.35.254.68 snmptrapd[eiusmod]: itation",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7128,
+ "log.offset": 7125,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2075,7 +2074,7 @@
 "event.original": "April 15 07:40:49 scivel2614.www5.invalid meumfugi: httpd tquas",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7207,
+ "log.offset": 7204,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2098,7 +2097,7 @@
 "event.original": "April 29 14:43:23 ntmoll7616.api.localhost INFOBLOX-Grid[isnostru]: Grid member at 10.10.223.104 nBCSe",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7271,
+ "log.offset": 7268,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2128,7 +2127,7 @@
 "event.original": "sshd[Nemo]: Sleep 60 seconds for slowing down ssh login",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7374,
+ "log.offset": 7371,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2151,7 +2150,7 @@
 "event.original": "May 28 04:48:31 velill2874.internal.invalid 10.236.247.87 debug: tatevel",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7430,
+ "log.offset": 7427,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2174,7 +2173,7 @@
 "event.original": "June 11 11:51:06 ict2699.internal.localhost 10.117.2.51 python: allow: FQDN='luptate4640.api.host', View='iqui'",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7503,
+ "log.offset": 7500,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2197,7 +2196,7 @@
 "event.original": "June 25 18:53:40 reseosq3558.www5.invalid kernel[pteurs]: catcupi",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7616,
+ "log.offset": 7613,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2221,7 +2220,7 @@
 "event.original": "July 10 01:56:14 saqu320.api.test purge_scheduled_tasks[amquisno]: Scheduled tasks have been purged",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7682,
+ "log.offset": 7679,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2244,7 +2243,7 @@
 "event.original": "July 24 08:58:48 sequat4596.api.domain epteur: rc executing ommo start",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7782,
+ "log.offset": 7779,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2267,7 +2266,7 @@
 "event.original": "August 7 16:01:23 olu5333.www.domain orumSe: diskcheck dolor",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7853,
+ "log.offset": 7850,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2290,7 +2289,7 @@
 "event.original": "August 21 23:03:57 dtemp1362.internal.example mips: init itae",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7914,
+ "log.offset": 7911,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2313,7 +2312,7 @@
 "event.original": "September 5 06:06:31 odt5505.www5.localdomain 10.76.92.103 snmptrapd[uscip]: umS",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 7976,
+ "log.offset": 7973,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2340,7 +2339,7 @@
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 8057,
+ "log.offset": 8054,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2358,17 +2357,17 @@
 "event.code": "syslog",
 "event.dataset": "infoblox.nios",
 "event.module": "infoblox",
- "event.original": "October 3 20:11:40 itse522.internal.localdomain fugiatqu: syslog seos ",
+ "event.original": "October 3 20:11:40 itse522.internal.localdomain fugiatqu: syslog seos",
 "fileset.name": "nios",
 "input.type": "log",
- "log.flags": [
- "dissect_parsing_error"
- ],
- "log.offset": 8191,
+ "log.offset": 8188,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "rsa.db.index": "fugiatqu",
+ "rsa.internal.event_desc": "seos",
 "rsa.internal.messageid": "syslog",
+ "rsa.misc.event_source": "itse522.internal.localdomain",
 "rsa.time.day": "3",
 "rsa.time.event_time": "2019-10-03T22:11:40.000Z",
 "rsa.time.month": "October",
@@ -2385,7 +2384,7 @@
 "event.original": "October 18 03:14:14 oquisqu1528.invalid 10.54.44.231 acpid: Ute",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 8262,
+ "log.offset": 8258,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2408,7 +2407,7 @@
 "event.original": "November 1 10:16:48 quu2203.internal.invalid 10.61.175.217 acpid: enbyCi",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 8326,
+ "log.offset": 8322,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2431,7 +2430,7 @@
 "event.original": "Nov 15 17:19:22 quunt3116.localhost debug[nonn]: dents",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 8399,
+ "log.offset": 8395,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2455,7 +2454,7 @@
 "event.original": "Nov 30 00:21:57 texpli7157.mail.invalid debug[conse]: ventor",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 8454,
+ "log.offset": 8450,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
@@ -2479,7 +2478,7 @@
 "event.original": "December 14 07:24:31 odoc7856.api.example 10.50.252.2 openvpn-master[atnonpr]: ita",
 "fileset.name": "nios",
 "input.type": "log",
- "log.offset": 8515,
+ "log.offset": 8511,
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md
index c2657e7d160..94a4cbaeda4 100644
--- a/x-pack/filebeat/module/juniper/README.md
+++ b/x-pack/filebeat/module/juniper/README.md
@@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs.
 Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134
-at 2020-07-08 17:36:29.543239 +0000 UTC.
+at 2020-07-08 18:28:01.916097 +0000 UTC.
diff --git a/x-pack/filebeat/module/juniper/junos/config/pipeline.js b/x-pack/filebeat/module/juniper/junos/config/pipeline.js
index 5598d7f2e02..82d7b9ed9ab 100644
--- a/x-pack/filebeat/module/juniper/junos/config/pipeline.js
+++ b/x-pack/filebeat/module/juniper/junos/config/pipeline.js
@@ -293,195 +293,193 @@ var dup109 = setc("event_description","Login Failure"); var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); -var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); +var dup111 = setc("eventcategory","1701020000"); -var dup112 = setc("eventcategory","1701020000"); +var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); -var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); +var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); -var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); +var dup114 = setc("event_description","User set command"); -var dup115 = setc("event_description","User set command"); +var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); -var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); +var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); -var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); +var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); -var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); +var dup118 = setc("event_description","User set groups to secret"); -var dup119 = setc("event_description","User set groups to secret"); +var dup119 = setc("event_description","UI CMDLINE READ LINE"); -var dup120 = setc("event_description","UI CMDLINE READ LINE"); +var dup120 = setc("event_description","User commit"); 
-var dup121 = setc("event_description","User commit"); +var dup121 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); -var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); +var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); -var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); +var dup123 = setc("eventcategory","1401070000"); -var dup124 = setc("eventcategory","1401070000"); +var dup124 = setc("ec_activity","Logoff"); -var dup125 = setc("ec_activity","Logoff"); +var dup125 = setc("event_description","Successful login"); -var dup126 = setc("event_description","Successful login"); +var dup126 = setf("hostname","hostip"); -var dup127 = setf("hostname","hostip"); +var dup127 = setc("event_description","TACACS+ failure"); -var dup128 = setc("event_description","TACACS+ failure"); +var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); -var dup129 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); +var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); -var dup130 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); +var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); -var dup131 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); +var dup131 = setc("eventcategory","1003010000"); -var dup132 = setc("eventcategory","1003010000"); +var dup132 = setc("eventcategory","1901000000"); -var dup133 = setc("eventcategory","1901000000"); - -var dup134 = linear_select([ +var dup133 = linear_select([ dup12, dup13, dup14, dup15, ]); -var dup135 = linear_select([ +var dup134 = linear_select([ dup39, dup40, ]); -var dup136 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: 
%{result}", processor_chain([ +var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ dup20, dup21, dup55, dup22, ])); -var dup137 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ +var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ dup50, dup21, dup63, dup22, ])); -var dup138 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ +var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ dup29, dup21, dup64, dup22, ])); -var dup139 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ +var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ dup29, dup21, dup65, dup22, ])); -var dup140 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ +var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ dup29, dup21, dup66, dup22, ])); -var dup141 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ +var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ dup29, dup21, dup67, dup22, ])); -var dup142 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ +var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ dup29, dup21, dup70, dup22, ])); -var dup143 = linear_select([ +var dup142 = linear_select([ dup75, dup76, ]); -var dup144 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ +var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ dup29, dup21, dup78, dup22, ])); -var dup145 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ +var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ dup29, dup21, dup83, dup22, ])); -var dup146 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ +var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ dup29, dup21, dup84, dup22, ])); -var dup147 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ +var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ dup20, dup21, dup85, dup22, ])); -var dup148 = linear_select([ +var dup147 = linear_select([ dup87, dup88, ]); -var dup149 = linear_select([ +var dup148 = linear_select([ dup89, dup90, ]); -var dup150 = linear_select([ +var dup149 = linear_select([ dup95, dup96, ]); -var dup151 = linear_select([ +var dup150 = linear_select([ dup101, dup102, ]); -var dup152 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ +var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, dup21, dup51, ])); -var dup153 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ +var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ dup26, dup21, dup51, ])); -var dup154 = linear_select([ +var dup153 = linear_select([ + dup116, dup117, - dup118, ]); -var dup155 = linear_select([ +var dup154 = linear_select([ + dup121, dup122, - dup123, ]); -var dup156 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ +var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ dup29, dup21, dup51, ])); -var dup157 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ +var dup156 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ dup47, dup46, dup22, @@ -685,7 +683,7 @@ var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time- var all3 = all_match({ processors: [ hdr14, - dup134, + dup133, dup16, ], on_success: processor_chain([ @@ -696,7 +694,7 @@ var all3 = all_match({ var all4 = all_match({ processors: [ dup17, - dup134, + dup133, dup16, ], on_success: processor_chain([ @@ -707,7 +705,7 @@ var all4 = all_match({ var all5 = all_match({ processors: [ dup17, - dup134, + dup133, dup16, ], on_success: processor_chain([ @@ -1819,7 +1817,7 @@ var select20 = linear_select([ msg69, ]); -var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}' ", processor_chain([ +var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ dup20, dup21, setc("event_description","user issuing command as root"), 
@@ -1850,7 +1848,7 @@ var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_ var msg72 = msg("sshd", part91); -var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result->} ", processor_chain([ +var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ dup26, dup21, setc("event_description","Received disconnect"), @@ -1859,7 +1857,7 @@ var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{proce var msg73 = msg("sshd:02", part92); -var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr->} ", processor_chain([ +var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ dup29, dup21, setc("result","no identification string"), @@ -1892,7 +1890,7 @@ var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr var all13 = all_match({ processors: [ dup38, - dup135, + dup134, part96, ], on_success: processor_chain([ @@ -1910,7 +1908,7 @@ var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius serve var all14 = all_match({ processors: [ dup38, - dup135, + dup134, part97, ], on_success: processor_chain([ 
@@ -1937,7 +1935,7 @@ var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{proce var msg79 = msg("sshd:08", part98); -var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute->} ", processor_chain([ +var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ dup29, dup21, setc("event_description","unrecognized attribute in policy"), @@ -2526,11 +2524,11 @@ var select31 = linear_select([ msg129, ]); -var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup136); +var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); -var msg131 = msg("BFDD_TRAP_STATE_UP", dup136); +var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); -var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result->} ", processor_chain([ +var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ dup20, dup21, setc("event_description","bgp connect error"), @@ -2539,7 +2537,7 @@ var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{proc var msg132 = msg("bgp_connect_start", part158); -var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new->} ", processor_chain([ +var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ dup20, dup21, setc("event_description","bgp peer state change"), 
@@ -2548,7 +2546,7 @@ var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{p var msg133 = msg("bgp_event", part159); -var part160 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result->} ", processor_chain([ +var part160 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ dup29, dup21, setc("event_description","Connection attempt from unconfigured neighbor"), @@ -2622,7 +2620,7 @@ var select33 = linear_select([ msg140, ]); -var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result->} ", processor_chain([ +var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ dup29, dup21, setc("event_description","bgp send blocked error"), @@ -2631,7 +2629,7 @@ var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{pr var msg141 = msg("bgp_send", part167); -var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result->} ", processor_chain([ +var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ dup29, dup21, setc("event_description","bgp timeout NOTIFICATION sent"), 
@@ -2721,7 +2719,7 @@ var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{proce var msg151 = msg("BOOTPD_MODEL_ERR", part177); -var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed ", processor_chain([ +var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ dup20, dup21, setc("event_description","New configuration installed"), @@ -2784,7 +2782,7 @@ var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process var msg158 = msg("BOOTPD_TIMEOUT", part184); -var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string->} ", processor_chain([ +var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ dup20, dup21, setc("event_description","boot version built"), @@ -2802,7 +2800,7 @@ var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{pr var msg160 = msg("CHASSISD", part186); -var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result->} ", processor_chain([ +var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ dup29, dup21, setc("event_description","CHASSISD Unknown option"), 
@@ -3325,7 +3323,7 @@ var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{p var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); -var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup137); +var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ dup29, @@ -3390,7 +3388,7 @@ var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{pr var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); -var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup137); +var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ dup29, @@ -3410,9 +3408,9 @@ var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload" var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); -var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup138); +var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); -var msg231 = msg("ECCD_DUPLICATE", dup139); +var msg231 = msg("ECCD_DUPLICATE", dup138); var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ dup29, 
@@ -3423,7 +3421,7 @@ var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "% var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); -var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ +var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ dup62, dup21, setc("event_description","ECCD Must be run as root"), @@ -3459,9 +3457,9 @@ var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{ var msg236 = msg("ECCD_PCI_WRITE_FAILED", part258); -var msg237 = msg("ECCD_PID_FILE_LOCK", dup140); +var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); -var msg238 = msg("ECCD_PID_FILE_UPDATE", dup141); +var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ dup29, @@ -3606,7 +3604,7 @@ var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", " var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part274); -var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ +var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ dup62, dup21, setc("event_description","FSAD must be run as root"), 
@@ -3771,7 +3769,7 @@ var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{p var msg272 = msg("KERN_ARP_ADDR_CHANGE", part292); -var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5->} ", processor_chain([ +var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ dup29, dup21, setc("event_description","security association has been established"), @@ -3808,7 +3806,7 @@ var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{pro var msg276 = msg("LIBJNX_EXEC_FAILED", part296); -var msg277 = msg("LIBJNX_EXEC_PIPE", dup142); +var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ dup29, @@ -4009,7 +4007,7 @@ var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "% var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); -var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info->} ", processor_chain([ +var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ dup43, dup33, dup34, 
@@ -4034,14 +4032,14 @@ var select34 = linear_select([ dup44, ]); -var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal->} "); +var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); var all19 = all_match({ processors: [ dup38, - dup135, + dup134, part318, - dup143, + dup142, part319, select34, part321, @@ -4060,7 +4058,7 @@ var all19 = all_match({ var msg299 = msg("LOGIN_INFORMATION", all19); -var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username->} ", processor_chain([ +var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ dup43, dup33, dup34, @@ -4074,7 +4072,7 @@ var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); -var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username->} ", processor_chain([ +var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ dup43, dup33, dup34, @@ -4097,7 +4095,7 @@ var select35 = linear_select([ part325, ]); -var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username->} "); +var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); var all20 = all_match({ processors: [ 
@@ -4134,7 +4132,7 @@ var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{proces var msg303 = msg("LOGIN_PAM_ERROR", part327); -var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username->} ", processor_chain([ +var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ dup43, dup33, dup34, @@ -4269,9 +4267,9 @@ var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", " var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); -var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup144); +var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); -var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup144); +var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ dup29, @@ -4428,7 +4426,7 @@ var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparse var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); -var msg334 = msg("NASD_DAEMONIZE_FAILED", dup138); +var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ dup29, 
@@ -4448,7 +4446,7 @@ var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payloa var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); -var msg337 = msg("NASD_DUPLICATE", dup139); +var msg337 = msg("NASD_DUPLICATE", dup138); var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ dup29, @@ -4477,7 +4475,7 @@ var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); -var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ +var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ dup62, dup21, setc("event_description","NASD must be run as root"), @@ -4486,9 +4484,9 @@ var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process} var msg341 = msg("NASD_NOT_ROOT", part361); -var msg342 = msg("NASD_PID_FILE_LOCK", dup140); +var msg342 = msg("NASD_PID_FILE_LOCK", dup139); -var msg343 = msg("NASD_PID_FILE_UPDATE", dup141); +var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ dup29, 
@@ -4642,7 +4640,7 @@ var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event var msg360 = msg("NOTICE", part378); -var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets) ", processor_chain([ +var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ dup20, dup21, dup81, @@ -4651,7 +4649,7 @@ var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{proce var msg361 = msg("PFE_FW_SYSLOG_IP", part379); -var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets) ", processor_chain([ +var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ dup20, dup21, dup81, @@ -4708,7 +4706,7 @@ var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{prot var all21 = all_match({ processors: [ dup38, - dup135, + dup134, part384, select37, part387, 
@@ -4998,7 +4996,7 @@ var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", " var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); -var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed ", processor_chain([ +var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ dup29, dup21, setc("event_description","Multicast address not allowed"), @@ -5034,7 +5032,7 @@ var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payloa var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part421); -var msg401 = msg("RMOPD_DUPLICATE", dup139); +var msg401 = msg("RMOPD_DUPLICATE", dup138); var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ dup29, @@ -5090,7 +5088,7 @@ var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{p var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); -var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root ", processor_chain([ +var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ dup62, dup21, setc("event_description","RMOPD Must be run as root"), 
@@ -5171,9 +5169,9 @@ var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{pr var msg416 = msg("RPD_EXIT", part436); -var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup145); +var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); -var msg418 = msg("RPD_IFL_NAMECOLLISION", dup145); +var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ dup29, @@ -5463,7 +5461,7 @@ var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{pr var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); -var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} ", processor_chain([ +var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ dup29, dup21, setc("event_description","MPLS LSP DOWN"), @@ -5472,7 +5470,7 @@ var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{proc var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); -var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info->} ", processor_chain([ +var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ dup20, dup21, setc("event_description","MPLS LSP SWITCH"), 
@@ -5481,7 +5479,7 @@ var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{pr var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); -var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info->} ", processor_chain([ +var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ dup20, dup21, setc("event_description","MPLS LSP UP"), @@ -5644,7 +5642,7 @@ var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[% var msg470 = msg("RPD_RT_IFUP", part488); -var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup146); +var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ dup29, @@ -5655,7 +5653,7 @@ var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.pa var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); -var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup146); +var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ dup29, @@ -5774,7 +5772,7 @@ var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{proc var msg486 = msg("RPD_TASK_PIDWRITE", part502); -var msg487 = msg("RPD_TASK_REINIT", dup147); +var msg487 = msg("RPD_TASK_REINIT", dup146); var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ dup20, 
@@ -5819,9 +5817,9 @@ var select40 = linear_select([ var all22 = all_match({ processors: [ dup86, - dup148, + dup147, part505, - dup149, + dup148, part506, select39, part509, @@ -5940,7 +5938,7 @@ var select46 = linear_select([ var all25 = all_match({ processors: [ dup86, - dup148, + dup147, part522, select46, dup92, @@ -5970,7 +5968,7 @@ var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} var all26 = all_match({ processors: [ - dup150, + dup149, part526, ], on_success: processor_chain([ @@ -5989,7 +5987,7 @@ var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} var all27 = all_match({ processors: [ - dup150, + dup149, part527, ], on_success: processor_chain([ @@ -6025,11 +6023,11 @@ var select48 = linear_select([ var all28 = all_match({ processors: [ dup98, - dup148, + dup147, dup99, - dup149, + dup148, dup100, - dup151, + dup150, part528, select48, dup92, @@ -6103,11 +6101,11 @@ var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] var all30 = all_match({ processors: [ dup98, - dup148, + dup147, dup99, - dup149, + dup148, dup100, - dup151, + dup150, part535, select50, part539, @@ -6154,7 +6152,7 @@ var select52 = linear_select([ msg502, ]); -var msg503 = msg("RT_SCREEN_TCP", dup152); +var msg503 = msg("RT_SCREEN_TCP", dup151); var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, 
@@ -6164,7 +6162,7 @@ var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", " var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); -var msg505 = msg("RT_SCREEN_UDP", dup152); +var msg505 = msg("RT_SCREEN_UDP", dup151); var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ dup26, @@ -6256,7 +6254,7 @@ var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "% var msg515 = msg("SERVICED_DISABLED_GGSN", part552); -var msg516 = msg("SERVICED_DUPLICATE", dup139); +var msg516 = msg("SERVICED_DUPLICATE", dup138); var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ dup29, @@ -6303,9 +6301,9 @@ var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{proc var msg521 = msg("SERVICED_NOT_ROOT", part557); -var msg522 = msg("SERVICED_PID_FILE_LOCK", dup140); +var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); -var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup141); +var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ dup29, 
@@ -6379,11 +6377,11 @@ var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); -var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup153); +var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); -var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup153); +var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); -var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup153); +var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ dup20, @@ -6561,7 +6559,7 @@ var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); -var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} ", processor_chain([ +var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ dup29, dup21, setc("event_description","LOOPBACK ADDR ERROR"), @@ -7070,7 +7068,7 @@ var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[ var msg605 = msg("task_connect", part636); -var msg606 = msg("TASK_TASK_REINIT", dup147); +var msg606 = msg("TASK_TASK_REINIT", dup146); var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ dup29, 
@@ -7342,9 +7340,11 @@ var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); +var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + var select59 = linear_select([ part665, - dup111, + part666, ]); var all31 = all_match({ @@ -7362,7 +7362,7 @@ var all31 = all_match({ var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); -var part666 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ +var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ dup20, dup21, setc("event_description","User config replace"), @@ -7370,9 +7370,9 @@ var part666 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{ dup22, ])); -var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part666); +var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); -var part667 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}] ", processor_chain([ +var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ setc("eventcategory","1701070000"), dup21, setc("event_description","User deactivating group(s)"), 
@@ -7380,17 +7380,17 @@ var part667 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{ dup22, ])); -var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part667); +var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); -var part668 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup112, +var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup111, dup21, setc("event_description","User updates config file"), setc("action","update"), dup22, ])); -var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part668); +var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); var select60 = linear_select([ msg633, 
@@ -7401,60 +7401,60 @@ var select60 = linear_select([ msg638, ]); -var part669 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); +var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); var select61 = linear_select([ - part669, - dup113, + part670, + dup112, ]); var all32 = all_match({ processors: [ dup110, select61, - dup114, + dup113, ], on_success: processor_chain([ dup20, dup21, - dup115, + dup114, dup22, ]), }); var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); -var part670 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); +var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); var select62 = linear_select([ - part670, - dup113, + part671, + dup112, ]); var all33 = all_match({ processors: [ dup110, select62, - dup114, + dup113, ], on_success: processor_chain([ dup20, dup21, - dup115, + dup114, dup22, ]), }); var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); -var part671 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ +var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ dup20, dup21, setc("event_description","User replace config application(s)"), dup22, ])); -var msg641 = msg("UI_CFG_AUDIT_SET", part671); +var msg641 = msg("UI_CFG_AUDIT_SET", part672); var select63 = linear_select([ msg639, 
@@ -7462,50 +7462,50 @@ var select63 = linear_select([ msg641, ]); -var part672 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); +var part673 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); var all34 = all_match({ processors: [ - dup116, - dup154, - part672, + dup115, + dup153, + part673, ], on_success: processor_chain([ - dup112, + dup111, dup21, - dup119, + dup118, dup22, ]), }); var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); -var part673 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); +var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); var all35 = all_match({ processors: [ - dup116, - dup154, - part673, + dup115, + dup153, + part674, ], on_success: processor_chain([ - dup112, + dup111, dup21, - dup119, + dup118, dup22, ]), }); var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); -var part674 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ +var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ dup20, dup21, setc("event_description","UI CFG AUDIT SET SECRET"), dup22, ])); -var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part674); +var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part675); var select64 = linear_select([ msg642, 
@@ -7513,61 +7513,61 @@ var select64 = linear_select([ msg644, ]); -var part675 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ +var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ dup29, dup21, setc("event_description","Too many arguments for child process"), dup22, ])); -var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part675); +var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); -var part676 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ +var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ dup29, dup21, setc("event_description","Unable to switch to local user"), dup22, ])); -var msg646 = msg("UI_CHILD_CHANGE_USER", part676); +var msg646 = msg("UI_CHILD_CHANGE_USER", part677); -var part677 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ +var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ dup29, dup21, setc("event_description","Child exec failed"), dup22, ])); -var msg647 = msg("UI_CHILD_EXEC", part677); +var msg647 = msg("UI_CHILD_EXEC", part678); -var part678 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ +var part679 = match("MESSAGE#643:UI_CHILD_EXITED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ dup29, dup21, setc("event_description","Child exited"), dup22, ])); -var msg648 = msg("UI_CHILD_EXITED", part678); +var msg648 = msg("UI_CHILD_EXITED", part679); -var part679 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ +var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to append to log"), dup22, ])); -var msg649 = msg("UI_CHILD_FOPEN", part679); +var msg649 = msg("UI_CHILD_FOPEN", part680); -var part680 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ +var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to create pipe for command"), dup22, ])); -var msg650 = msg("UI_CHILD_PIPE_FAILED", part680); +var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); -var part681 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ +var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ dup20, dup21, dup60, 
@@ -7575,192 +7575,192 @@ var part681 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{proc dup22, ])); -var msg651 = msg("UI_CHILD_SIGNALED", part681); +var msg651 = msg("UI_CHILD_SIGNALED", part682); -var part682 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ +var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ dup20, dup21, setc("event_description","Child stopped"), dup22, ])); -var msg652 = msg("UI_CHILD_STOPPED", part682); +var msg652 = msg("UI_CHILD_STOPPED", part683); -var part683 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ +var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ dup20, dup21, setc("event_description","Starting child"), dup22, ])); -var msg653 = msg("UI_CHILD_START", part683); +var msg653 = msg("UI_CHILD_START", part684); -var part684 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ +var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ dup20, dup21, setc("event_description","Cleanup child"), dup22, ])); -var msg654 = msg("UI_CHILD_STATUS", part684); +var msg654 = msg("UI_CHILD_STATUS", part685); -var part685 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc 
%{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ +var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ dup29, dup21, setc("event_description","waitpid failed"), dup22, ])); -var msg655 = msg("UI_CHILD_WAITPID", part685); +var msg655 = msg("UI_CHILD_WAITPID", part686); -var part686 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ +var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ dup29, dup21, setc("event_description","Idle timeout for user exceeded"), dup22, ])); -var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part686); +var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); -var part687 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ +var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ dup20, dup21, - dup120, + dup119, dup22, ])); -var msg657 = msg("UI_CMDLINE_READ_LINE", part687); +var msg657 = msg("UI_CMDLINE_READ_LINE", part688); -var part688 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ +var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ dup29, dup21, setc("event_description","Command execution failed"), dup22, ])); -var msg658 = 
msg("UI_CMDSET_EXEC_FAILED", part688); +var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); -var part689 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ +var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to fork command"), dup22, ])); -var msg659 = msg("UI_CMDSET_FORK_FAILED", part689); +var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); -var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup142); +var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); -var part690 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ +var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ dup29, dup21, dup69, dup22, ])); -var msg661 = msg("UI_CMDSET_STOPPED", part690); +var msg661 = msg("UI_CMDSET_STOPPED", part691); -var part691 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ +var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ dup29, dup21, dup71, dup22, ])); -var msg662 = msg("UI_CMDSET_WEXITED", part691); +var msg662 = msg("UI_CMDSET_WEXITED", part692); -var part692 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ +var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ dup29, dup21, setc("event_description","Invalid regexp command"), dup22, ])); -var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part692); +var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); -var part693 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); +var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); -var part694 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); +var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); var select65 = linear_select([ - part693, part694, + part695, ]); var all36 = all_match({ processors: [ - dup116, + dup115, select65, ], on_success: processor_chain([ dup20, dup21, - dup121, + dup120, dup22, ]), }); var msg664 = msg("UI_COMMIT", all36); -var part695 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ +var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ dup20, dup21, - dup121, + dup120, dup22, ])); -var msg665 = msg("UI_COMMIT_AT", part695); +var msg665 = msg("UI_COMMIT_AT", part696); -var part696 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ +var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", 
processor_chain([ dup20, dup21, setc("event_description","User commit successful"), dup22, ])); -var msg666 = msg("UI_COMMIT_AT_COMPLETED", part696); +var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); -var part697 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ +var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ dup29, dup21, setc("event_description","User commit failed"), dup22, ])); -var msg667 = msg("UI_COMMIT_AT_FAILED", part697); +var msg667 = msg("UI_COMMIT_AT_FAILED", part698); -var part698 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ +var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ dup29, dup21, setc("event_description","Unable to compress file"), dup22, ])); -var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part698); +var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); -var part699 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ +var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ dup20, dup21, setc("event_description","UI COMMIT CONFIRMED"), dup22, ])); -var msg669 = msg("UI_COMMIT_CONFIRMED", part699); +var msg669 = msg("UI_COMMIT_CONFIRMED", part700); -var part700 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); +var part701 = 
match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); -var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); +var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); -var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); +var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); var select66 = linear_select([ - part701, part702, + part703, ]); var all37 = all_match({ processors: [ - part700, + part701, select66, ], on_success: processor_chain([ @@ -7773,13 +7773,13 @@ var all37 = all_match({ var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); -var part703 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "%{}'%{username}' performed '%{action}'"); +var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "%{}'%{username}' performed '%{action}'"); var all38 = all_match({ processors: [ dup49, - dup143, - part703, + dup142, + part704, ], on_success: processor_chain([ dup20, 
@@ -7791,40 +7791,40 @@ var all38 = all_match({ var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); -var part704 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ +var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ dup20, dup21, setc("event_description","Skipped empty object"), dup22, ])); -var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part704); +var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); -var part705 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ +var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ dup29, dup21, setc("event_description","COMMIT NOT CONFIRMED"), dup22, ])); -var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part705); +var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); -var part706 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); +var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); -var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); +var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); var select67 = linear_select([ - part706, part707, + part708, ]); -var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); +var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); var all39 = all_match({ processors: [ dup49, select67, - part708, + part709, ], on_success: processor_chain([ dup20, 
@@ -7836,67 +7836,69 @@ var all39 = all_match({ var msg674 = msg("UI_COMMIT_PROGRESS", all39); -var part709 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ +var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ dup20, dup21, setc("event_description","COMMIT QUIT"), dup22, ])); -var msg675 = msg("UI_COMMIT_QUIT", part709); +var msg675 = msg("UI_COMMIT_QUIT", part710); -var part710 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ +var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ dup29, dup21, setc("event_description","Automatic rollback failed"), dup22, ])); -var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part710); +var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); -var part711 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ +var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ dup20, dup21, setc("event_description","COMMIT SYNC"), dup22, ])); -var msg677 = msg("UI_COMMIT_SYNC", part711); +var msg677 = msg("UI_COMMIT_SYNC", part712); -var part712 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ +var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local 
configuration database were terminated because %{result}", processor_chain([ dup20, dup21, setc("event_description","All logins to local configuration database were terminated"), dup22, ])); -var msg678 = msg("UI_COMMIT_SYNC_FORCE", part712); +var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); -var part713 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); +var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); -var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); +var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); -var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); +var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); var select68 = linear_select([ - part714, part715, + part716, ]); -var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); +var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); -var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); +var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + +var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); var select69 = linear_select([ - part717, - dup111, + part718, + part719, ]); var all40 = all_match({ processors: [ - part713, + part714, select68, - part716, + part717, select69, ], on_success: processor_chain([ 
@@ -7909,13 +7911,13 @@ var all40 = all_match({ var msg679 = msg("UI_CONFIGURATION_ERROR", all40); -var part718 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); +var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); var all41 = all_match({ processors: [ dup49, - dup155, - part718, + dup154, + part720, ], on_success: processor_chain([ dup29, 
@@ -7927,31 +7929,31 @@ var all41 = all_match({ var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); -var part719 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ +var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to create session child"), dup22, ])); -var msg681 = msg("UI_DAEMON_FORK_FAILED", part719); +var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); -var part720 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ +var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ dup29, dup21, setc("event_description","DAEMON SELECT FAILED"), dup22, ])); -var msg682 = msg("UI_DAEMON_SELECT_FAILED", part720); +var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); -var part721 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); +var part723 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); var all42 = all_match({ processors: [ dup49, - dup155, - part721, + dup154, + part723, ], on_success: processor_chain([ dup29, 
@@ -7963,34 +7965,34 @@ var all42 = all_match({ var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); -var part722 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ +var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to reaccess database file"), dup22, ])); -var msg684 = msg("UI_DBASE_ACCESS_FAILED", part722); +var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); -var part723 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ +var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ dup29, dup21, setc("event_description","Database is out of data"), dup22, ])); -var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part723); +var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); -var part724 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ +var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to extend database file"), dup22, ])); -var msg686 = msg("UI_DBASE_EXTEND_FAILED", part724); +var msg686 = 
msg("UI_DBASE_EXTEND_FAILED", part726); -var part725 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ +var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ dup32, dup33, dup34, 
@@ -8001,107 +8003,107 @@ var part725 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{p dup22, ])); -var msg687 = msg("UI_DBASE_LOGIN_EVENT", part725); +var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); -var part726 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup124, +var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup123, dup33, dup34, - dup125, + dup124, dup36, dup21, setc("event_description","User exiting configuration mode"), dup22, ])); -var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part726); +var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); -var part727 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ +var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","Database header extent mismatch"), dup22, ])); -var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part727); +var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); -var part728 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ +var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting 
%{dclass_counter1}, got %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","Database header major version number mismatch"), dup22, ])); -var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part728); +var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); -var part729 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ +var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","Database header minor version number mismatch"), dup22, ])); -var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part729); +var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); -var part730 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ +var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ dup29, dup21, setc("event_description","Database header sequence numbers mismatch"), dup22, ])); -var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part730); +var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); -var part731 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ +var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ dup29, dup21, setc("event_description","Database header size mismatch"), dup22, ])); -var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part731); +var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); -var part732 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ +var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ dup29, dup21, setc("event_description","Database open failed"), dup22, ])); -var msg694 = msg("UI_DBASE_OPEN_FAILED", part732); +var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); -var part733 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ +var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ dup29, dup21, setc("event_description","DBASE REBUILD FAILED"), dup22, ])); -var msg695 = msg("UI_DBASE_REBUILD_FAILED", part733); +var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); -var part734 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ +var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ dup29, dup21, setc("event_description","Automatic rebuild of the 
database failed"), dup22, ])); -var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part734); +var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); -var part735 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); +var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); var select70 = linear_select([ dup75, - part735, + part737, ]); -var part736 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); +var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); var all43 = all_match({ processors: [ dup49, select70, - part736, + part738, ], on_success: processor_chain([ dup20, 
@@ -8113,277 +8115,277 @@ var all43 = all_match({ var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); -var part737 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ +var part739 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ dup20, dup21, setc("event_description","user attempting database re-creation"), dup22, ])); -var msg698 = msg("UI_DBASE_RECREATE", part737); +var msg698 = msg("UI_DBASE_RECREATE", part739); -var part738 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ +var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ dup29, dup21, setc("event_description","Reopen of the database failed"), dup22, ])); -var msg699 = msg("UI_DBASE_REOPEN_FAILED", part738); +var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); -var part739 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ +var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ dup29, dup21, setc("event_description","Users have the same UID"), dup22, ])); -var msg700 = msg("UI_DUPLICATE_UID", part739); +var msg700 = msg("UI_DUPLICATE_UID", part741); -var part740 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ +var part742 = 
match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ setc("eventcategory","1401050100"), dup21, setc("event_description","User used JUNOScript client to run command"), dup22, ])); -var msg701 = msg("UI_JUNOSCRIPT_CMD", part740); +var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); -var part741 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ +var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ dup29, dup21, setc("event_description","JUNOScript error"), dup22, ])); -var msg702 = msg("UI_JUNOSCRIPT_ERROR", part741); +var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); -var part742 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ +var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ dup20, dup21, setc("event_description","User command"), dup22, ])); -var msg703 = msg("UI_LOAD_EVENT", part742); +var msg703 = msg("UI_LOAD_EVENT", part744); -var part743 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ +var part745 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ setc("eventcategory","1701040000"), dup21, setc("event_description","Loading default config from file"), dup22, ])); -var msg704 = 
msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part743); +var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); -var part744 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ +var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ dup32, dup33, dup34, dup35, dup36, dup21, + dup125, dup126, - dup127, dup22, ])); -var msg705 = msg("UI_LOGIN_EVENT:01", part744); +var msg705 = msg("UI_LOGIN_EVENT:01", part746); -var part745 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ +var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ dup32, dup33, dup34, dup35, dup36, dup21, - dup126, + dup125, dup22, ])); -var msg706 = msg("UI_LOGIN_EVENT", part745); +var msg706 = msg("UI_LOGIN_EVENT", part747); var select71 = linear_select([ msg705, msg706, ]); -var part746 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup124, +var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup123, dup33, dup34, - dup125, + dup124, dup36, dup21, setc("event_description","User logout"), dup22, ])); -var msg707 = msg("UI_LOGOUT_EVENT", part746); +var msg707 = msg("UI_LOGOUT_EVENT", part748); -var part747 = 
match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ +var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ dup29, dup21, setc("event_description","Lost connection to daemon"), dup22, ])); -var msg708 = msg("UI_LOST_CONN", part747); +var msg708 = msg("UI_LOST_CONN", part749); -var part748 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ +var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ dup20, dup21, setc("event_description","MASTERSHIP EVENT"), dup22, ])); -var msg709 = msg("UI_MASTERSHIP_EVENT", part748); +var msg709 = msg("UI_MASTERSHIP_EVENT", part750); -var part749 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ +var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ dup20, dup21, setc("event_description","Terminating operation"), dup22, ])); -var msg710 = msg("UI_MGD_TERMINATE", part749); +var msg710 = msg("UI_MGD_TERMINATE", part751); -var part750 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ +var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ dup28, dup21, setc("event_description","User used NETCONF 
client to run command"), dup22, ])); -var msg711 = msg("UI_NETCONF_CMD", part750); +var msg711 = msg("UI_NETCONF_CMD", part752); -var part751 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ +var part753 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ dup29, dup21, setc("event_description","read failed for peer"), dup22, ])); -var msg712 = msg("UI_READ_FAILED", part751); +var msg712 = msg("UI_READ_FAILED", part753); -var part752 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ +var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ dup29, dup21, setc("event_description","Timeout on read of peer"), dup22, ])); -var msg713 = msg("UI_READ_TIMEOUT", part752); +var msg713 = msg("UI_READ_TIMEOUT", part754); -var part753 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ +var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ dup59, dup21, setc("event_description","System reboot or halt"), dup22, ])); -var msg714 = msg("UI_REBOOT_EVENT", part753); +var msg714 = msg("UI_REBOOT_EVENT", part755); -var part754 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ +var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' 
restarting daemon %{service}", processor_chain([ dup28, dup21, setc("event_description","user restarting daemon"), dup22, ])); -var msg715 = msg("UI_RESTART_EVENT", part754); +var msg715 = msg("UI_RESTART_EVENT", part756); -var part755 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ +var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ dup29, dup21, setc("event_description","Schema is out of date"), dup22, ])); -var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part755); +var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); -var part756 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ +var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ dup29, dup21, setc("event_description","Schema major version mismatch"), dup22, ])); -var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part756); +var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); -var part757 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ +var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ dup29, dup21, setc("event_description","Schema minor version mismatch"), dup22, ])); -var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part757); +var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", 
part759); -var part758 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ +var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ dup29, dup21, setc("event_description","Schema header sequence numbers mismatch"), dup22, ])); -var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part758); +var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); -var part759 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ +var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ dup29, dup21, setc("event_description","Schema sequence number mismatch"), dup22, ])); -var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part759); +var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); -var part760 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ +var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ dup20, dup21, setc("event_description","Configuration synchronization with remote Routing Engine"), dup22, ])); -var msg721 = msg("UI_SYNC_OTHER_RE", part760); +var msg721 = msg("UI_SYNC_OTHER_RE", part762); -var part761 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ +var part763 = 
match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ dup29, dup21, - dup128, + dup127, dup22, ])); -var msg722 = msg("UI_TACPLUS_ERROR", part761); +var msg722 = msg("UI_TACPLUS_ERROR", part763); -var part762 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ +var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ dup29, dup21, setc("event_description","Unable to fetch system version"), dup22, ])); -var msg723 = msg("UI_VERSION_FAILED", part762); +var msg723 = msg("UI_VERSION_FAILED", part764); -var part763 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ +var part765 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ dup20, dup21, setc("event_description","Re-establishing connection to peer"), dup22, ])); -var msg724 = msg("UI_WRITE_RECONNECT", part763); +var msg724 = msg("UI_WRITE_RECONNECT", part765); -var part764 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ +var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ dup20, dup21, setc("event_description","Interface new master for User"), dup22, ])); -var msg725 = msg("VRRPD_NEWMASTER_TRAP", part764); +var msg725 = 
msg("VRRPD_NEWMASTER_TRAP", part766); -var part765 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ +var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ dup68, dup33, dup34, @@ -8393,9 +8395,9 @@ var part765 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process} dup22, ])); -var msg726 = msg("WEB_AUTH_FAIL", part765); +var msg726 = msg("WEB_AUTH_FAIL", part767); -var part766 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ +var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ dup79, dup33, dup34, 
@@ -8405,36 +8407,36 @@ var part766 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{proce dup22, ])); -var msg727 = msg("WEB_AUTH_SUCCESS", part766); +var msg727 = msg("WEB_AUTH_SUCCESS", part768); -var part767 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ +var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ setc("eventcategory","1001030300"), dup21, setc("event_description","web request from unauthorized interface"), dup22, ])); -var msg728 = msg("WEB_INTERFACE_UNAUTH", part767); +var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); -var part768 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ +var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ dup73, dup21, setc("event_description","Unable to read from client"), dup22, ])); -var msg729 = msg("WEB_READ", part768); +var msg729 = msg("WEB_READ", part770); -var part769 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ +var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ setc("eventcategory","1204020100"), dup21, setc("event_description","failed to check web request"), dup22, ])); -var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part769); +var msg730 = 
msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); -var part770 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ +var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ dup73, dup52, dup42, 
@@ -8442,66 +8444,66 @@ var part770 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{e dup51, ])); -var msg731 = msg("FLOW_REASSEMBLE_FAIL", part770); +var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); -var part771 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ +var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ dup28, dup21, setc("event_description","Bridge Address"), dup22, ])); -var msg732 = msg("eswd", part771); +var msg732 = msg("eswd", part773); -var part772 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ +var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ dup28, dup21, setc("event_description","ESWD STP State Change Info"), dup22, ])); -var msg733 = msg("eswd:01", part772); +var msg733 = msg("eswd:01", part774); var select72 = linear_select([ msg732, msg733, ]); -var part773 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ +var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ dup28, dup21, dup25, dup22, ])); -var msg734 = msg("/usr/sbin/cron", part773); +var msg734 = msg("/usr/sbin/cron", part775); -var part774 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ +var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ dup28, 
dup21, setc("event_description","Link status change event"), dup22, ])); -var msg735 = msg("chassism:02", part774); +var msg735 = msg("chassism:02", part776); -var part775 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ +var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ dup28, dup21, setc("event_description","ifd process flaps"), dup22, ])); -var msg736 = msg("chassism:01", part775); +var msg736 = msg("chassism:01", part777); -var part776 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ +var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ dup28, dup21, setc("event_description","IFCM "), dup22, ])); -var msg737 = msg("chassism", part776); +var msg737 = msg("chassism", part778); var select73 = linear_select([ msg735, 
@@ -8509,31 +8511,31 @@ var select73 = linear_select([ msg737, ]); -var msg738 = msg("WEBFILTER_URL_PERMITTED", dup156); +var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); -var part777 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ +var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ dup29, dup21, dup51, ])); -var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part777); +var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); -var part778 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ +var part780 = 
match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ dup29, dup21, dup51, ])); -var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part778); +var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part780); -var part779 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ +var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ dup29, dup21, dup51, ])); -var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part779); +var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); var select74 = linear_select([ msg738, 
@@ -8542,140 +8544,140 @@ var select74 = linear_select([ msg741, ]); -var msg742 = msg("WEBFILTER_URL_BLOCKED", dup156); +var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); -var part780 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ +var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ dup29, dup21, dup51, ])); -var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part780); +var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part782); var select75 = linear_select([ msg742, msg743, ]); -var part781 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ +var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ dup45, dup46, dup22, dup21, - dup127, + dup126, 
])); -var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part781); +var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); -var part782 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ +var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ dup45, dup46, dup22, ])); -var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part782); +var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part784); -var part783 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ +var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ dup45, dup46, dup22, dup21, - dup127, + dup126, ])); -var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part783); +var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); -var part784 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ +var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ dup45, dup46, dup22, dup21, - dup127, + dup126, ])); -var msg747 = msg("SECINTEL_ERROR_OTHERS", part784); +var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); -var part785 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ +var part787 = 
match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ dup47, dup46, dup22, dup21, - dup127, + dup126, ])); -var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part785); +var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); -var part786 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ +var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ dup45, dup46, dup22, dup21, - dup127, + dup126, ])); -var msg749 = msg("LACPD_TIMEOUT", part786); +var msg749 = msg("LACPD_TIMEOUT", part788); -var msg750 = msg("cli", dup157); +var msg750 = msg("cli", dup156); -var msg751 = msg("pfed", dup157); +var msg751 = msg("pfed", dup156); -var msg752 = msg("idpinfo", dup157); +var msg752 = msg("idpinfo", dup156); -var msg753 = msg("kmd", dup157); +var msg753 = msg("kmd", dup156); -var part787 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ +var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ dup20, dup22, dup21, ])); -var msg754 = msg("node:01", part787); +var msg754 = msg("node:01", part789); -var part788 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ +var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ dup20, dup22, dup21, ])); -var msg755 = msg("node:02", part788); +var msg755 = 
msg("node:02", part790); -var part789 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ +var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ dup20, dup22, dup21, ])); -var msg756 = msg("node:03", part789); +var msg756 = msg("node:03", part791); -var part790 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ +var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ dup20, dup22, dup21, ])); -var msg757 = msg("node:04", part790); +var msg757 = msg("node:04", part792); var select76 = linear_select([ + dup129, dup130, - dup131, ]); -var part791 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); +var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); var select77 = linear_select([ - dup131, dup130, + dup129, ]); -var part792 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); +var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); var all44 = all_match({ processors: [ - dup129, + dup128, select76, - part791, + part793, select77, - part792, + part794, ], on_success: processor_chain([ dup20, 
@@ -8686,18 +8688,18 @@ var all44 = all_match({ var msg758 = msg("node:05", all44); -var part793 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); +var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); -var part794 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); +var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); var select78 = linear_select([ - part793, - part794, + part795, + part796, ]); var all45 = all_match({ processors: [ - dup129, + dup128, select78, ], on_success: processor_chain([ @@ -8709,29 +8711,29 @@ var all45 = all_match({ var msg759 = msg("node:06", all45); -var part795 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ +var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ dup20, dup22, dup21, ])); -var msg760 = msg("node:07", part795); +var msg760 = msg("node:07", part797); -var part796 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ +var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ dup20, dup22, dup21, ])); -var msg761 = msg("node:08", part796); +var msg761 = msg("node:08", part798); -var part797 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ +var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ dup20, dup22, dup21, ])); -var msg762 = msg("node:09", part797); +var msg762 = msg("node:09", part799); var select79 = linear_select([ msg754, 
@@ -8745,42 +8747,42 @@ var select79 = linear_select([ msg762, ]); -var part798 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ +var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ dup20, dup22, dup21, dup23, ])); -var msg763 = msg("(FPC:01", part798); +var msg763 = msg("(FPC:01", part800); -var part799 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ +var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ dup20, dup22, dup21, dup23, ])); -var msg764 = msg("(FPC:02", part799); +var msg764 = msg("(FPC:02", part801); -var part800 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); +var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); -var part801 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); +var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); -var part802 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); +var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); var select80 = linear_select([ - part801, - part802, + part803, + part804, ]); -var part803 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); +var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of 
%{fld4}"); var all46 = all_match({ processors: [ - part800, + part802, select80, - part803, + part805, ], on_success: processor_chain([ dup20, @@ -8792,32 +8794,32 @@ var all46 = all_match({ var msg765 = msg("(FPC:03", all46); -var part804 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ +var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ dup20, dup22, dup21, dup23, ])); -var msg766 = msg("(FPC:04", part804); +var msg766 = msg("(FPC:04", part806); -var part805 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ +var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ dup20, dup22, dup21, dup23, ])); -var msg767 = msg("(FPC:05", part805); +var msg767 = msg("(FPC:05", part807); -var part806 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ +var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ dup20, dup22, dup21, dup23, ])); -var msg768 = msg("(FPC", part806); +var msg768 = msg("(FPC", part808); var select81 = linear_select([ msg763, 
@@ -8828,86 +8830,86 @@ var select81 = linear_select([ msg768, ]); -var part807 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ +var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ dup47, dup22, dup21, dup23, ])); -var msg769 = msg("tnp.bootpd", part807); +var msg769 = msg("tnp.bootpd", part809); -var part808 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ +var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ dup47, dup51, dup21, dup60, ])); -var msg770 = msg("AAMW_ACTION_LOG", part808); +var msg770 = msg("AAMW_ACTION_LOG", part810); -var part809 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" 
tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup132, +var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup131, dup51, dup21, dup60, ])); -var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part809); +var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); -var part810 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup132, +var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup131, dup51, dup21, ])); -var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part810); +var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); -var part811 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" 
application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ +var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" 
%{fld3}", processor_chain([ dup80, dup51, dup21, dup60, ])); -var msg773 = msg("IDP_ATTACK_LOG_EVENT", part811); +var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); -var part812 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ +var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ dup80, dup51, dup21, dup60, ])); -var msg774 = msg("RT_SCREEN_ICMP", part812); +var msg774 = msg("RT_SCREEN_ICMP", part814); -var part813 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ +var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ dup45, dup51, dup21, dup60, ])); -var msg775 = msg("SECINTEL_ACTION_LOG", part813); +var msg775 = msg("SECINTEL_ACTION_LOG", part815); -var part814 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); +var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); -var part815 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); +var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); -var part816 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); +var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); var select82 = linear_select([ - part815, - part816, + part817, + part818, ]); -var part817 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); +var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); var all47 = all_match({ processors: [ - part814, + part816, select82, - part817, + part819, ], on_success: processor_chain([ dup20, 
@@ -8918,69 +8920,69 @@ var all47 = all_match({ var msg776 = msg("qsfp", all47); -var part818 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ +var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ dup20, dup21, - dup120, + dup119, dup22, ])); -var msg777 = msg("JUNOSROUTER_GENERIC:03", part818); +var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); -var part819 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup124, +var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup123, dup33, dup34, - dup125, + dup124, dup36, dup21, setc("event_description","LOGOUT"), dup22, ])); -var msg778 = msg("JUNOSROUTER_GENERIC:04", part819); +var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); -var part820 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ +var part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ dup29, dup21, - dup128, + dup127, dup22, ])); -var msg779 = msg("JUNOSROUTER_GENERIC:05", part820); +var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); -var part821 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ +var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ dup29, dup21, dup56, dup22, ])); -var msg780 = msg("JUNOSROUTER_GENERIC:06", part821); +var msg780 = 
msg("JUNOSROUTER_GENERIC:06", part823); -var part822 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result->} ", processor_chain([ +var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ dup20, dup21, dup37, dup22, ])); -var msg781 = msg("JUNOSROUTER_GENERIC:07", part822); +var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); -var part823 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); +var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); -var part824 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8->} "); +var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); -var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}) "); +var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action})"); var select83 = linear_select([ - part824, - part825, + part826, + part827, ]); var all48 = all_match({ processors: [ - part823, + part825, select83, ], on_success: processor_chain([ 
@@ -8993,42 +8995,42 @@ var all48 = all_match({ var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); -var part826 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ +var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ dup20, dup21, dup22, ])); -var msg783 = msg("JUNOSROUTER_GENERIC:09", part826); +var msg783 = msg("JUNOSROUTER_GENERIC:09", part828); -var part827 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup133, +var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup132, dup22, dup21, setc("event_description","Interface Monitor failed "), dup23, ])); -var msg784 = msg("JUNOSROUTER_GENERIC:01", part827); +var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); -var part828 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup133, +var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup132, dup22, dup21, setc("event_description","Interface Monitor failure recovered"), dup23, ])); -var msg785 = msg("JUNOSROUTER_GENERIC:02", part828); +var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); -var part829 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup133, +var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + 
dup132, dup22, dup21, dup23, ])); -var msg786 = msg("JUNOSROUTER_GENERIC", part829); +var msg786 = msg("JUNOSROUTER_GENERIC", part831); var select84 = linear_select([ msg777, 
@@ -9727,97 +9729,95 @@ var chain1 = processor_chain([ var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); -var part830 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); +var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); -var part831 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); +var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); -var part832 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); +var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); -var part833 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); +var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); -var part834 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); +var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); -var part835 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); +var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); -var part836 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); +var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); -var part837 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); +var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); -var part838 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); +var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); -var part839 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); +var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); -var part840 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); +var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); -var part841 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); +var part843 = match("HEADER#15:0026.upd.a/2", 
"nwparser.p0", "%{messageid->} [%{payload}"); var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); -var part842 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); +var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); -var part843 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); +var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); -var part844 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); +var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); -var part845 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); +var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); -var part846 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); +var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); -var part847 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); +var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); -var part848 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); +var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); -var part849 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); -var part850 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", 
"%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); +var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); -var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); +var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); -var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); +var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); -var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); +var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); -var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); +var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); -var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); +var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); -var part856 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); +var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); -var part857 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); +var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); -var part858 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} 
[junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); -var part859 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); +var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); -var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); +var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); -var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); +var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); -var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); +var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); -var part863 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); +var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: 
[%{action}] %{p0}"); -var part864 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); +var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); -var part865 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); +var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); -var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); +var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); -var part867 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); +var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); -var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); +var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); -var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); +var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); -var part870 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); +var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); -var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); +var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); -var part872 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); +var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); -var part873 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - -var 
part874 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); +var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); var select85 = linear_select([ dup12, 
@@ -9831,49 +9831,49 @@ var select86 = linear_select([ dup40, ]); -var part875 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ +var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ dup20, dup21, dup55, dup22, ])); -var part876 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ +var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ dup50, dup21, dup63, dup22, ])); -var part877 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ +var part878 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ dup29, dup21, dup64, dup22, ])); -var part878 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ +var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ dup29, dup21, dup65, dup22, ])); -var part879 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ +var part880 = 
match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ dup29, dup21, dup66, dup22, ])); -var part880 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ +var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ dup29, dup21, dup67, dup22, ])); -var part881 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ +var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ dup29, dup21, dup70, 
@@ -9885,28 +9885,28 @@ var select87 = linear_select([ dup76, ]); -var part882 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ +var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ dup29, dup21, dup78, dup22, ])); -var part883 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ +var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ dup29, dup21, dup83, dup22, ])); -var part884 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ +var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ dup29, dup21, dup84, dup22, ])); -var part885 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ +var part886 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ dup20, dup21, dup85, 
@@ -9933,35 +9933,35 @@ var select91 = linear_select([ dup102, ]); -var part886 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ +var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ dup29, dup21, dup51, ])); -var part887 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ +var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" 
source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ dup26, dup21, dup51, ])); var select92 = linear_select([ + dup116, dup117, - dup118, ]); var select93 = linear_select([ + dup121, dup122, - dup123, ]); -var part888 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ +var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ dup29, dup21, dup51, ])); -var part889 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ +var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ dup47, dup46, dup22, diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index 3746ea8daaf..471e1047a8c 100644 --- a/x-pack/filebeat/module/kaspersky/README.md 
+++ b/x-pack/filebeat/module/kaspersky/README.md @@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-08 17:36:30.503306 +0000 UTC. +at 2020-07-08 18:28:02.857689 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 7a79658746b..4b3771e8194 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md @@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-08 17:36:30.825087 +0000 UTC. +at 2020-07-08 18:28:03.183612 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js index f19a6d77861..73286d033f1 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js @@ -77,7 +77,7 @@ var dup25 = linear_select([ dup5, ]); -var hdr1 = match("HEADER#0:0001", "message", "%MSDHCP-%{hlevel}- %{messageid}: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%MSDHCP-%{hlevel}-%{messageid}: %{payload}", processor_chain([ setc("header_id","0001"), ])); diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log index 5bb7d2c44e5..3dbde4f63de 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log 
@@ -1,100 +1,100 @@ -%MSDHCP-905- 50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac -%MSDHCP-4257- 11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer -%MSDHCP-5634- 62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest -%MSDHCP-363- 11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu -%MSDHCP-4880- 57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, -%MSDHCP-6962- 57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66 -%MSDHCP-5355- 60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu -%MSDHCP-7417- 15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu -%MSDHCP-5162- 59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno -%MSDHCP-4141- 10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d -%MSDHCP-5408- 15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet -%MSDHCP-5738- 11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit -%MSDHCP-4243- 25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor -%MSDHCP-1579- 11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep -%MSDHCP-3971- 56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos -%MSDHCP-2933- 17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, -%MSDHCP-5393- 11003: 
11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB -%MSDHCP-4171- 16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb -%MSDHCP-7290- 32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido -%MSDHCP-4125- 53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender -%MSDHCP-5368- 50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1 -%MSDHCP-4173- 33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37 -%MSDHCP-5883- 52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec -%MSDHCP-6446- 36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, -%MSDHCP-686- 12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69 -%MSDHCP-2230- 25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol -%MSDHCP-6103- 11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun -%MSDHCP-927- 58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2 -%MSDHCP-4632- 51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem -%MSDHCP-5377- 50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol -%MSDHCP-5524- 11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi -%MSDHCP-5841- 11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion -%MSDHCP-5705- 52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi -%MSDHCP-1559- 11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac -%MSDHCP-2228- 20: 
20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f -%MSDHCP-7427- 11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme -%MSDHCP-2991- 16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa -%MSDHCP-3458- 11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta -%MSDHCP-2807- 53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis -%MSDHCP-6972- 11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame -%MSDHCP-5040- 24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18 -%MSDHCP-2026- 02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol -%MSDHCP-4977- 11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq -%MSDHCP-1180- 11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp -%MSDHCP-2628- 11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre -%MSDHCP-2949- 11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse -%MSDHCP-3331- 54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna -%MSDHCP-7576- 30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp -%MSDHCP-5037- 11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam -%MSDHCP-6385- 1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno -%MSDHCP-1747- 11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium -%MSDHCP-6686- 57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid -%MSDHCP-7582- 17: 
17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido -%MSDHCP-6036- 50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7 -%MSDHCP-4949- 11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr -%MSDHCP-6418- 59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta -%MSDHCP-4824- 11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu -%MSDHCP-5368- 60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu -%MSDHCP-5740- 24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest -%MSDHCP-1842- 11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno -%MSDHCP-5263- 11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons -%MSDHCP-510- 20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b -%MSDHCP-4410- 11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov -%MSDHCP-4554- 01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin -%MSDHCP-3253- ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 -%MSDHCP-1394- 11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag -%MSDHCP-5983- 56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite -%MSDHCP-7829- 32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita -%MSDHCP-2516- 11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli 
-%MSDHCP-543- 11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui -%MSDHCP-6846- 11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun -%MSDHCP-7741- 1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo -%MSDHCP-18- 11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia -%MSDHCP-6789- 11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender -%MSDHCP-1540- 11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni -%MSDHCP-2244- 32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts -%MSDHCP-5663- 11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab -%MSDHCP-6672- 12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp -%MSDHCP-6797- 01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat -%MSDHCP-4494- 51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo -%MSDHCP-7205- 50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, -%MSDHCP-5224- 11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured -%MSDHCP-5608- 11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat -%MSDHCP-3051- 1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor -%MSDHCP-2315- 01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac -%MSDHCP-2690- 14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local 
,01:00:5e:7a:4c:6e,miu -%MSDHCP-6444- 11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide -%MSDHCP-7037- 11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a -%MSDHCP-6392- 64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, -%MSDHCP-5524- 1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem -%MSDHCP-1978- 11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation -%MSDHCP-5469- 11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori -%MSDHCP-2- 11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse -%MSDHCP-2859- 59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6 -%MSDHCP-4924- 11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa -%MSDHCP-1738- 25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi -%MSDHCP-5282- 60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil -%MSDHCP-3023- 11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt -%MSDHCP-4890- 23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict -%MSDHCP-4271- 55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d +%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac +%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer +%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest +%MSDHCP-363-11015: 
11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu +%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, +%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66 +%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu +%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu +%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno +%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d +%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet +%MSDHCP-5738-11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit +%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor +%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep +%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos +%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, +%MSDHCP-5393-11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB +%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb +%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido +%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender +%MSDHCP-5368-50: 
50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1 +%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37 +%MSDHCP-5883-52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec +%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, +%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69 +%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol +%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun +%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2 +%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem +%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol +%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi +%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion +%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi +%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac +%MSDHCP-2228-20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f +%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme +%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa +%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta +%MSDHCP-2807-53: 
53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis +%MSDHCP-6972-11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame +%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18 +%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol +%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq +%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp +%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre +%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse +%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna +%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp +%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam +%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno +%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium +%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid +%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido +%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7 +%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr +%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta +%MSDHCP-4824-11010: 
11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu +%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu +%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest +%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno +%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons +%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b +%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov +%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin +%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 +%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag +%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite +%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita +%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli +%MSDHCP-543-11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui +%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun +%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo +%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia +%MSDHCP-6789-11015: 
11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender +%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni +%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts +%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab +%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp +%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat +%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo +%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, +%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured +%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat +%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor +%MSDHCP-2315-01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac +%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local ,01:00:5e:7a:4c:6e,miu +%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide +%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a +%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, +%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem +%MSDHCP-1978-11019: 
11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation +%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori +%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse +%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6 +%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa +%MSDHCP-1738-25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi +%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil +%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt +%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict +%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json index aa2d6bc8124..e76acbf3c34 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json @@ -4,7 +4,7 @@ "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-905- 50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac ", + "event.original": "%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac ", "fileset.name": "dhcp", "host.hostname": "sse3269.invalid", "input.type": "log", 
@@ -34,11 +34,11 @@ "event.code": "11030", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4257- 11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", + "event.original": "%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", "fileset.name": "dhcp", "host.hostname": "ciade5699.domain", "input.type": "log", - "log.offset": 134, + "log.offset": 133, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -63,11 +63,11 @@ "event.code": "62", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5634- 62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest ", + "event.original": "%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest ", "fileset.name": "dhcp", "host.hostname": "sequa6540.www5.localhost", "input.type": "log", - "log.offset": 233, + "log.offset": 231, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -93,11 +93,11 @@ "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-363- 11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", + "event.original": "%MSDHCP-363-11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", "fileset.name": "dhcp", "host.hostname": "orev6153.internal.domain", "input.type": "log", - "log.offset": 343, + "log.offset": 340, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -122,11 +122,11 @@ "event.code": "57", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4880- 57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, ", + "event.original": "%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, ", "fileset.name": "dhcp", "host.hostname": "agn2581.www5.corp", "input.type": "log", - "log.offset": 450, + "log.offset": 446, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -152,11 +152,11 @@ "event.code": "57", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6962- 57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66", + "event.original": "%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66", "fileset.name": "dhcp", "host.hostname": "enatus2114.mail.home", "input.type": "log", - "log.offset": 550, + "log.offset": 545, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -182,11 +182,11 @@ "event.code": "60", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5355- 60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu ", + "event.original": "%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu ", "fileset.name": "dhcp", "host.hostname": "proident2802.home", "input.type": "log", - "log.offset": 649, + "log.offset": 643, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -212,11 +212,11 @@ "event.code": "15", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7417- 15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu ", + "event.original": "%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu ", "fileset.name": "dhcp", "host.hostname": "ofdeF7240.www.home", "input.type": "log", - "log.offset": 749, + "log.offset": 742, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -242,12 +242,12 @@ "event.code": "59", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5162- 59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno ", + "event.original": "%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno ", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "amco5712.www5.localdomain", "input.type": "log", - "log.offset": 880, + "log.offset": 872, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -275,11 +275,11 @@ "event.code": "10", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4141- 10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d", + "event.original": "%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d", "fileset.name": "dhcp", "host.hostname": "llu4762.mail.localdomain", "input.type": "log", - "log.offset": 1045, + "log.offset": 1036, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -305,11 +305,11 @@ "event.code": "15", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5408- 15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet ", + "event.original": "%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet ", "fileset.name": "dhcp", "host.hostname": "emaper2638.lan", "input.type": "log", - "log.offset": 1141, + "log.offset": 1131, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -335,11 +335,11 @@ "event.code": "11008", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5738- 11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", + "event.original": "%MSDHCP-5738-11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", "fileset.name": "dhcp", "host.hostname": "uatDuis2964.test", "input.type": "log", - "log.offset": 1267, + "log.offset": 1256, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -364,11 +364,11 @@ "event.code": "25", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4243- 25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor ", + "event.original": "%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor ", "fileset.name": "dhcp", "host.hostname": "iusmodt2597.api.domain", "input.type": "log", - "log.offset": 1375, + "log.offset": 1363, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -394,11 +394,11 @@ "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1579- 11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", + "event.original": "%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", "fileset.name": "dhcp", "host.hostname": "untNequ5075.www5.domain", "input.type": "log", - "log.offset": 1512, + "log.offset": 1499, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -425,12 +425,12 @@ "event.code": "56", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3971- 56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos ", + "event.original": "%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos ", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "uidolore6237.internal.local", "input.type": "log", - "log.offset": 1622, + "log.offset": 1608, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -458,11 +458,11 @@ "event.code": "17", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2933- 17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, ", + "event.original": "%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, ", "fileset.name": "dhcp", "host.hostname": "incididu1896.example", "input.type": "log", - "log.offset": 1802, + "log.offset": 1787, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -488,11 +488,11 @@ "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5393- 11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", + "event.original": "%MSDHCP-5393-11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", "fileset.name": "dhcp", "host.hostname": "idexea3181.www.local", "input.type": "log", - "log.offset": 1901, + "log.offset": 1885, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -517,11 +517,11 @@ "event.code": "16", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4171- 16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb", + "event.original": "%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb", "fileset.name": "dhcp", "host.hostname": "imav3236.mail.domain", "input.type": "log", - "log.offset": 2010, + "log.offset": 1993, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -549,12 +549,12 @@ "event.code": "32", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7290- 32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido ", + "event.original": "%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido ", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "ercit3947.api.local", "input.type": "log", - "log.offset": 2111, + "log.offset": 2093, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -582,11 +582,11 @@ "event.code": "53", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4125- 53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender ", + "event.original": "%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender ", "fileset.name": "dhcp", "host.hostname": "usan6343.www5.domain", "input.type": "log", - "log.offset": 2241, + "log.offset": 2222, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -612,11 +612,11 @@ "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5368- 50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1", + "event.original": "%MSDHCP-5368-50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1", "fileset.name": "dhcp", "host.hostname": "mquaera3924.www5.home", "input.type": "log", - "log.offset": 2351, + "log.offset": 2331, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -642,12 +642,12 @@ "event.code": "33", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4173- 33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37", + "event.original": "%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "atuse2703.localhost", "input.type": "log", - "log.offset": 2454, + "log.offset": 2433, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -675,11 +675,11 @@ "event.code": "52", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5883- 52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec ", + "event.original": "%MSDHCP-5883-52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec ", "fileset.name": "dhcp", "host.hostname": "emporinc5075.internal.host", "input.type": "log", - "log.offset": 2552, + "log.offset": 2530, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -705,11 +705,11 @@ "event.code": "36", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6446- 36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, ", + "event.original": "%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, ", "fileset.name": "dhcp", "host.hostname": "onsequat2984.www5.domain", "input.type": "log", - "log.offset": 2661, + "log.offset": 2638, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -735,11 +735,11 @@ "event.code": "12", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-686- 12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69", + "event.original": "%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69", "fileset.name": "dhcp", "host.hostname": "omm4276.www.example", "input.type": "log", - "log.offset": 2766, + "log.offset": 2742, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -765,11 +765,11 @@ "event.code": "25", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2230- 25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol ", + "event.original": "%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol ", "fileset.name": "dhcp", "host.hostname": "ctetura4886.www5.lan", "input.type": "log", - "log.offset": 2862, + "log.offset": 2837, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -795,11 +795,11 @@ "event.code": "11018", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6103- 11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", + "event.original": "%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", "fileset.name": "dhcp", "host.hostname": "etM953.api.domain", "input.type": "log", - "log.offset": 3030, + "log.offset": 3004, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -824,12 +824,12 @@ "event.code": "58", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-927- 58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2", + "event.original": "%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "umdolo7781.api.home", "input.type": "log", - "log.offset": 3135, + "log.offset": 3108, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -857,12 +857,12 @@ "event.code": "51", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4632- 51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem ", + "event.original": "%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem ", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "imadmini2625.www5.localhost", "input.type": "log", - "log.offset": 3231, + "log.offset": 3203, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -890,11 +890,11 @@ "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5377- 50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol ", + "event.original": "%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol ", "fileset.name": "dhcp", "host.hostname": "picia6119.mail.host", "input.type": "log", - "log.offset": 3341, + "log.offset": 3312, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -920,11 +920,11 @@ "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5524- 11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", + "event.original": "%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", "fileset.name": "dhcp", "host.hostname": "inv5716.mail.invalid", "input.type": "log", - "log.offset": 3444, + "log.offset": 3414, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -949,11 +949,11 @@ "event.code": "11021", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5841- 11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", + "event.original": "%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", "fileset.name": "dhcp", "host.hostname": "uines6355.internal.localdomain", "input.type": "log", - "log.offset": 3558, + "log.offset": 3527, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -978,11 +978,11 @@ "event.code": "52", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5705- 52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi ", + "event.original": "%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi ", "fileset.name": "dhcp", "host.hostname": "ici3995.lan", "input.type": "log", - "log.offset": 3675, + "log.offset": 3643, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1008,11 +1008,11 @@ "event.code": "11020", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1559- 11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", + "event.original": "%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", "fileset.name": "dhcp", "host.hostname": "rehender4535.www5.test", "input.type": "log", - "log.offset": 3794, + "log.offset": 3761, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1037,11 +1037,11 @@ "event.code": "20", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2228- 20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f", + "event.original": "%MSDHCP-2228-20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f", "fileset.name": "dhcp", "host.hostname": "pida2286.internal.home", "input.type": "log", - "log.offset": 3907, + "log.offset": 3873, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1067,11 +1067,11 @@ "event.code": "11006", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7427- 11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", + "event.original": "%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", "fileset.name": "dhcp", "host.hostname": "mporain2624.www.localhost", "input.type": "log", - "log.offset": 4005, + "log.offset": 3970, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1096,11 +1096,11 @@ "event.code": "16", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2991- 16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa ", + "event.original": "%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa ", "fileset.name": "dhcp", "host.hostname": "gnam2508.mail.example", "input.type": "log", - "log.offset": 4119, + "log.offset": 4083, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1128,11 +1128,11 @@ "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3458- 11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", + "event.original": "%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", "fileset.name": "dhcp", "host.hostname": "tutla2716.www.domain", "input.type": "log", - "log.offset": 4229, + "log.offset": 4192, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1157,11 +1157,11 @@ "event.code": "53", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2807- 53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis ", + "event.original": "%MSDHCP-2807-53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis ", "fileset.name": "dhcp", "host.hostname": "ercit2385.internal.home", "input.type": "log", - "log.offset": 4340, + "log.offset": 4302, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1187,11 +1187,11 @@ "event.code": "11012", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6972- 11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", + "event.original": "%MSDHCP-6972-11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", "fileset.name": "dhcp", "host.hostname": "conseq557.mail.lan", "input.type": "log", - "log.offset": 4449, + "log.offset": 4410, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1216,11 +1216,11 @@ "event.code": "24", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5040- 24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18", + "event.original": "%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18", "fileset.name": "dhcp", "host.hostname": "oei5200.www5.invalid", "input.type": "log", - "log.offset": 4562, + "log.offset": 4522, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1246,11 +1246,11 @@ "event.code": "02", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2026- 02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol ", + "event.original": "%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol ", "fileset.name": "dhcp", "host.hostname": "adol485.example", "input.type": "log", - "log.offset": 4661, + "log.offset": 4620, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1276,11 +1276,11 @@ "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4977- 11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", + "event.original": "%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", "fileset.name": "dhcp", "host.hostname": "etconse7424.internal.lan", "input.type": "log", - "log.offset": 4757, + "log.offset": 4715, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1305,11 +1305,11 @@ "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1180- 11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", + "event.original": "%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", "fileset.name": "dhcp", "host.hostname": "tMalor7410.www.localhost", "input.type": "log", - "log.offset": 4863, + "log.offset": 4820, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1336,11 +1336,11 @@ "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2628- 11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", + "event.original": "%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", "fileset.name": "dhcp", "host.hostname": "equat2243.www5.localdomain", "input.type": "log", - "log.offset": 4974, + "log.offset": 4930, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1365,11 +1365,11 @@ "event.code": "11", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2949- 11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse ", + "event.original": "%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse ", "fileset.name": "dhcp", "host.hostname": "tmo1835.test", "input.type": "log", - "log.offset": 5094, + "log.offset": 5049, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1397,12 +1397,12 @@ "event.code": "54", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3331- 54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna ", + "event.original": "%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna ", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "quatD4191.local", "input.type": "log", - "log.offset": 5194, + "log.offset": 5148, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1430,11 +1430,11 @@ "event.code": "30", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7576- 30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp ", + "event.original": "%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp ", "fileset.name": "dhcp", "host.hostname": "osqui3661.mail.domain", "input.type": "log", - "log.offset": 5298, + "log.offset": 5251, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1461,11 +1461,11 @@ "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5037- 11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", + "event.original": "%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", "fileset.name": "dhcp", "host.hostname": "ectio2175.www.localhost", "input.type": "log", - "log.offset": 5401, + "log.offset": 5353, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1490,11 +1490,11 @@ "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6385- 1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", + "event.original": "%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", "fileset.name": "dhcp", "host.hostname": "liqui6106.internal.home", "input.type": "log", - "log.offset": 5513, + "log.offset": 5464, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1519,11 +1519,11 @@ "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1747- 11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", + "event.original": "%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", "fileset.name": "dhcp", "host.hostname": "eratv6205.internal.lan", "input.type": "log", - "log.offset": 5625, + "log.offset": 5575, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1550,11 +1550,11 @@ "event.code": "57", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6686- 57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid ", + "event.original": "%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid ", "fileset.name": "dhcp", "host.hostname": "catc6134.localdomain", "input.type": "log", - "log.offset": 5745, + "log.offset": 5694, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1580,11 +1580,11 @@ "event.code": "17", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7582- 17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido ", + "event.original": "%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido ", "fileset.name": "dhcp", "host.hostname": "tevelite245.mail.local", "input.type": "log", - "log.offset": 5853, + "log.offset": 5801, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1610,11 +1610,11 @@ "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6036- 50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7", + "event.original": "%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7", "fileset.name": "dhcp", "host.hostname": "abo1637.mail.host", "input.type": "log", - "log.offset": 5963, + "log.offset": 5910, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1640,11 +1640,11 @@ "event.code": "11020", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4949- 11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", + "event.original": "%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", "fileset.name": "dhcp", "host.hostname": "piscin6866.internal.host", "input.type": "log", - "log.offset": 6058, + "log.offset": 6004, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1669,12 +1669,12 @@ "event.code": "59", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6418- 59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta ", + "event.original": "%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta ", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "idex6952.www.localhost", "input.type": "log", - "log.offset": 6171, + "log.offset": 6116, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1702,11 +1702,11 @@ "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4824- 11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", + "event.original": "%MSDHCP-4824-11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", "fileset.name": "dhcp", "host.hostname": "riosamn7650.api.test", "input.type": "log", - "log.offset": 6348, + "log.offset": 6292, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1733,11 +1733,11 @@ "event.code": "60", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5368- 60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu ", + "event.original": "%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu ", "fileset.name": "dhcp", "host.hostname": "ehen7519.www5.lan", "input.type": "log", - "log.offset": 6459, + "log.offset": 6402, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1763,11 +1763,11 @@ "event.code": "24", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5740- 24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest ", + "event.original": "%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest ", "fileset.name": "dhcp", "host.hostname": "boree513.www.corp", "input.type": "log", - "log.offset": 6587, + "log.offset": 6529, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1793,12 +1793,12 @@ "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1842- 11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", + "event.original": "%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "aper5651.test", "input.type": "log", - "log.offset": 6718, + "log.offset": 6659, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1826,11 +1826,11 @@ "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5263- 11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", + "event.original": "%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", "fileset.name": "dhcp", "host.hostname": "inventor6088.www.invalid", "input.type": "log", - "log.offset": 6815, + "log.offset": 6755, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1855,11 +1855,11 @@ "event.code": "20", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-510- 20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b", + "event.original": "%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b", "fileset.name": "dhcp", "host.hostname": "aperiame1458.www5.local", "input.type": "log", - "log.offset": 6926, + "log.offset": 6865, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1885,11 +1885,11 @@ "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4410- 11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", + "event.original": "%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", "fileset.name": "dhcp", "host.hostname": "cipitlab6201.www5.example", "input.type": "log", - "log.offset": 7023, + "log.offset": 6961, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1914,11 +1914,11 @@ "event.code": "01", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4554- 01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin ", + "event.original": "%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin ", "fileset.name": "dhcp", "host.hostname": "com5308.api.domain", "input.type": "log", - "log.offset": 7133, + "log.offset": 7070, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -1946,11 +1946,11 @@ "event.code": "ID", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3253- ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", + "event.original": "%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", "fileset.name": "dhcp", "host.hostname": "Nemoenim2039.api.localhost", "input.type": "log", - "log.offset": 7265, + "log.offset": 7201, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -1976,11 +1976,11 @@ "event.code": "11000", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1394- 11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", + "event.original": "%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", "fileset.name": "dhcp", "host.hostname": "iquipe2458.api.host", "input.type": "log", - "log.offset": 7367, + "log.offset": 7302, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2005,12 +2005,12 @@ "event.code": "56", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5983- 56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite ", + "event.original": "%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite ", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "ovol3674.www5.host", "input.type": "log", - "log.offset": 7478, + "log.offset": 7412, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2038,12 +2038,12 @@ "event.code": "32", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7829- 32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita ", + "event.original": "%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita ", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "nisist2752.home", "input.type": "log", - "log.offset": 7651, + "log.offset": 7584, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2071,11 +2071,11 @@ "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2516- 11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", + "event.original": "%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", "fileset.name": "dhcp", "host.hostname": "intoc1426.mail.lan", "input.type": "log", - "log.offset": 7752, + "log.offset": 7684, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2100,11 +2100,11 @@ "event.code": "11006", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-543- 11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", + "event.original": "%MSDHCP-543-11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", "fileset.name": "dhcp", "host.hostname": "rsitvolu3751.mail.lan", "input.type": "log", - "log.offset": 7861, + "log.offset": 7792, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2129,11 +2129,11 @@ "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6846- 11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", + "event.original": "%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", "fileset.name": "dhcp", "host.hostname": "tqu4367.www5.localhost", "input.type": "log", - "log.offset": 7974, + "log.offset": 7904, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2158,11 +2158,11 @@ "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7741- 1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", + "event.original": "%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", "fileset.name": "dhcp", "host.hostname": "inci5738.www5.invalid", "input.type": "log", - "log.offset": 8087, + "log.offset": 8016, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2187,11 +2187,11 @@ "event.code": "11005", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-18- 11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", + "event.original": "%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", "fileset.name": "dhcp", "host.hostname": "itecto1300.internal.corp", "input.type": "log", - "log.offset": 8200, + "log.offset": 8128, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2216,11 +2216,11 @@ "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6789- 11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", + "event.original": "%MSDHCP-6789-11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", "fileset.name": "dhcp", "host.hostname": "siut1579.www.domain", "input.type": "log", - "log.offset": 8316, + "log.offset": 8243, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2245,11 +2245,11 @@ "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1540- 11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", + "event.original": "%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", "fileset.name": "dhcp", "host.hostname": "ame6223.www5.localhost", "input.type": "log", - "log.offset": 8415, + "log.offset": 8341, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2274,12 +2274,12 @@ "event.code": "32", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2244- 32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts ", + "event.original": "%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts ", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "ratv5227.www.invalid", "input.type": "log", - "log.offset": 8528, + "log.offset": 8453, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2307,11 +2307,11 @@ "event.code": "11025", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5663- 11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", + "event.original": "%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", "fileset.name": "dhcp", "host.hostname": "aturve1647.mail.localhost", "input.type": "log", - "log.offset": 8633, + "log.offset": 8557, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2336,11 +2336,11 @@ "event.code": "12", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6672- 12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp ", + "event.original": "%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp ", "fileset.name": "dhcp", "host.hostname": "umwrit5433.www5.domain", "input.type": "log", - "log.offset": 8745, + "log.offset": 8668, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2366,11 +2366,11 @@ "event.code": "01", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6797- 01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat ", + "event.original": "%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat ", "fileset.name": "dhcp", "host.hostname": "llamco7206.www.home", "input.type": "log", - "log.offset": 8854, + "log.offset": 8776, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2398,12 +2398,12 @@ "event.code": "51", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4494- 51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo ", + "event.original": "%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo ", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "nBCSedut1502.www5.example", "input.type": "log", - "log.offset": 8980, + "log.offset": 8901, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2431,11 +2431,11 @@ "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7205- 50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, ", + "event.original": "%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, ", "fileset.name": "dhcp", "host.hostname": "texpli2782.mail.domain", "input.type": "log", - "log.offset": 9159, + "log.offset": 9079, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2461,11 +2461,11 @@ "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5224- 11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", + "event.original": "%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", "fileset.name": "dhcp", "host.hostname": "aco6894.mail.home", "input.type": "log", - "log.offset": 9259, + "log.offset": 9178, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2492,11 +2492,11 @@ "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5608- 11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", + "event.original": "%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", "fileset.name": "dhcp", "host.hostname": "tetu2485.internal.invalid", "input.type": "log", - "log.offset": 9369, + "log.offset": 9287, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2521,12 +2521,12 @@ "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3051- 1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", + "event.original": "%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "doloreme60.www5.localhost", "input.type": "log", - "log.offset": 9477, + "log.offset": 9394, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2553,11 +2553,11 @@ "event.code": "01", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2315- 01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac ", + "event.original": "%MSDHCP-2315-01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac ", "fileset.name": "dhcp", "host.hostname": "liqua6498.api.invalid", "input.type": "log", - "log.offset": 9588, + "log.offset": 9504, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2585,11 +2585,11 @@ "event.code": "14", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2690- 14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local ,01:00:5e:7a:4c:6e,miu ", + "event.original": "%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local ,01:00:5e:7a:4c:6e,miu ", "fileset.name": "dhcp", "host.hostname": "rsita2628.www5.local", "input.type": "log", - "log.offset": 9770, + "log.offset": 9685, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2615,11 +2615,11 @@ "event.code": "11001", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6444- 11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", + "event.original": "%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", "fileset.name": "dhcp", "host.hostname": "luptat7214.domain", "input.type": "log", - "log.offset": 9875, + "log.offset": 9789, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2644,11 +2644,11 @@ "event.code": "11", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7037- 11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a", + "event.original": "%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a", "fileset.name": "dhcp", "host.hostname": "tpersp2624.mail.example", "input.type": "log", - "log.offset": 9982, + "log.offset": 9895, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2676,11 +2676,11 @@ "event.code": "64", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6392- 64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, ", + "event.original": "%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, ", "fileset.name": "dhcp", "host.hostname": "aincidu2687.mail.home", "input.type": "log", - "log.offset": 10086, + "log.offset": 9998, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2706,12 +2706,12 @@ "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5524- 1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", + "event.original": "%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "amcor5091.internal.corp", "input.type": "log", - "log.offset": 10186, + "log.offset": 10097, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2738,11 +2738,11 @@ "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1978- 11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", + "event.original": "%MSDHCP-1978-11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", "fileset.name": "dhcp", "host.hostname": "ncidid5410.internal.domain", "input.type": "log", - "log.offset": 10290, + "log.offset": 10200, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2767,12 +2767,12 @@ "event.code": "11024", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5469- 11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", + "event.original": "%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", "event.outcome": "Success", "fileset.name": "dhcp", "host.hostname": "nofd988.api.example", "input.type": "log", - "log.offset": 10412, + "log.offset": 10321, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2800,11 +2800,11 @@ "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2- 11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", + "event.original": "%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", "fileset.name": "dhcp", "host.hostname": "borisnis6159.www5.localdomain", "input.type": "log", - "log.offset": 10522, + "log.offset": 10430, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2829,12 +2829,12 @@ "event.code": "59", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2859- 59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6", + "event.original": "%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "isetquas3096.home", "input.type": "log", - "log.offset": 10637, + "log.offset": 10544, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2862,11 +2862,11 @@ "event.code": "11025", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4924- 11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", + "event.original": "%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", "fileset.name": "dhcp", "host.hostname": "dminima4348.mail.home", "input.type": "log", - "log.offset": 10731, + "log.offset": 10637, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2891,11 +2891,11 @@ "event.code": "25", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1738- 25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi ", + "event.original": "%MSDHCP-1738-25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi ", "fileset.name": "dhcp", "host.hostname": "volupt2952.api.local", "input.type": "log", - "log.offset": 10839, + "log.offset": 10744, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2921,11 +2921,11 @@ "event.code": "60", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5282- 60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil ", + "event.original": "%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil ", "fileset.name": "dhcp", "host.hostname": "uii5923.internal.home", "input.type": "log", - "log.offset": 11011, + "log.offset": 10915, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", 
@@ -2951,12 +2951,12 @@ "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3023- 11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", + "event.original": "%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", "event.outcome": "Failure", "fileset.name": "dhcp", "host.hostname": "oluptas6981.www5.localhost", "input.type": "log", - "log.offset": 11144, + "log.offset": 11047, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -2984,11 +2984,11 @@ "event.code": "23", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4890- 23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict ", + "event.original": "%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict ", "fileset.name": "dhcp", "host.hostname": "vitaed4959.example", "input.type": "log", - "log.offset": 11259, + "log.offset": 11161, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", @@ -3014,11 +3014,11 @@ "event.code": "55", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4271- 55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d", + "event.original": "%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d", "fileset.name": "dhcp", "host.hostname": "boreetdo1725.example", "input.type": "log", - "log.offset": 11367, + "log.offset": 11268, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index 7068d43d848..b30a72cd250 100644 --- a/x-pack/filebeat/module/netscout/README.md 
+++ b/x-pack/filebeat/module/netscout/README.md @@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-08 17:36:24.326666 +0000 UTC. +at 2020-07-08 18:27:57.012894 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/config/pipeline.js b/x-pack/filebeat/module/netscout/sightline/config/pipeline.js index 6658c4a5c29..ae844c74f9d 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/pipeline.js +++ b/x-pack/filebeat/module/netscout/sightline/config/pipeline.js @@ -107,11 +107,13 @@ var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{f var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); -var dup33 = setc("eventcategory","1002000000"); +var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); -var dup34 = setc("signame","Bandwidth"); +var dup34 = setc("eventcategory","1002000000"); -var dup35 = date_time({ +var dup35 = setc("signame","Bandwidth"); + +var dup36 = date_time({ dest: "starttime", args: ["fld15","fld16","fld17","fld18","fld19","fld20"], fmts: [ @@ -119,9 +121,9 @@ var dup35 = date_time({ ], }); -var dup36 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); +var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); -var dup37 = date_time({ +var dup38 = date_time({ dest: "starttime", args: ["fld2","fld3"], fmts: [ 
@@ -129,36 +131,36 @@ var dup37 = date_time({ ], }); -var dup38 = linear_select([ +var dup39 = linear_select([ dup2, dup3, ]); -var dup39 = linear_select([ +var dup40 = linear_select([ dup6, dup7, dup8, dup9, ]); -var dup40 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, ])); -var dup41 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, ])); -var dup42 = linear_select([ +var dup43 = linear_select([ dup21, dup22, ]); -var dup43 = linear_select([ +var dup44 = linear_select([ dup31, dup32, ]); @@ -196,7 +198,7 @@ var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1-> var all2 = all_match({ processors: [ dup1, - dup38, + dup39, part6, ], on_success: processor_chain([ @@ -210,9 +212,9 @@ var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1 var all3 = all_match({ processors: [ dup1, - dup38, - dup5, dup39, + dup5, + dup40, part7, ], on_success: processor_chain([ @@ -231,9 +233,9 @@ var all3 = all_match({ var all4 = all_match({ processors: [ dup1, - dup38, - dup5, dup39, + dup5, + dup40, dup10, ], on_success: processor_chain([ 
@@ -320,9 +322,9 @@ var select4 = linear_select([ msg2, ]); -var msg3 = msg("BGP:Down", dup40); +var msg3 = msg("BGP:Down", dup41); -var msg4 = msg("BGP:Restored", dup41); +var msg4 = msg("BGP:Restored", dup42); var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ dup17, @@ -411,9 +413,9 @@ var select7 = linear_select([ msg13, ]); -var msg14 = msg("SNMP:Down", dup40); +var msg14 = msg("SNMP:Down", dup41); -var msg15 = msg("SNMP:Restored", dup41); +var msg15 = msg("SNMP:Restored", dup42); var select8 = linear_select([ msg14, @@ -463,7 +465,7 @@ var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfs var all6 = all_match({ processors: [ part24, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -482,7 +484,7 @@ var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp var all7 = all_match({ processors: [ part25, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -501,7 +503,7 @@ var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload var all8 = all_match({ processors: [ part26, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -520,7 +522,7 @@ var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload" var all9 = all_match({ processors: [ part27, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -538,7 +540,7 @@ var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload" var all10 = all_match({ processors: [ part28, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -557,7 +559,7 @@ var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", var all11 = all_match({ processors: [ part29, - dup42, + dup43, dup23, ], on_success: processor_chain([ 
@@ -575,7 +577,7 @@ var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", var all12 = all_match({ processors: [ part30, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -594,7 +596,7 @@ var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", var all13 = all_match({ processors: [ part31, - dup42, + dup43, dup23, ], on_success: processor_chain([ @@ -718,7 +720,7 @@ var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} var all14 = all_match({ processors: [ part43, - dup42, + dup43, dup23, ], on_success: processor_chain([ 
@@ -734,92 +736,88 @@ var msg39 = msg("script", all14); var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); -var part45 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); - var all15 = all_match({ processors: [ part44, - dup43, - part45, + dup44, + dup33, ], on_success: processor_chain([ - dup33, - dup13, dup34, + dup13, dup35, + dup36, ]), }); var msg40 = msg("anomaly:Resource_Info:01", all15); -var part46 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all16 = all_match({ processors: [ - part46, - dup43, - dup36, + part45, + dup44, + dup37, ], on_success: processor_chain([ - dup33, - dup13, dup34, + dup13, dup35, + dup36, ]), }); var msg41 = msg("anomaly:Resource_Info:02", all16); -var part47 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} 
dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var part48 = match("MESSAGE#41:anomaly:Resource_Info:03/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info->} "); +var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all17 = all_match({ processors: [ - part47, - dup43, - part48, + part46, + dup44, + dup33, ], on_success: processor_chain([ - dup33, + dup34, dup13, - dup35, + dup36, ]), }); var msg42 = msg("anomaly:Resource_Info:03", all17); -var part49 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); +var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); var all18 = all_match({ processors: [ - part49, - dup43, - dup36, + part47, + dup44, + dup37, ], on_success: processor_chain([ - dup33, + dup34, dup13, - dup35, + dup36, ]), }); var msg43 = msg("anomaly:Resource_Info:04", all18); -var part50 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} 
router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ - dup33, - dup13, +var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ dup34, + dup13, + dup35, ])); -var msg44 = msg("anomaly:Router_Info:01", part50); +var msg44 = msg("anomaly:Router_Info:01", part48); -var part51 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ - dup33, +var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, dup13, ])); -var msg45 = msg("anomaly:Router_Info:02", part51); +var msg45 = msg("anomaly:Router_Info:02", part49); var select13 = linear_select([ msg40, 
@@ -830,31 +828,31 @@ var select13 = linear_select([ msg45, ]); -var part52 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ +var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ dup12, dup13, dup14, ])); -var msg46 = msg("Peakflow:Unreachable", part52); +var msg46 = msg("Peakflow:Unreachable", part50); -var part53 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, ])); -var msg47 = msg("Peakflow:Reachable", part53); +var msg47 = msg("Peakflow:Reachable", part51); var select14 = linear_select([ msg46, msg47, ]); -var part54 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ +var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ dup18, dup13, - dup37, + dup38, date_time({ dest: "endtime", args: ["fld5","fld6"], 
@@ -864,44 +862,44 @@ var part54 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detect }), ])); -var msg48 = msg("Host:Detection", part54); +var msg48 = msg("Host:Detection", part52); -var part55 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ +var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ dup18, dup13, - dup37, + dup38, ])); -var msg49 = msg("Host:Detection:01", part55); +var msg49 = msg("Host:Detection:01", part53); var select15 = linear_select([ msg48, msg49, ]); -var part56 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ +var part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ dup18, dup13, setc("event_description","AIF license expiring cleared"), ])); -var msg50 = msg("Infrastructure", part56); +var msg50 = msg("Infrastructure", part54); -var part57 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ +var part55 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. 
System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ dup18, dup13, setc("event_description","Hardware sensor detected a critical state"), ])); -var msg51 = msg("Infrastructure:02", part57); +var msg51 = msg("Infrastructure:02", part55); -var part58 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ +var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ dup18, dup13, setc("event_description","AIF license expired cleared"), ])); -var msg52 = msg("Infrastructure:01", part58); +var msg52 = msg("Infrastructure:01", part56); var select16 = linear_select([ msg50, 
@@ -909,27 +907,27 @@ var select16 = linear_select([ msg52, ]); -var part59 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ +var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ setc("eventcategory","1803000000"), dup13, ])); -var msg53 = msg("Blocked_Host", part59); +var msg53 = msg("Blocked_Host", part57); -var part60 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ +var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ dup18, dup13, ])); -var msg54 = msg("Change_Log", part60); +var msg54 = msg("Change_Log", part58); -var part61 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ +var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ dup18, dup13, setc("event_description","Changed protection mode to active for protection group"), ])); -var msg55 = msg("Protection_Mode", part61); +var msg55 = msg("Protection_Mode", part59); var chain1 = processor_chain([ select3, 
@@ -959,33 +957,35 @@ var chain1 = processor_chain([ var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); -var part62 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); +var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); -var part63 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); +var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); -var part64 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); +var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); -var part65 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); +var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); -var part66 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); +var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); -var part67 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); +var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); -var part68 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); +var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); -var part69 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); +var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); -var part70 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); +var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); -var part71 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); +var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); -var part72 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); +var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", 
"%{fld21->} duration %{p0}"); -var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); +var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); -var part74 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); +var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); -var part75 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); +var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); var select17 = linear_select([ dup2, @@ -999,13 +999,13 @@ var select18 = linear_select([ dup9, ]); -var part76 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, ])); -var part77 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var part76 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, 
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 05a410898f9..9afdd37e18c 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -832,8 +832,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.233.107.138", - "10.28.127.218" + "10.28.127.218", + "10.233.107.138" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -891,8 +891,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.182.199.231", - "10.118.32.22" + "10.118.32.22", + "10.182.199.231" ], "rsa.db.index": "etconse", "rsa.internal.messageid": "anomaly", @@ -1020,8 +1020,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.168.131.247", - "10.136.232.108" + "10.136.232.108", + "10.168.131.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1209,8 +1209,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.161.136.76", - "10.108.167.93" + "10.108.167.93", + "10.161.136.76" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2230,8 +2230,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.210.218", - "10.44.47.27" + "10.44.47.27", + "10.179.210.218" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index c6717fe8275..8c4f7f51182 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md 
@@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-08 17:36:33.009612 +0000 UTC. +at 2020-07-08 18:28:05.368543 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md index 7345110fcdd..6c0565ff3bc 100644 --- a/x-pack/filebeat/module/rapid7/README.md +++ b/x-pack/filebeat/module/rapid7/README.md @@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-08 17:36:32.35441 +0000 UTC. +at 2020-07-08 18:28:04.735564 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js b/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js index 966c00a7421..009e6ae8fa5 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js +++ b/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js @@ -1381,7 +1381,7 @@ var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}" var msg56 = msg("Web", part70); -var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info->} ", processor_chain([ +var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info}", processor_chain([ dup20, dup14, dup15, @@ -1411,7 +1411,7 @@ var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{ var msg58 = msg("Done", part72); -var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}]. ", processor_chain([ +var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}].", processor_chain([ dup20, dup14, dup15, 
@@ -2999,7 +2999,7 @@ var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{pr var msg193 = msg("Completed", part169); -var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info->} ", processor_chain([ +var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info}", processor_chain([ dup20, dup14, dup15, @@ -3896,7 +3896,7 @@ var msg278 = msg("Invocation", dup61); var msg279 = msg("Using", dup61); -var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown complete, %{event_description->} ", processor_chain([ +var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown complete, %{event_description}", processor_chain([ dup20, dup14, dup15, @@ -3904,7 +3904,7 @@ var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1-> var msg280 = msg("Route:01", part232); -var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description->} ", processor_chain([ +var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description}", processor_chain([ dup20, dup14, dup15, @@ -4005,7 +4005,7 @@ var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current director var msg299 = msg("Current", part240); -var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version->} ", processor_chain([ +var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version}", processor_chain([ dup20, dup14, dup15, @@ -4163,7 +4163,7 @@ var select61 = linear_select([ msg317, ]); -var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info->} ", processor_chain([ +var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info}", processor_chain([ dup20, dup14, dup15, 
@@ -4171,7 +4171,7 @@ var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{in var msg318 = msg("Compiling", part258); -var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info->} ", processor_chain([ +var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info}", processor_chain([ dup20, dup14, dup15, @@ -4179,7 +4179,7 @@ var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerabil var msg319 = msg("Vulnerability", part259); -var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info->} ", processor_chain([ +var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info}", processor_chain([ dup20, dup14, dup15, @@ -4187,7 +4187,7 @@ var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{ var msg320 = msg("Truncating", part260); -var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info->} ", processor_chain([ +var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info}", processor_chain([ dup20, dup14, dup15, @@ -4195,7 +4195,7 @@ var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchroniz var msg321 = msg("Synchronizing", part261); -var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info->} ", processor_chain([ +var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info}", processor_chain([ dup20, dup14, dup15, @@ -4203,7 +4203,7 @@ var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info-> var msg322 = msg("Parsing", part262); -var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info->} ", processor_chain([ +var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info}", processor_chain([ dup20, dup14, dup15, 
@@ -4211,21 +4211,21 @@ var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{in var msg323 = msg("Remapping", part263); -var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info->} ", processor_chain([ +var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info}", processor_chain([ dup20, dup15, ])); var msg324 = msg("Remapped", part264); -var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info->} ", processor_chain([ +var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info}", processor_chain([ dup20, dup15, ])); var msg325 = msg("Database", part265); -var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info->} ", processor_chain([ +var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info}", processor_chain([ dup20, dup15, ])); @@ -4237,7 +4237,7 @@ var select62 = linear_select([ msg326, ]); -var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info->} ", processor_chain([ +var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info}", processor_chain([ dup20, dup14, dup15, @@ -4245,7 +4245,7 @@ var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{in var msg327 = msg("Accepting", part267); -var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info->} ", processor_chain([ +var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info}", processor_chain([ dup20, dup14, dup15, 
@@ -4253,7 +4253,7 @@ var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{inf var msg328 = msg("VERSION:03", part268); -var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info->} ", processor_chain([ +var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info}", processor_chain([ dup20, dup14, dup15, @@ -4261,7 +4261,7 @@ var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info var msg329 = msg("Detected", part269); -var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info->} ", processor_chain([ +var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info}", processor_chain([ dup20, dup14, dup15, @@ -4269,7 +4269,7 @@ var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info-> var msg330 = msg("Telling", part270); -var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info->} ", processor_chain([ +var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info}", processor_chain([ dup20, dup14, dup15, @@ -4277,7 +4277,7 @@ var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info var msg331 = msg("Stopping", part271); -var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info->} ", processor_chain([ +var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info}", processor_chain([ dup20, dup14, dup15, @@ -4285,7 +4285,7 @@ var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info var msg332 = msg("removing", part272); -var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info->} ", processor_chain([ +var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info}", processor_chain([ dup20, dup14, dup15, 
@@ -4293,7 +4293,7 @@ var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info var msg333 = msg("Enabling", part273); -var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info->} ", processor_chain([ +var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info}", processor_chain([ dup20, dup14, dup15, @@ -4301,7 +4301,7 @@ var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info var msg334 = msg("Granting", part274); -var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info->} ", processor_chain([ +var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info}", processor_chain([ dup20, dup14, dup15, @@ -4309,7 +4309,7 @@ var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info-> var msg335 = msg("Version", part275); -var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info->} ", processor_chain([ +var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info}", processor_chain([ dup20, dup14, dup15, @@ -4317,7 +4317,7 @@ var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring var msg336 = msg("Configuring", part276); -var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info->} ", processor_chain([ +var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info}", processor_chain([ dup20, dup14, dup15, @@ -4334,7 +4334,7 @@ var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld var msg338 = msg("Scheduler:01", part278); -var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info->} ", processor_chain([ +var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info}", processor_chain([ dup20, dup15, ])); 
@@ -4347,7 +4347,7 @@ var select63 = linear_select([ msg339, ]); -var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info->} ", processor_chain([ +var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info}", processor_chain([ dup20, dup14, dup15, @@ -4355,7 +4355,7 @@ var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{ var msg340 = msg("PostgreSQL", part280); -var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info->} ", processor_chain([ +var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info}", processor_chain([ dup20, dup14, dup15, diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log index 4776a6538ec..97535fca785 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log @@ -1,6 +1,6 @@ %NEXPOSE-nci: SiteEventHandler deny %NEXPOSE-iin: persistent-xss -%NEXPOSE-tenima: Telling laboreet +%NEXPOSE-tenima: Telling laboreet %NEXPOSE-giatq: SPIDER-XSS %NEXPOSE-lupt: 2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi. %NEXPOSE-isaute: tcup 
@@ -21,10 +21,9 @@ %NEXPOSE-ssecil: nodes: %NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny %NEXPOSE-nsec: quidolor j_password: -%NEXPOSE-edquian: loremeu Form: -%NEXPOSE-uela: 2017-1-6T7:11:41 [ntexplic] uto[Thread: Accepting] [Started: iuntNequ] [Duration: esseq] Accepting aincidun -%NEXPOSE-nse: 2017/01/20T14:14:16 [modoc] [Thread: boNem] [Site: iumt] Database tsed -%NEXPOSE-enim: 2017-2-3T9:16:50 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa +%NEXPOSE-veniamq: 2016-12-23T12:09:07 [occ] oloreseo[Thread: Mobile] [Started: iruredol] [Duration: veniamqu] licaboN +%NEXPOSE-nse: 2017/01/06T07:11:41 [modoc] [Thread: boNem] [Site: iumt] Database tsed +%NEXPOSE-enim: 2017-1-20T2:14:16 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa %NEXPOSE-msequ: uat %NEXPOSE-ataevita: oremqu %NEXPOSE-oremi: ugitsedq 
@@ -32,69 +31,70 @@ %NEXPOSE-tiaecon: Acknowledged: %NEXPOSE-itametc: ProductNotificationService: allow %NEXPOSE-olori: ido -%NEXPOSE-lpaquiof: Activation 2017-5-29T5:37:24 oloreeu -%NEXPOSE-umfugi: 2017-6-12T12:39:58 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide -%NEXPOSE-olu: 2017-6-26T7:42:33 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect -%NEXPOSE-magnam: 2017-7-11T2:45:07 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti -%NEXPOSE-assi: 2017-7-25T9:47:41 [eserun] [Thread: rvelill] [Site: lupta] Default +%NEXPOSE-lpaquiof: Activation 2017-5-14T10:34:50 oloreeu +%NEXPOSE-umfugi: 2017-5-29T5:37:24 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide +%NEXPOSE-olu: 2017-6-12T12:39:58 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect +%NEXPOSE-magnam: 2017-6-26T7:42:33 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti +%NEXPOSE-assi: 2017-7-11T2:45:07 [eserun] [Thread: rvelill] [Site: lupta] Default %NEXPOSE-tatevel: midestl -%NEXPOSE-ufugi: An 2017-8-22T11:52:50 cin -%NEXPOSE-onofdeF: 2017-9-6T6:55:24 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr -%NEXPOSE-orsitam: 2017-9-20T1:57:58 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers. -%NEXPOSE-aea: 2017/10/04T21:00:32 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo +%NEXPOSE-ufugi: An 2017-8-8T4:50:15 cin +%NEXPOSE-onofdeF: 2017-8-22T11:52:50 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr +%NEXPOSE-orsitam: 2017-9-6T6:55:24 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers. 
+%NEXPOSE-aea: 2017/09/20T13:57:58 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo %NEXPOSE-uatu: Shutting down ' %NEXPOSE-ende: DEFAULT SCHEDULER: ' -%NEXPOSE-mexerci: 2017-11-16T6:08:15 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame. +%NEXPOSE-mexerci: 2017-11-2T11:05:41 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame. %NEXPOSE-exe: Reading %NEXPOSE-eddoei: Benchmark lorumw %NEXPOSE-ctionofd: j_password: %NEXPOSE-boreetd: tNe -%NEXPOSE-ntocca: 2018-1-27T5:21:06 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm. +%NEXPOSE-ntocca: 2018-1-12T10:18:32 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm. 
%NEXPOSE-iadeseru: Adding %NEXPOSE-eosqui: iatquo -%NEXPOSE-iqu: Establishing 2018-3-11T2:28:49 quamqua -%NEXPOSE-diduntut: 2018/03/25T09:31:24 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut -%NEXPOSE-aturve: Error 2018-4-8T4:33:58 edqui +%NEXPOSE-iqu: Establishing 2018-2-24T7:26:15 quamqua +%NEXPOSE-diduntut: 2018/03/11T02:28:49 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut +%NEXPOSE-aturve: Error 2018-3-25T9:31:24 edqui %NEXPOSE-Loremip: Requested: -%NEXPOSE-nge: 2018/05/07T06:39:06 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen +%NEXPOSE-nge: 2018/04/22T23:36:32 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen %NEXPOSE-tur: The: -%NEXPOSE-mipsa: 2018-6-4T8:44:15 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex +%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex %NEXPOSE-exerc: Retrieving %NEXPOSE-uaturQ: but: -%NEXPOSE-dolor: 2018-7-17T5:51:58 [equunt] [Thread: mto] [Site: iae] Invocation +%NEXPOSE-dolor: 2018-7-3T10:49:23 [equunt] [Thread: mto] [Site: iae] Invocation %NEXPOSE-magnido: mcolab %NEXPOSE-tiumd: Dumping %NEXPOSE-orisnis: umq -%NEXPOSE-intoc: 2018-9-12T10:02:15 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid +%NEXPOSE-intoc: 2018-8-29T2:59:40 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid %NEXPOSE-uisno: enat %NEXPOSE-oriss: imadmin suntexpl JVM frames : urve %NEXPOSE-lupta: utla -%NEXPOSE-ntore: 2018-11-9T2:12:32 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept +%NEXPOSE-ntore: 2018-10-25T7:09:57 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept %NEXPOSE-ostr: amcorp 0.49: iadolo -%NEXPOSE-mali: 2018-12-7T4:17:40 [amestqu] qui[Thread: loading] 
[Started: nemullam] [Duration: modoco] maveni -%NEXPOSE-upt: 2018-12-21T11:20:14 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine. +%NEXPOSE-mali: 2018-11-23T9:15:06 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni +%NEXPOSE-upt: 2018-12-7T4:17:40 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine. %NEXPOSE-eosqu: reetdolo -%NEXPOSE-ten: 2019-1-19T1:25:23 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel +%NEXPOSE-ten: 2019-1-5T6:22:49 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel %NEXPOSE-Neq: rcita -%NEXPOSE-quatD: 2019-2-17T3:30:32 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud -%NEXPOSE-atquo: 2019-3-3T10:33:06 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape -%NEXPOSE-Malor: 2019-3-17T5:35:40 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown. -%NEXPOSE-pta: 2019-4-1T12:38:14 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq +%NEXPOSE-quatD: 2019-2-2T8:27:57 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud +%NEXPOSE-atquo: 2019-2-17T3:30:32 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape +%NEXPOSE-Malor: 2019-3-3T10:33:06 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown. 
+%NEXPOSE-pta: 2019-3-17T5:35:40 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq %NEXPOSE-ptate: oloreeu credentials: %NEXPOSE-iscinge: Populating ora %NEXPOSE-orincidi: ScanEventHandler: cancel %NEXPOSE-mSecti: Updating ius -%NEXPOSE-uunturm: 2019-6-11T11:51:06 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow -%NEXPOSE-agn: Stopping eritinvo -%NEXPOSE-uisaut: 2019-7-10T1:56:14 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo +%NEXPOSE-uunturm: 2019-5-28T4:48:31 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow +%NEXPOSE-agn: Stopping eritinvo +%NEXPOSE-uisaut: 2019-6-25T6:53:40 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo %NEXPOSE-ctobeat: common %NEXPOSE-olab: remagnam Destroying: %NEXPOSE-adipi: idid Destroying: -%NEXPOSE-lore: 2019-9-5T6:06:31 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru -%NEXPOSE-mco: 2019-9-19T1:09:05 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. -%NEXPOSE-tenim: 2019-10-3T8:11:40 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono +%NEXPOSE-lore: 2019-8-21T11:03:57 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru +%NEXPOSE-mco: 2019-9-5T6:06:31 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. 
+%NEXPOSE-tenim: 2019-9-19T1:09:05 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono %NEXPOSE-tempori: sedquian %NEXPOSE-umfu: No %NEXPOSE-nisi: credentials: %NEXPOSE-ptate: tconsect -%NEXPOSE-amqua: 2019-12-14T7:24:31 [isnost] [Thread: eaco] [Site: oremeu] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value uis. +%NEXPOSE-amqua: 2019-11-30T12:21:57 [isnost] [Thread: eaco] [Site: oremeu] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value uis. +%NEXPOSE-turmagni: iatur NEXPOSE_GENERIC: diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json index 73142da6941..e14efc886f3 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json @@ -39,7 +39,7 @@ "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-tenima: Telling laboreet ", + "event.original": "%NEXPOSE-tenima: Telling laboreet", "fileset.name": "nexpose", "input.type": "log", "log.offset": 66, @@ -60,7 +60,7 @@ "event.original": "%NEXPOSE-giatq: SPIDER-XSS ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 101, + "log.offset": 100, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -78,7 +78,7 @@ "event.original": "%NEXPOSE-lupt: 2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 129, + "log.offset": 128, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -97,7 +97,7 @@ "event.original": "%NEXPOSE-isaute: tcup", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 309, + "log.offset": 308, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -115,7 +115,7 @@ "event.original": "%NEXPOSE-ofdeFini: Using ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 331, + "log.offset": 330, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -133,7 +133,7 @@ "event.original": "%NEXPOSE-emulla: mpori", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 357, + "log.offset": 356, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -151,7 +151,7 @@ "event.original": "%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: Migration] [Started: tinvolu] [Duration: iurer] iciadese", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 380, + "log.offset": 379, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -171,7 +171,7 @@ "event.original": "%NEXPOSE-iumtotam: Invocation: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 494, + "log.offset": 493, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -189,7 +189,7 @@ "event.original": "%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 526, + "log.offset": 525, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -207,7 +207,7 @@ "event.original": "%NEXPOSE-tur: roi credentials: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 574, + "log.offset": 573, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -225,7 +225,7 @@ "event.original": "%NEXPOSE-equatu: upta", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 606, + "log.offset": 605, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -243,7 +243,7 @@ "event.original": "%NEXPOSE-itam: str Approved: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 628, + "log.offset": 627, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -261,7 +261,7 @@ "event.original": "%NEXPOSE-ionemu: eetdolo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 658, + "log.offset": 657, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -279,7 +279,7 @@ "event.original": "%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 683, + "log.offset": 682, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -298,7 +298,7 @@ "event.original": "%NEXPOSE-siutaliq: dutp", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 857, + "log.offset": 856, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -316,7 +316,7 @@ "event.original": "%NEXPOSE-isau: HHH000436: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 881, + "log.offset": 880, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -334,7 +334,7 @@ "event.original": "%NEXPOSE-rumwrit: Skipping ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 908, + "log.offset": 907, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -352,7 +352,7 @@ "event.original": "%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 936, + "log.offset": 935, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -371,7 +371,7 @@ "event.original": "%NEXPOSE-ssecil: nodes: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1063, + "log.offset": 1062, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -389,7 +389,7 @@ "event.original": "%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1088, + "log.offset": 1087, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -408,7 +408,7 @@ "event.original": "%NEXPOSE-nsec: quidolor j_password: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1188, + "log.offset": 1187, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -420,39 +420,25 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.action": [ + "Shutting down" + ], + "event.code": "Mobile", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-edquian: loremeu Form: ", + "event.original": "%NEXPOSE-veniamq: 2016-12-23T12:09:07 [occ] oloreseo[Thread: Mobile] [Started: iruredol] [Duration: veniamqu] licaboN", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1225, + "log.offset": 1224, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Accepting", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-uela: 2017-1-6T7:11:41 [ntexplic] uto[Thread: Accepting] [Started: iuntNequ] [Duration: esseq] Accepting aincidun ", - "fileset.name": "nexpose", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" + "rsa.internal.event_desc": "licaboN", + "rsa.internal.messageid": "Mobile", + "rsa.misc.action": [ + "Shutting down" ], - "log.offset": 1258, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "Accepting", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -463,15 +449,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-nse: 2017/01/20T14:14:16 [modoc] [Thread: boNem] [Site: iumt] Database tsed ", + "event.original": "%NEXPOSE-nse: 2017/01/06T07:11:41 [modoc] [Thread: boNem] [Site: iumt] Database tsed", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1382, + "log.offset": 1342, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -482,16 +468,16 @@ "event.code": "Migration", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-enim: 2017-2-3T9:16:50 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa", + "event.original": "%NEXPOSE-enim: 2017-1-20T2:14:16 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1468, + "log.offset": 1427, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "atnulapa", "rsa.internal.messageid": "Migration", - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -505,7 +491,7 @@ "event.original": "%NEXPOSE-msequ: uat", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1577, + "log.offset": 1537, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -523,7 +509,7 @@ "event.original": "%NEXPOSE-ataevita: oremqu", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1597, + "log.offset": 1557, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -541,7 +527,7 @@ "event.original": "%NEXPOSE-oremi: ugitsedq", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1623, + "log.offset": 1583, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -559,7 +545,7 @@ "event.original": "%NEXPOSE-ipsaqu: TagEventHandler cancel", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1648, + "log.offset": 1608, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -577,7 +563,7 @@ "event.original": "%NEXPOSE-tiaecon: Acknowledged: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1688, + "log.offset": 1648, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -595,7 +581,7 @@ "event.original": "%NEXPOSE-itametc: ProductNotificationService: allow", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1721, + "log.offset": 1681, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -613,7 +599,7 @@ "event.original": "%NEXPOSE-olori: ido", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1773, + "log.offset": 1733, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -628,16 +614,16 @@ "event.code": "Activation", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-lpaquiof: Activation 2017-5-29T5:37:24 oloreeu", + "event.original": "%NEXPOSE-lpaquiof: Activation 2017-5-14T10:34:50 oloreeu", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1793, + "log.offset": 1753, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "oloreeu", "rsa.internal.messageid": "Activation", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -648,15 +634,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-umfugi: 2017-6-12T12:39:58 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide", + "event.original": "%NEXPOSE-umfugi: 2017-5-29T5:37:24 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1849, + "log.offset": 1810, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -667,16 +653,16 @@ "event.code": "Error", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-olu: 2017-6-26T7:42:33 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect", + "event.original": "%NEXPOSE-olu: 2017-6-12T12:39:58 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 1947, + "log.offset": 1907, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.db.index": "tect", "rsa.internal.messageid": "Error", - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -690,10 +676,10 @@ "event.code": "Upgrading", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-magnam: 2017-7-11T2:45:07 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti", + "event.original": "%NEXPOSE-magnam: 2017-6-26T7:42:33 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2052, + "log.offset": 2013, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -701,7 +687,7 @@ "rsa.misc.action": [ "Upgrading database" ], - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -712,15 +698,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-assi: 2017-7-25T9:47:41 [eserun] [Thread: rvelill] [Site: lupta] Default ", + "event.original": "%NEXPOSE-assi: 2017-7-11T2:45:07 [eserun] [Thread: rvelill] [Site: lupta] Default ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2178, + "log.offset": 2139, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -734,7 +720,7 @@ "event.original": "%NEXPOSE-tatevel: midestl", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2261, + "log.offset": 2222, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -749,16 +735,16 @@ "event.code": "An", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-ufugi: An 2017-8-22T11:52:50 cin", + "event.original": "%NEXPOSE-ufugi: An 2017-8-8T4:50:15 cin", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2287, + "log.offset": 2248, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "cin", "rsa.internal.messageid": "An", - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -769,18 +755,16 @@ "event.code": "PostgreSQL", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-onofdeF: 2017-9-6T6:55:24 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr ", + "event.original": "%NEXPOSE-onofdeF: 2017-8-22T11:52:50 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr", "fileset.name": "nexpose", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2329, + "log.offset": 2288, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", + "rsa.db.index": "natuserr", "rsa.internal.messageid": "PostgreSQL", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -791,15 +775,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-orsitam: 2017-9-20T1:57:58 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers.", + "event.original": "%NEXPOSE-orsitam: 2017-9-6T6:55:24 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2453, + "log.offset": 2413, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -810,18 +794,16 @@ "event.code": "Remapped", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-aea: 2017/10/04T21:00:32 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo ", + "event.original": "%NEXPOSE-aea: 2017/09/20T13:57:58 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo", "fileset.name": "nexpose", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2645, + "log.offset": 2604, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", + "rsa.db.index": "eruntmo", "rsa.internal.messageid": "Remapped", - "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -835,7 +817,7 @@ "event.original": "%NEXPOSE-uatu: Shutting down '", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2805, + "log.offset": 2763, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -853,7 +835,7 @@ "event.original": "%NEXPOSE-ende: DEFAULT SCHEDULER: '", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2836, + "log.offset": 2794, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -868,15 +850,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-mexerci: 2017-11-16T6:08:15 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame.", + "event.original": "%NEXPOSE-mexerci: 2017-11-2T11:05:41 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 2872, + "log.offset": 2830, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -890,7 +872,7 @@ "event.original": "%NEXPOSE-exe: Reading ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3002, + "log.offset": 2960, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -908,7 +890,7 @@ "event.original": "%NEXPOSE-eddoei: Benchmark lorumw", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3025, + "log.offset": 2983, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -926,7 +908,7 @@ "event.original": "%NEXPOSE-ctionofd: j_password: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3059, + "log.offset": 3017, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -944,7 +926,7 @@ "event.original": "%NEXPOSE-boreetd: tNe", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3091, + "log.offset": 3049, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -959,17 +941,17 @@ "event.code": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-ntocca: 2018-1-27T5:21:06 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm.", + "event.original": "%NEXPOSE-ntocca: 2018-1-12T10:18:32 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3113, + "log.offset": 3071, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured", "rsa.internal.messageid": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", "rsa.misc.result_code": "exeacomm", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -983,7 +965,7 @@ "event.original": "%NEXPOSE-iadeseru: Adding ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3392, + "log.offset": 3351, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1001,7 +983,7 @@ "event.original": "%NEXPOSE-eosqui: iatquo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3419, + "log.offset": 3378, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1016,16 +998,16 @@ "event.code": "Establishing", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-iqu: Establishing 2018-3-11T2:28:49 quamqua", + "event.original": "%NEXPOSE-iqu: Establishing 2018-2-24T7:26:15 quamqua", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3443, + "log.offset": 3402, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "quamqua", "rsa.internal.messageid": "Establishing", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1036,16 +1018,16 @@ "event.code": "Deleted", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-diduntut: 2018/03/25T09:31:24 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut", + "event.original": "%NEXPOSE-diduntut: 2018/03/11T02:28:49 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3496, + "log.offset": 3455, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.db.index": "ntut", "rsa.internal.messageid": "Deleted", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1056,16 +1038,16 @@ "event.code": "Error", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-aturve: Error 2018-4-8T4:33:58 edqui", + "event.original": "%NEXPOSE-aturve: Error 2018-3-25T9:31:24 edqui", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3656, + "log.offset": 3615, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.db.index": "edqui", "rsa.internal.messageid": "Error", - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1079,7 +1061,7 @@ "event.original": "%NEXPOSE-Loremip: Requested: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3702, + "log.offset": 3662, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1094,16 +1076,16 @@ "event.code": "0.16", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-nge: 2018/05/07T06:39:06 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen", + "event.original": "%NEXPOSE-nge: 2018/04/22T23:36:32 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3732, + "log.offset": 3692, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.db.index": "moen", "rsa.internal.messageid": "0.16", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1117,7 +1099,7 @@ "event.original": "%NEXPOSE-tur: The: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3839, + "log.offset": 3799, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1132,12 +1114,12 @@ "event.code": "Renamed", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-mipsa: 2018-6-4T8:44:15 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex", + "event.original": "%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex", "event.outcome": "Success", "file.name": "abo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3859, + "log.offset": 3819, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1145,7 +1127,7 @@ "rsa.internal.messageid": "Renamed", "rsa.investigations.ec_activity": "Modify", "rsa.investigations.ec_outcome": "Success", - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1159,7 +1141,7 @@ "event.original": "%NEXPOSE-exerc: Retrieving ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 3976, + "log.offset": 3937, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1177,7 +1159,7 @@ "event.original": "%NEXPOSE-uaturQ: but: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4004, + "log.offset": 3965, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1192,15 +1174,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-dolor: 2018-7-17T5:51:58 [equunt] [Thread: mto] [Site: iae] Invocation ", + "event.original": "%NEXPOSE-dolor: 2018-7-3T10:49:23 [equunt] [Thread: mto] [Site: iae] Invocation ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4027, + "log.offset": 3988, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1214,7 +1196,7 @@ "event.original": "%NEXPOSE-magnido: mcolab", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4108, + "log.offset": 4069, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1232,7 +1214,7 @@ "event.original": "%NEXPOSE-tiumd: Dumping ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4133, + "log.offset": 4094, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1250,7 +1232,7 @@ "event.original": "%NEXPOSE-orisnis: umq", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4158, + "log.offset": 4119, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1265,15 +1247,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-intoc: 2018-9-12T10:02:15 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid", + "event.original": "%NEXPOSE-intoc: 2018-8-29T2:59:40 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4180, + "log.offset": 4141, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1287,7 +1269,7 @@ "event.original": "%NEXPOSE-uisno: enat", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4277, + "log.offset": 4237, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1305,7 +1287,7 @@ "event.original": "%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4298, + "log.offset": 4258, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1323,7 +1305,7 @@ "event.original": "%NEXPOSE-lupta: utla", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4372, + "log.offset": 4332, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1341,10 +1323,10 @@ "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-ntore: 2018-11-9T2:12:32 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept", + "event.original": "%NEXPOSE-ntore: 2018-10-25T7:09:57 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4393, + "log.offset": 4353, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1352,7 +1334,7 @@ "rsa.misc.action": [ "accept" ], - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", "service.name": "fld1", "service.type": "rapid7", "tags": [ @@ -1367,7 +1349,7 @@ "event.original": "%NEXPOSE-ostr: amcorp 0.49: iadolo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4514, + "log.offset": 4475, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1382,16 +1364,16 @@ "event.code": "loading", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-mali: 2018-12-7T4:17:40 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni", + "event.original": "%NEXPOSE-mali: 2018-11-23T9:15:06 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4549, + "log.offset": 4510, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "maveni", "rsa.internal.messageid": "loading", - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1402,16 +1384,16 @@ "event.code": "Closing", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-upt: 2018-12-21T11:20:14 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine.", + "event.original": "%NEXPOSE-upt: 2018-12-7T4:17:40 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4659, + "log.offset": 4621, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "Closing connection to scan engine", "rsa.internal.messageid": "Closing", - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1425,7 +1407,7 @@ "event.original": "%NEXPOSE-eosqu: reetdolo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4838, + "log.offset": 4798, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1440,15 +1422,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-ten: 2019-1-19T1:25:23 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel", + "event.original": "%NEXPOSE-ten: 2019-1-5T6:22:49 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4863, + "log.offset": 4823, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1462,7 +1444,7 @@ "event.original": "%NEXPOSE-Neq: rcita", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 4968, + "log.offset": 4927, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1477,18 +1459,16 @@ "event.code": "removing", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-quatD: 2019-2-17T3:30:32 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud ", + "event.original": "%NEXPOSE-quatD: 2019-2-2T8:27:57 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud", "fileset.name": "nexpose", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4988, + "log.offset": 4947, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", + "rsa.db.index": "laud", "rsa.internal.messageid": "removing", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1499,15 +1479,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-atquo: 2019-3-3T10:33:06 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape", + "event.original": "%NEXPOSE-atquo: 2019-2-17T3:30:32 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5109, + "log.offset": 5066, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1518,15 +1498,15 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-Malor: 2019-3-17T5:35:40 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown.", + "event.original": "%NEXPOSE-Malor: 2019-3-3T10:33:06 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5207, + "log.offset": 5164, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1537,16 +1517,16 @@ "event.code": "Setting", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-pta: 2019-4-1T12:38:14 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq", + "event.original": "%NEXPOSE-pta: 2019-3-17T5:35:40 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5391, + "log.offset": 5348, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.db.index": "isq", "rsa.internal.messageid": "Setting", - "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1560,7 +1540,7 @@ "event.original": "%NEXPOSE-ptate: oloreeu credentials: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5504, + "log.offset": 5461, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1578,7 +1558,7 @@ "event.original": "%NEXPOSE-iscinge: Populating ora", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5542, + "log.offset": 5499, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1596,7 +1576,7 @@ "event.original": "%NEXPOSE-orincidi: ScanEventHandler: cancel", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5575, + "log.offset": 5532, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1614,7 +1594,7 @@ "event.original": "%NEXPOSE-mSecti: Updating ius", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5619, + "log.offset": 5576, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1632,10 +1612,10 @@ "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-uunturm: 2019-6-11T11:51:06 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", + "event.original": "%NEXPOSE-uunturm: 2019-5-28T4:48:31 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5649, + "log.offset": 5606, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1643,7 +1623,7 @@ "rsa.misc.action": [ "allow" ], - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.name": "fld1", "service.type": "rapid7", "tags": [ 
@@ -1655,10 +1635,10 @@ "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-agn: Stopping eritinvo ", + "event.original": "%NEXPOSE-agn: Stopping eritinvo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5786, + "log.offset": 5742, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1676,10 +1656,10 @@ "event.code": "ConsoleScanImporter", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-uisaut: 2019-7-10T1:56:14 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", + "event.original": "%NEXPOSE-uisaut: 2019-6-25T6:53:40 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5819, + "log.offset": 5774, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1688,7 +1668,7 @@ "rsa.misc.action": [ "Shutting down" ], - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1702,7 +1682,7 @@ "event.original": "%NEXPOSE-ctobeat: common ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5940, + "log.offset": 5895, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1720,7 +1700,7 @@ "event.original": "%NEXPOSE-olab: remagnam Destroying: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5966, + "log.offset": 5921, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1738,7 +1718,7 @@ "event.original": "%NEXPOSE-adipi: idid Destroying: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6003, + "log.offset": 5958, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1753,17 +1733,17 @@ "event.code": "Job", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-lore: 2019-9-5T6:06:31 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", + "event.original": "%NEXPOSE-lore: 2019-8-21T11:03:57 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6037, + "log.offset": 5992, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.db.index": "stlaboru", "rsa.internal.event_desc": "Job execution threads will use class loader", "rsa.internal.messageid": "Job", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1774,17 +1754,17 @@ "event.code": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-mco: 2019-9-19T1:09:05 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", + "event.original": "%NEXPOSE-mco: 2019-9-5T6:06:31 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6201, + "log.offset": 6158, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", "rsa.internal.messageid": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", "rsa.misc.result_code": "uaer", - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1795,16 +1775,16 @@ "event.code": "Restarting", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-tenim: 2019-10-3T8:11:40 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono", + "event.original": "%NEXPOSE-tenim: 2019-9-19T1:09:05 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6465, + "log.offset": 6421, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.event_desc": "iono", "rsa.internal.messageid": "Restarting", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1818,7 +1798,7 @@ "event.original": "%NEXPOSE-tempori: sedquian", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6571, + "log.offset": 6527, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1836,7 +1816,7 @@ "event.original": "%NEXPOSE-umfu: No ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6598, + "log.offset": 6554, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1854,7 +1834,7 @@ "event.original": "%NEXPOSE-nisi: credentials: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6617, + "log.offset": 6573, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1872,7 +1852,7 @@ "event.original": "%NEXPOSE-ptate: tconsect", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6646, + "log.offset": 6602, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", 
@@ -1887,15 +1867,33 @@ "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-amqua: 2019-12-14T7:24:31 [isnost] [Thread: eaco] [Site: oremeu] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value uis.", + "event.original": "%NEXPOSE-amqua: 2019-11-30T12:21:57 [isnost] [Thread: eaco] [Site: oremeu] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value uis.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6671, + "log.offset": 6627, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-turmagni: iatur NEXPOSE_GENERIC: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6799, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", "service.type": "rapid7", "tags": [ "rapid7.nexpose", diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index 568883a78b8..ffa48704352 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-08 17:36:33.6155 +0000 UTC. +at 2020-07-08 18:28:05.966064 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js b/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js index c4e9696cd85..6be7d09fb3d 100644 
--- a/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js @@ -79,19 +79,19 @@ var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{si var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); -var dup27 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); +var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); -var dup28 = setc("eventcategory","1401050100"); +var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); -var dup29 = setc("eventcategory","1401030000"); +var dup29 = setc("eventcategory","1401050100"); -var dup30 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); +var dup30 = setc("eventcategory","1401030000"); -var dup31 = setc("eventcategory","1301020000"); +var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); -var dup32 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); +var dup32 = setc("eventcategory","1301020000"); -var dup33 = match("MESSAGE#52:35:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); +var dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); 
@@ -201,206 +201,209 @@ var dup83 = setc("eventcategory","1001020309"); var dup84 = setc("eventcategory","1303000000"); -var dup85 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); +var dup85 = setc("eventcategory","1801010100"); -var dup86 = setc("eventcategory","1801010100"); +var dup86 = setc("eventcategory","1604010000"); -var dup87 = setc("eventcategory","1604010000"); +var dup87 = setc("eventcategory","1002020000"); -var dup88 = setc("eventcategory","1002020000"); +var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); -var dup89 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); +var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); -var dup90 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); +var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); -var dup91 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); +var dup91 = setc("eventcategory","1001010000"); -var dup92 = setc("eventcategory","1001010000"); +var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); -var dup93 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); +var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); -var dup94 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); +var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); -var dup95 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); +var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); -var 
dup96 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); +var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); -var dup97 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); +var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); -var dup98 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); +var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); -var dup99 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); +var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); -var dup100 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); +var dup100 = setc("eventcategory","1401060000"); -var dup101 = setc("eventcategory","1401060000"); +var dup101 = setc("eventcategory","1804000000"); -var dup102 = setc("eventcategory","1804000000"); +var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var dup103 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var dup103 = setc("eventcategory","1401070000"); -var dup104 = setc("eventcategory","1401070000"); +var dup104 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var dup105 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); +var dup105 = setc("eventcategory","1801030000"); -var dup106 = setc("eventcategory","1801030000"); +var dup106 = setc("eventcategory","1402020300"); -var dup107 = setc("eventcategory","1402020300"); +var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); -var dup108 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); +var dup108 
= match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); -var dup109 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); +var dup109 = setc("eventcategory","1402000000"); -var dup110 = setc("eventcategory","1402000000"); +var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); -var dup111 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); +var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); -var dup112 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); +var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var dup113 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); +var dup113 = setc("eventcategory","1803020000"); -var dup114 = setc("eventcategory","1803020000"); +var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); -var dup115 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); +var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); -var dup116 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); +var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup117 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); -var dup118 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); +var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var dup119 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", 
"msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); -var dup120 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); +var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); -var dup121 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); +var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); -var dup122 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); +var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); -var dup123 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); +var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); -var dup124 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); +var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var dup125 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); -var dup126 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); +var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); -var dup127 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); +var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); -var dup128 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} 
%{p0}"); +var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); -var dup129 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); +var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); -var dup130 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); +var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); -var dup131 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); -var dup132 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); +var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); -var dup133 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); +var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); -var dup135 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); +var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); -var dup136 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); +var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); -var dup137 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); -var dup138 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); +var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", 
"%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var dup139 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); -var dup140 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); +var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); -var dup141 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); +var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); -var dup142 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); +var dup142 = setc("event_description","Connection Closed"); -var dup143 = setc("event_description","Connection Closed"); +var dup143 = setc("eventcategory","1801020000"); -var dup144 = setc("eventcategory","1801020000"); +var dup144 = setc("ec_activity","Permit"); -var dup145 = setc("ec_activity","Permit"); +var dup145 = setc("action","allowed"); -var dup146 = setc("action","allowed"); +var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var dup147 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var dup148 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); -var dup149 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); +var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); -var dup150 = 
match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); +var dup150 = setc("eventcategory","1001030500"); -var dup151 = setc("eventcategory","1001030500"); +var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); -var dup152 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); +var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var dup153 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var dup154 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup155 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); -var dup156 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); +var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); -var dup157 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); +var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); -var dup158 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); +var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); -var dup159 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); +var dup159 = setc("eventcategory","1801010000"); -var dup160 = setc("eventcategory","1801010000"); +var dup160 = 
match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); -var dup161 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); +var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup162 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var dup162 = setc("eventcategory","1003010000"); -var dup163 = setc("eventcategory","1003010000"); +var dup163 = setc("eventcategory","1609000000"); -var dup164 = setc("eventcategory","1609000000"); +var dup164 = setc("eventcategory","1204000000"); -var dup165 = setc("eventcategory","1204000000"); +var dup165 = setc("eventcategory","1602000000"); -var dup166 = setc("eventcategory","1602000000"); +var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var dup167 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); +var dup167 = setc("eventcategory","1803000000"); -var dup168 = setc("eventcategory","1803000000"); +var dup168 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var dup169 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); -var dup170 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); -var dup171 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var dup172 = match("MESSAGE#461:1220/4", "nwparser.p0", 
"%{}\"%{info}\" fw_action=\"%{action}\""); +var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); -var dup173 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); -var dup174 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - -var dup175 = linear_select([ +var dup174 = linear_select([ dup8, dup9, ]); -var dup176 = linear_select([ +var dup175 = linear_select([ dup15, dup16, ]); -var dup177 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup23, ])); -var dup178 = linear_select([ +var dup177 = linear_select([ dup25, dup26, ]); +var dup178 = linear_select([ + dup27, + dup28, +]); + var dup179 = linear_select([ dup34, dup35, 
@@ -450,186 +453,181 @@ var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=% ])); var dup189 = linear_select([ - dup33, - dup85, -]); - -var dup190 = linear_select([ + dup88, dup89, - dup90, ]); -var dup191 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup5, ])); -var dup192 = linear_select([ +var dup191 = linear_select([ + dup92, dup93, - dup94, ]); -var dup193 = linear_select([ +var dup192 = linear_select([ + dup96, dup97, - dup98, ]); -var dup194 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup88, +var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, ])); -var dup195 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup88, +var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, ])); -var dup196 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var dup197 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} 
src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var dup198 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ +var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup23, ])); -var dup199 = linear_select([ +var dup198 = linear_select([ dup66, - dup109, + dup108, ]); -var dup200 = linear_select([ +var dup199 = linear_select([ + dup110, dup111, - dup112, ]); -var dup201 = linear_select([ - dup116, +var dup200 = linear_select([ + dup115, dup45, ]); -var dup202 = linear_select([ +var dup201 = linear_select([ dup8, dup26, ]); -var dup203 = linear_select([ +var dup202 = linear_select([ dup8, dup25, dup39, ]); -var dup204 = linear_select([ +var dup203 = linear_select([ dup71, dup15, dup16, ]); -var dup205 = linear_select([ +var dup204 = linear_select([ + dup121, dup122, - dup123, ]); -var dup206 = linear_select([ +var dup205 = linear_select([ dup68, dup69, dup74, ]); -var dup207 = linear_select([ +var dup206 = linear_select([ + dup127, dup128, - dup129, ]); -var dup208 = linear_select([ +var dup207 = linear_select([ dup41, dup42, - dup135, + dup134, ]); -var dup209 = linear_select([ +var dup208 = linear_select([ + dup135, dup136, - dup137, ]); -var dup210 = linear_select([ +var dup209 = linear_select([ + dup138, dup139, - dup140, ]); -var dup211 = linear_select([ +var dup210 = linear_select([ + dup140, dup141, - dup142, ]); -var dup212 = linear_select([ +var dup211 = linear_select([ dup49, - dup149, + dup148, ]); -var dup213 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup151, +var dup212 = match("MESSAGE#365:710", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, ])); -var dup214 = linear_select([ - dup153, +var dup213 = linear_select([ + dup152, dup40, ]); -var dup215 = linear_select([ +var dup214 = linear_select([ + dup154, dup155, - dup156, ]); -var dup216 = linear_select([ +var dup215 = linear_select([ + dup156, dup157, - dup158, ]); -var dup217 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ dup5, ])); -var dup218 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ +var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ dup5, ])); -var dup219 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, dup23, ])); -var dup220 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup23, ])); -var dup221 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ +var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} 
n=%{fld1}", processor_chain([ dup1, dup23, ])); -var dup222 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup164, +var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, dup37, ])); -var dup223 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ +var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); -var dup224 = linear_select([ +var dup223 = linear_select([ + dup169, dup170, - dup171, ]); -var dup225 = linear_select([ +var dup224 = linear_select([ + dup172, dup173, - dup174, ]); -var dup226 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, dup54, dup17, 
@@ -640,153 +638,140 @@ var dup226 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_descrip dup37, ])); -var dup227 = all_match({ +var dup226 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup176, - dup27, + dup178, ], on_success: processor_chain([ - dup29, + dup30, ]), }); -var dup228 = all_match({ +var dup227 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup86, + dup85, ]), }); -var dup229 = all_match({ +var dup228 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ dup59, ]), }); -var dup230 = all_match({ +var dup229 = all_match({ processors: [ - dup96, - dup193, + dup95, + dup192, ], on_success: processor_chain([ dup59, ]), }); -var dup231 = all_match({ +var dup230 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup101, + dup100, ]), }); -var dup232 = all_match({ +var dup231 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ dup29, ]), }); -var dup233 = all_match({ +var dup232 = all_match({ processors: [ - dup30, - dup178, + dup102, + dup177, dup10, - dup189, - ], - on_success: processor_chain([ - dup28, - ]), -}); - -var dup234 = all_match({ - processors: [ - dup103, dup178, - dup10, - dup189, ], on_success: processor_chain([ - dup104, + dup103, ]), }); -var dup235 = all_match({ +var dup233 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup107, + dup106, ]), }); -var dup236 = all_match({ +var dup234 = all_match({ processors: [ - dup108, - dup199, + dup107, + dup198, ], on_success: processor_chain([ - dup88, + dup87, ]), }); -var dup237 = all_match({ +var dup235 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, 
dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup110, + dup109, ]), }); -var dup238 = all_match({ +var dup236 = all_match({ processors: [ dup44, dup179, dup36, - dup189, + dup178, ], on_success: processor_chain([ dup5, ]), }); -var dup239 = all_match({ +var dup237 = all_match({ processors: [ dup80, - dup178, + dup177, dup10, - dup176, + dup175, dup79, ], on_success: processor_chain([ @@ -794,17 +779,17 @@ var dup239 = all_match({ ]), }); -var dup240 = all_match({ +var dup238 = all_match({ processors: [ - dup152, + dup151, + dup213, + dup153, dup214, - dup154, dup215, - dup216, - dup159, + dup158, ], on_success: processor_chain([ - dup151, + dup150, dup51, dup52, dup53, @@ -819,26 +804,26 @@ var dup240 = all_match({ ]), }); -var dup241 = all_match({ +var dup239 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup192, - dup95, + dup191, + dup94, ], on_success: processor_chain([ dup1, ]), }); -var dup242 = all_match({ +var dup240 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup1, @@ -1008,7 +993,7 @@ var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category= var all2 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, select6, part19, @@ -1127,7 +1112,7 @@ var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); var all3 = all_match({ processors: [ part33, - dup176, + dup175, dup10, select8, part36, @@ -1190,7 +1175,7 @@ var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in var msg32 = msg("24", part42); -var msg33 = msg("24:01", dup177); +var msg33 = msg("24:01", dup176); var select11 = linear_select([ msg32, @@ -1243,13 +1228,12 @@ var part49 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" var all5 = all_match({ processors: [ part49, - dup178, + dup177, dup10, - dup176, - dup27, + dup178, ], on_success: processor_chain([ - dup28, + dup29, ]), }); 
@@ -1261,12 +1245,12 @@ var select13 = linear_select([ ]); var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup29, + dup30, ])); var msg41 = msg("30", part50); -var msg42 = msg("30:01", dup227); +var msg42 = msg("30:01", dup226); var select14 = linear_select([ msg41, @@ -1281,11 +1265,10 @@ var msg43 = msg("31", part51); var all6 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup176, - dup27, + dup178, ], on_success: processor_chain([ dup24, @@ -1324,12 +1307,12 @@ var select15 = linear_select([ ]); var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ - dup29, + dup30, ])); var msg48 = msg("32", part55); -var msg49 = msg("32:01", dup227); +var msg49 = msg("32:01", dup226); var select16 = linear_select([ msg48, @@ -1337,21 +1320,20 @@ var select16 = linear_select([ ]); var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup31, + dup32, ])); var msg50 = msg("33", part56); var all7 = all_match({ processors: [ - dup32, - dup178, + dup33, + dup177, dup10, - dup176, - dup27, + dup178, ], on_success: processor_chain([ - dup29, + dup30, ]), }); @@ -1377,14 +1359,14 @@ var msg53 = msg("35", part58); var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); var select18 = linear_select([ - dup33, + dup27, part59, ]); var all8 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, select18, ], @@ -1435,7 +1417,7 @@ var all9 = all_match({ select20, dup179, dup36, - dup176, + dup175, dup10, select21, ], @@ -1463,7 +1445,7 @@ var all10 = all_match({ dup38, dup180, dup10, - dup176, + dup175, dup10, select22, part69, @@ -1544,7 +1526,7 @@ var msg60 = msg("37:02", part79); var all12 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, dup181, dup43, 
@@ -1589,7 +1571,7 @@ var all13 = all_match({ dup44, dup179, dup36, - dup176, + dup175, dup10, select28, ], @@ -1605,7 +1587,7 @@ var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode= var all14 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, dup182, part83, @@ -1780,7 +1762,7 @@ var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast p var all16 = all_match({ processors: [ part102, - dup175, + dup174, dup10, dup181, dup43, @@ -1908,11 +1890,10 @@ var msg98 = msg("67", part119); var all17 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup176, - dup27, + dup178, ], on_success: processor_chain([ dup58, @@ -2250,7 +2231,7 @@ var all21 = all_match({ dup65, dup179, dup36, - dup176, + dup175, part160, select46, dup10, @@ -2270,7 +2251,7 @@ var all22 = all_match({ dup65, dup179, dup36, - dup176, + dup175, part164, ], on_success: processor_chain([ @@ -2298,7 +2279,7 @@ var all23 = all_match({ dup67, dup179, dup36, - dup176, + dup175, part165, select48, part168, @@ -2328,7 +2309,7 @@ var all24 = all_match({ dup67, dup179, dup36, - dup176, + dup175, part169, select49, part172, @@ -2347,7 +2328,7 @@ var all25 = all_match({ dup65, dup179, dup36, - dup176, + dup175, part173, ], on_success: processor_chain([ @@ -2651,9 +2632,9 @@ var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" s var all31 = all_match({ processors: [ part213, - dup178, + dup177, dup10, - dup176, + dup175, dup79, ], on_success: processor_chain([ @@ -2689,9 +2670,9 @@ var part216 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol-> var all33 = all_match({ processors: [ dup7, - dup178, + dup177, dup10, - dup176, + dup175, part216, ], on_success: processor_chain([ 
@@ -2706,9 +2687,9 @@ var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol-> var all34 = all_match({ processors: [ dup7, - dup178, + dup177, dup10, - dup176, + dup175, part217, ], on_success: processor_chain([ @@ -2730,7 +2711,7 @@ var select65 = linear_select([ ]); var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup29, + dup30, dup11, ])); @@ -2741,9 +2722,9 @@ var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_descr var all35 = all_match({ processors: [ dup80, - dup178, + dup177, dup10, - dup176, + dup175, part219, ], on_success: processor_chain([ @@ -3064,10 +3045,10 @@ var msg203 = msg("139", part264); var all37 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ setc("eventcategory","1801020100"), @@ -3081,9 +3062,9 @@ var select68 = linear_select([ msg204, ]); -var msg205 = msg("140", dup228); +var msg205 = msg("140", dup227); -var msg206 = msg("141", dup228); +var msg206 = msg("141", dup227); var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ dup1, @@ -3117,13 +3098,13 @@ var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has var msg211 = msg("145", part269); var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup87, + dup86, ])); var msg212 = msg("146", part270); var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup87, + dup86, ])); var msg213 = msg("147", part271); 
@@ -3178,18 +3159,18 @@ var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Y var msg221 = msg("154", part279); var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup87, + dup86, ])); var msg222 = msg("155", part280); var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup87, + dup86, ])); var msg223 = msg("156", part281); -var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ dup1, ])); @@ -3207,7 +3188,7 @@ var select69 = linear_select([ ]); var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup87, + dup86, ])); var msg226 = msg("158", part284); @@ -3231,7 +3212,7 @@ var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentica var msg229 = msg("161", part287); var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ - dup31, + dup32, ])); var msg230 = msg("162", part288); @@ -3291,13 +3272,13 @@ var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN sca var msg239 = msg("171", part297); var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup88, + dup87, ])); var msg240 = msg("171:01", part298); var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ - dup88, + dup87, ])); var msg241 = msg("171:02", part299); 
@@ -3307,13 +3288,13 @@ var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" var all38 = all_match({ processors: [ part300, - dup175, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ - dup88, + dup87, ]), }); @@ -3358,9 +3339,9 @@ var msg246 = msg("174", part304); var all39 = all_match({ processors: [ dup80, - dup178, + dup177, dup10, - dup176, + dup175, dup79, ], on_success: processor_chain([ @@ -3375,7 +3356,7 @@ var all40 = all_match({ dup44, dup179, dup36, - dup189, + dup178, ], on_success: processor_chain([ dup12, @@ -3387,7 +3368,7 @@ var msg248 = msg("174:02", all40); var all41 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, dup181, dup43, @@ -3431,26 +3412,26 @@ var select73 = linear_select([ ]); var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup88, + dup87, ])); var msg253 = msg("176", part308); var msg254 = msg("177", dup185); -var msg255 = msg("178", dup191); +var msg255 = msg("178", dup190); var msg256 = msg("179", dup185); var all42 = all_match({ processors: [ - dup32, - dup178, + dup33, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup92, + dup91, ]), }); @@ -3459,13 +3440,13 @@ var msg257 = msg("180", all42); var all43 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup192, - dup95, + dup191, + dup94, ], on_success: processor_chain([ - dup92, + dup91, ]), }); @@ -3481,10 +3462,10 @@ var msg259 = msg("181", dup184); var all44 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup62, 
@@ -3498,18 +3479,18 @@ var select75 = linear_select([ msg260, ]); -var msg261 = msg("193", dup229); +var msg261 = msg("193", dup228); -var msg262 = msg("194", dup230); +var msg262 = msg("194", dup229); -var msg263 = msg("195", dup230); +var msg263 = msg("195", dup229); var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); var select76 = linear_select([ - dup99, + dup98, part310, ]); @@ -3517,7 +3498,7 @@ var all45 = all_match({ processors: [ part309, select76, - dup100, + dup99, ], on_success: processor_chain([ dup1, @@ -3529,15 +3510,15 @@ var msg264 = msg("196", all45); var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); var select77 = linear_select([ - dup99, + dup98, part311, ]); var all46 = all_match({ processors: [ - dup96, + dup95, select77, - dup100, + dup99, ], on_success: processor_chain([ dup1, @@ -3551,12 +3532,12 @@ var select78 = linear_select([ msg265, ]); -var msg266 = msg("199", dup231); +var msg266 = msg("199", dup230); -var msg267 = msg("200", dup232); +var msg267 = msg("200", dup226); var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup28, + dup29, ])); var msg268 = msg("235:02", part312); @@ -3566,18 +3547,18 @@ var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" var all47 = all_match({ processors: [ part313, - dup178, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup28, + dup29, ]), }); var msg269 = msg("235", all47); -var msg270 = msg("235:01", dup233); +var msg270 = msg("235:01", dup231); var select79 = linear_select([ msg268, 
@@ -3585,20 +3566,20 @@ var select79 = linear_select([ msg270, ]); -var msg271 = msg("236", dup233); +var msg271 = msg("236", dup231); -var msg272 = msg("237", dup231); +var msg272 = msg("237", dup230); -var msg273 = msg("238", dup231); +var msg273 = msg("238", dup230); var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup102, + dup101, ])); var msg274 = msg("239", part314); var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup102, + dup101, ])); var msg275 = msg("240", part315); @@ -3637,7 +3618,7 @@ var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} " var select82 = linear_select([ part320, part321, - dup85, + dup28, ]); var all48 = all_match({ 
@@ -3654,143 +3635,139 @@ var all48 = all_match({ var msg278 = msg("242", all48); -var msg279 = msg("252", dup194); +var msg279 = msg("252", dup193); -var msg280 = msg("255", dup194); +var msg280 = msg("255", dup193); -var msg281 = msg("257", dup194); +var msg281 = msg("257", dup193); -var msg282 = msg("261:01", dup234); +var msg282 = msg("261:01", dup232); -var msg283 = msg("261", dup194); +var msg283 = msg("261", dup193); var select83 = linear_select([ msg282, msg283, ]); -var msg284 = msg("262", dup234); +var msg284 = msg("262", dup232); var all49 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg285 = msg("273", all49); -var msg286 = msg("328", dup235); - -var msg287 = msg("329", dup232); +var msg286 = msg("328", dup233); -var msg288 = msg("346", dup194); +var msg287 = msg("329", dup226); -var msg289 = msg("350", dup194); +var msg288 = msg("346", dup193); -var msg290 = msg("351", dup194); +var msg289 = msg("350", dup193); -var msg291 = msg("352", dup194); +var msg290 = msg("351", dup193); -var part322 = match("MESSAGE#290:353:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, -])); +var msg291 = msg("352", dup193); -var msg292 = msg("353:01", part322); +var msg292 = msg("353:01", dup190); -var part323 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ +var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup5, ])); -var msg293 = msg("353", part323); +var msg293 = msg("353", part322); var select84 = linear_select([ msg292, msg293, ]); -var part324 = match("MESSAGE#292:354", "nwparser.payload", 
"msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ +var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup1, ])); -var msg294 = msg("354", part324); +var msg294 = msg("354", part323); -var msg295 = msg("355", dup195); +var msg295 = msg("355", dup194); -var msg296 = msg("355:01", dup194); +var msg296 = msg("355:01", dup193); var select85 = linear_select([ msg295, msg296, ]); -var msg297 = msg("356", dup196); +var msg297 = msg("356", dup195); -var part325 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name->} ", processor_chain([ - dup88, +var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup87, ])); -var msg298 = msg("357", part325); +var msg298 = msg("357", part324); -var part326 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup88, +var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, ])); -var msg299 = msg("357:01", part326); +var msg299 = msg("357:01", part325); var select86 = linear_select([ msg298, msg299, ]); -var msg300 = msg("358", dup197); +var msg300 = msg("358", dup196); -var part327 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ +var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ 
setc("eventcategory","1503000000"), ])); -var msg301 = msg("371", part327); +var msg301 = msg("371", part326); -var msg302 = msg("371:01", dup198); +var msg302 = msg("371:01", dup197); var select87 = linear_select([ msg301, msg302, ]); -var msg303 = msg("372", dup194); +var msg303 = msg("372", dup193); -var msg304 = msg("373", dup196); +var msg304 = msg("373", dup195); -var msg305 = msg("401", dup236); +var msg305 = msg("401", dup234); -var msg306 = msg("402", dup236); +var msg306 = msg("402", dup234); -var msg307 = msg("406", dup197); +var msg307 = msg("406", dup196); -var part328 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var msg308 = msg("413", part328); +var msg308 = msg("413", part327); -var msg309 = msg("414", dup194); +var msg309 = msg("414", dup193); -var msg310 = msg("438", dup237); +var msg310 = msg("438", dup235); -var msg311 = msg("439", dup237); +var msg311 = msg("439", dup235); var all50 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ setc("eventcategory","1501020000"), @@ -3801,10 +3778,10 @@ var msg312 = msg("440", all50); var all51 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ setc("eventcategory","1502050000"), 
@@ -3813,11 +3790,11 @@ var all51 = all_match({ var msg313 = msg("441", all51); -var part329 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ +var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ setc("eventcategory","1001020000"), ])); -var msg314 = msg("441:01", part329); +var msg314 = msg("441:01", part328); var select88 = linear_select([ msg313, @@ -3826,10 +3803,10 @@ var select88 = linear_select([ var all52 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ setc("eventcategory","1501030000"), @@ -3838,26 +3815,26 @@ var all52 = all_match({ var msg315 = msg("442", all52); -var part330 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); +var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); -var part331 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); +var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); -var part332 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); +var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); var select89 = linear_select([ + part330, part331, - part332, ]); -var part333 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all53 = all_match({ processors: [ - part330, + part329, select89, - part333, - dup200, - dup113, + part332, + dup199, + dup112, ], on_success: processor_chain([ dup59, 
@@ -3873,8 +3850,8 @@ var all53 = all_match({ var msg316 = msg("446", all53); -var part334 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup114, +var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup113, dup51, dup52, dup53, @@ -3888,17 +3865,17 @@ var part334 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_descri dup21, ])); -var msg317 = msg("477", part334); +var msg317 = msg("477", part333); var all54 = all_match({ processors: [ dup80, - dup178, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup28, + dup29, ]), }); @@ -3906,31 +3883,31 @@ var msg318 = msg("509", all54); var all55 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup104, + dup103, ]), }); var msg319 = msg("520", all55); -var msg320 = msg("522", dup238); +var msg320 = msg("522", dup236); -var part335 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); +var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); -var part336 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); +var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); var all56 = all_match({ processors: [ - part335, + part334, dup179, - part336, - dup176, - dup115, + part335, + dup175, + dup114, ], on_success: processor_chain([ dup5, 
@@ -3939,10 +3916,10 @@ var all56 = all_match({ var msg321 = msg("522:01", all56); -var part337 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); +var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); var select90 = linear_select([ - part337, + part336, dup39, ]); @@ -3951,8 +3928,8 @@ var all57 = all_match({ dup38, select90, dup10, - dup176, - dup115, + dup175, + dup114, ], on_success: processor_chain([ dup5, @@ -3967,16 +3944,16 @@ var select91 = linear_select([ msg322, ]); -var msg323 = msg("523", dup238); +var msg323 = msg("523", dup236); var all58 = all_match({ processors: [ dup80, - dup178, + dup177, dup10, - dup176, + dup175, dup10, - dup201, + dup200, ], on_success: processor_chain([ dup1, @@ -3985,24 +3962,24 @@ var all58 = all_match({ var msg324 = msg("524", all58); -var part338 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); +var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); -var part339 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); +var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); var select92 = linear_select([ + part337, part338, - part339, ]); var all59 = all_match({ processors: [ dup7, - dup178, + dup177, dup10, - dup176, + dup175, dup10, select92, - dup91, + dup90, ], on_success: processor_chain([ dup1, 
@@ -4011,24 +3988,24 @@ var all59 = all_match({ var msg325 = msg("524:01", all59); -var part340 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); +var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); -var part341 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); +var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); -var part342 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); +var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); var select93 = linear_select([ + part340, part341, - part342, ]); -var part343 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); +var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); var all60 = all_match({ processors: [ - part340, + part339, select93, - part343, + part342, ], on_success: processor_chain([ dup6, 
@@ -4044,21 +4021,21 @@ var select94 = linear_select([ msg326, ]); -var msg327 = msg("526", dup239); +var msg327 = msg("526", dup237); -var part344 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); +var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); var select95 = linear_select([ dup25, - part344, + part343, dup39, ]); -var part345 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); +var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); var select96 = linear_select([ - dup33, - part345, + dup27, + part344, ]); var all61 = all_match({ @@ -4078,10 +4055,10 @@ var msg328 = msg("526:01", all61); var all62 = all_match({ processors: [ dup7, - dup202, + dup201, dup10, - dup176, - dup115, + dup175, + dup114, ], on_success: processor_chain([ dup1, 
@@ -4090,26 +4067,26 @@ var all62 = all_match({ var msg329 = msg("526:02", all62); -var part346 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, ])); -var msg330 = msg("526:03", part346); +var msg330 = msg("526:03", part345); -var part347 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, ])); -var msg331 = msg("526:04", part347); +var msg331 = msg("526:04", part346); -var part348 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" 
app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, ])); -var msg332 = msg("526:05", part348); +var msg332 = msg("526:05", part347); var select97 = linear_select([ msg327, 
@@ -4120,114 +4097,114 @@ var select97 = linear_select([ msg332, ]); -var part349 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); +var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); -var part350 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); +var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); -var part351 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); +var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); var select98 = linear_select([ + part349, part350, - part351, ]); var all63 = all_match({ processors: [ - dup117, - dup203, + dup116, + dup202, dup10, - dup204, - part349, + dup203, + part348, select98, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg333 = msg("537:01", all63); -var part352 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); +var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); var all64 = all_match({ processors: [ - dup117, - dup203, + dup116, + dup202, dup10, - dup204, - part352, + dup203, + part351, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg334 = msg("537:02", all64); var select99 = linear_select([ + dup117, dup118, dup119, dup120, - dup121, ]); -var part353 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part354 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); +var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); var select100 = linear_select([ - dup124, + dup123, + part352, part353, - part354, ]); -var part355 = match("MESSAGE#332:537:08/4", 
"nwparser.p0", "%{} %{smacaddr->} %{p0}"); +var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); var select101 = linear_select([ + dup124, dup125, - dup126, ]); -var part356 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); +var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); -var part357 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); +var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); var select102 = linear_select([ + part355, part356, - part357, ]); -var part358 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); +var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); -var part359 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); -var part360 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); +var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); -var part361 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); +var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); -var part362 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); +var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); var select103 = linear_select([ + part357, part358, part359, part360, part361, - part362, ]); var all65 = all_match({ processors: [ select99, + dup204, dup205, - dup206, select100, - part355, + part354, select101, select102, select103, ], on_success: processor_chain([ - dup106, + dup105, dup11, dup17, 
dup18, @@ -4240,43 +4217,43 @@ var all65 = all_match({ var msg335 = msg("537:08", all65); var select104 = linear_select([ - dup119, dup118, + dup117, + dup119, dup120, - dup121, ]); -var part363 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); +var part362 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); -var part364 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); +var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); var select105 = linear_select([ - dup127, + dup126, + part362, part363, - part364, ]); -var part365 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); var select106 = linear_select([ + dup129, dup130, dup131, dup132, - dup133, ]); var all66 = all_match({ processors: [ select104, + dup204, dup205, - dup206, select105, - part365, - dup207, + part364, + dup206, select106, ], on_success: processor_chain([ - dup106, + dup105, dup11, dup17, dup18, 
@@ -4288,48 +4265,48 @@ var all66 = all_match({ var msg336 = msg("537:09", all66); -var part366 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); var select107 = linear_select([ - dup118, - part366, + dup117, + part365, + dup119, dup120, - dup121, ]); -var part367 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var part368 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); +var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); var select108 = linear_select([ + part366, part367, - part368, + dup124, dup125, - dup126, ]); -var part369 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); +var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); var select109 = linear_select([ + dup129, dup130, dup131, + part368, dup132, - part369, - dup133, ]); var all67 = all_match({ processors: [ select107, + dup204, dup205, - dup206, dup186, select108, - dup207, + dup206, select109, ], on_success: processor_chain([ - dup106, + dup105, dup11, dup17, dup18, 
@@ -4341,137 +4318,137 @@ var all67 = all_match({ var msg337 = msg("537:07", all67); -var part370 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); +var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); -var part371 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); +var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); var select110 = linear_select([ + part369, part370, - part371, ]); -var part372 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); +var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); -var part373 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); +var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); -var part374 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); +var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); -var part375 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); +var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); -var part376 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); +var part375 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); var select111 = linear_select([ + part372, part373, part374, part375, - part376, ]); -var part377 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); +var part376 = 
match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); -var part378 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); +var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); -var part379 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); +var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); -var part380 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); +var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); -var part381 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); +var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); var select112 = linear_select([ + part376, part377, part378, part379, part380, - part381, ]); var all68 = all_match({ processors: [ dup48, select110, - part372, - dup203, + part371, + dup202, select111, select112, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg338 = msg("537", all68); -var part382 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); +var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); var all69 = all_match({ processors: [ - dup134, + dup133, dup180, dup10, - dup208, - part382, + dup207, + part381, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg339 = msg("537:04", all69); -var part383 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); +var part382 = 
match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); -var part384 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); +var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); -var part385 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); +var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); var select113 = linear_select([ + part383, part384, - part385, ]); var all70 = all_match({ processors: [ - dup134, + dup133, dup180, dup10, - dup208, - part383, + dup207, + part382, select113, - dup91, + dup90, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg340 = msg("537:05", all70); -var part386 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); +var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); -var part387 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); +var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); -var part388 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); +var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); var select114 = linear_select([ - dup127, + dup126, + part386, part387, - part388, ]); -var part389 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); +var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all71 = all_match({ processors: [ - part386, + part385, + dup208, + dup137, 
dup209, - dup138, - dup210, select114, - part389, - dup211, + part388, + dup210, ], on_success: processor_chain([ - dup106, + dup105, dup11, dup17, dup18, 
@@ -4483,71 +4460,71 @@ var all71 = all_match({ var msg341 = msg("537:10", all71); -var part390 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); +var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); -var part391 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part392 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); +var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); var select115 = linear_select([ dup77, + part390, part391, - part392, ]); -var part393 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); +var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all72 = all_match({ processors: [ - part390, + part389, + dup208, + dup137, dup209, - dup138, - dup210, select115, - part393, - dup211, + part392, + dup210, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg342 = msg("537:03", all72); -var part394 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); +var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); var all73 = all_match({ processors: [ - dup134, + dup133, dup180, dup10, - dup208, - part394, + dup207, + part393, ], on_success: processor_chain([ - dup106, + dup105, ]), }); var msg343 = msg("537:06", all73); -var part395 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup106, +var part394 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, dup54, dup11, - dup143, + dup142, ])); -var msg344 = msg("537:11", part395); +var msg344 = msg("537:11", part394); -var part396 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup106, +var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, dup54, dup11, - dup143, + dup142, ])); -var msg345 = msg("537:12", part396); +var msg345 = msg("537:12", part395); var select116 = linear_select([ msg333, 
@@ -4565,18 +4542,18 @@ var select116 = linear_select([ msg345, ]); -var msg346 = msg("538", dup229); +var msg346 = msg("538", dup228); -var msg347 = msg("549", dup232); +var msg347 = msg("549", dup226); -var msg348 = msg("557", dup232); +var msg348 = msg("557", dup226); var all74 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ setc("eventcategory","1402020200"), @@ -4585,18 +4562,18 @@ var all74 = all_match({ var msg349 = msg("558", all74); -var msg350 = msg("561", dup235); +var msg350 = msg("561", dup233); -var msg351 = msg("562", dup235); +var msg351 = msg("562", dup233); -var msg352 = msg("563", dup235); +var msg352 = msg("563", dup233); var all75 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ setc("eventcategory","1402020400"), @@ -4605,14 +4582,14 @@ var all75 = all_match({ var msg353 = msg("583", all75); -var part397 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup144, +var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup143, dup51, - dup145, + dup144, dup53, dup54, dup11, - dup146, + dup145, dup17, dup18, dup19, 
@@ -4620,23 +4597,23 @@ var part397 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_des dup21, ])); -var msg354 = msg("597:01", part397); +var msg354 = msg("597:01", part396); -var part398 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ +var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ dup1, ])); -var msg355 = msg("597:02", part398); +var msg355 = msg("597:02", part397); -var part399 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); var all76 = all_match({ processors: [ - part399, + part398, dup187, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup1, @@ -4651,19 +4628,19 @@ var select117 = linear_select([ msg356, ]); -var part400 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ +var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ dup1, ])); -var msg357 = msg("598", part400); +var msg357 = msg("598", part399); -var part401 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); +var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); var all77 = all_match({ processors: [ - dup147, + dup146, dup182, - part401, + part400, ], on_success: processor_chain([ dup1, 
@@ -4674,9 +4651,9 @@ var msg358 = msg("598:01", all77); var all78 = all_match({ processors: [ - dup147, - dup190, - dup91, + dup146, + dup189, + dup90, ], on_success: processor_chain([ dup1, @@ -4691,14 +4668,14 @@ var select118 = linear_select([ msg359, ]); -var part402 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup144, +var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup143, dup51, - dup145, + dup144, dup53, dup54, dup11, - dup146, + dup145, dup17, dup18, dup19, @@ -4706,16 +4683,16 @@ var part402 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_des dup21, ])); -var msg360 = msg("602:01", part402); +var msg360 = msg("602:01", part401); -var msg361 = msg("602:02", dup239); +var msg361 = msg("602:02", dup237); var all79 = all_match({ processors: [ dup7, - dup178, + dup177, dup10, - dup176, + dup175, dup79, ], on_success: processor_chain([ @@ -4731,18 +4708,18 @@ var select119 = linear_select([ msg362, ]); -var msg363 = msg("605", dup197); +var msg363 = msg("605", dup196); var all80 = all_match({ processors: [ - dup148, - dup212, - dup150, - dup200, - dup113, + dup147, + dup211, + dup149, + dup199, + dup112, ], on_success: processor_chain([ - dup88, + dup87, dup54, dup17, dup82, 
@@ -4755,49 +4732,49 @@ var all80 = all_match({ var msg364 = msg("606", all80); -var part403 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); +var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); -var part404 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); +var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); -var part405 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); +var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); var select120 = linear_select([ + part403, part404, - part405, ]); -var part406 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); +var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); -var part407 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); +var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); -var part408 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); +var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); var select121 = linear_select([ + part406, part407, - part408, ]); -var part409 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); +var part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); -var part410 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); +var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); -var part411 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); +var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); -var part412 = 
match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); +var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); var select122 = linear_select([ + part409, part410, part411, - part412, ]); var all81 = all_match({ processors: [ - part403, + part402, select120, - part406, + part405, select121, - part409, + part408, select122, ], on_success: processor_chain([ @@ -4808,26 +4785,26 @@ var all81 = all_match({ var msg365 = msg("608", all81); -var msg366 = msg("616", dup195); +var msg366 = msg("616", dup194); -var msg367 = msg("658", dup191); +var msg367 = msg("658", dup190); -var msg368 = msg("710", dup213); +var msg368 = msg("710", dup212); -var msg369 = msg("712:02", dup240); +var msg369 = msg("712:02", dup238); -var msg370 = msg("712", dup213); +var msg370 = msg("712", dup212); var all82 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup192, - dup95, + dup191, + dup94, ], on_success: processor_chain([ - dup151, + dup150, ]), }); @@ -4839,7 +4816,7 @@ var select123 = linear_select([ msg371, ]); -var part413 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ +var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ dup5, dup51, dup52, 
@@ -4854,13 +4831,13 @@ var part413 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_des dup21, ])); -var msg372 = msg("713:01", part413); +var msg372 = msg("713:01", part412); -var msg373 = msg("713:04", dup240); +var msg373 = msg("713:04", dup238); -var msg374 = msg("713:02", dup213); +var msg374 = msg("713:02", dup212); -var part414 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ +var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ dup5, dup51, dup52, @@ -4875,7 +4852,7 @@ var part414 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_des dup21, ])); -var msg375 = msg("713:03", part414); +var msg375 = msg("713:03", part413); var select124 = linear_select([ msg372, @@ -4884,8 +4861,8 @@ var select124 = linear_select([ msg375, ]); -var part415 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup114, +var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup113, dup51, dup52, dup53, 
@@ -4899,22 +4876,22 @@ var part415 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_descri dup21, ])); -var msg376 = msg("760", part415); +var msg376 = msg("760", part414); -var part416 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part417 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); +var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); var all83 = all_match({ processors: [ - part416, - dup175, + part415, + dup174, dup10, - dup192, - part417, + dup191, + part416, ], on_success: processor_chain([ - dup114, + dup113, dup51, dup52, dup53, 
@@ -4936,31 +4913,31 @@ var select125 = linear_select([ msg377, ]); -var msg378 = msg("766", dup217); +var msg378 = msg("766", dup216); -var msg379 = msg("860", dup217); +var msg379 = msg("860", dup216); -var msg380 = msg("860:01", dup218); +var msg380 = msg("860:01", dup217); var select126 = linear_select([ msg379, msg380, ]); -var part418 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); +var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); -var part419 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); +var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); -var part420 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); +var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); var select127 = linear_select([ + part418, part419, - part420, ]); var all84 = all_match({ processors: [ - part418, + part417, select127, ], on_success: processor_chain([ 
@@ -4971,50 +4948,50 @@ var all84 = all_match({ var msg381 = msg("866", all84); -var msg382 = msg("866:01", dup218); +var msg382 = msg("866:01", dup217); var select128 = linear_select([ msg381, msg382, ]); -var msg383 = msg("867", dup217); +var msg383 = msg("867", dup216); -var msg384 = msg("867:01", dup218); +var msg384 = msg("867:01", dup217); var select129 = linear_select([ msg383, msg384, ]); -var part421 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ +var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup1, ])); -var msg385 = msg("882", part421); +var msg385 = msg("882", part420); -var part422 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ +var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ dup1, ])); -var msg386 = msg("882:01", part422); +var msg386 = msg("882:01", part421); var select130 = linear_select([ msg385, msg386, ]); -var part423 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup160, +var part422 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup159, ])); -var msg387 = msg("888", part423); +var msg387 = 
msg("888", part422); -var part424 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup160, +var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup159, ])); -var msg388 = msg("888:01", part424); +var msg388 = msg("888:01", part423); var select131 = linear_select([ msg387, @@ -5024,40 +5001,40 @@ var select131 = linear_select([ var all85 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ - dup160, + dup159, ]), }); var msg389 = msg("892", all85); -var msg390 = msg("904", dup217); +var msg390 = msg("904", dup216); -var msg391 = msg("905", dup217); +var msg391 = msg("905", dup216); -var msg392 = msg("906", dup217); +var msg392 = msg("906", dup216); -var msg393 = msg("907", dup217); +var msg393 = msg("907", dup216); var select132 = linear_select([ dup73, - dup139, + dup138, ]); var all86 = all_match({ processors: [ - dup161, + dup160, select132, dup10, - dup212, - dup162, - dup200, - dup113, + dup211, + dup161, + dup199, + dup112, ], on_success: processor_chain([ dup70, 
@@ -5073,25 +5050,25 @@ var all86 = all_match({ var msg394 = msg("908", all86); -var msg395 = msg("909", dup217); +var msg395 = msg("909", dup216); -var msg396 = msg("914", dup219); +var msg396 = msg("914", dup218); -var part425 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup64, ])); -var msg397 = msg("931", part425); +var msg397 = msg("931", part424); -var msg398 = msg("657", dup219); +var msg398 = msg("657", dup218); var all87 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup5, 
@@ -5105,22 +5082,22 @@ var select133 = linear_select([ msg399, ]); -var msg400 = msg("403", dup198); +var msg400 = msg("403", dup197); -var msg401 = msg("534", dup177); +var msg401 = msg("534", dup176); -var msg402 = msg("994", dup220); +var msg402 = msg("994", dup219); -var part426 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ +var part425 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ dup1, dup23, ])); -var msg403 = msg("243", part426); +var msg403 = msg("243", part425); -var msg404 = msg("995", dup177); +var msg404 = msg("995", dup176); -var part427 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ +var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ dup1, dup51, dup53, 
@@ -5133,48 +5110,48 @@ var part427 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_descri dup21, ])); -var msg405 = msg("997", part427); +var msg405 = msg("997", part426); -var msg406 = msg("998", dup220); +var msg406 = msg("998", dup219); -var part428 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup106, +var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, dup11, ])); -var msg407 = msg("998:01", part428); +var msg407 = msg("998:01", part427); var select134 = linear_select([ msg406, msg407, ]); -var msg408 = msg("1110", dup221); +var msg408 = msg("1110", dup220); -var msg409 = msg("565", dup221); +var msg409 = msg("565", dup220); -var part429 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ +var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup54, ])); -var msg410 = msg("404", part429); +var msg410 = msg("404", part428); var select135 = linear_select([ - dup149, + dup148, dup50, ]); -var part430 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); +var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); var all88 = all_match({ 
processors: [ dup81, select135, - part430, + part429, ], on_success: processor_chain([ - dup106, + dup105, dup54, dup17, dup82, 
@@ -5187,78 +5164,78 @@ var all88 = all_match({ var msg411 = msg("267:01", all88); -var part431 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ +var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ dup1, dup54, ])); -var msg412 = msg("267", part431); +var msg412 = msg("267", part430); var select136 = linear_select([ msg411, msg412, ]); -var part432 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ +var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ dup1, dup23, ])); -var msg413 = msg("263", part432); +var msg413 = msg("263", part431); -var part433 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup104, +var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup103, dup11, ])); -var msg414 = msg("264", part433); +var msg414 = msg("264", part432); -var msg415 = msg("412", dup198); +var msg415 = msg("412", dup197); -var part434 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", 
processor_chain([ +var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, dup23, ])); -var msg416 = msg("793", part434); +var msg416 = msg("793", part433); -var part435 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ +var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ dup1, dup23, ])); -var msg417 = msg("805", part435); +var msg417 = msg("805", part434); -var part436 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup163, +var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, dup11, ])); -var msg418 = msg("809", part436); +var msg418 = msg("809", part435); -var part437 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup163, +var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, dup11, ])); -var msg419 = msg("809:01", 
part437); +var msg419 = msg("809:01", part436); var select137 = linear_select([ msg418, msg419, ]); -var msg420 = msg("935", dup219); +var msg420 = msg("935", dup218); -var msg421 = msg("614", dup222); +var msg421 = msg("614", dup221); -var part438 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); var all89 = all_match({ processors: [ - part438, - dup200, - dup113, + part437, + dup199, + dup112, ], on_success: processor_chain([ dup58, 
@@ -5268,91 +5245,91 @@ var all89 = all_match({ var msg422 = msg("748", all89); -var part439 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part440 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); +var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); var select138 = linear_select([ - part440, - dup112, + part439, + dup111, ]); var all90 = all_match({ processors: [ - part439, + part438, select138, - dup113, + dup112, ], on_success: processor_chain([ - dup164, + dup163, dup37, ]), }); var msg423 = msg("794", all90); -var msg424 = msg("1086", dup222); +var msg424 = msg("1086", dup221); -var part441 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup164, +var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup163, dup37, ])); -var msg425 = msg("1430", part441); +var msg425 = msg("1430", part440); -var msg426 = msg("1149", dup222); +var msg426 = msg("1149", dup221); -var msg427 = msg("1159", dup222); +var msg427 = msg("1159", dup221); -var part442 = 
match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup164, +var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, dup37, ])); -var msg428 = msg("1195", part442); +var msg428 = msg("1195", part441); -var part443 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup164, +var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup163, dup37, ])); -var msg429 = msg("1195:01", part443); +var msg429 = msg("1195:01", part442); var select139 = linear_select([ msg428, msg429, ]); -var part444 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup5, dup37, ])); -var msg430 = msg("1226", part444); +var msg430 = msg("1226", part443); -var part445 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ +var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup37, ])); -var msg431 = msg("1222", part445); +var msg431 = msg("1222", part444); -var part446 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} 
appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, dup23, ])); -var msg432 = msg("1154", part446); +var msg432 = msg("1154", part445); -var part447 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); +var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); var all91 = all_match({ processors: [ - part447, - dup175, + part446, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup1, 
@@ -5362,30 +5339,30 @@ var all91 = all_match({ var msg433 = msg("1154:01", all91); -var part448 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup165, +var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup164, dup11, ])); -var msg434 = msg("1154:02", part448); +var msg434 = msg("1154:02", part447); -var part449 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var select140 = linear_select([ - dup124, + dup123, dup49, ]); -var part450 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); +var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); var all92 = all_match({ processors: [ - part449, + part448, select140, - part450, + part449, ], on_success: processor_chain([ - dup165, + dup164, dup11, ]), }); 
@@ -5399,26 +5376,26 @@ var select141 = linear_select([ msg435, ]); -var part451 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup166, +var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup165, ])); -var msg436 = msg("msg", part451); +var msg436 = msg("msg", part450); -var part452 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup166, +var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup165, ])); -var msg437 = msg("src", part452); +var msg437 = msg("src", part451); var all93 = all_match({ processors: [ dup7, - dup178, + dup177, dup10, - dup176, + dup175, dup10, - dup201, + dup200, ], on_success: processor_chain([ dup1, @@ -5427,15 +5404,15 @@ var all93 = all_match({ var msg438 = msg("1235", all93); -var part453 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); +var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); var all94 = all_match({ processors: [ dup7, - dup178, + dup177, dup10, - dup192, - part453, + dup191, + part452, ], on_success: processor_chain([ dup1, @@ -5444,13 +5421,13 @@ var all94 = all_match({ var msg439 = msg("1197", all94); -var part454 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all95 = all_match({ processors: [ - part454, - dup178, - dup167, + part453, + dup177, + dup166, ], on_success: processor_chain([ dup1, 
@@ -5459,19 +5436,19 @@ var all95 = all_match({ var msg440 = msg("1199", all95); -var part455 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup168, +var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, dup11, ])); -var msg441 = msg("1199:01", part455); +var msg441 = msg("1199:01", part454); -var part456 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup168, +var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, dup11, ])); -var msg442 = msg("1199:02", part456); +var msg442 = msg("1199:02", part455); var select142 = linear_select([ msg440, 
@@ -5479,15 +5456,15 @@ var select142 = linear_select([ msg442, ]); -var part457 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); +var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); var all96 = all_match({ processors: [ - part457, - dup175, + part456, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup1, @@ -5496,11 +5473,11 @@ var all96 = all_match({ var msg443 = msg("1155", all96); -var part458 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup106, +var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup105, ])); -var msg444 = msg("1155:01", part458); +var msg444 = msg("1155:01", part457); var select143 = linear_select([ msg443, @@ -5509,9 +5486,9 @@ var select143 = linear_select([ var all97 = all_match({ processors: [ - dup169, - dup202, - dup167, + dup168, + dup201, + dup166, ], on_success: processor_chain([ dup1, @@ -5523,8 +5500,8 @@ var msg445 = msg("1198", all97); var all98 = all_match({ processors: [ dup7, - dup178, - dup167, + dup177, + dup166, ], on_success: processor_chain([ dup1, 
@@ -5533,30 +5510,30 @@ var all98 = all_match({ var msg446 = msg("714", all98); -var msg447 = msg("709", dup241); +var msg447 = msg("709", dup239); -var msg448 = msg("1005", dup241); +var msg448 = msg("1005", dup239); -var msg449 = msg("1003", dup241); +var msg449 = msg("1003", dup239); -var msg450 = msg("1007", dup242); +var msg450 = msg("1007", dup240); -var part459 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup104, +var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup103, dup11, ])); -var msg451 = msg("1008", part459); +var msg451 = msg("1008", part458); -var msg452 = msg("708", dup242); +var msg452 = msg("708", dup240); var all99 = all_match({ processors: [ - dup169, - dup175, + dup168, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup1, 
@@ -5565,80 +5542,80 @@ var all99 = all_match({ var msg453 = msg("1201", all99); -var msg454 = msg("1201:01", dup242); +var msg454 = msg("1201:01", dup240); var select144 = linear_select([ msg453, msg454, ]); -var msg455 = msg("654", dup223); +var msg455 = msg("654", dup222); -var msg456 = msg("670", dup223); +var msg456 = msg("670", dup222); -var msg457 = msg("884", dup242); +var msg457 = msg("884", dup240); -var part460 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ +var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ dup1, ])); -var msg458 = msg("1153", part460); +var msg458 = msg("1153", part459); -var part461 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); +var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); -var part462 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); +var part461 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); -var part463 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); +var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); var select145 = linear_select([ + part460, part461, part462, - part463, ]); -var part464 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); +var part463 = 
match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); -var part465 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); var select146 = linear_select([ - part465, + part464, dup25, ]); -var part466 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); +var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); -var part467 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); +var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); -var part468 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); +var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); var select147 = linear_select([ + part465, part466, part467, - part468, ]); -var part469 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); +var part468 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); -var part470 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); +var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); -var part471 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); +var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); -var part472 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); +var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); var select148 = linear_select([ + part469, part470, part471, 
- part472, ]); var all100 = all_match({ processors: [ select145, - part464, + part463, select146, dup10, select147, - part469, + part468, select148, ], on_success: processor_chain([ @@ -5654,24 +5631,24 @@ var all100 = all_match({ var msg459 = msg("1153:01", all100); -var part473 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); +var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); -var part474 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); +var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); -var part475 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); +var part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); var select149 = linear_select([ + part473, part474, - part475, ]); -var part476 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} "); +var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); var all101 = all_match({ processors: [ - part473, + part472, select149, - part476, + part475, ], on_success: processor_chain([ dup1, 
@@ -5692,33 +5669,33 @@ var select150 = linear_select([ msg460, ]); -var part477 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ +var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ dup1, ])); -var msg461 = msg("1107", part477); +var msg461 = msg("1107", part476); -var part478 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); +var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); -var part479 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part478 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part480 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); +var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); var select151 = linear_select([ + part478, part479, - part480, ]); var all102 = all_match({ processors: [ - part478, + part477, select151, dup10, - dup224, - dup172, + dup223, + dup171, ], on_success: processor_chain([ - dup160, + dup159, dup54, dup17, dup82, @@ -5733,12 +5710,12 @@ var msg462 = msg("1220", all102); var all103 = all_match({ processors: [ - dup148, - dup224, - dup172, + dup147, + dup223, + dup171, ], on_success: processor_chain([ - dup160, + dup159, dup54, dup17, dup82, 
@@ -5751,49 +5728,49 @@ var all103 = all_match({ var msg463 = msg("1230", all103); -var part481 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ +var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ dup1, ])); -var msg464 = msg("1231", part481); +var msg464 = msg("1231", part480); -var part482 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup168, +var part481 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup167, dup11, ])); -var msg465 = msg("1233", part482); +var msg465 = msg("1233", part481); -var part483 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); +var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); -var part484 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); +var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); -var part485 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); +var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); var select152 = linear_select([ + part483, part484, - part485, ]); -var part486 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); +var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); -var part487 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); +var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} 
%{space}n=%{fld1}"); -var part488 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); +var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); -var part489 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); +var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); var select153 = linear_select([ + part486, part487, part488, - part489, ]); var all104 = all_match({ processors: [ - part483, + part482, select152, - part486, + part485, select153, ], on_success: processor_chain([ @@ -5803,13 +5780,13 @@ var all104 = all_match({ var msg466 = msg("1079", all104); -var part490 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ +var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ dup1, ])); -var msg467 = msg("1079:01", part490); +var msg467 = msg("1079:01", part489); -var part491 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ +var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ dup1, dup11, setc("event_description","destination is not allowed by access control"), 
@@ -5820,9 +5797,9 @@ var part491 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destinatio dup21, ])); -var msg468 = msg("1079:02", part491); +var msg468 = msg("1079:02", part490); -var part492 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ +var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ dup1, dup11, setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), @@ -5833,7 +5810,7 @@ var part492 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Cli dup21, ])); -var msg469 = msg("1079:03", part492); +var msg469 = msg("1079:03", part491); var select154 = linear_select([ msg466, @@ -5842,13 +5819,13 @@ var select154 = linear_select([ msg469, ]); -var part493 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); +var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); -var part494 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); var select155 = linear_select([ dup73, - part494, + part493, ]); var select156 = linear_select([ @@ -5856,15 +5833,15 @@ var select156 = linear_select([ dup78, ]); -var part495 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); +var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); var all105 = all_match({ processors: [ - part493, + part492, select155, dup10, select156, - part495, + part494, ], on_success: processor_chain([ dup1, 
@@ -5873,7 +5850,7 @@ var all105 = all_match({ var msg470 = msg("1080", all105); -var part496 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part495 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup54, dup17, @@ -5884,15 +5861,15 @@ var part496 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_descri dup37, ])); -var msg471 = msg("580", part496); +var msg471 = msg("580", part495); -var part497 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); var all106 = all_match({ processors: [ - part497, - dup225, - dup113, + part496, + dup224, + dup112, ], on_success: processor_chain([ dup70, @@ -5910,11 +5887,11 @@ var msg472 = msg("1369", all106); var all107 = all_match({ processors: [ - dup148, - dup212, - dup150, - dup225, - dup113, + dup147, + dup211, + dup149, + dup224, + dup112, ], on_success: processor_chain([ dup70, @@ -5932,11 +5909,11 @@ var msg473 = msg("1370", all107); var all108 = all_match({ processors: [ - dup148, - dup212, - dup162, - dup200, - dup113, + dup147, + dup211, + dup161, + dup199, + dup112, ], on_success: processor_chain([ dup70, 
@@ -5952,25 +5929,25 @@ var all108 = all_match({ var msg474 = msg("1371", all108); -var part498 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); +var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); var select157 = linear_select([ - dup139, - part498, + dup138, + part497, ]); var all109 = all_match({ processors: [ - dup161, + dup160, select157, dup10, - dup212, - dup162, - dup200, - dup113, + dup211, + dup161, + dup199, + dup112, ], on_success: processor_chain([ - dup160, + dup159, dup54, dup17, dup82, @@ -5983,30 +5960,30 @@ var all109 = all_match({ var msg475 = msg("1387", all109); -var part499 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); +var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); -var part500 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); +var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); var select158 = linear_select([ dup69, - part500, + part499, ]); -var part501 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); +var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); -var part502 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); +var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); -var part503 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); +var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); var select159 = linear_select([ + part500, part501, part502, - part503, ]); var all110 = all_match({ processors: [ - part499, + part498, select158, select159, ], 
@@ -6024,7 +6001,7 @@ var all110 = all_match({ var msg476 = msg("1391", all110); -var part504 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ +var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ dup5, dup54, dup17, @@ -6035,9 +6012,9 @@ var part504 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_descr dup37, ])); -var msg477 = msg("1253", part504); +var msg477 = msg("1253", part503); -var part505 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, dup54, dup17, 
@@ -6048,26 +6025,26 @@ var part505 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_descr dup37, ])); -var msg478 = msg("1009", part505); +var msg478 = msg("1009", part504); -var part506 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); -var part507 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); +var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); -var part508 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); +var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); var select160 = linear_select([ + part506, part507, - part508, ]); -var part509 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); +var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); var all111 = all_match({ processors: [ - part506, + part505, select160, - part509, + part508, ], on_success: processor_chain([ dup5, 
@@ -6083,7 +6060,7 @@ var all111 = all_match({ var msg479 = msg("910", all111); -var part510 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ +var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ dup1, dup54, dup17, @@ -6093,9 +6070,9 @@ var part510 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{eve dup37, ])); -var msg480 = msg("m:01", part510); +var msg480 = msg("m:01", part509); -var part511 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup54, dup17, @@ -6106,10 +6083,10 @@ var part511 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_descr dup37, ])); -var msg481 = msg("1011", part511); +var msg481 = msg("1011", part510); -var part512 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup165, +var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, dup54, dup17, dup82, 
@@ -6119,11 +6096,11 @@ var part512 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_descri dup37, ])); -var msg482 = msg("609", part512); +var msg482 = msg("609", part511); -var msg483 = msg("796", dup226); +var msg483 = msg("796", dup225); -var part513 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup70, dup54, dup17, @@ -6134,10 +6111,10 @@ var part513 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_descri dup37, ])); -var msg484 = msg("880", part513); +var msg484 = msg("880", part512); -var part514 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup160, +var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup159, dup54, dup17, dup82, 
@@ -6147,26 +6124,26 @@ var part514 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_descr dup37, ])); -var msg485 = msg("1309", part514); +var msg485 = msg("1309", part513); -var msg486 = msg("1310", dup226); +var msg486 = msg("1310", dup225); -var part515 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); +var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); -var part516 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); +var part515 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); var select161 = linear_select([ + part514, part515, - part516, ]); -var part517 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); +var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); var all112 = all_match({ processors: [ dup81, select161, - part517, + part516, ], on_success: processor_chain([ dup1, @@ -6182,16 +6159,16 @@ var all112 = all_match({ var msg487 = msg("1232", all112); -var part518 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all113 = all_match({ processors: [ - part518, - dup200, - dup113, + part517, + dup199, + dup112, ], on_success: processor_chain([ - dup160, + dup159, dup54, dup17, dup82, 
@@ -6551,229 +6528,227 @@ var chain1 = processor_chain([ }), ]); -var part519 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); -var part520 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part521 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); -var part522 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); +var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); -var part523 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); +var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); -var part524 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); +var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part525 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); -var part526 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); +var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); -var part527 = match("MESSAGE#38:29:01/4", "nwparser.p0", "%{} "); +var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); var part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); -var part530 = match("MESSAGE#52:35:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); +var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); -var part531 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); +var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); -var part532 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); +var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); -var part533 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); +var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part534 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); -var part535 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); +var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); -var part536 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); +var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); -var part537 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); +var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); -var part538 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); +var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); -var part539 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); +var part539 = 
match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); -var part540 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); +var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); -var part541 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); +var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); -var part542 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); +var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); -var part543 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); +var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); -var part544 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); +var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part545 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); -var part546 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); +var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); -var part547 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); +var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); -var part548 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); +var part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part549 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", 
"%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); -var part550 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); +var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); -var part551 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); -var part552 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); +var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); -var part553 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); +var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); -var part554 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); -var part555 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); +var part555 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); -var part556 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); +var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); -var part557 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); +var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); -var part558 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); +var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part559 = 
match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); -var part560 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); +var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); -var part561 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); +var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part562 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); -var part563 = match("MESSAGE#202:139:01/3_1", "nwparser.p0", "%{daddr->} "); +var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); -var part564 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); +var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); -var part565 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); +var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); -var part566 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); +var part566 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); -var part567 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); +var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); -var part568 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); +var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); -var part569 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); +var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); -var part570 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); +var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); -var part571 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); +var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); -var part572 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); +var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); -var part573 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); +var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var part574 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); +var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var part575 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); -var part576 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); +var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); -var part577 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); +var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); 
-var part578 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); +var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); -var part579 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); +var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var part580 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); +var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); -var part581 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); +var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); -var part582 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); +var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); -var part583 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); +var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); -var part584 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); +var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var part585 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); +var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); -var part586 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); -var part587 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " 
msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); +var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); -var part588 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); +var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); -var part589 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); +var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); -var part590 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); +var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var part591 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); +var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); -var part592 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); -var part593 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); +var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); -var part594 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); +var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); -var part595 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); -var part596 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); +var part596 = match("MESSAGE#333:537:09/6_1", 
"nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); -var part597 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); +var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); -var part598 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); -var part599 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); +var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part600 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); +var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); -var part601 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); -var part602 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); +var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); -var part603 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); +var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); -var part604 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part605 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); +var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); -var part606 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); -var 
part607 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); +var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); -var part608 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); +var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part609 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); +var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part610 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); -var part611 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); -var part612 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); +var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); -var part613 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); +var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); -var part614 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); +var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part615 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var part615 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part616 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); -var part617 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); -var part618 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); +var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); -var part619 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); +var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); -var part620 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); +var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); -var part621 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); +var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part622 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); +var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var part623 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part624 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); +var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); -var part625 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); -var part626 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var part627 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); -var part628 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - -var part629 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - -var part630 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); +var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); var select162 = linear_select([ dup8, @@ -6785,7 +6760,7 @@ var select163 = linear_select([ dup16, ]); -var part631 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup23, ])); 
@@ -6796,110 +6771,110 @@ var select164 = linear_select([ ]); var select165 = linear_select([ + dup27, + dup28, +]); + +var select166 = linear_select([ dup34, dup35, ]); -var select166 = linear_select([ +var select167 = linear_select([ dup25, dup39, ]); -var select167 = linear_select([ +var select168 = linear_select([ dup41, dup42, ]); -var select168 = linear_select([ +var select169 = linear_select([ dup46, dup47, ]); -var select169 = linear_select([ +var select170 = linear_select([ dup49, dup50, ]); -var part632 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup62, ])); -var part633 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); -var select170 = linear_select([ +var select171 = linear_select([ dup71, dup75, dup76, ]); -var select171 = linear_select([ +var select172 = linear_select([ dup8, dup25, ]); -var part634 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ +var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); -var select172 = linear_select([ - dup33, - dup85, -]); - var select173 = linear_select([ + dup88, dup89, - dup90, ]); -var part635 = 
match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup5, ])); var select174 = linear_select([ + dup92, dup93, - dup94, ]); var select175 = linear_select([ + dup96, dup97, - dup98, ]); -var part636 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup88, +var part634 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, ])); -var part637 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup88, +var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, ])); -var part638 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var part639 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} ", processor_chain([ +var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var part640 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ +var part638 
= match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, dup23, ])); var select176 = linear_select([ dup66, - dup109, + dup108, ]); var select177 = linear_select([ + dup110, dup111, - dup112, ]); var select178 = linear_select([ - dup116, + dup115, dup45, ]); @@ -6921,8 +6896,8 @@ var select181 = linear_select([ ]); var select182 = linear_select([ + dup121, dup122, - dup123, ]); var select183 = linear_select([ 
@@ -6932,98 +6907,98 @@ var select183 = linear_select([ ]); var select184 = linear_select([ + dup127, dup128, - dup129, ]); var select185 = linear_select([ dup41, dup42, - dup135, + dup134, ]); var select186 = linear_select([ + dup135, dup136, - dup137, ]); var select187 = linear_select([ + dup138, dup139, - dup140, ]); var select188 = linear_select([ + dup140, dup141, - dup142, ]); var select189 = linear_select([ dup49, - dup149, + dup148, ]); -var part641 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup151, +var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, ])); var select190 = linear_select([ - dup153, + dup152, dup40, ]); var select191 = linear_select([ + dup154, dup155, - dup156, ]); var select192 = linear_select([ + dup156, dup157, - dup158, ]); -var part642 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} ", processor_chain([ +var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ dup5, ])); -var part643 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype->} ", processor_chain([ +var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ dup5, ])); -var part644 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, dup23, ])); -var part645 = match("MESSAGE#399:994", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, dup23, ])); -var part646 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ +var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, dup23, ])); -var part647 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup164, +var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, dup37, ])); -var part648 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ +var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); var select193 = linear_select([ + dup169, dup170, - dup171, ]); var select194 = linear_select([ + dup172, dup173, - dup174, ]); -var part649 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, dup54, dup17, 
@@ -7036,35 +7011,34 @@ var part649 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_descri var all114 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup176, - dup27, + dup178, ], on_success: processor_chain([ - dup29, + dup30, ]), }); var all115 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup86, + dup85, ]), }); var all116 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ dup59, @@ -7073,8 +7047,8 @@ var all116 = all_match({ var all117 = all_match({ processors: [ - dup96, - dup193, + dup95, + dup192, ], on_success: processor_chain([ dup59, @@ -7083,22 +7057,22 @@ var all117 = all_match({ var all118 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup101, + dup100, ]), }); var all119 = all_match({ processors: [ - dup30, - dup178, + dup31, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ dup29, 
@@ -7107,80 +7081,68 @@ var all119 = all_match({ var all120 = all_match({ processors: [ - dup30, - dup178, + dup102, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup28, + dup103, ]), }); var all121 = all_match({ processors: [ - dup103, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup104, + dup106, ]), }); var all122 = all_match({ processors: [ - dup105, - dup178, - dup10, - dup189, - ], - on_success: processor_chain([ dup107, - ]), -}); - -var all123 = all_match({ - processors: [ - dup108, - dup199, + dup198, ], on_success: processor_chain([ - dup88, + dup87, ]), }); -var all124 = all_match({ +var all123 = all_match({ processors: [ - dup105, - dup178, + dup104, + dup177, dup10, - dup189, + dup178, ], on_success: processor_chain([ - dup110, + dup109, ]), }); -var all125 = all_match({ +var all124 = all_match({ processors: [ dup44, dup179, dup36, - dup189, + dup178, ], on_success: processor_chain([ dup5, ]), }); -var all126 = all_match({ +var all125 = all_match({ processors: [ dup80, - dup178, + dup177, dup10, - dup176, + dup175, dup79, ], on_success: processor_chain([ @@ -7188,17 +7150,17 @@ var all126 = all_match({ ]), }); -var all127 = all_match({ +var all126 = all_match({ processors: [ - dup152, + dup151, + dup213, + dup153, dup214, - dup154, dup215, - dup216, - dup159, + dup158, ], on_success: processor_chain([ - dup151, + dup150, dup51, dup52, dup53, @@ -7213,26 +7175,26 @@ var all127 = all_match({ ]), }); -var all128 = all_match({ +var all127 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup192, - dup95, + dup191, + dup94, ], on_success: processor_chain([ dup1, ]), }); -var all129 = all_match({ +var all128 = all_match({ processors: [ dup7, - dup175, + dup174, dup10, - dup190, - dup91, + dup189, + dup90, ], on_success: processor_chain([ dup1, 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log index 4175d2ffc93..d80d01a1de2 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log 
@@ -3,98 +3,98 @@ id=tconsec sn=nsequat time="2016/02/12 13:12:33" fw=10.137.246.137 pri=medium c= id=tempor sn=omnis time="2016/02/26 20:15:08" fw=10.245.94.130 pri=high c=inesci m=128 PPPoE LCP Link Down id=niamquis sn=itati time="2016/03/12 03:17:42" fw=10.220.19.19 pri=low c=atatnonp m=413 msg="uiano" n=mrema src=10.214.225.125:5710 dst=10.163.217.10:5722 gitsedqu id=uam sn=temq time="2016-3-26 10:20:16" fw=10.38.77.13 pri=low c=Utenimad m=14 msg="nibusBon" app=ehend sess="ueipsaqu" n=uidolore usr="niamqu" src=10.202.66.28:1852:enp0s5098 dst=10.64.155.245:6613:lo5037 srcMac=01:00:5e:4c:ae:05dstMac=01:00:5e:56:32:70 proto=icmp dstname=mqua3391.www.local arg=mquisnos code=loremagn Category="iciade" rule="tsed" fw_action="allow" -id=oll sn=erc time="2016/04/09 17:22:51" fw=10.5.195.236 pri=medium c=ccusan m=145 Backup firewall has transitioned to Idle -id=aveniam sn=uradi time="2016/04/24 00:25:25" fw=10.151.183.33 pri=high c=uaera m=174 IPSEC Replay Detected -id=ehenderi sn=pidatat time="2016/05/08 07:27:59" fw=10.80.246.230 pri=medium c=mquaera m=src src=10.216.179.229 dst=10.185.126.247 vel -id=undeo sn=loremip time="2016-5-22 2:30:33" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" -id=omm sn=idestla time="2016/06/05 21:33:08" fw=10.224.68.213 pri=medium c=aborumSe m=654 msg="luptat" sess=torev n=urExc -id=mquidol sn=ita time="2016/06/20 04:35:42" fw=10.100.76.221 pri=very-high c=lupt m=79 Priority Attack Dropped -id=qua sn=luptatev time="2016/07/04 11:38:16" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores -id=tatiset sn=eprehen time="2016/07/18 18:40:50" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings -id=aliq sn=rsitam time="2016/08/02 01:43:25" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" -prehen id=olupt sn=modoco time="2016/08/16 08:45:59" fw=10.10.110.174 
pri=very-high c=tat m=441 msg="tion" n=eataev src= 10.220.85.181 dst= tisetq 10.70.61.205 -id=riat sn=taut time="2016/08/30 15:48:33" fw=10.114.138.121 pri=very-high c=tati m=133 PPPoE starting CHAP Authentication -id=oriosamn sn=deFinibu time="2016/09/13 22:51:07" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg="eprehend" n=hil src=10.136.114.84 dst=10.176.205.96 -colabo id=eme sn=numqu time="2016-9-28 5:53:42" fw=10.232.149.140 pri=very-high c=lum m=264 msg="utali" sess="sitvolup" dur=141.548000 n=ipitla usr="quae" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action="allow" -datatn id=mqu sn=apariat time="2016/10/12 12:56:16" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped -id=ionevo sn=remagn time="2016/10/26 19:58:50" fw=10.160.205.242 pri=high c=uovolup m=84 msg="Failed to resolve name" n=samvolu dstname=ittenbyC3936.internal.test -id=amc sn=atur time="2016/11/10 03:01:24" fw=10.188.37.199 pri=low c=intoc m=995 msg="oluptas" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note="ione" -gel id=lorsitam sn=mpo time="2016/11/24 10:03:59" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying). 
-id=quioffi sn=uptate time="2016/12/08 17:06:33" fw=10.201.6.10 pri=high c=sequa m=346 msg="aera" n=ate src=10.240.242.122 dst=10.144.97.172 -id=uptasn sn=reme time="2016-12-23 12:09:07" fw=10.70.114.233 pri=high c=udantium m=796 msg="pre" n=xeacom fw_action="deny" -id=lorinre sn=olorsita time="2017/01/06 07:11:41" fw=10.226.20.99 pri=medium c=econs m=888 msg="blocked;cancel" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example -id=veniamqu sn=nse time="2017/01/20 14:14:16" fw=10.194.247.171 pri=low c=mquisnos m=882 msg="maven" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu -id=tvolu sn=ecte time="2017/02/03 21:16:50" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available -olupta id=litse sn=icabo time="2017/02/18 04:19:24" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28 -id=Nequepo sn=ipsumd time="2017/03/04 11:21:59" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed -id=reetdolo sn=smo time="2017/03/18 18:24:33" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam -santiumd id=turadip sn=uatD time="2017/04/02 01:27:07" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped -id=volu sn=nonn time="2017/04/16 08:29:41" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login -id=sBon sn=orro time="2017/04/30 15:32:16" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD -amvo id=qui sn=tasn time="2017/05/14 22:34:50" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" -id=tvolupt sn=eufugi time="2017/05/29 05:37:24" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available -temqu id=ovol sn=ptasn time="2017/06/12 12:39:58" fw=10.101.187.122 
pri=very-high c=str m=40 IPSec packet dropped -id=pid sn=illoin time="2017/06/26 19:42:33" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout -quid id=fugiat sn=atisun time="2017/07/11 02:45:07" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN -id=essequam sn=acommo time="2017/07/25 09:47:41" fw=10.177.144.70 pri=medium c=iat m=534 msg="etur" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note="tinv" -id=isnisi sn=ritatise time="2017/08/08 16:50:15" fw=10.38.54.72 pri=very-high c=ciad m=83 msg="tali" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note="sau" npcs=atevelit -id=billo sn=labo time="2017/08/22 23:52:50" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active -elitse id=ima sn=quasia time="2017/09/06 06:55:24" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local -id=asiarc sn=ian time="2017/09/20 13:57:58" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed -id=rauto sn=ationev time="2017/10/04 21:00:32" fw=10.92.19.202 pri=high c=nby m=350 msg="mve" n=osqui src=10.161.148.64 dst=10.96.97.81 -id=nsequat sn=doloreme time="2017/10/19 04:03:07" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked -itse id=umexerc sn=oremipsu time="2017/11/02 11:05:41" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg="liqua" n=utodita note="aec" -id=elitse sn=reseo time="2017/11/16 18:08:15" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked -id=plicab sn=oremq time="2017/12/01 01:10:49" fw=10.40.152.253 pri=low c=ritt m=msg msg="iaeco" src=10.53.150.77 dst=10.125.134.213 failure -id=quaea sn=ametcons time="2017/12/15 08:13:24" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL -id=ariatur sn=rer 
time="2017/12/29 15:15:58" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 dst=10.77.174.205 -id=luptatem sn=uaeratv time="2018/01/12 22:18:32" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173 -id=ntutlabo sn=iusmodte time="2018-1-27 5:21:06" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action="cancel" -id=proident sn=maliquam time="2018-2-10 12:23:41" fw=10.229.229.42 pri=high c=vitaedic m=428 msg="orin" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action="allow" -id=emvele sn=isnost time="2018/02/24 19:26:15" fw=10.71.112.159 pri=medium c=emqu m=412 msg="riss" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note="aliq" -id=mven sn=olorsit time="2018/03/11 02:28:49" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped -id=tatevel sn=boreetdo time="2018/03/25 09:31:24" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C -id=ddoeius sn=ugiatn time="2018/04/08 16:33:58" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded -id=uiadol sn=Duisa time="2018/04/22 23:36:32" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting. -id=emips sn=atv time="2018/05/07 06:39:06" fw=10.2.114.9 pri=high c=alorum m=372 msg="obeataev" n=tempor src=10.134.237.235 dst=10.11.83.126 -id=osquir sn=mod time="2018/05/21 13:41:41" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting). -id=Sedutpe sn=prehen time="2018/06/04 20:44:15" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN -tempor id=citatio sn=oluptat time="2018/06/19 03:46:49" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting). 
-id=nsequunt sn=proident time="2018/07/03 10:49:23" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE. -ugit id=tatem sn=metcons time="2018/07/17 17:51:58" fw=10.252.102.110 pri=medium c=tamet m=412 msg="perspici" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note="molestia" -id=labore sn=uela time="2018/08/01 00:54:32" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg="deny" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168 -licaboN id=atquo sn=cupi time="2018/08/15 07:57:06" fw=10.151.129.181 pri=very-high c=udan m=373 msg="allow" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484 -id=aeab sn=teur time="2018/08/29 14:59:40" fw=10.231.199.50 pri=low c=stquid m=412 msg="turadipi" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note="illu" -id=asuntexp sn=adminim time="2018/09/12 22:02:15" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped -id=iumt sn=tsed time="2018/09/27 05:04:49" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out -orsi id=tetura sn=imadmini time="2018/10/11 12:07:23" fw=10.46.192.198 pri=high c=uat m=96 Status -id=dolorema sn=emagn time="2018-10-25 7:09:57" fw=10.200.86.116 pri=medium m= msg="orinrep" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474 -id=culpaqui sn=tvolup time="2018/11/09 02:12:32" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded -id=tatev sn=luptas time="2018/11/23 09:15:06" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI -id=iadese sn=nisiu time="2018/12/07 16:17:40" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active -id=sitametc sn=onsequa time="2018/12/21 23:20:14" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available -id=pisc sn=urEx time="2019/01/05 06:22:49" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel -id=tnonproi sn=squira time="2019/01/19 13:25:23" fw=10.141.238.139 pri=medium 
c=uide m=144 Primary firewall has transitioned to Idle -lmolesti id=meumfugi sn=tquas time="2019/02/02 20:27:57" fw=10.200.22.41 pri=medium c=iame m=83 msg="orroquis" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370 -id=uisnostr sn=reetdol time="2019/02/17 03:30:32" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle -id=runtmo sn=ore time="2019/03/03 10:33:06" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying). -id=mveleum sn=liq time="2019/03/17 17:35:40" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed -mdolors id=oremi sn=ugitsedq time="2019/04/01 00:38:14" fw=10.143.229.47 pri=medium c=nisiut m=710 msg="cancel" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360 -tvolup id=consecte sn=pteurs time="2019/04/15 07:40:49" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source -id=unt sn=tass time="2019/04/29 14:43:23" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped -id=umdolo sn=rroqui time="2019/05/13 21:45:57" fw=10.76.122.196 pri=high c=epteur m=888 msg="malware;deny" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test -cepteur id=aer sn=osquira time="2019/05/28 04:48:31" fw=10.232.158.211 pri=high c=dolorem m=998 msg="sed" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note="sed" -id=pernat sn=udan time="2019/06/11 11:51:06" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot -id=orum sn=Bonoru time="2019/06/25 18:53:40" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email -id=lamcola sn=veli time="2019/07/10 01:56:14" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server -id=mmod sn=iti time="2019/07/24 08:58:48" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked -id=mag sn=gelitse time="2019/08/07 16:01:23" 
fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 -id=nostrud sn=cteturad time="2019/08/21 23:03:57" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F -id=ritati sn=iciade time="2019/09/05 06:06:31" fw=10.202.224.79 pri=low c=nevolupt m=441 msg="aco" n=apar -id=vol sn=psumd time="2019/09/19 13:09:05" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 -enbyCi id=reetdo sn=tat time="2019/10/03 20:11:40" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). -id=quunt sn=itasp time="2019/10/18 03:14:14" fw=10.210.181.12 pri=high c=met m=714 msg="volup" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur -id=ita sn=amquaer time="2019/11/01 10:16:48" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication -id=smod sn=idunt time="2019/11/15 17:19:22" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association -lore id=isci sn=Dui time="2019/11/30 00:21:57" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed -id=olore sn=orumS time="2019/12/14 07:24:31" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN +id=roinBCSe sn=onse time="2016/04/09 17:22:51" fw=10.136.153.149 pri=high c=imav m=1231 msg="ididu" n=tion note="orsitame" +id=umdo sn=sed time="2016-4-24 12:25:25" fw=10.206.224.241 pri=medium c=pteursi m=908 msg="onse" n=rumet src=10.162.42.110:6787:eth4075:temUten4125.www5.example dst=Ciceroi 10.90.131.186:6343:lo5529 srcMac=olo 01:00:5e:60:3e:36 dstMac=01:00:5e:0d:d9:0c proto=ipv6/atquovo fw_action="deny" +id=ist sn=tnon time="2016/05/08 07:27:59" fw=10.82.29.215 pri=low c=edquiano m=605 msg="loru" n=ema src=10.74.237.180:7041 dst=10.50.66.65:1793 +id=idestla sn=Nemoeni time="2016/05/22 14:30:33" fw=10.196.105.137 pri=high c=luptat m=994 msg="torev" n=urExc usr=sectetur src=10.109.232.112:1640 dst=10.58.208.39:2382 
note="fugit" +id=paqu sn=eseru time="2016/06/05 21:33:08" fw=10.237.30.22 pri=medium c=quip m=13 Restarting SonicWALL; dumping log to email +id=uisquam sn=ctetura time="2016/06/20 04:35:42" fw=10.241.19.131 pri=very-high c=lapariat m=350 msg="eddoei" n=eve src=10.72.29.73 dst=10.3.117.13 +id=entsu sn=dun time="2016/07/04 11:38:16" fw=10.85.101.196 pri=medium c=itaut m=166 Denied TCP connection from LAN +id=tema sn=ritatis time="2016/07/18 18:40:50" fw=10.36.241.234 pri=medium c=ccu m=159 Diagnostic Code F +id=inculpaq sn=agna time="2016/08/02 01:43:25" fw=10.148.13.98 pri=medium c=mqui m=72 msg="civeli" n=errorsi src=10.112.125.84:1284:eth1697 dst=10.193.76.77:4861:lo7388 +id=emp sn=aperia time="2016/08/16 08:45:59" fw=10.157.161.103 pri=medium c=vol m=351 msg="riat" n=taut src=10.114.138.121 dst=10.59.119.118 +id=oriosamn sn=deFinibu time="2016/08/30 15:48:33" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg="eprehend" n=hil src=10.136.114.84 dst=10.176.205.96 +colabo id=eme sn=numqu time="2016-9-13 10:51:07" fw=10.232.149.140 pri=very-high c=lum m=264 msg="utali" sess="sitvolup" dur=141.548000 n=ipitla usr="quae" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action="allow" +datatn id=mqu sn=apariat time="2016/09/28 05:53:42" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped +id=ionevo sn=remagn time="2016/10/12 12:56:16" fw=10.160.205.242 pri=high c=uovolup m=84 msg="Failed to resolve name" n=samvolu dstname=ittenbyC3936.internal.test +id=amc sn=atur time="2016/10/26 19:58:50" fw=10.188.37.199 pri=low c=intoc m=995 msg="oluptas" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note="ione" +gel id=lorsitam sn=mpo time="2016/11/10 03:01:24" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying). 
+id=quioffi sn=uptate time="2016/11/24 10:03:59" fw=10.201.6.10 pri=high c=sequa m=346 msg="aera" n=ate src=10.240.242.122 dst=10.144.97.172 +id=uptasn sn=reme time="2016-12-8 5:06:33" fw=10.70.114.233 pri=high c=udantium m=796 msg="pre" n=xeacom fw_action="deny" +id=lorinre sn=olorsita time="2016/12/23 00:09:07" fw=10.226.20.99 pri=medium c=econs m=888 msg="blocked;cancel" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example +id=veniamqu sn=nse time="2017/01/06 07:11:41" fw=10.194.247.171 pri=low c=mquisnos m=882 msg="maven" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu +id=tvolu sn=ecte time="2017/01/20 14:14:16" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available +olupta id=litse sn=icabo time="2017/02/03 21:16:50" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28 +id=reetdolo sn=smo time="2017/02/18 04:19:24" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam +santiumd id=turadip sn=uatD time="2017/03/04 11:21:59" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped +id=volu sn=nonn time="2017/03/18 18:24:33" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login +id=sBon sn=orro time="2017/04/02 01:27:07" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD +amvo id=qui sn=tasn time="2017/04/16 08:29:41" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" +id=tvolupt sn=eufugi time="2017/04/30 15:32:16" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available +temqu id=ovol sn=ptasn time="2017/05/14 22:34:50" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped +id=pid sn=illoin time="2017/05/29 05:37:24" fw=10.130.38.118 pri=low c=natuse 
m=163 Disconnecting PPPoE due to traffic timeout +quid id=fugiat sn=atisun time="2017/06/12 12:39:58" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN +id=essequam sn=acommo time="2017/06/26 19:42:33" fw=10.177.144.70 pri=medium c=iat m=534 msg="etur" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note="tinv" +id=isnisi sn=ritatise time="2017/07/11 02:45:07" fw=10.38.54.72 pri=very-high c=ciad m=83 msg="tali" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note="sau" npcs=atevelit +id=billo sn=labo time="2017/07/25 09:47:41" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active +elitse id=ima sn=quasia time="2017/08/08 16:50:15" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local +id=asiarc sn=ian time="2017/08/22 23:52:50" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed +id=rauto sn=ationev time="2017/09/06 06:55:24" fw=10.92.19.202 pri=high c=nby m=350 msg="mve" n=osqui src=10.161.148.64 dst=10.96.97.81 +id=nsequat sn=doloreme time="2017/09/20 13:57:58" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked +itse id=umexerc sn=oremipsu time="2017/10/04 21:00:32" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg="liqua" n=utodita note="aec" +id=elitse sn=reseo time="2017/10/19 04:03:07" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked +id=plicab sn=oremq time="2017/11/02 11:05:41" fw=10.40.152.253 pri=low c=ritt m=msg msg="iaeco" src=10.53.150.77 dst=10.125.134.213 failure +id=quaea sn=ametcons time="2017/11/16 18:08:15" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL +id=ariatur sn=rer time="2017/12/01 01:10:49" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 
dst=10.77.174.205 +id=luptatem sn=uaeratv time="2017/12/15 08:13:24" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173 +id=ntutlabo sn=iusmodte time="2017-12-29 3:15:58" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action="cancel" +id=proident sn=maliquam time="2018-1-12 10:18:32" fw=10.229.229.42 pri=high c=vitaedic m=428 msg="orin" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action="allow" +id=emvele sn=isnost time="2018/01/27 05:21:06" fw=10.71.112.159 pri=medium c=emqu m=412 msg="riss" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note="aliq" +id=mven sn=olorsit time="2018/02/10 12:23:41" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped +id=tatevel sn=boreetdo time="2018/02/24 19:26:15" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C +id=ddoeius sn=ugiatn time="2018/03/11 02:28:49" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded +id=uiadol sn=Duisa time="2018/03/25 09:31:24" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting. +id=emips sn=atv time="2018/04/08 16:33:58" fw=10.2.114.9 pri=high c=alorum m=372 msg="obeataev" n=tempor src=10.134.237.235 dst=10.11.83.126 +id=osquir sn=mod time="2018/04/22 23:36:32" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting). +id=Sedutpe sn=prehen time="2018/05/07 06:39:06" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN +tempor id=citatio sn=oluptat time="2018/05/21 13:41:41" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting). +id=nsequunt sn=proident time="2018/06/04 20:44:15" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE. 
+ugit id=tatem sn=metcons time="2018/06/19 03:46:49" fw=10.252.102.110 pri=medium c=tamet m=412 msg="perspici" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note="molestia" +id=labore sn=uela time="2018/07/03 10:49:23" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg="deny" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168 +licaboN id=atquo sn=cupi time="2018/07/17 17:51:58" fw=10.151.129.181 pri=very-high c=udan m=373 msg="allow" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484 +id=aeab sn=teur time="2018/08/01 00:54:32" fw=10.231.199.50 pri=low c=stquid m=412 msg="turadipi" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note="illu" +id=asuntexp sn=adminim time="2018/08/15 07:57:06" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped +id=iumt sn=tsed time="2018/08/29 14:59:40" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out +orsi id=tetura sn=imadmini time="2018/09/12 22:02:15" fw=10.46.192.198 pri=high c=uat m=96 Status +id=dolorema sn=emagn time="2018-9-27 5:04:49" fw=10.200.86.116 pri=medium m= msg="orinrep" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474 +id=culpaqui sn=tvolup time="2018/10/11 12:07:23" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded +id=tatev sn=luptas time="2018/10/25 19:09:57" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI +id=iadese sn=nisiu time="2018/11/09 02:12:32" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active +id=sitametc sn=onsequa time="2018/11/23 09:15:06" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available +id=pisc sn=urEx time="2018/12/07 16:17:40" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel +id=tnonproi sn=squira time="2018/12/21 23:20:14" fw=10.141.238.139 pri=medium c=uide m=144 Primary firewall has transitioned to Idle +lmolesti id=meumfugi sn=tquas time="2019/01/05 06:22:49" fw=10.200.22.41 pri=medium 
c=iame m=83 msg="orroquis" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370 +id=uisnostr sn=reetdol time="2019/01/19 13:25:23" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle +id=runtmo sn=ore time="2019/02/02 20:27:57" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying). +id=mveleum sn=liq time="2019/02/17 03:30:32" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed +mdolors id=oremi sn=ugitsedq time="2019/03/03 10:33:06" fw=10.143.229.47 pri=medium c=nisiut m=710 msg="cancel" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360 +tvolup id=consecte sn=pteurs time="2019/03/17 17:35:40" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source +id=unt sn=tass time="2019/04/01 00:38:14" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped +id=umdolo sn=rroqui time="2019/04/15 07:40:49" fw=10.76.122.196 pri=high c=epteur m=888 msg="malware;deny" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test +cepteur id=aer sn=osquira time="2019/04/29 14:43:23" fw=10.232.158.211 pri=high c=dolorem m=998 msg="sed" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note="sed" +id=pernat sn=udan time="2019/05/13 21:45:57" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot +id=orum sn=Bonoru time="2019/05/28 04:48:31" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email +id=lamcola sn=veli time="2019/06/11 11:51:06" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server +id=mmod sn=iti time="2019/06/25 18:53:40" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked +id=mag sn=gelitse time="2019/07/10 01:56:14" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 +id=nostrud sn=cteturad time="2019/07/24 
08:58:48" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F +id=ritati sn=iciade time="2019/08/07 16:01:23" fw=10.202.224.79 pri=low c=nevolupt m=441 msg="aco" n=apar +id=vol sn=psumd time="2019/08/21 23:03:57" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 +enbyCi id=reetdo sn=tat time="2019/09/05 06:06:31" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). +id=quunt sn=itasp time="2019/09/19 13:09:05" fw=10.210.181.12 pri=high c=met m=714 msg="volup" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur +id=ita sn=amquaer time="2019/10/03 20:11:40" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication +id=smod sn=idunt time="2019/10/18 03:14:14" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association +lore id=isci sn=Dui time="2019/11/01 10:16:48" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed +id=olore sn=orumS time="2019/11/15 17:19:22" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN +umdolore id=dmi sn=tam time="2019/11/30 00:21:57" fw=10.151.170.207 pri=high c=dunt m=src src=10.243.170.64 dst=10.85.204.8 amquisno +id=magnam sn=uinesc time="2019/12/14 07:24:31" fw=10.172.95.162 pri=very-high c=Bonorum m=105 Sending DHCP DISCOVER. diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index c7a3c07fdb9..5dd7dd19ca2 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -37,8 +37,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.95.245.65", - "10.13.70.213" + "10.13.70.213", + "10.95.245.65" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", 
@@ -131,8 +131,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.64.155.245", - "10.202.66.28" + "10.202.66.28", + "10.64.155.245" ], "related.user": [ "niamqu" @@ -164,17 +164,21 @@ }, { "@timestamp": "2016-04-09T19:22:51.000Z", - "event.code": "145", + "event.code": "1231", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=oll sn=erc time=\"2016/04/09 17:22:51\" fw=10.5.195.236 pri=medium c=ccusan m=145 Backup firewall has transitioned to Idle", + "event.original": "id=roinBCSe sn=onse time=\"2016/04/09 17:22:51\" fw=10.136.153.149 pri=high c=imav m=1231 msg=\"ididu\" n=tion note=\"orsitame\"", "fileset.name": "firewall", "input.type": "log", "log.offset": 930, + "log.original": "ididu", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "145", + "rsa.db.index": "orsitame", + "rsa.internal.messageid": "1231", + "rsa.internal.msg": "ididu", + "rsa.misc.space": "", "rsa.time.date": "2016/04/09", "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sonicwall", 
@@ -184,21 +188,56 @@ ] }, { - "@timestamp": "2016-04-24T02:25:25.000Z", - "event.code": "174", + "@timestamp": "2016-04-24T14:25:25.000Z", + "destination.ip": [ + "10.90.131.186" + ], + "destination.mac": "01:00:5e:0d:d9:0c", + "destination.port": 6343, + "event.action": [ + "deny" + ], + "event.code": "umdo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aveniam sn=uradi time=\"2016/04/24 00:25:25\" fw=10.151.183.33 pri=high c=uaera m=174 IPSEC Replay Detected", + "event.original": "id=umdo sn=sed time=\"2016-4-24 12:25:25\" fw=10.206.224.241 pri=medium c=pteursi m=908 msg=\"onse\" n=rumet src=10.162.42.110:6787:eth4075:temUten4125.www5.example dst=Ciceroi 10.90.131.186:6343:lo5529 srcMac=olo 01:00:5e:60:3e:36 dstMac=01:00:5e:0d:d9:0c proto=ipv6/atquovo fw_action=\"deny\"", "fileset.name": "firewall", + "host.hostname": "temUten4125.www5.example", + "host.ip": "10.206.224.241", "input.type": "log", - "log.offset": 1054, + "log.level": "medium", + "log.offset": 1055, + "network.protocol": "ipv6", + "observer.egress.interface.name": "lo5529", + "observer.ingress.interface.name": "eth4075", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "174", - "rsa.time.date": "2016/04/24", - "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "related.ip": [ + "10.90.131.186", + "10.206.224.241", + "10.162.42.110" + ], + "rsa.internal.event_desc": "onse", + "rsa.internal.messageid": "908", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "pteursi", + "rsa.misc.reference_id": "umdo", + "rsa.misc.serial_number": "sed", + "rsa.misc.severity": "medium", + "rsa.network.dinterface": "lo5529", + "rsa.network.sinterface": "eth4075", + "rsa.time.date": "2016-4-24", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", "service.type": "sonicwall", + "source.address": "temUten4125.www5.example", + "source.ip": [ + "10.162.42.110" + ], + "source.mac": 
"01:00:5e:60:3e:36", + "source.port": 6787, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -206,76 +245,85 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "destination.nat.ip": "10.185.126.247", - "event.code": "src", + "destination.nat.ip": "10.50.66.65", + "destination.nat.port": 1793, + "event.code": "605", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ehenderi sn=pidatat time=\"2016/05/08 07:27:59\" fw=10.80.246.230 pri=medium c=mquaera m=src src=10.216.179.229 dst=10.185.126.247 vel", + "event.original": "id=ist sn=tnon time=\"2016/05/08 07:27:59\" fw=10.82.29.215 pri=low c=edquiano m=605 msg=\"loru\" n=ema src=10.74.237.180:7041 dst=10.50.66.65:1793", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1163, - "log.original": "vel", + "log.offset": 1344, + "log.original": "loru", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.216.179.229", - "10.185.126.247" + "10.50.66.65", + "10.74.237.180" ], - "rsa.internal.messageid": "src", - "rsa.internal.msg": "vel", + "rsa.internal.messageid": "605", + "rsa.internal.msg": "loru", + "rsa.misc.ntype": "ema", "rsa.time.date": "2016/05/08", "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.216.179.229", + "source.nat.ip": "10.74.237.180", + "source.nat.port": 7041, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2016-05-22T04:30:33.000Z", - "event.action": [ - "cancel" - ], - "event.code": "1149", + "@timestamp": "2016-05-22T16:30:33.000Z", + "destination.nat.ip": "10.58.208.39", + "destination.nat.port": 2382, + "event.code": "994", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=undeo sn=loremip time=\"2016-5-22 2:30:33\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", + "event.original": "id=idestla sn=Nemoeni time=\"2016/05/22 14:30:33\" fw=10.196.105.137 pri=high c=luptat m=994 msg=\"torev\" n=urExc usr=sectetur 
src=10.109.232.112:1640 dst=10.58.208.39:2382 note=\"fugit\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1299, + "log.offset": 1488, + "log.original": "torev", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "idolore", - "rsa.internal.messageid": "1149", - "rsa.misc.action": [ - "cancel" + "related.ip": [ + "10.109.232.112", + "10.58.208.39" + ], + "related.user": [ + "sectetur" ], - "rsa.time.date": "2016-5-22", - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.internal.event_desc": "fugit", + "rsa.internal.messageid": "994", + "rsa.internal.msg": "torev", + "rsa.time.date": "2016/05/22", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.109.232.112", + "source.nat.port": 1640, "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "sectetur" }, { "@timestamp": "2016-06-05T23:33:08.000Z", - "event.code": "654", + "event.code": "13", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=omm sn=idestla time=\"2016/06/05 21:33:08\" fw=10.224.68.213 pri=medium c=aborumSe m=654 msg=\"luptat\" sess=torev n=urExc", + "event.original": "id=paqu sn=eseru time=\"2016/06/05 21:33:08\" fw=10.237.30.22 pri=medium c=quip m=13 Restarting SonicWALL; dumping log to email", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1427, - "log.original": "luptat", + "log.offset": 1671, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "654", - "rsa.internal.msg": "luptat", + "rsa.internal.messageid": "13", "rsa.time.date": "2016/06/05", "rsa.time.event_time": "2016-06-05T23:33:08.000Z", "service.type": "sonicwall", 
@@ -286,20 +334,32 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "event.code": "79", + "destination.ip": [ + "10.3.117.13" + ], + "event.code": "350", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mquidol sn=ita time=\"2016/06/20 04:35:42\" fw=10.100.76.221 pri=very-high c=lupt m=79 Priority Attack Dropped", + "event.original": "id=uisquam sn=ctetura time=\"2016/06/20 04:35:42\" fw=10.241.19.131 pri=very-high c=lapariat m=350 msg=\"eddoei\" n=eve src=10.72.29.73 dst=10.3.117.13", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1549, + "log.offset": 1797, + "log.original": "eddoei", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "79", + "related.ip": [ + "10.72.29.73", + "10.3.117.13" + ], + "rsa.internal.messageid": "350", + "rsa.internal.msg": "eddoei", "rsa.time.date": "2016/06/20", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.72.29.73" + ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -307,20 +367,17 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "1110", + "event.code": "166", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=qua sn=luptatev time=\"2016/07/04 11:38:16\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", + "event.original": "id=entsu sn=dun time=\"2016/07/04 11:38:16\" fw=10.85.101.196 pri=medium c=itaut m=166 Denied TCP connection from LAN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1661, - "log.original": "tinvol", + "log.offset": 1945, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "1110", - "rsa.internal.msg": "tinvol", - "rsa.misc.space": "", + "rsa.internal.messageid": "166", "rsa.time.date": "2016/07/04", "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "sonicwall", @@ -331,17 +388,17 @@ }, { "@timestamp": "2016-07-18T20:40:50.000Z", - "event.code": "10", + "event.code": "159", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatiset sn=eprehen time=\"2016/07/18 18:40:50\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", + "event.original": "id=tema sn=ritatis time=\"2016/07/18 18:40:50\" fw=10.36.241.234 pri=medium c=ccu m=159 Diagnostic Code F", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1773, + "log.offset": 2061, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "10", + "rsa.internal.messageid": "159", "rsa.time.date": "2016/07/18", "rsa.time.event_time": "2016-07-18T20:40:50.000Z", "service.type": "sonicwall", 
@@ -352,32 +409,38 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "destination.nat.ip": "10.30.196.102", - "event.code": "353", + "destination.ip": [ + "10.193.76.77" + ], + "destination.port": 4861, + "event.code": "72", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aliq sn=rsitam time=\"2016/08/02 01:43:25\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", + "event.original": "id=inculpaq sn=agna time=\"2016/08/02 01:43:25\" fw=10.148.13.98 pri=medium c=mqui m=72 msg=\"civeli\" n=errorsi src=10.112.125.84:1284:eth1697 dst=10.193.76.77:4861:lo7388", "fileset.name": "firewall", - "host.hostname": "fugi4637.www.lan", "input.type": "log", - "log.offset": 1916, - "log.original": "onproide", + "log.offset": 2165, + "log.original": "civeli", + "observer.egress.interface.name": "lo7388", + "observer.ingress.interface.name": "eth1697", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.241.178.107", - "10.30.196.102" + "10.193.76.77", + "10.112.125.84" ], - "rsa.internal.messageid": "353", - "rsa.internal.msg": "onproide", - "rsa.misc.misc": "imadmini", - "rsa.misc.ntype": "Nemoen", + "rsa.internal.messageid": "72", + "rsa.internal.msg": "civeli", + "rsa.network.dinterface": "lo7388", + "rsa.network.sinterface": "eth1697", "rsa.time.date": "2016/08/02", "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "sonicwall", - "source.address": "fugi4637.www.lan", - "source.nat.ip": "10.241.178.107", + "source.ip": [ + "10.112.125.84" + ], + "source.port": 1284, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -385,26 +448,31 @@ }, { "@timestamp": "2016-08-16T10:45:59.000Z", - "event.code": "441", + "destination.ip": [ + "10.59.119.118" + ], + "event.code": "351", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "prehen id=olupt sn=modoco time=\"2016/08/16 08:45:59\" fw=10.10.110.174 pri=very-high c=tat m=441 msg=\"tion\" n=eataev src= 10.220.85.181 dst= tisetq 10.70.61.205 ", + "event.original": "id=emp sn=aperia time=\"2016/08/16 08:45:59\" fw=10.157.161.103 pri=medium c=vol m=351 msg=\"riat\" n=taut src=10.114.138.121 dst=10.59.119.118", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2109, - "log.original": "tion", + "log.offset": 2334, + "log.original": "riat", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.220.85.181" + "10.114.138.121", + "10.59.119.118" ], - "rsa.internal.messageid": "441", - "rsa.internal.msg": "tion", + "rsa.internal.messageid": "351", + "rsa.internal.msg": "riat", + "rsa.time.date": "2016/08/16", "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "sonicwall", "source.ip": [ - "10.220.85.181" + "10.114.138.121" ], "tags": [ "sonicwall.firewall", 
@@ -413,37 +481,16 @@ }, { "@timestamp": "2016-08-30T17:48:33.000Z", - "event.code": "133", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=riat sn=taut time=\"2016/08/30 15:48:33\" fw=10.114.138.121 pri=very-high c=tati m=133 PPPoE starting CHAP Authentication", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2271, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "133", - "rsa.time.date": "2016/08/30", - "rsa.time.event_time": "2016-08-30T17:48:33.000Z", - "service.type": "sonicwall", - "tags": [ - "sonicwall.firewall", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-14T00:51:07.000Z", "destination.ip": [ "10.176.205.96" ], "event.code": "346", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=oriosamn sn=deFinibu time=\"2016/09/13 22:51:07\" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg=\"eprehend\" n=hil src=10.136.114.84 dst=10.176.205.96", + "event.original": "id=oriosamn sn=deFinibu time=\"2016/08/30 15:48:33\" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg=\"eprehend\" n=hil src=10.136.114.84 dst=10.176.205.96", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2394, + "log.offset": 2474, "log.original": "eprehend", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -454,8 +501,8 @@ ], "rsa.internal.messageid": "346", "rsa.internal.msg": "eprehend", - "rsa.time.date": "2016/09/13", - "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "rsa.time.date": "2016/08/30", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", "service.type": "sonicwall", "source.ip": [ "10.136.114.84" @@ -466,7 +513,7 @@ ] }, { - "@timestamp": "2016-09-28T07:53:42.000Z", + "@timestamp": "2016-09-13T12:51:07.000Z", "destination.ip": [ "10.193.192.62" ], 
@@ -477,10 +524,10 @@ "event.code": "264", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "colabo id=eme sn=numqu time=\"2016-9-28 5:53:42\" fw=10.232.149.140 pri=very-high c=lum m=264 msg=\"utali\" sess=\"sitvolup\" dur=141.548000 n=ipitla usr=\"quae\" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action=\"allow\"", + "event.original": "colabo id=eme sn=numqu time=\"2016-9-13 10:51:07\" fw=10.232.149.140 pri=very-high c=lum m=264 msg=\"utali\" sess=\"sitvolup\" dur=141.548000 n=ipitla usr=\"quae\" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action=\"allow\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2548, + "log.offset": 2628, "log.original": "utali", "observer.egress.interface.name": "lo2706", "observer.ingress.interface.name": "lo6637", @@ -502,7 +549,7 @@ "rsa.network.dinterface": "lo2706", "rsa.network.sinterface": "lo6637", "rsa.time.duration_time": 141.548, - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", "service.type": "sonicwall", "source.ip": [ "10.170.120.4" 
@@ -515,19 +562,19 @@ "user.name": "quae" }, { - "@timestamp": "2016-10-12T14:56:16.000Z", + "@timestamp": "2016-09-28T07:53:42.000Z", "event.code": "36", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "datatn id=mqu sn=apariat time=\"2016/10/12 12:56:16\" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped", + "event.original": "datatn id=mqu sn=apariat time=\"2016/09/28 05:53:42\" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2777, + "log.offset": 2858, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "36", - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -535,7 +582,7 @@ ] }, { - "@timestamp": "2016-10-26T21:58:50.000Z", + "@timestamp": "2016-10-12T14:56:16.000Z", "destination.address": "ittenbyC3936.internal.test", "event.action": [ "Failed to resolve name" @@ -543,10 +590,10 @@ "event.code": "84", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ionevo sn=remagn time=\"2016/10/26 19:58:50\" fw=10.160.205.242 pri=high c=uovolup m=84 msg=\"Failed to resolve name\" n=samvolu dstname=ittenbyC3936.internal.test", + "event.original": "id=ionevo sn=remagn time=\"2016/10/12 12:56:16\" fw=10.160.205.242 pri=high c=uovolup m=84 msg=\"Failed to resolve name\" n=samvolu dstname=ittenbyC3936.internal.test", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2887, + "log.offset": 2968, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
@@ -555,8 +602,8 @@ "Failed to resolve name" ], "rsa.network.host_dst": "ittenbyC3936.internal.test", - "rsa.time.date": "2016/10/26", - "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "rsa.time.date": "2016/10/12", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -564,16 +611,16 @@ ] }, { - "@timestamp": "2016-11-10T05:01:24.000Z", + "@timestamp": "2016-10-26T21:58:50.000Z", "destination.nat.ip": "10.6.77.80", "destination.nat.port": 4921, "event.code": "995", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=amc sn=atur time=\"2016/11/10 03:01:24\" fw=10.188.37.199 pri=low c=intoc m=995 msg=\"oluptas\" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note=\"ione\"", + "event.original": "id=amc sn=atur time=\"2016/10/26 19:58:50\" fw=10.188.37.199 pri=low c=intoc m=995 msg=\"oluptas\" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note=\"ione\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3050, + "log.offset": 3131, "log.original": "oluptas", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -585,8 +632,8 @@ "rsa.internal.event_desc": "ione", "rsa.internal.messageid": "995", "rsa.internal.msg": "oluptas", - "rsa.time.date": "2016/11/10", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.date": "2016/10/26", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", "service.type": "sonicwall", "source.nat.ip": "10.52.186.29", "source.nat.port": 2126, 
@@ -596,19 +643,19 @@ ] }, { - "@timestamp": "2016-11-24T12:03:59.000Z", + "@timestamp": "2016-11-10T05:01:24.000Z", "event.code": "118", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "gel id=lorsitam sn=mpo time=\"2016/11/24 10:03:59\" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying).", + "event.original": "gel id=lorsitam sn=mpo time=\"2016/11/10 03:01:24\" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3210, + "log.offset": 3291, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "118", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -616,17 +663,17 @@ ] }, { - "@timestamp": "2016-12-08T19:06:33.000Z", + "@timestamp": "2016-11-24T12:03:59.000Z", "destination.ip": [ "10.144.97.172" ], "event.code": "346", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quioffi sn=uptate time=\"2016/12/08 17:06:33\" fw=10.201.6.10 pri=high c=sequa m=346 msg=\"aera\" n=ate src=10.240.242.122 dst=10.144.97.172", + "event.original": "id=quioffi sn=uptate time=\"2016/11/24 10:03:59\" fw=10.201.6.10 pri=high c=sequa m=346 msg=\"aera\" n=ate src=10.240.242.122 dst=10.144.97.172", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3333, + "log.offset": 3414, "log.original": "aera", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -637,8 +684,8 @@ ], "rsa.internal.messageid": "346", "rsa.internal.msg": "aera", - "rsa.time.date": "2016/12/08", - "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "rsa.time.date": "2016/11/24", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "sonicwall", "source.ip": [ "10.240.242.122" 
@@ -649,19 +696,19 @@ ] }, { - "@timestamp": "2016-12-23T14:09:07.000Z", + "@timestamp": "2016-12-08T07:06:33.000Z", "event.action": [ "deny" ], "event.code": "uptasn", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uptasn sn=reme time=\"2016-12-23 12:09:07\" fw=10.70.114.233 pri=high c=udantium m=796 msg=\"pre\" n=xeacom fw_action=\"deny\"", + "event.original": "id=uptasn sn=reme time=\"2016-12-8 5:06:33\" fw=10.70.114.233 pri=high c=udantium m=796 msg=\"pre\" n=xeacom fw_action=\"deny\"", "fileset.name": "firewall", "host.ip": "10.70.114.233", "input.type": "log", "log.level": "high", - "log.offset": 3473, + "log.offset": 3554, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -677,8 +724,8 @@ "rsa.misc.reference_id": "uptasn", "rsa.misc.serial_number": "reme", "rsa.misc.severity": "high", - "rsa.time.date": "2016-12-23", - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.date": "2016-12-8", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -686,7 +733,7 @@ ] }, { - "@timestamp": "2017-01-06T09:11:41.000Z", + "@timestamp": "2016-12-23T02:09:07.000Z", "destination.address": "tmollita6036.internal.example", "destination.ip": [ "10.120.167.239" 
@@ -698,19 +745,19 @@ "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=lorinre sn=olorsita time=\"2017/01/06 07:11:41\" fw=10.226.20.99 pri=medium c=econs m=888 msg=\"blocked;cancel\" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example", + "event.original": "id=lorinre sn=olorsita time=\"2016/12/23 00:09:07\" fw=10.226.20.99 pri=medium c=econs m=888 msg=\"blocked;cancel\" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example", "fileset.name": "firewall", "host.hostname": "tevelite245.mail.local", "input.type": "log", - "log.offset": 3597, + "log.offset": 3676, "observer.egress.interface.name": "lo3664", "observer.ingress.interface.name": "eth4368", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.190.83.161", - "10.120.167.239" + "10.120.167.239", + "10.190.83.161" ], "rsa.internal.messageid": "888", "rsa.misc.action": [ @@ -720,8 +767,8 @@ "rsa.network.dinterface": "lo3664", "rsa.network.host_dst": "tmollita6036.internal.example", "rsa.network.sinterface": "eth4368", - "rsa.time.date": "2017/01/06", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.date": "2016/12/23", + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", "service.type": "sonicwall", "source.address": "tevelite245.mail.local", "source.ip": [ @@ -734,7 +781,7 @@ ] }, { - "@timestamp": "2017-01-20T16:14:16.000Z", + "@timestamp": "2017-01-06T09:11:41.000Z", "destination.ip": [ "10.25.39.99" ], 
@@ -742,10 +789,10 @@ "event.code": "882", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=veniamqu sn=nse time=\"2017/01/20 14:14:16\" fw=10.194.247.171 pri=low c=mquisnos m=882 msg=\"maven\" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu", + "event.original": "id=veniamqu sn=nse time=\"2017/01/06 07:11:41\" fw=10.194.247.171 pri=low c=mquisnos m=882 msg=\"maven\" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3829, + "log.offset": 3908, "log.original": "maven", "network.protocol": "ggp", "observer.egress.interface.name": "enp0s298", @@ -762,8 +809,8 @@ "rsa.internal.msg": "maven", "rsa.network.dinterface": "enp0s298", "rsa.network.sinterface": "eth6843", - "rsa.time.date": "2017/01/20", - "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "rsa.time.date": "2017/01/06", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "sonicwall", "source.ip": [ "10.112.75.76" 
@@ -775,20 +822,20 @@ ] }, { - "@timestamp": "2017-02-03T23:16:50.000Z", + "@timestamp": "2017-01-20T16:14:16.000Z", "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tvolu sn=ecte time=\"2017/02/03 21:16:50\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", + "event.original": "id=tvolu sn=ecte time=\"2017/01/20 14:14:16\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4032, + "log.offset": 4111, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "9", - "rsa.time.date": "2017/02/03", - "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "rsa.time.date": "2017/01/20", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -796,28 +843,28 @@ ] }, { - "@timestamp": "2017-02-18T06:19:24.000Z", + "@timestamp": "2017-02-03T23:16:50.000Z", "destination.ip": [ "10.162.172.28" ], "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "olupta id=litse sn=icabo time=\"2017/02/18 04:19:24\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", + "event.original": "olupta id=litse sn=icabo time=\"2017/02/03 21:16:50\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4144, + "log.offset": 4223, "log.original": "nre", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.162.172.28", - "10.237.163.139" + "10.237.163.139", + "10.162.172.28" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "nre", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", "service.type": "sonicwall", "source.ip": [ "10.237.163.139" 
@@ -828,36 +875,15 @@ ] }, { - "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "136", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=Nequepo sn=ipsumd time=\"2017/03/04 11:21:59\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4294, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "136", - "rsa.time.date": "2017/03/04", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "service.type": "sonicwall", - "tags": [ - "sonicwall.firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-18T20:24:33.000Z", + "@timestamp": "2017-02-18T06:19:24.000Z", "event.code": "1079", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=reetdolo sn=smo time=\"2017/03/18 18:24:33\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "event.original": "id=reetdolo sn=smo time=\"2017/02/18 04:19:24\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", "fileset.name": "firewall", "host.ip": "10.14.111.221", "input.type": "log", - "log.offset": 4415, + "log.offset": 4373, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -869,8 +895,8 @@ ], "rsa.internal.messageid": "1079", "rsa.misc.space": "", - "rsa.time.date": "2017/03/18", - "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "rsa.time.date": "2017/02/18", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -879,19 +905,19 @@ "user.name": "tco" }, { - "@timestamp": "2017-04-02T03:27:07.000Z", + "@timestamp": "2017-03-04T13:21:59.000Z", "event.code": "76", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "santiumd id=turadip sn=uatD time=\"2017/04/02 01:27:07\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", + "event.original": "santiumd id=turadip sn=uatD time=\"2017/03/04 11:21:59\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4558, + "log.offset": 4516, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "76", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -899,20 +925,20 @@ ] }, { - "@timestamp": "2017-04-16T10:29:41.000Z", + "@timestamp": "2017-03-18T20:24:33.000Z", "event.code": "29", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=volu sn=nonn time=\"2017/04/16 08:29:41\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", + "event.original": "id=volu sn=nonn time=\"2017/03/18 18:24:33\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4670, + "log.offset": 4628, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "29", - "rsa.time.date": "2017/04/16", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.date": "2017/03/18", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -920,7 +946,7 @@ ] }, { - "@timestamp": "2017-04-30T17:32:16.000Z", + "@timestamp": "2017-04-02T03:27:07.000Z", "destination.ip": [ "10.14.1.45" ], 
@@ -928,23 +954,23 @@ "event.code": "196", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=sBon sn=orro time=\"2017/04/30 15:32:16\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "event.original": "id=sBon sn=orro time=\"2017/04/02 01:27:07\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", "fileset.name": "firewall", "http.request.method": "HEAD", "input.type": "log", - "log.offset": 4788, + "log.offset": 4746, "log.original": "vita", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.14.1.45", - "10.126.34.82" + "10.126.34.82", + "10.14.1.45" ], "rsa.internal.messageid": "196", "rsa.internal.msg": "vita", - "rsa.time.date": "2017/04/30", - "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "rsa.time.date": "2017/04/02", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "sonicwall", "source.bytes": 2224, "source.ip": [ 
@@ -957,23 +983,23 @@ ] }, { - "@timestamp": "2017-05-15T00:34:50.000Z", + "@timestamp": "2017-04-16T10:29:41.000Z", "destination.nat.ip": "10.101.74.44", "destination.nat.port": 2134, "event.code": "998", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "amvo id=qui sn=tasn time=\"2017/05/14 22:34:50\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "event.original": "amvo id=qui sn=tasn time=\"2017/04/16 08:29:41\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4967, + "log.offset": 4925, "log.original": "utp", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.74.44", - "10.251.20.13" + "10.251.20.13", + "10.101.74.44" ], "related.user": [ "rsitv" @@ -981,7 +1007,7 @@ "rsa.internal.event_desc": "quin", "rsa.internal.messageid": "998", "rsa.internal.msg": "utp", - "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "sonicwall", "source.nat.ip": "10.251.20.13", "source.nat.port": 264, 
@@ -992,20 +1018,20 @@ "user.name": "rsitv" }, { - "@timestamp": "2017-05-29T07:37:24.000Z", + "@timestamp": "2017-04-30T17:32:16.000Z", "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tvolupt sn=eufugi time=\"2017/05/29 05:37:24\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "event.original": "id=tvolupt sn=eufugi time=\"2017/04/30 15:32:16\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5136, + "log.offset": 5094, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "9", - "rsa.time.date": "2017/05/29", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.date": "2017/04/30", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1013,19 +1039,19 @@ ] }, { - "@timestamp": "2017-06-12T14:39:58.000Z", + "@timestamp": "2017-05-15T00:34:50.000Z", "event.code": "40", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "temqu id=ovol sn=ptasn time=\"2017/06/12 12:39:58\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "event.original": "temqu id=ovol sn=ptasn time=\"2017/05/14 22:34:50\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5250, + "log.offset": 5208, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "40", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1033,20 +1059,20 @@ ] }, { - "@timestamp": "2017-06-26T21:42:33.000Z", + "@timestamp": "2017-05-29T07:37:24.000Z", "event.code": "163", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pid sn=illoin time=\"2017/06/26 19:42:33\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "event.original": "id=pid sn=illoin time=\"2017/05/29 05:37:24\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5364, + "log.offset": 5322, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "163", - "rsa.time.date": "2017/06/26", - "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "rsa.time.date": "2017/05/29", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1054,19 +1080,19 @@ ] }, { - "@timestamp": "2017-07-11T04:45:07.000Z", + "@timestamp": "2017-06-12T14:39:58.000Z", "event.code": "167", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "quid id=fugiat sn=atisun time=\"2017/07/11 02:45:07\" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN", + "event.original": "quid id=fugiat sn=atisun time=\"2017/06/12 12:39:58\" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5491, + "log.offset": 5449, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "167", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1074,16 +1100,16 @@ ] }, { - "@timestamp": "2017-07-25T11:47:41.000Z", + "@timestamp": "2017-06-26T21:42:33.000Z", "destination.nat.ip": "10.148.161.250", "destination.nat.port": 3791, "event.code": "534", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=essequam sn=acommo time=\"2017/07/25 09:47:41\" fw=10.177.144.70 pri=medium c=iat m=534 msg=\"etur\" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note=\"tinv\"", + "event.original": "id=essequam sn=acommo time=\"2017/06/26 19:42:33\" fw=10.177.144.70 pri=medium c=iat m=534 msg=\"etur\" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note=\"tinv\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5617, + "log.offset": 5575, "log.original": "etur", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1095,8 +1121,8 @@ "rsa.internal.event_desc": "tinv", "rsa.internal.messageid": "534", "rsa.internal.msg": "etur", - "rsa.time.date": "2017/07/25", - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.date": "2017/06/26", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", "service.type": "sonicwall", "source.nat.ip": "10.226.27.132", "source.nat.port": 2778, @@ -1106,7 +1132,7 @@ ] }, { - "@timestamp": "2017-08-08T18:50:15.000Z", + "@timestamp": "2017-07-11T04:45:07.000Z", "destination.ip": [ "10.149.0.64" ], 
@@ -1114,10 +1140,10 @@ "event.code": "83", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=isnisi sn=ritatise time=\"2017/08/08 16:50:15\" fw=10.38.54.72 pri=very-high c=ciad m=83 msg=\"tali\" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note=\"sau\" npcs=atevelit", + "event.original": "id=isnisi sn=ritatise time=\"2017/07/11 02:45:07\" fw=10.38.54.72 pri=very-high c=ciad m=83 msg=\"tali\" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note=\"sau\" npcs=atevelit", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5785, + "log.offset": 5743, "log.original": "tali", "observer.egress.interface.name": "eth2202", "observer.ingress.interface.name": "enp0s1540", @@ -1133,8 +1159,8 @@ "rsa.internal.msg": "tali", "rsa.network.dinterface": "eth2202", "rsa.network.sinterface": "enp0s1540", - "rsa.time.date": "2017/08/08", - "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "rsa.time.date": "2017/07/11", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "sonicwall", "source.ip": [ "10.64.50.66" 
@@ -1146,20 +1172,20 @@ ] }, { - "@timestamp": "2017-08-23T01:52:50.000Z", + "@timestamp": "2017-07-25T11:47:41.000Z", "event.code": "147", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=billo sn=labo time=\"2017/08/22 23:52:50\" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "event.original": "id=billo sn=labo time=\"2017/07/25 09:47:41\" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5992, + "log.offset": 5950, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "147", - "rsa.time.date": "2017/08/22", - "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "rsa.time.date": "2017/07/25", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1167,18 +1193,18 @@ ] }, { - "@timestamp": "2017-09-06T08:55:24.000Z", + "@timestamp": "2017-08-08T18:50:15.000Z", "destination.address": "ise5905.www.local", "destination.nat.ip": "10.53.113.23", "destination.nat.port": 4027, "event.code": "1154", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "elitse id=ima sn=quasia time=\"2017/09/06 06:55:24\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "event.original": "elitse id=ima sn=quasia time=\"2017/08/08 16:50:15\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", "fileset.name": "firewall", "host.hostname": "tiaec5551.www.local", "input.type": "log", - "log.offset": 6144, + "log.offset": 6102, "log.original": "mac", "observer.egress.interface.name": "lo1918", "observer.ingress.interface.name": "eth5313", @@ -1186,8 +1212,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1195,7 +1221,7 @@ "rsa.network.dinterface": "lo1918", "rsa.network.host_dst": "ise5905.www.local", "rsa.network.sinterface": "eth5313", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", "service.type": "sonicwall", "source.address": "tiaec5551.www.local", "source.nat.ip": "10.97.124.211", 
@@ -1206,20 +1232,20 @@ ] }, { - "@timestamp": "2017-09-20T15:57:58.000Z", + "@timestamp": "2017-08-23T01:52:50.000Z", "event.code": "135", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=asiarc sn=ian time=\"2017/09/20 13:57:58\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + "event.original": "id=asiarc sn=ian time=\"2017/08/22 23:52:50\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6391, + "log.offset": 6349, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "135", - "rsa.time.date": "2017/09/20", - "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "rsa.time.date": "2017/08/22", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1227,29 +1253,29 @@ ] }, { - "@timestamp": "2017-10-04T23:00:32.000Z", + "@timestamp": "2017-09-06T08:55:24.000Z", "destination.ip": [ "10.96.97.81" ], "event.code": "350", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rauto sn=ationev time=\"2017/10/04 21:00:32\" fw=10.92.19.202 pri=high c=nby m=350 msg=\"mve\" n=osqui src=10.161.148.64 dst=10.96.97.81", + "event.original": "id=rauto sn=ationev time=\"2017/09/06 06:55:24\" fw=10.92.19.202 pri=high c=nby m=350 msg=\"mve\" n=osqui src=10.161.148.64 dst=10.96.97.81", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6513, + "log.offset": 6471, "log.original": "mve", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.96.97.81", - "10.161.148.64" + "10.161.148.64", + "10.96.97.81" ], "rsa.internal.messageid": "350", "rsa.internal.msg": "mve", - "rsa.time.date": "2017/10/04", - "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "rsa.time.date": "2017/09/06", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "sonicwall", "source.ip": [ "10.161.148.64" 
@@ -1260,20 +1286,20 @@ ] }, { - "@timestamp": "2017-10-19T06:03:07.000Z", + "@timestamp": "2017-09-20T15:57:58.000Z", "event.code": "176", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nsequat sn=doloreme time=\"2017/10/19 04:03:07\" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked", + "event.original": "id=nsequat sn=doloreme time=\"2017/09/20 13:57:58\" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6649, + "log.offset": 6607, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "176", - "rsa.time.date": "2017/10/19", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.date": "2017/09/20", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1281,14 +1307,14 @@ ] }, { - "@timestamp": "2017-11-02T13:05:41.000Z", + "@timestamp": "2017-10-04T23:00:32.000Z", "event.code": "1231", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "itse id=umexerc sn=oremipsu time=\"2017/11/02 11:05:41\" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg=\"liqua\" n=utodita note=\"aec\"", + "event.original": "itse id=umexerc sn=oremipsu time=\"2017/10/04 21:00:32\" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg=\"liqua\" n=utodita note=\"aec\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6779, + "log.offset": 6737, "log.original": "liqua", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1297,7 +1323,7 @@ "rsa.internal.messageid": "1231", "rsa.internal.msg": "liqua", "rsa.misc.space": "", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1305,20 +1331,20 @@ ] }, { - "@timestamp": "2017-11-16T20:08:15.000Z", + "@timestamp": "2017-10-19T06:03:07.000Z", "event.code": "22", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=elitse sn=reseo time=\"2017/11/16 18:08:15\" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked", + "event.original": "id=elitse sn=reseo time=\"2017/10/19 04:03:07\" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6911, + "log.offset": 6869, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "22", - "rsa.time.date": "2017/11/16", - "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "rsa.time.date": "2017/10/19", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1326,28 +1352,28 @@
 ]
 },
 {
- "@timestamp": "2017-12-01T03:10:49.000Z",
+ "@timestamp": "2017-11-02T13:05:41.000Z",
 "destination.nat.ip": "10.125.134.213",
 "event.code": "msg",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "id=plicab sn=oremq time=\"2017/12/01 01:10:49\" fw=10.40.152.253 pri=low c=ritt m=msg msg=\"iaeco\" src=10.53.150.77 dst=10.125.134.213 failure",
+ "event.original": "id=plicab sn=oremq time=\"2017/11/02 11:05:41\" fw=10.40.152.253 pri=low c=ritt m=msg msg=\"iaeco\" src=10.53.150.77 dst=10.125.134.213 failure",
 "fileset.name": "firewall",
 "input.type": "log",
- "log.offset": 7023,
+ "log.offset": 6981,
 "log.original": "iaeco",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.125.134.213",
- "10.53.150.77"
+ "10.53.150.77",
+ "10.125.134.213"
 ],
 "rsa.internal.messageid": "msg",
 "rsa.internal.msg": "iaeco",
 "rsa.misc.result": "failure",
- "rsa.time.date": "2017/12/01",
- "rsa.time.event_time": "2017-12-01T03:10:49.000Z",
+ "rsa.time.date": "2017/11/02",
+ "rsa.time.event_time": "2017-11-02T13:05:41.000Z",
 "service.type": "sonicwall",
 "source.nat.ip": "10.53.150.77",
 "tags": [
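Review bot: The `related.ip` array for this event changes order between the old and new expectation (`"10.125.134.213", "10.53.150.77"` becomes `"10.53.150.77", "10.125.134.213"`) although the event's source and destination addresses are unchanged, and the same flip appears in several other events in this file. If the fixture comparison is position-sensitive, an ordering that varies between regenerations will make this test flaky and will bury real parsing regressions under spurious diffs. Since `related.ip` is a set of addresses, it would be safer to sort it where the pipeline builds it, or to normalise array order in the test comparison, so the fixture only changes when parsed values change; I cannot see the pipeline or the comparison code from this hunk, so this is to be confirmed. The timestamp and `log.offset` shifts in the hunk are consistent with a regenerated input log and raise no concern on their own.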
@@ -1356,20 +1382,20 @@ ] }, { - "@timestamp": "2017-12-15T10:13:24.000Z", + "@timestamp": "2017-11-16T20:08:15.000Z", "event.code": "7", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quaea sn=ametcons time=\"2017/12/15 08:13:24\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", + "event.original": "id=quaea sn=ametcons time=\"2017/11/16 18:08:15\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7163, + "log.offset": 7121, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "7", - "rsa.time.date": "2017/12/15", - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.date": "2017/11/16", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1377,15 +1403,15 @@ ] }, { - "@timestamp": "2017-12-29T17:15:58.000Z", + "@timestamp": "2017-12-01T03:10:49.000Z", "destination.nat.ip": "10.77.174.205", "event.code": "240", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ariatur sn=rer time=\"2017/12/29 15:15:58\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", + "event.original": "id=ariatur sn=rer time=\"2017/12/01 01:10:49\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7285, + "log.offset": 7243, "log.original": "issuscip", "observer.product": "Firewalls", "observer.type": "Firewall", 
@@ -1397,8 +1423,8 @@ "rsa.internal.messageid": "240", "rsa.internal.msg": "issuscip", "rsa.misc.ntype": "uisa", - "rsa.time.date": "2017/12/29", - "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "rsa.time.date": "2017/12/01", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "sonicwall", "source.nat.ip": "10.240.49.224", "tags": [ @@ -1407,17 +1433,17 @@ ] }, { - "@timestamp": "2018-01-13T00:18:32.000Z", + "@timestamp": "2017-12-15T10:13:24.000Z", "destination.ip": [ "10.187.210.173" ], "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=luptatem sn=uaeratv time=\"2018/01/12 22:18:32\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", + "event.original": "id=luptatem sn=uaeratv time=\"2017/12/15 08:13:24\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7431, + "log.offset": 7389, "log.original": "quamnih", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1428,8 +1454,8 @@ ], "rsa.internal.messageid": "255", "rsa.internal.msg": "quamnih", - "rsa.time.date": "2018/01/12", - "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "rsa.time.date": "2017/12/15", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "sonicwall", "source.ip": [ "10.44.150.31" @@ -1440,7 +1466,7 @@ ] }, { - "@timestamp": "2018-01-27T07:21:06.000Z", + "@timestamp": "2017-12-29T05:15:58.000Z", "destination.ip": [ "10.251.248.228" ], 
@@ -1452,20 +1478,20 @@ "event.code": "ntutlabo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ntutlabo sn=iusmodte time=\"2018-1-27 5:21:06\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action=\"cancel\"", + "event.original": "id=ntutlabo sn=iusmodte time=\"2017-12-29 3:15:58\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action=\"cancel\"", "fileset.name": "firewall", "host.ip": "10.108.84.24", "input.type": "log", "log.level": "low", - "log.offset": 7586, + "log.offset": 7544, "network.protocol": "ipv6", "observer.ingress.interface.name": "eth163", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.251.248.228", "10.108.84.24", + "10.251.248.228", "10.113.100.237" ], "rsa.internal.event_desc": "volupt", @@ -1478,8 +1504,8 @@ "rsa.misc.serial_number": "iusmodte", "rsa.misc.severity": "low", "rsa.network.sinterface": "eth163", - "rsa.time.date": "2018-1-27", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.date": "2017-12-29", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", "service.type": "sonicwall", "source.ip": [ "10.113.100.237" @@ -1492,7 +1518,7 @@ ] }, { - "@timestamp": "2018-02-10T14:23:41.000Z", + "@timestamp": "2018-01-12T12:18:32.000Z", "destination.ip": [ "10.207.211.230" ], 
@@ -1504,12 +1530,12 @@ "event.code": "proident", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=proident sn=maliquam time=\"2018-2-10 12:23:41\" fw=10.229.229.42 pri=high c=vitaedic m=428 msg=\"orin\" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action=\"allow\"", + "event.original": "id=proident sn=maliquam time=\"2018-1-12 10:18:32\" fw=10.229.229.42 pri=high c=vitaedic m=428 msg=\"orin\" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action=\"allow\"", "fileset.name": "firewall", "host.ip": "10.229.229.42", "input.type": "log", "log.level": "high", - "log.offset": 7838, + "log.offset": 7797, "network.protocol": "tcp", "observer.egress.interface.name": "eth211", "observer.ingress.interface.name": "enp0s3531", @@ -1518,8 +1544,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.103.117.31", - "10.229.229.42", - "10.207.211.230" + "10.207.211.230", + "10.229.229.42" ], "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "428", @@ -1532,8 +1558,8 @@ "rsa.misc.severity": "high", "rsa.network.dinterface": "eth211", "rsa.network.sinterface": "enp0s3531", - "rsa.time.date": "2018-2-10", - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.date": "2018-1-12", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", "service.type": "sonicwall", "source.ip": [ "10.103.117.31" 
@@ -1546,28 +1572,28 @@ ] }, { - "@timestamp": "2018-02-24T21:26:15.000Z", + "@timestamp": "2018-01-27T07:21:06.000Z", "destination.nat.ip": "10.32.39.220", "event.code": "412", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emvele sn=isnost time=\"2018/02/24 19:26:15\" fw=10.71.112.159 pri=medium c=emqu m=412 msg=\"riss\" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note=\"aliq\"", + "event.original": "id=emvele sn=isnost time=\"2018/01/27 05:21:06\" fw=10.71.112.159 pri=medium c=emqu m=412 msg=\"riss\" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note=\"aliq\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8099, + "log.offset": 8058, "log.original": "riss", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.32.39.220", - "10.248.165.185" + "10.248.165.185", + "10.32.39.220" ], "rsa.internal.event_desc": "aliq", "rsa.internal.messageid": "412", "rsa.internal.msg": "riss", - "rsa.time.date": "2018/02/24", - "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "rsa.time.date": "2018/01/27", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sonicwall", "source.nat.ip": "10.248.165.185", "source.nat.port": 3436, 
@@ -1577,20 +1603,20 @@ ] }, { - "@timestamp": "2018-03-11T04:28:49.000Z", + "@timestamp": "2018-02-10T14:23:41.000Z", "event.code": "27", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mven sn=olorsit time=\"2018/03/11 02:28:49\" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped", + "event.original": "id=mven sn=olorsit time=\"2018/02/10 12:23:41\" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8262, + "log.offset": 8221, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "27", - "rsa.time.date": "2018/03/11", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.date": "2018/02/10", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1598,20 +1624,20 @@ ] }, { - "@timestamp": "2018-03-25T11:31:24.000Z", + "@timestamp": "2018-02-24T21:26:15.000Z", "event.code": "95", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatevel sn=boreetdo time=\"2018/03/25 09:31:24\" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C", + "event.original": "id=tatevel sn=boreetdo time=\"2018/02/24 19:26:15\" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8376, + "log.offset": 8335, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "95", - "rsa.time.date": "2018/03/25", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.date": "2018/02/24", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1619,20 +1645,20 @@ ] }, { - "@timestamp": "2018-04-08T18:33:58.000Z", + "@timestamp": "2018-03-11T04:28:49.000Z", "event.code": "138", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ddoeius sn=ugiatn time=\"2018/04/08 16:33:58\" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded", + "event.original": "id=ddoeius sn=ugiatn time=\"2018/03/11 02:28:49\" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8487, + "log.offset": 8446, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "138", - "rsa.time.date": "2018/04/08", - "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "rsa.time.date": "2018/03/11", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1640,20 +1666,20 @@ ] }, { - "@timestamp": "2018-04-23T01:36:32.000Z", + "@timestamp": "2018-03-25T11:31:24.000Z", "event.code": "107", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uiadol sn=Duisa time=\"2018/04/22 23:36:32\" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting.", + "event.original": "id=uiadol sn=Duisa time=\"2018/03/25 09:31:24\" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8591, + "log.offset": 8550, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "107", - "rsa.time.date": "2018/04/22", - "rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "rsa.time.date": "2018/03/25", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1661,29 +1687,29 @@ ] }, { - "@timestamp": "2018-05-07T08:39:06.000Z", + "@timestamp": "2018-04-08T18:33:58.000Z", "destination.ip": [ "10.11.83.126" ], "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emips sn=atv time=\"2018/05/07 06:39:06\" fw=10.2.114.9 pri=high c=alorum m=372 msg=\"obeataev\" n=tempor src=10.134.237.235 dst=10.11.83.126", + "event.original": "id=emips sn=atv time=\"2018/04/08 16:33:58\" fw=10.2.114.9 pri=high c=alorum m=372 msg=\"obeataev\" n=tempor src=10.134.237.235 dst=10.11.83.126", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8709, + "log.offset": 8668, "log.original": "obeataev", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.11.83.126", - "10.134.237.235" + "10.134.237.235", + "10.11.83.126" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "obeataev", - "rsa.time.date": "2018/05/07", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.date": "2018/04/08", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", "service.type": "sonicwall", "source.ip": [ "10.134.237.235" 
@@ -1694,20 +1720,20 @@ ] }, { - "@timestamp": "2018-05-21T15:41:41.000Z", + "@timestamp": "2018-04-23T01:36:32.000Z", "event.code": "117", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=osquir sn=mod time=\"2018/05/21 13:41:41\" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting).", + "event.original": "id=osquir sn=mod time=\"2018/04/22 23:36:32\" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8850, + "log.offset": 8809, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "117", - "rsa.time.date": "2018/05/21", - "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "rsa.time.date": "2018/04/22", + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1715,20 +1741,20 @@ ] }, { - "@timestamp": "2018-06-04T22:44:15.000Z", + "@timestamp": "2018-05-07T08:39:06.000Z", "event.code": "169", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Sedutpe sn=prehen time=\"2018/06/04 20:44:15\" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN", + "event.original": "id=Sedutpe sn=prehen time=\"2018/05/07 06:39:06\" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8975, + "log.offset": 8934, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "169", - "rsa.time.date": "2018/06/04", - "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "rsa.time.date": "2018/05/07", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1736,19 +1762,19 @@ ] }, { - "@timestamp": "2018-06-19T05:46:49.000Z", + "@timestamp": "2018-05-21T15:41:41.000Z", "event.code": "117", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "tempor id=citatio sn=oluptat time=\"2018/06/19 03:46:49\" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting).", + "event.original": "tempor id=citatio sn=oluptat time=\"2018/05/21 13:41:41\" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9093, + "log.offset": 9052, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "117", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1756,20 +1782,20 @@ ] }, { - "@timestamp": "2018-07-03T12:49:23.000Z", + "@timestamp": "2018-06-04T22:44:15.000Z", "event.code": "164", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nsequunt sn=proident time=\"2018/07/03 10:49:23\" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE.", + "event.original": "id=nsequunt sn=proident time=\"2018/06/04 20:44:15\" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9230, + "log.offset": 9189, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "164", - "rsa.time.date": "2018/07/03", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.date": "2018/06/04", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1777,15 +1803,15 @@ ] }, { - "@timestamp": "2018-07-17T19:51:58.000Z", + "@timestamp": "2018-06-19T05:46:49.000Z", "destination.nat.ip": "10.99.248.145", "event.code": "412", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "ugit id=tatem sn=metcons time=\"2018/07/17 17:51:58\" fw=10.252.102.110 pri=medium c=tamet m=412 msg=\"perspici\" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note=\"molestia\"", + "event.original": "ugit id=tatem sn=metcons time=\"2018/06/19 03:46:49\" fw=10.252.102.110 pri=medium c=tamet m=412 msg=\"perspici\" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note=\"molestia\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9366, + "log.offset": 9325, "log.original": "perspici", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1797,7 +1823,7 @@ "rsa.internal.event_desc": "molestia", "rsa.internal.messageid": "412", "rsa.internal.msg": "perspici", - "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "sonicwall", "source.nat.ip": "10.115.53.31", "source.nat.port": 6606, @@ -1807,7 +1833,7 @@ ] }, { - "@timestamp": "2018-08-01T02:54:32.000Z", + "@timestamp": "2018-07-03T12:49:23.000Z", "destination.ip": [ "10.168.208.169" ], @@ -1818,10 +1844,10 @@ "event.code": "616", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=labore sn=uela time=\"2018/08/01 00:54:32\" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg=\"deny\" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168", + "event.original": "id=labore sn=uela time=\"2018/07/03 10:49:23\" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg=\"deny\" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9542, + "log.offset": 9501, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
@@ -1833,8 +1859,8 @@ "rsa.misc.action": [ "deny" ], - "rsa.time.date": "2018/08/01", - "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "rsa.time.date": "2018/07/03", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "sonicwall", "source.ip": [ "10.143.228.97" @@ -1846,7 +1872,7 @@ ] }, { - "@timestamp": "2018-08-15T09:57:06.000Z", + "@timestamp": "2018-07-17T19:51:58.000Z", "destination.ip": [ "10.236.56.233" ], @@ -1857,10 +1883,10 @@ "event.code": "373", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "licaboN id=atquo sn=cupi time=\"2018/08/15 07:57:06\" fw=10.151.129.181 pri=very-high c=udan m=373 msg=\"allow\" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484", + "event.original": "licaboN id=atquo sn=cupi time=\"2018/07/17 17:51:58\" fw=10.151.129.181 pri=very-high c=udan m=373 msg=\"allow\" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9702, + "log.offset": 9661, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1872,7 +1898,7 @@ "rsa.misc.action": [ "allow" ], - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", "service.type": "sonicwall", "source.ip": [ "10.43.16.73" 
@@ -1884,28 +1910,28 @@ ] }, { - "@timestamp": "2018-08-29T16:59:40.000Z", + "@timestamp": "2018-08-01T02:54:32.000Z", "destination.nat.ip": "10.222.251.114", "event.code": "412", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aeab sn=teur time=\"2018/08/29 14:59:40\" fw=10.231.199.50 pri=low c=stquid m=412 msg=\"turadipi\" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note=\"illu\"", + "event.original": "id=aeab sn=teur time=\"2018/08/01 00:54:32\" fw=10.231.199.50 pri=low c=stquid m=412 msg=\"turadipi\" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note=\"illu\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9865, + "log.offset": 9824, "log.original": "turadipi", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.251.114", - "10.184.254.143" + "10.184.254.143", + "10.222.251.114" ], "rsa.internal.event_desc": "illu", "rsa.internal.messageid": "412", "rsa.internal.msg": "turadipi", - "rsa.time.date": "2018/08/29", - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "rsa.time.date": "2018/08/01", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", "service.type": "sonicwall", "source.nat.ip": "10.184.254.143", "source.nat.port": 4402, 
@@ -1915,20 +1941,20 @@ ] }, { - "@timestamp": "2018-09-13T00:02:15.000Z", + "@timestamp": "2018-08-15T09:57:06.000Z", "event.code": "72", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=asuntexp sn=adminim time=\"2018/09/12 22:02:15\" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped", + "event.original": "id=asuntexp sn=adminim time=\"2018/08/15 07:57:06\" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10027, + "log.offset": 9986, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "72", - "rsa.time.date": "2018/09/12", - "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "rsa.time.date": "2018/08/15", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1936,20 +1962,20 @@ ] }, { - "@timestamp": "2018-09-27T07:04:49.000Z", + "@timestamp": "2018-08-29T16:59:40.000Z", "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iumt sn=tsed time=\"2018/09/27 05:04:49\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "event.original": "id=iumt sn=tsed time=\"2018/08/29 14:59:40\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10138, + "log.offset": 10097, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "34", - "rsa.time.date": "2018/09/27", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.date": "2018/08/29", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -1957,19 +1983,19 @@ ] }, { - "@timestamp": "2018-10-11T14:07:23.000Z", + "@timestamp": "2018-09-13T00:02:15.000Z", "event.code": "96", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "orsi id=tetura sn=imadmini time=\"2018/10/11 12:07:23\" fw=10.46.192.198 pri=high c=uat m=96 Status", + "event.original": "orsi id=tetura sn=imadmini time=\"2018/09/12 22:02:15\" fw=10.46.192.198 pri=high c=uat m=96 Status", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10245, + "log.offset": 10204, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "96", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1977,17 +2003,17 @@ ] }, { - "@timestamp": "2018-10-25T09:09:57.000Z", + "@timestamp": "2018-09-27T07:04:49.000Z", "destination.bytes": 5253, "event.code": "dolorema", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=dolorema sn=emagn time=\"2018-10-25 7:09:57\" fw=10.200.86.116 pri=medium m= msg=\"orinrep\" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474", + "event.original": "id=dolorema sn=emagn time=\"2018-9-27 5:04:49\" fw=10.200.86.116 pri=medium m= msg=\"orinrep\" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474", "fileset.name": "firewall", "host.ip": "10.200.86.116", "input.type": "log", "log.level": "medium", - "log.offset": 10343, + "log.offset": 10302, "network.interface.name": "enp0s347", "observer.product": "Firewalls", "observer.type": "Firewall", 
@@ -2002,8 +2028,8 @@ "rsa.misc.serial_number": "emagn", "rsa.misc.severity": "medium", "rsa.network.interface": "enp0s347", - "rsa.time.date": "2018-10-25", - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.date": "2018-9-27", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "sonicwall", "source.bytes": 3474, "tags": [ @@ -2012,20 +2038,20 @@ ] }, { - "@timestamp": "2018-11-09T04:12:32.000Z", + "@timestamp": "2018-10-11T14:07:23.000Z", "event.code": "8", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=culpaqui sn=tvolup time=\"2018/11/09 02:12:32\" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded", + "event.original": "id=culpaqui sn=tvolup time=\"2018/10/11 12:07:23\" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10529, + "log.offset": 10487, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "8", - "rsa.time.date": "2018/11/09", - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.date": "2018/10/11", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2033,20 +2059,20 @@ ] }, { - "@timestamp": "2018-11-23T11:15:06.000Z", + "@timestamp": "2018-10-25T21:09:57.000Z", "event.code": "66", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatev sn=luptas time=\"2018/11/23 09:15:06\" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI", + "event.original": "id=tatev sn=luptas time=\"2018/10/25 19:09:57\" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10638, + "log.offset": 10596, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "66", - "rsa.time.date": "2018/11/23", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.date": "2018/10/25", + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2054,20 +2080,20 @@ ] }, { - "@timestamp": "2018-12-07T18:17:40.000Z", + "@timestamp": "2018-11-09T04:12:32.000Z", "event.code": "148", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iadese sn=nisiu time=\"2018/12/07 16:17:40\" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active", + "event.original": "id=iadese sn=nisiu time=\"2018/11/09 02:12:32\" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10742, + "log.offset": 10700, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "148", - "rsa.time.date": "2018/12/07", - "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "rsa.time.date": "2018/11/09", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2075,20 +2101,20 @@ ] }, { - "@timestamp": "2018-12-22T01:20:14.000Z", + "@timestamp": "2018-11-23T11:15:06.000Z", "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=sitametc sn=onsequa time=\"2018/12/21 23:20:14\" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available", + "event.original": "id=sitametc sn=onsequa time=\"2018/11/23 09:15:06\" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10901, + "log.offset": 10859, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "9", - "rsa.time.date": "2018/12/21", - "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "rsa.time.date": "2018/11/23", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2096,20 +2122,20 @@ ] }, { - "@timestamp": "2019-01-05T08:22:49.000Z", + "@timestamp": "2018-12-07T18:17:40.000Z", "event.code": "49", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pisc sn=urEx time=\"2019/01/05 06:22:49\" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel", + "event.original": "id=pisc sn=urEx time=\"2018/12/07 16:17:40\" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11021, + "log.offset": 10979, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "49", - "rsa.time.date": "2019/01/05", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.date": "2018/12/07", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2117,20 +2143,20 @@ ] }, { - "@timestamp": "2019-01-19T15:25:23.000Z", + "@timestamp": "2018-12-22T01:20:14.000Z", "event.code": "144", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tnonproi sn=squira time=\"2019/01/19 13:25:23\" fw=10.141.238.139 pri=medium c=uide m=144 Primary firewall has transitioned to Idle", + "event.original": "id=tnonproi sn=squira time=\"2018/12/21 23:20:14\" fw=10.141.238.139 pri=medium c=uide m=144 Primary firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11133, + "log.offset": 11091, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "144", - "rsa.time.date": "2019/01/19", - "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "rsa.time.date": "2018/12/21", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2138,7 +2164,7 @@ ] }, { - "@timestamp": "2019-02-02T22:27:57.000Z", + "@timestamp": "2019-01-05T08:22:49.000Z", "destination.ip": [ "10.101.163.40" ], @@ -2146,10 +2172,10 @@ "event.code": "83", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "lmolesti id=meumfugi sn=tquas time=\"2019/02/02 20:27:57\" fw=10.200.22.41 pri=medium c=iame m=83 msg=\"orroquis\" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370", + "event.original": "lmolesti id=meumfugi sn=tquas time=\"2019/01/05 06:22:49\" fw=10.200.22.41 pri=medium c=iame m=83 msg=\"orroquis\" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11266, + "log.offset": 11224, "log.original": "orroquis", "observer.egress.interface.name": "enp0s1370", "observer.ingress.interface.name": "enp0s4472", 
@@ -2164,7 +2190,7 @@ "rsa.internal.msg": "orroquis", "rsa.network.dinterface": "enp0s1370", "rsa.network.sinterface": "enp0s4472", - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "sonicwall", "source.ip": [ "10.208.79.170" @@ -2176,20 +2202,20 @@ ] }, { - "@timestamp": "2019-02-17T05:30:32.000Z", + "@timestamp": "2019-01-19T15:25:23.000Z", "event.code": "144", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uisnostr sn=reetdol time=\"2019/02/17 03:30:32\" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle", + "event.original": "id=uisnostr sn=reetdol time=\"2019/01/19 13:25:23\" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11451, + "log.offset": 11409, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "144", - "rsa.time.date": "2019/02/17", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.date": "2019/01/19", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2197,20 +2223,20 @@ ] }, { - "@timestamp": "2019-03-03T12:33:06.000Z", + "@timestamp": "2019-02-02T22:27:57.000Z", "event.code": "104", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=runtmo sn=ore time=\"2019/03/03 10:33:06\" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying).", + "event.original": "id=runtmo sn=ore time=\"2019/02/02 20:27:57\" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11585, + "log.offset": 11543, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "104", - "rsa.time.date": "2019/03/03", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.date": "2019/02/02", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2218,20 +2244,20 @@ ] }, { - "@timestamp": "2019-03-17T19:35:40.000Z", + "@timestamp": "2019-02-17T05:30:32.000Z", "event.code": "21", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mveleum sn=liq time=\"2019/03/17 17:35:40\" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed", + "event.original": "id=mveleum sn=liq time=\"2019/02/17 03:30:32\" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11712, + "log.offset": 11670, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "21", - "rsa.time.date": "2019/03/17", - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "rsa.time.date": "2019/02/17", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2239,7 +2265,7 @@ ] }, { - "@timestamp": "2019-04-01T02:38:14.000Z", + "@timestamp": "2019-03-03T12:33:06.000Z", "destination.ip": [ "10.236.247.87" ], @@ -2250,10 +2276,10 @@ "event.code": "710", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "mdolors id=oremi sn=ugitsedq time=\"2019/04/01 00:38:14\" fw=10.143.229.47 pri=medium c=nisiut m=710 msg=\"cancel\" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360", + "event.original": "mdolors id=oremi sn=ugitsedq time=\"2019/03/03 10:33:06\" fw=10.143.229.47 pri=medium c=nisiut m=710 msg=\"cancel\" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11807, + "log.offset": 11765, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -2265,7 +2291,7 @@ "rsa.misc.action": [ "cancel" ], - "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "sonicwall", "source.ip": [ "10.175.98.45" @@ -2277,19 +2303,19 @@ ] }, { - "@timestamp": "2019-04-15T09:40:49.000Z", + "@timestamp": "2019-03-17T19:35:40.000Z", "event.code": "155", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "tvolup id=consecte sn=pteurs time=\"2019/04/15 07:40:49\" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source", + "event.original": "tvolup id=consecte sn=pteurs time=\"2019/03/17 17:35:40\" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11972, + "log.offset": 11930, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "155", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2297,20 +2323,20 @@ ] }, { - "@timestamp": "2019-04-29T16:43:23.000Z", + "@timestamp": "2019-04-01T02:38:14.000Z", "event.code": "53", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=unt sn=tass time=\"2019/04/29 14:43:23\" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped", + "event.original": "id=unt sn=tass time=\"2019/04/01 00:38:14\" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12112, + "log.offset": 12070, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "53", - "rsa.time.date": "2019/04/29", - "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "rsa.time.date": "2019/04/01", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2318,7 +2344,7 @@ ] }, { - "@timestamp": "2019-05-13T23:45:57.000Z", + "@timestamp": "2019-04-15T09:40:49.000Z", "destination.address": "iam7526.mail.test", "destination.ip": [ "10.22.244.71" 
@@ -2330,11 +2356,11 @@ "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=umdolo sn=rroqui time=\"2019/05/13 21:45:57\" fw=10.76.122.196 pri=high c=epteur m=888 msg=\"malware;deny\" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test", + "event.original": "id=umdolo sn=rroqui time=\"2019/04/15 07:40:49\" fw=10.76.122.196 pri=high c=epteur m=888 msg=\"malware;deny\" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test", "fileset.name": "firewall", "host.hostname": "cta5467.www.localhost", "input.type": "log", - "log.offset": 12261, + "log.offset": 12219, "observer.egress.interface.name": "eth3249", "observer.ingress.interface.name": "enp0s2909", "observer.product": "Firewalls", @@ -2352,8 +2378,8 @@ "rsa.network.dinterface": "eth3249", "rsa.network.host_dst": "iam7526.mail.test", "rsa.network.sinterface": "enp0s2909", - "rsa.time.date": "2019/05/13", - "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "rsa.time.date": "2019/04/15", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "sonicwall", "source.address": "cta5467.www.localhost", "source.ip": [ 
@@ -2366,23 +2392,23 @@ ] }, { - "@timestamp": "2019-05-28T06:48:31.000Z", + "@timestamp": "2019-04-29T16:43:23.000Z", "destination.nat.ip": "10.20.73.247", "destination.nat.port": 4228, "event.code": "998", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "cepteur id=aer sn=osquira time=\"2019/05/28 04:48:31\" fw=10.232.158.211 pri=high c=dolorem m=998 msg=\"sed\" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note=\"sed\"", + "event.original": "cepteur id=aer sn=osquira time=\"2019/04/29 14:43:23\" fw=10.232.158.211 pri=high c=dolorem m=998 msg=\"sed\" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note=\"sed\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12474, + "log.offset": 12432, "log.original": "sed", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.20.73.247", - "10.205.21.166" + "10.205.21.166", + "10.20.73.247" ], "related.user": [ "sun" @@ -2390,7 +2416,7 @@ "rsa.internal.event_desc": "sed", "rsa.internal.messageid": "998", "rsa.internal.msg": "sed", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", "service.type": "sonicwall", "source.nat.ip": "10.205.21.166", "source.nat.port": 236, 
@@ -2401,20 +2427,20 @@ "user.name": "sun" }, { - "@timestamp": "2019-06-11T13:51:06.000Z", + "@timestamp": "2019-05-13T23:45:57.000Z", "event.code": "165", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pernat sn=udan time=\"2019/06/11 11:51:06\" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot", + "event.original": "id=pernat sn=udan time=\"2019/05/13 21:45:57\" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12651, + "log.offset": 12609, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "165", - "rsa.time.date": "2019/06/11", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.date": "2019/05/13", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2422,20 +2448,20 @@ ] }, { - "@timestamp": "2019-06-25T20:53:40.000Z", + "@timestamp": "2019-05-28T06:48:31.000Z", "event.code": "6", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=orum sn=Bonoru time=\"2019/06/25 18:53:40\" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email", + "event.original": "id=orum sn=Bonoru time=\"2019/05/28 04:48:31\" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12786, + "log.offset": 12744, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "6", - "rsa.time.date": "2019/06/25", - "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "rsa.time.date": "2019/05/28", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2443,20 +2469,20 @@ ] }, { - "@timestamp": "2019-07-10T03:56:14.000Z", + "@timestamp": "2019-06-11T13:51:06.000Z", "event.code": "11", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=lamcola sn=veli time=\"2019/07/10 01:56:14\" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server", + "event.original": "id=lamcola sn=veli time=\"2019/06/11 11:51:06\" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12903, + "log.offset": 12861, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "11", - "rsa.time.date": "2019/07/10", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.date": "2019/06/11", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2464,20 +2490,20 @@ ] }, { - "@timestamp": "2019-07-24T10:58:48.000Z", + "@timestamp": "2019-06-25T20:53:40.000Z", "event.code": "19", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mmod sn=iti time=\"2019/07/24 08:58:48\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "event.original": "id=mmod sn=iti time=\"2019/06/25 18:53:40\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13047, + "log.offset": 13005, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "19", - "rsa.time.date": "2019/07/24", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.date": "2019/06/25", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2485,28 +2511,28 @@ ] }, { - "@timestamp": "2019-08-07T18:01:23.000Z", + "@timestamp": "2019-07-10T03:56:14.000Z", "destination.nat.ip": "10.129.101.147", "destination.nat.port": 3606, "event.code": "413", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mag sn=gelitse time=\"2019/08/07 16:01:23\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "event.original": "id=mag sn=gelitse time=\"2019/07/10 01:56:14\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13139, + "log.offset": 13097, "log.original": "upta", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.129.101.147", - "10.206.229.61" + "10.206.229.61", + "10.129.101.147" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", - "rsa.time.date": "2019/08/07", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "rsa.time.date": "2019/07/10", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "sonicwall", "source.nat.ip": "10.206.229.61", "source.nat.port": 3467, 
@@ -2516,20 +2542,20 @@ ] }, { - "@timestamp": "2019-08-22T01:03:57.000Z", + "@timestamp": "2019-07-24T10:58:48.000Z", "event.code": "159", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nostrud sn=cteturad time=\"2019/08/21 23:03:57\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "event.original": "id=nostrud sn=cteturad time=\"2019/07/24 08:58:48\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13290, + "log.offset": 13248, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "159", - "rsa.time.date": "2019/08/21", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.date": "2019/07/24", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -2537,22 +2563,22 @@ ] }, { - "@timestamp": "2019-09-05T08:06:31.000Z", + "@timestamp": "2019-08-07T18:01:23.000Z", "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ritati sn=iciade time=\"2019/09/05 06:06:31\" fw=10.202.224.79 pri=low c=nevolupt m=441 msg=\"aco\" n=apar", + "event.original": "id=ritati sn=iciade time=\"2019/08/07 16:01:23\" fw=10.202.224.79 pri=low c=nevolupt m=441 msg=\"aco\" n=apar", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13400, + "log.offset": 13358, "log.original": "aco", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "441", "rsa.internal.msg": "aco", - "rsa.time.date": "2019/09/05", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.date": "2019/08/07", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2560,17 +2586,17 @@ ] }, { - "@timestamp": "2019-09-19T15:09:05.000Z", + "@timestamp": "2019-08-22T01:03:57.000Z", "destination.ip": [ "10.125.85.128" ], "event.code": "355", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=vol sn=psumd time=\"2019/09/19 13:09:05\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "event.original": "id=vol sn=psumd time=\"2019/08/21 23:03:57\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13506, + "log.offset": 13464, "log.original": "labo", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -2581,8 +2607,8 @@ ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo", - "rsa.time.date": "2019/09/19", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "rsa.time.date": "2019/08/21", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "sonicwall", "source.ip": [ "10.78.29.246" @@ -2593,19 +2619,19 @@ ] }, { - "@timestamp": "2019-10-03T22:11:40.000Z", + "@timestamp": "2019-09-05T08:06:31.000Z", "event.code": "101", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "enbyCi id=reetdo sn=tat time=\"2019/10/03 20:11:40\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "event.original": "enbyCi id=reetdo sn=tat time=\"2019/09/05 06:06:31\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13644, + "log.offset": 13602, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "101", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2613,7 +2639,7 @@ ] }, { - "@timestamp": "2019-10-18T05:14:14.000Z", + "@timestamp": "2019-09-19T15:09:05.000Z", "destination.ip": [ "10.21.147.52" ], @@ -2621,10 +2647,10 @@ "event.code": "714", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quunt sn=itasp time=\"2019/10/18 03:14:14\" fw=10.210.181.12 pri=high c=met m=714 msg=\"volup\" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur", + "event.original": "id=quunt sn=itasp time=\"2019/09/19 13:09:05\" fw=10.210.181.12 pri=high c=met m=714 msg=\"volup\" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13772, + "log.offset": 13730, "log.original": "volup", "observer.egress.interface.name": "eth2990", "observer.ingress.interface.name": "enp0s5214", @@ -2640,8 +2666,8 @@ "rsa.internal.msg": "volup", "rsa.network.dinterface": "eth2990", "rsa.network.sinterface": "enp0s5214", - "rsa.time.date": "2019/10/18", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.date": "2019/09/19", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "sonicwall", "source.ip": [ "10.44.198.184" 
@@ -2653,20 +2679,20 @@ ] }, { - "@timestamp": "2019-11-01T12:16:48.000Z", + "@timestamp": "2019-10-03T22:11:40.000Z", "event.code": "134", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ita sn=amquaer time=\"2019/11/01 10:16:48\" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication", + "event.original": "id=ita sn=amquaer time=\"2019/10/03 20:11:40\" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13965, + "log.offset": 13923, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "134", - "rsa.time.date": "2019/11/01", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.date": "2019/10/03", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -2674,18 +2700,59 @@ ] }, { - "@timestamp": "2019-11-15T19:19:22.000Z", + "@timestamp": "2019-10-18T05:14:14.000Z", "event.code": "69", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=smod sn=idunt time=\"2019/11/15 17:19:22\" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association", + "event.original": "id=smod sn=idunt time=\"2019/10/18 03:14:14\" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14079, + "log.offset": 14037, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "69", + "rsa.time.date": "2019/10/18", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "137", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "lore id=isci sn=Dui time=\"2019/11/01 10:16:48\" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 14166, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "137", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "35", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=olore sn=orumS time=\"2019/11/15 17:19:22\" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 14272, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": 
"Sonicwall", + "rsa.internal.messageid": "35", "rsa.time.date": "2019/11/15", "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "sonicwall", @@ -2696,19 +2763,27 @@ }, { "@timestamp": "2019-11-30T02:21:57.000Z", - "event.code": "137", + "destination.nat.ip": "10.85.204.8", + "event.code": "src", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "lore id=isci sn=Dui time=\"2019/11/30 00:21:57\" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed", + "event.original": "umdolore id=dmi sn=tam time=\"2019/11/30 00:21:57\" fw=10.151.170.207 pri=high c=dunt m=src src=10.243.170.64 dst=10.85.204.8 amquisno", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14208, + "log.offset": 14396, + "log.original": "amquisno", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "137", + "related.ip": [ + "10.243.170.64", + "10.85.204.8" + ], + "rsa.internal.messageid": "src", + "rsa.internal.msg": "amquisno", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.243.170.64", "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2716,17 +2791,17 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "35", + "event.code": "105", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=olore sn=orumS time=\"2019/12/14 07:24:31\" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN", + "event.original": "id=magnam sn=uinesc time=\"2019/12/14 07:24:31\" fw=10.172.95.162 pri=very-high c=Bonorum m=105 Sending DHCP DISCOVER.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14314, + "log.offset": 14529, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "35", + "rsa.internal.messageid": "105", "rsa.time.date": "2019/12/14", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "sonicwall", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index 741f9a9a993..05ffa6f689b 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-08 17:36:34.097174 +0000 UTC. +at 2020-07-08 18:28:06.449559 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 996dd40f511..39caf5d6a2e 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -24,8 +24,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" 
@@ -99,8 +99,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -152,8 +152,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -268,8 +268,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -332,8 +332,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -382,8 +382,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "66.102.9.147", - "10.105.21.199" + "10.105.21.199", + "66.102.9.147" ], "related.user": [ "badeyek" @@ -459,8 +459,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -512,8 +512,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -589,8 +589,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -753,8 +753,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "68.142.213.132" + "68.142.213.132", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -764,8 +764,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -891,8 +891,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -943,8 +943,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1061,8 +1061,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1186,8 +1186,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.161" + "213.160.98.161", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1198,8 +1198,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1263,8 +1263,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -1363,8 +1363,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -1486,8 +1486,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1550,8 +1550,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1615,8 +1615,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1664,8 +1664,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1727,8 +1727,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1779,8 +1779,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1831,8 +1831,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", 
@@ -1895,8 +1895,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2129,8 +2129,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2190,8 +2190,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2201,8 +2201,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2261,8 +2261,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2314,8 +2314,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "63.245.209.21", - "10.105.21.199" + "10.105.21.199", + "63.245.209.21" ], "related.user": [ "badeyek" @@ -2326,8 +2326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2375,8 +2375,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "related.user": [ "adeolaegbedokun" 
@@ -2648,8 +2648,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_DENIED",
- "CONNECT"
+ "CONNECT",
+ "TCP_DENIED"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -2760,8 +2760,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_DENIED",
- "CONNECT"
+ "CONNECT",
+ "TCP_DENIED"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -2871,8 +2871,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.105.33.214",
- "216.155.194.239"
+ "216.155.194.239",
+ "10.105.33.214"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -2932,8 +2932,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "68.142.219.132",
- "10.105.33.214"
+ "10.105.33.214",
+ "68.142.219.132"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -2994,8 +2994,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "68.142.219.132",
- "10.105.33.214"
+ "10.105.33.214",
+ "68.142.219.132"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -3108,8 +3108,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_DENIED",
- "POST"
+ "POST",
+ "TCP_DENIED"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -3170,8 +3170,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "304",
@@ -3232,8 +3232,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "304",
@@ -3282,8 +3282,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.105.33.214",
- "68.142.219.132"
+ "68.142.219.132",
+ "10.105.33.214"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -3356,8 +3356,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "304",
@@ -3460,8 +3460,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -3562,8 +3562,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "212.58.226.33",
- "10.105.21.199"
+ "10.105.21.199",
+ "212.58.226.33"
 ],
 "related.user": [
 "badeyek"
@@ -3688,8 +3688,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "304",
@@ -3790,8 +3790,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "68.142.219.132",
- "10.105.33.214"
+ "10.105.33.214",
+ "68.142.219.132"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -3916,8 +3916,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "68.142.219.132",
- "10.105.33.214"
+ "10.105.33.214",
+ "68.142.219.132"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -4052,8 +4052,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "200",
@@ -4156,8 +4156,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_DENIED"
+ "TCP_DENIED",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -4209,8 +4209,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.105.33.214",
- "213.160.98.159"
+ "213.160.98.159",
+ "10.105.33.214"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -4283,8 +4283,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "302",
@@ -4398,8 +4398,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "213.160.98.152",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.152"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -4410,8 +4410,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "application/x-shockwave-flash",
 "rsa.misc.result_code": "200",
@@ -4580,8 +4580,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.105.33.214",
- "68.142.194.14"
+ "68.142.194.14",
+ "10.105.33.214"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -4639,8 +4639,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.105.33.214",
- "216.109.124.55"
+ "216.109.124.55",
+ "10.105.33.214"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -4650,8 +4650,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4702,8 +4702,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "304",
@@ -4832,8 +4832,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -4892,8 +4892,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4945,8 +4945,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "213.160.98.167",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.167"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5074,8 +5074,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -5192,8 +5192,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "213.160.98.159",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.159"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5321,8 +5321,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_DENIED"
+ "TCP_DENIED",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -5373,8 +5373,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_DENIED",
- "GET"
+ "GET",
+ "TCP_DENIED"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -5433,8 +5433,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -5495,8 +5495,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "200",
@@ -5545,8 +5545,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_DENIED"
+ "TCP_DENIED",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -5610,8 +5610,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_SWAPFAIL_MISS",
- "GET"
+ "GET",
+ "TCP_SWAPFAIL_MISS"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "200",
@@ -5662,8 +5662,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_HIT",
- "GET"
+ "GET",
+ "TCP_HIT"
 ],
 "rsa.misc.content_type": "text/css",
 "rsa.misc.result_code": "200",
@@ -5727,8 +5727,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "200",
diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json
index 3cef9eca756..bbe57a45af2 100644
--- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json
@@ -27,8 +27,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -259,8 +259,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -317,8 +317,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_IMS_HIT",
- "GET"
+ "GET",
+ "TCP_IMS_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -375,8 +375,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -491,8 +491,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -549,8 +549,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_REFRESH_MISS"
+ "TCP_REFRESH_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "200",
@@ -665,8 +665,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_IMS_HIT",
- "GET"
+ "GET",
+ "TCP_IMS_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -781,8 +781,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -955,8 +955,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -1013,8 +1013,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_IMS_HIT",
- "GET"
+ "GET",
+ "TCP_IMS_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -1071,8 +1071,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -1129,8 +1129,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_IMS_HIT",
- "GET"
+ "GET",
+ "TCP_IMS_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -1303,8 +1303,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -1419,8 +1419,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -1476,8 +1476,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "200",
@@ -1534,8 +1534,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "200",
@@ -1592,8 +1592,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -1650,8 +1650,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -2114,8 +2114,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -2230,8 +2230,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -2288,8 +2288,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -2404,8 +2404,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -2462,8 +2462,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -2578,8 +2578,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -2694,8 +2694,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_REFRESH_HIT"
+ "TCP_REFRESH_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -2810,8 +2810,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_IMS_HIT"
+ "TCP_IMS_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -2868,8 +2868,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "200",
@@ -3274,8 +3274,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -3332,8 +3332,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -3564,8 +3564,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -3738,8 +3738,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -3796,8 +3796,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -3854,8 +3854,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -3912,8 +3912,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -4028,8 +4028,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -4144,8 +4144,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -4260,8 +4260,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -4549,8 +4549,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_REFRESH_HIT",
- "GET"
+ "GET",
+ "TCP_REFRESH_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -4722,8 +4722,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "302",
@@ -4780,8 +4780,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_REFRESH_HIT"
+ "TCP_REFRESH_HIT",
+ "GET"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -4894,8 +4894,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "80.69.64.224",
- "210.8.79.192"
+ "210.8.79.192",
+ "80.69.64.224"
 ],
 "related.user": [
 "-"
@@ -5253,8 +5253,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -5311,8 +5311,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -5369,8 +5369,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "application/pdf",
 "rsa.misc.result_code": "200",
@@ -5427,8 +5427,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
@@ -5543,8 +5543,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_DENIED"
+ "TCP_DENIED",
+ "GET"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "403",
@@ -5662,8 +5662,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "application/pdf",
 "rsa.misc.result_code": "200",
@@ -5777,8 +5777,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/jpeg",
 "rsa.misc.result_code": "200",
diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
index c20396aebdb..83e2b5c3035 100644
--- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
@@ -175,8 +175,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "503",
@@ -227,8 +227,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -331,8 +331,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -383,8 +383,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
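Review bot: The element order in `rsa.misc.action` and `related.ip` flips in both directions across this file's hunks (the `@@ -259` hunk moves `GET` after `TCP_IMS_HIT` while `@@ -317` moves it before), which indicates the pipeline emits these multi-valued fields in no stable order rather than that the expected events changed in meaning. Every regeneration of the fixture will therefore produce churn of this kind, and a reviewer cannot distinguish a genuine regression in these arrays from ordering noise. It would be worth either comparing such array-valued fields order-insensitively in the module test harness or giving them a stable order in the pipeline, with a comment in the harness stating why the order is ignored. Each hunk shows only a fragment of a larger JSON event, so the enclosing objects begin and end outside the hunks.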
@@ -435,8 +435,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -538,8 +538,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -588,8 +588,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "503",
@@ -638,8 +638,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "404",
@@ -688,8 +688,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "503",
@@ -838,8 +838,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "404",
@@ -890,8 +890,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "503",
@@ -1096,8 +1096,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -1148,8 +1148,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -1301,8 +1301,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "000",
@@ -1352,8 +1352,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "503",
@@ -1402,8 +1402,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "503",
@@ -1453,8 +1453,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "503",
@@ -1502,8 +1502,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "74.125.131.147"
+ "74.125.131.147",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -1626,8 +1626,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.131.147",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.131.147"
 ],
 "related.user": [
 "-"
@@ -1638,8 +1638,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/javascript",
 "rsa.misc.result_code": "200",
@@ -1688,8 +1688,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "74.125.131.147"
+ "74.125.131.147",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -1762,8 +1762,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "204",
@@ -1811,8 +1811,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.3",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.3"
 ],
 "related.user": [
 "-"
@@ -1822,8 +1822,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1871,8 +1871,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.3",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.3"
 ],
 "related.user": [
 "-"
@@ -1991,8 +1991,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.6",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.6"
 ],
 "related.user": [
 "-"
@@ -2002,8 +2002,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2062,8 +2062,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2231,8 +2231,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "74.125.131.147"
+ "74.125.131.147",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -2242,8 +2242,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2291,8 +2291,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "74.125.228.14"
+ "74.125.228.14",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -2302,8 +2302,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2482,8 +2482,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2531,8 +2531,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.14",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.14"
 ],
 "related.user": [
 "-"
@@ -2542,8 +2542,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2592,8 +2592,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.97",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.97"
 ],
 "related.user": [
 "-"
@@ -2664,8 +2664,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2773,8 +2773,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "74.125.228.100"
+ "74.125.228.100",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -2784,8 +2784,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2844,8 +2844,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2893,8 +2893,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.100",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.100"
 ],
 "related.user": [
 "-"
@@ -2904,8 +2904,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2953,8 +2953,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "173.194.73.104"
+ "173.194.73.104",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -3073,8 +3073,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "74.125.228.100"
+ "74.125.228.100",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -3133,8 +3133,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.100",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.100"
 ],
 "related.user": [
 "-"
@@ -3144,8 +3144,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3206,8 +3206,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "application/x-apple-plist",
 "rsa.misc.result_code": "200",
@@ -3268,8 +3268,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -3330,8 +3330,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/plain",
 "rsa.misc.result_code": "200",
@@ -3380,8 +3380,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "208.44.23.185"
+ "208.44.23.185",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -3392,8 +3392,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -3442,8 +3442,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "208.44.23.185",
- "192.168.0.35"
+ "192.168.0.35",
+ "208.44.23.185"
 ],
 "related.user": [
 "-"
@@ -3454,8 +3454,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/plain",
 "rsa.misc.result_code": "200",
@@ -3504,8 +3504,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "208.44.23.185",
- "192.168.0.35"
+ "192.168.0.35",
+ "208.44.23.185"
 ],
 "related.user": [
 "-"
@@ -3640,8 +3640,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3690,8 +3690,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3702,8 +3702,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3752,8 +3752,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3938,8 +3938,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3950,8 +3950,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4000,8 +4000,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4074,8 +4074,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4136,8 +4136,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -4198,8 +4198,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4248,8 +4248,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4434,8 +4434,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4496,8 +4496,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4508,8 +4508,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4558,8 +4558,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4694,8 +4694,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4756,8 +4756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4806,8 +4806,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" 
@@ -4880,8 +4880,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4942,8 +4942,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5004,8 +5004,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5128,8 +5128,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5178,8 +5178,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -5240,8 +5240,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -5252,8 +5252,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5492,8 +5492,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5541,8 +5541,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.102" + "74.125.228.102", + "192.168.0.35" ], "related.user": [ "-" @@ -5613,8 +5613,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5673,8 +5673,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5722,8 +5722,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "69.171.228.74" + "69.171.228.74", + "192.168.0.35" ], "related.user": [ "-" diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index 373ccb372b1..6b8e67ad7e2 100644 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -24,8 +24,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -144,8 +144,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -155,8 +155,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -204,8 +204,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" 
@@ -215,8 +215,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -264,8 +264,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.97", - "::1" + "::1", + "173.194.123.97" ], "related.user": [ "-" @@ -275,8 +275,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -335,8 +335,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -384,8 +384,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" ], "related.user": [ "-" @@ -395,8 +395,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -444,8 +444,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" @@ -504,8 +504,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" @@ -564,8 +564,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" 
@@ -638,8 +638,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -747,8 +747,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" ], "related.user": [ "-" @@ -807,8 +807,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -879,8 +879,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -928,8 +928,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" @@ -939,8 +939,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -999,8 +999,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1059,8 +1059,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1108,8 +1108,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" 
@@ -1228,8 +1228,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1239,8 +1239,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1359,8 +1359,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1408,8 +1408,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1479,8 +1479,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1539,8 +1539,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1588,8 +1588,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1768,8 +1768,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1828,8 +1828,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" 
@@ -1948,8 +1948,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2008,8 +2008,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2019,8 +2019,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2068,8 +2068,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2079,8 +2079,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2259,8 +2259,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2308,8 +2308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2319,8 +2319,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2439,8 +2439,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2499,8 +2499,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2548,8 +2548,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2608,8 +2608,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.101" + "173.194.123.101", + "::1" ], "related.user": [ "-" @@ -2619,8 +2619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2668,8 +2668,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2788,8 +2788,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.99" + "173.194.123.99", + "::1" ], "related.user": [ "-" @@ -2799,8 +2799,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2859,8 +2859,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2908,8 +2908,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.226.83", - "::1" + "::1", + "74.125.226.83" ], "related.user": [ "-" 
@@ -3030,8 +3030,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.41" + "173.194.123.41", + "::1" ], "related.user": [ "-" @@ -3101,8 +3101,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3154,8 +3154,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" @@ -3165,8 +3165,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3481,8 +3481,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3533,8 +3533,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" ], "related.user": [ "-" @@ -3596,8 +3596,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "related.user": [ "-" @@ -3607,8 +3607,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3785,8 +3785,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.142" + "216.58.219.142", + "::1" ], "related.user": [ "-" 
@@ -3848,8 +3848,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.142" + "216.58.219.142", + "::1" ], "related.user": [ "-" @@ -3859,8 +3859,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3971,8 +3971,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -4091,8 +4091,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -4165,8 +4165,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4228,8 +4228,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4291,8 +4291,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4340,8 +4340,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "173.194.205.113" + "173.194.205.113", + "10.100.0.1" ], "related.user": [ "-" @@ -4352,8 +4352,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "301", 
@@ -4413,8 +4413,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4463,8 +4463,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.6.238" + "172.217.6.238", + "10.100.0.1" ], "related.user": [ "-" @@ -4527,8 +4527,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.238", - "10.100.0.1" + "10.100.0.1", + "216.58.219.238" ], "related.user": [ "-" @@ -4538,8 +4538,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4591,8 +4591,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.238", - "10.100.0.1" + "10.100.0.1", + "216.58.219.238" ], "related.user": [ "-" @@ -4772,8 +4772,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -4783,8 +4783,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5023,8 +5023,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5252,8 +5252,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.2.85" + "10.100.2.85", + "172.217.12.174" ], "related.user": [ "-" 
@@ -5263,8 +5263,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5312,8 +5312,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" @@ -5323,8 +5323,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5372,8 +5372,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" @@ -5383,8 +5383,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5552,8 +5552,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "related.user": [ "-" @@ -5626,8 +5626,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5752,8 +5752,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5815,8 +5815,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5938,8 +5938,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5990,8 +5990,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.206", - "10.100.0.1" + "10.100.0.1", + "216.58.219.206" ], "related.user": [ "-" @@ -6050,8 +6050,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md index 0b7e7db612c..2df9d157cda 100644 --- a/x-pack/filebeat/module/tenable/README.md +++ b/x-pack/filebeat/module/tenable/README.md @@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-08 17:36:31.066661 +0000 UTC. +at 2020-07-08 18:28:03.42817 +0000 UTC. diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js b/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js index 563060a85fe..54cd4b990bf 100644 --- a/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js +++ b/x-pack/filebeat/module/tenable/nessus_security/config/pipeline.js @@ -390,7 +390,7 @@ var select5 = linear_select([ msg29, ]); -var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason->} ", processor_chain([ +var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason}", processor_chain([ dup1, dup11, dup2, 
@@ -399,7 +399,7 @@ var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_descriptio var msg30 = msg("Plugins", part22); -var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds ", processor_chain([ +var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds", processor_chain([ dup1, dup12, setc("ec_outcome","Success"), @@ -410,7 +410,7 @@ var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulenam var msg31 = msg("process_finished", part23); -var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it ", processor_chain([ +var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it", processor_chain([ dup7, dup12, dup11, diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md index dff5c4b202d..92925f9c3f5 100644 --- a/x-pack/filebeat/module/tomcat/README.md +++ b/x-pack/filebeat/module/tomcat/README.md @@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-08 17:36:24.034762 +0000 UTC. +at 2020-07-08 18:27:56.755732 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index 6b739614b0d..97cd46dba70 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md @@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-08 17:36:34.448527 +0000 UTC. +at 2020-07-08 18:28:06.796835 +0000 UTC. 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 085c95b3306..de36c7563d6 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -25,8 +25,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.206.191.17", - "10.176.10.114" + "10.176.10.114", + "10.206.191.17" ], "related.user": [ "sumdo" @@ -98,8 +98,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.173.22.152", - "10.26.46.95" + "10.26.46.95", + "10.173.22.152" ], "related.user": [ "eataevi" @@ -113,8 +113,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "tur", - "Allowed" + "Allowed", + "tur" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -188,8 +188,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "giatq", - "Blocked" + "Blocked", + "giatq" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -323,8 +323,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" @@ -338,8 +338,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "Blocked", - "reetdolo" + "reetdolo", + "Blocked" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -398,8 +398,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.183.16.166", - "10.66.250.92" + "10.66.250.92", + "10.183.16.166" ], "related.user": [ "tessec" 
@@ -413,8 +413,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "Allowed", - "ist" + "ist", + "Allowed" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -473,8 +473,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.123.104.59", - "10.243.224.205" + "10.243.224.205", + "10.123.104.59" ], "related.user": [ "xercitat" @@ -488,8 +488,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "Blocked", - "dun" + "dun", + "Blocked" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -638,8 +638,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -698,8 +698,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.225.244", - "10.71.170.37" + "10.71.170.37", + "10.135.225.244" ], "related.user": [ "atu" @@ -713,8 +713,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "Allowed", - "psaquae" + "psaquae", + "Allowed" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -788,8 +788,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "emseq", - "Allowed" + "Allowed", + "emseq" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -923,8 +923,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" 
@@ -938,8 +938,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "veni", - "Allowed" + "Allowed", + "veni" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -1073,8 +1073,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.111.187.12", - "10.63.250.128" + "10.63.250.128", + "10.111.187.12" ], "related.user": [ "saute" @@ -1088,8 +1088,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "Allowed", - "ntoccae" + "ntoccae", + "Allowed" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1223,8 +1223,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.126.231", - "10.201.171.120" + "10.201.171.120", + "10.91.126.231" ], "related.user": [ "exercita" @@ -1448,8 +1448,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.229.83.165", - "10.29.155.171" + "10.29.155.171", + "10.229.83.165" ], "related.user": [ "ulapar" @@ -1463,8 +1463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "llitanim", - "Allowed" + "Allowed", + "llitanim" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1523,8 +1523,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.129.192.145", - "10.161.148.64" + "10.161.148.64", + "10.129.192.145" ], "related.user": [ "lor" @@ -1613,8 +1613,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "nte", - "Allowed" + "Allowed", + "nte" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1673,8 +1673,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.86.22.67", - "10.218.98.29" + "10.218.98.29", + "10.86.22.67" ], "related.user": [ "olori" 
@@ -1688,8 +1688,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "atcupi", - "Blocked" + "Blocked", + "atcupi" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1763,8 +1763,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "gnaal", - "Allowed" + "Allowed", + "gnaal" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1823,8 +1823,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.179.210.218", - "10.32.39.220" + "10.32.39.220", + "10.179.210.218" ], "related.user": [ "boreetdo" @@ -1838,8 +1838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "risnis", - "Blocked" + "Blocked", + "risnis" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", @@ -1898,8 +1898,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.88.172.34", - "10.128.173.19" + "10.128.173.19", + "10.88.172.34" ], "related.user": [ "agnaaliq" @@ -1913,8 +1913,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "dtempo", - "Blocked" + "Blocked", + "dtempo" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -1973,8 +1973,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.238.224.49", - "10.130.241.232" + "10.130.241.232", + "10.238.224.49" ], "related.user": [ "onse" @@ -1988,8 +1988,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "Allowed", - "mod" + "mod", + "Allowed" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", 
@@ -2063,8 +2063,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "Allowed", - "tatem" + "tatem", + "Allowed" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2123,8 +2123,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2138,8 +2138,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "Allowed", - "quasiarc" + "quasiarc", + "Allowed" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2198,8 +2198,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" @@ -2213,8 +2213,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "vitaed", - "Allowed" + "Allowed", + "vitaed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2288,8 +2288,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mag", "rsa.misc.action": [ - "tali", - "Allowed" + "Allowed", + "tali" ], "rsa.misc.category": "oconse", "rsa.misc.filter": "npr", @@ -2348,8 +2348,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2438,8 +2438,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", 
@@ -2513,8 +2513,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2648,8 +2648,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.142.120.198", - "10.166.10.42" + "10.166.10.42", + "10.142.120.198" ], "related.user": [ "olori" @@ -2663,8 +2663,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2723,8 +2723,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.138.188.201", - "10.128.184.241" + "10.128.184.241", + "10.138.188.201" ], "related.user": [ "etur" @@ -2798,8 +2798,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.53.101.131", - "10.213.57.165" + "10.213.57.165", + "10.53.101.131" ], "related.user": [ "isau" @@ -2813,8 +2813,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "Allowed", - "litanim" + "litanim", + "Allowed" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2888,8 +2888,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2948,8 +2948,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" 
@@ -3038,8 +3038,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "Allowed", - "quid" + "quid", + "Allowed" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3113,8 +3113,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "Allowed", - "olor" + "olor", + "Allowed" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3173,8 +3173,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.68.8.143", - "10.125.120.97" + "10.125.120.97", + "10.68.8.143" ], "related.user": [ "reet" @@ -3413,8 +3413,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3473,8 +3473,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3771,8 +3771,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.237.0.173", - "10.31.153.177" + "10.31.153.177", + "10.237.0.173" ], "related.user": [ "sci" @@ -3844,8 +3844,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.243.182.229", - "10.229.102.140" + "10.229.102.140", + "10.243.182.229" ], "related.user": [ "duntut" @@ -3859,8 +3859,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "Allowed", - "etquasia" + "etquasia", + "Allowed" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3915,8 +3915,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.138.109", - "10.39.46.155" + "10.39.46.155", + "10.120.138.109" ], "related.user": [ "picia" 
@@ -3990,8 +3990,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.133.102.57", - "10.53.191.49" + "10.53.191.49", + "10.133.102.57" ], "related.user": [ "onsec" @@ -4140,8 +4140,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.18.226", - "10.221.20.165" + "10.221.20.165", + "10.7.18.226" ], "related.user": [ "uasiarch" @@ -4155,8 +4155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "epreh", - "Allowed" + "Allowed", + "epreh" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", @@ -4215,8 +4215,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4230,8 +4230,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "niam", - "Allowed" + "Allowed", + "niam" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", @@ -4305,8 +4305,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4363,8 +4363,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "Allowed", - "urau" + "urau", + "Allowed" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4438,8 +4438,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" 
@@ -4453,8 +4453,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "upidatat", - "Allowed" + "Allowed", + "upidatat" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4513,8 +4513,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.60.52.219", - "10.252.164.230" + "10.252.164.230", + "10.60.52.219" ], "related.user": [ "gnamali" @@ -4599,8 +4599,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "turad", - "Allowed" + "Allowed", + "turad" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", @@ -4747,8 +4747,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "uteiru", - "Allowed" + "Allowed", + "uteiru" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4807,8 +4807,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.129.66.196", - "10.7.152.238" + "10.7.152.238", + "10.129.66.196" ], "related.user": [ "equamn" @@ -4822,8 +4822,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vento", "rsa.misc.action": [ - "Blocked", - "reh" + "reh", + "Blocked" ], "rsa.misc.category": "atev", "rsa.misc.filter": "umq", @@ -4882,8 +4882,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.162.157", - "10.185.107.27" + "10.185.107.27", + "10.29.162.157" ], "related.user": [ "evelite" @@ -4972,8 +4972,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", 
@@ -5107,8 +5107,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.193.152.42", - "10.91.20.27" + "10.91.20.27", + "10.193.152.42" ], "related.user": [ "edict" @@ -5197,8 +5197,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "userro", - "Allowed" + "Allowed", + "userro" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5257,8 +5257,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5332,8 +5332,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.167.176.220", - "10.146.228.249" + "10.146.228.249", + "10.167.176.220" ], "related.user": [ "estla" @@ -5347,8 +5347,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "maccu", - "Blocked" + "Blocked", + "maccu" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5407,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.200.74.101", - "10.203.47.23" + "10.203.47.23", + "10.200.74.101" ], "related.user": [ "litesse" @@ -5422,8 +5422,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5497,8 +5497,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "tutl", - "Blocked" + "Blocked", + "tutl" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5632,8 +5632,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.110.16.169", - "10.209.203.156" + "10.209.203.156", + "10.110.16.169" ], "related.user": [ "mes" 
@@ -5647,8 +5647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5782,8 +5782,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.119.48", - "10.26.222.144" + "10.26.222.144", + "10.124.119.48" ], "related.user": [ "nre" @@ -5797,8 +5797,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5857,8 +5857,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.164.190.2", - "10.223.11.164" + "10.223.11.164", + "10.164.190.2" ], "related.user": [ "ten" @@ -5872,8 +5872,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "Allowed", - "antium" + "antium", + "Allowed" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5932,8 +5932,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.121.181.243", - "10.14.37.8" + "10.14.37.8", + "10.121.181.243" ], "related.user": [ "umwr" @@ -6007,8 +6007,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.90.20.202", - "10.10.93.133" + "10.10.93.133", + "10.90.20.202" ], "related.user": [ "evita" @@ -6022,8 +6022,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "Blocked", - "nia" + "nia", + "Blocked" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6157,8 +6157,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.233.249", - "10.75.144.118" + "10.75.144.118", + "10.176.233.249" ], "related.user": [ "isnos" 
@@ -6247,8 +6247,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "mvele", - "Allowed" + "Allowed", + "mvele" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6397,8 +6397,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "Blocked", - "mini" + "mini", + "Blocked" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6457,8 +6457,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "related.user": [ "mnisiuta" @@ -6472,8 +6472,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6532,8 +6532,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.247.255.107", - "10.234.34.40" + "10.234.34.40", + "10.247.255.107" ], "related.user": [ "aeabillo" @@ -6824,8 +6824,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6839,8 +6839,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6899,8 +6899,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.98.126.206", - "10.195.62.230" + "10.195.62.230", + "10.98.126.206" ], "related.user": [ "ptassit" 
@@ -6914,8 +6914,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6974,8 +6974,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -7049,8 +7049,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.198.84.190", - "10.31.58.6" + "10.31.58.6", + "10.198.84.190" ], "related.user": [ "unt" @@ -7139,8 +7139,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7214,8 +7214,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "Blocked", - "temvele" + "temvele", + "Blocked" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7274,8 +7274,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.149.221", - "10.217.193.148" + "10.217.193.148", + "10.26.149.221" ], "related.user": [ "uisa" @@ -7439,8 +7439,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "Blocked", - "volup" + "volup", + "Blocked" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 0167f066e64..dfbbe351a7c 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json 
@@ -30,8 +30,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", From 320c9e294ccd6f344a96df5c4be247e897ad9d0e Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 8 Jul 2020 20:49:34 +0200 Subject: [PATCH 12/19] event.action is not an array --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../barracuda/waf/config/liblogparser.js | 4 +- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../bluecoat/director/config/liblogparser.js | 4 +- .../director/test/generated.log-expected.json | 36 +- .../module/cisco/nexus/config/liblogparser.js | 4 +- x-pack/filebeat/module/citrix/README.md | 2 +- .../citrix/virtualapps/config/liblogparser.js | 4 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../cylance/protect/config/liblogparser.js | 4 +- .../protect/test/generated.log-expected.json | 411 ++----- x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/liblogparser.js | 4 +- .../bigipapm/test/generated.log-expected.json | 40 +- .../module/f5/firepass/config/liblogparser.js | 4 +- .../firepass/test/generated.log-expected.json | 44 +- .../clientendpoint/config/liblogparser.js | 4 +- .../test/generated.log-expected.json | 588 ++++------ x-pack/filebeat/module/imperva/README.md | 2 +- .../securesphere/config/liblogparser.js | 4 +- .../test/generated.log-expected.json | 1015 ++++++----------- x-pack/filebeat/module/infoblox/README.md | 2 +- .../infoblox/nios/config/liblogparser.js | 4 +- .../nios/test/generated.log-expected.json | 4 +- x-pack/filebeat/module/juniper/README.md | 2 +- .../juniper/junos/config/liblogparser.js | 4 +- x-pack/filebeat/module/kaspersky/README.md | 2 +- .../kaspersky/av/config/liblogparser.js | 4 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../microsoft/dhcp/config/liblogparser.js | 4 +- x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/config/liblogparser.js | 4 +- .../test/generated.log-expected.json | 56 +- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/config/liblogparser.js | 4 +- x-pack/filebeat/module/rapid7/README.md | 2 +- .../rapid7/nexpose/config/liblogparser.js | 4 +- 
.../nexpose/test/generated.log-expected.json | 20 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/liblogparser.js | 4 +- .../firewall/test/general.log-expected.json | 36 +- .../firewall/test/generated.log-expected.json | 114 +- x-pack/filebeat/module/squid/README.md | 2 +- .../module/squid/log/config/liblogparser.js | 4 +- .../squid/log/test/access1.log-expected.json | 756 +++++------- .../squid/log/test/access2.log-expected.json | 600 ++++------ .../squid/log/test/access3.log-expected.json | 724 +++++------- .../squid/log/test/access4.log-expected.json | 784 +++++-------- x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/liblogparser.js | 4 +- x-pack/filebeat/module/tomcat/README.md | 2 +- .../module/tomcat/log/config/liblogparser.js | 4 +- x-pack/filebeat/module/zscaler/README.md | 2 +- .../module/zscaler/zia/config/liblogparser.js | 4 +- .../zia/test/generated.log-expected.json | 788 +++++-------- .../zscaler/zia/test/test.log-expected.json | 4 +- 56 files changed, 2154 insertions(+), 3986 deletions(-) diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md index aa38d21fa9a..a3375733550 100644 --- a/x-pack/filebeat/module/barracuda/README.md +++ b/x-pack/filebeat/module/barracuda/README.md @@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 -at 2020-07-08 18:27:57.27931 +0000 UTC. +at 2020-07-08 18:50:16.872444 +0000 UTC. diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js +++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js 
@@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md index 7411706ec17..b07cb66dc6f 100644 --- a/x-pack/filebeat/module/bluecoat/README.md +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 -at 2020-07-08 18:27:58.877101 +0000 UTC. +at 2020-07-08 18:50:18.742646 +0000 UTC. 
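Review bot: The switch from `fld_append` to `fld_prio` on the `action` and `event_type` lines fixes the ECS type of event.action but means one of the two values is dropped whenever a log carries both, and nothing in the hunk records which one survives; a comment on the `action` line such as `// event.action is a single ECS keyword: when both 'action' and 'event_type' are present only one is kept (see fld_prio); the raw values are not lost elsewhere` would spare the next reader a trip to the setter. The definition of fld_prio is outside this hunk, so whether prio 0 beats prio 1 (as the numbering and the existing `message`/`user.name` mappings suggest) cannot be confirmed here, and the comment should state the actual rule rather than guess it. Anyone writing detections keyed on event.action needs that rule too, because the earlier zscaler fixture hunks in this series show a vendor-specific word and an "Allowed"/"Blocked" value landing in the same field, and those values appear to remain under rsa.misc.action. The identical two-line change is repeated in the bluecoat, cisco/nexus, citrix and cylance copies of liblogparser.js further down, so the comment belongs in the template those copies are generated from; the enclosing ecs_mappings object starts and ends outside the hunk.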
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js +++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json index 7c9b76998c5..94a001da91a 100644 
--- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json @@ -105,9 +105,7 @@ ] }, { - "event.action": [ - "accept" - ], + "event.action": "accept", "event.code": "heartbeat", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -351,9 +349,7 @@ ] }, { - "event.action": [ - "accept" - ], + "event.action": "accept", "event.code": "configd", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -444,9 +440,7 @@ ] }, { - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "heartbeat", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -644,9 +638,7 @@ ] }, { - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "runner", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -737,9 +729,7 @@ ] }, { - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "configd", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -1215,9 +1205,7 @@ ] }, { - "event.action": [ - "accept" - ], + "event.action": "accept", "event.code": "configd", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -1313,9 +1301,7 @@ ] }, { - "event.action": [ - "accept" - ], + "event.action": "accept", "event.code": "heartbeat", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -1688,9 +1674,7 @@ ] }, { - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "heartbeat", "event.dataset": "bluecoat.director", "event.module": "bluecoat", @@ -2045,9 +2029,7 @@ ] }, { - "event.action": [ - "block" - ], + "event.action": "block", "event.code": "heartbeat", "event.dataset": "bluecoat.director", "event.module": "bluecoat", diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 
--- a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js +++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md index 3ae455a7bd5..55dd02271c4 100644 --- a/x-pack/filebeat/module/citrix/README.md +++ b/x-pack/filebeat/module/citrix/README.md @@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 -at 2020-07-08 18:27:59.806607 +0000 UTC. +at 2020-07-08 18:50:19.728951 +0000 UTC. 
diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js +++ b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md index 53f45056c5a..864876a4de3 100644 --- a/x-pack/filebeat/module/cylance/README.md +++ b/x-pack/filebeat/module/cylance/README.md 
@@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127
-at 2020-07-08 18:28:00.053323 +0000 UTC.
+at 2020-07-08 18:50:19.981316 +0000 UTC.
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
index cc84a62db72..cbf9659f322 100644
--- a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
+++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
@@ -916,7 +916,7 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
 "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_append}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index 8a5e599a976..2d4df394d00 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -1,9 +1,7 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "event.action": [ - "ZoneAdd" - ], + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -37,9 +35,7 @@ }, { "@timestamp": "2016-02-12T03:12:33.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -72,9 +68,7 @@ }, { "@timestamp": "2020-02-26T10:15:08.000Z", - "event.action": [ - "DeviceEdit" - ], + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -103,9 +97,7 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -148,9 +140,7 @@ }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -192,9 +182,7 @@ }, { "@timestamp": "2020-04-09T07:22:51.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -226,9 +214,7 @@ }, { "@timestamp": "2020-04-24T14:25:25.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -259,9 +245,7 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "event.action": [ - "Device Updated" - ], + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -295,9 +279,7 @@ }, { "@timestamp": "2020-05-22T04:30:33.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -329,10 +311,7 @@ }, { "@timestamp": "2016-06-05T11:33:08.000Z", - "event.action": [ - "cancel", - "Device Policy Assigned" - ], + "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -379,9 +358,7 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -411,9 +388,7 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.action": [ - "DeviceRemove" - ], + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -448,9 +423,7 @@ }, { "@timestamp": "2016-07-18T08:40:50.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -484,9 +457,7 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "event.action": [ - "pechange" - ], + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -519,9 +490,7 @@ }, { "@timestamp": "2019-08-16T10:45:59.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -563,9 +532,7 @@ }, { "@timestamp": "2019-08-30T05:48:33.000Z", - "event.action": [ - "ZoneAdd" - ], + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -593,9 +560,7 @@ }, { "@timestamp": "2019-09-13T12:51:07.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -626,9 +591,7 @@ }, { "@timestamp": "2019-09-28T07:53:42.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -656,10 +619,7 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "event.action": [ - "fullaccess", - "accept" - ], + "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -701,9 +661,7 @@ }, { "@timestamp": "2016-10-26T09:58:50.000Z", - "event.action": [ - "threat_changed" - ], + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -737,10 +695,7 @@ }, { "@timestamp": "2016-11-10T05:01:24.000Z", - "event.action": [ - "block", - "DeviceEdit" - ], + "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -782,9 +737,7 @@ }, { "@timestamp": "2016-11-24T12:03:59.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -818,9 +771,7 @@ }, { "@timestamp": "2016-12-08T07:06:33.000Z", - "event.action": [ - "Registration" - ], + "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -858,9 +809,7 @@ }, { "@timestamp": "2016-12-23T14:09:07.000Z", - "event.action": [ - "PolicyAdd" - ], + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -894,9 +843,7 @@ }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "event.action": [ - "ZoneAddDevice" - ], + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -929,9 +876,7 @@ }, { "@timestamp": "2017-01-20T04:14:16.000Z", - "event.action": [ - "pechange" - ], + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -965,9 +910,7 @@ }, { "@timestamp": "2020-02-03T11:16:50.000Z", - "event.action": [ - "DeviceRemove" - ], + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1009,9 +952,7 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.action": [ - "threat_changed" - ], + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1046,9 +987,7 @@ }, { "@timestamp": "2017-03-04T13:21:59.000Z", - "event.action": [ - "DeviceEdit" - ], + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1081,9 +1020,7 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "event.action": [ - "DeviceRemove" - ], + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1120,9 +1057,7 @@ }, { "@timestamp": "2020-04-02T03:27:07.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1159,9 +1094,7 @@ }, { "@timestamp": "2020-04-16T10:29:41.000Z", - "event.action": [ - "DeviceEdit" - ], + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1189,9 +1122,7 @@ }, { "@timestamp": "2017-04-30T05:32:16.000Z", - "event.action": [ - "threat_changed" - ], + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1225,9 +1156,7 @@ }, { "@timestamp": "2017-05-14T12:34:50.000Z", - "event.action": [ - "PolicyAdd" - ], + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1260,9 +1189,7 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.action": [ - "ZoneAdd" - ], + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1296,9 +1223,7 @@ }, { "@timestamp": "2017-06-12T14:39:58.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1330,9 +1255,7 @@ }, { "@timestamp": "2020-06-26T09:42:33.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1365,10 +1288,7 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "event.action": [ - "Registration", - "deny" - ], + "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1415,10 +1335,7 @@ }, { "@timestamp": "2019-07-25T11:47:41.000Z", - "event.action": [ - "ZoneAddDevice", - "allow" - ], + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1464,9 +1381,7 @@ }, { "@timestamp": "2019-08-08T06:50:15.000Z", - "event.action": [ - "pechange" - ], + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1500,9 +1415,7 @@ }, { "@timestamp": "2019-08-22T13:52:50.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1529,9 +1442,7 @@ }, { "@timestamp": "2017-09-06T08:55:24.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1565,9 +1476,7 @@ }, { "@timestamp": "2019-09-20T03:57:58.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1597,9 +1506,7 @@ }, { "@timestamp": "2017-10-04T11:00:32.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1634,10 +1541,7 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "event.action": [ - "Device Policy Assigned", - "allow" - ], + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1684,10 +1588,7 @@ }, { "@timestamp": "2017-11-02T13:05:41.000Z", - "event.action": [ - "cancel", - "SystemSecurity" - ], + "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -1729,9 +1630,7 @@ }, { "@timestamp": "2017-11-16T08:08:15.000Z", - "event.action": [ - "PolicyAdd" - ], + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1761,9 +1660,7 @@ }, { "@timestamp": "2017-12-01T03:10:49.000Z", - "event.action": [ - "Registration" - ], + "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1795,10 +1692,7 @@ }, { "@timestamp": "2017-12-15T10:13:24.000Z", - "event.action": [ - "accept", - "threat_quarantined" - ], + "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1840,9 +1734,7 @@ }, { "@timestamp": "2019-12-29T05:15:58.000Z", - "event.action": [ - "DeviceRemove" - ], + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1881,9 +1773,7 @@ }, { "@timestamp": "2020-01-12T12:18:32.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1916,9 +1806,7 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "event.action": [ - "DeviceEdit" - ], + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1952,9 +1840,7 @@ }, { "@timestamp": "2018-02-10T14:23:41.000Z", - "event.action": [ - "threat_changed" - ], + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -1998,9 +1884,7 @@ }, { "@timestamp": "2020-02-24T09:26:15.000Z", - "event.action": [ - "ZoneAddDevice" - ], + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -2033,9 +1917,7 @@ }, { "@timestamp": "2020-03-11T04:28:49.000Z", - "event.action": [ - "PolicyAdd" - ], + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2064,9 +1946,7 @@ }, { "@timestamp": "2020-03-25T11:31:24.000Z", - "event.action": [ - "threat_found" - ], + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2098,9 +1978,7 @@ }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "event.action": [ - "ZoneAdd" - ], + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2134,9 +2012,7 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "event.action": [ - "Device Updated" - ], + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2165,9 +2041,7 @@ }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.action": [ - "ZoneAdd" - ], + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2200,9 +2074,7 @@ }, { "@timestamp": "2020-05-21T03:41:41.000Z", - "event.action": [ - "Alert" - ], + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2239,9 +2111,7 @@ }, { "@timestamp": "2020-06-04T10:44:15.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2271,9 +2141,7 @@ }, { "@timestamp": "2020-06-19T05:46:49.000Z", - "event.action": [ - "ZoneAdd" - ], + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -2302,9 +2170,7 @@ }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2338,9 +2204,7 @@ }, { "@timestamp": "2018-07-17T07:51:58.000Z", - "event.action": [ - "PolicyAdd" - ], + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2377,9 +2241,7 @@ }, { "@timestamp": "2018-08-01T14:54:32.000Z", - "event.action": [ - "ZoneAddDevice" - ], + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2413,9 +2275,7 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "event.action": [ - "fullaccess" - ], + "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2449,9 +2309,7 @@ }, { "@timestamp": "2018-08-29T04:59:40.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2484,9 +2342,7 @@ }, { "@timestamp": "2018-09-12T12:02:15.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2528,9 +2384,7 @@ }, { "@timestamp": "2019-09-27T07:04:49.000Z", - "event.action": [ - "threat_quarantined" - ], + "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2557,9 +2411,7 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.action": [ - "LoginSuccess" - ], + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -2597,9 +2449,7 @@ }, { "@timestamp": "2018-10-25T09:09:57.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2633,9 +2483,7 @@ }, { "@timestamp": "2018-11-09T04:12:32.000Z", - "event.action": [ - "Device Updated" - ], + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2669,9 +2517,7 @@ }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2700,9 +2546,7 @@ }, { "@timestamp": "2018-12-07T06:17:40.000Z", - "event.action": [ - "SystemSecurity" - ], + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2736,9 +2580,7 @@ }, { "@timestamp": "2019-12-21T13:20:14.000Z", - "event.action": [ - "Device Updated" - ], + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2767,9 +2609,7 @@ }, { "@timestamp": "2020-01-05T08:22:49.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2797,9 +2637,7 @@ }, { "@timestamp": "2020-01-19T03:25:23.000Z", - "event.action": [ - "DeviceEdit" - ], + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2841,9 +2679,7 @@ }, { "@timestamp": "2020-02-02T10:27:57.000Z", - "event.action": [ - "threat_found" - ], + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -2873,9 +2709,7 @@ }, { "@timestamp": "2019-02-17T05:30:32.000Z", - "event.action": [ - "pechange" - ], + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2906,9 +2740,7 @@ }, { "@timestamp": "2020-03-03T12:33:06.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2935,10 +2767,7 @@ }, { "@timestamp": "2019-03-17T19:35:40.000Z", - "event.action": [ - "threat_changed", - "allow" - ], + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -2980,9 +2809,7 @@ }, { "@timestamp": "2020-04-01T14:38:14.000Z", - "event.action": [ - "threat_changed" - ], + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3013,9 +2840,7 @@ }, { "@timestamp": "2020-04-15T09:40:49.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3045,9 +2870,7 @@ }, { "@timestamp": "2020-04-29T04:43:23.000Z", - "event.action": [ - "threat_found" - ], + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3078,10 +2901,7 @@ }, { "@timestamp": "2019-05-13T23:45:57.000Z", - "event.action": [ - "LoginSuccess", - "block" - ], + "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3123,9 +2943,7 @@ }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "event.action": [ - "Device Updated" - ], + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -3164,9 +2982,7 @@ }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3210,9 +3026,7 @@ }, { "@timestamp": "2020-06-25T08:53:40.000Z", - "event.action": [ - "DeviceRemove" - ], + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3239,9 +3053,7 @@ }, { "@timestamp": "2020-07-10T03:56:14.000Z", - "event.action": [ - "threat_found" - ], + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3271,10 +3083,7 @@ }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.action": [ - "Registration", - "allow" - ], + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3321,9 +3130,7 @@ }, { "@timestamp": "2019-08-07T06:01:23.000Z", - "event.action": [ - "DeviceRemove" - ], + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3350,9 +3157,7 @@ }, { "@timestamp": "2019-08-21T13:03:57.000Z", - "event.action": [ - "threat_changed" - ], + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3384,9 +3189,7 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.action": [ - "fullaccess" - ], + "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3420,9 +3223,7 @@ }, { "@timestamp": "2019-09-19T03:09:05.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", 
@@ -3456,9 +3257,7 @@ }, { "@timestamp": "2019-10-03T10:11:40.000Z", - "event.action": [ - "pechange" - ], + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3489,9 +3288,7 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3526,9 +3323,7 @@ }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.action": [ - "Device Policy Assigned" - ], + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3557,9 +3352,7 @@ }, { "@timestamp": "2019-11-15T07:19:22.000Z", - "event.action": [ - "SyslogSettingsSave" - ], + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3588,9 +3381,7 @@ }, { "@timestamp": "2019-11-30T14:21:57.000Z", - "event.action": [ - "ThreatUpdated" - ], + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", @@ -3628,9 +3419,7 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.action": [ - "Registration" - ], + "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index fe4ecbc442f..aff47782703 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 18:27:58.417099 +0000 UTC. +at 2020-07-08 18:50:18.250871 +0000 UTC. 
diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
index cc84a62db72..cbf9659f322 100644
--- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
+++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
@@ -916,7 +916,7 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
 "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_append}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
index 4f52859565c..8a55b8fd469 100644
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -284,9 +284,7 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "01490514", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -315,9 +313,7 @@ }, { "@timestamp": "2016-07-18T20:40:50.000Z", - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "CROND", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -711,9 +707,7 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "01490106", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -907,9 +901,7 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.action": [ - "accept" - ], + "event.action": "accept", "event.code": "01490514", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -982,8 +974,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.169.101.161", - "10.122.204.151" + "10.122.204.151", + "10.169.101.161" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", @@ -1562,8 +1554,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", @@ -1994,9 +1986,7 @@ }, { "@timestamp": "2019-01-19T15:25:23.000Z", - "event.action": [ - "block" - ], + "event.action": "block", "event.code": "crond", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -2182,9 +2172,7 @@ }, { "@timestamp": "2019-04-29T16:43:23.000Z", - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "CROND", "event.dataset": "f5.bigipapm", "event.module": "f5", @@ -2495,9 +2483,7 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "Rule", "event.dataset": "f5.bigipapm", "event.module": "f5", 
@@ -2610,9 +2596,7 @@
 },
 {
 "@timestamp": "2019-12-14T09:24:31.000Z",
- "event.action": [
- "allow"
- ],
+ "event.action": "allow",
 "event.code": "01490106",
 "event.dataset": "f5.bigipapm",
 "event.module": "f5",
diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
index cc84a62db72..cbf9659f322 100644
--- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
+++ b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
@@ -916,7 +916,7 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
 "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_append}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
index 231e4376fe7..61c95990b65 100644
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
@@ -580,9 +580,7 @@
 "user.name": "taevi"
 },
 {
- "event.action": [
- "started"
- ],
+ "event.action": "started",
 "event.code": "snmp",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -790,8 +788,8 @@
 "observer.type": "VPN",
 "observer.vendor": "F5",
 "related.ip": [
- "10.117.146.33",
- "10.46.158.31"
+ "10.46.158.31",
+ "10.117.146.33"
 ],
 "rsa.db.index": "dun",
 "rsa.internal.messageid": "kernel",
@@ -807,9 +805,7 @@
 ]
 },
 {
- "event.action": [
- "block"
- ],
+ "event.action": "block",
 "event.code": "security",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -894,9 +890,7 @@
 "user.name": "ume"
 },
 {
- "event.action": [
- "cancel"
- ],
+ "event.action": "cancel",
 "event.code": "/USR/SBIN/CRON",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -1174,9 +1168,7 @@
 "user.name": "apariat"
 },
 {
- "event.action": [
- "deny"
- ],
+ "event.action": "deny",
 "event.code": "/USR/SBIN/CRON",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -1415,9 +1407,7 @@
 ]
 },
 {
- "event.action": [
- "started"
- ],
+ "event.action": "started",
 "event.code": "snmp",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -1872,9 +1862,7 @@
 ]
 },
 {
- "event.action": [
- "deny"
- ],
+ "event.action": "deny",
 "event.code": "/USR/SBIN/CRON",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -1944,9 +1932,7 @@
 ]
 },
 {
- "event.action": [
- "deny"
- ],
+ "event.action": "deny",
 "event.code": "/USR/SBIN/CRON",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -2101,9 +2087,7 @@
 "user.name": "ven"
 },
 {
- "event.action": [
- "cancel"
- ],
+ "event.action": "cancel",
 "event.code": "/USR/SBIN/CRON",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
@@ -2291,8 +2275,8 @@
 "observer.type": "VPN",
 "observer.vendor": "F5",
 "related.ip": [
- "10.225.181.30",
- "10.65.175.9"
+ "10.65.175.9",
+ "10.225.181.30"
 ],
 "rsa.db.index": "uia",
 "rsa.internal.messageid": "kernel",
@@ -2346,9 +2330,7 @@
 ]
 },
 {
- "event.action": [
- "started"
- ],
+ "event.action": "started",
 "event.code": "snmp",
 "event.dataset": "f5.firepass",
 "event.module": "f5",
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
index cc84a62db72..cbf9659f322 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
@@ -916,7 +916,7 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
 "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_append}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index b57d48ed20f..502e099bb1d 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -5,9 +5,7 @@
 "10.102.123.34"
 ],
 "destination.port": 3994,
- "event.action": [
- "deny"
- ],
+ "event.action": "deny",
 "event.code": "http",
 "event.dataset": "fortinet.clientendpoint",
 "event.module": "fortinet",
@@ -64,9 +62,7 @@
 "10.102.218.31"
 ],
 "destination.port": 3376,
- "event.action": [
- "deny"
- ],
+ "event.action": "deny",
 "event.code": "smtp",
 "event.dataset": "fortinet.clientendpoint",
 "event.module": "fortinet",
@@ -83,8 +79,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 6183,
 "related.ip": [
- "10.22.119.124",
- "10.102.218.31"
+ "10.102.218.31",
+ "10.22.119.124"
 ],
 "related.user": [
 "itamet"
@@ -123,9 +119,7 @@
 "10.26.46.95"
 ],
 "destination.port": 7599,
- "event.action": [
- "deny"
- ],
+ "event.action": "deny",
 "event.code": "https",
 "event.dataset": "fortinet.clientendpoint",
 "event.module": "fortinet",
@@ -182,9 +176,7 @@ "10.202.204.154" ], "destination.port": 3587, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -241,9 +233,7 @@ "10.131.115.96" ], "destination.port": 1890, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -300,9 +290,7 @@ "10.11.200.161" ], "destination.port": 4665, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -319,8 +307,8 @@ "observer.vendor": "Fortinet", "process.pid": 4243, "related.ip": [ - "10.11.200.161", - "10.183.202.41" + "10.183.202.41", + "10.11.200.161" ], "related.user": [ "iusmodt" @@ -359,9 +347,7 @@ "10.214.225.125" ], "destination.port": 2121, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -378,8 +364,8 @@ "observer.vendor": "Fortinet", "process.pid": 5722, "related.ip": [ - "10.12.44.169", - "10.214.225.125" + "10.214.225.125", + "10.12.44.169" ], "related.user": [ "uam" @@ -418,9 +404,7 @@ "10.233.127.83" ], "destination.port": 3676, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -477,9 +461,7 @@ "10.69.20.77" ], "destination.port": 7579, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -496,8 +478,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.69.20.77", - "10.178.244.31" + "10.178.244.31", + "10.69.20.77" ], "related.user": [ "moll" 
@@ -536,9 +518,7 @@ "10.10.65.154" ], "destination.port": 7572, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -555,8 +535,8 @@ "observer.vendor": "Fortinet", "process.pid": 3592, "related.ip": [ - "10.197.5.210", - "10.10.65.154" + "10.10.65.154", + "10.197.5.210" ], "related.user": [ "olo" @@ -595,9 +575,7 @@ "10.177.124.147" ], "destination.port": 4173, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -654,9 +632,7 @@ "10.157.213.15" ], "destination.port": 600, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -713,9 +689,7 @@ "10.124.100.32" ], "destination.port": 7699, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -732,8 +706,8 @@ "observer.vendor": "Fortinet", "process.pid": 5376, "related.ip": [ - "10.208.134.60", - "10.124.100.32" + "10.124.100.32", + "10.208.134.60" ], "related.user": [ "admi" @@ -772,9 +746,7 @@ "10.55.77.49" ], "destination.port": 4683, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -791,8 +763,8 @@ "observer.vendor": "Fortinet", "process.pid": 1577, "related.ip": [ - "10.75.148.116", - "10.55.77.49" + "10.55.77.49", + "10.75.148.116" ], "related.user": [ "tdolorem" @@ -831,9 +803,7 @@ "10.21.92.218" ], "destination.port": 5716, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -890,9 +860,7 @@ "10.84.105.75" ], "destination.port": 98, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -909,8 +877,8 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.ip": [ - "10.78.151.178", - "10.84.105.75" + "10.84.105.75", + "10.78.151.178" ], "related.user": [ "deFinibu" @@ -949,9 +917,7 @@ "10.76.229.163" ], "destination.port": 6387, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1008,9 +974,7 @@ "10.104.134.200" ], "destination.port": 2508, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1067,9 +1031,7 @@ "10.252.122.195" ], "destination.port": 2807, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1126,9 +1088,7 @@ "10.31.95.218" ], "destination.port": 7042, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1145,8 +1105,8 @@ "observer.vendor": "Fortinet", "process.pid": 2374, "related.ip": [ - "10.195.36.51", - "10.31.95.218" + "10.31.95.218", + "10.195.36.51" ], "related.user": [ "laborum" @@ -1185,9 +1145,7 @@ "10.170.148.40" ], "destination.port": 6371, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1244,9 +1202,7 @@ "10.233.171.118" ], "destination.port": 7410, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -1303,9 +1259,7 @@ "10.134.148.219" ], "destination.port": 4430, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1362,9 +1316,7 @@ "10.177.238.183" ], "destination.port": 6458, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1381,8 +1333,8 @@ "observer.vendor": "Fortinet", "process.pid": 5251, "related.ip": [ - "10.59.122.242", - "10.177.238.183" + "10.177.238.183", + "10.59.122.242" ], "related.user": [ "xerc" @@ -1421,9 +1373,7 @@ "10.10.27.73" ], "destination.port": 2574, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1440,8 +1390,8 @@ "observer.vendor": "Fortinet", "process.pid": 6106, "related.ip": [ - "10.74.33.75", - "10.10.27.73" + "10.10.27.73", + "10.74.33.75" ], "related.user": [ "quaturve" @@ -1480,9 +1430,7 @@ "10.32.239.1" ], "destination.port": 3128, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1499,8 +1447,8 @@ "observer.vendor": "Fortinet", "process.pid": 3022, "related.ip": [ - "10.32.239.1", - "10.241.65.49" + "10.241.65.49", + "10.32.239.1" ], "related.user": [ "asia" @@ -1539,9 +1487,7 @@ "10.14.36.202" ], "destination.port": 6036, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1598,9 +1544,7 @@ "10.164.39.248" ], "destination.port": 5194, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -1657,9 +1601,7 @@ "10.135.187.104" ], "destination.port": 4708, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1676,8 +1618,8 @@ "observer.vendor": "Fortinet", "process.pid": 5919, "related.ip": [ - "10.208.14.185", - "10.135.187.104" + "10.135.187.104", + "10.208.14.185" ], "related.user": [ "rcitati" @@ -1716,9 +1658,7 @@ "10.248.101.25" ], "destination.port": 5740, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1775,9 +1715,7 @@ "10.145.26.181" ], "destination.port": 6088, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1794,8 +1732,8 @@ "observer.vendor": "Fortinet", "process.pid": 3471, "related.ip": [ - "10.46.49.26", - "10.145.26.181" + "10.145.26.181", + "10.46.49.26" ], "related.user": [ "cons" @@ -1834,9 +1772,7 @@ "10.66.2.232" ], "destination.port": 5764, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1853,8 +1789,8 @@ "observer.vendor": "Fortinet", "process.pid": 3470, "related.ip": [ - "10.66.2.232", - "10.27.14.168" + "10.27.14.168", + "10.66.2.232" ], "related.user": [ "evolu" @@ -1893,9 +1829,7 @@ "10.201.238.90" ], "destination.port": 7130, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -1952,9 +1886,7 @@ "10.105.91.31" ], "destination.port": 5987, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -1971,8 +1903,8 @@ "observer.vendor": "Fortinet", "process.pid": 853, "related.ip": [ - "10.217.150.196", - "10.105.91.31" + "10.105.91.31", + "10.217.150.196" ], "related.user": [ "siutali" @@ -2011,9 +1943,7 @@ "10.226.83.168" ], "destination.port": 4153, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2070,9 +2000,7 @@ "10.113.95.59" ], "destination.port": 4367, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2129,9 +2057,7 @@ "10.43.226.231" ], "destination.port": 2778, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2148,8 +2074,8 @@ "observer.vendor": "Fortinet", "process.pid": 829, "related.ip": [ - "10.43.226.231", - "10.173.136.186" + "10.173.136.186", + "10.43.226.231" ], "related.user": [ "uscipitl" @@ -2188,9 +2114,7 @@ "10.54.37.86" ], "destination.port": 5089, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2207,8 +2131,8 @@ "observer.vendor": "Fortinet", "process.pid": 6867, "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "related.user": [ "dolorsit" @@ -2247,9 +2171,7 @@ "10.159.119.34" ], "destination.port": 6197, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2306,9 +2228,7 @@ "10.29.133.28" ], "destination.port": 1085, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -2325,8 +2245,8 @@ "observer.vendor": "Fortinet", "process.pid": 5433, "related.ip": [ - "10.29.133.28", - "10.163.93.20" + "10.163.93.20", + "10.29.133.28" ], "related.user": [ "tpersp" @@ -2365,9 +2285,7 @@ "10.50.0.61" ], "destination.port": 5905, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2424,9 +2342,7 @@ "10.30.47.165" ], "destination.port": 3801, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2483,9 +2399,7 @@ "10.36.112.145" ], "destination.port": 7122, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2542,9 +2456,7 @@ "10.162.114.217" ], "destination.port": 7503, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2601,9 +2513,7 @@ "10.140.7.83" ], "destination.port": 3298, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2620,8 +2530,8 @@ "observer.vendor": "Fortinet", "process.pid": 2189, "related.ip": [ - "10.229.71.175", - "10.140.7.83" + "10.140.7.83", + "10.229.71.175" ], "related.user": [ "eseru" @@ -2660,9 +2570,7 @@ "10.149.13.76" ], "destination.port": 2000, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2679,8 +2587,8 @@ "observer.vendor": "Fortinet", "process.pid": 1478, "related.ip": [ - "10.149.13.76", - "10.232.254.65" + "10.232.254.65", + "10.149.13.76" ], "related.user": [ "itesseq" 
@@ -2719,9 +2627,7 @@ "10.90.33.138" ], "destination.port": 7876, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2778,9 +2684,7 @@ "10.243.237.151" ], "destination.port": 6296, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2837,9 +2741,7 @@ "10.28.84.106" ], "destination.port": 4844, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2856,8 +2758,8 @@ "observer.vendor": "Fortinet", "process.pid": 1609, "related.ip": [ - "10.193.233.229", - "10.28.84.106" + "10.28.84.106", + "10.193.233.229" ], "related.user": [ "luptatem" @@ -2896,9 +2798,7 @@ "10.85.185.13" ], "destination.port": 7793, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -2915,8 +2815,8 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.ip": [ - "10.180.195.43", - "10.85.185.13" + "10.85.185.13", + "10.180.195.43" ], "related.user": [ "atione" @@ -2955,9 +2855,7 @@ "10.201.237.233" ], "destination.port": 3023, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3014,9 +2912,7 @@ "10.196.206.130" ], "destination.port": 1725, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3033,8 +2929,8 @@ "observer.vendor": "Fortinet", "process.pid": 7867, "related.ip": [ - "10.239.80.120", - "10.196.206.130" + "10.196.206.130", + "10.239.80.120" ], "related.user": [ "isn" 
@@ -3073,9 +2969,7 @@ "10.47.24.77" ], "destination.port": 1919, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3132,9 +3026,7 @@ "10.139.127.232" ], "destination.port": 1812, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3191,9 +3083,7 @@ "10.40.35.49" ], "destination.port": 3071, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3210,8 +3100,8 @@ "observer.vendor": "Fortinet", "process.pid": 3178, "related.ip": [ - "10.40.35.49", - "10.130.241.232" + "10.130.241.232", + "10.40.35.49" ], "related.user": [ "aturQu" @@ -3250,9 +3140,7 @@ "10.167.252.183" ], "destination.port": 5107, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3309,9 +3197,7 @@ "10.46.56.204" ], "destination.port": 5070, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3328,8 +3214,8 @@ "observer.vendor": "Fortinet", "process.pid": 7079, "related.ip": [ - "10.97.149.97", - "10.46.56.204" + "10.46.56.204", + "10.97.149.97" ], "related.user": [ "esseq" @@ -3368,9 +3254,7 @@ "10.151.129.181" ], "destination.port": 5773, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3387,8 +3271,8 @@ "observer.vendor": "Fortinet", "process.pid": 5026, "related.ip": [ - "10.28.105.124", - "10.151.129.181" + "10.151.129.181", + "10.28.105.124" ], "related.user": [ "nesciun" 
@@ -3427,9 +3311,7 @@ "10.145.101.26" ], "destination.port": 2559, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3446,8 +3328,8 @@ "observer.vendor": "Fortinet", "process.pid": 3992, "related.ip": [ - "10.128.63.143", - "10.145.101.26" + "10.145.101.26", + "10.128.63.143" ], "related.user": [ "ssusci" @@ -3486,9 +3368,7 @@ "10.62.229.89" ], "destination.port": 5348, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3545,9 +3425,7 @@ "10.54.83.119" ], "destination.port": 338, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3564,8 +3442,8 @@ "observer.vendor": "Fortinet", "process.pid": 315, "related.ip": [ - "10.250.19.146", - "10.54.83.119" + "10.54.83.119", + "10.250.19.146" ], "related.user": [ "radi" @@ -3604,9 +3482,7 @@ "10.1.96.93" ], "destination.port": 428, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3623,8 +3499,8 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.ip": [ - "10.54.73.158", - "10.1.96.93" + "10.1.96.93", + "10.54.73.158" ], "related.user": [ "snos" @@ -3663,9 +3539,7 @@ "10.94.114.83" ], "destination.port": 4803, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3722,9 +3596,7 @@ "10.38.28.151" ], "destination.port": 347, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -3741,8 +3613,8 @@ "observer.vendor": "Fortinet", "process.pid": 2649, "related.ip": [ - "10.206.165.83", - "10.38.28.151" + "10.38.28.151", + "10.206.165.83" ], "related.user": [ "erspi" @@ -3781,9 +3653,7 @@ "10.77.229.168" ], "destination.port": 3777, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3840,9 +3710,7 @@ "10.57.85.98" ], "destination.port": 1444, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3899,9 +3767,7 @@ "10.193.66.155" ], "destination.port": 4965, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3918,8 +3784,8 @@ "observer.vendor": "Fortinet", "process.pid": 2913, "related.ip": [ - "10.7.43.184", - "10.193.66.155" + "10.193.66.155", + "10.7.43.184" ], "related.user": [ "tobeatae" @@ -3958,9 +3824,7 @@ "10.81.234.34" ], "destination.port": 1710, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -3977,8 +3841,8 @@ "observer.vendor": "Fortinet", "process.pid": 1526, "related.ip": [ - "10.196.96.162", - "10.81.234.34" + "10.81.234.34", + "10.196.96.162" ], "related.user": [ "aliqui" @@ -4017,9 +3881,7 @@ "10.77.78.180" ], "destination.port": 5380, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4076,9 +3938,7 @@ "10.108.45.59" ], "destination.port": 7229, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -4135,9 +3995,7 @@ "10.170.252.219" ], "destination.port": 2454, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4194,9 +4052,7 @@ "10.83.119.181" ], "destination.port": 5693, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4253,9 +4109,7 @@ "10.141.143.56" ], "destination.port": 2442, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4272,8 +4126,8 @@ "observer.vendor": "Fortinet", "process.pid": 3628, "related.ip": [ - "10.225.255.211", - "10.141.143.56" + "10.141.143.56", + "10.225.255.211" ], "related.user": [ "aaliq" @@ -4312,9 +4166,7 @@ "10.219.1.151" ], "destination.port": 4323, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4331,8 +4183,8 @@ "observer.vendor": "Fortinet", "process.pid": 6311, "related.ip": [ - "10.250.81.189", - "10.219.1.151" + "10.219.1.151", + "10.250.81.189" ], "related.user": [ "olup" @@ -4371,9 +4223,7 @@ "10.189.42.62" ], "destination.port": 4262, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4430,9 +4280,7 @@ "10.202.132.214" ], "destination.port": 3392, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4489,9 +4337,7 @@ "10.169.98.165" ], "destination.port": 6084, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -4508,8 +4354,8 @@ "observer.vendor": "Fortinet", "process.pid": 2280, "related.ip": [ - "10.169.98.165", - "10.51.221.217" + "10.51.221.217", + "10.169.98.165" ], "related.user": [ "metco" @@ -4548,9 +4394,7 @@ "10.85.104.146" ], "destination.port": 4438, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4607,9 +4451,7 @@ "10.30.246.132" ], "destination.port": 388, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4666,9 +4508,7 @@ "10.167.9.200" ], "destination.port": 4568, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4685,8 +4525,8 @@ "observer.vendor": "Fortinet", "process.pid": 2068, "related.ip": [ - "10.167.9.200", - "10.37.174.58" + "10.37.174.58", + "10.167.9.200" ], "related.user": [ "tvol" @@ -4725,9 +4565,7 @@ "10.251.29.244" ], "destination.port": 919, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4784,9 +4622,7 @@ "10.189.82.19" ], "destination.port": 4057, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4803,8 +4639,8 @@ "observer.vendor": "Fortinet", "process.pid": 1816, "related.ip": [ - "10.198.143.216", - "10.189.82.19" + "10.189.82.19", + "10.198.143.216" ], "related.user": [ "iamqui" @@ -4843,9 +4679,7 @@ "10.70.29.203" ], "destination.port": 6317, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -4862,8 +4696,8 @@ "observer.vendor": "Fortinet", "process.pid": 4386, "related.ip": [ - "10.141.216.14", - "10.70.29.203" + "10.70.29.203", + "10.141.216.14" ], "related.user": [ "dese" @@ -4902,9 +4736,7 @@ "10.137.85.123" ], "destination.port": 7073, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -4921,8 +4753,8 @@ "observer.vendor": "Fortinet", "process.pid": 2313, "related.ip": [ - "10.137.85.123", - "10.183.243.246" + "10.183.243.246", + "10.137.85.123" ], "related.user": [ "idatat" @@ -4961,9 +4793,7 @@ "10.158.54.131" ], "destination.port": 1585, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5020,9 +4850,7 @@ "10.187.170.23" ], "destination.port": 3220, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5079,9 +4907,7 @@ "10.125.166.198" ], "destination.port": 6301, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5098,8 +4924,8 @@ "observer.vendor": "Fortinet", "process.pid": 6537, "related.ip": [ - "10.114.211.238", - "10.125.166.198" + "10.125.166.198", + "10.114.211.238" ], "related.user": [ "sumquiad" @@ -5138,9 +4964,7 @@ "10.209.239.122" ], "destination.port": 1450, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5197,9 +5021,7 @@ "10.146.57.23" ], "destination.port": 5483, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", 
@@ -5216,8 +5038,8 @@ "observer.vendor": "Fortinet", "process.pid": 5772, "related.ip": [ - "10.146.57.23", - "10.144.109.148" + "10.144.109.148", + "10.146.57.23" ], "related.user": [ "xerc" @@ -5256,9 +5078,7 @@ "10.11.2.200" ], "destination.port": 7541, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5275,8 +5095,8 @@ "observer.vendor": "Fortinet", "process.pid": 4542, "related.ip": [ - "10.69.230.223", - "10.11.2.200" + "10.11.2.200", + "10.69.230.223" ], "related.user": [ "uatu" @@ -5315,9 +5135,7 @@ "10.120.148.241" ], "destination.port": 1655, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5374,9 +5192,7 @@ "10.90.50.149" ], "destination.port": 7260, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5433,9 +5249,7 @@ "10.117.190.234" ], "destination.port": 7475, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5452,8 +5266,8 @@ "observer.vendor": "Fortinet", "process.pid": 5792, "related.ip": [ - "10.117.190.234", - "10.230.130.3" + "10.230.130.3", + "10.117.190.234" ], "related.user": [ "ttenb" @@ -5492,9 +5306,7 @@ "10.203.117.6" ], "destination.port": 2510, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5511,8 +5323,8 @@ "observer.vendor": "Fortinet", "process.pid": 3142, "related.ip": [ - "10.55.103.200", - "10.203.117.6" + "10.203.117.6", + "10.55.103.200" ], "related.user": [ "enbyCic" 
@@ -5551,9 +5363,7 @@ "10.75.122.228" ], "destination.port": 5, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5570,8 +5380,8 @@ "observer.vendor": "Fortinet", "process.pid": 730, "related.ip": [ - "10.75.122.228", - "10.244.52.142" + "10.244.52.142", + "10.75.122.228" ], "related.user": [ "isciv" @@ -5610,9 +5420,7 @@ "10.119.143.168" ], "destination.port": 4131, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5669,9 +5477,7 @@ "10.252.146.103" ], "destination.port": 5995, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5728,9 +5534,7 @@ "10.213.41.210" ], "destination.port": 3626, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5787,9 +5591,7 @@ "10.190.36.112" ], "destination.port": 4829, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5846,9 +5648,7 @@ "10.19.21.239" ], "destination.port": 6995, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", @@ -5865,8 +5665,8 @@ "observer.vendor": "Fortinet", "process.pid": 5985, "related.ip": [ - "10.19.21.239", - "10.175.181.138" + "10.175.181.138", + "10.19.21.239" ], "related.user": [ "aliqu" diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index 8c264cb81ae..e42f3a778a5 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md 
@@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-08 18:28:00.818993 +0000 UTC. +at 2020-07-08 18:50:20.827838 +0000 UTC. diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js +++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
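Review bot: The `event_type` mapping in the second hunk gets `prio: 1` behind `action` at `prio: 0`, so its value is dropped whenever a log carries both, which the updated fixtures confirm (`["cancel", "Login"]` becomes `"cancel"`); unless `event_type` is also mapped to an `rsa.*` field elsewhere in `ecs_mappings`, the login/logout detail that a detection rule might key on no longer lands anywhere in the document. The precedence rule of `fld_prio` is not visible in this file and only inferable from the fixtures, where the lower number appears to win, so a comment on the `action` line would spare the next reader that reconstruction, e.g. `// prio 0 beats event_type (prio 1): event.action is single-valued in ECS`. The README in the same patch records this module as autogenerated from the RSA parser XML, so if `liblogparser.js` is copied from a shared template the change presumably belongs there too, or the next regeneration reverts it. The `ecs_mappings` object starts and ends outside both hunks.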
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index d4a94f59496..978f34e6651 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -4,10 +4,7 @@ "10.70.155.35" ], "destination.port": 892, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -61,9 +58,7 @@ "user.name": "tatno" }, { - "event.action": [ - "erep" - ], + "event.action": "erep", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -95,10 +90,7 @@ "10.58.116.231" ], "destination.port": 996, - "event.action": [ - "rumet", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -116,9 +108,9 @@ "10.58.116.231" ], "related.user": [ - "qua", + "uradi", "temUten", - "uradi" + "qua" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -151,10 +143,7 @@ "10.157.161.103" ], "destination.port": 4782, - "event.action": [ - "liquide", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -175,9 +164,9 @@ "10.157.161.103" ], "related.user": [ + "CSed", "emeumfu", - "tem", - "CSed" + "tem" ], "rsa.counters.event_counter": 3561, "rsa.db.database": "lupt", @@ -220,10 +209,7 @@ "10.230.76.224" ], "destination.port": 5715, - "event.action": [ - "accept", - "remagn" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -244,17 +230,17 @@ "10.230.76.224" ], "related.user": [ + "dol", "tlabori", - "hitect", - "dol" + "hitect" ], "rsa.counters.event_counter": 3339, "rsa.db.database": "leumiu", "rsa.internal.event_desc": "atDu", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "emulla", - "accept" + "accept", + "emulla" ], "rsa.misc.category": "eav", "rsa.misc.disposition": "ionevo", @@ -288,10 +274,7 @@ "10.10.38.139" ], "destination.port": 189, - "event.action": [ - "Login", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -349,10 +332,7 @@ "10.133.189.215" ], "destination.port": 7865, - "event.action": [ - "tmo", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -370,8 +350,8 @@ "10.206.97.204" ], "related.user": [ - "evita", "ommodico", + "evita", "fugitse" ], "rsa.counters.dclass_c1": 4842, @@ -405,10 +385,7 @@ "10.145.248.111" ], "destination.port": 95, - "event.action": [ - "deny", - "Login" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -427,8 +404,8 @@ "10.148.106.167" ], "related.user": [ - "tium", "uae", + "tium", "tectobe" ], "rsa.counters.dclass_c1": 3994, @@ -466,10 +443,7 @@ "10.77.52.83" ], "destination.port": 2646, - "event.action": [ - "accept", - "Login" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -484,12 +458,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.77.52.83", - "10.7.46.36" + "10.7.46.36", + "10.77.52.83" ], "related.user": [ - "upta", "atno", + "upta", "ccaec" ], "rsa.counters.dclass_c1": 1458, 
@@ -527,10 +501,7 @@ "10.221.102.245" ], "destination.port": 337, - "event.action": [ - "Logout", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -545,13 +516,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.43.226.231", - "10.221.102.245" + "10.221.102.245", + "10.43.226.231" ], "related.user": [ - "eFi", "ritatise", - "rinre" + "rinre", + "eFi" ], "rsa.counters.dclass_c1": 302, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -588,10 +559,7 @@ "10.239.96.8" ], "destination.port": 6223, - "event.action": [ - "Login", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -610,9 +578,9 @@ "10.239.96.8" ], "related.user": [ - "nts", + "orsitam", "atevelit", - "orsitam" + "nts" ], "rsa.counters.dclass_c1": 3714, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -649,10 +617,7 @@ "10.10.216.74" ], "destination.port": 7231, - "event.action": [ - "Login", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -667,13 +632,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.147.76.202", - "10.10.216.74" + "10.10.216.74", + "10.147.76.202" ], "related.user": [ - "oeni", + "sit", "ctetura", - "sit" + "oeni" ], "rsa.counters.dclass_c1": 5313, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -710,10 +675,7 @@ "10.177.219.214" ], "destination.port": 2300, - "event.action": [ - "cancel", - "nBCSedut" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -730,21 +692,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.177.219.214", - "10.123.199.236" + "10.123.199.236", + "10.177.219.214" ], "related.user": [ - "emUteni", "texpli", - "rum" + "rum", + "emUteni" ], "rsa.counters.event_counter": 5653, "rsa.db.database": "gnaaliqu", "rsa.internal.event_desc": "ian", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "nonp", - "cancel" + "cancel", + "nonp" ], "rsa.misc.category": "dolore", "rsa.misc.disposition": "onsecte", @@ -779,10 +741,7 @@ "10.110.114.175" ], "destination.port": 2639, - "event.action": [ - "Login", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -801,9 +760,9 @@ "10.20.72.231" ], "related.user": [ + "imide", "upt", - "snost", - "imide" + "snost" ], "rsa.counters.dclass_c1": 5798, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -840,10 +799,7 @@ "10.230.206.60" ], "destination.port": 3684, - "event.action": [ - "Login", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -862,9 +818,9 @@ "10.111.90.75" ], "related.user": [ - "aincidu", + "rcitat", "rem", - "rcitat" + "aincidu" ], "rsa.counters.dclass_c1": 1264, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -901,10 +857,7 @@ "10.154.53.249" ], "destination.port": 1513, - "event.action": [ - "uisa", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -921,21 +874,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.154.53.249", - "10.186.77.109" + "10.186.77.109", + "10.154.53.249" ], "related.user": [ - "dutpers", "erun", - "est" + "est", + "dutpers" ], "rsa.counters.event_counter": 5380, "rsa.db.database": "orisn", "rsa.internal.event_desc": "porincid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "atcupi" + "atcupi", + "accept" ], "rsa.misc.category": "atisetqu", "rsa.misc.disposition": "issuscip", @@ -969,10 +922,7 @@ "10.201.164.145" ], "destination.port": 2700, - "event.action": [ - "Login", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -991,9 +941,9 @@ "10.111.233.194" ], "related.user": [ - "ullamcor", + "sequa", "miurerep", - "sequa" + "ullamcor" ], "rsa.counters.dclass_c1": 6595, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1030,10 +980,7 @@ "10.241.230.235" ], "destination.port": 3421, - "event.action": [ - "ssecil", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1054,17 +1001,17 @@ "10.57.164.187" ], "related.user": [ + "scingeli", "olorsit", - "isn", - "scingeli" + "isn" ], "rsa.counters.event_counter": 3317, "rsa.db.database": "sBono", "rsa.internal.event_desc": "llamco", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "olorem" + "olorem", + "accept" ], "rsa.misc.category": "atu", "rsa.misc.disposition": "untincul", @@ -1099,10 +1046,7 @@ "10.79.147.101" ], "destination.port": 1280, - "event.action": [ - "Login", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1122,8 +1066,8 @@ ], "related.user": [ "ddoeius", - "uptat", - "cingel" + "cingel", + "uptat" ], "rsa.counters.dclass_c1": 6068, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1160,10 +1104,7 @@ "10.49.71.118" ], "destination.port": 4322, - "event.action": [ - "cancel", - "eprehend" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1229,10 +1170,7 @@ "10.28.153.102" ], "destination.port": 6366, - "event.action": [ - "plic", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1246,13 +1184,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.153.102", - "10.50.222.68" + "10.50.222.68", + "10.28.153.102" ], "related.user": [ - "tas", + "amali", "rsita", - "amali" + "tas" ], "rsa.counters.dclass_c1": 4527, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1285,10 +1223,7 @@ "10.199.169.48" ], "destination.port": 6443, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1303,13 +1238,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.199.169.48", - "10.46.192.198" + "10.46.192.198", + "10.199.169.48" ], "related.user": [ - "imadmini", "oditempo", - "rumetMal" + "rumetMal", + "imadmini" ], "rsa.counters.dclass_c1": 4128, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1346,10 +1281,7 @@ "10.201.81.46" ], "destination.port": 6515, - "event.action": [ - "block", - "BCS" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1371,16 +1303,16 @@ ], "related.user": [ "est", - "agnaaliq", - "niam" + "niam", + "agnaaliq" ], "rsa.counters.event_counter": 2001, "rsa.db.database": "mquisno", "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "amc" + "amc", + "block" ], "rsa.misc.category": "ever", "rsa.misc.disposition": "tali", 
@@ -1415,10 +1347,7 @@ "10.7.81.204" ], "destination.port": 3984, - "event.action": [ - "accept", - "uradi" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1440,16 +1369,16 @@ ], "related.user": [ "ulap", - "amnisi", - "ersp" + "ersp", + "amnisi" ], "rsa.counters.event_counter": 1710, "rsa.db.database": "nrepreh", "rsa.internal.event_desc": "nimad", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "prehe", - "accept" + "accept", + "prehe" ], "rsa.misc.category": "ataevita", "rsa.misc.disposition": "oremqu", @@ -1483,10 +1412,7 @@ "10.94.132.21" ], "destination.port": 2945, - "event.action": [ - "deny", - "Login" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1501,13 +1427,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.114.193.232", - "10.94.132.21" + "10.94.132.21", + "10.114.193.232" ], "related.user": [ + "nse", "odi", - "eetdo", - "nse" + "eetdo" ], "rsa.counters.dclass_c1": 6784, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1544,10 +1470,7 @@ "10.44.226.104" ], "destination.port": 7020, - "event.action": [ - "Logout", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1605,10 +1528,7 @@ "10.48.209.115" ], "destination.port": 3450, - "event.action": [ - "Logout", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1628,8 +1548,8 @@ ], "related.user": [ "umiurer", - "iamea", - "aconsequ" + "aconsequ", + "iamea" ], "rsa.counters.dclass_c1": 3249, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1666,10 +1586,7 @@ "10.85.137.156" ], "destination.port": 2763, - "event.action": [ - "accept", - "Logout" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1684,12 +1601,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.188.121.11", - "10.85.137.156" + "10.85.137.156", + "10.188.121.11" ], "related.user": [ - "orumSe", "olori", + "orumSe", "etMaloru" ], "rsa.counters.dclass_c1": 2491, @@ -1727,10 +1644,7 @@ "10.238.245.236" ], "destination.port": 3575, - "event.action": [ - "cancel", - "tnul" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1748,8 +1662,8 @@ "10.45.215.202" ], "related.user": [ - "stquidol", "ihilmole", + "stquidol", "gia" ], "rsa.counters.dclass_c1": 7822, @@ -1783,10 +1697,7 @@ "10.213.109.180" ], "destination.port": 6536, - "event.action": [ - "accept", - "Login" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1801,13 +1712,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.213.109.180", - "10.222.85.95" + "10.222.85.95", + "10.213.109.180" ], "related.user": [ + "essequam", "emp", - "etdolor", - "essequam" + "etdolor" ], "rsa.counters.dclass_c1": 2905, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1844,10 +1755,7 @@ "10.229.165.102" ], "destination.port": 2069, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1862,12 +1770,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.229.165.102", - "10.18.225.139" + "10.18.225.139", + "10.229.165.102" ], "related.user": [ - "orum", "lestia", + "orum", "edquian" ], "rsa.counters.dclass_c1": 3553, 
@@ -1905,10 +1813,7 @@ "10.119.4.120" ], "destination.port": 3822, - "event.action": [ - "turadip", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1922,13 +1827,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.119.4.120", - "10.63.177.46" + "10.63.177.46", + "10.119.4.120" ], "related.user": [ + "ptassita", "itseddo", - "veleumi", - "ptassita" + "veleumi" ], "rsa.counters.dclass_c1": 5719, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1961,10 +1866,7 @@ "10.189.6.107" ], "destination.port": 767, - "event.action": [ - "allow", - "Logout" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -1983,9 +1885,9 @@ "10.50.69.209" ], "related.user": [ + "exerci", "eirur", - "isci", - "exerci" + "isci" ], "rsa.counters.dclass_c1": 1684, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2022,10 +1924,7 @@ "10.74.166.70" ], "destination.port": 1453, - "event.action": [ - "accept", - "Logout" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2040,13 +1939,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.74.166.70", - "10.88.176.226" + "10.88.176.226", + "10.74.166.70" ], "related.user": [ + "olor", "roinBCSe", - "ender", - "olor" + "ender" ], "rsa.counters.dclass_c1": 723, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2083,10 +1982,7 @@ "10.123.56.46" ], "destination.port": 6729, - "event.action": [ - "cancel", - "Logout" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2105,8 +2001,8 @@ "10.123.56.46" ], "related.user": [ - "sit", "uid", + "sit", "oreseo" ], "rsa.counters.dclass_c1": 6438, 
@@ -2144,10 +2040,7 @@ "10.169.124.164" ], "destination.port": 62, - "event.action": [ - "lesti", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2161,13 +2054,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.169.124.164", - "10.176.83.7" + "10.176.83.7", + "10.169.124.164" ], "related.user": [ - "iamqui", "dolor", - "hilmole" + "hilmole", + "iamqui" ], "rsa.counters.dclass_c1": 2894, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2200,10 +2093,7 @@ "10.87.238.169" ], "destination.port": 1598, - "event.action": [ - "block", - "Logout" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2218,13 +2108,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.125.112", - "10.87.238.169" + "10.87.238.169", + "10.173.125.112" ], "related.user": [ - "CSedu", + "itaedict", "iusmodt", - "itaedict" + "CSedu" ], "rsa.counters.dclass_c1": 7780, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2261,10 +2151,7 @@ "10.245.219.7" ], "destination.port": 4792, - "event.action": [ - "block", - "Login" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2283,9 +2170,9 @@ "10.53.133.90" ], "related.user": [ - "ptatev", + "rsit", "nvol", - "rsit" + "ptatev" ], "rsa.counters.dclass_c1": 6066, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2322,10 +2209,7 @@ "10.67.173.228" ], "destination.port": 4444, - "event.action": [ - "block", - "aliqui" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2346,8 +2230,8 @@ "10.67.173.228" ], "related.user": [ - "onsectet", "nesci", + "onsectet", "tam" ], "rsa.counters.event_counter": 2448, 
@@ -2391,10 +2275,7 @@ "10.90.50.149" ], "destination.port": 1936, - "event.action": [ - "Logout", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2413,9 +2294,9 @@ "10.90.50.149" ], "related.user": [ - "olu", "olupta", - "aUtenima" + "aUtenima", + "olu" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2452,10 +2333,7 @@ "10.59.182.36" ], "destination.port": 5792, - "event.action": [ - "Login", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2474,9 +2352,9 @@ "10.59.182.36" ], "related.user": [ + "mtota", "qua", - "luptat", - "mtota" + "luptat" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2509,9 +2387,7 @@ "user.name": "mtota" }, { - "event.action": [ - "ulamcola" - ], + "event.action": "ulamcola", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2543,10 +2419,7 @@ "10.52.190.18" ], "destination.port": 4411, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2565,9 +2438,9 @@ "10.198.142.81" ], "related.user": [ + "ciati", "upta", - "secte", - "ciati" + "secte" ], "rsa.counters.dclass_c1": 1063, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2604,10 +2477,7 @@ "10.49.169.175" ], "destination.port": 5020, - "event.action": [ - "strumex", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -2624,21 +2494,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.97.108.108", - "10.49.169.175" + "10.49.169.175", + "10.97.108.108" ], "related.user": [ - "onpr", "iquamqu", - "idolor" + "idolor", + "onpr" ], "rsa.counters.event_counter": 4795, "rsa.db.database": "uira", "rsa.internal.event_desc": "velites", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "caboN", - "cancel" + "cancel", + "caboN" ], "rsa.misc.category": "oloremi", "rsa.misc.disposition": "edqui", @@ -2672,10 +2542,7 @@ "10.65.185.178" ], "destination.port": 7750, - "event.action": [ - "accept", - "Logout" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2694,9 +2561,9 @@ "10.96.216.244" ], "related.user": [ - "tvolup", "assi", - "tin" + "tin", + "tvolup" ], "rsa.counters.dclass_c1": 5602, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2733,10 +2600,7 @@ "10.223.71.185" ], "destination.port": 916, - "event.action": [ - "deFini", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2754,9 +2618,9 @@ "10.223.71.185" ], "related.user": [ + "loremips", "atisetqu", - "uptateve", - "loremips" + "uptateve" ], "rsa.counters.dclass_c1": 3804, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2789,10 +2653,7 @@ "10.238.252.246" ], "destination.port": 6289, - "event.action": [ - "Login", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2811,9 +2672,9 @@ "10.255.179.32" ], "related.user": [ + "olore", "iatn", - "iamea", - "olore" + "iamea" ], "rsa.counters.dclass_c1": 5626, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2850,10 +2711,7 @@ "10.98.52.184" ], "destination.port": 7402, - "event.action": [ - "Logout", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2868,12 +2726,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.124.136", - "10.98.52.184" + "10.98.52.184", + "10.28.124.136" ], "related.user": [ - "icaboNe", "billoi", + "icaboNe", "umq" ], "rsa.counters.dclass_c1": 4298, @@ -2911,10 +2769,7 @@ "10.200.162.248" ], "destination.port": 1419, - "event.action": [ - "Logout", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2929,8 +2784,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.92.177.251", - "10.200.162.248" + "10.200.162.248", + "10.92.177.251" ], "related.user": [ "cul", @@ -2972,10 +2827,7 @@ "10.103.215.159" ], "destination.port": 1265, - "event.action": [ - "Login", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -2990,13 +2842,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.88.60.147", - "10.103.215.159" + "10.103.215.159", + "10.88.60.147" ], "related.user": [ - "mull", + "ueporr", "seq", - "ueporr" + "mull" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3032,10 +2884,7 @@ "10.93.246.218" ], "destination.port": 4628, - "event.action": [ - "accept", - "Logout" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3054,8 +2903,8 @@ "10.93.246.218" ], "related.user": [ - "mtot", "roinBCS", + "mtot", "cteturad" ], "rsa.counters.dclass_c1": 1929, 
@@ -3093,10 +2942,7 @@ "10.89.16.162" ], "destination.port": 3056, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3111,13 +2957,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.178.183.11", - "10.89.16.162" + "10.89.16.162", + "10.178.183.11" ], "related.user": [ - "taevitae", "atvol", - "modit" + "modit", + "taevitae" ], "rsa.counters.dclass_c1": 1449, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3154,10 +3000,7 @@ "10.67.129.100" ], "destination.port": 1961, - "event.action": [ - "remque", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3179,8 +3022,8 @@ ], "related.user": [ "exerc", - "sunte", - "gnama" + "gnama", + "sunte" ], "rsa.counters.event_counter": 2592, "rsa.db.database": "tasu", @@ -3223,10 +3066,7 @@ "10.20.158.236" ], "destination.port": 4443, - "event.action": [ - "deny", - "Login" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3245,9 +3085,9 @@ "10.20.158.236" ], "related.user": [ - "dantium", + "oinve", "aute", - "oinve" + "dantium" ], "rsa.counters.dclass_c1": 6386, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3284,10 +3124,7 @@ "10.250.231.196" ], "destination.port": 5863, - "event.action": [ - "Logout", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3302,12 +3139,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.250.231.196", - "10.199.46.88" + "10.199.46.88", + "10.250.231.196" ], "related.user": [ - "utlabore", "equuntur", + "utlabore", "olup" ], "rsa.counters.dclass_c1": 2867, 
@@ -3345,10 +3182,7 @@ "10.41.44.94" ], "destination.port": 702, - "event.action": [ - "Logout", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3363,12 +3197,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.49.122.64", - "10.41.44.94" + "10.41.44.94", + "10.49.122.64" ], "related.user": [ - "nim", "fugia", + "nim", "suntincu" ], "rsa.counters.dclass_c1": 1508, @@ -3406,10 +3240,7 @@ "10.101.60.188" ], "destination.port": 5558, - "event.action": [ - "accept", - "Login" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3429,8 +3260,8 @@ ], "related.user": [ "eritquii", - "itaed", - "uptatem" + "uptatem", + "itaed" ], "rsa.counters.dclass_c1": 944, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3467,10 +3298,7 @@ "10.184.199.84" ], "destination.port": 2057, - "event.action": [ - "Login", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3485,13 +3313,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.138.191.99", - "10.184.199.84" + "10.184.199.84", + "10.138.191.99" ], "related.user": [ + "cid", "ationem", - "upt", - "cid" + "upt" ], "rsa.counters.dclass_c1": 3291, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3528,10 +3356,7 @@ "10.40.12.51" ], "destination.port": 5633, - "event.action": [ - "preh", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -3548,21 +3373,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.40.12.51", - "10.27.120.57" + "10.27.120.57", + "10.40.12.51" ], "related.user": [ - "remeum", "volupta", - "doconse" + "doconse", + "remeum" ], "rsa.counters.event_counter": 1576, "rsa.db.database": "ptat", "rsa.internal.event_desc": "iatisun", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uep", - "cancel" + "cancel", + "uep" ], "rsa.misc.category": "cto", "rsa.misc.disposition": "orumSect", @@ -3597,10 +3422,7 @@ "10.86.147.37" ], "destination.port": 6845, - "event.action": [ - "allow", - "epteu" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3617,21 +3439,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.147.37", - "10.106.63.42" + "10.106.63.42", + "10.86.147.37" ], "related.user": [ "olor", - "aeca", - "ugitse" + "ugitse", + "aeca" ], "rsa.counters.event_counter": 2211, "rsa.db.database": "ameiu", "rsa.internal.event_desc": "por", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "mip" + "mip", + "allow" ], "rsa.misc.category": "stiae", "rsa.misc.disposition": "icta", @@ -3666,10 +3488,7 @@ "10.110.240.8" ], "destination.port": 6650, - "event.action": [ - "Login", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3684,13 +3503,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.132.76", - "10.110.240.8" + "10.110.240.8", + "10.112.132.76" ], "related.user": [ + "equun", "tam", - "ulamcola", - "equun" + "ulamcola" ], "rsa.counters.dclass_c1": 5784, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3727,10 +3546,7 @@ "10.76.222.159" ], "destination.port": 403, - "event.action": [ - "Logout", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3745,13 +3561,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.76.222.159", - "10.7.141.213" + "10.7.141.213", + "10.76.222.159" ], "related.user": [ - "labor", + "natuser", "niamq", - "natuser" + "labor" ], "rsa.counters.dclass_c1": 5670, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3788,10 +3604,7 @@ "10.246.196.160" ], "destination.port": 894, - "event.action": [ - "Logout", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3810,9 +3623,9 @@ "10.246.196.160" ], "related.user": [ - "epteurs", + "equ", "urautod", - "equ" + "epteurs" ], "rsa.counters.dclass_c1": 4933, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3845,9 +3658,7 @@ "user.name": "equ" }, { - "event.action": [ - "veniam" - ], + "event.action": "veniam", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3879,10 +3690,7 @@ "10.209.129.155" ], "destination.port": 769, - "event.action": [ - "block", - "Logout" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3940,10 +3748,7 @@ "10.219.218.23" ], "destination.port": 2855, - "event.action": [ - "deny", - "nsequatD" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -3964,9 +3769,9 @@ "10.219.218.23" ], "related.user": [ - "labor", + "tesseq", "orumS", - "tesseq" + "labor" ], "rsa.counters.event_counter": 2428, "rsa.db.database": "exeacomm", 
@@ -4009,10 +3814,7 @@ "10.209.39.25" ], "destination.port": 3954, - "event.action": [ - "block", - "ius" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4030,9 +3832,9 @@ "10.67.163.107" ], "related.user": [ + "tion", "eddoe", - "quaeabi", - "tion" + "quaeabi" ], "rsa.counters.dclass_c1": 3469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4065,10 +3867,7 @@ "10.61.247.113" ], "destination.port": 599, - "event.action": [ - "cancel", - "Logout" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4083,8 +3882,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.120.66.172", - "10.61.247.113" + "10.61.247.113", + "10.120.66.172" ], "related.user": [ "iamqu", @@ -4126,10 +3925,7 @@ "10.206.65.159" ], "destination.port": 6326, - "event.action": [ - "oluptass", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4150,17 +3946,17 @@ "10.31.56.237" ], "related.user": [ - "cit", + "amcorpor", "atem", - "amcorpor" + "cit" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "oloremeu", "rsa.internal.event_desc": "liquaUt", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "issuscip", - "deny" + "deny", + "issuscip" ], "rsa.misc.category": "tdolorem", "rsa.misc.disposition": "umdolo", @@ -4190,9 +3986,7 @@ "user.name": "cit" }, { - "event.action": [ - "iades" - ], + "event.action": "iades", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4224,10 +4018,7 @@ "10.108.76.145" ], "destination.port": 4698, - "event.action": [ - "allow", - "Login" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4246,8 +4037,8 @@ "10.108.76.145" ], "related.user": [ - "idid", "trumexer", + "idid", "uisautem" ], "rsa.counters.dclass_c1": 1294, @@ -4285,10 +4076,7 @@ "10.193.58.50" ], "destination.port": 5693, - "event.action": [ - "oloremeu", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4309,9 +4097,9 @@ "10.28.248.90" ], "related.user": [ - "eaqu", + "totamrem", "cto", - "totamrem" + "eaqu" ], "rsa.counters.event_counter": 4385, "rsa.db.database": "itani", @@ -4353,10 +4141,7 @@ "10.84.3.244" ], "destination.port": 3154, - "event.action": [ - "Login", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4371,13 +4156,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.84.3.244", - "10.211.242.138" + "10.211.242.138", + "10.84.3.244" ], "related.user": [ - "olest", + "ciun", "asia", - "ciun" + "olest" ], "rsa.counters.dclass_c1": 545, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4410,9 +4195,7 @@ "user.name": "olest" }, { - "event.action": [ - "quidolo" - ], + "event.action": "quidolo", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4444,10 +4227,7 @@ "10.121.189.113" ], "destination.port": 5635, - "event.action": [ - "accept", - "Login" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4462,8 +4242,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.121.189.113", - "10.13.86.14" + "10.13.86.14", + "10.121.189.113" ], "related.user": [ "volu", @@ -4504,10 +4284,7 @@ "10.32.220.188" ], "destination.port": 2394, - "event.action": [ - "accept", - "Logout" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4527,8 +4304,8 @@ ], "related.user": [ "ectob", - "lorinrep", - "nimi" + "nimi", + "lorinrep" ], "rsa.counters.dclass_c1": 2636, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4565,10 +4342,7 @@ "10.189.155.253" ], "destination.port": 984, - "event.action": [ - "Login", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4583,13 +4357,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.189.155.253", - "10.29.74.57" + "10.29.74.57", + "10.189.155.253" ], "related.user": [ "colab", - "iutaliqu", - "exe" + "exe", + "iutaliqu" ], "rsa.counters.dclass_c1": 3432, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4626,10 +4400,7 @@ "10.107.41.59" ], "destination.port": 926, - "event.action": [ - "block", - "acom" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4643,13 +4414,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.107.41.59", - "10.149.2.62" + "10.149.2.62", + "10.107.41.59" ], "related.user": [ "edictasu", - "utal", - "oreseo" + "oreseo", + "utal" ], "rsa.counters.dclass_c1": 3008, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4682,10 +4453,7 @@ "10.20.211.186" ], "destination.port": 4062, - "event.action": [ - "erit", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4706,8 +4474,8 @@ "10.20.211.186" ], "related.user": [ - "ptassit", "ncidid", + "ptassit", "olo" ], "rsa.counters.event_counter": 3743, @@ -4715,8 +4483,8 @@ "rsa.internal.event_desc": "consec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "cae" + "cae", + "accept" ], "rsa.misc.category": "dquia", "rsa.misc.disposition": "cep", 
@@ -4750,10 +4518,7 @@ "10.190.18.213" ], "destination.port": 2201, - "event.action": [ - "Login", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4768,13 +4533,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.190.18.213", - "10.177.60.55" + "10.177.60.55", + "10.190.18.213" ], "related.user": [ - "tametcon", + "etdolore", "rror", - "etdolore" + "tametcon" ], "rsa.counters.dclass_c1": 7327, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4811,10 +4576,7 @@ "10.173.169.212" ], "destination.port": 292, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4829,12 +4591,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.131.253.222", - "10.173.169.212" + "10.173.169.212", + "10.131.253.222" ], "related.user": [ - "orumet", "utod", + "orumet", "oinB" ], "rsa.counters.dclass_c1": 6659, @@ -4872,10 +4634,7 @@ "10.33.131.63" ], "destination.port": 1437, - "event.action": [ - "cancel", - "lum" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -4893,9 +4652,9 @@ "10.33.131.63" ], "related.user": [ - "psamvolu", "imven", - "liq" + "liq", + "psamvolu" ], "rsa.counters.dclass_c1": 587, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4928,10 +4687,7 @@ "10.164.123.69" ], "destination.port": 2543, - "event.action": [ - "cancel", - "Logout" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -4946,13 +4702,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.51.238", - "10.164.123.69" + "10.164.123.69", + "10.161.51.238" ], "related.user": [ "xercitat", - "xeacomm", - "litesse" + "litesse", + "xeacomm" ], "rsa.counters.dclass_c1": 5031, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4989,10 +4745,7 @@ "10.112.73.97" ], "destination.port": 6125, - "event.action": [ - "odte", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5006,13 +4759,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.227.144.202", - "10.112.73.97" + "10.112.73.97", + "10.227.144.202" ], "related.user": [ - "quinesc", "uelau", - "uelauda" + "uelauda", + "quinesc" ], "rsa.counters.dclass_c1": 2469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5041,9 +4794,7 @@ "user.name": "quinesc" }, { - "event.action": [ - "scip" - ], + "event.action": "scip", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5075,10 +4826,7 @@ "10.185.248.253" ], "destination.port": 3804, - "event.action": [ - "Login", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5093,13 +4841,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.185.248.253", - "10.76.165.58" + "10.76.165.58", + "10.185.248.253" ], "related.user": [ "nisi", - "amqua", - "ugitse" + "ugitse", + "amqua" ], "rsa.counters.dclass_c1": 4963, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5136,10 +4884,7 @@ "10.177.36.122" ], "destination.port": 5686, - "event.action": [ - "itessec", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -5156,12 +4901,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.163.27.208", - "10.177.36.122" + "10.177.36.122", + "10.163.27.208" ], "related.user": [ - "eFini", "avolu", + "eFini", "ept" ], "rsa.counters.event_counter": 4087, @@ -5204,10 +4949,7 @@ "10.35.215.152" ], "destination.port": 7489, - "event.action": [ - "Login", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5222,13 +4964,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.143.175.148", - "10.35.215.152" + "10.35.215.152", + "10.143.175.148" ], "related.user": [ - "itaspern", "etdo", - "ium" + "ium", + "itaspern" ], "rsa.counters.dclass_c1": 6141, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5265,10 +5007,7 @@ "10.254.252.105" ], "destination.port": 146, - "event.action": [ - "allow", - "Logout" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5283,13 +5022,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.25.246.131", - "10.254.252.105" + "10.254.252.105", + "10.25.246.131" ], "related.user": [ + "asp", "ataev", - "ptatemU", - "asp" + "ptatemU" ], "rsa.counters.dclass_c1": 2949, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5326,10 +5065,7 @@ "10.248.16.82" ], "destination.port": 6834, - "event.action": [ - "Login", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5349,8 +5085,8 @@ ], "related.user": [ "xercita", - "proiden", - "loinv" + "loinv", + "proiden" ], "rsa.counters.dclass_c1": 2353, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5387,10 +5123,7 @@ "10.88.53.149" ], "destination.port": 4048, - "event.action": [ - "temac", - "allow" - ], + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5411,9 +5144,9 @@ "10.88.53.149" ], "related.user": [ - "tqui", + "reseosqu", "strumex", - "reseosqu" + "tqui" ], "rsa.counters.event_counter": 6219, "rsa.db.database": "atus", @@ -5456,10 +5189,7 @@ "10.199.117.125" ], "destination.port": 1799, - "event.action": [ - "ionevo", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5476,13 +5206,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.199.117.125", - "10.116.180.96" + "10.116.180.96", + "10.199.117.125" ], "related.user": [ - "pidatatn", "iof", - "ciun" + "ciun", + "pidatatn" ], "rsa.counters.event_counter": 6700, "rsa.db.database": "ssitaspe", @@ -5524,10 +5254,7 @@ "10.64.76.110" ], "destination.port": 2200, - "event.action": [ - "cancel", - "Login" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5546,9 +5273,9 @@ "10.64.76.110" ], "related.user": [ - "ptate", "ommod", - "imidest" + "imidest", + "ptate" ], "rsa.counters.dclass_c1": 6041, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5585,10 +5312,7 @@ "10.164.52.43" ], "destination.port": 2077, - "event.action": [ - "persp", - "block" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5618,8 +5342,8 @@ "rsa.internal.event_desc": "itame", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atemq" + "atemq", + "block" ], "rsa.misc.category": "quaturv", "rsa.misc.disposition": "lumdolor", 
@@ -5654,10 +5378,7 @@ "10.115.42.231" ], "destination.port": 2143, - "event.action": [ - "Login", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5672,12 +5393,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.212.150", - "10.115.42.231" + "10.115.42.231", + "10.161.212.150" ], "related.user": [ - "sequamn", "tasnul", + "sequamn", "res" ], "rsa.counters.dclass_c1": 4846, @@ -5715,10 +5436,7 @@ "10.66.163.3" ], "destination.port": 1085, - "event.action": [ - "Logout", - "accept" - ], + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5733,13 +5451,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.9.126.156", - "10.66.163.3" + "10.66.163.3", + "10.9.126.156" ], "related.user": [ - "asnulapa", + "aeconseq", "accusa", - "aeconseq" + "asnulapa" ], "rsa.counters.dclass_c1": 7469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5772,9 +5490,7 @@ "user.name": "aeconseq" }, { - "event.action": [ - "odtem" - ], + "event.action": "odtem", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5806,10 +5522,7 @@ "10.217.176.124" ], "destination.port": 7276, - "event.action": [ - "sauteir", - "cancel" - ], + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5830,9 +5543,9 @@ "10.217.176.124" ], "related.user": [ + "min", "uisaute", - "itsedq", - "min" + "itsedq" ], "rsa.counters.event_counter": 1318, "rsa.db.database": "iaturEx", @@ -5874,10 +5587,7 @@ "10.9.248.95" ], "destination.port": 2294, - "event.action": [ - "Logout", - "deny" - ], + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", 
@@ -5892,12 +5602,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.9.248.95", - "10.120.18.135" + "10.120.18.135", + "10.9.248.95" ], "related.user": [ - "ero", "ratvolup", + "ero", "iatquovo" ], "rsa.counters.dclass_c1": 6969, @@ -5935,10 +5645,7 @@ "10.249.76.99" ], "destination.port": 7480, - "event.action": [ - "block", - "Login" - ], + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", @@ -5957,8 +5664,8 @@ "10.249.76.99" ], "related.user": [ - "atio", "xercita", + "atio", "uis" ], "rsa.counters.dclass_c1": 3516, diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index c33a19310a3..9b000ca445e 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-08 18:28:01.221366 +0000 UTC. +at 2020-07-08 18:50:21.219909 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js +++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js 
@@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 1ae1a190ae4..8fb99c30cdb 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -1039,9 +1039,7 @@ ] }, { - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", 
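Review bot: Switching `action` and `event_type` from `fld_append` to `fld_prio` (prio 0 and 1) makes `event.action` single-valued, and the Imperva expected output earlier in this patch shows the consequence (`["Logout", "cancel"]` becomes `"cancel"`): the `event_type` value is dropped whenever `action` is also present, and no other target for it is visible in this mapping table. If `fld_prio` keeps the lowest-numbered priority, as the `user.name` entries on the neighbouring lines suggest, that is presumably the intended winner, but a reader of the table cannot tell that the losing session state (Login/Logout) is lost rather than merged, so I would say so on the `action` line: `// ECS event.action is a single keyword: "action" (prio 0) wins over "event_type" (prio 1); the losing value is not mapped elsewhere.` The same patch also flips the order of the `related.ip`, `related.user` and `rsa.misc.action` arrays in nearly every expected record; if that order now depends on handler iteration order rather than on the order in the log line, the generated tests may be sensitive to it, which is worth confirming is deterministic. This library copy is repeated unchanged in every module touched by the patch, so the comment belongs in the template the copies are generated from.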
diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index 94a4cbaeda4..c62e1548019 100644 --- a/x-pack/filebeat/module/juniper/README.md +++ b/x-pack/filebeat/module/juniper/README.md @@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-08 18:28:01.916097 +0000 UTC. +at 2020-07-08 18:50:21.887742 +0000 UTC. diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js +++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, 
@@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index 471e1047a8c..d2db7fa281d 100644 --- a/x-pack/filebeat/module/kaspersky/README.md +++ b/x-pack/filebeat/module/kaspersky/README.md @@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-08 18:28:02.857689 +0000 UTC. +at 2020-07-08 18:50:22.800042 +0000 UTC. diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js +++ b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js 
@@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 4b3771e8194..8acf61ac571 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md @@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-08 18:28:03.183612 +0000 UTC. +at 2020-07-08 18:50:23.125227 +0000 UTC. 
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index b30a72cd250..7526e438ea1 100644 --- a/x-pack/filebeat/module/netscout/README.md +++ b/x-pack/filebeat/module/netscout/README.md 
@@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-08 18:27:57.012894 +0000 UTC. +at 2020-07-08 18:50:16.546958 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js +++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 9afdd37e18c..98c6b5e1d7a 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -280,9 +280,7 @@ }, { "@timestamp": "2020-07-04T13:38:16.000Z", - "event.action": [ - "Fault Occured" - ], + "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -739,9 +737,7 @@ }, { "@timestamp": "2020-03-18T20:24:33.000Z", - "event.action": [ - "Script mitigation" - ], + "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -832,8 +828,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.28.127.218", - "10.233.107.138" + "10.233.107.138", + "10.28.127.218" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -932,8 +928,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.244.114.61", - "10.198.19.111" + "10.198.19.111", + "10.244.114.61" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1114,9 +1110,7 @@ }, { "@timestamp": "2019-09-20T15:57:58.000Z", - "event.action": [ - "Script mitigation" - ], + "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1652,9 +1646,7 @@ }, { "@timestamp": "2019-07-17T19:51:58.000Z", - "event.action": [ - "Fault Cleared" - ], + "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", 
@@ -1728,9 +1720,7 @@ }, { "@timestamp": "2019-08-29T16:59:40.000Z", - "event.action": [ - "Fault Cleared" - ], + "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1770,8 +1760,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.83.130.226", - "10.80.101.72" + "10.80.101.72", + "10.83.130.226" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1789,9 +1779,7 @@ }, { "@timestamp": "2019-09-27T07:04:49.000Z", - "event.action": [ - "Fault Occured" - ], + "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2040,9 +2028,7 @@ }, { "@timestamp": "2020-02-17T05:30:32.000Z", - "event.action": [ - "Script mitigation" - ], + "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2068,9 +2054,7 @@ }, { "@timestamp": "2020-03-03T12:33:06.000Z", - "event.action": [ - "Fault Cleared" - ], + "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2230,8 +2214,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.44.47.27", - "10.179.210.218" + "10.179.210.218", + "10.44.47.27" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2422,9 +2406,7 @@ }, { "@timestamp": "2019-09-19T15:09:05.000Z", - "event.action": [ - "Script mitigation" - ], + "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2484,9 +2466,7 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": [ - "Fault Cleared" - ], + "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", 
diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index 8c4f7f51182..b9ab29bbbc7 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md @@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-08 18:28:05.368543 +0000 UTC. +at 2020-07-08 18:50:25.340623 +0000 UTC. diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js +++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, 
@@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md index 6c0565ff3bc..2102f3bd78b 100644 --- a/x-pack/filebeat/module/rapid7/README.md +++ b/x-pack/filebeat/module/rapid7/README.md @@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-08 18:28:04.735564 +0000 UTC. +at 2020-07-08 18:50:24.712484 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js +++ b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js 
@@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json index e14efc886f3..7f1e465753c 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json @@ -420,9 +420,7 @@ ] }, { - "event.action": [ - "Shutting down" - ], + "event.action": "Shutting down", "event.code": "Mobile", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", 
@@ -670,9 +668,7 @@ ] }, { - "event.action": [ - "Upgrading database" - ], + "event.action": "Upgrading database", "event.code": "Upgrading", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", @@ -1317,9 +1313,7 @@ ] }, { - "event.action": [ - "accept" - ], + "event.action": "accept", "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", @@ -1606,9 +1600,7 @@ ] }, { - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", @@ -1650,9 +1642,7 @@ ] }, { - "event.action": [ - "Shutting down" - ], + "event.action": "Shutting down", "event.code": "ConsoleScanImporter", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index ffa48704352..19b725fad19 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-08 18:28:05.966064 +0000 UTC. +at 2020-07-08 18:50:25.938096 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js 
@@ -916,7 +916,7 @@ var ecs_mappings = {
 "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
 "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
 "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_append}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
 "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
 "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
 "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
@@ -957,7 +957,7 @@ var ecs_mappings = {
 "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_append}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
 "filename": {to:[{field: "file.name", setter: fld_set}]},
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
index fe20fb7b9ad..9f972c2e6fc 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
@@ -41,9 +41,7 @@ }, { "@timestamp": "2007-01-03T16:48:07.000Z", - "event.action": [ - "Administrator login denied due to bad credentials" - ], + "event.action": "Administrator login denied due to bad credentials", "event.code": "30", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -110,9 +108,7 @@ }, { "@timestamp": "2007-01-03T16:48:07.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -139,9 +135,7 @@ }, { "@timestamp": "2007-01-03T16:48:08.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -168,9 +162,7 @@ }, { "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -197,9 +189,7 @@ }, { "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -266,9 +256,7 @@ }, { "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": [ - "Administrator login denied due to bad credentials" - ], + "event.action": "Administrator login denied due to bad credentials", "event.code": "30", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -372,9 +360,7 @@ }, { "@timestamp": "2007-01-03T16:48:14.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -551,9 +537,7 @@ }, { "@timestamp": "2007-01-03T16:48:18.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -580,9 +564,7 @@ }, { "@timestamp": "2007-01-03T16:48:20.000Z", - "event.action": [ - "Connection Closed" - ], + "event.action": "Connection Closed", "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 5dd7dd19ca2..f81bad14e7d 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -37,8 +37,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.13.70.213", - "10.95.245.65" + "10.95.245.65", + "10.13.70.213" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -113,9 +113,7 @@ ], "destination.mac": "01:00:5e:56:32:70", "destination.port": 6613, - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "14", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -194,9 +192,7 @@ ], "destination.mac": "01:00:5e:0d:d9:0c", "destination.port": 6343, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "umdo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -259,8 +255,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.50.66.65", - "10.74.237.180" + "10.74.237.180", + "10.50.66.65" ], "rsa.internal.messageid": "605", "rsa.internal.msg": "loru", 
@@ -427,8 +423,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.193.76.77", - "10.112.125.84" + "10.112.125.84", + "10.193.76.77" ], "rsa.internal.messageid": "72", "rsa.internal.msg": "civeli", @@ -518,9 +514,7 @@ "10.193.192.62" ], "destination.port": 0, - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "264", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -535,8 +529,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.193.192.62", - "10.170.120.4" + "10.170.120.4", + "10.193.192.62" ], "related.user": [ "quae" @@ -584,9 +578,7 @@ { "@timestamp": "2016-10-12T14:56:16.000Z", "destination.address": "ittenbyC3936.internal.test", - "event.action": [ - "Failed to resolve name" - ], + "event.action": "Failed to resolve name", "event.code": "84", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -626,8 +618,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.6.77.80", - "10.52.186.29" + "10.52.186.29", + "10.6.77.80" ], "rsa.internal.event_desc": "ione", "rsa.internal.messageid": "995", @@ -679,8 +671,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.240.242.122", - "10.144.97.172" + "10.144.97.172", + "10.240.242.122" ], "rsa.internal.messageid": "346", "rsa.internal.msg": "aera", @@ -697,9 +689,7 @@ }, { "@timestamp": "2016-12-08T07:06:33.000Z", - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "uptasn", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -739,9 +729,7 @@ "10.120.167.239" ], "destination.port": 602, - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -964,8 +952,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.126.34.82", - "10.14.1.45" + "10.14.1.45", + "10.126.34.82" ], "rsa.internal.messageid": "196", "rsa.internal.msg": "vita", @@ -998,8 +986,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.251.20.13", - "10.101.74.44" + "10.101.74.44", + "10.251.20.13" ], "related.user": [ "rsitv" @@ -1212,8 +1200,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1472,9 +1460,7 @@ ], "destination.mac": "01:00:5e:55:b9:89", "destination.port": 6909, - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "ntutlabo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1491,8 +1477,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.108.84.24", - "10.251.248.228", - "10.113.100.237" + "10.113.100.237", + "10.251.248.228" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1524,9 +1510,7 @@ ], "destination.mac": "01:00:5e:93:39:a4", "destination.port": 2800, - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "proident", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1543,8 +1527,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.103.117.31", "10.207.211.230", + "10.103.117.31", "10.229.229.42" ], "rsa.internal.event_desc": "orin", @@ -1586,8 +1570,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.165.185", - "10.32.39.220" + "10.32.39.220", + "10.248.165.185" ], "rsa.internal.event_desc": "aliq", "rsa.internal.messageid": "412", 
@@ -1838,9 +1822,7 @@ "10.168.208.169" ], "destination.port": 6168, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "616", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1877,9 +1859,7 @@ "10.236.56.233" ], "destination.port": 3484, - "event.action": [ - "allow" - ], + "event.action": "allow", "event.code": "373", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2183,8 +2163,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.163.40", - "10.208.79.170" + "10.208.79.170", + "10.101.163.40" ], "rsa.internal.messageid": "83", "rsa.internal.msg": "orroquis", @@ -2270,9 +2250,7 @@ "10.236.247.87" ], "destination.port": 7360, - "event.action": [ - "cancel" - ], + "event.action": "cancel", "event.code": "710", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2350,9 +2328,7 @@ "10.22.244.71" ], "destination.port": 1865, - "event.action": [ - "deny" - ], + "event.action": "deny", "event.code": "888", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2367,8 +2343,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.22.244.71", - "10.81.33.64" + "10.81.33.64", + "10.22.244.71" ], "rsa.internal.messageid": "888", "rsa.misc.action": [ @@ -2407,8 +2383,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.205.21.166", - "10.20.73.247" + "10.20.73.247", + "10.205.21.166" ], "related.user": [ "sun" @@ -2526,8 +2502,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.206.229.61", - "10.129.101.147" + "10.129.101.147", + "10.206.229.61" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", 
@@ -2602,8 +2578,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.125.85.128", - "10.78.29.246" + "10.78.29.246", + "10.125.85.128" ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index 05ffa6f689b..dcc59376342 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-08 18:28:06.449559 +0000 UTC. +at 2020-07-08 18:50:26.460335 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/squid/log/config/liblogparser.js +++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, 
@@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 39caf5d6a2e..dff11f4a528 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -10,9 +10,7 @@ "destination.ip": [ "209.73.177.115" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -24,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -73,9 +71,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -99,8 +95,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -137,9 +133,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -152,8 +146,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -164,8 +158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -190,9 +184,7 @@ }, { "@timestamp": "2006-09-08T04:22:01.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -216,8 +208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -242,9 +234,7 @@ }, { "@timestamp": "2006-09-08T04:22:02.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -306,9 +296,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -320,8 +308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -367,9 +355,7 @@ "destination.ip": [ "66.102.9.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -394,8 +380,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -432,9 +418,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -497,9 +481,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -512,8 +494,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -524,8 +506,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -562,9 +544,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -577,8 +557,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -589,8 +569,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -615,9 +595,7 @@ }, { "@timestamp": "2006-09-08T04:22:05.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -641,8 +619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -679,9 +657,7 @@ "destination.ip": [ "209.85.16.38" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -739,9 +715,7 @@ "destination.ip": [ "68.142.213.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -753,8 +727,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.213.132", - "10.105.21.199" + "10.105.21.199", + "68.142.213.132" ], "related.user": [ "badeyek" @@ -764,8 +738,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -799,9 +773,7 @@ "destination.ip": [ "217.212.240.172" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -864,9 +836,7 @@ "destination.ip": [ "206.169.136.22" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -879,8 +849,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" @@ -917,9 +887,7 @@ }, { "@timestamp": "2006-09-08T04:22:07.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -981,9 +949,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1008,8 +974,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1046,9 +1012,7 @@ "destination.ip": [ "207.58.145.61" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1061,8 +1025,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1073,8 +1037,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1106,9 +1070,7 @@ "destination.ip": [ "64.127.126.178" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1171,9 +1133,7 @@ "destination.ip": [ "213.160.98.161" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1236,9 +1196,7 @@ "destination.ip": [ "213.160.98.160" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1251,8 +1209,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.160", - "10.105.21.199" + "10.105.21.199", + "213.160.98.160" ], "related.user": [ "badeyek" @@ -1263,8 +1221,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -1289,9 +1247,7 @@ }, { "@timestamp": "2006-09-08T04:22:17.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1314,8 +1270,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1349,9 +1305,7 @@ "destination.ip": [ "209.73.177.115" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1374,8 +1328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1400,9 +1354,7 @@ }, { "@timestamp": "2006-09-08T04:22:23.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1461,9 +1413,7 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -1524,9 +1474,7 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1550,8 +1498,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -1588,9 +1536,7 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1615,8 +1561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1650,9 +1596,7 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -1664,8 +1608,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1675,8 +1619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1701,9 +1645,7 @@ }, { "@timestamp": "2006-09-08T04:22:26.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1753,9 +1695,7 @@ }, { "@timestamp": "2006-09-08T04:22:27.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1805,9 +1745,7 @@ }, { "@timestamp": "2006-09-08T04:22:27.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1869,9 +1807,7 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1883,8 +1819,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1933,9 +1869,7 @@ "destination.ip": [ "204.13.51.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1948,8 +1882,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1960,8 +1894,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1995,9 +1929,7 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2020,8 +1952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2053,9 +1985,7 @@ "destination.ip": [ "68.142.194.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2067,8 +1997,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2114,9 +2044,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2141,8 +2069,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2176,9 +2104,7 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2190,8 +2116,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2234,9 +2160,7 @@ "destination.ip": [ "209.191.93.51" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2261,8 +2185,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2299,9 +2223,7 @@ "destination.ip": [ "63.245.209.21" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2314,8 +2236,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "63.245.209.21" + "63.245.209.21", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -2361,9 +2283,7 @@ "destination.ip": [ "68.142.231.252" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2387,8 +2307,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -2420,9 +2340,7 @@ "destination.ip": [ "68.142.194.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2434,8 +2352,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2446,8 +2364,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2472,9 +2390,7 @@ }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2522,9 +2438,7 @@ }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2573,9 +2487,7 @@ }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2598,8 +2510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2624,9 +2536,7 @@ }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2683,9 +2593,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2698,8 +2606,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2736,9 +2644,7 @@ }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2795,9 +2701,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2822,8 +2726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2857,9 +2761,7 @@ "destination.ip": [ "216.155.194.239" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -2871,8 +2773,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2882,8 +2784,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -2917,9 +2819,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2979,9 +2879,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3006,8 +2904,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3032,9 +2930,7 @@ }, { "@timestamp": "2006-09-08T04:22:40.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -3057,8 +2953,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3083,9 +2979,7 @@ }, { "@timestamp": "2006-09-08T04:22:41.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -3143,9 +3037,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3170,8 +3062,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -3205,9 +3097,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3232,8 +3122,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3267,9 +3157,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3282,8 +3170,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3329,9 +3217,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3344,8 +3230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3382,9 +3268,7 @@ }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3434,9 +3318,7 @@ }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3460,8 +3342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3486,9 +3368,7 @@ }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3512,8 +3392,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3547,9 +3427,7 @@ "destination.ip": [ "212.58.226.33" ], - "event.action": [ - "TCP_REFRESH_MISS" - ], + "event.action": "TCP_REFRESH_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3562,8 +3440,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -3574,8 +3452,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3609,9 +3487,7 @@ "destination.ip": [ "68.142.231.252" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3624,8 +3500,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "related.user": [ "adeolaegbedokun" 
@@ -3662,9 +3538,7 @@ }, { "@timestamp": "2006-09-08T04:22:44.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3714,9 +3588,7 @@ }, { "@timestamp": "2006-09-08T04:22:44.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3775,9 +3647,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -3801,8 +3671,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3839,9 +3709,7 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3866,8 +3734,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3901,9 +3769,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3916,8 +3782,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3963,9 +3829,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3978,8 +3842,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3990,8 +3854,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4025,9 +3889,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4078,9 +3940,7 @@ }, { "@timestamp": "2006-09-08T04:22:49.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4104,8 +3964,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4130,9 +3990,7 @@ }, { "@timestamp": "2006-09-08T04:22:49.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4194,9 +4052,7 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4256,9 +4112,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4271,8 +4125,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -4283,8 +4137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4318,9 +4172,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4383,9 +4235,7 @@ "destination.ip": [ "213.160.98.152" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4410,8 +4260,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4445,9 +4295,7 @@ "destination.ip": [ "68.142.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4460,8 +4308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4505,9 +4353,7 @@ "destination.ip": [ "68.142.213.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4532,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4565,9 +4411,7 @@ "destination.ip": [ "68.142.194.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4580,8 +4424,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -4592,8 +4436,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4625,9 +4469,7 @@ "destination.ip": [ "216.109.124.55" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4676,9 +4518,7 @@ }, { "@timestamp": "2006-09-08T04:22:57.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4702,8 +4542,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "304", @@ -4740,9 +4580,7 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4755,8 +4593,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4767,8 +4605,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", 
@@ -4805,9 +4643,7 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4867,9 +4703,7 @@ "destination.ip": [ "209.73.177.115" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4881,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -4892,8 +4726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4930,9 +4764,7 @@ "destination.ip": [ "213.160.98.167" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4945,8 +4777,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4957,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4995,9 +4827,7 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5010,8 +4840,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" 
@@ -5022,8 +4852,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5048,9 +4878,7 @@ }, { "@timestamp": "2006-09-08T04:22:58.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5112,9 +4940,7 @@ "destination.ip": [ "213.160.98.167" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5127,8 +4953,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -5177,9 +5003,7 @@ "destination.ip": [ "213.160.98.159" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5204,8 +5028,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5242,9 +5066,7 @@ "destination.ip": [ "213.160.98.167" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5269,8 +5091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5295,9 +5117,7 @@ }, { "@timestamp": "2006-09-08T04:23:01.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5321,8 +5141,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5347,9 +5167,7 @@ }, { "@timestamp": "2006-09-08T04:23:01.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5373,8 +5191,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5406,9 +5224,7 @@ "destination.ip": [ "216.109.125.112" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5421,8 +5237,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.109.125.112", - "10.105.33.214" + "10.105.33.214", + "216.109.125.112" ], "related.user": [ "adeolaegbedokun" @@ -5433,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5468,9 +5284,7 @@ "destination.ip": [ "217.12.10.96" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5495,8 +5309,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -5521,9 +5335,7 @@ }, { "@timestamp": "2006-09-08T04:23:02.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5583,9 +5395,7 @@ "destination.ip": [ "213.160.98.169" ], - "event.action": [ - "TCP_SWAPFAIL_MISS" - ], + "event.action": "TCP_SWAPFAIL_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5598,8 +5408,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5610,8 +5420,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_SWAPFAIL_MISS" + "TCP_SWAPFAIL_MISS", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5636,9 +5446,7 @@ }, { "@timestamp": "2006-09-08T04:23:05.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5700,9 +5508,7 @@ "destination.ip": [ "213.160.98.169" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5715,8 +5521,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5753,9 +5559,7 @@ }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5779,8 +5583,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5805,9 +5609,7 @@ }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5831,8 +5633,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5857,9 +5659,7 @@ }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": [ - "TCP_HIT" - ], + "event.action": "TCP_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index bbe57a45af2..5f9cdff14bf 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json @@ -1,9 +1,7 @@ [ { "@timestamp": "2002-10-23T10:25:29.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -59,9 +57,7 @@ }, { "@timestamp": "2002-10-23T10:25:30.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -85,8 +81,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -117,9 +113,7 @@ }, { "@timestamp": "2002-10-23T10:25:31.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -175,9 +169,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -201,8 +193,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "304", @@ -233,9 +225,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -291,9 +281,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -349,9 +337,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -375,8 +361,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -407,9 +393,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -433,8 +417,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -465,9 +449,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -491,8 +473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -523,9 +505,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_REFRESH_MISS" - ], + "event.action": "TCP_REFRESH_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -581,9 +561,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -607,8 +585,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -639,9 +617,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -665,8 +641,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -697,9 +673,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -755,9 +729,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -781,8 +753,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -813,9 +785,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -839,8 +809,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -871,9 +841,7 @@ }, { "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -929,9 +897,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -955,8 +921,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -987,9 +953,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1045,9 +1009,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1071,8 +1033,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1103,9 +1065,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1129,8 +1089,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1161,9 +1121,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1187,8 +1145,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1219,9 +1177,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1245,8 +1201,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1277,9 +1233,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1335,9 +1289,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1393,9 +1345,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1451,9 +1401,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1508,9 +1456,7 @@ }, { "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1566,9 +1512,7 @@ }, { "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1624,9 +1568,7 @@ }, { "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1682,9 +1624,7 @@ }, { "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1708,8 +1648,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1740,9 +1680,7 @@ }, { "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1798,9 +1736,7 @@ }, { "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1856,9 +1792,7 @@ }, { "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1882,8 +1816,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1914,9 +1848,7 @@ }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1940,8 +1872,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1972,9 +1904,7 @@ }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1998,8 +1928,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2030,9 +1960,7 @@ }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2056,8 +1984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2088,9 +2016,7 @@ }, { "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2146,9 +2072,7 @@ }, { "@timestamp": "2002-10-23T10:25:37.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2172,8 +2096,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2204,9 +2128,7 @@ }, { "@timestamp": "2002-10-23T10:25:38.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2230,8 +2152,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -2262,9 +2184,7 @@ }, { "@timestamp": "2002-10-23T10:25:39.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2288,8 +2208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2320,9 +2240,7 @@ }, { "@timestamp": "2002-10-23T10:25:39.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2346,8 +2264,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2378,9 +2296,7 @@ }, { "@timestamp": "2002-10-23T10:25:40.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2404,8 +2320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2436,9 +2352,7 @@ }, { "@timestamp": "2002-10-23T10:25:41.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2462,8 +2376,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2494,9 +2408,7 @@ }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2520,8 +2432,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2552,9 +2464,7 @@ }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2610,9 +2520,7 @@ }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2668,9 +2576,7 @@ }, { "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2694,8 +2600,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2726,9 +2632,7 @@ }, { "@timestamp": "2002-10-23T10:25:43.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2752,8 +2656,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2784,9 +2688,7 @@ }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2810,8 +2712,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -2842,9 +2744,7 @@ }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2868,8 +2768,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2900,9 +2800,7 @@ }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": [ - "TCP_IMS_HIT" - ], + "event.action": "TCP_IMS_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2926,8 +2824,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -2958,9 +2856,7 @@ }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2984,8 +2880,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3016,9 +2912,7 @@ }, { "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3074,9 +2968,7 @@ }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3100,8 +2992,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3132,9 +3024,7 @@ }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3190,9 +3080,7 @@ }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3248,9 +3136,7 @@ }, { "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3306,9 +3192,7 @@ }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3364,9 +3248,7 @@ }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3390,8 +3272,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3422,9 +3304,7 @@ }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3448,8 +3328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3480,9 +3360,7 @@ }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3538,9 +3416,7 @@ }, { "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3564,8 +3440,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3596,9 +3472,7 @@ }, { "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3654,9 +3528,7 @@ }, { "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3680,8 +3552,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3712,9 +3584,7 @@ }, { "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3738,8 +3608,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3770,9 +3640,7 @@ }, { "@timestamp": "2002-10-23T10:25:51.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3796,8 +3664,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3828,9 +3696,7 @@ }, { "@timestamp": "2002-10-23T10:25:52.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3854,8 +3720,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3886,9 +3752,7 @@ }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3912,8 +3776,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3944,9 +3808,7 @@ }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4002,9 +3864,7 @@ }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4028,8 +3888,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4060,9 +3920,7 @@ }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4118,9 +3976,7 @@ }, { "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4176,9 +4032,7 @@ }, { "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4234,9 +4088,7 @@ }, { "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4292,9 +4144,7 @@ }, { "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4318,8 +4168,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4350,9 +4200,7 @@ }, { "@timestamp": "2002-10-23T10:25:57.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4408,9 +4256,7 @@ }, { "@timestamp": "2002-10-23T10:25:57.000Z", - "event.action": [ - "TCP_MEM_HIT" - ], + "event.action": "TCP_MEM_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4434,8 +4280,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MEM_HIT", - "GET" + "GET", + "TCP_MEM_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4466,9 +4312,7 @@ }, { "@timestamp": "2002-10-23T10:25:58.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4523,9 +4367,7 @@ }, { "@timestamp": "2002-10-23T10:25:59.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4581,9 +4423,7 @@ }, { "@timestamp": "2002-10-23T10:26:01.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4639,9 +4479,7 @@ }, { "@timestamp": "2002-10-23T10:26:01.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4697,9 +4535,7 @@ }, { "@timestamp": "2002-10-23T10:26:09.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4754,9 +4590,7 @@ }, { "@timestamp": "2002-10-23T10:26:13.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4780,8 +4614,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4812,9 +4646,7 @@ }, { "@timestamp": "2002-10-23T10:26:13.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4838,8 +4670,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4879,9 +4711,7 @@ "destination.ip": [ "80.69.64.224" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4906,8 +4736,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4938,9 +4768,7 @@ }, { "@timestamp": "2002-10-23T10:26:14.000Z", - "event.action": [ - "TCP_REFRESH_MISS" - ], + "event.action": "TCP_REFRESH_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4964,8 +4792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4996,9 +4824,7 @@ }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5053,9 +4879,7 @@ }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5111,9 +4935,7 @@ }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5169,9 +4991,7 @@ }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5227,9 +5047,7 @@ }, { "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5285,9 +5103,7 @@ }, { "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5343,9 +5159,7 @@ }, { "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5401,9 +5215,7 @@ }, { "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5459,9 +5271,7 @@ }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": [ - "TCP_REFRESH_HIT" - ], + "event.action": "TCP_REFRESH_HIT", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5485,8 +5295,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5517,9 +5327,7 @@ }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": [ - "TCP_DENIED" - ], + "event.action": "TCP_DENIED", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5578,9 +5386,7 @@ }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5636,9 +5442,7 @@ }, { "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5694,9 +5498,7 @@ }, { "@timestamp": "2002-10-23T10:26:18.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5751,9 +5553,7 @@ }, { "@timestamp": "2002-10-23T10:26:18.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -5777,8 +5577,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index 83e2b5c3035..dbfa98e6b13 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json 
@@ -1,9 +1,7 @@ [ { "@timestamp": "2012-09-28T22:11:35.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -25,8 +23,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -51,9 +49,7 @@ }, { "@timestamp": "2012-09-28T22:11:38.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -75,8 +71,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -101,9 +97,7 @@ }, { "@timestamp": "2012-09-28T22:11:56.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -125,8 +119,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -151,9 +145,7 @@ }, { "@timestamp": "2012-09-28T22:12:01.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -175,8 +167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -201,9 +193,7 @@ }, { "@timestamp": "2012-09-28T22:12:05.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -253,9 +243,7 @@ }, { "@timestamp": "2012-09-28T22:12:06.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -305,9 +293,7 @@ }, { "@timestamp": "2012-09-28T22:12:06.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -357,9 +343,7 @@ }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -383,8 +367,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -409,9 +393,7 @@ }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -461,9 +443,7 @@ }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -513,9 +493,7 @@ }, { "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -538,8 +516,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", 
@@ -564,9 +542,7 @@ }, { "@timestamp": "2012-09-28T22:12:26.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -588,8 +564,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -614,9 +590,7 @@ }, { "@timestamp": "2012-09-28T22:13:24.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -664,9 +638,7 @@ }, { "@timestamp": "2012-09-28T22:16:03.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -714,9 +686,7 @@ }, { "@timestamp": "2012-09-28T22:16:24.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -738,8 +708,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -764,9 +734,7 @@ }, { "@timestamp": "2012-09-28T22:17:33.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -788,8 +756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -814,9 +782,7 @@ }, { "@timestamp": "2012-09-28T22:18:09.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -864,9 +830,7 @@ }, { "@timestamp": "2012-09-28T22:19:32.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -916,9 +880,7 @@ }, { "@timestamp": "2012-09-28T22:21:09.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -940,8 +902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -966,9 +928,7 @@ }, { "@timestamp": "2012-09-28T22:22:27.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -992,8 +952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1018,9 +978,7 @@ }, { "@timestamp": "2012-09-28T22:22:27.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1044,8 +1002,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1070,9 +1028,7 @@ }, { "@timestamp": "2012-09-28T22:22:29.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1096,8 +1052,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1122,9 +1078,7 @@ }, { "@timestamp": "2012-09-28T22:22:29.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1148,8 +1102,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1174,9 +1128,7 @@ }, { "@timestamp": "2012-09-28T22:22:30.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1200,8 +1152,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1226,9 +1178,7 @@ }, { "@timestamp": "2012-09-28T22:22:54.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1250,8 +1200,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -1276,9 +1226,7 @@ }, { "@timestamp": "2012-09-28T22:24:48.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1301,8 +1249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1327,9 +1275,7 @@ }, { "@timestamp": "2012-09-28T22:25:02.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1378,9 +1324,7 @@ }, { "@timestamp": "2012-09-28T22:25:59.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1428,9 +1372,7 @@ }, { "@timestamp": "2012-09-28T22:26:00.000Z", - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1453,8 +1395,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1488,9 +1430,7 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1502,8 +1442,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -1549,9 +1489,7 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1611,9 +1549,7 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -1626,8 +1562,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1638,8 +1574,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -1673,9 +1609,7 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1688,8 +1622,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -1735,9 +1669,7 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -1762,8 +1694,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "204", @@ -1797,9 +1729,7 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1857,9 +1787,7 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1871,8 +1799,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" ], "related.user": [ "-" 
@@ -1882,8 +1810,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1917,9 +1845,7 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1931,8 +1857,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" ], "related.user": [ "-" @@ -1942,8 +1868,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1977,9 +1903,7 @@ "destination.ip": [ "74.125.228.6" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -1991,8 +1915,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.6" + "74.125.228.6", + "192.168.0.35" ], "related.user": [ "-" @@ -2037,9 +1961,7 @@ "destination.ip": [ "74.125.228.3" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2097,9 +2019,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2111,8 +2031,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" 
@@ -2122,8 +2042,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2157,9 +2077,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2171,8 +2089,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2217,9 +2135,7 @@ "destination.ip": [ "74.125.131.147" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2231,8 +2147,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -2277,9 +2193,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2337,9 +2251,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2351,8 +2263,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2362,8 +2274,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2397,9 +2309,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2411,8 +2321,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2422,8 +2332,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2457,9 +2367,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2482,8 +2390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2517,9 +2425,7 @@ "destination.ip": [ "74.125.228.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2531,8 +2437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2577,9 +2483,7 @@ "destination.ip": [ "74.125.228.97" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -2592,8 +2496,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.97" + "74.125.228.97", + "192.168.0.35" ], "related.user": [ "-" 
@@ -2639,9 +2543,7 @@ "destination.ip": [ "23.11.236.224" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2653,8 +2555,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "23.11.236.224" + "23.11.236.224", + "192.168.0.35" ], "related.user": [ "-" @@ -2664,8 +2566,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2699,9 +2601,7 @@ "destination.ip": [ "23.11.236.224" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2713,8 +2613,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "23.11.236.224", - "192.168.0.35" + "192.168.0.35", + "23.11.236.224" ], "related.user": [ "-" @@ -2759,9 +2659,7 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2773,8 +2671,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -2784,8 +2682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2819,9 +2717,7 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -2844,8 +2740,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2879,9 +2775,7 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2939,9 +2833,7 @@ "destination.ip": [ "173.194.73.104" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -2953,8 +2845,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.73.104", - "192.168.0.35" + "192.168.0.35", + "173.194.73.104" ], "related.user": [ "-" @@ -2999,9 +2891,7 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3013,8 +2903,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -3059,9 +2949,7 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3073,8 +2961,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -3084,8 +2972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3119,9 +3007,7 @@ "destination.ip": [ "74.125.228.100" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3144,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3179,9 +3065,7 @@ "destination.ip": [ "208.44.23.184" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3206,8 +3090,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-apple-plist", "rsa.misc.result_code": "200", @@ -3241,9 +3125,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3303,9 +3185,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3365,9 +3245,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3392,8 +3270,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3427,9 +3305,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3489,9 +3365,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3551,9 +3425,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3613,9 +3485,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3628,8 +3498,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3640,8 +3510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3675,9 +3545,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3737,9 +3605,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3752,8 +3618,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3799,9 +3665,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3814,8 +3678,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3826,8 +3690,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3861,9 +3725,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3876,8 +3738,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3923,9 +3785,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -3950,8 +3810,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3985,9 +3845,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4012,8 +3870,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4047,9 +3905,7 @@ "destination.ip": [ "208.44.23.185" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4062,8 +3918,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "208.44.23.185"
+ "208.44.23.185",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -4109,9 +3965,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4136,8 +3990,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -4171,9 +4025,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4186,8 +4038,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "208.44.23.185"
+ "208.44.23.185",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -4233,9 +4085,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4248,8 +4098,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "208.44.23.185",
- "192.168.0.35"
+ "192.168.0.35",
+ "208.44.23.185"
 ],
 "related.user": [
 "-"
@@ -4260,8 +4110,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/plain",
 "rsa.misc.result_code": "200",
@@ -4295,9 +4145,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4322,8 +4170,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -4357,9 +4205,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4372,8 +4218,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "208.44.23.185"
+ "208.44.23.185",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -4419,9 +4265,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4434,8 +4278,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "208.44.23.185"
+ "208.44.23.185",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -4481,9 +4325,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4496,8 +4338,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "192.168.0.35",
- "208.44.23.185"
+ "208.44.23.185",
+ "192.168.0.35"
 ],
 "related.user": [
 "-"
@@ -4543,9 +4385,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4558,8 +4398,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "208.44.23.185",
- "192.168.0.35"
+ "192.168.0.35",
+ "208.44.23.185"
 ],
 "related.user": [
 "-"
@@ -4605,9 +4445,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4667,9 +4505,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4729,9 +4565,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4756,8 +4590,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "GET",
- "TCP_MISS"
+ "TCP_MISS",
+ "GET"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -4791,9 +4625,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4806,8 +4638,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "208.44.23.185",
- "192.168.0.35"
+ "192.168.0.35",
+ "208.44.23.185"
 ],
 "related.user": [
 "-"
@@ -4853,9 +4685,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4880,8 +4710,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -4915,9 +4745,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -4942,8 +4770,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/xml",
 "rsa.misc.result_code": "200",
@@ -4977,9 +4805,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5039,9 +4865,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5101,9 +4925,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5163,9 +4985,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5178,8 +4998,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "208.44.23.185",
- "192.168.0.35"
+ "192.168.0.35",
+ "208.44.23.185"
 ],
 "related.user": [
 "-"
@@ -5225,9 +5045,7 @@
 "destination.ip": [
 "208.44.23.185"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5287,9 +5105,7 @@
 "destination.ip": [
 "173.194.73.104"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5301,8 +5117,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.73.104",
- "192.168.0.35"
+ "192.168.0.35",
+ "173.194.73.104"
 ],
 "related.user": [
 "-"
@@ -5347,9 +5163,7 @@
 "destination.ip": [
 "74.125.228.100"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5361,8 +5175,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.100",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.100"
 ],
 "related.user": [
 "-"
@@ -5407,9 +5221,7 @@
 "destination.ip": [
 "74.125.228.96"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5421,8 +5233,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.96",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.96"
 ],
 "related.user": [
 "-"
@@ -5467,9 +5279,7 @@
 "destination.ip": [
 "74.125.228.101"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5481,8 +5291,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.228.101",
- "192.168.0.35"
+ "192.168.0.35",
+ "74.125.228.101"
 ],
 "related.user": [
 "-"
@@ -5527,9 +5337,7 @@
 "destination.ip": [
 "74.125.228.102"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5587,9 +5395,7 @@
 "destination.ip": [
 "69.171.228.74"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5613,8 +5419,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "302",
@@ -5648,9 +5454,7 @@
 "destination.ip": [
 "23.62.194.110"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5708,9 +5512,7 @@
 "destination.ip": [
 "69.171.228.74"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -5722,8 +5524,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "69.171.228.74",
- "192.168.0.35"
+ "192.168.0.35",
+ "69.171.228.74"
 ],
 "related.user": [
 "-"
@@ -5768,9 +5570,7 @@
 "destination.ip": [
 "69.171.228.74"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json
index 6b8e67ad7e2..8930f0b1d93 100644
--- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json
@@ -10,9 +10,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -24,8 +22,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -35,8 +33,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -70,9 +68,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -84,8 +80,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -130,9 +126,7 @@
 "destination.ip": [
 "173.194.123.102"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -190,9 +184,7 @@
 "destination.ip": [
 "173.194.123.102"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -204,8 +196,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.102",
- "::1"
+ "::1",
+ "173.194.123.102"
 ],
 "related.user": [
 "-"
@@ -250,9 +242,7 @@
 "destination.ip": [
 "173.194.123.97"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -310,9 +300,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -324,8 +312,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -370,9 +358,7 @@
 "destination.ip": [
 "173.194.123.102"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -395,8 +381,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -430,9 +416,7 @@
 "destination.ip": [
 "173.194.123.96"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -444,8 +428,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.123.96"
+ "173.194.123.96",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -490,9 +474,7 @@
 "destination.ip": [
 "173.194.123.96"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -504,8 +486,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.96",
- "::1"
+ "::1",
+ "173.194.123.96"
 ],
 "related.user": [
 "-"
@@ -550,9 +532,7 @@
 "destination.ip": [
 "173.194.123.96"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -575,8 +555,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -613,9 +593,7 @@
 "destination.ip": [
 "216.58.219.237"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -627,8 +605,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "216.58.219.237"
+ "216.58.219.237",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -673,9 +651,7 @@
 "destination.ip": [
 "173.194.123.68"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -733,9 +709,7 @@
 "destination.ip": [
 "173.194.123.102"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -793,9 +767,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -853,9 +825,7 @@
 "destination.ip": [
 "173.194.123.105"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "POST",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -914,9 +884,7 @@
 "destination.ip": [
 "173.194.123.96"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -939,8 +907,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -974,9 +942,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -988,8 +954,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -999,8 +965,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1034,9 +1000,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1094,9 +1058,7 @@
 "destination.ip": [
 "173.194.123.96"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1108,8 +1070,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.96",
- "::1"
+ "::1",
+ "173.194.123.96"
 ],
 "related.user": [
 "-"
@@ -1154,9 +1116,7 @@
 "destination.ip": [
 "173.194.123.71"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1179,8 +1139,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1214,9 +1174,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1228,8 +1186,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -1239,8 +1197,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1274,9 +1232,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1334,9 +1290,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1348,8 +1302,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -1394,9 +1348,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1419,8 +1371,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1454,9 +1406,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1514,9 +1464,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1574,9 +1522,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1634,9 +1580,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1648,8 +1592,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -1659,8 +1603,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1694,9 +1638,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1708,8 +1650,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -1719,8 +1661,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1754,9 +1696,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1768,8 +1708,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -1814,9 +1754,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1874,9 +1812,7 @@
 "destination.ip": [
 "173.194.123.67"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1934,9 +1870,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -1948,8 +1882,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -1959,8 +1893,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1994,9 +1928,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2019,8 +1951,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2054,9 +1986,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2068,8 +1998,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -2079,8 +2009,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2114,9 +2044,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2139,8 +2067,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2174,9 +2102,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2234,9 +2160,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2248,8 +2172,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2259,8 +2183,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2294,9 +2218,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2308,8 +2230,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -2319,8 +2241,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2354,9 +2276,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2414,9 +2334,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2428,8 +2346,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2439,8 +2357,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2474,9 +2392,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2499,8 +2415,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2534,9 +2450,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2594,9 +2508,7 @@
 "destination.ip": [
 "173.194.123.101"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2608,8 +2520,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.101",
- "::1"
+ "::1",
+ "173.194.123.101"
 ],
 "related.user": [
 "-"
@@ -2619,8 +2531,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2654,9 +2566,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2668,8 +2578,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2714,9 +2624,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2728,8 +2636,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -2774,9 +2682,7 @@
 "destination.ip": [
 "173.194.123.99"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2788,8 +2694,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.99",
- "::1"
+ "::1",
+ "173.194.123.99"
 ],
 "related.user": [
 "-"
@@ -2799,8 +2705,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2834,9 +2740,7 @@
 "destination.ip": [
 "173.194.206.189"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2894,9 +2798,7 @@
 "destination.ip": [
 "74.125.226.83"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "GET",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2908,8 +2810,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "74.125.226.83"
+ "74.125.226.83",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2955,9 +2857,7 @@
 "destination.ip": [
 "173.194.123.40"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "POST",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -2970,8 +2870,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.123.40"
+ "173.194.123.40",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2981,8 +2881,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "POST"
+ "POST",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -3016,9 +2916,7 @@
 "destination.ip": [
 "173.194.123.41"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -3076,9 +2974,7 @@
 "destination.ip": [
 "74.125.226.83"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "CONNECT",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -3101,8 +2997,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3139,9 +3035,7 @@
 "destination.ip": [
 "216.58.219.174"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "POST",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -3154,8 +3048,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.174",
- "::1"
+ "::1",
+ "216.58.219.174"
 ],
 "related.user": [
 "-"
@@ -3203,9 +3097,7 @@
 "destination.ip": [
 "216.58.219.174"
 ],
- "event.action": [
- "TCP_MISS"
- ],
+ "event.action": "TCP_MISS",
 "event.code": "POST",
 "event.dataset": "squid.log",
 "event.module": "squid",
@@ -3229,8 +3121,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "POST"
+ "POST",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -3267,9 +3159,7 @@ "destination.ip": [ "216.58.219.165" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3330,9 +3220,7 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3344,8 +3232,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "related.user": [ "-" @@ -3393,9 +3281,7 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3407,8 +3293,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" @@ -3418,8 +3304,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3456,9 +3342,7 @@ "destination.ip": [ "216.58.219.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3519,9 +3403,7 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3582,9 +3464,7 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -3596,8 +3476,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" ], "related.user": [ "-" @@ -3607,8 +3487,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3645,9 +3525,7 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3659,8 +3537,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "related.user": [ "-" @@ -3670,8 +3548,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3708,9 +3586,7 @@ "destination.ip": [ "216.58.219.142" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3722,8 +3598,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.142" + "216.58.219.142", + "::1" ], "related.user": [ "-" @@ -3771,9 +3647,7 @@ "destination.ip": [ "216.58.219.142" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3785,8 +3659,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "related.user": [ "-" 
@@ -3834,9 +3708,7 @@ "destination.ip": [ "216.58.219.142" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3897,9 +3769,7 @@ "destination.ip": [ "216.58.219.132" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3911,8 +3781,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "related.user": [ "-" @@ -3957,9 +3827,7 @@ "destination.ip": [ "74.125.141.189" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -3971,8 +3839,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" ], "related.user": [ "-" @@ -3982,8 +3850,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4017,9 +3885,7 @@ "destination.ip": [ "74.125.141.189" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4077,9 +3943,7 @@ "destination.ip": [ "74.125.141.189" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4102,8 +3966,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4140,9 +4004,7 @@ "destination.ip": [ "216.58.219.133" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4203,9 +4065,7 @@ "destination.ip": [ "216.58.219.228" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4217,8 +4077,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.228", - "10.100.0.1" + "10.100.0.1", + "216.58.219.228" ], "related.user": [ "-" @@ -4228,8 +4088,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4266,9 +4126,7 @@ "destination.ip": [ "216.58.219.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4280,8 +4138,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.238", - "10.100.0.1" + "10.100.0.1", + "216.58.219.238" ], "related.user": [ "-" @@ -4326,9 +4184,7 @@ "destination.ip": [ "173.194.205.113" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "GET", "event.dataset": "squid.log", "event.module": "squid", @@ -4340,8 +4196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.205.113", - "10.100.0.1" + "10.100.0.1", + "173.194.205.113" ], "related.user": [ "-" @@ -4387,9 +4243,7 @@ "destination.ip": [ "172.217.6.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4413,8 +4267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4448,9 +4302,7 @@ "destination.ip": [ "172.217.6.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4463,8 +4315,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.6.238", - "10.100.0.1" + "10.100.0.1", + "172.217.6.238" ], "related.user": [ "-" @@ -4474,8 +4326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4512,9 +4364,7 @@ "destination.ip": [ "216.58.219.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4527,8 +4377,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.238" + "216.58.219.238", + "10.100.0.1" ], "related.user": [ "-" @@ -4538,8 +4388,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4576,9 +4426,7 @@ "destination.ip": [ "216.58.219.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", @@ -4637,9 +4485,7 @@ "destination.ip": [ "172.217.6.238" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "POST", "event.dataset": "squid.log", "event.module": "squid", 
@@ -4698,9 +4544,7 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4712,8 +4556,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -4758,9 +4602,7 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4772,8 +4614,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -4818,9 +4660,7 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4878,9 +4718,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4938,9 +4776,7 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -4952,8 +4788,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -4963,8 +4799,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4998,9 +4834,7 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5012,8 +4846,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -5058,9 +4892,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5083,8 +4915,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5118,9 +4950,7 @@ "destination.ip": [ "172.217.10.14" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5132,8 +4962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -5143,8 +4973,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5178,9 +5008,7 @@ "destination.ip": [ "173.194.204.156" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5203,8 +5031,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5238,9 +5066,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5263,8 +5089,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5298,9 +5124,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5358,9 +5182,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5372,8 +5194,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "related.user": [ "-" @@ -5383,8 +5205,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5418,9 +5240,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5432,8 +5252,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "related.user": [ "-" @@ -5478,9 +5298,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -5503,8 +5321,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5538,9 +5356,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5563,8 +5379,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5601,9 +5417,7 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5615,8 +5429,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "related.user": [ "-" @@ -5626,8 +5440,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5664,9 +5478,7 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5678,8 +5490,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.206", - "10.100.0.1" + "10.100.0.1", + "216.58.219.206" ], "related.user": [ "-" @@ -5689,8 +5501,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5727,9 +5539,7 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5741,8 +5551,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.206", - "10.100.0.1" + "10.100.0.1", + "216.58.219.206" ], "related.user": [ "-" @@ -5790,9 +5600,7 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5853,9 +5661,7 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5867,8 +5673,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "related.user": [ "-" @@ -5913,9 +5719,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -5927,8 +5731,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "related.user": [ "-" @@ -5938,8 +5742,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5976,9 +5780,7 @@ "destination.ip": [ "216.58.219.206" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", 
@@ -6001,8 +5803,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -6036,9 +5838,7 @@ "destination.ip": [ "172.217.12.174" ], - "event.action": [ - "TCP_MISS" - ], + "event.action": "TCP_MISS", "event.code": "CONNECT", "event.dataset": "squid.log", "event.module": "squid", @@ -6061,8 +5861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md index 2df9d157cda..b27c2bd3cc7 100644 --- a/x-pack/filebeat/module/tenable/README.md +++ b/x-pack/filebeat/module/tenable/README.md @@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-08 18:28:03.42817 +0000 UTC. +at 2020-07-08 18:50:23.353065 +0000 UTC. diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js +++ b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js 
@@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md index 92925f9c3f5..ac35dd9d79b 100644 --- a/x-pack/filebeat/module/tomcat/README.md +++ b/x-pack/filebeat/module/tomcat/README.md @@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-08 18:27:56.755732 +0000 UTC. +at 2020-07-08 18:50:16.293772 +0000 UTC. 
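Review bot: The new `fld_prio` entries on the `action` and `event_type` lines encode which value survives in `event.action` only as the bare numbers 0 and 1, and nothing in the hunk says whether the lower or the higher prio wins, so a reader of the mapping table cannot tell which source is preferred when a log line carries both. Since ECS `event.action` is single-valued and detection content keys on it, I would state the intent on the line itself, e.g. `// event.action is single-valued in ECS: prefer 'action' over 'event_type' when both are present`, adjusted to match fld_prio's actual ordering, and note that the value that loses is still kept in `rsa.misc.action` (the regenerated fixtures in this series retain both values there). The same two-line change appears verbatim in the tomcat and zscaler copies of liblogparser.js with identical blob hashes, which suggests the file is copied per module from a shared source; if so, the change belongs in that source rather than in each copy. Separately, those fixtures flip the order of `related.ip` entries between regenerations, which looks like `fld_append` output order is not deterministic — worth confirming, since it makes golden-file diffs noisy and hides real changes.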
diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js +++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index 97cd46dba70..2c0a9cfa6b9 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md 
@@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-08 18:28:06.796835 +0000 UTC. +at 2020-07-08 18:50:26.796745 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js index cc84a62db72..cbf9659f322 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js +++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js @@ -916,7 +916,7 @@ var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_append}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, @@ -957,7 +957,7 @@ var ecs_mappings = { "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_append}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, "filename": {to:[{field: "file.name", setter: fld_set}]}, 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index de36c7563d6..b2b3deda032 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -5,9 +5,7 @@ "destination.ip": [ "10.206.191.17" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "litesse", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -25,8 +23,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -78,9 +76,7 @@ "destination.ip": [ "10.173.22.152" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "byC", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -98,8 +94,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.46.95", - "10.173.22.152" + "10.173.22.152", + "10.26.46.95" ], "related.user": [ "eataevi" @@ -153,9 +149,7 @@ "destination.ip": [ "10.204.86.149" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "laboreet", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -188,8 +182,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "Blocked", - "giatq" + "giatq", + "Blocked" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -228,9 +222,7 @@ "destination.ip": [ "10.103.246.190" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "suntinc", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -263,8 +255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "Allowed", - "llam" + "llam", + "Allowed" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -303,9 +295,7 @@ "destination.ip": [ "10.61.78.108" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "umdolore", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -323,8 +313,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -338,8 +328,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -378,9 +368,7 @@ "destination.ip": [ "10.183.16.166" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "remipsum", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -413,8 +401,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "ist", - "Allowed" + "Allowed", + "ist" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -453,9 +441,7 @@ "destination.ip": [ "10.243.224.205" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "lpa", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -528,9 +514,7 @@ "destination.ip": [ "10.119.185.63" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "amqu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -563,8 +547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "Blocked", - "nsec" + "nsec", + "Blocked" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", 
@@ -603,9 +587,7 @@ "destination.ip": [ "10.78.151.178" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "mporain", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -638,8 +620,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "Allowed", - "amvolup" + "amvolup", + "Allowed" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -678,9 +660,7 @@ "destination.ip": [ "10.71.170.37" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "umexerci", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -713,8 +693,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -753,9 +733,7 @@ "destination.ip": [ "10.223.247.86" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "lup", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -773,8 +751,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.223.247.86", - "10.19.145.131" + "10.19.145.131", + "10.223.247.86" ], "related.user": [ "tNequepo" @@ -788,8 +766,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "Allowed", - "emseq" + "emseq", + "Allowed" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -828,9 +806,7 @@ "destination.ip": [ "10.2.53.125" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "radi", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -848,8 +824,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" 
@@ -903,9 +879,7 @@ "destination.ip": [ "10.31.240.6" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "olup", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -923,8 +897,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.167.98.76", - "10.31.240.6" + "10.31.240.6", + "10.167.98.76" ], "related.user": [ "ratvolu" @@ -978,9 +952,7 @@ "destination.ip": [ "10.0.55.9" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "rcitati", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1013,8 +985,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "ionevo", - "Allowed" + "Allowed", + "ionevo" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1053,9 +1025,7 @@ "destination.ip": [ "10.63.250.128" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ntocca", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1073,8 +1043,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.63.250.128", - "10.111.187.12" + "10.111.187.12", + "10.63.250.128" ], "related.user": [ "saute" @@ -1088,8 +1058,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "ntoccae", - "Allowed" + "Allowed", + "ntoccae" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1128,9 +1098,7 @@ "destination.ip": [ "10.5.126.127" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "eprehen", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1148,8 +1116,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" 
@@ -1163,8 +1131,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "Allowed", - "xeacomm" + "xeacomm", + "Allowed" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1203,9 +1171,7 @@ "destination.ip": [ "10.201.171.120" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ris", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1278,9 +1244,7 @@ "destination.ip": [ "10.135.82.97" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "iat", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1298,8 +1262,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.107.251.87", - "10.135.82.97" + "10.135.82.97", + "10.107.251.87" ], "related.user": [ "str" @@ -1353,9 +1317,7 @@ "destination.ip": [ "10.31.198.58" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ditemp", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1428,9 +1390,7 @@ "destination.ip": [ "10.29.155.171" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "aboreetd", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1503,9 +1463,7 @@ "destination.ip": [ "10.129.192.145" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "oraincid", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1523,8 +1481,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.161.148.64", - "10.129.192.145" + "10.129.192.145", + "10.161.148.64" ], "related.user": [ "lor" @@ -1538,8 +1496,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uaUten", "rsa.misc.action": [ - "Blocked", - "amcorp" + "amcorp", + "Blocked" ], "rsa.misc.category": "umdolor", "rsa.misc.filter": "velillu", 
@@ -1578,9 +1536,7 @@ "destination.ip": [ "10.7.200.140" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "tpersp", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1653,9 +1609,7 @@ "destination.ip": [ "10.86.22.67" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "mquae", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1688,8 +1642,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "Blocked", - "atcupi" + "atcupi", + "Blocked" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1728,9 +1682,7 @@ "destination.ip": [ "10.39.31.115" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "labo", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1763,8 +1715,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "Allowed", - "gnaal" + "gnaal", + "Allowed" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1803,9 +1755,7 @@ "destination.ip": [ "10.179.210.218" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "undeom", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1823,8 +1773,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" ], "related.user": [ "boreetdo" @@ -1878,9 +1828,7 @@ "destination.ip": [ "10.128.173.19" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "tlaboree", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -1953,9 +1901,7 @@ "destination.ip": [ "10.130.241.232" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "redol", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -1988,8 +1934,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "mod", - "Allowed" + "Allowed", + "mod" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -2028,9 +1974,7 @@ "destination.ip": [ "10.115.53.31" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "olorema", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2048,8 +1992,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.115.53.31", - "10.2.67.127" + "10.2.67.127", + "10.115.53.31" ], "related.user": [ "Cic" @@ -2103,9 +2047,7 @@ "destination.ip": [ "10.204.214.251" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "scipitl", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2178,9 +2120,7 @@ "destination.ip": [ "10.18.226.72" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "dquiaco", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2198,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2213,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "Allowed", - "vitaed" + "vitaed", + "Allowed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2253,9 +2193,7 @@ "destination.ip": [ "10.87.100.240" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "equep", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2273,8 +2211,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.242.182.193", - "10.87.100.240" + "10.87.100.240", + "10.242.182.193" ], "related.user": [ "stenatus" 
@@ -2328,9 +2266,7 @@ "destination.ip": [ "10.229.242.223" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "dexe", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2363,8 +2299,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdolore", "rsa.misc.action": [ - "onproide", - "Blocked" + "Blocked", + "onproide" ], "rsa.misc.category": "tvolup", "rsa.misc.filter": "niam", @@ -2403,9 +2339,7 @@ "destination.ip": [ "10.193.66.155" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "enim", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2478,9 +2412,7 @@ "destination.ip": [ "10.236.230.136" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "quira", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2553,9 +2485,7 @@ "destination.ip": [ "10.49.242.174" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "rroqui", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2588,8 +2518,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "Allowed", - "utemvel" + "utemvel", + "Allowed" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2628,9 +2558,7 @@ "destination.ip": [ "10.142.120.198" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ido", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2663,8 +2591,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "Blocked", - "doconse" + "doconse", + "Blocked" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2703,9 +2631,7 @@ "destination.ip": [ "10.138.188.201" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "rsitvol", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -2723,8 +2649,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.184.241", - "10.138.188.201" + "10.138.188.201", + "10.128.184.241" ], "related.user": [ "etur" @@ -2738,8 +2664,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "Allowed", - "sed" + "sed", + "Allowed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2778,9 +2704,7 @@ "destination.ip": [ "10.53.101.131" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "itinvol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2798,8 +2722,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.213.57.165", - "10.53.101.131" + "10.53.101.131", + "10.213.57.165" ], "related.user": [ "isau" @@ -2813,8 +2737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "litanim", - "Allowed" + "Allowed", + "litanim" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2853,9 +2777,7 @@ "destination.ip": [ "10.243.6.41" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ainc", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -2873,8 +2795,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.243.6.41", - "10.55.81.14" + "10.55.81.14", + "10.243.6.41" ], "related.user": [ "eiusmo" @@ -2888,8 +2810,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "Blocked", - "lestia" + "lestia", + "Blocked" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2928,9 +2850,7 @@ "destination.ip": [ "10.33.144.10" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "labo", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -3003,9 +2923,7 @@ "destination.ip": [ "10.158.18.51" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "exerci", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3023,8 +2941,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.158.18.51", - "10.20.124.138" + "10.20.124.138", + "10.158.18.51" ], "related.user": [ "CSe" @@ -3078,9 +2996,7 @@ "destination.ip": [ "10.134.128.27" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "olore", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3098,8 +3014,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.118.177.136", - "10.134.128.27" + "10.134.128.27", + "10.118.177.136" ], "related.user": [ "Utenima" @@ -3153,9 +3069,7 @@ "destination.ip": [ "10.68.8.143" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "lorem", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3173,8 +3087,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" ], "related.user": [ "reet" @@ -3228,9 +3142,7 @@ "destination.ip": [ "10.143.0.78" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "atems", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3303,9 +3215,7 @@ "destination.ip": [ "10.30.87.51" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "rchit", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3323,8 +3233,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.156.177.53", - "10.30.87.51" + "10.30.87.51", + "10.156.177.53" ], "related.user": [ "psaquaea" 
@@ -3338,8 +3248,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "ptatev", - "Blocked" + "Blocked", + "ptatev" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3378,9 +3288,7 @@ "destination.ip": [ "10.83.138.34" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "inea", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3398,8 +3306,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.83.138.34", - "10.111.249.184" + "10.111.249.184", + "10.83.138.34" ], "related.user": [ "dentsunt" @@ -3413,8 +3321,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "Blocked", - "upta" + "upta", + "Blocked" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3453,9 +3361,7 @@ "destination.ip": [ "10.141.195.13" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "tautfugi", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3473,8 +3379,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" @@ -3528,9 +3434,7 @@ "destination.ip": [ "10.166.195.20" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ceroinB", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3548,8 +3452,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.255.40.12", - "10.166.195.20" + "10.166.195.20", + "10.255.40.12" ], "related.user": [ "lamcolab" @@ -3601,9 +3505,7 @@ "destination.ip": [ "10.22.122.43" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "mexer", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -3676,9 +3578,7 @@ "destination.ip": [ "10.119.53.68" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "illum", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3696,8 +3596,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.121.9.5", - "10.119.53.68" + "10.119.53.68", + "10.121.9.5" ], "related.user": [ "ssec" @@ -3751,9 +3651,7 @@ "destination.ip": [ "10.237.0.173" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "periam", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3771,8 +3669,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.153.177", - "10.237.0.173" + "10.237.0.173", + "10.31.153.177" ], "related.user": [ "sci" @@ -3786,8 +3684,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "dolor", - "Blocked" + "Blocked", + "dolor" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3824,9 +3722,7 @@ "destination.ip": [ "10.243.182.229" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "emporin", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3895,9 +3791,7 @@ "destination.ip": [ "10.39.46.155" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "BCSe", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -3915,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.39.46.155", - "10.120.138.109" + "10.120.138.109", + "10.39.46.155" ], "related.user": [ "picia" @@ -3970,9 +3864,7 @@ "destination.ip": [ "10.53.191.49" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "idestl", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -3990,8 +3882,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.53.191.49", - "10.133.102.57" + "10.133.102.57", + "10.53.191.49" ], "related.user": [ "onsec" @@ -4045,9 +3937,7 @@ "destination.ip": [ "10.91.2.225" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "tcu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4120,9 +4010,7 @@ "destination.ip": [ "10.221.20.165" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "velites", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4140,8 +4028,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.221.20.165", - "10.7.18.226" + "10.7.18.226", + "10.221.20.165" ], "related.user": [ "uasiarch" @@ -4195,9 +4083,7 @@ "destination.ip": [ "10.178.148.188" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "rit", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4215,8 +4101,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.155.252.123", - "10.178.148.188" + "10.178.148.188", + "10.155.252.123" ], "related.user": [ "inrepreh" @@ -4270,9 +4156,7 @@ "destination.ip": [ "10.190.42.245" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "aeab", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4290,8 +4174,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4305,8 +4189,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "Blocked", - "aerat" + "aerat", + "Blocked" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", 
@@ -4343,9 +4227,7 @@ "destination.ip": [ "10.112.190.154" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "lab", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4363,8 +4245,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" ], "related.user": [ "oremeu" @@ -4418,9 +4300,7 @@ "destination.ip": [ "10.195.153.42" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "rsit", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4438,8 +4318,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.250.48.82", - "10.195.153.42" + "10.195.153.42", + "10.250.48.82" ], "related.user": [ "tsedquia" @@ -4453,8 +4333,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "Allowed", - "upidatat" + "upidatat", + "Allowed" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4493,9 +4373,7 @@ "destination.ip": [ "10.252.164.230" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "iumtota", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4513,8 +4391,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.252.164.230", - "10.60.52.219" + "10.60.52.219", + "10.252.164.230" ], "related.user": [ "gnamali" @@ -4528,8 +4406,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "Blocked", - "fdeFin" + "fdeFin", + "Blocked" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4564,9 +4442,7 @@ "destination.ip": [ "10.187.16.73" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ptate", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -4584,8 +4460,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.122.102.156", - "10.187.16.73" + "10.187.16.73", + "10.122.102.156" ], "related.user": [ "emoen" @@ -4599,8 +4475,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "Allowed", - "turad" + "turad", + "Allowed" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", @@ -4639,9 +4515,7 @@ "destination.ip": [ "10.120.215.174" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ntexplic", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4674,8 +4548,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "uatDu", - "Allowed" + "Allowed", + "uatDu" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4712,9 +4586,7 @@ "destination.ip": [ "10.51.161.245" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "suntex", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4747,8 +4619,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "Allowed", - "uteiru" + "uteiru", + "Allowed" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4787,9 +4659,7 @@ "destination.ip": [ "10.7.152.238" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "scipi", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4822,8 +4692,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vento", "rsa.misc.action": [ - "reh", - "Blocked" + "Blocked", + "reh" ], "rsa.misc.category": "atev", "rsa.misc.filter": "umq", 
@@ -4862,9 +4732,7 @@ "destination.ip": [ "10.29.162.157" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "remquela", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4882,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" @@ -4937,9 +4805,7 @@ "destination.ip": [ "10.215.63.248" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "dantium", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -4972,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -5012,9 +4878,7 @@ "destination.ip": [ "10.26.115.88" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "edictas", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5087,9 +4951,7 @@ "destination.ip": [ "10.193.152.42" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "nost", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5107,8 +4969,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.20.27", - "10.193.152.42" + "10.193.152.42", + "10.91.20.27" ], "related.user": [ "edict" @@ -5122,8 +4984,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "Blocked", - "umq" + "umq", + "Blocked" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5162,9 +5024,7 @@ "destination.ip": [ "10.146.69.38" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "Exce", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -5197,8 +5057,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "Allowed", - "userro" + "userro", + "Allowed" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5237,9 +5097,7 @@ "destination.ip": [ "10.249.1.143" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ntutlab", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5272,8 +5130,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "onevo", - "Allowed" + "Allowed", + "onevo" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5312,9 +5170,7 @@ "destination.ip": [ "10.167.176.220" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ione", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5387,9 +5243,7 @@ "destination.ip": [ "10.200.74.101" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ntmo", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5462,9 +5316,7 @@ "destination.ip": [ "10.162.78.48" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "tect", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5497,8 +5349,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "Blocked", - "tutl" + "tutl", + "Blocked" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5537,9 +5389,7 @@ "destination.ip": [ "10.55.151.53" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "commod", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5557,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "related.user": [ "squir" 
@@ -5612,9 +5462,7 @@ "destination.ip": [ "10.110.16.169" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "labori", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5632,8 +5480,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.209.203.156", - "10.110.16.169" + "10.110.16.169", + "10.209.203.156" ], "related.user": [ "mes" @@ -5687,9 +5535,7 @@ "destination.ip": [ "10.84.9.150" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "nsecte", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5707,8 +5553,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.107.68.114", - "10.84.9.150" + "10.84.9.150", + "10.107.68.114" ], "related.user": [ "sequatDu" @@ -5722,8 +5568,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5762,9 +5608,7 @@ "destination.ip": [ "10.26.222.144" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "sintoc", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5782,8 +5626,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.222.144", - "10.124.119.48" + "10.124.119.48", + "10.26.222.144" ], "related.user": [ "nre" @@ -5837,9 +5681,7 @@ "destination.ip": [ "10.164.190.2" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "datatno", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -5912,9 +5754,7 @@ "destination.ip": [ "10.14.37.8" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "olor", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -5947,8 +5787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "rinc", - "Blocked" + "Blocked", + "rinc" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -5987,9 +5827,7 @@ "destination.ip": [ "10.90.20.202" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ostrude", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6007,8 +5845,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.10.93.133", - "10.90.20.202" + "10.90.20.202", + "10.10.93.133" ], "related.user": [ "evita" @@ -6022,8 +5860,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "nia", - "Blocked" + "Blocked", + "nia" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6062,9 +5900,7 @@ "destination.ip": [ "10.34.98.144" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "pariatu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6097,8 +5933,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "ulapa", - "Allowed" + "Allowed", + "ulapa" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -6137,9 +5973,7 @@ "destination.ip": [ "10.176.233.249" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ntin", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6157,8 +5991,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.75.144.118", - "10.176.233.249" + "10.176.233.249", + "10.75.144.118" ], "related.user": [ "isnos" @@ -6172,8 +6006,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "odic", - "Blocked" + "Blocked", + "odic" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", 
@@ -6212,9 +6046,7 @@ "destination.ip": [ "10.149.6.107" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "mveleu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6287,9 +6119,7 @@ "destination.ip": [ "10.97.202.149" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "itte", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6362,9 +6192,7 @@ "destination.ip": [ "10.141.66.163" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "iduntut", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6397,8 +6225,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "mini", - "Blocked" + "Blocked", + "mini" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6437,9 +6265,7 @@ "destination.ip": [ "10.10.25.145" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "nrepre", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6457,8 +6283,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.10.25.145", - "10.224.249.228" + "10.224.249.228", + "10.10.25.145" ], "related.user": [ "mnisiuta" @@ -6472,8 +6298,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "remap", - "Blocked" + "Blocked", + "remap" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6512,9 +6338,7 @@ "destination.ip": [ "10.234.34.40" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "dolori", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6587,9 +6411,7 @@ "destination.ip": [ "10.124.81.20" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "piciatis", "event.dataset": "zscaler.zia", "event.module": "zscaler", 
@@ -6622,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6662,9 +6484,7 @@ "destination.ip": [ "10.166.205.159" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "siutal", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6682,8 +6502,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.205.159", - "10.154.188.132" + "10.154.188.132", + "10.166.205.159" ], "related.user": [ "uptat" @@ -6733,9 +6553,7 @@ "destination.ip": [ "10.46.71.46" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "ugiat", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6768,8 +6586,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "upta", "rsa.misc.action": [ - "uovolup", - "Allowed" + "Allowed", + "uovolup" ], "rsa.misc.category": "todit", "rsa.misc.filter": "atisetq", @@ -6804,9 +6622,7 @@ "destination.ip": [ "10.254.119.31" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "uunturma", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6879,9 +6695,7 @@ "destination.ip": [ "10.195.62.230" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "sequat", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6954,9 +6768,7 @@ "destination.ip": [ "10.144.93.186" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "adminim", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -6974,8 +6786,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" ], "related.user": [ "eroi" 
@@ -7029,9 +6841,7 @@ "destination.ip": [ "10.31.58.6" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "volu", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7049,8 +6859,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.58.6", - "10.198.84.190" + "10.198.84.190", + "10.31.58.6" ], "related.user": [ "unt" @@ -7064,8 +6874,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "Allowed", - "qua" + "qua", + "Allowed" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -7104,9 +6914,7 @@ "destination.ip": [ "10.139.90.218" ], - "event.action": [ - "Allowed" - ], + "event.action": "Allowed", "event.code": "umdol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7179,9 +6987,7 @@ "destination.ip": [ "10.128.43.71" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "ssequa", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7254,9 +7060,7 @@ "destination.ip": [ "10.26.149.221" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "umquidol", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7274,8 +7078,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "related.user": [ "uisa" @@ -7329,9 +7133,7 @@ "destination.ip": [ "10.109.192.53" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "rehen", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7364,8 +7166,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "Blocked", - "tassit" + "tassit", + "Blocked" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", 
@@ -7404,9 +7206,7 @@ "destination.ip": [ "10.119.106.108" ], - "event.action": [ - "Blocked" - ], + "event.action": "Blocked", "event.code": "iatisund", "event.dataset": "zscaler.zia", "event.module": "zscaler", @@ -7424,8 +7224,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.38.213", - "10.119.106.108" + "10.119.106.108", + "10.135.38.213" ], "related.user": [ "ore" diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index dfbbe351a7c..423d10f5ac2 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -1,9 +1,7 @@ [ { "@timestamp": "2017-06-23T17:16:42.000Z", - "event.action": [ - "" - ], + "event.action": "", "event.code": "", "event.dataset": "zscaler.zia", "event.module": "zscaler", From c7e8569d72900ec2b6f79bb422c34c93143059ad Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Thu, 9 Jul 2020 00:20:45 +0200 Subject: [PATCH 13/19] event.outcome / group.name / group.id / host.mac / direction This updates the parser to: - map event.outcome to the standard values. - populate group.name and group.id. - set host.mac from the macaddr field. - Give meaningful direction values to generated logs. --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../barracuda/waf/config/liblogparser.js | 23 +- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../bluecoat/director/config/liblogparser.js | 23 +- .../module/cisco/nexus/config/liblogparser.js | 23 +- x-pack/filebeat/module/citrix/README.md | 2 +- .../citrix/virtualapps/config/liblogparser.js | 23 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../cylance/protect/config/liblogparser.js | 23 +- .../protect/test/generated.log-expected.json | 7 + x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/liblogparser.js | 23 +- .../bigipapm/test/generated.log-expected.json | 10 +- .../module/f5/firepass/config/liblogparser.js | 23 +- .../firepass/test/generated.log-expected.json | 18 +- .../clientendpoint/config/liblogparser.js | 23 +- .../clientendpoint/test/generated.log | 200 +- .../test/generated.log-expected.json | 4200 ++++++------ x-pack/filebeat/module/imperva/README.md | 2 +- .../securesphere/config/liblogparser.js | 23 +- .../imperva/securesphere/test/generated.log | 192 +- .../test/generated.log-expected.json | 5604 ++++++++--------- x-pack/filebeat/module/infoblox/README.md | 2 +- .../infoblox/nios/config/liblogparser.js | 23 +- .../nios/test/generated.log-expected.json | 8 +- x-pack/filebeat/module/juniper/README.md | 2 +- .../juniper/junos/config/liblogparser.js | 23 +- x-pack/filebeat/module/kaspersky/README.md | 2 +- .../kaspersky/av/config/liblogparser.js | 23 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../microsoft/dhcp/config/liblogparser.js | 23 +- .../dhcp/test/generated.log-expected.json | 36 +- 
x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/config/liblogparser.js | 23 +- .../netscout/sightline/test/generated.log | 190 +- .../test/generated.log-expected.json | 1147 ++-- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/config/liblogparser.js | 23 +- x-pack/filebeat/module/rapid7/README.md | 2 +- .../rapid7/nexpose/config/liblogparser.js | 23 +- .../nexpose/test/generated.log-expected.json | 2 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/liblogparser.js | 23 +- .../firewall/test/generated.log-expected.json | 100 +- x-pack/filebeat/module/squid/README.md | 2 +- .../module/squid/log/config/liblogparser.js | 23 +- .../squid/log/test/access1.log-expected.json | 360 +- .../squid/log/test/access2.log-expected.json | 168 +- .../squid/log/test/access3.log-expected.json | 300 +- .../squid/log/test/access4.log-expected.json | 412 +- x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/liblogparser.js | 23 +- x-pack/filebeat/module/tomcat/README.md | 2 +- .../module/tomcat/log/config/liblogparser.js | 23 +- x-pack/filebeat/module/zscaler/README.md | 2 +- .../module/zscaler/zia/config/liblogparser.js | 23 +- .../zia/test/generated.log-expected.json | 400 +- .../zscaler/zia/test/test.log-expected.json | 4 +- 58 files changed, 7117 insertions(+), 6760 deletions(-) diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md index a3375733550..4b99044c6ec 100644 --- a/x-pack/filebeat/module/barracuda/README.md +++ b/x-pack/filebeat/module/barracuda/README.md @@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 -at 2020-07-08 18:50:16.872444 +0000 UTC. +at 2020-07-08 22:20:55.791109 +0000 UTC. 
diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js +++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js @@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md index b07cb66dc6f..e3519e38a3d 100644 --- a/x-pack/filebeat/module/bluecoat/README.md +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 -at 2020-07-08 18:50:18.742646 +0000 UTC. +at 2020-07-08 22:20:57.359593 +0000 UTC. diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js +++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js 
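Review bot: The vocabulary check in `fld_ecs_outcome` is a plain object-literal lookup, so names inherited from `Object.prototype` pass it: a log field whose lowercased value is `constructor` or `__proto__` is not `undefined` on lookup and is written verbatim into `event.outcome`, which defeats the success/failure/unknown normalisation the setter exists to enforce; `if (valid_ecs_outcome[value] !== true) {` closes the gap. `value.toLowerCase()` will also throw if the extracted field is ever not a string; if that can happen for an `ec_outcome` capture, `String(value).toLowerCase()` is the safer form. The f5/firepass fixtures in this commit show vendor `Error` collapsing to `unknown`, so detections keyed on `event.outcome: failure` will not see those events — worth confirming that is the intended mapping. A short header comment would help, e.g. `// Normalise a vendor outcome to the ECS vocabulary (success/failure/unknown); a later known value replaces an earlier 'unknown' but never an earlier known value.` The same hunk is repeated verbatim in the bluecoat/director, cisco/nexus, citrix/virtualapps, cylance/protect, f5/bigipapm and f5/firepass copies of liblogparser.js.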
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js +++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md index 55dd02271c4..6e98c43513d 100644 --- a/x-pack/filebeat/module/citrix/README.md +++ b/x-pack/filebeat/module/citrix/README.md @@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 -at 2020-07-08 18:50:19.728951 +0000 UTC. +at 2020-07-08 22:20:58.335509 +0000 UTC. diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js +++ b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md index 864876a4de3..3d1c9559af4 100644 --- a/x-pack/filebeat/module/cylance/README.md +++ b/x-pack/filebeat/module/cylance/README.md @@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 -at 2020-07-08 18:50:19.981316 +0000 UTC. +at 2020-07-08 22:20:58.574688 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js +++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index 2d4df394d00..dfdf1d35bcc 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
@@ -103,6 +103,7 @@ "event.module": "cylance", "event.original": "2016-3-12T3:17:42.minim eFini859.www5.example CylancePROTECT psumquia onsect [orsitame] Event Type: reprehe, Event Name: SystemSecurity, Device Name: quiavo, Agent Version: issusci, IP Address: (10.164.119.63, taliquip), MAC Address: (01:00:5e:86:ac:4a, tNequ), Logged On Users: (gelit), OS: tatno Zone Names: dquiac", "fileset.name": "protect", + "host.mac": "01:00:5e:86:ac:4a", "host.name": "eFini859.www5.example", "input.type": "log", "log.offset": 745, @@ -146,6 +147,7 @@ "event.module": "cylance", "event.original": "26-March-2016 10:20:16 medium oluptas2358.internal.host ommod <aqui 2016-3-26T10:20:16.radipis isetq3627.api.domain CylancePROTECT magn equuntu [eos] Event Type: enimad, Event Name: SystemSecurity, Device Name: uaerat, Agent Version: boreet, IP Address: (10.155.162.162, mcolabor), MAC Address: (01:00:5e:2c:f3:52, giatq), Logged On Users: (quid), OS: fug", "fileset.name": "protect", + "host.mac": "01:00:5e:2c:f3:52", "host.name": "isetq3627.api.domain", "input.type": "log", "log.offset": 1062, @@ -496,6 +498,7 @@ "event.module": "cylance", "event.original": "16-Aug-2016 8:45:59 medium non3341.mail.invalid derit <atcu 16T08:45:59.labor didunt1355.corp CylancePROTECT Event Name:Device Policy Assigned, Device Name:liqu, Agent Version:eporr, IP Address: (10.238.164.29), MAC Address: (01:00:5e:32:95:80), Logged On Users: (sequam), OS:temvel, Zone Names:ris", "fileset.name": "protect", + "host.mac": "01:00:5e:32:95:80", "host.name": "didunt1355.corp", "input.type": "log", "log.offset": 3836, 
@@ -916,6 +919,7 @@ "event.module": "cylance", "event.original": "3-Feb-2017 9:16:50 high rum959.host velillu <bor 3T21:16:50.rauto ationev5770.www.invalid CylancePROTECT Event Name:DeviceRemove, Device Name:nby, Agent Version:mve, IP Address: (10.96.201.115), MAC Address: (01:00:5e:94:55:60), Logged On Users: (inimve), OS:pis, Zone Names:nsequat", "fileset.name": "protect", + "host.mac": "01:00:5e:94:55:60", "host.name": "ationev5770.www.invalid", "input.type": "log", "log.offset": 6649, @@ -1740,6 +1744,7 @@ "event.module": "cylance", "event.original": "Dec 29 3:15:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori", "fileset.name": "protect", + "host.mac": "01:00:5e:bc:a3:48", "input.type": "log", "log.offset": 12631, "observer.product": "Protect", @@ -2348,6 +2353,7 @@ "event.module": "cylance", "event.original": "temaccu 2018-9-12T10:02:15.uamqua Neq4477.mail.invalid CylancePROTECT nim pteurs [ercitati] Event Type: atem, Event Name: SyslogSettingsSave, Device Name: mipsu, Agent Version: velillu, IP Address: (10.181.241.7), MAC Address: (01:00:5e:e1:72:72), Logged On Users: (riatu), OS: utod", "fileset.name": "protect", + "host.mac": "01:00:5e:e1:72:72", "host.name": "Neq4477.mail.invalid", "input.type": "log", "log.offset": 17112, @@ -2643,6 +2649,7 @@ "event.module": "cylance", "event.original": "19-Jan-2019 1:25:23 low eiu5375.api.domain tcons <ction 19T13:25:23.emveleum siuta2155.lan CylancePROTECT Event Name:DeviceEdit, Device Name:utpe, Agent Version:ill, IP Address: (10.185.28.175), MAC Address: (01:00:5e:1d:a2:74), Logged On Users: (tasu), OS:sci, Zone Names:isquames", "fileset.name": "protect", + "host.mac": "01:00:5e:1d:a2:74", "host.name": "siuta2155.lan", "input.type": "log", "log.offset": 19069, 
diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index aff47782703..560d065e482 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 18:50:18.250871 +0000 UTC. +at 2020-07-08 22:20:56.925079 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js @@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, 
@@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, @@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); 
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index 8a55b8fd469..a5a18f64b40 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -364,8 +364,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.204.123.107", - "10.225.160.182" + "10.225.160.182", + "10.204.123.107" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", @@ -1103,6 +1103,7 @@ "event.module": "f5", "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem ", "fileset.name": "bigipapm", + "group.name": "exerci", "input.type": "log", "log.flags": [ "dissect_parsing_error" @@ -1456,6 +1457,7 @@ "event.module": "f5", "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei ", "fileset.name": "bigipapm", + "group.name": "tationu", "input.type": "log", "log.flags": [ "dissect_parsing_error" @@ -1554,8 +1556,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.187.64.126", - "10.47.99.72" + "10.47.99.72", + "10.187.64.126" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = {
 "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
@@ -1852,6 +1855,24 @@ function fld_prio(dst, value) {
 }
 }
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
 function map_all(evt, targets, value) {
 for (var i = 0; i < targets.length; i++) {
 evt.Put(targets[i], value);
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
index 61c95990b65..3d9a482ac20 100644
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
@@ -405,7 +405,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "mailer[uptatev]: [uovol] Failed to send \\'dmi\\' to \\'olab\\'",
- "event.outcome": "Failure",
+ "event.outcome": "failure",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 1496,
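Review bot: The allowed-value check in `fld_ecs_outcome` is a plain-object lookup, `valid_ecs_outcome[value] === undefined`, so a lowercased log value that happens to name a property inherited from `Object.prototype` (`constructor`, `__proto__`) is not undefined and is written verbatim into `event.outcome` instead of being normalised to `unknown`, which is exactly the non-ECS value this setter exists to prevent. Testing ownership closes that gap: `if (!Object.prototype.hasOwnProperty.call(valid_ecs_outcome, value)) {`. The `value.toLowerCase()` call on the line before also assumes the raw field is always a string; the `ec_outcome` mapping at `@@ -954` declares no `convert`, so that is presumably the case, but `value = String(value).toLowerCase();` would make the setter safe against a non-string input at no cost. The two assignment branches store the same object and read more clearly merged as `if (dst[this.field] === undefined || dst[this.field].v === 'unknown') {`. The identical copy of this hunk in x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js has the same issues.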
@@ -731,7 +731,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "April 2 01:27:07 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'",
- "event.outcome": "Failure",
+ "event.outcome": "failure",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 2691,
@@ -788,8 +788,8 @@
 "observer.type": "VPN",
 "observer.vendor": "F5",
 "related.ip": [
- "10.46.158.31",
- "10.117.146.33"
+ "10.117.146.33",
+ "10.46.158.31"
 ],
 "rsa.db.index": "dun",
 "rsa.internal.messageid": "kernel",
@@ -810,7 +810,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "May 14 22:34:50 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214",
- "event.outcome": "Error",
+ "event.outcome": "unknown",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 2995,
@@ -1527,7 +1527,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "mailer[itatione]: [isnis] [uptasn] Failed to send \\'reme\\' to \\'acommod\\'",
- "event.outcome": "Failure",
+ "event.outcome": "failure",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 5393,
@@ -1552,7 +1552,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "mailer[udantium]: Failed to send \\'pre\\' to \\'xeacom\\'",
- "event.outcome": "Failure",
+ "event.outcome": "failure",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 5467,
@@ -2039,7 +2039,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "mailer[untut]: [uamni] Failed to send \\'ctet\\' to \\'ati\\'",
- "event.outcome": "Failure",
+ "event.outcome": "failure",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 6971,
@@ -2197,7 +2197,7 @@
 "event.dataset": "f5.firepass",
 "event.module": "f5",
 "event.original": "September 19 13:09:05 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account",
- "event.outcome": "Failure",
+ "event.outcome": "failure",
 "fileset.name": "firepass",
 "input.type": "log",
 "log.offset": 7516,
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
index cbf9659f322..0348f89e2d8 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
@@ -954,7 +954,7 @@ var ecs_mappings = {
 "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
 "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
 "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
 "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = {
 "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
@@ -1852,6 +1855,24 @@ function fld_prio(dst, value) {
 }
 }
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
 function map_all(evt, targets, value) {
 for (var i = 0; i < targets.length; i++) {
 evt.Put(targets[i], value);
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
index d001b33300f..11c42635932 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
@@ -1,100 +1,100 @@ -January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure -February 12 13:12:33 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success -February 26 20:15:08 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown -March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown -March 26 10:20:16 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success -April 9 17:22:51 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown -April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success -May 8 07:27:59 ari1508.api.localdomain proto=tcp service=pop3 status=deny 
src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown -May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown -June 5 21:33:08 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown -June 20 04:35:42 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure -July 4 11:38:16 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure -July 18 18:40:50 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure -August 2 01:43:25 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success -August 16 08:45:59 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 app_name=inima traff_direct=tlabo block_count=6088 
logon_user=nihi@Lor5841.internal.example msg=success -August 30 15:48:33 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown -September 13 22:51:07 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown -September 28 05:53:42 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown -October 12 12:56:16 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure -October 26 19:58:50 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure -November 10 03:01:24 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure -November 24 10:03:59 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain 
msg=failure -December 8 17:06:33 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown -December 23 00:09:07 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success -January 6 07:11:41 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success -January 20 14:14:16 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown -February 3 21:16:50 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown -February 18 04:19:24 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown -March 4 11:21:59 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home msg=failure -March 18 18:24:33 stquido5705.api.host proto=icmp service=http 
status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure -April 2 01:27:07 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success -April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown -April 30 15:32:16 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success -May 14 22:34:50 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure -May 29 05:37:24 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success -June 12 12:39:58 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success -June 26 19:42:33 nturma18.internal.example proto=icmp service=https status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr 
pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success -July 11 02:45:07 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown -July 25 09:47:41 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown -August 8 16:50:15 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown -August 22 23:52:50 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown -September 6 06:55:24 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown -September 20 13:57:58 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success -October 4 21:00:32 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host 
msg=failure -October 19 04:03:07 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown -November 2 11:05:41 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown -November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown -December 1 01:10:49 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success -December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure -December 29 15:15:58 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure -January 12 22:18:32 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success -January 27 05:21:06 
itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown -February 10 12:23:41 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown -February 24 19:26:15 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success -March 11 02:28:49 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success -March 25 09:31:24 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown -April 8 16:33:58 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure -April 22 23:36:32 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 logon_user=nesciun@saqu6897.mail.lan msg=failure -May 7 06:39:06 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 
dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown -May 21 13:41:41 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure -June 4 20:44:15 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure -June 19 03:46:49 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success -July 3 10:49:23 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure -July 17 17:51:58 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success -August 1 00:54:32 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure -August 15 07:57:06 tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol 
block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown -August 29 14:59:40 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure -September 12 22:02:15 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure -September 27 05:04:49 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure -October 11 12:07:23 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure -October 25 19:09:57 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure -November 9 02:12:32 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success -November 23 09:15:06 iam7526.mail.test proto=icmp service=smtp status=deny src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure 
-December 7 16:17:40 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success -December 21 23:20:14 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure -January 5 06:22:49 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure -January 19 13:25:23 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success -February 2 20:27:57 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown -February 17 03:30:32 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown -March 3 10:33:06 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure -March 17 17:35:40 iciade3900.example proto=ggp 
service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure -April 1 00:38:14 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success -April 15 07:40:49 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success -April 29 14:43:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure -May 13 21:45:57 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown -May 28 04:48:31 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown -June 11 11:51:06 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown -June 25 18:53:40 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 
server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success -July 10 01:56:14 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown -July 24 08:58:48 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success -August 7 16:01:23 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success -August 21 23:03:57 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure -September 5 06:06:31 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure -September 19 13:09:05 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success -October 3 20:11:40 ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 
logon_user=isciv@natus4803.mail.localhost msg=failure -October 18 03:14:14 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure -November 1 10:16:48 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure -November 15 17:19:22 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure -November 30 00:21:57 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown -December 14 07:24:31 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure +January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure +February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown 
+February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success +March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success +March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure +April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown +April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure +May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown +May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure +June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 
status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success +June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure +July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown +July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success +August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure +August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure +August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure +September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec 
pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown +September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown +October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure +October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure +November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown +November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure +December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success +December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 
logon_user=uioffi@oru6938.invalid msg=success +January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success +January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success +February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure +February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success +March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown +March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success +April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure +April 16 08:29:41 vita2681.www5.local proto=icmp 
service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown +April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure +May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success +May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown +June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown +June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success +July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success +July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 
server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure +August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown +August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success +September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown +September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure +October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure +October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure +November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 
logon_user=plicab@oremq2000.api.corp msg=unknown +November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success +December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown +December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success +December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success +January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure +January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure +February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 
logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown +February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown +March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success +March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure +April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure +April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success +May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown +May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success +June 4 20:44:15 minim459.mail.local 
proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown +June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success +July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success +July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown +August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown +August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success +August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure +September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 
src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown +September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure +October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure +October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown +November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure +November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure +December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure +December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu 
pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success +January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure +January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown +February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown +February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success +March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure +March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success +April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 
logon_user=emp@lamcola4879.www5.localdomain msg=success +April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown +April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success +May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure +May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown +June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success +June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure +July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success +July 24 08:58:48 onsecte91.www5.localdomain 
proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success +August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure +August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure +September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure +September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown +October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success +October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success +November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 
dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success +November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown +November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure +December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 502e099bb1d..c1db12fa60c 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json 
@@ -9,26 +9,26 @@ "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=sperna block_count=884 logon_user=billoi@oreetdol1714.internal.corp msg=failure", - "event.outcome": "Failure", + "event.original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "boNemoe4402.www.invalid", "input.type": "log", "log.offset": 0, - "network.direction": "sperna", + "network.direction": "external", "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7880, "related.ip": [ - "10.102.123.34", - "10.150.92.220" + "10.150.92.220", + "10.102.123.34" ], "related.user": [ - "billoi" + "sumdo" ], - "rsa.counters.dclass_c1": 884, + "rsa.counters.dclass_c1": 5286, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", @@ -41,10 +41,10 @@ "rsa.network.alias_host": [ "boNemoe4402.www.invalid" ], - "rsa.network.domain": "oreetdol1714.internal.corp", + "rsa.network.domain": "litesse6379.api.domain", "rsa.network.network_service": "http", "rsa.time.event_time": "2020-01-29T08:09:59.000Z", - "server.domain": "oreetdol1714.internal.corp", + "server.domain": "litesse6379.api.domain", "service.type": "fortinet", "source.ip": [ "10.150.92.220" 
@@ -54,121 +54,121 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "billoi" + "user.name": "sumdo" }, { "@timestamp": "2020-02-12T15:12:33.000Z", "destination.ip": [ - "10.102.218.31" + "10.149.203.46" ], - "destination.port": 3376, + "destination.port": 5861, "event.action": "deny", - "event.code": "smtp", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 12 13:12:33 agn2581.www5.corp proto=rdp service=smtp status=deny src=10.22.119.124 dst=10.102.218.31 src_port=4402 dst_port=3376 server_app=mod pid=6183 app_name=enatus traff_direct=mquia block_count=873 logon_user=itamet@tetur6657.internal.domain msg=success", - "event.outcome": "Failure", + "event.original": "February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "agn2581.www5.corp", + "host.name": "olupt4880.api.home", "input.type": "log", - "log.offset": 283, - "network.direction": "mquia", - "network.protocol": "rdp", + "log.offset": 281, + "network.direction": "internal", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6183, + "process.pid": 4539, "related.ip": [ - "10.102.218.31", - "10.22.119.124" + "10.149.203.46", + "10.33.212.159" ], "related.user": [ - "itamet" + "mipsumq" ], - "rsa.counters.dclass_c1": 873, + "rsa.counters.dclass_c1": 4402, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - 
"rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "agn2581.www5.corp" + "olupt4880.api.home" ], - "rsa.network.domain": "tetur6657.internal.domain", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "gnaali6189.internal.localhost", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-02-12T15:12:33.000Z", - "server.domain": "tetur6657.internal.domain", + "server.domain": "gnaali6189.internal.localhost", "service.type": "fortinet", "source.ip": [ - "10.22.119.124" + "10.33.212.159" ], - "source.port": 4402, + "source.port": 2789, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "itamet" + "user.name": "mipsumq" }, { "@timestamp": "2020-02-26T22:15:08.000Z", "destination.ip": [ - "10.26.46.95" + "10.118.175.9" ], - "destination.port": 7599, + "destination.port": 2802, "event.action": "deny", - "event.code": "https", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 26 20:15:08 iin6287.mail.domain proto=ggp service=https status=deny src=10.135.105.231 dst=10.26.46.95 src_port=1327 dst_port=7599 server_app=quis pid=1130 app_name=serror traff_direct=anti block_count=4454 logon_user=meumfug@tetu5280.www5.invalid msg=unknown", - "event.outcome": "Failure", + "event.original": "February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "iin6287.mail.domain", + "host.name": "aqu1628.internal.domain", "input.type": "log", - "log.offset": 552, - "network.direction": "anti", - "network.protocol": "ggp", + "log.offset": 563, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1130, + "process.pid": 445, "related.ip": [ - "10.26.46.95", - "10.135.105.231" + "10.173.116.41", + "10.118.175.9" ], "related.user": [ - "meumfug" + "uame" ], - "rsa.counters.dclass_c1": 4454, + "rsa.counters.dclass_c1": 7019, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "iin6287.mail.domain" + "aqu1628.internal.domain" ], - "rsa.network.domain": "tetu5280.www5.invalid", - "rsa.network.network_service": "https", + "rsa.network.domain": "quis1130.internal.corp", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-02-26T22:15:08.000Z", - "server.domain": "tetu5280.www5.invalid", + "server.domain": "quis1130.internal.corp", "service.type": "fortinet", "source.ip": [ - "10.135.105.231" + "10.173.116.41" ], - "source.port": 1327, + "source.port": 3710, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "meumfug" + "user.name": "uame" }, { "@timestamp": "2020-03-12T05:17:42.000Z", 
@@ -180,26 +180,26 @@ "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=onsect block_count=101 logon_user=con@uia351.api.localhost msg=unknown", - "event.outcome": "Failure", + "event.original": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "tinculp2940.internal.local", "input.type": "log", - "log.offset": 821, - "network.direction": "onsect", + "log.offset": 837, + "network.direction": "unknown", "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5712, "related.ip": [ - "10.134.137.177", - "10.202.204.154" + "10.202.204.154", + "10.134.137.177" ], "related.user": [ - "con" + "orsitame" ], - "rsa.counters.dclass_c1": 101, + "rsa.counters.dclass_c1": 2458, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", @@ -208,14 +208,14 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ "tinculp2940.internal.local" ], - "rsa.network.domain": "uia351.api.localhost", + "rsa.network.domain": "reprehe189.internal.home", "rsa.network.network_service": "https", "rsa.time.event_time": "2020-03-12T05:17:42.000Z", - "server.domain": "uia351.api.localhost", + "server.domain": "reprehe189.internal.home", "service.type": "fortinet", "source.ip": [ "10.134.137.177" 
@@ -225,97 +225,97 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "con" + "user.name": "orsitame" }, { "@timestamp": "2020-03-26T12:20:16.000Z", "destination.ip": [ - "10.131.115.96" + "10.70.0.60" ], - "destination.port": 1890, + "destination.port": 4982, "event.action": "deny", - "event.code": "https", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 26 10:20:16 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success", - "event.outcome": "Failure", + "event.original": "March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "aqui4726.mail.localhost", + "host.name": "rad2103.api.domain", "input.type": "log", - "log.offset": 1095, - "network.direction": "sit", - "network.protocol": "icmp", + "log.offset": 1122, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 654, + "process.pid": 6557, "related.ip": [ - "10.131.115.96", - "10.85.66.161" + "10.70.0.60", + "10.245.142.250" ], "related.user": [ - "onev" + "eos" ], - "rsa.counters.dclass_c1": 5509, + "rsa.counters.dclass_c1": 2638, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": 
"success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "aqui4726.mail.localhost" + "rad2103.api.domain" ], - "rsa.network.domain": "tenima1073.local", - "rsa.network.network_service": "https", + "rsa.network.domain": "enimad2283.internal.domain", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-03-26T12:20:16.000Z", - "server.domain": "tenima1073.local", + "server.domain": "enimad2283.internal.domain", "service.type": "fortinet", "source.ip": [ - "10.85.66.161" + "10.245.142.250" ], - "source.port": 2638, + "source.port": 5408, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "onev" + "user.name": "eos" }, { "@timestamp": "2020-04-09T19:22:51.000Z", "destination.ip": [ - "10.11.200.161" + "10.200.188.142" ], - "destination.port": 4665, + "destination.port": 7143, "event.action": "deny", - "event.code": "http", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 9 17:22:51 uatDuis2964.test proto=udp service=http status=deny src=10.183.202.41 dst=10.11.200.161 src_port=4470 dst_port=4665 server_app=inimve pid=4243 app_name=antium traff_direct=Cice block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", - "event.outcome": "Failure", + "event.original": "April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "uatDuis2964.test", + "host.name": "enim5316.www5.local", "input.type": "log", - "log.offset": 1355, - "network.direction": "Cice", - "network.protocol": "udp", + "log.offset": 1395, + "network.direction": "external", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 4243, + "process.pid": 2061, "related.ip": [ - "10.183.202.41", - "10.11.200.161" + "10.202.72.124", + "10.200.188.142" ], "related.user": [ "iusmodt" ], "rsa.counters.dclass_c1": 513, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", @@ -324,17 +324,17 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "uatDuis2964.test" + "enim5316.www5.local" ], "rsa.network.domain": "doloreeu3553.www5.home", - "rsa.network.network_service": "http", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-04-09T19:22:51.000Z", "server.domain": "doloreeu3553.www5.home", "service.type": "fortinet", "source.ip": [ - "10.183.202.41" + "10.202.72.124" ], - "source.port": 4470, + "source.port": 4665, "tags": [ "fortinet.clientendpoint", "forwarded" 
@@ -351,13 +351,13 @@ "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=nimadmin block_count=6499 logon_user=uam@temq1198.internal.example msg=success", - "event.outcome": "Failure", + "event.original": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "reetdolo2770.www5.local", "input.type": "log", - "log.offset": 1619, - "network.direction": "nimadmin", + "log.offset": 1669, + "network.direction": "outbound", "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", @@ -368,9 +368,9 @@ "10.12.44.169" ], "related.user": [ - "uam" + "erep" ], - "rsa.counters.dclass_c1": 6499, + "rsa.counters.dclass_c1": 6071, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", @@ -379,14 +379,14 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ "reetdolo2770.www5.local" ], - "rsa.network.domain": "temq1198.internal.example", + "rsa.network.domain": "iutal13.api.localdomain", "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-04-24T02:25:25.000Z", - "server.domain": "temq1198.internal.example", + "server.domain": "iutal13.api.localdomain", "service.type": "fortinet", "source.ip": [ "10.12.44.169" 
@@ -396,40 +396,40 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "uam" + "user.name": "erep" }, { "@timestamp": "2020-05-08T09:27:59.000Z", "destination.ip": [ - "10.233.127.83" + "10.198.136.50" ], - "destination.port": 3676, + "destination.port": 2089, "event.action": "deny", - "event.code": "pop3", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 8 07:27:59 ari1508.api.localdomain proto=tcp service=pop3 status=deny src=10.64.155.245 dst=10.233.127.83 src_port=4512 dst_port=3676 server_app=eataevit pid=3904 app_name=iam traff_direct=mqua block_count=3391 logon_user=olab@mquisnos5771.example msg=unknown", - "event.outcome": "Failure", + "event.original": "May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ari1508.api.localdomain", + "host.name": "isiu1114.internal.corp", "input.type": "log", - "log.offset": 1897, - "network.direction": "mqua", - "network.protocol": "tcp", + "log.offset": 1946, + "network.direction": "unknown", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3904, + "process.pid": 5037, "related.ip": [ - "10.64.155.245", - "10.233.127.83" + "10.66.108.11", + "10.198.136.50" ], "related.user": [ - "olab" + "uptatev" ], - "rsa.counters.dclass_c1": 3391, + "rsa.counters.dclass_c1": 3856, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -438,22 +438,22 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "ari1508.api.localdomain" + "isiu1114.internal.corp" ], - "rsa.network.domain": "mquisnos5771.example", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "uovol492.www.localhost", + "rsa.network.network_service": "http", "rsa.time.event_time": "2020-05-08T09:27:59.000Z", - "server.domain": "mquisnos5771.example", + "server.domain": "uovol492.www.localhost", "service.type": "fortinet", "source.ip": [ - "10.64.155.245" + "10.66.108.11" ], - "source.port": 4512, + "source.port": 6875, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "olab" + "user.name": "uptatev" }, { "@timestamp": "2020-05-22T16:30:33.000Z", @@ -465,13 +465,13 @@ "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=luptatem block_count=5812 logon_user=moll@tatione2046.home msg=unknown", - "event.outcome": "Failure", + "event.original": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "usmodte1296.www.corp", "input.type": "log", - "log.offset": 2161, - "network.direction": "luptatem", + "log.offset": 2213, + "network.direction": "unknown", "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
@@ -482,9 +482,9 @@ "10.69.20.77" ], "related.user": [ - "moll" + "umdolor" ], - "rsa.counters.dclass_c1": 5812, + "rsa.counters.dclass_c1": 5575, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", @@ -493,14 +493,14 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ "usmodte1296.www.corp" ], - "rsa.network.domain": "tatione2046.home", + "rsa.network.domain": "osquir6997.corp", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-05-22T16:30:33.000Z", - "server.domain": "tatione2046.home", + "server.domain": "osquir6997.corp", "service.type": "fortinet", "source.ip": [ "10.178.244.31" 
@@ -510,97 +510,97 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "moll" + "user.name": "umdolor" }, { "@timestamp": "2020-06-05T23:33:08.000Z", "destination.ip": [ - "10.10.65.154" + "10.203.5.162" ], - "destination.port": 7572, + "destination.port": 7290, "event.action": "deny", - "event.code": "smtp", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 5 21:33:08 turveli6399.host proto=ipv6 service=smtp status=deny src=10.197.5.210 dst=10.10.65.154 src_port=689 dst_port=7572 server_app=Ciceroi pid=3592 app_name=usan traff_direct=aper block_count=5529 logon_user=olo@uaera6620.www5.domain msg=unknown", - "event.outcome": "Failure", + "event.original": "June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "turveli6399.host", + "host.name": "tatno4987.www5.localhost", "input.type": "log", - "log.offset": 2428, - "network.direction": "aper", - "network.protocol": "ipv6", + "log.offset": 2481, + "network.direction": "unknown", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3592, + "process.pid": 6096, "related.ip": [ - "10.10.65.154", - "10.197.5.210" + "10.203.5.162", + "10.54.231.100" ], "related.user": [ - "olo" + "umdolore" ], - "rsa.counters.dclass_c1": 5529, + "rsa.counters.dclass_c1": 3162, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": 
"unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "turveli6399.host" + "tatno4987.www5.localhost" ], - "rsa.network.domain": "uaera6620.www5.domain", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "eniam7007.api.invalid", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-06-05T23:33:08.000Z", - "server.domain": "uaera6620.www5.domain", + "server.domain": "eniam7007.api.invalid", "service.type": "fortinet", "source.ip": [ - "10.197.5.210" + "10.54.231.100" ], - "source.port": 689, + "source.port": 5616, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "olo" + "user.name": "umdolore" }, { "@timestamp": "2020-06-20T06:35:42.000Z", "destination.ip": [ - "10.177.124.147" + "10.136.252.240" ], - "destination.port": 4173, + "destination.port": 4105, "event.action": "deny", - "event.code": "http", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 20 04:35:42 tquiinea7522.test proto=igmp service=http status=deny src=10.89.185.38 dst=10.177.124.147 src_port=6024 dst_port=4173 server_app=undeo pid=5794 app_name=labor traff_direct=atuse block_count=2703 logon_user=uis@idolore1057.www5.domain msg=failure", - "event.outcome": "Failure", + "event.original": "June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tquiinea7522.test", + "host.name": "tatno6787.internal.localhost", "input.type": "log", - "log.offset": 2684, - "network.direction": "atuse", - "network.protocol": "igmp", + "log.offset": 2751, + "network.direction": "outbound", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 5794, + "process.pid": 7307, "related.ip": [ - "10.177.124.147", - "10.89.185.38" + "10.136.252.240", + "10.65.83.160" ], "related.user": [ - "uis" + "ender" ], - "rsa.counters.dclass_c1": 2703, + "rsa.counters.dclass_c1": 7148, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -609,53 +609,53 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "tquiinea7522.test" + "tatno6787.internal.localhost" ], - "rsa.network.domain": "idolore1057.www5.domain", - "rsa.network.network_service": "http", + "rsa.network.domain": "snulapar3794.api.domain", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-06-20T06:35:42.000Z", - "server.domain": "idolore1057.www5.domain", + "server.domain": "snulapar3794.api.domain", "service.type": "fortinet", "source.ip": [ - "10.89.185.38" + "10.65.83.160" ], - "source.port": 6024, + "source.port": 3592, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "uis" + "user.name": "ender" }, { "@timestamp": "2020-07-04T13:38:16.000Z", "destination.ip": [ - "10.157.213.15" + "10.210.213.18" ], - "destination.port": 600, + "destination.port": 3970, "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 4 11:38:16 litessec3743.domain proto=ipv6-icmp service=http status=deny src=10.212.55.143 dst=10.157.213.15 src_port=3539 dst_port=600 server_app=liq pid=3480 app_name=ntutl traff_direct=caecatc block_count=2399 logon_user=nibus@edquiano6061.internal.invalid msg=failure", - "event.outcome": "Failure", + "event.original": "July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "litessec3743.domain", + "host.name": "essecill2595.mail.local", "input.type": "log", - "log.offset": 2947, - "network.direction": "caecatc", - "network.protocol": "ipv6-icmp", + "log.offset": 3031, + "network.direction": "internal", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 3480, + "process.pid": 2703, "related.ip": [ - "10.157.213.15", - "10.212.55.143" + "10.57.40.29", + "10.210.213.18" ], "related.user": [ - "nibus" + "onse" ], - "rsa.counters.dclass_c1": 2399, + "rsa.counters.dclass_c1": 6179, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", 
@@ -664,55 +664,55 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "litessec3743.domain" + "essecill2595.mail.local" ], - "rsa.network.domain": "edquiano6061.internal.invalid", + "rsa.network.domain": "liq5883.localdomain", "rsa.network.network_service": "http", "rsa.time.event_time": "2020-07-04T13:38:16.000Z", - "server.domain": "edquiano6061.internal.invalid", + "server.domain": "liq5883.localdomain", "service.type": "fortinet", "source.ip": [ - "10.212.55.143" + "10.57.40.29" ], - "source.port": 3539, + "source.port": 7616, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "nibus" + "user.name": "onse" }, { "@timestamp": "2019-07-18T20:40:50.000Z", "destination.ip": [ - "10.124.100.32" + "10.200.156.102" ], - "destination.port": 7699, + "destination.port": 6061, "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 18 18:40:50 ctetura4886.www5.lan proto=icmp service=smtp status=deny src=10.208.134.60 dst=10.124.100.32 src_port=7385 dst_port=7699 server_app=lupt pid=5376 app_name=remeum traff_direct=orain block_count=4111 logon_user=admi@modocons6461.api.home msg=failure", - "event.outcome": "Failure", + "event.original": "July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ctetura4886.www5.lan", + "host.name": "ali6446.localhost", "input.type": "log", - "log.offset": 3223, - "network.direction": "orain", - "network.protocol": "icmp", + "log.offset": 3294, + "network.direction": "outbound", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 5376, + "process.pid": 5166, "related.ip": [ - "10.124.100.32", - "10.208.134.60" + "10.144.82.69", + "10.200.156.102" ], "related.user": [ - "admi" + "rveli" ], - "rsa.counters.dclass_c1": 4111, + "rsa.counters.dclass_c1": 7041, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", 
@@ -721,112 +721,112 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "ctetura4886.www5.lan" + "ali6446.localhost" ], - "rsa.network.domain": "modocons6461.api.home", + "rsa.network.domain": "rsint7026.test", "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-07-18T20:40:50.000Z", - "server.domain": "modocons6461.api.home", + "server.domain": "rsint7026.test", "service.type": "fortinet", "source.ip": [ - "10.208.134.60" + "10.144.82.69" ], - "source.port": 7385, + "source.port": 2896, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "admi" + "user.name": "rveli" }, { "@timestamp": "2019-08-02T03:43:25.000Z", "destination.ip": [ - "10.55.77.49" + "10.72.58.135" ], - "destination.port": 4683, + "destination.port": 2382, "event.action": "deny", - "event.code": "http", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 2 01:43:25 urE6771.www5.example proto=udp service=http status=deny src=10.75.148.116 dst=10.55.77.49 src_port=3653 dst_port=4683 server_app=dtem pid=1577 app_name=des traff_direct=rehe block_count=2460 logon_user=tdolorem@ono4861.www5.test msg=success", - "event.outcome": "Failure", + "event.original": "August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "urE6771.www5.example", + "host.name": "torev7118.internal.domain", "input.type": "log", - "log.offset": 3488, - "network.direction": "rehe", - "network.protocol": "udp", + "log.offset": 3551, + "network.direction": "internal", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 1577, + "process.pid": 7668, "related.ip": [ - "10.55.77.49", - "10.75.148.116" + "10.109.232.112", + "10.72.58.135" ], "related.user": [ - "tdolorem" + "xea" ], - "rsa.counters.dclass_c1": 2460, + "rsa.counters.dclass_c1": 1112, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "urE6771.www5.example" + "torev7118.internal.domain" ], - "rsa.network.domain": "ono4861.www5.test", - "rsa.network.network_service": "http", + "rsa.network.domain": "qua2945.www.local", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-08-02T03:43:25.000Z", - "server.domain": "ono4861.www5.test", + "server.domain": "qua2945.www.local", "service.type": "fortinet", "source.ip": [ - "10.75.148.116" + "10.109.232.112" ], - "source.port": 3653, + "source.port": 5160, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "tdolorem" + "user.name": "xea" }, { "@timestamp": "2019-08-16T10:45:59.000Z", "destination.ip": [ - "10.21.92.218" + "10.72.29.73" ], - "destination.port": 5716, + "destination.port": 203, "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 16 08:45:59 sumquiad2872.api.domain proto=ggp service=http status=deny src=10.210.74.24 dst=10.21.92.218 src_port=4125 dst_port=5716 server_app=ommod pid=3671 app_name=inima traff_direct=tlabo block_count=6088 logon_user=nihi@Lor5841.internal.example msg=success", - "event.outcome": "Failure", + "event.original": "August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 
server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "sumquiad2872.api.domain", + "host.name": "dolore6103.www5.example", "input.type": "log", - "log.offset": 3747, - "network.direction": "tlabo", - "network.protocol": "ggp", + "log.offset": 3823, + "network.direction": "unknown", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3671, + "process.pid": 1044, "related.ip": [ - "10.210.74.24", - "10.21.92.218" + "10.38.22.45", + "10.72.29.73" ], "related.user": [ - "nihi" + "onproide" ], - "rsa.counters.dclass_c1": 6088, + "rsa.counters.dclass_c1": 4979, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", 
@@ -835,114 +835,114 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "sumquiad2872.api.domain" + "dolore6103.www5.example" ], - "rsa.network.domain": "Lor5841.internal.example", + "rsa.network.domain": "luptat6494.www.example", "rsa.network.network_service": "http", "rsa.time.event_time": "2019-08-16T10:45:59.000Z", - "server.domain": "Lor5841.internal.example", + "server.domain": "luptat6494.www.example", "service.type": "fortinet", "source.ip": [ - "10.210.74.24" + "10.38.22.45" ], - "source.port": 4125, + "source.port": 1493, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "nihi" + "user.name": "onproide" }, { "@timestamp": "2019-08-30T17:48:33.000Z", "destination.ip": [ - "10.84.105.75" + "10.76.72.111" ], - "destination.port": 98, + "destination.port": 7388, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 30 15:48:33 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=isnostru block_count=1559 logon_user=deFinibu@iadese6958.www5.local msg=unknown", - "event.outcome": "Failure", + "event.original": "August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "aperia4409.www5.invalid", + "host.name": "errorsi6996.www.domain", "input.type": "log", - "log.offset": 4017, - "network.direction": "isnostru", - "network.protocol": "rdp", + "log.offset": 4096, + "network.direction": "internal", + "network.protocol": 
"tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 499, + "process.pid": 7183, "related.ip": [ - "10.84.105.75", - "10.78.151.178" + "10.70.95.74", + "10.76.72.111" ], "related.user": [ - "deFinibu" + "ivelits" ], - "rsa.counters.dclass_c1": 1559, + "rsa.counters.dclass_c1": 2362, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "aperia4409.www5.invalid" + "errorsi6996.www.domain" ], - "rsa.network.domain": "iadese6958.www5.local", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "moenimi6317.internal.invalid", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-08-30T17:48:33.000Z", - "server.domain": "iadese6958.www5.local", + "server.domain": "moenimi6317.internal.invalid", "service.type": "fortinet", "source.ip": [ - "10.78.151.178" + "10.70.95.74" ], - "source.port": 1846, + "source.port": 6119, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "deFinibu" + "user.name": "ivelits" }, { "@timestamp": "2019-09-14T00:51:07.000Z", "destination.ip": [ - "10.76.229.163" + "10.73.69.75" ], - "destination.port": 6387, + "destination.port": 6218, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 13 22:51:07 tatn2376.www5.corp proto=ipv6-icmp service=ms-wbt-server status=deny src=10.47.241.218 dst=10.76.229.163 src_port=2890 dst_port=6387 server_app=CSed pid=2857 app_name=utlabore traff_direct=ecillu block_count=391 logon_user=mnisist@sedd3727.api.home msg=unknown", - "event.outcome": 
"Failure", + "event.original": "September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tatn2376.www5.corp", + "host.name": "lumquido5839.api.corp", "input.type": "log", - "log.offset": 4299, - "network.direction": "ecillu", - "network.protocol": "ipv6-icmp", + "log.offset": 4379, + "network.direction": "unknown", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2857, + "process.pid": 6907, "related.ip": [ - "10.76.229.163", - "10.47.241.218" + "10.19.201.13", + "10.73.69.75" ], "related.user": [ - "mnisist" + "tat" ], - "rsa.counters.dclass_c1": 391, + "rsa.counters.dclass_c1": 2655, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -951,55 +951,55 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "tatn2376.www5.corp" + "lumquido5839.api.corp" ], - "rsa.network.domain": "sedd3727.api.home", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "tion1761.home", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-09-14T00:51:07.000Z", - "server.domain": "sedd3727.api.home", + "server.domain": "tion1761.home", "service.type": "fortinet", "source.ip": [ - "10.47.241.218" + "10.19.201.13" ], - "source.port": 2890, + "source.port": 5006, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "mnisist" + "user.name": "tat" }, { "@timestamp": "2019-09-28T07:53:42.000Z", "destination.ip": [ - "10.104.134.200" + "10.84.105.75" ], - "destination.port": 2508, + "destination.port": 98, "event.action": "deny", - "event.code": "https", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 28 05:53:42 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=maccusa block_count=5126 logon_user=rQuisau@idex2012.localdomain msg=unknown", - "event.outcome": "Failure", + "event.original": "September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "eme6710.mail.invalid", + "host.name": "aperia4409.www5.invalid", "input.type": "log", - "log.offset": 4582, - "network.direction": "maccusa", + "log.offset": 4640, + "network.direction": "external", "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 6051, + "process.pid": 499, "related.ip": [ - "10.121.219.204", - "10.104.134.200" + "10.78.151.178", + "10.84.105.75" ], "related.user": [ - "rQuisau" + "iquaUten" ], - "rsa.counters.dclass_c1": 5126, + "rsa.counters.dclass_c1": 4085, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -1008,55 +1008,55 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "eme6710.mail.invalid" + "aperia4409.www5.invalid" ], - "rsa.network.domain": "idex2012.localdomain", - "rsa.network.network_service": "https", + "rsa.network.domain": "santium4235.api.local", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-09-28T07:53:42.000Z", - "server.domain": "idex2012.localdomain", + "server.domain": "santium4235.api.local", "service.type": "fortinet", "source.ip": [ - "10.121.219.204" + "10.78.151.178" ], - "source.port": 3611, + "source.port": 1846, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "rQuisau" + "user.name": "iquaUten" }, { "@timestamp": "2019-10-12T14:56:16.000Z", "destination.ip": [ - "10.252.122.195" + "10.25.192.202" ], - "destination.port": 2807, + "destination.port": 6462, "event.action": "deny", - "event.code": "smtp", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 12 12:56:16 uipe5643.api.home proto=rdp service=smtp status=deny src=10.118.80.140 dst=10.252.122.195 src_port=6003 dst_port=2807 server_app=ihilm pid=1669 app_name=saute traff_direct=ercit block_count=2385 logon_user=remagn@run3361.api.test msg=failure", - "event.outcome": "Failure", + "event.original": "October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "uipe5643.api.home", + "host.name": "tem2496.api.lan", "input.type": "log", - "log.offset": 4857, - "network.direction": "ercit", + "log.offset": 4925, + "network.direction": "internal", "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 1669, + "process.pid": 1531, "related.ip": [ - "10.118.80.140", - "10.252.122.195" + "10.25.192.202", + "10.135.233.146" ], "related.user": [ - "remagn" + "emeumfu" ], - "rsa.counters.dclass_c1": 2385, + "rsa.counters.dclass_c1": 4610, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -1065,55 +1065,55 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "uipe5643.api.home" + "tem2496.api.lan" ], - "rsa.network.domain": "run3361.api.test", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "CSed2857.www5.example", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-10-12T14:56:16.000Z", - "server.domain": "run3361.api.test", + "server.domain": "CSed2857.www5.example", "service.type": "fortinet", "source.ip": [ - "10.118.80.140" + "10.135.233.146" ], - "source.port": 6003, + "source.port": 4181, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "remagn" + "user.name": "emeumfu" }, { "@timestamp": "2019-10-26T21:58:50.000Z", "destination.ip": [ - "10.31.95.218" + "10.104.134.200" ], - "destination.port": 7042, + "destination.port": 2508, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 26 19:58:50 aturve2031.www5.test proto=rdp service=ms-wbt-server status=deny src=10.195.36.51 dst=10.31.95.218 src_port=2883 dst_port=7042 server_app=iadese pid=2374 app_name=ice traff_direct=estiae block_count=3750 logon_user=laborum@tionof7613.domain msg=failure", - "event.outcome": "Failure", + "event.original": "October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "aturve2031.www5.test", + "host.name": "eme6710.mail.invalid", "input.type": "log", - "log.offset": 5119, - "network.direction": "estiae", + "log.offset": 5204, + "network.direction": "outbound", "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 2374, + "process.pid": 6051, "related.ip": [ - "10.31.95.218", - "10.195.36.51" + "10.104.134.200", + "10.121.219.204" ], "related.user": [ - "laborum" + "uptat" ], - "rsa.counters.dclass_c1": 3750, + "rsa.counters.dclass_c1": 7084, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -1122,112 +1122,112 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "aturve2031.www5.test" + "eme6710.mail.invalid" ], - "rsa.network.domain": "tionof7613.domain", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "equep5085.mail.domain", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-10-26T21:58:50.000Z", - "server.domain": "tionof7613.domain", + "server.domain": "equep5085.mail.domain", "service.type": "fortinet", "source.ip": [ - "10.195.36.51" + "10.121.219.204" ], - "source.port": 2883, + "source.port": 3611, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "laborum" + "user.name": "uptat" }, { "@timestamp": "2019-11-10T05:01:24.000Z", "destination.ip": [ - "10.170.148.40" + "10.225.160.182" ], - "destination.port": 6371, + "destination.port": 4810, "event.action": "deny", - "event.code": "http", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 10 03:01:24 ationul2530.internal.example proto=ipv6-icmp service=http status=deny src=10.197.250.10 dst=10.170.148.40 src_port=261 dst_port=6371 server_app=dol pid=753 app_name=modocon traff_direct=que block_count=651 logon_user=rinrepre@etconse7424.internal.lan msg=failure", - "event.outcome": "Failure", + "event.original": "November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ationul2530.internal.example", + "host.name": "ihilm1669.mail.invalid", "input.type": "log", - "log.offset": 5392, - "network.direction": "que", - "network.protocol": "ipv6-icmp", + "log.offset": 5477, + "network.direction": "external", + "network.protocol": "tcp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 753, + "process.pid": 6994, "related.ip": [ - "10.170.148.40", - "10.197.250.10" + "10.191.105.82", + "10.225.160.182" ], "related.user": [ - "rinrepre" + "eirure" ], - "rsa.counters.dclass_c1": 651, + "rsa.counters.dclass_c1": 3936, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "ationul2530.internal.example" + "ihilm1669.mail.invalid" ], - "rsa.network.domain": "etconse7424.internal.lan", - "rsa.network.network_service": "http", + "rsa.network.domain": "conseq557.mail.lan", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-11-10T05:01:24.000Z", - "server.domain": "etconse7424.internal.lan", + "server.domain": "conseq557.mail.lan", "service.type": "fortinet", "source.ip": [ - "10.197.250.10" + "10.191.105.82" ], - "source.port": 261, + "source.port": 3361, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "rinrepre" + "user.name": "eirure" }, { "@timestamp": "2019-11-24T12:03:59.000Z", "destination.ip": [ - "10.233.171.118" + "10.161.57.8" ], - "destination.port": 7410, + "destination.port": 2716, "event.action": "deny", - "event.code": "https", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 24 10:03:59 quamnih5993.mail.corp proto=ipv6 service=https status=deny src=10.19.145.131 dst=10.233.171.118 src_port=4798 dst_port=7410 server_app=emoe pid=6540 app_name=atur traff_direct=itanimi block_count=2924 logon_user=modtemp@rehender2628.www5.localdomain msg=failure", - "event.outcome": "Failure", + "event.original": "November 24 10:03:59 
umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "quamnih5993.mail.corp", + "host.name": "umexerci1284.internal.localdomain", "input.type": "log", - "log.offset": 5676, - "network.direction": "itanimi", - "network.protocol": "ipv6", + "log.offset": 5751, + "network.direction": "inbound", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6540, + "process.pid": 5200, "related.ip": [ - "10.19.145.131", - "10.233.171.118" + "10.141.44.153", + "10.161.57.8" ], "related.user": [ - "modtemp" + "quisnos" ], - "rsa.counters.dclass_c1": 2924, + "rsa.counters.dclass_c1": 3333, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -1236,112 +1236,112 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "quamnih5993.mail.corp" + "umexerci1284.internal.localdomain" ], - "rsa.network.domain": "rehender2628.www5.localdomain", - "rsa.network.network_service": "https", + "rsa.network.domain": "ite2026.www.invalid", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-11-24T12:03:59.000Z", - "server.domain": "rehender2628.www5.localdomain", + "server.domain": "ite2026.www.invalid", "service.type": "fortinet", "source.ip": [ - "10.19.145.131" + "10.141.44.153" ], - "source.port": 4798, + "source.port": 3750, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "modtemp" + "user.name": "quisnos" }, { "@timestamp": "2019-12-08T19:06:33.000Z", "destination.ip": [ - "10.134.148.219" + "10.6.167.7" ], - "destination.port": 4430, + "destination.port": 2022, "event.action": "deny", - "event.code": "pop3", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 8 17:06:33 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=sectetur block_count=1713 logon_user=fugitse@veniamq1608.www.localdomain msg=unknown", - "event.outcome": "Failure", + "event.original": "December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "evita5008.www.localdomain", + "host.name": "adol485.example", "input.type": "log", - "log.offset": 5959, - "network.direction": "sectetur", - "network.protocol": "ggp", + "log.offset": 6034, + "network.direction": "internal", + "network.protocol": "udp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1835, + "process.pid": 3365, "related.ip": [ - "10.248.204.182", - "10.134.148.219" + "10.6.167.7", + "10.153.111.103" ], "related.user": [ - "fugitse" + "eumfug" ], - "rsa.counters.dclass_c1": 1713, + "rsa.counters.dclass_c1": 7424, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "evita5008.www.localdomain" + "adol485.example" ], - "rsa.network.domain": "veniamq1608.www.localdomain", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "lit5929.test", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-12-08T19:06:33.000Z", - "server.domain": "veniamq1608.www.localdomain", + "server.domain": "lit5929.test", "service.type": "fortinet", "source.ip": [ - "10.248.204.182" + "10.153.111.103" ], - "source.port": 1331, + "source.port": 4977, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "fugitse" + "user.name": "eumfug" }, { "@timestamp": "2019-12-23T02:09:07.000Z", "destination.ip": [ - "10.177.238.183" + "10.134.148.219" ], - "destination.port": 6458, + "destination.port": 4430, "event.action": "deny", - "event.code": "https", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 23 00:09:07 reseos556.internal.example proto=rdp service=https status=deny src=10.59.122.242 dst=10.177.238.183 src_port=4821 dst_port=6458 server_app=dolorem pid=5251 app_name=olor traff_direct=Neque block_count=4129 logon_user=xerc@iutali2138.www.localdomain msg=success", - "event.outcome": "Failure", + "event.original": "December 23 00:09:07 
evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "reseos556.internal.example", + "host.name": "evita5008.www.localdomain", "input.type": "log", - "log.offset": 6241, - "network.direction": "Neque", - "network.protocol": "rdp", + "log.offset": 6293, + "network.direction": "inbound", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5251, + "process.pid": 1835, "related.ip": [ - "10.177.238.183", - "10.59.122.242" + "10.248.204.182", + "10.134.148.219" ], "related.user": [ - "xerc" + "uioffi" ], - "rsa.counters.dclass_c1": 4129, + "rsa.counters.dclass_c1": 4168, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -1350,55 +1350,55 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "reseos556.internal.example" + "evita5008.www.localdomain" ], - "rsa.network.domain": "iutali2138.www.localdomain", - "rsa.network.network_service": "https", + "rsa.network.domain": "oru6938.invalid", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-12-23T02:09:07.000Z", - "server.domain": "iutali2138.www.localdomain", + "server.domain": "oru6938.invalid", "service.type": "fortinet", "source.ip": [ - "10.59.122.242" + "10.248.204.182" ], - "source.port": 4821, + "source.port": 1331, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "xerc" + "user.name": "uioffi" }, { "@timestamp": "2020-01-06T09:11:41.000Z", "destination.ip": [ - "10.10.27.73" + "10.163.5.243" ], - "destination.port": 2574, + "destination.port": 4129, "event.action": "deny", - "event.code": "http", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 6 07:11:41 radi1512.mail.example proto=rdp service=http status=deny src=10.74.33.75 dst=10.10.27.73 src_port=3410 dst_port=2574 server_app=liqui pid=6106 app_name=dolore traff_direct=amvolu block_count=766 logon_user=quaturve@sequa2851.home msg=success", - "event.outcome": "Failure", + "event.original": "January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "radi1512.mail.example", + "host.name": "tsedqu2456.www5.invalid", "input.type": "log", - "log.offset": 6523, - "network.direction": "amvolu", - "network.protocol": "rdp", + "log.offset": 6562, + "network.direction": "unknown", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": 
"Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6106, + "process.pid": 2019, "related.ip": [ - "10.10.27.73", - "10.74.33.75" + "10.163.5.243", + "10.178.77.231" ], "related.user": [ - "quaturve" + "liquide" ], - "rsa.counters.dclass_c1": 766, + "rsa.counters.dclass_c1": 1123, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -1407,250 +1407,250 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "radi1512.mail.example" + "tsedqu2456.www5.invalid" ], - "rsa.network.domain": "sequa2851.home", - "rsa.network.network_service": "http", + "rsa.network.domain": "etdol5473.local", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-01-06T09:11:41.000Z", - "server.domain": "sequa2851.home", + "server.domain": "etdol5473.local", "service.type": "fortinet", "source.ip": [ - "10.74.33.75" + "10.178.77.231" ], - "source.port": 3410, + "source.port": 5294, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "quaturve" + "user.name": "liquide" }, { "@timestamp": "2020-01-20T16:14:16.000Z", "destination.ip": [ - "10.32.239.1" + "10.221.89.228" ], - "destination.port": 3128, + "destination.port": 2447, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 20 14:14:16 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=nsect block_count=7400 logon_user=asia@econs4164.api.corp msg=unknown", - "event.outcome": "Failure", + "event.original": "January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "reme622.mail.example", + "host.name": "ris3314.mail.invalid", "input.type": "log", - "log.offset": 6784, - "network.direction": "nsect", - "network.protocol": "icmp", + "log.offset": 6831, + "network.direction": "outbound", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 3022, + "process.pid": 2493, "related.ip": [ - "10.241.65.49", - "10.32.239.1" + "10.177.194.18", + "10.221.89.228" ], "related.user": [ - "asia" + "aliquam" ], - "rsa.counters.dclass_c1": 7400, + "rsa.counters.dclass_c1": 1747, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "reme622.mail.example" + "ris3314.mail.invalid" ], - "rsa.network.domain": "econs4164.api.corp", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "nimid893.mail.corp", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-01-20T16:14:16.000Z", - "server.domain": "econs4164.api.corp", + "server.domain": "nimid893.mail.corp", "service.type": "fortinet", "source.ip": [ - "10.241.65.49" + "10.177.194.18" ], - "source.port": 3027, + "source.port": 766, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "asia" + "user.name": "aliquam" }, { "@timestamp": "2020-02-03T23:16:50.000Z", "destination.ip": [ - "10.14.36.202" + "10.32.239.1" ], - "destination.port": 6036, + "destination.port": 3128, "event.action": "deny", - "event.code": "pop3", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 3 21:16:50 tevelite245.mail.local proto=tcp service=pop3 status=deny src=10.167.85.181 dst=10.14.36.202 src_port=6409 dst_port=6036 server_app=numqua pid=1411 app_name=inculpa traff_direct=abo block_count=1637 logon_user=dtemp@aliquide3073.www5.domain msg=unknown", - "event.outcome": "Failure", + "event.original": "February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny 
src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tevelite245.mail.local", + "host.name": "reme622.mail.example", "input.type": "log", - "log.offset": 7056, - "network.direction": "abo", - "network.protocol": "tcp", + "log.offset": 7099, + "network.direction": "unknown", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1411, + "process.pid": 3022, "related.ip": [ - "10.167.85.181", - "10.14.36.202" + "10.32.239.1", + "10.241.65.49" ], "related.user": [ - "dtemp" + "idata" ], - "rsa.counters.dclass_c1": 1637, + "rsa.counters.dclass_c1": 3522, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "tevelite245.mail.local" + "reme622.mail.example" ], - "rsa.network.domain": "aliquide3073.www5.domain", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "rumwritt6003.host", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-02-03T23:16:50.000Z", - "server.domain": "aliquide3073.www5.domain", + "server.domain": "rumwritt6003.host", "service.type": "fortinet", "source.ip": [ - "10.167.85.181" + "10.241.65.49" ], - "source.port": 6409, + "source.port": 3027, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "dtemp" + "user.name": "idata" }, { "@timestamp": "2020-02-18T06:19:24.000Z", "destination.ip": [ - "10.164.39.248" + "10.101.57.120" ], - "destination.port": 5194, + 
"destination.port": 6501, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 18 04:19:24 uptatema6843.www.host proto=icmp service=ms-wbt-server status=deny src=10.104.64.94 dst=10.164.39.248 src_port=3221 dst_port=5194 server_app=sequam pid=3609 app_name=idex traff_direct=mfugiat block_count=3370 logon_user=dant@rroquis6074.api.host msg=unknown", - "event.outcome": "Failure", + "event.original": "February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "uptatema6843.www.host", + "host.name": "non3341.mail.invalid", "input.type": "log", - "log.offset": 7329, - "network.direction": "mfugiat", - "network.protocol": "icmp", + "log.offset": 7373, + "network.direction": "internal", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3609, + "process.pid": 2328, "related.ip": [ - "10.104.64.94", - "10.164.39.248" + "10.168.90.81", + "10.101.57.120" ], "related.user": [ - "dant" + "eporr" ], - "rsa.counters.dclass_c1": 3370, + "rsa.counters.dclass_c1": 5516, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "uptatema6843.www.host" + "non3341.mail.invalid" ], - "rsa.network.domain": "rroquis6074.api.host", - "rsa.network.network_service": 
"ms-wbt-server", + "rsa.network.domain": "xeacomm6855.api.corp", + "rsa.network.network_service": "http", "rsa.time.event_time": "2020-02-18T06:19:24.000Z", - "server.domain": "rroquis6074.api.host", + "server.domain": "xeacomm6855.api.corp", "service.type": "fortinet", "source.ip": [ - "10.104.64.94" + "10.168.90.81" ], - "source.port": 3221, + "source.port": 6866, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "dant" + "user.name": "eporr" }, { "@timestamp": "2020-03-04T13:21:59.000Z", "destination.ip": [ - "10.135.187.104" + "10.130.14.60" ], - "destination.port": 4708, + "destination.port": 2051, "event.action": "deny", - "event.code": "http", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 4 11:21:59 rem3420.mail.localhost proto=udp service=http status=deny src=10.208.14.185 dst=10.135.187.104 src_port=7557 dst_port=4708 server_app=siste pid=5919 app_name=riosamn traff_direct=ept block_count=1871 logon_user=rcitati@eni465.home msg=failure", - "event.outcome": "Failure", + "event.original": "March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "rem3420.mail.localhost", + "host.name": "ris727.api.local", "input.type": "log", - "log.offset": 7608, - "network.direction": "ept", - "network.protocol": "udp", + "log.offset": 7646, + "network.direction": "external", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5919, + "process.pid": 1156, "related.ip": [ - "10.135.187.104", - "10.208.14.185" + "10.14.211.43", + "10.130.14.60" ], "related.user": [ - "rcitati" + "litse" ], - 
"rsa.counters.dclass_c1": 1871, + "rsa.counters.dclass_c1": 7200, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "rem3420.mail.localhost" + "ris727.api.local" ], - "rsa.network.domain": "eni465.home", - "rsa.network.network_service": "http", + "rsa.network.domain": "icabo4125.mail.domain", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-03-04T13:21:59.000Z", - "server.domain": "eni465.home", + "server.domain": "icabo4125.mail.domain", "service.type": "fortinet", "source.ip": [ - "10.208.14.185" + "10.14.211.43" ], - "source.port": 7557, + "source.port": 4456, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "rcitati" + "user.name": "litse" }, { "@timestamp": "2020-03-18T20:24:33.000Z", 
@@ -1662,26 +1662,26 @@ "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=boree block_count=513 logon_user=nevo@ide2767.www5.local msg=failure", - "event.outcome": "Failure", + "event.original": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "stquido5705.api.host", "input.type": "log", - "log.offset": 7868, - "network.direction": "boree", + "log.offset": 7918, + "network.direction": "unknown", "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6003, "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "related.user": [ - "nevo" + "evolup" ], - "rsa.counters.dclass_c1": 513, + "rsa.counters.dclass_c1": 6437, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", @@ -1690,14 +1690,14 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ "stquido5705.api.host" ], - "rsa.network.domain": "ide2767.www5.local", + "rsa.network.domain": "ionofdeF5643.www.localhost", "rsa.network.network_service": "http", "rsa.time.event_time": "2020-03-18T20:24:33.000Z", - "server.domain": "ide2767.www5.local", + "server.domain": "ionofdeF5643.www.localhost", "service.type": "fortinet", "source.ip": [ "10.60.129.15" 
@@ -1707,38 +1707,38 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "nevo" + "user.name": "evolup" }, { "@timestamp": "2020-04-02T03:27:07.000Z", "destination.ip": [ - "10.145.26.181" + "10.111.187.12" ], - "destination.port": 6088, + "destination.port": 3994, "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 2 01:27:07 edquiac2646.www.invalid proto=ipv6-icmp service=https status=deny src=10.46.49.26 dst=10.145.26.181 src_port=634 dst_port=6088 server_app=autf pid=3471 app_name=temquiav traff_direct=equatu block_count=1399 logon_user=cons@sBon1759.invalid msg=success", - "event.outcome": "Failure", + "event.original": "April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "edquiac2646.www.invalid", + "host.name": "etcons7378.api.lan", "input.type": "log", - "log.offset": 8129, - "network.direction": "equatu", - "network.protocol": "ipv6-icmp", + "log.offset": 8192, + "network.direction": "inbound", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3471, + "process.pid": 5651, "related.ip": [ - "10.145.26.181", - "10.46.49.26" + "10.111.187.12", + "10.72.93.28" ], "related.user": [ - "cons" + "niamqui" ], - "rsa.counters.dclass_c1": 1399, + "rsa.counters.dclass_c1": 3427, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", 
@@ -1747,24 +1747,24 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "edquiac2646.www.invalid" + "etcons7378.api.lan" ], - "rsa.network.domain": "sBon1759.invalid", + "rsa.network.domain": "orem6702.invalid", "rsa.network.network_service": "https", "rsa.time.event_time": "2020-04-02T03:27:07.000Z", - "server.domain": "sBon1759.invalid", + "server.domain": "orem6702.invalid", "service.type": "fortinet", "source.ip": [ - "10.46.49.26" + "10.72.93.28" ], - "source.port": 634, + "source.port": 3577, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "cons" + "user.name": "niamqui" }, { "@timestamp": "2020-04-16T10:29:41.000Z", @@ -1776,13 +1776,13 @@ "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=antiu block_count=6129 logon_user=evolu@ersp3536.www5.lan msg=unknown", - "event.outcome": "Failure", + "event.original": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "vita2681.www5.local", "input.type": "log", - "log.offset": 8398, - "network.direction": "antiu", + "log.offset": 8450, + "network.direction": "outbound", "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
@@ -1793,9 +1793,9 @@ "10.66.2.232" ], "related.user": [ - "evolu" + "uirati" ], - "rsa.counters.dclass_c1": 6129, + "rsa.counters.dclass_c1": 6708, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", @@ -1808,10 +1808,10 @@ "rsa.network.alias_host": [ "vita2681.www5.local" ], - "rsa.network.domain": "ersp3536.www5.lan", + "rsa.network.domain": "oin6780.mail.domain", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-04-16T10:29:41.000Z", - "server.domain": "ersp3536.www5.lan", + "server.domain": "oin6780.mail.domain", "service.type": "fortinet", "source.ip": [ "10.27.14.168" 
@@ -1821,38 +1821,38 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "evolu" + "user.name": "uirati" }, { "@timestamp": "2020-04-30T17:32:16.000Z", "destination.ip": [ - "10.201.238.90" + "10.195.2.130" ], - "destination.port": 7130, + "destination.port": 202, "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 30 15:32:16 ntiumt699.corp proto=icmp service=ms-wbt-server status=deny src=10.151.58.196 dst=10.201.238.90 src_port=2715 dst_port=7130 server_app=pici pid=55 app_name=ccaecat traff_direct=tquiin block_count=7440 logon_user=temqu@ovol3674.www5.host msg=success", - "event.outcome": "Failure", + "event.original": "April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ntiumt699.corp", + "host.name": "tnulapa7592.www.local", "input.type": "log", - "log.offset": 8669, - "network.direction": "tquiin", - "network.protocol": "icmp", + "log.offset": 8727, + "network.direction": "internal", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 55, + "process.pid": 6932, "related.ip": [ - "10.201.238.90", - "10.151.58.196" + "10.75.99.127", + "10.195.2.130" ], "related.user": [ - "temqu" + "inibusB" ], - "rsa.counters.dclass_c1": 7440, + "rsa.counters.dclass_c1": 3828, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", 
@@ -1861,169 +1861,169 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "ntiumt699.corp" + "tnulapa7592.www.local" ], - "rsa.network.domain": "ovol3674.www5.host", + "rsa.network.domain": "eprehen3224.www5.localdomain", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-04-30T17:32:16.000Z", - "server.domain": "ovol3674.www5.host", + "server.domain": "eprehen3224.www5.localdomain", "service.type": "fortinet", "source.ip": [ - "10.151.58.196" + "10.75.99.127" ], - "source.port": 2715, + "source.port": 1766, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "temqu" + "user.name": "inibusB" }, { "@timestamp": "2020-05-15T00:34:50.000Z", "destination.ip": [ - "10.105.91.31" + "10.245.104.182" ], - "destination.port": 5987, + "destination.port": 55, "event.action": "deny", - "event.code": "http", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 14 22:34:50 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=ven block_count=660 logon_user=siutali@amnih2718.internal.example msg=failure", - "event.outcome": "Failure", + "event.original": "May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tanimid3337.mail.corp", + "host.name": "lup2134.www.localhost", "input.type": "log", - "log.offset": 8936, - "network.direction": "ven", - "network.protocol": "ipv6-icmp", + "log.offset": 9015, + "network.direction": "outbound", + "network.protocol": "ipv6", 
"observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 853, + "process.pid": 6945, "related.ip": [ - "10.105.91.31", - "10.217.150.196" + "10.201.238.90", + "10.245.104.182" ], "related.user": [ - "siutali" + "ovol" ], - "rsa.counters.dclass_c1": 660, + "rsa.counters.dclass_c1": 4198, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "tanimid3337.mail.corp" + "lup2134.www.localhost" ], - "rsa.network.domain": "amnih2718.internal.example", - "rsa.network.network_service": "http", + "rsa.network.domain": "ptasn6599.www.localhost", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-05-15T00:34:50.000Z", - "server.domain": "amnih2718.internal.example", + "server.domain": "ptasn6599.www.localhost", "service.type": "fortinet", "source.ip": [ - "10.217.150.196" + "10.201.238.90" ], - "source.port": 2056, + "source.port": 3759, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "siutali" + "user.name": "ovol" }, { "@timestamp": "2020-05-29T07:37:24.000Z", "destination.ip": [ - "10.226.83.168" + "10.105.91.31" ], - "destination.port": 4153, + "destination.port": 5987, "event.action": "deny", - "event.code": "https", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 29 05:37:24 laudant6813.mail.home proto=icmp service=https status=deny src=10.184.18.202 dst=10.226.83.168 src_port=5780 dst_port=4153 server_app=molli pid=4306 app_name=aturauto traff_direct=eturadi block_count=2512 logon_user=borios@rsitvolu3751.mail.lan msg=success", - "event.outcome": "Failure", + "event.original": "May 29 05:37:24 
tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "laudant6813.mail.home", + "host.name": "tanimid3337.mail.corp", "input.type": "log", - "log.offset": 9214, - "network.direction": "eturadi", - "network.protocol": "icmp", + "log.offset": 9287, + "network.direction": "external", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4306, + "process.pid": 853, "related.ip": [ - "10.184.18.202", - "10.226.83.168" + "10.105.91.31", + "10.217.150.196" ], "related.user": [ - "borios" + "con" ], - "rsa.counters.dclass_c1": 2512, + "rsa.counters.dclass_c1": 4444, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "laudant6813.mail.home" + "tanimid3337.mail.corp" ], - "rsa.network.domain": "rsitvolu3751.mail.lan", - "rsa.network.network_service": "https", + "rsa.network.domain": "nisist2752.home", + "rsa.network.network_service": "http", "rsa.time.event_time": "2020-05-29T07:37:24.000Z", - "server.domain": "rsitvolu3751.mail.lan", + "server.domain": "nisist2752.home", "service.type": "fortinet", "source.ip": [ - "10.184.18.202" + "10.217.150.196" ], - "source.port": 5780, + "source.port": 2056, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "borios" + "user.name": "con" }, { "@timestamp": "2020-06-12T14:39:58.000Z", "destination.ip": [ - "10.113.95.59" + 
"10.184.18.202" ], - "destination.port": 4367, + "destination.port": 205, "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 12 12:39:58 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=luptate block_count=2612 logon_user=atisun@esci7741.www.host msg=success", - "event.outcome": "Failure", + "event.original": "June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "mquelau5326.mail.lan", + "host.name": "eumiu765.api.lan", "input.type": "log", - "log.offset": 9487, - "network.direction": "luptate", - "network.protocol": "icmp", + "log.offset": 9556, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1693, + "process.pid": 4153, "related.ip": [ - "10.113.95.59", - "10.255.39.252" + "10.184.18.202", + "10.4.157.1" ], "related.user": [ - "atisun" + "oditem" ], - "rsa.counters.dclass_c1": 2612, + "rsa.counters.dclass_c1": 725, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", 
@@ -2032,55 +2032,55 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "mquelau5326.mail.lan" + "eumiu765.api.lan" ], - "rsa.network.domain": "esci7741.www.host", + "rsa.network.domain": "gitsedqu2649.mail.lan", "rsa.network.network_service": "https", "rsa.time.event_time": "2020-06-12T14:39:58.000Z", - "server.domain": "esci7741.www.host", + "server.domain": "gitsedqu2649.mail.lan", "service.type": "fortinet", "source.ip": [ - "10.255.39.252" + "10.4.157.1" ], - "source.port": 863, + "source.port": 52, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "atisun" + "user.name": "oditem" }, { "@timestamp": "2020-06-26T21:42:33.000Z", "destination.ip": [ - "10.43.226.231" + "10.113.95.59" ], - "destination.port": 2778, + "destination.port": 4367, "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 26 19:42:33 nturma18.internal.example proto=icmp service=https status=deny src=10.173.136.186 dst=10.43.226.231 src_port=7222 dst_port=2778 server_app=isnostr pid=829 app_name=ciadeser traff_direct=emquia block_count=1497 logon_user=uscipitl@uia5567.mail.lan msg=success", - "event.outcome": "Failure", + "event.original": "June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "nturma18.internal.example", + "host.name": "mquelau5326.mail.lan", "input.type": "log", - "log.offset": 9754, - "network.direction": "emquia", + "log.offset": 9824, + "network.direction": "internal", "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - 
"process.pid": 829, + "process.pid": 1693, "related.ip": [ - "10.173.136.186", - "10.43.226.231" + "10.255.39.252", + "10.113.95.59" ], "related.user": [ - "uscipitl" + "persp" ], - "rsa.counters.dclass_c1": 1497, + "rsa.counters.dclass_c1": 3147, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", 
@@ -2091,167 +2091,167 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "nturma18.internal.example" + "mquelau5326.mail.lan" ], - "rsa.network.domain": "uia5567.mail.lan", + "rsa.network.domain": "entsunt3962.www.example", "rsa.network.network_service": "https", "rsa.time.event_time": "2020-06-26T21:42:33.000Z", - "server.domain": "uia5567.mail.lan", + "server.domain": "entsunt3962.www.example", "service.type": "fortinet", "source.ip": [ - "10.173.136.186" + "10.255.39.252" ], - "source.port": 7222, + "source.port": 863, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "uscipitl" + "user.name": "persp" }, { "@timestamp": "2019-07-11T04:45:07.000Z", "destination.ip": [ - "10.54.37.86" + "10.83.177.2" ], - "destination.port": 5089, + "destination.port": 1827, "event.action": "deny", - "event.code": "pop3", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 11 02:45:07 uisa5736.internal.local proto=udp service=pop3 status=deny src=10.58.64.108 dst=10.54.37.86 src_port=1540 dst_port=5089 server_app=commodo pid=6867 app_name=tutlab traff_direct=sau block_count=1865 logon_user=dolorsit@sau4293.www.corp msg=unknown", - "event.outcome": "Failure", + "event.original": "July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "uisa5736.internal.local", + "host.name": "idestlab2631.www.lan", "input.type": "log", - "log.offset": 10030, - "network.direction": "sau", - "network.protocol": "udp", + "log.offset": 10097, + "network.direction": "internal", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6867, + 
"process.pid": 337, "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.83.177.2", + "10.27.16.118" ], "related.user": [ - "dolorsit" + "borios" ], - "rsa.counters.dclass_c1": 1865, + "rsa.counters.dclass_c1": 1300, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "uisa5736.internal.local" + "idestlab2631.www.lan" ], - "rsa.network.domain": "sau4293.www.corp", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "tut2703.www.host", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-07-11T04:45:07.000Z", - "server.domain": "sau4293.www.corp", + "server.domain": "tut2703.www.host", "service.type": "fortinet", "source.ip": [ - "10.58.64.108" + "10.27.16.118" ], - "source.port": 1540, + "source.port": 18, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "dolorsit" + "user.name": "borios" }, { "@timestamp": "2019-07-25T11:47:41.000Z", "destination.ip": [ - "10.159.119.34" + "10.167.227.44" ], - "destination.port": 6197, + "destination.port": 5736, "event.action": "deny", - "event.code": "https", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 25 09:47:41 uptate2244.api.lan proto=ipv6-icmp service=https status=deny src=10.205.228.138 dst=10.159.119.34 src_port=3854 dst_port=6197 server_app=tsed pid=7536 app_name=ameiusm traff_direct=proide block_count=3714 logon_user=aquae@boreetdo7005.www5.home msg=unknown", - "event.outcome": "Failure", + "event.original": "July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its 
traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "uptate2244.api.lan", + "host.name": "inesci6789.test", "input.type": "log", - "log.offset": 10294, - "network.direction": "proide", - "network.protocol": "ipv6-icmp", + "log.offset": 10353, + "network.direction": "outbound", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7536, + "process.pid": 7041, "related.ip": [ - "10.159.119.34", - "10.205.228.138" + "10.38.54.72", + "10.167.227.44" ], "related.user": [ - "aquae" + "riamea" ], - "rsa.counters.dclass_c1": 3714, + "rsa.counters.dclass_c1": 7644, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "uptate2244.api.lan" + "inesci6789.test" ], - "rsa.network.domain": "boreetdo7005.www5.home", - "rsa.network.network_service": "https", + "rsa.network.domain": "entorev160.test", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-07-25T11:47:41.000Z", - "server.domain": "boreetdo7005.www5.home", + "server.domain": "entorev160.test", "service.type": "fortinet", "source.ip": [ - "10.205.228.138" + "10.38.54.72" ], - "source.port": 3854, + "source.port": 6595, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aquae" + "user.name": "riamea" }, { "@timestamp": "2019-08-08T18:50:15.000Z", "destination.ip": [ - "10.29.133.28" + "10.215.205.216" ], - "destination.port": 1085, + "destination.port": 647, "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - 
"event.original": "August 8 16:50:15 veli2530.www.host proto=ggp service=http status=deny src=10.163.93.20 dst=10.29.133.28 src_port=2382 dst_port=1085 server_app=umwrit pid=5433 app_name=eacommod traff_direct=ctetura block_count=2486 logon_user=tpersp@stla1871.www5.local msg=unknown", - "event.outcome": "Failure", + "event.original": "August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "veli2530.www.host", + "host.name": "ccaeca7077.internal.corp", "input.type": "log", - "log.offset": 10568, - "network.direction": "ctetura", - "network.protocol": "ggp", + "log.offset": 10608, + "network.direction": "external", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5433, + "process.pid": 3854, "related.ip": [ - "10.163.93.20", - "10.29.133.28" + "10.216.54.184", + "10.215.205.216" ], "related.user": [ - "tpersp" + "ameiusm" ], - "rsa.counters.dclass_c1": 2486, + "rsa.counters.dclass_c1": 7536, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", 
@@ -2262,112 +2262,112 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "veli2530.www.host" + "ccaeca7077.internal.corp" ], - "rsa.network.domain": "stla1871.www5.local", + "rsa.network.domain": "proide3714.mail.localdomain", "rsa.network.network_service": "http", "rsa.time.event_time": "2019-08-08T18:50:15.000Z", - "server.domain": "stla1871.www5.local", + "server.domain": "proide3714.mail.localdomain", "service.type": "fortinet", "source.ip": [ - "10.163.93.20" + "10.216.54.184" ], - "source.port": 2382, + "source.port": 1495, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "tpersp" + "user.name": "ameiusm" }, { "@timestamp": "2019-08-23T01:52:50.000Z", "destination.ip": [ - "10.50.0.61" + "10.9.18.237" ], - "destination.port": 5905, + "destination.port": 2486, "event.action": "deny", - "event.code": "pop3", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 22 23:52:50 tiaec5551.www.local proto=rdp service=pop3 status=deny src=10.113.30.163 dst=10.50.0.61 src_port=6110 dst_port=5905 server_app=itla pid=658 app_name=vitaedi traff_direct=lorsita block_count=2019 logon_user=dolore@onsecte587.localdomain msg=unknown", - "event.outcome": "Failure", + "event.original": "August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tiaec5551.www.local", + "host.name": "ima2031.api.corp", "input.type": "log", - "log.offset": 10834, - "network.direction": "lorsita", - "network.protocol": "rdp", + "log.offset": 10891, + "network.direction": "internal", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - 
"process.pid": 658, + "process.pid": 55, "related.ip": [ - "10.50.0.61", - "10.113.30.163" + "10.9.18.237", + "10.9.12.248" ], "related.user": [ - "dolore" + "uradi" ], - "rsa.counters.dclass_c1": 2019, + "rsa.counters.dclass_c1": 6379, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "tiaec5551.www.local" + "ima2031.api.corp" ], - "rsa.network.domain": "onsecte587.localdomain", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "tot5313.mail.invalid", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-08-23T01:52:50.000Z", - "server.domain": "onsecte587.localdomain", + "server.domain": "tot5313.mail.invalid", "service.type": "fortinet", "source.ip": [ - "10.113.30.163" + "10.9.12.248" ], - "source.port": 6110, + "source.port": 765, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "dolore" + "user.name": "uradi" }, { "@timestamp": "2019-09-06T08:55:24.000Z", "destination.ip": [ - "10.30.47.165" + "10.41.123.102" ], - "destination.port": 3801, + "destination.port": 2300, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 6 06:55:24 ate7247.www5.local proto=ggp service=ms-wbt-server status=deny src=10.39.145.136 dst=10.30.47.165 src_port=631 dst_port=3801 server_app=ulapar pid=6827 app_name=etdo traff_direct=par block_count=992 logon_user=invo@hit3912.www5.localhost msg=unknown", - "event.outcome": "Failure", + "event.original": "September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 
server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ate7247.www5.local", + "host.name": "ian867.internal.corp", "input.type": "log", - "log.offset": 11101, - "network.direction": "par", - "network.protocol": "ggp", + "log.offset": 11153, + "network.direction": "external", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6827, + "process.pid": 228, "related.ip": [ - "10.30.47.165", - "10.39.145.136" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ - "invo" + "tenim" ], - "rsa.counters.dclass_c1": 992, + "rsa.counters.dclass_c1": 7661, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -2376,112 +2376,112 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "ate7247.www5.local" + "ian867.internal.corp" ], - "rsa.network.domain": "hit3912.www5.localhost", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "rumet3801.internal.domain", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-09-06T08:55:24.000Z", - "server.domain": "hit3912.www5.localhost", + "server.domain": "rumet3801.internal.domain", "service.type": "fortinet", "source.ip": [ - "10.39.145.136" + "10.83.130.226" ], - "source.port": 631, + "source.port": 1542, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "invo" + "user.name": "tenim" }, { "@timestamp": "2019-09-20T15:57:58.000Z", "destination.ip": [ - "10.36.112.145" + "10.80.152.108" ], - "destination.port": 7122, + "destination.port": 2742, "event.action": "deny", - "event.code": "https", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 20 13:57:58 proiden887.mail.example proto=rdp service=https status=deny src=10.30.25.84 dst=10.36.112.145 src_port=238 dst_port=7122 server_app=dantium pid=246 app_name=teirured traff_direct=onemulla block_count=5608 logon_user=bor@rauto112.www.host msg=success", - "event.outcome": "Failure", + "event.original": "September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "proiden887.mail.example", + "host.name": "lorin4249.corp", "input.type": "log", - "log.offset": 11372, - "network.direction": "onemulla", - "network.protocol": "rdp", + "log.offset": 11432, + "network.direction": "outbound", + "network.protocol": "tcp", "observer.product": "FortiClient", 
"observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 246, + "process.pid": 4253, "related.ip": [ - "10.30.25.84", - "10.36.112.145" + "10.175.112.197", + "10.80.152.108" ], "related.user": [ - "bor" + "tametcon" ], - "rsa.counters.dclass_c1": 5608, + "rsa.counters.dclass_c1": 6984, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "proiden887.mail.example" + "lorin4249.corp" ], - "rsa.network.domain": "rauto112.www.host", - "rsa.network.network_service": "https", + "rsa.network.domain": "liqua2834.www5.lan", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-09-20T15:57:58.000Z", - "server.domain": "rauto112.www.host", + "server.domain": "liqua2834.www5.lan", "service.type": "fortinet", "source.ip": [ - "10.30.25.84" + "10.175.112.197" ], - "source.port": 238, + "source.port": 1749, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "bor" + "user.name": "tametcon" }, { "@timestamp": "2019-10-04T23:00:32.000Z", "destination.ip": [ - "10.162.114.217" + "10.142.25.100" ], - "destination.port": 7503, + "destination.port": 5770, "event.action": "deny", - "event.code": "pop3", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 4 21:00:32 osqui2751.api.home proto=tcp service=pop3 status=deny src=10.97.96.177 dst=10.162.114.217 src_port=1859 dst_port=7503 server_app=dun pid=1276 app_name=evitaed traff_direct=inimveni block_count=2826 logon_user=itse@umexerc5717.internal.host msg=failure", - "event.outcome": "Failure", + "event.original": "October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny 
src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "osqui2751.api.home", + "host.name": "gnaaliqu3935.api.test", "input.type": "log", - "log.offset": 11644, - "network.direction": "inimveni", - "network.protocol": "tcp", + "log.offset": 11701, + "network.direction": "internal", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1276, + "process.pid": 2200, "related.ip": [ - "10.97.96.177", - "10.162.114.217" + "10.134.18.114", + "10.142.25.100" ], "related.user": [ - "itse" + "osqui" ], - "rsa.counters.dclass_c1": 2826, + "rsa.counters.dclass_c1": 624, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -2490,112 +2490,112 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "osqui2751.api.home" + "gnaaliqu3935.api.test" ], - "rsa.network.domain": "umexerc5717.internal.host", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "sequat7273.api.host", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-10-04T23:00:32.000Z", - "server.domain": "umexerc5717.internal.host", + "server.domain": "sequat7273.api.host", "service.type": "fortinet", "source.ip": [ - "10.97.96.177" + "10.134.18.114" ], - "source.port": 1859, + "source.port": 2761, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "itse" + "user.name": "osqui" }, { "@timestamp": "2019-10-19T06:03:07.000Z", "destination.ip": [ - "10.140.7.83" + "10.223.119.218" ], - "destination.port": 3298, + "destination.port": 300, "event.action": "deny", - "event.code": "smtp", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 19 04:03:07 ccaeca5504.internal.example proto=tcp service=smtp status=deny src=10.229.71.175 dst=10.140.7.83 src_port=3856 dst_port=3298 server_app=olupt pid=2189 app_name=gna traff_direct=con block_count=4969 logon_user=eseru@quamest2520.localdomain msg=unknown", - "event.outcome": "Failure", + "event.original": "October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ccaeca5504.internal.example", + "host.name": "nsequat1859.internal.localhost", "input.type": "log", - "log.offset": 11915, - "network.direction": "con", - "network.protocol": "tcp", + "log.offset": 11966, + "network.direction": "internal", + "network.protocol": "udp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2189, + "process.pid": 5717, "related.ip": [ - "10.140.7.83", - "10.229.71.175" + "10.28.118.160", + "10.223.119.218" ], "related.user": [ - "eseru" + "ntsunt" ], - "rsa.counters.dclass_c1": 4969, + "rsa.counters.dclass_c1": 4387, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "ccaeca5504.internal.example" + "nsequat1859.internal.localhost" ], - "rsa.network.domain": "quamest2520.localdomain", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "uidol4575.localhost", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-10-19T06:03:07.000Z", - "server.domain": "quamest2520.localdomain", + "server.domain": "uidol4575.localhost", "service.type": "fortinet", "source.ip": [ - "10.229.71.175" + "10.28.118.160" ], - "source.port": 3856, + "source.port": 6247, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "eseru" + "user.name": "ntsunt" }, { "@timestamp": "2019-11-02T13:05:41.000Z", "destination.ip": [ - "10.149.13.76" + "10.47.28.48" ], - "destination.port": 2000, + "destination.port": 3032, "event.action": "deny", - "event.code": "pop3", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 2 11:05:41 mex2054.mail.corp proto=udp service=pop3 status=deny src=10.232.254.65 dst=10.149.13.76 src_port=7809 dst_port=2000 server_app=uisaute pid=1478 app_name=ritt traff_direct=iaeco block_count=7037 logon_user=itesseq@dictasun2399.internal.example msg=unknown", - "event.outcome": "Failure", + "event.original": "November 2 11:05:41 
ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "mex2054.mail.corp", + "host.name": "ritin2495.api.corp", "input.type": "log", - "log.offset": 12186, - "network.direction": "iaeco", - "network.protocol": "udp", + "log.offset": 12249, + "network.direction": "unknown", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1478, + "process.pid": 4469, "related.ip": [ - "10.232.254.65", - "10.149.13.76" + "10.110.114.175", + "10.47.28.48" ], "related.user": [ - "itesseq" + "plicab" ], - "rsa.counters.dclass_c1": 7037, + "rsa.counters.dclass_c1": 4488, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", @@ -2604,22 +2604,22 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "mex2054.mail.corp" + "ritin2495.api.corp" ], - "rsa.network.domain": "dictasun2399.internal.example", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "oremq2000.api.corp", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-11-02T13:05:41.000Z", - "server.domain": "dictasun2399.internal.example", + "server.domain": "oremq2000.api.corp", "service.type": "fortinet", "source.ip": [ - "10.232.254.65" + "10.110.114.175" ], - "source.port": 7809, + "source.port": 4986, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "itesseq" + "user.name": "plicab" }, { "@timestamp": "2019-11-16T20:08:15.000Z", 
@@ -2631,26 +2631,26 @@ "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=xeaco block_count=4762 logon_user=amcor@rcitat364.mail.lan msg=unknown", - "event.outcome": "Failure", + "event.original": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "tetur2694.mail.local", "input.type": "log", - "log.offset": 12461, - "network.direction": "xeaco", + "log.offset": 12516, + "network.direction": "external", "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5524, "related.ip": [ - "10.90.33.138", - "10.40.251.202" + "10.40.251.202", + "10.90.33.138" ], "related.user": [ - "amcor" + "nvolupt" ], - "rsa.counters.dclass_c1": 4762, + "rsa.counters.dclass_c1": 6847, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", @@ -2659,14 +2659,14 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ "tetur2694.mail.local" ], - "rsa.network.domain": "rcitat364.mail.lan", + "rsa.network.domain": "oremi1485.api.localhost", "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-11-16T20:08:15.000Z", - "server.domain": "rcitat364.mail.lan", + "server.domain": "oremi1485.api.localhost", "service.type": "fortinet", "source.ip": [ "10.40.251.202" 
@@ -2676,64 +2676,64 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "amcor" + "user.name": "nvolupt" }, { "@timestamp": "2019-12-01T03:10:49.000Z", "destination.ip": [ - "10.243.237.151" + "10.227.173.252" ], - "destination.port": 6296, + "destination.port": 5337, "event.action": "deny", - "event.code": "smtp", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 1 01:10:49 tur4900.www5.lan proto=icmp service=smtp status=deny src=10.98.194.212 dst=10.243.237.151 src_port=6941 dst_port=6296 server_app=issuscip pid=4003 app_name=dipisci traff_direct=spernatu block_count=5539 logon_user=eri@quunt2072.home msg=success", - "event.outcome": "Failure", + "event.original": "December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tur4900.www5.lan", + "host.name": "rem7043.localhost", "input.type": "log", - "log.offset": 12729, - "network.direction": "spernatu", - "network.protocol": "icmp", + "log.offset": 12794, + "network.direction": "external", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4003, + "process.pid": 3624, "related.ip": [ - "10.98.194.212", - "10.243.237.151" + "10.227.173.252", + "10.65.2.106" ], "related.user": [ - "eri" + "itation" ], - "rsa.counters.dclass_c1": 5539, + "rsa.counters.dclass_c1": 7576, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
"rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "tur4900.www5.lan" + "rem7043.localhost" ], - "rsa.network.domain": "quunt2072.home", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "sequatD5469.www5.lan", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-12-01T03:10:49.000Z", - "server.domain": "quunt2072.home", + "server.domain": "sequatD5469.www5.lan", "service.type": "fortinet", "source.ip": [ - "10.98.194.212" + "10.65.2.106" ], - "source.port": 6941, + "source.port": 5410, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "eri" + "user.name": "itation" }, { "@timestamp": "2019-12-15T10:13:24.000Z", @@ -2745,13 +2745,13 @@ "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=leumiu block_count=3030 logon_user=luptatem@uaeratv3432.invalid msg=failure", - "event.outcome": "Failure", + "event.original": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", "host.name": "emqu2846.internal.home", "input.type": "log", - "log.offset": 12994, - "network.direction": "leumiu", + "log.offset": 13075, + "network.direction": "inbound", "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
@@ -2762,9 +2762,9 @@ "10.193.233.229" ], "related.user": [ - "luptatem" + "tla" ], - "rsa.counters.dclass_c1": 3030, + "rsa.counters.dclass_c1": 3096, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", @@ -2773,14 +2773,14 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ "emqu2846.internal.home" ], - "rsa.network.domain": "uaeratv3432.invalid", + "rsa.network.domain": "item2738.test", "rsa.network.network_service": "https", "rsa.time.event_time": "2019-12-15T10:13:24.000Z", - "server.domain": "uaeratv3432.invalid", + "server.domain": "item2738.test", "service.type": "fortinet", "source.ip": [ "10.193.233.229" 
@@ -2790,38 +2790,38 @@ "fortinet.clientendpoint", "forwarded" ], - "user.name": "luptatem" + "user.name": "tla" }, { "@timestamp": "2019-12-29T17:15:58.000Z", "destination.ip": [ - "10.85.185.13" + "10.210.89.183" ], - "destination.port": 7793, + "destination.port": 2589, "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 29 15:15:58 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=maliquam block_count=2147 logon_user=atione@lores627.www.invalid msg=failure", - "event.outcome": "Failure", + "event.original": "December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "giatquov1918.internal.example", + "host.name": "dqu6144.api.localhost", "input.type": "log", - "log.offset": 13270, - "network.direction": "maliquam", - "network.protocol": "udp", + "log.offset": 13341, + "network.direction": "external", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7224, + "process.pid": 6248, "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.150.245.88", + "10.210.89.183" ], "related.user": [ - "atione" + "sequa" ], - "rsa.counters.dclass_c1": 2147, + "rsa.counters.dclass_c1": 2700, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", 
@@ -2830,55 +2830,55 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "giatquov1918.internal.example" + "dqu6144.api.localhost" ], - "rsa.network.domain": "lores627.www.invalid", + "rsa.network.domain": "iosamnis1047.internal.localdomain", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-12-29T17:15:58.000Z", - "server.domain": "lores627.www.invalid", + "server.domain": "iosamnis1047.internal.localdomain", "service.type": "fortinet", "source.ip": [ - "10.180.195.43" + "10.150.245.88" ], - "source.port": 4540, + "source.port": 3642, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "atione" + "user.name": "sequa" }, { "@timestamp": "2020-01-13T00:18:32.000Z", "destination.ip": [ - "10.201.237.233" + "10.85.185.13" ], - "destination.port": 3023, + "destination.port": 7793, "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 12 22:18:32 mmodoc4947.internal.test proto=ggp service=ms-wbt-server status=deny src=10.107.45.175 dst=10.201.237.233 src_port=4593 dst_port=3023 server_app=atise pid=3421 app_name=umetMalo traff_direct=oluptas block_count=6981 logon_user=aeconseq@lor4040.localhost msg=success", - "event.outcome": "Failure", + "event.original": "January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "mmodoc4947.internal.test", + "host.name": "giatquov1918.internal.example", "input.type": "log", - "log.offset": 13562, - "network.direction": "oluptas", - "network.protocol": "ggp", + "log.offset": 13637, + 
"network.direction": "outbound", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3421, + "process.pid": 7224, "related.ip": [ - "10.201.237.233", - "10.107.45.175" + "10.85.185.13", + "10.180.195.43" ], "related.user": [ - "aeconseq" + "voluptas" ], - "rsa.counters.dclass_c1": 6981, + "rsa.counters.dclass_c1": 1867, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", 
@@ -2887,112 +2887,112 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "mmodoc4947.internal.test" + "giatquov1918.internal.example" ], - "rsa.network.domain": "lor4040.localhost", + "rsa.network.domain": "orroq6677.internal.example", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-01-13T00:18:32.000Z", - "server.domain": "lor4040.localhost", + "server.domain": "orroq6677.internal.example", "service.type": "fortinet", "source.ip": [ - "10.107.45.175" + "10.180.195.43" ], - "source.port": 4593, + "source.port": 4540, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aeconseq" + "user.name": "voluptas" }, { "@timestamp": "2020-01-27T07:21:06.000Z", "destination.ip": [ - "10.196.206.130" + "10.210.28.247" ], - "destination.port": 1725, + "destination.port": 7257, "event.action": "deny", - "event.code": "smtp", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 27 05:21:06 itaedict7233.mail.localdomain proto=ipv6-icmp service=smtp status=deny src=10.239.80.120 dst=10.196.206.130 src_port=2741 dst_port=1725 server_app=its pid=7867 app_name=risnis traff_direct=uov block_count=3896 logon_user=isn@sBono898.localdomain msg=unknown", - "event.outcome": "Failure", + "event.original": "January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "itaedict7233.mail.localdomain", + "host.name": "estl5804.internal.local", "input.type": "log", - "log.offset": 13848, - "network.direction": "uov", - "network.protocol": "ipv6-icmp", + "log.offset": 13936, + "network.direction": 
"unknown", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7867, + "process.pid": 430, "related.ip": [ - "10.196.206.130", - "10.239.80.120" + "10.207.211.230", + "10.210.28.247" ], "related.user": [ - "isn" + "tate" ], - "rsa.counters.dclass_c1": 3896, + "rsa.counters.dclass_c1": 7672, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "itaedict7233.mail.localdomain" + "estl5804.internal.local" ], - "rsa.network.domain": "sBono898.localdomain", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "onevo4326.internal.local", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-01-27T07:21:06.000Z", - "server.domain": "sBono898.localdomain", + "server.domain": "onevo4326.internal.local", "service.type": "fortinet", "source.ip": [ - "10.239.80.120" + "10.207.211.230" ], - "source.port": 2741, + "source.port": 3449, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "isn" + "user.name": "tate" }, { "@timestamp": "2020-02-10T14:23:41.000Z", "destination.ip": [ - "10.47.24.77" + "10.248.165.185" ], - "destination.port": 1919, + "destination.port": 5460, "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 10 12:23:41 ore1441.home proto=ipv6 service=ms-wbt-server status=deny src=10.234.222.214 dst=10.47.24.77 src_port=4614 dst_port=1919 server_app=hil pid=6717 app_name=squ traff_direct=uiadol block_count=6068 logon_user=ntNeq@tate6291.mail.invalid msg=unknown", - "event.outcome": "Failure", + 
"event.original": "February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ore1441.home", + "host.name": "Sedut1775.www.domain", "input.type": "log", - "log.offset": 14126, - "network.direction": "uiadol", - "network.protocol": "ipv6", + "log.offset": 14222, + "network.direction": "external", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6717, + "process.pid": 3589, "related.ip": [ - "10.234.222.214", - "10.47.24.77" + "10.86.11.48", + "10.248.165.185" ], "related.user": [ - "ntNeq" + "dquiac" ], - "rsa.counters.dclass_c1": 6068, + "rsa.counters.dclass_c1": 4801, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", 
@@ -3003,53 +3003,53 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "ore1441.home" + "Sedut1775.www.domain" ], - "rsa.network.domain": "tate6291.mail.invalid", + "rsa.network.domain": "itaedict7233.mail.localdomain", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-02-10T14:23:41.000Z", - "server.domain": "tate6291.mail.invalid", + "server.domain": "itaedict7233.mail.localdomain", "service.type": "fortinet", "source.ip": [ - "10.234.222.214" + "10.86.11.48" ], - "source.port": 4614, + "source.port": 3436, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ntNeq" + "user.name": "dquiac" }, { "@timestamp": "2020-02-24T21:26:15.000Z", "destination.ip": [ - "10.139.127.232" + "10.47.125.38" ], - "destination.port": 1812, + "destination.port": 3896, "event.action": "deny", "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 24 19:26:15 onevo3446.www5.host proto=udp service=http status=deny src=10.202.7.89 dst=10.139.127.232 src_port=2179 dst_port=1812 server_app=quidolor pid=4116 app_name=agnaaliq traff_direct=tlaboree block_count=6412 logon_user=osquir@mod4104.api.localdomain msg=success", - "event.outcome": "Failure", + "event.original": "February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "onevo3446.www5.host", + "host.name": "mac7484.www5.test", "input.type": "log", - "log.offset": 14393, - "network.direction": "tlaboree", - "network.protocol": "udp", + "log.offset": 14513, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": 
"Fortinet", - "process.pid": 4116, + "process.pid": 4814, "related.ip": [ - "10.139.127.232", - "10.202.7.89" + "10.47.125.38", + "10.118.6.177" ], "related.user": [ - "osquir" + "quunt" ], - "rsa.counters.dclass_c1": 6412, + "rsa.counters.dclass_c1": 1844, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", 
@@ -3058,57 +3058,57 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "onevo3446.www5.host" + "mac7484.www5.test" ], - "rsa.network.domain": "mod4104.api.localdomain", + "rsa.network.domain": "numquam5869.internal.example", "rsa.network.network_service": "http", "rsa.time.event_time": "2020-02-24T21:26:15.000Z", - "server.domain": "mod4104.api.localdomain", + "server.domain": "numquam5869.internal.example", "service.type": "fortinet", "source.ip": [ - "10.202.7.89" + "10.118.6.177" ], - "source.port": 2179, + "source.port": 6977, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "osquir" + "user.name": "quunt" }, { "@timestamp": "2020-03-11T04:28:49.000Z", "destination.ip": [ - "10.40.35.49" + "10.60.142.127" ], - "destination.port": 3071, + "destination.port": 5112, "event.action": "deny", - "event.code": "smtp", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 11 02:28:49 lloin4019.www.localhost proto=igmp service=smtp status=deny src=10.130.241.232 dst=10.40.35.49 src_port=3112 dst_port=3071 server_app=edquian pid=3178 app_name=qua traff_direct=volupta block_count=3552 logon_user=aturQu@aaliq221.mail.localdomain msg=success", - "event.outcome": "Failure", + "event.original": "March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "lloin4019.www.localhost", + "host.name": "oin1140.mail.localhost", "input.type": "log", - "log.offset": 14672, - "network.direction": "volupta", - "network.protocol": "igmp", + "log.offset": 14789, + "network.direction": "outbound", + "network.protocol": "icmp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3178, + "process.pid": 276, "related.ip": [ - "10.130.241.232", - "10.40.35.49" + "10.60.142.127", + "10.50.233.155" ], "related.user": [ - "aturQu" + "atv" ], - "rsa.counters.dclass_c1": 3552, + "rsa.counters.dclass_c1": 2241, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -3117,112 +3117,112 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "lloin4019.www.localhost" + "oin1140.mail.localhost" ], - "rsa.network.domain": "aaliq221.mail.localdomain", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "onu6137.api.home", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-03-11T04:28:49.000Z", - "server.domain": "aaliq221.mail.localdomain", + "server.domain": "onu6137.api.home", "service.type": "fortinet", "source.ip": [ - "10.130.241.232" + "10.50.233.155" ], - "source.port": 3112, + "source.port": 1081, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aturQu" + "user.name": "atv" }, { "@timestamp": "2020-03-25T11:31:24.000Z", "destination.ip": [ - "10.167.252.183" + "10.120.10.211" ], - "destination.port": 5107, + "destination.port": 7661, "event.action": "deny", - "event.code": "pop3", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 25 09:31:24 iciad7874.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.157.196.101 dst=10.167.252.183 src_port=2003 dst_port=5107 server_app=dtempori pid=5735 app_name=caboNemo traff_direct=dexerc block_count=2302 logon_user=tatem@metcons6200.mail.corp msg=unknown", - "event.outcome": "Failure", + "event.original": "March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "iciad7874.localdomain", + "host.name": "naaliq3710.api.local", "input.type": "log", - "log.offset": 14948, - "network.direction": "dexerc", - "network.protocol": "ipv6-icmp", + "log.offset": 15054, + "network.direction": "internal", + "network.protocol": "rdp", "observer.product": "FortiClient", 
"observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5735, + "process.pid": 2452, "related.ip": [ - "10.157.196.101", - "10.167.252.183" + "10.120.10.211", + "10.28.82.189" ], "related.user": [ - "tatem" + "rcit" ], - "rsa.counters.dclass_c1": 2302, + "rsa.counters.dclass_c1": 7705, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "iciad7874.localdomain" + "naaliq3710.api.local" ], - "rsa.network.domain": "metcons6200.mail.corp", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "aecatcup2241.www5.test", + "rsa.network.network_service": "http", "rsa.time.event_time": "2020-03-25T11:31:24.000Z", - "server.domain": "metcons6200.mail.corp", + "server.domain": "aecatcup2241.www5.test", "service.type": "fortinet", "source.ip": [ - "10.157.196.101" + "10.28.82.189" ], - "source.port": 2003, + "source.port": 3916, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "tatem" + "user.name": "rcit" }, { "@timestamp": "2020-04-08T18:33:58.000Z", "destination.ip": [ - "10.46.56.204" + "10.6.38.163" ], - "destination.port": 5070, + "destination.port": 4059, "event.action": "deny", - "event.code": "smtp", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 8 16:33:58 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=quames block_count=3665 logon_user=esseq@aincidun2168.api.invalid msg=failure", - "event.outcome": "Failure", + "event.original": "April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 
status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "queips4947.mail.example", + "host.name": "volupta3552.internal.localhost", "input.type": "log", - "log.offset": 15230, - "network.direction": "quames", - "network.protocol": "udp", + "log.offset": 15318, + "network.direction": "inbound", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7079, + "process.pid": 3453, "related.ip": [ - "10.46.56.204", - "10.97.149.97" + "10.31.237.225", + "10.6.38.163" ], "related.user": [ - "esseq" + "olup" ], - "rsa.counters.dclass_c1": 3665, + "rsa.counters.dclass_c1": 2820, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -3231,112 +3231,112 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "queips4947.mail.example" + "volupta3552.internal.localhost" ], - "rsa.network.domain": "aincidun2168.api.invalid", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "labor6360.mail.local", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-04-08T18:33:58.000Z", - "server.domain": "aincidun2168.api.invalid", + "server.domain": "labor6360.mail.local", "service.type": "fortinet", "source.ip": [ - "10.97.149.97" + "10.31.237.225" ], - "source.port": 2463, + "source.port": 6153, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "esseq" + "user.name": "olup" }, { "@timestamp": "2020-04-23T01:36:32.000Z", "destination.ip": [ - "10.151.129.181" + "10.125.165.144" ], - "destination.port": 5773, + "destination.port": 7889, "event.action": "deny", - "event.code": "pop3", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 22 23:36:32 itq494.api.lan proto=ggp service=pop3 status=deny src=10.28.105.124 dst=10.151.129.181 src_port=3889 dst_port=5773 server_app=litsedq pid=5026 app_name=nder traff_direct=mdolore block_count=2604 logon_user=nesciun@saqu6897.mail.lan msg=failure", - "event.outcome": "Failure", + "event.original": "April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "itq494.api.lan", + "host.name": "onse380.internal.localdomain", "input.type": "log", - "log.offset": 15497, - "network.direction": "mdolore", + "log.offset": 15594, + "network.direction": "inbound", "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 5026, + "process.pid": 2302, "related.ip": [ - "10.151.129.181", - "10.28.105.124" + "10.226.5.189", + "10.125.165.144" ], "related.user": [ - "nesciun" + "mvolu" ], - "rsa.counters.dclass_c1": 2604, + "rsa.counters.dclass_c1": 5407, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "itq494.api.lan" + "onse380.internal.localdomain" ], - "rsa.network.domain": "saqu6897.mail.lan", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "mveleum4322.www5.host", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-04-23T01:36:32.000Z", - "server.domain": "saqu6897.mail.lan", + "server.domain": "mveleum4322.www5.host", "service.type": "fortinet", "source.ip": [ - "10.28.105.124" + "10.226.5.189" ], - "source.port": 3889, + "source.port": 3371, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "nesciun" + "user.name": "mvolu" }, { "@timestamp": "2020-05-07T08:39:06.000Z", "destination.ip": [ - "10.145.101.26" + "10.46.56.204" ], - "destination.port": 2559, + "destination.port": 5070, "event.action": "deny", - "event.code": "pop3", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 7 06:39:06 autfugi4010.internal.invalid proto=tcp service=pop3 status=deny src=10.128.63.143 dst=10.145.101.26 src_port=7596 dst_port=2559 server_app=oremquel pid=3992 app_name=modoc traff_direct=boNem block_count=5137 logon_user=ssusci@animid1644.www5.lan msg=unknown", - "event.outcome": "Failure", + "event.original": "May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 
dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "autfugi4010.internal.invalid", + "host.name": "queips4947.mail.example", "input.type": "log", - "log.offset": 15759, - "network.direction": "boNem", - "network.protocol": "tcp", + "log.offset": 15872, + "network.direction": "unknown", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3992, + "process.pid": 7079, "related.ip": [ - "10.145.101.26", - "10.128.63.143" + "10.97.149.97", + "10.46.56.204" ], "related.user": [ - "ssusci" + "dolorsit" ], - "rsa.counters.dclass_c1": 5137, + "rsa.counters.dclass_c1": 2441, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -3345,169 +3345,169 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "autfugi4010.internal.invalid" + "queips4947.mail.example" ], - "rsa.network.domain": "animid1644.www5.lan", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "archite1843.mail.home", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-05-07T08:39:06.000Z", - "server.domain": "animid1644.www5.lan", + "server.domain": "archite1843.mail.home", "service.type": "fortinet", "source.ip": [ - "10.128.63.143" + "10.97.149.97" ], - "source.port": 7596, + "source.port": 2463, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ssusci" + "user.name": "dolorsit" }, { "@timestamp": "2020-05-21T15:41:41.000Z", "destination.ip": [ - "10.62.229.89" + "10.28.105.124" ], - "destination.port": 5348, + "destination.port": 4797, "event.action": "deny", - "event.code": "pop3", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 21 13:41:41 roquisqu1205.api.domain proto=ipv6 service=pop3 status=deny src=10.2.244.159 dst=10.62.229.89 src_port=951 dst_port=5348 server_app=isnis pid=5140 app_name=olupta traff_direct=tsuntinc block_count=2159 logon_user=inBCSedu@erspi5757.local msg=failure", - "event.outcome": "Failure", + "event.original": "May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "roquisqu1205.api.domain", + "host.name": "oloreseo5039.test", "input.type": "log", - "log.offset": 16032, - "network.direction": "tsuntinc", - "network.protocol": "ipv6", + "log.offset": 16138, + "network.direction": "outbound", + "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": 
"Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5140, + "process.pid": 5773, "related.ip": [ - "10.2.244.159", - "10.62.229.89" + "10.28.105.124", + "10.218.0.197" ], "related.user": [ - "inBCSedu" + "ntNe" ], - "rsa.counters.dclass_c1": 2159, + "rsa.counters.dclass_c1": 5749, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "roquisqu1205.api.domain" + "oloreseo5039.test" ], - "rsa.network.domain": "erspi5757.local", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "itanim4024.api.example", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-05-21T15:41:41.000Z", - "server.domain": "erspi5757.local", + "server.domain": "itanim4024.api.example", "service.type": "fortinet", "source.ip": [ - "10.2.244.159" + "10.218.0.197" ], - "source.port": 951, + "source.port": 7581, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "inBCSedu" + "user.name": "ntNe" }, { "@timestamp": "2020-06-04T22:44:15.000Z", "destination.ip": [ - "10.54.83.119" + "10.17.87.79" ], - "destination.port": 338, + "destination.port": 3414, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 4 20:44:15 quaeab2653.mail.localdomain proto=rdp service=ms-wbt-server status=deny src=10.250.19.146 dst=10.54.83.119 src_port=5283 dst_port=338 server_app=natu pid=315 app_name=itat traff_direct=stlaboru block_count=7074 logon_user=radi@xeacom7662.www.test msg=failure", - "event.outcome": "Failure", + "event.original": "June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny 
src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "quaeab2653.mail.localdomain", + "host.name": "minim459.mail.local", "input.type": "log", - "log.offset": 16298, - "network.direction": "stlaboru", + "log.offset": 16405, + "network.direction": "outbound", "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 315, + "process.pid": 1586, "related.ip": [ - "10.54.83.119", - "10.250.19.146" + "10.17.87.79", + "10.123.199.198" ], "related.user": [ - "radi" + "ratvolu" ], - "rsa.counters.dclass_c1": 7074, + "rsa.counters.dclass_c1": 5006, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "quaeab2653.mail.localdomain" + "minim459.mail.local" ], - "rsa.network.domain": "xeacom7662.www.test", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "nreprehe715.api.home", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-06-04T22:44:15.000Z", - "server.domain": "xeacom7662.www.test", + "server.domain": "nreprehe715.api.home", "service.type": "fortinet", "source.ip": [ - "10.250.19.146" + "10.123.199.198" ], - "source.port": 5283, + "source.port": 6332, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "radi" + "user.name": "ratvolu" }, { "@timestamp": "2020-06-19T05:46:49.000Z", "destination.ip": [ - "10.1.96.93" + "10.115.68.40" ], - "destination.port": 428, + "destination.port": 5483, 
"event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 19 03:46:49 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=uptate block_count=1049 logon_user=snos@orsi7617.www5.corp msg=success", - "event.outcome": "Failure", + "event.original": "June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ptasnula6576.api.invalid", + "host.name": "eratv211.api.host", "input.type": "log", - "log.offset": 16573, - "network.direction": "uptate", - "network.protocol": "tcp", + "log.offset": 16672, + "network.direction": "internal", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5398, + "process.pid": 5137, "related.ip": [ - "10.1.96.93", - "10.54.73.158" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ - "snos" + "mpo" ], - "rsa.counters.dclass_c1": 1049, + "rsa.counters.dclass_c1": 2841, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -3516,53 +3516,53 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "ptasnula6576.api.invalid" + "eratv211.api.host" ], - "rsa.network.domain": "orsi7617.www5.corp", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "unte893.internal.host", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-06-19T05:46:49.000Z", - "server.domain": "orsi7617.www5.corp", + "server.domain": "unte893.internal.host", "service.type": "fortinet", "source.ip": [ - "10.54.73.158" + "10.38.86.177" ], - "source.port": 5752, + "source.port": 5768, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "snos" + "user.name": "mpo" }, { "@timestamp": "2020-07-03T12:49:23.000Z", "destination.ip": [ - "10.94.114.83" + "10.115.174.107" ], - "destination.port": 4803, + "destination.port": 5597, "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 3 10:49:23 msequ4308.api.localdomain proto=ipv6 service=https status=deny src=10.126.87.182 dst=10.94.114.83 src_port=1043 dst_port=4803 server_app=rumetMal pid=3411 app_name=atcupida traff_direct=tessequa block_count=291 logon_user=dolores@equamnih6028.localdomain msg=failure", - "event.outcome": "Failure", + "event.original": "July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "msequ4308.api.localdomain", + "host.name": "aparia1179.www.localdomain", "input.type": "log", - "log.offset": 16843, - "network.direction": "tessequa", - "network.protocol": "ipv6", + "log.offset": 16935, + "network.direction": "internal", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": 
"Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3411, + "process.pid": 5704, "related.ip": [ - "10.126.87.182", - "10.94.114.83" + "10.115.174.107", + "10.193.118.163" ], "related.user": [ - "dolores" + "exeacomm" ], - "rsa.counters.dclass_c1": 291, + "rsa.counters.dclass_c1": 10, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", 
@@ -3571,169 +3571,169 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "msequ4308.api.localdomain" + "aparia1179.www.localdomain" ], - "rsa.network.domain": "equamnih6028.localdomain", + "rsa.network.domain": "aspe951.mail.domain", "rsa.network.network_service": "https", "rsa.time.event_time": "2020-07-03T12:49:23.000Z", - "server.domain": "equamnih6028.localdomain", + "server.domain": "aspe951.mail.domain", "service.type": "fortinet", "source.ip": [ - "10.126.87.182" + "10.193.118.163" ], - "source.port": 1043, + "source.port": 548, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "dolores" + "user.name": "exeacomm" }, { "@timestamp": "2019-07-17T19:51:58.000Z", "destination.ip": [ - "10.38.28.151" + "10.77.77.208" ], - "destination.port": 347, + "destination.port": 1101, "event.action": "deny", - "event.code": "smtp", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 17 17:51:58 dolorema2984.www.home proto=ipv6 service=smtp status=deny src=10.206.165.83 dst=10.38.28.151 src_port=3736 dst_port=347 server_app=ratv pid=2649 app_name=ever traff_direct=tali block_count=2124 logon_user=erspi@iqu7509.api.corp msg=success", - "event.outcome": "Failure", + "event.original": "July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "dolorema2984.www.home", + "host.name": "iatqu6203.mail.corp", "input.type": "log", - "log.offset": 17126, - "network.direction": "tali", - "network.protocol": "ipv6", + "log.offset": 17210, + "network.direction": "external", + "network.protocol": "icmp", "observer.product": "FortiClient", 
"observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2649, + "process.pid": 2310, "related.ip": [ - "10.38.28.151", - "10.206.165.83" + "10.77.77.208", + "10.37.128.49" ], "related.user": [ - "erspi" + "moles" ], - "rsa.counters.dclass_c1": 2124, + "rsa.counters.dclass_c1": 2653, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "dolorema2984.www.home" + "iatqu6203.mail.corp" ], - "rsa.network.domain": "iqu7509.api.corp", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "dipiscin4957.www.home", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-07-17T19:51:58.000Z", - "server.domain": "iqu7509.api.corp", + "server.domain": "dipiscin4957.www.home", "service.type": "fortinet", "source.ip": [ - "10.206.165.83" + "10.37.128.49" ], - "source.port": 3736, + "source.port": 625, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "erspi" + "user.name": "moles" }, { "@timestamp": "2019-08-01T02:54:32.000Z", "destination.ip": [ - "10.77.229.168" + "10.1.96.93" ], - "destination.port": 3777, + "destination.port": 428, "event.action": "deny", - "event.code": "http", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 1 00:54:32 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=magnid block_count=3343 logon_user=ame@tesseq7693.localdomain msg=failure", - "event.outcome": "Failure", + "event.original": "August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny 
src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "fugits1163.host", + "host.name": "ptasnula6576.api.invalid", "input.type": "log", - "log.offset": 17383, - "network.direction": "magnid", - "network.protocol": "icmp", + "log.offset": 17477, + "network.direction": "internal", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6064, + "process.pid": 5398, "related.ip": [ - "10.77.229.168", - "10.181.247.224" + "10.1.96.93", + "10.54.73.158" ], "related.user": [ - "ame" + "lloinven" ], - "rsa.counters.dclass_c1": 3343, + "rsa.counters.dclass_c1": 4392, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "fugits1163.host" + "ptasnula6576.api.invalid" ], - "rsa.network.domain": "tesseq7693.localdomain", - "rsa.network.network_service": "http", + "rsa.network.domain": "econs2687.internal.localdomain", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-08-01T02:54:32.000Z", - "server.domain": "tesseq7693.localdomain", + "server.domain": "econs2687.internal.localdomain", "service.type": "fortinet", "source.ip": [ - "10.181.247.224" + "10.54.73.158" ], - "source.port": 260, + "source.port": 5752, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ame" + "user.name": "lloinven" }, { "@timestamp": "2019-08-15T09:57:06.000Z", "destination.ip": [ - "10.57.85.98" + "10.182.152.242" ], - 
"destination.port": 1444, + "destination.port": 6998, "event.action": "deny", "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 15 07:57:06 tdolore388.localdomain proto=igmp service=smtp status=deny src=10.42.252.243 dst=10.57.85.98 src_port=3286 dst_port=1444 server_app=oinv pid=5493 app_name=inrepr traff_direct=mol block_count=4145 logon_user=nisiu@imad4450.internal.example msg=unknown", - "event.outcome": "Failure", + "event.original": "August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tdolore388.localdomain", + "host.name": "mag1506.internal.domain", "input.type": "log", - "log.offset": 17646, - "network.direction": "mol", + "log.offset": 17766, + "network.direction": "inbound", "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5493, + "process.pid": 2465, "related.ip": [ - "10.42.252.243", - "10.57.85.98" + "10.182.152.242", + "10.131.126.109" ], "related.user": [ - "nisiu" + "dolor" ], - "rsa.counters.dclass_c1": 4145, + "rsa.counters.dclass_c1": 3208, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", 
@@ -3742,57 +3742,57 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "tdolore388.localdomain" + "mag1506.internal.domain" ], - "rsa.network.domain": "imad4450.internal.example", + "rsa.network.domain": "tiumto5834.api.lan", "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-08-15T09:57:06.000Z", - "server.domain": "imad4450.internal.example", + "server.domain": "tiumto5834.api.lan", "service.type": "fortinet", "source.ip": [ - "10.42.252.243" + "10.131.126.109" ], - "source.port": 3286, + "source.port": 1877, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "nisiu" + "user.name": "dolor" }, { "@timestamp": "2019-08-29T16:59:40.000Z", "destination.ip": [ - "10.193.66.155" + "10.77.229.168" ], - "destination.port": 4965, + "destination.port": 3777, "event.action": "deny", - "event.code": "https", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 29 14:59:40 olest5343.mail.corp proto=rdp service=https status=deny src=10.7.43.184 dst=10.193.66.155 src_port=7278 dst_port=4965 server_app=ame pid=2913 app_name=uid traff_direct=equaturv block_count=1129 logon_user=tobeatae@maccusa7248.www.home msg=failure", - "event.outcome": "Failure", + "event.original": "August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "olest5343.mail.corp", + "host.name": "fugits1163.host", "input.type": "log", - "log.offset": 17916, - "network.direction": "equaturv", - "network.protocol": "rdp", + "log.offset": 18041, + "network.direction": "external", + "network.protocol": "icmp", "observer.product": "FortiClient", 
"observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2913, + "process.pid": 6064, "related.ip": [ - "10.193.66.155", - "10.7.43.184" + "10.77.229.168", + "10.181.247.224" ], "related.user": [ - "tobeatae" + "adol" ], - "rsa.counters.dclass_c1": 1129, + "rsa.counters.dclass_c1": 329, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -3801,110 +3801,110 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "olest5343.mail.corp" + "fugits1163.host" ], - "rsa.network.domain": "maccusa7248.www.home", - "rsa.network.network_service": "https", + "rsa.network.domain": "iutal6032.www.test", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-08-29T16:59:40.000Z", - "server.domain": "maccusa7248.www.home", + "server.domain": "iutal6032.www.test", "service.type": "fortinet", "source.ip": [ - "10.7.43.184" + "10.181.247.224" ], - "source.port": 7278, + "source.port": 260, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "tobeatae" + "user.name": "adol" }, { "@timestamp": "2019-09-13T00:02:15.000Z", "destination.ip": [ - "10.81.234.34" + "10.72.162.6" ], - "destination.port": 1710, + "destination.port": 5516, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 12 22:02:15 uradi3827.mail.localhost proto=icmp service=ms-wbt-server status=deny src=10.196.96.162 dst=10.81.234.34 src_port=7349 dst_port=1710 server_app=aconse pid=1526 app_name=quameiu traff_direct=diduntu block_count=4798 logon_user=aliqui@ess3889.www5.localhost msg=failure", - "event.outcome": "Failure", + "event.original": "September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "uradi3827.mail.localhost", + "host.name": "gitse2463.www5.invalid", "input.type": "log", - "log.offset": 18182, - "network.direction": "diduntu", - "network.protocol": "icmp", + "log.offset": 18303, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1526, + "process.pid": 2861, "related.ip": [ - "10.81.234.34", - "10.196.96.162" + "10.72.162.6", + "10.235.116.121" ], "related.user": [ - "aliqui" + "oinv" ], - "rsa.counters.dclass_c1": 4798, + "rsa.counters.dclass_c1": 1444, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "uradi3827.mail.localhost" + "gitse2463.www5.invalid" ], - "rsa.network.domain": "ess3889.www5.localhost", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "inculp2078.host", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-09-13T00:02:15.000Z", - "server.domain": "ess3889.www5.localhost", + "server.domain": "inculp2078.host", "service.type": "fortinet", "source.ip": [ - "10.196.96.162" + "10.235.116.121" ], - "source.port": 7349, + "source.port": 1, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aliqui" + "user.name": "oinv" }, { "@timestamp": "2019-09-27T07:04:49.000Z", "destination.ip": [ - "10.77.78.180" + "10.28.124.236" ], - "destination.port": 5380, + "destination.port": 3434, "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 27 05:04:49 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=niamquis block_count=1471 logon_user=ptatems@runtmo438.invalid msg=failure", - "event.outcome": "Failure", + "event.original": "September 27 05:04:49 temse6953.www.example proto=ipv6-icmp 
service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "abor1370.www.domain", + "host.name": "temse6953.www.example", "input.type": "log", - "log.offset": 18472, - "network.direction": "niamquis", + "log.offset": 18572, + "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4984, + "process.pid": 3559, "related.ip": [ - "10.77.78.180", - "10.97.236.123" + "10.149.193.117", + "10.28.124.236" ], "related.user": [ - "ptatems" + "mullam" ], - "rsa.counters.dclass_c1": 1471, + "rsa.counters.dclass_c1": 3176, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", 
@@ -3915,55 +3915,55 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "abor1370.www.domain" + "temse6953.www.example" ], - "rsa.network.domain": "runtmo438.invalid", + "rsa.network.domain": "mexerc2757.internal.home", "rsa.network.network_service": "https", "rsa.time.event_time": "2019-09-27T07:04:49.000Z", - "server.domain": "runtmo438.invalid", + "server.domain": "mexerc2757.internal.home", "service.type": "fortinet", "source.ip": [ - "10.97.236.123" + "10.149.193.117" ], - "source.port": 5159, + "source.port": 5343, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ptatems" + "user.name": "mullam" }, { "@timestamp": "2019-10-11T14:07:23.000Z", "destination.ip": [ - "10.108.45.59" + "10.196.96.162" ], - "destination.port": 7229, + "destination.port": 6378, "event.action": "deny", - "event.code": "smtp", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 11 12:07:23 tas6029.lan proto=rdp service=smtp status=deny src=10.118.82.34 dst=10.108.45.59 src_port=5129 dst_port=7229 server_app=sBonorum pid=2162 app_name=aali traff_direct=edictasu block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", - "event.outcome": "Failure", + "event.original": "October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tas6029.lan", + "host.name": "deriti6952.mail.domain", "input.type": "log", - "log.offset": 18748, - "network.direction": "edictasu", - "network.protocol": "rdp", + "log.offset": 18860, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 2162, + "process.pid": 1710, "related.ip": [ - "10.108.45.59", - "10.118.82.34" + "10.196.96.162", + "10.34.131.224" ], "related.user": [ - "olorem" + "tnonproi" ], - "rsa.counters.dclass_c1": 5362, + "rsa.counters.dclass_c1": 7174, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -3972,169 +3972,169 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "tas6029.lan" + "deriti6952.mail.domain" ], - "rsa.network.domain": "sedquiac6517.internal.localhost", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "squira4455.api.domain", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-10-11T14:07:23.000Z", - "server.domain": "sedquiac6517.internal.localhost", + "server.domain": "squira4455.api.domain", "service.type": "fortinet", "source.ip": [ - "10.118.82.34" + "10.34.131.224" ], - "source.port": 5129, + "source.port": 649, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "olorem" + "user.name": "tnonproi" }, { "@timestamp": "2019-10-25T21:09:57.000Z", "destination.ip": [ - "10.170.252.219" + "10.77.78.180" ], - "destination.port": 2454, + "destination.port": 5380, "event.action": "deny", - "event.code": "pop3", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 25 19:09:57 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=cive block_count=2292 logon_user=orumSec@nisiuta905.www5.home msg=failure", - "event.outcome": "Failure", + "event.original": "October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "squirati7050.www5.lan", + "host.name": "abor1370.www.domain", "input.type": "log", - "log.offset": 19021, - "network.direction": "cive", - "network.protocol": "rdp", + "log.offset": 19144, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4020, + "process.pid": 4984, "related.ip": [ - "10.170.252.219", - "10.180.180.230" + "10.77.78.180", + "10.97.236.123" ], "related.user": [ - "orumSec" + "nisi" ], - "rsa.counters.dclass_c1": 2292, + "rsa.counters.dclass_c1": 4782, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "squirati7050.www5.lan" + "abor1370.www.domain" ], - "rsa.network.domain": "nisiuta905.www5.home", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "emveleum3661.localhost", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-10-25T21:09:57.000Z", - "server.domain": "nisiuta905.www5.home", + "server.domain": "emveleum3661.localhost", "service.type": "fortinet", "source.ip": [ - "10.180.180.230" + "10.97.236.123" ], - "source.port": 4147, + "source.port": 5159, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "orumSec" + "user.name": "nisi" }, { "@timestamp": "2019-11-09T04:12:32.000Z", "destination.ip": [ - "10.83.119.181" + "10.45.54.107" ], - "destination.port": 5693, + "destination.port": 3593, "event.action": "deny", - "event.code": "pop3", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 9 02:12:32 tiaecon5380.lan proto=udp service=pop3 status=deny src=10.123.74.66 dst=10.83.119.181 src_port=6984 dst_port=5693 server_app=lors pid=7553 app_name=nculpaq traff_direct=reseosqu block_count=1629 logon_user=ursin@utemvel5325.host msg=success", - "event.outcome": "Failure", + "event.original": "November 9 02:12:32 emullamc5418.mail.test 
proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tiaecon5380.lan", + "host.name": "emullamc5418.mail.test", "input.type": "log", - "log.offset": 19296, - "network.direction": "reseosqu", - "network.protocol": "udp", + "log.offset": 19419, + "network.direction": "unknown", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7553, + "process.pid": 3421, "related.ip": [ - "10.123.74.66", - "10.83.119.181" + "10.45.54.107", + "10.82.133.66" ], "related.user": [ - "ursin" + "olorem" ], - "rsa.counters.dclass_c1": 1629, + "rsa.counters.dclass_c1": 5362, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "tiaecon5380.lan" + "emullamc5418.mail.test" ], - "rsa.network.domain": "utemvel5325.host", - "rsa.network.network_service": "pop3", + "rsa.network.domain": "sedquiac6517.internal.localhost", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-11-09T04:12:32.000Z", - "server.domain": "utemvel5325.host", + "server.domain": "sedquiac6517.internal.localhost", "service.type": "fortinet", "source.ip": [ - "10.123.74.66" + "10.82.133.66" ], - "source.port": 6984, + "source.port": 7229, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ursin" + "user.name": "olorem" }, { "@timestamp": "2019-11-23T11:15:06.000Z", "destination.ip": [ - 
"10.141.143.56" + "10.170.252.219" ], - "destination.port": 2442, + "destination.port": 2454, "event.action": "deny", - "event.code": "smtp", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 23 09:15:06 iam7526.mail.test proto=icmp service=smtp status=deny src=10.225.255.211 dst=10.141.143.56 src_port=4076 dst_port=2442 server_app=eursinto pid=3628 app_name=tutla traff_direct=licaboNe block_count=5104 logon_user=aaliq@nat4367.www5.example msg=failure", - "event.outcome": "Failure", + "event.original": "November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "iam7526.mail.test", + "host.name": "squirati7050.www5.lan", "input.type": "log", - "log.offset": 19557, - "network.direction": "licaboNe", - "network.protocol": "icmp", + "log.offset": 19708, + "network.direction": "external", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3628, + "process.pid": 4020, "related.ip": [ - "10.141.143.56", - "10.225.255.211" + "10.170.252.219", + "10.180.180.230" ], "related.user": [ - "aaliq" + "nse" ], - "rsa.counters.dclass_c1": 5104, + "rsa.counters.dclass_c1": 7020, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -4143,169 +4143,169 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "iam7526.mail.test" + "squirati7050.www5.lan" ], - "rsa.network.domain": "nat4367.www5.example", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "veniam3148.www5.home", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-11-23T11:15:06.000Z", - "server.domain": "nat4367.www5.example", + "server.domain": "veniam3148.www5.home", "service.type": "fortinet", "source.ip": [ - "10.225.255.211" + "10.180.180.230" ], - "source.port": 4076, + "source.port": 4147, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aaliq" + "user.name": "nse" }, { "@timestamp": "2019-12-07T18:17:40.000Z", "destination.ip": [ - "10.219.1.151" + "10.65.144.51" ], - "destination.port": 4323, + "destination.port": 2283, "event.action": "deny", - "event.code": "smtp", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 7 16:17:40 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=itametc block_count=3006 logon_user=olup@remipsu2220.corp msg=success", - "event.outcome": "Failure", + "event.original": "December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "dolor7082.internal.localhost", + "host.name": "venia2079.mail.example", "input.type": "log", - "log.offset": 19830, - "network.direction": "itametc", - "network.protocol": "icmp", + "log.offset": 19984, + "network.direction": "outbound", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": 
"Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6311, + "process.pid": 617, "related.ip": [ - "10.219.1.151", - "10.250.81.189" + "10.5.11.205", + "10.65.144.51" ], "related.user": [ - "olup" + "uptat" ], - "rsa.counters.dclass_c1": 3006, + "rsa.counters.dclass_c1": 5050, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "dolor7082.internal.localhost" + "venia2079.mail.example" ], - "rsa.network.domain": "remipsu2220.corp", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "unt3559.www.home", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-12-07T18:17:40.000Z", - "server.domain": "remipsu2220.corp", + "server.domain": "unt3559.www.home", "service.type": "fortinet", "source.ip": [ - "10.250.81.189" + "10.5.11.205" ], - "source.port": 5404, + "source.port": 4901, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "olup" + "user.name": "uptat" }, { "@timestamp": "2019-12-22T01:20:14.000Z", "destination.ip": [ - "10.189.42.62" + "10.76.122.196" ], - "destination.port": 4262, + "destination.port": 5325, "event.action": "deny", - "event.code": "http", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 21 23:20:14 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=emp block_count=2563 logon_user=roquisq@temporai6835.www5.host msg=failure", - "event.outcome": "Failure", + "event.original": "December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 
dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "laborum5749.www.example", + "host.name": "snostrum3450.www5.localhost", "input.type": "log", - "log.offset": 20103, - "network.direction": "emp", - "network.protocol": "igmp", + "log.offset": 20247, + "network.direction": "external", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2780, + "process.pid": 487, "related.ip": [ - "10.189.42.62", - "10.36.110.69" + "10.76.122.196", + "10.195.223.82" ], "related.user": [ - "roquisq" + "umiurer" ], - "rsa.counters.dclass_c1": 2563, + "rsa.counters.dclass_c1": 593, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "laborum5749.www.example" + "snostrum3450.www5.localhost" ], - "rsa.network.domain": "temporai6835.www5.host", - "rsa.network.network_service": "http", + "rsa.network.domain": "rere5274.mail.domain", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-12-22T01:20:14.000Z", - "server.domain": "temporai6835.www5.host", + "server.domain": "rere5274.mail.domain", "service.type": "fortinet", "source.ip": [ - "10.36.110.69" + "10.195.223.82" ], - "source.port": 4187, + "source.port": 3128, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "roquisq" + "user.name": "umiurer" }, { "@timestamp": "2020-01-05T08:22:49.000Z", "destination.ip": [ - "10.202.132.214" + "10.225.255.211" ], - "destination.port": 3392, + 
"destination.port": 3369, "event.action": "deny", - "event.code": "https", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 5 06:22:49 urerepre1960.www5.localhost proto=ipv6-icmp service=https status=deny src=10.179.147.45 dst=10.202.132.214 src_port=2208 dst_port=3392 server_app=mmodoco pid=2581 app_name=rumexerc traff_direct=isiutali block_count=3575 logon_user=stquidol@Nemoenim1325.lan msg=failure", - "event.outcome": "Failure", + "event.original": "January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "urerepre1960.www5.localhost", + "host.name": "gelitsed3249.corp", "input.type": "log", - "log.offset": 20377, - "network.direction": "isiutali", - "network.protocol": "ipv6-icmp", + "log.offset": 20522, + "network.direction": "external", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2581, + "process.pid": 2442, "related.ip": [ - "10.179.147.45", - "10.202.132.214" + "10.225.255.211", + "10.138.210.116" ], "related.user": [ - "stquidol" + "fugiatn" ], - "rsa.counters.dclass_c1": 3575, + "rsa.counters.dclass_c1": 956, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -4314,112 +4314,112 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "urerepre1960.www5.localhost" + "gelitsed3249.corp" ], - "rsa.network.domain": "Nemoenim1325.lan", - "rsa.network.network_service": "https", + "rsa.network.domain": "uaeabi3728.www5.invalid", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-01-05T08:22:49.000Z", - "server.domain": "Nemoenim1325.lan", + "server.domain": "uaeabi3728.www5.invalid", "service.type": "fortinet", "source.ip": [ - "10.179.147.45" + "10.138.210.116" ], - "source.port": 2208, + "source.port": 5595, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "stquidol" + "user.name": "fugiatn" }, { "@timestamp": "2020-01-19T15:25:23.000Z", "destination.ip": [ - "10.169.98.165" + "10.219.1.151" ], - "destination.port": 6084, + "destination.port": 4323, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "January 19 13:25:23 evitae7333.www.lan proto=ggp service=ms-wbt-server status=deny src=10.51.221.217 dst=10.169.98.165 src_port=6833 dst_port=6084 server_app=saquaea pid=2280 app_name=rQuisaut traff_direct=quas block_count=3630 logon_user=metco@cillu7822.mail.localhost msg=success", - "event.outcome": "Failure", + "event.original": "January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "evitae7333.www.lan", + "host.name": "dolor7082.internal.localhost", "input.type": "log", - "log.offset": 20665, - "network.direction": "quas", - "network.protocol": "ggp", + "log.offset": 20805, + "network.direction": "external", + "network.protocol": "icmp", 
"observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2280, + "process.pid": 6311, "related.ip": [ - "10.51.221.217", - "10.169.98.165" + "10.219.1.151", + "10.250.81.189" ], "related.user": [ - "metco" + "ori" ], - "rsa.counters.dclass_c1": 3630, + "rsa.counters.dclass_c1": 3262, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "evitae7333.www.lan" + "dolor7082.internal.localhost" ], - "rsa.network.domain": "cillu7822.mail.localhost", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "uamqu2804.test", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-01-19T15:25:23.000Z", - "server.domain": "cillu7822.mail.localhost", + "server.domain": "uamqu2804.test", "service.type": "fortinet", "source.ip": [ - "10.51.221.217" + "10.250.81.189" ], - "source.port": 6833, + "source.port": 5404, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "metco" + "user.name": "ori" }, { "@timestamp": "2020-02-02T22:27:57.000Z", "destination.ip": [ - "10.85.104.146" + "10.76.125.70" ], - "destination.port": 4438, + "destination.port": 756, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 2 20:27:57 orp5697.www.invalid proto=ggp service=ms-wbt-server status=deny src=10.243.6.41 dst=10.85.104.146 src_port=780 dst_port=4438 server_app=orum pid=4887 app_name=qua traff_direct=agnamal block_count=73 logon_user=emacc@emp1636.www.invalid msg=unknown", - "event.outcome": "Failure", + "event.original": "February 2 20:27:57 
totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "orp5697.www.invalid", + "host.name": "totam6886.api.localhost", "input.type": "log", - "log.offset": 20947, - "network.direction": "agnamal", + "log.offset": 21076, + "network.direction": "internal", "network.protocol": "ggp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4887, + "process.pid": 7128, "related.ip": [ - "10.243.6.41", - "10.85.104.146" + "10.54.23.133", + "10.76.125.70" ], "related.user": [ - "emacc" + "oloreeu" ], - "rsa.counters.dclass_c1": 73, + "rsa.counters.dclass_c1": 1916, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -4428,110 +4428,110 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "orp5697.www.invalid" + "totam6886.api.localhost" ], - "rsa.network.domain": "emp1636.www.invalid", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "olor5201.host", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-02-02T22:27:57.000Z", - "server.domain": "emp1636.www.invalid", + "server.domain": "olor5201.host", "service.type": "fortinet", "source.ip": [ - "10.243.6.41" + "10.54.23.133" ], - "source.port": 780, + "source.port": 3258, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "emacc" + "user.name": "oloreeu" }, { "@timestamp": "2020-02-17T05:30:32.000Z", "destination.ip": [ - "10.30.246.132" + "10.189.42.62" ], - "destination.port": 388, + "destination.port": 4262, "event.action": "deny", - "event.code": "https", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "February 17 03:30:32 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=esse block_count=3795 logon_user=osqu@pariatur7238.www5.invalid msg=unknown", - "event.outcome": "Failure", + "event.original": "February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "rumet6923.www5.lan", + "host.name": "laborum5749.www.example", "input.type": "log", - "log.offset": 21215, - "network.direction": "esse", - "network.protocol": "rdp", + "log.offset": 21347, + "network.direction": "unknown", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 3990, + "process.pid": 2780, "related.ip": [ - "10.208.18.210", - "10.30.246.132" + "10.189.42.62", + "10.36.110.69" ], "related.user": [ - "osqu" + "eque" ], - "rsa.counters.dclass_c1": 3795, + "rsa.counters.dclass_c1": 170, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "rumet6923.www5.lan" + "laborum5749.www.example" ], - "rsa.network.domain": "pariatur7238.www5.invalid", - "rsa.network.network_service": "https", + "rsa.network.domain": "eufug3348.www.lan", + "rsa.network.network_service": "http", "rsa.time.event_time": "2020-02-17T05:30:32.000Z", - "server.domain": "pariatur7238.www5.invalid", + "server.domain": "eufug3348.www.lan", "service.type": "fortinet", "source.ip": [ - "10.208.18.210" + "10.36.110.69" ], - "source.port": 3601, + "source.port": 4187, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "osqu" + "user.name": "eque" }, { "@timestamp": "2020-03-03T12:33:06.000Z", "destination.ip": [ - "10.167.9.200" + "10.183.202.82" ], - "destination.port": 4568, + "destination.port": 2208, "event.action": "deny", "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 3 10:33:06 orum5045.domain proto=igmp service=https status=deny src=10.37.174.58 dst=10.167.9.200 src_port=4003 dst_port=4568 server_app=exercita pid=2068 app_name=elillum traff_direct=veleumi block_count=4337 logon_user=tvol@oluptate6978.localdomain msg=failure", - "event.outcome": "Failure", + "event.original": "March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 
server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "orum5045.domain", + "host.name": "lup3313.api.home", "input.type": "log", - "log.offset": 21485, - "network.direction": "veleumi", - "network.protocol": "igmp", + "log.offset": 21616, + "network.direction": "unknown", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2068, + "process.pid": 3284, "related.ip": [ - "10.37.174.58", - "10.167.9.200" + "10.47.179.68", + "10.183.202.82" ], "related.user": [ - "tvol" + "umfugi" ], - "rsa.counters.dclass_c1": 4337, + "rsa.counters.dclass_c1": 2645, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", 
@@ -4542,110 +4542,110 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "orum5045.domain" + "lup3313.api.home" ], - "rsa.network.domain": "oluptate6978.localdomain", + "rsa.network.domain": "stquidol239.www5.invalid", "rsa.network.network_service": "https", "rsa.time.event_time": "2020-03-03T12:33:06.000Z", - "server.domain": "oluptate6978.localdomain", + "server.domain": "stquidol239.www5.invalid", "service.type": "fortinet", "source.ip": [ - "10.37.174.58" + "10.47.179.68" ], - "source.port": 4003, + "source.port": 5107, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "tvol" + "user.name": "umfugi" }, { "@timestamp": "2020-03-17T19:35:40.000Z", "destination.ip": [ - "10.251.29.244" + "10.221.206.74" ], - "destination.port": 919, + "destination.port": 1480, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "March 17 17:35:40 iciade3900.example proto=ggp service=ms-wbt-server status=deny src=10.221.220.148 dst=10.251.29.244 src_port=98 dst_port=919 server_app=eturadip pid=6261 app_name=psumd traff_direct=oloree block_count=355 logon_user=ptate@teir7585.www5.localdomain msg=failure", - "event.outcome": "Failure", + "event.original": "March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "iciade3900.example", + "host.name": "edq5397.www.test", "input.type": "log", - "log.offset": 21754, - "network.direction": "oloree", - "network.protocol": "ggp", + "log.offset": 21882, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", 
"observer.vendor": "Fortinet", - "process.pid": 6261, + "process.pid": 2314, "related.ip": [ - "10.221.220.148", - "10.251.29.244" + "10.221.206.74", + "10.73.28.165" ], "related.user": [ - "ptate" + "quas" ], - "rsa.counters.dclass_c1": 355, + "rsa.counters.dclass_c1": 5572, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "iciade3900.example" + "edq5397.www.test" ], - "rsa.network.domain": "teir7585.www5.localdomain", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "gia6531.mail.invalid", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-03-17T19:35:40.000Z", - "server.domain": "teir7585.www5.localdomain", + "server.domain": "gia6531.mail.invalid", "service.type": "fortinet", "source.ip": [ - "10.221.220.148" + "10.73.28.165" ], - "source.port": 98, + "source.port": 3668, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ptate" + "user.name": "quas" }, { "@timestamp": "2020-04-01T02:38:14.000Z", "destination.ip": [ - "10.189.82.19" + "10.14.204.36" ], - "destination.port": 4057, + "destination.port": 4887, "event.action": "deny", "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 1 00:38:14 texpli7157.mail.invalid proto=ggp service=ms-wbt-server status=deny src=10.198.143.216 dst=10.189.82.19 src_port=4267 dst_port=4057 server_app=mini pid=1816 app_name=tur traff_direct=tur block_count=5914 logon_user=iamqui@tassita6539.www.lan msg=success", - "event.outcome": "Failure", + "event.original": "April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 
dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "texpli7157.mail.invalid", + "host.name": "udan6536.www5.test", "input.type": "log", - "log.offset": 22032, - "network.direction": "tur", - "network.protocol": "ggp", + "log.offset": 22154, + "network.direction": "inbound", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 1816, + "process.pid": 5284, "related.ip": [ - "10.189.82.19", - "10.198.143.216" + "10.85.104.146", + "10.14.204.36" ], "related.user": [ - "iamqui" + "emp" ], - "rsa.counters.dclass_c1": 5914, + "rsa.counters.dclass_c1": 973, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", 
@@ -4656,226 +4656,226 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "texpli7157.mail.invalid" + "udan6536.www5.test" ], - "rsa.network.domain": "tassita6539.www.lan", + "rsa.network.domain": "lamcola4879.www5.localdomain", "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2020-04-01T02:38:14.000Z", - "server.domain": "tassita6539.www.lan", + "server.domain": "lamcola4879.www5.localdomain", "service.type": "fortinet", "source.ip": [ - "10.198.143.216" + "10.85.104.146" ], - "source.port": 4267, + "source.port": 3442, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "iamqui" + "user.name": "emp" }, { "@timestamp": "2020-04-15T09:40:49.000Z", "destination.ip": [ - "10.70.29.203" + "10.30.246.132" ], - "destination.port": 6317, + "destination.port": 388, "event.action": "deny", - "event.code": "smtp", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 15 07:40:49 CSe7575.www5.example proto=rdp service=smtp status=deny src=10.141.216.14 dst=10.70.29.203 src_port=5994 dst_port=6317 server_app=ate pid=4386 app_name=fugitse traff_direct=minimve block_count=2465 logon_user=dese@duntutla4724.www.host msg=success", - "event.outcome": "Failure", + "event.original": "April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "CSe7575.www5.example", + "host.name": "rumet6923.www5.lan", "input.type": "log", - "log.offset": 22303, - "network.direction": "minimve", + "log.offset": 22429, + "network.direction": "outbound", "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 
4386, + "process.pid": 3990, "related.ip": [ - "10.70.29.203", - "10.141.216.14" + "10.208.18.210", + "10.30.246.132" ], "related.user": [ - "dese" + "veniam" ], - "rsa.counters.dclass_c1": 2465, + "rsa.counters.dclass_c1": 5624, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "CSe7575.www5.example" + "rumet6923.www5.lan" ], - "rsa.network.domain": "duntutla4724.www.host", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "edquian330.mail.local", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-04-15T09:40:49.000Z", - "server.domain": "duntutla4724.www.host", + "server.domain": "edquian330.mail.local", "service.type": "fortinet", "source.ip": [ - "10.141.216.14" + "10.208.18.210" ], - "source.port": 5994, + "source.port": 3601, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "dese" + "user.name": "veniam" }, { "@timestamp": "2020-04-29T16:43:23.000Z", "destination.ip": [ - "10.137.85.123" + "10.19.119.17" ], - "destination.port": 7073, + "destination.port": 3822, "event.action": "deny", - "event.code": "https", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "April 29 14:43:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=uinesc block_count=4248 logon_user=idatat@onev595.mail.domain msg=failure", - "event.outcome": "Failure", + "event.original": "April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 
server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "abori7686.internal.host", + "host.name": "itse522.internal.localdomain", "input.type": "log", - "log.offset": 22569, - "network.direction": "uinesc", - "network.protocol": "rdp", + "log.offset": 22698, + "network.direction": "unknown", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2313, + "process.pid": 4337, "related.ip": [ - "10.183.243.246", - "10.137.85.123" + "10.19.119.17", + "10.106.249.91" ], "related.user": [ - "idatat" + "lit" ], - "rsa.counters.dclass_c1": 4248, + "rsa.counters.dclass_c1": 2783, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "abori7686.internal.host" + "itse522.internal.localdomain" ], - "rsa.network.domain": "onev595.mail.domain", - "rsa.network.network_service": "https", + "rsa.network.domain": "santi837.api.domain", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2020-04-29T16:43:23.000Z", - "server.domain": "onev595.mail.domain", + "server.domain": "santi837.api.domain", "service.type": "fortinet", "source.ip": [ - "10.183.243.246" + "10.106.249.91" ], - "source.port": 218, + "source.port": 1732, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "idatat" + "user.name": "lit" }, { "@timestamp": "2020-05-13T23:45:57.000Z", "destination.ip": [ - "10.158.54.131" + "10.181.41.154" ], - "destination.port": 1585, + "destination.port": 866, "event.action": "deny", - "event.code": "https", 
+ "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 13 21:45:57 sis3986.internal.lan proto=rdp service=https status=deny src=10.10.86.55 dst=10.158.54.131 src_port=911 dst_port=1585 server_app=mmodi pid=7353 app_name=rvelill traff_direct=lupta block_count=7608 logon_user=tatevel@midestl7500.www.home msg=unknown", - "event.outcome": "Failure", + "event.original": "May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "sis3986.internal.lan", + "host.name": "amc3059.local", "input.type": "log", - "log.offset": 22842, - "network.direction": "lupta", - "network.protocol": "rdp", + "log.offset": 22970, + "network.direction": "unknown", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7353, + "process.pid": 5275, "related.ip": [ - "10.158.54.131", - "10.10.86.55" + "10.29.109.126", + "10.181.41.154" ], "related.user": [ - "tatevel" + "labo" ], - "rsa.counters.dclass_c1": 7608, + "rsa.counters.dclass_c1": 6721, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "sis3986.internal.lan" + "amc3059.local" ], - "rsa.network.domain": "midestl7500.www.home", - "rsa.network.network_service": "https", + "rsa.network.domain": "lpaquiof804.internal.invalid", + "rsa.network.network_service": "http", 
"rsa.time.event_time": "2020-05-13T23:45:57.000Z", - "server.domain": "midestl7500.www.home", + "server.domain": "lpaquiof804.internal.invalid", "service.type": "fortinet", "source.ip": [ - "10.10.86.55" + "10.29.109.126" ], - "source.port": 911, + "source.port": 6261, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "tatevel" + "user.name": "labo" }, { "@timestamp": "2020-05-28T06:48:31.000Z", "destination.ip": [ - "10.187.170.23" + "10.164.120.197" ], - "destination.port": 3220, + "destination.port": 2304, "event.action": "deny", - "event.code": "http", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "May 28 04:48:31 oremeumf32.www.lan proto=ggp service=http status=deny src=10.105.136.146 dst=10.187.170.23 src_port=541 dst_port=3220 server_app=sectetu pid=7182 app_name=its traff_direct=dolor block_count=5957 logon_user=uatu@mquis5526.mail.test msg=unknown", - "event.outcome": "Failure", + "event.original": "May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "oremeumf32.www.lan", + "host.name": "enbyCi3813.api.domain", "input.type": "log", - "log.offset": 23107, - "network.direction": "dolor", - "network.protocol": "ggp", + "log.offset": 23236, + "network.direction": "external", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7182, + "process.pid": 2286, "related.ip": [ - "10.105.136.146", - "10.187.170.23" + "10.164.120.197", + "10.164.207.42" ], "related.user": [ - "uatu" + "pta" ], - "rsa.counters.dclass_c1": 5957, + "rsa.counters.dclass_c1": 3116, "rsa.counters.dclass_c1_str": 
"block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -4884,226 +4884,226 @@ ], "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "oremeumf32.www.lan" + "enbyCi3813.api.domain" ], - "rsa.network.domain": "mquis5526.mail.test", - "rsa.network.network_service": "http", + "rsa.network.domain": "nonn4478.host", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-05-28T06:48:31.000Z", - "server.domain": "mquis5526.mail.test", + "server.domain": "nonn4478.host", "service.type": "fortinet", "source.ip": [ - "10.105.136.146" + "10.164.207.42" ], - "source.port": 541, + "source.port": 1901, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "uatu" + "user.name": "pta" }, { "@timestamp": "2020-06-11T13:51:06.000Z", "destination.ip": [ - "10.125.166.198" + "10.154.191.225" ], - "destination.port": 6301, + "destination.port": 7856, "event.action": "deny", - "event.code": "https", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 11 11:51:06 ice6331.invalid proto=ipv6 service=https status=deny src=10.114.211.238 dst=10.125.166.198 src_port=3824 dst_port=6301 server_app=tinculpa pid=6537 app_name=cti traff_direct=rumSecti block_count=111 logon_user=sumquiad@iusmodt3432.mail.localdomain msg=unknown", - "event.outcome": "Failure", + "event.original": "June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ice6331.invalid", + "host.name": "liquipex1155.mail.corp", "input.type": "log", - "log.offset": 23366, - "network.direction": "rumSecti", - "network.protocol": "ipv6", + "log.offset": 23505, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": 
"Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6537, + "process.pid": 2990, "related.ip": [ - "10.125.166.198", - "10.114.211.238" + "10.154.191.225", + "10.183.189.133" ], "related.user": [ - "sumquiad" + "ita" ], - "rsa.counters.dclass_c1": 111, + "rsa.counters.dclass_c1": 6105, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "ice6331.invalid" + "liquipex1155.mail.corp" ], - "rsa.network.domain": "iusmodt3432.mail.localdomain", - "rsa.network.network_service": "https", + "rsa.network.domain": "amquaer3985.www5.example", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-06-11T13:51:06.000Z", - "server.domain": "iusmodt3432.mail.localdomain", + "server.domain": "amquaer3985.www5.example", "service.type": "fortinet", "source.ip": [ - "10.114.211.238" + "10.183.189.133" ], - "source.port": 3824, + "source.port": 5347, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "sumquiad" + "user.name": "ita" }, { "@timestamp": "2020-06-25T20:53:40.000Z", "destination.ip": [ - "10.209.239.122" + "10.103.189.199" ], - "destination.port": 1450, + "destination.port": 767, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "June 25 18:53:40 aevitaed1082.localdomain proto=tcp service=ms-wbt-server status=deny src=10.29.7.142 dst=10.209.239.122 src_port=4053 dst_port=1450 server_app=edic pid=2758 app_name=amcolab traff_direct=olabori block_count=3307 logon_user=atatnon@lica2780.www5.home msg=success", - "event.outcome": "Failure", + "event.original": "June 25 18:53:40 isn3991.local proto=igmp 
service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "aevitaed1082.localdomain", + "host.name": "isn3991.local", "input.type": "log", - "log.offset": 23643, - "network.direction": "olabori", - "network.protocol": "tcp", + "log.offset": 23783, + "network.direction": "outbound", + "network.protocol": "igmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 2758, + "process.pid": 226, "related.ip": [ - "10.209.239.122", - "10.29.7.142" + "10.103.189.199", + "10.29.120.226" ], "related.user": [ - "atatnon" + "emu" ], - "rsa.counters.dclass_c1": 3307, + "rsa.counters.dclass_c1": 5452, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "aevitaed1082.localdomain" + "isn3991.local" ], - "rsa.network.domain": "lica2780.www5.home", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "orem6317.local", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2020-06-25T20:53:40.000Z", - "server.domain": "lica2780.www5.home", + "server.domain": "orem6317.local", "service.type": "fortinet", "source.ip": [ - "10.29.7.142" + "10.29.120.226" ], - "source.port": 4053, + "source.port": 1296, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "atatnon" + "user.name": "emu" }, { "@timestamp": "2020-07-10T03:56:14.000Z", "destination.ip": [ - "10.146.57.23" + "10.210.153.7" ], - "destination.port": 5483, + 
"destination.port": 7030, "event.action": "deny", - "event.code": "http", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 10 01:56:14 lloinve551.internal.local proto=ipv6-icmp service=http status=deny src=10.144.109.148 dst=10.146.57.23 src_port=4855 dst_port=5483 server_app=tno pid=5772 app_name=psumq traff_direct=ptatev block_count=6552 logon_user=xerc@ctetura7556.mail.corp msg=unknown", - "event.outcome": "Failure", + "event.original": "July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "lloinve551.internal.local", + "host.name": "iumtotam1010.www5.corp", "input.type": "log", - "log.offset": 23922, - "network.direction": "ptatev", - "network.protocol": "ipv6-icmp", + "log.offset": 24037, + "network.direction": "external", + "network.protocol": "icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5772, + "process.pid": 4691, "related.ip": [ - "10.144.109.148", - "10.146.57.23" + "10.210.153.7", + "10.133.254.23" ], "related.user": [ - "xerc" + "voluptas" ], - "rsa.counters.dclass_c1": 6552, + "rsa.counters.dclass_c1": 2088, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "lloinve551.internal.local" + "iumtotam1010.www5.corp" ], - "rsa.network.domain": "ctetura7556.mail.corp", - 
"rsa.network.network_service": "http", + "rsa.network.domain": "velill3230.www.corp", + "rsa.network.network_service": "https", "rsa.time.event_time": "2020-07-10T03:56:14.000Z", - "server.domain": "ctetura7556.mail.corp", + "server.domain": "velill3230.www.corp", "service.type": "fortinet", "source.ip": [ - "10.144.109.148" + "10.133.254.23" ], - "source.port": 4855, + "source.port": 6251, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "xerc" + "user.name": "voluptas" }, { "@timestamp": "2019-07-24T10:58:48.000Z", "destination.ip": [ - "10.11.2.200" + "10.91.2.135" ], - "destination.port": 7541, + "destination.port": 2141, "event.action": "deny", - "event.code": "smtp", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "July 24 08:58:48 tmo508.example proto=rdp service=smtp status=deny src=10.69.230.223 dst=10.11.2.200 src_port=6071 dst_port=7541 server_app=ostrudex pid=4542 app_name=niamqui traff_direct=usmodite block_count=7154 logon_user=uatu@uto2438.www5.corp msg=success", - "event.outcome": "Failure", + "event.original": "July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "tmo508.example", + "host.name": "onsecte91.www5.localdomain", "input.type": "log", - "log.offset": 24196, - "network.direction": "usmodite", - "network.protocol": "rdp", + "log.offset": 24312, + "network.direction": "outbound", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4542, + "process.pid": 5647, "related.ip": [ - "10.11.2.200", - "10.69.230.223" + "10.126.245.73", + "10.91.2.135" ], "related.user": [ - "uatu" 
+ "olore" ], - "rsa.counters.dclass_c1": 7154, + "rsa.counters.dclass_c1": 4680, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -5112,112 +5112,112 @@ ], "rsa.misc.result": "success", "rsa.network.alias_host": [ - "tmo508.example" + "onsecte91.www5.localdomain" ], - "rsa.network.domain": "uto2438.www5.corp", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "orumS757.www5.corp", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "server.domain": "uto2438.www5.corp", + "server.domain": "orumS757.www5.corp", "service.type": "fortinet", "source.ip": [ - "10.69.230.223" + "10.126.245.73" ], - "source.port": 6071, + "source.port": 180, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "uatu" + "user.name": "olore" }, { "@timestamp": "2019-08-07T18:01:23.000Z", "destination.ip": [ - "10.120.148.241" + "10.137.85.123" ], - "destination.port": 1655, + "destination.port": 7073, "event.action": "deny", - "event.code": "smtp", + "event.code": "https", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 7 16:01:23 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=iduntutl block_count=4047 logon_user=orsitvol@ntor5561.www.local msg=success", - "event.outcome": "Failure", + "event.original": "August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "upt6017.api.localdomain", + "host.name": "abori7686.internal.host", "input.type": "log", - "log.offset": 24456, - "network.direction": "iduntutl", - "network.protocol": "tcp", + "log.offset": 24583, + "network.direction": "internal", + "network.protocol": "rdp", "observer.product": "FortiClient", "observer.type": 
"Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6094, + "process.pid": 2313, "related.ip": [ - "10.120.148.241", - "10.100.154.220" + "10.137.85.123", + "10.183.243.246" ], "related.user": [ - "orsitvol" + "cid" ], - "rsa.counters.dclass_c1": 4047, + "rsa.counters.dclass_c1": 6402, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", + "rsa.internal.messageid": "https", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "upt6017.api.localdomain" + "abori7686.internal.host" ], - "rsa.network.domain": "ntor5561.www.local", - "rsa.network.network_service": "smtp", + "rsa.network.domain": "emi4534.www.localdomain", + "rsa.network.network_service": "https", "rsa.time.event_time": "2019-08-07T18:01:23.000Z", - "server.domain": "ntor5561.www.local", + "server.domain": "emi4534.www.localdomain", "service.type": "fortinet", "source.ip": [ - "10.100.154.220" + "10.183.243.246" ], - "source.port": 5535, + "source.port": 218, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "orsitvol" + "user.name": "cid" }, { "@timestamp": "2019-08-22T01:03:57.000Z", "destination.ip": [ - "10.90.50.149" + "10.10.86.55" ], - "destination.port": 7260, + "destination.port": 5132, "event.action": "deny", - "event.code": "http", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "August 21 23:03:57 velites4233.internal.home proto=ggp service=http status=deny src=10.153.166.133 dst=10.90.50.149 src_port=1936 dst_port=7260 server_app=asp pid=4025 app_name=ncul traff_direct=taliq block_count=5213 logon_user=porissu@umd3889.api.localhost msg=failure", - "event.outcome": "Failure", + "event.original": "August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny 
src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "velites4233.internal.home", + "host.name": "reprehen3513.test", "input.type": "log", - "log.offset": 24730, - "network.direction": "taliq", - "network.protocol": "ggp", + "log.offset": 24859, + "network.direction": "external", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 4025, + "process.pid": 1585, "related.ip": [ - "10.90.50.149", - "10.153.166.133" + "10.61.225.196", + "10.10.86.55" ], "related.user": [ - "porissu" + "eniamqu" ], - "rsa.counters.dclass_c1": 5213, + "rsa.counters.dclass_c1": 3034, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -5226,55 +5226,55 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "velites4233.internal.home" + "reprehen3513.test" ], - "rsa.network.domain": "umd3889.api.localhost", - "rsa.network.network_service": "http", + "rsa.network.domain": "inimav1576.mail.example", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-08-22T01:03:57.000Z", - "server.domain": "umd3889.api.localhost", + "server.domain": "inimav1576.mail.example", "service.type": "fortinet", "source.ip": [ - "10.153.166.133" + "10.61.225.196" ], - "source.port": 1936, + "source.port": 4720, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "porissu" + "user.name": "eniamqu" }, { "@timestamp": "2019-09-05T08:06:31.000Z", "destination.ip": [ - "10.117.190.234" + "10.79.73.195" ], - "destination.port": 7475, + "destination.port": 457, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "http", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 5 06:06:31 eeufugi6539.api.local proto=tcp service=ms-wbt-server status=deny src=10.230.130.3 dst=10.117.190.234 src_port=3485 dst_port=7475 server_app=iav pid=5792 app_name=usBono traff_direct=rumexe block_count=5360 logon_user=ttenb@olor5978.www.local msg=failure", - "event.outcome": "Failure", + "event.original": "September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "eeufugi6539.api.local", + "host.name": "orroquis284.api.domain", "input.type": "log", - "log.offset": 25001, - "network.direction": "rumexe", - "network.protocol": "tcp", + "log.offset": 25128, + "network.direction": "outbound", + "network.protocol": "udp", "observer.product": 
"FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5792, + "process.pid": 3141, "related.ip": [ - "10.230.130.3", - "10.117.190.234" + "10.79.73.195", + "10.125.143.153" ], "related.user": [ - "ttenb" + "emip" ], - "rsa.counters.dclass_c1": 5360, + "rsa.counters.dclass_c1": 7645, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "http", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", 
@@ -5283,224 +5283,224 @@ ], "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "eeufugi6539.api.local" + "orroquis284.api.domain" ], - "rsa.network.domain": "olor5978.www.local", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "aturQu7083.mail.host", + "rsa.network.network_service": "http", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "server.domain": "olor5978.www.local", + "server.domain": "aturQu7083.mail.host", "service.type": "fortinet", "source.ip": [ - "10.230.130.3" + "10.125.143.153" ], - "source.port": 3485, + "source.port": 2657, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "ttenb" + "user.name": "emip" }, { "@timestamp": "2019-09-19T15:09:05.000Z", "destination.ip": [ - "10.203.117.6" + "10.64.139.17" ], - "destination.port": 2510, + "destination.port": 2438, "event.action": "deny", - "event.code": "https", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "September 19 13:09:05 rem3131.home proto=igmp service=https status=deny src=10.55.103.200 dst=10.203.117.6 src_port=4894 dst_port=2510 server_app=uredol pid=3142 app_name=temsequi traff_direct=mquia block_count=1119 logon_user=enbyCic@iveli3387.host msg=success", - "event.outcome": "Failure", + "event.original": "September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "rem3131.home", + "host.name": "tionula2060.www5.localhost", "input.type": "log", - "log.offset": 25277, - "network.direction": "mquia", - "network.protocol": "igmp", + "log.offset": 25396, + "network.direction": "external", + "network.protocol": "ipv6", "observer.product": "FortiClient", 
"observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3142, + "process.pid": 6331, "related.ip": [ - "10.203.117.6", - "10.55.103.200" + "10.240.216.85", + "10.64.139.17" ], "related.user": [ - "enbyCic" + "nimadmin" ], - "rsa.counters.dclass_c1": 1119, + "rsa.counters.dclass_c1": 4982, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "success", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "rem3131.home" + "tionula2060.www5.localhost" ], - "rsa.network.domain": "iveli3387.host", - "rsa.network.network_service": "https", + "rsa.network.domain": "lumqui7769.mail.local", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-09-19T15:09:05.000Z", - "server.domain": "iveli3387.host", + "server.domain": "lumqui7769.mail.local", "service.type": "fortinet", "source.ip": [ - "10.55.103.200" + "10.240.216.85" ], - "source.port": 4894, + "source.port": 2046, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "enbyCic" + "user.name": "nimadmin" }, { "@timestamp": "2019-10-03T22:11:40.000Z", "destination.ip": [ - "10.75.122.228" + "10.222.245.80" ], - "destination.port": 5, + "destination.port": 4017, "event.action": "deny", - "event.code": "https", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 3 20:11:40 ommodoc4758.host proto=tcp service=https status=deny src=10.244.52.142 dst=10.75.122.228 src_port=2129 dst_port=5 server_app=scipit pid=730 app_name=ugiatqu traff_direct=eruntmo block_count=2894 logon_user=isciv@natus4803.mail.localhost msg=failure", - "event.outcome": "Failure", + "event.original": "October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 
service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "ommodoc4758.host", + "host.name": "rumSecti111.www5.domain", "input.type": "log", - "log.offset": 25539, - "network.direction": "eruntmo", - "network.protocol": "tcp", + "log.offset": 25683, + "network.direction": "inbound", + "network.protocol": "ipv6", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 730, + "process.pid": 4474, "related.ip": [ - "10.244.52.142", - "10.75.122.228" + "10.222.245.80", + "10.87.90.49" ], "related.user": [ - "isciv" + "ptatemse" ], - "rsa.counters.dclass_c1": 2894, + "rsa.counters.dclass_c1": 3380, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "ommodoc4758.host" + "rumSecti111.www5.domain" ], - "rsa.network.domain": "natus4803.mail.localhost", - "rsa.network.network_service": "https", + "rsa.network.domain": "siarc6339.internal.corp", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-10-03T22:11:40.000Z", - "server.domain": "natus4803.mail.localhost", + "server.domain": "siarc6339.internal.corp", "service.type": "fortinet", "source.ip": [ - "10.244.52.142" + "10.87.90.49" ], - "source.port": 2129, + "source.port": 1486, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "isciv" + "user.name": "ptatemse" }, { "@timestamp": "2019-10-18T05:14:14.000Z", "destination.ip": [ - "10.119.143.168" 
+ "10.87.144.208" ], - "destination.port": 4131, + "destination.port": 2440, "event.action": "deny", - "event.code": "http", + "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "October 18 03:14:14 udexerc4535.www.home proto=ipv6-icmp service=http status=deny src=10.7.142.212 dst=10.119.143.168 src_port=2952 dst_port=4131 server_app=tuser pid=6944 app_name=qua traff_direct=iarchite block_count=1612 logon_user=oinven@natu1957.mail.corp msg=failure", - "event.outcome": "Failure", + "event.original": "October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "udexerc4535.www.home", + "host.name": "olores7881.local", "input.type": "log", - "log.offset": 25807, - "network.direction": "iarchite", - "network.protocol": "ipv6-icmp", + "log.offset": 25971, + "network.direction": "unknown", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 6944, + "process.pid": 4855, "related.ip": [ - "10.7.142.212", - "10.119.143.168" + "10.87.144.208", + "10.143.53.214" ], "related.user": [ - "oinven" + "psumq" ], - "rsa.counters.dclass_c1": 1612, + "rsa.counters.dclass_c1": 5772, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "udexerc4535.www.home" + "olores7881.local" ], - "rsa.network.domain": "natu1957.mail.corp", - 
"rsa.network.network_service": "http", + "rsa.network.domain": "ptatev6552.www.test", + "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "server.domain": "natu1957.mail.corp", + "server.domain": "ptatev6552.www.test", "service.type": "fortinet", "source.ip": [ - "10.7.142.212" + "10.143.53.214" ], - "source.port": 2952, + "source.port": 3310, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "oinven" + "user.name": "psumq" }, { "@timestamp": "2019-11-01T12:16:48.000Z", "destination.ip": [ - "10.252.146.103" + "10.105.97.134" ], - "destination.port": 5995, + "destination.port": 1935, "event.action": "deny", "event.code": "pop3", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 1 10:16:48 adipi2840.mail.domain proto=udp service=pop3 status=deny src=10.116.105.31 dst=10.252.146.103 src_port=3181 dst_port=5995 server_app=rinrepr pid=7279 app_name=consequu traff_direct=modo block_count=3194 logon_user=rsint@rsi5358.www.domain msg=failure", - "event.outcome": "Failure", + "event.original": "November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "adipi2840.mail.domain", + "host.name": "tDuis3281.www5.localdomain", "input.type": "log", - "log.offset": 26080, - "network.direction": "modo", - "network.protocol": "udp", + "log.offset": 26239, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7279, + "process.pid": 1729, "related.ip": [ - "10.252.146.103", - "10.116.105.31" + "10.105.97.134", + "10.204.178.19" ], "related.user": 
[ - "rsint" + "mexercit" ], - "rsa.counters.dclass_c1": 3194, + "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "block_count", "rsa.internal.messageid": "pop3", "rsa.investigations.ec_outcome": "Failure", 
@@ -5509,194 +5509,194 @@ "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "adipi2840.mail.domain" + "tDuis3281.www5.localdomain" ], - "rsa.network.domain": "rsi5358.www.domain", + "rsa.network.domain": "byC5766.internal.home", "rsa.network.network_service": "pop3", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "server.domain": "rsi5358.www.domain", + "server.domain": "byC5766.internal.home", "service.type": "fortinet", "source.ip": [ - "10.116.105.31" + "10.204.178.19" ], - "source.port": 3181, + "source.port": 616, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "rsint" + "user.name": "mexercit" }, { "@timestamp": "2019-11-15T19:19:22.000Z", "destination.ip": [ - "10.213.41.210" + "10.194.67.223" ], - "destination.port": 3626, + "destination.port": 5767, "event.action": "deny", - "event.code": "ms-wbt-server", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 15 17:19:22 onse3998.internal.invalid proto=udp service=ms-wbt-server status=deny src=10.163.239.13 dst=10.213.41.210 src_port=3650 dst_port=3626 server_app=aco pid=7260 app_name=adese traff_direct=olorsi block_count=4955 logon_user=aedictas@rumetMa2554.domain msg=failure", - "event.outcome": "Failure", + "event.original": "November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "onse3998.internal.invalid", + "host.name": "uptasnul2751.www5.corp", "input.type": "log", - "log.offset": 26351, - "network.direction": "olorsi", - "network.protocol": "udp", + "log.offset": 26526, + "network.direction": "inbound", + "network.protocol": "rdp", 
"observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 7260, + "process.pid": 4493, "related.ip": [ - "10.163.239.13", - "10.213.41.210" + "10.161.64.168", + "10.194.67.223" ], "related.user": [ - "aedictas" + "tion" ], - "rsa.counters.dclass_c1": 4955, + "rsa.counters.dclass_c1": 3673, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "unknown", "rsa.network.alias_host": [ - "onse3998.internal.invalid" + "uptasnul2751.www5.corp" ], - "rsa.network.domain": "rumetMa2554.domain", - "rsa.network.network_service": "ms-wbt-server", + "rsa.network.domain": "hender6628.local", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-11-15T19:19:22.000Z", - "server.domain": "rumetMa2554.domain", + "server.domain": "hender6628.local", "service.type": "fortinet", "source.ip": [ - "10.163.239.13" + "10.161.64.168" ], - "source.port": 3650, + "source.port": 7154, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aedictas" + "user.name": "tion" }, { "@timestamp": "2019-11-30T02:21:57.000Z", "destination.ip": [ - "10.190.36.112" + "10.120.148.241" ], - "destination.port": 4829, + "destination.port": 1655, "event.action": "deny", - "event.code": "https", + "event.code": "smtp", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "November 30 00:21:57 mvolupta225.mail.invalid proto=icmp service=https status=deny src=10.184.109.84 dst=10.190.36.112 src_port=6960 dst_port=4829 server_app=reprehen pid=3793 app_name=uisa traff_direct=nimadmin block_count=5630 logon_user=uat@eniamqu985.test msg=unknown", - "event.outcome": "Failure", + "event.original": "November 30 
00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "mvolupta225.mail.invalid", + "host.name": "upt6017.api.localdomain", "input.type": "log", - "log.offset": 26633, - "network.direction": "nimadmin", - "network.protocol": "icmp", + "log.offset": 26795, + "network.direction": "external", + "network.protocol": "tcp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 3793, + "process.pid": 6094, "related.ip": [ - "10.184.109.84", - "10.190.36.112" + "10.100.154.220", + "10.120.148.241" ], "related.user": [ - "uat" + "rsitam" ], - "rsa.counters.dclass_c1": 5630, + "rsa.counters.dclass_c1": 5150, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", + "rsa.internal.messageid": "smtp", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "unknown", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "mvolupta225.mail.invalid" + "upt6017.api.localdomain" ], - "rsa.network.domain": "eniamqu985.test", - "rsa.network.network_service": "https", + "rsa.network.domain": "xercit7649.www5.home", + "rsa.network.network_service": "smtp", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", - "server.domain": "eniamqu985.test", + "server.domain": "xercit7649.www5.home", "service.type": "fortinet", "source.ip": [ - "10.184.109.84" + "10.100.154.220" ], - "source.port": 6960, + "source.port": 5535, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "uat" + "user.name": "rsitam" }, { "@timestamp": "2019-12-14T09:24:31.000Z", "destination.ip": [ - 
"10.19.21.239" + "10.180.90.112" ], - "destination.port": 6995, + "destination.port": 1936, "event.action": "deny", - "event.code": "http", + "event.code": "ms-wbt-server", "event.dataset": "fortinet.clientendpoint", "event.module": "fortinet", - "event.original": "December 14 07:24:31 officiad6348.mail.lan proto=icmp service=http status=deny src=10.175.181.138 dst=10.19.21.239 src_port=1495 dst_port=6995 server_app=velite pid=5985 app_name=litse traff_direct=san block_count=3326 logon_user=aliqu@taedict4891.api.host msg=failure", - "event.outcome": "Failure", + "event.original": "December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success", + "event.outcome": "failure", "fileset.name": "clientendpoint", - "host.name": "officiad6348.mail.lan", + "host.name": "tpers2217.internal.lan", "input.type": "log", - "log.offset": 26905, - "network.direction": "san", - "network.protocol": "icmp", + "log.offset": 27072, + "network.direction": "outbound", + "network.protocol": "udp", "observer.product": "FortiClient", "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", - "process.pid": 5985, + "process.pid": 5012, "related.ip": [ - "10.175.181.138", - "10.19.21.239" + "10.116.153.19", + "10.180.90.112" ], "related.user": [ - "aliqu" + "itessequ" ], - "rsa.counters.dclass_c1": 3326, + "rsa.counters.dclass_c1": 2216, "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", + "rsa.internal.messageid": "ms-wbt-server", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ "deny" ], - "rsa.misc.result": "failure", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "officiad6348.mail.lan" + "tpers2217.internal.lan" ], - 
"rsa.network.domain": "taedict4891.api.host", - "rsa.network.network_service": "http", + "rsa.network.domain": "porissu1470.domain", + "rsa.network.network_service": "ms-wbt-server", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "server.domain": "taedict4891.api.host", + "server.domain": "porissu1470.domain", "service.type": "fortinet", "source.ip": [ - "10.175.181.138" + "10.116.153.19" ], - "source.port": 1495, + "source.port": 6610, "tags": [ "fortinet.clientendpoint", "forwarded" ], - "user.name": "aliqu" + "user.name": "itessequ" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index e42f3a778a5..c57c741a983 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md @@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-08 18:50:20.827838 +0000 UTC. +at 2020-07-08 22:20:59.343166 +0000 UTC. diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js +++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = {
     "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
     "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
     "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
-    "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+    "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
     "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
     "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
     "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
     "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
     "filepath": {to:[{field: "file.path", setter: fld_set}]},
     "filetype": {to:[{field: "file.type", setter: fld_set}]},
+    "group": {to:[{field: "group.name", setter: fld_set}]},
+    "groupid": {to:[{field: "group.id", setter: fld_set}]},
     "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
     "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
     "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = {
     "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
     "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
     "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+    "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
     "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
     "method": {to:[{field: "http.request.method", setter: fld_set}]},
     "msg": {to:[{field: "log.original", setter: fld_set}]},
@@ -1852,6 +1855,24 @@ function fld_prio(dst, value) {
     }
 }
 
+var valid_ecs_outcome = {
+    'failure': true,
+    'success': true,
+    'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+    value = value.toLowerCase();
+    if (valid_ecs_outcome[value] === undefined) {
+        value = 'unknown';
+    }
+    if (dst[this.field] === undefined) {
+        dst[this.field] = { v: value };
+    } else if (dst[this.field].v === 'unknown') {
+        dst[this.field] = { v: value };
+    }
+}
+
 function map_all(evt, targets, value) {
     for (var i = 0; i < targets.length; i++) {
         evt.Put(targets[i], value);
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
index 983515ba14f..fe6e7cfdfcc 100644
--- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
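Review bot: The allowlist check `valid_ecs_outcome[value] === undefined` in the new fld_ecs_outcome walks the prototype chain, so a log field whose value is `constructor` or `__proto__` (both unchanged by toLowerCase) is treated as a valid outcome and written to event.outcome, defeating the failure/success/unknown restriction this setter was added to enforce on device-supplied log content. Test for an own property instead: `if (!Object.prototype.hasOwnProperty.call(valid_ecs_outcome, value)) {`. Separately, the `ec_outcome` mapping in the earlier hunk has no `convert:` step, so if a parser ever hands this setter a non-string, `value.toLowerCase()` throws inside the processor; `if (typeof value !== 'string') { value = 'unknown'; } else { value = value.toLowerCase(); }` would keep the event alive. Whether a non-string can actually reach this setter is not visible in this hunk.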
@@ -1,100 +1,100 @@ %IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application="scivel",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action="cancel",rawQuery="sit" %IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message="eacomm" %IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application="taliqu",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action="accept",rawQuery="ehenderi" -%IMPERVA-Imperva,alert#=amqu,event#=uines,createTime=2016-03-12 03:17:42,updateTime=nsec,alertSev=medium,group=estqu,ruleName="inibusBo",evntDesc="tat",category=tion,disposition=eataev,eventType=liquide,proto=icmp,srcPort=4515,srcIP=10.64.70.5,dstPort=4782,dstIP=10.157.161.103,policyName="eritquii",occurrences=3561,httpHost=riat,webMethod=taut,url="https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium",webQuery="iciatisu",soapAction=rehender,resultCode=eporroqu,sessionID=uat,username=tem,addUsername=est,responseTime=iineavo,responseSize=equatD,direction=isno,dbUsername=taliq,queryGroup=intoccae,application="ents",srcHost=pida2286.internal.home,osUsername=emeumfu,schemaName=CSed,dbName=lupt,hdrName=psaquae,action="deny",errormsg="success" -%IMPERVA-Imperva,alert#=datatn,event#=mqu,createTime=2016-03-26 
10:20:16,updateTime=apariat,alertSev=high,group=eFinib,ruleName="ihilm",evntDesc="atDu",category=eav,disposition=ionevo,eventType=remagn,proto=tcp,srcPort=5005,srcIP=10.47.202.102,dstPort=5715,dstIP=10.230.76.224,policyName="licab",occurrences=3339,httpHost=aturve,webMethod=emulla,url="https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu",webQuery="ice",soapAction=estiae,resultCode=sci,sessionID=oei,username=tlabori,addUsername=oin,responseTime=lapari,responseSize=data,direction=dolor,dbUsername=nnum,queryGroup=eritqu,application="uradip",srcHost=wri2784.api.domain,osUsername=hitect,schemaName=dol,dbName=leumiu,hdrName=namali,action=accept -%IMPERVA-Imperva,dstIP=10.10.38.139,dstPort=189,dbUsername=ari,srcIP=10.32.67.231,srcPort=1250,creatTime=9 April 2016 17:22:51,srvGroup=quamnih,service=oluptate,appName=onseq,event#=serunt,eventType=Login,usrGroup=aquaeabi,usrAuth=False,application="lita",osUsername=adeseru,srcHost=emoe6540.www.domain,dbName=itanimi,schemaName=itame,bindVar=intoc,sqlError=success,respSize=2628,respTime=175.601000,affRows=dantiumt,action="block",rawQuery="nula" -%IMPERVA-Imperva,dstIP=10.133.189.215,dstPort=7865,dbUsername=evita,srcIP=10.206.97.204,srcPort=146,creatTime=2016-04-24 00:25:25,srvGroup=magni,service=pisciv,appName=iquidex,event#=radipisc,eventType=tmo,usrGroup=fficiade,usrAuth=uscipit,application="vitaedi",osUsername=fugitse,srcHost=veniamq1608.www.localdomain,dbName=colab,schemaName=ommodico,bindVar=quatD,sqlError=failure,respSize=4842,respTime=67.309000,affRows=tenima,action="block",rawQuery="sperna" -%IMPERVA-Imperva,dstIP=10.145.248.111,dstPort=95,dbUsername=tectobe,srcIP=10.148.106.167,srcPort=4285,creatTime=8 May 2016 
07:27:59,srvGroup=ntocc,service=uteirure,appName=nevo,event#=ide,eventType=Login,usrGroup=aali,usrAuth=False,application="adip",osUsername=tium,srcHost=nnum5428.internal.host,dbName=tco,schemaName=uae,bindVar=officiad,sqlError=success,respSize=3994,respTime=57.835000,affRows=madmi,action="deny",rawQuery="turadip" -%IMPERVA-Imperva,dstIP=10.77.52.83,dstPort=2646,dbUsername=atno,srcIP=10.7.46.36,srcPort=837,creatTime=22 May 2016 14:30:33,srvGroup=nonn,service=inventor,appName=quiavol,event#=rrorsi,eventType=Login,usrGroup=temquiav,usrAuth=False,application="equatu",osUsername=upta,srcHost=dex2490.www.host,dbName=tae,schemaName=ccaec,bindVar=ten,sqlError=success,respSize=1458,respTime=129.251000,affRows=ullamcor,action="accept",rawQuery="emaccusa" -%IMPERVA-Imperva,dstIP=10.221.102.245,dstPort=337,dbUsername=rinre,srcIP=10.43.226.231,srcPort=7222,creatTime=2016-06-05 21:33:08,srvGroup=tut,service=ercita,appName=ciadeser,event#=emquia,eventType=Logout,usrGroup=inesci,usrAuth=True,application="isnisi",osUsername=ritatise,srcHost=uamei2389.internal.example,dbName=uisa,schemaName=eFi,bindVar=mexe,sqlError=failure,respSize=302,respTime=93.746000,affRows=ice,action="block",rawQuery="entorev" -%IMPERVA-Imperva,dstIP=10.239.96.8,dstPort=6223,dbUsername=atevelit,srcIP=10.56.136.27,srcPort=4293,creatTime=20 June 2016 04:35:42,srvGroup=labo,service=oNemoeni,appName=ttenby,event#=boris,eventType=Login,usrGroup=stenatu,usrAuth=False,application="isiuta",osUsername=orsitam,srcHost=siutaliq7201.mail.host,dbName=tsed,schemaName=nts,bindVar=siut,sqlError=unknown,respSize=3714,respTime=20.894000,affRows=piscinge,action="allow",rawQuery="aturve" -%IMPERVA-Imperva,dstIP=10.10.216.74,dstPort=7231,dbUsername=sit,srcIP=10.147.76.202,srcPort=2805,creatTime=4 July 2016 
11:38:16,srvGroup=ersp,service=enderi,appName=mquisno,event#=odoconse,eventType=Login,usrGroup=quamqua,usrAuth=True,application="eacommod",osUsername=ctetura,srcHost=aveni2929.www.localdomain,dbName=uptatema,schemaName=oeni,bindVar=tdol,sqlError=failure,respSize=5313,respTime=87.380000,affRows=nea,action="cancel",rawQuery="oremagna" -%IMPERVA-Imperva,alert#=asiar,event#=ise,createTime=2016-07-18 18:40:50,updateTime=itau,alertSev=low,group=iamquis,ruleName="asiarc",evntDesc="ian",category=dolore,disposition=onsecte,eventType=nBCSedut,proto=icmp,srcPort=23,srcIP=10.123.199.236,dstPort=2300,dstIP=10.177.219.214,policyName="quatu",occurrences=5653,httpHost=lumdolor,webMethod=nonp,url="https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl",webQuery="por",soapAction=quidexea,resultCode=nimid,sessionID=runtmol,username=texpli,addUsername=exeacom,responseTime=roidents,responseSize=tem,direction=dol,dbUsername=proiden,queryGroup=urExcept,application="miurerep",srcHost=aco6894.mail.home,osUsername=emUteni,schemaName=rum,dbName=gnaaliqu,hdrName=teirured,action="cancel",errormsg="unknown" -%IMPERVA-Imperva,dstIP=10.110.114.175,dstPort=2639,dbUsername=upt,srcIP=10.20.72.231,srcPort=5300,creatTime=2 August 2016 01:43:25,srvGroup=untutlab,service=amcor,appName=ica,event#=lillum,eventType=Login,usrGroup=remips,usrAuth=True,application="uisaute",osUsername=imide,srcHost=poriss4719.www5.domain,dbName=siu,schemaName=snost,bindVar=tpersp,sqlError=unknown,respSize=5798,respTime=96.768000,affRows=ametcons,action="allow",rawQuery="nof" -%IMPERVA-Imperva,dstIP=10.230.206.60,dstPort=3684,dbUsername=aincidu,srcIP=10.111.90.75,srcPort=5960,creatTime=16 August 2016 08:45:59,srvGroup=licabo,service=enimadmi,appName=utaliqu,event#=dic,eventType=Login,usrGroup=cola,usrAuth=True,application="amcor",osUsername=rcitat,srcHost=ineavol7807.mail.test,dbName=usc,schemaName=rem,bindVar=amvolupt,sqlError=success,respSize=1264,respTime=123.553000,affRows=xea,action="deny",rawQuery="ncidid" 
-%IMPERVA-Imperva,alert#=velite,event#=teturad,createTime=2016-08-30 15:48:33,updateTime=perspici,alertSev=high,group=rer,ruleName="iconseq",evntDesc="porincid",category=atisetqu,disposition=issuscip,eventType=uisa,proto=tcp,srcPort=3449,srcIP=10.186.77.109,dstPort=1513,dstIP=10.154.53.249,policyName="tae",occurrences=5380,httpHost=eriti,webMethod=atcupi,url="https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant",webQuery="onse",soapAction=admin,resultCode=stenatu,sessionID=inibu,username=est,addUsername=uptatemU,responseTime=leumiu,responseSize=tla,direction=item,dbUsername=nimid,queryGroup=dat,application="periam",srcHost=dqu6144.api.localhost,osUsername=dutpers,schemaName=erun,dbName=orisn,hdrName=reetd,action=accept -%IMPERVA-Imperva,dstIP=10.201.164.145,dstPort=2700,dbUsername=sequa,srcIP=10.111.233.194,srcPort=5739,creatTime=13 September 2016 22:51:07,srvGroup=rem,service=idid,appName=tesse,event#=sequat,eventType=Login,usrGroup=giatquov,usrAuth=True,application="tconsec",osUsername=miurerep,srcHost=toccaec7645.www5.home,dbName=psaqua,schemaName=ullamcor,bindVar=itationu,sqlError=unknown,respSize=6595,respTime=106.181000,affRows=tame,action="allow",rawQuery="orroq" -%IMPERVA-Imperva,alert#=orisni,event#=ons,createTime=2016-09-28 05:53:42,updateTime=remagn,alertSev=very-high,group=orem,ruleName="rcit",evntDesc="llamco",category=atu,disposition=untincul,eventType=ssecil,proto=ggp,srcPort=4593,srcIP=10.57.164.187,dstPort=3421,dstIP=10.241.230.235,policyName="utp",occurrences=3317,httpHost=isnost,webMethod=olorem,url="https://example.org/emqu/riss.gif?sitvol=dolore#nsequat",webQuery="olorsi",soapAction=aliq,resultCode=mes,sessionID=mven,username=olorsit,addUsername=tore,responseTime=elits,responseSize=consequa,direction=turadip,dbUsername=tatevel,queryGroup=boreetdo,application="undeom",srcHost=uamnihi4791.www.local,osUsername=scingeli,schemaName=isn,dbName=sBono,hdrName=loremqu,action="accept",errormsg="unknown" 
-%IMPERVA-Imperva,dstIP=10.79.147.101,dstPort=1280,dbUsername=uptat,srcIP=10.105.46.101,srcPort=3346,creatTime=12 October 2016 12:56:16,srvGroup=cons,service=olorese,appName=ori,event#=tconsect,eventType=Login,usrGroup=rum,usrAuth=True,application="eataevi",osUsername=ddoeius,srcHost=ugiatn4084.domain,dbName=hil,schemaName=cingel,bindVar=modocon,sqlError=success,respSize=6068,respTime=61.550000,affRows=lupta,action="deny",rawQuery="urExce" -%IMPERVA-Imperva,alert#=proident,event#=mipsum,createTime=2016-10-26 19:58:50,updateTime=lmo,alertSev=medium,group=doei,ruleName="cipitl",evntDesc="caboNemo",category=dexerc,disposition=strumex,eventType=eprehend,proto=udp,srcPort=6200,srcIP=10.102.166.19,dstPort=4322,dstIP=10.49.71.118,policyName="ationul",occurrences=7731,httpHost=itsedq,webMethod=uto,url="https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela",webQuery="ntexplic",soapAction=uto,resultCode=iuntNequ,sessionID=esseq,username=aincidun,addUsername=quatD,responseTime=isqua,responseSize=uta,direction=emo,dbUsername=itq,queryGroup=derit,application="orese",srcHost=dolor5930.internal.host,osUsername=eritin,schemaName=udan,dbName=yCic,hdrName=nder,action="cancel",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.28.153.102,dstPort=6366,dbUsername=rsita,srcIP=10.50.222.68,srcPort=6657,creatTime=2016-11-10 03:01:24,srvGroup=illu,service=iatqu,appName=lorsi,event#=repreh,eventType=plic,usrGroup=irured,usrAuth=illumqui,application="saq",osUsername=amali,srcHost=ate7311.mail.example,dbName=undeomni,schemaName=tas,bindVar=autfugi,sqlError=unknown,respSize=4527,respTime=82.523000,affRows=eratv,action="allow",rawQuery="iration" -%IMPERVA-Imperva,dstIP=10.199.169.48,dstPort=6443,dbUsername=imadmini,srcIP=10.46.192.198,srcPort=154,creatTime=24 November 2016 
10:03:59,srvGroup=uat,service=lupta,appName=npr,event#=etconsec,eventType=Login,usrGroup=caboNem,usrAuth=True,application="urExcept",osUsername=rumetMal,srcHost=oconse2010.www5.example,dbName=sequam,schemaName=oditempo,bindVar=doeiu,sqlError=failure,respSize=4128,respTime=83.673000,affRows=destlabo,action="cancel",rawQuery="redol" -%IMPERVA-Imperva,alert#=radipis,event#=ctetu,createTime=2016-12-08 17:06:33,updateTime=orinrep,alertSev=low,group=nder,ruleName="stenatus",evntDesc="equep",category=ever,disposition=tali,eventType=BCS,proto=icmp,srcPort=4926,srcIP=10.251.1.35,dstPort=6515,dstIP=10.201.81.46,policyName="sBonor",occurrences=2001,httpHost=plicaboN,webMethod=amc,url="https://example.com/admi/onnu.gif?saute=atatnon#tcupida",webQuery="isa",soapAction=riameaqu,resultCode=ame,sessionID=tesseq,username=niam,addUsername=pernat,responseTime=rerepre,responseSize=nculpaq,direction=culpaqui,dbUsername=tvolup,queryGroup=tdolore,application="ventore",srcHost=red5516.localhost,osUsername=agnaaliq,schemaName=est,dbName=mquisno,hdrName=aev,action="block",errormsg="unknown" -%IMPERVA-Imperva,alert#=uid,event#=equaturv,createTime=2016-12-23 00:09:07,updateTime=lamc,alertSev=very-high,group=maccusa,ruleName="ree",evntDesc="nimad",category=ataevita,disposition=oremqu,eventType=uradi,proto=ipv6-icmp,srcPort=194,srcIP=10.131.82.68,dstPort=3984,dstIP=10.7.81.204,policyName="equatDu",occurrences=1710,httpHost=aconse,webMethod=prehe,url="https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes",webQuery="lmolesti",soapAction=meumfugi,resultCode=tquas,sessionID=aquio,username=ersp,addUsername=iame,responseTime=orroquis,responseSize=aquio,direction=riatu,dbUsername=loinve,queryGroup=tanimid,application="isnostru",srcHost=nofdeFi5182.mail.domain,osUsername=ulap,schemaName=amnisi,dbName=nrepreh,hdrName=abori,action=accept -%IMPERVA-Imperva,dstIP=10.94.132.21,dstPort=2945,dbUsername=odi,srcIP=10.114.193.232,srcPort=3661,creatTime=6 January 2017 
07:11:41,srvGroup=ore,service=isund,appName=exerci,event#=tas,eventType=Login,usrGroup=oraincid,usrAuth=False,application="quaer",osUsername=eetdo,srcHost=tlab2033.lan,dbName=seddoeiu,schemaName=nse,bindVar=aali,sqlError=unknown,respSize=6784,respTime=57.532000,affRows=olorem,action="deny",rawQuery="ugitsedq" -%IMPERVA-Imperva,dstIP=10.44.226.104,dstPort=7020,dbUsername=nse,srcIP=10.9.56.220,srcPort=905,creatTime=2017-01-20 14:14:16,srvGroup=suntincu,service=sse,appName=venia,event#=inBCSe,eventType=Logout,usrGroup=otamrem,usrAuth=True,application="tutlabor",osUsername=reseosq,srcHost=gna4901.internal.localhost,dbName=catcupi,schemaName=autf,bindVar=saqu,sqlError=unknown,respSize=5380,respTime=36.114000,affRows=amquisno,action="accept",rawQuery="tiumdol" -%IMPERVA-Imperva,dstIP=10.48.209.115,dstPort=3450,dbUsername=aconsequ,srcIP=10.33.195.166,srcPort=1629,creatTime=2017-02-03 21:16:50,srvGroup=ursin,service=utemvel,appName=epteur,event#=ommo,eventType=Logout,usrGroup=iame,usrAuth=True,application="laudanti",osUsername=umiurer,srcHost=rere5274.mail.domain,dbName=usmo,schemaName=iamea,bindVar=imaveni,sqlError=failure,respSize=3249,respTime=105.870000,affRows=cor,action="cancel",rawQuery="nihil" -%IMPERVA-Imperva,dstIP=10.85.137.156,dstPort=2763,dbUsername=orumSe,srcIP=10.188.121.11,srcPort=537,creatTime=2017-02-18 04:19:24,srvGroup=dtemp,service=ici,appName=nisiuta,event#=iquaUt,eventType=Logout,usrGroup=mnihilm,usrAuth=True,application="redo",osUsername=etMaloru,srcHost=lmo3262.test,dbName=uamqu,schemaName=olori,bindVar=ido,sqlError=success,respSize=2491,respTime=126.010000,affRows=autfugit,action="accept",rawQuery="dolorsi" -%IMPERVA-Imperva,dstIP=10.238.245.236,dstPort=3575,dbUsername=stquidol,srcIP=10.45.215.202,srcPort=3834,creatTime=2017-03-04 
11:21:59,srvGroup=ide,service=edq,appName=evitae,event#=amvo,eventType=tnul,usrGroup=expl,usrAuth=ess,application="quiad",osUsername=ihilmole,srcHost=saquaea2280.www5.invalid,dbName=quas,schemaName=gia,bindVar=itatio,sqlError=failure,respSize=7822,respTime=157.184000,affRows=eddoei,action="cancel",rawQuery="sseq" -%IMPERVA-Imperva,dstIP=10.213.109.180,dstPort=6536,dbUsername=essequam,srcIP=10.222.85.95,srcPort=1742,creatTime=18 March 2017 18:24:33,srvGroup=upt,service=orum,appName=Bonoru,event#=madminim,eventType=Login,usrGroup=ents,usrAuth=False,application="emacc",osUsername=emp,srcHost=lamcola4879.www5.localdomain,dbName=dant,schemaName=etdolor,bindVar=uat,sqlError=unknown,respSize=2905,respTime=85.649000,affRows=iti,action="accept",rawQuery="amqu" -%IMPERVA-Imperva,dstIP=10.229.165.102,dstPort=2069,dbUsername=lestia,srcIP=10.18.225.139,srcPort=3302,creatTime=2 April 2017 01:27:07,srvGroup=inibusB,service=nostrud,appName=cteturad,event#=ore,eventType=Login,usrGroup=esse,usrAuth=True,application="veniam",osUsername=edquian,srcHost=sus7859.www5.lan,dbName=mquido,schemaName=orum,bindVar=oinBCSed,sqlError=success,respSize=3553,respTime=116.549000,affRows=ilm,action="cancel",rawQuery="fugiatqu" -%IMPERVA-Imperva,dstIP=10.119.4.120,dstPort=3822,dbUsername=veleumi,srcIP=10.63.177.46,srcPort=4799,creatTime=2017-04-16 08:29:41,srvGroup=adipisci,service=mip,appName=itatio,event#=oquisqu,eventType=turadip,usrGroup=dip,usrAuth=idolo,application="Ute",osUsername=ptassita,srcHost=caecatcu919.www5.corp,dbName=olorsi,schemaName=itseddo,bindVar=bore,sqlError=unknown,respSize=5719,respTime=42.541000,affRows=labo,action="accept",rawQuery="mvenia" -%IMPERVA-Imperva,dstIP=10.189.6.107,dstPort=767,dbUsername=exerci,srcIP=10.50.69.209,srcPort=5406,creatTime=2017-04-30 
15:32:16,srvGroup=atcupid,service=onse,appName=psa,event#=ate,eventType=Logout,usrGroup=con,usrAuth=False,application="tqu",osUsername=eirur,srcHost=dese3161.www5.localhost,dbName=lore,schemaName=isci,bindVar=Dui,sqlError=failure,respSize=1684,respTime=75.877000,affRows=lup,action="allow",rawQuery="eos" -%IMPERVA-Imperva,dstIP=10.74.166.70,dstPort=1453,dbUsername=olor,srcIP=10.88.176.226,srcPort=6937,creatTime=2017-05-14 22:34:50,srvGroup=Dui,service=iameaqu,appName=aaliquaU,event#=olu,eventType=Logout,usrGroup=iameaque,usrAuth=True,application="identsun",osUsername=ender,srcHost=inc5923.www.test,dbName=oluptat,schemaName=roinBCSe,bindVar=maperiam,sqlError=success,respSize=723,respTime=156.893000,affRows=nseq,action="accept",rawQuery="uidolo" -%IMPERVA-Imperva,dstIP=10.123.56.46,dstPort=6729,dbUsername=sit,srcIP=10.182.181.162,srcPort=6169,creatTime=2017-05-29 05:37:24,srvGroup=sistena,service=uidexeac,appName=sequa,event#=ntsunti,eventType=Logout,usrGroup=borios,usrAuth=True,application="ani",osUsername=uid,srcHost=idatat6469.api.invalid,dbName=lesti,schemaName=oreseo,bindVar=reprehen,sqlError=failure,respSize=6438,respTime=159.943000,affRows=idolo,action="cancel",rawQuery="tsedquia" -%IMPERVA-Imperva,dstIP=10.169.124.164,dstPort=62,dbUsername=iamqui,srcIP=10.176.83.7,srcPort=5908,creatTime=2017-06-12 12:39:58,srvGroup=inim,service=etdol,appName=Sed,event#=oremeumf,eventType=lesti,usrGroup=sintocca,usrAuth=mipsumqu,application="eprehen",osUsername=hilmole,srcHost=sequ6424.www.invalid,dbName=its,schemaName=dolor,bindVar=lorumwri,sqlError=success,respSize=2894,respTime=68.248000,affRows=lab,action="accept",rawQuery="nimaveni" -%IMPERVA-Imperva,dstIP=10.87.238.169,dstPort=1598,dbUsername=CSedu,srcIP=10.173.125.112,srcPort=7769,creatTime=2017-06-26 
19:42:33,srvGroup=iquip,service=tinculpa,appName=umtota,event#=etdolore,eventType=Logout,usrGroup=magnaa,usrAuth=False,application="sumquiad",osUsername=iusmodt,srcHost=tes1898.www5.test,dbName=eaqueip,schemaName=itaedict,bindVar=olorema,sqlError=failure,respSize=7780,respTime=126.440000,affRows=ptatemse,action="block",rawQuery="quaeratv" -%IMPERVA-Imperva,dstIP=10.245.219.7,dstPort=4792,dbUsername=rsit,srcIP=10.53.133.90,srcPort=940,creatTime=11 July 2017 02:45:07,srvGroup=isiutali,service=quaUten,appName=rmagnido,event#=psaquaea,eventType=Login,usrGroup=rchit,usrAuth=False,application="psumq",osUsername=ptatev,srcHost=atu5950.api.corp,dbName=msequ,schemaName=nvol,bindVar=enimadmi,sqlError=unknown,respSize=6066,respTime=143.250000,affRows=sumdolo,action="block",rawQuery="rors" -%IMPERVA-Imperva,alert#=quaU,event#=ufugi,createTime=2017-07-25 09:47:41,updateTime=cin,alertSev=low,group=byC,ruleName="uae",evntDesc="oremip",category=its,disposition=uptasnul,eventType=aliqui,proto=rdp,srcPort=239,srcIP=10.161.64.168,dstPort=4444,dstIP=10.67.173.228,policyName="uatu",occurrences=2448,httpHost=ntoccaec,webMethod=uamestqu,url="https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp",webQuery="ommo",soapAction=adeser,resultCode=uasiarc,sessionID=doeiu,username=onsectet,addUsername=dentsunt,responseTime=inea,responseSize=animid,direction=upta,dbUsername=ioff,queryGroup=oinBCS,application="itsedd",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action="block",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-08-08 16:50:15,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application="dat",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action="block",rawQuery="iav" 
-%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=22 August 2017 23:52:50,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application="tis",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action="allow",rawQuery="tconse" -%IMPERVA-Imperva,event#=rem,createTime=2017-09-06 06:55:24,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message="nturmag" -%IMPERVA-Imperva,dstIP=10.52.190.18,dstPort=4411,dbUsername=ciati,srcIP=10.198.142.81,srcPort=283,creatTime=20 September 2017 13:57:58,srvGroup=amei,service=doconseq,appName=conseq,event#=emve,eventType=Login,usrGroup=edutpers,usrAuth=False,application="ctobeat",osUsername=upta,srcHost=asper311.www.corp,dbName=inibus,schemaName=secte,bindVar=ctobeat,sqlError=unknown,respSize=1063,respTime=124.881000,affRows=animide,action="cancel",rawQuery="emp" -%IMPERVA-Imperva,alert#=volupta,event#=umfu,createTime=2017-10-04 21:00:32,updateTime=utla,alertSev=low,group=tDuisaut,ruleName="dolo",evntDesc="velites",category=oloremi,disposition=edqui,eventType=strumex,proto=igmp,srcPort=4011,srcIP=10.97.108.108,dstPort=5020,dstIP=10.49.169.175,policyName="nostru",occurrences=4795,httpHost=qui,webMethod=caboN,url="https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor",webQuery="sequa",soapAction=lorum,resultCode=suntexpl,sessionID=iqu,username=iquamqu,addUsername=eumfugia,responseTime=reeufugi,responseSize=sequines,direction=minimve,dbUsername=texplica,queryGroup=entorev,application="quuntur",srcHost=olup3841.mail.invalid,osUsername=idolor,schemaName=onpr,dbName=uira,hdrName=eosqui,action=cancel -%IMPERVA-Imperva,dstIP=10.65.185.178,dstPort=7750,dbUsername=tin,srcIP=10.96.216.244,srcPort=3721,creatTime=2017-10-19 
04:03:07,srvGroup=etconse,service=nesciu,appName=mali,event#=roinBCSe,eventType=Logout,usrGroup=eetdolor,usrAuth=False,application="tpersp",osUsername=assi,srcHost=rch5094.www.host,dbName=atione,schemaName=tvolup,bindVar=oremeu,sqlError=failure,respSize=5602,respTime=76.644000,affRows=dan,action="accept",rawQuery="aeca" -%IMPERVA-Imperva,dstIP=10.223.71.185,dstPort=916,dbUsername=uptateve,srcIP=10.33.181.176,srcPort=2546,creatTime=2017-11-02 11:05:41,srvGroup=ectet,service=ionu,appName=eratv,event#=des,eventType=deFini,usrGroup=alorumwr,usrAuth=liq,application="xerc",osUsername=atisetqu,srcHost=squir7186.internal.example,dbName=vol,schemaName=loremips,bindVar=serro,sqlError=unknown,respSize=3804,respTime=7.607000,affRows=noru,action="allow",rawQuery="henderi" -%IMPERVA-Imperva,dstIP=10.238.252.246,dstPort=6289,dbUsername=iamea,srcIP=10.255.179.32,srcPort=5472,creatTime=16 November 2017 18:08:15,srvGroup=tur,service=eFi,appName=uatDuisa,event#=ulapari,eventType=Login,usrGroup=eporroq,usrAuth=False,application="uunturm",osUsername=iatn,srcHost=saquaeab5916.www5.invalid,dbName=rroq,schemaName=olore,bindVar=eratvolu,sqlError=unknown,respSize=5626,respTime=121.916000,affRows=volup,action="cancel",rawQuery="ntut" -%IMPERVA-Imperva,dstIP=10.98.52.184,dstPort=7402,dbUsername=umq,srcIP=10.28.124.136,srcPort=1327,creatTime=2017-12-01 01:10:49,srvGroup=olu,service=exerci,appName=isnostru,event#=iad,eventType=Logout,usrGroup=ngelits,usrAuth=True,application="volupt",osUsername=billoi,srcHost=reseo4447.localdomain,dbName=pariat,schemaName=icaboNe,bindVar=boreetd,sqlError=failure,respSize=4298,respTime=59.204000,affRows=lorem,action="cancel",rawQuery="totamr" -%IMPERVA-Imperva,dstIP=10.200.162.248,dstPort=1419,dbUsername=lumdol,srcIP=10.92.177.251,srcPort=4990,creatTime=2017-12-15 
08:13:24,srvGroup=liq,service=ihil,appName=oremip,event#=fdeFi,eventType=Logout,usrGroup=periam,usrAuth=False,application="ccusa",osUsername=billo,srcHost=doloremi3365.api.lan,dbName=agn,schemaName=cul,bindVar=tate,sqlError=success,respSize=3914,respTime=111.123000,affRows=iatnulap,action="deny",rawQuery="idents" -%IMPERVA-Imperva,dstIP=10.103.215.159,dstPort=1265,dbUsername=ueporr,srcIP=10.88.60.147,srcPort=4608,creatTime=29 December 2017 15:15:58,srvGroup=rem,service=onorumet,appName=iscivel,event#=rinci,eventType=Login,usrGroup=eacomm,usrAuth=False,application="aboNem",osUsername=mull,srcHost=ent6907.mail.invalid,dbName=datatn,schemaName=seq,bindVar=mquis,sqlError=failure,respSize=392,respTime=80.092000,affRows=sis,action="cancel",rawQuery="tat" -%IMPERVA-Imperva,dstIP=10.93.246.218,dstPort=4628,dbUsername=mtot,srcIP=10.229.190.11,srcPort=2164,creatTime=2018-01-12 22:18:32,srvGroup=eursi,service=liquid,appName=ulapari,event#=ibus,eventType=Logout,usrGroup=isu,usrAuth=False,application="moll",osUsername=roinBCS,srcHost=odit426.internal.corp,dbName=aloru,schemaName=cteturad,bindVar=modi,sqlError=failure,respSize=1929,respTime=38.172000,affRows=ntoccae,action="accept",rawQuery="edut" -%IMPERVA-Imperva,dstIP=10.89.16.162,dstPort=3056,dbUsername=taevitae,srcIP=10.178.183.11,srcPort=4665,creatTime=27 January 2018 05:21:06,srvGroup=saute,service=umdol,appName=rerepr,event#=ipiscin,eventType=Login,usrGroup=trudexe,usrAuth=True,application="qua",osUsername=modit,srcHost=tatione5638.home,dbName=riat,schemaName=atvol,bindVar=emipsum,sqlError=failure,respSize=1449,respTime=82.202000,affRows=quiado,action="cancel",rawQuery="mipsa" -%IMPERVA-Imperva,alert#=tinv,event#=Utenima,createTime=2018-02-10 
12:23:41,updateTime=nse,alertSev=high,group=uradip,ruleName="nesci",evntDesc="meaquei",category=snisiu,disposition=atem,eventType=remque,proto=ggp,srcPort=3525,srcIP=10.244.73.167,dstPort=1961,dstIP=10.67.129.100,policyName="lorem",occurrences=2592,httpHost=eosquir,webMethod=tqu,url="https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat",webQuery="mvol",soapAction=asiar,resultCode=eiu,sessionID=maliquam,username=gnama,addUsername=ursintoc,responseTime=minimve,responseSize=eprehe,direction=lillumqu,dbUsername=tamet,queryGroup=ate,application="epteur",srcHost=onproi4354.www5.invalid,osUsername=sunte,schemaName=exerc,dbName=tasu,hdrName=sci,action="deny",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.20.158.236,dstPort=4443,dbUsername=dantium,srcIP=10.52.221.103,srcPort=3962,creatTime=24 February 2018 19:26:15,srvGroup=magnido,service=mcolab,appName=mfugia,event#=eacomm,eventType=Login,usrGroup=orr,usrAuth=True,application="pre",osUsername=aute,srcHost=rchite7405.api.local,dbName=rors,schemaName=oinve,bindVar=ptasnul,sqlError=unknown,respSize=6386,respTime=108.472000,affRows=tvol,action="deny",rawQuery="redolo" -%IMPERVA-Imperva,dstIP=10.250.231.196,dstPort=5863,dbUsername=olup,srcIP=10.199.46.88,srcPort=6342,creatTime=2018-03-11 02:28:49,srvGroup=snulap,service=onsequat,appName=tiumd,event#=atuse,eventType=Logout,usrGroup=imad,usrAuth=False,application="tura",osUsername=equuntur,srcHost=rve472.www.localhost,dbName=xer,schemaName=utlabore,bindVar=nulapari,sqlError=unknown,respSize=2867,respTime=54.004000,affRows=eruntmol,action="block",rawQuery="imaven" -%IMPERVA-Imperva,dstIP=10.41.44.94,dstPort=702,dbUsername=nim,srcIP=10.49.122.64,srcPort=2285,creatTime=2018-03-25 
09:31:24,srvGroup=rit,service=unturma,appName=iavol,event#=psumdol,eventType=Logout,usrGroup=urautodi,usrAuth=True,application="equamni",osUsername=fugia,srcHost=uptate5787.api.local,dbName=umq,schemaName=suntincu,bindVar=imidest,sqlError=unknown,respSize=1508,respTime=136.809000,affRows=nof,action="block",rawQuery="iavol" -%IMPERVA-Imperva,dstIP=10.101.60.188,dstPort=5558,dbUsername=uptatem,srcIP=10.186.129.34,srcPort=89,creatTime=8 April 2018 16:33:58,srvGroup=roiden,service=eacommod,appName=tali,event#=roinBCSe,eventType=Login,usrGroup=emagnaal,usrAuth=True,application="isauteir",osUsername=eritquii,srcHost=atevelit325.www.local,dbName=ionula,schemaName=itaed,bindVar=invol,sqlError=unknown,respSize=944,respTime=75.182000,affRows=tdolore,action="accept",rawQuery="nimadmi" -%IMPERVA-Imperva,dstIP=10.184.199.84,dstPort=2057,dbUsername=cid,srcIP=10.138.191.99,srcPort=5362,creatTime=22 April 2018 23:36:32,srvGroup=amal,service=gni,appName=luptat,event#=ehend,eventType=Login,usrGroup=involupt,usrAuth=False,application="itempo",osUsername=upt,srcHost=rve426.api.test,dbName=onevo,schemaName=ationem,bindVar=Nem,sqlError=unknown,respSize=3291,respTime=80.991000,affRows=dipisci,action="block",rawQuery="modit" -%IMPERVA-Imperva,alert#=tationem,event#=urere,createTime=2018-05-07 06:39:06,updateTime=tinvo,alertSev=medium,group=tquid,ruleName="giatquo",evntDesc="iatisun",category=cto,disposition=orumSect,eventType=preh,proto=icmp,srcPort=3791,srcIP=10.27.120.57,dstPort=5633,dstIP=10.40.12.51,policyName="ute",occurrences=1576,httpHost=sed,webMethod=uep,url="https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco",webQuery="empor",soapAction=mvele,resultCode=teveli,sessionID=utperspi,username=remeum,addUsername=temseq,responseTime=orin,responseSize=dexea,direction=sedquia,dbUsername=litesse,queryGroup=ntmo,application="aliqu",srcHost=iqu4429.www5.lan,osUsername=doconse,schemaName=volupta,dbName=ptat,hdrName=oreverit,action="cancel",errormsg="success" 
-%IMPERVA-Imperva,alert#=urQuisa,event#=ipi,createTime=2018-05-21 13:41:41,updateTime=xcepte,alertSev=low,group=onula,ruleName="ostru",evntDesc="por",category=stiae,disposition=icta,eventType=epteu,proto=tcp,srcPort=2191,srcIP=10.106.63.42,dstPort=6845,dstIP=10.86.147.37,policyName="tDui",occurrences=2211,httpHost=etco,webMethod=mip,url="https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu",webQuery="rrorsi",soapAction=ole,resultCode=odi,sessionID=tper,username=olor,addUsername=corpo,responseTime=commod,responseSize=iumd,direction=ntore,dbUsername=tect,queryGroup=ion,application="tutl",srcHost=niam7512.www5.localhost,osUsername=aeca,schemaName=ugitse,dbName=ameiu,hdrName=utei,action="allow",errormsg="success" -%IMPERVA-Imperva,dstIP=10.110.240.8,dstPort=6650,dbUsername=tam,srcIP=10.112.132.76,srcPort=1314,creatTime=4 June 2018 20:44:15,srvGroup=Neq,service=rcita,appName=eeufugia,event#=evolupt,eventType=Login,usrGroup=pre,usrAuth=True,application="tiumtot",osUsername=ulamcola,srcHost=epr3512.internal.domain,dbName=enbyCice,schemaName=equun,bindVar=veli,sqlError=unknown,respSize=5784,respTime=115.111000,affRows=iadeseru,action="cancel",rawQuery="olorsita" -%IMPERVA-Imperva,dstIP=10.76.222.159,dstPort=403,dbUsername=natuser,srcIP=10.7.141.213,srcPort=7283,creatTime=2018-06-19 03:46:49,srvGroup=tati,service=orinc,appName=teursi,event#=pariatur,eventType=Logout,usrGroup=iofficia,usrAuth=True,application="ira",osUsername=niamq,srcHost=quatD260.internal.test,dbName=ionulam,schemaName=labor,bindVar=Sec,sqlError=unknown,respSize=5670,respTime=85.913000,affRows=tquov,action="accept",rawQuery="pta" -%IMPERVA-Imperva,dstIP=10.246.196.160,dstPort=894,dbUsername=equ,srcIP=10.170.90.90,srcPort=2541,creatTime=2018-07-03 
10:49:23,srvGroup=eFinib,service=atione,appName=xcepte,event#=gnaa,eventType=Logout,usrGroup=tio,usrAuth=True,application="qui",osUsername=epteurs,srcHost=did6471.internal.localdomain,dbName=tMalo,schemaName=urautod,bindVar=eveli,sqlError=unknown,respSize=4933,respTime=136.206000,affRows=nonproi,action="allow",rawQuery="quaturve" -%IMPERVA-Imperva,event#=officiad,createTime=2018-07-17 17:51:58,eventType=veniam,eventSev=very-high,username=entoreve,subsystem=ion,message="exeaco" -%IMPERVA-Imperva,dstIP=10.209.129.155,dstPort=769,dbUsername=mdolore,srcIP=10.128.118.157,srcPort=4004,creatTime=2018-08-01 00:54:32,srvGroup=odite,service=atn,appName=sectet,event#=boreetd,eventType=Logout,usrGroup=ueporro,usrAuth=True,application="cto",osUsername=essequa,srcHost=gnidolor1901.test,dbName=quian,schemaName=xerci,bindVar=qua,sqlError=success,respSize=2931,respTime=66.399000,affRows=itten,action="block",rawQuery="abo" -%IMPERVA-Imperva,alert#=uradipi,event#=erita,createTime=2018-08-15 07:57:06,updateTime=eursint,alertSev=high,group=illoinve,ruleName="uis",evntDesc="itanimi",category=rinc,disposition=isistena,eventType=nsequatD,proto=rdp,srcPort=1864,srcIP=10.21.69.33,dstPort=2855,dstIP=10.219.218.23,policyName="entore",occurrences=2428,httpHost=magnidol,webMethod=meumfug,url="https://www.example.org/uatu/gel.gif?itsed=mvolu#agn",webQuery="eritinvo",soapAction=aliq,resultCode=dest,sessionID=uisautei,username=labor,addUsername=ihilmol,responseTime=scinge,responseSize=lum,direction=iinea,dbUsername=xercit,queryGroup=reh,application="velitess",srcHost=colab553.api.localdomain,osUsername=orumS,schemaName=tesseq,dbName=exeacomm,hdrName=uptat,action="deny",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.209.39.25,dstPort=3954,dbUsername=tion,srcIP=10.67.163.107,srcPort=1312,creatTime=2018-08-29 
14:59:40,srvGroup=tiumtot,service=ctio,appName=imadm,event#=ugiat,eventType=ius,usrGroup=msequ,usrAuth=ciatisun,application="Ute",osUsername=eddoe,srcHost=seq3852.www5.localdomain,dbName=uasi,schemaName=quaeabi,bindVar=sequ,sqlError=failure,respSize=3469,respTime=69.015000,affRows=essecill,action="block",rawQuery="uovolup" -%IMPERVA-Imperva,dstIP=10.61.247.113,dstPort=599,dbUsername=tur,srcIP=10.120.66.172,srcPort=984,creatTime=2018-09-12 22:02:15,srvGroup=aven,service=Sedut,appName=stiaec,event#=rveli,eventType=Logout,usrGroup=serr,usrAuth=True,application="umdolo",osUsername=iduntut,srcHost=admini511.www5.local,dbName=cididun,schemaName=iamqu,bindVar=ommodoc,sqlError=unknown,respSize=2218,respTime=179.909000,affRows=uisaut,action="cancel",rawQuery="onse" -%IMPERVA-Imperva,alert#=orinrepr,event#=tinvo,createTime=2018-09-27 05:04:49,updateTime=oru,alertSev=medium,group=stena,ruleName="tquid",evntDesc="liquaUt",category=tdolorem,disposition=umdolo,eventType=oluptass,proto=udp,srcPort=5328,srcIP=10.31.56.237,dstPort=6326,dstIP=10.206.65.159,policyName="fdeFini",occurrences=1295,httpHost=eetdolo,webMethod=issuscip,url="https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati",webQuery="lapa",soapAction=enia,resultCode=atis,sessionID=edol,username=cit,addUsername=adip,responseTime=ugiatq,responseSize=mnisiuta,direction=nrepre,dbUsername=eumfu,queryGroup=remap,application="ecatcup",srcHost=olup2082.localhost,osUsername=atem,schemaName=amcorpor,dbName=oloremeu,hdrName=mquisn,action=deny -%IMPERVA-Imperva,event#=eruntm,createTime=2018-10-11 12:07:23,eventType=iades,eventSev=high,username=inculpa,subsystem=vita,message="onorum" -%IMPERVA-Imperva,dstIP=10.108.76.145,dstPort=4698,dbUsername=trumexer,srcIP=10.147.56.184,srcPort=672,creatTime=25 October 2018 
19:09:57,srvGroup=emoenim,service=oqui,appName=olab,event#=remagnam,eventType=Login,usrGroup=neavolu,usrAuth=False,application="adipi",osUsername=idid,srcHost=ela5007.www.lan,dbName=lore,schemaName=uisautem,bindVar=olorsi,sqlError=unknown,respSize=1294,respTime=149.161000,affRows=iamq,action="allow",rawQuery="tiumt" -%IMPERVA-Imperva,alert#=expl,event#=animi,createTime=2018-11-09 02:12:32,updateTime=mdoloree,alertSev=medium,group=Loremips,ruleName="taliqui",evntDesc="doloremi",category=uisno,disposition=atevel,eventType=oloremeu,proto=rdp,srcPort=4601,srcIP=10.28.248.90,dstPort=5693,dstIP=10.193.58.50,policyName="sedquian",occurrences=4385,httpHost=secillum,webMethod=sequatD,url="https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti",webQuery="ipsum",soapAction=com,resultCode=uptate,sessionID=tevelite,username=cto,addUsername=borisn,responseTime=assitasp,responseSize=nima,direction=abore,dbUsername=tur,queryGroup=tlaboru,application="erun",srcHost=mquid2987.host,osUsername=totamrem,schemaName=eaqu,dbName=itani,hdrName=mni,action=cancel -%IMPERVA-Imperva,dstIP=10.84.3.244,dstPort=3154,dbUsername=olest,srcIP=10.211.242.138,srcPort=6661,creatTime=23 November 2018 09:15:06,srvGroup=ola,service=tla,appName=nimve,event#=edutpe,eventType=Login,usrGroup=tenb,usrAuth=True,application="billoinv",osUsername=asia,srcHost=rsitam4260.api.home,dbName=iumto,schemaName=ciun,bindVar=prehe,sqlError=unknown,respSize=545,respTime=157.352000,affRows=nemul,action="block",rawQuery="nsequa" -%IMPERVA-Imperva,event#=evolu,createTime=2018-12-07 16:17:40,eventType=quidolo,eventSev=medium,username=destlabo,subsystem=fficia,message="utaliqui" -%IMPERVA-Imperva,dstIP=10.121.189.113,dstPort=5635,dbUsername=lapa,srcIP=10.13.86.14,srcPort=798,creatTime=21 December 2018 
23:20:14,srvGroup=isiutali,service=upidatat,appName=non,event#=Sed,eventType=Login,usrGroup=commod,usrAuth=True,application="equ",osUsername=turvelil,srcHost=lor5252.host,dbName=unt,schemaName=volu,bindVar=iineavo,sqlError=failure,respSize=7284,respTime=172.281000,affRows=tenbyC,action="accept",rawQuery="itquii" -%IMPERVA-Imperva,dstIP=10.32.220.188,dstPort=2394,dbUsername=ectob,srcIP=10.50.195.220,srcPort=1255,creatTime=2019-01-05 06:22:49,srvGroup=orro,service=quepo,appName=tDuisa,event#=iscive,eventType=Logout,usrGroup=prehende,usrAuth=True,application="volup",osUsername=nimi,srcHost=niamqu3513.api.example,dbName=seddoeiu,schemaName=lorinrep,bindVar=isq,sqlError=failure,respSize=2636,respTime=44.636000,affRows=ione,action="accept",rawQuery="abor" -%IMPERVA-Imperva,dstIP=10.189.155.253,dstPort=984,dbUsername=iutaliqu,srcIP=10.29.74.57,srcPort=4226,creatTime=19 January 2019 13:25:23,srvGroup=tam,service=uovo,appName=scivelit,event#=enimadm,eventType=Login,usrGroup=empo,usrAuth=False,application="apa",osUsername=colab,srcHost=sistenat115.mail.local,dbName=Sedutper,schemaName=exe,bindVar=writt,sqlError=unknown,respSize=3432,respTime=35.197000,affRows=amqua,action="allow",rawQuery="taliquip" -%IMPERVA-Imperva,dstIP=10.107.41.59,dstPort=926,dbUsername=oreseo,srcIP=10.149.2.62,srcPort=7493,creatTime=2019-02-02 20:27:57,srvGroup=maven,service=tectob,appName=sequamn,event#=uiaco,eventType=acom,usrGroup=modi,usrAuth=atisun,application="ntu",osUsername=utal,srcHost=ptatev4160.internal.home,dbName=tionemu,schemaName=edictasu,bindVar=quipexea,sqlError=unknown,respSize=3008,respTime=47.865000,affRows=mnis,action="block",rawQuery="aborumSe" -%IMPERVA-Imperva,alert#=laborio,event#=aaliqu,createTime=2019-02-17 
03:30:32,updateTime=tevelit,alertSev=low,group=mid,ruleName="henderi",evntDesc="consec",category=dquia,disposition=cep,eventType=erit,proto=udp,srcPort=3382,srcIP=10.11.237.65,dstPort=4062,dstIP=10.20.211.186,policyName="tionem",occurrences=3743,httpHost=olu,webMethod=cae,url="https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi",webQuery="siarch",soapAction=oloremi,resultCode=ididu,sessionID=uov,username=ncidid,addUsername=audantiu,responseTime=lmolest,responseSize=miurerep,direction=orsitame,dbUsername=Sed,queryGroup=isau,application="temvele",srcHost=ntutl6493.mail.home,osUsername=ptassit,schemaName=olo,dbName=ataevit,hdrName=ficiad,action=accept -%IMPERVA-Imperva,dstIP=10.190.18.213,dstPort=2201,dbUsername=rror,srcIP=10.177.60.55,srcPort=7799,creatTime=3 March 2019 10:33:06,srvGroup=tut,service=umdol,appName=nseq,event#=autodita,eventType=Login,usrGroup=loreme,usrAuth=True,application="eratv",osUsername=tametcon,srcHost=orsi1332.www5.corp,dbName=dolorsi,schemaName=etdolore,bindVar=taevita,sqlError=unknown,respSize=7327,respTime=93.075000,affRows=luptatem,action="block",rawQuery="cons" -%IMPERVA-Imperva,dstIP=10.173.169.212,dstPort=292,dbUsername=oinB,srcIP=10.131.253.222,srcPort=1239,creatTime=17 March 2019 17:35:40,srvGroup=enatuser,service=uia,appName=sistena,event#=reetdolo,eventType=Login,usrGroup=psam,usrAuth=False,application="litseddo",osUsername=orumet,srcHost=aliqu5109.www.test,dbName=sun,schemaName=utod,bindVar=queips,sqlError=unknown,respSize=6659,respTime=138.450000,affRows=riatu,action="cancel",rawQuery="serrors" -%IMPERVA-Imperva,dstIP=10.33.131.63,dstPort=1437,dbUsername=imven,srcIP=10.5.54.131,srcPort=1411,creatTime=2019-04-01 
00:38:14,srvGroup=sectetu,service=quiratio,appName=aincidu,event#=eseo,eventType=lum,usrGroup=CSe,usrAuth=umqu,application="aeratvol",osUsername=psamvolu,srcHost=urQui381.mail.example,dbName=ionev,schemaName=liq,bindVar=utlab,sqlError=failure,respSize=587,respTime=125.240000,affRows=tassi,action="cancel",rawQuery="orinre" -%IMPERVA-Imperva,dstIP=10.164.123.69,dstPort=2543,dbUsername=litesse,srcIP=10.161.51.238,srcPort=1809,creatTime=2019-04-15 07:40:49,srvGroup=odt,service=riatur,appName=oremeumf,event#=volupt,eventType=Logout,usrGroup=dicon,usrAuth=False,application="psumquia",osUsername=xercitat,srcHost=giatq1967.api.test,dbName=citat,schemaName=xeacomm,bindVar=itvolup,sqlError=success,respSize=5031,respTime=124.913000,affRows=reetd,action="cancel",rawQuery="ngelit" -%IMPERVA-Imperva,dstIP=10.112.73.97,dstPort=6125,dbUsername=quinesc,srcIP=10.227.144.202,srcPort=3803,creatTime=2019-04-29 14:43:23,srvGroup=doeiusmo,service=tev,appName=elaudant,event#=ratvolu,eventType=odte,usrGroup=enderitq,usrAuth=nnumquam,application="abori",osUsername=uelauda,srcHost=urQuis7078.www5.domain,dbName=rumS,schemaName=uelau,bindVar=quidolor,sqlError=failure,respSize=2469,respTime=53.441000,affRows=quinesci,action="accept",rawQuery="lpaqui" -%IMPERVA-Imperva,event#=utlabo,createTime=2019-05-13 21:45:57,eventType=scip,eventSev=low,username=voluptas,subsystem=inv,message="upta" -%IMPERVA-Imperva,dstIP=10.185.248.253,dstPort=3804,dbUsername=nisi,srcIP=10.76.165.58,srcPort=1381,creatTime=28 May 2019 04:48:31,srvGroup=dipis,service=nderitin,appName=ernatu,event#=usant,eventType=Login,usrGroup=uidolore,usrAuth=False,application="litse",osUsername=ugitse,srcHost=utfugi6811.mail.host,dbName=psum,schemaName=amqua,bindVar=mavenia,sqlError=failure,respSize=4963,respTime=99.486000,affRows=ssuscipi,action="block",rawQuery="eturadi" -%IMPERVA-Imperva,alert#=evelit,event#=oluptat,createTime=2019-06-11 
11:51:06,updateTime=ditem,alertSev=low,group=pisciv,ruleName="equamnih",evntDesc="rationev",category=etco,disposition=usanti,eventType=itessec,proto=ipv6,srcPort=2772,srcIP=10.163.27.208,dstPort=5686,dstIP=10.177.36.122,policyName="reseo",occurrences=4087,httpHost=iutaliq,webMethod=oriosamn,url="https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt",webQuery="orporiss",soapAction=iamq,resultCode=edolo,sessionID=oditempo,username=eFini,addUsername=ritin,responseTime=iosam,responseSize=olup,direction=eav,dbUsername=archi,queryGroup=nes,application="atvolupt",srcHost=umwritt2172.www.localhost,osUsername=ept,schemaName=avolu,dbName=aaliq,hdrName=olupta,action=accept -%IMPERVA-Imperva,dstIP=10.35.215.152,dstPort=7489,dbUsername=ium,srcIP=10.143.175.148,srcPort=796,creatTime=25 June 2019 18:53:40,srvGroup=tame,service=olo,appName=vel,event#=equamn,eventType=Login,usrGroup=tempora,usrAuth=True,application="enimip",osUsername=itaspern,srcHost=lupta602.mail.localdomain,dbName=uisno,schemaName=etdo,bindVar=edictas,sqlError=failure,respSize=6141,respTime=167.299000,affRows=urerepr,action="block",rawQuery="Maloru" -%IMPERVA-Imperva,dstIP=10.254.252.105,dstPort=146,dbUsername=asp,srcIP=10.25.246.131,srcPort=212,creatTime=2019-07-10 01:56:14,srvGroup=unde,service=raut,appName=suscip,event#=ectetu,eventType=Logout,usrGroup=rem,usrAuth=False,application="ariat",osUsername=ptatemU,srcHost=eriam2051.api.host,dbName=upid,schemaName=ataev,bindVar=nsecte,sqlError=unknown,respSize=2949,respTime=96.394000,affRows=tutla,action="allow",rawQuery="hitect" -%IMPERVA-Imperva,dstIP=10.248.16.82,dstPort=6834,dbUsername=loinv,srcIP=10.44.179.66,srcPort=357,creatTime=24 July 2019 
08:58:48,srvGroup=xercit,service=avolup,appName=etdo,event#=tuserror,eventType=Login,usrGroup=nisiutal,usrAuth=False,application="pisciv",osUsername=proiden,srcHost=cita2058.test,dbName=nul,schemaName=xercita,bindVar=tametco,sqlError=success,respSize=2353,respTime=43.922000,affRows=ididunt,action="accept",rawQuery="eum" -%IMPERVA-Imperva,alert#=tlabo,event#=iameaque,createTime=2019-08-07 16:01:23,updateTime=sautemve,alertSev=high,group=emoe,ruleName="ameiusmo",evntDesc="ntiumtot",category=aeab,disposition=idolo,eventType=temac,proto=ipv6,srcPort=622,srcIP=10.55.166.205,dstPort=4048,dstIP=10.88.53.149,policyName="iut",occurrences=6219,httpHost=tess,webMethod=ionulamc,url="https://www.example.net/umSecti/emaccu.html?atu=ddo#veli",webQuery="ata",soapAction=untmoll,resultCode=ididun,sessionID=olo,username=tqui,addUsername=oru,responseTime=ehender,responseSize=abo,direction=onsec,dbUsername=econse,queryGroup=iac,application="cingel",srcHost=siarchit2807.invalid,osUsername=strumex,schemaName=reseosqu,dbName=atus,hdrName=fugiatq,action="allow",errormsg="success" -%IMPERVA-Imperva,alert#=dquiaco,event#=rumw,createTime=2019-08-21 23:03:57,updateTime=ula,alertSev=high,group=uidolore,ruleName="quam",evntDesc="rsitvo",category=esciuntN,disposition=ritatis,eventType=ionevo,proto=rdp,srcPort=7851,srcIP=10.116.180.96,dstPort=1799,dstIP=10.199.117.125,policyName="dolor",occurrences=6700,httpHost=equinesc,webMethod=ectet,url="https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu",webQuery="nrep",soapAction=lauda,resultCode=ionevo,sessionID=busB,username=pidatatn,addUsername=ipsamvol,responseTime=tconse,responseSize=ima,direction=nimaveni,dbUsername=cepteurs,queryGroup=siutaliq,application="aliqu",srcHost=serro1855.internal.invalid,osUsername=iof,schemaName=ciun,dbName=ssitaspe,hdrName=deomnis,action=cancel -%IMPERVA-Imperva,dstIP=10.64.76.110,dstPort=2200,dbUsername=ptate,srcIP=10.250.226.105,srcPort=4867,creatTime=5 September 2019 
06:06:31,srvGroup=atur,service=aquaeabi,appName=olupt,event#=dolor,eventType=Login,usrGroup=fficiade,usrAuth=False,application="rsi",osUsername=imidest,srcHost=ulamc2151.www5.corp,dbName=dip,schemaName=ommod,bindVar=sisten,sqlError=failure,respSize=6041,respTime=43.322000,affRows=nihi,action="cancel",rawQuery="orumetMa" -%IMPERVA-Imperva,alert#=teturad,event#=nesciu,createTime=2019-09-19 13:09:05,updateTime=ueip,alertSev=low,group=orumSe,ruleName="mSe",evntDesc="itame",category=quaturv,disposition=lumdolor,eventType=persp,proto=ggp,srcPort=7684,srcIP=10.29.141.252,dstPort=2077,dstIP=10.164.52.43,policyName="orum",occurrences=249,httpHost=itvolup,webMethod=atemq,url="https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq",webQuery="aturve",soapAction=tquasiar,resultCode=eetd,sessionID=orem,username=seq,addUsername=cus,responseTime=tnulap,responseSize=amquisno,direction=epreh,dbUsername=uepo,queryGroup=llumqui,application="sedqu",srcHost=ipitlabo5092.local,osUsername=Nemoe,schemaName=reverit,dbName=neavolup,hdrName=uaturve,action="block",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application="admi",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action="cancel",rawQuery="xercitat" +%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 
10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName="tionof",evntDesc="snostrud",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName="bor",occurrences=7243,httpHost=hitect,webMethod=dol,url="https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug",webQuery="lit",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application="eaq",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel +%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName="volupt",evntDesc="osqui",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName="eprehend",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url="https://example.net/tlabo/uames.gif?mpo=offi#giatnu",webQuery="ulapa",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application="onsecte",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept +%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application="atcu",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action="accept",rawQuery="rau" +%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application="tlabore",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action="cancel",rawQuery="tenbyCi" +%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application="temqu",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action="deny",rawQuery="uamni" +%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application="esciuntN",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action="block",rawQuery="ofdeFini" +%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application="cusant",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action="accept",rawQuery="uia" +%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 
11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application="tutlab",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action="block",rawQuery="orumSe" +%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName="tconsect",evntDesc="aquae",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName="eumiure",occurrences=4603,httpHost=ima,webMethod=quasia,url="https://example.org/umwrit/uptate.html?ctetura=aveni#elit",webQuery="seosqui",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application="cinge",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action="accept",errormsg="unknown" +%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName="tenim",evntDesc="rumet",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName="ama",occurrences=332,httpHost=runtmol,webMethod=texpli,url="https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele",webQuery="isis",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application="ationev",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny +%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 
08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application="onula",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action="block",rawQuery="uisaute" +%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application="mvolu",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action="deny",rawQuery="amcor" +%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application="nofd",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action="accept",rawQuery="borisnis" +%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application="tla",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action="cancel",rawQuery="reetd" +%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message="volupt" +%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 
19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application="itationu",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action="deny",rawQuery="mmodoc" +%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application="rcit",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action="allow",rawQuery="aturve" +%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application="eprehend",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action="cancel",rawQuery="ccae" +%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 
17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName="tatem",evntDesc="iae",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName="saquaea",occurrences=6344,httpHost=eetd,webMethod=illu,url="https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur",webQuery="tionula",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application="asuntexp",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action="deny",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application="roquisqu",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action="cancel",rawQuery="inrepreh" +%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName="natu",evntDesc="liquid",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName="radipisc",occurrences=5347,httpHost=nibus,webMethod=vitaed,url="https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo",webQuery="atemUte",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application="osamnis",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action="allow",errormsg="unknown" 
+%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application="tiumto",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action="block",rawQuery="equamnih" +%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName="licaboNe",evntDesc="tautfug",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName="ici",occurrences=7102,httpHost=mips,webMethod=itae,url="https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu",webQuery="tan",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application="usantiu",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block +%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application="acom",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action="accept",rawQuery="reet" +%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 
11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application="lestia",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action="block",rawQuery="uames" +%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application="tametco",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action="block",rawQuery="prehen" +%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application="emi",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action="block",rawQuery="edutp" +%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message="temvele" +%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName="ibusBo",evntDesc="orin",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName="tatemse",occurrences=4493,httpHost=amqui,webMethod=lamco,url="https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi",webQuery="tlabore",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application="itsedd",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action="block",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application="dat",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action="block",rawQuery="iav" +%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application="tis",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action="allow",rawQuery="tconse" +%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message="nturmag" +%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 
19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application="taevit",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action="cancel",rawQuery="aquae" +%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application="ptat",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action="block",rawQuery="velillum" +%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName="emipsumq",evntDesc="culpaq",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName="adipisc",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url="https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui",webQuery="lup",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application="iades",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action="cancel",errormsg="success" +%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message="Quisa" +%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 
23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName="iuntN",evntDesc="utfugi",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName="exeacomm",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url="https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs",webQuery="ercitati",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application="edquia",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action="accept",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application="apari",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action="deny",rawQuery="eumiu" +%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application="ptatemse",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action="cancel",rawQuery="Except" +%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message="inBCSedu" +%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 
04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application="dictasun",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action="accept",rawQuery="quovo" +%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application="rumex",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action="block",rawQuery="ihil" +%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application="itaedi",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action="block",rawQuery="onorumet" +%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application="itation",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action="allow",rawQuery="liquid" +%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName="vol",evntDesc="epteurs",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName="yCice",occurrences=508,httpHost=ionem,webMethod=taevitae,url="https://api.example.net/quam/saute.htm?nostru=docons#emipsumq",webQuery="orinr",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application="conse",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action="allow",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application="oloremq",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action="allow",rawQuery="mto" +%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application="umdolo",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action="block",rawQuery="ipex" +%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 
05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application="mea",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action="block",rawQuery="liq" +%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application="itatis",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action="block",rawQuery="hende" +%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName="tiumd",evntDesc="atuse",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName="nulapari",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url="https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia",webQuery="edquiac",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application="eritin",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action="cancel",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application="tatemse",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action="deny",rawQuery="BCSedutp" 
+%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName="eabil",evntDesc="ibusB",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName="siarch",occurrences=7468,httpHost=setq,webMethod=rumwr,url="https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd",webQuery="ntore",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application="caecat",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action="deny",errormsg="success" +%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application="utod",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action="deny",rawQuery="nemullam" +%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application="uasiarch",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action="accept",rawQuery="oremagn" +%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 
06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName="tutlabo",evntDesc="nto",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName="sintoc",occurrences=7580,httpHost=laboris,webMethod=ali,url="https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa",webQuery="sunt",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application="amqua",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel +%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName="atu",evntDesc="adeseru",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName="datatno",occurrences=3538,httpHost=siar,webMethod=orisnis,url="https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco",webQuery="ommodoco",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application="stenat",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny +%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application="tau",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action="block",rawQuery="ant" +%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application="qua",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action="deny",rawQuery="onevol" +%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application="dolor",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action="cancel",rawQuery="dquiaco" +%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application="abo",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action="cancel",rawQuery="equuntu" +%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application="velitess",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action="cancel",rawQuery="cepteurs" +%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 
07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName="ptate",evntDesc="enimips",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName="ctas",occurrences=7128,httpHost=sequ,webMethod=gna,url="https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod",webQuery="tur",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application="rorsitv",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel +%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message="deserun" +%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message="utali" +%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application="urere",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action="cancel",rawQuery="quatu" +%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application="enim",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action="accept",rawQuery="lamco" +%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message="cepte" +%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application="uidolore",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action="cancel",rawQuery="porinci" +%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message="nos" +%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application="entsu",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action="allow",rawQuery="uovo" +%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application="natuser",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action="allow",rawQuery="byCicer" +%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 
06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application="cept",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action="cancel",rawQuery="maven" +%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application="aaliqu",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action="allow",rawQuery="ipex" +%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application="siarch",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action="cancel",rawQuery="ita" +%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application="riaturE",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action="accept",rawQuery="non" +%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application="cons",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action="block",rawQuery="cusan" +%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application="ser",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action="cancel",rawQuery="ore" +%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message="ntutla" +%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application="exerc",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action="accept",rawQuery="econsequ" +%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application="cca",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action="block",rawQuery="nul" +%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 
21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application="uat",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action="allow",rawQuery="sperna" +%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName="busBonor",evntDesc="enima",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName="eab",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url="https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu",webQuery="suntincu",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application="eumiurer",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow +%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message="ten" +%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application="etdo",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action="cancel",rawQuery="osquira" +%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 
01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application="ididun",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action="allow",rawQuery="seos" +%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application="tvol",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action="deny",rawQuery="edquian" +%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application="enatuser",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action="deny",rawQuery="ipsamvol" +%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName="uisnos",evntDesc="loi",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName="aqueipsa",occurrences=5863,httpHost=ide,webMethod=atcupi,url="https://www.example.com/sit/ugi.gif?sitametc=rur#edut",webQuery="sitametc",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application="uptateve",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block 
+%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName="alorumwr",evntDesc="pis",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName="atemq",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url="https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem",webQuery="plicab",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application="olorinr",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action="allow",errormsg="failure" +%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName="eabill",evntDesc="itatiset",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName="emveleu",occurrences=4029,httpHost=norumet,webMethod=tconse,url="https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo",webQuery="lestia",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application="untmoll",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action="deny",errormsg="success" %IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application="ameiusm",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action="deny",rawQuery="natus" 
-%IMPERVA-Imperva,dstIP=10.66.163.3,dstPort=1085,dbUsername=aeconseq,srcIP=10.9.126.156,srcPort=628,creatTime=2019-10-18 03:14:14,srvGroup=mqu,service=inima,appName=emipsum,event#=venia,eventType=Logout,usrGroup=Loremi,usrAuth=True,application="uisnostr",osUsername=accusa,srcHost=utod6468.mail.test,dbName=dipi,schemaName=asnulapa,bindVar=atev,sqlError=success,respSize=7469,respTime=147.141000,affRows=ipiscin,action="accept",rawQuery="tionu" -%IMPERVA-Imperva,event#=uidexea,createTime=2019-11-01 10:16:48,eventType=odtem,eventSev=high,username=mipsa,subsystem=teturad,message="nimide" -%IMPERVA-Imperva,alert#=writ,event#=ema,createTime=2019-11-15 17:19:22,updateTime=ioffici,alertSev=medium,group=uunt,ruleName="pic",evntDesc="unt",category=emUt,disposition=eiru,eventType=sauteir,proto=tcp,srcPort=3341,srcIP=10.220.106.170,dstPort=7276,dstIP=10.217.176.124,policyName="elillum",occurrences=1318,httpHost=reetdo,webMethod=pidatatn,url="https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre",webQuery="upta",soapAction=mvolupt,resultCode=mseq,sessionID=consequ,username=min,addUsername=riame,responseTime=gnaal,responseSize=nti,direction=tetura,dbUsername=utlab,queryGroup=colabo,application="ditem",srcHost=did2502.mail.example,osUsername=itsedq,schemaName=uisaute,dbName=iaturEx,hdrName=apa,action=cancel -%IMPERVA-Imperva,dstIP=10.9.248.95,dstPort=2294,dbUsername=iatquovo,srcIP=10.120.18.135,srcPort=6260,creatTime=2019-11-30 00:21:57,srvGroup=itametc,service=oremip,appName=isundeo,event#=eli,eventType=Logout,usrGroup=ore,usrAuth=False,application="ips",osUsername=ratvolup,srcHost=iamqu4015.www5.lan,dbName=tsunti,schemaName=ero,bindVar=iusmodi,sqlError=unknown,respSize=6969,respTime=36.585000,affRows=oreetd,action="deny",rawQuery="Loremips" -%IMPERVA-Imperva,dstIP=10.249.76.99,dstPort=7480,dbUsername=xercita,srcIP=10.109.203.111,srcPort=6875,creatTime=14 December 2019 
07:24:31,srvGroup=atemquia,service=rumwritt,appName=tio,event#=aconseq,eventType=Login,usrGroup=erit,usrAuth=False,application="quaeab",osUsername=uis,srcHost=eirured1366.mail.domain,dbName=ntexp,schemaName=atio,bindVar=roquisqu,sqlError=success,respSize=3516,respTime=151.020000,affRows=molestia,action="block",rawQuery="boreetdo" +%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName="nevo",evntDesc="stiaec",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName="iutaliqu",occurrences=3711,httpHost=onsectet,webMethod=iat,url="https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip",webQuery="iquaUte",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application="urEx",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action="block",errormsg="success" +%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application="uptatemU",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action="block",rawQuery="tmollit" +%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 
17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName="ommodi",evntDesc="ritat",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName="tla",occurrences=2608,httpHost=ender,webMethod=quid,url="https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema",webQuery="ioffici",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application="emquia",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel
+%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application="tetura",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action="deny",rawQuery="nemu"
+%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application="exerci",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action="accept",rawQuery="icer"
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
index 978f34e6651..28b4b361db2 100644
--- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
@@ -9,8 +9,9 @@
 "event.dataset": "imperva.securesphere",
 "event.module": "imperva",
 "event.original": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"",
- "event.outcome": "Success",
+ "event.outcome": "success",
 "fileset.name": "securesphere",
+ "group.name": "ommod",
 "host.hostname": "radipis5408.mail.local",
 "input.type": "log",
 "log.offset": 0,
@@ -19,13 +20,13 @@
 "observer.type": "WAF",
 "observer.vendor": "Imperva",
 "related.ip": [
- "10.81.122.126",
- "10.70.155.35"
+ "10.70.155.35",
+ "10.81.122.126"
 ],
 "related.user": [
+ "magn",
 "aqui",
- "tatno",
- "magn"
+ "tatno"
 ],
 "rsa.counters.dclass_c1": 5910,
 "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -96,6 +97,7 @@
 "event.module": "imperva",
 "event.original": "%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application=\"taliqu\",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action=\"accept\",rawQuery=\"ehenderi\"",
 "fileset.name": "securesphere",
+ "group.name": "oll",
 "host.hostname": "ccusan7572.api.home",
 "input.type": "log",
 "log.offset": 580,
@@ -108,9 +110,9 @@
 "10.58.116.231"
 ],
 "related.user": [
- "uradi",
 "temUten",
- "qua"
+ "qua",
+ "uradi"
 ],
 "rsa.counters.dclass_c1": 3626,
 "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -140,394 +142,400 @@ }, { "destination.ip": [ - "10.157.161.103" + "10.232.27.250" ], - "destination.port": 4782, - "event.action": "deny", + "destination.port": 7838, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=amqu,event#=uines,createTime=2016-03-12 03:17:42,updateTime=nsec,alertSev=medium,group=estqu,ruleName=\"inibusBo\",evntDesc=\"tat\",category=tion,disposition=eataev,eventType=liquide,proto=icmp,srcPort=4515,srcIP=10.64.70.5,dstPort=4782,dstIP=10.157.161.103,policyName=\"eritquii\",occurrences=3561,httpHost=riat,webMethod=taut,url=\"https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium\",webQuery=\"iciatisu\",soapAction=rehender,resultCode=eporroqu,sessionID=uat,username=tem,addUsername=est,responseTime=iineavo,responseSize=equatD,direction=isno,dbUsername=taliq,queryGroup=intoccae,application=\"ents\",srcHost=pida2286.internal.home,osUsername=emeumfu,schemaName=CSed,dbName=lupt,hdrName=psaquae,action=\"deny\",errormsg=\"success\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application=\"admi\",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action=\"cancel\",rawQuery=\"xercitat\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "pida2286.internal.home", + "group.name": "luptatev", + "host.hostname": "elaudant5931.internal.invalid", "input.type": "log", - "log.level": "medium", "log.offset": 1023, - "network.application": "ents", - "network.direction": "isno", - "network.protocol": "icmp", + "network.application": "admi", "observer.product": "Secure", 
"observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.64.70.5", - "10.157.161.103" + "10.232.27.250", + "10.18.124.28" ], "related.user": [ - "CSed", - "emeumfu", - "tem" + "lapariat", + "mquidol", + "modocons" ], - "rsa.counters.event_counter": 3561, - "rsa.db.database": "lupt", - "rsa.internal.event_desc": "tat", + "rsa.counters.dclass_c1": 6564, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lores", + "rsa.db.index": "xercitat", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "taut", - "deny" + "cancel" ], - "rsa.misc.category": "tion", - "rsa.misc.disposition": "eataev", - "rsa.misc.event_type": "liquide", - "rsa.misc.group": "estqu", - "rsa.misc.log_session_id": "uat", - "rsa.misc.operation_id": "amqu", - "rsa.misc.policy_name": "eritquii", - "rsa.misc.result": "success", - "rsa.misc.result_code": "eporroqu", - "rsa.misc.rule_name": "inibusBo", - "rsa.misc.severity": "medium", + "rsa.misc.event_type": "Login", + "rsa.misc.group": "luptatev", + "rsa.misc.group_object": "rsitamet", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 87.496, "rsa.time.starttime": "2016-03-12T05:17:42.000Z", - "rsa.web.alias_host": "riat", - "rule.name": "inibusBo", "service.type": "imperva", - "source.address": "pida2286.internal.home", + "source.address": "elaudant5931.internal.invalid", "source.ip": [ - "10.64.70.5" + "10.18.124.28" ], - "source.port": 4515, + "source.port": 7668, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://api.example.org/uames/tati.jpg?isnostru=iquaUten#santium", - "url.query": "iciatisu", - "user.name": "tem" + "user.name": "mquidol" }, { "destination.ip": [ - "10.230.76.224" + "10.197.250.10" ], - "destination.port": 5715, - "event.action": "accept", + "destination.port": 5697, + 
"event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=datatn,event#=mqu,createTime=2016-03-26 10:20:16,updateTime=apariat,alertSev=high,group=eFinib,ruleName=\"ihilm\",evntDesc=\"atDu\",category=eav,disposition=ionevo,eventType=remagn,proto=tcp,srcPort=5005,srcIP=10.47.202.102,dstPort=5715,dstIP=10.230.76.224,policyName=\"licab\",occurrences=3339,httpHost=aturve,webMethod=emulla,url=\"https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu\",webQuery=\"ice\",soapAction=estiae,resultCode=sci,sessionID=oei,username=tlabori,addUsername=oin,responseTime=lapari,responseSize=data,direction=dolor,dbUsername=nnum,queryGroup=eritqu,application=\"uradip\",srcHost=wri2784.api.domain,osUsername=hitect,schemaName=dol,dbName=leumiu,hdrName=namali,action=accept", + "event.original": "%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName=\"tionof\",evntDesc=\"snostrud\",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName=\"bor\",occurrences=7243,httpHost=hitect,webMethod=dol,url=\"https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug\",webQuery=\"lit\",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application=\"eaq\",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel", "fileset.name": "securesphere", - "host.hostname": "wri2784.api.domain", + "group.name": "laborum", + "host.hostname": "amest4147.mail.host", "input.type": "log", "log.level": "high", - "log.offset": 1782, - "network.application": "uradip", - "network.direction": "dolor", - "network.protocol": "tcp", + "log.offset": 1487, + "network.application": 
"eaq", + "network.direction": "external", + "network.protocol": "icmp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.47.202.102", - "10.230.76.224" + "10.6.137.200", + "10.197.250.10" ], "related.user": [ - "dol", - "tlabori", - "hitect" + "oluptas", + "occae", + "intoc" ], - "rsa.counters.event_counter": 3339, - "rsa.db.database": "leumiu", - "rsa.internal.event_desc": "atDu", + "rsa.counters.event_counter": 7243, + "rsa.db.database": "tNequepo", + "rsa.internal.event_desc": "snostrud", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "emulla" - ], - "rsa.misc.category": "eav", - "rsa.misc.disposition": "ionevo", - "rsa.misc.event_type": "remagn", - "rsa.misc.group": "eFinib", - "rsa.misc.log_session_id": "oei", - "rsa.misc.operation_id": "datatn", - "rsa.misc.policy_name": "licab", - "rsa.misc.result_code": "sci", - "rsa.misc.rule_name": "ihilm", + "dol", + "cancel" + ], + "rsa.misc.category": "nama", + "rsa.misc.disposition": "quisnos", + "rsa.misc.event_type": "ite", + "rsa.misc.group": "laborum", + "rsa.misc.log_session_id": "eaq", + "rsa.misc.operation_id": "ationemu", + "rsa.misc.policy_name": "bor", + "rsa.misc.result_code": "estia", + "rsa.misc.rule_name": "tionof", "rsa.misc.severity": "high", "rsa.time.starttime": "2016-03-26T12:20:16.000Z", - "rsa.web.alias_host": "aturve", - "rule.name": "ihilm", + "rsa.web.alias_host": "hitect", + "rule.name": "tionof", "service.type": "imperva", - "source.address": "wri2784.api.domain", + "source.address": "amest4147.mail.host", "source.ip": [ - "10.47.202.102" + "10.6.137.200" ], - "source.port": 5005, + "source.port": 2707, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://mail.example.com/aaliquaU/ntor.html?ern=psaquae#ationemu", - "url.query": "ice", - "user.name": "tlabori" + "url.original": "https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug", + "url.query": "lit", + "user.name": 
"occae" }, { "destination.ip": [ - "10.10.38.139" + "10.36.194.106" ], - "destination.port": 189, - "event.action": "block", + "destination.port": 5473, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.10.38.139,dstPort=189,dbUsername=ari,srcIP=10.32.67.231,srcPort=1250,creatTime=9 April 2016 17:22:51,srvGroup=quamnih,service=oluptate,appName=onseq,event#=serunt,eventType=Login,usrGroup=aquaeabi,usrAuth=False,application=\"lita\",osUsername=adeseru,srcHost=emoe6540.www.domain,dbName=itanimi,schemaName=itame,bindVar=intoc,sqlError=success,respSize=2628,respTime=175.601000,affRows=dantiumt,action=\"block\",rawQuery=\"nula\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName=\"volupt\",evntDesc=\"osqui\",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName=\"eprehend\",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url=\"https://example.net/tlabo/uames.gif?mpo=offi#giatnu\",webQuery=\"ulapa\",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application=\"onsecte\",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept", "fileset.name": "securesphere", - "host.hostname": "emoe6540.www.domain", + "group.name": "tlab", + "host.hostname": "eratv6205.internal.lan", "input.type": "log", - "log.offset": 2506, - "network.application": "lita", + "log.level": "medium", + "log.offset": 2221, + "network.application": "onsecte", + "network.direction": "outbound", + "network.protocol": "igmp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": 
"Imperva", "related.ip": [ - "10.32.67.231", - "10.10.38.139" + "10.36.194.106", + "10.179.124.125" ], "related.user": [ - "itame", - "adeseru", - "ari" + "reme", + "ncidid", + "acommod" ], - "rsa.counters.dclass_c1": 2628, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "itanimi", - "rsa.db.index": "nula", + "rsa.counters.event_counter": 2462, + "rsa.db.database": "uaUteni", + "rsa.internal.event_desc": "osqui", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "lamcolab", + "accept" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "aquaeabi", - "rsa.misc.group_object": "quamnih", - "rsa.misc.result": "success", - "rsa.time.duration_time": 175.601, + "rsa.misc.category": "xerc", + "rsa.misc.disposition": "iutali", + "rsa.misc.event_type": "fdeFi", + "rsa.misc.group": "tlab", + "rsa.misc.log_session_id": "uptate", + "rsa.misc.operation_id": "sperna", + "rsa.misc.policy_name": "eprehend", + "rsa.misc.result_code": "quioffi", + "rsa.misc.rule_name": "volupt", + "rsa.misc.severity": "medium", "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "rsa.web.alias_host": "dutper", + "rule.name": "volupt", "service.type": "imperva", - "source.address": "emoe6540.www.domain", + "source.address": "eratv6205.internal.lan", "source.ip": [ - "10.32.67.231" + "10.179.124.125" ], - "source.port": 1250, + "source.port": 1696, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "ari" + "url.original": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", + "url.query": "ulapa", + "user.name": "ncidid" }, { "destination.ip": [ - "10.133.189.215" + "10.129.149.43" ], - "destination.port": 7865, - "event.action": "block", + "destination.port": 3304, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
"event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.133.189.215,dstPort=7865,dbUsername=evita,srcIP=10.206.97.204,srcPort=146,creatTime=2016-04-24 00:25:25,srvGroup=magni,service=pisciv,appName=iquidex,event#=radipisc,eventType=tmo,usrGroup=fficiade,usrAuth=uscipit,application=\"vitaedi\",osUsername=fugitse,srcHost=veniamq1608.www.localdomain,dbName=colab,schemaName=ommodico,bindVar=quatD,sqlError=failure,respSize=4842,respTime=67.309000,affRows=tenima,action=\"block\",rawQuery=\"sperna\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application=\"atcu\",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action=\"accept\",rawQuery=\"rau\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "veniamq1608.www.localdomain", + "group.name": "dexea", + "host.hostname": "didunt1355.corp", "input.type": "log", - "log.offset": 2954, - "network.application": "vitaedi", + "log.offset": 2965, + "network.application": "atcu", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.133.189.215", - "10.206.97.204" + "10.211.105.204", + "10.129.149.43" ], "related.user": [ - "ommodico", - "evita", - "fugitse" + "eveli", + "orema", + "labor" ], - "rsa.counters.dclass_c1": 4842, + "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "colab", - "rsa.db.index": "sperna", + "rsa.db.database": "udan", + "rsa.db.index": "rau", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Authentication", "rsa.misc.action": [ - "block" + "accept" ], - "rsa.misc.event_type": "tmo", - "rsa.misc.group": "fficiade", - "rsa.misc.group_object": "magni", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "dexea", + "rsa.misc.group_object": "aliquide", "rsa.misc.result": "failure", - "rsa.time.duration_time": 67.309, + "rsa.time.duration_time": 74.098, "rsa.time.starttime": "2016-04-24T02:25:25.000Z", "service.type": "imperva", - "source.address": "veniamq1608.www.localdomain", + "source.address": "didunt1355.corp", "source.ip": [ - "10.206.97.204" + "10.211.105.204" ], - "source.port": 146, + "source.port": 2742, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "evita" + "user.name": "eveli" }, { "destination.ip": [ - "10.145.248.111" + "10.214.191.180" ], - "destination.port": 95, - "event.action": "deny", + "destination.port": 5848, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.145.248.111,dstPort=95,dbUsername=tectobe,srcIP=10.148.106.167,srcPort=4285,creatTime=8 May 2016 07:27:59,srvGroup=ntocc,service=uteirure,appName=nevo,event#=ide,eventType=Login,usrGroup=aali,usrAuth=False,application=\"adip\",osUsername=tium,srcHost=nnum5428.internal.host,dbName=tco,schemaName=uae,bindVar=officiad,sqlError=success,respSize=3994,respTime=57.835000,affRows=madmi,action=\"deny\",rawQuery=\"turadip\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application=\"tlabore\",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action=\"cancel\",rawQuery=\"tenbyCi\"", + "event.outcome": "failure", 
"fileset.name": "securesphere", - "host.hostname": "nnum5428.internal.host", + "group.name": "luptatev", + "host.hostname": "pora6854.www5.home", "input.type": "log", - "log.offset": 3416, - "network.application": "adip", + "log.offset": 3402, + "network.application": "tlabore", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.145.248.111", - "10.148.106.167" + "10.214.191.180", + "10.112.250.193" ], "related.user": [ - "uae", - "tium", - "tectobe" + "Exc", + "ipsumdol", + "ide" ], - "rsa.counters.dclass_c1": 3994, + "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tco", - "rsa.db.index": "turadip", + "rsa.db.database": "nevo", + "rsa.db.index": "tenbyCi", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny" + "cancel" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "aali", - "rsa.misc.group_object": "ntocc", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "luptatev", + "rsa.misc.group_object": "urerepr", "rsa.misc.result": "success", - "rsa.time.duration_time": 57.835, + "rsa.time.duration_time": 49.573, "rsa.time.starttime": "2016-05-08T09:27:59.000Z", "service.type": "imperva", - "source.address": "nnum5428.internal.host", + "source.address": "pora6854.www5.home", "source.ip": [ - "10.148.106.167" + "10.112.250.193" ], - "source.port": 4285, + "source.port": 5705, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "tectobe" + "user.name": "ipsumdol" }, { "destination.ip": [ - "10.77.52.83" + "10.251.20.13" ], - "destination.port": 2646, - "event.action": "accept", + "destination.port": 264, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
"event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.77.52.83,dstPort=2646,dbUsername=atno,srcIP=10.7.46.36,srcPort=837,creatTime=22 May 2016 14:30:33,srvGroup=nonn,service=inventor,appName=quiavol,event#=rrorsi,eventType=Login,usrGroup=temquiav,usrAuth=False,application=\"equatu\",osUsername=upta,srcHost=dex2490.www.host,dbName=tae,schemaName=ccaec,bindVar=ten,sqlError=success,respSize=1458,respTime=129.251000,affRows=ullamcor,action=\"accept\",rawQuery=\"emaccusa\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application=\"temqu\",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action=\"deny\",rawQuery=\"uamni\"", "fileset.name": "securesphere", - "host.hostname": "dex2490.www.host", + "group.name": "utpe", + "host.hostname": "ptasn6599.www.localhost", "input.type": "log", - "log.offset": 3854, - "network.application": "equatu", + "log.offset": 3849, + "network.application": "temqu", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.7.46.36", - "10.77.52.83" + "10.192.34.76", + "10.251.20.13" ], "related.user": [ - "atno", - "upta", - "ccaec" + "ovol", + "tnonpro", + "iquipe" ], - "rsa.counters.dclass_c1": 1458, + "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tae", - "rsa.db.index": "emaccusa", + "rsa.db.database": "lore", + "rsa.db.index": "uamni", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - 
"accept" + "deny" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "temquiav", - "rsa.misc.group_object": "nonn", + "rsa.misc.event_type": "abor", + "rsa.misc.group": "utpe", + "rsa.misc.group_object": "upida", "rsa.misc.result": "success", - "rsa.time.duration_time": 129.251, + "rsa.time.duration_time": 20.909, "rsa.time.starttime": "2016-05-22T16:30:33.000Z", "service.type": "imperva", - "source.address": "dex2490.www.host", + "source.address": "ptasn6599.www.localhost", "source.ip": [ - "10.7.46.36" + "10.192.34.76" ], - "source.port": 837, + "source.port": 1450, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "atno" + "user.name": "iquipe" }, { "destination.ip": [ - "10.221.102.245" + "10.74.105.218" ], - "destination.port": 337, + "destination.port": 2438, "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.221.102.245,dstPort=337,dbUsername=rinre,srcIP=10.43.226.231,srcPort=7222,creatTime=2016-06-05 21:33:08,srvGroup=tut,service=ercita,appName=ciadeser,event#=emquia,eventType=Logout,usrGroup=inesci,usrAuth=True,application=\"isnisi\",osUsername=ritatise,srcHost=uamei2389.internal.example,dbName=uisa,schemaName=eFi,bindVar=mexe,sqlError=failure,respSize=302,respTime=93.746000,affRows=ice,action=\"block\",rawQuery=\"entorev\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application=\"esciuntN\",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action=\"block\",rawQuery=\"ofdeFini\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": 
"uamei2389.internal.example", + "group.name": "ium", + "host.hostname": "ptasnu6684.mail.lan", "input.type": "log", - "log.offset": 4293, - "network.application": "isnisi", + "log.offset": 4290, + "network.application": "esciuntN", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.221.102.245", - "10.43.226.231" + "10.59.138.212", + "10.74.105.218" ], "related.user": [ - "ritatise", - "rinre", - "eFi" + "boree", + "idunt", + "archite" ], - "rsa.counters.dclass_c1": 302, + "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uisa", - "rsa.db.index": "entorev", + "rsa.db.database": "orumSe", + "rsa.db.index": "ofdeFini", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Success", 
@@ -537,719 +545,684 @@ "block" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "inesci", - "rsa.misc.group_object": "tut", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 93.746, + "rsa.misc.group": "ium", + "rsa.misc.group_object": "asi", + "rsa.misc.result": "success", + "rsa.time.duration_time": 158.45, "rsa.time.starttime": "2016-06-05T23:33:08.000Z", "service.type": "imperva", - "source.address": "uamei2389.internal.example", + "source.address": "ptasnu6684.mail.lan", "source.ip": [ - "10.43.226.231" + "10.59.138.212" ], - "source.port": 7222, + "source.port": 7829, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "rinre" + "user.name": "archite" }, { "destination.ip": [ - "10.239.96.8" + "10.168.159.13" ], - "destination.port": 6223, - "event.action": "allow", + "destination.port": 3319, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.239.96.8,dstPort=6223,dbUsername=atevelit,srcIP=10.56.136.27,srcPort=4293,creatTime=20 June 2016 04:35:42,srvGroup=labo,service=oNemoeni,appName=ttenby,event#=boris,eventType=Login,usrGroup=stenatu,usrAuth=False,application=\"isiuta\",osUsername=orsitam,srcHost=siutaliq7201.mail.host,dbName=tsed,schemaName=nts,bindVar=siut,sqlError=unknown,respSize=3714,respTime=20.894000,affRows=piscinge,action=\"allow\",rawQuery=\"aturve\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application=\"cusant\",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action=\"accept\",rawQuery=\"uia\"", + "event.outcome": "failure", "fileset.name": 
"securesphere", - "host.hostname": "siutaliq7201.mail.host", + "group.name": "isisten", + "host.hostname": "rinre2977.api.corp", "input.type": "log", - "log.offset": 4739, - "network.application": "isiuta", + "log.offset": 4738, + "network.application": "cusant", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.56.136.27", - "10.239.96.8" + "10.168.159.13", + "10.230.173.4" ], "related.user": [ - "orsitam", - "atevelit", - "nts" + "isnostr", + "atemq", + "inci" ], - "rsa.counters.dclass_c1": 3714, + "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tsed", - "rsa.db.index": "aturve", + "rsa.db.database": "totamre", + "rsa.db.index": "uia", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "accept" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "stenatu", - "rsa.misc.group_object": "labo", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 20.894, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "isisten", + "rsa.misc.group_object": "avol", + "rsa.misc.result": "success", + "rsa.time.duration_time": 86.668, "rsa.time.starttime": "2016-06-20T06:35:42.000Z", "service.type": "imperva", - "source.address": "siutaliq7201.mail.host", + "source.address": "rinre2977.api.corp", "source.ip": [ - "10.56.136.27" + "10.230.173.4" ], - "source.port": 4293, + "source.port": 2631, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "atevelit" + "user.name": "inci" }, { "destination.ip": [ - "10.10.216.74" + "10.49.167.57" ], - "destination.port": 7231, - "event.action": "cancel", + "destination.port": 2119, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
"event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.10.216.74,dstPort=7231,dbUsername=sit,srcIP=10.147.76.202,srcPort=2805,creatTime=4 July 2016 11:38:16,srvGroup=ersp,service=enderi,appName=mquisno,event#=odoconse,eventType=Login,usrGroup=quamqua,usrAuth=True,application=\"eacommod\",osUsername=ctetura,srcHost=aveni2929.www.localdomain,dbName=uptatema,schemaName=oeni,bindVar=tdol,sqlError=failure,respSize=5313,respTime=87.380000,affRows=nea,action=\"cancel\",rawQuery=\"oremagna\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application=\"tutlab\",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action=\"block\",rawQuery=\"orumSe\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "aveni2929.www.localdomain", + "group.name": "seq", + "host.hostname": "atevelit2450.local", "input.type": "log", - "log.offset": 5188, - "network.application": "eacommod", + "log.offset": 5178, + "network.application": "tutlab", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.10.216.74", - "10.147.76.202" + "10.41.21.204", + "10.49.167.57" ], "related.user": [ - "sit", - "ctetura", - "oeni" + "ccaeca", + "sau", + "tali" ], - "rsa.counters.dclass_c1": 5313, + "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uptatema", - "rsa.db.index": "oremagna", + "rsa.db.database": "aperia", + "rsa.db.index": "orumSe", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", 
"rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "block" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "quamqua", - "rsa.misc.group_object": "ersp", + "rsa.misc.group": "seq", + "rsa.misc.group_object": "rpori", "rsa.misc.result": "failure", - "rsa.time.duration_time": 87.38, + "rsa.time.duration_time": 115.224, "rsa.time.starttime": "2016-07-04T13:38:16.000Z", "service.type": "imperva", - "source.address": "aveni2929.www.localdomain", + "source.address": "atevelit2450.local", "source.ip": [ - "10.147.76.202" + "10.41.21.204" ], - "source.port": 2805, + "source.port": 3540, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "sit" + "user.name": "tali" }, { "destination.ip": [ - "10.177.219.214" + "10.62.147.186" ], - "destination.port": 2300, - "event.action": "cancel", + "destination.port": 5592, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=asiar,event#=ise,createTime=2016-07-18 18:40:50,updateTime=itau,alertSev=low,group=iamquis,ruleName=\"asiarc\",evntDesc=\"ian\",category=dolore,disposition=onsecte,eventType=nBCSedut,proto=icmp,srcPort=23,srcIP=10.123.199.236,dstPort=2300,dstIP=10.177.219.214,policyName=\"quatu\",occurrences=5653,httpHost=lumdolor,webMethod=nonp,url=\"https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl\",webQuery=\"por\",soapAction=quidexea,resultCode=nimid,sessionID=runtmol,username=texpli,addUsername=exeacom,responseTime=roidents,responseSize=tem,direction=dol,dbUsername=proiden,queryGroup=urExcept,application=\"miurerep\",srcHost=aco6894.mail.home,osUsername=emUteni,schemaName=rum,dbName=gnaaliqu,hdrName=teirured,action=\"cancel\",errormsg=\"unknown\"", + "event.original": "%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 
18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName=\"tconsect\",evntDesc=\"aquae\",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName=\"eumiure\",occurrences=4603,httpHost=ima,webMethod=quasia,url=\"https://example.org/umwrit/uptate.html?ctetura=aveni#elit\",webQuery=\"seosqui\",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application=\"cinge\",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action=\"accept\",errormsg=\"unknown\"", "fileset.name": "securesphere", - "host.hostname": "aco6894.mail.home", + "group.name": "siut", + "host.hostname": "itla658.api.localhost", "input.type": "log", - "log.level": "low", - "log.offset": 5642, - "network.application": "miurerep", - "network.direction": "dol", - "network.protocol": "icmp", + "log.level": "high", + "log.offset": 5610, + "network.application": "cinge", + "network.direction": "inbound", + "network.protocol": "ipv6", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.123.199.236", - "10.177.219.214" + "10.62.147.186", + "10.216.125.252" ], "related.user": [ - "texpli", - "rum", - "emUteni" + "llamco", + "lorsita", + "dolore" ], - "rsa.counters.event_counter": 5653, - "rsa.db.database": "gnaaliqu", - "rsa.internal.event_desc": "ian", + "rsa.counters.event_counter": 4603, + "rsa.db.database": "uptate", + "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "nonp" - ], - "rsa.misc.category": "dolore", - "rsa.misc.disposition": "onsecte", - "rsa.misc.event_type": "nBCSedut", - "rsa.misc.group": "iamquis", - "rsa.misc.log_session_id": "runtmol", - "rsa.misc.operation_id": "asiar", - "rsa.misc.policy_name": "quatu", + "accept", + 
"quasia" + ], + "rsa.misc.category": "boreetdo", + "rsa.misc.disposition": "aturve", + "rsa.misc.event_type": "ditemp", + "rsa.misc.group": "siut", + "rsa.misc.log_session_id": "tot", + "rsa.misc.operation_id": "dutp", + "rsa.misc.policy_name": "eumiure", "rsa.misc.result": "unknown", - "rsa.misc.result_code": "nimid", - "rsa.misc.rule_name": "asiarc", - "rsa.misc.severity": "low", + "rsa.misc.result_code": "uradi", + "rsa.misc.rule_name": "tconsect", + "rsa.misc.severity": "high", "rsa.time.starttime": "2016-07-18T20:40:50.000Z", - "rsa.web.alias_host": "lumdolor", - "rule.name": "asiarc", + "rsa.web.alias_host": "ima", + "rule.name": "tconsect", "service.type": "imperva", - "source.address": "aco6894.mail.home", + "source.address": "itla658.api.localhost", "source.ip": [ - "10.123.199.236" + "10.216.125.252" ], - "source.port": 23, + "source.port": 3406, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www.example.com/ulapar/aboreetd.htm?par=lorin#pitl", - "url.query": "por", - "user.name": "texpli" + "url.original": "https://example.org/umwrit/uptate.html?ctetura=aveni#elit", + "url.query": "seosqui", + "user.name": "llamco" }, { "destination.ip": [ - "10.110.114.175" + "10.204.128.215" ], - "destination.port": 2639, - "event.action": "allow", + "destination.port": 2538, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.110.114.175,dstPort=2639,dbUsername=upt,srcIP=10.20.72.231,srcPort=5300,creatTime=2 August 2016 01:43:25,srvGroup=untutlab,service=amcor,appName=ica,event#=lillum,eventType=Login,usrGroup=remips,usrAuth=True,application=\"uisaute\",osUsername=imide,srcHost=poriss4719.www5.domain,dbName=siu,schemaName=snost,bindVar=tpersp,sqlError=unknown,respSize=5798,respTime=96.768000,affRows=ametcons,action=\"allow\",rawQuery=\"nof\"", - "event.outcome": "Success", + "event.original": 
"%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName=\"tenim\",evntDesc=\"rumet\",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName=\"ama\",occurrences=332,httpHost=runtmol,webMethod=texpli,url=\"https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele\",webQuery=\"isis\",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application=\"ationev\",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny", "fileset.name": "securesphere", - "host.hostname": "poriss4719.www5.domain", + "group.name": "veli", + "host.hostname": "umdolor4389.api.home", "input.type": "log", - "log.offset": 6405, - "network.application": "uisaute", + "log.level": "very-high", + "log.offset": 6379, + "network.application": "ationev", + "network.direction": "external", + "network.protocol": "tcp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.110.114.175", - "10.20.72.231" + "10.52.125.9", + "10.204.128.215" ], "related.user": [ - "imide", - "upt", - "snost" + "rum", + "nci", + "paquioff" ], - "rsa.counters.dclass_c1": 5798, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "siu", - "rsa.db.index": "nof", + "rsa.counters.event_counter": 332, + "rsa.db.database": "isau", + "rsa.internal.event_desc": "rumet", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "remips", - "rsa.misc.group_object": "untutlab", - 
"rsa.misc.result": "unknown", - "rsa.time.duration_time": 96.768, + "deny", + "texpli" + ], + "rsa.misc.category": "verita", + "rsa.misc.disposition": "sectet", + "rsa.misc.event_type": "etdo", + "rsa.misc.group": "veli", + "rsa.misc.log_session_id": "emUteni", + "rsa.misc.operation_id": "ate", + "rsa.misc.policy_name": "ama", + "rsa.misc.result_code": "utlab", + "rsa.misc.rule_name": "tenim", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2016-08-02T03:43:25.000Z", + "rsa.web.alias_host": "runtmol", + "rule.name": "tenim", "service.type": "imperva", - "source.address": "poriss4719.www5.domain", + "source.address": "umdolor4389.api.home", "source.ip": [ - "10.20.72.231" + "10.52.125.9" ], - "source.port": 5300, + "source.port": 3689, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "upt" + "url.original": "https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele", + "url.query": "isis", + "user.name": "rum" }, { "destination.ip": [ - "10.230.206.60" + "10.200.68.129" ], - "destination.port": 3684, - "event.action": "deny", + "destination.port": 2558, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.230.206.60,dstPort=3684,dbUsername=aincidu,srcIP=10.111.90.75,srcPort=5960,creatTime=16 August 2016 08:45:59,srvGroup=licabo,service=enimadmi,appName=utaliqu,event#=dic,eventType=Login,usrGroup=cola,usrAuth=True,application=\"amcor\",osUsername=rcitat,srcHost=ineavol7807.mail.test,dbName=usc,schemaName=rem,bindVar=amvolupt,sqlError=success,respSize=1264,respTime=123.553000,affRows=xea,action=\"deny\",rawQuery=\"ncidid\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 
08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application=\"onula\",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action=\"block\",rawQuery=\"uisaute\"", "fileset.name": "securesphere", - "host.hostname": "ineavol7807.mail.test", + "group.name": "ate", + "host.hostname": "rationev6444.localhost", "input.type": "log", - "log.offset": 6849, - "network.application": "amcor", + "log.offset": 7117, + "network.application": "onula", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.230.206.60", - "10.111.90.75" + "10.200.68.129", + "10.34.148.166" ], "related.user": [ - "rcitat", - "rem", - "aincidu" + "icabo", + "untutlab", + "miu" ], - "rsa.counters.dclass_c1": 1264, + "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "usc", - "rsa.db.index": "ncidid", + "rsa.db.database": "tatem", + "rsa.db.index": "uisaute", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny" + "block" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "cola", - "rsa.misc.group_object": "licabo", - "rsa.misc.result": "success", - "rsa.time.duration_time": 123.553, + "rsa.misc.event_type": "rsita", + "rsa.misc.group": "ate", + "rsa.misc.group_object": "preh", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 176.685, "rsa.time.starttime": "2016-08-16T10:45:59.000Z", "service.type": "imperva", - "source.address": "ineavol7807.mail.test", + "source.address": "rationev6444.localhost", "source.ip": [ - "10.111.90.75" + "10.34.148.166" ], - "source.port": 5960, + "source.port": 3022, "tags": [ "imperva.securesphere", 
"forwarded" ], - "user.name": "aincidu" + "user.name": "icabo" }, { "destination.ip": [ - "10.154.53.249" + "10.226.101.180" ], - "destination.port": 1513, - "event.action": "accept", + "destination.port": 1000, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=velite,event#=teturad,createTime=2016-08-30 15:48:33,updateTime=perspici,alertSev=high,group=rer,ruleName=\"iconseq\",evntDesc=\"porincid\",category=atisetqu,disposition=issuscip,eventType=uisa,proto=tcp,srcPort=3449,srcIP=10.186.77.109,dstPort=1513,dstIP=10.154.53.249,policyName=\"tae\",occurrences=5380,httpHost=eriti,webMethod=atcupi,url=\"https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant\",webQuery=\"onse\",soapAction=admin,resultCode=stenatu,sessionID=inibu,username=est,addUsername=uptatemU,responseTime=leumiu,responseSize=tla,direction=item,dbUsername=nimid,queryGroup=dat,application=\"periam\",srcHost=dqu6144.api.localhost,osUsername=dutpers,schemaName=erun,dbName=orisn,hdrName=reetd,action=accept", + "event.original": "%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application=\"mvolu\",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action=\"deny\",rawQuery=\"amcor\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "dqu6144.api.localhost", + "group.name": "usmodi", + "host.hostname": "ipi7727.www5.domain", "input.type": "log", - "log.level": "high", - "log.offset": 7293, - "network.application": "periam", - "network.direction": "item", - "network.protocol": "tcp", + "log.offset": 7557, + "network.application": "mvolu", "observer.product": "Secure", 
"observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.186.77.109", - "10.154.53.249" + "10.226.101.180", + "10.134.5.40" ], "related.user": [ - "erun", - "est", - "dutpers" + "licabo", + "conse", + "siu" ], - "rsa.counters.event_counter": 5380, - "rsa.db.database": "orisn", - "rsa.internal.event_desc": "porincid", + "rsa.counters.dclass_c1": 6356, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "isiu", + "rsa.db.index": "amcor", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "atcupi", - "accept" + "deny" ], - "rsa.misc.category": "atisetqu", - "rsa.misc.disposition": "issuscip", - "rsa.misc.event_type": "uisa", - "rsa.misc.group": "rer", - "rsa.misc.log_session_id": "inibu", - "rsa.misc.operation_id": "velite", - "rsa.misc.policy_name": "tae", - "rsa.misc.result_code": "stenatu", - "rsa.misc.rule_name": "iconseq", - "rsa.misc.severity": "high", + "rsa.misc.event_type": "Login", + "rsa.misc.group": "usmodi", + "rsa.misc.group_object": "llamc", + "rsa.misc.result": "success", + "rsa.time.duration_time": 41.238, "rsa.time.starttime": "2016-08-30T17:48:33.000Z", - "rsa.web.alias_host": "eriti", - "rule.name": "iconseq", "service.type": "imperva", - "source.address": "dqu6144.api.localhost", + "source.address": "ipi7727.www5.domain", "source.ip": [ - "10.186.77.109" + "10.134.5.40" ], - "source.port": 3449, + "source.port": 7284, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://api.example.org/borisnis/exeaco.html?inven=eufugi#accusant", - "url.query": "onse", - "user.name": "est" + "user.name": "siu" }, { "destination.ip": [ - "10.201.164.145" + "10.126.26.131" ], - "destination.port": 2700, - "event.action": "allow", + "destination.port": 2595, + "event.action": "accept", "event.code": "Imperva", 
"event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.201.164.145,dstPort=2700,dbUsername=sequa,srcIP=10.111.233.194,srcPort=5739,creatTime=13 September 2016 22:51:07,srvGroup=rem,service=idid,appName=tesse,event#=sequat,eventType=Login,usrGroup=giatquov,usrAuth=True,application=\"tconsec\",osUsername=miurerep,srcHost=toccaec7645.www5.home,dbName=psaqua,schemaName=ullamcor,bindVar=itationu,sqlError=unknown,respSize=6595,respTime=106.181000,affRows=tame,action=\"allow\",rawQuery=\"orroq\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application=\"nofd\",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action=\"accept\",rawQuery=\"borisnis\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "toccaec7645.www5.home", + "group.name": "rroqu", + "host.hostname": "spernatu5539.domain", "input.type": "log", - "log.offset": 8035, - "network.application": "tconsec", + "log.offset": 7992, + "network.application": "nofd", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.164.145", - "10.111.233.194" + "10.126.26.131", + "10.30.98.10" ], "related.user": [ - "sequa", - "miurerep", - "ullamcor" + "dipisci", + "olori", + "velite" ], - "rsa.counters.dclass_c1": 6595, + "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "psaqua", - "rsa.db.index": "orroq", + "rsa.db.database": "quunt", + "rsa.db.index": "borisnis", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": 
"Success", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "accept" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "giatquov", - "rsa.misc.group_object": "rem", + "rsa.misc.group": "rroqu", + "rsa.misc.group_object": "itation", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 106.181, + "rsa.time.duration_time": 96.729, "rsa.time.starttime": "2016-09-14T00:51:07.000Z", "service.type": "imperva", - "source.address": "toccaec7645.www5.home", + "source.address": "spernatu5539.domain", "source.ip": [ - "10.111.233.194" + "10.30.98.10" ], - "source.port": 5739, + "source.port": 7576, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "sequa" + "user.name": "velite" }, { "destination.ip": [ - "10.241.230.235" + "10.190.10.219" ], - "destination.port": 3421, - "event.action": "accept", + "destination.port": 5530, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=orisni,event#=ons,createTime=2016-09-28 05:53:42,updateTime=remagn,alertSev=very-high,group=orem,ruleName=\"rcit\",evntDesc=\"llamco\",category=atu,disposition=untincul,eventType=ssecil,proto=ggp,srcPort=4593,srcIP=10.57.164.187,dstPort=3421,dstIP=10.241.230.235,policyName=\"utp\",occurrences=3317,httpHost=isnost,webMethod=olorem,url=\"https://example.org/emqu/riss.gif?sitvol=dolore#nsequat\",webQuery=\"olorsi\",soapAction=aliq,resultCode=mes,sessionID=mven,username=olorsit,addUsername=tore,responseTime=elits,responseSize=consequa,direction=turadip,dbUsername=tatevel,queryGroup=boreetdo,application=\"undeom\",srcHost=uamnihi4791.www.local,osUsername=scingeli,schemaName=isn,dbName=sBono,hdrName=loremqu,action=\"accept\",errormsg=\"unknown\"", + "event.original": 
"%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application=\"tla\",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action=\"cancel\",rawQuery=\"reetd\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "uamnihi4791.www.local", + "group.name": "leumiu", + "host.hostname": "nimid372.api.corp", "input.type": "log", - "log.level": "very-high", - "log.offset": 8494, - "network.application": "undeom", - "network.direction": "turadip", - "network.protocol": "ggp", + "log.offset": 8445, + "network.application": "tla", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.241.230.235", - "10.57.164.187" + "10.233.120.207", + "10.190.10.219" ], "related.user": [ - "scingeli", - "olorsit", - "isn" + "quamnih", + "accusant", + "item" ], - "rsa.counters.event_counter": 3317, - "rsa.db.database": "sBono", - "rsa.internal.event_desc": "llamco", + "rsa.counters.dclass_c1": 3278, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "atcupid", + "rsa.db.index": "reetd", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "olorem", - "accept" + "cancel" ], - "rsa.misc.category": "atu", - "rsa.misc.disposition": "untincul", - "rsa.misc.event_type": "ssecil", - "rsa.misc.group": "orem", - "rsa.misc.log_session_id": "mven", - "rsa.misc.operation_id": "orisni", - "rsa.misc.policy_name": "utp", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "mes", - "rsa.misc.rule_name": "rcit", - 
"rsa.misc.severity": "very-high", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "leumiu", + "rsa.misc.group_object": "stenatu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 60.949, "rsa.time.starttime": "2016-09-28T07:53:42.000Z", - "rsa.web.alias_host": "isnost", - "rule.name": "rcit", "service.type": "imperva", - "source.address": "uamnihi4791.www.local", + "source.address": "nimid372.api.corp", "source.ip": [ - "10.57.164.187" + "10.233.120.207" ], - "source.port": 4593, + "source.port": 136, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://example.org/emqu/riss.gif?sitvol=dolore#nsequat", - "url.query": "olorsi", - "user.name": "olorsit" + "user.name": "accusant" }, { - "destination.ip": [ - "10.79.147.101" - ], - "destination.port": 1280, - "event.action": "deny", + "event.action": "rad", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.79.147.101,dstPort=1280,dbUsername=uptat,srcIP=10.105.46.101,srcPort=3346,creatTime=12 October 2016 12:56:16,srvGroup=cons,service=olorese,appName=ori,event#=tconsect,eventType=Login,usrGroup=rum,usrAuth=True,application=\"eataevi\",osUsername=ddoeius,srcHost=ugiatn4084.domain,dbName=hil,schemaName=cingel,bindVar=modocon,sqlError=success,respSize=6068,respTime=61.550000,affRows=lupta,action=\"deny\",rawQuery=\"urExce\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message=\"volupt\"", "fileset.name": "securesphere", - "host.hostname": "ugiatn4084.domain", "input.type": "log", - "log.offset": 9252, - "network.application": "eataevi", + "log.level": "low", + "log.offset": 8890, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.105.46.101", - "10.79.147.101" - ], "related.user": [ - "ddoeius", - "cingel", - 
"uptat" + "sequa" ], - "rsa.counters.dclass_c1": 6068, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "hil", - "rsa.db.index": "urExce", + "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "rum", - "rsa.misc.group_object": "cons", - "rsa.misc.result": "success", - "rsa.time.duration_time": 61.55, + "rsa.misc.event_type": "rad", + "rsa.misc.severity": "low", "rsa.time.starttime": "2016-10-12T14:56:16.000Z", "service.type": "imperva", - "source.address": "ugiatn4084.domain", - "source.ip": [ - "10.105.46.101" - ], - "source.port": 3346, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "uptat" + "user.name": "sequa" }, { "destination.ip": [ - "10.49.71.118" + "10.100.98.56" ], - "destination.port": 4322, - "event.action": "cancel", + "destination.port": 1089, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=proident,event#=mipsum,createTime=2016-10-26 
19:58:50,updateTime=lmo,alertSev=medium,group=doei,ruleName=\"cipitl\",evntDesc=\"caboNemo\",category=dexerc,disposition=strumex,eventType=eprehend,proto=udp,srcPort=6200,srcIP=10.102.166.19,dstPort=4322,dstIP=10.49.71.118,policyName=\"ationul\",occurrences=7731,httpHost=itsedq,webMethod=uto,url=\"https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela\",webQuery=\"ntexplic\",soapAction=uto,resultCode=iuntNequ,sessionID=esseq,username=aincidun,addUsername=quatD,responseTime=isqua,responseSize=uta,direction=emo,dbUsername=itq,queryGroup=derit,application=\"orese\",srcHost=dolor5930.internal.host,osUsername=eritin,schemaName=udan,dbName=yCic,hdrName=nder,action=\"cancel\",errormsg=\"failure\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application=\"itationu\",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action=\"deny\",rawQuery=\"mmodoc\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "dolor5930.internal.host", + "group.name": "ullamcor", + "host.hostname": "maliquam2147.internal.home", "input.type": "log", - "log.level": "medium", - "log.offset": 9695, - "network.application": "orese", - "network.direction": "emo", - "network.protocol": "udp", + "log.offset": 9029, + "network.application": "itationu", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.102.166.19", - "10.49.71.118" + "10.248.184.200", + "10.100.98.56" ], "related.user": [ - "udan", - "eritin", - "aincidun" + "boru", + "ritati", + "proident" ], - "rsa.counters.event_counter": 7731, - "rsa.db.database": "yCic", - "rsa.internal.event_desc": "caboNemo", + 
"rsa.counters.dclass_c1": 5923, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lores", + "rsa.db.index": "mmodoc", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "uto", - "cancel" + "deny" ], - "rsa.misc.category": "dexerc", - "rsa.misc.disposition": "strumex", - "rsa.misc.event_type": "eprehend", - "rsa.misc.group": "doei", - "rsa.misc.log_session_id": "esseq", - "rsa.misc.operation_id": "proident", - "rsa.misc.policy_name": "ationul", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ullamcor", + "rsa.misc.group_object": "ptatem", "rsa.misc.result": "failure", - "rsa.misc.result_code": "iuntNequ", - "rsa.misc.rule_name": "cipitl", - "rsa.misc.severity": "medium", + "rsa.time.duration_time": 179.541, "rsa.time.starttime": "2016-10-26T21:58:50.000Z", - "rsa.web.alias_host": "itsedq", - "rule.name": "cipitl", "service.type": "imperva", - "source.address": "dolor5930.internal.host", + "source.address": "maliquam2147.internal.home", "source.ip": [ - "10.102.166.19" + "10.248.184.200" ], - "source.port": 6200, + "source.port": 5315, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://mail.example.com/molestia/quir.jpg?elitsed=labore#uela", - "url.query": "ntexplic", - "user.name": "aincidun" + "user.name": "boru" }, { "destination.ip": [ - "10.28.153.102" + "10.197.6.245" ], - "destination.port": 6366, + "destination.port": 27, "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.28.153.102,dstPort=6366,dbUsername=rsita,srcIP=10.50.222.68,srcPort=6657,creatTime=2016-11-10 
03:01:24,srvGroup=illu,service=iatqu,appName=lorsi,event#=repreh,eventType=plic,usrGroup=irured,usrAuth=illumqui,application=\"saq\",osUsername=amali,srcHost=ate7311.mail.example,dbName=undeomni,schemaName=tas,bindVar=autfugi,sqlError=unknown,respSize=4527,respTime=82.523000,affRows=eratv,action=\"allow\",rawQuery=\"iration\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application=\"rcit\",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action=\"allow\",rawQuery=\"aturve\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "ate7311.mail.example", + "group.name": "rroq", + "host.hostname": "olabor2983.internal.localhost", "input.type": "log", - "log.offset": 10455, - "network.application": "saq", + "log.offset": 9492, + "network.application": "rcit", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.50.222.68", - "10.28.153.102" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ - "amali", - "rsita", - "tas" + "oluptat", + "aecatcup", + "dtempo" ], - "rsa.counters.dclass_c1": 4527, + "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "undeomni", - "rsa.db.index": "iration", + "rsa.db.database": "citatio", + "rsa.db.index": "aturve", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "allow" ], - "rsa.misc.event_type": "plic", - "rsa.misc.group": "irured", - "rsa.misc.group_object": "illu", - 
"rsa.misc.result": "unknown", - "rsa.time.duration_time": 82.523, + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rroq", + "rsa.misc.group_object": "imad", + "rsa.misc.result": "success", + "rsa.time.duration_time": 120.142, "rsa.time.starttime": "2016-11-10T05:01:24.000Z", "service.type": "imperva", - "source.address": "ate7311.mail.example", + "source.address": "olabor2983.internal.localhost", "source.ip": [ - "10.50.222.68" + "10.82.28.220" ], - "source.port": 6657, + "source.port": 3570, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "rsita" + "user.name": "dtempo" }, { "destination.ip": [ - "10.199.169.48" + "10.6.27.103" ], - "destination.port": 6443, + "destination.port": 3179, "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.199.169.48,dstPort=6443,dbUsername=imadmini,srcIP=10.46.192.198,srcPort=154,creatTime=24 November 2016 10:03:59,srvGroup=uat,service=lupta,appName=npr,event#=etconsec,eventType=Login,usrGroup=caboNem,usrAuth=True,application=\"urExcept\",osUsername=rumetMal,srcHost=oconse2010.www5.example,dbName=sequam,schemaName=oditempo,bindVar=doeiu,sqlError=failure,respSize=4128,respTime=83.673000,affRows=destlabo,action=\"cancel\",rawQuery=\"redol\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application=\"eprehend\",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action=\"cancel\",rawQuery=\"ccae\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "oconse2010.www5.example", + "group.name": "strumex", + "host.hostname": 
"hitec2111.mail.corp", "input.type": "log", - "log.offset": 10897, - "network.application": "urExcept", + "log.offset": 9953, + "network.application": "eprehend", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.46.192.198", - "10.199.169.48" + "10.167.252.183", + "10.6.27.103" ], "related.user": [ - "oditempo", - "rumetMal", - "imadmini" + "asnu", + "redol", + "ationul" ], - "rsa.counters.dclass_c1": 4128, + "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "sequam", - "rsa.db.index": "redol", + "rsa.db.database": "perspici", + "rsa.db.index": "ccae", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Success", 
@@ -1259,3116 +1232,3054 @@ "cancel" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "caboNem", - "rsa.misc.group_object": "uat", + "rsa.misc.group": "strumex", + "rsa.misc.group_object": "doei", "rsa.misc.result": "failure", - "rsa.time.duration_time": 83.673, + "rsa.time.duration_time": 155.907, "rsa.time.starttime": "2016-11-24T12:03:59.000Z", "service.type": "imperva", - "source.address": "oconse2010.www5.example", + "source.address": "hitec2111.mail.corp", "source.ip": [ - "10.46.192.198" + "10.167.252.183" ], - "source.port": 154, + "source.port": 2003, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "imadmini" + "user.name": "redol" }, { "destination.ip": [ - "10.201.81.46" + "10.81.184.7" ], - "destination.port": 6515, - "event.action": "block", + "destination.port": 6735, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=radipis,event#=ctetu,createTime=2016-12-08 17:06:33,updateTime=orinrep,alertSev=low,group=nder,ruleName=\"stenatus\",evntDesc=\"equep\",category=ever,disposition=tali,eventType=BCS,proto=icmp,srcPort=4926,srcIP=10.251.1.35,dstPort=6515,dstIP=10.201.81.46,policyName=\"sBonor\",occurrences=2001,httpHost=plicaboN,webMethod=amc,url=\"https://example.com/admi/onnu.gif?saute=atatnon#tcupida\",webQuery=\"isa\",soapAction=riameaqu,resultCode=ame,sessionID=tesseq,username=niam,addUsername=pernat,responseTime=rerepre,responseSize=nculpaq,direction=culpaqui,dbUsername=tvolup,queryGroup=tdolore,application=\"ventore\",srcHost=red5516.localhost,osUsername=agnaaliq,schemaName=est,dbName=mquisno,hdrName=aev,action=\"block\",errormsg=\"unknown\"", + "event.original": "%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 
17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName=\"tatem\",evntDesc=\"iae\",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName=\"saquaea\",occurrences=6344,httpHost=eetd,webMethod=illu,url=\"https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur\",webQuery=\"tionula\",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application=\"asuntexp\",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action=\"deny\",errormsg=\"failure\"", "fileset.name": "securesphere", - "host.hostname": "red5516.localhost", + "group.name": "mollita", + "host.hostname": "adminim2559.www5.invalid", "input.type": "log", - "log.level": "low", - "log.offset": 11359, - "network.application": "ventore", - "network.direction": "culpaqui", - "network.protocol": "icmp", + "log.level": "medium", + "log.offset": 10408, + "network.application": "asuntexp", + "network.direction": "external", + "network.protocol": "tcp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.81.46", - "10.251.1.35" + "10.88.45.111", + "10.81.184.7" ], "related.user": [ - "est", - "niam", - "agnaaliq" + "lmole", + "iameaque", + "undeomni" ], - "rsa.counters.event_counter": 2001, - "rsa.db.database": "mquisno", - "rsa.internal.event_desc": "equep", + "rsa.counters.event_counter": 6344, + "rsa.db.database": "nderi", + "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "amc", - "block" - ], - "rsa.misc.category": "ever", - "rsa.misc.disposition": "tali", - "rsa.misc.event_type": "BCS", - "rsa.misc.group": "nder", - "rsa.misc.log_session_id": "tesseq", - "rsa.misc.operation_id": "radipis", - "rsa.misc.policy_name": "sBonor", - "rsa.misc.result": 
"unknown", - "rsa.misc.result_code": "ame", - "rsa.misc.rule_name": "stenatus", - "rsa.misc.severity": "low", + "deny", + "illu" + ], + "rsa.misc.category": "quido", + "rsa.misc.disposition": "emip", + "rsa.misc.event_type": "inBC", + "rsa.misc.group": "mollita", + "rsa.misc.log_session_id": "uamei", + "rsa.misc.operation_id": "ntNe", + "rsa.misc.policy_name": "saquaea", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ecatcupi", + "rsa.misc.rule_name": "tatem", + "rsa.misc.severity": "medium", "rsa.time.starttime": "2016-12-08T19:06:33.000Z", - "rsa.web.alias_host": "plicaboN", - "rule.name": "stenatus", + "rsa.web.alias_host": "eetd", + "rule.name": "tatem", "service.type": "imperva", - "source.address": "red5516.localhost", + "source.address": "adminim2559.www5.invalid", "source.ip": [ - "10.251.1.35" + "10.88.45.111" ], - "source.port": 4926, + "source.port": 6165, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://example.com/admi/onnu.gif?saute=atatnon#tcupida", - "url.query": "isa", - "user.name": "niam" + "url.original": "https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur", + "url.query": "tionula", + "user.name": "undeomni" }, { "destination.ip": [ - "10.7.81.204" + "10.214.3.140" ], - "destination.port": 3984, - "event.action": "accept", + "destination.port": 6127, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=uid,event#=equaturv,createTime=2016-12-23 
00:09:07,updateTime=lamc,alertSev=very-high,group=maccusa,ruleName=\"ree\",evntDesc=\"nimad\",category=ataevita,disposition=oremqu,eventType=uradi,proto=ipv6-icmp,srcPort=194,srcIP=10.131.82.68,dstPort=3984,dstIP=10.7.81.204,policyName=\"equatDu\",occurrences=1710,httpHost=aconse,webMethod=prehe,url=\"https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes\",webQuery=\"lmolesti\",soapAction=meumfugi,resultCode=tquas,sessionID=aquio,username=ersp,addUsername=iame,responseTime=orroquis,responseSize=aquio,direction=riatu,dbUsername=loinve,queryGroup=tanimid,application=\"isnostru\",srcHost=nofdeFi5182.mail.domain,osUsername=ulap,schemaName=amnisi,dbName=nrepreh,hdrName=abori,action=accept", + "event.original": "%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application=\"roquisqu\",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action=\"cancel\",rawQuery=\"inrepreh\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "nofdeFi5182.mail.domain", + "group.name": "ection", + "host.hostname": "dolorem6882.api.local", "input.type": "log", - "log.level": "very-high", - "log.offset": 12107, - "network.application": "isnostru", - "network.direction": "riatu", - "network.protocol": "ipv6-icmp", + "log.offset": 11171, + "network.application": "roquisqu", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.7.81.204", - "10.131.82.68" + "10.214.3.140", + "10.29.119.245" ], "related.user": [ - "ulap", - "ersp", - "amnisi" + "scipitl", + "edolorin", + "taliqui" ], - "rsa.counters.event_counter": 1710, - "rsa.db.database": "nrepreh", - "rsa.internal.event_desc": "nimad", + "rsa.counters.dclass_c1": 
5140, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rsi", + "rsa.db.index": "inrepreh", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept", - "prehe" - ], - "rsa.misc.category": "ataevita", - "rsa.misc.disposition": "oremqu", - "rsa.misc.event_type": "uradi", - "rsa.misc.group": "maccusa", - "rsa.misc.log_session_id": "aquio", - "rsa.misc.operation_id": "uid", - "rsa.misc.policy_name": "equatDu", - "rsa.misc.result_code": "tquas", - "rsa.misc.rule_name": "ree", - "rsa.misc.severity": "very-high", + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ection", + "rsa.misc.group_object": "olli", + "rsa.misc.result": "success", + "rsa.time.duration_time": 119.229, "rsa.time.starttime": "2016-12-23T02:09:07.000Z", - "rsa.web.alias_host": "aconse", - "rule.name": "ree", "service.type": "imperva", - "source.address": "nofdeFi5182.mail.domain", + "source.address": "dolorem6882.api.local", "source.ip": [ - "10.131.82.68" + "10.29.119.245" ], - "source.port": 194, + "source.port": 1179, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www5.example.net/squira/aliqui.gif?veleum=piciatis#nes", - "url.query": "lmolesti", - "user.name": "ersp" + "user.name": "scipitl" }, { "destination.ip": [ - "10.94.132.21" + "10.110.133.7" ], - "destination.port": 2945, - "event.action": "deny", + "destination.port": 57, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.94.132.21,dstPort=2945,dbUsername=odi,srcIP=10.114.193.232,srcPort=3661,creatTime=6 January 2017 
07:11:41,srvGroup=ore,service=isund,appName=exerci,event#=tas,eventType=Login,usrGroup=oraincid,usrAuth=False,application=\"quaer\",osUsername=eetdo,srcHost=tlab2033.lan,dbName=seddoeiu,schemaName=nse,bindVar=aali,sqlError=unknown,respSize=6784,respTime=57.532000,affRows=olorem,action=\"deny\",rawQuery=\"ugitsedq\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName=\"natu\",evntDesc=\"liquid\",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName=\"radipisc\",occurrences=5347,httpHost=nibus,webMethod=vitaed,url=\"https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo\",webQuery=\"atemUte\",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application=\"osamnis\",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action=\"allow\",errormsg=\"unknown\"", "fileset.name": "securesphere", - "host.hostname": "tlab2033.lan", + "group.name": "accusa", + "host.hostname": "temaccu5302.test", "input.type": "log", - "log.offset": 12863, - "network.application": "quaer", + "log.level": "medium", + "log.offset": 11619, + "network.application": "osamnis", + "network.direction": "external", + "network.protocol": "rdp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.94.132.21", - "10.114.193.232" + "10.218.123.234", + "10.110.133.7" ], "related.user": [ - "nse", - "odi", - "eetdo" + "caboNem", + "pta", + "etconsec" ], - "rsa.counters.dclass_c1": 6784, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "seddoeiu", - "rsa.db.index": "ugitsedq", + "rsa.counters.event_counter": 5347, + "rsa.db.database": "urExcept", + 
"rsa.internal.event_desc": "liquid", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny" + "vitaed", + "allow" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "oraincid", - "rsa.misc.group_object": "ore", + "rsa.misc.category": "enim", + "rsa.misc.disposition": "Finibus", + "rsa.misc.event_type": "radi", + "rsa.misc.group": "accusa", + "rsa.misc.log_session_id": "eosquira", + "rsa.misc.operation_id": "dipiscin", + "rsa.misc.policy_name": "radipisc", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 57.532, + "rsa.misc.result_code": "mdolore", + "rsa.misc.rule_name": "natu", + "rsa.misc.severity": "medium", "rsa.time.starttime": "2017-01-06T09:11:41.000Z", + "rsa.web.alias_host": "nibus", + "rule.name": "natu", "service.type": "imperva", - "source.address": "tlab2033.lan", + "source.address": "temaccu5302.test", "source.ip": [ - "10.114.193.232" + "10.218.123.234" ], - "source.port": 3661, + "source.port": 2064, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "odi" + "url.original": "https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo", + "url.query": "atemUte", + "user.name": "pta" }, { "destination.ip": [ - "10.44.226.104" + "10.105.190.170" ], - "destination.port": 7020, - "event.action": "accept", + "destination.port": 2519, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.44.226.104,dstPort=7020,dbUsername=nse,srcIP=10.9.56.220,srcPort=905,creatTime=2017-01-20 
14:14:16,srvGroup=suntincu,service=sse,appName=venia,event#=inBCSe,eventType=Logout,usrGroup=otamrem,usrAuth=True,application=\"tutlabor\",osUsername=reseosq,srcHost=gna4901.internal.localhost,dbName=catcupi,schemaName=autf,bindVar=saqu,sqlError=unknown,respSize=5380,respTime=36.114000,affRows=amquisno,action=\"accept\",rawQuery=\"tiumdol\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application=\"tiumto\",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action=\"block\",rawQuery=\"equamnih\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "gna4901.internal.localhost", + "group.name": "dolor", + "host.hostname": "nder347.www.corp", "input.type": "log", - "log.offset": 13297, - "network.application": "tutlabor", + "log.offset": 12387, + "network.application": "tiumto", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.44.226.104", - "10.9.56.220" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ - "reseosq", - "autf", - "nse" + "doeiu", + "litan", + "mquisn" ], - "rsa.counters.dclass_c1": 5380, + "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "catcupi", - "rsa.db.index": "tiumdol", + "rsa.db.database": "alorum", + "rsa.db.index": "equamnih", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "block" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "otamrem", - 
"rsa.misc.group_object": "suntincu", + "rsa.misc.group": "dolor", + "rsa.misc.group_object": "orumw", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 36.114, + "rsa.time.duration_time": 68.556, "rsa.time.starttime": "2017-01-20T16:14:16.000Z", "service.type": "imperva", - "source.address": "gna4901.internal.localhost", + "source.address": "nder347.www.corp", "source.ip": [ - "10.9.56.220" + "10.182.152.242" ], - "source.port": 905, + "source.port": 1877, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "nse" + "user.name": "doeiu" }, { "destination.ip": [ - "10.48.209.115" + "10.123.166.197" ], - "destination.port": 3450, - "event.action": "cancel", + "destination.port": 7082, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.48.209.115,dstPort=3450,dbUsername=aconsequ,srcIP=10.33.195.166,srcPort=1629,creatTime=2017-02-03 21:16:50,srvGroup=ursin,service=utemvel,appName=epteur,event#=ommo,eventType=Logout,usrGroup=iame,usrAuth=True,application=\"laudanti\",osUsername=umiurer,srcHost=rere5274.mail.domain,dbName=usmo,schemaName=iamea,bindVar=imaveni,sqlError=failure,respSize=3249,respTime=105.870000,affRows=cor,action=\"cancel\",rawQuery=\"nihil\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 
21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName=\"licaboNe\",evntDesc=\"tautfug\",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName=\"ici\",occurrences=7102,httpHost=mips,webMethod=itae,url=\"https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu\",webQuery=\"tan\",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application=\"usantiu\",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block", "fileset.name": "securesphere", - "host.hostname": "rere5274.mail.domain", + "group.name": "tutla", + "host.hostname": "idunt4633.internal.host", "input.type": "log", - "log.offset": 13750, - "network.application": "laudanti", + "log.level": "low", + "log.offset": 12830, + "network.application": "usantiu", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.48.209.115", - "10.33.195.166" + "10.123.166.197", + "10.59.188.188" ], "related.user": [ - "umiurer", - "aconsequ", - "iamea" + "min", + "emUte", + "liquam" ], - "rsa.counters.dclass_c1": 3249, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "usmo", - "rsa.db.index": "nihil", + "rsa.counters.event_counter": 7102, + "rsa.db.database": "oluptat", + "rsa.internal.event_desc": "tautfug", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "iame", - "rsa.misc.group_object": "ursin", - "rsa.misc.result": "failure", - 
"rsa.time.duration_time": 105.87, + "block", + "itae" + ], + "rsa.misc.category": "giatquov", + "rsa.misc.disposition": "olu", + "rsa.misc.event_type": "rmagnido", + "rsa.misc.group": "tutla", + "rsa.misc.log_session_id": "autfugit", + "rsa.misc.operation_id": "citati", + "rsa.misc.policy_name": "ici", + "rsa.misc.result_code": "sunt", + "rsa.misc.rule_name": "licaboNe", + "rsa.misc.severity": "low", "rsa.time.starttime": "2017-02-03T23:16:50.000Z", + "rsa.web.alias_host": "mips", + "rule.name": "licaboNe", "service.type": "imperva", - "source.address": "rere5274.mail.domain", + "source.address": "idunt4633.internal.host", "source.ip": [ - "10.33.195.166" + "10.59.188.188" ], - "source.port": 1629, + "source.port": 7647, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "aconsequ" + "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", + "url.query": "tan", + "user.name": "emUte" }, { "destination.ip": [ - "10.85.137.156" + "10.72.75.207" ], - "destination.port": 2763, + "destination.port": 6336, "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.85.137.156,dstPort=2763,dbUsername=orumSe,srcIP=10.188.121.11,srcPort=537,creatTime=2017-02-18 04:19:24,srvGroup=dtemp,service=ici,appName=nisiuta,event#=iquaUt,eventType=Logout,usrGroup=mnihilm,usrAuth=True,application=\"redo\",osUsername=etMaloru,srcHost=lmo3262.test,dbName=uamqu,schemaName=olori,bindVar=ido,sqlError=success,respSize=2491,respTime=126.010000,affRows=autfugit,action=\"accept\",rawQuery=\"dolorsi\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 
04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application=\"acom\",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action=\"accept\",rawQuery=\"reet\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "lmo3262.test", + "group.name": "lumdo", + "host.hostname": "ectob4634.mail.localhost", "input.type": "log", - "log.offset": 14197, - "network.application": "redo", + "log.offset": 13585, + "network.application": "acom", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.85.137.156", - "10.188.121.11" + "10.201.168.116", + "10.72.75.207" ], "related.user": [ - "olori", - "orumSe", - "etMaloru" + "eufug", + "eFini", + "urau" ], - "rsa.counters.dclass_c1": 2491, + "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uamqu", - "rsa.db.index": "dolorsi", + "rsa.db.database": "prehend", + "rsa.db.index": "reet", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "accept" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "mnihilm", - "rsa.misc.group_object": "dtemp", - "rsa.misc.result": "success", - "rsa.time.duration_time": 126.01, + "rsa.misc.group": "lumdo", + "rsa.misc.group_object": "utali", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 79.765, "rsa.time.starttime": "2017-02-18T06:19:24.000Z", "service.type": "imperva", - "source.address": "lmo3262.test", + "source.address": "ectob4634.mail.localhost", "source.ip": [ - "10.188.121.11" + "10.201.168.116" ], - "source.port": 537, + "source.port": 2037, "tags": 
[ "imperva.securesphere", "forwarded" ], - "user.name": "orumSe" + "user.name": "urau" }, { "destination.ip": [ - "10.238.245.236" + "10.9.46.123" ], - "destination.port": 3575, - "event.action": "cancel", + "destination.port": 586, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.238.245.236,dstPort=3575,dbUsername=stquidol,srcIP=10.45.215.202,srcPort=3834,creatTime=2017-03-04 11:21:59,srvGroup=ide,service=edq,appName=evitae,event#=amvo,eventType=tnul,usrGroup=expl,usrAuth=ess,application=\"quiad\",osUsername=ihilmole,srcHost=saquaea2280.www5.invalid,dbName=quas,schemaName=gia,bindVar=itatio,sqlError=failure,respSize=7822,respTime=157.184000,affRows=eddoei,action=\"cancel\",rawQuery=\"sseq\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application=\"lestia\",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action=\"block\",rawQuery=\"uames\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "saquaea2280.www5.invalid", + "group.name": "miurerep", + "host.hostname": "snu6436.www.local", "input.type": "log", - "log.offset": 14636, - "network.application": "quiad", + "log.offset": 14032, + "network.application": "lestia", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.238.245.236", - "10.45.215.202" + "10.58.133.175", + "10.9.46.123" ], "related.user": [ - "ihilmole", - "stquidol", - "gia" + "oco", + "nde", + "mfu" ], - "rsa.counters.dclass_c1": 7822, + "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": 
"quas", - "rsa.db.index": "sseq", + "rsa.db.database": "texplica", + "rsa.db.index": "uames", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "block" ], - "rsa.misc.event_type": "tnul", - "rsa.misc.group": "expl", - "rsa.misc.group_object": "ide", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 157.184, + "rsa.misc.event_type": "Login", + "rsa.misc.group": "miurerep", + "rsa.misc.group_object": "llumq", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 14.713, "rsa.time.starttime": "2017-03-04T13:21:59.000Z", "service.type": "imperva", - "source.address": "saquaea2280.www5.invalid", + "source.address": "snu6436.www.local", "source.ip": [ - "10.45.215.202" + "10.58.133.175" ], - "source.port": 3834, + "source.port": 1634, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "stquidol" + "user.name": "mfu" }, { "destination.ip": [ - "10.213.109.180" + "10.169.50.59" ], - "destination.port": 6536, - "event.action": "accept", + "destination.port": 7693, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.213.109.180,dstPort=6536,dbUsername=essequam,srcIP=10.222.85.95,srcPort=1742,creatTime=18 March 2017 18:24:33,srvGroup=upt,service=orum,appName=Bonoru,event#=madminim,eventType=Login,usrGroup=ents,usrAuth=False,application=\"emacc\",osUsername=emp,srcHost=lamcola4879.www5.localdomain,dbName=dant,schemaName=etdolor,bindVar=uat,sqlError=unknown,respSize=2905,respTime=85.649000,affRows=iti,action=\"accept\",rawQuery=\"amqu\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 
18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application=\"tametco\",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action=\"block\",rawQuery=\"prehen\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "lamcola4879.www5.localdomain", + "group.name": "serrorsi", + "host.hostname": "lore7099.www.host", "input.type": "log", - "log.offset": 15076, - "network.application": "emacc", + "log.offset": 14468, + "network.application": "tametco", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.222.85.95", - "10.213.109.180" + "10.169.50.59", + "10.70.29.203" ], "related.user": [ - "essequam", - "emp", - "etdolor" + "pta", + "mquisnos", + "veniamq" ], - "rsa.counters.dclass_c1": 2905, + "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "dant", - "rsa.db.index": "amqu", + "rsa.db.database": "isn", + "rsa.db.index": "prehen", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "block" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "ents", - "rsa.misc.group_object": "upt", + "rsa.misc.group": "serrorsi", + "rsa.misc.group_object": "piciatis", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 85.649, + "rsa.time.duration_time": 94.46, "rsa.time.starttime": "2017-03-18T20:24:33.000Z", "service.type": "imperva", - "source.address": "lamcola4879.www5.localdomain", + "source.address": "lore7099.www.host", "source.ip": [ - "10.222.85.95" + "10.70.29.203" ], - "source.port": 1742, + "source.port": 5994, "tags": [ "imperva.securesphere", "forwarded" ], - 
"user.name": "essequam" + "user.name": "pta" }, { "destination.ip": [ - "10.229.165.102" + "10.165.182.111" ], - "destination.port": 2069, - "event.action": "cancel", + "destination.port": 5525, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.229.165.102,dstPort=2069,dbUsername=lestia,srcIP=10.18.225.139,srcPort=3302,creatTime=2 April 2017 01:27:07,srvGroup=inibusB,service=nostrud,appName=cteturad,event#=ore,eventType=Login,usrGroup=esse,usrAuth=True,application=\"veniam\",osUsername=edquian,srcHost=sus7859.www5.lan,dbName=mquido,schemaName=orum,bindVar=oinBCSed,sqlError=success,respSize=3553,respTime=116.549000,affRows=ilm,action=\"cancel\",rawQuery=\"fugiatqu\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application=\"emi\",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action=\"block\",rawQuery=\"edutp\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "sus7859.www5.lan", + "group.name": "cid", + "host.hostname": "lesti6939.api.local", "input.type": "log", - "log.offset": 15522, - "network.application": "veniam", + "log.offset": 14919, + "network.application": "emi", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.225.139", - "10.229.165.102" + "10.165.182.111", + "10.137.85.123" ], "related.user": [ - "lestia", - "orum", - "edquian" + "sis", + "ames", + "Bonorum" ], - "rsa.counters.dclass_c1": 3553, + "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "mquido", - 
"rsa.db.index": "fugiatqu", + "rsa.db.database": "idu", + "rsa.db.index": "edutp", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "block" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "esse", - "rsa.misc.group_object": "inibusB", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "cid", + "rsa.misc.group_object": "amquisno", "rsa.misc.result": "success", - "rsa.time.duration_time": 116.549, + "rsa.time.duration_time": 171.434, "rsa.time.starttime": "2017-04-02T03:27:07.000Z", "service.type": "imperva", - "source.address": "sus7859.www5.lan", + "source.address": "lesti6939.api.local", "source.ip": [ - "10.18.225.139" + "10.137.85.123" ], - "source.port": 3302, + "source.port": 218, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "lestia" + "user.name": "ames" }, { - "destination.ip": [ - "10.119.4.120" - ], - "destination.port": 3822, - "event.action": "accept", + "event.action": "tateveli", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.119.4.120,dstPort=3822,dbUsername=veleumi,srcIP=10.63.177.46,srcPort=4799,creatTime=2017-04-16 08:29:41,srvGroup=adipisci,service=mip,appName=itatio,event#=oquisqu,eventType=turadip,usrGroup=dip,usrAuth=idolo,application=\"Ute\",osUsername=ptassita,srcHost=caecatcu919.www5.corp,dbName=olorsi,schemaName=itseddo,bindVar=bore,sqlError=unknown,respSize=5719,respTime=42.541000,affRows=labo,action=\"accept\",rawQuery=\"mvenia\"", + "event.original": "%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message=\"temvele\"", "fileset.name": "securesphere", - "host.hostname": 
"caecatcu919.www5.corp", "input.type": "log", - "log.offset": 15971, - "network.application": "Ute", + "log.level": "high", + "log.offset": 15352, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.63.177.46", - "10.119.4.120" - ], "related.user": [ - "ptassita", - "itseddo", - "veleumi" + "sumdolo" ], - "rsa.counters.dclass_c1": 5719, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "olorsi", - "rsa.db.index": "mvenia", + "rsa.internal.event_desc": "temvele", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "turadip", - "rsa.misc.group": "dip", - "rsa.misc.group_object": "adipisci", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 42.541, + "rsa.misc.event_type": "tateveli", + "rsa.misc.severity": "high", "rsa.time.starttime": "2017-04-16T10:29:41.000Z", "service.type": "imperva", - "source.address": "caecatcu919.www5.corp", - "source.ip": [ - "10.63.177.46" - ], - "source.port": 4799, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "veleumi" + "user.name": "sumdolo" }, { "destination.ip": [ - "10.189.6.107" + "10.173.178.109" ], - "destination.port": 767, - "event.action": "allow", + "destination.port": 6659, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.189.6.107,dstPort=767,dbUsername=exerci,srcIP=10.50.69.209,srcPort=5406,creatTime=2017-04-30 15:32:16,srvGroup=atcupid,service=onse,appName=psa,event#=ate,eventType=Logout,usrGroup=con,usrAuth=False,application=\"tqu\",osUsername=eirur,srcHost=dese3161.www5.localhost,dbName=lore,schemaName=isci,bindVar=Dui,sqlError=failure,respSize=1684,respTime=75.877000,affRows=lup,action=\"allow\",rawQuery=\"eos\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName=\"ibusBo\",evntDesc=\"orin\",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName=\"tatemse\",occurrences=4493,httpHost=amqui,webMethod=lamco,url=\"https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi\",webQuery=\"tlabore\",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", "fileset.name": "securesphere", - "host.hostname": "dese3161.www5.localhost", + "group.name": "onofdeF", + "host.hostname": "upt6017.api.localdomain", "input.type": "log", - "log.offset": 16417, - "network.application": "tqu", + "log.level": "high", + "log.offset": 15503, + "network.application": "itsedd", + "network.direction": "inbound", + "network.protocol": "rdp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.189.6.107", - "10.50.69.209" + "10.64.184.196", + "10.173.178.109" ], "related.user": [ - "exerci", - "eirur", - "isci" + "tam", + "nesci", + "uian" ], - "rsa.counters.dclass_c1": 1684, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "lore", - "rsa.db.index": "eos", + "rsa.counters.event_counter": 4493, + "rsa.db.database": "sin", + "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "lamco", + "block" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "con", - "rsa.misc.group_object": "atcupid", + "rsa.misc.category": "enia", 
+ "rsa.misc.disposition": "iavol", + "rsa.misc.event_type": "natuserr", + "rsa.misc.group": "onofdeF", + "rsa.misc.log_session_id": "olore", + "rsa.misc.operation_id": "inimve", + "rsa.misc.policy_name": "tatemse", "rsa.misc.result": "failure", - "rsa.time.duration_time": 75.877, + "rsa.misc.result_code": "expl", + "rsa.misc.rule_name": "ibusBo", + "rsa.misc.severity": "high", "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "rsa.web.alias_host": "amqui", + "rule.name": "ibusBo", "service.type": "imperva", - "source.address": "dese3161.www5.localhost", + "source.address": "upt6017.api.localdomain", "source.ip": [ - "10.50.69.209" + "10.64.184.196" ], - "source.port": 5406, + "source.port": 3327, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "exerci" + "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", + "url.query": "tlabore", + "user.name": "uian" }, { "destination.ip": [ - "10.74.166.70" + "10.90.50.149" ], - "destination.port": 1453, - "event.action": "accept", + "destination.port": 1936, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.74.166.70,dstPort=1453,dbUsername=olor,srcIP=10.88.176.226,srcPort=6937,creatTime=2017-05-14 22:34:50,srvGroup=Dui,service=iameaqu,appName=aaliquaU,event#=olu,eventType=Logout,usrGroup=iameaque,usrAuth=True,application=\"identsun\",osUsername=ender,srcHost=inc5923.www.test,dbName=oluptat,schemaName=roinBCSe,bindVar=maperiam,sqlError=success,respSize=723,respTime=156.893000,affRows=nseq,action=\"accept\",rawQuery=\"uidolo\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 
22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "inc5923.www.test", + "group.name": "ectobea", + "host.hostname": "turQuis4046.api.test", "input.type": "log", - "log.offset": 16841, - "network.application": "identsun", + "log.offset": 16271, + "network.application": "dat", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.88.176.226", - "10.74.166.70" + "10.168.225.209", + "10.90.50.149" ], "related.user": [ - "olor", - "roinBCSe", - "ender" + "aUtenima", + "olupta", + "olu" ], - "rsa.counters.dclass_c1": 723, + "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "oluptat", - "rsa.db.index": "uidolo", + "rsa.db.database": "deomnisi", + "rsa.db.index": "iav", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "block" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "iameaque", - "rsa.misc.group_object": "Dui", + "rsa.misc.group": "ectobea", + "rsa.misc.group_object": "taliq", "rsa.misc.result": "success", - "rsa.time.duration_time": 156.893, + "rsa.time.duration_time": 55.87, "rsa.time.starttime": "2017-05-15T00:34:50.000Z", "service.type": "imperva", - "source.address": "inc5923.www.test", + "source.address": "turQuis4046.api.test", "source.ip": [ - "10.88.176.226" + "10.168.225.209" ], - "source.port": 6937, + "source.port": 6, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "olor" + 
"user.name": "olu" }, { "destination.ip": [ - "10.123.56.46" + "10.59.182.36" ], - "destination.port": 6729, - "event.action": "cancel", + "destination.port": 5792, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.123.56.46,dstPort=6729,dbUsername=sit,srcIP=10.182.181.162,srcPort=6169,creatTime=2017-05-29 05:37:24,srvGroup=sistena,service=uidexeac,appName=sequa,event#=ntsunti,eventType=Logout,usrGroup=borios,usrAuth=True,application=\"ani\",osUsername=uid,srcHost=idatat6469.api.invalid,dbName=lesti,schemaName=oreseo,bindVar=reprehen,sqlError=failure,respSize=6438,respTime=159.943000,affRows=idolo,action=\"cancel\",rawQuery=\"tsedquia\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "idatat6469.api.invalid", + "group.name": "enimad", + "host.hostname": "con6049.internal.lan", "input.type": "log", - "log.offset": 17288, - "network.application": "ani", + "log.offset": 16712, + "network.application": "tis", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.182.181.162", - "10.123.56.46" + "10.18.150.82", + "10.59.182.36" ], "related.user": [ - "uid", - "sit", - "oreseo" + "luptat", + "qua", + "mtota" ], - "rsa.counters.dclass_c1": 6438, + "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "lesti", - "rsa.db.index": "tsedquia", + 
"rsa.db.database": "quelaud", + "rsa.db.index": "tconse", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "allow" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "borios", - "rsa.misc.group_object": "sistena", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 159.943, + "rsa.misc.event_type": "Login", + "rsa.misc.group": "enimad", + "rsa.misc.group_object": "rit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 135.357, "rsa.time.starttime": "2017-05-29T07:37:24.000Z", "service.type": "imperva", - "source.address": "idatat6469.api.invalid", + "source.address": "con6049.internal.lan", "source.ip": [ - "10.182.181.162" + "10.18.150.82" ], - "source.port": 6169, + "source.port": 6648, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "sit" + "user.name": "mtota" }, { - "destination.ip": [ - "10.169.124.164" - ], - "destination.port": 62, - "event.action": "accept", + "event.action": "ulamcola", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.169.124.164,dstPort=62,dbUsername=iamqui,srcIP=10.176.83.7,srcPort=5908,creatTime=2017-06-12 12:39:58,srvGroup=inim,service=etdol,appName=Sed,event#=oremeumf,eventType=lesti,usrGroup=sintocca,usrAuth=mipsumqu,application=\"eprehen\",osUsername=hilmole,srcHost=sequ6424.www.invalid,dbName=its,schemaName=dolor,bindVar=lorumwri,sqlError=success,respSize=2894,respTime=68.248000,affRows=lab,action=\"accept\",rawQuery=\"nimaveni\"", + "event.original": "%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", "fileset.name": "securesphere", - "host.hostname": 
"sequ6424.www.invalid", "input.type": "log", - "log.offset": 17738, - "network.application": "eprehen", + "log.level": "very-high", + "log.offset": 17148, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.176.83.7", - "10.169.124.164" - ], "related.user": [ - "dolor", - "hilmole", - "iamqui" + "llita" ], - "rsa.counters.dclass_c1": 2894, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "its", - "rsa.db.index": "nimaveni", + "rsa.internal.event_desc": "nturmag", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "lesti", - "rsa.misc.group": "sintocca", - "rsa.misc.group_object": "inim", - "rsa.misc.result": "success", - "rsa.time.duration_time": 68.248, + "rsa.misc.event_type": "ulamcola", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2017-06-12T14:39:58.000Z", "service.type": "imperva", - "source.address": "sequ6424.www.invalid", - "source.ip": [ - "10.176.83.7" - ], - "source.port": 5908, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "iamqui" + "user.name": "llita" }, { "destination.ip": [ - "10.87.238.169" + "10.228.229.144" ], - "destination.port": 1598, - "event.action": "block", + "destination.port": 3236, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.87.238.169,dstPort=1598,dbUsername=CSedu,srcIP=10.173.125.112,srcPort=7769,creatTime=2017-06-26 19:42:33,srvGroup=iquip,service=tinculpa,appName=umtota,event#=etdolore,eventType=Logout,usrGroup=magnaa,usrAuth=False,application=\"sumquiad\",osUsername=iusmodt,srcHost=tes1898.www5.test,dbName=eaqueip,schemaName=itaedict,bindVar=olorema,sqlError=failure,respSize=7780,respTime=126.440000,affRows=ptatemse,action=\"block\",rawQuery=\"quaeratv\"", - "event.outcome": "Failure", + "event.original": 
"%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application=\"taevit\",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action=\"cancel\",rawQuery=\"aquae\"", "fileset.name": "securesphere", - "host.hostname": "tes1898.www5.test", + "group.name": "remeum", + "host.hostname": "tatnonp1371.www.invalid", "input.type": "log", - "log.offset": 18186, - "network.application": "sumquiad", + "log.offset": 17295, + "network.application": "taevit", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.87.238.169", - "10.173.125.112" + "10.228.229.144", + "10.151.240.35" ], "related.user": [ - "itaedict", - "iusmodt", - "CSedu" + "ama", + "ametcons", + "lam" ], - "rsa.counters.dclass_c1": 7780, + "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "eaqueip", - "rsa.db.index": "quaeratv", + "rsa.db.database": "xercit", + "rsa.db.index": "aquae", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "cancel" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "magnaa", - "rsa.misc.group_object": "iquip", + "rsa.misc.event_type": "lill", + "rsa.misc.group": "remeum", + "rsa.misc.group_object": "roquisq", "rsa.misc.result": "failure", - "rsa.time.duration_time": 126.44, + "rsa.time.duration_time": 168.492, "rsa.time.starttime": "2017-06-26T21:42:33.000Z", "service.type": "imperva", - "source.address": "tes1898.www5.test", + "source.address": "tatnonp1371.www.invalid", "source.ip": [ - 
"10.173.125.112" + "10.151.240.35" ], - "source.port": 7769, + "source.port": 3197, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "CSedu" + "user.name": "ametcons" }, { "destination.ip": [ - "10.245.219.7" + "10.242.48.203" ], - "destination.port": 4792, + "destination.port": 1102, "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.245.219.7,dstPort=4792,dbUsername=rsit,srcIP=10.53.133.90,srcPort=940,creatTime=11 July 2017 02:45:07,srvGroup=isiutali,service=quaUten,appName=rmagnido,event#=psaquaea,eventType=Login,usrGroup=rchit,usrAuth=False,application=\"psumq\",osUsername=ptatev,srcHost=atu5950.api.corp,dbName=msequ,schemaName=nvol,bindVar=enimadmi,sqlError=unknown,respSize=6066,respTime=143.250000,affRows=sumdolo,action=\"block\",rawQuery=\"rors\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application=\"ptat\",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action=\"block\",rawQuery=\"velillum\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "atu5950.api.corp", + "group.name": "ola", + "host.hostname": "tium3542.internal.invalid", "input.type": "log", - "log.offset": 18649, - "network.application": "psumq", + "log.offset": 17739, + "network.application": "ptat", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.245.219.7", - "10.53.133.90" + "10.147.142.242", + "10.242.48.203" ], "related.user": [ - "rsit", - "nvol", - "ptatev" + "ese", + "quisn", + "quasi" ], - "rsa.counters.dclass_c1": 6066, + 
"rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "msequ", - "rsa.db.index": "rors", + "rsa.db.database": "squamest", + "rsa.db.index": "velillum", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "block" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "rchit", - "rsa.misc.group_object": "isiutali", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 143.25, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ola", + "rsa.misc.group_object": "eca", + "rsa.misc.result": "success", + "rsa.time.duration_time": 11.548, "rsa.time.starttime": "2017-07-11T04:45:07.000Z", "service.type": "imperva", - "source.address": "atu5950.api.corp", + "source.address": "tium3542.internal.invalid", "source.ip": [ - "10.53.133.90" + "10.147.142.242" ], - "source.port": 940, + "source.port": 2586, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "rsit" + "user.name": "ese" }, { "destination.ip": [ - "10.67.173.228" + "10.254.10.98" ], - "destination.port": 4444, - "event.action": "block", + "destination.port": 3787, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=quaU,event#=ufugi,createTime=2017-07-25 
09:47:41,updateTime=cin,alertSev=low,group=byC,ruleName=\"uae\",evntDesc=\"oremip\",category=its,disposition=uptasnul,eventType=aliqui,proto=rdp,srcPort=239,srcIP=10.161.64.168,dstPort=4444,dstIP=10.67.173.228,policyName=\"uatu\",occurrences=2448,httpHost=ntoccaec,webMethod=uamestqu,url=\"https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp\",webQuery=\"ommo\",soapAction=adeser,resultCode=uasiarc,sessionID=doeiu,username=onsectet,addUsername=dentsunt,responseTime=inea,responseSize=animid,direction=upta,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", + "event.original": "%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName=\"emipsumq\",evntDesc=\"culpaq\",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName=\"adipisc\",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url=\"https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui\",webQuery=\"lup\",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application=\"iades\",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action=\"cancel\",errormsg=\"success\"", "fileset.name": "securesphere", - "host.hostname": "upt6017.api.localdomain", + "group.name": "paq", + "host.hostname": "radipis3991.mail.invalid", "input.type": "log", - "log.level": "low", - "log.offset": 19096, - "network.application": "itsedd", - "network.direction": "upta", - "network.protocol": "rdp", + "log.level": "very-high", + "log.offset": 18185, + "network.application": "iades", + "network.direction": "outbound", + "network.protocol": "ipv6", "observer.product": "Secure", 
"observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.64.168", - "10.67.173.228" + "10.254.10.98", + "10.213.165.165" ], "related.user": [ - "nesci", - "onsectet", - "tam" + "eufugia", + "civeli", + "ttenb" ], - "rsa.counters.event_counter": 2448, - "rsa.db.database": "sin", - "rsa.internal.event_desc": "oremip", + "rsa.counters.event_counter": 7365, + "rsa.db.database": "utlabore", + "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "uamestqu" - ], - "rsa.misc.category": "its", - "rsa.misc.disposition": "uptasnul", - "rsa.misc.event_type": "aliqui", - "rsa.misc.group": "byC", - "rsa.misc.log_session_id": "doeiu", - "rsa.misc.operation_id": "quaU", - "rsa.misc.policy_name": "uatu", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "uasiarc", - "rsa.misc.rule_name": "uae", - "rsa.misc.severity": "low", + "uptasn", + "cancel" + ], + "rsa.misc.category": "quamq", + "rsa.misc.disposition": "usan", + "rsa.misc.event_type": "tdolo", + "rsa.misc.group": "paq", + "rsa.misc.log_session_id": "giat", + "rsa.misc.operation_id": "lapari", + "rsa.misc.policy_name": "adipisc", + "rsa.misc.result": "success", + "rsa.misc.result_code": "isau", + "rsa.misc.rule_name": "emipsumq", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2017-07-25T11:47:41.000Z", - "rsa.web.alias_host": "ntoccaec", - "rule.name": "uae", + "rsa.web.alias_host": "tasnul", + "rule.name": "emipsumq", "service.type": "imperva", - "source.address": "upt6017.api.localdomain", + "source.address": "radipis3991.mail.invalid", "source.ip": [ - "10.161.64.168" + "10.213.165.165" ], - "source.port": 239, + "source.port": 4723, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www.example.net/orem/eniamqui.gif?seq=rumSe#tatnonp", - "url.query": "ommo", - "user.name": "onsectet" + "url.original": "https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui", + "url.query": "lup", + "user.name": 
"ttenb" }, { - "destination.ip": [ - "10.90.50.149" - ], - "destination.port": 1936, - "event.action": "block", + "event.action": "trudexe", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-08-08 16:50:15,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message=\"Quisa\"", "fileset.name": "securesphere", - "host.hostname": "turQuis4046.api.test", "input.type": "log", - "log.offset": 19845, - "network.application": "dat", + "log.level": "very-high", + "log.offset": 18948, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.168.225.209", - "10.90.50.149" - ], "related.user": [ - "olupta", - "aUtenima", - "olu" + "ura" ], - "rsa.counters.dclass_c1": 1127, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "deomnisi", - "rsa.db.index": "iav", + "rsa.internal.event_desc": "Quisa", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ectobea", - "rsa.misc.group_object": "taliq", - "rsa.misc.result": "success", - "rsa.time.duration_time": 55.87, + "rsa.misc.event_type": "trudexe", + "rsa.misc.severity": "very-high", 
"rsa.time.starttime": "2017-08-08T18:50:15.000Z", "service.type": "imperva", - "source.address": "turQuis4046.api.test", - "source.ip": [ - "10.168.225.209" - ], - "source.port": 6, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "olu" + "user.name": "ura" }, { "destination.ip": [ - "10.59.182.36" + "10.169.28.157" ], - "destination.port": 5792, - "event.action": "allow", + "destination.port": 3402, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=22 August 2017 23:52:50,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName=\"iuntN\",evntDesc=\"utfugi\",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName=\"exeacomm\",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url=\"https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs\",webQuery=\"ercitati\",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application=\"edquia\",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action=\"accept\",errormsg=\"unknown\"", "fileset.name": "securesphere", - "host.hostname": "con6049.internal.lan", + "group.name": "etco", + "host.hostname": "ihi7294.www5.localhost", 
"input.type": "log", - "log.offset": 20286, - "network.application": "tis", + "log.level": "very-high", + "log.offset": 19095, + "network.application": "edquia", + "network.direction": "internal", + "network.protocol": "ipv6", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.150.82", - "10.59.182.36" + "10.169.28.157", + "10.116.1.130" ], "related.user": [ - "mtota", - "qua", - "luptat" + "eturadip", + "reseo", + "amco" ], - "rsa.counters.dclass_c1": 6112, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "quelaud", - "rsa.db.index": "tconse", + "rsa.counters.event_counter": 1295, + "rsa.db.database": "ons", + "rsa.internal.event_desc": "utfugi", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "pexeaco", + "accept" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "enimad", - "rsa.misc.group_object": "rit", + "rsa.misc.category": "ursintoc", + "rsa.misc.disposition": "tio", + "rsa.misc.event_type": "mmodicon", + "rsa.misc.group": "etco", + "rsa.misc.log_session_id": "lumquid", + "rsa.misc.operation_id": "llitani", + "rsa.misc.policy_name": "exeacomm", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 135.357, + "rsa.misc.result_code": "serro", + "rsa.misc.rule_name": "iuntN", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2017-08-23T01:52:50.000Z", + "rsa.web.alias_host": "ionula", + "rule.name": "iuntN", "service.type": "imperva", - "source.address": "con6049.internal.lan", + "source.address": "ihi7294.www5.localhost", "source.ip": [ - "10.18.150.82" + "10.116.1.130" ], - "source.port": 6648, + "source.port": 5439, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "mtota" + "url.original": 
"https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs", + "url.query": "ercitati", + "user.name": "eturadip" }, { - "event.action": "ulamcola", + "destination.ip": [ + "10.29.138.31" + ], + "destination.port": 5871, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=rem,createTime=2017-09-06 06:55:24,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application=\"apari\",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action=\"deny\",rawQuery=\"eumiu\"", + "event.outcome": "failure", "fileset.name": "securesphere", + "group.name": "equa", + "host.hostname": "caecat4920.api.host", "input.type": "log", - "log.level": "very-high", - "log.offset": 20725, + "log.offset": 19873, + "network.application": "apari", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.ip": [ + "10.29.138.31", + "10.45.69.152" + ], "related.user": [ - "llita" + "tsunt", + "umq", + "volupta" ], - "rsa.internal.event_desc": "nturmag", + "rsa.counters.dclass_c1": 744, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enim", + "rsa.db.index": "eumiu", "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "ulamcola", - "rsa.misc.severity": "very-high", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + 
"rsa.misc.group": "equa", + "rsa.misc.group_object": "emi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 33.416, "rsa.time.starttime": "2017-09-06T08:55:24.000Z", "service.type": "imperva", + "source.address": "caecat4920.api.host", + "source.ip": [ + "10.45.69.152" + ], + "source.port": 4083, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "llita" + "user.name": "volupta" }, { "destination.ip": [ - "10.52.190.18" + "10.152.213.228" ], - "destination.port": 4411, + "destination.port": 3387, "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.52.190.18,dstPort=4411,dbUsername=ciati,srcIP=10.198.142.81,srcPort=283,creatTime=20 September 2017 13:57:58,srvGroup=amei,service=doconseq,appName=conseq,event#=emve,eventType=Login,usrGroup=edutpers,usrAuth=False,application=\"ctobeat\",osUsername=upta,srcHost=asper311.www.corp,dbName=inibus,schemaName=secte,bindVar=ctobeat,sqlError=unknown,respSize=1063,respTime=124.881000,affRows=animide,action=\"cancel\",rawQuery=\"emp\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application=\"ptatemse\",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action=\"cancel\",rawQuery=\"Except\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "asper311.www.corp", + "group.name": "osqu", + "host.hostname": "setquas6188.internal.local", "input.type": "log", - "log.offset": 20872, - "network.application": "ctobeat", + "log.offset": 20314, + "network.application": "ptatemse", "observer.product": "Secure", 
"observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.52.190.18", - "10.198.142.81" + "10.100.113.11", + "10.152.213.228" ], "related.user": [ - "ciati", - "upta", - "secte" + "velillum", + "ptatev", + "itationu" ], - "rsa.counters.dclass_c1": 1063, + "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "inibus", - "rsa.db.index": "emp", + "rsa.db.database": "magnaali", + "rsa.db.index": "Except", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "cancel" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "edutpers", - "rsa.misc.group_object": "amei", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 124.881, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "osqu", + "rsa.misc.group_object": "aliqu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 131.118, "rsa.time.starttime": "2017-09-20T15:57:58.000Z", "service.type": "imperva", - "source.address": "asper311.www.corp", + "source.address": "setquas6188.internal.local", "source.ip": [ - "10.198.142.81" + "10.100.113.11" ], - "source.port": 283, + "source.port": 6971, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "ciati" + "user.name": "ptatev" }, { - "destination.ip": [ - "10.49.169.175" - ], - "destination.port": 5020, - "event.action": "cancel", + "event.action": "tquii", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=volupta,event#=umfu,createTime=2017-10-04 
21:00:32,updateTime=utla,alertSev=low,group=tDuisaut,ruleName=\"dolo\",evntDesc=\"velites\",category=oloremi,disposition=edqui,eventType=strumex,proto=igmp,srcPort=4011,srcIP=10.97.108.108,dstPort=5020,dstIP=10.49.169.175,policyName=\"nostru\",occurrences=4795,httpHost=qui,webMethod=caboN,url=\"https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor\",webQuery=\"sequa\",soapAction=lorum,resultCode=suntexpl,sessionID=iqu,username=iquamqu,addUsername=eumfugia,responseTime=reeufugi,responseSize=sequines,direction=minimve,dbUsername=texplica,queryGroup=entorev,application=\"quuntur\",srcHost=olup3841.mail.invalid,osUsername=idolor,schemaName=onpr,dbName=uira,hdrName=eosqui,action=cancel", + "event.original": "%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message=\"inBCSedu\"", "fileset.name": "securesphere", - "host.hostname": "olup3841.mail.invalid", "input.type": "log", "log.level": "low", - "log.offset": 21322, - "network.application": "quuntur", - "network.direction": "minimve", - "network.protocol": "igmp", + "log.offset": 20779, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.49.169.175", - "10.97.108.108" - ], "related.user": [ - "iquamqu", - "idolor", - "onpr" + "reme" ], - "rsa.counters.event_counter": 4795, - "rsa.db.database": "uira", - "rsa.internal.event_desc": "velites", + "rsa.internal.event_desc": "inBCSedu", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel", - "caboN" - ], - "rsa.misc.category": "oloremi", - "rsa.misc.disposition": "edqui", - "rsa.misc.event_type": "strumex", - "rsa.misc.group": "tDuisaut", - "rsa.misc.log_session_id": "iqu", - "rsa.misc.operation_id": "volupta", - "rsa.misc.policy_name": "nostru", - "rsa.misc.result_code": "suntexpl", - "rsa.misc.rule_name": "dolo", + "rsa.misc.event_type": "tquii", "rsa.misc.severity": "low", "rsa.time.starttime": 
"2017-10-04T23:00:32.000Z", - "rsa.web.alias_host": "qui", - "rule.name": "dolo", "service.type": "imperva", - "source.address": "olup3841.mail.invalid", - "source.ip": [ - "10.97.108.108" - ], - "source.port": 4011, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://api.example.org/eumiu/tatevel.htm?quisnost=sequines#olor", - "url.query": "sequa", - "user.name": "iquamqu" + "user.name": "reme" }, { "destination.ip": [ - "10.65.185.178" + "10.208.33.55" ], - "destination.port": 7750, + "destination.port": 1849, "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.65.185.178,dstPort=7750,dbUsername=tin,srcIP=10.96.216.244,srcPort=3721,creatTime=2017-10-19 04:03:07,srvGroup=etconse,service=nesciu,appName=mali,event#=roinBCSe,eventType=Logout,usrGroup=eetdolor,usrAuth=False,application=\"tpersp\",osUsername=assi,srcHost=rch5094.www.host,dbName=atione,schemaName=tvolup,bindVar=oremeu,sqlError=failure,respSize=5602,respTime=76.644000,affRows=dan,action=\"accept\",rawQuery=\"aeca\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application=\"dictasun\",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action=\"accept\",rawQuery=\"quovo\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "rch5094.www.host", + "group.name": "ectetur", + "host.hostname": "nibusBo3674.www5.localhost", "input.type": "log", - "log.offset": 22077, - "network.application": "tpersp", + "log.offset": 20919, + "network.application": "dictasun", "observer.product": "Secure", 
"observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.65.185.178", - "10.96.216.244" + "10.208.33.55", + "10.248.102.129" ], "related.user": [ - "assi", - "tin", - "tvolup" + "inimv", + "mremaper", + "ulapari" ], - "rsa.counters.dclass_c1": 5602, + "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "atione", - "rsa.db.index": "aeca", + "rsa.db.database": "ntut", + "rsa.db.index": "quovo", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "accept" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "eetdolor", - "rsa.misc.group_object": "etconse", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 76.644, + "rsa.misc.group": "ectetur", + "rsa.misc.group_object": "iatn", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 111.36, "rsa.time.starttime": "2017-10-19T06:03:07.000Z", "service.type": "imperva", - "source.address": "rch5094.www.host", + "source.address": "nibusBo3674.www5.localhost", "source.ip": [ - "10.96.216.244" + "10.248.102.129" ], - "source.port": 3721, + "source.port": 3510, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "tin" + "user.name": "ulapari" }, { "destination.ip": [ - "10.223.71.185" + "10.203.164.132" ], - "destination.port": 916, - "event.action": "allow", + "destination.port": 6213, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.223.71.185,dstPort=916,dbUsername=uptateve,srcIP=10.33.181.176,srcPort=2546,creatTime=2017-11-02 
11:05:41,srvGroup=ectet,service=ionu,appName=eratv,event#=des,eventType=deFini,usrGroup=alorumwr,usrAuth=liq,application=\"xerc\",osUsername=atisetqu,srcHost=squir7186.internal.example,dbName=vol,schemaName=loremips,bindVar=serro,sqlError=unknown,respSize=3804,respTime=7.607000,affRows=noru,action=\"allow\",rawQuery=\"henderi\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application=\"rumex\",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action=\"block\",rawQuery=\"ihil\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "squir7186.internal.example", + "group.name": "uir", + "host.hostname": "totamr7676.www5.home", "input.type": "log", - "log.offset": 22518, - "network.application": "xerc", + "log.offset": 21377, + "network.application": "rumex", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.33.181.176", - "10.223.71.185" + "10.203.164.132", + "10.109.230.216" ], "related.user": [ - "loremips", - "atisetqu", - "uptateve" + "mporin", + "ibus", + "ectobea" ], - "rsa.counters.dclass_c1": 3804, + "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "vol", - "rsa.db.index": "henderi", + "rsa.db.database": "imadm", + "rsa.db.index": "ihil", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "block" ], - "rsa.misc.event_type": "deFini", - "rsa.misc.group": "alorumwr", - "rsa.misc.group_object": "ectet", - 
"rsa.misc.result": "unknown", - "rsa.time.duration_time": 7.607, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "uir", + "rsa.misc.group_object": "uov", + "rsa.misc.result": "success", + "rsa.time.duration_time": 166.971, "rsa.time.starttime": "2017-11-02T13:05:41.000Z", "service.type": "imperva", - "source.address": "squir7186.internal.example", + "source.address": "totamr7676.www5.home", "source.ip": [ - "10.33.181.176" + "10.109.230.216" ], - "source.port": 2546, + "source.port": 4447, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "uptateve" + "user.name": "mporin" }, { "destination.ip": [ - "10.238.252.246" + "10.151.203.60" ], - "destination.port": 6289, - "event.action": "cancel", + "destination.port": 482, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.238.252.246,dstPort=6289,dbUsername=iamea,srcIP=10.255.179.32,srcPort=5472,creatTime=16 November 2017 18:08:15,srvGroup=tur,service=eFi,appName=uatDuisa,event#=ulapari,eventType=Login,usrGroup=eporroq,usrAuth=False,application=\"uunturm\",osUsername=iatn,srcHost=saquaeab5916.www5.invalid,dbName=rroq,schemaName=olore,bindVar=eratvolu,sqlError=unknown,respSize=5626,respTime=121.916000,affRows=volup,action=\"cancel\",rawQuery=\"ntut\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application=\"itaedi\",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action=\"block\",rawQuery=\"onorumet\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "saquaeab5916.www5.invalid", + "group.name": "psam", + 
"host.hostname": "idents7231.mail.home", "input.type": "log", - "log.offset": 22965, - "network.application": "uunturm", + "log.offset": 21821, + "network.application": "itaedi", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.238.252.246", - "10.255.179.32" + "10.117.81.75", + "10.151.203.60" ], "related.user": [ - "olore", - "iatn", - "iamea" + "iconsequ", + "dol", + "exeac" ], - "rsa.counters.dclass_c1": 5626, + "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "rroq", - "rsa.db.index": "ntut", + "rsa.db.database": "veniamqu", + "rsa.db.index": "onorumet", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "block" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "eporroq", - "rsa.misc.group_object": "tur", + "rsa.misc.group": "psam", + "rsa.misc.group_object": "iciatis", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 121.916, + "rsa.time.duration_time": 27.563, "rsa.time.starttime": "2017-11-16T20:08:15.000Z", "service.type": "imperva", - "source.address": "saquaeab5916.www5.invalid", + "source.address": "idents7231.mail.home", "source.ip": [ - "10.255.179.32" + "10.117.81.75" ], - "source.port": 5472, + "source.port": 3365, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "iamea" + "user.name": "dol" }, { "destination.ip": [ - "10.98.52.184" + "10.224.217.153" ], - "destination.port": 7402, - "event.action": "cancel", + "destination.port": 6339, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": 
"%IMPERVA-Imperva,dstIP=10.98.52.184,dstPort=7402,dbUsername=umq,srcIP=10.28.124.136,srcPort=1327,creatTime=2017-12-01 01:10:49,srvGroup=olu,service=exerci,appName=isnostru,event#=iad,eventType=Logout,usrGroup=ngelits,usrAuth=True,application=\"volupt\",osUsername=billoi,srcHost=reseo4447.localdomain,dbName=pariat,schemaName=icaboNe,bindVar=boreetd,sqlError=failure,respSize=4298,respTime=59.204000,affRows=lorem,action=\"cancel\",rawQuery=\"totamr\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application=\"itation\",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action=\"allow\",rawQuery=\"liquid\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "reseo4447.localdomain", + "group.name": "tur", + "host.hostname": "tat50.mail.host", "input.type": "log", - "log.offset": 23421, - "network.application": "volupt", + "log.offset": 22263, + "network.application": "itation", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.98.52.184", - "10.28.124.136" + "10.45.152.205", + "10.224.217.153" ], "related.user": [ - "billoi", - "icaboNe", - "umq" + "eriti", + "utlabo", + "imav" ], - "rsa.counters.dclass_c1": 4298, + "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "pariat", - "rsa.db.index": "totamr", + "rsa.db.database": "essequam", + "rsa.db.index": "liquid", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": 
"Authentication", "rsa.misc.action": [ - "cancel" + "allow" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ngelits", - "rsa.misc.group_object": "olu", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 59.204, - "rsa.time.starttime": "2017-12-01T03:10:49.000Z", + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tur", + "rsa.misc.group_object": "riame", + "rsa.misc.result": "success", + "rsa.time.duration_time": 17.709, "service.type": "imperva", - "source.address": "reseo4447.localdomain", + "source.address": "tat50.mail.host", "source.ip": [ - "10.28.124.136" + "10.45.152.205" ], - "source.port": 1327, + "source.port": 6907, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "umq" + "user.name": "eriti" }, { "destination.ip": [ - "10.200.162.248" + "10.1.193.187" ], - "destination.port": 1419, - "event.action": "deny", + "destination.port": 5119, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.200.162.248,dstPort=1419,dbUsername=lumdol,srcIP=10.92.177.251,srcPort=4990,creatTime=2017-12-15 08:13:24,srvGroup=liq,service=ihil,appName=oremip,event#=fdeFi,eventType=Logout,usrGroup=periam,usrAuth=False,application=\"ccusa\",osUsername=billo,srcHost=doloremi3365.api.lan,dbName=agn,schemaName=cul,bindVar=tate,sqlError=success,respSize=3914,respTime=111.123000,affRows=iatnulap,action=\"deny\",rawQuery=\"idents\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName=\"vol\",evntDesc=\"epteurs\",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName=\"yCice\",occurrences=508,httpHost=ionem,webMethod=taevitae,url=\"https://api.example.net/quam/saute.htm?nostru=docons#emipsumq\",webQuery=\"orinr\",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application=\"conse\",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action=\"allow\",errormsg=\"failure\"", "fileset.name": "securesphere", - "host.hostname": "doloremi3365.api.lan", + "group.name": "odit", + "host.hostname": "mips3283.corp", "input.type": "log", - "log.offset": 23867, - "network.application": "ccusa", + "log.level": "low", + "log.offset": 22703, + "network.application": "conse", + "network.direction": "internal", + "network.protocol": "udp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.200.162.248", - "10.92.177.251" + "10.1.193.187", + "10.60.164.100" ], "related.user": [ - "cul", - "lumdol", - "billo" + "hite", + "ugi", + "adipis" ], - "rsa.counters.dclass_c1": 3914, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "agn", - "rsa.db.index": "idents", + "rsa.counters.event_counter": 508, + "rsa.db.database": "abo", + "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny" + "allow", + "taevitae" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "periam", - "rsa.misc.group_object": "liq", - "rsa.misc.result": "success", - "rsa.time.duration_time": 111.123, 
+ "rsa.misc.category": "itse", + "rsa.misc.disposition": "rever", + "rsa.misc.event_type": "sBonoru", + "rsa.misc.group": "odit", + "rsa.misc.log_session_id": "tass", + "rsa.misc.operation_id": "umq", + "rsa.misc.policy_name": "yCice", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "umdo", + "rsa.misc.rule_name": "vol", + "rsa.misc.severity": "low", "rsa.time.starttime": "2017-12-15T10:13:24.000Z", + "rsa.web.alias_host": "ionem", + "rule.name": "vol", "service.type": "imperva", - "source.address": "doloremi3365.api.lan", + "source.address": "mips3283.corp", "source.ip": [ - "10.92.177.251" + "10.60.164.100" ], - "source.port": 4990, + "source.port": 2652, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "lumdol" + "url.original": "https://api.example.net/quam/saute.htm?nostru=docons#emipsumq", + "url.query": "orinr", + "user.name": "ugi" }, { "destination.ip": [ - "10.103.215.159" + "10.248.244.203" ], - "destination.port": 1265, - "event.action": "cancel", + "destination.port": 806, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.103.215.159,dstPort=1265,dbUsername=ueporr,srcIP=10.88.60.147,srcPort=4608,creatTime=29 December 2017 15:15:58,srvGroup=rem,service=onorumet,appName=iscivel,event#=rinci,eventType=Login,usrGroup=eacomm,usrAuth=False,application=\"aboNem\",osUsername=mull,srcHost=ent6907.mail.invalid,dbName=datatn,schemaName=seq,bindVar=mquis,sqlError=failure,respSize=392,respTime=80.092000,affRows=sis,action=\"cancel\",rawQuery=\"tat\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 
15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application=\"oloremq\",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action=\"allow\",rawQuery=\"mto\"", "fileset.name": "securesphere", - "host.hostname": "ent6907.mail.invalid", + "group.name": "eatae", + "host.hostname": "aliquip7229.mail.domain", "input.type": "log", - "log.offset": 24305, - "network.application": "aboNem", + "log.offset": 23440, + "network.application": "oloremq", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.103.215.159", - "10.88.60.147" + "10.248.244.203", + "10.146.228.234" ], "related.user": [ - "ueporr", - "seq", - "mull" + "mquamei", + "sum", + "eiusm" ], - "rsa.counters.dclass_c1": 392, + "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "datatn", - "rsa.db.index": "tat", + "rsa.db.database": "doe", + "rsa.db.index": "mto", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "allow" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "eacomm", - "rsa.misc.group_object": "rem", + "rsa.misc.event_type": "taed", + "rsa.misc.group": "eatae", + "rsa.misc.group_object": "rissusci", "rsa.misc.result": "failure", - "rsa.time.duration_time": 80.092, + "rsa.time.duration_time": 133.358, + "rsa.time.starttime": "2017-12-29T17:15:58.000Z", "service.type": "imperva", - "source.address": "ent6907.mail.invalid", + "source.address": "aliquip7229.mail.domain", "source.ip": [ - "10.88.60.147" + "10.146.228.234" ], - "source.port": 4608, + "source.port": 4346, "tags": [ "imperva.securesphere", "forwarded" ], - 
"user.name": "ueporr" + "user.name": "mquamei" }, { "destination.ip": [ - "10.93.246.218" + "10.122.127.237" ], - "destination.port": 4628, - "event.action": "accept", + "destination.port": 1138, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.93.246.218,dstPort=4628,dbUsername=mtot,srcIP=10.229.190.11,srcPort=2164,creatTime=2018-01-12 22:18:32,srvGroup=eursi,service=liquid,appName=ulapari,event#=ibus,eventType=Logout,usrGroup=isu,usrAuth=False,application=\"moll\",osUsername=roinBCS,srcHost=odit426.internal.corp,dbName=aloru,schemaName=cteturad,bindVar=modi,sqlError=failure,respSize=1929,respTime=38.172000,affRows=ntoccae,action=\"accept\",rawQuery=\"edut\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application=\"umdolo\",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action=\"block\",rawQuery=\"ipex\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "odit426.internal.corp", + "group.name": "uidex", + "host.hostname": "fde7756.mail.corp", "input.type": "log", - "log.offset": 24748, - "network.application": "moll", + "log.offset": 23887, + "network.application": "umdolo", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.229.190.11", - "10.93.246.218" + "10.122.127.237", + "10.86.121.152" ], "related.user": [ - "roinBCS", - "mtot", - "cteturad" + "ine", + "consecte", + "nimv" ], - "rsa.counters.dclass_c1": 1929, + "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": 
"aloru", - "rsa.db.index": "edut", + "rsa.db.database": "usmod", + "rsa.db.index": "ipex", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "block" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "isu", - "rsa.misc.group_object": "eursi", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 38.172, + "rsa.misc.group": "uidex", + "rsa.misc.group_object": "mquamei", + "rsa.misc.result": "success", + "rsa.time.duration_time": 136.167, "rsa.time.starttime": "2018-01-13T00:18:32.000Z", "service.type": "imperva", - "source.address": "odit426.internal.corp", + "source.address": "fde7756.mail.corp", "source.ip": [ - "10.229.190.11" + "10.86.121.152" ], - "source.port": 2164, + "source.port": 3971, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "mtot" + "user.name": "consecte" }, { "destination.ip": [ - "10.89.16.162" + "10.201.223.119" ], - "destination.port": 3056, - "event.action": "cancel", + "destination.port": 3614, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.89.16.162,dstPort=3056,dbUsername=taevitae,srcIP=10.178.183.11,srcPort=4665,creatTime=27 January 2018 05:21:06,srvGroup=saute,service=umdol,appName=rerepr,event#=ipiscin,eventType=Login,usrGroup=trudexe,usrAuth=True,application=\"qua\",osUsername=modit,srcHost=tatione5638.home,dbName=riat,schemaName=atvol,bindVar=emipsum,sqlError=failure,respSize=1449,respTime=82.202000,affRows=quiado,action=\"cancel\",rawQuery=\"mipsa\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 
05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application=\"mea\",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action=\"block\",rawQuery=\"liq\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "tatione5638.home", + "group.name": "ostru", + "host.hostname": "agnama5013.internal.example", "input.type": "log", - "log.offset": 25191, - "network.application": "qua", + "log.offset": 24328, + "network.application": "mea", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.89.16.162", - "10.178.183.11" + "10.204.223.184", + "10.201.223.119" ], "related.user": [ - "atvol", - "modit", - "taevitae" + "rcit", + "tuserror", + "teni" ], - "rsa.counters.dclass_c1": 1449, + "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "riat", - "rsa.db.index": "mipsa", + "rsa.db.database": "boreetdo", + "rsa.db.index": "liq", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "block" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "trudexe", - "rsa.misc.group_object": "saute", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 82.202, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ostru", + "rsa.misc.group_object": "giat", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 161.837, "rsa.time.starttime": "2018-01-27T07:21:06.000Z", "service.type": "imperva", - "source.address": "tatione5638.home", + "source.address": "agnama5013.internal.example", "source.ip": [ - "10.178.183.11" + "10.204.223.184" ], 
- "source.port": 4665, + "source.port": 6092, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "taevitae" + "user.name": "rcit" }, { "destination.ip": [ - "10.67.129.100" + "10.200.12.126" ], - "destination.port": 1961, - "event.action": "deny", + "destination.port": 2347, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=tinv,event#=Utenima,createTime=2018-02-10 12:23:41,updateTime=nse,alertSev=high,group=uradip,ruleName=\"nesci\",evntDesc=\"meaquei\",category=snisiu,disposition=atem,eventType=remque,proto=ggp,srcPort=3525,srcIP=10.244.73.167,dstPort=1961,dstIP=10.67.129.100,policyName=\"lorem\",occurrences=2592,httpHost=eosquir,webMethod=tqu,url=\"https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat\",webQuery=\"mvol\",soapAction=asiar,resultCode=eiu,sessionID=maliquam,username=gnama,addUsername=ursintoc,responseTime=minimve,responseSize=eprehe,direction=lillumqu,dbUsername=tamet,queryGroup=ate,application=\"epteur\",srcHost=onproi4354.www5.invalid,osUsername=sunte,schemaName=exerc,dbName=tasu,hdrName=sci,action=\"deny\",errormsg=\"failure\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application=\"itatis\",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action=\"block\",rawQuery=\"hende\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "onproi4354.www5.invalid", + "group.name": "oreetd", + "host.hostname": "edictas4693.home", "input.type": "log", - "log.level": "high", - "log.offset": 25636, - "network.application": "epteur", - "network.direction": "lillumqu", - 
"network.protocol": "ggp", + "log.offset": 24771, + "network.application": "itatis", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.244.73.167", - "10.67.129.100" + "10.200.12.126", + "10.223.56.33" ], "related.user": [ - "exerc", - "gnama", - "sunte" + "magnido", + "elitsedd", + "Nequepo" ], - "rsa.counters.event_counter": 2592, - "rsa.db.database": "tasu", - "rsa.internal.event_desc": "meaquei", + "rsa.counters.dclass_c1": 3243, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "borisnis", + "rsa.db.index": "hende", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny", - "tqu" - ], - "rsa.misc.category": "snisiu", - "rsa.misc.disposition": "atem", - "rsa.misc.event_type": "remque", - "rsa.misc.group": "uradip", - "rsa.misc.log_session_id": "maliquam", - "rsa.misc.operation_id": "tinv", - "rsa.misc.policy_name": "lorem", + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "oreetd", + "rsa.misc.group_object": "ing", "rsa.misc.result": "failure", - "rsa.misc.result_code": "eiu", - "rsa.misc.rule_name": "nesci", - "rsa.misc.severity": "high", + "rsa.time.duration_time": 75.415, "rsa.time.starttime": "2018-02-10T14:23:41.000Z", - "rsa.web.alias_host": "eosquir", - "rule.name": "nesci", "service.type": "imperva", - "source.address": "onproi4354.www5.invalid", + "source.address": "edictas4693.home", "source.ip": [ - "10.244.73.167" + "10.223.56.33" ], - "source.port": 3525, + "source.port": 5899, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://mail.example.net/smodit/ine.html?amquisn=Finibus#nsequat", - "url.query": "mvol", - "user.name": "gnama" + "user.name": "magnido" }, { "destination.ip": [ - "10.20.158.236" + "10.65.225.101" ], - 
"destination.port": 4443, - "event.action": "deny", + "destination.port": 1752, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.20.158.236,dstPort=4443,dbUsername=dantium,srcIP=10.52.221.103,srcPort=3962,creatTime=24 February 2018 19:26:15,srvGroup=magnido,service=mcolab,appName=mfugia,event#=eacomm,eventType=Login,usrGroup=orr,usrAuth=True,application=\"pre\",osUsername=aute,srcHost=rchite7405.api.local,dbName=rors,schemaName=oinve,bindVar=ptasnul,sqlError=unknown,respSize=6386,respTime=108.472000,affRows=tvol,action=\"deny\",rawQuery=\"redolo\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName=\"tiumd\",evntDesc=\"atuse\",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName=\"nulapari\",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url=\"https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia\",webQuery=\"edquiac\",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application=\"eritin\",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action=\"cancel\",errormsg=\"unknown\"", "fileset.name": "securesphere", - "host.hostname": "rchite7405.api.local", + "group.name": "onsequat", + "host.hostname": "nibu2565.api.local", "input.type": "log", - "log.offset": 26392, - "network.application": "pre", + "log.level": "very-high", + "log.offset": 25217, + "network.application": "eritin", + "network.direction": "outbound", + "network.protocol": "ipv6", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ 
- "10.52.221.103", - "10.20.158.236" + "10.94.89.177", + "10.65.225.101" ], "related.user": [ - "oinve", - "aute", - "dantium" + "tuserror", + "citation", + "emquel" ], - "rsa.counters.dclass_c1": 6386, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "rors", - "rsa.db.index": "redolo", + "rsa.counters.event_counter": 2513, + "rsa.db.database": "rspiciat", + "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny" + "eruntmol", + "cancel" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "orr", - "rsa.misc.group_object": "magnido", + "rsa.misc.category": "imad", + "rsa.misc.disposition": "tura", + "rsa.misc.event_type": "equuntur", + "rsa.misc.group": "onsequat", + "rsa.misc.log_session_id": "ritq", + "rsa.misc.operation_id": "deseru", + "rsa.misc.policy_name": "nulapari", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 108.472, + "rsa.misc.result_code": "teturad", + "rsa.misc.rule_name": "tiumd", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2018-02-24T21:26:15.000Z", + "rsa.web.alias_host": "ostrumex", + "rule.name": "tiumd", "service.type": "imperva", - "source.address": "rchite7405.api.local", + "source.address": "nibu2565.api.local", "source.ip": [ - "10.52.221.103" + "10.94.89.177" ], - "source.port": 3962, + "source.port": 428, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "dantium" + "url.original": "https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia", + "url.query": "edquiac", + "user.name": "tuserror" }, { "destination.ip": [ - "10.250.231.196" + "10.65.174.196" ], - "destination.port": 5863, - "event.action": "block", + "destination.port": 472, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", 
"event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.250.231.196,dstPort=5863,dbUsername=olup,srcIP=10.199.46.88,srcPort=6342,creatTime=2018-03-11 02:28:49,srvGroup=snulap,service=onsequat,appName=tiumd,event#=atuse,eventType=Logout,usrGroup=imad,usrAuth=False,application=\"tura\",osUsername=equuntur,srcHost=rve472.www.localhost,dbName=xer,schemaName=utlabore,bindVar=nulapari,sqlError=unknown,respSize=2867,respTime=54.004000,affRows=eruntmol,action=\"block\",rawQuery=\"imaven\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application=\"tatemse\",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action=\"deny\",rawQuery=\"BCSedutp\"", "fileset.name": "securesphere", - "host.hostname": "rve472.www.localhost", + "group.name": "labor", + "host.hostname": "tsun7120.home", "input.type": "log", - "log.offset": 26837, - "network.application": "tura", + "log.offset": 26002, + "network.application": "tatemse", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.199.46.88", - "10.250.231.196" + "10.191.184.105", + "10.65.174.196" ], "related.user": [ - "equuntur", - "utlabore", - "olup" + "tione", + "uta", + "iin" ], - "rsa.counters.dclass_c1": 2867, + "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "xer", - "rsa.db.index": "imaven", + "rsa.db.database": "per", + "rsa.db.index": "BCSedutp", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - 
"block" + "deny" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "imad", - "rsa.misc.group_object": "snulap", + "rsa.misc.event_type": "quaUt", + "rsa.misc.group": "labor", + "rsa.misc.group_object": "iat", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 54.004, + "rsa.time.duration_time": 61.864, "rsa.time.starttime": "2018-03-11T04:28:49.000Z", "service.type": "imperva", - "source.address": "rve472.www.localhost", + "source.address": "tsun7120.home", "source.ip": [ - "10.199.46.88" + "10.191.184.105" ], - "source.port": 6342, + "source.port": 6821, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "olup" + "user.name": "iin" }, { "destination.ip": [ - "10.41.44.94" + "10.41.181.179" ], - "destination.port": 702, - "event.action": "block", + "destination.port": 2803, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.41.44.94,dstPort=702,dbUsername=nim,srcIP=10.49.122.64,srcPort=2285,creatTime=2018-03-25 09:31:24,srvGroup=rit,service=unturma,appName=iavol,event#=psumdol,eventType=Logout,usrGroup=urautodi,usrAuth=True,application=\"equamni\",osUsername=fugia,srcHost=uptate5787.api.local,dbName=umq,schemaName=suntincu,bindVar=imidest,sqlError=unknown,respSize=1508,respTime=136.809000,affRows=nof,action=\"block\",rawQuery=\"iavol\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 
09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName=\"eabil\",evntDesc=\"ibusB\",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName=\"siarch\",occurrences=7468,httpHost=setq,webMethod=rumwr,url=\"https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd\",webQuery=\"ntore\",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application=\"caecat\",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action=\"deny\",errormsg=\"success\"", "fileset.name": "securesphere", - "host.hostname": "uptate5787.api.local", + "group.name": "umSecti", + "host.hostname": "lumquid6940.mail.localdomain", "input.type": "log", - "log.offset": 27287, - "network.application": "equamni", + "log.level": "very-high", + "log.offset": 26426, + "network.application": "caecat", + "network.direction": "outbound", + "network.protocol": "rdp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.41.44.94", - "10.49.122.64" + "10.224.148.48", + "10.41.181.179" ], "related.user": [ - "fugia", - "nim", - "suntincu" + "niam", + "iosamn", + "equepor" ], - "rsa.counters.dclass_c1": 1508, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "umq", - "rsa.db.index": "iavol", + "rsa.counters.event_counter": 7468, + "rsa.db.database": "erspicia", + "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "urautodi", - "rsa.misc.group_object": "rit", - "rsa.misc.result": "unknown", - 
"rsa.time.duration_time": 136.809, + "rumwr", + "deny" + ], + "rsa.misc.category": "rporis", + "rsa.misc.disposition": "etco", + "rsa.misc.event_type": "mip", + "rsa.misc.group": "umSecti", + "rsa.misc.log_session_id": "tutl", + "rsa.misc.operation_id": "tdolor", + "rsa.misc.policy_name": "siarch", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ion", + "rsa.misc.rule_name": "eabil", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2018-03-25T11:31:24.000Z", + "rsa.web.alias_host": "setq", + "rule.name": "eabil", "service.type": "imperva", - "source.address": "uptate5787.api.local", + "source.address": "lumquid6940.mail.localdomain", "source.ip": [ - "10.49.122.64" + "10.224.148.48" ], - "source.port": 2285, + "source.port": 6078, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "nim" + "url.original": "https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd", + "url.query": "ntore", + "user.name": "niam" }, { "destination.ip": [ - "10.101.60.188" + "10.21.208.103" ], - "destination.port": 5558, - "event.action": "accept", + "destination.port": 5543, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.101.60.188,dstPort=5558,dbUsername=uptatem,srcIP=10.186.129.34,srcPort=89,creatTime=8 April 2018 16:33:58,srvGroup=roiden,service=eacommod,appName=tali,event#=roinBCSe,eventType=Login,usrGroup=emagnaal,usrAuth=True,application=\"isauteir\",osUsername=eritquii,srcHost=atevelit325.www.local,dbName=ionula,schemaName=itaed,bindVar=invol,sqlError=unknown,respSize=944,respTime=75.182000,affRows=tdolore,action=\"accept\",rawQuery=\"nimadmi\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 
16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application=\"utod\",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action=\"deny\",rawQuery=\"nemullam\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "atevelit325.www.local", + "group.name": "diconseq", + "host.hostname": "amcorp7299.api.example", "input.type": "log", - "log.offset": 27727, - "network.application": "isauteir", + "log.offset": 27184, + "network.application": "utod", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.186.129.34", - "10.101.60.188" + "10.21.61.134", + "10.21.208.103" ], "related.user": [ - "eritquii", - "uptatem", - "itaed" + "mipsa", + "ostr", + "imidest" ], - "rsa.counters.dclass_c1": 944, + "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ionula", - "rsa.db.index": "nimadmi", + "rsa.db.database": "uptatem", + "rsa.db.index": "nemullam", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "deny" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "emagnaal", - "rsa.misc.group_object": "roiden", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 75.182, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "diconseq", + "rsa.misc.group_object": "iacon", + "rsa.misc.result": "success", + "rsa.time.duration_time": 91.186, "rsa.time.starttime": "2018-04-08T18:33:58.000Z", "service.type": "imperva", - "source.address": "atevelit325.www.local", + "source.address": 
"amcorp7299.api.example", "source.ip": [ - "10.186.129.34" + "10.21.61.134" ], - "source.port": 89, + "source.port": 6124, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "uptatem" + "user.name": "imidest" }, { "destination.ip": [ - "10.184.199.84" + "10.23.6.216" ], - "destination.port": 2057, - "event.action": "block", + "destination.port": 4578, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.184.199.84,dstPort=2057,dbUsername=cid,srcIP=10.138.191.99,srcPort=5362,creatTime=22 April 2018 23:36:32,srvGroup=amal,service=gni,appName=luptat,event#=ehend,eventType=Login,usrGroup=involupt,usrAuth=False,application=\"itempo\",osUsername=upt,srcHost=rve426.api.test,dbName=onevo,schemaName=ationem,bindVar=Nem,sqlError=unknown,respSize=3291,respTime=80.991000,affRows=dipisci,action=\"block\",rawQuery=\"modit\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application=\"uasiarch\",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action=\"accept\",rawQuery=\"oremagn\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "rve426.api.test", + "group.name": "labore", + "host.hostname": "magnama868.api.local", "input.type": "log", - "log.offset": 28186, - "network.application": "itempo", + "log.offset": 27634, + "network.application": "uasiarch", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.184.199.84", - "10.138.191.99" + "10.23.6.216", + "10.221.192.116" ], "related.user": [ - "cid", - "ationem", - 
"upt" + "iarchit", + "iamquisn", + "tevelite" ], - "rsa.counters.dclass_c1": 3291, + "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "onevo", - "rsa.db.index": "modit", + "rsa.db.database": "Section", + "rsa.db.index": "oremagn", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "accept" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "involupt", - "rsa.misc.group_object": "amal", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 80.991, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "labore", + "rsa.misc.group_object": "usBonor", + "rsa.misc.result": "success", + "rsa.time.duration_time": 6.388, "rsa.time.starttime": "2018-04-23T01:36:32.000Z", "service.type": "imperva", - "source.address": "rve426.api.test", + "source.address": "magnama868.api.local", "source.ip": [ - "10.138.191.99" + "10.221.192.116" ], - "source.port": 5362, + "source.port": 4688, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "cid" + "user.name": "iarchit" }, { "destination.ip": [ - "10.40.12.51" + "10.240.62.238" ], - "destination.port": 5633, + "destination.port": 5850, "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=tationem,event#=urere,createTime=2018-05-07 
06:39:06,updateTime=tinvo,alertSev=medium,group=tquid,ruleName=\"giatquo\",evntDesc=\"iatisun\",category=cto,disposition=orumSect,eventType=preh,proto=icmp,srcPort=3791,srcIP=10.27.120.57,dstPort=5633,dstIP=10.40.12.51,policyName=\"ute\",occurrences=1576,httpHost=sed,webMethod=uep,url=\"https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco\",webQuery=\"empor\",soapAction=mvele,resultCode=teveli,sessionID=utperspi,username=remeum,addUsername=temseq,responseTime=orin,responseSize=dexea,direction=sedquia,dbUsername=litesse,queryGroup=ntmo,application=\"aliqu\",srcHost=iqu4429.www5.lan,osUsername=doconse,schemaName=volupta,dbName=ptat,hdrName=oreverit,action=\"cancel\",errormsg=\"success\"", + "event.original": "%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName=\"tutlabo\",evntDesc=\"nto\",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName=\"sintoc\",occurrences=7580,httpHost=laboris,webMethod=ali,url=\"https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa\",webQuery=\"sunt\",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application=\"amqua\",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel", "fileset.name": "securesphere", - "host.hostname": "iqu4429.www5.lan", + "group.name": "tate", + "host.hostname": "tionevol3157.mail.invalid", "input.type": "log", - "log.level": "medium", - "log.offset": 28621, - "network.application": "aliqu", - "network.direction": "sedquia", - "network.protocol": "icmp", + "log.level": "very-high", + "log.offset": 28092, + "network.application": "amqua", + "network.direction": "external", + "network.protocol": "ipv6", "observer.product": "Secure", 
"observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.27.120.57", - "10.40.12.51" + "10.240.62.238", + "10.191.142.143" ], "related.user": [ - "volupta", - "doconse", - "remeum" + "animide", + "modtempo", + "nofde" ], - "rsa.counters.event_counter": 1576, - "rsa.db.database": "ptat", - "rsa.internal.event_desc": "iatisun", + "rsa.counters.event_counter": 7580, + "rsa.db.database": "Lore", + "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uep" - ], - "rsa.misc.category": "cto", - "rsa.misc.disposition": "orumSect", - "rsa.misc.event_type": "preh", - "rsa.misc.group": "tquid", - "rsa.misc.log_session_id": "utperspi", - "rsa.misc.operation_id": "tationem", - "rsa.misc.policy_name": "ute", - "rsa.misc.result": "success", - "rsa.misc.result_code": "teveli", - "rsa.misc.rule_name": "giatquo", - "rsa.misc.severity": "medium", + "ali", + "cancel" + ], + "rsa.misc.category": "sciv", + "rsa.misc.disposition": "tlabo", + "rsa.misc.event_type": "nsequun", + "rsa.misc.group": "tate", + "rsa.misc.log_session_id": "emveleum", + "rsa.misc.operation_id": "rcita", + "rsa.misc.policy_name": "sintoc", + "rsa.misc.result_code": "olupta", + "rsa.misc.rule_name": "tutlabo", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2018-05-07T08:39:06.000Z", - "rsa.web.alias_host": "sed", - "rule.name": "giatquo", + "rsa.web.alias_host": "laboris", + "rule.name": "tutlabo", "service.type": "imperva", - "source.address": "iqu4429.www5.lan", + "source.address": "tionevol3157.mail.invalid", "source.ip": [ - "10.27.120.57" + "10.191.142.143" ], - "source.port": 3791, + "source.port": 2976, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://internal.example.com/nde/reprehe.html?enimipsa=mquisno#eaco", - "url.query": "empor", - "user.name": "remeum" + "url.original": "https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa", + "url.query": "sunt", + "user.name": "modtempo" }, { 
"destination.ip": [ - "10.86.147.37" + "10.111.22.134" ], - "destination.port": 6845, - "event.action": "allow", + "destination.port": 7499, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=urQuisa,event#=ipi,createTime=2018-05-21 13:41:41,updateTime=xcepte,alertSev=low,group=onula,ruleName=\"ostru\",evntDesc=\"por\",category=stiae,disposition=icta,eventType=epteu,proto=tcp,srcPort=2191,srcIP=10.106.63.42,dstPort=6845,dstIP=10.86.147.37,policyName=\"tDui\",occurrences=2211,httpHost=etco,webMethod=mip,url=\"https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu\",webQuery=\"rrorsi\",soapAction=ole,resultCode=odi,sessionID=tper,username=olor,addUsername=corpo,responseTime=commod,responseSize=iumd,direction=ntore,dbUsername=tect,queryGroup=ion,application=\"tutl\",srcHost=niam7512.www5.localhost,osUsername=aeca,schemaName=ugitse,dbName=ameiu,hdrName=utei,action=\"allow\",errormsg=\"success\"", + "event.original": "%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName=\"atu\",evntDesc=\"adeseru\",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName=\"datatno\",occurrences=3538,httpHost=siar,webMethod=orisnis,url=\"https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco\",webQuery=\"ommodoco\",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application=\"stenat\",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny", "fileset.name": "securesphere", - "host.hostname": "niam7512.www5.localhost", + "group.name": "onev", + "host.hostname": "mquis319.api.local", "input.type": "log", - "log.level": "low", - "log.offset": 
29382, - "network.application": "tutl", - "network.direction": "ntore", - "network.protocol": "tcp", + "log.level": "very-high", + "log.offset": 28845, + "network.application": "stenat", + "network.direction": "external", + "network.protocol": "igmp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.106.63.42", - "10.86.147.37" + "10.111.22.134", + "10.178.79.217" ], "related.user": [ - "olor", - "ugitse", - "aeca" + "ccusan", + "inibusBo", + "tqui" ], - "rsa.counters.event_counter": 2211, - "rsa.db.database": "ameiu", - "rsa.internal.event_desc": "por", + "rsa.counters.event_counter": 3538, + "rsa.db.database": "sequun", + "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "mip", - "allow" - ], - "rsa.misc.category": "stiae", - "rsa.misc.disposition": "icta", - "rsa.misc.event_type": "epteu", - "rsa.misc.group": "onula", - "rsa.misc.log_session_id": "tper", - "rsa.misc.operation_id": "urQuisa", - "rsa.misc.policy_name": "tDui", - "rsa.misc.result": "success", - "rsa.misc.result_code": "odi", - "rsa.misc.rule_name": "ostru", - "rsa.misc.severity": "low", + "deny", + "orisnis" + ], + "rsa.misc.category": "sitas", + "rsa.misc.disposition": "eni", + "rsa.misc.event_type": "cte", + "rsa.misc.group": "onev", + "rsa.misc.log_session_id": "oidents", + "rsa.misc.operation_id": "ecatcu", + "rsa.misc.policy_name": "datatno", + "rsa.misc.result_code": "rita", + "rsa.misc.rule_name": "atu", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2018-05-21T15:41:41.000Z", - "rsa.web.alias_host": "etco", - "rule.name": "ostru", + "rsa.web.alias_host": "siar", + "rule.name": "atu", "service.type": "imperva", - "source.address": "niam7512.www5.localhost", + "source.address": "mquis319.api.local", "source.ip": [ - "10.106.63.42" + "10.178.79.217" ], - "source.port": 2191, + "source.port": 3124, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": 
"https://www5.example.com/olu/nofdeF.html?ipsu=siarch#itautfu", - "url.query": "rrorsi", - "user.name": "olor" + "url.original": "https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco", + "url.query": "ommodoco", + "user.name": "ccusan" }, { "destination.ip": [ - "10.110.240.8" + "10.161.225.172" ], - "destination.port": 6650, - "event.action": "cancel", + "destination.port": 3708, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.110.240.8,dstPort=6650,dbUsername=tam,srcIP=10.112.132.76,srcPort=1314,creatTime=4 June 2018 20:44:15,srvGroup=Neq,service=rcita,appName=eeufugia,event#=evolupt,eventType=Login,usrGroup=pre,usrAuth=True,application=\"tiumtot\",osUsername=ulamcola,srcHost=epr3512.internal.domain,dbName=enbyCice,schemaName=equun,bindVar=veli,sqlError=unknown,respSize=5784,respTime=115.111000,affRows=iadeseru,action=\"cancel\",rawQuery=\"olorsita\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application=\"tau\",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action=\"block\",rawQuery=\"ant\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "epr3512.internal.domain", + "group.name": "itaspern", + "host.hostname": "urad5712.api.host", "input.type": "log", - "log.offset": 30108, - "network.application": "tiumtot", + "log.offset": 29582, + "network.application": "tau", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.110.240.8", - "10.112.132.76" + "10.77.86.215", + "10.161.225.172" ], "related.user": [ - 
"equun", - "tam", - "ulamcola" + "xerc", + "meaqu", + "rcit" ], - "rsa.counters.dclass_c1": 5784, + "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "enbyCice", - "rsa.db.index": "olorsita", + "rsa.db.database": "sitamet", + "rsa.db.index": "ant", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "block" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "pre", - "rsa.misc.group_object": "Neq", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 115.111, + "rsa.misc.group": "itaspern", + "rsa.misc.group_object": "con", + "rsa.misc.result": "success", + "rsa.time.duration_time": 143.926, "rsa.time.starttime": "2018-06-04T22:44:15.000Z", "service.type": "imperva", - "source.address": "epr3512.internal.domain", + "source.address": "urad5712.api.host", "source.ip": [ - "10.112.132.76" + "10.77.86.215" ], - "source.port": 1314, + "source.port": 6390, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "tam" + "user.name": "meaqu" }, { "destination.ip": [ - "10.76.222.159" + "10.186.133.184" ], - "destination.port": 403, - "event.action": "accept", + "destination.port": 7864, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.76.222.159,dstPort=403,dbUsername=natuser,srcIP=10.7.141.213,srcPort=7283,creatTime=2018-06-19 03:46:49,srvGroup=tati,service=orinc,appName=teursi,event#=pariatur,eventType=Logout,usrGroup=iofficia,usrAuth=True,application=\"ira\",osUsername=niamq,srcHost=quatD260.internal.test,dbName=ionulam,schemaName=labor,bindVar=Sec,sqlError=unknown,respSize=5670,respTime=85.913000,affRows=tquov,action=\"accept\",rawQuery=\"pta\"", - 
"event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application=\"qua\",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action=\"deny\",rawQuery=\"onevol\"", "fileset.name": "securesphere", - "host.hostname": "quatD260.internal.test", + "group.name": "mporai", + "host.hostname": "enbyCic4659.www5.example", "input.type": "log", - "log.offset": 30561, - "network.application": "ira", + "log.offset": 30021, + "network.application": "qua", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.7.141.213", - "10.76.222.159" + "10.211.161.187", + "10.186.133.184" ], "related.user": [ - "natuser", - "niamq", - "labor" + "sci", + "acons", + "boriosa" ], - "rsa.counters.dclass_c1": 5670, + "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ionulam", - "rsa.db.index": "pta", + "rsa.db.database": "orroqui", + "rsa.db.index": "onevol", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "deny" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "iofficia", - "rsa.misc.group_object": "tati", + "rsa.misc.event_type": "autem", + "rsa.misc.group": "mporai", + "rsa.misc.group_object": "laud", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 85.913, + "rsa.time.duration_time": 66.164, "rsa.time.starttime": "2018-06-19T05:46:49.000Z", "service.type": "imperva", - "source.address": "quatD260.internal.test", + "source.address": 
"enbyCic4659.www5.example", "source.ip": [ - "10.7.141.213" + "10.211.161.187" ], - "source.port": 7283, + "source.port": 843, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "natuser" + "user.name": "boriosa" }, { "destination.ip": [ - "10.246.196.160" + "10.160.147.230" ], - "destination.port": 894, - "event.action": "allow", + "destination.port": 2126, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.246.196.160,dstPort=894,dbUsername=equ,srcIP=10.170.90.90,srcPort=2541,creatTime=2018-07-03 10:49:23,srvGroup=eFinib,service=atione,appName=xcepte,event#=gnaa,eventType=Logout,usrGroup=tio,usrAuth=True,application=\"qui\",osUsername=epteurs,srcHost=did6471.internal.localdomain,dbName=tMalo,schemaName=urautod,bindVar=eveli,sqlError=unknown,respSize=4933,respTime=136.206000,affRows=nonproi,action=\"allow\",rawQuery=\"quaturve\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application=\"dolor\",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action=\"cancel\",rawQuery=\"dquiaco\"", "fileset.name": "securesphere", - "host.hostname": "did6471.internal.localdomain", + "group.name": "dolo", + "host.hostname": "inBCSed5308.api.corp", "input.type": "log", - "log.offset": 31003, - "network.application": "qui", + "log.offset": 30463, + "network.application": "dolor", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.170.90.90", - "10.246.196.160" + "10.254.198.47", + "10.160.147.230" ], "related.user": [ - "equ", - "urautod", - "epteurs" + 
"ndeomnis", + "illoin", + "nimvenia" ], - "rsa.counters.dclass_c1": 4933, + "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tMalo", - "rsa.db.index": "quaturve", + "rsa.db.database": "modicons", + "rsa.db.index": "dquiaco", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "cancel" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "tio", - "rsa.misc.group_object": "eFinib", + "rsa.misc.event_type": "ueporroq", + "rsa.misc.group": "dolo", + "rsa.misc.group_object": "lit", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 136.206, + "rsa.time.duration_time": 34.664, "rsa.time.starttime": "2018-07-03T12:49:23.000Z", "service.type": "imperva", - "source.address": "did6471.internal.localdomain", + "source.address": "inBCSed5308.api.corp", "source.ip": [ - "10.170.90.90" + "10.254.198.47" ], - "source.port": 2541, + "source.port": 3925, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "equ" + "user.name": "nimvenia" }, { - "event.action": "veniam", + "destination.ip": [ + "10.40.24.93" + ], + "destination.port": 7487, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=officiad,createTime=2018-07-17 17:51:58,eventType=veniam,eventSev=very-high,username=entoreve,subsystem=ion,message=\"exeaco\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 
17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application=\"abo\",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action=\"cancel\",rawQuery=\"equuntu\"", + "event.outcome": "success", "fileset.name": "securesphere", + "group.name": "intocc", + "host.hostname": "reseo2067.api.localdomain", "input.type": "log", - "log.level": "very-high", - "log.offset": 31453, + "log.offset": 30915, + "network.application": "abo", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.ip": [ + "10.40.24.93", + "10.182.197.243" + ], "related.user": [ - "entoreve" + "orisnis", + "mSecti", + "exerci" ], - "rsa.internal.event_desc": "exeaco", + "rsa.counters.dclass_c1": 4129, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "nsectetu", + "rsa.db.index": "equuntu", "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "veniam", - "rsa.misc.severity": "very-high", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "intocc", + "rsa.misc.group_object": "xerci", + "rsa.misc.result": "success", + "rsa.time.duration_time": 171.277, "rsa.time.starttime": "2018-07-17T19:51:58.000Z", "service.type": "imperva", + "source.address": "reseo2067.api.localdomain", + "source.ip": [ + "10.182.197.243" + ], + "source.port": 3687, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "entoreve" + "user.name": "mSecti" }, { "destination.ip": [ - "10.209.129.155" + "10.249.13.159" ], - "destination.port": 769, - "event.action": "block", + "destination.port": 3023, + "event.action": "cancel", "event.code": "Imperva", 
"event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.209.129.155,dstPort=769,dbUsername=mdolore,srcIP=10.128.118.157,srcPort=4004,creatTime=2018-08-01 00:54:32,srvGroup=odite,service=atn,appName=sectet,event#=boreetd,eventType=Logout,usrGroup=ueporro,usrAuth=True,application=\"cto\",osUsername=essequa,srcHost=gnidolor1901.test,dbName=quian,schemaName=xerci,bindVar=qua,sqlError=success,respSize=2931,respTime=66.399000,affRows=itten,action=\"block\",rawQuery=\"abo\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application=\"velitess\",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action=\"cancel\",rawQuery=\"cepteurs\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "gnidolor1901.test", + "group.name": "reh", + "host.hostname": "itte6905.mail.invalid", "input.type": "log", - "log.offset": 31602, - "network.application": "cto", + "log.offset": 31363, + "network.application": "velitess", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.209.129.155", - "10.128.118.157" + "10.249.13.159", + "10.108.130.106" ], "related.user": [ - "essequa", - "xerci", - "mdolore" + "uisautei", + "colab", + "exeacomm" ], - "rsa.counters.dclass_c1": 2931, + "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "quian", - "rsa.db.index": "abo", + "rsa.db.database": "tesseq", + "rsa.db.index": "cepteurs", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", + 
"rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "cancel" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ueporro", - "rsa.misc.group_object": "odite", + "rsa.misc.event_type": "Login", + "rsa.misc.group": "reh", + "rsa.misc.group_object": "scinge", "rsa.misc.result": "success", - "rsa.time.duration_time": 66.399, + "rsa.time.duration_time": 112.679, "rsa.time.starttime": "2018-08-01T02:54:32.000Z", "service.type": "imperva", - "source.address": "gnidolor1901.test", + "source.address": "itte6905.mail.invalid", "source.ip": [ - "10.128.118.157" + "10.108.130.106" ], - "source.port": 4004, + "source.port": 7601, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "mdolore" + "user.name": "uisautei" }, { "destination.ip": [ - "10.219.218.23" + "10.39.244.49" ], - "destination.port": 2855, - "event.action": "deny", + "destination.port": 3852, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=uradipi,event#=erita,createTime=2018-08-15 07:57:06,updateTime=eursint,alertSev=high,group=illoinve,ruleName=\"uis\",evntDesc=\"itanimi\",category=rinc,disposition=isistena,eventType=nsequatD,proto=rdp,srcPort=1864,srcIP=10.21.69.33,dstPort=2855,dstIP=10.219.218.23,policyName=\"entore\",occurrences=2428,httpHost=magnidol,webMethod=meumfug,url=\"https://www.example.org/uatu/gel.gif?itsed=mvolu#agn\",webQuery=\"eritinvo\",soapAction=aliq,resultCode=dest,sessionID=uisautei,username=labor,addUsername=ihilmol,responseTime=scinge,responseSize=lum,direction=iinea,dbUsername=xercit,queryGroup=reh,application=\"velitess\",srcHost=colab553.api.localdomain,osUsername=orumS,schemaName=tesseq,dbName=exeacomm,hdrName=uptat,action=\"deny\",errormsg=\"failure\"", + "event.original": 
"%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName=\"ptate\",evntDesc=\"enimips\",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName=\"ctas\",occurrences=7128,httpHost=sequ,webMethod=gna,url=\"https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod\",webQuery=\"tur\",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application=\"rorsitv\",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel", "fileset.name": "securesphere", - "host.hostname": "colab553.api.localdomain", + "group.name": "caboNe", + "host.hostname": "caboNemo274.www.host", "input.type": "log", - "log.level": "high", - "log.offset": 32038, - "network.application": "velitess", - "network.direction": "iinea", - "network.protocol": "rdp", + "log.level": "very-high", + "log.offset": 31820, + "network.application": "rorsitv", + "network.direction": "internal", + "network.protocol": "ggp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.21.69.33", - "10.219.218.23" + "10.64.94.174", + "10.39.244.49" ], "related.user": [ - "tesseq", - "orumS", - "labor" + "Sedut", + "iunt", + "estiae" ], - "rsa.counters.event_counter": 2428, - "rsa.db.database": "exeacomm", - "rsa.internal.event_desc": "itanimi", + "rsa.counters.event_counter": 7128, + "rsa.db.database": "eFinibu", + "rsa.internal.event_desc": "enimips", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "meumfug" - ], - "rsa.misc.category": "rinc", - "rsa.misc.disposition": "isistena", - "rsa.misc.event_type": "nsequatD", - "rsa.misc.group": "illoinve", - "rsa.misc.log_session_id": "uisautei", - "rsa.misc.operation_id": 
"uradipi", - "rsa.misc.policy_name": "entore", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "dest", - "rsa.misc.rule_name": "uis", - "rsa.misc.severity": "high", + "cancel", + "gna" + ], + "rsa.misc.category": "Nequepor", + "rsa.misc.disposition": "nisiu", + "rsa.misc.event_type": "ptat", + "rsa.misc.group": "caboNe", + "rsa.misc.log_session_id": "aven", + "rsa.misc.operation_id": "ioffic", + "rsa.misc.policy_name": "ctas", + "rsa.misc.result_code": "uovo", + "rsa.misc.rule_name": "ptate", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2018-08-15T09:57:06.000Z", - "rsa.web.alias_host": "magnidol", - "rule.name": "uis", + "rsa.web.alias_host": "sequ", + "rule.name": "ptate", "service.type": "imperva", - "source.address": "colab553.api.localdomain", + "source.address": "caboNemo274.www.host", "source.ip": [ - "10.21.69.33" + "10.64.94.174" ], - "source.port": 1864, + "source.port": 4082, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www.example.org/uatu/gel.gif?itsed=mvolu#agn", - "url.query": "eritinvo", - "user.name": "labor" + "url.original": "https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod", + "url.query": "tur", + "user.name": "Sedut" }, { - "destination.ip": [ - "10.209.39.25" - ], - "destination.port": 3954, - "event.action": "block", + "event.action": "ercitati", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.209.39.25,dstPort=3954,dbUsername=tion,srcIP=10.67.163.107,srcPort=1312,creatTime=2018-08-29 14:59:40,srvGroup=tiumtot,service=ctio,appName=imadm,event#=ugiat,eventType=ius,usrGroup=msequ,usrAuth=ciatisun,application=\"Ute\",osUsername=eddoe,srcHost=seq3852.www5.localdomain,dbName=uasi,schemaName=quaeabi,bindVar=sequ,sqlError=failure,respSize=3469,respTime=69.015000,affRows=essecill,action=\"block\",rawQuery=\"uovolup\"", + "event.original": 
"%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message=\"deserun\"", "fileset.name": "securesphere", - "host.hostname": "seq3852.www5.localdomain", "input.type": "log", - "log.offset": 32802, - "network.application": "Ute", + "log.level": "very-high", + "log.offset": 32562, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.209.39.25", - "10.67.163.107" - ], "related.user": [ - "tion", - "eddoe", - "quaeabi" + "imad" ], - "rsa.counters.dclass_c1": 3469, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uasi", - "rsa.db.index": "uovolup", + "rsa.internal.event_desc": "deserun", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "ius", - "rsa.misc.group": "msequ", - "rsa.misc.group_object": "tiumtot", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 69.015, + "rsa.misc.event_type": "ercitati", + "rsa.misc.severity": "very-high", "rsa.time.starttime": "2018-08-29T16:59:40.000Z", "service.type": "imperva", - "source.address": "seq3852.www5.localdomain", - "source.ip": [ - "10.67.163.107" + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "imad" + }, + { + "event.action": "uatDuis", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message=\"utali\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "medium", + "log.offset": 32706, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "apari" ], - "source.port": 1312, + "rsa.internal.event_desc": "utali", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "uatDuis", + "rsa.misc.severity": 
"medium", + "rsa.time.starttime": "2018-09-13T00:02:15.000Z", + "service.type": "imperva", "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "tion" + "user.name": "apari" }, { "destination.ip": [ - "10.61.247.113" + "10.115.203.143" ], - "destination.port": 599, + "destination.port": 6889, "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.61.247.113,dstPort=599,dbUsername=tur,srcIP=10.120.66.172,srcPort=984,creatTime=2018-09-12 22:02:15,srvGroup=aven,service=Sedut,appName=stiaec,event#=rveli,eventType=Logout,usrGroup=serr,usrAuth=True,application=\"umdolo\",osUsername=iduntut,srcHost=admini511.www5.local,dbName=cididun,schemaName=iamqu,bindVar=ommodoc,sqlError=unknown,respSize=2218,respTime=179.909000,affRows=uisaut,action=\"cancel\",rawQuery=\"onse\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application=\"urere\",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action=\"cancel\",rawQuery=\"quatu\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "admini511.www5.local", + "group.name": "entor", + "host.hostname": "qui5978.api.test", "input.type": "log", - "log.offset": 33246, - "network.application": "umdolo", + "log.offset": 32854, + "network.application": "urere", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.61.247.113", - "10.120.66.172" + "10.134.135.22", + "10.115.203.143" ], "related.user": [ - "iamqu", - "tur", - "iduntut" + "orpori", + "utoditau", + "involu" ], - 
"rsa.counters.dclass_c1": 2218, + "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "cididun", - "rsa.db.index": "onse", + "rsa.db.database": "amre", + "rsa.db.index": "quatu", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "cancel" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "serr", - "rsa.misc.group_object": "aven", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 179.909, - "rsa.time.starttime": "2018-09-13T00:02:15.000Z", + "rsa.misc.event_type": "Login", + "rsa.misc.group": "entor", + "rsa.misc.group_object": "serror", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 5.277, + "rsa.time.starttime": "2018-09-27T07:04:49.000Z", "service.type": "imperva", - "source.address": "admini511.www5.local", + "source.address": "qui5978.api.test", "source.ip": [ - "10.120.66.172" + "10.134.135.22" ], - "source.port": 984, + "source.port": 1809, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "tur" + "user.name": "utoditau" }, { "destination.ip": [ - "10.206.65.159" + "10.43.244.252" ], - "destination.port": 6326, - "event.action": "deny", + "destination.port": 1752, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=orinrepr,event#=tinvo,createTime=2018-09-27 
05:04:49,updateTime=oru,alertSev=medium,group=stena,ruleName=\"tquid\",evntDesc=\"liquaUt\",category=tdolorem,disposition=umdolo,eventType=oluptass,proto=udp,srcPort=5328,srcIP=10.31.56.237,dstPort=6326,dstIP=10.206.65.159,policyName=\"fdeFini\",occurrences=1295,httpHost=eetdolo,webMethod=issuscip,url=\"https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati\",webQuery=\"lapa\",soapAction=enia,resultCode=atis,sessionID=edol,username=cit,addUsername=adip,responseTime=ugiatq,responseSize=mnisiuta,direction=nrepre,dbUsername=eumfu,queryGroup=remap,application=\"ecatcup\",srcHost=olup2082.localhost,osUsername=atem,schemaName=amcorpor,dbName=oloremeu,hdrName=mquisn,action=deny", + "event.original": "%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application=\"enim\",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action=\"accept\",rawQuery=\"lamco\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "olup2082.localhost", + "group.name": "tatiset", + "host.hostname": "iamq2577.internal.corp", "input.type": "log", - "log.level": "medium", - "log.offset": 33687, - "network.application": "ecatcup", - "network.direction": "nrepre", - "network.protocol": "udp", + "log.offset": 33304, + "network.application": "enim", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.206.65.159", - "10.31.56.237" + "10.251.212.166", + "10.43.244.252" ], "related.user": [ - "amcorpor", - "atem", - "cit" + "uptat", + "gnido", + "inculp" ], - "rsa.counters.event_counter": 1295, - "rsa.db.database": "oloremeu", - "rsa.internal.event_desc": "liquaUt", + "rsa.counters.dclass_c1": 6947, + 
"rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uisa", + "rsa.db.index": "lamco", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "deny", - "issuscip" - ], - "rsa.misc.category": "tdolorem", - "rsa.misc.disposition": "umdolo", - "rsa.misc.event_type": "oluptass", - "rsa.misc.group": "stena", - "rsa.misc.log_session_id": "edol", - "rsa.misc.operation_id": "orinrepr", - "rsa.misc.policy_name": "fdeFini", - "rsa.misc.result_code": "atis", - "rsa.misc.rule_name": "tquid", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2018-09-27T07:04:49.000Z", - "rsa.web.alias_host": "eetdolo", - "rule.name": "tquid", + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tatiset", + "rsa.misc.group_object": "iur", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 144.976, + "rsa.time.starttime": "2018-10-11T14:07:23.000Z", "service.type": "imperva", - "source.address": "olup2082.localhost", + "source.address": "iamq2577.internal.corp", "source.ip": [ - "10.31.56.237" + "10.251.212.166" ], - "source.port": 5328, + "source.port": 3925, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://internal.example.com/nde/naturau.txt?sBonor=odit#ercitati", - "url.query": "lapa", - "user.name": "cit" + "user.name": "inculp" }, { - "event.action": "iades", + "event.action": "edutpe", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=eruntm,createTime=2018-10-11 12:07:23,eventType=iades,eventSev=high,username=inculpa,subsystem=vita,message=\"onorum\"", + "event.original": "%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message=\"cepte\"", "fileset.name": 
"securesphere", "input.type": "log", - "log.level": "high", - "log.offset": 34434, + "log.level": "medium", + "log.offset": 33759, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.user": [ - "inculpa" + "isunde" ], - "rsa.internal.event_desc": "onorum", + "rsa.internal.event_desc": "cepte", "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "iades", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2018-10-11T14:07:23.000Z", + "rsa.misc.event_type": "edutpe", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-10-25T21:09:57.000Z", "service.type": "imperva", "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "inculpa" + "user.name": "isunde" }, { "destination.ip": [ - "10.108.76.145" + "10.20.231.188" ], - "destination.port": 4698, - "event.action": "allow", + "destination.port": 1200, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.108.76.145,dstPort=4698,dbUsername=trumexer,srcIP=10.147.56.184,srcPort=672,creatTime=25 October 2018 19:09:57,srvGroup=emoenim,service=oqui,appName=olab,event#=remagnam,eventType=Login,usrGroup=neavolu,usrAuth=False,application=\"adipi\",osUsername=idid,srcHost=ela5007.www.lan,dbName=lore,schemaName=uisautem,bindVar=olorsi,sqlError=unknown,respSize=1294,respTime=149.161000,affRows=iamq,action=\"allow\",rawQuery=\"tiumt\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application=\"uidolore\",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action=\"cancel\",rawQuery=\"porinci\"", + 
"event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "ela5007.www.lan", + "group.name": "tNeque", + "host.hostname": "usB4127.localhost", "input.type": "log", - "log.offset": 34575, - "network.application": "adipi", + "log.offset": 33902, + "network.application": "uidolore", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.147.56.184", - "10.108.76.145" + "10.88.189.164", + "10.20.231.188" ], "related.user": [ - "trumexer", - "idid", - "uisautem" + "tesseq", + "mqu", + "uatDuisa" ], - "rsa.counters.dclass_c1": 1294, + "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "lore", - "rsa.db.index": "tiumt", + "rsa.db.database": "ufugia", + "rsa.db.index": "porinci", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow" + "cancel" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "neavolu", - "rsa.misc.group_object": "emoenim", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 149.161, - "rsa.time.starttime": "2018-10-25T21:09:57.000Z", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "tNeque", + "rsa.misc.group_object": "iusmod", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 33.468, + "rsa.time.starttime": "2018-11-09T04:12:32.000Z", "service.type": "imperva", - "source.address": "ela5007.www.lan", + "source.address": "usB4127.localhost", "source.ip": [ - "10.147.56.184" + "10.88.189.164" ], - "source.port": 672, + "source.port": 1373, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "trumexer" + "user.name": "tesseq" }, { - "destination.ip": [ - "10.193.58.50" - ], - "destination.port": 5693, - "event.action": "cancel", + "event.action": "uianon", 
"event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=expl,event#=animi,createTime=2018-11-09 02:12:32,updateTime=mdoloree,alertSev=medium,group=Loremips,ruleName=\"taliqui\",evntDesc=\"doloremi\",category=uisno,disposition=atevel,eventType=oloremeu,proto=rdp,srcPort=4601,srcIP=10.28.248.90,dstPort=5693,dstIP=10.193.58.50,policyName=\"sedquian\",occurrences=4385,httpHost=secillum,webMethod=sequatD,url=\"https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti\",webQuery=\"ipsum\",soapAction=com,resultCode=uptate,sessionID=tevelite,username=cto,addUsername=borisn,responseTime=assitasp,responseSize=nima,direction=abore,dbUsername=tur,queryGroup=tlaboru,application=\"erun\",srcHost=mquid2987.host,osUsername=totamrem,schemaName=eaqu,dbName=itani,hdrName=mni,action=cancel", + "event.original": "%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message=\"nos\"", "fileset.name": "securesphere", - "host.hostname": "mquid2987.host", "input.type": "log", - "log.level": "medium", - "log.offset": 35021, - "network.application": "erun", - "network.direction": "abore", - "network.protocol": "rdp", + "log.level": "low", + "log.offset": 34350, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.193.58.50", - "10.28.248.90" - ], "related.user": [ - "totamrem", - "cto", - "eaqu" + "quamquae" ], - "rsa.counters.event_counter": 4385, - "rsa.db.database": "itani", - "rsa.internal.event_desc": "doloremi", + "rsa.internal.event_desc": "nos", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "sequatD", - "cancel" - ], - "rsa.misc.category": "uisno", - "rsa.misc.disposition": "atevel", - "rsa.misc.event_type": "oloremeu", - "rsa.misc.group": "Loremips", - "rsa.misc.log_session_id": "tevelite", - "rsa.misc.operation_id": "expl", - "rsa.misc.policy_name": "sedquian", - 
"rsa.misc.result_code": "uptate", - "rsa.misc.rule_name": "taliqui", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2018-11-09T04:12:32.000Z", - "rsa.web.alias_host": "secillum", - "rule.name": "taliqui", + "rsa.misc.event_type": "uianon", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2018-11-23T11:15:06.000Z", "service.type": "imperva", - "source.address": "mquid2987.host", - "source.ip": [ - "10.28.248.90" - ], - "source.port": 4601, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://api.example.com/veleum/eturad.jpg?eetdol=aut#eriti", - "url.query": "ipsum", - "user.name": "cto" + "user.name": "quamquae" }, { "destination.ip": [ - "10.84.3.244" + "10.231.77.26" ], - "destination.port": 3154, - "event.action": "block", + "destination.port": 7082, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.84.3.244,dstPort=3154,dbUsername=olest,srcIP=10.211.242.138,srcPort=6661,creatTime=23 November 2018 09:15:06,srvGroup=ola,service=tla,appName=nimve,event#=edutpe,eventType=Login,usrGroup=tenb,usrAuth=True,application=\"billoinv\",osUsername=asia,srcHost=rsitam4260.api.home,dbName=iumto,schemaName=ciun,bindVar=prehe,sqlError=unknown,respSize=545,respTime=157.352000,affRows=nemul,action=\"block\",rawQuery=\"nsequa\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application=\"entsu\",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action=\"allow\",rawQuery=\"uovo\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": 
"rsitam4260.api.home", + "group.name": "quines", + "host.hostname": "abor3266.mail.home", "input.type": "log", - "log.offset": 35759, - "network.application": "billoinv", + "log.offset": 34487, + "network.application": "entsu", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.211.242.138", - "10.84.3.244" + "10.225.11.197", + "10.231.77.26" ], "related.user": [ - "ciun", - "asia", - "olest" + "ineavol", + "rehe", + "volu" ], - "rsa.counters.dclass_c1": 545, + "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "iumto", - "rsa.db.index": "nsequa", + "rsa.db.database": "voluptat", + "rsa.db.index": "uovo", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "allow" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "tenb", - "rsa.misc.group_object": "ola", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 157.352, - "rsa.time.starttime": "2018-11-23T11:15:06.000Z", + "rsa.misc.group": "quines", + "rsa.misc.group_object": "siarchi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 61.96, "service.type": "imperva", - "source.address": "rsitam4260.api.home", + "source.address": "abor3266.mail.home", "source.ip": [ - "10.211.242.138" - ], - "source.port": 6661, - "tags": [ - "imperva.securesphere", - "forwarded" - ], - "user.name": "olest" - }, - { - "event.action": "quidolo", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=evolu,createTime=2018-12-07 16:17:40,eventType=quidolo,eventSev=medium,username=destlabo,subsystem=fficia,message=\"utaliqui\"", - "fileset.name": "securesphere", - "input.type": "log", - 
"log.level": "medium", - "log.offset": 36197, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "destlabo" - ], - "rsa.internal.event_desc": "utaliqui", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "quidolo", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2018-12-07T18:17:40.000Z", - "service.type": "imperva", + "10.225.11.197" + ], + "source.port": 3513, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "destlabo" + "user.name": "rehe" }, { "destination.ip": [ - "10.121.189.113" + "10.148.3.197" ], - "destination.port": 5635, - "event.action": "accept", + "destination.port": 979, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.121.189.113,dstPort=5635,dbUsername=lapa,srcIP=10.13.86.14,srcPort=798,creatTime=21 December 2018 23:20:14,srvGroup=isiutali,service=upidatat,appName=non,event#=Sed,eventType=Login,usrGroup=commod,usrAuth=True,application=\"equ\",osUsername=turvelil,srcHost=lor5252.host,dbName=unt,schemaName=volu,bindVar=iineavo,sqlError=failure,respSize=7284,respTime=172.281000,affRows=tenbyC,action=\"accept\",rawQuery=\"itquii\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application=\"natuser\",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action=\"allow\",rawQuery=\"byCicer\"", "fileset.name": "securesphere", - "host.hostname": "lor5252.host", + "group.name": "tru", + "host.hostname": "eprehe2455.www.home", "input.type": "log", - "log.offset": 36346, - "network.application": "equ", + 
"log.offset": 34938, + "network.application": "natuser", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.13.86.14", - "10.121.189.113" + "10.148.3.197", + "10.106.166.105" ], "related.user": [ - "volu", - "lapa", - "turvelil" + "avolup", + "usa", + "olupt" ], - "rsa.counters.dclass_c1": 7284, + "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "unt", - "rsa.db.index": "itquii", + "rsa.db.database": "smo", + "rsa.db.index": "byCicer", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "allow" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "commod", - "rsa.misc.group_object": "isiutali", + "rsa.misc.event_type": "ficia", + "rsa.misc.group": "tru", + "rsa.misc.group_object": "oremagna", "rsa.misc.result": "failure", - "rsa.time.duration_time": 172.281, + "rsa.time.duration_time": 84.894, + "rsa.time.starttime": "2018-12-22T01:20:14.000Z", "service.type": "imperva", - "source.address": "lor5252.host", + "source.address": "eprehe2455.www.home", "source.ip": [ - "10.13.86.14" + "10.106.166.105" ], - "source.port": 798, + "source.port": 4567, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "lapa" + "user.name": "usa" }, { "destination.ip": [ - "10.32.220.188" + "10.172.121.239" ], - "destination.port": 2394, - "event.action": "accept", + "destination.port": 5339, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.32.220.188,dstPort=2394,dbUsername=ectob,srcIP=10.50.195.220,srcPort=1255,creatTime=2019-01-05 
06:22:49,srvGroup=orro,service=quepo,appName=tDuisa,event#=iscive,eventType=Logout,usrGroup=prehende,usrAuth=True,application=\"volup\",osUsername=nimi,srcHost=niamqu3513.api.example,dbName=seddoeiu,schemaName=lorinrep,bindVar=isq,sqlError=failure,respSize=2636,respTime=44.636000,affRows=ione,action=\"accept\",rawQuery=\"abor\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application=\"cept\",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action=\"cancel\",rawQuery=\"maven\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "niamqu3513.api.example", + "group.name": "mpo", + "host.hostname": "destla2110.www5.localdomain", "input.type": "log", - "log.offset": 36784, - "network.application": "volup", + "log.offset": 35381, + "network.application": "cept", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.32.220.188", - "10.50.195.220" + "10.172.121.239", + "10.57.169.205" ], "related.user": [ - "ectob", - "nimi", - "lorinrep" + "ctas", + "iuta", + "ipsu" ], - "rsa.counters.dclass_c1": 2636, + "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "seddoeiu", - "rsa.db.index": "abor", + "rsa.db.database": "inea", + "rsa.db.index": "maven", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "cancel" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": 
"prehende", - "rsa.misc.group_object": "orro", + "rsa.misc.group": "mpo", + "rsa.misc.group_object": "reeufugi", "rsa.misc.result": "failure", - "rsa.time.duration_time": 44.636, + "rsa.time.duration_time": 19.061, "rsa.time.starttime": "2019-01-05T08:22:49.000Z", "service.type": "imperva", - "source.address": "niamqu3513.api.example", + "source.address": "destla2110.www5.localdomain", "source.ip": [ - "10.50.195.220" + "10.57.169.205" ], - "source.port": 1255, + "source.port": 3093, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "ectob" + "user.name": "iuta" }, { "destination.ip": [ - "10.189.155.253" + "10.129.234.200" ], - "destination.port": 984, + "destination.port": 3833, "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.189.155.253,dstPort=984,dbUsername=iutaliqu,srcIP=10.29.74.57,srcPort=4226,creatTime=19 January 2019 13:25:23,srvGroup=tam,service=uovo,appName=scivelit,event#=enimadm,eventType=Login,usrGroup=empo,usrAuth=False,application=\"apa\",osUsername=colab,srcHost=sistenat115.mail.local,dbName=Sedutper,schemaName=exe,bindVar=writt,sqlError=unknown,respSize=3432,respTime=35.197000,affRows=amqua,action=\"allow\",rawQuery=\"taliquip\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application=\"aaliqu\",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action=\"allow\",rawQuery=\"ipex\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "sistenat115.mail.local", + "group.name": "laborio", + "host.hostname": "exerc3694.api.home", "input.type": 
"log", - "log.offset": 37229, - "network.application": "apa", + "log.offset": 35821, + "network.application": "aaliqu", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.29.74.57", - "10.189.155.253" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ - "colab", - "exe", - "iutaliqu" + "tevelit", + "tisundeo", + "dquia" ], - "rsa.counters.dclass_c1": 3432, + "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "Sedutper", - "rsa.db.index": "taliquip", + "rsa.db.database": "consec", + "rsa.db.index": "ipex", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Failure", 
@@ -4378,662 +4289,644 @@ "allow" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "empo", - "rsa.misc.group_object": "tam", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 35.197, + "rsa.misc.group": "laborio", + "rsa.misc.group_object": "mnis", + "rsa.misc.result": "success", + "rsa.time.duration_time": 34.273, "rsa.time.starttime": "2019-01-19T15:25:23.000Z", "service.type": "imperva", - "source.address": "sistenat115.mail.local", + "source.address": "exerc3694.api.home", "source.ip": [ - "10.29.74.57" + "10.42.218.103" ], - "source.port": 4226, + "source.port": 3315, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "iutaliqu" + "user.name": "tisundeo" }, { "destination.ip": [ - "10.107.41.59" + "10.111.132.221" ], - "destination.port": 926, - "event.action": "block", + "destination.port": 2262, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.107.41.59,dstPort=926,dbUsername=oreseo,srcIP=10.149.2.62,srcPort=7493,creatTime=2019-02-02 20:27:57,srvGroup=maven,service=tectob,appName=sequamn,event#=uiaco,eventType=acom,usrGroup=modi,usrAuth=atisun,application=\"ntu\",osUsername=utal,srcHost=ptatev4160.internal.home,dbName=tionemu,schemaName=edictasu,bindVar=quipexea,sqlError=unknown,respSize=3008,respTime=47.865000,affRows=mnis,action=\"block\",rawQuery=\"aborumSe\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application=\"siarch\",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action=\"cancel\",rawQuery=\"ita\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": 
"ptatev4160.internal.home", + "group.name": "admi", + "host.hostname": "ididu5928.www5.local", "input.type": "log", - "log.offset": 37677, - "network.application": "ntu", + "log.offset": 36271, + "network.application": "siarch", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.149.2.62", - "10.107.41.59" + "10.111.132.221", + "10.76.121.224" ], "related.user": [ - "edictasu", - "oreseo", - "utal" + "ali", + "oloremi", + "scive" ], - "rsa.counters.dclass_c1": 3008, + "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tionemu", - "rsa.db.index": "aborumSe", + "rsa.db.database": "tNe", + "rsa.db.index": "ita", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "cancel" ], - "rsa.misc.event_type": "acom", - "rsa.misc.group": "modi", - "rsa.misc.group_object": "maven", + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "admi", + "rsa.misc.group_object": "xcep", "rsa.misc.result": "unknown", - "rsa.time.duration_time": 47.865, + "rsa.time.duration_time": 139.491, "rsa.time.starttime": "2019-02-02T22:27:57.000Z", "service.type": "imperva", - "source.address": "ptatev4160.internal.home", + "source.address": "ididu5928.www5.local", "source.ip": [ - "10.149.2.62" + "10.76.121.224" ], - "source.port": 7493, + "source.port": 4305, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "oreseo" + "user.name": "ali" }, { "destination.ip": [ - "10.20.211.186" + "10.195.8.141" ], - "destination.port": 4062, + "destination.port": 4342, "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=laborio,event#=aaliqu,createTime=2019-02-17 
03:30:32,updateTime=tevelit,alertSev=low,group=mid,ruleName=\"henderi\",evntDesc=\"consec\",category=dquia,disposition=cep,eventType=erit,proto=udp,srcPort=3382,srcIP=10.11.237.65,dstPort=4062,dstIP=10.20.211.186,policyName=\"tionem\",occurrences=3743,httpHost=olu,webMethod=cae,url=\"https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi\",webQuery=\"siarch\",soapAction=oloremi,resultCode=ididu,sessionID=uov,username=ncidid,addUsername=audantiu,responseTime=lmolest,responseSize=miurerep,direction=orsitame,dbUsername=Sed,queryGroup=isau,application=\"temvele\",srcHost=ntutl6493.mail.home,osUsername=ptassit,schemaName=olo,dbName=ataevit,hdrName=ficiad,action=accept", + "event.original": "%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application=\"riaturE\",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action=\"accept\",rawQuery=\"non\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "ntutl6493.mail.home", + "group.name": "tium", + "host.hostname": "boriosa7066.www.corp", "input.type": "log", - "log.level": "low", - "log.offset": 38124, - "network.application": "temvele", - "network.direction": "orsitame", - "network.protocol": "udp", + "log.offset": 36701, + "network.application": "riaturE", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.11.237.65", - "10.20.211.186" + "10.17.214.21", + "10.195.8.141" ], "related.user": [ - "ncidid", - "ptassit", - "olo" + "enimip", + "dolo", + "ota" ], - "rsa.counters.event_counter": 3743, - "rsa.db.database": "ataevit", - "rsa.internal.event_desc": "consec", + "rsa.counters.dclass_c1": 469, + "rsa.counters.dclass_c1_str": "Affected Rows", + 
"rsa.db.database": "Nequep", + "rsa.db.index": "non", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cae", "accept" ], - "rsa.misc.category": "dquia", - "rsa.misc.disposition": "cep", - "rsa.misc.event_type": "erit", - "rsa.misc.group": "mid", - "rsa.misc.log_session_id": "uov", - "rsa.misc.operation_id": "laborio", - "rsa.misc.policy_name": "tionem", - "rsa.misc.result_code": "ididu", - "rsa.misc.rule_name": "henderi", - "rsa.misc.severity": "low", + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tium", + "rsa.misc.group_object": "umquiado", + "rsa.misc.result": "success", + "rsa.time.duration_time": 146.775, "rsa.time.starttime": "2019-02-17T05:30:32.000Z", - "rsa.web.alias_host": "olu", - "rule.name": "henderi", "service.type": "imperva", - "source.address": "ntutl6493.mail.home", + "source.address": "boriosa7066.www.corp", "source.ip": [ - "10.11.237.65" + "10.17.214.21" ], - "source.port": 3382, + "source.port": 4821, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www5.example.org/onsequ/Bon.txt?remap=mUt#admi", - "url.query": "siarch", - "user.name": "ncidid" + "user.name": "enimip" }, { "destination.ip": [ - "10.190.18.213" + "10.173.13.179" ], - "destination.port": 2201, + "destination.port": 1211, "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.190.18.213,dstPort=2201,dbUsername=rror,srcIP=10.177.60.55,srcPort=7799,creatTime=3 March 2019 
10:33:06,srvGroup=tut,service=umdol,appName=nseq,event#=autodita,eventType=Login,usrGroup=loreme,usrAuth=True,application=\"eratv\",osUsername=tametcon,srcHost=orsi1332.www5.corp,dbName=dolorsi,schemaName=etdolore,bindVar=taevita,sqlError=unknown,respSize=7327,respTime=93.075000,affRows=luptatem,action=\"block\",rawQuery=\"cons\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application=\"cons\",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action=\"block\",rawQuery=\"cusan\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "orsi1332.www5.corp", + "group.name": "liqu", + "host.hostname": "ssusc1892.internal.host", "input.type": "log", - "log.offset": 38852, - "network.application": "eratv", + "log.offset": 37150, + "network.application": "cons", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.177.60.55", - "10.190.18.213" + "10.173.13.179", + "10.179.60.167" ], "related.user": [ - "etdolore", - "rror", - "tametcon" + "ptasn", + "apar", + "isn" ], - "rsa.counters.dclass_c1": 7327, + "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "dolorsi", - "rsa.db.index": "cons", + "rsa.db.database": "xplic", + "rsa.db.index": "cusan", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "block" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "loreme", - 
"rsa.misc.group_object": "tut", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 93.075, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "liqu", + "rsa.misc.group_object": "amqui", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 58.8, "rsa.time.starttime": "2019-03-03T12:33:06.000Z", "service.type": "imperva", - "source.address": "orsi1332.www5.corp", + "source.address": "ssusc1892.internal.host", "source.ip": [ - "10.177.60.55" + "10.179.60.167" ], - "source.port": 7799, + "source.port": 1124, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "rror" + "user.name": "ptasn" }, { "destination.ip": [ - "10.173.169.212" + "10.42.135.34" ], - "destination.port": 292, + "destination.port": 4361, "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.173.169.212,dstPort=292,dbUsername=oinB,srcIP=10.131.253.222,srcPort=1239,creatTime=17 March 2019 17:35:40,srvGroup=enatuser,service=uia,appName=sistena,event#=reetdolo,eventType=Login,usrGroup=psam,usrAuth=False,application=\"litseddo\",osUsername=orumet,srcHost=aliqu5109.www.test,dbName=sun,schemaName=utod,bindVar=queips,sqlError=unknown,respSize=6659,respTime=138.450000,affRows=riatu,action=\"cancel\",rawQuery=\"serrors\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application=\"ser\",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action=\"cancel\",rawQuery=\"ore\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "aliqu5109.www.test", + "group.name": "lmolest", + "host.hostname": 
"iatisund424.mail.localdomain", "input.type": "log", - "log.offset": 39299, - "network.application": "litseddo", + "log.offset": 37585, + "network.application": "ser", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.169.212", - "10.131.253.222" + "10.178.190.123", + "10.42.135.34" ], "related.user": [ - "utod", - "orumet", - "oinB" + "orsi", + "tiset", + "ore" ], - "rsa.counters.dclass_c1": 6659, + "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "sun", - "rsa.db.index": "serrors", + "rsa.db.database": "tametcon", + "rsa.db.index": "ore", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "cancel" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "psam", - "rsa.misc.group_object": "enatuser", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 138.45, + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "lmolest", + "rsa.misc.group_object": "xercitat", + "rsa.misc.result": "success", + "rsa.time.duration_time": 1.468, "rsa.time.starttime": "2019-03-17T19:35:40.000Z", "service.type": "imperva", - "source.address": "aliqu5109.www.test", + "source.address": "iatisund424.mail.localdomain", "source.ip": [ - "10.131.253.222" + "10.178.190.123" ], - "source.port": 1239, + "source.port": 3288, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "oinB" + "user.name": "tiset" }, { - "destination.ip": [ - "10.33.131.63" - ], - "destination.port": 1437, - "event.action": "cancel", + "event.action": "cons", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": 
"%IMPERVA-Imperva,dstIP=10.33.131.63,dstPort=1437,dbUsername=imven,srcIP=10.5.54.131,srcPort=1411,creatTime=2019-04-01 00:38:14,srvGroup=sectetu,service=quiratio,appName=aincidu,event#=eseo,eventType=lum,usrGroup=CSe,usrAuth=umqu,application=\"aeratvol\",osUsername=psamvolu,srcHost=urQui381.mail.example,dbName=ionev,schemaName=liq,bindVar=utlab,sqlError=failure,respSize=587,respTime=125.240000,affRows=tassi,action=\"cancel\",rawQuery=\"orinre\"", + "event.original": "%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message=\"ntutla\"", "fileset.name": "securesphere", - "host.hostname": "urQui381.mail.example", "input.type": "log", - "log.offset": 39748, - "network.application": "aeratvol", + "log.level": "medium", + "log.offset": 38037, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.5.54.131", - "10.33.131.63" - ], "related.user": [ - "imven", - "liq", - "psamvolu" + "fugit" ], - "rsa.counters.dclass_c1": 587, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ionev", - "rsa.db.index": "orinre", + "rsa.internal.event_desc": "ntutla", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "lum", - "rsa.misc.group": "CSe", - "rsa.misc.group_object": "sectetu", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 125.24, + "rsa.misc.event_type": "cons", + "rsa.misc.severity": "medium", "rsa.time.starttime": "2019-04-01T02:38:14.000Z", "service.type": "imperva", - "source.address": "urQui381.mail.example", - "source.ip": [ - "10.5.54.131" - ], - "source.port": 1411, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "imven" + "user.name": "fugit" }, { "destination.ip": [ - "10.164.123.69" + "10.207.198.239" ], - "destination.port": 2543, - "event.action": "cancel", + "destination.port": 4735, + "event.action": "accept", "event.code": "Imperva", 
"event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.164.123.69,dstPort=2543,dbUsername=litesse,srcIP=10.161.51.238,srcPort=1809,creatTime=2019-04-15 07:40:49,srvGroup=odt,service=riatur,appName=oremeumf,event#=volupt,eventType=Logout,usrGroup=dicon,usrAuth=False,application=\"psumquia\",osUsername=xercitat,srcHost=giatq1967.api.test,dbName=citat,schemaName=xeacomm,bindVar=itvolup,sqlError=success,respSize=5031,respTime=124.913000,affRows=reetd,action=\"cancel\",rawQuery=\"ngelit\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application=\"exerc\",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action=\"accept\",rawQuery=\"econsequ\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "giatq1967.api.test", + "group.name": "ori", + "host.hostname": "uidolo7626.local", "input.type": "log", - "log.offset": 40190, - "network.application": "psumquia", + "log.offset": 38180, + "network.application": "exerc", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.164.123.69", - "10.161.51.238" + "10.8.147.176", + "10.207.198.239" ], "related.user": [ - "xercitat", - "litesse", - "xeacomm" + "incididu", + "Loremips", + "aUteni" ], - "rsa.counters.dclass_c1": 5031, + "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "citat", - "rsa.db.index": "ngelit", + "rsa.db.database": "rchite", + "rsa.db.index": "econsequ", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_activity": "Logon", 
"rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "accept" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "dicon", - "rsa.misc.group_object": "odt", - "rsa.misc.result": "success", - "rsa.time.duration_time": 124.913, + "rsa.misc.event_type": "Login", + "rsa.misc.group": "ori", + "rsa.misc.group_object": "odtem", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 36.712, "rsa.time.starttime": "2019-04-15T09:40:49.000Z", "service.type": "imperva", - "source.address": "giatq1967.api.test", + "source.address": "uidolo7626.local", "source.ip": [ - "10.161.51.238" + "10.8.147.176" ], - "source.port": 1809, + "source.port": 5920, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "litesse" + "user.name": "Loremips" }, { "destination.ip": [ - "10.112.73.97" + "10.116.26.185" ], - "destination.port": 6125, - "event.action": "accept", + "destination.port": 595, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.112.73.97,dstPort=6125,dbUsername=quinesc,srcIP=10.227.144.202,srcPort=3803,creatTime=2019-04-29 14:43:23,srvGroup=doeiusmo,service=tev,appName=elaudant,event#=ratvolu,eventType=odte,usrGroup=enderitq,usrAuth=nnumquam,application=\"abori\",osUsername=uelauda,srcHost=urQuis7078.www5.domain,dbName=rumS,schemaName=uelau,bindVar=quidolor,sqlError=failure,respSize=2469,respTime=53.441000,affRows=quinesci,action=\"accept\",rawQuery=\"lpaqui\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 
14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application=\"cca\",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action=\"block\",rawQuery=\"nul\"", "fileset.name": "securesphere", - "host.hostname": "urQuis7078.www5.domain", + "group.name": "uelau", + "host.hostname": "dmini3435.internal.domain", "input.type": "log", - "log.offset": 40644, - "network.application": "abori", + "log.offset": 38627, + "network.application": "cca", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.73.97", - "10.227.144.202" + "10.206.221.180", + "10.116.26.185" ], "related.user": [ - "uelau", - "uelauda", - "quinesc" + "litesseq", + "nseq", + "oNe" ], - "rsa.counters.dclass_c1": 2469, + "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "rumS", - "rsa.db.index": "lpaqui", + "rsa.db.database": "rumexerc", + "rsa.db.index": "nul", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept" + "block" ], - "rsa.misc.event_type": "odte", - "rsa.misc.group": "enderitq", - "rsa.misc.group_object": "doeiusmo", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 53.441, + "rsa.misc.event_type": "rumS", + "rsa.misc.group": "uelau", + "rsa.misc.group_object": "repr", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 26.485, "rsa.time.starttime": "2019-04-29T16:43:23.000Z", "service.type": "imperva", - "source.address": "urQuis7078.www5.domain", + "source.address": "dmini3435.internal.domain", "source.ip": [ - "10.227.144.202" + "10.206.221.180" ], - "source.port": 3803, + "source.port": 6818, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "quinesc" + "user.name": "oNe" }, { - "event.action": "scip", + "destination.ip": [ + "10.86.180.150" + ], + 
"destination.port": 5495, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=utlabo,createTime=2019-05-13 21:45:57,eventType=scip,eventSev=low,username=voluptas,subsystem=inv,message=\"upta\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application=\"uat\",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action=\"allow\",rawQuery=\"sperna\"", + "event.outcome": "success", "fileset.name": "securesphere", + "group.name": "equunt", + "host.hostname": "nibusBo1864.domain", "input.type": "log", - "log.level": "low", - "log.offset": 41105, + "log.offset": 39075, + "network.application": "uat", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.ip": [ + "10.253.127.130", + "10.86.180.150" + ], "related.user": [ - "voluptas" + "etconsec", + "mnisis", + "itasper" ], - "rsa.internal.event_desc": "upta", + "rsa.counters.dclass_c1": 4564, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ent", + "rsa.db.index": "sperna", "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "scip", - "rsa.misc.severity": "low", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "equunt", + "rsa.misc.group_object": "isciveli", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 4.592, "rsa.time.starttime": "2019-05-13T23:45:57.000Z", "service.type": "imperva", + 
"source.address": "nibusBo1864.domain", + "source.ip": [ + "10.253.127.130" + ], + "source.port": 5339, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "voluptas" + "user.name": "mnisis" }, { "destination.ip": [ - "10.185.248.253" + "10.158.161.5" ], - "destination.port": 3804, - "event.action": "block", + "destination.port": 579, + "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.185.248.253,dstPort=3804,dbUsername=nisi,srcIP=10.76.165.58,srcPort=1381,creatTime=28 May 2019 04:48:31,srvGroup=dipis,service=nderitin,appName=ernatu,event#=usant,eventType=Login,usrGroup=uidolore,usrAuth=False,application=\"litse\",osUsername=ugitse,srcHost=utfugi6811.mail.host,dbName=psum,schemaName=amqua,bindVar=mavenia,sqlError=failure,respSize=4963,respTime=99.486000,affRows=ssuscipi,action=\"block\",rawQuery=\"eturadi\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName=\"busBonor\",evntDesc=\"enima\",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName=\"eab\",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url=\"https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu\",webQuery=\"suntincu\",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application=\"eumiurer\",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow", "fileset.name": "securesphere", - "host.hostname": "utfugi6811.mail.host", + "group.name": "ciade", + "host.hostname": "inv6528.www5.example", "input.type": "log", - "log.offset": 41242, - "network.application": "litse", + 
"log.level": "high", + "log.offset": 39520, + "network.application": "eumiurer", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.76.165.58", - "10.185.248.253" + "10.158.161.5", + "10.220.175.201" ], "related.user": [ - "nisi", - "ugitse", - "amqua" + "dolo", + "rrors" ], - "rsa.counters.dclass_c1": 4963, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "psum", - "rsa.db.index": "eturadi", + "rsa.counters.event_counter": 4098, + "rsa.db.database": "tsed", + "rsa.internal.event_desc": "enima", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "atisu", + "allow" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "uidolore", - "rsa.misc.group_object": "dipis", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 99.486, + "rsa.misc.category": "emseq", + "rsa.misc.disposition": "osamni", + "rsa.misc.event_type": "umetMa", + "rsa.misc.group": "ciade", + "rsa.misc.log_session_id": "enbyCi", + "rsa.misc.operation_id": "mexe", + "rsa.misc.policy_name": "eab", + "rsa.misc.result_code": "equatu", + "rsa.misc.rule_name": "busBonor", + "rsa.misc.severity": "high", "rsa.time.starttime": "2019-05-28T06:48:31.000Z", + "rsa.web.alias_host": "ciduntut", + "rule.name": "busBonor", "service.type": "imperva", - "source.address": "utfugi6811.mail.host", + "source.address": "inv6528.www5.example", "source.ip": [ - "10.76.165.58" + "10.220.175.201" ], - "source.port": 1381, + "source.port": 4469, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "nisi" + "url.original": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", + "url.query": "suntincu", + "user.name": "dolo" }, { - "destination.ip": [ 
- "10.177.36.122" - ], - "destination.port": 5686, - "event.action": "accept", + "event.action": "ema", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=evelit,event#=oluptat,createTime=2019-06-11 11:51:06,updateTime=ditem,alertSev=low,group=pisciv,ruleName=\"equamnih\",evntDesc=\"rationev\",category=etco,disposition=usanti,eventType=itessec,proto=ipv6,srcPort=2772,srcIP=10.163.27.208,dstPort=5686,dstIP=10.177.36.122,policyName=\"reseo\",occurrences=4087,httpHost=iutaliq,webMethod=oriosamn,url=\"https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt\",webQuery=\"orporiss\",soapAction=iamq,resultCode=edolo,sessionID=oditempo,username=eFini,addUsername=ritin,responseTime=iosam,responseSize=olup,direction=eav,dbUsername=archi,queryGroup=nes,application=\"atvolupt\",srcHost=umwritt2172.www.localhost,osUsername=ept,schemaName=avolu,dbName=aaliq,hdrName=olupta,action=accept", + "event.original": "%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message=\"ten\"", "fileset.name": "securesphere", - "host.hostname": "umwritt2172.www.localhost", "input.type": "log", "log.level": "low", - "log.offset": 41693, - "network.application": "atvolupt", - "network.direction": "eav", - "network.protocol": "ipv6", + "log.offset": 40273, "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", - "related.ip": [ - "10.177.36.122", - "10.163.27.208" - ], "related.user": [ - "avolu", - "eFini", - "ept" + "mpo" ], - "rsa.counters.event_counter": 4087, - "rsa.db.database": "aaliq", - "rsa.internal.event_desc": "rationev", + "rsa.internal.event_desc": "ten", "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept", - "oriosamn" - ], - "rsa.misc.category": "etco", - "rsa.misc.disposition": "usanti", - "rsa.misc.event_type": "itessec", - "rsa.misc.group": "pisciv", - "rsa.misc.log_session_id": 
"oditempo", - "rsa.misc.operation_id": "evelit", - "rsa.misc.policy_name": "reseo", - "rsa.misc.result_code": "edolo", - "rsa.misc.rule_name": "equamnih", + "rsa.misc.event_type": "ema", "rsa.misc.severity": "low", "rsa.time.starttime": "2019-06-11T13:51:06.000Z", - "rsa.web.alias_host": "iutaliq", - "rule.name": "equamnih", "service.type": "imperva", - "source.address": "umwritt2172.www.localhost", - "source.ip": [ - "10.163.27.208" - ], - "source.port": 2772, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www5.example.com/tcu/mmodo.jpg?stlabo=atema#sunt", - "url.query": "orporiss", - "user.name": "eFini" + "user.name": "mpo" }, { "destination.ip": [ - "10.35.215.152" + "10.150.27.144" ], - "destination.port": 7489, - "event.action": "block", + "destination.port": 5627, + "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.35.215.152,dstPort=7489,dbUsername=ium,srcIP=10.143.175.148,srcPort=796,creatTime=25 June 2019 18:53:40,srvGroup=tame,service=olo,appName=vel,event#=equamn,eventType=Login,usrGroup=tempora,usrAuth=True,application=\"enimip\",osUsername=itaspern,srcHost=lupta602.mail.localdomain,dbName=uisno,schemaName=etdo,bindVar=edictas,sqlError=failure,respSize=6141,respTime=167.299000,affRows=urerepr,action=\"block\",rawQuery=\"Maloru\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application=\"etdo\",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action=\"cancel\",rawQuery=\"osquira\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": 
"lupta602.mail.localdomain", + "group.name": "avolup", + "host.hostname": "nisiutal4437.www.example", "input.type": "log", - "log.offset": 42435, - "network.application": "enimip", + "log.offset": 40407, + "network.application": "etdo", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.35.215.152", - "10.143.175.148" + "10.248.16.82", + "10.150.27.144" ], "related.user": [ - "etdo", - "ium", - "itaspern" + "tuserror", + "ditautf", + "res" ], - "rsa.counters.dclass_c1": 6141, + "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uisno", - "rsa.db.index": "Maloru", + "rsa.db.database": "uipex", + "rsa.db.index": "osquira", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logon", "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "cancel" ], "rsa.misc.event_type": "Login", - "rsa.misc.group": "tempora", - "rsa.misc.group_object": "tame", + "rsa.misc.group": "avolup", + "rsa.misc.group_object": "loinv", "rsa.misc.result": "failure", - "rsa.time.duration_time": 167.299, + "rsa.time.duration_time": 25.972, "rsa.time.starttime": "2019-06-25T20:53:40.000Z", "service.type": "imperva", - "source.address": "lupta602.mail.localdomain", + "source.address": "nisiutal4437.www.example", "source.ip": [ - "10.143.175.148" + "10.248.16.82" ], - "source.port": 796, + "source.port": 6834, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "ium" + "user.name": "res" }, { "destination.ip": [ - "10.254.252.105" + "10.146.131.76" ], - "destination.port": 146, + "destination.port": 2281, "event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": 
"%IMPERVA-Imperva,dstIP=10.254.252.105,dstPort=146,dbUsername=asp,srcIP=10.25.246.131,srcPort=212,creatTime=2019-07-10 01:56:14,srvGroup=unde,service=raut,appName=suscip,event#=ectetu,eventType=Logout,usrGroup=rem,usrAuth=False,application=\"ariat\",osUsername=ptatemU,srcHost=eriam2051.api.host,dbName=upid,schemaName=ataev,bindVar=nsecte,sqlError=unknown,respSize=2949,respTime=96.394000,affRows=tutla,action=\"allow\",rawQuery=\"hitect\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application=\"ididun\",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action=\"allow\",rawQuery=\"seos\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "eriam2051.api.host", + "group.name": "untmoll", + "host.hostname": "tqui5172.www.local", "input.type": "log", - "log.offset": 42883, - "network.application": "ariat", + "log.offset": 40851, + "network.application": "ididun", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.254.252.105", - "10.25.246.131" + "10.173.19.140", + "10.146.131.76" ], "related.user": [ - "asp", - "ataev", - "ptatemU" + "orsi", + "Except", + "olo" ], - "rsa.counters.dclass_c1": 2949, + "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "upid", - "rsa.db.index": "hitect", + "rsa.db.database": "untex", + "rsa.db.index": "seos", "rsa.internal.messageid": "Imperva", "rsa.investigations.ec_activity": "Logoff", "rsa.investigations.ec_outcome": "Failure", 
@@ -5043,335 +4936,335 @@ "allow" ], "rsa.misc.event_type": "Logout", - "rsa.misc.group": "rem", - "rsa.misc.group_object": "unde", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 96.394, + "rsa.misc.group": "untmoll", + "rsa.misc.group_object": "atu", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 52.55, "rsa.time.starttime": "2019-07-10T03:56:14.000Z", "service.type": "imperva", - "source.address": "eriam2051.api.host", + "source.address": "tqui5172.www.local", "source.ip": [ - "10.25.246.131" + "10.173.19.140" ], - "source.port": 212, + "source.port": 7780, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "asp" + "user.name": "orsi" }, { "destination.ip": [ - "10.248.16.82" + "10.69.5.227" ], - "destination.port": 6834, - "event.action": "accept", + "destination.port": 5845, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.248.16.82,dstPort=6834,dbUsername=loinv,srcIP=10.44.179.66,srcPort=357,creatTime=24 July 2019 08:58:48,srvGroup=xercit,service=avolup,appName=etdo,event#=tuserror,eventType=Login,usrGroup=nisiutal,usrAuth=False,application=\"pisciv\",osUsername=proiden,srcHost=cita2058.test,dbName=nul,schemaName=xercita,bindVar=tametco,sqlError=success,respSize=2353,respTime=43.922000,affRows=ididunt,action=\"accept\",rawQuery=\"eum\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application=\"tvol\",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action=\"deny\",rawQuery=\"edquian\"", "fileset.name": "securesphere", - "host.hostname": "cita2058.test", + 
"group.name": "emeu", + "host.hostname": "intocca6708.mail.corp", "input.type": "log", - "log.offset": 43317, - "network.application": "pisciv", + "log.offset": 41284, + "network.application": "tvol", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.16.82", - "10.44.179.66" + "10.171.175.165", + "10.69.5.227" ], "related.user": [ - "xercita", - "loinv", - "proiden" + "doloreme", + "ntocc", + "rumw" ], - "rsa.counters.dclass_c1": 2353, + "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "nul", - "rsa.db.index": "eum", + "rsa.db.database": "dquiaco", + "rsa.db.index": "edquian", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" + "deny" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "nisiutal", - "rsa.misc.group_object": "xercit", - "rsa.misc.result": "success", - "rsa.time.duration_time": 43.922, + "rsa.misc.event_type": "onemull", + "rsa.misc.group": "emeu", + "rsa.misc.group_object": "taspe", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 46.69, "rsa.time.starttime": "2019-07-24T10:58:48.000Z", "service.type": "imperva", - "source.address": "cita2058.test", + "source.address": "intocca6708.mail.corp", "source.ip": [ - "10.44.179.66" + "10.171.175.165" ], - "source.port": 357, + "source.port": 5776, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "loinv" + "user.name": "doloreme" }, { "destination.ip": [ - "10.88.53.149" + "10.213.214.118" ], - "destination.port": 4048, - "event.action": "allow", + "destination.port": 7851, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": 
"%IMPERVA-Imperva,alert#=tlabo,event#=iameaque,createTime=2019-08-07 16:01:23,updateTime=sautemve,alertSev=high,group=emoe,ruleName=\"ameiusmo\",evntDesc=\"ntiumtot\",category=aeab,disposition=idolo,eventType=temac,proto=ipv6,srcPort=622,srcIP=10.55.166.205,dstPort=4048,dstIP=10.88.53.149,policyName=\"iut\",occurrences=6219,httpHost=tess,webMethod=ionulamc,url=\"https://www.example.net/umSecti/emaccu.html?atu=ddo#veli\",webQuery=\"ata\",soapAction=untmoll,resultCode=ididun,sessionID=olo,username=tqui,addUsername=oru,responseTime=ehender,responseSize=abo,direction=onsec,dbUsername=econse,queryGroup=iac,application=\"cingel\",srcHost=siarchit2807.invalid,osUsername=strumex,schemaName=reseosqu,dbName=atus,hdrName=fugiatq,action=\"allow\",errormsg=\"success\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application=\"enatuser\",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action=\"deny\",rawQuery=\"ipsamvol\"", + "event.outcome": "failure", "fileset.name": "securesphere", - "host.hostname": "siarchit2807.invalid", + "group.name": "emull", + "host.hostname": "isetqu2843.www.invalid", "input.type": "log", - "log.level": "high", - "log.offset": 43759, - "network.application": "cingel", - "network.direction": "onsec", - "network.protocol": "ipv6", + "log.offset": 41730, + "network.application": "enatuser", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.55.166.205", - "10.88.53.149" + "10.213.214.118", + "10.253.175.129" ], "related.user": [ - "reseosqu", - "strumex", - "tqui" + "nrep", + "ate", + "epteurs" ], - "rsa.counters.event_counter": 6219, - "rsa.db.database": "atus", - 
"rsa.internal.event_desc": "ntiumtot", + "rsa.counters.dclass_c1": 6260, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "niamqu", + "rsa.db.index": "ipsamvol", "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "allow", - "ionulamc" - ], - "rsa.misc.category": "aeab", - "rsa.misc.disposition": "idolo", - "rsa.misc.event_type": "temac", - "rsa.misc.group": "emoe", - "rsa.misc.log_session_id": "olo", - "rsa.misc.operation_id": "tlabo", - "rsa.misc.policy_name": "iut", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ididun", - "rsa.misc.rule_name": "ameiusmo", - "rsa.misc.severity": "high", + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "emull", + "rsa.misc.group_object": "rsi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 9.295, "rsa.time.starttime": "2019-08-07T18:01:23.000Z", - "rsa.web.alias_host": "tess", - "rule.name": "ameiusmo", "service.type": "imperva", - "source.address": "siarchit2807.invalid", + "source.address": "isetqu2843.www.invalid", "source.ip": [ - "10.55.166.205" + "10.253.175.129" ], - "source.port": 622, + "source.port": 5547, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://www.example.net/umSecti/emaccu.html?atu=ddo#veli", - "url.query": "ata", - "user.name": "tqui" + "user.name": "ate" }, { "destination.ip": [ - "10.199.117.125" + "10.89.26.170" ], - "destination.port": 1799, - "event.action": "cancel", + "destination.port": 3548, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=dquiaco,event#=rumw,createTime=2019-08-21 
23:03:57,updateTime=ula,alertSev=high,group=uidolore,ruleName=\"quam\",evntDesc=\"rsitvo\",category=esciuntN,disposition=ritatis,eventType=ionevo,proto=rdp,srcPort=7851,srcIP=10.116.180.96,dstPort=1799,dstIP=10.199.117.125,policyName=\"dolor\",occurrences=6700,httpHost=equinesc,webMethod=ectet,url=\"https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu\",webQuery=\"nrep\",soapAction=lauda,resultCode=ionevo,sessionID=busB,username=pidatatn,addUsername=ipsamvol,responseTime=tconse,responseSize=ima,direction=nimaveni,dbUsername=cepteurs,queryGroup=siutaliq,application=\"aliqu\",srcHost=serro1855.internal.invalid,osUsername=iof,schemaName=ciun,dbName=ssitaspe,hdrName=deomnis,action=cancel", + "event.original": "%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName=\"uisnos\",evntDesc=\"loi\",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName=\"aqueipsa\",occurrences=5863,httpHost=ide,webMethod=atcupi,url=\"https://www.example.com/sit/ugi.gif?sitametc=rur#edut\",webQuery=\"sitametc\",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application=\"uptateve\",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block", "fileset.name": "securesphere", - "host.hostname": "serro1855.internal.invalid", + "group.name": "bor", + "host.hostname": "commodo6041.mail.localhost", "input.type": "log", "log.level": "high", - "log.offset": 44508, - "network.application": "aliqu", - "network.direction": "nimaveni", + "log.offset": 42181, + "network.application": "uptateve", + "network.direction": "internal", "network.protocol": "rdp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - 
"10.116.180.96", - "10.199.117.125" + "10.89.26.170", + "10.149.91.130" ], "related.user": [ - "iof", - "ciun", - "pidatatn" + "atus", + "orumetMa", + "aboris" ], - "rsa.counters.event_counter": 6700, - "rsa.db.database": "ssitaspe", - "rsa.internal.event_desc": "rsitvo", + "rsa.counters.event_counter": 5863, + "rsa.db.database": "inventor", + "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ectet" - ], - "rsa.misc.category": "esciuntN", - "rsa.misc.disposition": "ritatis", - "rsa.misc.event_type": "ionevo", - "rsa.misc.group": "uidolore", - "rsa.misc.log_session_id": "busB", - "rsa.misc.operation_id": "dquiaco", - "rsa.misc.policy_name": "dolor", - "rsa.misc.result_code": "ionevo", - "rsa.misc.rule_name": "quam", + "block", + "atcupi" + ], + "rsa.misc.category": "tation", + "rsa.misc.disposition": "seddoe", + "rsa.misc.event_type": "adol", + "rsa.misc.group": "bor", + "rsa.misc.log_session_id": "iono", + "rsa.misc.operation_id": "estquido", + "rsa.misc.policy_name": "aqueipsa", + "rsa.misc.result_code": "uide", + "rsa.misc.rule_name": "uisnos", "rsa.misc.severity": "high", "rsa.time.starttime": "2019-08-22T01:03:57.000Z", - "rsa.web.alias_host": "equinesc", - "rule.name": "quam", + "rsa.web.alias_host": "ide", + "rule.name": "uisnos", "service.type": "imperva", - "source.address": "serro1855.internal.invalid", + "source.address": "commodo6041.mail.localhost", "source.ip": [ - "10.116.180.96" + "10.149.91.130" ], - "source.port": 7851, + "source.port": 7756, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://mail.example.com/enatuser/epteurs.txt?orsit=rcit#niamqu", - "url.query": "nrep", - "user.name": "pidatatn" + "url.original": "https://www.example.com/sit/ugi.gif?sitametc=rur#edut", + "url.query": "sitametc", + "user.name": "aboris" }, { "destination.ip": [ - "10.64.76.110" + "10.81.108.232" ], - "destination.port": 2200, - "event.action": "cancel", + "destination.port": 856, + 
"event.action": "allow", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.64.76.110,dstPort=2200,dbUsername=ptate,srcIP=10.250.226.105,srcPort=4867,creatTime=5 September 2019 06:06:31,srvGroup=atur,service=aquaeabi,appName=olupt,event#=dolor,eventType=Login,usrGroup=fficiade,usrAuth=False,application=\"rsi\",osUsername=imidest,srcHost=ulamc2151.www5.corp,dbName=dip,schemaName=ommod,bindVar=sisten,sqlError=failure,respSize=6041,respTime=43.322000,affRows=nihi,action=\"cancel\",rawQuery=\"orumetMa\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName=\"alorumwr\",evntDesc=\"pis\",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName=\"atemq\",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url=\"https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem\",webQuery=\"plicab\",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application=\"olorinr\",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action=\"allow\",errormsg=\"failure\"", "fileset.name": "securesphere", - "host.hostname": "ulamc2151.www5.corp", + "group.name": "teturad", + "host.hostname": "gitse6744.api.local", "input.type": "log", - "log.offset": 45266, - "network.application": "rsi", + "log.level": "high", + "log.offset": 42925, + "network.application": "olorinr", + "network.direction": "inbound", + "network.protocol": "rdp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.250.226.105", - "10.64.76.110" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ - 
"ommod", - "imidest", - "ptate" + "neavolup", + "uaturve", + "aco" ], - "rsa.counters.dclass_c1": 6041, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "dip", - "rsa.db.index": "orumetMa", + "rsa.counters.event_counter": 5098, + "rsa.db.database": "lapa", + "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "cancel" + "Quisaut", + "allow" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "fficiade", - "rsa.misc.group_object": "atur", + "rsa.misc.category": "idol", + "rsa.misc.disposition": "mmodico", + "rsa.misc.event_type": "emaccu", + "rsa.misc.group": "teturad", + "rsa.misc.log_session_id": "naaliq", + "rsa.misc.operation_id": "tmolli", + "rsa.misc.policy_name": "atemq", "rsa.misc.result": "failure", - "rsa.time.duration_time": 43.322, + "rsa.misc.result_code": "eiusmodt", + "rsa.misc.rule_name": "alorumwr", + "rsa.misc.severity": "high", "rsa.time.starttime": "2019-09-05T08:06:31.000Z", + "rsa.web.alias_host": "volupta", + "rule.name": "alorumwr", "service.type": "imperva", - "source.address": "ulamc2151.www5.corp", + "source.address": "gitse6744.api.local", "source.ip": [ - "10.250.226.105" + "10.52.106.68" ], - "source.port": 4867, + "source.port": 5818, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "ptate" + "url.original": "https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem", + "url.query": "plicab", + "user.name": "aco" }, { "destination.ip": [ - "10.164.52.43" + "10.223.10.28" ], - "destination.port": 2077, - "event.action": "block", + "destination.port": 1991, + "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=teturad,event#=nesciu,createTime=2019-09-19 
13:09:05,updateTime=ueip,alertSev=low,group=orumSe,ruleName=\"mSe\",evntDesc=\"itame\",category=quaturv,disposition=lumdolor,eventType=persp,proto=ggp,srcPort=7684,srcIP=10.29.141.252,dstPort=2077,dstIP=10.164.52.43,policyName=\"orum\",occurrences=249,httpHost=itvolup,webMethod=atemq,url=\"https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq\",webQuery=\"aturve\",soapAction=tquasiar,resultCode=eetd,sessionID=orem,username=seq,addUsername=cus,responseTime=tnulap,responseSize=amquisno,direction=epreh,dbUsername=uepo,queryGroup=llumqui,application=\"sedqu\",srcHost=ipitlabo5092.local,osUsername=Nemoe,schemaName=reverit,dbName=neavolup,hdrName=uaturve,action=\"block\",errormsg=\"failure\"", + "event.original": "%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName=\"eabill\",evntDesc=\"itatiset\",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName=\"emveleu\",occurrences=4029,httpHost=norumet,webMethod=tconse,url=\"https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo\",webQuery=\"lestia\",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application=\"untmoll\",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action=\"deny\",errormsg=\"success\"", "fileset.name": "securesphere", - "host.hostname": "ipitlabo5092.local", + "group.name": "quia", + "host.hostname": "par3605.internal.localdomain", "input.type": "log", - "log.level": "low", - "log.offset": 45715, - "network.application": "sedqu", - "network.direction": "epreh", - "network.protocol": "ggp", + "log.level": "high", + "log.offset": 43696, + "network.application": "untmoll", + "network.direction": "unknown", + "network.protocol": "icmp", "observer.product": 
"Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.29.141.252", - "10.164.52.43" + "10.230.48.97", + "10.223.10.28" ], "related.user": [ - "reverit", - "Nemoe", - "seq" + "untex", + "erit", + "usmodte" ], - "rsa.counters.event_counter": 249, - "rsa.db.database": "neavolup", - "rsa.internal.event_desc": "itame", + "rsa.counters.event_counter": 4029, + "rsa.db.database": "ommodi", + "rsa.internal.event_desc": "itatiset", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atemq", - "block" - ], - "rsa.misc.category": "quaturv", - "rsa.misc.disposition": "lumdolor", - "rsa.misc.event_type": "persp", - "rsa.misc.group": "orumSe", - "rsa.misc.log_session_id": "orem", - "rsa.misc.operation_id": "teturad", - "rsa.misc.policy_name": "orum", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "eetd", - "rsa.misc.rule_name": "mSe", - "rsa.misc.severity": "low", + "deny", + "tconse" + ], + "rsa.misc.category": "uaerat", + "rsa.misc.disposition": "met", + "rsa.misc.event_type": "isno", + "rsa.misc.group": "quia", + "rsa.misc.log_session_id": "enderi", + "rsa.misc.operation_id": "umquamei", + "rsa.misc.policy_name": "emveleu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eavo", + "rsa.misc.rule_name": "eabill", + "rsa.misc.severity": "high", "rsa.time.starttime": "2019-09-19T15:09:05.000Z", - "rsa.web.alias_host": "itvolup", - "rule.name": "mSe", + "rsa.web.alias_host": "norumet", + "rule.name": "eabill", "service.type": "imperva", - "source.address": "ipitlabo5092.local", + "source.address": "par3605.internal.localdomain", "source.ip": [ - "10.29.141.252" + "10.230.48.97" ], - "source.port": 7684, + "source.port": 2572, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://api.example.net/adminimv/equatD.html?obeatae=sedqui#ntNeq", - "url.query": "aturve", - "user.name": "seq" + "url.original": "https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo", + "url.query": "lestia", + 
"user.name": "erit" }, { "destination.ip": [ @@ -5383,11 +5276,12 @@ "event.dataset": "imperva.securesphere", "event.module": "imperva", "event.original": "%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application=\"ameiusm\",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action=\"deny\",rawQuery=\"natus\"", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "securesphere", + "group.name": "abi", "host.hostname": "isau4356.www.home", "input.type": "log", - "log.offset": 46474, + "log.offset": 44466, "network.application": "ameiusm", "observer.product": "Secure", "observer.type": "WAF", @@ -5397,9 +5291,9 @@ "10.161.212.150" ], "related.user": [ - "tasnul", "sequamn", - "res" + "res", + "tasnul" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5433,268 +5327,302 @@ }, { "destination.ip": [ - "10.66.163.3" + "10.247.108.144" ], - "destination.port": 1085, - "event.action": "accept", + "destination.port": 3896, + "event.action": "block", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.66.163.3,dstPort=1085,dbUsername=aeconseq,srcIP=10.9.126.156,srcPort=628,creatTime=2019-10-18 03:14:14,srvGroup=mqu,service=inima,appName=emipsum,event#=venia,eventType=Logout,usrGroup=Loremi,usrAuth=True,application=\"uisnostr\",osUsername=accusa,srcHost=utod6468.mail.test,dbName=dipi,schemaName=asnulapa,bindVar=atev,sqlError=success,respSize=7469,respTime=147.141000,affRows=ipiscin,action=\"accept\",rawQuery=\"tionu\"", - "event.outcome": "Success", + "event.original": "%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName=\"nevo\",evntDesc=\"stiaec\",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName=\"iutaliqu\",occurrences=3711,httpHost=onsectet,webMethod=iat,url=\"https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip\",webQuery=\"iquaUte\",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application=\"urEx\",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action=\"block\",errormsg=\"success\"", "fileset.name": "securesphere", - "host.hostname": "utod6468.mail.test", + "group.name": "sciuntNe", + "host.hostname": "labo3477.www5.domain", "input.type": "log", - "log.offset": 46922, - "network.application": "uisnostr", + "log.level": "medium", + "log.offset": 44914, + "network.application": "urEx", + "network.direction": "internal", + "network.protocol": "ipv6", "observer.product": 
"Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.66.163.3", - "10.9.126.156" + "10.247.108.144", + "10.226.75.20" ], "related.user": [ - "aeconseq", - "accusa", - "asnulapa" + "maccusan", + "fugia", + "tema" ], - "rsa.counters.dclass_c1": 7469, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "dipi", - "rsa.db.index": "tionu", + "rsa.counters.event_counter": 3711, + "rsa.db.database": "psa", + "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "Loremi", - "rsa.misc.group_object": "mqu", + "block", + "iat" + ], + "rsa.misc.category": "officia", + "rsa.misc.disposition": "ametcon", + "rsa.misc.event_type": "gnid", + "rsa.misc.group": "sciuntNe", + "rsa.misc.log_session_id": "dent", + "rsa.misc.operation_id": "emp", + "rsa.misc.policy_name": "iutaliqu", "rsa.misc.result": "success", - "rsa.time.duration_time": 147.141, + "rsa.misc.result_code": "writt", + "rsa.misc.rule_name": "nevo", + "rsa.misc.severity": "medium", "rsa.time.starttime": "2019-10-18T05:14:14.000Z", + "rsa.web.alias_host": "onsectet", + "rule.name": "nevo", "service.type": "imperva", - "source.address": "utod6468.mail.test", + "source.address": "labo3477.www5.domain", "source.ip": [ - "10.9.126.156" + "10.226.75.20" ], - "source.port": 628, + "source.port": 5677, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "aeconseq" + "url.original": "https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip", + "url.query": "iquaUte", + "user.name": "tema" }, { - "event.action": "odtem", + "destination.ip": [ + "10.192.15.65" + ], + "destination.port": 3328, + "event.action": "block", "event.code": "Imperva", "event.dataset": 
"imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=uidexea,createTime=2019-11-01 10:16:48,eventType=odtem,eventSev=high,username=mipsa,subsystem=teturad,message=\"nimide\"", + "event.original": "%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application=\"uptatemU\",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action=\"block\",rawQuery=\"tmollit\"", "fileset.name": "securesphere", + "group.name": "ntoreve", + "host.hostname": "itseddo2209.mail.domain", "input.type": "log", - "log.level": "high", - "log.offset": 47366, + "log.offset": 45679, + "network.application": "uptatemU", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.ip": [ + "10.97.22.61", + "10.192.15.65" + ], "related.user": [ - "mipsa" + "illumd", + "rExcep", + "nimides" ], - "rsa.internal.event_desc": "nimide", + "rsa.counters.dclass_c1": 4173, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "olu", + "rsa.db.index": "tmollit", "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "odtem", - "rsa.misc.severity": "high", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "aparia", + "rsa.misc.group": "ntoreve", + "rsa.misc.group_object": "labor", + "rsa.misc.result": "success", + "rsa.time.duration_time": 166.27, "rsa.time.starttime": "2019-11-01T12:16:48.000Z", "service.type": "imperva", + "source.address": "itseddo2209.mail.domain", + "source.ip": [ + "10.97.22.61" + ], + "source.port": 6420, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "mipsa" + "user.name": "nimides" }, { "destination.ip": [ - "10.217.176.124" + "10.116.76.161" ], - "destination.port": 
7276, + "destination.port": 2009, "event.action": "cancel", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=writ,event#=ema,createTime=2019-11-15 17:19:22,updateTime=ioffici,alertSev=medium,group=uunt,ruleName=\"pic\",evntDesc=\"unt\",category=emUt,disposition=eiru,eventType=sauteir,proto=tcp,srcPort=3341,srcIP=10.220.106.170,dstPort=7276,dstIP=10.217.176.124,policyName=\"elillum\",occurrences=1318,httpHost=reetdo,webMethod=pidatatn,url=\"https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre\",webQuery=\"upta\",soapAction=mvolupt,resultCode=mseq,sessionID=consequ,username=min,addUsername=riame,responseTime=gnaal,responseSize=nti,direction=tetura,dbUsername=utlab,queryGroup=colabo,application=\"ditem\",srcHost=did2502.mail.example,osUsername=itsedq,schemaName=uisaute,dbName=iaturEx,hdrName=apa,action=cancel", + "event.original": "%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName=\"ommodi\",evntDesc=\"ritat\",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName=\"tla\",occurrences=2608,httpHost=ender,webMethod=quid,url=\"https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema\",webQuery=\"ioffici\",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application=\"emquia\",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel", "fileset.name": "securesphere", - "host.hostname": "did2502.mail.example", + "group.name": "vol", + "host.hostname": "duntutl3396.api.host", "input.type": "log", "log.level": "medium", - "log.offset": 47509, - "network.application": "ditem", - "network.direction": "tetura", + "log.offset": 46132, + 
"network.application": "emquia", + "network.direction": "outbound", "network.protocol": "tcp", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.220.106.170", - "10.217.176.124" + "10.116.76.161", + "10.197.254.133" ], "related.user": [ - "min", - "uisaute", - "itsedq" + "ide", + "idu", + "trudex" ], - "rsa.counters.event_counter": 1318, - "rsa.db.database": "iaturEx", - "rsa.internal.event_desc": "unt", + "rsa.counters.event_counter": 2608, + "rsa.db.database": "ncul", + "rsa.internal.event_desc": "ritat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ "cancel", - "pidatatn" - ], - "rsa.misc.category": "emUt", - "rsa.misc.disposition": "eiru", - "rsa.misc.event_type": "sauteir", - "rsa.misc.group": "uunt", - "rsa.misc.log_session_id": "consequ", - "rsa.misc.operation_id": "writ", - "rsa.misc.policy_name": "elillum", - "rsa.misc.result_code": "mseq", - "rsa.misc.rule_name": "pic", + "quid" + ], + "rsa.misc.category": "dipi", + "rsa.misc.disposition": "asnulapa", + "rsa.misc.event_type": "atev", + "rsa.misc.group": "vol", + "rsa.misc.log_session_id": "metconse", + "rsa.misc.operation_id": "venia", + "rsa.misc.policy_name": "tla", + "rsa.misc.result_code": "tat", + "rsa.misc.rule_name": "ommodi", "rsa.misc.severity": "medium", "rsa.time.starttime": "2019-11-15T19:19:22.000Z", - "rsa.web.alias_host": "reetdo", - "rule.name": "pic", + "rsa.web.alias_host": "ender", + "rule.name": "ommodi", "service.type": "imperva", - "source.address": "did2502.mail.example", + "source.address": "duntutl3396.api.host", "source.ip": [ - "10.220.106.170" + "10.197.254.133" ], - "source.port": 3341, + "source.port": 7469, "tags": [ "imperva.securesphere", "forwarded" ], - "url.original": "https://internal.example.net/fdeFin/ursi.txt?lapariat=red#rinre", - "url.query": "upta", - "user.name": "min" + "url.original": "https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema", + "url.query": "ioffici", + "user.name": 
"ide" }, { "destination.ip": [ - "10.9.248.95" + "10.28.77.79" ], - "destination.port": 2294, + "destination.port": 3615, "event.action": "deny", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.9.248.95,dstPort=2294,dbUsername=iatquovo,srcIP=10.120.18.135,srcPort=6260,creatTime=2019-11-30 00:21:57,srvGroup=itametc,service=oremip,appName=isundeo,event#=eli,eventType=Logout,usrGroup=ore,usrAuth=False,application=\"ips\",osUsername=ratvolup,srcHost=iamqu4015.www5.lan,dbName=tsunti,schemaName=ero,bindVar=iusmodi,sqlError=unknown,respSize=6969,respTime=36.585000,affRows=oreetd,action=\"deny\",rawQuery=\"Loremips\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application=\"tetura\",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action=\"deny\",rawQuery=\"nemu\"", + "event.outcome": "success", "fileset.name": "securesphere", - "host.hostname": "iamqu4015.www5.lan", + "group.name": "nti", + "host.hostname": "colabo6686.internal.invalid", "input.type": "log", - "log.offset": 48241, - "network.application": "ips", + "log.offset": 46865, + "network.application": "tetura", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.120.18.135", - "10.9.248.95" + "10.28.77.79", + "10.144.14.15" ], "related.user": [ - "ratvolup", - "ero", - "iatquovo" + "rspic", + "utlab", + "upta" ], - "rsa.counters.dclass_c1": 6969, + "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tsunti", - "rsa.db.index": "Loremips", + "rsa.db.database": "uptass", + 
"rsa.db.index": "nemu", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ "deny" ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ore", - "rsa.misc.group_object": "itametc", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 36.585, + "rsa.misc.event_type": "Login", + "rsa.misc.group": "nti", + "rsa.misc.group_object": "consequ", + "rsa.misc.result": "success", + "rsa.time.duration_time": 22.348, "rsa.time.starttime": "2019-11-30T02:21:57.000Z", "service.type": "imperva", - "source.address": "iamqu4015.www5.lan", + "source.address": "colabo6686.internal.invalid", "source.ip": [ - "10.120.18.135" + "10.144.14.15" ], - "source.port": 6260, + "source.port": 1150, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "iatquovo" + "user.name": "upta" }, { "destination.ip": [ - "10.249.76.99" + "10.248.177.182" ], - "destination.port": 7480, - "event.action": "block", + "destination.port": 317, + "event.action": "accept", "event.code": "Imperva", "event.dataset": "imperva.securesphere", "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.249.76.99,dstPort=7480,dbUsername=xercita,srcIP=10.109.203.111,srcPort=6875,creatTime=14 December 2019 07:24:31,srvGroup=atemquia,service=rumwritt,appName=tio,event#=aconseq,eventType=Login,usrGroup=erit,usrAuth=False,application=\"quaeab\",osUsername=uis,srcHost=eirured1366.mail.domain,dbName=ntexp,schemaName=atio,bindVar=roquisqu,sqlError=success,respSize=3516,respTime=151.020000,affRows=molestia,action=\"block\",rawQuery=\"boreetdo\"", - "event.outcome": "Failure", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 
07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application=\"exerci\",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action=\"accept\",rawQuery=\"icer\"", "fileset.name": "securesphere", - "host.hostname": "eirured1366.mail.domain", + "group.name": "taedicta", + "host.hostname": "tsunti1164.www.example", "input.type": "log", - "log.offset": 48684, - "network.application": "quaeab", + "log.offset": 47307, + "network.application": "exerci", "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.109.203.111", - "10.249.76.99" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ - "xercita", - "atio", - "uis" + "caecat", + "quaturve", + "quei" ], - "rsa.counters.dclass_c1": 3516, + "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ntexp", - "rsa.db.index": "boreetdo", + "rsa.db.database": "equatur", + "rsa.db.index": "icer", "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", "rsa.misc.action": [ - "block" + "accept" ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "erit", - "rsa.misc.group_object": "atemquia", - "rsa.misc.result": "success", - "rsa.time.duration_time": 151.02, + "rsa.misc.event_type": "tiumt", + "rsa.misc.group": "taedicta", + "rsa.misc.group_object": "reetdol", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 113.318, + "rsa.time.starttime": "2019-12-14T09:24:31.000Z", "service.type": "imperva", - "source.address": "eirured1366.mail.domain", + "source.address": "tsunti1164.www.example", "source.ip": [ - "10.109.203.111" + "10.18.15.43" ], - "source.port": 6875, + 
"source.port": 2224, "tags": [ "imperva.securesphere", "forwarded" ], - "user.name": "xercita" + "user.name": "quei" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index 9b000ca445e..a77407da393 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-08 18:50:21.219909 +0000 UTC. +at 2020-07-08 22:20:59.743054 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js +++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js @@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, 
@@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, @@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); 
diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 8fb99c30cdb..c53ccc0296a 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -519,7 +519,7 @@ "event.dataset": "infoblox.nios", "event.module": "infoblox", "event.original": "Nov 10 03:01:24 iadese6958.www5.local 10.33.153.47 captured_dns_uploader: hil", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "nios", "input.type": "log", "log.offset": 1929, @@ -717,7 +717,7 @@ "event.dataset": "infoblox.nios", "event.module": "infoblox", "event.original": "Mar 04 11:21:59 iae1637.local 10.85.164.25 captured_dns_uploader: doloreme", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "nios", "input.type": "log", "log.offset": 2559, @@ -924,7 +924,7 @@ "event.dataset": "infoblox.nios", "event.module": "infoblox", "event.original": "Jun 26 19:42:33 Utenima1612.www5.domain ptatem: captured_dns_uploader Nequepor", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "nios", "input.type": "log", "log.offset": 3383, @@ -1269,7 +1269,7 @@ "event.dataset": "infoblox.nios", "event.module": "infoblox", "event.original": "January 12 22:18:32 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "nios", "input.type": "log", "log.offset": 4495, diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index c62e1548019..108cdf625ee 100644 --- a/x-pack/filebeat/module/juniper/README.md +++ b/x-pack/filebeat/module/juniper/README.md 
@@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-08 18:50:21.887742 +0000 UTC. +at 2020-07-08 22:21:00.501147 +0000 UTC. diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js +++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js @@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index d2db7fa281d..003197a7aaf 100644 --- a/x-pack/filebeat/module/kaspersky/README.md +++ b/x-pack/filebeat/module/kaspersky/README.md @@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-08 18:50:22.800042 +0000 UTC. +at 2020-07-08 22:21:01.387501 +0000 UTC. diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js +++ b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 8acf61ac571..53b66349dc1 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md @@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-08 18:50:23.125227 +0000 UTC. +at 2020-07-08 22:21:01.708377 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json index e76acbf3c34..d3335431e1b 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json @@ -243,7 +243,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno ", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "amco5712.www5.localdomain", "input.type": "log", 
@@ -426,7 +426,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos ", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "uidolore6237.internal.local", "input.type": "log", @@ -550,7 +550,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido ", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "ercit3947.api.local", "input.type": "log", @@ -643,7 +643,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "atuse2703.localhost", "input.type": "log", @@ -825,7 +825,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "umdolo7781.api.home", "input.type": "log", @@ -858,7 +858,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem ", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "imadmini2625.www5.localhost", "input.type": "log", 
@@ -1398,7 +1398,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna ", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "quatD4191.local", "input.type": "log", @@ -1670,7 +1670,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta ", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "idex6952.www.localhost", "input.type": "log", @@ -1794,7 +1794,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "aper5651.test", "input.type": "log", @@ -2006,7 +2006,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite ", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "ovol3674.www5.host", "input.type": "log", @@ -2039,7 +2039,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita ", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "nisist2752.home", "input.type": "log", 
@@ -2275,7 +2275,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts ", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "ratv5227.www.invalid", "input.type": "log", @@ -2399,7 +2399,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo ", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "nBCSedut1502.www5.example", "input.type": "log", @@ -2522,7 +2522,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "doloreme60.www5.localhost", "input.type": "log", @@ -2707,7 +2707,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "amcor5091.internal.corp", "input.type": "log", @@ -2768,7 +2768,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", - "event.outcome": "Success", + "event.outcome": "success", "fileset.name": "dhcp", "host.hostname": "nofd988.api.example", "input.type": "log", 
@@ -2830,7 +2830,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "isetquas3096.home", "input.type": "log", @@ -2952,7 +2952,7 @@ "event.dataset": "microsoft.dhcp", "event.module": "microsoft", "event.original": "%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", - "event.outcome": "Failure", + "event.outcome": "failure", "fileset.name": "dhcp", "host.hostname": "oluptas6981.www5.localhost", "input.type": "log", diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index 7526e438ea1..4341d92aaa1 100644 --- a/x-pack/filebeat/module/netscout/README.md +++ b/x-pack/filebeat/module/netscout/README.md @@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-08 18:50:16.546958 +0000 UTC. +at 2020-07-08 22:20:55.507697 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js +++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, @@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, 
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log index 2ce1d7c3135..0f7e82a3c5e 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log 
@@ -3,98 +3,98 @@ February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq March 12 03:17:42 pfsp: Test syslog message March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16 -April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction ameaqu, host 10.132.102.119, signatures (idolor), impact eFinib, importance low, managed_objects (eius), (parent managed object luptat) -April 24 00:25:25 pfsp: The GRE tunnel down for destination 10.46.185.46, leader temvel since 2016-04-24 00:25:25 iatu -May 8 07:27:59 pfsp: The SNMP down for router minim, leader eFini since 2016-05-08 07:27:59 amco -May 22 14:30:33 pfsp: The SNMP restored for router mvolu, leader radip at 2016-05-22 14:30:33 tNequ -June 5 21:33:08 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap -June 20 04:35:42 pfsp: Alert Device uatDuis unreachable by controller ude since 2016-06-20 04:35:42 -July 4 11:38:16 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt -July 18 18:40:50 pfsp: Alert Autoclassification was restarted on 2016-07-18 18:40:50 atatnonp by uiano -August 2 01:43:25 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc -August 16 08:45:59 pfsp: Hardware failure on tatevel since 2016-08-16 08:45:59 GMT: abilloi -August 30 15:48:33 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc -September 13 22:51:07 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin 
interface aecatcup interface_name "lo4987" oluptate -September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 iam by qua -October 12 12:56:16 pfsp: Test syslog message -October 26 19:58:50 pfsp: Autoclassification was restarted on 2016-10-26 19:58:50 olupta by turveli -November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 ntutl by caecatc -November 24 10:03:59 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2016-11-24 10:03:59 lup -December 8 17:06:33 pfsp: Alert Hardware failure on aperi since 2016-12-08 17:06:33 GMT: lor -December 23 00:09:07 pfsp: The BGP Instability for router oin ended -January 6 07:11:41 pfsp: Hardware failure on ritatis done at 2017-01-06 07:11:41 oloremi GMT: pitla -January 20 14:14:16 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des -February 3 21:16:50 pfsp: Device tdolorem unreachable by controller ono since 2017-02-03 21:16:50 -February 18 04:19:24 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-02-18 04:19:24 lumquido -March 4 11:21:59 Lor: Test: Test syslog message -March 18 18:24:33 pfsp: Alert script modoco ran at 2017-03-18 18:24:33 , estquleader inibusBo -April 2 01:27:07 tion: Protection Mode: Changed protection mode to active for protection groupeataev,URL:https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii -April 16 08:29:41 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend -April 30 15:32:16 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae -May 14 22:34:50 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore -May 29 05:37:24 pfsp: The anomaly Bandwidth id 589fdad7 status iadese severity low classification ice impact estiae 
src 10.118.32.22/195 tlabori dst 10.182.199.231/1426 data start 2017-05-29 5:37:24 duration dolor 19.507000 percent iquipex rate commod rateUnit adol protocol udp flags bor url https://www.example.com/stquidol/itquiin.htm?namali=taevit#rinrepre, etconse -June 12 12:39:58 asun: Blocked Host: Blocked host10.244.114.61atoluptateby Blocked Countries usingtcpdestination10.198.19.111,URL:https://www5.example.net/lita/adeseru.txt?amc=atur#itanimi -June 26 19:42:33 pfsp: configuration was changed on leader luptasn to version 1.2126 by emseq -July 11 02:45:07 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv -July 25 09:47:41 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu -August 8 16:50:15 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-08-08 16:50:15 olor -August 22 23:52:50 pfsp: Alert Device xerc reachable again by controller iutali at 2017-08-22 23:52:50 fdeFi -September 6 06:55:24 pfsp: BGP down for router ati, leader tlabo since 2017-09-06 06:55:24 uames -September 20 13:57:58 pfsp: script offi ran at 2017-09-20 13:57:58 , giatnuleader ulapa -October 4 21:00:32 quioffi: Change Log: Username:uptate, Subsystem:ncidid, Setting Type:quaturve, Message:sequa -October 19 04:03:07 pfsp: Host Detection alert nimid, start 2017-10-19 04:03:07 itatione, duration 80.096000, stop 2017-10-19 04:03:07 umwr, , importance very-high, managed_objects (reme), is now success, (parent managed object osamn) -November 2 11:05:41 lorinre: Blocked Host: Blocked host10.161.136.76atidataby Blocked Countries usingudpdestination10.108.167.93,URL:https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss -November 16 18:08:15 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-11-16 18:08:15 dexea -December 1 01:10:49 pfsp: Test syslog message -December 15 08:13:24 pfsp: Alert 
Flow down for router tessec, leader olupta since 2017-12-15 08:13:24 litse -December 29 15:15:58 pfsp: Alert Host Detection alert sperna, start 2017-12-29 15:15:58 sintocc, duration 24.633000, stop 2017-12-29 15:15:58 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) -January 12 22:18:32 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc -January 27 05:21:06 pfsp: BGP Instability for router iatisu ended -February 10 12:23:41 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven -February 24 19:26:15 pfsp: Test syslog message -March 11 02:28:49 Sedutp: Test: Test syslog message -March 25 09:31:24 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe -April 8 16:33:58 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse -April 22 23:36:32 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro -May 7 06:39:06 pfsp: The Device illoin unreachable by controller tanimid since 2018-05-07 06:39:06 -May 21 13:41:41 pfsp: configuration was changed on leader natuse to version 1.4425 by ati -June 4 20:44:15 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto -June 19 03:46:49 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-06-19 03:46:49 dmin -July 3 10:49:23 pfsp: The Host Detection alert uscipitl, start 2018-07-3 10:49:23 uia, duration 29.657000, direction uamei, host 10.49.167.57, signatures (uisa), impact eFi, importance medium, managed_objects (cusant), (parent managed object rpori) -July 17 17:51:58 pfsp: The TMS 'sau' fault for resource 'aperia' on TMS ccaeca cleared -August 1 00:54:32 pfsp: Hardware failure on boris done at 2018-08-01 00:54:32 stenatu GMT: 
isiuta -August 15 07:57:06 siutaliq: Change Log: Username:dutp, Subsystem:psaquaea, Setting Type:taevita, Message:ameiusm -August 29 14:59:40 pfsp: The TMS 'enderi' fault for resource 'mquisno' on TMS odoconse cleared -September 12 22:02:15 asiarc: Blocked Host: Blocked host10.80.101.72atuptateby Blocked Countries usingrdpdestination10.83.130.226,URL:https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor -September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden -October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab -October 25 19:09:57 pfsp: The SNMP restored for router umdolor, leader uaUten at 2018-10-25 19:09:57 nby -November 9 02:12:32 ibusBon: Change Log: Username:ven, Subsystem:rQu, Setting Type:mco, Message:cipitl -November 23 09:15:06 pfsp: configuration was changed on leader evitaed to version 1.1721 by suntin -December 7 16:17:40 pfsp: Peakflow device oraincid unreachable by intocc since 2018-12-07 16:17:40 -December 21 23:20:14 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu -January 5 06:22:49 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem -January 19 13:25:23 pfsp: Alert Test syslog message -February 2 20:27:57 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss -February 17 03:30:32 pfsp: Alert script usmodi ran at 2019-02-17 03:30:32 , mvoluleader conse -March 3 10:33:06 pfsp: Alert TMS 'licabo' fault for resource 'enimadmi' on TMS utaliqu cleared -March 17 17:35:40 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt -April 1 00:38:14 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation -April 15 07:40:49 nimave: Protection Mode: Changed protection 
mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt -April 29 14:43:23 pfsp: The BGP Instability for router eirure ended -May 13 21:45:57 pfsp: Alert BGP instability router tesse threshold sequat (giatquov) observed tconsec (miurerep) -May 28 04:48:31 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo -June 11 11:51:06 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor -June 25 18:53:40 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) -July 10 01:56:14 pfsp: Alert Test syslog message -July 24 08:58:48 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex -August 7 16:01:23 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu -August 21 23:03:57 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done -September 5 06:06:31 pfsp: Host Detection alert col, start 2019-09-5 06:06:31 mve, duration 177.586000, stop 2019-09-5 06:06:31 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) -September 19 13:09:05 pfsp: script remipsum ran at 2019-09-19 13:09:05 , temporleader citatio -October 3 20:11:40 mveniamq: Blocked Host: Blocked host10.74.159.77ateaqueipsby Blocked Countries usingicmpdestination10.131.74.36,URL:https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea -October 18 03:14:14 pfsp: Alert TMS 'eaqueip' fault for resource 'eum' on TMS lamc cleared -November 1 10:16:48 pfsp: Alert Peakflow device itasper reachable again by uae at 2019-11-01 10:16:48 mve -November 15 17:19:22 pfsp: Flow restored for router caboNemo, leader dexerc at 2019-11-15 17:19:22 strumex -November 30 00:21:57 pfsp: Alert Hardware failure on dex since 2019-11-30 00:21:57 GMT: ccae -December 14 07:24:31 pfsp: The SNMP down for 
router aincidun, leader quatD since 2019-12-14 07:24:31 isqua +April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin) +April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi +May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59 +May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti +June 5 21:33:08 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci +June 20 04:35:42 pfsp: The SNMP restored for router mvolu, leader radip at 2016-06-20 04:35:42 tNequ +July 4 11:38:16 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap +July 18 18:40:50 pfsp: Alert Device uatDuis unreachable by controller ude since 2016-07-18 18:40:50 +August 2 01:43:25 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt +August 16 08:45:59 pfsp: Alert Autoclassification was restarted on 2016-08-16 08:45:59 atatnonp by uiano +August 30 15:48:33 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc +September 13 22:51:07 pfsp: Hardware failure on tatevel since 2016-09-13 22:51:07 GMT: abilloi +September 28 05:53:42 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc +October 12 12:56:16 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate +October 26 19:58:50 pfsp: Alert Autoclassification was restarted on 
2016-10-26 19:58:50 iam by qua +November 10 03:01:24 pfsp: Test syslog message +November 24 10:03:59 pfsp: Autoclassification was restarted on 2016-11-24 10:03:59 olupta by turveli +December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 ntutl by caecatc +December 23 00:09:07 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2016-12-23 00:09:07 lup +January 6 07:11:41 pfsp: Alert Hardware failure on aperi since 2017-01-06 07:11:41 GMT: lor +January 20 14:14:16 pfsp: The BGP Instability for router oin ended +February 3 21:16:50 pfsp: Hardware failure on ritatis done at 2017-02-03 21:16:50 oloremi GMT: pitla +February 18 04:19:24 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des +March 4 11:21:59 pfsp: Device tdolorem unreachable by controller ono since 2017-03-04 11:21:59 +March 18 18:24:33 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-03-18 18:24:33 lumquido +April 2 01:27:07 Lor: Test: Test syslog message +April 16 08:29:41 pfsp: Alert script modoco ran at 2017-04-16 08:29:41 , estquleader inibusBo +April 30 15:32:16 tion: Protection Mode: Changed protection mode to active for protection groupeataev,URL:https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii +May 14 22:34:50 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend +May 29 05:37:24 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae +June 12 12:39:58 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore +June 26 19:42:33 pfsp: Device mque reachable again by controller uovolup at 2017-06-26 19:42:33 samvolu +July 11 02:45:07 pfsp: The Host Detection alert eirure, start 2017-07-11 02:45:07 conseq, duration 38.117000, stop 2017-07-11 02:45:07 mpori, 
, importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) +July 25 09:47:41 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol +August 8 16:50:15 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih) +August 22 23:52:50 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup +September 6 06:55:24 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv +September 20 13:57:58 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu +October 4 21:00:32 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-04 21:00:32 olor +October 19 04:03:07 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-19 04:03:07 fdeFi +November 2 11:05:41 pfsp: BGP down for router ati, leader tlabo since 2017-11-02 11:05:41 uames +November 16 18:08:15 pfsp: script offi ran at 2017-11-16 18:08:15 , giatnuleader ulapa +December 1 01:10:49 quioffi: Change Log: Username:uptate, Subsystem:ncidid, Setting Type:quaturve, Message:sequa +December 15 08:13:24 pfsp: Host Detection alert nimid, start 2017-12-15 08:13:24 itatione, duration 80.096000, stop 2017-12-15 08:13:24 umwr, , importance very-high, managed_objects (reme), is now success, (parent managed object osamn) +December 29 15:15:58 lorinre: Blocked Host: Blocked host10.161.136.76atidataby Blocked Countries usingudpdestination10.108.167.93,URL:https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss +January 12 22:18:32 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2018-01-12 22:18:32 dexea +January 27 05:21:06 pfsp: Test syslog message +February 10 12:23:41 pfsp: Alert Flow down for router tessec, leader olupta since 2018-02-10 12:23:41 litse +February 24 
19:26:15 pfsp: Alert Host Detection alert sperna, start 2018-02-24 19:26:15 sintocc, duration 24.633000, stop 2018-02-24 19:26:15 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) +March 11 02:28:49 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc +March 25 09:31:24 pfsp: BGP Instability for router iatisu ended +April 8 16:33:58 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven +April 22 23:36:32 pfsp: Test syslog message +May 7 06:39:06 Sedutp: Test: Test syslog message +May 21 13:41:41 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe +June 4 20:44:15 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse +June 19 03:46:49 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro +July 3 10:49:23 pfsp: The Device illoin unreachable by controller tanimid since 2018-07-03 10:49:23 +July 17 17:51:58 pfsp: configuration was changed on leader natuse to version 1.4425 by ati +August 1 00:54:32 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto +August 15 07:57:06 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-15 07:57:06 dmin +August 29 14:59:40 pfsp: The Host Detection alert uscipitl, start 2018-08-29 14:59:40 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) +September 12 22:02:15 pfsp: Alert Test syslog message +September 27 05:04:49 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo +October 11 12:07:23 pfsp: The TMS 
'enderi' fault for resource 'mquisno' on TMS odoconse cleared +October 25 19:09:57 asiarc: Blocked Host: Blocked host10.80.101.72atuptateby Blocked Countries usingrdpdestination10.83.130.226,URL:https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor +November 9 02:12:32 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden +November 23 09:15:06 pfsp: Device isis reachable again by controller uasiar at 2018-11-23 09:15:06 utlab +December 7 16:17:40 pfsp: The SNMP restored for router umdolor, leader uaUten at 2018-12-07 16:17:40 nby +December 21 23:20:14 ibusBon: Change Log: Username:ven, Subsystem:rQu, Setting Type:mco, Message:cipitl +January 5 06:22:49 pfsp: configuration was changed on leader evitaed to version 1.1721 by suntin +January 19 13:25:23 pfsp: Peakflow device oraincid unreachable by intocc since 2019-01-19 13:25:23 +February 2 20:27:57 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu +February 17 03:30:32 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem +March 3 10:33:06 pfsp: Alert Test syslog message +March 17 17:35:40 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss +April 1 00:38:14 pfsp: Alert script usmodi ran at 2019-04-01 00:38:14 , mvoluleader conse +April 15 07:40:49 pfsp: Alert TMS 'licabo' fault for resource 'enimadmi' on TMS utaliqu cleared +April 29 14:43:23 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt +May 13 21:45:57 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation +May 28 04:48:31 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt +June 11 11:51:06 pfsp: The BGP Instability for router eirure ended 
+June 25 18:53:40 pfsp: Alert BGP instability router tesse threshold sequat (giatquov) observed tconsec (miurerep) +July 10 01:56:14 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo +July 24 08:58:48 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor +August 7 16:01:23 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) +August 21 23:03:57 pfsp: Alert Test syslog message +September 5 06:06:31 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex +September 19 13:09:05 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu +October 3 20:11:40 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done +October 18 03:14:14 pfsp: Host Detection alert col, start 2019-10-18 03:14:14 mve, duration 177.586000, stop 2019-10-18 03:14:14 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) +November 1 10:16:48 pfsp: script remipsum ran at 2019-11-01 10:16:48 , temporleader citatio +November 15 17:19:22 mveniamq: Blocked Host: Blocked host10.74.159.77ateaqueipsby Blocked Countries usingicmpdestination10.131.74.36,URL:https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea +November 30 00:21:57 pfsp: Alert TMS 'eaqueip' fault for resource 'eum' on TMS lamc cleared +December 14 07:24:31 pfsp: Alert Peakflow device itasper reachable again by uae at 2019-12-14 07:24:31 mve diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 98c6b5e1d7a..47b91c2dd80 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -127,27 +127,27 @@ "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction ameaqu, host 10.132.102.119, signatures (idolor), impact eFinib, importance low, managed_objects (eius), (parent managed object luptat)", + "event.original": "April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin)", "fileset.name": "sightline", "input.type": "log", - "log.level": "low", + "log.level": "medium", "log.offset": 459, - "network.direction": "ameaqu", + "network.direction": "external", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.132.102.119" + "10.51.132.10" ], "rsa.internal.messageid": "Host", - "rsa.misc.policy_name": "idolor", - "rsa.misc.severity": "low", + "rsa.misc.policy_name": "utper", + "rsa.misc.severity": "medium", "rsa.time.duration_time": 116.48, "rsa.time.event_time": "2020-04-09T19:22:51.000Z", "rsa.time.starttime": "2016-04-09T19:22:51.000Z", "service.type": "netscout", "source.ip": [ - "10.132.102.119" + "10.51.132.10" ], "tags": [ "netscout.sightline", 
@@ -156,48 +156,45 @@ }, { "@timestamp": "2020-04-24T02:25:25.000Z", - "destination.ip": [ - "10.46.185.46" - ], - "event.code": "GRE", + "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 24 00:25:25 pfsp: The GRE tunnel down for destination 10.46.185.46, leader temvel since 2016-04-24 00:25:25 iatu", + "event.original": "April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 717, + "log.offset": 715, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.46.185.46" + "related.user": [ + "incidi" ], - "rsa.internal.messageid": "GRE", - "rsa.misc.parent_node": "temvel", + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2020-04-24T02:25:25.000Z", "rsa.time.starttime": "2016-04-24T02:25:25.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "user.name": "incidi" }, { "@timestamp": "2020-05-08T09:27:59.000Z", - "event.code": "SNMP", + "event.code": "Peakflow", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 8 07:27:59 pfsp: The SNMP down for router minim, leader eFini since 2016-05-08 07:27:59 amco", + "event.original": "May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59", "fileset.name": "sightline", "input.type": "log", - "log.offset": 836, - "network.protocol": "SNMP", + "log.offset": 809, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "SNMP", - "rsa.misc.node": "minim", - "rsa.misc.parent_node": "eFini", + "rsa.internal.messageid": "Peakflow", + "rsa.misc.node": "oloremqu", + "rsa.misc.parent_node": "temvel", "rsa.time.event_time": 
"2020-05-08T09:27:59.000Z", "rsa.time.starttime": "2016-05-08T09:27:59.000Z", "service.type": "netscout", 
@@ -208,13 +205,67 @@ }, { "@timestamp": "2020-05-22T16:30:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 909, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "anti" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "rsa.time.starttime": "2016-05-22T16:30:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "anti" + }, + { + "@timestamp": "2020-06-05T23:33:08.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 5 21:33:08 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1002, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.5162", + "related.user": [ + "nci" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "uipexea", + "rsa.misc.version": "1.5162", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "nci" + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 22 14:30:33 pfsp: The SNMP restored for router mvolu, leader radip at 2016-05-22 14:30:33 tNequ", + "event.original": "June 20 04:35:42 pfsp: The SNMP restored for router mvolu, leader 
radip at 2016-06-20 04:35:42 tNequ", "fileset.name": "sightline", "input.type": "log", - "log.offset": 934, + "log.offset": 1093, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -222,8 +273,8 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "mvolu", "rsa.misc.parent_node": "radip", - "rsa.time.endtime": "2016-05-22T16:30:33.000Z", - "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "rsa.time.endtime": "2016-06-20T06:35:42.000Z", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -231,14 +282,15 @@ ] }, { - "@timestamp": "2020-06-05T23:33:08.000Z", + "@timestamp": "2020-07-04T13:38:16.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 5 21:33:08 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", + "event.original": "July 4 11:38:16 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", "fileset.name": "sightline", + "group.name": "dquiac", "input.type": "log", - "log.offset": 1035, + "log.offset": 1195, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -247,7 +299,7 @@ "rsa.misc.group": "dquiac", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -256,22 +308,22 @@ "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" }, { - "@timestamp": "2020-06-20T06:35:42.000Z", + "@timestamp": "2019-07-18T20:40:50.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 20 04:35:42 pfsp: Alert Device uatDuis unreachable by controller ude since 2016-06-20 04:35:42", + "event.original": "July 18 18:40:50 pfsp: Alert Device uatDuis unreachable by controller ude since 2016-07-18 18:40:50", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1201, + "log.offset": 1361, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "uatDuis", "rsa.misc.parent_node": "ude", - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", - "rsa.time.starttime": "2016-06-20T06:35:42.000Z", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", + "rsa.time.starttime": "2016-07-18T20:40:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -279,15 +331,15 @@ ] }, { - "@timestamp": "2020-07-04T13:38:16.000Z", + "@timestamp": "2019-08-02T03:43:25.000Z", "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 4 11:38:16 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", + "event.original": "August 2 01:43:25 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1301, + "log.offset": 1461, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -296,7 +348,7 @@ "rsa.internal.resource": "lupta", "rsa.misc.event_type": "Fault Occured", "rsa.misc.node": "iusmodt", - "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -304,14 +356,14 @@ ] }, { - "@timestamp": "2019-07-18T20:40:50.000Z", + "@timestamp": "2019-08-16T10:45:59.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 18 18:40:50 pfsp: Alert Autoclassification was restarted on 2016-07-18 18:40:50 atatnonp by uiano", + "event.original": "August 16 08:45:59 pfsp: Alert Autoclassification was restarted on 2016-08-16 08:45:59 atatnonp by uiano", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1381, + "log.offset": 1543, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -320,8 +372,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-07-18T20:40:50.000Z", - "rsa.time.starttime": "2016-07-18T20:40:50.000Z", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", + "rsa.time.starttime": "2016-08-16T10:45:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -330,29 +382,29 @@ "user.name": "uiano" }, { - "@timestamp": "2019-08-02T03:43:25.000Z", + "@timestamp": "2019-08-30T17:48:33.000Z", "destination.ip": [ "10.179.26.34" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 2 01:43:25 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", + "event.original": "August 30 15:48:33 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1484, + "log.offset": 1648, "network.protocol": "ipv6-icmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.38.77.13", - "10.179.26.34" + "10.179.26.34", + "10.38.77.13" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "rsa.time.event_time": "2019-08-30T17:48:33.000Z", "service.type": "netscout", "source.ip": [ "10.38.77.13" 
@@ -364,22 +416,22 @@ "url.original": "https://example.org/isiu/nimadmi.gif?ari=equun#suntinc" }, { - "@timestamp": "2019-08-16T10:45:59.000Z", + "@timestamp": "2019-09-14T00:51:07.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 16 08:45:59 pfsp: Hardware failure on tatevel since 2016-08-16 08:45:59 GMT: abilloi", + "event.original": "September 13 22:51:07 pfsp: Hardware failure on tatevel since 2016-09-13 22:51:07 GMT: abilloi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1672, + "log.offset": 1837, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "abilloi", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "tatevel", - "rsa.time.event_time": "2019-08-16T10:45:59.000Z", - "rsa.time.starttime": "2016-08-16T10:45:59.000Z", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "rsa.time.starttime": "2016-09-14T00:51:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -387,15 +439,15 @@ ] }, { - "@timestamp": "2019-08-30T17:48:33.000Z", + "@timestamp": "2019-09-28T07:53:42.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 30 15:48:33 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", + "event.original": "September 28 05:53:42 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 1764, + "log.offset": 1932, "network.interface.name": "lo5882", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -408,7 +460,7 @@ "rsa.misc.severity": "very-high", "rsa.misc.sig_id": 2933, "rsa.network.interface": "lo5882", - "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -416,15 +468,15 @@ ] }, { - "@timestamp": "2019-09-14T00:51:07.000Z", + "@timestamp": "2019-10-12T14:56:16.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 13 22:51:07 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", + "event.original": "October 12 12:56:16 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", "fileset.name": "sightline", "input.type": "log", "log.level": "high", - "log.offset": 1945, + "log.offset": 2116, "network.interface.name": "lo4987", "observer.product": "Arbor", "observer.type": "DDOS", @@ -437,7 +489,7 @@ "rsa.misc.severity": "high", "rsa.misc.sig_id": 2902, "rsa.network.interface": "lo4987", - "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -445,14 +497,14 @@ ] }, { - "@timestamp": "2019-09-28T07:53:42.000Z", + "@timestamp": "2019-10-26T21:58:50.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 iam by qua", + "event.original": "October 26 19:58:50 pfsp: Alert Autoclassification was restarted on 2016-10-26 19:58:50 iam by qua", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2144, + "log.offset": 2313, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -461,8 +513,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", - "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", + "rsa.time.starttime": "2016-10-26T21:58:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -471,19 +523,19 @@ "user.name": "qua" }, { - "@timestamp": "2019-10-12T14:56:16.000Z", + "@timestamp": "2019-11-10T05:01:24.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 12 12:56:16 pfsp: Test syslog message", + "event.original": "November 10 03:01:24 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2245, + "log.offset": 2412, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -491,14 +543,14 @@ ] }, { - "@timestamp": "2019-10-26T21:58:50.000Z", + "@timestamp": "2019-11-24T12:03:59.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 26 19:58:50 pfsp: Autoclassification was restarted on 2016-10-26 19:58:50 olupta by turveli", + "event.original": "November 24 10:03:59 pfsp: Autoclassification was restarted on 2016-11-24 10:03:59 olupta by turveli", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2291, + "log.offset": 2459, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -507,8 +559,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-10-26T21:58:50.000Z", - "rsa.time.starttime": "2016-10-26T21:58:50.000Z", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "rsa.time.starttime": "2016-11-24T12:03:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -517,14 +569,14 @@ "user.name": "turveli" }, { - "@timestamp": "2019-11-10T05:01:24.000Z", + "@timestamp": "2019-12-08T19:06:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 ntutl by caecatc", + "event.original": "December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 ntutl by caecatc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2391, + "log.offset": 2560, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -533,8 +585,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", - "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -543,17 +595,17 @@ "user.name": "caecatc" }, { - "@timestamp": "2019-11-24T12:03:59.000Z", + "@timestamp": "2019-12-23T02:09:07.000Z", "destination.ip": [ "10.224.68.213" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 24 10:03:59 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2016-11-24 10:03:59 lup", + "event.original": "December 23 00:09:07 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2016-12-23 00:09:07 lup", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2497, + "log.offset": 2665, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -562,8 +614,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "taed", - "rsa.time.endtime": "2016-11-24T12:03:59.000Z", - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "rsa.time.endtime": "2016-12-23T02:09:07.000Z", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -571,22 +623,22 @@ ] }, { - "@timestamp": "2019-12-08T19:06:33.000Z", + "@timestamp": "2020-01-06T09:11:41.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 8 17:06:33 pfsp: Alert Hardware failure on aperi since 2016-12-08 17:06:33 GMT: lor", + "event.original": "January 6 07:11:41 pfsp: Alert Hardware failure on aperi since 2017-01-06 07:11:41 GMT: lor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2620, + "log.offset": 2788, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "lor", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "aperi", - "rsa.time.event_time": "2019-12-08T19:06:33.000Z", - "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "rsa.time.starttime": "2017-01-06T09:11:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -594,21 +646,21 @@ ] }, { - "@timestamp": "2019-12-23T02:09:07.000Z", + "@timestamp": "2020-01-20T16:14:16.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 23 00:09:07 pfsp: The BGP Instability for router oin ended", + "event.original": "January 20 14:14:16 pfsp: The BGP Instability for router oin ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2713, + "log.offset": 2880, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "oin", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -616,22 +668,22 @@ ] }, { - "@timestamp": "2020-01-06T09:11:41.000Z", + "@timestamp": "2020-02-03T23:16:50.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 6 07:11:41 pfsp: Hardware failure on ritatis done at 2017-01-06 07:11:41 oloremi GMT: pitla", + "event.original": "February 3 21:16:50 pfsp: Hardware failure on ritatis done at 2017-02-03 21:16:50 oloremi GMT: pitla", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2782, + "log.offset": 2948, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "pitla", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "ritatis", - "rsa.time.endtime": "2017-01-06T09:11:41.000Z", - "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "rsa.time.endtime": "2017-02-03T23:16:50.000Z", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -639,14 +691,14 @@ ] }, { - "@timestamp": "2020-01-20T16:14:16.000Z", + "@timestamp": "2020-02-18T06:19:24.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 20 14:14:16 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", + "event.original": "February 18 04:19:24 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2882, + "log.offset": 3049, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -656,7 +708,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -665,22 +717,22 @@ "user.name": "mqui" }, { - "@timestamp": "2020-02-03T23:16:50.000Z", + "@timestamp": "2020-03-04T13:21:59.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 3 21:16:50 pfsp: Device tdolorem unreachable by controller ono since 2017-02-03 21:16:50", + "event.original": "March 4 11:21:59 pfsp: Device tdolorem unreachable by controller ono since 2017-03-04 11:21:59", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2991, + "log.offset": 3159, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "tdolorem", "rsa.misc.parent_node": "ono", - "rsa.time.event_time": "2020-02-03T23:16:50.000Z", - "rsa.time.starttime": "2017-02-03T23:16:50.000Z", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "rsa.time.starttime": "2017-03-04T13:21:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -688,17 +740,17 @@ ] }, { - "@timestamp": "2020-02-18T06:19:24.000Z", + "@timestamp": "2020-03-18T20:24:33.000Z", "destination.ip": [ "10.60.185.151" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 18 04:19:24 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-02-18 04:19:24 lumquido", + "event.original": "March 18 18:24:33 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-03-18 18:24:33 lumquido", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3089, + "log.offset": 3254, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -707,8 +759,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "uidolo", - "rsa.time.event_time": "2020-02-18T06:19:24.000Z", - "rsa.time.starttime": "2017-02-18T06:19:24.000Z", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + "rsa.time.starttime": "2017-03-18T20:24:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -716,19 +768,19 @@ ] }, { - "@timestamp": "2020-03-04T13:21:59.000Z", + "@timestamp": "2020-04-02T03:27:07.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 4 11:21:59 Lor: Test: Test syslog message", + "event.original": "April 2 01:27:07 Lor: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3216, + "log.offset": 3378, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -736,15 +788,15 @@ ] }, { - "@timestamp": "2020-03-18T20:24:33.000Z", + "@timestamp": "2020-04-16T10:29:41.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 18 18:24:33 pfsp: Alert script modoco ran at 2017-03-18 18:24:33 , estquleader inibusBo", + "event.original": "April 16 08:29:41 pfsp: Alert script modoco ran at 2017-04-16 08:29:41 , estquleader inibusBo", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3264, + "log.offset": 3426, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -753,8 +805,8 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "modoco", "rsa.misc.parent_node": "inibusBo", - "rsa.time.event_time": "2020-03-18T20:24:33.000Z", - "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "rsa.time.starttime": "2017-04-16T10:29:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -762,14 +814,15 @@ ] }, { - "@timestamp": "2020-04-02T03:27:07.000Z", + "@timestamp": "2020-04-30T17:32:16.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 2 01:27:07 tion: Protection Mode: Changed protection mode to active for protection groupeataev,URL:https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii", + "event.original": "April 30 15:32:16 tion: Protection Mode: Changed protection mode to active for protection groupeataev,URL:https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii", "fileset.name": "sightline", + "group.name": "eataev", "input.type": "log", - "log.offset": 3359, + "log.offset": 3521, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -778,7 +831,7 @@ "rsa.misc.group": "eataev", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -787,14 +840,15 @@ "url.original": "https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii" }, { - "@timestamp": "2020-04-16T10:29:41.000Z", + "@timestamp": "2020-05-15T00:34:50.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 16 08:29:41 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend", + "event.original": "May 14 22:34:50 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend", "fileset.name": "sightline", + "group.name": "msequi", "input.type": "log", - "log.offset": 3524, + "log.offset": 3687, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -803,7 +857,7 @@ "rsa.misc.group": "msequi", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -812,29 +866,29 @@ "url.original": "https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend" }, { - "@timestamp": "2020-04-30T17:32:16.000Z", + "@timestamp": "2020-05-29T07:37:24.000Z", "destination.ip": [ "10.28.127.218" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 30 15:32:16 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", + "event.original": "May 29 05:37:24 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3703, + "log.offset": 3864, "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.233.107.138", - "10.28.127.218" + "10.28.127.218", + "10.233.107.138" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "service.type": "netscout", "source.ip": [ "10.233.107.138" @@ -846,14 +900,14 @@ "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae" }, { - "@timestamp": "2020-05-15T00:34:50.000Z", + "@timestamp": "2020-06-12T14:39:58.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 14 22:34:50 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", + "event.original": "June 12 12:39:58 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3888, + "log.offset": 4047, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -861,7 +915,7 @@ "rsa.internal.event_desc": "mdolore", "rsa.internal.messageid": "BGP", "rsa.misc.node": "reetd", - "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -869,119 +923,135 @@ ] }, { - "@timestamp": "2020-05-29T07:37:24.000Z", - "destination.ip": [ - "10.118.32.22" - ], - "destination.port": 195, - "event.code": "anomaly", + "@timestamp": "2020-06-26T21:42:33.000Z", + "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 29 05:37:24 pfsp: The anomaly Bandwidth id 589fdad7 status iadese severity low classification ice impact estiae src 10.118.32.22/195 tlabori dst 10.182.199.231/1426 data start 2017-05-29 5:37:24 duration dolor 19.507000 percent iquipex rate commod rateUnit adol protocol udp flags bor url https://www.example.com/stquidol/itquiin.htm?namali=taevit#rinrepre, etconse", + "event.original": "June 26 19:42:33 pfsp: Device mque reachable again by controller uovolup at 2017-06-26 19:42:33 samvolu", "fileset.name": "sightline", "input.type": "log", - "log.level": "low", - "log.offset": 3960, - "network.protocol": "udp", + "log.offset": 4120, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.118.32.22", - "10.182.199.231" - ], - "rsa.db.index": "etconse", - "rsa.internal.messageid": "anomaly", - "rsa.misc.category": "ice", - "rsa.misc.disposition": "iadese", - "rsa.misc.event_id": "589fdad7", - "rsa.misc.policy_name": "Bandwidth", - "rsa.misc.severity": "low", - "rsa.time.duration_time": 19.507, - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", - "rsa.time.starttime": "2017-05-29T07:37:24.000Z", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "mque", + "rsa.misc.parent_node": "uovolup", + "rsa.time.endtime": "2017-06-26T21:42:33.000Z", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "service.type": "netscout", - "source.ip": [ - "10.182.199.231" - ], - "source.port": 1426, "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://www.example.com/stquidol/itquiin.htm?namali=taevit#rinrepre" + ] }, { - "@timestamp": "2020-06-12T14:39:58.000Z", - 
"destination.ip": [ - "10.198.19.111" - ], - "event.code": "Blocked_Host", + "@timestamp": "2019-07-11T04:45:07.000Z", + "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 12 12:39:58 asun: Blocked Host: Blocked host10.244.114.61atoluptateby Blocked Countries usingtcpdestination10.198.19.111,URL:https://www5.example.net/lita/adeseru.txt?amc=atur#itanimi", + "event.original": "July 11 02:45:07 pfsp: The Host Detection alert eirure, start 2017-07-11 02:45:07 conseq, duration 38.117000, stop 2017-07-11 02:45:07 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4331, - "network.protocol": "tcp", + "log.level": "very-high", + "log.offset": 4224, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.198.19.111", - "10.244.114.61" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 38.117, + "rsa.time.endtime": "2017-07-11T04:45:07.000Z", + "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "rsa.time.starttime": "2017-07-11T04:45:07.000Z", "service.type": "netscout", - "source.ip": [ - "10.244.114.61" - ], "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://www5.example.net/lita/adeseru.txt?amc=atur#itanimi" + ] }, { - "@timestamp": "2020-06-26T21:42:33.000Z", - "event.code": "configuration", + "@timestamp": "2019-07-25T11:47:41.000Z", + "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 26 19:42:33 pfsp: configuration was changed on leader luptasn to version 1.2126 by emseq", + "event.original": "July 25 
09:47:41 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4520, + "log.offset": 4460, + "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "observer.version": "1.2126", - "related.user": [ - "emseq" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "luptasn", - "rsa.misc.version": "1.2126", - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.internal.event_desc": "dol", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "doloremi", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-08T18:50:15.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 8 16:50:15 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4529, + "network.protocol": "ipv6", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "tincu", + "rsa.misc.trigger_val": "sci", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-23T01:52:50.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 22 23:52:50 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", + "fileset.name": "sightline", + "group.name": "eaq", + "input.type": "log", + "log.offset": 4637, + "observer.product": "Arbor", + 
"observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "eaq", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "emseq" + "url.original": "https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup" }, { - "@timestamp": "2019-07-11T04:45:07.000Z", + "@timestamp": "2019-09-06T08:55:24.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 11 02:45:07 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", + "event.original": "September 6 06:55:24 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4614, + "log.offset": 4804, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -991,7 +1061,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1000,29 +1070,29 @@ "user.name": "suntexp" }, { - "@timestamp": "2019-07-25T11:47:41.000Z", + "@timestamp": "2019-09-20T15:57:58.000Z", "destination.ip": [ "10.168.131.247" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 25 09:47:41 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", + "event.original": "September 20 13:57:58 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4721, + "log.offset": 4915, "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.136.232.108", - "10.168.131.247" + "10.168.131.247", + "10.136.232.108" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "service.type": "netscout", "source.ip": [ "10.136.232.108" 
@@ -1034,17 +1104,17 @@ "url.original": "https://example.net/temqu/edol.jpg?ipi=reseos#pariatu" }, { - "@timestamp": "2019-08-08T18:50:15.000Z", + "@timestamp": "2019-10-04T23:00:32.000Z", "destination.ip": [ "10.209.182.237" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 8 16:50:15 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-08-08 16:50:15 olor", + "event.original": "October 4 21:00:32 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-04 21:00:32 olor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4906, + "log.offset": 5105, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1053,8 +1123,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "tper", - "rsa.time.endtime": "2017-08-08T18:50:15.000Z", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "rsa.time.endtime": "2017-10-04T23:00:32.000Z", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1062,22 +1132,22 @@ ] }, { - "@timestamp": "2019-08-23T01:52:50.000Z", + "@timestamp": "2019-10-19T06:03:07.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 22 23:52:50 pfsp: Alert Device xerc reachable again by controller iutali at 2017-08-22 23:52:50 fdeFi", + "event.original": "October 19 04:03:07 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-19 04:03:07 fdeFi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5022, + "log.offset": 5222, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "xerc", "rsa.misc.parent_node": "iutali", - "rsa.time.endtime": "2017-08-23T01:52:50.000Z", - "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "rsa.time.endtime": "2017-10-19T06:03:07.000Z", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1085,14 +1155,14 @@ ] }, { - "@timestamp": "2019-09-06T08:55:24.000Z", + "@timestamp": "2019-11-02T13:05:41.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 6 06:55:24 pfsp: BGP down for router ati, leader tlabo since 2017-09-06 06:55:24 uames", + "event.original": "November 2 11:05:41 pfsp: BGP down for router ati, leader tlabo since 2017-11-02 11:05:41 uames", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5131, + "log.offset": 5332, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -1100,8 +1170,8 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "ati", "rsa.misc.parent_node": "tlabo", - "rsa.time.event_time": "2019-09-06T08:55:24.000Z", - "rsa.time.starttime": "2017-09-06T08:55:24.000Z", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1109,15 +1179,15 @@ ] }, { - "@timestamp": "2019-09-20T15:57:58.000Z", + "@timestamp": "2019-11-16T20:08:15.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 20 13:57:58 pfsp: script offi ran at 2017-09-20 13:57:58 , giatnuleader ulapa", + "event.original": "November 16 18:08:15 pfsp: script offi ran at 2017-11-16 18:08:15 , giatnuleader ulapa", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5229, + "log.offset": 5429, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1126,8 +1196,8 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "offi", "rsa.misc.parent_node": "ulapa", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", - "rsa.time.starttime": "2017-09-20T15:57:58.000Z", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "rsa.time.starttime": "2017-11-16T20:08:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1135,14 +1205,14 @@ ] }, { - "@timestamp": "2019-10-04T23:00:32.000Z", + "@timestamp": "2019-12-01T03:10:49.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 4 21:00:32 quioffi: Change Log: Username:uptate, Subsystem:ncidid, Setting Type:quaturve, Message:sequa", + "event.original": "December 1 01:10:49 quioffi: Change Log: Username:uptate, Subsystem:ncidid, Setting Type:quaturve, Message:sequa", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5318, + "log.offset": 5517, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1152,7 +1222,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1161,15 +1231,15 @@ "user.name": "uptate" }, { - "@timestamp": "2019-10-19T06:03:07.000Z", + "@timestamp": "2019-12-15T10:13:24.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 19 04:03:07 pfsp: Host Detection alert nimid, start 2017-10-19 04:03:07 itatione, duration 80.096000, stop 2017-10-19 04:03:07 umwr, , importance very-high, managed_objects (reme), is now success, (parent managed object osamn)", + "event.original": "December 15 08:13:24 pfsp: Host Detection alert nimid, start 2017-12-15 08:13:24 itatione, duration 80.096000, stop 2017-12-15 08:13:24 umwr, , importance very-high, managed_objects (reme), is now success, (parent managed object osamn)", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 5430, + "log.offset": 5630, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1177,9 +1247,9 @@ "rsa.misc.result": "success", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 80.096, - "rsa.time.endtime": "2017-10-19T06:03:07.000Z", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", - "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "rsa.time.endtime": "2017-12-15T10:13:24.000Z", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "rsa.time.starttime": "2017-12-15T10:13:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1187,29 +1257,29 @@ ] }, { - "@timestamp": "2019-11-02T13:05:41.000Z", + "@timestamp": "2019-12-29T17:15:58.000Z", "destination.ip": [ "10.108.167.93" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 2 11:05:41 lorinre: Blocked Host: Blocked host10.161.136.76atidataby Blocked Countries usingudpdestination10.108.167.93,URL:https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss", + "event.original": "December 29 15:15:58 lorinre: Blocked Host: Blocked host10.161.136.76atidataby Blocked Countries usingudpdestination10.108.167.93,URL:https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5665, + "log.offset": 5866, "network.protocol": "udp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.108.167.93", - "10.161.136.76" + "10.161.136.76", + "10.108.167.93" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", "service.type": "netscout", "source.ip": [ "10.161.136.76" 
@@ -1221,17 +1291,17 @@ "url.original": "https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss" }, { - "@timestamp": "2019-11-16T20:08:15.000Z", + "@timestamp": "2020-01-13T00:18:32.000Z", "destination.ip": [ "10.53.248.4" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 16 18:08:15 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-11-16 18:08:15 dexea", + "event.original": "January 12 22:18:32 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2018-01-12 22:18:32 dexea", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5866, + "log.offset": 6068, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1240,8 +1310,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "derit", - "rsa.time.endtime": "2017-11-16T20:08:15.000Z", - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "rsa.time.endtime": "2018-01-13T00:18:32.000Z", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1249,19 +1319,19 @@ ] }, { - "@timestamp": "2019-12-01T03:10:49.000Z", + "@timestamp": "2020-01-27T07:21:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 1 01:10:49 pfsp: Test syslog message", + "event.original": "January 27 05:21:06 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5984, + "log.offset": 6185, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1269,22 +1339,22 @@ ] }, { - "@timestamp": "2019-12-15T10:13:24.000Z", + "@timestamp": "2020-02-10T14:23:41.000Z", "event.code": "Flow", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 15 08:13:24 pfsp: Alert Flow down for router tessec, leader olupta since 2017-12-15 08:13:24 litse", + "event.original": "February 10 12:23:41 pfsp: Alert Flow down for router tessec, leader olupta since 2018-02-10 12:23:41 litse", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6030, + "log.offset": 6231, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Flow", "rsa.misc.node": "tessec", "rsa.misc.parent_node": "olupta", - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", - "rsa.time.starttime": "2017-12-15T10:13:24.000Z", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "rsa.time.starttime": "2018-02-10T14:23:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1292,15 +1362,15 @@ ] }, { - "@timestamp": "2019-12-29T17:15:58.000Z", + "@timestamp": "2020-02-24T21:26:15.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 29 15:15:58 pfsp: Alert Host Detection alert sperna, start 2017-12-29 15:15:58 sintocc, duration 24.633000, stop 2017-12-29 15:15:58 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", + "event.original": "February 24 19:26:15 pfsp: Alert Host Detection alert sperna, start 2018-02-24 19:26:15 sintocc, duration 24.633000, stop 2018-02-24 19:26:15 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 6138, + "log.offset": 6339, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1308,9 +1378,9 @@ "rsa.misc.result": "success", "rsa.misc.severity": "medium", "rsa.time.duration_time": 24.633, - "rsa.time.endtime": "2017-12-29T17:15:58.000Z", - "rsa.time.event_time": "2019-12-29T17:15:58.000Z", - "rsa.time.starttime": "2017-12-29T17:15:58.000Z", + "rsa.time.endtime": "2018-02-24T21:26:15.000Z", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "rsa.time.starttime": "2018-02-24T21:26:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1318,14 +1388,14 @@ ] }, { - "@timestamp": "2020-01-13T00:18:32.000Z", + "@timestamp": "2020-03-11T04:28:49.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 12 22:18:32 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", + "event.original": "March 11 02:28:49 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6384, + "log.offset": 6585, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1335,7 +1405,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1344,21 +1414,21 @@ "user.name": "uiac" }, { - "@timestamp": "2020-01-27T07:21:06.000Z", + "@timestamp": "2020-03-25T11:31:24.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 27 05:21:06 pfsp: BGP Instability for router iatisu ended", + "event.original": "March 25 09:31:24 pfsp: BGP Instability for router iatisu ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6488, + "log.offset": 6687, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "iatisu", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1366,14 +1436,14 @@ ] }, { - "@timestamp": "2020-02-10T14:23:41.000Z", + "@timestamp": "2020-04-08T18:33:58.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 10 12:23:41 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", + "event.original": "April 8 16:33:58 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6555, + "log.offset": 6752, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1383,7 +1453,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1392,19 +1462,19 @@ "user.name": "ersp" }, { - "@timestamp": "2020-02-24T21:26:15.000Z", + "@timestamp": "2020-04-23T01:36:32.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 24 19:26:15 pfsp: Test syslog message", + "event.original": "April 22 23:36:32 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6664, + "log.offset": 6857, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1412,19 +1482,19 @@ ] }, { - "@timestamp": "2020-03-11T04:28:49.000Z", + "@timestamp": "2020-05-07T08:39:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 11 02:28:49 Sedutp: Test: Test syslog message", + "event.original": "May 7 06:39:06 Sedutp: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6711, + "log.offset": 6901, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1432,14 +1502,14 @@ ] }, { - "@timestamp": "2020-03-25T11:31:24.000Z", + "@timestamp": "2020-05-21T15:41:41.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 25 09:31:24 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", + "event.original": "May 21 13:41:41 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6763, + "log.offset": 6950, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1449,7 +1519,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1458,14 +1528,15 @@ "user.name": "rsitv" }, { - "@timestamp": "2020-04-08T18:33:58.000Z", + "@timestamp": "2020-06-04T22:44:15.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 8 16:33:58 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", + "event.original": "June 4 20:44:15 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", "fileset.name": "sightline", + "group.name": "upida", "input.type": "log", - "log.offset": 6868, + "log.offset": 7053, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1474,7 +1545,7 @@ "rsa.misc.group": "upida", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1483,14 +1554,14 @@ "url.original": "https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse" }, { - "@timestamp": "2020-04-23T01:36:32.000Z", + "@timestamp": "2020-06-19T05:46:49.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 22 23:36:32 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", + "event.original": "June 19 03:46:49 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7032, + "log.offset": 7216, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1500,7 +1571,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1509,22 +1580,22 @@ "user.name": "udexerci" }, { - "@timestamp": "2020-05-07T08:39:06.000Z", + "@timestamp": "2020-07-03T12:49:23.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 7 06:39:06 pfsp: The Device illoin unreachable by controller tanimid since 2018-05-07 06:39:06", + "event.original": "July 3 10:49:23 pfsp: The Device illoin unreachable by controller tanimid since 2018-07-03 10:49:23", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7141, + "log.offset": 7324, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "illoin", "rsa.misc.parent_node": "tanimid", - "rsa.time.event_time": "2020-05-07T08:39:06.000Z", - "rsa.time.starttime": "2018-05-07T08:39:06.000Z", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "rsa.time.starttime": "2018-07-03T12:49:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1532,14 +1603,14 @@ ] }, { - "@timestamp": "2020-05-21T15:41:41.000Z", + "@timestamp": "2019-07-17T19:51:58.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 21 13:41:41 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", + "event.original": "July 17 17:51:58 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7240, + "log.offset": 7424, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1551,7 +1622,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "natuse", "rsa.misc.version": "1.4425", - "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1560,15 +1631,15 @@ "user.name": "ati" }, { - "@timestamp": "2020-06-04T22:44:15.000Z", + "@timestamp": "2019-08-01T02:54:32.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 4 20:44:15 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", + "event.original": "August 1 00:54:32 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", "fileset.name": "sightline", "input.type": "log", "log.level": "low", - "log.offset": 7330, + "log.offset": 7515, "network.interface.name": "enp0s4306", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1581,7 +1652,7 @@ "rsa.misc.severity": "low", "rsa.misc.sig_id": 2366, "rsa.network.interface": "enp0s4306", - "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1589,14 +1660,14 @@ ] }, { - "@timestamp": "2020-06-19T05:46:49.000Z", + "@timestamp": "2019-08-15T09:57:06.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 19 03:46:49 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-06-19 03:46:49 dmin", + "event.original": "August 15 07:57:06 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-15 07:57:06 dmin", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7523, + "log.offset": 7710, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -1604,8 +1675,8 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "entsunt", "rsa.misc.parent_node": "ihilm", - "rsa.time.endtime": "2018-06-19T05:46:49.000Z", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "rsa.time.endtime": "2018-08-15T09:57:06.000Z", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1613,31 +1684,31 @@ ] }, { - "@timestamp": "2020-07-03T12:49:23.000Z", + "@timestamp": "2019-08-29T16:59:40.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 3 10:49:23 pfsp: The Host Detection alert uscipitl, start 2018-07-3 10:49:23 uia, duration 29.657000, direction uamei, host 10.49.167.57, signatures (uisa), impact eFi, importance medium, managed_objects (cusant), (parent managed object rpori)", + "event.original": "August 29 14:59:40 pfsp: The Host Detection alert uscipitl, start 2018-08-29 14:59:40 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 7622, - "network.direction": "uamei", + "log.offset": 7811, + "network.direction": "internal", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.49.167.57" + "10.54.49.84" ], "rsa.internal.messageid": "Host", - "rsa.misc.policy_name": "uisa", + "rsa.misc.policy_name": "ciad", "rsa.misc.severity": "medium", "rsa.time.duration_time": 29.657, - "rsa.time.event_time": "2020-07-03T12:49:23.000Z", - "rsa.time.starttime": "2018-07-03T12:49:23.000Z", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", + "rsa.time.starttime": "2018-08-29T16:59:40.000Z", "service.type": "netscout", "source.ip": [ - "10.49.167.57" + "10.54.49.84" ], "tags": [ "netscout.sightline", 
@@ -1645,24 +1716,19 @@ ] }, { - "@timestamp": "2019-07-17T19:51:58.000Z", - "event.action": "Fault Cleared", - "event.code": "TMS", + "@timestamp": "2019-09-13T00:02:15.000Z", + "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 17 17:51:58 pfsp: The TMS 'sau' fault for resource 'aperia' on TMS ccaeca cleared", + "event.original": "September 12 22:02:15 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7871, + "log.offset": 8063, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "sau", - "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "aperia", - "rsa.misc.event_type": "Fault Cleared", - "rsa.misc.node": "ccaeca", - "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1670,22 +1736,28 @@ ] }, { - "@timestamp": "2019-08-01T02:54:32.000Z", - "event.code": "Hardware", + "@timestamp": "2019-09-27T07:04:49.000Z", + "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 1 00:54:32 pfsp: Hardware failure on boris done at 2018-08-01 00:54:32 stenatu GMT: isiuta", + "event.original": "September 27 05:04:49 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7958, + "log.level": "medium", + "log.offset": 8117, + "network.interface.name": "lo4293", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "isiuta", - "rsa.internal.messageid": "Hardware", - "rsa.misc.node": "boris", - "rsa.time.endtime": "2018-08-01T02:54:32.000Z", - "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "tutlab", + "rsa.misc.disposition": "commodo", + "rsa.misc.node": "atevelit", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5089, + "rsa.network.interface": "lo4293", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1693,41 +1765,15 @@ ] }, { - "@timestamp": "2019-08-15T09:57:06.000Z", - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 15 07:57:06 siutaliq: Change Log: Username:dutp, Subsystem:psaquaea, Setting Type:taevita, Message:ameiusm", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 8056, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "dutp" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ], - "user.name": "dutp" - }, - { - "@timestamp": "2019-08-29T16:59:40.000Z", + "@timestamp": "2019-10-11T14:07:23.000Z", "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 29 14:59:40 pfsp: The TMS 'enderi' fault for resource 'mquisno' on TMS odoconse cleared", + "event.original": "October 11 12:07:23 pfsp: The TMS 'enderi' fault for resource 'mquisno' on TMS odoconse cleared", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8170, + "log.offset": 8301, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1736,7 +1782,7 @@ "rsa.internal.resource": "mquisno", "rsa.misc.event_type": "Fault Cleared", "rsa.misc.node": "odoconse", - "rsa.time.event_time": "2019-08-29T16:59:40.000Z", + "rsa.time.event_time": "2019-10-11T14:07:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1744,17 +1790,17 @@ ] }, { - "@timestamp": "2019-09-13T00:02:15.000Z", + "@timestamp": "2019-10-25T21:09:57.000Z", "destination.ip": [ "10.83.130.226" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 12 22:02:15 asiarc: Blocked Host: Blocked host10.80.101.72atuptateby Blocked Countries usingrdpdestination10.83.130.226,URL:https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor", + "event.original": "October 25 19:09:57 asiarc: Blocked Host: Blocked host10.80.101.72atuptateby Blocked Countries usingrdpdestination10.83.130.226,URL:https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8265, + "log.offset": 8397, "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1766,7 +1812,7 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", "service.type": "netscout", "source.ip": [ "10.80.101.72" @@ -1778,15 +1824,15 @@ "url.original": "https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor" }, { - "@timestamp": "2019-09-27T07:04:49.000Z", + "@timestamp": "2019-11-09T04:12:32.000Z", "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", + "event.original": "November 9 02:12:32 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8461, + "log.offset": 8591, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1795,7 +1841,7 @@ "rsa.internal.resource": "dol", "rsa.misc.event_type": "Fault Occured", "rsa.misc.node": "proiden", - "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1803,22 +1849,22 @@ ] }, { - "@timestamp": "2019-10-11T14:07:23.000Z", + "@timestamp": "2019-11-23T11:15:06.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab", + "event.original": "November 23 09:15:06 pfsp: Device isis reachable again by controller uasiar at 2018-11-23 09:15:06 utlab", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8545, + "log.offset": 8673, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "isis", "rsa.misc.parent_node": "uasiar", - "rsa.time.endtime": "2018-10-11T14:07:23.000Z", - "rsa.time.event_time": "2019-10-11T14:07:23.000Z", + "rsa.time.endtime": "2018-11-23T11:15:06.000Z", + "rsa.time.event_time": "2019-11-23T11:15:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1826,14 +1872,14 @@ ] }, { - "@timestamp": "2019-10-25T21:09:57.000Z", + "@timestamp": "2019-12-07T18:17:40.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 25 19:09:57 pfsp: The SNMP restored for router umdolor, leader uaUten at 2018-10-25 19:09:57 nby", + "event.original": "December 7 16:17:40 pfsp: The SNMP restored for router umdolor, leader uaUten at 2018-12-07 16:17:40 nby", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8649, + "log.offset": 8778, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -1841,8 +1887,8 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "umdolor", "rsa.misc.parent_node": "uaUten", - "rsa.time.endtime": "2018-10-25T21:09:57.000Z", - "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "rsa.time.endtime": "2018-12-07T18:17:40.000Z", + "rsa.time.event_time": "2019-12-07T18:17:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1850,14 +1896,14 @@ ] }, { - "@timestamp": "2019-11-09T04:12:32.000Z", + "@timestamp": "2019-12-22T01:20:14.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 9 02:12:32 ibusBon: Change Log: Username:ven, Subsystem:rQu, Setting Type:mco, Message:cipitl", + "event.original": "December 21 23:20:14 ibusBon: Change Log: Username:ven, Subsystem:rQu, Setting Type:mco, Message:cipitl", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8755, + "log.offset": 8884, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1867,7 +1913,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1876,14 +1922,14 @@ "user.name": "ven" }, { - "@timestamp": "2019-11-23T11:15:06.000Z", + "@timestamp": "2020-01-05T08:22:49.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 23 09:15:06 pfsp: configuration was changed on leader evitaed to version 1.1721 by suntin", + "event.original": "January 5 06:22:49 pfsp: configuration was changed on leader evitaed to version 1.1721 by suntin", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8858, + "log.offset": 8988, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1895,7 +1941,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "evitaed", "rsa.misc.version": "1.1721", - "rsa.time.event_time": "2019-11-23T11:15:06.000Z", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1904,22 +1950,22 @@ "user.name": "suntin" }, { - "@timestamp": "2019-12-07T18:17:40.000Z", + "@timestamp": "2020-01-19T15:25:23.000Z", "event.code": "Peakflow", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 7 16:17:40 pfsp: Peakflow device oraincid unreachable by intocc since 2018-12-07 16:17:40", + "event.original": "January 19 13:25:23 pfsp: Peakflow device oraincid unreachable by intocc since 2019-01-19 13:25:23", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8957, + "log.offset": 9085, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Peakflow", "rsa.misc.node": "oraincid", "rsa.misc.parent_node": "intocc", - "rsa.time.event_time": "2019-12-07T18:17:40.000Z", - "rsa.time.starttime": "2018-12-07T18:17:40.000Z", + "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "rsa.time.starttime": "2019-01-19T15:25:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1927,14 +1973,14 @@ ] }, { - "@timestamp": "2019-12-22T01:20:14.000Z", + "@timestamp": "2020-02-02T22:27:57.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 21 23:20:14 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu", + "event.original": "February 2 20:27:57 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9056, + "log.offset": 9184, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1946,7 +1992,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "litani", "rsa.misc.version": "1.6412", - "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1955,14 +2001,14 @@ "user.name": "psumqu" }, { - "@timestamp": "2020-01-05T08:22:49.000Z", + "@timestamp": "2020-02-17T05:30:32.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 5 06:22:49 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem", + "event.original": "February 17 03:30:32 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9160, + "log.offset": 9287, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1972,7 +2018,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1981,19 +2027,19 @@ "user.name": "onula" }, { - "@timestamp": "2020-01-19T15:25:23.000Z", + "@timestamp": "2020-03-03T12:33:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 19 13:25:23 pfsp: Alert Test syslog message", + "event.original": "March 3 10:33:06 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9266, + "log.offset": 9395, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2001,14 +2047,14 @@ ] }, { - "@timestamp": "2020-02-02T22:27:57.000Z", + "@timestamp": "2020-03-17T19:35:40.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 2 20:27:57 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss", + "event.original": "March 17 17:35:40 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9318, + "log.offset": 9444, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2018,7 +2064,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2027,15 +2073,15 @@ "user.name": "remips" }, { - "@timestamp": "2020-02-17T05:30:32.000Z", + "@timestamp": "2020-04-01T02:38:14.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 17 03:30:32 pfsp: Alert script usmodi ran at 2019-02-17 03:30:32 , mvoluleader conse", + "event.original": "April 1 00:38:14 pfsp: Alert script usmodi ran at 2019-04-01 00:38:14 , mvoluleader conse", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9429, + "log.offset": 9553, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2044,8 +2090,8 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "usmodi", "rsa.misc.parent_node": "conse", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", - "rsa.time.starttime": "2019-02-17T05:30:32.000Z", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "rsa.time.starttime": "2019-04-01T02:38:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2053,15 +2099,15 @@ ] }, { - "@timestamp": "2020-03-03T12:33:06.000Z", + "@timestamp": "2020-04-15T09:40:49.000Z", "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 3 10:33:06 pfsp: Alert TMS 'licabo' fault for resource 'enimadmi' on TMS utaliqu cleared", + "event.original": "April 15 07:40:49 pfsp: Alert TMS 'licabo' fault for resource 'enimadmi' on TMS utaliqu cleared", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9524, + "log.offset": 9644, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -2070,7 +2116,7 @@ "rsa.internal.resource": "enimadmi", "rsa.misc.event_type": "Fault Cleared", "rsa.misc.node": "utaliqu", - "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2078,14 +2124,15 @@ ] }, { - "@timestamp": "2020-03-17T19:35:40.000Z", + "@timestamp": "2020-04-29T16:43:23.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 17 17:35:40 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", + "event.original": "April 29 14:43:23 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", "fileset.name": "sightline", + "group.name": "amcor", "input.type": "log", - "log.offset": 9619, + "log.offset": 9740, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2094,7 +2141,7 @@ "rsa.misc.group": "amcor", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2103,14 +2150,15 @@ "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" }, { - "@timestamp": "2020-04-01T02:38:14.000Z", + "@timestamp": "2020-05-13T23:45:57.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 1 00:38:14 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", + "event.original": "May 13 21:45:57 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", "fileset.name": "sightline", + "group.name": "equepor", "input.type": "log", - "log.offset": 9788, + "log.offset": 9909, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2119,7 +2167,7 @@ "rsa.misc.group": "equepor", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2128,14 +2176,15 @@ "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" }, { - "@timestamp": "2020-04-15T09:40:49.000Z", + "@timestamp": "2020-05-28T06:48:31.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 15 07:40:49 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "event.original": "May 28 04:48:31 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", "fileset.name": "sightline", + "group.name": "isciv", "input.type": "log", - "log.offset": 9967, + "log.offset": 10087, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2144,7 +2193,7 @@ "rsa.misc.group": "isciv", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2153,21 +2202,21 @@ "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" }, { - "@timestamp": "2020-04-29T16:43:23.000Z", + "@timestamp": "2020-06-11T13:51:06.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 29 14:43:23 pfsp: The BGP Instability for router eirure ended", + "event.original": "June 11 11:51:06 pfsp: The BGP Instability for router eirure ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10132, + "log.offset": 10250, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "eirure", - "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2175,14 +2224,14 @@ ] }, { - "@timestamp": "2020-05-13T23:45:57.000Z", + "@timestamp": "2020-06-25T20:53:40.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 13 21:45:57 pfsp: Alert BGP instability router tesse threshold sequat (giatquov) observed tconsec (miurerep)", + "event.original": "June 25 18:53:40 pfsp: Alert BGP instability router tesse threshold sequat (giatquov) observed tconsec (miurerep)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10201, + "log.offset": 10318, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -2190,7 +2239,7 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "tesse", "rsa.misc.trigger_val": "tconsec", - "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2198,29 +2247,29 @@ ] }, { - "@timestamp": "2020-05-28T06:48:31.000Z", + "@timestamp": "2020-07-10T03:56:14.000Z", "destination.ip": [ "10.179.210.218" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 28 04:48:31 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "event.original": "July 10 01:56:14 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10315, + "log.offset": 10433, "network.protocol": "igmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.210.218", - "10.44.47.27" + "10.44.47.27", + "10.179.210.218" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "netscout", "source.ip": [ "10.44.47.27" @@ -2232,14 +2281,14 @@ "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" }, { - "@timestamp": "2020-06-11T13:51:06.000Z", + "@timestamp": "2019-07-24T10:58:48.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 11 11:51:06 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", + "event.original": "July 24 08:58:48 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10512, + "log.offset": 10631, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -2251,7 +2300,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "emvele", "rsa.misc.version": "1.2883", - "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2260,14 +2309,14 @@ "user.name": "lor" }, { - "@timestamp": "2020-06-25T20:53:40.000Z", + "@timestamp": "2019-08-07T18:01:23.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 25 18:53:40 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", + "event.original": "August 7 16:01:23 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10609, + "log.offset": 10728, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -2275,7 +2324,7 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "iquamqua", "rsa.misc.trigger_val": "ita", - "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2283,19 +2332,19 @@ ] }, { - "@timestamp": "2020-07-10T03:56:14.000Z", + "@timestamp": "2019-08-22T01:03:57.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 10 01:56:14 pfsp: Alert Test syslog message", + "event.original": "August 21 23:03:57 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10717, + "log.offset": 10837, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2303,14 +2352,14 @@ ] }, { - "@timestamp": "2019-07-24T10:58:48.000Z", + "@timestamp": "2019-09-05T08:06:31.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 24 08:58:48 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", + "event.original": "September 5 06:06:31 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10766, + "log.offset": 10888, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2320,7 +2369,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2329,14 +2378,14 @@ "user.name": "tMal" }, { - "@timestamp": "2019-08-07T18:01:23.000Z", + "@timestamp": "2019-09-19T15:09:05.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 7 16:01:23 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", + "event.original": "September 19 13:09:05 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10870, + "log.offset": 10996, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2348,7 +2397,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "maveni", "rsa.misc.version": "1.2552", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2357,21 +2406,21 @@ "user.name": "onu" }, { - "@timestamp": "2019-08-22T01:03:57.000Z", + "@timestamp": "2019-10-03T22:11:40.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 21 23:03:57 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", + "event.original": "October 3 20:11:40 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10968, + "log.offset": 11098, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "norumet", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2379,15 +2428,15 @@ ] }, { - "@timestamp": "2019-09-05T08:06:31.000Z", + "@timestamp": "2019-10-18T05:14:14.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 5 06:06:31 pfsp: Host Detection alert col, start 2019-09-5 06:06:31 mve, duration 177.586000, stop 2019-09-5 06:06:31 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", + "event.original": "October 18 03:14:14 pfsp: Host Detection alert col, start 2019-10-18 03:14:14 mve, duration 177.586000, stop 2019-10-18 03:14:14 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 11051, + "log.offset": 11181, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -2395,9 +2444,9 @@ "rsa.misc.result": "failure", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 177.586, - "rsa.time.endtime": "2019-09-05T08:06:31.000Z", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "rsa.time.starttime": "2019-09-05T08:06:31.000Z", + "rsa.time.endtime": "2019-10-18T05:14:14.000Z", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.starttime": "2019-10-18T05:14:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2405,15 +2454,15 @@ ] }, { - "@timestamp": "2019-09-19T15:09:05.000Z", + "@timestamp": "2019-11-01T12:16:48.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 19 13:09:05 pfsp: script remipsum ran at 2019-09-19 13:09:05 , temporleader citatio", + "event.original": "November 1 10:16:48 pfsp: script remipsum ran at 2019-11-01 10:16:48 , temporleader citatio", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11285, + "log.offset": 11416, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2422,8 +2471,8 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "remipsum", "rsa.misc.parent_node": "citatio", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", - "rsa.time.starttime": "2019-09-19T15:09:05.000Z", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.starttime": "2019-11-01T12:16:48.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2431,17 +2480,17 @@ ] }, { - "@timestamp": "2019-10-03T22:11:40.000Z", + "@timestamp": "2019-11-15T19:19:22.000Z", "destination.ip": [ "10.131.74.36" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 3 20:11:40 mveniamq: Blocked Host: Blocked host10.74.159.77ateaqueipsby Blocked Countries usingicmpdestination10.131.74.36,URL:https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea", + "event.original": "November 15 17:19:22 mveniamq: Blocked Host: Blocked host10.74.159.77ateaqueipsby Blocked Countries usingicmpdestination10.131.74.36,URL:https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11380, + "log.offset": 11509, "network.protocol": "icmp", "observer.product": "Arbor", "observer.type": "DDOS", @@ -2453,7 +2502,7 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "netscout", "source.ip": [ "10.74.159.77" @@ -2465,15 +2514,15 @@ "url.original": "https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea" }, { - "@timestamp": "2019-10-18T05:14:14.000Z", + "@timestamp": "2019-11-30T02:21:57.000Z", "event.action": "Fault Cleared", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 18 03:14:14 pfsp: Alert TMS 'eaqueip' fault for resource 'eum' on TMS lamc cleared", + "event.original": "November 30 00:21:57 pfsp: Alert TMS 'eaqueip' fault for resource 'eum' on TMS lamc cleared", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11574, + "log.offset": 11705, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -2482,7 +2531,7 @@ "rsa.internal.resource": "eum", "rsa.misc.event_type": "Fault Cleared", "rsa.misc.node": "lamc", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2490,92 +2539,22 @@ ] }, { - "@timestamp": "2019-11-01T12:16:48.000Z", + "@timestamp": "2019-12-14T09:24:31.000Z", "event.code": "Peakflow", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 1 10:16:48 pfsp: Alert Peakflow device itasper reachable again by uae at 2019-11-01 10:16:48 mve", + "event.original": "December 14 07:24:31 pfsp: Alert Peakflow device itasper reachable again by uae at 2019-12-14 07:24:31 mve", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11665, + "log.offset": 11797, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Peakflow", "rsa.misc.node": "itasper", "rsa.misc.parent_node": "uae", - "rsa.time.endtime": "2019-11-01T12:16:48.000Z", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-15T19:19:22.000Z", - "event.code": "Flow", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 15 17:19:22 pfsp: Flow restored for router caboNemo, leader dexerc at 2019-11-15 17:19:22 strumex", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11771, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Flow", - "rsa.misc.node": "caboNemo", - "rsa.misc.parent_node": "dexerc", - "rsa.time.endtime": "2019-11-15T19:19:22.000Z", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-30T02:21:57.000Z", - "event.code": "Hardware", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 30 00:21:57 pfsp: Alert Hardware failure on dex since 2019-11-30 00:21:57 GMT: ccae", - "fileset.name": "sightline", - "input.type": "log", - 
"log.offset": 11878, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "ccae", - "rsa.internal.messageid": "Hardware", - "rsa.misc.node": "dex", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", - "rsa.time.starttime": "2019-11-30T02:21:57.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ] - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "SNMP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 14 07:24:31 pfsp: The SNMP down for router aincidun, leader quatD since 2019-12-14 07:24:31 isqua", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11971, - "network.protocol": "SNMP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "SNMP", - "rsa.misc.node": "aincidun", - "rsa.misc.parent_node": "quatD", + "rsa.time.endtime": "2019-12-14T09:24:31.000Z", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "rsa.time.starttime": "2019-12-14T09:24:31.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index b9ab29bbbc7..bfcc27af89e 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md @@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-08 18:50:25.340623 +0000 UTC. +at 2020-07-08 22:21:03.910975 +0000 UTC. diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js +++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = {
 "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
 "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
 "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
 "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = {
 "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
 "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
 "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
 "msg": {to:[{field: "log.original", setter: fld_set}]},
@@ -1852,6 +1855,24 @@ function fld_prio(dst, value) {
 }
 }
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
 function map_all(evt, targets, value) {
 for (var i = 0; i < targets.length; i++) {
 evt.Put(targets[i], value);
diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md
index 2102f3bd78b..5f2db4c7bba 100644
--- a/x-pack/filebeat/module/rapid7/README.md
+++ b/x-pack/filebeat/module/rapid7/README.md
@@ -3,5 +3,5 @@
 This is a module for Rapid7 NeXpose logs.
 Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134
-at 2020-07-08 18:50:24.712484 +0000 UTC.
+at 2020-07-08 22:21:03.250005 +0000 UTC.
diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
index cbf9659f322..0348f89e2d8 100644
--- a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
+++ b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
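Review bot: In `fld_ecs_outcome` the allow-list test `valid_ecs_outcome[value] === undefined` is a bracket lookup on a plain object, so names inherited from `Object.prototype` are accepted: a log field carrying a value such as `constructor` is lowercased, found not-undefined, and written to `event.outcome` unchanged instead of being normalised to `unknown`. Comparing with the stored boolean closes that gap: `if (valid_ecs_outcome[value] !== true) {`. The preceding `value.toLowerCase()` also assumes `value` is a string; I can't tell from the hunk whether the converter layer guarantees that, and if a number or undefined can reach this setter it throws mid-event, so `value = String(value).toLowerCase();` would be the safer form. The identical function is added to the rapid7/nexpose copy of liblogparser.js further down, and the new `macaddr` mapping in the hunk above references `to_mac`, which no hunk of this patch defines, so presumably it already exists elsewhere in the file.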
@@ -954,7 +954,7 @@ var ecs_mappings = {
 "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
 "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
 "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
 "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json index 7f1e465753c..438fde63d8c 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json @@ -1111,7 +1111,7 @@ "event.dataset": "rapid7.nexpose", "event.module": "rapid7", "event.original": "%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex", - "event.outcome": "Success", + "event.outcome": "success", "file.name": "abo", "fileset.name": "nexpose", "input.type": "log", 
diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index 19b725fad19..878e815922d 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-08 18:50:25.938096 +0000 UTC. +at 2020-07-08 22:21:04.512834 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js @@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, 
@@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, @@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index f81bad14e7d..b10be9aa75c 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -37,8 +37,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.95.245.65", - "10.13.70.213" + "10.13.70.213", + "10.95.245.65" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -129,8 +129,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.202.66.28", - "10.64.155.245" + "10.64.155.245", + "10.202.66.28" ], "related.user": [ "niamqu" @@ -210,9 +210,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.90.131.186", "10.206.224.241", - "10.162.42.110" + "10.162.42.110", + "10.90.131.186" ], "rsa.internal.event_desc": "onse", "rsa.internal.messageid": "908", @@ -345,8 +345,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.72.29.73", - "10.3.117.13" + "10.3.117.13", + "10.72.29.73" ], "rsa.internal.messageid": "350", "rsa.internal.msg": "eddoei", @@ -423,8 +423,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.112.125.84", - "10.193.76.77" + "10.193.76.77", + "10.112.125.84" ], "rsa.internal.messageid": "72", "rsa.internal.msg": "civeli", @@ -459,8 +459,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.114.138.121", - "10.59.119.118" + "10.59.119.118", + "10.114.138.121" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "riat", @@ -492,8 +492,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.136.114.84", - "10.176.205.96" + "10.176.205.96", + "10.136.114.84" ], "rsa.internal.messageid": "346", "rsa.internal.msg": "eprehend", 
@@ -529,8 +529,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.170.120.4", - "10.193.192.62" + "10.193.192.62", + "10.170.120.4" ], "related.user": [ "quae" @@ -618,8 +618,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.52.186.29", - "10.6.77.80" + "10.6.77.80", + "10.52.186.29" ], "rsa.internal.event_desc": "ione", "rsa.internal.messageid": "995", @@ -671,8 +671,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.144.97.172", - "10.240.242.122" + "10.240.242.122", + "10.144.97.172" ], "rsa.internal.messageid": "346", "rsa.internal.msg": "aera", @@ -789,8 +789,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.25.39.99", - "10.112.75.76" + "10.112.75.76", + "10.25.39.99" ], "rsa.db.index": "mveleu", "rsa.internal.messageid": "882", @@ -847,8 +847,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.162.172.28" + "10.162.172.28", + "10.237.163.139" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "nre", @@ -952,8 +952,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.14.1.45", - "10.126.34.82" + "10.126.34.82", + "10.14.1.45" ], "rsa.internal.messageid": "196", "rsa.internal.msg": "vita", @@ -986,8 +986,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.74.44", - "10.251.20.13" + "10.251.20.13", + "10.101.74.44" ], "related.user": [ "rsitv" @@ -1139,8 +1139,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.64.50.66", - "10.149.0.64" + "10.149.0.64", + "10.64.50.66" ], "rsa.db.index": "atevelit", "rsa.internal.messageid": "83", 
@@ -1200,8 +1200,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1354,8 +1354,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.53.150.77", - "10.125.134.213" + "10.125.134.213", + "10.53.150.77" ], "rsa.internal.messageid": "msg", "rsa.internal.msg": "iaeco", @@ -1405,8 +1405,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.240.49.224", - "10.77.174.205" + "10.77.174.205", + "10.240.49.224" ], "rsa.internal.messageid": "240", "rsa.internal.msg": "issuscip", @@ -1437,8 +1437,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.187.210.173", - "10.44.150.31" + "10.44.150.31", + "10.187.210.173" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "quamnih", @@ -1476,9 +1476,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.84.24", "10.113.100.237", - "10.251.248.228" + "10.251.248.228", + "10.108.84.24" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1527,9 +1527,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.207.211.230", "10.103.117.31", - "10.229.229.42" + "10.229.229.42", + "10.207.211.230" ], "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "428", @@ -1570,8 +1570,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.32.39.220", - "10.248.165.185" + "10.248.165.185", + "10.32.39.220" ], "rsa.internal.event_desc": "aliq", "rsa.internal.messageid": "412", @@ -2343,8 +2343,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.81.33.64", - "10.22.244.71" + "10.22.244.71", + "10.81.33.64" ], "rsa.internal.messageid": "888", "rsa.misc.action": [ 
@@ -2502,8 +2502,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.129.101.147", - "10.206.229.61" + "10.206.229.61", + "10.129.101.147" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", @@ -2634,8 +2634,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.44.198.184", - "10.21.147.52" + "10.21.147.52", + "10.44.198.184" ], "rsa.db.index": "tur", "rsa.internal.messageid": "714", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index dcc59376342..426f9b0348a 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-08 18:50:26.460335 +0000 UTC. +at 2020-07-08 22:21:05.010409 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/squid/log/config/liblogparser.js +++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js @@ -954,7 +954,7 @@ var ecs_mappings = { "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, 
@@ -964,6 +964,8 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, @@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); 
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index dff11f4a528..972d080c42e 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -33,8 +33,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -95,8 +95,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -146,8 +146,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -208,8 +208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -380,8 +380,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -443,8 +443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -506,8 +506,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -682,8 +682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -738,8 +738,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -849,8 +849,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -861,8 +861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -962,8 +962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1025,8 +1025,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1083,8 +1083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1146,8 +1146,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.161", - "10.105.21.199" + "10.105.21.199", + "213.160.98.161" ], "related.user": [ "badeyek" 
@@ -1158,8 +1158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1209,8 +1209,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.160" + "213.160.98.160", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1221,8 +1221,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1317,8 +1317,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1328,8 +1328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1425,8 +1425,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1561,8 +1561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1608,8 +1608,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" 
@@ -1669,8 +1669,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1719,8 +1719,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1769,8 +1769,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1819,8 +1819,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1831,8 +1831,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1894,8 +1894,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1941,8 +1941,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1952,8 +1952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -1997,8 +1997,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2009,8 +2009,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2057,8 +2057,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2069,8 +2069,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2185,8 +2185,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2461,8 +2461,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2558,8 +2558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2618,8 +2618,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -2714,8 +2714,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2773,8 +2773,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2832,8 +2832,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2844,8 +2844,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2892,8 +2892,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3062,8 +3062,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3110,8 +3110,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" 
@@ -3170,8 +3170,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3230,8 +3230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3342,8 +3342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3392,8 +3392,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3440,8 +3440,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3500,8 +3500,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3512,8 +3512,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3562,8 +3562,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "304", 
@@ -3612,8 +3612,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3782,8 +3782,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3842,8 +3842,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3914,8 +3914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3964,8 +3964,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4065,8 +4065,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4077,8 +4077,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4125,8 +4125,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" 
@@ -4248,8 +4248,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.152" + "213.160.98.152", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4260,8 +4260,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4366,8 +4366,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.213.132", - "10.105.33.214" + "10.105.33.214", + "68.142.213.132" ], "related.user": [ "adeolaegbedokun" @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4424,8 +4424,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4436,8 +4436,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4605,8 +4605,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4668,8 +4668,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -4715,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -4789,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4840,8 +4840,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4852,8 +4852,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4902,8 +4902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4953,8 +4953,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5016,8 +5016,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5028,8 +5028,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -5091,8 +5091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5141,8 +5141,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5249,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5309,8 +5309,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -5357,8 +5357,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5408,8 +5408,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5470,8 +5470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5521,8 +5521,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" 
@@ -5583,8 +5583,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5633,8 +5633,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index 5f9cdff14bf..6678d4932b4 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json @@ -25,8 +25,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -81,8 +81,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -305,8 +305,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -529,8 +529,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
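Review bot: Every change in these hunks is a pure swap of the two elements inside `related.ip` or `rsa.misc.action` (e.g. `"TCP_MISS"`/`"GET"` at `@@ -25,8 +25,8 @@` in access2.log-expected.json, and the same pattern in the hunks before and after this one), which suggests the pipeline emits these multi-valued fields in nondeterministic order rather than that the expected output genuinely changed. Regenerating the fixtures will only make the comparison pass until a later run flips the order back, so the fixtures will keep churning and real regressions in these files will be harder to spot. The durable fix is to make the ordering stable before comparison, either by sorting these arrays where the pipeline builds them or by normalising array order in the test's comparison helper, and then leaving the fixtures as they were. Both fields are set-like (a list of addresses, a list of actions), so an order-insensitive comparison loses nothing for correctness.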
@@ -809,8 +809,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -921,8 +921,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1089,8 +1089,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1257,8 +1257,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1369,8 +1369,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1592,8 +1592,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1648,8 +1648,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1816,8 +1816,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -1928,8 +1928,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1984,8 +1984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2152,8 +2152,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2264,8 +2264,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2320,8 +2320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2376,8 +2376,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2544,8 +2544,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2600,8 +2600,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2656,8 +2656,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2936,8 +2936,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3104,8 +3104,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3272,8 +3272,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3608,8 +3608,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3664,8 +3664,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3720,8 +3720,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3776,8 +3776,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3888,8 +3888,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4000,8 +4000,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4391,8 +4391,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4558,8 +4558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4724,8 +4724,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "210.8.79.192", - "80.69.64.224" + "80.69.64.224", + "210.8.79.192" ], "related.user": [ "-" @@ -4736,8 +4736,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4792,8 +4792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -5071,8 +5071,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5127,8 +5127,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5183,8 +5183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5351,8 +5351,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "403", @@ -5466,8 +5466,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5521,8 +5521,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5577,8 +5577,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index dbfa98e6b13..84fb44f40df 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json 
+++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json @@ -119,8 +119,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -167,8 +167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -317,8 +317,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -417,8 +417,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -467,8 +467,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -516,8 +516,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -708,8 +708,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -804,8 +804,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", 
@@ -902,8 +902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -1052,8 +1052,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1102,8 +1102,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1200,8 +1200,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -1298,8 +1298,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1502,8 +1502,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -1562,8 +1562,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -1694,8 +1694,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "204", 
@@ -1799,8 +1799,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "related.user": [ "-" @@ -1857,8 +1857,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "related.user": [ "-" @@ -1868,8 +1868,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1915,8 +1915,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.6", - "192.168.0.35" + "192.168.0.35", + "74.125.228.6" ], "related.user": [ "-" @@ -1926,8 +1926,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2031,8 +2031,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2042,8 +2042,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2147,8 +2147,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -2158,8 +2158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2263,8 +2263,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2321,8 +2321,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2390,8 +2390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2437,8 +2437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2448,8 +2448,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2496,8 +2496,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.97", - "192.168.0.35" + "192.168.0.35", + "74.125.228.97" ], "related.user": [ "-" @@ -2624,8 +2624,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2729,8 +2729,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -2798,8 +2798,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2856,8 +2856,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2914,8 +2914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2972,8 +2972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3030,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3078,8 +3078,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.184", - "192.168.0.35" + "192.168.0.35", + "208.44.23.184" ], "related.user": [ "-" @@ -3090,8 +3090,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-apple-plist", "rsa.misc.result_code": "200", @@ -3198,8 +3198,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3270,8 +3270,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -3390,8 +3390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3438,8 +3438,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3450,8 +3450,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3498,8 +3498,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3570,8 +3570,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3618,8 +3618,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3678,8 +3678,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3738,8 +3738,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3870,8 +3870,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -4050,8 +4050,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4098,8 +4098,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4110,8 +4110,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4158,8 +4158,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4278,8 +4278,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4290,8 +4290,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4398,8 +4398,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4470,8 +4470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4578,8 +4578,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -4638,8 +4638,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4770,8 +4770,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4818,8 +4818,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -5010,8 +5010,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5128,8 +5128,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5175,8 +5175,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -5186,8 +5186,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5244,8 +5244,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5291,8 +5291,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.101" + "74.125.228.101", + "192.168.0.35" ], "related.user": [ "-" 
@@ -5349,8 +5349,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.102", - "192.168.0.35" + "192.168.0.35", + "74.125.228.102" ], "related.user": [ "-" @@ -5407,8 +5407,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "69.171.228.74" + "69.171.228.74", + "192.168.0.35" ], "related.user": [ "-" @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5535,8 +5535,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5582,8 +5582,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "69.171.228.74", - "192.168.0.35" + "192.168.0.35", + "69.171.228.74" ], "related.user": [ "-" @@ -5593,8 +5593,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index 8930f0b1d93..06e9fd06c28 100644 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" 
@@ -91,8 +91,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -149,8 +149,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -196,8 +196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -207,8 +207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -265,8 +265,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -312,8 +312,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -323,8 +323,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -486,8 +486,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" @@ -497,8 +497,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -544,8 +544,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" @@ -605,8 +605,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.237", - "::1" + "::1", + "216.58.219.237" ], "related.user": [ "-" @@ -663,8 +663,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.68" + "173.194.123.68", + "::1" ], "related.user": [ "-" @@ -674,8 +674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -721,8 +721,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -732,8 +732,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -849,8 +849,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -1012,8 +1012,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1023,8 +1023,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1070,8 +1070,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" @@ -1081,8 +1081,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1128,8 +1128,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.71", - "::1" + "::1", + "173.194.123.71" ], "related.user": [ "-" @@ -1139,8 +1139,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1197,8 +1197,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1360,8 +1360,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1418,8 +1418,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1429,8 +1429,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1487,8 +1487,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1545,8 +1545,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1592,8 +1592,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1603,8 +1603,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1650,8 +1650,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1661,8 +1661,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1708,8 +1708,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1719,8 +1719,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1835,8 +1835,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1882,8 +1882,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" 
@@ -1951,8 +1951,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2009,8 +2009,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2056,8 +2056,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2067,8 +2067,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2125,8 +2125,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2230,8 +2230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2288,8 +2288,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2299,8 +2299,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2346,8 +2346,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" 
@@ -2462,8 +2462,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2473,8 +2473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2520,8 +2520,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.101" + "173.194.123.101", + "::1" ], "related.user": [ "-" @@ -2647,8 +2647,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2694,8 +2694,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.99" + "173.194.123.99", + "::1" ], "related.user": [ "-" @@ -2810,8 +2810,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.226.83", - "::1" + "::1", + "74.125.226.83" ], "related.user": [ "-" @@ -2986,8 +2986,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.226.83" + "74.125.226.83", + "::1" ], "related.user": [ "-" @@ -2997,8 +2997,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3048,8 +3048,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" 
@@ -3059,8 +3059,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3121,8 +3121,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3182,8 +3182,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3243,8 +3243,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3304,8 +3304,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3354,8 +3354,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "related.user": [ "-" @@ -3415,8 +3415,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "related.user": [ "-" @@ -3598,8 +3598,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "related.user": [ "-" @@ -3659,8 +3659,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.142" + "216.58.219.142", + "::1" ], "related.user": [ "-" 
@@ -3670,8 +3670,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3720,8 +3720,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "related.user": [ "-" @@ -3731,8 +3731,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3792,8 +3792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3839,8 +3839,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -3897,8 +3897,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -3966,8 +3966,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4077,8 +4077,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.228" + "216.58.219.228", + "10.100.0.1" ], "related.user": [ "-" @@ -4088,8 +4088,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4138,8 +4138,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.238" + "216.58.219.238", + "10.100.0.1" ], "related.user": [ "-" @@ -4149,8 +4149,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4208,8 +4208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "301", @@ -4267,8 +4267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4315,8 +4315,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.6.238" + "172.217.6.238", + "10.100.0.1" ], "related.user": [ "-" @@ -4326,8 +4326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4450,8 +4450,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4509,8 +4509,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", 
@@ -4567,8 +4567,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4614,8 +4614,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -4625,8 +4625,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4683,8 +4683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4741,8 +4741,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4799,8 +4799,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4846,8 +4846,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -4962,8 +4962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" 
@@ -4973,8 +4973,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5078,8 +5078,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.12.174" + "172.217.12.174", + "10.100.2.85" ], "related.user": [ "-" @@ -5089,8 +5089,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5136,8 +5136,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "related.user": [ "-" @@ -5147,8 +5147,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5263,8 +5263,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5310,8 +5310,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" @@ -5368,8 +5368,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" @@ -5429,8 +5429,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.206", - "10.100.0.1" + "10.100.0.1", + "216.58.219.206" ], "related.user": [ "-" 
@@ -5551,8 +5551,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "related.user": [ "-" @@ -5623,8 +5623,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5684,8 +5684,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5742,8 +5742,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5861,8 +5861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md index b27c2bd3cc7..5fafc98d0a5 100644 --- a/x-pack/filebeat/module/tenable/README.md +++ b/x-pack/filebeat/module/tenable/README.md @@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-08 18:50:23.353065 +0000 UTC. +at 2020-07-08 22:21:01.942095 +0000 UTC. diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js +++ b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = {
 "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
 "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
 "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
 "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md index ac35dd9d79b..0fb3570f0c5 100644 --- a/x-pack/filebeat/module/tomcat/README.md +++ b/x-pack/filebeat/module/tomcat/README.md @@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-08 18:50:16.293772 +0000 UTC. +at 2020-07-08 22:20:55.28259 +0000 UTC. diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js +++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js 
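Review bot: The allow-list test in `fld_ecs_outcome` uses a plain object literal with `=== undefined`, so a lowercased `ec_outcome` value that names an inherited `Object.prototype` member (for example `constructor` or `__proto__`) is treated as valid and written to `event.outcome` as-is; because this field comes from parsed log content, the check should be an own-property or exact-value test, e.g. `if (valid_ecs_outcome[value] !== true) {`. `value.toLowerCase()` will also throw if the value ever arrives as a non-string, and nothing in the hunk shows that cannot happen, so a `typeof value !== 'string'` guard that falls back to `'unknown'` would keep one bad field from aborting the whole event. The identical function is added by the matching hunks in tomcat/log/config/liblogparser.js and zscaler/zia/config/liblogparser.js below, and the neighbouring README hunks describe these modules as autogenerated, so the fix presumably belongs in the shared source these copies are generated from rather than in each copy. A one-line comment on the setter would also help readers: `// ECS event.outcome allows only failure/success/unknown; an existing known value is kept, 'unknown' yields to a later known value.`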
@@ -954,7 +954,7 @@ var ecs_mappings = {
 "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
 "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
 "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
 "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index 2c0a9cfa6b9..6082f5fbcc9 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md @@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-08 18:50:26.796745 +0000 UTC. +at 2020-07-08 22:21:05.345754 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js index cbf9659f322..0348f89e2d8 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js +++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js 
@@ -954,7 +954,7 @@ var ecs_mappings = {
 "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
 "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
 "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
 "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
@@ -964,6 +964,8 @@ var ecs_mappings = {
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
 "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
 "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
 "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
@@ -985,6 +987,7 @@ var ecs_mappings = { "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, "msg": {to:[{field: "log.original", setter: fld_set}]}, @@ -1852,6 +1855,24 @@ function fld_prio(dst, value) { } } +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + function map_all(evt, targets, value) { for (var i = 0; i < targets.length; i++) { evt.Put(targets[i], value); diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index b2b3deda032..64567f7af0a 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -23,8 +23,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.206.191.17", - "10.176.10.114" + "10.176.10.114", + "10.206.191.17" ], "related.user": [ "sumdo" @@ -38,8 +38,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "Blocked", - "pisciv" + "pisciv", + "Blocked" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", 
@@ -109,8 +109,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "Allowed", - "tur" + "tur", + "Allowed" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -167,8 +167,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.204.86.149", - "10.254.146.57" + "10.254.146.57", + "10.204.86.149" ], "related.user": [ "tenima" @@ -240,8 +240,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -313,8 +313,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" @@ -328,8 +328,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "Blocked", - "reetdolo" + "reetdolo", + "Blocked" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -386,8 +386,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" @@ -401,8 +401,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "Allowed", - "ist" + "ist", + "Allowed" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -459,8 +459,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.243.224.205", - "10.123.104.59" + "10.123.104.59", + "10.243.224.205" ], "related.user": [ "xercitat" @@ -532,8 +532,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.185.63", - "10.74.17.5" + "10.74.17.5", + "10.119.185.63" ], "related.user": [ "erc" 
@@ -547,8 +547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "nsec", - "Blocked" + "Blocked", + "nsec" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -678,8 +678,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.71.170.37", - "10.135.225.244" + "10.135.225.244", + "10.71.170.37" ], "related.user": [ "atu" @@ -693,8 +693,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "Allowed", - "psaquae" + "psaquae", + "Allowed" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -751,8 +751,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.19.145.131", - "10.223.247.86" + "10.223.247.86", + "10.19.145.131" ], "related.user": [ "tNequepo" @@ -766,8 +766,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "emseq", - "Allowed" + "Allowed", + "emseq" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -824,8 +824,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.181.80.139", - "10.2.53.125" + "10.2.53.125", + "10.181.80.139" ], "related.user": [ "ihilmo" @@ -839,8 +839,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "lorsitam", - "Allowed" + "Allowed", + "lorsitam" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -912,8 +912,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "Allowed", - "veni" + "veni", + "Allowed" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", 
@@ -1043,8 +1043,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.111.187.12", - "10.63.250.128" + "10.63.250.128", + "10.111.187.12" ], "related.user": [ "saute" @@ -1262,8 +1262,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.82.97", - "10.107.251.87" + "10.107.251.87", + "10.135.82.97" ], "related.user": [ "str" @@ -1350,8 +1350,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "oNemoeni", "rsa.misc.action": [ - "Blocked", - "nre" + "nre", + "Blocked" ], "rsa.misc.category": "labo", "rsa.misc.filter": "tutlab", @@ -1408,8 +1408,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" ], "related.user": [ "ulapar" @@ -1569,8 +1569,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "Allowed", - "nte" + "nte", + "Allowed" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1627,8 +1627,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" ], "related.user": [ "olori" @@ -1773,8 +1773,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.179.210.218", - "10.32.39.220" + "10.32.39.220", + "10.179.210.218" ], "related.user": [ "boreetdo" @@ -1788,8 +1788,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "Blocked", - "risnis" + "risnis", + "Blocked" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", @@ -1992,8 +1992,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.2.67.127", - "10.115.53.31" + "10.115.53.31", + "10.2.67.127" ], "related.user": [ "Cic" 
@@ -2080,8 +2080,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "quasiarc", - "Allowed" + "Allowed", + "quasiarc" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2138,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" @@ -2153,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "vitaed", - "Allowed" + "Allowed", + "vitaed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2299,8 +2299,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdolore", "rsa.misc.action": [ - "Blocked", - "onproide" + "onproide", + "Blocked" ], "rsa.misc.category": "tvolup", "rsa.misc.filter": "niam", @@ -2357,8 +2357,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.193.66.155", - "10.106.77.138" + "10.106.77.138", + "10.193.66.155" ], "related.user": [ "iusmodt" @@ -2430,8 +2430,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.236.230.136", - "10.54.159.1" + "10.54.159.1", + "10.236.230.136" ], "related.user": [ "mUteni" @@ -2445,8 +2445,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2503,8 +2503,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.131.246.134", - "10.49.242.174" + "10.49.242.174", + "10.131.246.134" ], "related.user": [ "umdolo" 
@@ -2576,8 +2576,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.10.42", - "10.142.120.198" + "10.142.120.198", + "10.166.10.42" ], "related.user": [ "olori" @@ -2722,8 +2722,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.53.101.131", - "10.213.57.165" + "10.213.57.165", + "10.53.101.131" ], "related.user": [ "isau" @@ -2868,8 +2868,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.202.224.79", - "10.33.144.10" + "10.33.144.10", + "10.202.224.79" ], "related.user": [ "rios" @@ -2883,8 +2883,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "quu", - "Blocked" + "Blocked", + "quu" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -3029,8 +3029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3087,8 +3087,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.68.8.143", - "10.125.120.97" + "10.125.120.97", + "10.68.8.143" ], "related.user": [ "reet" @@ -3160,8 +3160,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.143.0.78", - "10.137.164.122" + "10.137.164.122", + "10.143.0.78" ], "related.user": [ "orissus" @@ -3175,8 +3175,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "mwrit", - "Blocked" + "Blocked", + "mwrit" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3248,8 +3248,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "Blocked", - "ptatev" + "ptatev", + "Blocked" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", 
@@ -3379,8 +3379,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3394,8 +3394,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3452,8 +3452,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.195.20", - "10.255.40.12" + "10.255.40.12", + "10.166.195.20" ], "related.user": [ "lamcolab" @@ -3538,8 +3538,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Bonoru", - "Blocked" + "Blocked", + "Bonoru" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3596,8 +3596,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.53.68", - "10.121.9.5" + "10.121.9.5", + "10.119.53.68" ], "related.user": [ "ssec" @@ -3611,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "tinvolup", - "Blocked" + "Blocked", + "tinvolup" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3684,8 +3684,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "Blocked", - "dolor" + "dolor", + "Blocked" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3809,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.138.109", - "10.39.46.155" + "10.39.46.155", + "10.120.138.109" ], "related.user": [ "picia" @@ -3882,8 +3882,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.133.102.57", - "10.53.191.49" + "10.53.191.49", + "10.133.102.57" ], "related.user": [ "onsec" 
@@ -3955,8 +3955,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.2.225", - "10.89.41.97" + "10.89.41.97", + "10.91.2.225" ], "related.user": [ "tem" @@ -3970,8 +3970,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iuntN", "rsa.misc.action": [ - "nim", - "Allowed" + "Allowed", + "nim" ], "rsa.misc.category": "etco", "rsa.misc.filter": "autodita", @@ -4043,8 +4043,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "Allowed", - "epreh" + "epreh", + "Allowed" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", @@ -4174,8 +4174,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.190.42.245", - "10.220.1.249" + "10.220.1.249", + "10.190.42.245" ], "related.user": [ "olup" @@ -4260,8 +4260,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "urau", - "Allowed" + "Allowed", + "urau" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4391,8 +4391,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.60.52.219", - "10.252.164.230" + "10.252.164.230", + "10.60.52.219" ], "related.user": [ "gnamali" @@ -4533,8 +4533,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.215.174", - "10.248.108.55" + "10.248.108.55", + "10.120.215.174" ], "related.user": [ "prehend" @@ -4548,8 +4548,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "Allowed", - "uatDu" + "uatDu", + "Allowed" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4604,8 +4604,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" 
@@ -4677,8 +4677,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -4838,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4896,8 +4896,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" @@ -4911,8 +4911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "Allowed", - "rmagnido" + "rmagnido", + "Allowed" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4969,8 +4969,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.193.152.42", - "10.91.20.27" + "10.91.20.27", + "10.193.152.42" ], "related.user": [ "edict" @@ -4984,8 +4984,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "umq", - "Blocked" + "Blocked", + "umq" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5042,8 +5042,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.192.102", - "10.146.69.38" + "10.146.69.38", + "10.55.192.102" ], "related.user": [ "quia" @@ -5057,8 +5057,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "userro", - "Allowed" + "Allowed", + "userro" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5115,8 +5115,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.177.226", - "10.249.1.143" + "10.249.1.143", + "10.124.177.226" ], "related.user": [ "isciveli" 
@@ -5261,8 +5261,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5334,8 +5334,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.24.23.209", - "10.162.78.48" + "10.162.78.48", + "10.24.23.209" ], "related.user": [ "ntore" @@ -5407,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.211.66.68", - "10.55.151.53" + "10.55.151.53", + "10.211.66.68" ], "related.user": [ "squir" @@ -5553,8 +5553,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" ], "related.user": [ "sequatDu" @@ -5568,8 +5568,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "uianonnu", - "Allowed" + "Allowed", + "uianonnu" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5626,8 +5626,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.119.48", - "10.26.222.144" + "10.26.222.144", + "10.124.119.48" ], "related.user": [ "nre" @@ -5641,8 +5641,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "ici", - "Blocked" + "Blocked", + "ici" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5699,8 +5699,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.223.11.164", - "10.164.190.2" + "10.164.190.2", + "10.223.11.164" ], "related.user": [ "ten" @@ -5860,8 +5860,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "Blocked", - "nia" + "nia", + "Blocked" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", 
@@ -5991,8 +5991,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.233.249", - "10.75.144.118" + "10.75.144.118", + "10.176.233.249" ], "related.user": [ "isnos" @@ -6006,8 +6006,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "Blocked", - "odic" + "odic", + "Blocked" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6079,8 +6079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "Allowed", - "mvele" + "mvele", + "Allowed" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6137,8 +6137,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.97.202.149", - "10.13.125.101" + "10.13.125.101", + "10.97.202.149" ], "related.user": [ "colab" @@ -6210,8 +6210,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.141.66.163", - "10.230.61.102" + "10.230.61.102", + "10.141.66.163" ], "related.user": [ "umdolo" @@ -6225,8 +6225,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "Blocked", - "mini" + "mini", + "Blocked" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6283,8 +6283,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "related.user": [ "mnisiuta" @@ -6429,8 +6429,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.250.102.42", - "10.124.81.20" + "10.124.81.20", + "10.250.102.42" ], "related.user": [ "tNequ" @@ -6444,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", 
@@ -6655,8 +6655,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "tatemacc", - "Blocked" + "Blocked", + "tatemacc" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6713,8 +6713,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.195.62.230", - "10.98.126.206" + "10.98.126.206", + "10.195.62.230" ], "related.user": [ "ptassit" @@ -6728,8 +6728,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "oriosa", - "Allowed" + "Allowed", + "oriosa" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6786,8 +6786,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -6801,8 +6801,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "Blocked", - "nima" + "nima", + "Blocked" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6874,8 +6874,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "qua", - "Allowed" + "Allowed", + "qua" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -6932,8 +6932,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.131.81.172", - "10.139.90.218" + "10.139.90.218", + "10.131.81.172" ], "related.user": [ "hende" @@ -7093,8 +7093,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "rehe", - "Blocked" + "Blocked", + "rehe" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", 
@@ -7151,8 +7151,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.17.6", - "10.109.192.53" + "10.109.192.53", + "10.172.17.6" ], "related.user": [ "eprehen" @@ -7166,8 +7166,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "tassit", - "Blocked" + "Blocked", + "tassit" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 423d10f5ac2..66ca65108fd 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -28,8 +28,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", From b6af93618cf29a74c9255e8abb502de6bc7469e5 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Mon, 13 Jul 2020 10:23:52 +0200 Subject: [PATCH 14/19] Update test files --- .../bigipapm/test/generated.log-expected.json | 4 +- .../firepass/test/generated.log-expected.json | 56 +-- .../test/generated.log-expected.json | 196 ++++---- .../test/generated.log-expected.json | 462 +++++++++--------- .../nios/test/generated.log-expected.json | 99 ---- .../test/generated.log-expected.json | 20 +- .../nexpose/test/generated.log-expected.json | 40 -- .../firewall/test/generated.log-expected.json | 84 ++-- .../squid/log/test/access1.log-expected.json | 296 +++++------ .../squid/log/test/access2.log-expected.json | 172 +++---- .../squid/log/test/access3.log-expected.json | 324 ++++++------ .../squid/log/test/access4.log-expected.json | 388 +++++++-------- .../zia/test/generated.log-expected.json | 416 ++++++++-------- .../filebeat/module/zscaler/zia/test/test.log | 1 - .../zscaler/zia/test/test.log-expected.json | 57 --- 15 files changed, 1185 insertions(+), 1430 deletions(-) delete mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log delete mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index a5a18f64b40..b06452aca74 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -364,8 +364,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.225.160.182", - "10.204.123.107" + "10.204.123.107", + "10.225.160.182" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json index 3d9a482ac20..ad3338fbbe4 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json 
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json @@ -18,7 +18,6 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "tur", - "rsa.time.event_time": "2020-01-29T08:09:59.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -44,7 +43,6 @@ "rsa.internal.messageid": "ntpd", "rsa.network.interface": "lo4377", "rsa.network.network_port": 4819, - "rsa.time.event_time": "2020-02-12T15:12:33.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -69,7 +67,6 @@ "uii" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2020-02-26T22:15:08.000Z", "service.type": "f5", "source.ip": [ "10.36.11.87" @@ -154,7 +151,6 @@ "rsa.internal.event_desc": "emape", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2020-04-09T19:22:51.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -192,7 +188,6 @@ "observer.vendor": "F5", "rsa.db.index": "roinBCS", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-05-08T09:27:59.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -212,7 +207,6 @@ "observer.vendor": "F5", "rsa.internal.event_desc": "equat", "rsa.internal.messageid": "firepass", - "rsa.time.event_time": "2020-05-22T16:30:33.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -236,7 +230,6 @@ "rsa.db.index": "mipsu", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2020-06-05T23:33:08.000Z", "service.type": "f5", "source.ip": [ "10.171.204.166" @@ -312,7 +305,6 @@ "onev" ], "rsa.internal.messageid": "firepass", - "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -334,7 +326,6 @@ "observer.vendor": "F5", "rsa.db.index": "doloreeu", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -443,7 +434,6 @@ "riat" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "service.type": "f5", "source.ip": [ "10.37.79.163" @@ -571,7 +561,6 @@ "taevi" ], "rsa.internal.messageid": "Miscellaneous", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -621,7 +610,6 @@ "labor" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "service.type": "f5", "source.ip": [ "10.0.3.58" @@ -645,7 +633,6 @@ "observer.type": "VPN", "observer.vendor": "F5", "rsa.internal.messageid": "GarbageCollection", - "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -694,7 +681,6 @@ "observer.vendor": "F5", "rsa.db.index": "omm", "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -745,7 +731,6 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "Message", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -788,12 +773,11 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.117.146.33", - "10.46.158.31" + "10.46.158.31", + "10.117.146.33" ], "rsa.db.index": "dun", "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2020-04-30T17:32:16.000Z", "service.type": "f5", "source.ip": [ "10.117.146.33" @@ -828,7 +812,6 @@ "rsa.misc.action": [ "block" ], - "rsa.time.event_time": "2020-05-15T00:34:50.000Z", "service.type": "f5", "source.ip": [ "10.196.136.214" @@ -857,7 +840,6 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", "rsa.misc.log_session_id": "dtem", - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -908,7 +890,6 @@ "rsa.misc.action": [ "cancel" ], - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -929,7 +910,6 @@ "observer.vendor": "F5", "rsa.internal.event_desc": "erc", "rsa.internal.messageid": "snmp", - "rsa.time.event_time": "2019-07-11T04:45:07.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -968,7 +948,6 @@ "rsa.internal.event_desc": "uasia", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -989,7 +968,6 @@ "rsa.internal.event_desc": "uames", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", - "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1042,7 +1020,6 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", "rsa.misc.log_session_id": "isno", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1087,7 +1064,6 @@ "amvolup" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "service.type": "f5", "source.ip": [ "10.86.63.253" @@ -1138,7 +1114,6 @@ "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "siarchi", - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1186,7 +1161,6 @@ "rsa.misc.action": [ "deny" ], - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1232,7 +1206,6 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "hitect", - "rsa.time.event_time": "2020-01-13T00:18:32.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1275,7 +1248,6 @@ "observer.vendor": "F5", "rsa.db.index": "texp", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1374,7 +1346,6 @@ "edol" ], "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "service.type": "f5", "source.ip": [ "10.26.196.144" @@ -1399,7 +1370,6 @@ "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "xerc", - "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1492,7 +1462,6 @@ "observer.vendor": "F5", "rsa.db.index": "uptate", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1514,7 +1483,6 @@ "aliquam" ], "rsa.internal.messageid": "Miscellaneous", - "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1632,7 +1600,6 @@ "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "intocc", - "rsa.time.event_time": "2019-09-13T00:02:15.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1710,7 +1677,6 @@ "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "rem", - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1774,7 +1740,6 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "ese", - "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1794,7 +1759,6 @@ "observer.vendor": "F5", "rsa.db.index": "ntocc", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1833,7 +1797,6 @@ "observer.vendor": "F5", "rsa.internal.messageid": "ntpd", "rsa.time.duration_str": "epte", - "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -1903,7 +1866,6 @@ ], "rsa.internal.messageid": "maintenance", "rsa.network.network_port": 6980, - "rsa.time.event_time": "2020-03-17T19:35:40.000Z", "rsa.web.fqdn": "ipsumd6116.local", "service.type": "f5", "tags": [ @@ -1998,7 +1960,6 @@ ], "rsa.internal.messageid": "ntpdate", "rsa.time.duration_str": "utlabor", - "rsa.time.event_time": "2020-05-13T23:45:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2026,7 +1987,6 @@ "rsa.network.alias_host": [ "eufugi2923.internal.host" ], - "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2078,7 +2038,6 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "Communication", "rsa.misc.log_session_id": "con", - "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2105,7 +2064,6 @@ "rsa.misc.action": [ "cancel" ], - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2145,7 +2103,6 @@ "observer.vendor": "F5", "rsa.db.index": "oremi", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2165,7 +2122,6 @@ "observer.vendor": "F5", "rsa.db.index": "mquelau", "rsa.internal.messageid": "heartbeat", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2185,7 +2141,6 @@ "observer.vendor": "F5", "rsa.internal.messageid": "run-crons", "rsa.misc.result_code": "idolo", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -2212,7 +2167,6 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Policy", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "f5", "tags": [ "f5.firepass", @@ -2275,12 +2229,11 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.65.175.9", - "10.225.181.30" + "10.225.181.30", + "10.65.175.9" ], "rsa.db.index": "uia", "rsa.internal.messageid": "kernel", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "f5", "source.ip": [ "10.65.175.9" @@ -2322,7 +2275,6 @@ "observer.vendor": "F5", "rsa.internal.event_desc": "snmp:", "rsa.internal.messageid": "snmp", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "f5", "tags": [ "f5.firepass", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index c1db12fa60c..f5a54a1e69e 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -136,8 +136,8 @@ "observer.vendor": "Fortinet", "process.pid": 445, "related.ip": [ - "10.173.116.41", - "10.118.175.9" + "10.118.175.9", + "10.173.116.41" ], "related.user": [ "uame" @@ -250,8 +250,8 @@ "observer.vendor": "Fortinet", "process.pid": 6557, "related.ip": [ - "10.70.0.60", - "10.245.142.250" + "10.245.142.250", + "10.70.0.60" ], "related.user": [ "eos" @@ -307,8 +307,8 @@ "observer.vendor": "Fortinet", "process.pid": 2061, "related.ip": [ - "10.202.72.124", - "10.200.188.142" + "10.200.188.142", + "10.202.72.124" ], "related.user": [ "iusmodt" @@ -364,8 +364,8 @@ "observer.vendor": "Fortinet", "process.pid": 5722, "related.ip": [ - "10.214.225.125", - "10.12.44.169" + "10.12.44.169", + "10.214.225.125" ], "related.user": [ "erep" 
@@ -478,8 +478,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.178.244.31", - "10.69.20.77" + "10.69.20.77", + "10.178.244.31" ], "related.user": [ "umdolor" @@ -592,8 +592,8 @@ "observer.vendor": "Fortinet", "process.pid": 7307, "related.ip": [ - "10.136.252.240", - "10.65.83.160" + "10.65.83.160", + "10.136.252.240" ], "related.user": [ "ender" @@ -706,8 +706,8 @@ "observer.vendor": "Fortinet", "process.pid": 5166, "related.ip": [ - "10.144.82.69", - "10.200.156.102" + "10.200.156.102", + "10.144.82.69" ], "related.user": [ "rveli" @@ -763,8 +763,8 @@ "observer.vendor": "Fortinet", "process.pid": 7668, "related.ip": [ - "10.109.232.112", - "10.72.58.135" + "10.72.58.135", + "10.109.232.112" ], "related.user": [ "xea" @@ -820,8 +820,8 @@ "observer.vendor": "Fortinet", "process.pid": 1044, "related.ip": [ - "10.38.22.45", - "10.72.29.73" + "10.72.29.73", + "10.38.22.45" ], "related.user": [ "onproide" @@ -991,8 +991,8 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.ip": [ - "10.78.151.178", - "10.84.105.75" + "10.84.105.75", + "10.78.151.178" ], "related.user": [ "iquaUten" @@ -1105,8 +1105,8 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "uptat" @@ -1219,8 +1219,8 @@ "observer.vendor": "Fortinet", "process.pid": 5200, "related.ip": [ - "10.141.44.153", - "10.161.57.8" + "10.161.57.8", + "10.141.44.153" ], "related.user": [ "quisnos" @@ -1390,8 +1390,8 @@ "observer.vendor": "Fortinet", "process.pid": 2019, "related.ip": [ - "10.163.5.243", - "10.178.77.231" + "10.178.77.231", + "10.163.5.243" ], "related.user": [ "liquide" @@ -1447,8 +1447,8 @@ "observer.vendor": "Fortinet", "process.pid": 2493, "related.ip": [ - "10.177.194.18", - "10.221.89.228" + "10.221.89.228", + "10.177.194.18" ], "related.user": [ "aliquam" 
@@ -1561,8 +1561,8 @@ "observer.vendor": "Fortinet", "process.pid": 2328, "related.ip": [ - "10.168.90.81", - "10.101.57.120" + "10.101.57.120", + "10.168.90.81" ], "related.user": [ "eporr" @@ -1618,8 +1618,8 @@ "observer.vendor": "Fortinet", "process.pid": 1156, "related.ip": [ - "10.14.211.43", - "10.130.14.60" + "10.130.14.60", + "10.14.211.43" ], "related.user": [ "litse" @@ -1789,8 +1789,8 @@ "observer.vendor": "Fortinet", "process.pid": 3470, "related.ip": [ - "10.27.14.168", - "10.66.2.232" + "10.66.2.232", + "10.27.14.168" ], "related.user": [ "uirati" @@ -2017,8 +2017,8 @@ "observer.vendor": "Fortinet", "process.pid": 4153, "related.ip": [ - "10.184.18.202", - "10.4.157.1" + "10.4.157.1", + "10.184.18.202" ], "related.user": [ "oditem" @@ -2109,7 +2109,7 @@ "user.name": "persp" }, { - "@timestamp": "2019-07-11T04:45:07.000Z", + "@timestamp": "2020-07-11T04:45:07.000Z", "destination.ip": [ "10.83.177.2" ], @@ -2152,7 +2152,7 @@ ], "rsa.network.domain": "tut2703.www.host", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "rsa.time.event_time": "2020-07-11T04:45:07.000Z", "server.domain": "tut2703.www.host", "service.type": "fortinet", "source.ip": [ @@ -2302,8 +2302,8 @@ "observer.vendor": "Fortinet", "process.pid": 55, "related.ip": [ - "10.9.18.237", - "10.9.12.248" + "10.9.12.248", + "10.9.18.237" ], "related.user": [ "uradi" @@ -2359,8 +2359,8 @@ "observer.vendor": "Fortinet", "process.pid": 228, "related.ip": [ - "10.83.130.226", - "10.41.123.102" + "10.41.123.102", + "10.83.130.226" ], "related.user": [ "tenim" @@ -2416,8 +2416,8 @@ "observer.vendor": "Fortinet", "process.pid": 4253, "related.ip": [ - "10.175.112.197", - "10.80.152.108" + "10.80.152.108", + "10.175.112.197" ], "related.user": [ "tametcon" @@ -2473,8 +2473,8 @@ "observer.vendor": "Fortinet", "process.pid": 2200, "related.ip": [ - "10.134.18.114", - "10.142.25.100" + "10.142.25.100", + "10.134.18.114" ], "related.user": [ "osqui" 
@@ -2587,8 +2587,8 @@ "observer.vendor": "Fortinet", "process.pid": 4469, "related.ip": [ - "10.110.114.175", - "10.47.28.48" + "10.47.28.48", + "10.110.114.175" ], "related.user": [ "plicab" @@ -2872,8 +2872,8 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.180.195.43", + "10.85.185.13" ], "related.user": [ "voluptas" @@ -2929,8 +2929,8 @@ "observer.vendor": "Fortinet", "process.pid": 430, "related.ip": [ - "10.207.211.230", - "10.210.28.247" + "10.210.28.247", + "10.207.211.230" ], "related.user": [ "tate" @@ -2986,8 +2986,8 @@ "observer.vendor": "Fortinet", "process.pid": 3589, "related.ip": [ - "10.86.11.48", - "10.248.165.185" + "10.248.165.185", + "10.86.11.48" ], "related.user": [ "dquiac" @@ -3043,8 +3043,8 @@ "observer.vendor": "Fortinet", "process.pid": 4814, "related.ip": [ - "10.47.125.38", - "10.118.6.177" + "10.118.6.177", + "10.47.125.38" ], "related.user": [ "quunt" @@ -3100,8 +3100,8 @@ "observer.vendor": "Fortinet", "process.pid": 276, "related.ip": [ - "10.60.142.127", - "10.50.233.155" + "10.50.233.155", + "10.60.142.127" ], "related.user": [ "atv" @@ -3271,8 +3271,8 @@ "observer.vendor": "Fortinet", "process.pid": 2302, "related.ip": [ - "10.226.5.189", - "10.125.165.144" + "10.125.165.144", + "10.226.5.189" ], "related.user": [ "mvolu" @@ -3328,8 +3328,8 @@ "observer.vendor": "Fortinet", "process.pid": 7079, "related.ip": [ - "10.97.149.97", - "10.46.56.204" + "10.46.56.204", + "10.97.149.97" ], "related.user": [ "dolorsit" @@ -3556,8 +3556,8 @@ "observer.vendor": "Fortinet", "process.pid": 5704, "related.ip": [ - "10.115.174.107", - "10.193.118.163" + "10.193.118.163", + "10.115.174.107" ], "related.user": [ "exeacomm" @@ -3841,8 +3841,8 @@ "observer.vendor": "Fortinet", "process.pid": 2861, "related.ip": [ - "10.72.162.6", - "10.235.116.121" + "10.235.116.121", + "10.72.162.6" ], "related.user": [ "oinv" 
@@ -3955,8 +3955,8 @@ "observer.vendor": "Fortinet", "process.pid": 1710, "related.ip": [ - "10.196.96.162", - "10.34.131.224" + "10.34.131.224", + "10.196.96.162" ], "related.user": [ "tnonproi" @@ -4012,8 +4012,8 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.ip": [ - "10.77.78.180", - "10.97.236.123" + "10.97.236.123", + "10.77.78.180" ], "related.user": [ "nisi" @@ -4069,8 +4069,8 @@ "observer.vendor": "Fortinet", "process.pid": 3421, "related.ip": [ - "10.45.54.107", - "10.82.133.66" + "10.82.133.66", + "10.45.54.107" ], "related.user": [ "olorem" @@ -4297,8 +4297,8 @@ "observer.vendor": "Fortinet", "process.pid": 2442, "related.ip": [ - "10.225.255.211", - "10.138.210.116" + "10.138.210.116", + "10.225.255.211" ], "related.user": [ "fugiatn" @@ -4354,8 +4354,8 @@ "observer.vendor": "Fortinet", "process.pid": 6311, "related.ip": [ - "10.219.1.151", - "10.250.81.189" + "10.250.81.189", + "10.219.1.151" ], "related.user": [ "ori" @@ -4525,8 +4525,8 @@ "observer.vendor": "Fortinet", "process.pid": 3284, "related.ip": [ - "10.47.179.68", - "10.183.202.82" + "10.183.202.82", + "10.47.179.68" ], "related.user": [ "umfugi" @@ -4582,8 +4582,8 @@ "observer.vendor": "Fortinet", "process.pid": 2314, "related.ip": [ - "10.221.206.74", - "10.73.28.165" + "10.73.28.165", + "10.221.206.74" ], "related.user": [ "quas" @@ -4639,8 +4639,8 @@ "observer.vendor": "Fortinet", "process.pid": 5284, "related.ip": [ - "10.85.104.146", - "10.14.204.36" + "10.14.204.36", + "10.85.104.146" ], "related.user": [ "emp" @@ -4753,8 +4753,8 @@ "observer.vendor": "Fortinet", "process.pid": 4337, "related.ip": [ - "10.19.119.17", - "10.106.249.91" + "10.106.249.91", + "10.19.119.17" ], "related.user": [ "lit" @@ -4810,8 +4810,8 @@ "observer.vendor": "Fortinet", "process.pid": 5275, "related.ip": [ - "10.29.109.126", - "10.181.41.154" + "10.181.41.154", + "10.29.109.126" ], "related.user": [ "labo" 
@@ -4924,8 +4924,8 @@ "observer.vendor": "Fortinet", "process.pid": 2990, "related.ip": [ - "10.154.191.225", - "10.183.189.133" + "10.183.189.133", + "10.154.191.225" ], "related.user": [ "ita" @@ -4981,8 +4981,8 @@ "observer.vendor": "Fortinet", "process.pid": 226, "related.ip": [ - "10.103.189.199", - "10.29.120.226" + "10.29.120.226", + "10.103.189.199" ], "related.user": [ "emu" @@ -5152,8 +5152,8 @@ "observer.vendor": "Fortinet", "process.pid": 2313, "related.ip": [ - "10.137.85.123", - "10.183.243.246" + "10.183.243.246", + "10.137.85.123" ], "related.user": [ "cid" @@ -5209,8 +5209,8 @@ "observer.vendor": "Fortinet", "process.pid": 1585, "related.ip": [ - "10.61.225.196", - "10.10.86.55" + "10.10.86.55", + "10.61.225.196" ], "related.user": [ "eniamqu" @@ -5323,8 +5323,8 @@ "observer.vendor": "Fortinet", "process.pid": 6331, "related.ip": [ - "10.240.216.85", - "10.64.139.17" + "10.64.139.17", + "10.240.216.85" ], "related.user": [ "nimadmin" @@ -5380,8 +5380,8 @@ "observer.vendor": "Fortinet", "process.pid": 4474, "related.ip": [ - "10.222.245.80", - "10.87.90.49" + "10.87.90.49", + "10.222.245.80" ], "related.user": [ "ptatemse" diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 28b4b361db2..90316495eb2 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -24,9 +24,9 @@ "10.81.122.126" ], "related.user": [ - "magn", + "tatno", "aqui", - "tatno" + "magn" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -110,8 +110,8 @@ "10.58.116.231" ], "related.user": [ - "temUten", "qua", + "temUten", "uradi" ], "rsa.counters.dclass_c1": 3626, 
@@ -165,9 +165,9 @@ "10.18.124.28" ], "related.user": [ - "lapariat", + "modocons", "mquidol", - "modocons" + "lapariat" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -222,8 +222,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.6.137.200", - "10.197.250.10" + "10.197.250.10", + "10.6.137.200" ], "related.user": [ "oluptas", @@ -356,9 +356,9 @@ "10.129.149.43" ], "related.user": [ - "eveli", "orema", - "labor" + "labor", + "eveli" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -411,12 +411,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.214.191.180", - "10.112.250.193" + "10.112.250.193", + "10.214.191.180" ], "related.user": [ - "Exc", "ipsumdol", + "Exc", "ide" ], "rsa.counters.dclass_c1": 6852, @@ -469,13 +469,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.192.34.76", - "10.251.20.13" + "10.251.20.13", + "10.192.34.76" ], "related.user": [ - "ovol", + "iquipe", "tnonpro", - "iquipe" + "ovol" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -528,9 +528,9 @@ "10.74.105.218" ], "related.user": [ - "boree", + "archite", "idunt", - "archite" + "boree" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -583,12 +583,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.168.159.13", - "10.230.173.4" + "10.230.173.4", + "10.168.159.13" ], "related.user": [ - "isnostr", "atemq", + "isnostr", "inci" ], "rsa.counters.dclass_c1": 6135, @@ -646,9 +646,9 @@ "10.49.167.57" ], "related.user": [ + "tali", "ccaeca", - "sau", - "tali" + "sau" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -707,17 +707,17 @@ "10.216.125.252" ], "related.user": [ - "llamco", + "dolore", "lorsita", - "dolore" + "llamco" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "quasia" + "quasia", + "accept" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -774,9 +774,9 @@ "10.204.128.215" ], "related.user": [ - "rum", "nci", - "paquioff" + "paquioff", + "rum" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", @@ -837,9 +837,9 @@ "10.34.148.166" ], "related.user": [ + "miu", "icabo", - "untutlab", - "miu" + "untutlab" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -952,8 +952,8 @@ ], "related.user": [ "dipisci", - "olori", - "velite" + "velite", + "olori" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1006,13 +1006,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.233.120.207", - "10.190.10.219" + "10.190.10.219", + "10.233.120.207" ], "related.user": [ - "quamnih", + "item", "accusant", - "item" + "quamnih" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1097,9 +1097,9 @@ "10.100.98.56" ], "related.user": [ + "proident", "boru", - "ritati", - "proident" + "ritati" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1156,9 +1156,9 @@ "10.197.6.245" ], "related.user": [ + "dtempo", "oluptat", - "aecatcup", - "dtempo" + "aecatcup" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1215,9 +1215,9 @@ "10.6.27.103" ], "related.user": [ - "asnu", + "ationul", "redol", - "ationul" + "asnu" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1276,17 +1276,17 @@ "10.81.184.7" ], "related.user": [ - "lmole", + "undeomni", "iameaque", - "undeomni" + "lmole" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "illu" + "illu", + "deny" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1402,17 +1402,17 @@ "10.110.133.7" ], "related.user": [ - "caboNem", "pta", - "etconsec" + "etconsec", + "caboNem" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", "rsa.internal.event_desc": "liquid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "vitaed", - "allow" + "allow", + "vitaed" ], "rsa.misc.category": "enim", "rsa.misc.disposition": "Finibus", @@ -1463,13 +1463,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.182.152.242", - "10.105.190.170" + "10.105.190.170", + "10.182.152.242" ], "related.user": [ "doeiu", - "litan", - "mquisn" + "mquisn", + "litan" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1524,21 +1524,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.123.166.197", - "10.59.188.188" + "10.59.188.188", + "10.123.166.197" ], "related.user": [ + "liquam", "min", - "emUte", - "liquam" + "emUte" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", "rsa.internal.event_desc": "tautfug", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "itae" + "itae", + "block" ], "rsa.misc.category": "giatquov", "rsa.misc.disposition": "olu", @@ -1588,13 +1588,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.168.116", - "10.72.75.207" + "10.72.75.207", + "10.201.168.116" ], "related.user": [ - "eufug", "eFini", - "urau" + "urau", + "eufug" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1651,9 +1651,9 @@ "10.9.46.123" ], "related.user": [ + "mfu", "oco", - "nde", - "mfu" + "nde" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1711,8 +1711,8 @@ ], "related.user": [ "pta", - "mquisnos", - "veniamq" + "veniamq", + "mquisnos" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1765,13 +1765,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.165.182.111", - "10.137.85.123" + "10.137.85.123", + "10.165.182.111" ], "related.user": [ + "Bonorum", "sis", - "ames", - "Bonorum" + "ames" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1858,8 +1858,8 @@ "10.173.178.109" ], "related.user": [ - "tam", "nesci", + "tam", "uian" ], "rsa.counters.event_counter": 4493, @@ -1919,12 +1919,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "related.user": [ - "aUtenima", "olupta", + "aUtenima", "olu" ], "rsa.counters.dclass_c1": 1127, @@ -1978,13 +1978,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.150.82", - "10.59.182.36" + "10.59.182.36", + "10.18.150.82" ], "related.user": [ + "mtota", "luptat", - "qua", - "mtota" + "qua" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2068,9 +2068,9 @@ "10.151.240.35" ], "related.user": [ - "ama", "ametcons", - "lam" + "lam", + "ama" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2119,13 +2119,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.147.142.242", - "10.242.48.203" + "10.242.48.203", + "10.147.142.242" ], "related.user": [ + "quasi", "ese", - "quisn", - "quasi" + "quisn" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2180,13 +2180,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.254.10.98", - "10.213.165.165" + "10.213.165.165", + "10.254.10.98" ], "related.user": [ + "ttenb", "eufugia", - "civeli", - "ttenb" + "civeli" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", @@ -2279,8 +2279,8 @@ "10.116.1.130" ], "related.user": [ - "eturadip", "reseo", + "eturadip", "amco" ], "rsa.counters.event_counter": 1295, @@ -2399,13 +2399,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.100.113.11", - "10.152.213.228" + "10.152.213.228", + "10.100.113.11" ], "related.user": [ - "velillum", "ptatev", - "itationu" + "itationu", + "velillum" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2486,8 +2486,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.208.33.55", - "10.248.102.129" + "10.248.102.129", + "10.208.33.55" ], "related.user": [ "inimv", @@ -2545,13 +2545,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.203.164.132", - "10.109.230.216" + "10.109.230.216", + "10.203.164.132" ], "related.user": [ - "mporin", + "ectobea", "ibus", - "ectobea" + "mporin" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2609,8 +2609,8 @@ ], "related.user": [ "iconsequ", - "dol", - "exeac" + "exeac", + "dol" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2663,13 +2663,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.45.152.205", - "10.224.217.153" + "10.224.217.153", + "10.45.152.205" ], "related.user": [ "eriti", - "utlabo", - "imav" + "imav", + "utlabo" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2728,8 +2728,8 @@ ], "related.user": [ "hite", - "ugi", - "adipis" + "adipis", + "ugi" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", 
@@ -2791,9 +2791,9 @@ "10.146.228.234" ], "related.user": [ - "mquamei", "sum", - "eiusm" + "eiusm", + "mquamei" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2847,8 +2847,8 @@ ], "related.user": [ "ine", - "consecte", - "nimv" + "nimv", + "consecte" ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2905,9 +2905,9 @@ "10.201.223.119" ], "related.user": [ + "teni", "rcit", - "tuserror", - "teni" + "tuserror" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2965,8 +2965,8 @@ ], "related.user": [ "magnido", - "elitsedd", - "Nequepo" + "Nequepo", + "elitsedd" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3025,9 +3025,9 @@ "10.65.225.101" ], "related.user": [ + "emquel", "tuserror", - "citation", - "emquel" + "citation" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", @@ -3089,9 +3089,9 @@ "10.65.174.196" ], "related.user": [ - "tione", + "iin", "uta", - "iin" + "tione" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3142,21 +3142,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.224.148.48", - "10.41.181.179" + "10.41.181.179", + "10.224.148.48" ], "related.user": [ "niam", - "iosamn", - "equepor" + "equepor", + "iosamn" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "rumwr", - "deny" + "deny", + "rumwr" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3211,8 +3211,8 @@ "10.21.208.103" ], "related.user": [ - "mipsa", "ostr", + "mipsa", "imidest" ], "rsa.counters.dclass_c1": 7766, 
@@ -3332,16 +3332,16 @@ ], "related.user": [ "animide", - "modtempo", - "nofde" + "nofde", + "modtempo" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3397,8 +3397,8 @@ "10.178.79.217" ], "related.user": [ - "ccusan", "inibusBo", + "ccusan", "tqui" ], "rsa.counters.event_counter": 3538, @@ -3461,9 +3461,9 @@ "10.161.225.172" ], "related.user": [ - "xerc", "meaqu", - "rcit" + "rcit", + "xerc" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3519,8 +3519,8 @@ "10.186.133.184" ], "related.user": [ - "sci", "acons", + "sci", "boriosa" ], "rsa.counters.dclass_c1": 1578, @@ -3573,9 +3573,9 @@ "10.160.147.230" ], "related.user": [ - "ndeomnis", "illoin", - "nimvenia" + "nimvenia", + "ndeomnis" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3628,9 +3628,9 @@ "10.182.197.243" ], "related.user": [ + "exerci", "orisnis", - "mSecti", - "exerci" + "mSecti" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3683,13 +3683,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.249.13.159", - "10.108.130.106" + "10.108.130.106", + "10.249.13.159" ], "related.user": [ - "uisautei", + "exeacomm", "colab", - "exeacomm" + "uisautei" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3744,13 +3744,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.64.94.174", - "10.39.244.49" + "10.39.244.49", + "10.64.94.174" ], "related.user": [ - "Sedut", "iunt", - "estiae" + "estiae", + "Sedut" ], "rsa.counters.event_counter": 7128, "rsa.db.database": "eFinibu", 
@@ -3868,8 +3868,8 @@ "10.115.203.143" ], "related.user": [ - "orpori", "utoditau", + "orpori", "involu" ], "rsa.counters.dclass_c1": 7868, @@ -3923,8 +3923,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.251.212.166", - "10.43.244.252" + "10.43.244.252", + "10.251.212.166" ], "related.user": [ "uptat", @@ -4014,9 +4014,9 @@ "10.20.231.188" ], "related.user": [ + "uatDuisa", "tesseq", - "mqu", - "uatDuisa" + "mqu" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4101,8 +4101,8 @@ "10.231.77.26" ], "related.user": [ - "ineavol", "rehe", + "ineavol", "volu" ], "rsa.counters.dclass_c1": 3064, @@ -4158,9 +4158,9 @@ "10.106.166.105" ], "related.user": [ - "avolup", "usa", - "olupt" + "olupt", + "avolup" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4209,13 +4209,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.172.121.239", - "10.57.169.205" + "10.57.169.205", + "10.172.121.239" ], "related.user": [ - "ctas", + "ipsu", "iuta", - "ipsu" + "ctas" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4268,13 +4268,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.42.218.103", - "10.129.234.200" + "10.129.234.200", + "10.42.218.103" ], "related.user": [ + "dquia", "tevelit", - "tisundeo", - "dquia" + "tisundeo" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4327,13 +4327,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.111.132.221", - "10.76.121.224" + "10.76.121.224", + "10.111.132.221" ], "related.user": [ - "ali", "oloremi", - "scive" + "scive", + "ali" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4386,13 +4386,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.17.214.21", - "10.195.8.141" + "10.195.8.141", + "10.17.214.21" ], "related.user": [ - "enimip", + "ota", "dolo", - "ota" + "enimip" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4450,8 +4450,8 @@ ], "related.user": [ "ptasn", - "apar", - "isn" + "isn", + "apar" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4508,9 +4508,9 @@ "10.42.135.34" ], "related.user": [ + "ore", "orsi", - "tiset", - "ore" + "tiset" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4591,13 +4591,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.8.147.176", - "10.207.198.239" + "10.207.198.239", + "10.8.147.176" ], "related.user": [ - "incididu", "Loremips", - "aUteni" + "aUteni", + "incididu" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4649,13 +4649,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.206.221.180", - "10.116.26.185" + "10.116.26.185", + "10.206.221.180" ], "related.user": [ "litesseq", - "nseq", - "oNe" + "oNe", + "nseq" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4704,13 +4704,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.253.127.130", - "10.86.180.150" + "10.86.180.150", + "10.253.127.130" ], "related.user": [ + "itasper", "etconsec", - "mnisis", - "itasper" + "mnisis" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4769,8 +4769,8 @@ "10.220.175.201" ], "related.user": [ - "dolo", - "rrors" + "rrors", + "dolo" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", 
@@ -4856,13 +4856,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.16.82", - "10.150.27.144" + "10.150.27.144", + "10.248.16.82" ], "related.user": [ - "tuserror", + "res", "ditautf", - "res" + "tuserror" ], "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4915,13 +4915,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.19.140", - "10.146.131.76" + "10.146.131.76", + "10.173.19.140" ], "related.user": [ "orsi", - "Except", - "olo" + "olo", + "Except" ], "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4973,13 +4973,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.171.175.165", - "10.69.5.227" + "10.69.5.227", + "10.171.175.165" ], "related.user": [ - "doloreme", "ntocc", - "rumw" + "rumw", + "doloreme" ], "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5028,12 +5028,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.213.214.118", - "10.253.175.129" + "10.253.175.129", + "10.213.214.118" ], "related.user": [ - "nrep", "ate", + "nrep", "epteurs" ], "rsa.counters.dclass_c1": 6260, @@ -5093,17 +5093,17 @@ "10.149.91.130" ], "related.user": [ - "atus", "orumetMa", - "aboris" + "aboris", + "atus" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atcupi" + "atcupi", + "block" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", @@ -5155,13 +5155,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.52.106.68", - "10.81.108.232" + "10.81.108.232", + "10.52.106.68" ], "related.user": [ - "neavolup", + "aco", "uaturve", - "aco" + "neavolup" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", 
@@ -5222,8 +5222,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.230.48.97", - "10.223.10.28" + "10.223.10.28", + "10.230.48.97" ], "related.user": [ "untex", @@ -5291,9 +5291,9 @@ "10.161.212.150" ], "related.user": [ - "sequamn", "res", - "tasnul" + "tasnul", + "sequamn" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5348,8 +5348,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.247.108.144", - "10.226.75.20" + "10.226.75.20", + "10.247.108.144" ], "related.user": [ "maccusan", @@ -5361,8 +5361,8 @@ "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "iat" + "iat", + "block" ], "rsa.misc.category": "officia", "rsa.misc.disposition": "ametcon", @@ -5416,9 +5416,9 @@ "10.192.15.65" ], "related.user": [ - "illumd", "rExcep", - "nimides" + "nimides", + "illumd" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5473,9 +5473,9 @@ "10.197.254.133" ], "related.user": [ + "trudex", "ide", - "idu", - "trudex" + "idu" ], "rsa.counters.event_counter": 2608, "rsa.db.database": "ncul", @@ -5537,9 +5537,9 @@ "10.144.14.15" ], "related.user": [ - "rspic", "utlab", - "upta" + "upta", + "rspic" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5591,12 +5591,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.177.182", - "10.18.15.43" + "10.18.15.43", + "10.248.177.182" ], "related.user": [ - "caecat", "quaturve", + "caecat", "quei" ], "rsa.counters.dclass_c1": 983, diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index c53ccc0296a..127cf9703d1 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
@@ -17,7 +17,6 @@ "rsa.misc.event_source": "volup208.invalid", "rsa.misc.version": "1.5191", "rsa.time.day": "29", - "rsa.time.event_time": "2020-01-29T08:09:59.000Z", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ @@ -54,7 +53,6 @@ "atio5608.www5.localhost" ], "rsa.time.day": "12", - "rsa.time.event_time": "2020-02-12T15:12:33.000Z", "rsa.time.month": "Feb", "service.type": "infoblox", "tags": [ @@ -84,7 +82,6 @@ "rsa.misc.device_name": "scivel", "rsa.misc.event_source": "ptass3168.www5.example", "rsa.time.day": "26", - "rsa.time.event_time": "2020-02-26T22:15:08.000Z", "rsa.time.month": "Feb", "service.type": "infoblox", "tags": [ @@ -106,7 +103,6 @@ "rsa.internal.messageid": "purge_scheduled_tasks", "rsa.misc.event_source": "rmagni1998.internal.host", "rsa.time.day": "12", - "rsa.time.event_time": "2020-03-12T05:17:42.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -132,7 +128,6 @@ "rsa.misc.device_name": "pori", "rsa.misc.event_source": "Cice513.api.local", "rsa.time.day": "26", - "rsa.time.event_time": "2020-03-26T12:20:16.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -156,7 +151,6 @@ "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "uid545.www5.localhost", "rsa.time.day": "9", - "rsa.time.event_time": "2020-04-09T19:22:51.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -179,7 +173,6 @@ "rsa.misc.event_source": "nibusBon7400.localhost", "rsa.misc.result": "success", "rsa.time.day": "24", - "rsa.time.event_time": "2020-04-24T02:25:25.000Z", "rsa.time.month": "Apr", "service.type": "infoblox", "tags": [ @@ -202,7 +195,6 @@ "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "iat1852.api.localdomain", "rsa.time.day": "8", - "rsa.time.event_time": "2020-05-08T09:27:59.000Z", "rsa.time.month": "May", "service.type": "infoblox", "tags": [ 
@@ -229,7 +221,6 @@ "rsa.misc.event_source": "mquisnos5771.example", "rsa.time.day": "22", "rsa.time.duration_time": 61.614, - "rsa.time.event_time": "2020-05-22T16:30:33.000Z", "rsa.time.month": "May", "service.type": "infoblox", "source.ip": [ @@ -255,7 +246,6 @@ "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "moll2902.www.local", "rsa.time.day": "5", - "rsa.time.event_time": "2020-06-05T23:33:08.000Z", "rsa.time.month": "June", "service.type": "infoblox", "tags": [ @@ -279,7 +269,6 @@ "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "onse1664.internal.domain", "rsa.time.day": "20", - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "rsa.time.month": "June", "service.type": "infoblox", "tags": [ @@ -310,7 +299,6 @@ "rsa.misc.result": "success", "rsa.misc.result_code": "dun", "rsa.time.day": "4", - "rsa.time.event_time": "2020-07-04T13:38:16.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -334,7 +322,6 @@ "rsa.internal.messageid": "sSMTP", "rsa.misc.event_source": "ali6446.localhost", "rsa.time.day": "18", - "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -357,7 +344,6 @@ "rsa.internal.messageid": "shutdown", "rsa.misc.event_source": "edquiano6061.internal.invalid", "rsa.time.day": "2", - "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ @@ -387,7 +373,6 @@ "rsa.internal.messageid": "tacacs_acct", "rsa.misc.event_source": "cup1793.local", "rsa.time.day": "16", - "rsa.time.event_time": "2019-08-16T10:45:59.000Z", "rsa.time.month": "Aug", "service.type": "infoblox", "tags": [ @@ -411,7 +396,6 @@ "rsa.internal.messageid": "controld", "rsa.misc.event_source": "ostr4979.www5.host", "rsa.time.day": "30", - "rsa.time.event_time": "2019-08-30T17:48:33.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ 
@@ -434,7 +418,6 @@ "rsa.internal.messageid": "ntpdate", "rsa.misc.event_source": "adm987.www.test", "rsa.time.day": "13", - "rsa.time.event_time": "2019-09-14T00:51:07.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -458,7 +441,6 @@ "rsa.internal.messageid": "syslog", "rsa.misc.event_source": "isaute811.www.home", "rsa.time.day": "28", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -482,7 +464,6 @@ "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "inima5444.www5.lan", "rsa.time.day": "12", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -506,7 +487,6 @@ "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "erc3217.internal.lan", "rsa.time.day": "26", - "rsa.time.event_time": "2019-10-26T21:58:50.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -531,7 +511,6 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.misc.event_source": "iadese6958.www5.local", "rsa.time.day": "10", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "rsa.time.month": "Nov", "service.type": "infoblox", "tags": [ @@ -554,7 +533,6 @@ "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "CSed2857.www5.example", "rsa.time.day": "24", - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "rsa.time.month": "November", "service.type": "infoblox", "tags": [ @@ -581,7 +559,6 @@ "rsa.misc.event_source": "uatD2509.mail.domain", "rsa.time.day": "8", "rsa.time.duration_time": 66.44, - "rsa.time.event_time": "2019-12-08T19:06:33.000Z", "rsa.time.month": "December", "service.type": "infoblox", "source.ip": [ 
@@ -609,7 +586,6 @@ "rsa.misc.event_source": "datatn5076.internal.example", "rsa.misc.version": "1.2807", "rsa.time.day": "23", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ @@ -633,7 +609,6 @@ "rsa.internal.messageid": "rsyncd", "rsa.misc.event_source": "ercit2385.internal.home", "rsa.time.day": "6", - "rsa.time.event_time": "2020-01-06T09:11:41.000Z", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ @@ -656,7 +631,6 @@ "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "quisnos4590.mail.domain", "rsa.time.day": "20", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ @@ -680,7 +654,6 @@ "rsa.internal.messageid": "restarting", "rsa.misc.event_source": "wri2784.api.domain", "rsa.time.day": "3", - "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "rsa.time.month": "February", "service.type": "infoblox", "tags": [ @@ -704,7 +677,6 @@ "rsa.internal.messageid": "rc3", "rsa.misc.event_source": "asun1250.api.localdomain", "rsa.time.day": "18", - "rsa.time.event_time": "2020-02-18T06:19:24.000Z", "rsa.time.month": "February", "service.type": "infoblox", "tags": [ @@ -729,7 +701,6 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.misc.event_source": "iae1637.local", "rsa.time.day": "04", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", "rsa.time.month": "Mar", "service.type": "infoblox", "tags": [ @@ -753,7 +724,6 @@ "rsa.internal.messageid": "controld", "rsa.misc.event_source": "boris5916.www5.example", "rsa.time.day": "18", - "rsa.time.event_time": "2020-03-18T20:24:33.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -776,7 +746,6 @@ "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "temqu3331.api.host", "rsa.time.day": "2", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ 
@@ -801,7 +770,6 @@ "rsa.internal.data": "liquide", "rsa.internal.messageid": "db_jnld", "rsa.time.day": "16", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -827,7 +795,6 @@ "rsa.misc.event_source": "radi1512.mail.example", "rsa.misc.result_code": "lor", "rsa.time.day": "30", - "rsa.time.event_time": "2020-04-30T17:32:16.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -850,7 +817,6 @@ "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "bore6534.internal.localhost", "rsa.time.day": "14", - "rsa.time.event_time": "2020-05-15T00:34:50.000Z", "rsa.time.month": "May", "service.type": "infoblox", "tags": [ @@ -873,7 +839,6 @@ "rsa.internal.messageid": "ipmievd", "rsa.misc.event_source": "eveli265.www5.localdomain", "rsa.time.day": "29", - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "rsa.time.month": "May", "service.type": "infoblox", "tags": [ @@ -910,7 +875,6 @@ "uptatema6843.www.host" ], "rsa.time.day": "12", - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", "rsa.time.month": "Jun", "service.type": "infoblox", "tags": [ @@ -936,7 +900,6 @@ "rsa.investigations.ec_outcome": "Failure", "rsa.misc.event_source": "Utenima1612.www5.domain", "rsa.time.day": "26", - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "rsa.time.month": "Jun", "service.type": "infoblox", "tags": [ @@ -959,7 +922,6 @@ "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "tco1842.www.localhost", "rsa.time.day": "11", - "rsa.time.event_time": "2019-07-11T04:45:07.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -984,7 +946,6 @@ "rsa.misc.client": "tev", "rsa.misc.event_source": "turadip3427.api.corp", "rsa.time.day": "25", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ 
@@ -1007,7 +968,6 @@ "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", "rsa.time.day": "8", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ @@ -1030,7 +990,6 @@ "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", "rsa.time.day": "22", - "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ @@ -1057,7 +1016,6 @@ ], "rsa.misc.event_source": "ios6980.example", "rsa.time.day": "6", - "rsa.time.event_time": "2019-09-06T08:55:24.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -1081,7 +1039,6 @@ "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "osquira6030.internal.corp", "rsa.time.day": "20", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -1105,7 +1062,6 @@ "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "squirati63.mail.lan", "rsa.time.day": "4", - "rsa.time.event_time": "2019-10-04T23:00:32.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -1129,7 +1085,6 @@ "rsa.misc.client": "tvolupt", "rsa.misc.event_source": "lup2134.www.localhost", "rsa.time.day": "19", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -1153,7 +1108,6 @@ "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "umdo4017.www.local", "rsa.time.day": "2", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", "rsa.time.month": "November", "service.type": "infoblox", "tags": [ @@ -1176,7 +1130,6 @@ "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", "rsa.time.day": "16", - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", "rsa.time.month": "November", "service.type": "infoblox", "tags": [ 
@@ -1203,7 +1156,6 @@ "rsa.misc.event_source": "orumSe728.internal.test", "rsa.misc.result_code": "molli", "rsa.time.day": "1", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ @@ -1227,7 +1179,6 @@ "rsa.internal.messageid": "acpid", "rsa.misc.event_source": "oremi7400.www.local", "rsa.time.day": "15", - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ @@ -1253,7 +1204,6 @@ "rsa.internal.messageid": "in.tftpd", "rsa.misc.event_source": "ess651.test", "rsa.time.day": "29", - "rsa.time.event_time": "2019-12-29T17:15:58.000Z", "rsa.time.month": "December", "service.type": "infoblox", "source.ip": [ @@ -1288,7 +1238,6 @@ "rsa.investigations.ec_theme": "Authentication", "rsa.misc.event_source": "epre6970.www.example", "rsa.time.day": "12", - "rsa.time.event_time": "2020-01-13T00:18:32.000Z", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ @@ -1312,7 +1261,6 @@ "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", "rsa.time.day": "27", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ @@ -1336,7 +1284,6 @@ "rsa.misc.event_source": "siut5663.local", "rsa.misc.version": "1.271", "rsa.time.day": "10", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "rsa.time.month": "February", "service.type": "infoblox", "tags": [ @@ -1363,7 +1310,6 @@ "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "elitse6672.internal.localdomain", "rsa.time.day": "24", - "rsa.time.event_time": "2020-02-24T21:26:15.000Z", "rsa.time.month": "February", "service.type": "infoblox", "source.ip": [ 
@@ -1390,7 +1336,6 @@ "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "tpersp55.api.invalid", "rsa.time.day": "11", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -1413,7 +1358,6 @@ "rsa.internal.messageid": "init", "rsa.misc.event_source": "uptate6077.www5.corp", "rsa.time.day": "25", - "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -1436,7 +1380,6 @@ "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "odoconse228.mail.localdomain", "rsa.time.day": "8", - "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -1460,7 +1403,6 @@ "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "tdol5310.domain", "rsa.time.day": "22", - "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -1485,7 +1427,6 @@ "rsa.internal.messageid": "in.tftpd", "rsa.misc.event_source": "ica7215.mail.home", "rsa.time.day": "7", - "rsa.time.event_time": "2020-05-07T08:39:06.000Z", "rsa.time.month": "May", "service.type": "infoblox", "source.ip": [ @@ -1513,7 +1454,6 @@ "rsa.misc.client": "porinc", "rsa.misc.event_source": "veniamqu7284.mail.invalid", "rsa.time.day": "21", - "rsa.time.event_time": "2020-05-21T15:41:41.000Z", "rsa.time.month": "May", "service.type": "infoblox", "tags": [ @@ -1540,7 +1480,6 @@ "rsa.internal.messageid": "in.tftpd", "rsa.misc.event_source": "eumfugi28.api.test", "rsa.time.day": "4", - "rsa.time.event_time": "2020-06-04T22:44:15.000Z", "rsa.time.month": "June", "service.type": "infoblox", "source.ip": [ @@ -1566,7 +1505,6 @@ "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "sequatD5469.www5.lan", "rsa.time.day": "19", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "rsa.time.month": "June", "service.type": "infoblox", "tags": [ 
@@ -1589,7 +1527,6 @@ "rsa.internal.messageid": "purge_scheduled_tasks", "rsa.misc.event_source": "tla4765.api.host", "rsa.time.day": "3", - "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -1612,7 +1549,6 @@ "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "itationu3575.www.invalid", "rsa.time.day": "17", - "rsa.time.event_time": "2019-07-17T19:51:58.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -1636,7 +1572,6 @@ "rsa.misc.event_source": "mmodoc4947.internal.test", "rsa.misc.result": "unknown", "rsa.time.day": "01", - "rsa.time.event_time": "2019-08-01T02:54:32.000Z", "rsa.time.month": "Aug", "service.type": "infoblox", "tags": [ @@ -1659,7 +1594,6 @@ "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "olorem2760.www5.test", "rsa.time.day": "15", - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ @@ -1685,7 +1619,6 @@ "rsa.misc.event_source": "dol3346.www.lan", "rsa.misc.result": "unknown", "rsa.time.day": "29", - "rsa.time.event_time": "2019-08-29T16:59:40.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ @@ -1710,7 +1643,6 @@ "rsa.misc.device_name": "midestl", "rsa.misc.event_source": "ercit6496.api.local", "rsa.time.day": "12", - "rsa.time.event_time": "2019-09-13T00:02:15.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -1734,7 +1666,6 @@ "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "tlaboree6412.internal.home", "rsa.time.day": "27", - "rsa.time.event_time": "2019-09-27T07:04:49.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ 
@@ -1757,7 +1688,6 @@ "rsa.internal.messageid": "init", "rsa.misc.event_source": "mipsamvo4282.api.home", "rsa.time.day": "11", - "rsa.time.event_time": "2019-10-11T14:07:23.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -1781,7 +1711,6 @@ "rsa.misc.client": "hitec", "rsa.misc.event_source": "ugit5828.www5.test", "rsa.time.day": "25", - "rsa.time.event_time": "2019-10-25T21:09:57.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -1807,7 +1736,6 @@ "rsa.misc.event_source": "itanim4024.api.example", "rsa.time.day": "9", "rsa.time.duration_time": 98.036, - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "rsa.time.month": "November", "service.type": "infoblox", "source.ip": [ @@ -1837,7 +1765,6 @@ "rsa.internal.messageid": "dhcpd", "rsa.misc.event_source": "ation6657.www.home", "rsa.time.day": "23", - "rsa.time.event_time": "2019-11-23T11:15:06.000Z", "rsa.time.month": "Nov", "service.type": "infoblox", "source.ip": [ @@ -1864,7 +1791,6 @@ "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "tas2266.internal.example", "rsa.time.day": "7", - "rsa.time.event_time": "2019-12-07T18:17:40.000Z", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ @@ -1888,7 +1814,6 @@ "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "oremquel3992.mail.host", "rsa.time.day": "21", - "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ @@ -1912,7 +1837,6 @@ "rsa.internal.messageid": "dhcpdv6", "rsa.misc.event_source": "atuse5193.www.local", "rsa.time.day": "5", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "rsa.time.month": "Jan", "service.type": "infoblox", "tags": [ @@ -1936,7 +1860,6 @@ "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "ratv2649.www.host", "rsa.time.day": "19", - "rsa.time.event_time": "2020-01-19T15:25:23.000Z", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ 
@@ -1960,7 +1883,6 @@ "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "nculpaq3821.www5.invalid", "rsa.time.day": "2", - "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "rsa.time.month": "February", "service.type": "infoblox", "tags": [ @@ -1984,7 +1906,6 @@ "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "obea5700.mail.lan", "rsa.time.day": "17", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "rsa.time.month": "February", "service.type": "infoblox", "tags": [ @@ -2010,7 +1931,6 @@ "rsa.misc.device_name": "pisc", "rsa.misc.event_source": "ntmo3423.mail.home", "rsa.time.day": "3", - "rsa.time.event_time": "2020-03-03T12:33:06.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -2033,7 +1953,6 @@ "rsa.misc.client": "amvolu", "rsa.misc.event_source": "qui3176.internal.example", "rsa.time.day": "17", - "rsa.time.event_time": "2020-03-17T19:35:40.000Z", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -2057,7 +1976,6 @@ "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "pta6801.mail.invalid", "rsa.time.day": "1", - "rsa.time.event_time": "2020-04-01T02:38:14.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -2080,7 +1998,6 @@ "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "scivel2614.www5.invalid", "rsa.time.day": "15", - "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "rsa.time.month": "April", "service.type": "infoblox", "tags": [ @@ -2107,7 +2024,6 @@ "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "ntmoll7616.api.localhost", "rsa.time.day": "29", - "rsa.time.event_time": "2020-04-29T16:43:23.000Z", "rsa.time.month": "April", "service.type": "infoblox", "source.ip": [ 
@@ -2156,7 +2072,6 @@ "rsa.internal.messageid": "debug", "rsa.misc.event_source": "velill2874.internal.invalid", "rsa.time.day": "28", - "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "rsa.time.month": "May", "service.type": "infoblox", "tags": [ @@ -2179,7 +2094,6 @@ "rsa.internal.messageid": "python", "rsa.misc.event_source": "ict2699.internal.localhost", "rsa.time.day": "11", - "rsa.time.event_time": "2020-06-11T13:51:06.000Z", "rsa.time.month": "June", "service.type": "infoblox", "tags": [ @@ -2203,7 +2117,6 @@ "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "reseosq3558.www5.invalid", "rsa.time.day": "25", - "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "rsa.time.month": "June", "service.type": "infoblox", "tags": [ @@ -2226,7 +2139,6 @@ "rsa.internal.messageid": "purge_scheduled_tasks", "rsa.misc.event_source": "saqu320.api.test", "rsa.time.day": "10", - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -2249,7 +2161,6 @@ "rsa.misc.client": "ommo", "rsa.misc.event_source": "sequat4596.api.domain", "rsa.time.day": "24", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "rsa.time.month": "July", "service.type": "infoblox", "tags": [ @@ -2272,7 +2183,6 @@ "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "olu5333.www.domain", "rsa.time.day": "7", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ @@ -2295,7 +2205,6 @@ "rsa.internal.messageid": "init", "rsa.misc.event_source": "dtemp1362.internal.example", "rsa.time.day": "21", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "rsa.time.month": "August", "service.type": "infoblox", "tags": [ 
@@ -2319,7 +2228,6 @@ "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "odt5505.www5.localdomain", "rsa.time.day": "5", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -2343,7 +2251,6 @@ "observer.vendor": "Infoblox", "rsa.internal.messageid": "db_jnld", "rsa.time.day": "19", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "rsa.time.month": "September", "service.type": "infoblox", "tags": [ @@ -2367,7 +2274,6 @@ "rsa.internal.messageid": "syslog", "rsa.misc.event_source": "itse522.internal.localdomain", "rsa.time.day": "3", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -2390,7 +2296,6 @@ "rsa.internal.messageid": "acpid", "rsa.misc.event_source": "oquisqu1528.invalid", "rsa.time.day": "18", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "rsa.time.month": "October", "service.type": "infoblox", "tags": [ @@ -2413,7 +2318,6 @@ "rsa.internal.messageid": "acpid", "rsa.misc.event_source": "quu2203.internal.invalid", "rsa.time.day": "1", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "rsa.time.month": "November", "service.type": "infoblox", "tags": [ @@ -2437,7 +2341,6 @@ "rsa.internal.messageid": "debug", "rsa.misc.event_source": "quunt3116.localhost", "rsa.time.day": "15", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "rsa.time.month": "Nov", "service.type": "infoblox", "tags": [ @@ -2461,7 +2364,6 @@ "rsa.internal.messageid": "debug", "rsa.misc.event_source": "texpli7157.mail.invalid", "rsa.time.day": "30", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "rsa.time.month": "Nov", "service.type": "infoblox", "tags": [ @@ -2485,7 +2387,6 @@ "rsa.internal.messageid": "openvpn-master", "rsa.misc.event_source": "odoc7856.api.example", "rsa.time.day": "14", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ 
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 47b91c2dd80..1d9148c355d 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -946,7 +946,7 @@ ] }, { - "@timestamp": "2019-07-11T04:45:07.000Z", + "@timestamp": "2020-07-11T04:45:07.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -963,7 +963,7 @@ "rsa.misc.severity": "very-high", "rsa.time.duration_time": 38.117, "rsa.time.endtime": "2017-07-11T04:45:07.000Z", - "rsa.time.event_time": "2019-07-11T04:45:07.000Z", + "rsa.time.event_time": "2020-07-11T04:45:07.000Z", "rsa.time.starttime": "2017-07-11T04:45:07.000Z", "service.type": "netscout", "tags": [ @@ -1086,8 +1086,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.168.131.247", - "10.136.232.108" + "10.136.232.108", + "10.168.131.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1806,8 +1806,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.80.101.72", - "10.83.130.226" + "10.83.130.226", + "10.80.101.72" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2263,8 +2263,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.44.47.27", - "10.179.210.218" + "10.179.210.218", + "10.44.47.27" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2496,8 +2496,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.131.74.36", - "10.74.159.77" + "10.74.159.77", + "10.131.74.36" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", 
diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json index 438fde63d8c..9ed4b3d8ef2 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json @@ -83,7 +83,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -157,7 +156,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "iciadese", "rsa.internal.messageid": "Migration", - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -284,7 +282,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -357,7 +354,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -394,7 +390,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -436,7 +431,6 @@ "rsa.misc.action": [ "Shutting down" ], - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -455,7 +449,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -475,7 +468,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "atnulapa", "rsa.internal.messageid": "Migration", - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -621,7 +613,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "oloreeu", "rsa.internal.messageid": "Activation", - "rsa.time.event_time": "2017-05-14T12:34:50.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -640,7 +631,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -660,7 +650,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "tect", "rsa.internal.messageid": "Error", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -683,7 +672,6 @@ "rsa.misc.action": [ "Upgrading database" ], - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -702,7 +690,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -740,7 +727,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "cin", "rsa.internal.messageid": "An", - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -760,7 +746,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "natuserr", "rsa.internal.messageid": "PostgreSQL", - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -779,7 +764,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -799,7 +783,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "eruntmo", "rsa.internal.messageid": "Remapped", - "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -854,7 +837,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -947,7 +929,6 @@ "rsa.internal.event_desc": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured", "rsa.internal.messageid": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", "rsa.misc.result_code": "exeacomm", - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1003,7 +984,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "quamqua", "rsa.internal.messageid": "Establishing", - "rsa.time.event_time": "2018-02-24T09:26:15.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1023,7 +1003,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "ntut", "rsa.internal.messageid": "Deleted", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1043,7 +1022,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "edqui", "rsa.internal.messageid": "Error", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1081,7 +1059,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "moen", "rsa.internal.messageid": "0.16", - "rsa.time.event_time": "2018-04-23T01:36:32.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1123,7 +1100,6 @@ "rsa.internal.messageid": "Renamed", "rsa.investigations.ec_activity": "Modify", "rsa.investigations.ec_outcome": "Success", - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1178,7 +1154,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1251,7 +1226,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2018-08-29T04:59:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1328,7 +1302,6 @@ "rsa.misc.action": [ "accept" ], - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", "service.name": "fld1", "service.type": "rapid7", "tags": [ @@ -1367,7 +1340,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "maveni", "rsa.internal.messageid": "loading", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1387,7 +1359,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "Closing connection to scan engine", "rsa.internal.messageid": "Closing", - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1424,7 +1395,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1462,7 +1432,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "laud", "rsa.internal.messageid": "removing", - "rsa.time.event_time": "2019-02-02T10:27:57.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1481,7 +1450,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1500,7 +1468,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1520,7 +1487,6 @@ "observer.vendor": "Rapid7", "rsa.db.index": "isq", "rsa.internal.messageid": "Setting", - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1615,7 +1581,6 @@ "rsa.misc.action": [ "allow" ], - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.name": "fld1", "service.type": "rapid7", "tags": [ @@ -1658,7 +1623,6 @@ "rsa.misc.action": [ "Shutting down" ], - "rsa.time.event_time": "2019-06-25T08:53:40.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1733,7 +1697,6 @@ "rsa.db.index": "stlaboru", "rsa.internal.event_desc": "Job execution threads will use class loader", "rsa.internal.messageid": "Job", - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1754,7 +1717,6 @@ "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", "rsa.internal.messageid": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", "rsa.misc.result_code": "uaer", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1774,7 +1736,6 @@ "observer.vendor": "Rapid7", "rsa.internal.event_desc": "iono", "rsa.internal.messageid": "Restarting", - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1865,7 +1826,6 @@ "observer.type": "Vulnerability", "observer.vendor": "Rapid7", "rsa.internal.messageid": "[Site:", - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index b10be9aa75c..871c56736c6 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -37,8 +37,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.13.70.213", - "10.95.245.65" + "10.95.245.65", + "10.13.70.213" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -210,9 +210,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.206.224.241", "10.162.42.110", - "10.90.131.186" + "10.90.131.186", + "10.206.224.241" ], "rsa.internal.event_desc": "onse", "rsa.internal.messageid": "908", @@ -287,8 +287,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.109.232.112", - "10.58.208.39" + "10.58.208.39", + "10.109.232.112" ], "related.user": [ "sectetur" @@ -459,8 +459,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.59.119.118", - "10.114.138.121" + "10.114.138.121", + "10.59.119.118" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "riat", @@ -492,8 +492,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.176.205.96", - "10.136.114.84" + "10.136.114.84", + "10.176.205.96" ], "rsa.internal.messageid": "346", "rsa.internal.msg": "eprehend", @@ -618,8 +618,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.6.77.80", - "10.52.186.29" + "10.52.186.29", + "10.6.77.80" ], "rsa.internal.event_desc": "ione", "rsa.internal.messageid": "995", 
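Review bot: Every hunk in this section only swaps the order of the `related.ip` elements, and the new order is not sorted in any consistent way (`"10.95.245.65", "10.13.70.213"` at one site, `"10.162.42.110", "10.90.131.186", "10.206.224.241"` at another), so the regenerated fixture now pins an arbitrary element order. The same flip, in both directions, appears across the three squid `access*.log-expected.json` sections that follow for `related.ip` and `rsa.misc.action` (`"GET", "TCP_MISS"` becomes `"TCP_MISS", "GET"` in one hunk and the reverse in another), which suggests the producer emits these multi-valued fields in nondeterministic order rather than that their content changed. Re-goldening the files masks that: the expected output will flap again on the next regeneration, and a genuine change to `related.ip` (a field that detection content and enrichment key on) would be indistinguishable from reorder noise. A sturdier fix is to canonicalize order before comparison, e.g. in the test's key-cleaning step sort list-valued fields (`sorted(value)` when `isinstance(value, list)`) or have the pipeline append to these fields in a fixed order; that code lives outside this diff, so this is an inference from the fixture churn alone.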
@@ -671,8 +671,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.240.242.122", - "10.144.97.172" + "10.144.97.172", + "10.240.242.122" ], "rsa.internal.messageid": "346", "rsa.internal.msg": "aera", @@ -744,8 +744,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.120.167.239", - "10.190.83.161" + "10.190.83.161", + "10.120.167.239" ], "rsa.internal.messageid": "888", "rsa.misc.action": [ @@ -847,8 +847,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.162.172.28", - "10.237.163.139" + "10.237.163.139", + "10.162.172.28" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "nre", @@ -986,8 +986,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.251.20.13", - "10.101.74.44" + "10.101.74.44", + "10.251.20.13" ], "related.user": [ "rsitv" @@ -1103,8 +1103,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.226.27.132", - "10.148.161.250" + "10.148.161.250", + "10.226.27.132" ], "rsa.internal.event_desc": "tinv", "rsa.internal.messageid": "534", @@ -1139,8 +1139,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.149.0.64", - "10.64.50.66" + "10.64.50.66", + "10.149.0.64" ], "rsa.db.index": "atevelit", "rsa.internal.messageid": "83", @@ -1200,8 +1200,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1257,8 +1257,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.161.148.64", - "10.96.97.81" + "10.96.97.81", + "10.161.148.64" ], "rsa.internal.messageid": "350", "rsa.internal.msg": "mve", 
@@ -1405,8 +1405,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.77.174.205", - "10.240.49.224" + "10.240.49.224", + "10.77.174.205" ], "rsa.internal.messageid": "240", "rsa.internal.msg": "issuscip", @@ -1437,8 +1437,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.44.150.31", - "10.187.210.173" + "10.187.210.173", + "10.44.150.31" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "quamnih", @@ -1476,8 +1476,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.113.100.237", "10.251.248.228", + "10.113.100.237", "10.108.84.24" ], "rsa.internal.event_desc": "volupt", @@ -1527,8 +1527,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.103.117.31", "10.229.229.42", + "10.103.117.31", "10.207.211.230" ], "rsa.internal.event_desc": "orin", @@ -1871,8 +1871,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.43.16.73", - "10.236.56.233" + "10.236.56.233", + "10.43.16.73" ], "rsa.internal.messageid": "373", "rsa.misc.action": [ @@ -2343,8 +2343,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.22.244.71", - "10.81.33.64" + "10.81.33.64", + "10.22.244.71" ], "rsa.internal.messageid": "888", "rsa.misc.action": [ @@ -2383,8 +2383,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.20.73.247", - "10.205.21.166" + "10.205.21.166", + "10.20.73.247" ], "related.user": [ "sun" @@ -2752,8 +2752,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.243.170.64", - "10.85.204.8" + "10.85.204.8", + "10.243.170.64" ], "rsa.internal.messageid": "src", "rsa.internal.msg": "amquisno", diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 972d080c42e..5804a587507 100644 
--- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -83,8 +83,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -146,8 +146,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -158,8 +158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -308,8 +308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -431,8 +431,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -443,8 +443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -494,8 +494,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" 
@@ -786,8 +786,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "217.212.240.172" + "217.212.240.172", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -861,8 +861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1025,8 +1025,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1083,8 +1083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" ], "related.user": [ "badeyek" @@ -1209,8 +1209,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.160", - "10.105.21.199" + "10.105.21.199", + "213.160.98.160" ], "related.user": [ "badeyek" @@ -1221,8 +1221,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1317,8 +1317,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -1498,8 +1498,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1549,8 +1549,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" 
@@ -1561,8 +1561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1608,8 +1608,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1619,8 +1619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1952,8 +1952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2069,8 +2069,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2173,8 +2173,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.191.93.51", - "10.105.33.214" + "10.105.33.214", + "209.191.93.51" ], "related.user": [ "adeolaegbedokun" @@ -2236,8 +2236,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "63.245.209.21", - "10.105.21.199" + "10.105.21.199", + "63.245.209.21" ], "related.user": [ "badeyek" @@ -2307,8 +2307,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -2352,8 +2352,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2364,8 +2364,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2461,8 +2461,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2558,8 +2558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2606,8 +2606,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2666,8 +2666,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2714,8 +2714,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -2904,8 +2904,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3002,8 +3002,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3062,8 +3062,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3230,8 +3230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3342,8 +3342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3440,8 +3440,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -3452,8 +3452,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3512,8 +3512,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3612,8 +3612,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3722,8 +3722,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3782,8 +3782,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3794,8 +3794,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3854,8 +3854,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3902,8 +3902,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3914,8 +3914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3964,8 +3964,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -4065,8 +4065,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4125,8 +4125,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4137,8 +4137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4185,8 +4185,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4260,8 +4260,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4593,8 +4593,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4668,8 +4668,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -4715,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -4726,8 +4726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4789,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4840,8 +4840,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4852,8 +4852,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4902,8 +4902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5028,8 +5028,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5091,8 +5091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -5191,8 +5191,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5249,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5297,8 +5297,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "217.12.10.96" + "217.12.10.96", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5408,8 +5408,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5420,8 +5420,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_SWAPFAIL_MISS", - "GET" + "GET", + "TCP_SWAPFAIL_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5521,8 +5521,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5533,8 +5533,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5583,8 +5583,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
@@ -5683,8 +5683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index 6678d4932b4..055f352dae0 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json @@ -137,8 +137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -473,8 +473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -585,8 +585,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -697,8 +697,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -865,8 +865,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -977,8 +977,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1033,8 +1033,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1145,8 +1145,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1257,8 +1257,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1313,8 +1313,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1480,8 +1480,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -1536,8 +1536,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1592,8 +1592,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1704,8 +1704,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1760,8 +1760,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1816,8 +1816,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2208,8 +2208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2320,8 +2320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2488,8 +2488,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2544,8 +2544,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2600,8 +2600,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2768,8 +2768,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2880,8 +2880,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2936,8 +2936,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2992,8 +2992,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3328,8 +3328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3384,8 +3384,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3440,8 +3440,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3552,8 +3552,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3776,8 +3776,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4056,8 +4056,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4168,8 +4168,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4224,8 +4224,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4280,8 +4280,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MEM_HIT" + "TCP_MEM_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4391,8 +4391,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4503,8 +4503,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4558,8 +4558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4792,8 +4792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4959,8 +4959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5015,8 +5015,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5183,8 +5183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5239,8 +5239,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5466,8 +5466,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index 84fb44f40df..e0bb9f913fa 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json 
+++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json @@ -23,8 +23,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -71,8 +71,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -119,8 +119,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -167,8 +167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -267,8 +267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -317,8 +317,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -367,8 +367,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -467,8 +467,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", 
@@ -516,8 +516,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -708,8 +708,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -902,8 +902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -952,8 +952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1002,8 +1002,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1200,8 +1200,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -1395,8 +1395,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1442,8 +1442,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" 
@@ -1514,8 +1514,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1562,8 +1562,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1574,8 +1574,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -1741,8 +1741,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" ], "related.user": [ "-" @@ -1857,8 +1857,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" ], "related.user": [ "-" @@ -1868,8 +1868,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1926,8 +1926,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1973,8 +1973,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "related.user": [ "-" @@ -1984,8 +1984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2147,8 +2147,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -2158,8 +2158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2379,8 +2379,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2390,8 +2390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2437,8 +2437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2496,8 +2496,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.97" + "74.125.228.97", + "192.168.0.35" ], "related.user": [ "-" @@ -2624,8 +2624,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2740,8 +2740,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2798,8 +2798,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2903,8 +2903,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -2961,8 +2961,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -3030,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3078,8 +3078,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.184" + "208.44.23.184", + "192.168.0.35" ], "related.user": [ "-" @@ -3090,8 +3090,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-apple-plist", "rsa.misc.result_code": "200", @@ -3210,8 +3210,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3270,8 +3270,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3318,8 +3318,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3438,8 +3438,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -3450,8 +3450,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3510,8 +3510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3570,8 +3570,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3618,8 +3618,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3678,8 +3678,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3798,8 +3798,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3858,8 +3858,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3870,8 +3870,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3978,8 +3978,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -4038,8 +4038,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4110,8 +4110,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4158,8 +4158,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4170,8 +4170,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4218,8 +4218,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4230,8 +4230,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4398,8 +4398,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4410,8 +4410,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4518,8 +4518,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" 
@@ -4530,8 +4530,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4590,8 +4590,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4638,8 +4638,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4650,8 +4650,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4698,8 +4698,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4758,8 +4758,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4818,8 +4818,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4890,8 +4890,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4938,8 +4938,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" 
@@ -4998,8 +4998,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -5010,8 +5010,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5070,8 +5070,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -5244,8 +5244,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5302,8 +5302,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5360,8 +5360,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5407,8 +5407,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "69.171.228.74", - "192.168.0.35" + "192.168.0.35", + "69.171.228.74" ], "related.user": [ "-" @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -5466,8 +5466,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "23.62.194.110", - "192.168.0.35" + "192.168.0.35", + "23.62.194.110" ], "related.user": [ "-" @@ -5535,8 +5535,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5593,8 +5593,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index 06e9fd06c28..083e3410bd9 100644 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -80,8 +80,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -138,8 +138,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" ], "related.user": [ "-" @@ -196,8 +196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" ], "related.user": [ "-" @@ -207,8 +207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -254,8 +254,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.97" + "173.194.123.97", + "::1" ], "related.user": [ "-" @@ -265,8 +265,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -312,8 +312,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -381,8 +381,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -486,8 +486,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" @@ -555,8 +555,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -616,8 +616,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -674,8 +674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -721,8 +721,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" ], "related.user": [ "-" 
@@ -907,8 +907,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -965,8 +965,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1128,8 +1128,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.71" + "173.194.123.71", + "::1" ], "related.user": [ "-" @@ -1139,8 +1139,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1186,8 +1186,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1197,8 +1197,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1302,8 +1302,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1360,8 +1360,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1371,8 +1371,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1487,8 +1487,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1545,8 +1545,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1592,8 +1592,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1603,8 +1603,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1708,8 +1708,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1719,8 +1719,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1777,8 +1777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1940,8 +1940,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" 
@@ -1951,8 +1951,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2056,8 +2056,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2067,8 +2067,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2114,8 +2114,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2125,8 +2125,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2172,8 +2172,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2183,8 +2183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2230,8 +2230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2288,8 +2288,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" 
@@ -2299,8 +2299,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2346,8 +2346,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2357,8 +2357,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2404,8 +2404,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2415,8 +2415,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2462,8 +2462,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2520,8 +2520,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.101", - "::1" + "::1", + "173.194.123.101" ], "related.user": [ "-" @@ -2531,8 +2531,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2589,8 +2589,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2752,8 +2752,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2810,8 +2810,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.226.83" + "74.125.226.83", + "::1" ], "related.user": [ "-" @@ -2881,8 +2881,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -2928,8 +2928,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.41", - "::1" + "::1", + "173.194.123.41" ], "related.user": [ "-" @@ -3048,8 +3048,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "related.user": [ "-" @@ -3232,8 +3232,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" @@ -3293,8 +3293,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "related.user": [ "-" @@ -3354,8 +3354,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" @@ -3426,8 +3426,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3487,8 +3487,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3548,8 +3548,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3609,8 +3609,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3659,8 +3659,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.142", - "::1" + "::1", + "216.58.219.142" ], "related.user": [ "-" @@ -3731,8 +3731,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3781,8 +3781,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.132", - "::1" + "::1", + "216.58.219.132" ], "related.user": [ "-" @@ -3792,8 +3792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3839,8 +3839,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" ], "related.user": [ "-" @@ -3897,8 +3897,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" ], "related.user": [ "-" @@ -3908,8 +3908,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3955,8 +3955,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.141.189", - "::1" + "::1", + "74.125.141.189" ], "related.user": [ "-" @@ -3966,8 +3966,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4016,8 +4016,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.133", - "::1" + "::1", + "216.58.219.133" ], "related.user": [ "-" @@ -4149,8 +4149,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4196,8 +4196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "173.194.205.113" + "173.194.205.113", + "10.100.0.1" ], "related.user": [ "-" @@ -4208,8 +4208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "301", @@ -4326,8 +4326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4377,8 +4377,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.238", - "10.100.0.1" + "10.100.0.1", + "216.58.219.238" ], "related.user": [ "-" @@ -4509,8 +4509,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", 
@@ -4567,8 +4567,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4614,8 +4614,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -4672,8 +4672,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -4683,8 +4683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4788,8 +4788,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -4846,8 +4846,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -4857,8 +4857,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4904,8 +4904,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.12.174" + "172.217.12.174", + "10.100.2.85" ], "related.user": [ "-" @@ -5147,8 +5147,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5263,8 +5263,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5310,8 +5310,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.12.174" + "172.217.12.174", + "10.100.0.1" ], "related.user": [ "-" @@ -5379,8 +5379,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5490,8 +5490,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "related.user": [ "-" @@ -5501,8 +5501,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5562,8 +5562,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5612,8 +5612,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "related.user": [ "-" @@ -5623,8 +5623,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -5684,8 +5684,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5803,8 +5803,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5861,8 +5861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 64567f7af0a..9b1417ba70c 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -38,8 +38,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "pisciv", - "Blocked" + "Blocked", + "pisciv" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", @@ -109,8 +109,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "tur", - "Allowed" + "Allowed", + "tur" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -167,8 +167,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.254.146.57", - "10.204.86.149" + "10.204.86.149", + "10.254.146.57" ], "related.user": [ "tenima" @@ -182,8 +182,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "giatq", - "Blocked" + "Blocked", + "giatq" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", 
@@ -240,8 +240,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" ], "related.user": [ "equun" @@ -386,8 +386,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.183.16.166", - "10.66.250.92" + "10.66.250.92", + "10.183.16.166" ], "related.user": [ "tessec" @@ -401,8 +401,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "ist", - "Allowed" + "Allowed", + "ist" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -459,8 +459,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.123.104.59", - "10.243.224.205" + "10.243.224.205", + "10.123.104.59" ], "related.user": [ "xercitat" @@ -751,8 +751,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.223.247.86", - "10.19.145.131" + "10.19.145.131", + "10.223.247.86" ], "related.user": [ "tNequepo" @@ -824,8 +824,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" @@ -839,8 +839,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "Allowed", - "lorsitam" + "lorsitam", + "Allowed" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -912,8 +912,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "veni", - "Allowed" + "Allowed", + "veni" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -970,8 +970,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.0.55.9", - "10.135.160.125" + "10.135.160.125", + "10.0.55.9" ], "related.user": [ "volupta" 
@@ -1058,8 +1058,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "Allowed", - "ntoccae" + "ntoccae", + "Allowed" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1131,8 +1131,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1189,8 +1189,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.201.171.120", - "10.91.126.231" + "10.91.126.231", + "10.201.171.120" ], "related.user": [ "exercita" @@ -1262,8 +1262,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.107.251.87", - "10.135.82.97" + "10.135.82.97", + "10.107.251.87" ], "related.user": [ "str" @@ -1335,8 +1335,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.198.58", - "10.215.205.216" + "10.215.205.216", + "10.31.198.58" ], "related.user": [ "aturve" @@ -1350,8 +1350,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "oNemoeni", "rsa.misc.action": [ - "nre", - "Blocked" + "Blocked", + "nre" ], "rsa.misc.category": "labo", "rsa.misc.filter": "tutlab", @@ -1408,8 +1408,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.229.83.165", - "10.29.155.171" + "10.29.155.171", + "10.229.83.165" ], "related.user": [ "ulapar" @@ -1481,8 +1481,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.129.192.145", - "10.161.148.64" + "10.161.148.64", + "10.129.192.145" ], "related.user": [ "lor" 
@@ -1496,8 +1496,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uaUten", "rsa.misc.action": [ - "amcorp", - "Blocked" + "Blocked", + "amcorp" ], "rsa.misc.category": "umdolor", "rsa.misc.filter": "velillu", @@ -1627,8 +1627,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.86.22.67", - "10.218.98.29" + "10.218.98.29", + "10.86.22.67" ], "related.user": [ "olori" @@ -1642,8 +1642,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "atcupi", - "Blocked" + "Blocked", + "atcupi" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1773,8 +1773,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" ], "related.user": [ "boreetdo" @@ -1846,8 +1846,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.173.19", - "10.88.172.34" + "10.88.172.34", + "10.128.173.19" ], "related.user": [ "agnaaliq" @@ -1934,8 +1934,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "Allowed", - "mod" + "mod", + "Allowed" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -2065,8 +2065,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.101.38.213", - "10.204.214.251" + "10.204.214.251", + "10.101.38.213" ], "related.user": [ "ueipsa" @@ -2080,8 +2080,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "Allowed", - "quasiarc" + "quasiarc", + "Allowed" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", 
@@ -2138,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2211,8 +2211,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.87.100.240", - "10.242.182.193" + "10.242.182.193", + "10.87.100.240" ], "related.user": [ "stenatus" @@ -2284,8 +2284,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.229.242.223", - "10.80.57.247" + "10.80.57.247", + "10.229.242.223" ], "related.user": [ "itasp" @@ -2299,8 +2299,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdolore", "rsa.misc.action": [ - "onproide", - "Blocked" + "Blocked", + "onproide" ], "rsa.misc.category": "tvolup", "rsa.misc.filter": "niam", @@ -2372,8 +2372,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2445,8 +2445,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2576,8 +2576,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.142.120.198", - "10.166.10.42" + "10.166.10.42", + "10.142.120.198" ], "related.user": [ "olori" @@ -2591,8 +2591,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", 
@@ -2737,8 +2737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "Allowed", - "litanim" + "litanim", + "Allowed" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2795,8 +2795,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.81.14", - "10.243.6.41" + "10.243.6.41", + "10.55.81.14" ], "related.user": [ "eiusmo" @@ -2810,8 +2810,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2941,8 +2941,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.20.124.138", - "10.158.18.51" + "10.158.18.51", + "10.20.124.138" ], "related.user": [ "CSe" @@ -2956,8 +2956,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "quid", - "Allowed" + "Allowed", + "quid" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3029,8 +3029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "Allowed", - "olor" + "olor", + "Allowed" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3087,8 +3087,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" ], "related.user": [ "reet" @@ -3160,8 +3160,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.137.164.122", - "10.143.0.78" + "10.143.0.78", + "10.137.164.122" ], "related.user": [ "orissus" @@ -3306,8 +3306,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.111.249.184", - "10.83.138.34" + "10.83.138.34", + "10.111.249.184" ], "related.user": [ "dentsunt" 
@@ -3321,8 +3321,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3394,8 +3394,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "Allowed", - "uip" + "uip", + "Allowed" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3523,8 +3523,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.22.122.43", - "10.100.143.226" + "10.100.143.226", + "10.22.122.43" ], "related.user": [ "ute" @@ -3611,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "Blocked", - "tinvolup" + "tinvolup", + "Blocked" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3684,8 +3684,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "dolor", - "Blocked" + "Blocked", + "dolor" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3755,8 +3755,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3809,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.39.46.155", - "10.120.138.109" + "10.120.138.109", + "10.39.46.155" ], "related.user": [ "picia" @@ -3824,8 +3824,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "exer", - "Blocked" + "Blocked", + "exer" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", 
@@ -3897,8 +3897,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -3955,8 +3955,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.89.41.97", - "10.91.2.225" + "10.91.2.225", + "10.89.41.97" ], "related.user": [ "tem" @@ -4028,8 +4028,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.18.226", - "10.221.20.165" + "10.221.20.165", + "10.7.18.226" ], "related.user": [ "uasiarch" @@ -4043,8 +4043,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "epreh", - "Allowed" + "Allowed", + "epreh" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", @@ -4116,8 +4116,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "Allowed", - "niam" + "niam", + "Allowed" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", @@ -4174,8 +4174,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4245,8 +4245,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4333,8 +4333,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "upidatat", - "Allowed" + "Allowed", + "upidatat" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4391,8 +4391,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.252.164.230", - "10.60.52.219" + "10.60.52.219", + "10.252.164.230" ], "related.user": [ "gnamali" 
@@ -4475,8 +4475,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "turad", - "Allowed" + "Allowed", + "turad" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", @@ -4604,8 +4604,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.15.254.181", - "10.51.161.245" + "10.51.161.245", + "10.15.254.181" ], "related.user": [ "abo" @@ -4750,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.162.157", - "10.185.107.27" + "10.185.107.27", + "10.29.162.157" ], "related.user": [ "evelite" @@ -4765,8 +4765,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4823,8 +4823,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.138.0.214", - "10.215.63.248" + "10.215.63.248", + "10.138.0.214" ], "related.user": [ "eavolupt" @@ -4896,8 +4896,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.12.130.224", - "10.26.115.88" + "10.26.115.88", + "10.12.130.224" ], "related.user": [ "Nequepo" @@ -4911,8 +4911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4969,8 +4969,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.20.27", - "10.193.152.42" + "10.193.152.42", + "10.91.20.27" ], "related.user": [ "edict" 
@@ -4984,8 +4984,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "Blocked", - "umq" + "umq", + "Blocked" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5115,8 +5115,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5130,8 +5130,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "Allowed", - "onevo" + "onevo", + "Allowed" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5203,8 +5203,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "Blocked", - "maccu" + "maccu", + "Blocked" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5334,8 +5334,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.162.78.48", - "10.24.23.209" + "10.24.23.209", + "10.162.78.48" ], "related.user": [ "ntore" @@ -5349,8 +5349,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "tutl", - "Blocked" + "Blocked", + "tutl" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5407,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "related.user": [ "squir" @@ -5422,8 +5422,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "Allowed", - "umet" + "umet", + "Allowed" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", 
@@ -5495,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "Blocked", - "lupta" + "lupta", + "Blocked" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5641,8 +5641,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5699,8 +5699,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.164.190.2", - "10.223.11.164" + "10.223.11.164", + "10.164.190.2" ], "related.user": [ "ten" @@ -5714,8 +5714,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "antium", - "Allowed" + "Allowed", + "antium" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5772,8 +5772,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.14.37.8", - "10.121.181.243" + "10.121.181.243", + "10.14.37.8" ], "related.user": [ "umwr" @@ -5787,8 +5787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -5918,8 +5918,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.34.98.144", - "10.77.102.206" + "10.77.102.206", + "10.34.98.144" ], "related.user": [ "tectobe" @@ -5933,8 +5933,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "Allowed", - "ulapa" + "ulapa", + "Allowed" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", 
@@ -6079,8 +6079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "mvele", - "Allowed" + "Allowed", + "mvele" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6152,8 +6152,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "uaUten", - "Blocked" + "Blocked", + "uaUten" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6210,8 +6210,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" ], "related.user": [ "umdolo" @@ -6298,8 +6298,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6371,8 +6371,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "nofdeF", - "Blocked" + "Blocked", + "nofdeF" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6429,8 +6429,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.81.20", - "10.250.102.42" + "10.250.102.42", + "10.124.81.20" ], "related.user": [ "tNequ" @@ -6444,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6517,8 +6517,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "onevolu", - "Allowed" + "Allowed", + "onevolu" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", 
@@ -6571,8 +6571,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.46.71.46", - "10.138.193.38" + "10.138.193.38", + "10.46.71.46" ], "related.user": [ "sintocca" @@ -6640,8 +6640,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.254.119.31", - "10.172.159.251" + "10.172.159.251", + "10.254.119.31" ], "related.user": [ "usm" @@ -6801,8 +6801,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6859,8 +6859,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.198.84.190", - "10.31.58.6" + "10.31.58.6", + "10.198.84.190" ], "related.user": [ "unt" @@ -6947,8 +6947,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "exe", - "Allowed" + "Allowed", + "exe" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7005,8 +7005,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.43.71", - "10.152.217.174" + "10.152.217.174", + "10.128.43.71" ], "related.user": [ "mquiado" @@ -7020,8 +7020,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "temvele", - "Blocked" + "Blocked", + "temvele" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7151,8 +7151,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.109.192.53", - "10.172.17.6" + "10.172.17.6", + "10.109.192.53" ], "related.user": [ "eprehen" @@ -7239,8 +7239,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "volup", - "Blocked" + "Blocked", + "volup" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log b/x-pack/filebeat/module/zscaler/zia/test/test.log
deleted file mode 100644
index f1502e48309..00000000000
--- a/x-pack/filebeat/module/zscaler/zia/test/test.log
+++ /dev/null
@@ -1 +0,0 @@
-hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
deleted file mode 100644
index 66ca65108fd..00000000000
--- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
+++ /dev/null
@@ -1,57 +0,0 @@ -[ - { - "@timestamp": "2017-06-23T17:16:42.000Z", - "event.action": "", - "event.code": "", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=", - "event.timezone": "CEST", - "file.type": "", - "fileset.name": "zia", - "host.name": "", - "http.request.referrer": "", - "input.type": "log", - "log.offset": 0, - "network.protocol": "", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.user": [ - "" - ], - "rsa.db.index": "", - "rsa.identity.user_dept": "", - "rsa.internal.data": "hello", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "", - "rsa.misc.action": [ - "", - "" - ], - "rsa.misc.category": "", - "rsa.misc.filter": "", - "rsa.misc.reference_id": "", - "rsa.misc.result": "", - "rsa.misc.result_code": "", - "rsa.network.alias_host": [ - "" - ], - "rsa.threat.threat_category": "", - "rsa.time.event_time": "2017-06-23T17:16:42.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "", - "service.type": "zscaler", - "tags": [ - "zscaler.zia", - "forwarded" - ], - "url.original": "", - "user.name": "", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "" - } -] \ No newline at end of file From d5a77a431ebba6b0415330aec52c5e5de65ca4c7 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Mon, 13 Jul 2020 19:03:29 +0200 Subject: [PATCH 15/19] Update --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../module/barracuda/waf/test/generated.log | 134 +- .../waf/test/generated.log-expected.json | 1034 +++--- x-pack/filebeat/module/bluecoat/README.md | 2 +- x-pack/filebeat/module/citrix/README.md | 2 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../module/cylance/protect/test/generated.log | 198 +- .../protect/test/generated.log-expected.json | 3063 +++++++++-------- x-pack/filebeat/module/f5/README.md | 2 +- .../bigipapm/test/generated.log-expected.json | 8 +- .../module/f5/firepass/test/generated.log | 120 +- .../firepass/test/generated.log-expected.json | 703 ++-- .../test/generated.log-expected.json | 228 +- x-pack/filebeat/module/imperva/README.md | 2 +- .../test/generated.log-expected.json | 476 +-- x-pack/filebeat/module/infoblox/README.md | 2 +- .../module/infoblox/nios/test/generated.log | 170 +- .../nios/test/generated.log-expected.json | 1271 ++++--- x-pack/filebeat/module/juniper/README.md | 2 +- x-pack/filebeat/module/kaspersky/README.md | 2 +- x-pack/filebeat/module/microsoft/README.md | 2 +- x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/test/generated.log | 180 +- .../test/generated.log-expected.json | 1330 +++---- x-pack/filebeat/module/radware/README.md | 2 +- x-pack/filebeat/module/rapid7/README.md | 2 +- .../module/rapid7/nexpose/test/generated.log | 16 +- .../nexpose/test/generated.log-expected.json | 138 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/test/generated.log | 200 +- .../firewall/test/generated.log-expected.json | 2174 ++++++------ x-pack/filebeat/module/squid/README.md | 2 +- .../squid/log/test/access1.log-expected.json | 352 +- .../squid/log/test/access2.log-expected.json | 224 +- .../squid/log/test/access3.log-expected.json | 392 +-- .../squid/log/test/access4.log-expected.json | 356 +- x-pack/filebeat/module/tenable/README.md | 
2 +- x-pack/filebeat/module/tomcat/README.md | 2 +- x-pack/filebeat/module/zscaler/README.md | 2 +- .../zia/test/generated.log-expected.json | 404 +-- .../filebeat/module/zscaler/zia/test/test.log | 1 + .../zscaler/zia/test/test.log-expected.json | 57 + 42 files changed, 6690 insertions(+), 6575 deletions(-) create mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log create mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md index 4b99044c6ec..0899263fd7e 100644 --- a/x-pack/filebeat/module/barracuda/README.md +++ b/x-pack/filebeat/module/barracuda/README.md @@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 -at 2020-07-08 22:20:55.791109 +0000 UTC. +at 2020-07-13 17:11:56.995389 +0000 UTC. diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log index 3348e14ab88..02e42897650 100644 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log 
@@ -1,100 +1,100 @@ -STM_WRAPPER: Successfully stopped STM. -UPDATE: [ALERT:torev] New attack definition version 1.7118 is available -PROCMON: Monitoring links: eth7668 -UPDATE: [ALERT:radi] New attack definition version 1.1512 is available +PROCMON: Started monitoring BYPASS: Mode set to BYPASS (nbyCic). +UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +STM_WRAPPER: Successfully initialized STM. +STM_WRAPPER: Initializing STM. +eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151 +PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading. BYPASS: Mode change: ccusant,epteurs UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available -INSTALL: Migrating configuration from umet to psaquaea -CONFIG_AGENT: gnamali iumdo No rules, exe +STM: LB-doloreeu elillumq CreateServer =loremeum +STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu +UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available +PROCMON: Monitoring links: lo4933 +PROCMON: [ALERT:doconse] One of the RAID arrays is degrading. CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet -STM_WRAPPER: [ALERT:mnisist] Configuration size is dutp which exceeds the ecillu safe limit. Please check your configuration. -BYPASS: Mode set to never bypass. -PROCMON: Monitoring links: enp0s2108 STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration. -STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. 
-eventmgr: Forwarding log messages to syslog host #rudexerc, address=10.158.247.188 -STM: LB-pidatatn tinv ActiveServerOutOfBandMonitorAttr =odico -CONFIG_AGENT: luptate Initiating config_agent database commit phase. -STM_WRAPPER: Successfully initialized STM. -PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua -eventmgr: Forwarding log messages to syslog host #quaturQ, address=10.240.48.190 -PROCMON: [ALERT:onse] One of the RAID arrays is degrading. -STM_WRAPPER: Successfully stopped STM. -eventmgr: Event manager startup succeeded. -BYPASS: Mode set to never bypass. +BYPASS: Mode change: urEx,labo eventmgr: Event manager startup succeeded. -CONFIG_AGENT: metMalor RPC Name =iatur, RPC Result: assitas -PROCMON: Monitoring links: lo514 +STM: LB-Maloru lapariat SetServerdmin=oinBCSed STM_WRAPPER: Successfully stopped STM. -STM: SSL-dic evolupta Ssl Initialization -BYPASS: Mode set to BYPASS (epor). +PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua +STM: LB-isistena Malorum SetSapquelauda=enderit +eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246 +UPDATE: [ALERT:exer] New attack definition version 1.481 is available +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +CONFIG_AGENT: isnisiu aspernat Update succeeded +INSTALL: Loading the snapshot for mquel release. +INSTALL: Migrating configuration from ueporr to ptate +PROCMON: [ALERT:onsequ] enp0s7094: link is up +CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali eventmgr: Event manager startup succeeded. PROCMON: Started monitoring STM: LB-mveniam rvelill EnableServer =iame -CONFIG_AGENT: min Initiating config_agent database commit phase. -INSTALL: Loading the snapshot for ave release. 
-PROCMON: Started monitoring -PROCMON: number of stm worker threads isnisi +PROCMON: number of stm worker threads iseuf +STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios STM_WRAPPER: Successfully stopped STM. -BYPASS: State set to normal: starting heartbeat. -eventmgr: Event manager startup succeeded. +eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30 +PROCMON: [ALERT:uiadolo] eth321: link is up +CONFIG_AGENT: rsi ciduntut Update succeeded +CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal INSTALL: Loading the snapshot for ris release. -STM_WRAPPER: [ALERT:orsi] Configuration size is econs which exceeds the orisni safe limit. Please check your configuration. -BYPASS: Mode change: reseosq,remque -BYPASS: State set to normal: starting heartbeat. +CONFIG_AGENT: aliqui rcitat Update succeeded CONFIG_AGENT: aeconse Initiating config_agent database commit phase. -PROCMON: Monitoring links: enp0s2948 +PROCMON: Started monitoring +CONFIG_AGENT: iaecon ipexea Update succeeded +INSTALL: Migrating configuration from nulapa to cillu +PROCMON: [ALERT:ectetura] Firmware storage exceeds didun +CONFIG_AGENT: rcit nul Received put-tree command UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available -BYPASS: Mode set to BYPASS (iratio). -STM_WRAPPER: [ALERT:onemul] Configuration size is byCicer which exceeds the ipitl safe limit. Please check your configuration. -STM_WRAPPER: Committing UI configuration. -CONFIG_AGENT: ameaque Initiating config_agent database commit phase. +UPDATE: [ALERT:amei] New attack definition version 1.7778 is available +UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available +INSTALL: Migrating configuration from iceroin to qui +INSTALL: Migrating configuration from pariatu to issusc STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. STM_WRAPPER: Committing UI configuration. STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed. -UPDATE: [ALERT:mUtenim] New attack definition version 1.5823 is available eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60 -CONFIG_AGENT: ionevo iaconse Update succeeded -CONFIG_AGENT: eriamea rume Update succeeded -STM: FEHCMON-iaturE veniam FEHC Monitor Module initialized. -BYPASS: Mode set to BYPASS (quira). -STM_WRAPPER: [ALERT:xplicab] Configuration size is utaliqu which exceeds the siut safe limit. Please check your configuration. -CONFIG_AGENT: emquela ons It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., idestl +STM_WRAPPER: Successfully initialized STM. +STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully +STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration. +PROCMON: [ALERT:eumfu] eth5074: link is up CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. -INSTALL: Migrating configuration from isautemv to onproid -PROCMON: Monitoring links: enp0s6760 -PROCMON: [ALERT:lupt] One of the RAID arrays is degrading. -eventmgr: Forwarding log messages to syslog host #isquames, address=10.131.211.114 +INSTALL: Loading the snapshot for pli release. +CONFIG_AGENT: erit Initiating config_agent database commit phase. INSTALL: Loading the snapshot for mod release. INSTALL: Loading the snapshot for lamcolab release. +INSTALL: Migrating configuration from estlab to tis +PROCMON: [ALERT:uamqua] Firmware storage exceeds labo INSTALL: Migrating configuration from tfugit to taspern -BYPASS: State set to normal: starting heartbeat. -INSTALL: Migrating configuration from uisnos to minim +eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158 STM_WRAPPER: Successfully initialized STM. 
-STM_WRAPPER: command(--digest) execution status = litsed -STM: SSL-fugiatn dent Ssl Initialization PROCMON: number of stm worker threads isonula STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor -STM: aps-ingeli atione SetIpsTheftPolicyDfa SapCtx uamnihi, Policy uptateve, mode emagnama, bytes rporis, Return ndeomni PROCMON: [ALERT:atev] One of the RAID arrays is degrading. -PROCMON: [ALERT:itati] One of the RAID arrays is degrading. -INSTALL: Migrating configuration from emagnama to urma -STM_WRAPPER: Committing UI configuration. -CONFIG_AGENT: reverit RPC Name =ptate, RPC Result: mexerc -CONFIG_AGENT: itatiset RPC Name =ptasn, RPC Result: quaeab -STM_WRAPPER: Committing UI configuration. +CONFIG_AGENT: amaliq ept Received put-tree command +BYPASS: Mode set to BYPASS (ectetura). +STM: COOKIE-icab quiado scipit = quiavolu BYPASS: Mode set to never bypass. +STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success +STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors INSTALL: Loading the snapshot for admi release. +STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi +STM_WRAPPER: Successfully stopped STM. +PROCMON: Started monitoring UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available -STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -BYPASS: Mode set to never bypass. -BYPASS: State set to normal: starting heartbeat. -BYPASS: Mode set to BYPASS (eniamqu). +INSTALL: Loading the snapshot for stru release. +PROCMON: Monitoring links: enp0s6182 +STM_WRAPPER: command(--digest) execution status = quaeratv STM_WRAPPER: Successfully initialized STM. -PROCMON: [ALERT:orpori] One of the RAID arrays is degrading. -UPDATE: [ALERT:utlabor] New attack definition version 1.6441 is available eventmgr: Event manager startup succeeded. +STM_WRAPPER: Initializing STM. STM_WRAPPER: Successfully initialized STM. 
-PROCMON: [ALERT:quaeabi] One of the RAID arrays is degrading. +PROCMON: Started monitoring +CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa +STM_WRAPPER: Initializing STM. +STM: aps-quam etquasi CreateRC: RC Add policy Success +STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json index c05693863d5..910233583b1 100644 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json @@ -1,17 +1,36 @@ [ { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", + "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", "log.offset": 0, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (nbyCic).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 28, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -22,17 +41,17 @@ "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:torev] New attack definition version 1.7118 is available", + "event.original": "UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 39, + "log.offset": 65, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "observer.version": "1.7118", + "observer.version": "1.1000", "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.7118", + "rsa.misc.version": "1.1000", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -40,20 +59,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: eth7668", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 111, - "network.interface.name": "eth7668", + "log.offset": 138, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "eth7668", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -61,20 +78,18 @@ ] }, { - "event.code": "UPDATE", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:radi] New attack definition version 1.1512 is available", + "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 146, + "log.offset": 227, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "observer.version": "1.1512", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.1512", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -82,18 +97,60 @@ ] }, { - "event.code": "BYPASS", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (nbyCic).", + "event.original": "STM_WRAPPER: Initializing STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 217, + "log.offset": 270, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151", + "fileset.name": "waf", + "host.ip": "10.16.222.151", + "input.type": "log", + "log.offset": 301, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.16.222.151" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 380, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -107,7 +164,7 @@ "event.original": "BYPASS: Mode change: ccusant,epteurs", "fileset.name": "waf", "input.type": "log", - "log.offset": 254, + "log.offset": 442, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -126,7 +183,7 @@ "event.original": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 291, + "log.offset": 479, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -141,18 +198,20 @@ ] }, { - "event.code": "INSTALL", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from umet to psaquaea", + "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", "fileset.name": "waf", "input.type": "log", - "log.offset": 364, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 552, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -160,18 +219,20 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: gnamali iumdo No rules, exe", + "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", "fileset.name": "waf", "input.type": "log", - "log.offset": 419, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 607, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:No rules.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -179,18 +240,20 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", + "event.original": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 461, + "log.offset": 668, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", - "rsa.internal.messageid": "CONFIG_AGENT", + "observer.version": "1.4012", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.4012", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -198,18 +261,20 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: [ALERT:mnisist] Configuration size is dutp which exceeds the ecillu safe limit. Please check your configuration.", + "event.original": "PROCMON: Monitoring links: lo4933", "fileset.name": "waf", "input.type": "log", - "log.offset": 591, + "log.offset": 741, + "network.interface.name": "lo4933", "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "lo4933", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -217,18 +282,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", + "event.original": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 717, + "log.offset": 775, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -236,20 +301,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: enp0s2108", + "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", "fileset.name": "waf", "input.type": "log", - "log.offset": 751, - "network.interface.name": "enp0s2108", + "log.offset": 837, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "enp0s2108", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -266,7 +329,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 788, + "log.offset": 967, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -284,7 +347,7 @@ "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 853, + "log.offset": 1032, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -297,18 +360,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "BYPASS", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "event.original": "BYPASS: Mode change: urEx,labo", "fileset.name": "waf", "input.type": "log", - "log.offset": 983, + "log.offset": 1162, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -319,18 +382,14 @@ "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #rudexerc, address=10.158.247.188", + "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", - "host.ip": "10.158.247.188", "input.type": "log", - "log.offset": 1072, + "log.offset": 1193, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "related.ip": [ - "10.158.247.188" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ 
@@ -342,13 +401,13 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-pidatatn tinv ActiveServerOutOfBandMonitorAttr =odico", + "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", "fileset.name": "waf", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 1155, + "log.offset": 1236, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -360,18 +419,18 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: luptate Initiating config_agent database commit phase.", + "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1223, + "log.offset": 1289, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -379,18 +438,19 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", + "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", "fileset.name": "waf", "input.type": "log", - "log.offset": 1292, + "log.offset": 1328, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.db.index": "ipsaqua", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -398,19 +458,20 @@ ] }, { - "event.code": "PROCMON", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", + "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", "fileset.name": "waf", "input.type": "log", - "log.offset": 1335, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1382, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.db.index": "ipsaqua", - "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -421,16 +482,16 @@ "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #quaturQ, address=10.240.48.190", + "event.original": "eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246", "fileset.name": "waf", - "host.ip": "10.240.48.190", + "host.ip": "10.4.65.246", "input.type": "log", - "log.offset": 1389, + "log.offset": 1436, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", "related.ip": [ - "10.240.48.190" + "10.4.65.246" ], "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", "rsa.internal.messageid": "eventmgr", @@ -441,18 +502,20 @@ ] }, { - "event.code": "PROCMON", + "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:onse] One of the RAID arrays is degrading.", + "event.original": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 1470, + "log.offset": 1513, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", + "observer.version": "1.481", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.481", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -460,18 +523,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", + "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1529, + "log.offset": 1583, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -479,18 +542,18 @@ ] }, { - "event.code": "eventmgr", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1568, + "log.offset": 1626, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -498,18 +561,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", + "event.original": "CONFIG_AGENT: isnisiu aspernat Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 1611, + "log.offset": 1715, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -517,18 +580,18 @@ ] }, { - "event.code": "eventmgr", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", + "event.original": "INSTALL: Loading the snapshot for mquel release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1645, + "log.offset": 1763, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -536,18 +599,18 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: metMalor RPC Name =iatur, RPC Result: assitas", + "event.original": "INSTALL: Migrating configuration from ueporr to ptate", "fileset.name": "waf", "input.type": "log", - "log.offset": 1688, + "log.offset": 1812, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -558,17 +621,17 @@ "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: lo514", + "event.original": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", "fileset.name": "waf", "input.type": "log", - "log.offset": 1748, - "network.interface.name": "lo514", + "log.offset": 1866, + "network.interface.name": "enp0s7094", "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.event_desc": "PROCMON:Link is up.", "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "lo514", + "rsa.network.interface": "enp0s7094", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -576,18 +639,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", + "event.original": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali", "fileset.name": "waf", "input.type": "log", - "log.offset": 1781, + "log.offset": 1912, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -595,20 +658,18 @@ ] }, { - "event.code": "STM", + "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: SSL-dic evolupta Ssl Initialization", + "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1820, + "log.offset": 2045, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -616,18 +677,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (epor).", + "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 1866, + "log.offset": 2088, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -635,18 +696,20 @@ ] }, { - "event.code": "eventmgr", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", + "event.original": "STM: LB-mveniam rvelill EnableServer =iame", "fileset.name": "waf", "input.type": "log", - "log.offset": 1901, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2116, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -657,14 +720,15 @@ "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", + "event.original": "PROCMON: number of stm worker threads iseuf", "fileset.name": "waf", "input.type": "log", - "log.offset": 1944, + "log.offset": 2165, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.db.index": "euf", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ @@ -676,13 +740,13 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-mveniam rvelill EnableServer =iame", + "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", "fileset.name": "waf", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 1972, + "log.offset": 2209, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -694,18 +758,18 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: min Initiating config_agent database commit phase.", + "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2021, + "log.offset": 2283, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -713,18 +777,22 @@ ] }, { - "event.code": "INSTALL", + "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for ave release.", + "event.original": "eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30", "fileset.name": "waf", + "host.ip": "10.58.33.30", "input.type": "log", - "log.offset": 2086, + "log.offset": 2322, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", + "related.ip": [ + "10.58.33.30" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -735,15 +803,17 @@ "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", + "event.original": "PROCMON: [ALERT:uiadolo] eth321: link is up", "fileset.name": "waf", "input.type": "log", - "log.offset": 2133, + "log.offset": 2399, + "network.interface.name": "eth321", "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.event_desc": "PROCMON:Link is up.", "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth321", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -751,19 +821,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: number of stm worker threads isnisi", + "event.original": "CONFIG_AGENT: rsi ciduntut Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 2161, + "log.offset": 2443, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.db.index": "nisi", - "rsa.internal.event_desc": "PROCMON: number of stm worker threads", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -771,18 +840,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", + "event.original": "CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal", "fileset.name": "waf", "input.type": "log", - "log.offset": 2206, + "log.offset": 2487, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -790,18 +859,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: State set to normal: starting heartbeat.", + "event.original": "INSTALL: Loading the snapshot for ris release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2245, + "log.offset": 2540, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "BYPASS: State set to normal: starting heartbeat.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -809,18 +878,18 @@ ] }, { - "event.code": "eventmgr", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", + "event.original": "CONFIG_AGENT: aliqui rcitat Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 2294, + "log.offset": 2587, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -828,18 +897,18 @@ ] }, { - "event.code": "INSTALL", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for ris release.", + "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2337, + "log.offset": 2632, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -847,18 +916,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: [ALERT:orsi] Configuration size is econs which exceeds the orisni safe limit. Please check your configuration.", + "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 2384, + "log.offset": 2701, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -866,18 +935,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode change: reseosq,remque", + "event.original": "CONFIG_AGENT: iaecon ipexea Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 2508, + "log.offset": 2729, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "Mode change.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -885,18 +954,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: State set to normal: starting heartbeat.", + "event.original": "INSTALL: Migrating configuration from nulapa to cillu", "fileset.name": "waf", "input.type": "log", - "log.offset": 2544, + "log.offset": 2774, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "BYPASS: State set to normal: starting heartbeat.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -904,18 +973,19 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", + "event.original": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", "fileset.name": "waf", "input.type": "log", - "log.offset": 2593, + "log.offset": 2828, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.db.index": "didun", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -923,20 +993,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: enp0s2948", + "event.original": "CONFIG_AGENT: rcit nul Received put-tree command", "fileset.name": "waf", "input.type": "log", - "log.offset": 2662, - "network.interface.name": "enp0s2948", + "log.offset": 2885, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "enp0s2948", + "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -950,7 +1018,7 @@ "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 2699, + "log.offset": 2934, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -965,18 +1033,20 @@ ] }, { - "event.code": "BYPASS", + "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (iratio).", + "event.original": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 2773, + "log.offset": 3008, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", + "observer.version": "1.7778", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7778", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -984,18 +1054,20 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: [ALERT:onemul] Configuration size is byCicer which exceeds the ipitl safe limit. Please check your configuration.", + "event.original": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 2810, + "log.offset": 3079, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", - "rsa.internal.messageid": "STM_WRAPPER", + "observer.version": "1.3018", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3018", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1003,18 +1075,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Committing UI configuration.", + "event.original": "INSTALL: Migrating configuration from iceroin to qui", "fileset.name": "waf", "input.type": "log", - "log.offset": 2937, + "log.offset": 3153, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1022,18 +1094,18 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: ameaque Initiating config_agent database commit phase.", + "event.original": "INSTALL: Migrating configuration from pariatu to issusc", "fileset.name": "waf", "input.type": "log", - "log.offset": 2979, + "log.offset": 3206, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1050,7 +1122,7 @@ "log.flags": [ "dissect_parsing_error" ], - "log.offset": 3048, + "log.offset": 3262, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1068,7 +1140,7 @@ "event.original": "STM_WRAPPER: Committing UI configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3115, + "log.offset": 3329, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1087,75 +1159,12 @@ "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3157, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:mUtenim] New attack definition version 1.5823 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3246, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.5823", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.5823", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60", - "fileset.name": "waf", - "host.ip": "10.126.62.60", - "input.type": "log", - "log.offset": 3320, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.126.62.60" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: ionevo iaconse Update succeeded", - "fileset.name": 
"waf", - "input.type": "log", - "log.offset": 3401, + "log.offset": 3371, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1163,18 +1172,22 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: eriamea rume Update succeeded", + "event.original": "eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60", "fileset.name": "waf", + "host.ip": "10.126.62.60", "input.type": "log", - "log.offset": 3447, + "log.offset": 3460, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", - "rsa.internal.messageid": "CONFIG_AGENT", + "related.ip": [ + "10.126.62.60" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1182,20 +1195,18 @@ ] }, { - "event.code": "STM", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: FEHCMON-iaturE veniam FEHC Monitor Module initialized.", + "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3491, + "log.offset": 3541, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1203,18 +1214,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (quira).", + "event.original": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", "fileset.name": "waf", "input.type": "log", - "log.offset": 3552, + "log.offset": 3584, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "STM: RespPage Response Page created successfully.", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1225,10 +1236,10 @@ "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: [ALERT:xplicab] Configuration size is utaliqu which exceeds the siut safe limit. Please check your configuration.", + "event.original": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3588, + "log.offset": 3663, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1241,18 +1252,20 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: emquela ons It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., idestl", + "event.original": "PROCMON: [ALERT:eumfu] eth5074: link is up", "fileset.name": "waf", "input.type": "log", - "log.offset": 3715, + "log.offset": 3788, + "network.interface.name": "eth5074", "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth5074", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1266,7 +1279,7 @@ "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3847, + "log.offset": 3831, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1282,14 +1295,14 @@ "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from isautemv to onproid", + "event.original": "INSTALL: Loading the snapshot for pli release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3916, + "log.offset": 3900, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ @@ -1298,20 +1311,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: enp0s6760", + "event.original": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3974, - "network.interface.name": "enp0s6760", + "log.offset": 3947, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "enp0s6760", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1319,18 +1330,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:lupt] One of the RAID arrays is degrading.", + "event.original": "INSTALL: Loading the snapshot for mod release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4011, + "log.offset": 4013, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1338,22 +1349,18 @@ ] }, { - "event.code": "eventmgr", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #isquames, address=10.131.211.114", + "event.original": "INSTALL: Loading the snapshot for lamcolab release.", "fileset.name": "waf", - "host.ip": "10.131.211.114", "input.type": "log", - "log.offset": 4070, + "log.offset": 4060, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "related.ip": [ - "10.131.211.114" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1364,14 +1371,14 @@ "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for mod release.", + "event.original": "INSTALL: Migrating configuration from estlab to tis", "fileset.name": "waf", "input.type": "log", - "log.offset": 4153, + "log.offset": 4112, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ @@ -1380,18 +1387,19 @@ ] }, { - "event.code": "INSTALL", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for lamcolab release.", + "event.original": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", "fileset.name": "waf", "input.type": "log", - "log.offset": 4200, + "log.offset": 4164, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", + "rsa.db.index": "labo", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1405,7 +1413,7 @@ "event.original": "INSTALL: Migrating configuration from tfugit to taspern", "fileset.name": "waf", "input.type": "log", - "log.offset": 4252, + "log.offset": 4218, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1418,18 +1426,22 @@ ] }, { - "event.code": "BYPASS", + "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: State set to normal: starting heartbeat.", + "event.original": "eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158", "fileset.name": "waf", + "host.ip": "10.48.248.158", "input.type": "log", - "log.offset": 4308, + "log.offset": 4274, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "BYPASS: State set to normal: starting heartbeat.", - "rsa.internal.messageid": "BYPASS", + "related.ip": [ + "10.48.248.158" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1437,18 +1449,18 @@ ] }, { - "event.code": "INSTALL", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from uisnos to minim", + "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4357, + "log.offset": 4354, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1456,18 +1468,19 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", + "event.original": "PROCMON: number of stm worker threads isonula", "fileset.name": "waf", "input.type": "log", - "log.offset": 4411, + "log.offset": 4397, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.db.index": "onula", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1475,19 +1488,20 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: command(--digest) execution status = litsed", + "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", "fileset.name": "waf", "input.type": "log", - "log.offset": 4454, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4443, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.db.index": "litsed", - "rsa.internal.event_desc": "STM_WRAPPER: command execution status.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1495,20 +1509,18 @@ ] }, { - "event.code": "STM", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: SSL-fugiatn dent Ssl Initialization", + "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4511, + "log.offset": 4498, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1516,19 +1528,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: number of stm worker threads isonula", + "event.original": "CONFIG_AGENT: amaliq ept Received put-tree command", "fileset.name": "waf", "input.type": "log", "log.offset": 4557, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.db.index": "onula", - "rsa.internal.event_desc": "PROCMON: number of stm worker threads", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1536,20 +1547,18 @@ ] }, { - "event.code": "STM", + "event.code": "BYPASS", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", + "event.original": "BYPASS: Mode set to BYPASS (ectetura).", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4603, + "log.offset": 4608, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1560,13 +1569,13 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: aps-ingeli atione SetIpsTheftPolicyDfa SapCtx uamnihi, Policy uptateve, mode emagnama, bytes rporis, Return ndeomni", + "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", "fileset.name": "waf", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 4658, + "log.offset": 4647, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1578,18 +1587,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "BYPASS", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", + "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4784, + "log.offset": 4691, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.event_desc": " Mode set to never BYPASS.", + "rsa.internal.messageid": "BYPASS", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1597,18 +1606,20 @@ ] }, { - "event.code": "PROCMON", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:itati] One of the RAID arrays is degrading.", + "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", "fileset.name": "waf", "input.type": "log", - "log.offset": 4843, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4725, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1616,18 +1627,20 @@ ] }, { - "event.code": "INSTALL", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from emagnama to urma", + "event.original": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", "fileset.name": "waf", "input.type": "log", - "log.offset": 4903, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4803, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1635,18 +1648,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Committing UI configuration.", + "event.original": "INSTALL: Loading the snapshot for admi release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4958, + "log.offset": 4903, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1654,18 +1667,20 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: reverit RPC Name =ptate, RPC Result: mexerc", + "event.original": "STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi", "fileset.name": "waf", "input.type": "log", - "log.offset": 5000, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4951, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1673,18 +1688,18 @@ ] }, { - "event.code": "CONFIG_AGENT", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "CONFIG_AGENT: itatiset RPC Name =ptasn, RPC Result: quaeab", + "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5058, + "log.offset": 5053, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", - "rsa.internal.messageid": "CONFIG_AGENT", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1692,18 +1707,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Committing UI configuration.", + "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 5117, + "log.offset": 5092, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1711,18 +1726,20 @@ ] }, { - "event.code": "BYPASS", + "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", + "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 5159, + "log.offset": 5120, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", + "observer.version": "1.7781", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7781", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1733,10 +1750,10 @@ "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for admi release.", + "event.original": "INSTALL: Loading the snapshot for stru release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5193, + "log.offset": 5191, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", 
@@ -1749,20 +1766,20 @@ ] }, { - "event.code": "UPDATE", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", + "event.original": "PROCMON: Monitoring links: enp0s6182", "fileset.name": "waf", "input.type": "log", - "log.offset": 5241, + "log.offset": 5239, + "network.interface.name": "enp0s6182", "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "observer.version": "1.7781", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.7781", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s6182", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1773,14 +1790,15 @@ "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "event.original": "STM_WRAPPER: command(--digest) execution status = quaeratv", "fileset.name": "waf", "input.type": "log", - "log.offset": 5312, + "log.offset": 5276, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.db.index": "quaeratv", + "rsa.internal.event_desc": "STM_WRAPPER: command execution status.", "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ 
@@ -1789,18 +1807,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", + "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5401, + "log.offset": 5335, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1808,18 +1826,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "eventmgr", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: State set to normal: starting heartbeat.", + "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5435, + "log.offset": 5378, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "BYPASS: State set to normal: starting heartbeat.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1827,18 +1845,18 @@ ] }, { - "event.code": "BYPASS", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (eniamqu).", + "event.original": "STM_WRAPPER: Initializing STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5484, + "log.offset": 5421, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1852,7 +1870,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5522, + "log.offset": 5452, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1868,14 +1886,14 @@ "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:orpori] One of the RAID arrays is degrading.", + "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 5565, + "log.offset": 5495, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.event_desc": "PROCMON: Started monitoring", "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ 
@@ -1884,20 +1902,18 @@ ] }, { - "event.code": "UPDATE", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:utlabor] New attack definition version 1.6441 is available", + "event.original": "CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa", "fileset.name": "waf", "input.type": "log", - "log.offset": 5626, + "log.offset": 5523, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "observer.version": "1.6441", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.6441", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1905,18 +1921,18 @@ ] }, { - "event.code": "eventmgr", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", + "event.original": "STM_WRAPPER: Initializing STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5700, + "log.offset": 5654, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", 
@@ -1924,18 +1940,20 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", + "event.original": "STM: aps-quam etquasi CreateRC: RC Add policy Success", "fileset.name": "waf", "input.type": "log", - "log.offset": 5743, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5685, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1943,18 +1961,20 @@ ] }, { - "event.code": "PROCMON", + "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:quaeabi] One of the RAID arrays is degrading.", + "event.original": "STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi", "fileset.name": "waf", "input.type": "log", - "log.offset": 5786, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5744, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ "barracuda.waf", diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md index e3519e38a3d..aa7727fb180 100644 --- a/x-pack/filebeat/module/bluecoat/README.md +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 -at 2020-07-08 22:20:57.359593 +0000 UTC. +at 2020-07-13 17:11:58.975221 +0000 UTC. 
diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md index 6e98c43513d..ee3fcffaa1b 100644 --- a/x-pack/filebeat/module/citrix/README.md +++ b/x-pack/filebeat/module/citrix/README.md @@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 -at 2020-07-08 22:20:58.335509 +0000 UTC. +at 2020-07-13 17:12:00.034336 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md index 3d1c9559af4..fb94459f763 100644 --- a/x-pack/filebeat/module/cylance/README.md +++ b/x-pack/filebeat/module/cylance/README.md @@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 -at 2020-07-08 22:20:58.574688 +0000 UTC. +at 2020-07-13 17:12:00.315005 +0000 UTC. diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log index b6ec60eb647..85f71671cc9 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log 
@@ -1,100 +1,100 @@ 29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) -2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol,luptatUser: isiutal moenimi (mod) -Feb 26 8:15:08 mquia873.internal.invalid CylancePROTECT Event Type:tetur, Event Name:DeviceEdit, Device Name:squame, External Device Type:ntex, External Device Vendor ID:eius, External Device Name:luptat, External Device Product ID:emape, External Device Serial Number:aer, Zone Names:lupt -2016-3-12T3:17:42.minim eFini859.www5.example CylancePROTECT psumquia onsect [orsitame] Event Type: reprehe, Event Name: SystemSecurity, Device Name: quiavo, Agent Version: issusci, IP Address: (10.164.119.63, taliquip), MAC Address: (01:00:5e:86:ac:4a, tNequ), Logged On Users: (gelit), OS: tatno Zone Names: dquiac -26-March-2016 10:20:16 medium oluptas2358.internal.host ommod <aqui 2016-3-26T10:20:16.radipis isetq3627.api.domain CylancePROTECT magn equuntu [eos] Event Type: enimad, Event Name: SystemSecurity, Device Name: uaerat, Agent Version: boreet, IP Address: (10.155.162.162, mcolabor), MAC Address: (01:00:5e:2c:f3:52, giatq), Logged On Users: (quid), OS: fug -9-Apr-2016 5:22:51 high maveniam1399.mail.lan siutaliq <tempor 9T17:22:51.omnis antium1279.mail.test CylancePROTECT Event Name:ThreatUpdated, Device Name:rsitvolu, External Device Type:tcupida, External Device Vendor ID:niamquis, External Device Name:itati, External Device Product ID:mfu, External Device Serial Number:uid, Zone Names:atatnonp, Device Id: uiano, Policy Name: mrema -24-Apr-2016 12:25:25 very-high orsitame3869.localhost iam <umdo 24T00:25:25.sed apariat4194.www5.local CylancePROTECT Event Name:SystemSecurity, Message: The Device:onsewas auto 
assigned torumetZone:oll, User:erc -aspern 2016-5-8T7:27:59.itlabori Ciceroi3592.www.host CylancePROTECT aper essequ [taevi] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: sitas; Policy: ehenderi; Value: pidatat, User: gni tquiinea (mquaera) -22-May-2016 2:30:33 medium saute2412.internal.domain lorema <labor 22T14:30:33.atuse ddoeiu1152.api.invalid CylancePROTECT Event Name:Device Policy Assigned, Device Name:llumquid, External Device Type:tation, External Device Vendor ID:ips, External Device Name:emeumfug, External Device Product ID:upta, External Device Serial Number:omn, Zone Names:ipsumq -5-June-2016 21:33:08 low ipi7385.www.home eseru <orain 2016-6-5T9:33:08.quip oin6316.www5.host CylancePROTECT tinvol dolore [abor] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: eddoei, IP Address: (10.22.128.42), Action: cancel, Process ID: 1120, Process Name: ditautfu.exe, User Name: piscing, Violation Type: roq, Zone Names: ostr -2016-6-20T4:35:42.moenimi temporin6518.invalid CylancePROTECT agnaali llitani [inima] Event Type: tlabo, Event Name: ThreatUpdated, Device Name: nihi -2016-7-4T11:38:16.iquipex commod3331.host CylancePROTECT bor occa [stquidol] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: leumiu, File Path: namali, Interpreter: taevit, Interpreter Version: 1.3365 (nsecte), Zone Names: itame -2016-7-18T6:40:50.rehender iae1637.local CylancePROTECT nula emseq [olestiae] Event Type: ione, Event Name: LoginSuccess, Device Names: (evita), Policy Name: suntexp, User: duntut magni (pisciv) -2-August-2016 01:43:25 medium eratv6205.internal.lan reme <uaUteni 2016-8-2T1:43:25.udantium pre2433.mail.domain CylancePROTECT sciun sBono [catc] Event Type: AuditLog, Event Name: pechange, Message: Device: edo;asiaUser: econs uir (dol) -16-Aug-2016 8:45:59 medium non3341.mail.invalid derit <atcu 16T08:45:59.labor didunt1355.corp CylancePROTECT Event Name:Device Policy Assigned, Device Name:liqu, Agent 
Version:eporr, IP Address: (10.238.164.29), MAC Address: (01:00:5e:32:95:80), Logged On Users: (sequam), OS:temvel, Zone Names:ris -Aug 30 3:48:33 rroquis6074.api.host CylancePROTECT Event Type:iurer, Event Name:ZoneAdd, Message: Device:autfuwas auto assigned to thegnaaliqZone:mni, User:rem -13-Sep-2016 10:51:07 low uta4901.internal.local volupt <uiinea 13T22:51:07.Utenima volupta5074.internal.localhost CylancePROTECT Event Name:LoginSuccess, Message: Device:ionevowas auto assigned tougiatnuZone:ciati, User:nto -Sep 28 5:53:42 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned tomadmiZone:tur, User:roi -imadmini 2016/10/12T12:56:16.sauteiru mod7387.host CylancePROTECT mquame nihilmol [xercita] Event Type: AppControl, Event Name: fullaccess, Device Name: tiumt, IP Address: (10.75.99.127), Action: accept, Action Type: madmi, File Path: uidol, SHA256: mporin, Zone Names: mwrit -eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol) -itess 2016/11/10T03:01:24.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui -24-November-2016 10:03:59 low gitsed4374.www5.home fugitsed <quid 2016-11-24T10:03:59.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam) -inesci 2016-12-8T5:06:33.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User 
Name: commodo -sau 2016-12-23T12:09:07.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea) -2017-1-6T7:11:41.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp) -umwrit 2017-1-20T2:14:16.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna) -3-Feb-2017 9:16:50 high rum959.host velillu <bor 3T21:16:50.rauto ationev5770.www.invalid CylancePROTECT Event Name:DeviceRemove, Device Name:nby, Agent Version:mve, IP Address: (10.96.201.115), MAC Address: (01:00:5e:94:55:60), Logged On Users: (inimve), OS:pis, Zone Names:nsequat -18-February-2017 04:19:24 low ercit7022.host qui <temporin 2017-2-18T4:19:24.equatur adeseru2497.www5.host CylancePROTECT rem asper [idunt] Event Type: ScriptControl, Event Name: threat_changed, Device Name: amcor, File Path: ica, Interpreter: lillum, Interpreter Version: 1.7809 (dicta), Zone Names: taedicta -itesseq 2017-3-4T11:21:59.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel [nof] Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: 10.230.206.60, User: ipi imveniam (uaeab) -18-March-2017 18:24:33 low lupta5708.www.test amcor <ineavol 2017-3-18T6:24:33.iosa boNemoe2025.lan CylancePROTECT amvolupt onevolu [mnis] Event Type: AuditLog, Event Name: DeviceRemove, Message: The Device: ites was auto assigned to the Zone: IP Address: 10.126.26.131, User: (nisiut) -2-Apr-2017 1:27:07 low elit429.api.invalid borisnis <emqu 2T01:27:07.nderi acommod6195.www.home CylancePROTECT Event Name:SyslogSettingsSave, Message: Provider:eratvol, Source IP:10.253.132.145, User: est uptatemU (leumiu)#015 -Apr 
16 8:29:41 enderit4328.corp CylancePROTECT Event Type:Nequepor, Event Name:DeviceEdit, Message: Device:remwas auto assigned to theididZone:tesse, User:sequat -2017-4-30T3:32:16.aliq mes4801.internal.test CylancePROTECT itaedict oremag [illu] Event Type: AuditLog, Event Name: threat_changed, Message: SHA256: turadip; Reason: success, User: temUt ptassita (its) -ori 2017-5-14T10:34:50.tconsect rum1594.api.domain CylancePROTECT ulla iqu [oin] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: abore,squUser: uiadol Duisa (lupta) -2017-5-29T5:37:24.asi ectiono2241.lan CylancePROTECT onu liquaUte [alorum] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ria; Policy: atDu; Value: nsec, User: quidolor oqu (naaliq) -2017-6-12T12:39:58.eaqueips qua3862.mail.home CylancePROTECT aturQu aaliq [mipsamvo] Event Type: DeviceControl, Event Name: ThreatUpdated, Device Name: rsintoc, External Device Type: reetdo, External Device Vendor ID: oreveri, External Device Name: ehende, External Device Product ID: eaqueip, External Device Serial Number: eum, Zone Names: lamc -26-Jun-2017 7:42:33 high metcons5740.mail.localhost sitvo <obeata 26T19:42:33.tatemU mad5185.www5.localhost CylancePROTECT Event Name:SystemSecurity, Device Message: Device: gnaa; Zones Removed: mod; Zones Added: doei,cipitlUser: caboNemo dexerc (strumex), Zone Names:eprehend Device Id: asnu -11-July-2017 02:45:07 low dolor5930.internal.host eritin <yCic 2017-7-11T2:45:07.nder mdolore2604.api.domain CylancePROTECT saqu iscive [quasiar] Event Type: ExploitAttempt, Event Name: Registration, Device Name: quido, IP Address: (10.63.231.55), Action: deny, Process ID: 2622, Process Name: stquid.exe, User Name: turadipi, Violation Type: usmodi, Zone Names: ree -25-Jul-2017 9:47:41 medium illu4130.internal.lan temUten <sitamet 25T09:47:41.utlabo tetur4690.mail.lan CylancePROTECT Event Name: ZoneAddDevice, Device Name: ecatcupi, IP Address: (10.6.6.242), Action: allow, Process ID: 4938, Process Name: onse.exe, 
User Name: olorem, Violation Type: turvel, Zone Names:eratv -Aug 8 4:50:15 umwritte7596.internal.localdomain CylancePROTECT Event Type:nse, Event Name:pechange, Message: Provider:iameaque, Source IP:10.232.119.56, User: tsed eturad (tiumdolo) -Aug 22 11:52:50 imadmi6980.www.localdomain CylancePROTECT Event Type:olupta, Event Name:LoginSuccess, Device Name:iatqu, Zone Names:inBCSedu, Device Id: erspi -iacons 2017-9-6T6:55:24.occaec acommodi563.internal.home CylancePROTECT fici imve [quide] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: SHA256: aco; Reason: failure, User: accusa natu (liquid) -20-Sep-2017 1:57:58 medium idolo5752.mail.example ugiatquo <uptate 20T13:57:58.lloinven econs2687.internal.localdomain CylancePROTECT Event Name:LoginSuccess, Device Name:lorsita, Zone Names:eavol -2017-10-4T9:00:32.npr etconsec5410.api.invalid CylancePROTECT laudan litesseq [atcupida] Event Type: AuditLog, Event Name: LoginSuccess, Message: Source: tob; SHA256: dolores; Category: equamnih; Reason: success, User: deF itempo (orumw) -mquisno 2017-10-19T4:03:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe -2017/11/02T11:05:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema -2017-11-16T6:08:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse -1-December-2017 01:10:49 high ici7102.www.localdomain itae <atnula 2017-12-1T1:10:49.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: 
Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat -15-December-2017 08:13:24 low idunt4633.internal.host liquam <oluptat 2017/12/15T08:13:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu -Dec 29 3:15:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori -12-Jan-2018 10:18:32 high isiutali3575.www5.invalid Nemoenim <ide 12T22:18:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam -2018-1-27T5:21:06.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco) -itametco 2018-2-10T12:23:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod -24-Feb-2018 7:26:15 low cte4809.mail.lan uunturma <eserun 24T19:26:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore -Mar 
11 2:28:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq -25-Mar-2018 9:31:24 medium arch2905.www5.home ror <doei 25T09:31:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint -2018-4-8T4:33:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) -hilmole 2018-4-22T11:36:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido -2018-5-7T6:39:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt) -21-May-2018 1:41:41 high ident4293.api.example ercitati <rro 21T13:41:41.oeiusmo nimv4681.internal.lan CylancePROTECT Event Name:Alert, Message: Provider:quisn, Source IP:10.132.23.6, User: etMa llita (ntsunt)#015 -4-Jun-2018 8:44:15 high temsequi4910.mail.host enbyCic <conseq 4T20:44:15.itame tenat5407.www5.test CylancePROTECT Event Name:ThreatUpdated, Device Name:cti, Zone Names:ommodoc -Jun 19 3:46:49 orem7191.mail.test CylancePROTECT Event Type:uisaut, Event Name:ZoneAdd, Device Name:paq, External Device Type:uianon, External Device Vendor ID:nul, External Device Name:onse, External Device Product ID:sitam, External Device Serial Number:inibusBo, Zone Names:illoin -sequatD 2018-7-3T10:49:23.eleumi equ3413.www.example CylancePROTECT tsunt rnat [oremi] 
Event Type: AuditLog, Event Name: LoginSuccess, Message: Policy Assigned:ctetu; Devices: oreeu , User: uasiarch Malor (boriosa) -2018-7-17T5:51:58.aliqu taedict4891.api.host CylancePROTECT lor auto [rsinto] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: periam was auto assigned to the Zone: IP Address: 10.137.79.74, User: (lors) -1-August-2018 00:54:32 high aquae7068.test ctetura <tDuisau 2018-8-1T12:54:32.aturve ptateve7615.internal.invalid CylancePROTECT tconsect pariat [iutal] Event Type: teturad, Event Name: ZoneAddDevice, Device Names: (isi), Policy Name: idexeac, User: ntu tdolo (nimve) -ola 2018-8-15T7:57:06.ptat quasi4459.domain CylancePROTECT snostr squamest [quisn] Event Type: pteu, Event Name: fullaccess, Device Names: (illumdo), Policy Name: antium, User: remaper eseosq (iatquovo) -mollit 2018-8-29T2:59:40.eosqui dipisciv7116.www.host CylancePROTECT llum mwr [cia] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Device: estiaec;pitlaboUser: tas rcitat (ree) -temaccu 2018-9-12T10:02:15.uamqua Neq4477.mail.invalid CylancePROTECT nim pteurs [ercitati] Event Type: atem, Event Name: SyslogSettingsSave, Device Name: mipsu, Agent Version: velillu, IP Address: (10.181.241.7), MAC Address: (01:00:5e:e1:72:72), Logged On Users: (riatu), OS: utod -Sep 27 5:04:49 uipe6805.www5.domain CylancePROTECT Event Type:stenat, Event Name:threat_quarantined, Threat Class:sequamn, Threat Subclass:perspici, SHA256:inimve, MD5:aea -udexerci 2018-10-11T12:07:23.uae imveni193.www5.host CylancePROTECT itationu setquas [nbyCi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: magnaali, Source IP: 10.201.95.47, User: isno usBono (ameaq) -lestiae 2018-10-25T7:09:57.iav umiure5186.api.domain CylancePROTECT tno imvenia [culp] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: nesciu; Policy: mali; Value: roinBCSe, User: eetdolor tpersp (assi) -nihilmo 2018-11-9T2:12:32.reetdo xeaco7887.www.localdomain CylancePROTECT 
hite umfugi [abor] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: remips; Policy: laboreet; Value: uptate, User: tot reme (emeumfu) -2018-11-23T9:15:06.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute -2018-12-7T4:17:40.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat) -Dec 21 11:20:14 olu2576.localdomain CylancePROTECT Event Type:enim, Event Name:Device Updated, Device Name:meaquei, External Device Type:snisiu, External Device Vendor ID:atem, External Device Name:remque, External Device Product ID:dol, External Device Serial Number:tvolupt, Zone Names:sedquia, Device Id: inrepr, Policy Name: lla -Jan 5 6:22:49 tqu6566.www.domain CylancePROTECT Event Type:tinvolu, Event Name:Device Policy Assigned, Message: The Device:dunwas auto assigned to thexceZone:dol, User:equamn -19-Jan-2019 1:25:23 low eiu5375.api.domain tcons <ction 19T13:25:23.emveleum siuta2155.lan CylancePROTECT Event Name:DeviceEdit, Device Name:utpe, Agent Version:ill, IP Address: (10.185.28.175), MAC Address: (01:00:5e:1d:a2:74), Logged On Users: (tasu), OS:sci, Zone Names:isquames -Feb 2 8:27:57 iatnula4065.www5.corp CylancePROTECT Event Type:corporis, Event Name:threat_found, Device Message: Device: mmodic; Zones Removed: essequam; Zones Added: undeo,ficiadeUser: uiinea uianonn (eavolupt), Zone Names:dantium Device Id: ors -trude 2019-2-17T3:30:32.snulap onsequat5480.mail.localdomain CylancePROTECT pariatur cita [tvo] Event Type: ema, Event Name: pechange, Threat Class: atemacc, Threat Subclass: labore, SHA256: iqua, MD5: ciunt -Mar 3 10:33:06 ostrumex5015.internal.lan CylancePROTECT Event Type:imaven, Event Name:Device Policy Assigned, Threat Class:uiineav, Threat Subclass:nder, SHA256:lore, MD5:nim -psamvolu 2019/03/17T17:35:40.teturad ritq7853.api.home CylancePROTECT urautodi equamni [fugia] 
Event Type: AppControl, Event Name: threat_changed, Device Name: nost, IP Address: (10.36.193.127), Action: allow, Action Type: suntincu, File Path: imidest, SHA256: citation, Zone Names: emquel -Apr 1 12:38:14 loremeum2477.www5.localhost CylancePROTECT Event Type:rrorsit, Event Name:threat_changed, Device Message: Device: riameaqu; Policy Changed: etd to 'omnisi', User: dolor rsp (quir), Zone Names:giatqu -15-Apr-2019 7:40:49 medium roiden5489.www5.corp nihilm <orisnisi 15T07:40:49.emquiav ptat5066.www.lan CylancePROTECT Event Name:SyslogSettingsSave, Device Name:ionula, Zone Names:itaed -29-Apr-2019 2:43:23 medium tincul407.corp amq <lab 29T14:43:23.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid -untur 2019/05/13T21:45:57.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta -2019-5-28T4:48:31.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude -ecillum 2019-6-11T11:51:06.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim -Jun 25 6:53:40 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat 
Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele -Jul 10 1:56:14 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu -2019-7-24T8:58:48.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam -Aug 7 4:01:23 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup -ecatcup 2019-8-21T11:03:57.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu -2019-9-5T6:06:31.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen) -tatevel 2019-9-19T1:09:05.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass) -veli 2019-10-3T8:11:40.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo) -18-October-2019 03:14:14 medium ocons2813.mail.lan natu <acomm 2019-10-18T3:14:14.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs 
(did) -Nov 1 10:16:48 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod -Nov 15 5:19:22 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit -rinci 2019-11-30T12:21:57.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta -14-Dec-2019 7:24:31 low ntutlabo6923.localhost eacommo <tionevol 14T07:24:31.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni,officiadUser: veniam labo (ssecill), Zone Names:umquam Device Id: onev +2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) +26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu +2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) +2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) +uatDuis 
2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo +24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq +ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) +2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan +2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc +20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu +2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute +July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc +olupt 2016-8-2T1:43:25.modoco 
estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend +2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd +ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib +13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae +Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit +12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat +ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid 
[proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi +Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam +24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex +8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum +Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur +6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame +20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame +2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) +uamni 2017-2-18T4:19:24.ctet 
ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) +2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin) +2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) +uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu +Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 +30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) +14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq +iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, 
Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom +2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte +2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) +11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid +25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo +8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni +Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu +September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin 
[autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute +2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea +4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide +nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita +Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema +16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm +1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: 
(evolupta), OS:teturadi, Zone Names:ditau +hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai +ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici +Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud +Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat +bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) +Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse +Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl +2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever) +quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor 
ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum +2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido +2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) +2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun +2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui +3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati +17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) +edqu 2018-8-1T12:54:32.tationu 
gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine +15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo +29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia +2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug) +2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum +2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex +25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt +9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat 
Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat +inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo +2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) +21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin +Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme +19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate +inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio +Feb 17 3:30:32 iconsequ5445.local 
CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem +odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv +Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum +1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod +15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc) +isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae +2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam) +2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: 
dantium ors (dqu) +11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu) +Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita +10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon +24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam +Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi +21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil +5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source 
IP:10.108.59.10, User: magnama reprehe (citatio)#015 +19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) +Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod +Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit +rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta +15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam +ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis) +14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; 
Value: gnaa, User: tam deser (int) diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index dfdf1d35bcc..abf3264f09f 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -39,7 +39,7 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol,luptatUser: isiutal moenimi (mod)", + "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", "fileset.name": "protect", "host.name": "volup208.invalid", "input.type": "log", @@ -47,14 +47,14 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "isiutal", - "rsa.identity.lastname": "moenimi", + "rsa.identity.firstname": "luptat", + "rsa.identity.lastname": "isiutal", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "mod", + "rsa.misc.mail_id": "moenimi", "rsa.misc.node": "vol", "rsa.network.alias_host": [ "volup208.invalid" 
@@ -68,26 +68,30 @@ }, { "@timestamp": "2020-02-26T10:15:08.000Z", - "event.action": "DeviceEdit", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Feb 26 8:15:08 mquia873.internal.invalid CylancePROTECT Event Type:tetur, Event Name:DeviceEdit, Device Name:squame, External Device Type:ntex, External Device Vendor ID:eius, External Device Name:luptat, External Device Product ID:emape, External Device Serial Number:aer, Zone Names:lupt", + "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu", "fileset.name": "protect", + "host.name": "eius6159.www5.localhost", "input.type": "log", - "log.offset": 455, + "log.offset": 453, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "lupt", + "rsa.db.index": "temvel", + "rsa.identity.firstname": "lupt", + "rsa.identity.lastname": "tia", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "tetur", - "rsa.misc.device_name": "ntex", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "squame", - "rsa.misc.serial_number": "aer", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "aer", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "oloremqu", + "rsa.network.alias_host": [ + "eius6159.www5.localhost" + ], "rsa.time.event_time": "2020-02-26T10:15:08.000Z", "service.type": "cylance", "tags": [ 
@@ -101,143 +105,137 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-3-12T3:17:42.minim eFini859.www5.example CylancePROTECT psumquia onsect [orsitame] Event Type: reprehe, Event Name: SystemSecurity, Device Name: quiavo, Agent Version: issusci, IP Address: (10.164.119.63, taliquip), MAC Address: (01:00:5e:86:ac:4a, tNequ), Logged On Users: (gelit), OS: tatno Zone Names: dquiac", + "event.original": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", "fileset.name": "protect", - "host.mac": "01:00:5e:86:ac:4a", - "host.name": "eFini859.www5.example", + "host.name": "ratvolup497.www.corp", "input.type": "log", - "log.offset": 745, + "log.offset": 690, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.164.119.63" - ], - "related.user": [ - "gelit" - ], - "rsa.db.index": "dquiac", + "rsa.db.index": "ommodic", + "rsa.identity.firstname": "mipsu", + "rsa.identity.lastname": "consec", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "reprehe", - "rsa.misc.OS": "tatno", + "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "quiavo", + "rsa.misc.mail_id": "taliquip", "rsa.network.alias_host": [ - "eFini859.www5.example" + "ratvolup497.www.corp" ], - "rsa.network.eth_host": "01:00:5e:86:ac:4a", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "cylance", - "source.ip": [ - "10.164.119.63" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "gelit" + ] }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "event.action": "SystemSecurity", + "event.action": "Alert", "event.code": "CylancePROTECT", 
"event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "26-March-2016 10:20:16 medium oluptas2358.internal.host ommod <aqui 2016-3-26T10:20:16.radipis isetq3627.api.domain CylancePROTECT magn equuntu [eos] Event Type: enimad, Event Name: SystemSecurity, Device Name: uaerat, Agent Version: boreet, IP Address: (10.155.162.162, mcolabor), MAC Address: (01:00:5e:2c:f3:52, giatq), Logged On Users: (quid), OS: fug", + "event.original": "2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", "fileset.name": "protect", - "host.mac": "01:00:5e:2c:f3:52", - "host.name": "isetq3627.api.domain", + "host.name": "tatno5625.api.local", "input.type": "log", - "log.offset": 1062, - "observer.product": "Protect", + "log.offset": 869, + "observer.product": "taliqu", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.155.162.162" - ], - "related.user": [ - "quid" - ], + "rsa.identity.firstname": "tur", + "rsa.identity.lastname": "aperi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "enimad", - "rsa.misc.OS": "fug", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "uaerat", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "ommod", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "iveli", + "rsa.misc.result": "failure", "rsa.network.alias_host": [ - "isetq3627.api.domain" + "tatno5625.api.local" ], - "rsa.network.eth_host": "01:00:5e:2c:f3:52", "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "cylance", - "source.ip": [ - "10.155.162.162" - ], "tags": [ "cylance.protect", "forwarded" - ], - 
"user.name": "quid" + ] }, { - "@timestamp": "2020-04-09T07:22:51.000Z", - "event.action": "ThreatUpdated", + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "9-Apr-2016 5:22:51 high maveniam1399.mail.lan siutaliq <tempor 9T17:22:51.omnis antium1279.mail.test CylancePROTECT Event Name:ThreatUpdated, Device Name:rsitvolu, External Device Type:tcupida, External Device Vendor ID:niamquis, External Device Name:itati, External Device Product ID:mfu, External Device Serial Number:uid, Zone Names:atatnonp, Device Id: uiano, Policy Name: mrema ", + "event.original": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo", "fileset.name": "protect", - "host.name": "antium1279.mail.test", + "host.mac": "01:00:5e:dc:bb:8b", + "host.name": "maveniam1399.mail.lan", "input.type": "log", - "log.offset": 1426, + "log.offset": 1075, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "atatnonp, Device Id: uiano, Policy Name: mrema", + "related.ip": [ + "10.124.61.119" + ], + "related.user": [ + "occ" + ], + "rsa.db.index": "reetdolo", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "tcupida", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "rsitvolu", - "rsa.misc.serial_number": "uid", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.OS": "ect", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": 
"eip", "rsa.network.alias_host": [ - "antium1279.mail.test" + "maveniam1399.mail.lan" ], - "rsa.time.event_time": "2020-04-09T07:22:51.000Z", + "rsa.network.eth_host": "01:00:5e:dc:bb:8b", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", "service.type": "cylance", + "source.ip": [ + "10.124.61.119" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "occ" }, { "@timestamp": "2020-04-24T14:25:25.000Z", - "event.action": "SystemSecurity", + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Apr-2016 12:25:25 very-high orsitame3869.localhost iam <umdo 24T00:25:25.sed apariat4194.www5.local CylancePROTECT Event Name:SystemSecurity, Message: The Device:onsewas auto assigned torumetZone:oll, User:erc", + "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq", "fileset.name": "protect", - "host.name": "apariat4194.www5.local", + "host.name": "nimadmin6499.local", "input.type": "log", - "log.offset": 1819, + "log.offset": 1370, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "erc", + "rsa.db.index": "lorem", + "rsa.identity.firstname": "urerep", + "rsa.identity.lastname": "aquaeab", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "onse", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.device_name": "dexe", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "liqu", "rsa.network.alias_host": [ - "apariat4194.www5.local" + "nimadmin6499.local" 
], - "rsa.network.zone": "oll", "rsa.time.event_time": "2020-04-24T14:25:25.000Z", "service.type": "cylance", "tags": [ @@ -247,30 +245,30 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "event.action": "Device Updated", + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "aspern 2016-5-8T7:27:59.itlabori Ciceroi3592.www.host CylancePROTECT aper essequ [taevi] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: sitas; Policy: ehenderi; Value: pidatat, User: gni tquiinea (mquaera)", + "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos)", "fileset.name": "protect", - "host.name": "Ciceroi3592.www.host", + "host.name": "suntinc4934.www5.test", "input.type": "log", - "log.offset": 2038, + "log.offset": 1612, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "sitas", - "rsa.identity.firstname": "gni", - "rsa.identity.lastname": "tquiinea", + "rsa.identity.firstname": "dmi", + "rsa.identity.lastname": "olab", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "Device Updated", - "rsa.misc.mail_id": "mquaera", - "rsa.misc.policy_name": "ehenderi", + "rsa.misc.checksum": "uovol", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "mquisnos", + "rsa.misc.policy_name": "uptatev", "rsa.network.alias_host": [ - "Ciceroi3592.www.host" + "suntinc4934.www5.test" ], "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "cylance", 
@@ -280,108 +278,99 @@ ] }, { - "@timestamp": "2020-05-22T04:30:33.000Z", - "event.action": "Device Policy Assigned", + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "22-May-2016 2:30:33 medium saute2412.internal.domain lorema <labor 22T14:30:33.atuse ddoeiu1152.api.invalid CylancePROTECT Event Name:Device Policy Assigned, Device Name:llumquid, External Device Type:tation, External Device Vendor ID:ips, External Device Name:emeumfug, External Device Product ID:upta, External Device Serial Number:omn, Zone Names:ipsumq", + "event.original": "2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", + "file.directory": "aspern", "fileset.name": "protect", - "host.name": "ddoeiu1152.api.invalid", + "host.name": "reetdolo2451.www.example", "input.type": "log", - "log.offset": 2262, + "log.offset": 1814, + "network.application": "itlabori", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ipsumq", + "observer.version": "1.2344", + "related.user": [ + "usan" + ], + "rsa.db.index": "ollit", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.device_name": "tation", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "llumquid", - "rsa.misc.serial_number": "omn", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "llam", + "rsa.misc.version": "1.2344", "rsa.network.alias_host": [ - "ddoeiu1152.api.invalid" + "reetdolo2451.www.example" ], - 
"rsa.time.event_time": "2020-05-22T04:30:33.000Z", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "usan" }, { "@timestamp": "2016-06-05T11:33:08.000Z", - "event.action": "cancel", + "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "5-June-2016 21:33:08 low ipi7385.www.home eseru <orain 2016-6-5T9:33:08.quip oin6316.www5.host CylancePROTECT tinvol dolore [abor] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: eddoei, IP Address: (10.22.128.42), Action: cancel, Process ID: 1120, Process Name: ditautfu.exe, User Name: piscing, Violation Type: roq, Zone Names: ostr", + "event.original": "2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", "fileset.name": "protect", - "host.name": "oin6316.www5.host", + "host.name": "uis7612.www5.domain", "input.type": "log", - "log.offset": 2625, + "log.offset": 2074, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "ditautfu.exe", - "process.pid": 1120, - "related.ip": [ - "10.22.128.42" - ], - "related.user": [ - "piscing" - ], - "rsa.db.index": "ostr", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "eddoei", - "rsa.misc.policy_name": "roq", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "emeumfug", + "rsa.misc.event_type": "Registration", "rsa.network.alias_host": [ - "oin6316.www5.host" + "uis7612.www5.domain" ], 
"rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "cylance", - "source.ip": [ - "10.22.128.42" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "piscing" + ] }, { - "@timestamp": "2016-06-20T06:35:42.000Z", - "event.action": "ThreatUpdated", + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-6-20T4:35:42.moenimi temporin6518.invalid CylancePROTECT agnaali llitani [inima] Event Type: tlabo, Event Name: ThreatUpdated, Device Name: nihi", + "event.original": "20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", "fileset.name": "protect", - "host.name": "temporin6518.invalid", + "host.name": "admi3749.api.lan", "input.type": "log", - "log.offset": 2997, + "log.offset": 2210, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "rsa.db.index": "nimadmin", + "rsa.identity.firstname": "iqui", + "rsa.identity.lastname": "etc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "tlabo", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "nihi", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.device_name": "tinvol", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "etM", "rsa.network.alias_host": [ - "temporin6518.invalid" + "admi3749.api.lan" ], - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
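Review bot: The new record at the end of this hunk pins `"@timestamp": "2020-06-20T06:35:42.000Z"` while its `event.original` reads `20-Jun-2016 4:35:42`, so the expected year is not the one carried by the event. The same year drift is on new-side lines in the hunks at `@@ -664,108` and `@@ -773,71` (2019-11-10, 2019-11-24, 2019-12-08 against 2016 logs) and on an unchanged record in `@@ -459,132` (2019-09-13 against `13-Sep-2016`). Every affected message carries a second, year-less fragment such as `20T04:35:42.luptatev`, which suggests the pipeline parses that fragment and fills in a default year; if so, these fixtures encode the year they were generated in and will go stale, so either `cylance.protect` should be added to the datasets for which `@timestamp` is dropped from the comparison (as the test_modules.py change does for other filesets) or the pipeline should prefer the leading dated timestamp. Relatedly, `"@timestamp": "2016-07-18T20:40:00.000Z"` in `@@ -390,68` drops the `:50` seconds present in its `event.original` (`18:40:50`), which looks like a further parse-format mismatch worth confirming before these values are pinned.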
@@ -390,68 +379,76 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.action": "DeviceRemove", + "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-7-4T11:38:16.iquipex commod3331.host CylancePROTECT bor occa [stquidol] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: leumiu, File Path: namali, Interpreter: taevit, Interpreter Version: 1.3365 (nsecte), Zone Names: itame", - "file.directory": "namali", + "event.original": "2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", + "file.directory": "Nemoen", "fileset.name": "protect", - "host.name": "commod3331.host", + "host.name": "rudexerc703.internal.host", "input.type": "log", - "log.offset": 3147, - "network.application": "taevit", + "log.offset": 2487, + "network.application": "tfug", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3365", - "rsa.db.index": "itame", + "observer.version": "1.5383", + "related.user": [ + "isaute" + ], + "rsa.db.index": "urE", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "leumiu", - "rsa.misc.version": "1.3365", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "onproide", + "rsa.misc.version": "1.5383", "rsa.network.alias_host": [ - "commod3331.host" + "rudexerc703.internal.host" ], "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": 
"cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "isaute" }, { - "@timestamp": "2016-07-18T08:40:50.000Z", - "event.action": "LoginSuccess", + "@timestamp": "2016-07-18T20:40:00.000Z", + "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-7-18T6:40:50.rehender iae1637.local CylancePROTECT nula emseq [olestiae] Event Type: ione, Event Name: LoginSuccess, Device Names: (evita), Policy Name: suntexp, User: duntut magni (pisciv)", + "event.original": "July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", + "file.directory": "Lor", "fileset.name": "protect", - "host.name": "iae1637.local", "input.type": "log", - "log.offset": 3394, + "log.offset": 2754, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "duntut", - "rsa.identity.lastname": "magni", + "related.ip": [ + "10.199.98.186" + ], + "rsa.db.index": "erc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": "ione", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "pisciv", - "rsa.misc.node": "evita", - "rsa.misc.policy_name": "suntexp", - "rsa.network.alias_host": [ - "iae1637.local" + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "cancel" ], - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.misc.checksum": "itecto", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "sequatur", + 
"rsa.time.event_time": "2016-07-18T20:40:00.000Z", "service.type": "cylance", + "source.ip": [ + "10.199.98.186" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -459,132 +456,164 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "event.action": "pechange", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2-August-2016 01:43:25 medium eratv6205.internal.lan reme <uaUteni 2016-8-2T1:43:25.udantium pre2433.mail.domain CylancePROTECT sciun sBono [catc] Event Type: AuditLog, Event Name: pechange, Message: Device: edo;asiaUser: econs uir (dol)", + "event.original": "olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", + "file.directory": "giatquov", + "file.name": "ici", + "file.type": "tati", "fileset.name": "protect", - "host.name": "pre2433.mail.domain", + "host.name": "estqu1709.internal.example", "input.type": "log", - "log.offset": 3589, + "log.offset": 3047, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "econs", - "rsa.identity.lastname": "uir", + "related.ip": [ + "10.64.70.5" + ], + "rsa.crypto.sig_type": "eprehend", + "rsa.db.index": "iadese", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "pechange", - "rsa.misc.mail_id": "dol", - "rsa.misc.node": "edo", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " Threat", 
+ "rsa.misc.checksum": "dexeac", + "rsa.misc.event_state": "atvol", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uasia", "rsa.network.alias_host": [ - "pre2433.mail.domain" + "estqu1709.internal.example" ], "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.web.reputation_num": 145.898, "service.type": "cylance", + "source.ip": [ + "10.64.70.5" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-08-16T10:45:59.000Z", - "event.action": "Device Policy Assigned", + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "16-Aug-2016 8:45:59 medium non3341.mail.invalid derit <atcu 16T08:45:59.labor didunt1355.corp CylancePROTECT Event Name:Device Policy Assigned, Device Name:liqu, Agent Version:eporr, IP Address: (10.238.164.29), MAC Address: (01:00:5e:32:95:80), Logged On Users: (sequam), OS:temvel, Zone Names:ris", + "event.original": "2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", "fileset.name": "protect", - "host.mac": "01:00:5e:32:95:80", - "host.name": "didunt1355.corp", + "host.mac": "01:00:5e:93:1c:9f", + "host.name": "xeac7155.www.localdomain", "input.type": "log", - "log.offset": 3836, + "log.offset": 3563, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.238.164.29" + "10.143.239.210" ], "related.user": [ - "sequam" + "oinBCSe" ], - "rsa.db.index": "ris", + "rsa.db.index": "sedd", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.OS": "temvel", - "rsa.misc.event_type": 
"Device Policy Assigned", - "rsa.misc.node": "liqu", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "pida", + "rsa.misc.OS": "mnisist", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "idolor", "rsa.network.alias_host": [ - "didunt1355.corp" + "xeac7155.www.localdomain" ], - "rsa.network.eth_host": "01:00:5e:32:95:80", - "rsa.time.event_time": "2019-08-16T10:45:59.000Z", + "rsa.network.eth_host": "01:00:5e:93:1c:9f", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "cylance", "source.ip": [ - "10.238.164.29" + "10.143.239.210" ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "sequam" + "user.name": "oinBCSe" }, { - "@timestamp": "2019-08-30T05:48:33.000Z", - "event.action": "ZoneAdd", + "@timestamp": "2016-08-30T05:48:33.000Z", + "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 30 3:48:33 rroquis6074.api.host CylancePROTECT Event Type:iurer, Event Name:ZoneAdd, Message: Device:autfuwas auto assigned to thegnaaliqZone:mni, User:rem", + "event.original": "ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", "fileset.name": "protect", + "host.name": "maccusa5126.api.domain", "input.type": "log", - "log.offset": 4142, + "log.offset": 3854, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "rem", + "process.name": "aliqu.exe", + "process.pid": 2289, + "related.ip": [ + "10.32.143.134" + ], + "related.user": [ + "olupta" + ], + "rsa.db.index": "eFinib", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 
1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "iurer", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.node": "autfu", - "rsa.network.zone": "mni", - "rsa.time.event_time": "2019-08-30T05:48:33.000Z", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "olorema", + "rsa.misc.policy_name": "mipsumd", + "rsa.network.alias_host": [ + "maccusa5126.api.domain" + ], + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", "service.type": "cylance", + "source.ip": [ + "10.32.143.134" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "olupta" }, { "@timestamp": "2019-09-13T12:51:07.000Z", - "event.action": "LoginSuccess", + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "13-Sep-2016 10:51:07 low uta4901.internal.local volupt <uiinea 13T22:51:07.Utenima volupta5074.internal.localhost CylancePROTECT Event Name:LoginSuccess, Message: Device:ionevowas auto assigned tougiatnuZone:ciati, User:nto", + "event.original": "13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", "fileset.name": "protect", - "host.name": "volupta5074.internal.localhost", + "host.name": "llu4718.localhost", "input.type": "log", - "log.offset": 4302, + "log.offset": 4159, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "nto", + "rsa.db.index": "psaquae", "rsa.internal.messageid": 
"CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "ionevo", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "oidentsu", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "conseq", + "rsa.misc.serial_number": "ern", "rsa.network.alias_host": [ - "volupta5074.internal.localhost" + "llu4718.localhost" ], - "rsa.network.zone": "ciati", "rsa.time.event_time": "2019-09-13T12:51:07.000Z", "service.type": "cylance", "tags": [ 
@@ -594,25 +623,28 @@ }, { "@timestamp": "2019-09-28T07:53:42.000Z", - "event.action": "Device Policy Assigned", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Sep 28 5:53:42 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned tomadmiZone:tur, User:roi", + "event.original": "Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", "fileset.name": "protect", "input.type": "log", - "log.offset": 4534, + "log.offset": 4504, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "roi", + "rsa.db.index": "ari", + "rsa.identity.firstname": "rinrepre", + "rsa.identity.lastname": "etconse", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "officiad", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "quinesc", - "rsa.network.zone": "tur", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "stquidol", + "rsa.misc.device_name": "leumiu", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "tincu", + "rsa.misc.policy_name": "taevit", "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "service.type": "cylance", "tags": [ 
@@ -622,41 +654,30 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "event.action": "accept", + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "imadmini 2016/10/12T12:56:16.sauteiru mod7387.host CylancePROTECT mquame nihilmol [xercita] Event Type: AppControl, Event Name: fullaccess, Device Name: tiumt, IP Address: (10.75.99.127), Action: accept, Action Type: madmi, File Path: uidol, SHA256: mporin, Zone Names: mwrit", - "file.directory": "uidol", + "event.original": "12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", "fileset.name": "protect", - "host.name": "mod7387.host", + "host.name": "eaq908.api.home", "input.type": "log", - "log.offset": 4712, + "log.offset": 4737, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.75.99.127" - ], - "rsa.db.index": "mwrit", + "rsa.db.index": "equat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.checksum": "mporin", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "tiumt", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "luptasn", "rsa.network.alias_host": [ - "mod7387.host" + "eaq908.api.home" ], "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "cylance", - "source.ip": [ - "10.75.99.127" - ], "tags": [ "cylance.protect", "forwarded" 
@@ -664,108 +685,110 @@ }, { "@timestamp": "2016-10-26T09:58:50.000Z", - "event.action": "threat_changed", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "eprehen 2016-10-26T7:58:50.entor xeacomm1940.localhost CylancePROTECT ema rsitv [iciade] Event Type: AuditLog, Event Name: threat_changed, Message: Device: ine; SHA256: lup, User: tatemUt modtemp (quovol)", + "event.original": "ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", + "file.directory": "olor", "fileset.name": "protect", - "host.name": "xeacomm1940.localhost", + "host.name": "mcolab379.internal.home", "input.type": "log", - "log.offset": 4988, + "log.offset": 4991, + "network.application": "Neque", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "tatemUt", - "rsa.identity.lastname": "modtemp", + "observer.version": "1.4129", + "related.user": [ + "fdeFi" + ], + "rsa.db.index": "iutali", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "lup", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.mail_id": "quovol", - "rsa.misc.node": "ine", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "tper", + "rsa.misc.version": "1.4129", "rsa.network.alias_host": [ - "xeacomm1940.localhost" + "mcolab379.internal.home" ], "rsa.time.event_time": "2016-10-26T09:58:50.000Z", 
"service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "fdeFi" }, { - "@timestamp": "2016-11-10T05:01:24.000Z", - "event.action": "block", + "@timestamp": "2019-11-10T05:01:24.000Z", + "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "itess 2016/11/10T03:01:24.iscinge ofdeFini4153.mail.localhost CylancePROTECT velitse oditem [gitsedqu] Event Type: AppControl, Event Name: DeviceEdit, Device Name: oremi, IP Address: (10.82.173.5), Action: block, Action Type: olor, File Path: ineavo, SHA256: pexe, Zone Names: niamqui", - "file.directory": "ineavo", + "event.original": "Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", "fileset.name": "protect", - "host.name": "ofdeFini4153.mail.localhost", + "host.mac": "01:00:5e:3f:c4:6c", "input.type": "log", - "log.offset": 5193, + "log.offset": 5268, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.82.173.5" + "10.237.205.140" + ], + "related.user": [ + "uames" ], - "rsa.db.index": "niamqui", + "rsa.db.index": "veniam", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.checksum": "pexe", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "oremi", - "rsa.network.alias_host": [ - "ofdeFini4153.mail.localhost" - ], - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.investigations.event_vcat": "boN", + "rsa.misc.OS": "iduntu", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "ectio", + 
"rsa.network.eth_host": "01:00:5e:3f:c4:6c", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "service.type": "cylance", "source.ip": [ - "10.82.173.5" + "10.237.205.140" ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "uames" }, { - "@timestamp": "2016-11-24T12:03:59.000Z", - "event.action": "SystemSecurity", + "@timestamp": "2019-11-24T12:03:59.000Z", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-November-2016 10:03:59 low gitsed4374.www5.home fugitsed <quid 2016-11-24T10:03:59.fugiat atisun6373.mail.localhost CylancePROTECT dmin fugi [quia] Event Type: AuditLog, Event Name: SystemSecurity, Message: SHA256: atatn; Reason: unknown, User: rnatur ofdeFin (essequam)", + "event.original": "24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex", "fileset.name": "protect", - "host.name": "atisun6373.mail.localhost", + "host.name": "sciun4694.api.lan", "input.type": "log", - "log.offset": 5478, + "log.offset": 5527, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "rnatur", - "rsa.identity.lastname": "ofdeFin", + "rsa.db.index": "enderit", + "rsa.identity.firstname": "idata", + "rsa.identity.lastname": "rumwritt", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "atatn", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "essequam", - "rsa.misc.result": "unknown", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.device_name": "nsect", + 
"rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "magnid", "rsa.network.alias_host": [ - "atisun6373.mail.localhost" + "sciun4694.api.lan" ], - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -773,71 +796,57 @@ ] }, { - "@timestamp": "2016-12-08T07:06:33.000Z", - "event.action": "Registration", + "@timestamp": "2019-12-08T07:06:33.000Z", + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "inesci 2016-12-8T5:06:33.isnisi ritatise4412.mail.localdomain CylancePROTECT quatur uisa [eFi] Event Type: ScriptControl, Event Name: Registration, Device Name: cusant, File Path: rpori, Interpreter: ice, Interpreter Version: 1.1645, Zone Names: entorev, User Name: commodo", - "file.directory": "rpori", + "event.original": "8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", "fileset.name": "protect", - "host.name": "ritatise4412.mail.localdomain", + "host.name": "mni7200.mail.localdomain", "input.type": "log", - "log.offset": 5758, - "network.application": "ice", + "log.offset": 5772, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.1645", - "related.user": [ - "commodo" - ], - "rsa.db.index": "entorev", + "rsa.db.index": "uisau", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "Registration", - "rsa.misc.node": "cusant", - "rsa.misc.version": "1.1645", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "idolor", "rsa.network.alias_host": [ - "ritatise4412.mail.localdomain" + "mni7200.mail.localdomain" ], - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.event_time": "2019-12-08T07:06:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "commodo" + ] }, { - "@timestamp": "2016-12-23T14:09:07.000Z", - "event.action": "PolicyAdd", + "@timestamp": "2019-12-23T14:09:07.000Z", + 
"event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "sau 2016-12-23T12:09:07.atevelit meius3932.internal.example CylancePROTECT ccaeca umdolo [uptate] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: stenatu; Policy: isiuta; Value: orsitam, User: siutaliq dutp (psaquaea)", + "event.original": "Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", "fileset.name": "protect", - "host.name": "meius3932.internal.example", "input.type": "log", - "log.offset": 6032, + "log.offset": 5973, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "stenatu", - "rsa.identity.firstname": "siutaliq", - "rsa.identity.lastname": "dutp", + "rsa.identity.firstname": "tur", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "psaquaea", - "rsa.misc.policy_name": "isiuta", - "rsa.network.alias_host": [ - "meius3932.internal.example" - ], - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "quinesc", + "rsa.network.zone": "madmi", + "rsa.time.event_time": "2019-12-23T14:09:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -846,65 +855,68 @@ }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "event.action": "ZoneAddDevice", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-1-6T7:11:41.proide ano1049.www5.localdomain CylancePROTECT aturve ditemp [edqui] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: temUte;sitUser: olab eumiure (ersp)", + "event.original": "6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", + "file.directory": "orro", "fileset.name": "protect", - "host.name": "ano1049.www5.localdomain", + "host.name": "ntoccae1705.internal.invalid", "input.type": "log", - "log.offset": 6262, + "log.offset": 6150, + "network.application": "tae", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "olab", - "rsa.identity.lastname": "eumiure", + "observer.version": "1.3212", + "related.user": [ + "aperiame" + ], + "rsa.db.index": "tlab", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "ersp", - "rsa.misc.node": "temUte", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "sBon", + "rsa.misc.version": "1.3212", "rsa.network.alias_host": [ - "ano1049.www5.localdomain" + "ntoccae1705.internal.invalid" ], "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + 
"user.name": "aperiame" }, { - "@timestamp": "2017-01-20T04:14:16.000Z", - "event.action": "pechange", + "@timestamp": "2020-01-20T04:14:16.000Z", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "umwrit 2017-1-20T2:14:16.uptate mac765.mail.invalid CylancePROTECT elit seosqui [sequamni] Event Type: AuditLog, Event Name: pechange, Message: Device: tdol; SHA256: sit, User: tiaec nisi (oremagna)", + "event.original": "20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", "fileset.name": "protect", - "host.name": "mac765.mail.invalid", + "host.name": "etconsec6708.internal.invalid", "input.type": "log", - "log.offset": 6450, + "log.offset": 6477, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "tiaec", - "rsa.identity.lastname": "nisi", + "rsa.db.index": "mquame", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "sit", - "rsa.misc.event_type": "pechange", - "rsa.misc.mail_id": "oremagna", - "rsa.misc.node": "tdol", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.device_name": "tquov", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "ersp", + "rsa.misc.serial_number": "tes", "rsa.network.alias_host": [ - "mac765.mail.invalid" + "etconsec6708.internal.invalid" ], - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.event_time": 
"2020-01-20T04:14:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -912,75 +924,64 @@ ] }, { - "@timestamp": "2020-02-03T11:16:50.000Z", - "event.action": "DeviceRemove", + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "3-Feb-2017 9:16:50 high rum959.host velillu <bor 3T21:16:50.rauto ationev5770.www.invalid CylancePROTECT Event Name:DeviceRemove, Device Name:nby, Agent Version:mve, IP Address: (10.96.201.115), MAC Address: (01:00:5e:94:55:60), Logged On Users: (inimve), OS:pis, Zone Names:nsequat", + "event.original": "2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", "fileset.name": "protect", - "host.mac": "01:00:5e:94:55:60", - "host.name": "ationev5770.www.invalid", + "host.name": "Sedutp7428.internal.home", "input.type": "log", - "log.offset": 6649, + "log.offset": 6841, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.96.201.115" - ], - "related.user": [ - "inimve" - ], - "rsa.db.index": "nsequat", + "rsa.db.index": "iquipe", + "rsa.identity.firstname": "upida", + "rsa.identity.lastname": "tvolupt", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.misc.OS": "pis", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "nby", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "eufugi", + "rsa.misc.policy_name": "itempor", "rsa.network.alias_host": [ - "ationev5770.www.invalid" + "Sedutp7428.internal.home" ], - "rsa.network.eth_host": "01:00:5e:94:55:60", - 
"rsa.time.event_time": "2020-02-03T11:16:50.000Z", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", "service.type": "cylance", - "source.ip": [ - "10.96.201.115" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "inimve" + ] }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.action": "threat_changed", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "18-February-2017 04:19:24 low ercit7022.host qui <temporin 2017-2-18T4:19:24.equatur adeseru2497.www5.host CylancePROTECT rem asper [idunt] Event Type: ScriptControl, Event Name: threat_changed, Device Name: amcor, File Path: ica, Interpreter: lillum, Interpreter Version: 1.7809 (dicta), Zone Names: taedicta", - "file.directory": "ica", + "event.original": "uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", "fileset.name": "protect", - "host.name": "adeseru2497.www5.host", + "host.name": "ati4639.www5.home", "input.type": "log", - "log.offset": 6942, - "network.application": "lillum", + "log.offset": 7059, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.7809", - "rsa.db.index": "taedicta", + "rsa.identity.firstname": "con", + "rsa.identity.lastname": "nisist", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "amcor", - "rsa.misc.version": "1.7809", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "usmodte", + "rsa.misc.node": "ven", 
"rsa.network.alias_host": [ - "adeseru2497.www5.host" + "ati4639.www5.home" ], "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "cylance", 
@@ -991,29 +992,29 @@ }, { "@timestamp": "2017-03-04T13:21:59.000Z", - "event.action": "DeviceEdit", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "itesseq 2017-3-4T11:21:59.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel [nof] Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: 10.230.206.60, User: ipi imveniam (uaeab)", + "event.original": "2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin)", "fileset.name": "protect", - "host.name": "veniamqu7284.mail.invalid", + "host.name": "torever662.www5.home", "input.type": "log", - "log.offset": 7259, + "log.offset": 7233, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "The Device: tetur was auto assigned to the Zone: IP Address: 10.230.206.60", - "rsa.identity.firstname": "ipi", - "rsa.identity.lastname": "imveniam", + "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", + "rsa.identity.firstname": "amcol", + "rsa.identity.lastname": "adeser", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "uaeab", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "oin", "rsa.network.alias_host": [ - "veniamqu7284.mail.invalid" + "torever662.www5.home" ], "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "cylance", 
@@ -1024,73 +1025,65 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "event.action": "DeviceRemove", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "18-March-2017 18:24:33 low lupta5708.www.test amcor <ineavol 2017-3-18T6:24:33.iosa boNemoe2025.lan CylancePROTECT amvolupt onevolu [mnis] Event Type: AuditLog, Event Name: DeviceRemove, Message: The Device: ites was auto assigned to the Zone: IP Address: 10.126.26.131, User: (nisiut)", + "event.original": "2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)", "fileset.name": "protect", - "host.name": "boNemoe2025.lan", + "host.name": "emeumfug4387.internal.lan", "input.type": "log", - "log.offset": 7508, + "log.offset": 7474, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.126.26.131" - ], - "rsa.db.index": "The Device: ites was auto assigned to the Zone: IP Address: 10.126.26.131", + "rsa.identity.firstname": "ccaeca", + "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "ites", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "iduntu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "lapariat", + "rsa.misc.node": "untincul", "rsa.network.alias_host": [ - "boNemoe2025.lan" + "emeumfug4387.internal.lan" ], "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "cylance", - "source.ip": [ - "10.126.26.131" - ], "tags": [ 
"cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-04-02T03:27:07.000Z", - "event.action": "SyslogSettingsSave", + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2-Apr-2017 1:27:07 low elit429.api.invalid borisnis <emqu 2T01:27:07.nderi acommod6195.www.home CylancePROTECT Event Name:SyslogSettingsSave, Message: Provider:eratvol, Source IP:10.253.132.145, User: est uptatemU (leumiu)#015", + "event.original": "uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", "fileset.name": "protect", - "host.name": "acommod6195.www.home", + "host.name": "rumwrit764.www5.local", "input.type": "log", - "log.offset": 7804, + "log.offset": 7679, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.253.132.145" - ], - "rsa.identity.firstname": "est", - "rsa.identity.lastname": "uptatemU", + "rsa.db.index": "miu", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "leumiu", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "etMal", + "rsa.misc.serial_number": "onula", "rsa.network.alias_host": [ - "acommod6195.www.home" + "rumwrit764.www5.local" ], - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", 
"service.type": "cylance", - "source.ip": [ - "10.253.132.145" - ], "tags": [ "cylance.protect", "forwarded" @@ -1098,27 +1091,33 @@ }, { "@timestamp": "2020-04-16T10:29:41.000Z", - "event.action": "DeviceEdit", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 16 8:29:41 enderit4328.corp CylancePROTECT Event Type:Nequepor, Event Name:DeviceEdit, Message: Device:remwas auto assigned to theididZone:tesse, User:sequat", + "event.original": "Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", "fileset.name": "protect", "input.type": "log", - "log.offset": 8039, + "log.offset": 8019, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "sequat", + "related.ip": [ + "10.13.66.97" + ], + "rsa.identity.firstname": "dicta", + "rsa.identity.lastname": "taedicta", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "Nequepor", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "rem", - "rsa.network.zone": "tesse", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "ritt", "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "cylance", + "source.ip": [ + "10.13.66.97" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -1126,30 +1125,30 @@ }, { "@timestamp": "2017-04-30T05:32:16.000Z", - "event.action": "threat_changed", + "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-4-30T3:32:16.aliq mes4801.internal.test CylancePROTECT itaedict oremag [illu] Event Type: AuditLog, Event Name: threat_changed, Message: SHA256: turadip; Reason: success, User: temUt ptassita (its)", + "event.original": "30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", "fileset.name": "protect", - "host.name": "mes4801.internal.test", + "host.name": "oremi1485.api.localhost", "input.type": "log", - "log.offset": 8201, + "log.offset": 8195, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "temUt", - "rsa.identity.lastname": "ptassita", + "rsa.identity.firstname": "atisund", + "rsa.identity.lastname": "xea", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "turadip", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.mail_id": "its", + "rsa.misc.checksum": "amvolupt", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "ites", "rsa.misc.result": "success", "rsa.network.alias_host": [ - "mes4801.internal.test" + "oremi1485.api.localhost" ], "rsa.time.event_time": "2017-04-30T05:32:16.000Z", "service.type": "cylance", 
@@ -1159,32 +1158,29 @@ ] }, { - "@timestamp": "2017-05-14T12:34:50.000Z", - "event.action": "PolicyAdd", + "@timestamp": "2020-05-14T12:34:50.000Z", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ori 2017-5-14T10:34:50.tconsect rum1594.api.domain CylancePROTECT ulla iqu [oin] Event Type: AuditLog, Event Name: PolicyAdd, Message: Devices: abore,squUser: uiadol Duisa (lupta)", + "event.original": "14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", "fileset.name": "protect", - "host.name": "rum1594.api.domain", + "host.name": "periam126.api.host", "input.type": "log", - "log.offset": 8404, + "log.offset": 8475, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "uiadol", - "rsa.identity.lastname": "Duisa", + "rsa.crypto.sig_type": "rExc", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "lupta", - "rsa.misc.node": "abore", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.checksum": "tame", + "rsa.misc.event_type": "threat_found", "rsa.network.alias_host": [ - "rum1594.api.domain" + "periam126.api.host" ], - "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.event_time": "2020-05-14T12:34:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1193,33 +1189,43 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.action": "ZoneAdd", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-5-29T5:37:24.asi ectiono2241.lan CylancePROTECT onu liquaUte [alorum] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ria; Policy: atDu; Value: nsec, User: quidolor oqu (naaliq)", + "event.original": "iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", + "file.directory": "sit", + "file.name": "iquamqua", + "file.type": "olorsit", "fileset.name": "protect", - "host.name": "ectiono2241.lan", + "host.name": "tate6578.api.localdomain", "input.type": "log", - "log.offset": 8584, + "log.offset": 8683, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ria", - "rsa.identity.firstname": "quidolor", - "rsa.identity.lastname": "oqu", + "related.ip": [ + "10.252.165.146" + ], + "rsa.crypto.sig_type": "undeom", + "rsa.db.index": "turadip", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "naaliq", - "rsa.misc.policy_name": "atDu", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": 
"ita", + "rsa.misc.event_state": "exeaco", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "yCiceroi", "rsa.network.alias_host": [ - "ectiono2241.lan" + "tate6578.api.localdomain" ], "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.web.reputation_num": 51.523, "service.type": "cylance", + "source.ip": [ + "10.252.165.146" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -1227,63 +1233,75 @@ }, { "@timestamp": "2017-06-12T14:39:58.000Z", - "event.action": "ThreatUpdated", + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-6-12T12:39:58.eaqueips qua3862.mail.home CylancePROTECT aturQu aaliq [mipsamvo] Event Type: DeviceControl, Event Name: ThreatUpdated, Device Name: rsintoc, External Device Type: reetdo, External Device Vendor ID: oreveri, External Device Name: ehende, External Device Product ID: eaqueip, External Device Serial Number: eum, Zone Names: lamc", + "event.original": "2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", "fileset.name": "protect", - "host.name": "qua3862.mail.home", + "host.mac": "01:00:5e:f9:78:c2", + "host.name": "midestl1919.host", "input.type": "log", - "log.offset": 8777, + "log.offset": 9194, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "lamc", + "related.ip": [ + "10.124.88.222" + ], + "related.user": [ + "onu" + ], "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "rsintoc", - "rsa.misc.serial_number": "eum", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.OS": "liquaUte", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "aUt", "rsa.network.alias_host": [ - "qua3862.mail.home" + "midestl1919.host" ], + "rsa.network.eth_host": "01:00:5e:f9:78:c2", 
"rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "cylance", + "source.ip": [ + "10.124.88.222" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "onu" }, { - "@timestamp": "2020-06-26T09:42:33.000Z", - "event.action": "SystemSecurity", + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "26-Jun-2017 7:42:33 high metcons5740.mail.localhost sitvo <obeata 26T19:42:33.tatemU mad5185.www5.localhost CylancePROTECT Event Name:SystemSecurity, Device Message: Device: gnaa; Zones Removed: mod; Zones Added: doei,cipitlUser: caboNemo dexerc (strumex), Zone Names:eprehend Device Id: asnu", + "event.original": "2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons)", "fileset.name": "protect", - "host.name": "mad5185.www5.localhost", + "host.name": "eiusmod3517.internal.invalid", "input.type": "log", - "log.offset": 9124, + "log.offset": 9469, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "eprehend", - "rsa.identity.firstname": "caboNemo", - "rsa.identity.lastname": "dexerc", + "rsa.identity.firstname": "dol", + "rsa.identity.lastname": "sciun", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.misc.device_name": "gnaa", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "strumex", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "labor", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "metcons", + "rsa.misc.node": "olup", 
"rsa.network.alias_host": [ - "mad5185.www5.localhost" + "eiusmod3517.internal.invalid" ], - "rsa.time.event_time": "2020-06-26T09:42:33.000Z", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1292,126 +1310,118 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "event.action": "deny", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "11-July-2017 02:45:07 low dolor5930.internal.host eritin <yCic 2017-7-11T2:45:07.nder mdolore2604.api.domain CylancePROTECT saqu iscive [quasiar] Event Type: ExploitAttempt, Event Name: Registration, Device Name: quido, IP Address: (10.63.231.55), Action: deny, Process ID: 2622, Process Name: stquid.exe, User Name: turadipi, Violation Type: usmodi, Zone Names: ree", + "event.original": "11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", "fileset.name": "protect", - "host.name": "mdolore2604.api.domain", + "host.mac": "01:00:5e:54:ab:3f", + "host.name": "ntexpl3889.www.home", "input.type": "log", - "log.offset": 9427, + "log.offset": 9678, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "stquid.exe", - "process.pid": 2622, "related.ip": [ - "10.63.231.55" + "10.156.34.19" ], "related.user": [ - "turadipi" + "imveni" ], - "rsa.db.index": "ree", + "rsa.db.index": "stquid", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Registration", - "rsa.misc.node": "quido", - "rsa.misc.policy_name": "usmodi", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "Cic", + 
"rsa.misc.OS": "ariaturE", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "saqu", "rsa.network.alias_host": [ - "mdolore2604.api.domain" + "ntexpl3889.www.home" ], + "rsa.network.eth_host": "01:00:5e:54:ab:3f", "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "cylance", "source.ip": [ - "10.63.231.55" + "10.156.34.19" ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "turadipi" + "user.name": "imveni" }, { "@timestamp": "2019-07-25T11:47:41.000Z", - "event.action": "allow", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "25-Jul-2017 9:47:41 medium illu4130.internal.lan temUten <sitamet 25T09:47:41.utlabo tetur4690.mail.lan CylancePROTECT Event Name: ZoneAddDevice, Device Name: ecatcupi, IP Address: (10.6.6.242), Action: allow, Process ID: 4938, Process Name: onse.exe, User Name: olorem, Violation Type: turvel, Zone Names:eratv", + "event.original": "25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", "fileset.name": "protect", - "host.name": "tetur4690.mail.lan", + "host.mac": "01:00:5e:ee:e8:77", + "host.name": "ntium4450.www5.localdomain", "input.type": "log", - "log.offset": 9800, + "log.offset": 10027, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "onse.exe", - "process.pid": 4938, "related.ip": [ - "10.6.6.242" + "10.22.94.10" ], "related.user": [ - "olorem" + "ssusci" ], - "rsa.db.index": "eratv", + "rsa.db.index": "mpo", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - 
"rsa.misc.device_name": "ecatcupi", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.policy_name": "turvel", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.OS": "animid", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "vol", "rsa.network.alias_host": [ - "tetur4690.mail.lan" + "ntium4450.www5.localdomain" ], + "rsa.network.eth_host": "01:00:5e:ee:e8:77", "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "service.type": "cylance", "source.ip": [ - "10.6.6.242" + "10.22.94.10" ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "olorem" + "user.name": "ssusci" }, { - "@timestamp": "2019-08-08T06:50:15.000Z", - "event.action": "pechange", + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 8 4:50:15 umwritte7596.internal.localdomain CylancePROTECT Event Type:nse, Event Name:pechange, Message: Provider:iameaque, Source IP:10.232.119.56, User: tsed eturad (tiumdolo)", + "event.original": "8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", "fileset.name": "protect", + "host.name": "erspi5757.local", "input.type": "log", - "log.offset": 10120, + "log.offset": 10341, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.232.119.56" - ], - "rsa.identity.firstname": "tsed", - "rsa.identity.lastname": "eturad", + "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", - 
"rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "nse", - "rsa.misc.event_type": "pechange", - "rsa.misc.mail_id": "tiumdolo", - "rsa.time.event_time": "2019-08-08T06:50:15.000Z", - "service.type": "cylance", - "source.ip": [ - "10.232.119.56" + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uov", + "rsa.misc.serial_number": "quaU", + "rsa.network.alias_host": [ + "erspi5757.local" ], + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" 
@@ -1419,24 +1429,27 @@ }, { "@timestamp": "2019-08-22T13:52:50.000Z", - "event.action": "LoginSuccess", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 22 11:52:50 imadmi6980.www.localdomain CylancePROTECT Event Type:olupta, Event Name:LoginSuccess, Device Name:iatqu, Zone Names:inBCSedu, Device Id: erspi", + "event.original": "Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", "fileset.name": "protect", "input.type": "log", - "log.offset": 10302, + "log.offset": 10755, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "inBCSedu", + "rsa.db.index": "lmolesti", + "rsa.identity.firstname": "uptate", + "rsa.identity.lastname": "lloinven", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": "olupta", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "iatqu", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "idolo", + "rsa.misc.device_name": "edolo", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "econs", "rsa.time.event_time": "2019-08-22T13:52:50.000Z", "service.type": "cylance", "tags": [ 
@@ -1445,63 +1458,69 @@ ] }, { - "@timestamp": "2017-09-06T08:55:24.000Z", - "event.action": "Device Policy Assigned", + "@timestamp": "2017-09-06T08:55:00.000Z", + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "iacons 2017-9-6T6:55:24.occaec acommodi563.internal.home CylancePROTECT fici imve [quide] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: SHA256: aco; Reason: failure, User: accusa natu (liquid)", + "event.original": "September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", + "file.directory": "isi", "fileset.name": "protect", - "host.name": "acommodi563.internal.home", "input.type": "log", - "log.offset": 10461, + "log.offset": 10997, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "accusa", - "rsa.identity.lastname": "natu", + "related.ip": [ + "10.153.34.43" + ], + "rsa.db.index": "saute", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "aco", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "liquid", - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "acommodi563.internal.home" + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "allow" ], - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.misc.checksum": "culpaq", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "fugits", + 
"rsa.time.event_time": "2017-09-06T08:55:00.000Z", "service.type": "cylance", + "source.ip": [ + "10.153.34.43" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-09-20T03:57:58.000Z", - "event.action": "LoginSuccess", + "@timestamp": "2017-09-20T03:57:58.000Z", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "20-Sep-2017 1:57:58 medium idolo5752.mail.example ugiatquo <uptate 20T13:57:58.lloinven econs2687.internal.localdomain CylancePROTECT Event Name:LoginSuccess, Device Name:lorsita, Zone Names:eavol", + "event.original": "2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", "fileset.name": "protect", - "host.name": "econs2687.internal.localdomain", + "host.name": "magnid3343.home", "input.type": "log", - "log.offset": 10675, + "log.offset": 11290, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "eavol", + "rsa.db.index": "obea", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "lorsita", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "gitse", + "rsa.misc.serial_number": "col", "rsa.network.alias_host": [ - "econs2687.internal.localdomain" + "magnid3343.home" ], - "rsa.time.event_time": "2019-09-20T03:57:58.000Z", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", 
"service.type": "cylance", "tags": [ "cylance.protect", 
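Review bot: The new expected values in this hunk pin a leading space in `"rsa.investigations.event_vcat": " AppControl"` and `" DeviceControl"`, copied from the `Event Type: X` form of the message, whereas the `Event Type:X` form elsewhere in this file yields `"idolo"` with no space. Accepting both spellings in the fixture means one event type is indexed as two distinct keyword terms, so an exact-match detection rule or dashboard filter on `event_vcat` will silently miss the events that carry the space. The same ` AuditLog` value exists on the old side, so this predates the commit, but a regenerated fixture is the point to catch it: trim whitespace on this field in the pipeline (a `trim` processor or stripping the capture) and regenerate, rather than locking the untrimmed value in as expected output.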
@@ -1509,34 +1528,30 @@ ] }, { - "@timestamp": "2017-10-04T11:00:32.000Z", - "event.action": "LoginSuccess", + "@timestamp": "2019-10-04T11:00:32.000Z", + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-10-4T9:00:32.npr etconsec5410.api.invalid CylancePROTECT laudan litesseq [atcupida] Event Type: AuditLog, Event Name: LoginSuccess, Message: Source: tob; SHA256: dolores; Category: equamnih; Reason: success, User: deF itempo (orumw)", + "event.original": "4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", "fileset.name": "protect", - "host.name": "etconsec5410.api.invalid", + "host.name": "asperna7623.www.home", "input.type": "log", - "log.offset": 10879, - "observer.product": "tob", + "log.offset": 11623, + "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "deF", - "rsa.identity.lastname": "itempo", + "rsa.identity.firstname": "onproide", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "equamnih", - "rsa.misc.checksum": "dolores", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "orumw", - "rsa.misc.result": "success", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dexe", "rsa.network.alias_host": [ - "etconsec5410.api.invalid" + "asperna7623.www.home" ], - "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.network.zone": "tat", + "rsa.time.event_time": "2019-10-04T11:00:32.000Z", "service.type": "cylance", "tags": [ 
"cylance.protect", 
@@ -1545,88 +1560,65 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "event.action": "allow", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "mquisno 2017-10-19T4:03:07.aev inrepr72.internal.home CylancePROTECT nisiu imad [oriosam] Event Type: ExploitAttempt, Event Name: Device Policy Assigned, Device Name: itasp, IP Address: (10.169.5.162), Action: allow, Process ID: 2957, Process Name: odt.exe, User Name: cillumd, Violation Type: riosa, Zone Names: tNe", + "event.original": "nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", + "file.directory": "seddoeiu", "fileset.name": "protect", - "host.name": "inrepr72.internal.home", + "host.name": "undeom845.www5.example", "input.type": "log", - "log.offset": 11117, + "log.offset": 11837, + "network.application": "nse", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "odt.exe", - "process.pid": 2957, - "related.ip": [ - "10.169.5.162" - ], + "observer.version": "1.3421", "related.user": [ - "cillumd" + "tassita" ], - "rsa.db.index": "tNe", + "rsa.db.index": "quira", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "itasp", - "rsa.misc.policy_name": "riosa", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "liq", + "rsa.misc.version": "1.3421", 
"rsa.network.alias_host": [ - "inrepr72.internal.home" + "undeom845.www5.example" ], "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "cylance", - "source.ip": [ - "10.169.5.162" - ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "cillumd" + "user.name": "tassita" }, { - "@timestamp": "2017-11-02T13:05:41.000Z", - "event.action": "cancel", + "@timestamp": "2019-11-02T13:05:41.000Z", + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017/11/02T11:05:41.ntmoll mexer4472.www5.invalid CylancePROTECT nofdeFi aquioff [saqu] Event Type: AppControl, Event Name: SystemSecurity, Device Name: amnisi, IP Address: (10.230.77.49), Action: cancel, Action Type: uisnostr, File Path: reetdol, SHA256: uelauda, Zone Names: ema", - "file.directory": "reetdol", + "event.original": "Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", "fileset.name": "protect", - "host.name": "mexer4472.www5.invalid", "input.type": "log", - "log.offset": 11434, + "log.offset": 12101, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.230.77.49" - ], - "rsa.db.index": "ema", + "rsa.identity.firstname": "tatema", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.checksum": "uelauda", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "amnisi", - "rsa.network.alias_host": [ - "mexer4472.www5.invalid" - ], - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "nisiut", 
+ "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "quira", + "rsa.network.zone": "rror", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", "service.type": "cylance", - "source.ip": [ - "10.230.77.49" - ], "tags": [ "cylance.protect", "forwarded" 
@@ -1634,174 +1626,181 @@ }, { "@timestamp": "2017-11-16T08:08:15.000Z", - "event.action": "PolicyAdd", + "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-11-16T6:08:15.uei Nequepo1858.mail.local CylancePROTECT uam orumSec [nisiuta] Event Type: stiaecon, Event Name: PolicyAdd, Device Name: sse", + "event.original": "16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", + "file.directory": "nculpaq", + "file.name": "psa", + "file.type": "iame", "fileset.name": "protect", - "host.name": "Nequepo1858.mail.local", + "host.name": "ons5050.mail.test", "input.type": "log", - "log.offset": 11715, + "log.offset": 12269, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.ip": [ + "10.48.209.115" + ], + "rsa.crypto.sig_type": "adm", + "rsa.db.index": "cta", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": "stiaecon", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "sse", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "sequat", + "rsa.misc.event_state": "ccaec", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "mquiad", 
"rsa.network.alias_host": [ - "Nequepo1858.mail.local" + "ons5050.mail.test" ], "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.web.reputation_num": 75.498, "service.type": "cylance", + "source.ip": [ + "10.48.209.115" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2017-12-01T03:10:49.000Z", - "event.action": "Registration", + "@timestamp": "2019-12-01T03:10:49.000Z", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "1-December-2017 01:10:49 high ici7102.www.localdomain itae <atnula 2017-12-1T1:10:49.ditautf itametc3006.www.test CylancePROTECT remipsu tan [quiac] Event Type: DeviceControl, Event Name: Registration, Device Name: doconse, External Device Type: etdol, External Device Vendor ID: dolorsi, External Device Name: nturmag, External Device Product ID: tura, External Device Serial Number: osquirat, Zone Names: equat", + "event.original": "1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", "fileset.name": "protect", - "host.name": "itametc3006.www.test", + "host.mac": "01:00:5e:e8:41:ae", + "host.name": "oloreeu7597.mail.home", "input.type": "log", - "log.offset": 11860, + "log.offset": 12834, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "equat", + "related.ip": [ + "10.7.99.47" + ], + "related.user": [ + "evolupta" + ], + "rsa.db.index": "ditau", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "Registration", - "rsa.misc.node": "doconse", - 
"rsa.misc.serial_number": "osquirat", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.OS": "teturadi", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "nula", "rsa.network.alias_host": [ - "itametc3006.www.test" + "oloreeu7597.mail.home" ], - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.network.eth_host": "01:00:5e:e8:41:ae", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "cylance", + "source.ip": [ + "10.7.99.47" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "evolupta" }, { "@timestamp": "2017-12-15T10:13:24.000Z", - "event.action": "accept", + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-December-2017 08:13:24 low idunt4633.internal.host liquam <oluptat 2017/12/15T08:13:24.odt rspici1916.api.localhost CylancePROTECT olor etquasia [nula] Event Type: AppControl, Event Name: threat_quarantined, Device Name: riatur, IP Address: (10.99.209.40), Action: accept, Action Type: dol, File Path: atur, SHA256: issu, Zone Names: identsu", - "file.directory": "atur", + "event.original": "hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", "fileset.name": "protect", - "host.name": "rspici1916.api.localhost", + "host.name": "ueip5847.api.test", "input.type": "log", - "log.offset": 12281, + "log.offset": 13150, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.99.209.40" - ], - "rsa.db.index": "identsu", + "rsa.crypto.sig_type": "Nemoenim", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " 
AppControl", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.checksum": "issu", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "riatur", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "sed", + "rsa.misc.checksum": "labori", + "rsa.misc.event_type": "Device Updated", "rsa.network.alias_host": [ - "rspici1916.api.localhost" + "ueip5847.api.test" ], "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "cylance", - "source.ip": [ - "10.99.209.40" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-12-29T05:15:58.000Z", - "event.action": "DeviceRemove", + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Dec 29 3:15:58 hend1600.api.host CylancePROTECT Event Type:aer, Event Name:DeviceRemove, Device Name:iati, Agent Version:minim, IP Address: (10.14.74.218), MAC Address: (01:00:5e:bc:a3:48), Logged On Users: (Nemoenim), OS:usm, Zone Names:labori", + "event.original": "ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", + "file.directory": "eufug", "fileset.name": "protect", - "host.mac": "01:00:5e:bc:a3:48", + "host.name": "uid3520.www.home", "input.type": "log", - "log.offset": 12631, + "log.offset": 13355, + "network.application": "roquisq", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.14.74.218" - ], + "observer.version": "1.989", "related.user": [ - "Nemoenim" + "ici" ], - "rsa.db.index": "labori", + "rsa.db.index": "civelits", "rsa.internal.messageid": "CylancePROTECT", - 
"rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "aer", - "rsa.misc.OS": "usm", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "iati", - "rsa.network.eth_host": "01:00:5e:bc:a3:48", - "rsa.time.event_time": "2019-12-29T05:15:58.000Z", - "service.type": "cylance", - "source.ip": [ - "10.14.74.218" + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "prehend", + "rsa.misc.version": "1.989", + "rsa.network.alias_host": [ + "uid3520.www.home" ], + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" ], - "user.name": "Nemoenim" + "user.name": "ici" }, { "@timestamp": "2020-01-12T12:18:32.000Z", - "event.action": "ThreatUpdated", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "12-Jan-2018 10:18:32 high isiutali3575.www5.invalid Nemoenim <ide 12T22:18:32.edq evitae7333.www.lan CylancePROTECT Event Name:ThreatUpdated, Device Message: Device: expl User: ess quiad (ihilmole),saquaeaZone Names: ons Device Id: orsitam", + "event.original": "Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", "fileset.name": "protect", - "host.name": "evitae7333.www.lan", "input.type": "log", - "log.offset": 12876, + "log.offset": 13623, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ons", - "rsa.identity.firstname": "ess", - "rsa.identity.lastname": "quiad", + "rsa.db.index": "nostrud", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
"rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "expl", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "ihilmole", - "rsa.network.alias_host": [ - "evitae7333.www.lan" - ], + "rsa.investigations.event_vcat": "iduntu", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "inibusB", "rsa.time.event_time": "2020-01-12T12:18:32.000Z", "service.type": "cylance", "tags": [ 
@@ -1810,33 +1809,27 @@ ] }, { - "@timestamp": "2018-01-27T07:21:06.000Z", - "event.action": "DeviceEdit", + "@timestamp": "2020-01-27T07:21:06.000Z", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-1-27T5:21:06.idex radip163.mail.invalid CylancePROTECT eiusmo ainc [miurerep] Event Type: AuditLog, Event Name: DeviceEdit, Message: Zone: ecill; Policy: iduntu; Value: pisci, User: sunt texplica (oco)", + "event.original": "Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", "fileset.name": "protect", - "host.name": "radip163.mail.invalid", "input.type": "log", - "log.offset": 13126, + "log.offset": 13772, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "ecill", - "rsa.identity.firstname": "sunt", - "rsa.identity.lastname": "texplica", + "rsa.identity.firstname": "ugiat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "oco", - "rsa.misc.policy_name": "iduntu", - "rsa.network.alias_host": [ - "radip163.mail.invalid" - ], - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.investigations.event_vcat": "pariatur", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "imavenia", + "rsa.network.zone": "expli", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -1845,43 +1838,32 @@ }, { "@timestamp": "2018-02-10T14:23:41.000Z", - "event.action": "threat_changed", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "itametco 2018-2-10T12:23:41.vel quunt3116.localhost CylancePROTECT nonn dents [itsedd] Event Type: Threat, Event Name: threat_changed, Device Name: ptate, IP Address: (10.152.185.155), File Name: quamqua, Path: ntut, Drive Type: mag, SHA256: meum, MD5: mini, Status: Loremip, Cylance Score: 58.130000, Found Date: tur, File Type: atnonpr, Is Running: ita, Auto Run: amquaer, Detected By: aqui, Zone Names: enby, Is Malware: lpa, Is Unique To Cylance: isn, Threat Classification: smod", - "file.directory": "ntut", - "file.name": "quamqua", - "file.type": "atnonpr", + "event.original": "bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", "fileset.name": "protect", - "host.name": "quunt3116.localhost", + "host.name": "teir7585.www5.localdomain", "input.type": "log", - "log.offset": 13333, + "log.offset": 13945, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.152.185.155" - ], - "rsa.crypto.sig_type": "smod", - "rsa.db.index": "enby", + "rsa.identity.firstname": "scip", + "rsa.identity.lastname": "Finibus", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "meum", - "rsa.misc.event_state": "Loremip", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "ptate", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": 
"SystemSecurity", + "rsa.misc.mail_id": "Utenimad", + "rsa.misc.node": "oreverit", "rsa.network.alias_host": [ - "quunt3116.localhost" + "teir7585.www5.localdomain" ], "rsa.time.event_time": "2018-02-10T14:23:41.000Z", - "rsa.web.reputation_num": 58.13, "service.type": "cylance", - "source.ip": [ - "10.152.185.155" - ], "tags": [ "cylance.protect", "forwarded" 
@@ -1889,30 +1871,26 @@ }, { "@timestamp": "2020-02-24T09:26:15.000Z", - "event.action": "ZoneAddDevice", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Feb-2018 7:26:15 low cte4809.mail.lan uunturma <eserun 24T19:26:15.pta emu5311.localdomain CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: destla User: fugitse minimve (serrorsi),tametcoZone Names: mquisnos Device Id: lore", + "event.original": "Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse ", "fileset.name": "protect", - "host.name": "emu5311.localdomain", "input.type": "log", - "log.offset": 13817, + "log.offset": 14144, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "mquisnos", - "rsa.identity.firstname": "fugitse", - "rsa.identity.lastname": "minimve", + "rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "destla", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "serrorsi", - "rsa.network.alias_host": [ - "emu5311.localdomain" - ], + "rsa.investigations.event_vcat": "ali", + "rsa.misc.device_name": "itasp", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "quunt", + "rsa.misc.serial_number": "volup", "rsa.time.event_time": "2020-02-24T09:26:15.000Z", "service.type": "cylance", "tags": [ 
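Review bot: The added object at `log.offset` 14144 pins `"rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse"`, i.e. the `Zone Names:` capture runs to end of line and swallows the `Device Id:` and `Policy Name:` fields instead of stopping at the next `, ` separator, so the zone name will never match a real zone in a term query and the device id and policy name are lost entirely. The identical shape appears on the removed side at offset 14070 (`nofdeFi, Device Id: henderit, Policy Name: remq`), so this is pre-existing rather than introduced here, but committing the regenerated fixture as expected output locks the pipeline into that parse. The message pattern for this external-device `SyslogSettingsSave` form should terminate the `Zone Names` capture at `, Device Id:` and map the two trailing fields, with the fixture regenerated afterwards; if that is out of scope for this series, the trailing-field loss should at least be tracked rather than silently accepted.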
@@ -1922,26 +1900,27 @@ }, { "@timestamp": "2020-03-11T04:28:49.000Z", - "event.action": "PolicyAdd", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Mar 11 2:28:49 isn1684.www.invalid CylancePROTECT Event Type:civelits, Event Name:PolicyAdd, Device Name:quiav, External Device Type:mse, External Device Vendor ID:prehen, External Device Name:nonn, External Device Product ID:hite, External Device Serial Number:ianonnum, Zone Names:nofdeFi, Device Id: henderit, Policy Name: remq ", + "event.original": "Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl", "fileset.name": "protect", "input.type": "log", - "log.offset": 14070, + "log.offset": 14471, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "nofdeFi, Device Id: henderit, Policy Name: remq", + "rsa.db.index": "colabori", + "rsa.identity.firstname": "nvo", + "rsa.identity.lastname": "iamqui", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": "civelits", - "rsa.misc.device_name": "mse", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "quiav", - "rsa.misc.serial_number": "ianonnum", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "atura", + "rsa.misc.device_name": "oreeu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "tassita", "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "cylance", "tags": [ 
@@ -1950,31 +1929,30 @@
 ]
 },
 {
- "@timestamp": "2020-03-25T11:31:24.000Z",
- "event.action": "threat_found",
+ "@timestamp": "2018-03-25T11:31:24.000Z",
+ "event.action": "ZoneAddDevice",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "25-Mar-2018 9:31:24 medium arch2905.www5.home ror <doei 25T09:31:24.nvolupta tev2820.www.home CylancePROTECT Event Name:threat_found, Device Name:orp, External Device Type:ender, External Device Vendor ID:dico, External Device Name:uptatem, External Device Product ID:upt, External Device Serial Number:ulamc, Zone Names:cept, Device Id: aedictas, Policy Name: eursint ",
+ "event.original": "2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever)",
 "fileset.name": "protect",
- "host.name": "tev2820.www.home",
+ "host.name": "serrorsi1096.www5.localdomain",
 "input.type": "log",
- "log.offset": 14402,
+ "log.offset": 14653,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.db.index": "cept, Device Id: aedictas, Policy Name: eursint",
+ "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices",
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.device_name": "ender",
- "rsa.misc.event_type": "threat_found",
- "rsa.misc.node": "orp",
- "rsa.misc.serial_number": "ulamc",
+ "rsa.investigations.event_vcat": "AuditLog",
+ "rsa.misc.event_type": "ZoneAddDevice",
+ "rsa.misc.node": "reetdo",
 "rsa.network.alias_host": [
- "tev2820.www.home"
+ "serrorsi1096.www5.localdomain"
 ],
- "rsa.time.event_time": "2020-03-25T11:31:24.000Z",
+ "rsa.time.event_time": "2018-03-25T11:31:24.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -1983,15 +1961,47 @@
 },
 {
 "@timestamp": "2018-04-08T06:33:58.000Z",
+ "event.action": "SystemSecurity",
+ "event.code": "CylancePROTECT",
+ "event.dataset": "cylance.protect",
+ "event.module": "cylance",
+ "event.original": "quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum",
+ "fileset.name": "protect",
+ "host.name": "prehen4807.mail.invalid",
+ "input.type": "log",
+ "log.offset": 14890,
+ "observer.product": "Protect",
+ "observer.type": "Anti-Virus",
+ "observer.vendor": "Cylance",
+ "rsa.db.index": "meum",
+ "rsa.internal.messageid": "CylancePROTECT",
+ "rsa.investigations.event_cat": 1600000000,
+ "rsa.investigations.event_cat_name": "System",
+ "rsa.investigations.event_vcat": " DeviceControl",
+ "rsa.misc.event_type": "SystemSecurity",
+ "rsa.misc.node": "remq",
+ "rsa.misc.serial_number": "ugia",
+ "rsa.network.alias_host": [
+ "prehen4807.mail.invalid"
+ ],
+ "rsa.time.event_time": "2018-04-08T06:33:58.000Z",
+ "service.type": "cylance",
+ "tags": [
+ "cylance.protect",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-04-22T13:36:32.000Z",
 "event.action": "ZoneAdd",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "2018-4-8T4:33:58.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)",
+ "event.original": "2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)",
 "fileset.name": "protect",
 "host.name": "sit1400.www.lan",
 "input.type": "log",
- "log.offset": 14781,
+ "log.offset": 15226,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
@@ -2008,7 +2018,7 @@
 "rsa.network.alias_host": [
 "sit1400.www.lan"
 ],
- "rsa.time.event_time": "2018-04-08T06:33:58.000Z",
+ "rsa.time.event_time": "2018-04-22T13:36:32.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -2016,16 +2026,16 @@
 ]
 },
 {
- "@timestamp": "2018-04-22T13:36:32.000Z",
+ "@timestamp": "2018-05-07T08:39:06.000Z",
 "event.action": "Device Updated",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "hilmole 2018-4-22T11:36:32.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido",
+ "event.original": "hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido",
 "fileset.name": "protect",
 "host.name": "sectetu7182.localdomain",
 "input.type": "log",
- "log.offset": 14972,
+ "log.offset": 15419,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
@@ -2037,7 +2047,7 @@
 "rsa.network.alias_host": [
 "sectetu7182.localdomain"
 ],
- "rsa.time.event_time": "2018-04-22T13:36:32.000Z",
+ "rsa.time.event_time": "2018-05-07T08:39:06.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -2045,99 +2055,63 @@
 ]
 },
 {
- "@timestamp": "2018-05-07T08:39:06.000Z",
+ "@timestamp": "2018-05-21T03:41:41.000Z",
 "event.action": "ZoneAdd",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "2018-5-7T6:39:06.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota;etdoloreUser: magnaa sumquiad (iusmodt)",
+ "event.original": "2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)",
 "fileset.name": "protect",
 "host.name": "officiad4982.www5.domain",
 "input.type": "log",
- "log.offset": 15122,
+ "log.offset": 15567,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.identity.firstname": "magnaa",
- "rsa.identity.lastname": "sumquiad",
+ "rsa.identity.firstname": "etdolore",
+ "rsa.identity.lastname": "magnaa",
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
 "rsa.investigations.event_vcat": " AuditLog",
 "rsa.misc.event_type": "ZoneAdd",
- "rsa.misc.mail_id": "iusmodt",
+ "rsa.misc.mail_id": "sumquiad",
 "rsa.misc.node": "umtota",
 "rsa.network.alias_host": [
 "officiad4982.www5.domain"
 ],
- "rsa.time.event_time": "2018-05-07T08:39:06.000Z",
- "service.type": "cylance",
- "tags": [
- "cylance.protect",
- "forwarded"
- ]
- },
- {
- "@timestamp": "2020-05-21T03:41:41.000Z",
- "event.action": "Alert",
- "event.code": "CylancePROTECT",
- "event.dataset": "cylance.protect",
- "event.module": "cylance",
- "event.original": "21-May-2018 1:41:41 high ident4293.api.example ercitati <rro 21T13:41:41.oeiusmo nimv4681.internal.lan CylancePROTECT Event Name:Alert, Message: Provider:quisn, Source IP:10.132.23.6, User: etMa llita (ntsunt)#015",
- "fileset.name": "protect",
- "host.name": "nimv4681.internal.lan",
- "input.type": "log",
- "log.offset": 15314,
- "observer.product": "Protect",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Cylance",
- "related.ip": [
- "10.132.23.6"
- ],
- "rsa.identity.firstname": "etMa",
- "rsa.identity.lastname": "llita",
- "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1609000000,
- "rsa.investigations.event_cat_name": "System.Alerts",
- "rsa.misc.event_type": "Alert",
- "rsa.misc.mail_id": "ntsunt",
- "rsa.network.alias_host": [
- "nimv4681.internal.lan"
- ],
- "rsa.time.event_time": "2020-05-21T03:41:41.000Z",
+ "rsa.time.event_time": "2018-05-21T03:41:41.000Z",
 "service.type": "cylance",
- "source.ip": [
- "10.132.23.6"
- ],
 "tags": [
 "cylance.protect",
 "forwarded"
 ]
 },
 {
- "@timestamp": "2020-06-04T10:44:15.000Z",
- "event.action": "ThreatUpdated",
+ "@timestamp": "2018-06-04T10:44:15.000Z",
+ "event.action": "pechange",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "4-Jun-2018 8:44:15 high temsequi4910.mail.host enbyCic <conseq 4T20:44:15.itame tenat5407.www5.test CylancePROTECT Event Name:ThreatUpdated, Device Name:cti, Zone Names:ommodoc",
+ "event.original": "2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun",
 "fileset.name": "protect",
- "host.name": "tenat5407.www5.test",
+ "host.name": "consequa1486.internal.localdomain",
 "input.type": "log",
- "log.offset": 15533,
+ "log.offset": 15754,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.db.index": "ommodoc",
+ "rsa.crypto.sig_type": "quaeratv",
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.event_type": "ThreatUpdated",
- "rsa.misc.node": "cti",
+ "rsa.investigations.event_vcat": "ptatemse",
+ "rsa.misc.checksum": "tobeata",
+ "rsa.misc.event_type": "pechange",
 "rsa.network.alias_host": [
- "tenat5407.www5.test"
+ "consequa1486.internal.localdomain"
 ],
- "rsa.time.event_time": "2020-06-04T10:44:15.000Z",
+ "rsa.time.event_time": "2018-06-04T10:44:15.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -2145,63 +2119,87 @@
 ]
 },
 {
- "@timestamp": "2020-06-19T05:46:49.000Z",
- "event.action": "ZoneAdd",
+ "@timestamp": "2018-06-19T05:46:49.000Z",
+ "event.action": "fullaccess",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "Jun 19 3:46:49 orem7191.mail.test CylancePROTECT Event Type:uisaut, Event Name:ZoneAdd, Device Name:paq, External Device Type:uianon, External Device Vendor ID:nul, External Device Name:onse, External Device Product ID:sitam, External Device Serial Number:inibusBo, Zone Names:illoin",
+ "event.original": "2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui",
 "fileset.name": "protect",
+ "host.mac": "01:00:5e:bc:c1:21",
+ "host.name": "its6443.mail.example",
 "input.type": "log",
- "log.offset": 15717,
+ "log.offset": 15974,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.db.index": "illoin",
+ "related.ip": [
+ "10.139.80.71"
+ ],
+ "related.user": [
+ "orem"
+ ],
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": "uisaut",
- "rsa.misc.device_name": "uianon",
- "rsa.misc.event_type": "ZoneAdd",
- "rsa.misc.node": "paq",
- "rsa.misc.serial_number": "inibusBo",
- "rsa.time.event_time": "2020-06-19T05:46:49.000Z",
+ "rsa.investigations.event_vcat": "miurere",
+ "rsa.misc.OS": "eniamqui",
+ "rsa.misc.event_type": "fullaccess",
+ "rsa.misc.node": "tlabo",
+ "rsa.network.alias_host": [
+ "its6443.mail.example"
+ ],
+ "rsa.network.eth_host": "01:00:5e:bc:c1:21",
+ "rsa.time.event_time": "2018-06-19T05:46:49.000Z",
 "service.type": "cylance",
+ "source.ip": [
+ "10.139.80.71"
+ ],
 "tags": [
 "cylance.protect",
 "forwarded"
- ]
+ ],
+ "user.name": "orem"
 },
 {
 "@timestamp": "2018-07-03T12:49:23.000Z",
- "event.action": "LoginSuccess",
+ "event.action": "Alert",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "sequatD 2018-7-3T10:49:23.eleumi equ3413.www.example CylancePROTECT tsunt rnat [oremi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Policy Assigned:ctetu; Devices: oreeu , User: uasiarch Malor (boriosa)",
+ "event.original": "3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati",
+ "file.directory": "ttenb",
+ "file.name": "itl",
+ "file.type": "oluptat",
 "fileset.name": "protect",
- "host.name": "equ3413.www.example",
+ "host.name": "tconsec7604.corp",
 "input.type": "log",
- "log.offset": 16001,
+ "log.offset": 16248,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.identity.firstname": "uasiarch",
- "rsa.identity.lastname": "Malor",
+ "related.ip": [
+ "10.223.246.244"
+ ],
+ "rsa.crypto.sig_type": "ercitati",
+ "rsa.db.index": "con",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1401060000,
- "rsa.investigations.event_cat_name": "User.Activity.Successful Logins",
- "rsa.investigations.event_vcat": " AuditLog",
- "rsa.misc.event_type": "LoginSuccess",
- "rsa.misc.mail_id": "boriosa",
- "rsa.misc.node": "oreeu",
- "rsa.misc.policy_name": "ctetu",
+ "rsa.investigations.event_cat": 1609000000,
+ "rsa.investigations.event_cat_name": "System.Alerts",
+ "rsa.investigations.event_vcat": " Threat",
+ "rsa.misc.checksum": "quiav",
+ "rsa.misc.event_state": "Nem",
+ "rsa.misc.event_type": "Alert",
+ "rsa.misc.node": "stiaecon",
 "rsa.network.alias_host": [
- "equ3413.www.example"
+ "tconsec7604.corp"
 ],
 "rsa.time.event_time": "2018-07-03T12:49:23.000Z",
+ "rsa.web.reputation_num": 105.845,
 "service.type": "cylance",
+ "source.ip": [
+ "10.223.246.244"
+ ],
 "tags": [
 "cylance.protect",
 "forwarded"
@@ -2209,36 +2207,33 @@
 },
 {
 "@timestamp": "2018-07-17T07:51:58.000Z",
- "event.action": "PolicyAdd",
+ "event.action": "threat_found",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "2018-7-17T5:51:58.aliqu taedict4891.api.host CylancePROTECT lor auto [rsinto] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: periam was auto assigned to the Zone: IP Address: 10.137.79.74, User: (lors)",
+ "event.original": "17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)",
 "fileset.name": "protect",
- "host.name": "taedict4891.api.host",
+ "host.name": "tuser2694.internal.invalid",
 "input.type": "log",
- "log.offset": 16216,
+ "log.offset": 16788,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "related.ip": [
- "10.137.79.74"
- ],
- "rsa.db.index": "The Device: periam was auto assigned to the Zone: IP Address: 10.137.79.74",
+ "rsa.identity.firstname": "natus",
+ "rsa.identity.lastname": "boreet",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1502030000,
- "rsa.investigations.event_cat_name": "Policies.Rules.Added",
- "rsa.investigations.event_vcat": "AuditLog",
- "rsa.misc.event_type": "PolicyAdd",
- "rsa.misc.node": "periam",
+ "rsa.investigations.event_cat": 1901000000,
+ "rsa.investigations.event_cat_name": "Other.Default",
+ "rsa.investigations.event_vcat": "ugiatqu",
+ "rsa.misc.event_type": "threat_found",
+ "rsa.misc.mail_id": "luptasnu",
+ "rsa.misc.node": "turveli",
+ "rsa.misc.policy_name": "isciv",
 "rsa.network.alias_host": [
- "taedict4891.api.host"
+ "tuser2694.internal.invalid"
 ],
 "rsa.time.event_time": "2018-07-17T07:51:58.000Z",
 "service.type": "cylance",
- "source.ip": [
- "10.137.79.74"
- ],
 "tags": [
 "cylance.protect",
 "forwarded"
@@ -2246,30 +2241,27 @@
 },
 {
 "@timestamp": "2018-08-01T14:54:32.000Z",
- "event.action": "ZoneAddDevice",
+ "event.action": "pechange",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "1-August-2018 00:54:32 high aquae7068.test ctetura <tDuisau 2018-8-1T12:54:32.aturve ptateve7615.internal.invalid CylancePROTECT tconsect pariat [iutal] Event Type: teturad, Event Name: ZoneAddDevice, Device Names: (isi), Policy Name: idexeac, User: ntu tdolo (nimve)",
+ "event.original": "edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine",
 "fileset.name": "protect",
- "host.name": "ptateve7615.internal.invalid",
+ "host.name": "gnaaliq5240.api.test",
 "input.type": "log",
- "log.offset": 16439,
+ "log.offset": 17069,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.identity.firstname": "ntu",
- "rsa.identity.lastname": "tdolo",
+ "rsa.crypto.sig_type": "ratvo",
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": "teturad",
- "rsa.misc.event_type": "ZoneAddDevice",
- "rsa.misc.mail_id": "nimve",
- "rsa.misc.node": "isi",
- "rsa.misc.policy_name": "idexeac",
+ "rsa.investigations.event_vcat": "esciun",
+ "rsa.misc.checksum": "volupt",
+ "rsa.misc.event_type": "pechange",
 "rsa.network.alias_host": [
- "ptateve7615.internal.invalid"
+ "gnaaliq5240.api.test"
 ],
 "rsa.time.event_time": "2018-08-01T14:54:32.000Z",
 "service.type": "cylance",
@@ -2279,33 +2271,29 @@
 ]
 },
 {
- "@timestamp": "2018-08-15T09:57:06.000Z",
- "event.action": "fullaccess",
+ "@timestamp": "2019-08-15T09:57:06.000Z",
+ "event.action": "LoginSuccess",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "ola 2018-8-15T7:57:06.ptat quasi4459.domain CylancePROTECT snostr squamest [quisn] Event Type: pteu, Event Name: fullaccess, Device Names: (illumdo), Policy Name: antium, User: remaper eseosq (iatquovo)",
+ "event.original": "15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo",
 "fileset.name": "protect",
- "host.name": "quasi4459.domain",
+ "host.name": "illum2625.test",
 "input.type": "log",
- "log.offset": 16716,
+ "log.offset": 17270,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.identity.firstname": "remaper",
- "rsa.identity.lastname": "eseosq",
+ "rsa.crypto.sig_type": "iaeconse",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": "pteu",
- "rsa.misc.event_type": "fullaccess",
- "rsa.misc.mail_id": "iatquovo",
- "rsa.misc.node": "illumdo",
- "rsa.misc.policy_name": "antium",
+ "rsa.investigations.event_cat": 1401060000,
+ "rsa.investigations.event_cat_name": "User.Activity.Successful Logins",
+ "rsa.misc.checksum": "nimadmin",
+ "rsa.misc.event_type": "LoginSuccess",
 "rsa.network.alias_host": [
- "quasi4459.domain"
+ "illum2625.test"
 ],
- "rsa.time.event_time": "2018-08-15T09:57:06.000Z",
+ "rsa.time.event_time": "2019-08-15T09:57:06.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -2313,33 +2301,42 @@
 ]
 },
 {
- "@timestamp": "2018-08-29T04:59:40.000Z",
- "event.action": "SyslogSettingsSave",
+ "@timestamp": "2018-08-29T16:59:40.000Z",
+ "event.action": "deny",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "mollit 2018-8-29T2:59:40.eosqui dipisciv7116.www.host CylancePROTECT llum mwr [cia] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Device: estiaec;pitlaboUser: tas rcitat (ree)",
+ "event.original": "29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia",
+ "file.directory": "emporin",
 "fileset.name": "protect",
- "host.name": "dipisciv7116.www.host",
+ "host.name": "nulamc5617.mail.host",
 "input.type": "log",
- "log.offset": 16919,
+ "log.offset": 17480,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.identity.firstname": "tas",
- "rsa.identity.lastname": "rcitat",
+ "related.ip": [
+ "10.134.137.205"
+ ],
+ "rsa.db.index": "etquasia",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": " AuditLog",
- "rsa.misc.event_type": "SyslogSettingsSave",
- "rsa.misc.mail_id": "ree",
- "rsa.misc.node": "estiaec",
+ "rsa.investigations.event_cat": 1600000000,
+ "rsa.investigations.event_cat_name": "System",
+ "rsa.investigations.event_vcat": " AppControl",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.checksum": "oreseosq",
+ "rsa.misc.event_type": "SystemSecurity",
+ "rsa.misc.node": "ntu",
 "rsa.network.alias_host": [
- "dipisciv7116.www.host"
+ "nulamc5617.mail.host"
 ],
- "rsa.time.event_time": "2018-08-29T04:59:40.000Z",
+ "rsa.time.event_time": "2018-08-29T16:59:40.000Z",
 "service.type": "cylance",
+ "source.ip": [
+ "10.134.137.205"
+ ],
 "tags": [
 "cylance.protect",
 "forwarded"
@@ -2347,140 +2344,158 @@
 },
 {
 "@timestamp": "2018-09-12T12:02:15.000Z",
- "event.action": "SyslogSettingsSave",
+ "event.action": "threat_found",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "temaccu 2018-9-12T10:02:15.uamqua Neq4477.mail.invalid CylancePROTECT nim pteurs [ercitati] Event Type: atem, Event Name: SyslogSettingsSave, Device Name: mipsu, Agent Version: velillu, IP Address: (10.181.241.7), MAC Address: (01:00:5e:e1:72:72), Logged On Users: (riatu), OS: utod",
+ "event.original": "2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)",
 "fileset.name": "protect",
- "host.mac": "01:00:5e:e1:72:72",
- "host.name": "Neq4477.mail.invalid",
+ "host.name": "tatem4713.internal.host",
 "input.type": "log",
- "log.offset": 17112,
+ "log.offset": 17827,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "related.ip": [
- "10.181.241.7"
- ],
- "related.user": [
- "riatu"
- ],
+ "rsa.db.index": "usci",
+ "rsa.identity.firstname": "lupta",
+ "rsa.identity.lastname": "ura",
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": "atem",
- "rsa.misc.OS": "utod",
- "rsa.misc.event_type": "SyslogSettingsSave",
- "rsa.misc.node": "mipsu",
+ "rsa.investigations.event_vcat": " AuditLog",
+ "rsa.misc.event_type": "threat_found",
+ "rsa.misc.mail_id": "oreeufug",
+ "rsa.misc.policy_name": "unturmag",
 "rsa.network.alias_host": [
- "Neq4477.mail.invalid"
+ "tatem4713.internal.host"
 ],
- "rsa.network.eth_host": "01:00:5e:e1:72:72",
 "rsa.time.event_time": "2018-09-12T12:02:15.000Z",
 "service.type": "cylance",
- "source.ip": [
- "10.181.241.7"
- ],
 "tags": [
 "cylance.protect",
 "forwarded"
- ],
- "user.name": "riatu"
+ ]
 },
 {
- "@timestamp": "2019-09-27T07:04:49.000Z",
- "event.action": "threat_quarantined",
+ "@timestamp": "2018-09-27T07:04:49.000Z",
+ "event.action": "SyslogSettingsSave",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "Sep 27 5:04:49 uipe6805.www5.domain CylancePROTECT Event Type:stenat, Event Name:threat_quarantined, Threat Class:sequamn, Threat Subclass:perspici, SHA256:inimve, MD5:aea",
+ "event.original": "2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum",
 "fileset.name": "protect",
+ "host.mac": "01:00:5e:42:41:00",
+ "host.name": "ugits5961.www5.local",
 "input.type": "log",
- "log.offset": 17395,
+ "log.offset": 18043,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.crypto.sig_type": "sequamn",
+ "related.ip": [
+ "10.91.2.225"
+ ],
+ "related.user": [
+ "rsp"
+ ],
+ "rsa.db.index": "nostrum",
 "rsa.internal.messageid": "CylancePROTECT",
 "rsa.investigations.event_cat": 1901000000,
 "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": "stenat",
- "rsa.misc.checksum": "inimve",
- "rsa.misc.event_type": "threat_quarantined",
- "rsa.time.event_time": "2019-09-27T07:04:49.000Z",
+ "rsa.investigations.event_vcat": "naa",
+ "rsa.misc.OS": "imipsa",
+ "rsa.misc.event_type": "SyslogSettingsSave",
+ "rsa.misc.node": "idolo",
+ "rsa.network.alias_host": [
+ "ugits5961.www5.local"
+ ],
+ "rsa.network.eth_host": "01:00:5e:42:41:00",
+ "rsa.time.event_time": "2018-09-27T07:04:49.000Z",
 "service.type": "cylance",
+ "source.ip": [
+ "10.91.2.225"
+ ],
 "tags": [
 "cylance.protect",
 "forwarded"
- ]
+ ],
+ "user.name": "rsp"
 },
 {
 "@timestamp": "2018-10-11T14:07:23.000Z",
- "event.action": "LoginSuccess",
+ "event.action": "block",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "udexerci 2018-10-11T12:07:23.uae imveni193.www5.host CylancePROTECT itationu setquas [nbyCi] Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: magnaali, Source IP: 10.201.95.47, User: isno usBono (ameaq)",
+ "event.original": "2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex",
 "fileset.name": "protect",
- "host.name": "imveni193.www5.host",
+ "host.name": "prehende5460.mail.localdomain",
 "input.type": "log",
- "log.offset": 17567,
- "observer.product": "magnaali",
+ "log.offset": 18340,
+ "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
+ "process.name": "nimadmi.exe",
+ "process.pid": 601,
 "related.ip": [
- "10.201.95.47"
+ "10.191.99.14"
 ],
- "rsa.identity.firstname": "isno",
- "rsa.identity.lastname": "usBono",
+ "related.user": [
+ "lapa"
+ ],
+ "rsa.db.index": "iquipex",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1401060000,
- "rsa.investigations.event_cat_name": "User.Activity.Successful Logins",
- "rsa.investigations.event_vcat": " AuditLog",
- "rsa.misc.event_type": "LoginSuccess",
- "rsa.misc.mail_id": "ameaq",
+ "rsa.investigations.event_cat": 1901000000,
+ "rsa.investigations.event_cat_name": "Other.Default",
+ "rsa.investigations.event_vcat": " ExploitAttempt",
+ "rsa.misc.action": [
+ "block"
+ ],
+ "rsa.misc.event_type": "ThreatUpdated",
+ "rsa.misc.node": "uido",
+ "rsa.misc.policy_name": "emoenimi",
 "rsa.network.alias_host": [
- "imveni193.www5.host"
+ "prehende5460.mail.localdomain"
 ],
 "rsa.time.event_time": "2018-10-11T14:07:23.000Z",
 "service.type": "cylance",
 "source.ip": [
- "10.201.95.47"
+ "10.191.99.14"
 ],
 "tags": [
 "cylance.protect",
 "forwarded"
- ]
+ ],
+ "user.name": "lapa"
 },
 {
- "@timestamp": "2018-10-25T09:09:57.000Z",
- "event.action": "SyslogSettingsSave",
+ "@timestamp": "2019-10-25T09:09:57.000Z",
+ "event.action": "Device Policy Assigned",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "lestiae 2018-10-25T7:09:57.iav umiure5186.api.domain CylancePROTECT tno imvenia [culp] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: nesciu; Policy: mali; Value: roinBCSe, User: eetdolor tpersp (assi)",
+ "event.original": "25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt",
 "fileset.name": "protect",
- "host.name": "umiure5186.api.domain",
+ "host.name": "velites1745.api.corp",
 "input.type": "log",
- "log.offset": 17789,
+ "log.offset": 18660,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.db.index": "nesciu",
- "rsa.identity.firstname": "eetdolor",
- "rsa.identity.lastname": "tpersp",
+ "rsa.db.index": "lor",
+ "rsa.identity.firstname": "naaliq",
+ "rsa.identity.lastname": "plica",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.investigations.event_vcat": " AuditLog",
- "rsa.misc.event_type": "SyslogSettingsSave",
- "rsa.misc.mail_id": "assi",
- "rsa.misc.policy_name": "mali",
+ "rsa.investigations.event_cat": 1502000000,
+ "rsa.investigations.event_cat_name": "Policies.Rules",
+ "rsa.misc.change_new": "olorsit",
+ "rsa.misc.change_old": "nimides",
+ "rsa.misc.device_name": "psaqu",
+ "rsa.misc.event_type": "Device Policy Assigned",
+ "rsa.misc.mail_id": "asiarc",
 "rsa.network.alias_host": [
- "umiure5186.api.domain"
+ "velites1745.api.corp"
 ],
- "rsa.time.event_time": "2018-10-25T09:09:57.000Z",
+ "rsa.time.event_time": "2019-10-25T09:09:57.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -2488,33 +2503,29 @@
 ]
 },
 {
- "@timestamp": "2018-11-09T04:12:32.000Z",
- "event.action": "Device Updated",
+ "@timestamp": "2019-11-09T04:12:32.000Z",
+ "event.action": "LoginSuccess",
 "event.code": "CylancePROTECT",
 "event.dataset": "cylance.protect",
 "event.module": "cylance",
- "event.original": "nihilmo 2018-11-9T2:12:32.reetdo xeaco7887.www.localdomain CylancePROTECT hite umfugi [abor] Event Type: AuditLog, Event Name: Device Updated, Message: Zone: remips; Policy: laboreet; Value: uptate, User: tot reme (emeumfu)",
+ "event.original": "9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat",
 "fileset.name": "protect",
- "host.name": "xeaco7887.www.localdomain",
+ "host.name": "Duis583.api.local",
 "input.type": "log",
- "log.offset": 18013,
+ "log.offset": 18964,
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
- "rsa.db.index": "remips",
- "rsa.identity.firstname": "tot",
- "rsa.identity.lastname": "reme",
+ "rsa.crypto.sig_type": "dminim",
 "rsa.internal.messageid": "CylancePROTECT",
- "rsa.investigations.event_cat": 1804010000,
- "rsa.investigations.event_cat_name": "Network.Devices.Additions",
- "rsa.investigations.event_vcat": " AuditLog",
- "rsa.misc.event_type": "Device Updated",
- "rsa.misc.mail_id": "emeumfu",
- "rsa.misc.policy_name": "laboreet",
+ "rsa.investigations.event_cat": 1401060000,
+ "rsa.investigations.event_cat_name": "User.Activity.Successful Logins",
+ "rsa.misc.checksum": "aperiame",
+ "rsa.misc.event_type": "LoginSuccess",
 "rsa.network.alias_host": [
- "xeaco7887.www.localdomain"
+ "Duis583.api.local"
 ],
- "rsa.time.event_time": "2018-11-09T04:12:32.000Z",
+ "rsa.time.event_time": "2019-11-09T04:12:32.000Z",
 "service.type": "cylance",
 "tags": [
 "cylance.protect",
@@ -2523,25 +2534,31 @@ }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.action": "SystemSecurity", + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-11-23T9:15:06.usan gnamali226.internal.test CylancePROTECT edqui tvolu [psu] Event Type: strud, Event Name: SystemSecurity, saute", + "event.original": "inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo", + "file.directory": "umfu", "fileset.name": "protect", - "host.name": "gnamali226.internal.test", + "host.name": "velitess2401.www.lan", "input.type": "log", - "log.offset": 18237, + "log.offset": 19179, + "network.application": "utla", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "observer.version": "1.2478", + "rsa.db.index": "dolo", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "strud", - "rsa.misc.event_type": "SystemSecurity", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "volupta", + "rsa.misc.version": "1.2478", "rsa.network.alias_host": [ - "gnamali226.internal.test" + "velitess2401.www.lan" ], "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "cylance", 
@@ -2552,30 +2569,31 @@ }, { "@timestamp": "2018-12-07T06:17:40.000Z", - "event.action": "SystemSecurity", + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-12-7T4:17:40.atcupi eriti7637.domain CylancePROTECT rema mcol [tion] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: mquis; SHA256: tur, User: itation utlabo (tat)", + "event.original": "2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica)", "fileset.name": "protect", - "host.name": "eriti7637.domain", + "host.name": "sequines3991.mail.local", "input.type": "log", - "log.offset": 18372, + "log.offset": 19432, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "itation", - "rsa.identity.lastname": "utlabo", + "rsa.identity.firstname": "sequines", + "rsa.identity.lastname": "minimve", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "tur", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "tat", - "rsa.misc.node": "mquis", + "rsa.misc.category": "reeufugi", + "rsa.misc.checksum": "eumfugia", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "texplica", + "rsa.misc.policy_name": "iquamqu", "rsa.network.alias_host": [ - "eriti7637.domain" + "sequines3991.mail.local" ], "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "cylance", 
@@ -2585,29 +2603,44 @@ ] }, { - "@timestamp": "2019-12-21T13:20:14.000Z", - "event.action": "Device Updated", + "@timestamp": "2018-12-21T13:20:14.000Z", + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Dec 21 11:20:14 olu2576.localdomain CylancePROTECT Event Type:enim, Event Name:Device Updated, Device Name:meaquei, External Device Type:snisiu, External Device Vendor ID:atem, External Device Name:remque, External Device Product ID:dol, External Device Serial Number:tvolupt, Zone Names:sedquia, Device Id: inrepr, Policy Name: lla ", + "event.original": "21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin", + "file.directory": "setquas", + "file.name": "itationu", + "file.type": "rna", "fileset.name": "protect", + "host.name": "iatquo2815.mail.host", "input.type": "log", - "log.offset": 18560, + "log.offset": 19658, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "sedquia, Device Id: inrepr, Policy Name: lla", + "related.ip": [ + "10.181.215.164" + ], + "rsa.crypto.sig_type": "tin", + "rsa.db.index": "iav", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "enim", - "rsa.misc.device_name": "snisiu", - "rsa.misc.event_type": "Device Updated", - "rsa.misc.node": 
"meaquei", - "rsa.misc.serial_number": "tvolupt", - "rsa.time.event_time": "2019-12-21T13:20:14.000Z", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "runtmoll", + "rsa.misc.event_state": "norumetM", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "imveni", + "rsa.network.alias_host": [ + "iatquo2815.mail.host" + ], + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.web.reputation_num": 38.593, "service.type": "cylance", + "source.ip": [ + "10.181.215.164" + ], "tags": [ "cylance.protect", "forwarded" 
@@ -2619,21 +2652,23 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jan 5 6:22:49 tqu6566.www.domain CylancePROTECT Event Type:tinvolu, Event Name:Device Policy Assigned, Message: The Device:dunwas auto assigned to thexceZone:dol, User:equamn", + "event.original": "Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme", "fileset.name": "protect", "input.type": "log", - "log.offset": 18894, + "log.offset": 20234, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "equamn", + "rsa.db.index": "tot", + "rsa.identity.firstname": "remips", + "rsa.identity.lastname": "laboreet", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502000000, "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "tinvolu", + "rsa.investigations.event_vcat": "inBC", + "rsa.misc.device_name": "atevelit", "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "dun", - "rsa.network.zone": "dol", + "rsa.misc.mail_id": "uptate", "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "cylance", "tags": [ 
@@ -2643,129 +2678,105 @@ }, { "@timestamp": "2020-01-19T03:25:23.000Z", - "event.action": "DeviceEdit", + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "19-Jan-2019 1:25:23 low eiu5375.api.domain tcons <ction 19T13:25:23.emveleum siuta2155.lan CylancePROTECT Event Name:DeviceEdit, Device Name:utpe, Agent Version:ill, IP Address: (10.185.28.175), MAC Address: (01:00:5e:1d:a2:74), Logged On Users: (tasu), OS:sci, Zone Names:isquames", + "event.original": "19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate", "fileset.name": "protect", - "host.mac": "01:00:5e:1d:a2:74", - "host.name": "siuta2155.lan", + "host.name": "issusci7005.mail.host", "input.type": "log", - "log.offset": 19069, + "log.offset": 20482, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - "10.185.28.175" - ], - "related.user": [ - "tasu" - ], - "rsa.db.index": "isquames", + "rsa.db.index": "tiumtot", + "rsa.identity.firstname": "ecillumd", + "rsa.identity.lastname": "iumto", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.OS": "sci", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "utpe", + "rsa.misc.change_new": "saute", + "rsa.misc.change_old": "lors", + "rsa.misc.device_name": "ore", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "sequatu", "rsa.network.alias_host": [ - "siuta2155.lan" + "issusci7005.mail.host" ], - "rsa.network.eth_host": "01:00:5e:1d:a2:74", "rsa.time.event_time": "2020-01-19T03:25:23.000Z", "service.type": "cylance", - "source.ip": [ - 
"10.185.28.175" - ], - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "tasu" - }, - { - "@timestamp": "2020-02-02T10:27:57.000Z", - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Feb 2 8:27:57 iatnula4065.www5.corp CylancePROTECT Event Type:corporis, Event Name:threat_found, Device Message: Device: mmodic; Zones Removed: essequam; Zones Added: undeo,ficiadeUser: uiinea uianonn (eavolupt), Zone Names:dantium Device Id: ors", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 19361, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "dantium", - "rsa.identity.firstname": "uiinea", - "rsa.identity.lastname": "uianonn", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "corporis", - "rsa.misc.device_name": "mmodic", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "eavolupt", - "rsa.time.event_time": "2020-02-02T10:27:57.000Z", - "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-02-17T05:30:32.000Z", - "event.action": "pechange", + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "trude 2019-2-17T3:30:32.snulap onsequat5480.mail.localdomain CylancePROTECT pariatur cita [tvo] Event Type: ema, Event Name: pechange, Threat Class: atemacc, Threat Subclass: labore, SHA256: iqua, MD5: ciunt", + "event.original": "inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: 
reseo, SHA256: quam, Zone Names: ulpaquio", + "file.directory": "reseo", "fileset.name": "protect", - "host.name": "onsequat5480.mail.localdomain", + "host.name": "umq7428.invalid", "input.type": "log", - "log.offset": 19608, + "log.offset": 20794, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "atemacc", + "related.ip": [ + "10.164.59.219" + ], + "rsa.db.index": "ulpaquio", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ema", - "rsa.misc.checksum": "iqua", - "rsa.misc.event_type": "pechange", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "quam", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "iad", "rsa.network.alias_host": [ - "onsequat5480.mail.localdomain" + "umq7428.invalid" ], - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "cylance", + "source.ip": [ + "10.164.59.219" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-03-03T12:33:06.000Z", - "event.action": "Device Policy Assigned", + "@timestamp": "2020-02-17T05:30:32.000Z", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Mar 3 10:33:06 ostrumex5015.internal.lan CylancePROTECT Event Type:imaven, Event Name:Device Policy Assigned, Threat Class:uiineav, Threat Subclass:nder, SHA256:lore, MD5:nim", + "event.original": "Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem", "fileset.name": "protect", "input.type": "log", - "log.offset": 19816, + "log.offset": 21074, "observer.product": "Protect", 
"observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "uiineav", + "rsa.db.index": "eacomm", + "rsa.identity.firstname": "onorumet", + "rsa.identity.lastname": "iscivel", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "imaven", - "rsa.misc.checksum": "lore", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "archite", + "rsa.misc.device_name": "rem", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "rinci", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2773,41 +2784,41 @@ ] }, { - "@timestamp": "2019-03-17T19:35:40.000Z", - "event.action": "allow", + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "psamvolu 2019/03/17T17:35:40.teturad ritq7853.api.home CylancePROTECT urautodi equamni [fugia] Event Type: AppControl, Event Name: threat_changed, Device Name: nost, IP Address: (10.36.193.127), Action: allow, Action Type: suntincu, File Path: imidest, SHA256: citation, Zone Names: emquel", - "file.directory": "imidest", + "event.original": "odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv", + "file.directory": "ionem", "fileset.name": "protect", - "host.name": "ritq7853.api.home", + "host.name": "epteurs5503.www5.home", "input.type": "log", - "log.offset": 19991, + "log.offset": 21262, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.36.193.127" + "10.1.193.187" ], - "rsa.db.index": "emquel", + "rsa.db.index": "dminimv", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AppControl", "rsa.misc.action": [ - "allow" + "block" ], - "rsa.misc.checksum": "citation", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "nost", + "rsa.misc.checksum": "taevitae", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "iscive", "rsa.network.alias_host": [ - "ritq7853.api.home" + "epteurs5503.www5.home" ], - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "cylance", "source.ip": [ - "10.36.193.127" 
+ "10.1.193.187" ], "tags": [ "cylance.protect", @@ -2815,30 +2826,30 @@ ] }, { - "@timestamp": "2020-04-01T14:38:14.000Z", - "event.action": "threat_changed", + "@timestamp": "2020-03-17T07:35:40.000Z", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 1 12:38:14 loremeum2477.www5.localhost CylancePROTECT Event Type:rrorsit, Event Name:threat_changed, Device Message: Device: riameaqu; Policy Changed: etd to 'omnisi', User: dolor rsp (quir), Zone Names:giatqu", + "event.original": "Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum", "fileset.name": "protect", "input.type": "log", - "log.offset": 20281, + "log.offset": 21536, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "giatqu", - "rsa.identity.firstname": "dolor", - "rsa.identity.lastname": "rsp", + "rsa.db.index": "atvol", + "rsa.identity.firstname": "tass", + "rsa.identity.lastname": "ugi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "rrorsit", - "rsa.misc.device_name": "riameaqu", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.mail_id": "quir", - "rsa.misc.policy_name": "omnisi", - "rsa.time.event_time": "2020-04-01T14:38:14.000Z", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "ipiscin", + "rsa.misc.device_name": "orinr", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "riat", + "rsa.misc.policy_name": "umdo", + "rsa.time.event_time": "2020-03-17T07:35:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2846,29 +2857,31 @@ ] }, { - "@timestamp": "2020-04-15T09:40:49.000Z", - "event.action": "SyslogSettingsSave", + "@timestamp": "2020-04-01T14:38:14.000Z", + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-Apr-2019 7:40:49 medium roiden5489.www5.corp nihilm <orisnisi 15T07:40:49.emquiav ptat5066.www.lan CylancePROTECT Event Name:SyslogSettingsSave, Device Name:ionula, Zone Names:itaed", + "event.original": "1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod ", "fileset.name": "protect", - "host.name": "ptat5066.www.lan", + "host.name": "omnisis5339.www5.local", "input.type": "log", - "log.offset": 20495, + "log.offset": 21759, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "itaed", + "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "ionula", + "rsa.misc.device_name": "Cicero", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "stiaec", + "rsa.misc.serial_number": "mqui", "rsa.network.alias_host": [ - "ptat5066.www.lan" + "omnisis5339.www5.local" ], - "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "rsa.time.event_time": "2020-04-01T14:38:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
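Review bot: `"rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod"` on the new side shows the `Zone Names:` capture running to the end of the line, so `Device Id` and `Policy Name` never reach their own fields; the removed line in the `@@ -2585,29 +2603,44 @@` hunk had the same shape, and in the `@@ -2907,151 +2922,148 @@` hunk `rsa.db.index` receives the entire `The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97` message. Because the expected file is derived from the pipeline output, accepting it freezes the mis-parse as the test contract. The `Zone Names` pattern should terminate at `, Device Id:` / `, Policy Name:` (and the `Zone:` pattern at `IP Address:`), after which this fixture can be regenerated. Until then any rule keyed on `rsa.db.index` or `rsa.misc.policy_name` for these event shapes will not match.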
@@ -2876,30 +2889,32 @@ ] }, { - "@timestamp": "2020-04-29T04:43:23.000Z", - "event.action": "threat_found", + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "29-Apr-2019 2:43:23 medium tincul407.corp amq <lab 29T14:43:23.nsequ ing3291.internal.localhost CylancePROTECT Event Name:threat_found, Message: Device:amnisiuwas auto assigned to theptatZone:epr, User:itanimid", + "event.original": "15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc)", "fileset.name": "protect", - "host.name": "ing3291.internal.localhost", + "host.name": "ction491.www5.local", "input.type": "log", - "log.offset": 20688, + "log.offset": 22140, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "itanimid", + "rsa.identity.firstname": "imveniam", + "rsa.identity.lastname": "sunte", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "amnisiu", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "exerc", + "rsa.misc.node": "ill", "rsa.network.alias_host": [ - "ing3291.internal.localhost" + "ction491.www5.local" ], - "rsa.network.zone": "epr", - "rsa.time.event_time": "2020-04-29T04:43:23.000Z", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2907,151 +2922,148 @@ ] }, { - "@timestamp": "2019-05-13T23:45:57.000Z", - "event.action": "block", + "@timestamp": "2019-04-29T04:43:23.000Z", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "untur 2019/05/13T21:45:57.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: AppControl, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Action Type: ula, File Path: itsed, SHA256: rad, Zone Names: olupta", - "file.directory": "itsed", + "event.original": "isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae", "fileset.name": "protect", - "host.name": "uraut3756.www5.test", + "host.mac": "01:00:5e:9a:f3:b9", + "host.name": "undeom7847.api.corp", "input.type": "log", - "log.offset": 20907, + "log.offset": 22391, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.ip": [ - "10.127.30.119" + "10.146.228.234" ], - "rsa.db.index": "olupta", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "block" + "related.user": [ + "susc" ], - "rsa.misc.checksum": "rad", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "ollita", + "rsa.db.index": "eatae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "uelaudan", + "rsa.misc.OS": "taed", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "teiru", 
"rsa.network.alias_host": [ - "uraut3756.www5.test" + "undeom7847.api.corp" ], - "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "rsa.network.eth_host": "01:00:5e:9a:f3:b9", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", "service.type": "cylance", "source.ip": [ - "10.127.30.119" + "10.146.228.234" ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "susc" }, { - "@timestamp": "2019-05-28T06:48:31.000Z", - "event.action": "Device Updated", + "@timestamp": "2019-05-13T11:45:57.000Z", + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-5-28T4:48:31.sequi uiacon6640.api.localhost CylancePROTECT suntexpl urve [sBonoru] Event Type: ScriptControl, Event Name: Device Updated, Device Name: magnido, File Path: lupta, Interpreter: utla, Interpreter Version: 1.4566 (ncididu), Zone Names: itati, User Name: nostrude", - "file.directory": "lupta", + "event.original": "2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam)", "fileset.name": "protect", - "host.name": "uiacon6640.api.localhost", + "host.name": "dolo6230.mail.invalid", "input.type": "log", - "log.offset": 21183, - "network.application": "utla", + "log.offset": 22698, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.4566", - "related.user": [ - "nostrude" + "related.ip": [ + "10.59.232.97" ], - "rsa.db.index": "itati", + "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": 
"Device Updated", - "rsa.misc.node": "magnido", - "rsa.misc.version": "1.4566", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dolor", "rsa.network.alias_host": [ - "uiacon6640.api.localhost" + "dolo6230.mail.invalid" ], - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", "service.type": "cylance", + "source.ip": [ + "10.59.232.97" + ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "nostrude" + ] }, { - "@timestamp": "2019-06-11T13:51:06.000Z", + "@timestamp": "2019-05-28T06:48:31.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ecillum 2019-6-11T11:51:06.maccu ame226.internal.domain CylancePROTECT urExc autfugit [deomnis] Event Type: Threat, Event Name: SyslogSettingsSave, Device Name: tconsect, IP Address: (10.111.204.45), File Name: agna, Path: dmini, Drive Type: tquid, SHA256: giatquo, MD5: iatisun, Status: cto, Cylance Score: 144.899000, Found Date: dolor, File Type: imadmini, Is Running: iatisund, Auto Run: rnatu, Detected By: atnonpro, Zone Names: isu, Is Malware: ute, Is Unique To Cylance: tdolore, Threat Classification: madminim", - "file.directory": "dmini", - "file.name": "agna", - "file.type": "imadmini", + "event.original": "2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu)", "fileset.name": "protect", - "host.name": "ame226.internal.domain", + "host.name": "nvolup6280.api.home", "input.type": "log", - "log.offset": 21463, + "log.offset": 22932, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.ip": [ - 
"10.111.204.45" - ], - "rsa.crypto.sig_type": "madminim", - "rsa.db.index": "isu", + "rsa.identity.firstname": "dantium", + "rsa.identity.lastname": "ors", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "giatquo", - "rsa.misc.event_state": "cto", + "rsa.investigations.event_vcat": "xeaco", "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "tconsect", + "rsa.misc.mail_id": "dqu", + "rsa.misc.node": "uianonn", + "rsa.misc.policy_name": "eavolupt", "rsa.network.alias_host": [ - "ame226.internal.domain" + "nvolup6280.api.home" ], - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "rsa.web.reputation_num": 144.899, + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "cylance", - "source.ip": [ - "10.111.204.45" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2020-06-25T08:53:40.000Z", - "event.action": "DeviceRemove", + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jun 25 6:53:40 prehen4320.api.home CylancePROTECT Event Type:umdolo, Event Name:DeviceRemove, Threat Class:mquisno, Threat Subclass:eaco, SHA256:empor, MD5:mvele", + "event.original": "11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu)", "fileset.name": "protect", + "host.name": "urautodi3892.www5.example", "input.type": "log", - "log.offset": 21982, + "log.offset": 23132, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "mquisno", + "rsa.db.index": "nibu", + 
"rsa.identity.firstname": "mdolo", + "rsa.identity.lastname": "nof", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "umdolo", - "rsa.misc.checksum": "empor", - "rsa.misc.event_type": "DeviceRemove", - "rsa.time.event_time": "2020-06-25T08:53:40.000Z", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "usantiu", + "rsa.misc.policy_name": "quatur", + "rsa.network.alias_host": [ + "urautodi3892.www5.example" + ], + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3059,103 +3071,122 @@ ] }, { - "@timestamp": "2020-07-10T03:56:14.000Z", - "event.action": "threat_found", + "@timestamp": "2020-06-25T08:53:40.000Z", + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jul 10 1:56:14 remeum5787.api.example CylancePROTECT Event Type:ostrumex, Event Name:threat_found, Device Message: Device: sedquia; Zones Removed: litesse,ntmoUser: aliqu iqu (onse), Zone Names:paqu", + "event.original": "Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita", "fileset.name": "protect", "input.type": "log", - "log.offset": 22144, + "log.offset": 23412, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "paqu", - "rsa.identity.firstname": "aliqu", - "rsa.identity.lastname": "iqu", + "process.name": "lab.exe", + "process.pid": 452, + "related.ip": [ + "10.36.18.24" + ], + "related.user": [ + "nsequ" + ], + "rsa.db.index": "ollita", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ostrumex", - "rsa.misc.device_name": "sedquia", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "onse", - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "itempo", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.device_name": "isciveli", + "rsa.misc.event_type": "Alert", + "rsa.misc.policy_name": "ing", + "rsa.time.event_time": "2020-06-25T08:53:40.000Z", "service.type": "cylance", + "source.ip": [ + "10.36.18.24" + ], "tags": [ 
"cylance.protect", "forwarded" - ] + ], + "user.name": "nsequ" }, { - "@timestamp": "2019-07-24T10:58:48.000Z", - "event.action": "allow", + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-7-24T8:58:48.ptatem mporain5332.mail.host CylancePROTECT commod iumd [ntore] Event Type: ExploitAttempt, Event Name: Registration, Device Name: onproid, IP Address: (10.59.33.174), Action: allow, Process ID: 3114, Process Name: oru.exe, User Name: mcorp, Violation Type: uelaud, Zone Names: aperiam", + "event.original": "10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon", "fileset.name": "protect", - "host.name": "mporain5332.mail.host", + "host.name": "uraut3756.www5.test", "input.type": "log", - "log.offset": 22343, + "log.offset": 23666, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "oru.exe", - "process.pid": 3114, + "process.name": "oluptat.exe", + "process.pid": 4608, "related.ip": [ - "10.59.33.174" + "10.127.30.119" ], "related.user": [ - "mcorp" + "stenatus" ], - "rsa.db.index": "aperiam", + "rsa.db.index": "iaecon", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", "rsa.investigations.event_vcat": " ExploitAttempt", "rsa.misc.action": [ - "allow" + "block" ], - "rsa.misc.event_type": "Registration", - "rsa.misc.node": "onproid", - 
"rsa.misc.policy_name": "uelaud", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ollita", + "rsa.misc.policy_name": "eabillo", "rsa.network.alias_host": [ - "mporain5332.mail.host" + "uraut3756.www5.test" ], - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "cylance", "source.ip": [ - "10.59.33.174" + "10.127.30.119" ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "mcorp" + "user.name": "stenatus" }, { - "@timestamp": "2019-08-07T06:01:23.000Z", - "event.action": "DeviceRemove", + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 7 4:01:23 quiano3025.api.localhost CylancePROTECT Event Type:oluptat, Event Name:DeviceRemove, Threat Class:equepor, Threat Subclass:iosamn, SHA256:erspicia, MD5:neavolup", + "event.original": "24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam", "fileset.name": "protect", + "host.name": "squ2213.www.test", "input.type": "log", - "log.offset": 22647, + "log.offset": 24048, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.crypto.sig_type": "equepor", + "rsa.db.index": "rExce", + "rsa.identity.firstname": "rinc", + "rsa.identity.lastname": "tno", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "oluptat", - "rsa.misc.checksum": "erspicia", - "rsa.misc.event_type": "DeviceRemove", - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.investigations.event_cat": 1609000000, + 
"rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "ncididu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "meumf", + "rsa.network.alias_host": [ + "squ2213.www.test" + ], + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3163,31 +3194,29 @@ ] }, { - "@timestamp": "2019-08-21T13:03:57.000Z", + "@timestamp": "2019-08-07T06:01:23.000Z", "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ecatcup 2019-8-21T11:03:57.orinrep uamnihil1525.www.lan CylancePROTECT amestqu qui [nemullam] Event Type: DeviceControl, Event Name: threat_changed, Device Name: lorumw, External Device Type: dit, External Device Vendor ID: qui, External Device Name: iaecon, External Device Product ID: dminima, External Device Serial Number: ons, Zone Names: amestqu", + "event.original": "Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi", "fileset.name": "protect", - "host.name": "uamnihil1525.www.lan", "input.type": "log", - "log.offset": 22822, + "log.offset": 24334, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "amestqu", + "rsa.db.index": "uamnihil", + "rsa.identity.firstname": "iadolo", + "rsa.identity.lastname": "ecatcup", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", + "rsa.investigations.event_vcat": "snos", + "rsa.misc.device_name": "utod", "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "lorumw", - "rsa.misc.serial_number": "ons", - "rsa.network.alias_host": [ - "uamnihil1525.www.lan" - ], - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.misc.mail_id": "orinrep", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3195,115 +3224,100 @@ ] }, { - "@timestamp": "2019-09-05T08:06:31.000Z", - "event.action": "fullaccess", + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-9-5T6:06:31.str eius6126.invalid CylancePROTECT iarchit volupt [ipis] Event Type: usBonor, Event Name: fullaccess, Device Names: (umquam), Policy Name: ten, User: Utenim itationu (eprehen)", + "event.original": "21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil", "fileset.name": "protect", - "host.name": "eius6126.invalid", + "host.name": "umet5891.api.localdomain", "input.type": "log", - "log.offset": 23174, + "log.offset": 24569, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "Utenim", - "rsa.identity.lastname": "itationu", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "usBonor", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.mail_id": "eprehen", - "rsa.misc.node": "umquam", - "rsa.misc.policy_name": "ten", - "rsa.network.alias_host": [ - "eius6126.invalid" + "process.name": "ngelitse.exe", + "process.pid": 4190, + "related.ip": [ + "10.8.150.213" ], - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "@timestamp": "2019-09-19T03:09:05.000Z", - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": 
"cylance.protect", - "event.module": "cylance", - "event.original": "tatevel 2019-9-19T1:09:05.itin tam942.api.host CylancePROTECT iut leumiur [deser] Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Zone: evolupt; Policy: pre; Value: tiumtot, User: ulamcola epr (ptass)", - "fileset.name": "protect", - "host.name": "tam942.api.host", - "input.type": "log", - "log.offset": 23368, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "evolupt", - "rsa.identity.firstname": "ulamcola", - "rsa.identity.lastname": "epr", + "related.user": [ + "ugiatnul" + ], + "rsa.db.index": "hil", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "ptass", - "rsa.misc.policy_name": "pre", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dipisciv", + "rsa.misc.policy_name": "mips", "rsa.network.alias_host": [ - "tam942.api.host" + "umet5891.api.localdomain" ], - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "cylance", + "source.ip": [ + "10.8.150.213" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "ugiatnul" }, { - "@timestamp": "2019-10-03T10:11:40.000Z", - "event.action": "pechange", + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "veli 2019-10-3T8:11:40.uptas aali1541.www5.local CylancePROTECT enimadmi qui [ita] Event Type: AuditLog, Event Name: pechange, Message: The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices, User: (olo)", + 
"event.original": "5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015", "fileset.name": "protect", - "host.name": "aali1541.www5.local", + "host.name": "umquam5574.internal.test", "input.type": "log", - "log.offset": 23584, + "log.offset": 24954, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "The Device: sedq was auto assigned to the Zone: IP Address: Fake Devices", + "related.ip": [ + "10.108.59.10" + ], + "rsa.identity.firstname": "magnama", + "rsa.identity.lastname": "reprehe", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "pechange", - "rsa.misc.node": "sedq", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "citatio", "rsa.network.alias_host": [ - "aali1541.www5.local" + "umquam5574.internal.test" ], - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "cylance", + "source.ip": [ + "10.108.59.10" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "@timestamp": "2019-10-18T05:14:14.000Z", + "@timestamp": "2019-09-19T03:09:05.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "18-October-2019 03:14:14 medium ocons2813.mail.lan natu <acomm 2019-10-18T3:14:14.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)", + "event.original": "19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi 
volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)", "fileset.name": "protect", "host.name": "volupt6822.api.invalid", "input.type": "log", - "log.offset": 23808, + "log.offset": 25191, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3321,7 +3335,7 @@ "rsa.network.alias_host": [ "volupt6822.api.invalid" ], - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3329,15 +3343,15 @@ ] }, { - "@timestamp": "2019-11-01T12:16:48.000Z", + "@timestamp": "2019-10-03T10:11:40.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Nov 1 10:16:48 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", + "event.original": "Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", "fileset.name": "protect", "input.type": "log", - "log.offset": 24087, + "log.offset": 25471, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", 
@@ -3350,7 +3364,7 @@ "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.node": "stl", "rsa.misc.serial_number": "eumfugi", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3358,15 +3372,15 @@ ] }, { - "@timestamp": "2019-11-15T07:19:22.000Z", + "@timestamp": "2019-10-18T05:14:14.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Nov 15 5:19:22 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", + "event.original": "Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", "fileset.name": "protect", "input.type": "log", - "log.offset": 24390, + "log.offset": 25773, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -3379,7 +3393,7 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "tutlabo", "rsa.misc.serial_number": "ateveli", - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3387,17 +3401,17 @@ ] }, { - "@timestamp": "2019-11-30T14:21:57.000Z", + "@timestamp": "2019-11-01T12:16:48.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "rinci 2019-11-30T12:21:57.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", + "event.original": "rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", "file.directory": "sunt", "fileset.name": "protect", "host.name": "amvol4075.mail.localhost", "input.type": "log", - "log.offset": 24727, + "log.offset": 26110, "network.application": "orumSe", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -3416,7 +3430,7 @@ "rsa.network.alias_host": [ "amvol4075.mail.localhost" ], - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3425,31 +3439,102 @@ "user.name": "pta" }, { - "@timestamp": "2019-12-14T09:24:31.000Z", + "@timestamp": "2019-11-15T07:19:22.000Z", "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "14-Dec-2019 7:24:31 low ntutlabo6923.localhost eacommo <tionevol 14T07:24:31.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni,officiadUser: veniam labo (ssecill), Zone Names:umquam Device Id: onev", + "event.original": "15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam", "fileset.name": "protect", "host.name": "asi4651.api.test", "input.type": "log", - "log.offset": 24998, + "log.offset": 26380, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "umquam", - "rsa.identity.firstname": "veniam", - "rsa.identity.lastname": "labo", + "rsa.db.index": "ssecill", + "rsa.identity.firstname": "officiad", + "rsa.identity.lastname": "veniam", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.device_name": "emp", "rsa.misc.event_type": "Registration", - "rsa.misc.mail_id": "ssecill", + "rsa.misc.mail_id": "labo", "rsa.network.alias_host": [ "asi4651.api.test" ], + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT 
ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis)", + "fileset.name": "protect", + "host.name": "perna6751.internal.home", + "input.type": "log", + "log.offset": 26645, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.138.85.233" + ], + "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "datatno", + "rsa.network.alias_host": [ + "perna6751.internal.home" + ], + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.138.85.233" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int)", + "fileset.name": "protect", + "host.name": "evolupta7790.internal.local", + "input.type": "log", + "log.offset": 26895, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rehe", + "rsa.identity.firstname": "tam", + "rsa.identity.lastname": "deser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": 
"Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "int", + "rsa.misc.policy_name": "aper", + "rsa.network.alias_host": [ + "evolupta7790.internal.local" + ], "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "cylance", "tags": [ diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md index 560d065e482..f9333a47cf5 100644 --- a/x-pack/filebeat/module/f5/README.md +++ b/x-pack/filebeat/module/f5/README.md @@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-08 22:20:56.925079 +0000 UTC. +at 2020-07-13 17:11:58.45876 +0000 UTC. diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index b06452aca74..a638870f05e 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -364,8 +364,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.204.123.107", - "10.225.160.182" + "10.225.160.182", + "10.204.123.107" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", @@ -1556,8 +1556,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log index 208e701930e..dcd42eb4778 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log 
@@ -7,94 +7,94 @@ April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat -June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connecteduiafrom 10.171.204.166 mipsu" -sshd[untutl]: Accepted publickey for rad from 10.37.126.205 port 3179 scivel -httpd[radipis]: [isetq] scr_monitor: estqui -July 18 18:40:50 enimad2283.internal.domain firepass[boreet]: [onev] [tenima] Accessing https://www5.example.com/aquaeabi/giatq.html?veleumi=tia#enim -August 2 01:43:25 antium1279.mail.test heartbeat[iusmodt]: info: doloreeu -httpd[uidexea]: [anim] [autfugi] scr_monitor: inBCSedu -kernel[nimadmin]: kernel: cdrom: open failed. -ntpd[temq]: [ugiatqu] kernel time sync status eacomm -mailer[uptatev]: [uovol] Failed to send \'dmi\' to \'olab\' -October 12 12:56:16 temsequ3857.www.localdomain sshd[idexea]: Accepted publickey for riat from 10.37.79.163 port 457 osquir -ntpd[deomni]: [tquovol] frequency initialized ntsuntin PPM from aecatcup -ntpdate[oluptate]: adjust time server 10.52.54.178 offset turQuisa -sshd[lit]: [iam] Accepted publickey for qua from 10.159.182.171 port 3947 apariat -sshd[pteursi]: [onse] [rumet] Accepted publickey for oll from 10.206.197.113 port 4075 temUten -December 23 00:09:07 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. 
Deleted snulapar logon records +June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connected from 10.38.189.242 ommodic" +/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) +/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) +/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) +August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev +maintenance[giatq]: [quid] [fug] uatDuis +firepass[veri]: [rsita] [siutaliq] exercit +September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu +September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \'uam\' to \'temq\' +October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: "eataevit - Connected from 10.50.112.141 mqua" +sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci +November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \'idexea\' to \'riat\' +heartbeat[umdolor]: [osquir] info: inim +December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services +December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: "Connected from 10.243.206.225 mol" +January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan +January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records snmp[gni]: [tquiinea] [mquaera] SNMP handler started -January 20 14:14:16 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb -February 3 21:16:50 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. 
start it +February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb +March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus -March 4 11:21:59 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm +April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup -April 2 01:27:07 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\' +April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\' run-crons[luptatev]: admi returned modocons -April 30 15:32:16 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam -May 14 22:34:50 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 -May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem +May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam +June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 +June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem firepass[rehe]: [ume] Logged out -June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) -July 11 02:45:07 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc +July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) +August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc kernel[olupt]: [modoco] kernel: cdrom: open failed. 
-August 8 16:50:15 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia -August 22 23:52:50 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames +September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia +September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames Miscellaneous[iciatisu]: [rehender] Purge logs: auto started -September 20 13:57:58 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 +October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 heartbeat[dolo]: [Loremip] [idolor] info: emeumfu -October 19 04:03:07 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio -EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connectedtatfrom 10.145.225.93 itinvo" -November 16 18:08:15 rQuisau6637.internal.domain run-crons[den]: [tutla] [olorema] iades returned siarchi -httpd[mqu]: [apariat] scr_monitor: tlabore -December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) +November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio +EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui" +httpd[rpo]: [uipe] [inesci] scr_monitor: serror +ntpd[apariat]: kernel time sync status tlabore +January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) snmp[ationemu]: [ice] estiae -January 12 22:18:32 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect +February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect maintenance[etconse]: [tincu] ari -February 10 12:23:41 sci5488.test heartbeat[occae]: [ctetura] [labore] info: 
texp +March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded -EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connectedequatfrom 10.77.137.72 ione" -EndpointSecurity[amre]: [rsita] id[niamqui]: "uptat - Connecteduamfrom 10.140.136.44 fficiade" -April 8 16:33:58 vitaedi1318.corp sshd[temqu]: Accepted publickey for edol from 10.26.196.144 port 4677 quatD -April 22 23:36:32 eabilloi6458.api.lan run-crons[tlab]: [volupt] osqui returned xerc -snmp[ents]: [liquide] SNMP handler started -security[uun]: [sequine] [ectio] User dutper from 10.237.205.140 presented with challenge +EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae" +/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) +May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\' +May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\' +June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor +June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex +/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) run-crons: returned gel -June 19 03:46:49 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate -July 3 10:49:23 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started +August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate +August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\' mailer[udantium]: Failed to send \'pre\' to \'xeacom\' httpd[dictasu]: [lorinre] scr_monitor: olorsita ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide -September 12 22:02:15 maven3758.www.invalid run-crons[labor]: [didunt] uptatema 
returned intocc +October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc ntpd[aturQui]: frequency initialized utlabor PPM from rau firepass[nisi]: [dant] shutting down for system reboot AppTunnel[tinvolu]: < Error - Invalid session id -November 9 02:12:32 quidolor5025.home run-crons: returned rem +December 21 23:20:14 quidolor5025.home run-crons: returned rem run-crons[idolor]: [uisau] [eleum] sintoc returned volupt heartbeat[uiinea]: info: Utenima -December 21 23:20:14 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese -January 5 06:22:49 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc +February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese +February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc kernel: ionofdeF -February 2 20:27:57 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte +March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id /USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) -March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 +April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 heartbeat[exe]: [imadmini] [sauteiru] info: mod /USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) httpd[eriti]: [litessec] scr_monitor: itas -May 13 21:45:57 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor -May 28 04:48:31 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host +June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor +July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service 
started on eufugi2923.internal.host mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' -June 25 18:53:40 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist -July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) +August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist +August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm -August 7 16:01:23 velitse543.api.example heartbeat[torever]: info: oremi -August 21 23:03:57 temUt631.www5.example heartbeat[npr]: info: mquelau -September 5 06:06:31 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo -September 19 13:09:05 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account +September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi +October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau +October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo +November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account heartbeat[iduntu]: [idestlab] info: rnatur run-crons[essequam]: acommo returned nturma -November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut -kernel[rpori]: [ice] kernel: cdrom: open failed. -November 30 00:21:57 commodo6867.internal.example snmp: -snmp[odoconse]: [quamqua] SNMP handler started +December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut 
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json index ad3338fbbe4..6c58cc63ba7 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json @@ -217,7 +217,7 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connecteduiafrom 10.171.204.166 mipsu\"", + "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"", "fileset.name": "firepass", "input.type": "log", "log.offset": 869, @@ -225,14 +225,14 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.171.204.166" + "10.38.189.242" ], - "rsa.db.index": "mipsu", + "rsa.db.index": "ommodic", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "source.ip": [ - "10.171.204.166" + "10.38.189.242" ], "tags": [ "f5.firepass", 
@@ -240,132 +240,148 @@ ] }, { - "event.code": "sshd", + "event.action": "accept", + "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "sshd[untutl]: Accepted publickey for rad from 10.37.126.205 port 3179 scivel", + "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 997, + "log.offset": 996, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.37.126.205" - ], "related.user": [ - "rad" + "atcup" ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.37.126.205" + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "accept" ], - "source.port": 3179, + "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": "rad" + "user.name": "atcup" }, { - "event.code": "httpd", + "event.action": "accept", + "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "httpd[radipis]: [isetq] scr_monitor: estqui", + "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1074, + "log.offset": 1060, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.user": [ - "isetq" + "uptassi" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "accept" ], - "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": "isetq" + "user.name": "uptassi" }, { - "event.code": "firepass", + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 18 18:40:50 enimad2283.internal.domain firepass[boreet]: [onev] [tenima] Accessing https://www5.example.com/aquaeabi/giatq.html?veleumi=tia#enim", + "event.original": 
"/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1118, + "log.offset": 1104, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.user": [ - "onev" + "isetq" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" ], - "rsa.internal.messageid": "firepass", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "url.original": "https://www5.example.com/aquaeabi/giatq.html?veleumi=tia#enim", - "user.name": "onev" + "user.name": "isetq" }, { - "event.code": "heartbeat", + "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 2 01:43:25 antium1279.mail.test heartbeat[iusmodt]: info: doloreeu", + "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1268, + "log.offset": 1155, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.db.index": "doloreeu", - "rsa.internal.messageid": "heartbeat", + "related.ip": [ + "10.175.6.112" + ], + "related.user": [ + "sum" + ], + "rsa.internal.messageid": "sshd", "service.type": "f5", + "source.ip": [ + "10.175.6.112" + ], + "source.port": 5509, "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "sum" }, { - "event.code": "httpd", + "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "httpd[uidexea]: [anim] [autfugi] scr_monitor: inBCSedu", + "event.original": "maintenance[giatq]: [quid] [fug] uatDuis", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1342, + "log.offset": 1267, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.user": [ - "anim" + "quid" ], - "rsa.internal.messageid": "httpd", + "rsa.db.index": "uatDuis", + "rsa.internal.messageid": 
"maintenance", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": "anim" + "user.name": "quid" }, { - "event.code": "kernel", + "event.code": "firepass", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "kernel[nimadmin]: kernel: cdrom: open failed.", + "event.original": "firepass[veri]: [rsita] [siutaliq] exercit", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1397, + "log.offset": 1308, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "kernel", + "rsa.internal.event_desc": "exercit", + "rsa.internal.messageid": "firepass", "service.type": "f5", "tags": [ "f5.firepass", @@ -373,19 +389,32 @@ ] }, { - "event.code": "ntpd", + "destination.ip": [ + "10.230.12.79" + ], + "destination.port": 340, + "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "ntpd[temq]: [ugiatqu] kernel time sync status eacomm", + "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1443, + "log.offset": 1351, + "network.protocol": "ggp", "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "rsa.misc.result_code": "eacomm", + "related.ip": [ + "10.230.12.79", + "10.18.220.102" + ], + "rsa.db.index": "obeataev", + "rsa.internal.messageid": "kernel", "service.type": "f5", + "source.ip": [ + "10.18.220.102" + ], + "source.port": 5000, "tags": [ "f5.firepass", "forwarded" 
@@ -395,16 +424,16 @@ "event.code": "mailer", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "mailer[uptatev]: [uovol] Failed to send \\'dmi\\' to \\'olab\\'", + "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'", "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1496, + "log.offset": 1524, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.email.email_dst": "olab", - "rsa.email.subject": "dmi", + "rsa.email.email_dst": "temq", + "rsa.email.subject": "uam", "rsa.internal.messageid": "mailer", "rsa.investigations.ec_activity": "Send", "rsa.investigations.ec_outcome": "Failure", 
@@ -416,47 +445,80 @@ "forwarded" ] }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1630, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.50.112.141" + ], + "rsa.db.index": "mqua", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.50.112.141" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, { "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "October 12 12:56:16 temsequ3857.www.localdomain sshd[idexea]: Accepted publickey for riat from 10.37.79.163 port 457 osquir", + "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1556, + "log.offset": 1754, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.37.79.163" + "10.61.78.108" ], "related.user": [ - "riat" + "err" ], "rsa.internal.messageid": "sshd", "service.type": "f5", "source.ip": [ - "10.37.79.163" + "10.61.78.108" ], - "source.port": 457, + "source.port": 2398, "tags": [ "f5.firepass", "forwarded" ], - "user.name": "riat" + "user.name": "err" }, { - "event.code": "ntpd", + "event.code": "mailer", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "ntpd[deomni]: [tquovol] frequency initialized ntsuntin PPM from aecatcup", + "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'", + "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1680, + 
"log.offset": 1842, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", + "rsa.email.email_dst": "riat", + "rsa.email.subject": "idexea", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "tags": [ "f5.firepass", @@ -464,24 +526,18 @@ ] }, { - "destination.ip": [ - "10.52.54.178" - ], - "event.code": "ntpdate", + "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "ntpdate[oluptate]: adjust time server 10.52.54.178 offset turQuisa", + "event.original": "heartbeat[umdolor]: [osquir] info: inim", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1753, + "log.offset": 1935, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.52.54.178" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "turQuisa", + "rsa.db.index": "inim", + "rsa.internal.messageid": "heartbeat", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -489,71 +545,77 @@ ] }, { - "event.code": "sshd", + "event.code": "GarbageCollection", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "sshd[lit]: [iam] Accepted publickey for qua from 10.159.182.171 port 3947 apariat", + "event.original": "December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1820, + "log.offset": 1975, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.159.182.171" - ], - "related.user": [ - "qua" - ], - "rsa.internal.messageid": "sshd", + "rsa.internal.event_desc": "timeout happened. restarting services", + "rsa.internal.messageid": "GarbageCollection", "service.type": "f5", - "source.ip": [ - "10.159.182.171" - ], - "source.port": 3947, "tags": [ "f5.firepass", "forwarded" - ], - "user.name": "qua" + ] }, { - "event.code": "sshd", + "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "sshd[pteursi]: [onse] [rumet] Accepted publickey for oll from 10.206.197.113 port 4075 temUten", + "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1902, + "log.offset": 2080, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.206.197.113" + "10.243.206.225" ], - "related.user": [ - "oll" - ], - "rsa.internal.messageid": "sshd", + "rsa.db.index": "mol", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "source.ip": [ - "10.206.197.113" + "10.243.206.225" ], - "source.port": 4075, "tags": [ "f5.firepass", "forwarded" - ], - "user.name": "oll" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + 
"event.module": "f5", + "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2210, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "ccusan", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] }, { "event.code": "Miscellaneous", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 23 00:09:07 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records", + "event.original": "January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records", "fileset.name": "firepass", "input.type": "log", - "log.offset": 1997, + "log.offset": 2293, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -576,7 +638,7 @@ "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2131, + "log.offset": 2426, "network.protocol": "SNMP", "observer.product": "FirePass", "observer.type": "VPN", @@ -596,10 +658,10 @@ "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "January 20 14:14:16 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", + "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2184, + "log.offset": 2479, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -625,10 +687,10 @@ "event.code": "GarbageCollection", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 3 21:16:50 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it", + "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2309, + "log.offset": 2605, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -646,7 +708,7 @@ "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2439, + "log.offset": 2732, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -672,10 +734,10 @@ "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "March 4 11:21:59 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", + "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2533, + "log.offset": 2826, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -697,7 +759,7 @@ "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2628, + "log.offset": 2921, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -716,11 +778,11 @@ "event.code": "mailer", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 2 01:27:07 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", + "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2691, + "log.offset": 2984, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -744,7 +806,7 @@ "event.original": "run-crons[luptatev]: admi returned modocons", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2774, + "log.offset": 3068, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -764,10 +826,10 @@ "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 30 15:32:16 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", + "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2818, + "log.offset": 3112, "network.protocol": "rdp", "observer.product": "FirePass", "observer.type": "VPN", 
@@ -793,11 +855,11 @@ "event.code": "security", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 14 22:34:50 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", + "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", "event.outcome": "unknown", "fileset.name": "firepass", "input.type": "log", - "log.offset": 2995, + "log.offset": 3287, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -825,10 +887,10 @@ "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 29 05:37:24 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem", + "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3092, + "log.offset": 3385, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -854,7 +916,7 @@ "event.original": "firepass[rehe]: [ume] Logged out", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3183, + "log.offset": 3477, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -876,10 +938,10 @@ "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 26 19:42:33 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)", + "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3216, + "log.offset": 3510, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -901,10 +963,10 @@ "event.code": "snmp", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 11 02:45:07 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", + "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3308, + "log.offset": 3602, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -923,7 +985,7 @@ "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3375, + "log.offset": 3670, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -938,10 +1000,10 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 8 16:50:15 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", + "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3427, + "log.offset": 3722, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -958,10 +1020,10 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 22 23:52:50 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", + "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3510, + "log.offset": 3808, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -981,7 +1043,7 @@ "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3597, + "log.offset": 3898, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1003,10 +1065,10 @@ "event.code": "NetworkAccess", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 20 13:57:58 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", + "event.original": "October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3658, + "log.offset": 3959, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1034,7 +1096,7 @@ "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3804, + "log.offset": 4103, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1050,10 +1112,10 @@ "event.code": "sshd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "October 19 04:03:07 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", + "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3854, + "log.offset": 4153, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1079,22 +1141,22 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connectedtatfrom 10.145.225.93 itinvo\"", + "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 3988, + "log.offset": 4288, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.145.225.93" + "10.26.236.35" ], - "rsa.db.index": "itinvo", + "rsa.db.index": "lumqui", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "source.ip": [ - "10.145.225.93" + "10.26.236.35" ], "tags": [ "f5.firepass", 
@@ -1102,55 +1164,55 @@ ] }, { - "event.code": "run-crons", + "event.code": "httpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "November 16 18:08:15 rQuisau6637.internal.domain run-crons[den]: [tutla] [olorema] iades returned siarchi", + "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4081, + "log.offset": 4378, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "siarchi", + "related.user": [ + "uipe" + ], + "rsa.internal.messageid": "httpd", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ] + ], + "user.name": "uipe" }, { - "event.code": "httpd", + "event.code": "ntpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "httpd[mqu]: [apariat] scr_monitor: tlabore", + "event.original": "ntpd[apariat]: kernel time sync status tlabore", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4187, + "log.offset": 4426, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.user": [ - "apariat" - ], - "rsa.internal.messageid": "httpd", + "rsa.internal.messageid": "ntpd", + "rsa.misc.result_code": "tlabore", "service.type": "f5", "tags": [ "f5.firepass", "forwarded" - ], - "user.name": "apariat" + ] }, { "event.action": "deny", "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 15 08:13:24 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)", + "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4230, + "log.offset": 4473, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1175,7 +1237,7 @@ "event.original": "snmp[ationemu]: [ice] estiae", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4327, + "log.offset": 4569, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1194,10 +1256,10 @@ "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "January 12 22:18:32 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", + "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4356, + "log.offset": 4598, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1219,7 +1281,7 @@ "event.original": "maintenance[etconse]: [tincu] ari", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4463, + "log.offset": 4706, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1239,10 +1301,10 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 10 12:23:41 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", + "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4497, + "log.offset": 4740, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1261,7 +1323,7 @@ "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4579, + "log.offset": 4819, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1280,22 +1342,22 @@ "event.code": "EndpointSecurity", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connectedequatfrom 10.77.137.72 ione\"", + "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4679, + "log.offset": 4919, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.77.137.72" + "10.164.6.207" ], - "rsa.db.index": "ione", + "rsa.db.index": "olestiae", "rsa.internal.messageid": "EndpointSecurity", "rsa.investigations.ec_theme": "Communication", "service.type": "f5", "source.ip": [ - "10.77.137.72" + "10.164.6.207" ], "tags": [ "f5.firepass", 
@@ -1303,73 +1365,94 @@ ] }, { - "event.code": "EndpointSecurity", + "event.action": "allow", + "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "EndpointSecurity[amre]: [rsita] id[niamqui]: \"uptat - Connecteduamfrom 10.140.136.44 fficiade\"", + "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4776, + "log.offset": 5016, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.140.136.44" + "related.user": [ + "amre" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "allow" ], - "rsa.db.index": "fficiade", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", "service.type": "f5", - "source.ip": [ - "10.140.136.44" + "tags": [ + "f5.firepass", + "forwarded" ], + "user.name": "amre" + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5071, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "uioffi", + "rsa.email.subject": "sectetur", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ] }, { - "event.code": "sshd", + "event.code": "mailer", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 8 16:33:58 vitaedi1318.corp sshd[temqu]: Accepted publickey for edol from 10.26.196.144 port 4677 quatD", + "event.original": "May 21 
13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'", + "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4871, + "log.offset": 5170, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.26.196.144" - ], - "related.user": [ - "edol" - ], - "rsa.internal.messageid": "sshd", + "rsa.email.email_dst": "pariatu", + "rsa.email.subject": "reseos", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", "service.type": "f5", - "source.ip": [ - "10.26.196.144" - ], - "source.port": 4677, "tags": [ "f5.firepass", "forwarded" - ], - "user.name": "edol" + ] }, { - "event.code": "run-crons", + "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "April 22 23:36:32 eabilloi6458.api.lan run-crons[tlab]: [volupt] osqui returned xerc", + "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor", "fileset.name": "firepass", "input.type": "log", - "log.offset": 4981, + "log.offset": 5259, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "xerc", + "rsa.db.index": "olor", + "rsa.internal.messageid": "heartbeat", "service.type": "f5", "tags": [ "f5.firepass", 
@@ -1377,23 +1460,18 @@ ] }, { - "event.action": "started", - "event.code": "snmp", + "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "snmp[ents]: [liquide] SNMP handler started", + "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5066, - "network.protocol": "SNMP", + "log.offset": 5350, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "rsa.internal.event_desc": "SNMP handler started", - "rsa.internal.messageid": "snmp", - "rsa.misc.action": [ - "started" - ], + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "tasuntex", "service.type": "f5", "tags": [ "f5.firepass", @@ -1401,34 +1479,30 @@ ] }, { - "event.code": "security", + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "security[uun]: [sequine] [ectio] User dutper from 10.237.205.140 presented with challenge", + "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5109, + "log.offset": 5430, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", - "related.ip": [ - "10.237.205.140" - ], "related.user": [ - "dutper" + "lamcolab" ], - "rsa.internal.event_desc": "user presented with challenge", - "rsa.internal.messageid": "security", - "rsa.investigations.ec_subject": "User", - "service.type": "f5", - "source.ip": [ - "10.237.205.140" + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" ], + "service.type": "f5", "tags": [ "f5.firepass", "forwarded" ], - "user.name": "dutper" + "user.name": "lamcolab" }, { "event.code": "run-crons", 
@@ -1437,7 +1511,7 @@ "event.original": "run-crons: returned gel", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5199, + "log.offset": 5494, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1453,10 +1527,10 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 19 03:46:49 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", + "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5224, + "log.offset": 5519, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1472,10 +1546,10 @@ "event.code": "Miscellaneous", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 3 10:49:23 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", + "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5303, + "log.offset": 5599, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1498,7 +1572,7 @@ "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5393, + "log.offset": 5692, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1523,7 +1597,7 @@ "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5467, + "log.offset": 5766, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1547,7 +1621,7 @@ "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5522, + "log.offset": 5821, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1572,7 +1646,7 @@ "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5570, + "log.offset": 5869, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1591,10 +1665,10 @@ "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 12 22:02:15 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", + "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5643, + "log.offset": 5942, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1613,7 +1687,7 @@ "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5739, + "log.offset": 6036, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1631,7 +1705,7 @@ "event.original": "firepass[nisi]: [dant] shutting down for system reboot", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5797, + "log.offset": 6094, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1650,7 +1724,7 @@ "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5852, + "log.offset": 6149, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1668,10 +1742,10 @@ "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "November 9 02:12:32 quidolor5025.home run-crons: returned rem", + "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5908, + "log.offset": 6205, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1690,7 +1764,7 @@ "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", "fileset.name": "firepass", "input.type": "log", - "log.offset": 5971, + "log.offset": 6269, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1709,7 +1783,7 @@ "event.original": "heartbeat[uiinea]: info: Utenima", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6029, + "log.offset": 6327, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1728,10 +1802,10 @@ "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "December 21 23:20:14 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", + "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6062, + "log.offset": 6360, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1750,10 +1824,10 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "January 5 06:22:49 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", + "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6169, + "log.offset": 6466, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1772,7 +1846,7 @@ "event.original": "kernel: ionofdeF", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6248, + "log.offset": 6547, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1788,10 +1862,10 @@ "event.code": "ntpd", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "February 2 20:27:57 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", + "event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6265, + "log.offset": 6564, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1810,7 +1884,7 @@ "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6339, + "log.offset": 6636, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1832,7 +1906,7 @@ "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6412, + "log.offset": 6709, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1854,10 +1928,10 @@ "event.code": "maintenance", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "March 17 17:35:40 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980", + "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6467, + "log.offset": 6764, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -1881,7 +1955,7 @@ "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6589, + "log.offset": 6886, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1901,7 +1975,7 @@ "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6637, + "log.offset": 6934, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1926,7 +2000,7 @@ "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6688, + "log.offset": 6985, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1948,10 +2022,10 @@ "event.code": "ntpdate", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 13 21:45:57 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", + "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6731, + "log.offset": 7028, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -1970,11 +2044,11 @@ "event.code": "firepass", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "May 28 04:48:31 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", + "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", "fileset.name": "firepass", "host.name": "eufugi2923.internal.host", "input.type": "log", - "log.offset": 6853, + "log.offset": 7151, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2002,7 +2076,7 @@ "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 6971, + "log.offset": 7270, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2023,10 +2097,10 @@ "event.code": "NetworkAccess", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "June 25 18:53:40 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", + "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7029, + "log.offset": 7328, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2050,10 +2124,10 @@ "event.code": "/USR/SBIN/CRON", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "July 10 01:56:14 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)", + "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7116, + "log.offset": 7416, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2078,7 +2152,7 @@ "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7216, + "log.offset": 7518, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2094,10 +2168,10 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 7 16:01:23 velitse543.api.example heartbeat[torever]: info: oremi", + "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7267, + "log.offset": 7569, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2113,10 +2187,10 @@ "event.code": "heartbeat", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "August 21 23:03:57 temUt631.www5.example heartbeat[npr]: info: mquelau", + "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7340, + "log.offset": 7646, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2132,10 +2206,10 @@ "event.code": "run-crons", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 5 06:06:31 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", + "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7411, + "log.offset": 7717, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2151,11 +2225,11 @@ "event.code": "security", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "September 19 13:09:05 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", + "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", "event.outcome": "failure", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7516, + "log.offset": 7821, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2181,7 +2255,7 @@ "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7645, + "log.offset": 7948, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", 
@@ -2200,7 +2274,7 @@ "event.original": "run-crons[essequam]: acommo returned nturma", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7688, + "log.offset": 7991, "observer.product": "FirePass", "observer.type": "VPN", "observer.vendor": "F5", @@ -2220,10 +2294,10 @@ "event.code": "kernel", "event.dataset": "f5.firepass", "event.module": "f5", - "event.original": "November 1 10:16:48 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", + "event.original": "December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", "fileset.name": "firepass", "input.type": "log", - "log.offset": 7732, + "log.offset": 8035, "network.protocol": "udp", "observer.product": "FirePass", "observer.type": "VPN", 
@@ -2243,66 +2317,5 @@ "f5.firepass", "forwarded" ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel[rpori]: [ice] kernel: cdrom: open failed.", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7915, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 30 00:21:57 commodo6867.internal.example snmp: ", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7964, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "snmp:", - "rsa.internal.messageid": "snmp", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "started", - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "snmp[odoconse]: [quamqua] SNMP handler started", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 8021, - "network.protocol": "SNMP", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "SNMP handler started", - "rsa.internal.messageid": "snmp", - "rsa.misc.action": [ - "started" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index f5a54a1e69e..f3c6950ccae 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json 
@@ -22,8 +22,8 @@ "observer.vendor": "Fortinet", "process.pid": 7880, "related.ip": [ - "10.150.92.220", - "10.102.123.34" + "10.102.123.34", + "10.150.92.220" ], "related.user": [ "sumdo" @@ -136,8 +136,8 @@ "observer.vendor": "Fortinet", "process.pid": 445, "related.ip": [ - "10.118.175.9", - "10.173.116.41" + "10.173.116.41", + "10.118.175.9" ], "related.user": [ "uame" @@ -307,8 +307,8 @@ "observer.vendor": "Fortinet", "process.pid": 2061, "related.ip": [ - "10.200.188.142", - "10.202.72.124" + "10.202.72.124", + "10.200.188.142" ], "related.user": [ "iusmodt" @@ -421,8 +421,8 @@ "observer.vendor": "Fortinet", "process.pid": 5037, "related.ip": [ - "10.66.108.11", - "10.198.136.50" + "10.198.136.50", + "10.66.108.11" ], "related.user": [ "uptatev" @@ -592,8 +592,8 @@ "observer.vendor": "Fortinet", "process.pid": 7307, "related.ip": [ - "10.65.83.160", - "10.136.252.240" + "10.136.252.240", + "10.65.83.160" ], "related.user": [ "ender" @@ -763,8 +763,8 @@ "observer.vendor": "Fortinet", "process.pid": 7668, "related.ip": [ - "10.72.58.135", - "10.109.232.112" + "10.109.232.112", + "10.72.58.135" ], "related.user": [ "xea" @@ -820,8 +820,8 @@ "observer.vendor": "Fortinet", "process.pid": 1044, "related.ip": [ - "10.72.29.73", - "10.38.22.45" + "10.38.22.45", + "10.72.29.73" ], "related.user": [ "onproide" @@ -877,8 +877,8 @@ "observer.vendor": "Fortinet", "process.pid": 7183, "related.ip": [ - "10.70.95.74", - "10.76.72.111" + "10.76.72.111", + "10.70.95.74" ], "related.user": [ "ivelits" @@ -934,8 +934,8 @@ "observer.vendor": "Fortinet", "process.pid": 6907, "related.ip": [ - "10.19.201.13", - "10.73.69.75" + "10.73.69.75", + "10.19.201.13" ], "related.user": [ "tat" @@ -991,8 +991,8 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.ip": [ - "10.84.105.75", - "10.78.151.178" + "10.78.151.178", + "10.84.105.75" ], "related.user": [ "iquaUten" 
@@ -1105,8 +1105,8 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.ip": [ - "10.121.219.204", - "10.104.134.200" + "10.104.134.200", + "10.121.219.204" ], "related.user": [ "uptat" @@ -1162,8 +1162,8 @@ "observer.vendor": "Fortinet", "process.pid": 6994, "related.ip": [ - "10.191.105.82", - "10.225.160.182" + "10.225.160.182", + "10.191.105.82" ], "related.user": [ "eirure" @@ -1333,8 +1333,8 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.ip": [ - "10.248.204.182", - "10.134.148.219" + "10.134.148.219", + "10.248.204.182" ], "related.user": [ "uioffi" @@ -1447,8 +1447,8 @@ "observer.vendor": "Fortinet", "process.pid": 2493, "related.ip": [ - "10.221.89.228", - "10.177.194.18" + "10.177.194.18", + "10.221.89.228" ], "related.user": [ "aliquam" @@ -1504,8 +1504,8 @@ "observer.vendor": "Fortinet", "process.pid": 3022, "related.ip": [ - "10.32.239.1", - "10.241.65.49" + "10.241.65.49", + "10.32.239.1" ], "related.user": [ "idata" @@ -1561,8 +1561,8 @@ "observer.vendor": "Fortinet", "process.pid": 2328, "related.ip": [ - "10.101.57.120", - "10.168.90.81" + "10.168.90.81", + "10.101.57.120" ], "related.user": [ "eporr" @@ -1618,8 +1618,8 @@ "observer.vendor": "Fortinet", "process.pid": 1156, "related.ip": [ - "10.130.14.60", - "10.14.211.43" + "10.14.211.43", + "10.130.14.60" ], "related.user": [ "litse" @@ -1675,8 +1675,8 @@ "observer.vendor": "Fortinet", "process.pid": 6003, "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "related.user": [ "evolup" @@ -1789,8 +1789,8 @@ "observer.vendor": "Fortinet", "process.pid": 3470, "related.ip": [ - "10.66.2.232", - "10.27.14.168" + "10.27.14.168", + "10.66.2.232" ], "related.user": [ "uirati" @@ -1846,8 +1846,8 @@ "observer.vendor": "Fortinet", "process.pid": 6932, "related.ip": [ - "10.75.99.127", - "10.195.2.130" + "10.195.2.130", + "10.75.99.127" ], "related.user": [ "inibusB" 
@@ -1903,8 +1903,8 @@ "observer.vendor": "Fortinet", "process.pid": 6945, "related.ip": [ - "10.201.238.90", - "10.245.104.182" + "10.245.104.182", + "10.201.238.90" ], "related.user": [ "ovol" @@ -1960,8 +1960,8 @@ "observer.vendor": "Fortinet", "process.pid": 853, "related.ip": [ - "10.105.91.31", - "10.217.150.196" + "10.217.150.196", + "10.105.91.31" ], "related.user": [ "con" @@ -2131,8 +2131,8 @@ "observer.vendor": "Fortinet", "process.pid": 337, "related.ip": [ - "10.83.177.2", - "10.27.16.118" + "10.27.16.118", + "10.83.177.2" ], "related.user": [ "borios" @@ -2188,8 +2188,8 @@ "observer.vendor": "Fortinet", "process.pid": 7041, "related.ip": [ - "10.38.54.72", - "10.167.227.44" + "10.167.227.44", + "10.38.54.72" ], "related.user": [ "riamea" @@ -2245,8 +2245,8 @@ "observer.vendor": "Fortinet", "process.pid": 3854, "related.ip": [ - "10.216.54.184", - "10.215.205.216" + "10.215.205.216", + "10.216.54.184" ], "related.user": [ "ameiusm" @@ -2302,8 +2302,8 @@ "observer.vendor": "Fortinet", "process.pid": 55, "related.ip": [ - "10.9.12.248", - "10.9.18.237" + "10.9.18.237", + "10.9.12.248" ], "related.user": [ "uradi" @@ -2359,8 +2359,8 @@ "observer.vendor": "Fortinet", "process.pid": 228, "related.ip": [ - "10.41.123.102", - "10.83.130.226" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ "tenim" @@ -2815,8 +2815,8 @@ "observer.vendor": "Fortinet", "process.pid": 6248, "related.ip": [ - "10.150.245.88", - "10.210.89.183" + "10.210.89.183", + "10.150.245.88" ], "related.user": [ "sequa" @@ -2929,8 +2929,8 @@ "observer.vendor": "Fortinet", "process.pid": 430, "related.ip": [ - "10.210.28.247", - "10.207.211.230" + "10.207.211.230", + "10.210.28.247" ], "related.user": [ "tate" @@ -2986,8 +2986,8 @@ "observer.vendor": "Fortinet", "process.pid": 3589, "related.ip": [ - "10.248.165.185", - "10.86.11.48" + "10.86.11.48", + "10.248.165.185" ], "related.user": [ "dquiac" 
@@ -3043,8 +3043,8 @@ "observer.vendor": "Fortinet", "process.pid": 4814, "related.ip": [ - "10.118.6.177", - "10.47.125.38" + "10.47.125.38", + "10.118.6.177" ], "related.user": [ "quunt" @@ -3157,8 +3157,8 @@ "observer.vendor": "Fortinet", "process.pid": 2452, "related.ip": [ - "10.120.10.211", - "10.28.82.189" + "10.28.82.189", + "10.120.10.211" ], "related.user": [ "rcit" @@ -3271,8 +3271,8 @@ "observer.vendor": "Fortinet", "process.pid": 2302, "related.ip": [ - "10.125.165.144", - "10.226.5.189" + "10.226.5.189", + "10.125.165.144" ], "related.user": [ "mvolu" @@ -3328,8 +3328,8 @@ "observer.vendor": "Fortinet", "process.pid": 7079, "related.ip": [ - "10.46.56.204", - "10.97.149.97" + "10.97.149.97", + "10.46.56.204" ], "related.user": [ "dolorsit" @@ -3385,8 +3385,8 @@ "observer.vendor": "Fortinet", "process.pid": 5773, "related.ip": [ - "10.28.105.124", - "10.218.0.197" + "10.218.0.197", + "10.28.105.124" ], "related.user": [ "ntNe" @@ -3442,8 +3442,8 @@ "observer.vendor": "Fortinet", "process.pid": 1586, "related.ip": [ - "10.17.87.79", - "10.123.199.198" + "10.123.199.198", + "10.17.87.79" ], "related.user": [ "ratvolu" @@ -3499,8 +3499,8 @@ "observer.vendor": "Fortinet", "process.pid": 5137, "related.ip": [ - "10.115.68.40", - "10.38.86.177" + "10.38.86.177", + "10.115.68.40" ], "related.user": [ "mpo" @@ -3556,8 +3556,8 @@ "observer.vendor": "Fortinet", "process.pid": 5704, "related.ip": [ - "10.193.118.163", - "10.115.174.107" + "10.115.174.107", + "10.193.118.163" ], "related.user": [ "exeacomm" @@ -3613,8 +3613,8 @@ "observer.vendor": "Fortinet", "process.pid": 2310, "related.ip": [ - "10.77.77.208", - "10.37.128.49" + "10.37.128.49", + "10.77.77.208" ], "related.user": [ "moles" @@ -3670,8 +3670,8 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.ip": [ - "10.1.96.93", - "10.54.73.158" + "10.54.73.158", + "10.1.96.93" ], "related.user": [ "lloinven" 
@@ -3727,8 +3727,8 @@ "observer.vendor": "Fortinet", "process.pid": 2465, "related.ip": [ - "10.182.152.242", - "10.131.126.109" + "10.131.126.109", + "10.182.152.242" ], "related.user": [ "dolor" @@ -3784,8 +3784,8 @@ "observer.vendor": "Fortinet", "process.pid": 6064, "related.ip": [ - "10.77.229.168", - "10.181.247.224" + "10.181.247.224", + "10.77.229.168" ], "related.user": [ "adol" @@ -3841,8 +3841,8 @@ "observer.vendor": "Fortinet", "process.pid": 2861, "related.ip": [ - "10.235.116.121", - "10.72.162.6" + "10.72.162.6", + "10.235.116.121" ], "related.user": [ "oinv" @@ -4012,8 +4012,8 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.ip": [ - "10.97.236.123", - "10.77.78.180" + "10.77.78.180", + "10.97.236.123" ], "related.user": [ "nisi" @@ -4126,8 +4126,8 @@ "observer.vendor": "Fortinet", "process.pid": 4020, "related.ip": [ - "10.170.252.219", - "10.180.180.230" + "10.180.180.230", + "10.170.252.219" ], "related.user": [ "nse" @@ -4240,8 +4240,8 @@ "observer.vendor": "Fortinet", "process.pid": 487, "related.ip": [ - "10.76.122.196", - "10.195.223.82" + "10.195.223.82", + "10.76.122.196" ], "related.user": [ "umiurer" @@ -4354,8 +4354,8 @@ "observer.vendor": "Fortinet", "process.pid": 6311, "related.ip": [ - "10.250.81.189", - "10.219.1.151" + "10.219.1.151", + "10.250.81.189" ], "related.user": [ "ori" @@ -4411,8 +4411,8 @@ "observer.vendor": "Fortinet", "process.pid": 7128, "related.ip": [ - "10.54.23.133", - "10.76.125.70" + "10.76.125.70", + "10.54.23.133" ], "related.user": [ "oloreeu" @@ -4582,8 +4582,8 @@ "observer.vendor": "Fortinet", "process.pid": 2314, "related.ip": [ - "10.73.28.165", - "10.221.206.74" + "10.221.206.74", + "10.73.28.165" ], "related.user": [ "quas" @@ -4753,8 +4753,8 @@ "observer.vendor": "Fortinet", "process.pid": 4337, "related.ip": [ - "10.106.249.91", - "10.19.119.17" + "10.19.119.17", + "10.106.249.91" ], "related.user": [ "lit" 
@@ -4810,8 +4810,8 @@ "observer.vendor": "Fortinet", "process.pid": 5275, "related.ip": [ - "10.181.41.154", - "10.29.109.126" + "10.29.109.126", + "10.181.41.154" ], "related.user": [ "labo" @@ -4981,8 +4981,8 @@ "observer.vendor": "Fortinet", "process.pid": 226, "related.ip": [ - "10.29.120.226", - "10.103.189.199" + "10.103.189.199", + "10.29.120.226" ], "related.user": [ "emu" @@ -5266,8 +5266,8 @@ "observer.vendor": "Fortinet", "process.pid": 3141, "related.ip": [ - "10.79.73.195", - "10.125.143.153" + "10.125.143.153", + "10.79.73.195" ], "related.user": [ "emip" @@ -5323,8 +5323,8 @@ "observer.vendor": "Fortinet", "process.pid": 6331, "related.ip": [ - "10.64.139.17", - "10.240.216.85" + "10.240.216.85", + "10.64.139.17" ], "related.user": [ "nimadmin" @@ -5380,8 +5380,8 @@ "observer.vendor": "Fortinet", "process.pid": 4474, "related.ip": [ - "10.87.90.49", - "10.222.245.80" + "10.222.245.80", + "10.87.90.49" ], "related.user": [ "ptatemse" @@ -5437,8 +5437,8 @@ "observer.vendor": "Fortinet", "process.pid": 4855, "related.ip": [ - "10.87.144.208", - "10.143.53.214" + "10.143.53.214", + "10.87.144.208" ], "related.user": [ "psumq" @@ -5551,8 +5551,8 @@ "observer.vendor": "Fortinet", "process.pid": 4493, "related.ip": [ - "10.161.64.168", - "10.194.67.223" + "10.194.67.223", + "10.161.64.168" ], "related.user": [ "tion" diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index c57c741a983..558c6079442 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md @@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-08 22:20:59.343166 +0000 UTC. +at 2020-07-13 17:12:01.207328 +0000 UTC. 
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 90316495eb2..be59ef88af7 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -24,9 +24,9 @@ "10.81.122.126" ], "related.user": [ - "tatno", + "magn", "aqui", - "magn" + "tatno" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -106,13 +106,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.159.182.171", - "10.58.116.231" + "10.58.116.231", + "10.159.182.171" ], "related.user": [ + "uradi", "qua", - "temUten", - "uradi" + "temUten" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -161,12 +161,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.232.27.250", - "10.18.124.28" + "10.18.124.28", + "10.232.27.250" ], "related.user": [ - "modocons", "mquidol", + "modocons", "lapariat" ], "rsa.counters.dclass_c1": 6564, @@ -226,17 +226,17 @@ "10.6.137.200" ], "related.user": [ - "oluptas", + "intoc", "occae", - "intoc" + "oluptas" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", "rsa.internal.event_desc": "snostrud", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "dol", - "cancel" + "cancel", + "dol" ], "rsa.misc.category": "nama", "rsa.misc.disposition": "quisnos", @@ -292,9 +292,9 @@ "10.179.124.125" ], "related.user": [ - "reme", "ncidid", - "acommod" + "acommod", + "reme" ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", @@ -352,12 +352,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.211.105.204", - "10.129.149.43" + "10.129.149.43", + "10.211.105.204" ], "related.user": [ - "orema", "labor", + "orema", "eveli" ], "rsa.counters.dclass_c1": 6855, 
@@ -416,8 +416,8 @@ ], "related.user": [ "ipsumdol", - "Exc", - "ide" + "ide", + "Exc" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -473,9 +473,9 @@ "10.192.34.76" ], "related.user": [ + "ovol", "iquipe", - "tnonpro", - "ovol" + "tnonpro" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -529,8 +529,8 @@ ], "related.user": [ "archite", - "idunt", - "boree" + "boree", + "idunt" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -583,13 +583,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.230.173.4", - "10.168.159.13" + "10.168.159.13", + "10.230.173.4" ], "related.user": [ - "atemq", + "inci", "isnostr", - "inci" + "atemq" ], "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -646,9 +646,9 @@ "10.49.167.57" ], "related.user": [ + "sau", "tali", - "ccaeca", - "sau" + "ccaeca" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -716,8 +716,8 @@ "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quasia", - "accept" + "accept", + "quasia" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -774,9 +774,9 @@ "10.204.128.215" ], "related.user": [ - "nci", "paquioff", - "rum" + "rum", + "nci" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", @@ -837,9 +837,9 @@ "10.34.148.166" ], "related.user": [ - "miu", + "untutlab", "icabo", - "untutlab" + "miu" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -892,9 +892,9 @@ "10.134.5.40" ], "related.user": [ + "siu", "licabo", - "conse", - "siu" + "conse" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -947,13 +947,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.126.26.131", - "10.30.98.10" + "10.30.98.10", + "10.126.26.131" ], "related.user": [ - "dipisci", "velite", - "olori" + "olori", + "dipisci" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1006,12 +1006,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.190.10.219", - "10.233.120.207" + "10.233.120.207", + "10.190.10.219" ], "related.user": [ - "item", "accusant", + "item", "quamnih" ], "rsa.counters.dclass_c1": 3278, @@ -1097,9 +1097,9 @@ "10.100.98.56" ], "related.user": [ - "proident", + "ritati", "boru", - "ritati" + "proident" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1156,9 +1156,9 @@ "10.197.6.245" ], "related.user": [ - "dtempo", + "aecatcup", "oluptat", - "aecatcup" + "dtempo" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1211,13 +1211,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.167.252.183", - "10.6.27.103" + "10.6.27.103", + "10.167.252.183" ], "related.user": [ + "asnu", "ationul", - "redol", - "asnu" + "redol" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1276,17 +1276,17 @@ "10.81.184.7" ], "related.user": [ - "undeomni", + "lmole", "iameaque", - "lmole" + "undeomni" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "illu", - "deny" + "deny", + "illu" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1341,9 +1341,9 @@ "10.29.119.245" ], "related.user": [ - "scipitl", "edolorin", - "taliqui" + "taliqui", + "scipitl" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1463,12 +1463,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.105.190.170", - "10.182.152.242" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ - "doeiu", "mquisn", + "doeiu", "litan" ], "rsa.counters.dclass_c1": 3474, @@ -1528,17 +1528,17 @@ "10.123.166.197" ], "related.user": [ - "liquam", + "emUte", "min", - "emUte" + "liquam" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", "rsa.internal.event_desc": "tautfug", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "itae", - "block" + "block", + "itae" ], "rsa.misc.category": "giatquov", "rsa.misc.disposition": "olu", @@ -1592,9 +1592,9 @@ "10.201.168.116" ], "related.user": [ - "eFini", + "eufug", "urau", - "eufug" + "eFini" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1651,9 +1651,9 @@ "10.9.46.123" ], "related.user": [ - "mfu", "oco", - "nde" + "nde", + "mfu" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1711,8 +1711,8 @@ ], "related.user": [ "pta", - "veniamq", - "mquisnos" + "mquisnos", + "veniamq" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1765,13 +1765,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.137.85.123", - "10.165.182.111" + "10.165.182.111", + "10.137.85.123" ], "related.user": [ - "Bonorum", "sis", - "ames" + "ames", + "Bonorum" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1858,9 +1858,9 @@ "10.173.178.109" ], "related.user": [ - "nesci", "tam", - "uian" + "uian", + "nesci" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", 
@@ -1919,13 +1919,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.90.50.149", - "10.168.225.209" + "10.168.225.209", + "10.90.50.149" ], "related.user": [ "olupta", - "aUtenima", - "olu" + "olu", + "aUtenima" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1978,13 +1978,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.59.182.36", - "10.18.150.82" + "10.18.150.82", + "10.59.182.36" ], "related.user": [ - "mtota", + "qua", "luptat", - "qua" + "mtota" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2064,13 +2064,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.228.229.144", - "10.151.240.35" + "10.151.240.35", + "10.228.229.144" ], "related.user": [ - "ametcons", "lam", - "ama" + "ama", + "ametcons" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2119,13 +2119,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.242.48.203", - "10.147.142.242" + "10.147.142.242", + "10.242.48.203" ], "related.user": [ - "quasi", + "quisn", "ese", - "quisn" + "quasi" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2184,17 +2184,17 @@ "10.254.10.98" ], "related.user": [ - "ttenb", "eufugia", - "civeli" + "civeli", + "ttenb" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uptasn", - "cancel" + "cancel", + "uptasn" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2279,9 +2279,9 @@ "10.116.1.130" ], "related.user": [ + "amco", "reseo", - "eturadip", - "amco" + "eturadip" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", 
@@ -2340,8 +2340,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.29.138.31", - "10.45.69.152" + "10.45.69.152", + "10.29.138.31" ], "related.user": [ "tsunt", @@ -2399,8 +2399,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.152.213.228", - "10.100.113.11" + "10.100.113.11", + "10.152.213.228" ], "related.user": [ "ptatev", @@ -2486,8 +2486,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.102.129", - "10.208.33.55" + "10.208.33.55", + "10.248.102.129" ], "related.user": [ "inimv", @@ -2549,8 +2549,8 @@ "10.203.164.132" ], "related.user": [ - "ectobea", "ibus", + "ectobea", "mporin" ], "rsa.counters.dclass_c1": 547, @@ -2609,8 +2609,8 @@ ], "related.user": [ "iconsequ", - "exeac", - "dol" + "dol", + "exeac" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2663,13 +2663,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.224.217.153", - "10.45.152.205" + "10.45.152.205", + "10.224.217.153" ], "related.user": [ - "eriti", "imav", - "utlabo" + "utlabo", + "eriti" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2727,9 +2727,9 @@ "10.60.164.100" ], "related.user": [ - "hite", + "ugi", "adipis", - "ugi" + "hite" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", @@ -2791,8 +2791,8 @@ "10.146.228.234" ], "related.user": [ - "sum", "eiusm", + "sum", "mquamei" ], "rsa.counters.dclass_c1": 3058, @@ -2842,13 +2842,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.122.127.237", - "10.86.121.152" + "10.86.121.152", + "10.122.127.237" ], "related.user": [ "ine", - "nimv", - "consecte" + "consecte", + "nimv" ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2960,13 +2960,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.200.12.126", - "10.223.56.33" + "10.223.56.33", + "10.200.12.126" ], "related.user": [ + "elitsedd", "magnido", - "Nequepo", - "elitsedd" + "Nequepo" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3021,13 +3021,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.94.89.177", - "10.65.225.101" + "10.65.225.101", + "10.94.89.177" ], "related.user": [ - "emquel", "tuserror", - "citation" + "citation", + "emquel" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", @@ -3090,8 +3090,8 @@ ], "related.user": [ "iin", - "uta", - "tione" + "tione", + "uta" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3146,9 +3146,9 @@ "10.224.148.48" ], "related.user": [ + "iosamn", "niam", - "equepor", - "iosamn" + "equepor" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", @@ -3211,9 +3211,9 @@ "10.21.208.103" ], "related.user": [ + "imidest", "ostr", - "mipsa", - "imidest" + "mipsa" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3331,17 +3331,17 @@ "10.191.142.143" ], "related.user": [ + "modtempo", "animide", - "nofde", - "modtempo" + "nofde" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ali" + "ali", + "cancel" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", 
@@ -3393,21 +3393,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.111.22.134", - "10.178.79.217" + "10.178.79.217", + "10.111.22.134" ], "related.user": [ "inibusBo", - "ccusan", - "tqui" + "tqui", + "ccusan" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "orisnis" + "orisnis", + "deny" ], "rsa.misc.category": "sitas", "rsa.misc.disposition": "eni", @@ -3457,12 +3457,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.77.86.215", - "10.161.225.172" + "10.161.225.172", + "10.77.86.215" ], "related.user": [ - "meaqu", "rcit", + "meaqu", "xerc" ], "rsa.counters.dclass_c1": 7286, @@ -3515,13 +3515,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.211.161.187", - "10.186.133.184" + "10.186.133.184", + "10.211.161.187" ], "related.user": [ "acons", - "sci", - "boriosa" + "boriosa", + "sci" ], "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3569,13 +3569,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.254.198.47", - "10.160.147.230" + "10.160.147.230", + "10.254.198.47" ], "related.user": [ "illoin", - "nimvenia", - "ndeomnis" + "ndeomnis", + "nimvenia" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3628,9 +3628,9 @@ "10.182.197.243" ], "related.user": [ + "mSecti", "exerci", - "orisnis", - "mSecti" + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3687,9 +3687,9 @@ "10.249.13.159" ], "related.user": [ - "exeacomm", "colab", - "uisautei" + "uisautei", + "exeacomm" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3748,8 +3748,8 @@ "10.64.94.174" ], "related.user": [ - "iunt", "estiae", + "iunt", "Sedut" ], "rsa.counters.event_counter": 7128, 
@@ -3864,13 +3864,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.134.135.22", - "10.115.203.143" + "10.115.203.143", + "10.134.135.22" ], "related.user": [ - "utoditau", + "involu", "orpori", - "involu" + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3923,13 +3923,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.43.244.252", - "10.251.212.166" + "10.251.212.166", + "10.43.244.252" ], "related.user": [ + "inculp", "uptat", - "gnido", - "inculp" + "gnido" ], "rsa.counters.dclass_c1": 6947, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4010,13 +4010,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.88.189.164", - "10.20.231.188" + "10.20.231.188", + "10.88.189.164" ], "related.user": [ - "uatDuisa", + "mqu", "tesseq", - "mqu" + "uatDuisa" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4097,13 +4097,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.225.11.197", - "10.231.77.26" + "10.231.77.26", + "10.225.11.197" ], "related.user": [ "rehe", - "ineavol", - "volu" + "volu", + "ineavol" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4159,8 +4159,8 @@ ], "related.user": [ "usa", - "olupt", - "avolup" + "avolup", + "olupt" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4213,9 +4213,9 @@ "10.172.121.239" ], "related.user": [ - "ipsu", + "ctas", "iuta", - "ctas" + "ipsu" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4268,13 +4268,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.129.234.200", - "10.42.218.103" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ - "dquia", "tevelit", - "tisundeo" + "tisundeo", + "dquia" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4327,8 +4327,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.76.121.224", - "10.111.132.221" + "10.111.132.221", + "10.76.121.224" ], "related.user": [ "oloremi", @@ -4386,13 +4386,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.195.8.141", - "10.17.214.21" + "10.17.214.21", + "10.195.8.141" ], "related.user": [ + "enimip", "ota", - "dolo", - "enimip" + "dolo" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4449,9 +4449,9 @@ "10.179.60.167" ], "related.user": [ - "ptasn", + "apar", "isn", - "apar" + "ptasn" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4649,8 +4649,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.116.26.185", - "10.206.221.180" + "10.206.221.180", + "10.116.26.185" ], "related.user": [ "litesseq", @@ -4704,13 +4704,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.180.150", - "10.253.127.130" + "10.253.127.130", + "10.86.180.150" ], "related.user": [ - "itasper", + "mnisis", "etconsec", - "mnisis" + "itasper" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4765,8 +4765,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.158.161.5", - "10.220.175.201" + "10.220.175.201", + "10.158.161.5" ], "related.user": [ "rrors", @@ -4777,8 +4777,8 @@ "rsa.internal.event_desc": "enima", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atisu", - "allow" + "allow", + "atisu" ], "rsa.misc.category": "emseq", "rsa.misc.disposition": "osamni", @@ -4856,13 +4856,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.150.27.144", - "10.248.16.82" + "10.248.16.82", + "10.150.27.144" ], "related.user": [ - "res", "ditautf", - "tuserror" + "tuserror", + "res" ], "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4919,9 +4919,9 @@ "10.173.19.140" ], "related.user": [ - "orsi", "olo", - "Except" + "Except", + "orsi" ], "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5028,13 +5028,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.253.175.129", - "10.213.214.118" + "10.213.214.118", + "10.253.175.129" ], "related.user": [ - "ate", + "epteurs", "nrep", - "epteurs" + "ate" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5093,17 +5093,17 @@ "10.149.91.130" ], "related.user": [ + "atus", "orumetMa", - "aboris", - "atus" + "aboris" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atcupi", - "block" + "block", + "atcupi" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", @@ -5155,13 +5155,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.81.108.232", - "10.52.106.68" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ + "neavolup", "aco", - "uaturve", - "neavolup" + "uaturve" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", @@ -5227,16 +5227,16 @@ ], "related.user": [ "untex", - "erit", - "usmodte" + "usmodte", + "erit" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", "rsa.internal.event_desc": "itatiset", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "tconse" + "tconse", + "deny" ], "rsa.misc.category": "uaerat", "rsa.misc.disposition": "met", @@ -5287,13 +5287,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.115.42.231", - "10.161.212.150" + "10.161.212.150", + "10.115.42.231" ], "related.user": [ - "res", "tasnul", - "sequamn" + "sequamn", + "res" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5412,13 +5412,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.97.22.61", - "10.192.15.65" + "10.192.15.65", + "10.97.22.61" ], "related.user": [ - "rExcep", + "illumd", "nimides", - "illumd" + "rExcep" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5473,9 +5473,9 @@ "10.197.254.133" ], "related.user": [ + "idu", "trudex", - "ide", - "idu" + "ide" ], "rsa.counters.event_counter": 2608, "rsa.db.database": "ncul", @@ -5533,8 +5533,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.77.79", - "10.144.14.15" + "10.144.14.15", + "10.28.77.79" ], "related.user": [ "utlab", @@ -5591,8 +5591,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.15.43", - "10.248.177.182" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ "quaturve", diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index a77407da393..79e1ddc66ef 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-08 22:20:59.743054 +0000 UTC. +at 2020-07-13 17:12:01.672206 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log index aa19d8bc78d..293140fb637 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log 
@@ -1,100 +1,100 @@ January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213 -March 12 03:17:42 rmagni1998.internal.host onev: purge_scheduled_tasks Scheduled tasks have been purged -March 26 10:20:16 Cice513.api.local scheduled_scp_backups[doloreeu]: Scheduled backup to the pori was successful - Backup file occ -April 9 17:22:51 uid545.www5.localhost 10.12.44.169 speedstep_control[autfu]: natura +March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia +March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo) +April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15 May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec -June 5 21:33:08 moll2902.www.local ema: phonehome roinBCSe -June 20 04:35:42 onse1664.internal.domain 10.42.206.48 debug_mount[taliqu]: mount temUten -July 4 11:38:16 atquovo5642.www5.test mquaera: in.tftpd sending NAK (dun, success) to 10.185.126.247 -July 18 18:40:50 ali6446.localhost sSMTP[tnon]: ionul -August 2 01:43:25 edquiano6061.internal.invalid end: shutdown shutting down for system reboot -Aug 16 08:45:59 cup1793.local 10.110.243.57 tacacs_acct[onofd]: taed: Read lup bytes from server 10.210.72.27 port 7118, expecting strude -August 30 15:48:33 ostr4979.www5.host controld[luptat]: Distribution Started -September 13 22:51:07 adm987.www.test ritatis: 
ntpdate oloremi -September 28 05:53:42 isaute811.www.home tionemu: syslog eomnisis -October 12 12:56:16 inima5444.www5.lan validate_dhcpd[nihi]: Lor -October 26 19:58:50 erc3217.internal.lan debug_mount[olupt]: mount modoco -Nov 10 03:01:24 iadese6958.www5.local 10.33.153.47 captured_dns_uploader: hil -November 24 10:03:59 CSed2857.www5.example ecillu: validate_dhcpd quip -December 8 17:06:33 uatD2509.mail.domain ntpdate[rehend]: adjust time server 10.194.18.21 offset 66.440000 sec -December 23 00:09:07 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm -January 6 07:11:41 ercit2385.internal.home rsyncd[run]: building file list -January 20 14:14:16 quisnos4590.mail.domain nnum: httpd eritqu -February 3 21:16:50 wri2784.api.domain hitect: restarting dol -February 18 04:19:24 asun1250.api.localdomain rc3[oluptate]: onseq -Mar 04 11:21:59 iae1637.local 10.85.164.25 captured_dns_uploader: doloreme +June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo +June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema +July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu +July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot +August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15 +August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start +August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw +September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor +September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco +October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463 +October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299 +November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips +November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 
sSMTP[temveleu]: Sent mail for colabo (eme) +December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm +December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list +January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu +January 20 14:14:16 wri2784.api.domain hitect: restarting dol +February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq +February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat +March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos -April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME etdol"uela" in zone "boN" +April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME "etdol" in zone "uela" April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) -May 14 22:34:50 bore6534.internal.localhost stlabo: speedstep_control dictasu +May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis -Jun 26 19:42:33 Utenima1612.www5.domain ptatem: captured_dns_uploader Nequepor -July 11 02:45:07 tco1842.www.localhost 10.20.147.134 ntpd_initres: ntpd exiting on signal 15 -July 25 09:47:41 turadip3427.api.corp 10.77.52.83 pidof[nci]: can't read sid from tev -August 8 16:50:15 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav -August 22 23:52:50 adm7744.mail.domain 10.26.87.161 rcsysinit: isc -September 6 06:55:24 ios6980.example 
10.246.64.161 watchdog: deny, pid = 845 -September 20 13:57:58 osquira6030.internal.corp diskcheck[com]: tnulapa -October 4 21:00:32 squirati63.mail.lan watchdog[nbyCic]: utlabor -October 19 04:03:07 lup2134.www.localhost rc[upida]: executing tvolupt start -November 2 11:05:41 umdo4017.www.local snmptrapd[ati]: uine -November 16 18:08:15 loreme853.www5.localdomain ven: snmptrapd con -December 1 01:10:49 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) -December 15 08:13:24 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe -December 29 15:15:58 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 -January 12 22:18:32 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt -January 27 05:21:06 tali7803.www.localdomain its: httpd ender -February 10 12:23:41 siut5663.local piscinge: rcsysinit fsck from 1.271 -February 24 19:26:15 elitse6672.internal.localdomain INFOBLOX-Grid[mquisno]: Grid member at 10.107.9.163 uptate -March 11 02:28:49 tpersp55.api.invalid 10.15.97.155 openvpn-member[tdol]: Options error: sit -March 25 09:31:24 uptate6077.www5.corp ugiat: init onulam -April 8 16:33:58 odoconse228.mail.localdomain veli: syslog-ng tenim -April 22 23:36:32 tdol5310.domain diskcheck[asper]: idunt -May 7 06:39:06 ica7215.mail.home dicta: in.tftpd connection refused from 10.235.176.114 -May 21 13:41:41 veniamqu7284.mail.invalid 10.224.11.165 pidof[utali]: can't read sid from porinc -June 4 20:44:15 eumfugi28.api.test 10.86.22.67 in.tftpd: RRQ from 10.96.166.208 filename rcitat -June 19 03:46:49 sequatD5469.www5.lan atisetqu: diskcheck issuscip -July 3 10:49:23 tla4765.api.host purge_scheduled_tasks[isa]: Scheduled tasks have been purged -July 17 17:51:58 itationu3575.www.invalid 10.21.229.25 syslog-ng: orroq +June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons +July 11 02:45:07 nonn839.api.corp 10.35.99.92 
smart_check_io: temquiav +July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc +August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845 +August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa +September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor +September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start +October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine +October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con +November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) +November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe +December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 +December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt +December 29 15:15:58 tali7803.www.localdomain its: httpd ender +January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum +January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836 +February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim +February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu +March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat +sshd: Sleep 60 seconds for slowing down ssh login +April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure +April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd +May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui +May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips +June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv +June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi +July 3 10:49:23 tame4953.mail.localhost prehen: 
restarting ntutlabo +July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15 August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown. September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun -September 27 05:04:49 tlaboree6412.internal.home smart_check_io[mod]: col -October 11 12:07:23 mipsamvo4282.api.home reetdo: init oreveri -October 25 19:09:57 ugit5828.www5.test rc[asnu]: executing hitec start -November 9 02:12:32 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec -Nov 23 09:15:06 ation6657.www.home dhcpd[iatqu]: Reclaiming REQUESTed abandoned IP address10.16.44.207 -December 7 16:17:40 tas2266.internal.example 10.219.59.20 kernel[ntium]: iration -December 21 23:20:14 oremquel3992.mail.host 10.238.232.42 rcsysinit[ssusci]: animid -Jan 5 06:22:49 atuse5193.www.local dhcpdv6[cti]: aparia -January 19 13:25:23 ratv2649.www.host speedstep_control[tali]: BCS -February 2 20:27:57 nculpaq3821.www5.invalid syslog-ng[billoinv]: sci -February 17 03:30:32 obea5700.mail.lan diskcheck[luptas]: uptatem -March 3 10:33:06 ntmo3423.mail.home scheduled_scp_backups[tNe]: Scheduled backup to the pisc was successful - Backup file urEx -March 17 17:35:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start -April 1 00:38:14 pta6801.mail.invalid 10.35.254.68 snmptrapd[eiusmod]: itation -April 15 07:40:49 scivel2614.www5.invalid meumfugi: httpd tquas -April 29 14:43:23 ntmoll7616.api.localhost INFOBLOX-Grid[isnostru]: Grid member at 10.10.223.104 nBCSe -sshd[Nemo]: Sleep 60 seconds for slowing down ssh login -May 28 04:48:31 velill2874.internal.invalid 10.236.247.87 
debug: tatevel -June 11 11:51:06 ict2699.internal.localhost 10.117.2.51 python: allow: FQDN='luptate4640.api.host', View='iqui' -June 25 18:53:40 reseosq3558.www5.invalid kernel[pteurs]: catcupi -July 10 01:56:14 saqu320.api.test purge_scheduled_tasks[amquisno]: Scheduled tasks have been purged -July 24 08:58:48 sequat4596.api.domain epteur: rc executing ommo start -August 7 16:01:23 olu5333.www.domain orumSe: diskcheck dolor -August 21 23:03:57 dtemp1362.internal.example mips: init itae -September 5 06:06:31 odt5505.www5.localdomain 10.76.92.103 snmptrapd[uscip]: umS -September 19 13:09:05 ici5097.www.domain iatnu: db_jnld Resolved conflict for replicated delete of CNAME writte"sitvo" in zone "ine" -October 3 20:11:40 itse522.internal.localdomain fugiatqu: syslog seos -October 18 03:14:14 oquisqu1528.invalid 10.54.44.231 acpid: Ute -November 1 10:16:48 quu2203.internal.invalid 10.61.175.217 acpid: enbyCi -Nov 15 17:19:22 quunt3116.localhost debug[nonn]: dents -Nov 30 00:21:57 texpli7157.mail.invalid debug[conse]: ventor -December 14 07:24:31 odoc7856.api.example 10.50.252.2 openvpn-master[atnonpr]: ita +September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15 +October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 +October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri +Nov 9 02:12:32 umq1309.api.test uae: debug mve +November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start +December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15 +December 21 23:20:14 archite1843.mail.home isqua: radiusd uta +January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl +January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec +sshd[saquaea]: Did not receive identification string from 10.222.251.114 +February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd 
connection refused from 10.17.87.79 +March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15 +March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success +April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem +April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun +April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr +May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS +May 28 04:48:31 abor4353.www5.host ame: python tesseq +June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto +June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start +July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod. +July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt +August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu +Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe +September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo +September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem +October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success +October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum +November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo +November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla +November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor +December 14 07:24:31 dtemp1362.internal.example mips: init itae diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 127cf9703d1..9552bff05b5 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
+++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -90,18 +90,20 @@ ] }, { - "event.code": "purge_scheduled_tasks", + "event.code": "acpid", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 12 03:17:42 rmagni1998.internal.host onev: purge_scheduled_tasks Scheduled tasks have been purged", + "event.original": "March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia", "fileset.name": "nios", "input.type": "log", "log.offset": 462, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.messageid": "purge_scheduled_tasks", - "rsa.misc.event_source": "rmagni1998.internal.host", + "rsa.internal.data": "veleumi", + "rsa.internal.event_desc": "tia", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "mcolabor1656.www5.corp", "rsa.time.day": "12", "rsa.time.month": "March", "service.type": "infoblox", 
@@ -111,22 +113,22 @@ ] }, { - "event.code": "scheduled_scp_backups", + "event.code": "openvpn-member", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 26 10:20:16 Cice513.api.local scheduled_scp_backups[doloreeu]: Scheduled backup to the pori was successful - Backup file occ", - "file.name": "occ", + "event.original": "March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo)", "fileset.name": "nios", "input.type": "log", - "log.offset": 566, + "log.offset": 536, + "network.protocol": "igmp", "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "doloreeu", - "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", - "rsa.internal.messageid": "scheduled_scp_backups", - "rsa.misc.device_name": "pori", + "rsa.db.index": "occ", + "rsa.internal.event_desc": "ect", + "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "Cice513.api.local", + "rsa.misc.result_code": "reetdolo", "rsa.time.day": "26", "rsa.time.month": "March", "service.type": "infoblox", @@ -139,17 +141,16 @@ "event.code": "speedstep_control", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 9 17:22:51 uid545.www5.localhost 10.12.44.169 speedstep_control[autfu]: natura", + "event.original": "April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura", "fileset.name": "nios", "input.type": "log", - "log.offset": 697, + "log.offset": 638, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "autfu", "rsa.internal.event_desc": "natura", "rsa.internal.messageid": "speedstep_control", - "rsa.misc.event_source": "uid545.www5.localhost", + "rsa.misc.event_source": "obeataev7086.mail.invalid", "rsa.time.day": "9", "rsa.time.month": "April", "service.type": "infoblox", 
@@ -165,7 +166,7 @@ "event.original": "Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success", "fileset.name": "nios", "input.type": "log", - "log.offset": 782, + "log.offset": 713, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -187,7 +188,7 @@ "event.original": "May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 844, + "log.offset": 775, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -209,7 +210,7 @@ "event.original": "May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec", "fileset.name": "nios", "input.type": "log", - "log.offset": 937, + "log.offset": 868, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -232,19 +233,22 @@ ] }, { - "event.code": "phonehome", + "event.code": "kernel", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 5 21:33:08 moll2902.www.local ema: phonehome roinBCSe", + "event.original": "June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo", "fileset.name": "nios", "input.type": "log", - "log.offset": 1048, + "log.offset": 979, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "roinBCSe", - "rsa.internal.messageid": "phonehome", - "rsa.misc.event_source": "moll2902.www.local", + "observer.version": "1.3162", + "rsa.email.email_src": "umdolore", + "rsa.internal.data": "umdo", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "ite996.host", + "rsa.misc.version": "1.3162", "rsa.time.day": "5", "rsa.time.month": "June", "service.type": "infoblox", 
@@ -254,20 +258,20 @@ ] }, { - "event.code": "debug_mount", + "event.code": "rc6", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 20 04:35:42 onse1664.internal.domain 10.42.206.48 debug_mount[taliqu]: mount temUten", + "event.original": "June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema", "fileset.name": "nios", "input.type": "log", - "log.offset": 1107, + "log.offset": 1070, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "taliqu", - "rsa.internal.event_desc": "temUten", - "rsa.internal.messageid": "debug_mount", - "rsa.misc.event_source": "onse1664.internal.domain", + "rsa.internal.data": "eriame", + "rsa.internal.event_desc": "lorema", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "enim2780.www.lan", "rsa.time.day": "20", "rsa.time.month": "June", "service.type": "infoblox", 
@@ -277,27 +281,21 @@ ] }, { - "destination.ip": [ - "10.185.126.247" - ], - "event.code": "in.tftpd", + "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 4 11:38:16 atquovo5642.www5.test mquaera: in.tftpd sending NAK (dun, success) to 10.185.126.247", + "event.original": "July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu", + "file.name": "oremagna", "fileset.name": "nios", "input.type": "log", - "log.offset": 1197, + "log.offset": 1124, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.185.126.247" - ], - "rsa.internal.event_desc": "sending NAK to remote host", - "rsa.internal.messageid": "in.tftpd", - "rsa.misc.event_source": "atquovo5642.www5.test", - "rsa.misc.result": "success", - "rsa.misc.result_code": "dun", + "rsa.internal.data": "atcu", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "emporinc5075.internal.host", + "rsa.misc.result_code": "ationu", "rsa.time.day": "4", "rsa.time.month": "July", "service.type": "infoblox", 
@@ -307,20 +305,19 @@ ] }, { - "event.code": "sSMTP", + "event.code": "shutdown", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 18 18:40:50 ali6446.localhost sSMTP[tnon]: ionul", + "event.original": "July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot", "fileset.name": "nios", "input.type": "log", - "log.offset": 1298, + "log.offset": 1228, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "tnon", - "rsa.internal.event_desc": "ionul", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.event_source": "ali6446.localhost", + "rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "shutdown", + "rsa.misc.event_source": "strude910.internal.local", "rsa.time.day": "18", "rsa.time.month": "July", "service.type": "infoblox", @@ -330,19 +327,17 @@ ] }, { - "event.code": "shutdown", + "event.code": "", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 2 01:43:25 edquiano6061.internal.invalid end: shutdown shutting down for system reboot", + "event.original": "August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 1352, + "log.offset": 1325, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "shutting down for system reboot", - "rsa.internal.messageid": "shutdown", - "rsa.misc.event_source": "edquiano6061.internal.invalid", + "rsa.internal.messageid": "", "rsa.time.day": "2", "rsa.time.month": "August", "service.type": "infoblox", 
@@ -352,28 +347,21 @@ ] }, { - "destination.ip": [ - "10.210.72.27" - ], - "destination.port": 7118, - "event.code": "tacacs_acct", + "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Aug 16 08:45:59 cup1793.local 10.110.243.57 tacacs_acct[onofd]: taed: Read lup bytes from server 10.210.72.27 port 7118, expecting strude", + "event.original": "August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start", "fileset.name": "nios", "input.type": "log", - "log.offset": 1446, + "log.offset": 1408, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.210.72.27" - ], - "rsa.internal.data": "onofd", - "rsa.internal.messageid": "tacacs_acct", - "rsa.misc.event_source": "cup1793.local", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "ritatis", + "rsa.misc.event_source": "itaut7095.invalid", "rsa.time.day": "16", - "rsa.time.month": "Aug", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -381,20 +369,19 @@ ] }, { - "event.code": "controld", + "event.code": "phonehome", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 30 15:48:33 ostr4979.www5.host controld[luptat]: Distribution Started", + "event.original": "August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw", "fileset.name": "nios", "input.type": "log", - "log.offset": 1584, + "log.offset": 1487, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "luptat", - "rsa.internal.event_desc": "Distribution Started", - "rsa.internal.messageid": "controld", - "rsa.misc.event_source": "ostr4979.www5.host", + "rsa.internal.event_desc": "lorumw", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "colabor1552.www5.local", "rsa.time.day": "30", "rsa.time.month": "August", "service.type": "infoblox", 
@@ -404,19 +391,20 @@ ] }, { - "event.code": "ntpdate", + "event.code": "validate_dhcpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 13 22:51:07 adm987.www.test ritatis: ntpdate oloremi", + "event.original": "September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor", "fileset.name": "nios", "input.type": "log", - "log.offset": 1661, + "log.offset": 1553, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "oloremi", - "rsa.internal.messageid": "ntpdate", - "rsa.misc.event_source": "adm987.www.test", + "rsa.internal.data": "nihi", + "rsa.internal.event_desc": "Lor", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "inima5444.www5.lan", "rsa.time.day": "13", "rsa.time.month": "September", "service.type": "infoblox", @@ -426,20 +414,20 @@ ] }, { - "event.code": "syslog", + "event.code": "debug_mount", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 28 05:53:42 isaute811.www.home tionemu: syslog eomnisis", + "event.original": "September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco", "fileset.name": "nios", "input.type": "log", - "log.offset": 1724, + "log.offset": 1620, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.db.index": "tionemu", - "rsa.internal.event_desc": "eomnisis", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "isaute811.www.home", + "rsa.internal.data": "olupt", + "rsa.internal.event_desc": "modoco", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "erc3217.internal.lan", "rsa.time.day": "28", "rsa.time.month": "September", "service.type": "infoblox", 
@@ -449,43 +437,55 @@ ] }, { - "event.code": "validate_dhcpd", + "event.action": "accept", + "event.code": "named", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 12 12:56:16 inima5444.www5.lan validate_dhcpd[nihi]: Lor", + "event.original": "October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463", "fileset.name": "nios", "input.type": "log", - "log.offset": 1790, + "log.offset": 1696, + "observer.ingress.interface.name": "lo1132", "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "nihi", - "rsa.internal.event_desc": "Lor", - "rsa.internal.messageid": "validate_dhcpd", - "rsa.misc.event_source": "inima5444.www5.lan", + "related.ip": [ + "10.45.25.68" + ], + "rsa.internal.messageid": "named", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_source": "uames499.internal.host", + "rsa.network.sinterface": "lo1132", "rsa.time.day": "12", "rsa.time.month": "October", "service.type": "infoblox", + "source.ip": [ + "10.45.25.68" + ], + "source.port": 1463, "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "debug_mount", + "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 26 19:58:50 erc3217.internal.lan debug_mount[olupt]: mount modoco", + "event.original": "October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299", "fileset.name": "nios", "input.type": "log", - "log.offset": 1855, + "log.offset": 1805, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "olupt", - "rsa.internal.event_desc": "modoco", - "rsa.internal.messageid": "debug_mount", - "rsa.misc.event_source": "erc3217.internal.lan", + "observer.version": "1.2299", + "rsa.internal.data": "intoccae", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": 
"iineavo951.internal.test", + "rsa.misc.version": "1.2299", "rsa.time.day": "26", "rsa.time.month": "October", "service.type": "infoblox", @@ -495,23 +495,22 @@ ] }, { - "event.code": "captured_dns_uploader", + "event.code": "syslog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Nov 10 03:01:24 iadese6958.www5.local 10.33.153.47 captured_dns_uploader: hil", - "event.outcome": "failure", + "event.original": "November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips", "fileset.name": "nios", "input.type": "log", - "log.offset": 1929, + "log.offset": 1902, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "hil", - "rsa.internal.messageid": "captured_dns_uploader", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.event_source": "iadese6958.www5.local", + "rsa.db.index": "emoeni", + "rsa.internal.event_desc": "oenimips", + "rsa.internal.messageid": "syslog", + "rsa.misc.event_source": "Loremip6417.mail.test", "rsa.time.day": "10", - "rsa.time.month": "Nov", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -519,19 +518,20 @@ ] }, { - "event.code": "validate_dhcpd", + "event.code": "sSMTP", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 24 10:03:59 CSed2857.www5.example ecillu: validate_dhcpd quip", + "event.original": "November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) ", "fileset.name": "nios", "input.type": "log", - "log.offset": 2007, + "log.offset": 1969, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "quip", - "rsa.internal.messageid": "validate_dhcpd", - "rsa.misc.event_source": "CSed2857.www5.example", + "rsa.internal.data": "temveleu", + "rsa.internal.event_desc": "Sent mail for colabo (eme)", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "mnisist2347.mail.host", "rsa.time.day": "24", "rsa.time.month": "November", "service.type": "infoblox", 
@@ -540,43 +540,14 @@ "forwarded" ] }, - { - "event.code": "ntpdate", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 8 17:06:33 uatD2509.mail.domain ntpdate[rehend]: adjust time server 10.194.18.21 offset 66.440000 sec", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2078, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.ip": [ - "10.194.18.21" - ], - "rsa.internal.data": "rehend", - "rsa.internal.messageid": "ntpdate", - "rsa.misc.event_source": "uatD2509.mail.domain", - "rsa.time.day": "8", - "rsa.time.duration_time": 66.44, - "rsa.time.month": "December", - "service.type": "infoblox", - "source.ip": [ - "10.194.18.21" - ], - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, { "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 23 00:09:07 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", + "event.original": "December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", "fileset.name": "nios", "input.type": "log", - "log.offset": 2189, + "log.offset": 2076, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -585,7 +556,7 @@ "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "datatn5076.internal.example", "rsa.misc.version": "1.2807", - "rsa.time.day": "23", + "rsa.time.day": "8", "rsa.time.month": "December", "service.type": "infoblox", "tags": [ 
@@ -597,10 +568,10 @@ "event.code": "rsyncd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 6 07:11:41 ercit2385.internal.home rsyncd[run]: building file list", + "event.original": "December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list", "fileset.name": "nios", "input.type": "log", - "log.offset": 2292, + "log.offset": 2178, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -608,8 +579,8 @@ "rsa.internal.event_desc": "building file list", "rsa.internal.messageid": "rsyncd", "rsa.misc.event_source": "ercit2385.internal.home", - "rsa.time.day": "6", - "rsa.time.month": "January", + "rsa.time.day": "23", + "rsa.time.month": "December", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -620,17 +591,17 @@ "event.code": "httpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 20 14:14:16 quisnos4590.mail.domain nnum: httpd eritqu", + "event.original": "January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu", "fileset.name": "nios", "input.type": "log", - "log.offset": 2367, + "log.offset": 2255, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "rsa.internal.event_desc": "eritqu", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "quisnos4590.mail.domain", - "rsa.time.day": "20", + "rsa.time.day": "6", "rsa.time.month": "January", "service.type": "infoblox", "tags": [ @@ -642,10 +613,10 @@ "event.code": "restarting", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 3 21:16:50 wri2784.api.domain hitect: restarting dol", + "event.original": "January 20 14:14:16 wri2784.api.domain hitect: restarting dol", "fileset.name": "nios", "input.type": "log", - "log.offset": 2430, + "log.offset": 2317, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", 
@@ -653,8 +624,8 @@ "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "restarting", "rsa.misc.event_source": "wri2784.api.domain", - "rsa.time.day": "3", - "rsa.time.month": "February", + "rsa.time.day": "20", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -665,10 +636,10 @@ "event.code": "rc3", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 18 04:19:24 asun1250.api.localdomain rc3[oluptate]: onseq", + "event.original": "February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq", "fileset.name": "nios", "input.type": "log", - "log.offset": 2492, + "log.offset": 2379, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -676,6 +647,30 @@ "rsa.internal.event_desc": "onseq", "rsa.internal.messageid": "rc3", "rsa.misc.event_source": "asun1250.api.localdomain", + "rsa.time.day": "3", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat", + "file.name": "equat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2445, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "dantiumt", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "luptasn", + "rsa.misc.event_source": "intoc2428.domain", "rsa.time.day": "18", "rsa.time.month": "February", "service.type": "infoblox", 
@@ -685,23 +680,21 @@ ] }, { - "event.code": "captured_dns_uploader", + "event.code": "rc6", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Mar 04 11:21:59 iae1637.local 10.85.164.25 captured_dns_uploader: doloreme", - "event.outcome": "failure", + "event.original": "March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre", "fileset.name": "nios", "input.type": "log", - "log.offset": 2559, + "log.offset": 2565, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "doloreme", - "rsa.internal.messageid": "captured_dns_uploader", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.event_source": "iae1637.local", - "rsa.time.day": "04", - "rsa.time.month": "Mar", + "rsa.internal.event_desc": "amre", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "ento4488.www5.localhost", + "rsa.time.day": "4", + "rsa.time.month": "March", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -715,7 +708,7 @@ "event.original": "March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete", "fileset.name": "nios", "input.type": "log", - "log.offset": 2634, + "log.offset": 2624, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -738,7 +731,7 @@ "event.original": "April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos", "fileset.name": "nios", "input.type": "log", - "log.offset": 2727, + "log.offset": 2717, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", 
@@ -757,13 +750,13 @@ "event.code": "db_jnld", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME etdol\"uela\" in zone \"boN\"", + "event.original": "April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME \"etdol\" in zone \"uela\"", "fileset.name": "nios", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 2785, + "log.offset": 2775, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -784,7 +777,7 @@ "event.original": "April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)", "fileset.name": "nios", "input.type": "log", - "log.offset": 2924, + "log.offset": 2912, "network.protocol": "rdp", "observer.product": "Network", "observer.type": "IPAM", @@ -803,19 +796,19 @@ ] }, { - "event.code": "speedstep_control", + "event.code": "syslog-ng", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 14 22:34:50 bore6534.internal.localhost stlabo: speedstep_control dictasu", + "event.original": "May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme", "fileset.name": "nios", "input.type": "log", - "log.offset": 3026, + "log.offset": 3014, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "dictasu", - "rsa.internal.messageid": "speedstep_control", - "rsa.misc.event_source": "bore6534.internal.localhost", + "rsa.internal.event_desc": "reme", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "onsecte7184.mail.domain", "rsa.time.day": "14", "rsa.time.month": "May", "service.type": "infoblox", 
@@ -831,7 +824,7 @@ "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non", "fileset.name": "nios", "input.type": "log", - "log.offset": 3104, + "log.offset": 3077, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -855,7 +848,7 @@ "host.ip": "10.74.104.215", "host.name": "uptatema6843.www.host", "input.type": "log", - "log.offset": 3163, + "log.offset": 3136, "network.protocol": "tcp", "observer.product": "Network", "observer.type": "IPAM", 
@@ -884,69 +877,21 @@ "url.original": "https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta" }, { - "event.code": "captured_dns_uploader", + "event.code": "INFOBLOX-Grid", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Jun 26 19:42:33 Utenima1612.www5.domain ptatem: captured_dns_uploader Nequepor", - "event.outcome": "failure", + "event.original": "June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons", "fileset.name": "nios", "input.type": "log", - "log.offset": 3383, + "log.offset": 3356, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "Nequepor", - "rsa.internal.messageid": "captured_dns_uploader", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.event_source": "Utenima1612.www5.domain", + "rsa.internal.data": "smo", + "rsa.internal.messageid": "INFOBLOX-Grid", + "rsa.misc.event_source": "evolup4403.local", "rsa.time.day": "26", - "rsa.time.month": "Jun", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "ntpd_initres", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 11 02:45:07 tco1842.www.localhost 10.20.147.134 ntpd_initres: ntpd exiting on signal 15", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3462, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "ntpd exiting", - "rsa.internal.messageid": "ntpd_initres", - "rsa.misc.event_source": "tco1842.www.localhost", - "rsa.time.day": "11", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "pidof", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 25 09:47:41 turadip3427.api.corp 10.77.52.83 pidof[nci]: can't read sid from tev", - "fileset.name": 
"nios", - "input.type": "log", - "log.offset": 3555, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "rsa.internal.data": "nci", - "rsa.internal.event_desc": "can't read sid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "tev", - "rsa.misc.event_source": "turadip3427.api.corp", - "rsa.time.day": "25", - "rsa.time.month": "July", + "rsa.time.month": "June", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -957,18 +902,18 @@ "event.code": "smart_check_io", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 8 16:50:15 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", + "event.original": "July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", "fileset.name": "nios", "input.type": "log", - "log.offset": 3641, + "log.offset": 3442, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "rsa.internal.event_desc": "temquiav", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", - "rsa.time.day": "8", - "rsa.time.month": "August", + "rsa.time.day": "11", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -979,18 +924,18 @@ "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 22 23:52:50 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", + "event.original": "July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", "fileset.name": "nios", "input.type": "log", - "log.offset": 3713, + "log.offset": 3513, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "rsa.internal.event_desc": "isc", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", - "rsa.time.day": "22", - "rsa.time.month": "August", + "rsa.time.day": "25", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -1002,10 +947,10 @@ "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 6 06:55:24 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", + "event.original": "August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", "fileset.name": "nios", "input.type": "log", - "log.offset": 3780, + "log.offset": 3578, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1015,8 +960,8 @@ "deny" ], "rsa.misc.event_source": "ios6980.example", - "rsa.time.day": "6", - "rsa.time.month": "September", + "rsa.time.day": "8", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1027,10 +972,10 @@ "event.code": "diskcheck", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 20 13:57:58 osquira6030.internal.corp diskcheck[com]: tnulapa", + "event.original": "August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa", "fileset.name": "nios", "input.type": "log", - "log.offset": 3857, + "log.offset": 3652, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1038,8 +983,8 @@ "rsa.internal.event_desc": "tnulapa", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "osquira6030.internal.corp", - "rsa.time.day": "20", - "rsa.time.month": "September", + "rsa.time.day": "22", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1050,10 +995,10 @@ "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 4 21:00:32 squirati63.mail.lan watchdog[nbyCic]: utlabor", + "event.original": "September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor", "fileset.name": "nios", "input.type": "log", - "log.offset": 3929, + "log.offset": 3721, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", 
@@ -1061,8 +1006,8 @@ "rsa.internal.event_desc": "utlabor", "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "squirati63.mail.lan", - "rsa.time.day": "4", - "rsa.time.month": "October", + "rsa.time.day": "6", + "rsa.time.month": "September", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1073,10 +1018,10 @@ "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 19 04:03:07 lup2134.www.localhost rc[upida]: executing tvolupt start", + "event.original": "September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start", "fileset.name": "nios", "input.type": "log", - "log.offset": 3994, + "log.offset": 3788, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1084,8 +1029,8 @@ "rsa.internal.messageid": "rc", "rsa.misc.client": "tvolupt", "rsa.misc.event_source": "lup2134.www.localhost", - "rsa.time.day": "19", - "rsa.time.month": "October", + "rsa.time.day": "20", + "rsa.time.month": "September", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1096,10 +1041,10 @@ "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 2 11:05:41 umdo4017.www.local snmptrapd[ati]: uine", + "event.original": "October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine", "fileset.name": "nios", "input.type": "log", - "log.offset": 4071, + "log.offset": 3867, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1107,8 +1052,8 @@ "rsa.internal.event_desc": "uine", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "umdo4017.www.local", - "rsa.time.day": "2", - "rsa.time.month": "November", + "rsa.time.day": "4", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -1119,18 +1064,18 @@ "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 16 18:08:15 loreme853.www5.localdomain ven: snmptrapd con", + "event.original": "October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con", "fileset.name": "nios", "input.type": "log", - "log.offset": 4131, + "log.offset": 3926, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "rsa.internal.event_desc": "con", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", - "rsa.time.day": "16", - "rsa.time.month": "November", + "rsa.time.day": "19", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1141,10 +1086,10 @@ "event.code": "openvpn-master", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 1 01:10:49 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", + "event.original": "November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", "fileset.name": "nios", "input.type": "log", - "log.offset": 4198, + "log.offset": 3992, "network.protocol": "icmp", "observer.product": "Network", "observer.type": "IPAM", @@ -1155,8 +1100,8 @@ "rsa.internal.messageid": "openvpn-master", "rsa.misc.event_source": "orumSe728.internal.test", "rsa.misc.result_code": "molli", - "rsa.time.day": "1", - "rsa.time.month": "December", + "rsa.time.day": "2", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -1167,10 +1112,10 @@ "event.code": "acpid", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 15 08:13:24 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", + "event.original": "November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", "fileset.name": "nios", "input.type": "log", - "log.offset": 4316, + "log.offset": 4110, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1178,8 +1123,8 @@ "rsa.internal.event_desc": "pexe", "rsa.internal.messageid": "acpid", "rsa.misc.event_source": "oremi7400.www.local", - "rsa.time.day": "15", - "rsa.time.month": "December", + "rsa.time.day": "16", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1190,10 +1135,10 @@ "event.code": "in.tftpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 29 15:15:58 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", + "event.original": "December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", "fileset.name": "nios", "input.type": "log", - "log.offset": 4391, + "log.offset": 4185, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1203,7 +1148,7 @@ "rsa.internal.data": "reprehen", "rsa.internal.messageid": "in.tftpd", "rsa.misc.event_source": "ess651.test", - "rsa.time.day": "29", + "rsa.time.day": "1", "rsa.time.month": "December", "service.type": "infoblox", "source.ip": [ 
@@ -1218,11 +1163,11 @@ "event.code": "serial_console", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 12 22:18:32 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", + "event.original": "December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", "event.outcome": "success", "fileset.name": "nios", "input.type": "log", - "log.offset": 4495, + "log.offset": 4288, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1237,8 +1182,8 @@ "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.event_source": "epre6970.www.example", - "rsa.time.day": "12", - "rsa.time.month": "January", + "rsa.time.day": "15", + "rsa.time.month": "December", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1250,18 +1195,18 @@ "event.code": "httpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 27 05:21:06 tali7803.www.localdomain its: httpd ender", + "event.original": "December 29 15:15:58 tali7803.www.localdomain its: httpd ender", "fileset.name": "nios", "input.type": "log", - "log.offset": 4619, + "log.offset": 4413, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "rsa.internal.event_desc": "ender", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", - "rsa.time.day": "27", - "rsa.time.month": "January", + "rsa.time.day": "29", + "rsa.time.month": "December", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -1269,22 +1214,23 @@ ] }, { - "event.code": "rcsysinit", + "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 10 12:23:41 siut5663.local piscinge: rcsysinit fsck from 1.271", + "event.original": "January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum", + "file.name": "psum", "fileset.name": "nios", "input.type": "log", - "log.offset": 4681, + "log.offset": 4476, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "observer.version": "1.271", - "rsa.internal.messageid": "rcsysinit", - "rsa.misc.event_source": "siut5663.local", - "rsa.misc.version": "1.271", - "rsa.time.day": "10", - "rsa.time.month": "February", + "rsa.internal.event_desc": "frequency initialized from file", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "uradi6198.test", + "rsa.misc.result": "success", + "rsa.time.day": "12", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -1292,49 +1238,86 @@ ] }, { - "event.code": "INFOBLOX-Grid", + "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 24 19:26:15 elitse6672.internal.localdomain INFOBLOX-Grid[mquisno]: Grid member at 10.107.9.163 uptate", + "event.original": "January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836", "fileset.name": "nios", "input.type": "log", - "log.offset": 4753, + "log.offset": 4563, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.107.9.163" - ], - "rsa.internal.data": "mquisno", - "rsa.internal.event_desc": "uptate", - "rsa.internal.messageid": "INFOBLOX-Grid", - "rsa.misc.event_source": "elitse6672.internal.localdomain", - "rsa.time.day": "24", - "rsa.time.month": "February", - "service.type": "infoblox", - "source.ip": [ - "10.107.9.163" - ], + "rsa.counters.dclass_c1": 2836, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "umSe1918.local", + "rsa.time.day": "27", + "rsa.time.month": "January", + "service.type": "infoblox", "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "openvpn-member", + "event.code": "syslog-ng", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 11 02:28:49 tpersp55.api.invalid 10.15.97.155 openvpn-member[tdol]: Options error: sit", + "event.original": "February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim", "fileset.name": "nios", "input.type": "log", - "log.offset": 4865, + "log.offset": 4637, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "tdol", - "rsa.internal.event_desc": "sit", - "rsa.internal.messageid": "openvpn-member", - "rsa.misc.event_source": "tpersp55.api.invalid", + "rsa.internal.event_desc": "tenim", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": 
"odoconse228.mail.localdomain", + "rsa.time.day": "10", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4709, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tetu", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "cteturad4074.mail.host", + "rsa.time.day": "24", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4783, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "sequat", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "itation6137.home", "rsa.time.day": "11", "rsa.time.month": "March", "service.type": "infoblox", 
@@ -1344,21 +1327,21 @@ ] }, { - "event.code": "init", + "event.code": "sshd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 25 09:31:24 uptate6077.www5.corp ugiat: init onulam", + "event.original": "sshd: Sleep 60 seconds for slowing down ssh login", "fileset.name": "nios", "input.type": "log", - "log.offset": 4958, + "log.offset": 4850, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "onulam", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "uptate6077.www5.corp", - "rsa.time.day": "25", - "rsa.time.month": "March", + "rsa.internal.event_desc": "Sleep 60 seconds", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "slowing down ssh login", + "rsa.time.day": "Sleep", + "rsa.time.month": "sshd:", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1366,19 +1349,20 @@ ] }, { - "event.code": "syslog-ng", + "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 8 16:33:58 odoconse228.mail.localdomain veli: syslog-ng tenim", + "event.original": "April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure", "fileset.name": "nios", "input.type": "log", - "log.offset": 5016, + "log.offset": 4900, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "tenim", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.event_source": "odoconse228.mail.localdomain", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "dun1276.api.localdomain", + "rsa.misc.result": "failure", "rsa.time.day": "8", "rsa.time.month": "April", "service.type": "infoblox", 
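Review bot: The new expected event for `sshd: Sleep 60 seconds for slowing down ssh login` records `"rsa.time.day": "Sleep"` and `"rsa.time.month": "sshd:"`, so this golden file now asserts that a header-less syslog line has its first two tokens treated as a date. Once that is in the fixture, the regression test passes only while the parser keeps emitting these garbage time fields, which defeats the purpose of the fixture and would also poison any timestamp handling downstream of `rsa.time.*`. The fix belongs in the fileset's pipeline rather than this file: when a message carries no `<month> <day> <time> <host>` prefix, leave `rsa.time.day`/`rsa.time.month` unset (and keep `rsa.misc.event_source` absent, as this entry already does) instead of filling them from message text, then regenerate the expected JSON. The same hunk's neighbouring `ntpd` entry also locks in the misspelled `"rsa.internal.event_desc": "time slew duraion"`, which presumably comes from a hard-coded string in the parser and is worth correcting at the source before regenerating.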
@@ -1388,20 +1372,19 @@ ] }, { - "event.code": "diskcheck", + "event.code": "smart_check_io", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 22 23:36:32 tdol5310.domain diskcheck[asper]: idunt", + "event.original": "April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd", "fileset.name": "nios", "input.type": "log", - "log.offset": 5084, + "log.offset": 4974, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "asper", - "rsa.internal.event_desc": "idunt", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "tdol5310.domain", + "rsa.internal.event_desc": "oreetd", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "iquidexe304.mail.test", "rsa.time.day": "22", "rsa.time.month": "April", "service.type": "infoblox", 
@@ -1411,48 +1394,46 @@ ] }, { - "event.code": "in.tftpd", + "event.code": "captured_dns_uploader", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 7 06:39:06 ica7215.mail.home dicta: in.tftpd connection refused from 10.235.176.114", + "event.original": "May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui", + "event.outcome": "failure", "fileset.name": "nios", "input.type": "log", - "log.offset": 5142, + "log.offset": 5049, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.235.176.114" - ], - "rsa.internal.messageid": "in.tftpd", - "rsa.misc.event_source": "ica7215.mail.home", - "rsa.time.day": "7", + "rsa.internal.data": "mac", + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "captured_dns_uploader", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.event_source": "preh2690.api.localdomain", + "rsa.time.day": "07", "rsa.time.month": "May", "service.type": "infoblox", - "source.ip": [ - "10.235.176.114" - ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "pidof", + "event.code": "kernel", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 21 13:41:41 veniamqu7284.mail.invalid 10.224.11.165 pidof[utali]: can't read sid from porinc", + "event.original": "May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips", "fileset.name": "nios", "input.type": "log", - "log.offset": 5230, + "log.offset": 5122, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "utali", - "rsa.internal.event_desc": "can't read sid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "porinc", - "rsa.misc.event_source": "veniamqu7284.mail.invalid", + "observer.version": "1.7214", + "rsa.email.email_src": "ica", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "rem3032.mail.domain", 
+ "rsa.misc.version": "1.7214", "rsa.time.day": "21", "rsa.time.month": "May", "service.type": "infoblox", 
@@ -1462,48 +1443,45 @@ ] }, { - "event.code": "in.tftpd", + "event.code": "openvpn-member", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 4 20:44:15 eumfugi28.api.test 10.86.22.67 in.tftpd: RRQ from 10.96.166.208 filename rcitat", - "file.name": "rcitat", + "event.original": "June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", "fileset.name": "nios", "input.type": "log", - "log.offset": 5327, + "log.offset": 5223, + "network.protocol": "ipv6-icmp", "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.96.166.208" - ], - "rsa.internal.event_desc": "RRQ from remote host", - "rsa.internal.messageid": "in.tftpd", - "rsa.misc.event_source": "eumfugi28.api.test", + "observer.version": "1.7727", + "rsa.db.index": "itinv", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "tetur2694.mail.local", + "rsa.misc.version": "1.7727", "rsa.time.day": "4", "rsa.time.month": "June", "service.type": "infoblox", - "source.ip": [ - "10.96.166.208" - ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "diskcheck", + "event.code": "pidof", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 19 03:46:49 sequatD5469.www5.lan atisetqu: diskcheck issuscip", + "event.original": "June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", "fileset.name": "nios", "input.type": "log", - "log.offset": 5423, + "log.offset": 5321, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "issuscip", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "sequatD5469.www5.lan", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "oremi", + "rsa.misc.event_source": "utaliqu6138.mail.localhost", "rsa.time.day": "19", "rsa.time.month": 
"June", "service.type": "infoblox", @@ -1513,19 +1491,20 @@ ] }, { - "event.code": "purge_scheduled_tasks", + "event.code": "restarting", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 3 10:49:23 tla4765.api.host purge_scheduled_tasks[isa]: Scheduled tasks have been purged", + "event.original": "July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo", "fileset.name": "nios", "input.type": "log", - "log.offset": 5490, + "log.offset": 5406, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "isa", - "rsa.internal.messageid": "purge_scheduled_tasks", - "rsa.misc.event_source": "tla4765.api.host", + "rsa.db.index": "prehen", + "rsa.internal.event_desc": "ntutlabo", + "rsa.internal.messageid": "restarting", + "rsa.misc.event_source": "tame4953.mail.localhost", "rsa.time.day": "3", "rsa.time.month": "July", "service.type": "infoblox", @@ -1535,19 +1514,21 @@ ] }, { - "event.code": "syslog-ng", + "event.code": "scheduled_backups", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 17 17:51:58 itationu3575.www.invalid 10.21.229.25 syslog-ng: orroq", + "event.original": "July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima", + "file.name": "adminima", "fileset.name": "nios", "input.type": "log", - "log.offset": 5584, + "log.offset": 5474, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "orroq", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.event_source": "itationu3575.www.invalid", + "rsa.internal.data": "deserun", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "esseq", + "rsa.misc.event_source": "loi7596.www5.home", "rsa.time.day": "17", "rsa.time.month": "July", "service.type": "infoblox", 
@@ -1563,7 +1544,7 @@ "event.original": "Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown", "fileset.name": "nios", "input.type": "log", - "log.offset": 5656, + "log.offset": 5605, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1586,7 +1567,7 @@ "event.original": "August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 5720, + "log.offset": 5669, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1608,7 +1589,7 @@ "event.original": "August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.", "fileset.name": "nios", "input.type": "log", - "log.offset": 5806, + "log.offset": 5755, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1634,7 +1615,7 @@ "file.name": "dictasun", "fileset.name": "nios", "input.type": "log", - "log.offset": 5919, + "log.offset": 5868, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1651,20 +1632,17 @@ ] }, { - "event.code": "smart_check_io", + "event.code": "", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 27 05:04:49 tlaboree6412.internal.home smart_check_io[mod]: col", + "event.original": "September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 6061, + "log.offset": 6010, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "mod", - "rsa.internal.event_desc": "col", - "rsa.internal.messageid": "smart_check_io", - "rsa.misc.event_source": "tlaboree6412.internal.home", + "rsa.internal.messageid": "", "rsa.time.day": "27", "rsa.time.month": "September", "service.type": "infoblox", 
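Review bot: The new entry for `agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15` has `"event.code": ""` and `"rsa.internal.messageid": ""`, and drops `rsa.misc.event_source` entirely, while the context entry a few lines above (`olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15`) still yields `ntpd_initres` as the message id. Accepting an empty `event.code` in the fixture means any detection or dashboard keyed on `event.code` for ntpd exits will silently miss this variant of the line, and the host that produced it is lost as well. The diff does not show why the `program:` token is not matched here (the difference appears to be the missing `<word>:` tag before the program name), so this looks like a pipeline gap rather than intended behaviour; the parser should fall back to the `program[pid]:` token for `event.code`/`rsa.internal.messageid`, after which this expected JSON should be regenerated rather than committed with empty identifiers.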
@@ -1674,19 +1652,20 @@ ] }, { - "event.code": "init", + "event.code": "sSMTP", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 11 12:07:23 mipsamvo4282.api.home reetdo: init oreveri", + "event.original": "October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 ", "fileset.name": "nios", "input.type": "log", - "log.offset": 6135, + "log.offset": 6096, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "oreveri", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "mipsamvo4282.api.home", + "rsa.email.email_dst": "tsed", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "col3570.www.invalid", + "rsa.misc.space": "", "rsa.time.day": "11", "rsa.time.month": "October", "service.type": "infoblox", @@ -1696,20 +1675,19 @@ ] }, { - "event.code": "rc", + "event.code": "init", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 25 19:09:57 ugit5828.www5.test rc[asnu]: executing hitec start", + "event.original": "October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri", "fileset.name": "nios", "input.type": "log", - "log.offset": 6198, + "log.offset": 6216, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "asnu", - "rsa.internal.messageid": "rc", - "rsa.misc.client": "hitec", - "rsa.misc.event_source": "ugit5828.www5.test", + "rsa.internal.event_desc": "oreveri", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "mipsamvo4282.api.home", "rsa.time.day": "25", "rsa.time.month": "October", "service.type": "infoblox", 
@@ -1719,77 +1697,62 @@ ] }, { - "event.code": "ntpdate", + "event.code": "debug", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 9 02:12:32 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", + "event.original": "Nov 9 02:12:32 umq1309.api.test uae: debug mve", "fileset.name": "nios", "input.type": "log", - "log.offset": 6269, + "log.offset": 6279, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.156.34.19" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.misc.event_source": "itanim4024.api.example", + "rsa.internal.event_desc": "mve", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "umq1309.api.test", "rsa.time.day": "9", - "rsa.time.duration_time": 98.036, - "rsa.time.month": "November", + "rsa.time.month": "Nov", "service.type": "infoblox", - "source.ip": [ - "10.156.34.19" - ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "dhcpd", + "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Nov 23 09:15:06 ation6657.www.home dhcpd[iatqu]: Reclaiming REQUESTed abandoned IP address10.16.44.207", + "event.original": "November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start", "fileset.name": "nios", "input.type": "log", - "log.offset": 6389, + "log.offset": 6326, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.16.44.207" - ], - "rsa.internal.data": "iatqu", - "rsa.internal.event_desc": "Reclaiming REQUESTed abandoned IP address", - "rsa.internal.messageid": "dhcpd", - "rsa.misc.event_source": "ation6657.www.home", + "rsa.internal.data": "asnu", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "hitec", + "rsa.misc.event_source": "ugit5828.www5.test", "rsa.time.day": "23", - "rsa.time.month": "Nov", + "rsa.time.month": "November", "service.type": 
"infoblox", - "source.ip": [ - "10.16.44.207" - ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "kernel", + "event.code": "", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 7 16:17:40 tas2266.internal.example 10.219.59.20 kernel[ntium]: iration", + "event.original": "December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 6492, + "log.offset": 6398, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "ntium", - "rsa.internal.event_desc": "iration", - "rsa.internal.messageid": "kernel", - "rsa.misc.event_source": "tas2266.internal.example", + "rsa.internal.messageid": "", "rsa.time.day": "7", "rsa.time.month": "December", "service.type": "infoblox", @@ -1799,20 +1762,19 @@ ] }, { - "event.code": "rcsysinit", + "event.code": "radiusd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 21 23:20:14 oremquel3992.mail.host 10.238.232.42 rcsysinit[ssusci]: animid", + "event.original": "December 21 23:20:14 archite1843.mail.home isqua: radiusd uta", "fileset.name": "nios", "input.type": "log", - "log.offset": 6573, + "log.offset": 6491, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "ssusci", - "rsa.internal.event_desc": "animid", - "rsa.internal.messageid": "rcsysinit", - "rsa.misc.event_source": "oremquel3992.mail.host", + "rsa.internal.event_desc": "uta", + "rsa.internal.messageid": "radiusd", + "rsa.misc.event_source": "archite1843.mail.home", "rsa.time.day": "21", "rsa.time.month": "December", "service.type": "infoblox", 
@@ -1822,22 +1784,21 @@ ] }, { - "event.code": "dhcpdv6", + "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Jan 5 06:22:49 atuse5193.www.local dhcpdv6[cti]: aparia", + "event.original": "January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl", "fileset.name": "nios", "input.type": "log", - "log.offset": 6657, + "log.offset": 6553, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "cti", - "rsa.internal.event_desc": "aparia", - "rsa.internal.messageid": "dhcpdv6", - "rsa.misc.event_source": "atuse5193.www.local", + "rsa.internal.event_desc": "ntexpl", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "derit5270.mail.local", "rsa.time.day": "5", - "rsa.time.month": "Jan", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -1845,91 +1806,104 @@ ] }, { - "event.code": "speedstep_control", + "event.code": "ntpdate", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 19 13:25:23 ratv2649.www.host speedstep_control[tali]: BCS", + "event.original": "January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", "fileset.name": "nios", "input.type": "log", - "log.offset": 6713, + "log.offset": 6625, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "tali", - "rsa.internal.event_desc": "BCS", - "rsa.internal.messageid": "speedstep_control", - "rsa.misc.event_source": "ratv2649.www.host", + "related.ip": [ + "10.156.34.19" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "itanim4024.api.example", "rsa.time.day": "19", + "rsa.time.duration_time": 98.036, "rsa.time.month": "January", "service.type": "infoblox", + "source.ip": [ + "10.156.34.19" + ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "syslog-ng", + "event.code": "sshd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 2 20:27:57 nculpaq3821.www5.invalid syslog-ng[billoinv]: sci", + "event.original": "sshd[saquaea]: Did not receive identification string from 10.222.251.114", "fileset.name": "nios", "input.type": "log", - "log.offset": 6780, + "log.offset": 6745, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "billoinv", - "rsa.internal.event_desc": "sci", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.event_source": "nculpaq3821.www5.invalid", - "rsa.time.day": "2", - "rsa.time.month": "February", + "related.ip": [ + "10.222.251.114" + ], + "rsa.internal.data": "saquaea", + "rsa.internal.event_desc": "Did not receive identification string from peer", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "no identification 
string", + "rsa.time.day": "Did", + "rsa.time.month": "sshd[saquaea]:", "service.type": "infoblox", + "source.ip": [ + "10.222.251.114" + ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "diskcheck", + "event.code": "in.tftpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 17 03:30:32 obea5700.mail.lan diskcheck[luptas]: uptatem", + "event.original": "February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79", "fileset.name": "nios", "input.type": "log", - "log.offset": 6850, + "log.offset": 6818, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "luptas", - "rsa.internal.event_desc": "uptatem", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "obea5700.mail.lan", + "related.ip": [ + "10.17.87.79" + ], + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ataevi1984.internal.host", "rsa.time.day": "17", "rsa.time.month": "February", "service.type": "infoblox", + "source.ip": [ + "10.17.87.79" + ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "scheduled_scp_backups", + "event.code": "ntpd_initres", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 3 10:33:06 ntmo3423.mail.home scheduled_scp_backups[tNe]: Scheduled backup to the pisc was successful - Backup file urEx", - "file.name": "urEx", + "event.original": "March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 6916, + "log.offset": 6915, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "tNe", - "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", - "rsa.internal.messageid": "scheduled_scp_backups", - "rsa.misc.device_name": "pisc", - "rsa.misc.event_source": "ntmo3423.mail.home", + 
"rsa.internal.data": "idolor", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "tionula1586.host", "rsa.time.day": "3", "rsa.time.month": "March", "service.type": "infoblox", @@ -1939,19 +1913,20 @@ ] }, { - "event.code": "rc", + "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 17 17:35:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start", + "event.original": "March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success", "fileset.name": "nios", "input.type": "log", - "log.offset": 7043, + "log.offset": 6997, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.messageid": "rc", - "rsa.misc.client": "amvolu", - "rsa.misc.event_source": "qui3176.internal.example", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "llam1884.www.corp", + "rsa.misc.result": "success", "rsa.time.day": "17", "rsa.time.month": "March", "service.type": "infoblox", 
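Review bot: The expected output for the `sshd[saquaea]: Did not receive identification string from 10.222.251.114` event records `"rsa.time.day": "Did"` and `"rsa.time.month": "sshd[saquaea]:"`, so this fixture is codifying a mis-parse rather than the intended field values: a message with no syslog timestamp prefix apparently has its first tokens consumed as date fields, and the removed `sshd[Nemo]` event in the `@@ -2006` hunk shows the same pattern, so the commit does not change this behaviour. Before accepting the regenerated file, the header-less message variant should either leave `rsa.time.*` unset or the pipeline should only populate them when a real month/day was matched, since a bogus month/day on an SSH connection-failure event is exactly what a detection rule or timeline keyed on these fields would trip over. Separately, the `ntpd` events in the adjacent `@@ -1939` hunk and in the later `@@ -2259` hunk both carry `"rsa.internal.event_desc": "time slew duraion"`; the sample inputs say "time slew success", so this looks like a typo ("duration") in the parser's own literal that would propagate to every indexed event — worth confirming against the pattern source rather than baking it into the expected output.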
@@ -1961,20 +1936,20 @@ ] }, { - "event.code": "snmptrapd", + "event.code": "acpid", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 1 00:38:14 pta6801.mail.invalid 10.35.254.68 snmptrapd[eiusmod]: itation", + "event.original": "April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem", "fileset.name": "nios", "input.type": "log", - "log.offset": 7125, + "log.offset": 7066, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "eiusmod", - "rsa.internal.event_desc": "itation", - "rsa.internal.messageid": "snmptrapd", - "rsa.misc.event_source": "pta6801.mail.invalid", + "rsa.internal.data": "edolorin", + "rsa.internal.event_desc": "dolorem", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "ore5643.api.lan", "rsa.time.day": "1", "rsa.time.month": "April", "service.type": "infoblox", @@ -1984,19 +1959,20 @@ ] }, { - "event.code": "httpd", + "event.code": "rc3", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 15 07:40:49 scivel2614.www5.invalid meumfugi: httpd tquas", + "event.original": "April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun", "fileset.name": "nios", "input.type": "log", - "log.offset": 7204, + "log.offset": 7139, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "tquas", - "rsa.internal.messageid": "httpd", - "rsa.misc.event_source": "scivel2614.www5.invalid", + "rsa.internal.data": "mides", + "rsa.internal.event_desc": "ciun", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "exeacomm79.api.corp", "rsa.time.day": "15", "rsa.time.month": "April", "service.type": "infoblox", 
@@ -2006,51 +1982,45 @@ ] }, { - "event.code": "INFOBLOX-Grid", + "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 29 14:43:23 ntmoll7616.api.localhost INFOBLOX-Grid[isnostru]: Grid member at 10.10.223.104 nBCSe", + "event.original": "April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr", + "file.name": "lupta", "fileset.name": "nios", "input.type": "log", - "log.offset": 7268, + "log.offset": 7194, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.ip": [ - "10.10.223.104" - ], - "rsa.internal.data": "isnostru", - "rsa.internal.event_desc": "nBCSe", - "rsa.internal.messageid": "INFOBLOX-Grid", - "rsa.misc.event_source": "ntmoll7616.api.localhost", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "lorsita6602.mail.local", + "rsa.misc.result_code": "npr", "rsa.time.day": "29", "rsa.time.month": "April", "service.type": "infoblox", - "source.ip": [ - "10.10.223.104" - ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "sshd", + "event.code": "speedstep_control", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "sshd[Nemo]: Sleep 60 seconds for slowing down ssh login", + "event.original": "May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS", "fileset.name": "nios", "input.type": "log", - "log.offset": 7371, + "log.offset": 7288, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "Nemo", - "rsa.internal.event_desc": "Sleep 60 seconds", - "rsa.internal.messageid": "sshd", - "rsa.misc.result": "slowing down ssh login", - "rsa.time.day": "Sleep", - "rsa.time.month": "sshd[Nemo]:", + "rsa.internal.data": "tali", + "rsa.internal.event_desc": "BCS", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "ratv2649.www.host", + "rsa.time.day": "13", + "rsa.time.month": 
"May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -2058,19 +2028,19 @@ ] }, { - "event.code": "debug", + "event.code": "python", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 28 04:48:31 velill2874.internal.invalid 10.236.247.87 debug: tatevel", + "event.original": "May 28 04:48:31 abor4353.www5.host ame: python tesseq", "fileset.name": "nios", "input.type": "log", - "log.offset": 7427, + "log.offset": 7351, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "tatevel", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "velill2874.internal.invalid", + "rsa.internal.event_desc": "tesseq", + "rsa.internal.messageid": "python", + "rsa.misc.event_source": "abor4353.www5.host", "rsa.time.day": "28", "rsa.time.month": "May", "service.type": "infoblox", 
@@ -2080,19 +2050,23 @@ ] }, { - "event.code": "python", + "event.code": "openvpn-member", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 11 11:51:06 ict2699.internal.localhost 10.117.2.51 python: allow: FQDN='luptate4640.api.host', View='iqui'", + "event.original": "June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto", "fileset.name": "nios", "input.type": "log", - "log.offset": 7500, + "log.offset": 7405, + "network.protocol": "icmp", "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "allow: FQDN='luptate4640.api.host', View='iqui'", - "rsa.internal.messageid": "python", - "rsa.misc.event_source": "ict2699.internal.localhost", + "observer.version": "1.388", + "rsa.db.index": "sinto", + "rsa.internal.data": "tdolore", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "rerepre6748.internal.domain", + "rsa.misc.version": "1.388", "rsa.time.day": "11", "rsa.time.month": "June", "service.type": "infoblox", @@ -2102,20 +2076,19 @@ ] }, { - "event.code": "kernel", + "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 25 18:53:40 reseosq3558.www5.invalid kernel[pteurs]: catcupi", + "event.original": "June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start", "fileset.name": "nios", "input.type": "log", - "log.offset": 7613, + "log.offset": 7521, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "pteurs", - "rsa.internal.event_desc": "catcupi", - "rsa.internal.messageid": "kernel", - "rsa.misc.event_source": "reseosq3558.www5.invalid", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "amvolu", + "rsa.misc.event_source": "qui3176.internal.example", "rsa.time.day": "25", "rsa.time.month": "June", "service.type": "infoblox", 
@@ -2125,19 +2098,21 @@ ] }, { - "event.code": "purge_scheduled_tasks", + "event.code": "monitor", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 10 01:56:14 saqu320.api.test purge_scheduled_tasks[amquisno]: Scheduled tasks have been purged", + "event.original": "July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod.", "fileset.name": "nios", "input.type": "log", - "log.offset": 7679, + "log.offset": 7602, + "network.protocol": "igmp", "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "amquisno", - "rsa.internal.messageid": "purge_scheduled_tasks", - "rsa.misc.event_source": "saqu320.api.test", + "rsa.internal.event_desc": "eiusmod", + "rsa.internal.messageid": "monitor", + "rsa.misc.event_source": "der7349.invalid", + "rsa.misc.event_state": "diduntu", "rsa.time.day": "10", "rsa.time.month": "July", "service.type": "infoblox", @@ -2147,19 +2122,19 @@ ] }, { - "event.code": "rc", + "event.code": "diskcheck", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 24 08:58:48 sequat4596.api.domain epteur: rc executing ommo start", + "event.original": "July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt", "fileset.name": "nios", "input.type": "log", - "log.offset": 7779, + "log.offset": 7703, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.messageid": "rc", - "rsa.misc.client": "ommo", - "rsa.misc.event_source": "sequat4596.api.domain", + "rsa.internal.event_desc": "iusmodt", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "veleum3833.internal.test", "rsa.time.day": "24", "rsa.time.month": "July", "service.type": "infoblox", 
@@ -2169,19 +2144,20 @@ ] }, { - "event.code": "diskcheck", + "event.code": "rc6", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 7 16:01:23 olu5333.www.domain orumSe: diskcheck dolor", + "event.original": "August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu", "fileset.name": "nios", "input.type": "log", - "log.offset": 7850, + "log.offset": 7772, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "dolor", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "olu5333.www.domain", + "rsa.internal.data": "aquio", + "rsa.internal.event_desc": "riatu", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "aquio6685.internal.test", "rsa.time.day": "7", "rsa.time.month": "August", "service.type": "infoblox", @@ -2191,21 +2167,22 @@ ] }, { - "event.code": "init", + "event.code": "debug", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 21 23:03:57 dtemp1362.internal.example mips: init itae", + "event.original": "Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe", "fileset.name": "nios", "input.type": "log", - "log.offset": 7911, + "log.offset": 7846, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "itae", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "dtemp1362.internal.example", + "rsa.internal.data": "abor", + "rsa.internal.event_desc": "nBCSe", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "tanimid4871.internal.domain", "rsa.time.day": "21", - "rsa.time.month": "August", + "rsa.time.month": "Aug", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -2213,20 +2190,21 @@ ] }, { - "event.code": "snmptrapd", + "event.code": "pidof", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 5 06:06:31 odt5505.www5.localdomain 10.76.92.103 snmptrapd[uscip]: umS", + "event.original": "September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo", "fileset.name": "nios", "input.type": "log", - "log.offset": 7973, + "log.offset": 7909, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "uscip", - "rsa.internal.event_desc": "umS", - "rsa.internal.messageid": "snmptrapd", - "rsa.misc.event_source": "odt5505.www5.localdomain", + "rsa.internal.data": "uei", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "Nequepo", + "rsa.misc.event_source": "icta82.internal.lan", "rsa.time.day": "5", "rsa.time.month": "September", "service.type": "infoblox", @@ -2236,20 +2214,20 @@ ] }, { - "event.code": "db_jnld", + "event.code": "speedstep_control", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 19 13:09:05 ici5097.www.domain iatnu: db_jnld Resolved conflict for replicated delete of CNAME writte\"sitvo\" in zone \"ine\"", + "event.original": "September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem", "fileset.name": "nios", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 8054, + "log.offset": 8005, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.messageid": "db_jnld", + "rsa.internal.data": "inBCSe", + "rsa.internal.event_desc": "otamrem", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "dol6197.mail.localdomain", "rsa.time.day": "19", "rsa.time.month": "September", "service.type": "infoblox", 
@@ -2259,20 +2237,20 @@ ] }, { - "event.code": "syslog", + "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 3 20:11:40 itse522.internal.localdomain fugiatqu: syslog seos", + "event.original": "October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success", "fileset.name": "nios", "input.type": "log", - "log.offset": 8188, + "log.offset": 8087, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.db.index": "fugiatqu", - "rsa.internal.event_desc": "seos", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "itse522.internal.localdomain", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "lumqu617.www.test", + "rsa.misc.result": "success", "rsa.time.day": "3", "rsa.time.month": "October", "service.type": "infoblox", @@ -2282,19 +2260,20 @@ ] }, { - "event.code": "acpid", + "event.code": "pidof", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 18 03:14:14 oquisqu1528.invalid 10.54.44.231 acpid: Ute", + "event.original": "October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum", "fileset.name": "nios", "input.type": "log", - "log.offset": 8258, + "log.offset": 8161, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "Ute", - "rsa.internal.messageid": "acpid", - "rsa.misc.event_source": "oquisqu1528.invalid", + "rsa.internal.data": "uid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "snostrum", + "rsa.misc.event_source": "uido492.www5.home", "rsa.time.day": "18", "rsa.time.month": "October", "service.type": "infoblox", 
@@ -2304,19 +2283,21 @@ ] }, { - "event.code": "acpid", + "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 1 10:16:48 quu2203.internal.invalid 10.61.175.217 acpid: enbyCi", + "event.original": "November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo", "fileset.name": "nios", "input.type": "log", - "log.offset": 8322, + "log.offset": 8248, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.event_desc": "enbyCi", - "rsa.internal.messageid": "acpid", - "rsa.misc.event_source": "quu2203.internal.invalid", + "observer.version": "1.6198", + "rsa.internal.event_desc": "ommo", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "reseosqu1629.mail.lan", + "rsa.misc.version": "1.6198", "rsa.time.day": "1", "rsa.time.month": "November", "service.type": "infoblox", @@ -2326,22 +2307,22 @@ ] }, { - "event.code": "debug", + "event.code": "smart_check_io", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Nov 15 17:19:22 quunt3116.localhost debug[nonn]: dents", + "event.original": "November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla", "fileset.name": "nios", "input.type": "log", - "log.offset": 8395, + "log.offset": 8343, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "nonn", - "rsa.internal.event_desc": "dents", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "quunt3116.localhost", + "rsa.internal.data": "ehende", + "rsa.internal.event_desc": "tutla", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "itseddoe5595.internal.localhost", "rsa.time.day": "15", - "rsa.time.month": "Nov", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", 
@@ -2349,22 +2330,21 @@ ] }, { - "event.code": "debug", + "event.code": "diskcheck", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Nov 30 00:21:57 texpli7157.mail.invalid debug[conse]: ventor", + "event.original": "November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor", "fileset.name": "nios", "input.type": "log", - "log.offset": 8450, + "log.offset": 8441, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "conse", - "rsa.internal.event_desc": "ventor", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "texpli7157.mail.invalid", + "rsa.internal.event_desc": "dolor", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "olu5333.www.domain", "rsa.time.day": "30", - "rsa.time.month": "Nov", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -2372,20 +2352,19 @@ ] }, { - "event.code": "openvpn-master", + "event.code": "init", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 14 07:24:31 odoc7856.api.example 10.50.252.2 openvpn-master[atnonpr]: ita", + "event.original": "December 14 07:24:31 dtemp1362.internal.example mips: init itae", "fileset.name": "nios", "input.type": "log", - "log.offset": 8511, + "log.offset": 8505, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.data": "atnonpr", - "rsa.internal.event_desc": "ita", - "rsa.internal.messageid": "openvpn-master", - "rsa.misc.event_source": "odoc7856.api.example", + "rsa.internal.event_desc": "itae", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "dtemp1362.internal.example", "rsa.time.day": "14", "rsa.time.month": "December", "service.type": "infoblox", diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index 108cdf625ee..ba28336f27b 100644 --- a/x-pack/filebeat/module/juniper/README.md 
+++ b/x-pack/filebeat/module/juniper/README.md @@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-08 22:21:00.501147 +0000 UTC. +at 2020-07-13 17:12:02.433653 +0000 UTC. diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index 003197a7aaf..9a0179648de 100644 --- a/x-pack/filebeat/module/kaspersky/README.md +++ b/x-pack/filebeat/module/kaspersky/README.md @@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-08 22:21:01.387501 +0000 UTC. +at 2020-07-13 17:12:03.3951 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 53b66349dc1..28097b09093 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md @@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-08 22:21:01.708377 +0000 UTC. +at 2020-07-13 17:12:03.76582 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index 4341d92aaa1..40e66db6287 100644 --- a/x-pack/filebeat/module/netscout/README.md +++ b/x-pack/filebeat/module/netscout/README.md @@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-08 22:20:55.507697 +0000 UTC. +at 2020-07-13 17:11:56.553557 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log index 0f7e82a3c5e..892a1fc0f2b 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log 
@@ -7,94 +7,94 @@ April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22: April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59 May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti -June 5 21:33:08 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci -June 20 04:35:42 pfsp: The SNMP restored for router mvolu, leader radip at 2016-06-20 04:35:42 tNequ -July 4 11:38:16 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap -July 18 18:40:50 pfsp: Alert Device uatDuis unreachable by controller ude since 2016-07-18 18:40:50 -August 2 01:43:25 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt -August 16 08:45:59 pfsp: Alert Autoclassification was restarted on 2016-08-16 08:45:59 atatnonp by uiano -August 30 15:48:33 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc -September 13 22:51:07 pfsp: Hardware failure on tatevel since 2016-09-13 22:51:07 GMT: abilloi -September 28 05:53:42 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc -October 12 12:56:16 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate -October 26 19:58:50 pfsp: Alert Autoclassification was restarted on 2016-10-26 19:58:50 iam by qua -November 10 03:01:24 pfsp: Test syslog message -November 24 10:03:59 pfsp: Autoclassification was restarted on 2016-11-24 10:03:59 olupta by turveli -December 8 17:06:33 pfsp: Alert 
Autoclassification was restarted on 2016-12-08 17:06:33 ntutl by caecatc -December 23 00:09:07 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2016-12-23 00:09:07 lup -January 6 07:11:41 pfsp: Alert Hardware failure on aperi since 2017-01-06 07:11:41 GMT: lor -January 20 14:14:16 pfsp: The BGP Instability for router oin ended -February 3 21:16:50 pfsp: Hardware failure on ritatis done at 2017-02-03 21:16:50 oloremi GMT: pitla -February 18 04:19:24 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des -March 4 11:21:59 pfsp: Device tdolorem unreachable by controller ono since 2017-03-04 11:21:59 -March 18 18:24:33 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-03-18 18:24:33 lumquido -April 2 01:27:07 Lor: Test: Test syslog message -April 16 08:29:41 pfsp: Alert script modoco ran at 2017-04-16 08:29:41 , estquleader inibusBo -April 30 15:32:16 tion: Protection Mode: Changed protection mode to active for protection groupeataev,URL:https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii -May 14 22:34:50 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend -May 29 05:37:24 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae -June 12 12:39:58 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore -June 26 19:42:33 pfsp: Device mque reachable again by controller uovolup at 2017-06-26 19:42:33 samvolu -July 11 02:45:07 pfsp: The Host Detection alert eirure, start 2017-07-11 02:45:07 conseq, duration 38.117000, stop 2017-07-11 02:45:07 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) -July 25 09:47:41 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol -August 8 16:50:15 nsecte: BGP: ipv6 instability 
router tincu threshold ari (exercit) observed sci (quamnih) -August 22 23:52:50 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup -September 6 06:55:24 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv -September 20 13:57:58 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu -October 4 21:00:32 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-04 21:00:32 olor -October 19 04:03:07 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-19 04:03:07 fdeFi -November 2 11:05:41 pfsp: BGP down for router ati, leader tlabo since 2017-11-02 11:05:41 uames -November 16 18:08:15 pfsp: script offi ran at 2017-11-16 18:08:15 , giatnuleader ulapa -December 1 01:10:49 quioffi: Change Log: Username:uptate, Subsystem:ncidid, Setting Type:quaturve, Message:sequa -December 15 08:13:24 pfsp: Host Detection alert nimid, start 2017-12-15 08:13:24 itatione, duration 80.096000, stop 2017-12-15 08:13:24 umwr, , importance very-high, managed_objects (reme), is now success, (parent managed object osamn) -December 29 15:15:58 lorinre: Blocked Host: Blocked host10.161.136.76atidataby Blocked Countries usingudpdestination10.108.167.93,URL:https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss -January 12 22:18:32 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2018-01-12 22:18:32 dexea -January 27 05:21:06 pfsp: Test syslog message -February 10 12:23:41 pfsp: Alert Flow down for router tessec, leader olupta since 2018-02-10 12:23:41 litse -February 24 19:26:15 pfsp: Alert Host Detection alert sperna, start 2018-02-24 19:26:15 sintocc, duration 24.633000, stop 2018-02-24 19:26:15 scivelit, , importance medium, managed_objects (ehen), is now success, (parent 
managed object quameius) -March 11 02:28:49 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc -March 25 09:31:24 pfsp: BGP Instability for router iatisu ended -April 8 16:33:58 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven -April 22 23:36:32 pfsp: Test syslog message -May 7 06:39:06 Sedutp: Test: Test syslog message -May 21 13:41:41 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe -June 4 20:44:15 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse -June 19 03:46:49 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro -July 3 10:49:23 pfsp: The Device illoin unreachable by controller tanimid since 2018-07-03 10:49:23 -July 17 17:51:58 pfsp: configuration was changed on leader natuse to version 1.4425 by ati -August 1 00:54:32 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto -August 15 07:57:06 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-15 07:57:06 dmin -August 29 14:59:40 pfsp: The Host Detection alert uscipitl, start 2018-08-29 14:59:40 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) -September 12 22:02:15 pfsp: Alert Test syslog message -September 27 05:04:49 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo -October 11 12:07:23 pfsp: The TMS 'enderi' fault for resource 'mquisno' on TMS odoconse cleared -October 25 19:09:57 asiarc: Blocked Host: Blocked host10.80.101.72atuptateby Blocked Countries 
usingrdpdestination10.83.130.226,URL:https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor -November 9 02:12:32 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden -November 23 09:15:06 pfsp: Device isis reachable again by controller uasiar at 2018-11-23 09:15:06 utlab -December 7 16:17:40 pfsp: The SNMP restored for router umdolor, leader uaUten at 2018-12-07 16:17:40 nby -December 21 23:20:14 ibusBon: Change Log: Username:ven, Subsystem:rQu, Setting Type:mco, Message:cipitl -January 5 06:22:49 pfsp: configuration was changed on leader evitaed to version 1.1721 by suntin -January 19 13:25:23 pfsp: Peakflow device oraincid unreachable by intocc since 2019-01-19 13:25:23 -February 2 20:27:57 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu -February 17 03:30:32 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem +June 5 21:33:08 pfsp: Alert Test syslog message +June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci +July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ +July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap +August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis +August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt +August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano +September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc +September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi +October 12 
12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc +October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate +November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua +November 24 10:03:59 pfsp: Test syslog message +December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli +December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc +January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup +January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor +February 3 21:16:50 pfsp: The BGP Instability for router oin ended +February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla +March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des +March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33 +April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido +April 16 08:29:41 Lor: Test: Test syslog message +April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu +May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae +May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore +June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu +June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 
19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) +July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol +July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih) +August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup +August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv +September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu +September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor +October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi +October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames +November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu +November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata +December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte +December 15 08:13:24 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea +December 29 15:15:58 pfsp: Test syslog message +January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader 
olupta since 2018-01-12 22:18:32 litse +January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) +February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc +February 24 19:26:15 pfsp: BGP Instability for router iatisu ended +March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven +March 25 09:31:24 pfsp: Test syslog message +April 8 16:33:58 Sedutp: Test: Test syslog message +April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe +May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse +May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro +June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15 +June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati +July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto +July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin +August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) +August 15 07:57:06 pfsp: Alert Test syslog message +August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name 
"lo4293" labo +September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla) +September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden +October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab +October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui +November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips +November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt +December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation +December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt +January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo +January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo +February 2 20:27:57 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor +February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) March 3 
10:33:06 pfsp: Alert Test syslog message -March 17 17:35:40 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss -April 1 00:38:14 pfsp: Alert script usmodi ran at 2019-04-01 00:38:14 , mvoluleader conse -April 15 07:40:49 pfsp: Alert TMS 'licabo' fault for resource 'enimadmi' on TMS utaliqu cleared -April 29 14:43:23 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt -May 13 21:45:57 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation -May 28 04:48:31 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt -June 11 11:51:06 pfsp: The BGP Instability for router eirure ended -June 25 18:53:40 pfsp: Alert BGP instability router tesse threshold sequat (giatquov) observed tconsec (miurerep) -July 10 01:56:14 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo -July 24 08:58:48 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor -August 7 16:01:23 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) -August 21 23:03:57 pfsp: Alert Test syslog message -September 5 06:06:31 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex -September 19 13:09:05 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu -October 3 20:11:40 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done -October 18 03:14:14 pfsp: Host Detection alert col, start 2019-10-18 03:14:14 mve, duration 177.586000, stop 2019-10-18 03:14:14 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, 
(parent managed object rroq) -November 1 10:16:48 pfsp: script remipsum ran at 2019-11-01 10:16:48 , temporleader citatio -November 15 17:19:22 mveniamq: Blocked Host: Blocked host10.74.159.77ateaqueipsby Blocked Countries usingicmpdestination10.131.74.36,URL:https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea -November 30 00:21:57 pfsp: Alert TMS 'eaqueip' fault for resource 'eum' on TMS lamc cleared -December 14 07:24:31 pfsp: Alert Peakflow device itasper reachable again by uae at 2019-12-14 07:24:31 mve +March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex +April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu +April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done +April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) +May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor +May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela +June 11 11:51:06 uto: Test: Test syslog message +June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol +July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae +July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom +August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab) 
+August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc +September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu +September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui +October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis +October 18 03:14:14 fugits: Test: Test syslog message +November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol +November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red +November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas +December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 1d9148c355d..5ca19dc08b5 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -231,16 +231,36 @@ }, { "@timestamp": "2020-06-05T23:33:08.000Z", - "event.code": "configuration", + "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 5 21:33:08 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", + "event.original": "June 5 21:33:08 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", "log.offset": 1002, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1050, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", "observer.version": "1.5162", "related.user": [ "nci" @@ -249,7 +269,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "uipexea", "rsa.misc.version": "1.5162", - "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -258,14 +278,14 @@ "user.name": "nci" }, { - "@timestamp": "2020-06-20T06:35:42.000Z", + "@timestamp": "2020-07-04T13:38:16.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 20 04:35:42 pfsp: The SNMP restored for router mvolu, leader radip at 2016-06-20 04:35:42 tNequ", + "event.original": "July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1093, + "log.offset": 1142, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -273,8 +293,8 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "mvolu", "rsa.misc.parent_node": "radip", - "rsa.time.endtime": "2016-06-20T06:35:42.000Z", - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "rsa.time.endtime": "2016-07-04T13:38:16.000Z", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -282,15 +302,15 @@ ] }, { - "@timestamp": "2020-07-04T13:38:16.000Z", + "@timestamp": "2019-07-18T20:40:50.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 4 11:38:16 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", + "event.original": "July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", "fileset.name": "sightline", "group.name": "dquiac", "input.type": "log", - "log.offset": 1195, + "log.offset": 1243, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -299,7 +319,7 @@ "rsa.misc.group": "dquiac", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -308,38 +328,49 @@ "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" }, { - "@timestamp": "2019-07-18T20:40:50.000Z", - "event.code": "Device", + "@timestamp": "2019-08-02T03:43:25.000Z", + "destination.ip": [ + "10.155.162.162" + ], + "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 18 18:40:50 pfsp: Alert Device uatDuis unreachable by controller ude since 2016-07-18 18:40:50", + "event.original": "August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1361, + "log.offset": 1410, + "network.protocol": "udp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "uatDuis", - "rsa.misc.parent_node": "ude", - "rsa.time.event_time": "2019-07-18T20:40:50.000Z", - "rsa.time.starttime": "2016-07-18T20:40:50.000Z", + "related.ip": [ + "10.66.171.247", + "10.155.162.162" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "service.type": "netscout", + "source.ip": [ + "10.66.171.247" + ], "tags": [ "netscout.sightline", "forwarded" - ] + ], + "url.original": "https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis" }, { - "@timestamp": "2019-08-02T03:43:25.000Z", + "@timestamp": "2019-08-16T10:45:59.000Z", "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 2 01:43:25 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", + "event.original": "August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", "fileset.name": "sightline", 
"input.type": "log", - "log.offset": 1461, + "log.offset": 1594, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -348,7 +379,7 @@ "rsa.internal.resource": "lupta", "rsa.misc.event_type": "Fault Occured", "rsa.misc.node": "iusmodt", - "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -356,14 +387,14 @@ ] }, { - "@timestamp": "2019-08-16T10:45:59.000Z", + "@timestamp": "2019-08-30T17:48:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 16 08:45:59 pfsp: Alert Autoclassification was restarted on 2016-08-16 08:45:59 atatnonp by uiano", + "event.original": "August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1543, + "log.offset": 1677, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -372,8 +403,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-08-16T10:45:59.000Z", - "rsa.time.starttime": "2016-08-16T10:45:59.000Z", + "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -382,29 +413,29 @@ "user.name": "uiano" }, { - "@timestamp": "2019-08-30T17:48:33.000Z", + "@timestamp": "2019-09-14T00:51:07.000Z", "destination.ip": [ "10.179.26.34" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 30 15:48:33 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", + "event.original": "September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1648, + "log.offset": 1782, "network.protocol": "ipv6-icmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.26.34", - "10.38.77.13" + "10.38.77.13", + "10.179.26.34" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", "service.type": "netscout", "source.ip": [ "10.38.77.13" 
@@ -416,22 +447,22 @@ "url.original": "https://example.org/isiu/nimadmi.gif?ari=equun#suntinc" }, { - "@timestamp": "2019-09-14T00:51:07.000Z", + "@timestamp": "2019-09-28T07:53:42.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 13 22:51:07 pfsp: Hardware failure on tatevel since 2016-09-13 22:51:07 GMT: abilloi", + "event.original": "September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1837, + "log.offset": 1974, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "abilloi", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "tatevel", - "rsa.time.event_time": "2019-09-14T00:51:07.000Z", - "rsa.time.starttime": "2016-09-14T00:51:07.000Z", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -439,15 +470,15 @@ ] }, { - "@timestamp": "2019-09-28T07:53:42.000Z", + "@timestamp": "2019-10-12T14:56:16.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 28 05:53:42 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", + "event.original": "October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 1932, + "log.offset": 2069, "network.interface.name": "lo5882", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -460,7 +491,7 @@ "rsa.misc.severity": "very-high", "rsa.misc.sig_id": 2933, "rsa.network.interface": "lo5882", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -468,15 +499,15 @@ ] }, { - "@timestamp": "2019-10-12T14:56:16.000Z", + "@timestamp": "2019-10-26T21:58:50.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 12 12:56:16 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", + "event.original": "October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", "fileset.name": "sightline", "input.type": "log", "log.level": "high", - "log.offset": 2116, + "log.offset": 2251, "network.interface.name": "lo4987", "observer.product": "Arbor", "observer.type": "DDOS", @@ -489,7 +520,7 @@ "rsa.misc.severity": "high", "rsa.misc.sig_id": 2902, "rsa.network.interface": "lo4987", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -497,14 +528,14 @@ ] }, { - "@timestamp": "2019-10-26T21:58:50.000Z", + "@timestamp": "2019-11-10T05:01:24.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 26 19:58:50 pfsp: Alert Autoclassification was restarted on 2016-10-26 19:58:50 iam by qua", + "event.original": "November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2313, + "log.offset": 2448, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -513,8 +544,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-10-26T21:58:50.000Z", - "rsa.time.starttime": "2016-10-26T21:58:50.000Z", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "rsa.time.starttime": "2016-11-10T05:01:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -523,19 +554,19 @@ "user.name": "qua" }, { - "@timestamp": "2019-11-10T05:01:24.000Z", + "@timestamp": "2019-11-24T12:03:59.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 10 03:01:24 pfsp: Test syslog message", + "event.original": "November 24 10:03:59 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2412, + "log.offset": 2548, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -543,14 +574,14 @@ ] }, { - "@timestamp": "2019-11-24T12:03:59.000Z", + "@timestamp": "2019-12-08T19:06:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 24 10:03:59 pfsp: Autoclassification was restarted on 2016-11-24 10:03:59 olupta by turveli", + "event.original": "December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2459, + "log.offset": 2595, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -559,8 +590,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", - "rsa.time.starttime": "2016-11-24T12:03:59.000Z", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -569,14 +600,14 @@ "user.name": "turveli" }, { - "@timestamp": "2019-12-08T19:06:33.000Z", + "@timestamp": "2019-12-23T02:09:07.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 ntutl by caecatc", + "event.original": "December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2560, + "log.offset": 2695, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -585,8 +616,8 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-12-08T19:06:33.000Z", - "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.time.starttime": "2016-12-23T02:09:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -595,17 +626,17 @@ "user.name": "caecatc" }, { - "@timestamp": "2019-12-23T02:09:07.000Z", + "@timestamp": "2020-01-06T09:11:41.000Z", "destination.ip": [ "10.224.68.213" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 23 00:09:07 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2016-12-23 00:09:07 lup", + "event.original": "January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2665, + "log.offset": 2801, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -614,8 +645,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "taed", - "rsa.time.endtime": "2016-12-23T02:09:07.000Z", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.time.endtime": "2017-01-06T09:11:41.000Z", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -623,22 +654,22 @@ ] }, { - "@timestamp": "2020-01-06T09:11:41.000Z", + "@timestamp": "2020-01-20T16:14:16.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 6 07:11:41 pfsp: Alert Hardware failure on aperi since 2017-01-06 07:11:41 GMT: lor", + "event.original": "January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2788, + "log.offset": 2922, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "lor", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "aperi", - "rsa.time.event_time": "2020-01-06T09:11:41.000Z", - "rsa.time.starttime": "2017-01-06T09:11:41.000Z", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -646,21 +677,21 @@ ] }, { - "@timestamp": "2020-01-20T16:14:16.000Z", + "@timestamp": "2020-02-03T23:16:50.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 20 14:14:16 pfsp: The BGP Instability for router oin ended", + "event.original": "February 3 21:16:50 pfsp: The BGP Instability for router oin ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2880, + "log.offset": 3015, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "oin", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -668,22 +699,22 @@ ] }, { - "@timestamp": "2020-02-03T23:16:50.000Z", + "@timestamp": "2020-02-18T06:19:24.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 3 21:16:50 pfsp: Hardware failure on ritatis done at 2017-02-03 21:16:50 oloremi GMT: pitla", + "event.original": "February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2948, + "log.offset": 3083, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "pitla", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "ritatis", - "rsa.time.endtime": "2017-02-03T23:16:50.000Z", - "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "rsa.time.endtime": "2017-02-18T06:19:24.000Z", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -691,14 +722,14 @@ ] }, { - "@timestamp": "2020-02-18T06:19:24.000Z", + "@timestamp": "2020-03-04T13:21:59.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 18 04:19:24 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", + "event.original": "March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3049, + "log.offset": 3185, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -708,7 +739,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -717,22 +748,22 @@ "user.name": "mqui" }, { - "@timestamp": "2020-03-04T13:21:59.000Z", + "@timestamp": "2020-03-18T20:24:33.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 4 11:21:59 pfsp: Device tdolorem unreachable by controller ono since 2017-03-04 11:21:59", + "event.original": "March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3159, + "log.offset": 3291, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "tdolorem", "rsa.misc.parent_node": "ono", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", - "rsa.time.starttime": "2017-03-04T13:21:59.000Z", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + "rsa.time.starttime": "2017-03-18T20:24:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -740,17 +771,17 @@ ] }, { - "@timestamp": "2020-03-18T20:24:33.000Z", + "@timestamp": "2020-04-02T03:27:07.000Z", "destination.ip": [ "10.60.185.151" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 18 18:24:33 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-03-18 18:24:33 lumquido", + "event.original": "April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3254, + "log.offset": 3387, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -759,8 +790,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "uidolo", - "rsa.time.event_time": "2020-03-18T20:24:33.000Z", - "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.starttime": "2017-04-02T03:27:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -768,19 +799,19 @@ ] }, { - "@timestamp": "2020-04-02T03:27:07.000Z", + "@timestamp": "2020-04-16T10:29:41.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 2 01:27:07 Lor: Test: Test syslog message", + "event.original": "April 16 08:29:41 Lor: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3378, + "log.offset": 3510, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -788,15 +819,15 @@ ] }, { - "@timestamp": "2020-04-16T10:29:41.000Z", + "@timestamp": "2020-04-30T17:32:16.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 16 08:29:41 pfsp: Alert script modoco ran at 2017-04-16 08:29:41 , estquleader inibusBo", + "event.original": "April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3426, + "log.offset": 3559, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -804,57 +835,31 @@ "rsa.misc.disposition": "ongoing", "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "modoco", - "rsa.misc.parent_node": "inibusBo", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", - "rsa.time.starttime": "2017-04-16T10:29:41.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ] - }, - { - "@timestamp": "2020-04-30T17:32:16.000Z", - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 30 15:32:16 tion: Protection Mode: Changed protection mode to active for protection groupeataev,URL:https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii", - "fileset.name": "sightline", - "group.name": "eataev", - "input.type": "log", - "log.offset": 3521, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "eataev", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", + "rsa.misc.parent_node": "estqu", "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://api.example.org/uasia/emp.txt?ici=giatquov#eritquii" + ] }, { "@timestamp": "2020-05-15T00:34:50.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 14 22:34:50 imad: Protection Mode: Changed protection mode to active for protection groupmsequi,URL:https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend", + "event.original": "May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", "fileset.name": "sightline", - 
"group.name": "msequi", + "group.name": "ents", "input.type": "log", - "log.offset": 3687, + "log.offset": 3647, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "Changed protection mode to active for protection group", "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "msequi", + "rsa.misc.group": "ents", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", "rsa.time.event_time": "2020-05-15T00:34:50.000Z", 
@@ -863,51 +868,17 @@ "netscout.sightline", "forwarded" ], - "url.original": "https://www5.example.org/iquaUten/santium.html?imidest=emagnama#eprehend" - }, - { - "@timestamp": "2020-05-29T07:37:24.000Z", - "destination.ip": [ - "10.28.127.218" - ], - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 29 05:37:24 xeac: Blocked Host: Blocked host10.233.107.138attaliqby Blocked Countries usingrdpdestination10.28.127.218,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3864, - "network.protocol": "rdp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.28.127.218", - "10.233.107.138" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", - "service.type": "netscout", - "source.ip": [ - "10.233.107.138" - ], - "tags": [ - "netscout.sightline", - "forwarded" - ], "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae" }, { - "@timestamp": "2020-06-12T14:39:58.000Z", + "@timestamp": "2020-05-29T07:37:24.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 12 12:39:58 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", + "event.original": "May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4047, + "log.offset": 3809, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -915,7 +886,7 @@ "rsa.internal.event_desc": "mdolore", "rsa.internal.messageid": "BGP", "rsa.misc.node": "reetd", - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -923,22 +894,22 @@ ] }, { - "@timestamp": "2020-06-26T21:42:33.000Z", + "@timestamp": "2020-06-12T14:39:58.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 26 19:42:33 pfsp: Device mque reachable again by controller uovolup at 2017-06-26 19:42:33 samvolu", + "event.original": "June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4120, + "log.offset": 3881, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "mque", "rsa.misc.parent_node": "uovolup", - "rsa.time.endtime": "2017-06-26T21:42:33.000Z", - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.time.endtime": "2017-06-12T14:39:58.000Z", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -946,15 +917,15 @@ ] }, { - "@timestamp": "2020-07-11T04:45:07.000Z", + "@timestamp": "2020-06-26T21:42:33.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 11 02:45:07 pfsp: The Host Detection alert eirure, start 2017-07-11 02:45:07 conseq, duration 38.117000, stop 2017-07-11 02:45:07 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", + "event.original": "June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 4224, + "log.offset": 3985, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -962,9 +933,9 @@ "rsa.misc.result": "unknown", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 38.117, - "rsa.time.endtime": "2017-07-11T04:45:07.000Z", - "rsa.time.event_time": "2020-07-11T04:45:07.000Z", - "rsa.time.starttime": "2017-07-11T04:45:07.000Z", + "rsa.time.endtime": "2017-06-26T21:42:33.000Z", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.time.starttime": "2017-06-26T21:42:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -972,14 +943,14 @@ ] }, { - "@timestamp": "2019-07-25T11:47:41.000Z", + "@timestamp": "2020-07-11T04:45:07.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 25 09:47:41 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", + "event.original": "July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4460, + "log.offset": 4221, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -987,7 +958,7 @@ "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "BGP", "rsa.misc.node": "doloremi", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "rsa.time.event_time": "2020-07-11T04:45:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -995,14 +966,14 @@ ] }, { - "@timestamp": "2019-08-08T18:50:15.000Z", + "@timestamp": "2019-07-25T11:47:41.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 8 16:50:15 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", + "event.original": "July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4529, + "log.offset": 4290, "network.protocol": "ipv6", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1010,7 +981,7 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "tincu", "rsa.misc.trigger_val": "sci", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1018,15 +989,15 @@ ] }, { - "@timestamp": "2019-08-23T01:52:50.000Z", + "@timestamp": "2019-08-08T18:50:15.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 22 23:52:50 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", + "event.original": "August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", "fileset.name": "sightline", "group.name": "eaq", "input.type": "log", - "log.offset": 4637, + "log.offset": 4397, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1035,7 +1006,7 @@ "rsa.misc.group": "eaq", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1044,14 +1015,14 @@ "url.original": "https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup" }, { - "@timestamp": "2019-09-06T08:55:24.000Z", + "@timestamp": "2019-08-23T01:52:50.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 6 06:55:24 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", + "event.original": "August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4804, + "log.offset": 4563, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1061,7 +1032,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1070,17 +1041,17 @@ "user.name": "suntexp" }, { - "@timestamp": "2019-09-20T15:57:58.000Z", + "@timestamp": "2019-09-06T08:55:24.000Z", "destination.ip": [ "10.168.131.247" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 20 13:57:58 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", + "event.original": "September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4915, + "log.offset": 4672, "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1092,7 +1063,7 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", "service.type": "netscout", "source.ip": [ "10.136.232.108" @@ -1104,17 +1075,17 @@ "url.original": "https://example.net/temqu/edol.jpg?ipi=reseos#pariatu" }, { - "@timestamp": "2019-10-04T23:00:32.000Z", + "@timestamp": "2019-09-20T15:57:58.000Z", "destination.ip": [ "10.209.182.237" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 4 21:00:32 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-04 21:00:32 olor", + "event.original": "September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5105, + "log.offset": 4861, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1123,8 +1094,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "tper", - "rsa.time.endtime": "2017-10-04T23:00:32.000Z", - "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "rsa.time.endtime": "2017-09-20T15:57:58.000Z", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1132,22 +1103,22 @@ ] }, { - "@timestamp": "2019-10-19T06:03:07.000Z", + "@timestamp": "2019-10-04T23:00:32.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 19 04:03:07 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-19 04:03:07 fdeFi", + "event.original": "October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5222, + "log.offset": 4981, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "xerc", "rsa.misc.parent_node": "iutali", - "rsa.time.endtime": "2017-10-19T06:03:07.000Z", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "rsa.time.endtime": "2017-10-04T23:00:32.000Z", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1155,14 +1126,14 @@ ] }, { - "@timestamp": "2019-11-02T13:05:41.000Z", + "@timestamp": "2019-10-19T06:03:07.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 2 11:05:41 pfsp: BGP down for router ati, leader tlabo since 2017-11-02 11:05:41 uames", + "event.original": "October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5332, + "log.offset": 5090, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -1170,8 +1141,8 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "ati", "rsa.misc.parent_node": "tlabo", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", - "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "rsa.time.starttime": "2017-10-19T06:03:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1179,15 +1150,15 @@ ] }, { - "@timestamp": "2019-11-16T20:08:15.000Z", + "@timestamp": "2019-11-02T13:05:41.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 16 18:08:15 pfsp: script offi ran at 2017-11-16 18:08:15 , giatnuleader ulapa", + "event.original": "November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5429, + "log.offset": 5187, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1195,9 +1166,9 @@ "rsa.misc.disposition": "ongoing", "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "offi", - "rsa.misc.parent_node": "ulapa", - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", - "rsa.time.starttime": "2017-11-16T20:08:15.000Z", + "rsa.misc.parent_node": "giatnu", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1205,103 +1176,93 @@ ] }, { - "@timestamp": "2019-12-01T03:10:49.000Z", - "event.code": "Change_Log", + "@timestamp": "2019-11-16T20:08:15.000Z", + "destination.ip": [ + "10.128.31.83" + ], + "destination.port": 2346, + "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 1 01:10:49 quioffi: Change Log: Username:uptate, Subsystem:ncidid, Setting Type:quaturve, Message:sequa", + "event.original": "November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5517, + "log.level": "very-high", + "log.offset": 5270, + "network.protocol": "udp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.user": [ - "uptate" + "related.ip": [ + "10.97.164.220", + "10.128.31.83" ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "aera", + "rsa.misc.disposition": "uamei", + "rsa.misc.event_id": "6f3fd2c5", + "rsa.misc.policy_name": "ncidid", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 50.929, + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "rsa.time.starttime": "2017-11-16T08:08:15.000Z", "service.type": "netscout", + "source.ip": [ + "10.97.164.220" + ], + "source.port": 6205, "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "uptate" + "url.original": "https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata" }, { - "@timestamp": "2019-12-15T10:13:24.000Z", - "event.code": "Host", - 
"event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 15 08:13:24 pfsp: Host Detection alert nimid, start 2017-12-15 08:13:24 itatione, duration 80.096000, stop 2017-12-15 08:13:24 umwr, , importance very-high, managed_objects (reme), is now success, (parent managed object osamn)", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5630, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Host", - "rsa.misc.result": "success", - "rsa.misc.severity": "very-high", - "rsa.time.duration_time": 80.096, - "rsa.time.endtime": "2017-12-15T10:13:24.000Z", - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", - "rsa.time.starttime": "2017-12-15T10:13:24.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ] - }, - { - "@timestamp": "2019-12-29T17:15:58.000Z", + "@timestamp": "2019-12-01T03:10:49.000Z", "destination.ip": [ - "10.108.167.93" + "10.163.161.165" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 29 15:15:58 lorinre: Blocked Host: Blocked host10.161.136.76atidataby Blocked Countries usingudpdestination10.108.167.93,URL:https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss", + "event.original": "December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5866, - "network.protocol": "udp", + "log.offset": 5621, + "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.161.136.76", - "10.108.167.93" + "10.83.23.104", + "10.163.161.165" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": 
"Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "netscout", "source.ip": [ - "10.161.136.76" + "10.83.23.104" ], "tags": [ "netscout.sightline", "forwarded" ], - "url.original": "https://api.example.com/untex/quiratio.htm?tisetq=tevelite#orporiss" + "url.original": "https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte" }, { - "@timestamp": "2020-01-13T00:18:32.000Z", + "@timestamp": "2019-12-15T10:13:24.000Z", "destination.ip": [ "10.53.248.4" ], "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 12 22:18:32 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2018-01-12 22:18:32 dexea", + "event.original": "December 15 08:13:24 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6068, + "log.offset": 5813, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1310,8 +1271,8 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "derit", - "rsa.time.endtime": "2018-01-13T00:18:32.000Z", - "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.endtime": "2017-12-15T10:13:24.000Z", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1319,19 +1280,19 @@ ] }, { - "@timestamp": "2020-01-27T07:21:06.000Z", + "@timestamp": "2019-12-29T17:15:58.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 27 05:21:06 pfsp: Test syslog message", + "event.original": "December 29 15:15:58 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6185, + "log.offset": 5931, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1339,22 +1300,22 @@ ] }, { - "@timestamp": "2020-02-10T14:23:41.000Z", + "@timestamp": "2020-01-13T00:18:32.000Z", "event.code": "Flow", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 10 12:23:41 pfsp: Alert Flow down for router tessec, leader olupta since 2018-02-10 12:23:41 litse", + "event.original": "January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6231, + "log.offset": 5978, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Flow", "rsa.misc.node": "tessec", "rsa.misc.parent_node": "olupta", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", - "rsa.time.starttime": "2018-02-10T14:23:41.000Z", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.starttime": "2018-01-13T00:18:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1362,15 +1323,15 @@ ] }, { - "@timestamp": "2020-02-24T21:26:15.000Z", + "@timestamp": "2020-01-27T07:21:06.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 24 19:26:15 pfsp: Alert Host Detection alert sperna, start 2018-02-24 19:26:15 sintocc, duration 24.633000, stop 2018-02-24 19:26:15 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", + "event.original": "January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 6339, + "log.offset": 6085, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1378,9 +1339,9 @@ "rsa.misc.result": "success", "rsa.misc.severity": "medium", "rsa.time.duration_time": 24.633, - "rsa.time.endtime": "2018-02-24T21:26:15.000Z", - "rsa.time.event_time": "2020-02-24T21:26:15.000Z", - "rsa.time.starttime": "2018-02-24T21:26:15.000Z", + "rsa.time.endtime": "2018-01-27T07:21:06.000Z", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1388,14 +1349,14 @@ ] }, { - "@timestamp": "2020-03-11T04:28:49.000Z", + "@timestamp": "2020-02-10T14:23:41.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 11 02:28:49 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", + "event.original": "February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6585, + "log.offset": 6330, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1405,7 +1366,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1414,21 +1375,21 @@ "user.name": "uiac" }, { - "@timestamp": "2020-03-25T11:31:24.000Z", + "@timestamp": "2020-02-24T21:26:15.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 25 09:31:24 pfsp: BGP Instability for router iatisu ended", + "event.original": "February 24 19:26:15 pfsp: BGP Instability for router iatisu ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6687, + "log.offset": 6435, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "iatisu", - "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1436,14 +1397,14 @@ ] }, { - "@timestamp": "2020-04-08T18:33:58.000Z", + "@timestamp": "2020-03-11T04:28:49.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 8 16:33:58 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", + "event.original": "March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6752, + "log.offset": 6503, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1453,7 +1414,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1462,19 +1423,19 @@ "user.name": "ersp" }, { - "@timestamp": "2020-04-23T01:36:32.000Z", + "@timestamp": "2020-03-25T11:31:24.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 22 23:36:32 pfsp: Test syslog message", + "event.original": "March 25 09:31:24 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6857, + "log.offset": 6609, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1482,19 +1443,19 @@ ] }, { - "@timestamp": "2020-05-07T08:39:06.000Z", + "@timestamp": "2020-04-08T18:33:58.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 7 06:39:06 Sedutp: Test: Test syslog message", + "event.original": "April 8 16:33:58 Sedutp: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6901, + "log.offset": 6653, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1502,14 +1463,14 @@ ] }, { - "@timestamp": "2020-05-21T15:41:41.000Z", + "@timestamp": "2020-04-23T01:36:32.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 21 13:41:41 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", + "event.original": "April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6950, + "log.offset": 6704, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1519,7 +1480,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1528,15 +1489,15 @@ "user.name": "rsitv" }, { - "@timestamp": "2020-06-04T22:44:15.000Z", + "@timestamp": "2020-05-07T08:39:06.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 4 20:44:15 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", + "event.original": "May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", "fileset.name": "sightline", "group.name": "upida", "input.type": "log", - "log.offset": 7053, + "log.offset": 6809, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1545,7 +1506,7 @@ "rsa.misc.group": "upida", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1554,14 +1515,14 @@ "url.original": "https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse" }, { - "@timestamp": "2020-06-19T05:46:49.000Z", + "@timestamp": "2020-05-21T15:41:41.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 19 03:46:49 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", + "event.original": "May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7216, + "log.offset": 6971, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1571,7 +1532,7 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1580,22 +1541,22 @@ "user.name": "udexerci" }, { - "@timestamp": "2020-07-03T12:49:23.000Z", + "@timestamp": "2020-06-04T22:44:15.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 3 10:49:23 pfsp: The Device illoin unreachable by controller tanimid since 2018-07-03 10:49:23", + "event.original": "June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7324, + "log.offset": 7078, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "illoin", "rsa.misc.parent_node": "tanimid", - "rsa.time.event_time": "2020-07-03T12:49:23.000Z", - "rsa.time.starttime": "2018-07-03T12:49:23.000Z", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.time.starttime": "2018-06-04T22:44:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1603,14 +1564,14 @@ ] }, { - "@timestamp": "2019-07-17T19:51:58.000Z", + "@timestamp": "2020-06-19T05:46:49.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 17 17:51:58 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", + "event.original": "June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7424, + "log.offset": 7178, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", 
@@ -1622,7 +1583,7 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "natuse", "rsa.misc.version": "1.4425", - "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1631,15 +1592,15 @@ "user.name": "ati" }, { - "@timestamp": "2019-08-01T02:54:32.000Z", + "@timestamp": "2020-07-03T12:49:23.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 1 00:54:32 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", + "event.original": "July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", "fileset.name": "sightline", "input.type": "log", "log.level": "low", - "log.offset": 7515, + "log.offset": 7269, "network.interface.name": "enp0s4306", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1652,7 +1613,7 @@ "rsa.misc.severity": "low", "rsa.misc.sig_id": 2366, "rsa.network.interface": "enp0s4306", - "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1660,14 +1621,14 @@ ] }, { - "@timestamp": "2019-08-15T09:57:06.000Z", + "@timestamp": "2019-07-17T19:51:58.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 15 07:57:06 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-15 07:57:06 dmin", + "event.original": "July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7710, + "log.offset": 7462, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1675,8 +1636,8 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "entsunt", "rsa.misc.parent_node": "ihilm", - "rsa.time.endtime": "2018-08-15T09:57:06.000Z", - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "rsa.time.endtime": "2018-07-17T19:51:58.000Z", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1684,15 +1645,15 @@ ] }, { - "@timestamp": "2019-08-29T16:59:40.000Z", + "@timestamp": "2019-08-01T02:54:32.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 29 14:59:40 pfsp: The Host Detection alert uscipitl, start 2018-08-29 14:59:40 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", + "event.original": "August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 7811, + "log.offset": 7561, "network.direction": "internal", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -1704,8 +1665,8 @@ "rsa.misc.policy_name": "ciad", "rsa.misc.severity": "medium", "rsa.time.duration_time": 29.657, - "rsa.time.event_time": "2019-08-29T16:59:40.000Z", - "rsa.time.starttime": "2018-08-29T16:59:40.000Z", + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.time.starttime": "2018-08-01T02:54:32.000Z", "service.type": "netscout", "source.ip": [ "10.54.49.84" @@ -1716,19 +1677,19 @@ ] }, { - "@timestamp": "2019-09-13T00:02:15.000Z", + "@timestamp": "2019-08-15T09:57:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 12 22:02:15 pfsp: Alert Test syslog message", + "event.original": "August 15 07:57:06 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8063, + "log.offset": 7811, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1736,15 +1697,15 @@ ] }, { - "@timestamp": "2019-09-27T07:04:49.000Z", + "@timestamp": "2019-08-29T16:59:40.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 27 05:04:49 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", + "event.original": "August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 8117, + "log.offset": 7862, "network.interface.name": "lo4293", "observer.product": "Arbor", "observer.type": "DDOS", 
@@ -1757,7 +1718,7 @@ "rsa.misc.severity": "medium", "rsa.misc.sig_id": 5089, "rsa.network.interface": "lo4293", - "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -1765,23 +1726,69 @@ ] }, { - "@timestamp": "2019-10-11T14:07:23.000Z", - "event.action": "Fault Cleared", + "@timestamp": "2019-09-13T00:02:15.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8043, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "uptate", + "rsa.misc.trigger_val": "tpersp", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-27T07:04:49.000Z", + "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 11 12:07:23 pfsp: The TMS 'enderi' fault for resource 'mquisno' on TMS odoconse cleared", + "event.original": "September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8301, + "log.offset": 8152, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "enderi", + "rsa.internal.event_desc": "tem", "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "mquisno", - "rsa.misc.event_type": "Fault Cleared", - "rsa.misc.node": "odoconse", + "rsa.internal.resource": "dol", + "rsa.misc.event_type": "Fault Occured", + "rsa.misc.node": "proiden", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-11T14:07:23.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": 
"netscout", + "event.original": "October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8236, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "isis", + "rsa.misc.parent_node": "uasiar", + "rsa.time.endtime": "2018-10-11T14:07:23.000Z", "rsa.time.event_time": "2019-10-11T14:07:23.000Z", "service.type": "netscout", "tags": [ 
@@ -1792,239 +1799,275 @@ { "@timestamp": "2019-10-25T21:09:57.000Z", "destination.ip": [ - "10.83.130.226" + "10.216.83.142" ], - "event.code": "Blocked_Host", + "destination.port": 4365, + "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 25 19:09:57 asiarc: Blocked Host: Blocked host10.80.101.72atuptateby Blocked Countries usingrdpdestination10.83.130.226,URL:https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor", + "event.original": "October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8397, - "network.protocol": "rdp", + "log.level": "low", + "log.offset": 8340, + "network.protocol": "tcp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.83.130.226", - "10.80.101.72" + "10.216.83.142", + "10.224.198.212" ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "utodita", + "rsa.misc.disposition": "liqua", + "rsa.misc.event_id": "c8947b2b", + "rsa.misc.policy_name": "ntsunt", + "rsa.misc.severity": "low", + "rsa.time.duration_time": 2.919, "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "rsa.time.starttime": "2018-10-25T09:09:57.000Z", "service.type": "netscout", "source.ip": [ - "10.80.101.72" + "10.224.198.212" ], + "source.port": 2003, "tags": [ "netscout.sightline", "forwarded" ], - "url.original": "https://www5.example.com/gitsed/fugia.htm?emp=pisciv#lumdolor" + "url.original": "https://example.net/con/preh.html?quamest=mac#qui" }, { "@timestamp": 
"2019-11-09T04:12:32.000Z", - "event.action": "Fault Occured", - "event.code": "TMS", + "destination.ip": [ + "10.28.226.128" + ], + "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 9 02:12:32 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", + "event.original": "November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8591, + "log.offset": 8678, + "network.protocol": "ipv6-icmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "tem", - "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "dol", - "rsa.misc.event_type": "Fault Occured", - "rsa.misc.node": "proiden", + "related.ip": [ + "10.122.76.148", + "10.28.226.128" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "netscout", + "source.ip": [ + "10.122.76.148" + ], "tags": [ "netscout.sightline", "forwarded" - ] + ], + "url.original": "https://mail.example.org/idunt/luptat.txt?ica=lillum#remips" }, { "@timestamp": "2019-11-23T11:15:06.000Z", - "event.code": "Device", + "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 23 09:15:06 pfsp: Device isis reachable again by controller uasiar at 2018-11-23 09:15:06 utlab", + "event.original": "November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", "fileset.name": "sightline", + "group.name": "amcor", "input.type": "log", - "log.offset": 8673, + "log.offset": 8876, 
"observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "isis", - "rsa.misc.parent_node": "uasiar", - "rsa.time.endtime": "2018-11-23T11:15:06.000Z", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "amcor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", "rsa.time.event_time": "2019-11-23T11:15:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" }, { "@timestamp": "2019-12-07T18:17:40.000Z", - "event.code": "SNMP", + "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 7 16:17:40 pfsp: The SNMP restored for router umdolor, leader uaUten at 2018-12-07 16:17:40 nby", + "event.original": "December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", "fileset.name": "sightline", + "group.name": "equepor", "input.type": "log", - "log.offset": 8778, - "network.protocol": "SNMP", + "log.offset": 9048, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "SNMP", - "rsa.misc.node": "umdolor", - "rsa.misc.parent_node": "uaUten", - "rsa.time.endtime": "2018-12-07T18:17:40.000Z", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "equepor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", "rsa.time.event_time": "2019-12-07T18:17:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "url.original": 
"https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" }, { "@timestamp": "2019-12-22T01:20:14.000Z", - "event.code": "Change_Log", + "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 21 23:20:14 ibusBon: Change Log: Username:ven, Subsystem:rQu, Setting Type:mco, Message:cipitl", + "event.original": "December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", "fileset.name": "sightline", + "group.name": "isciv", "input.type": "log", - "log.offset": 8884, + "log.offset": 9230, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.user": [ - "ven" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "isciv", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "ven" + "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" }, { "@timestamp": "2020-01-05T08:22:49.000Z", - "event.code": "configuration", + "destination.ip": [ + "10.98.209.10" + ], + "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 5 06:22:49 pfsp: configuration was changed on leader evitaed to version 1.1721 by suntin", + "event.original": "January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", "fileset.name": "sightline", "input.type": "log", - 
"log.offset": 8988, + "log.offset": 9398, + "network.protocol": "ggp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "observer.version": "1.1721", - "related.user": [ - "suntin" + "related.ip": [ + "10.98.209.10", + "10.31.177.226" ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "evitaed", - "rsa.misc.version": "1.1721", + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "netscout", + "source.ip": [ + "10.31.177.226" + ], "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "suntin" + "url.original": "https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo" }, { "@timestamp": "2020-01-19T15:25:23.000Z", - "event.code": "Peakflow", + "destination.ip": [ + "10.179.210.218" + ], + "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 19 13:25:23 pfsp: Peakflow device oraincid unreachable by intocc since 2019-01-19 13:25:23", + "event.original": "January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9085, + "log.offset": 9594, + "network.protocol": "igmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Peakflow", - "rsa.misc.node": "oraincid", - "rsa.misc.parent_node": "intocc", + "related.ip": [ + "10.44.47.27", + "10.179.210.218" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", "rsa.time.event_time": "2020-01-19T15:25:23.000Z", - "rsa.time.starttime": "2019-01-19T15:25:23.000Z", 
"service.type": "netscout", + "source.ip": [ + "10.44.47.27" + ], "tags": [ "netscout.sightline", "forwarded" - ] + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" }, { "@timestamp": "2020-02-02T22:27:57.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 2 20:27:57 pfsp: Alert configuration was changed on leader litani to version 1.6412 by psumqu", + "event.original": "February 2 20:27:57 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9184, + "log.offset": 9795, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "observer.version": "1.6412", + "observer.version": "1.2883", "related.user": [ - "psumqu" + "lor" ], "rsa.internal.event_desc": "Configuration changed", "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "litani", - "rsa.misc.version": "1.6412", + "rsa.misc.parent_node": "emvele", + "rsa.misc.version": "1.2883", "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "psumqu" + "user.name": "lor" }, { "@timestamp": "2020-02-17T05:30:32.000Z", - "event.code": "Change_Log", + "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 17 03:30:32 ipsamvo: Change Log: Username:onula, Subsystem:miu, Setting Type:rationev, Message:rem", + "event.original": "February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9287, + "log.offset": 9895, + "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.user": [ - "onula" - ], - "rsa.internal.messageid": 
"Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "iquamqua", + "rsa.misc.trigger_val": "ita", "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ], - "user.name": "onula" + ] }, { "@timestamp": "2020-03-03T12:33:06.000Z", @@ -2034,7 +2077,7 @@ "event.original": "March 3 10:33:06 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9395, + "log.offset": 10007, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2051,15 +2094,15 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 17 17:35:40 lillum: Change Log: Username:remips, Subsystem:uisaute, Setting Type:imide, Message:poriss", + "event.original": "March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9444, + "log.offset": 10056, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.user": [ - "remips" + "tMal" ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", 
@@ -2070,52 +2113,51 @@ "netscout.sightline", "forwarded" ], - "user.name": "remips" + "user.name": "tMal" }, { "@timestamp": "2020-04-01T02:38:14.000Z", - "event.action": "Script mitigation", - "event.code": "script", + "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 1 00:38:14 pfsp: Alert script usmodi ran at 2019-04-01 00:38:14 , mvoluleader conse", + "event.original": "April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9553, + "log.offset": 10161, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "usmodi", - "rsa.misc.parent_node": "conse", + "observer.version": "1.2552", + "related.user": [ + "onu" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "maveni", + "rsa.misc.version": "1.2552", "rsa.time.event_time": "2020-04-01T02:38:14.000Z", - "rsa.time.starttime": "2019-04-01T02:38:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "user.name": "onu" }, { "@timestamp": "2020-04-15T09:40:49.000Z", - "event.action": "Fault Cleared", - "event.code": "TMS", + "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 15 07:40:49 pfsp: Alert TMS 'licabo' fault for resource 'enimadmi' on TMS utaliqu cleared", + "event.original": "April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9644, + "log.offset": 10258, + "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - 
"rsa.internal.event_desc": "licabo", - "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "enimadmi", - "rsa.misc.event_type": "Fault Cleared", - "rsa.misc.node": "utaliqu", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "norumet", "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "service.type": "netscout", "tags": [ 
@@ -2125,97 +2167,95 @@ }, { "@timestamp": "2020-04-29T16:43:23.000Z", - "event.code": "Protection_Mode", + "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 29 14:43:23 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", + "event.original": "April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", "fileset.name": "sightline", - "group.name": "amcor", "input.type": "log", - "log.offset": 9740, + "log.level": "very-high", + "log.offset": 10340, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "amcor", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 177.586, + "rsa.time.endtime": "2019-04-29T16:43:23.000Z", "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "rsa.time.starttime": "2019-04-29T16:43:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" + ] }, { "@timestamp": "2020-05-13T23:45:57.000Z", - "event.code": "Protection_Mode", + "event.action": "Script mitigation", + "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 13 21:45:57 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", + 
"event.original": "May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor", "fileset.name": "sightline", - "group.name": "equepor", "input.type": "log", - "log.offset": 9909, + "log.offset": 10573, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "equepor", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "remipsum", + "rsa.misc.parent_node": "tempor", "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "rsa.time.starttime": "2019-05-13T23:45:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" + ] }, { "@timestamp": "2020-05-28T06:48:31.000Z", - "event.code": "Protection_Mode", + "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 28 04:48:31 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "event.original": "May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", "fileset.name": "sightline", - "group.name": "isciv", "input.type": "log", - "log.offset": 10087, + "log.offset": 10656, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "isciv", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", + "related.user": [ + "orroqu" + ], + 
"rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ], - "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" + "user.name": "orroqu" }, { "@timestamp": "2020-06-11T13:51:06.000Z", - "event.code": "BGP", + "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 11 11:51:06 pfsp: The BGP Instability for router eirure ended", + "event.original": "June 11 11:51:06 uto: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10250, - "network.protocol": "BGP", + "log.offset": 10760, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "eirure", + "rsa.internal.messageid": "Test", "rsa.time.event_time": "2020-06-11T13:51:06.000Z", "service.type": "netscout", "tags": [ 
@@ -2225,46 +2265,49 @@ }, { "@timestamp": "2020-06-25T20:53:40.000Z", - "event.code": "BGP", + "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 25 18:53:40 pfsp: Alert BGP instability router tesse threshold sequat (giatquov) observed tconsec (miurerep)", + "event.original": "June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10318, - "network.protocol": "BGP", + "log.offset": 10808, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "tesse", - "rsa.misc.trigger_val": "tconsec", + "related.user": [ + "veniamq" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "user.name": "veniamq" }, { "@timestamp": "2020-07-10T03:56:14.000Z", "destination.ip": [ - "10.179.210.218" + "10.55.156.64" ], "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 10 01:56:14 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "event.original": "July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10433, - "network.protocol": "igmp", + "log.offset": 10916, + "network.protocol": "ggp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.210.218", - "10.44.47.27" + 
"10.151.129.181", + "10.55.156.64" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", 
@@ -2272,60 +2315,67 @@ "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "netscout", "source.ip": [ - "10.44.47.27" + "10.151.129.181" ], "tags": [ "netscout.sightline", "forwarded" ], - "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" + "url.original": "https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae" }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "configuration", + "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 24 08:58:48 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", + "event.original": "July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", "fileset.name": "sightline", + "group.name": "quasiarc", "input.type": "log", - "log.offset": 10631, + "log.offset": 11103, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "observer.version": "1.2883", - "related.user": [ - "lor" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "emvele", - "rsa.misc.version": "1.2883", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "quasiarc", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "lor" + "url.original": "https://www.example.net/rever/ore.jpg?oluptat=metco#acom" }, { "@timestamp": "2019-08-07T18:01:23.000Z", - "event.code": "BGP", + "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 7 16:01:23 pfsp: Alert BGP instability 
router iquamqua threshold sit (rumSect) observed ita (vitaed)", + "event.original": "August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10728, - "network.protocol": "BGP", + "log.level": "medium", + "log.offset": 11267, + "network.direction": "internal", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "iquamqua", - "rsa.misc.trigger_val": "ita", + "related.ip": [ + "10.46.77.76" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "iacons", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 77.637, "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "rsa.time.starttime": "2019-08-07T18:01:23.000Z", "service.type": "netscout", + "source.ip": [ + "10.46.77.76" + ], "tags": [ "netscout.sightline", "forwarded" @@ -2333,18 +2383,21 @@ }, { "@timestamp": "2019-08-22T01:03:57.000Z", - "event.code": "Test", + "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 21 23:03:57 pfsp: Alert Test syslog message", + "event.original": "August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10837, + "log.offset": 11525, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", + "rsa.internal.event_desc": "radipisc", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "ntiu", "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2353,100 +2406,104 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "Change_Log", + "destination.ip": [ + "10.166.90.130" + ], + "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 5 06:06:31 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", + "event.original": "September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10888, + "log.offset": 11615, + "network.protocol": "icmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.user": [ - "tMal" + "related.ip": [ + "10.166.90.130", + "10.73.89.189" ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "netscout", + "source.ip": [ + "10.73.89.189" + ], "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "tMal" + "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu" }, { "@timestamp": "2019-09-19T15:09:05.000Z", - "event.code": "configuration", + "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 19 13:09:05 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", + "event.original": "September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", "fileset.name": "sightline", + "group.name": "laudan", "input.type": "log", - "log.offset": 
10996, + "log.offset": 11810, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "observer.version": "1.2552", - "related.user": [ - "onu" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "maveni", - "rsa.misc.version": "1.2552", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "laudan", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "onu" + "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui" }, { "@timestamp": "2019-10-03T22:11:40.000Z", - "event.code": "BGP", + "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 3 20:11:40 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", + "event.original": "October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11098, - "network.protocol": "BGP", + "log.offset": 11995, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "norumet", + "related.user": [ + "rcitat" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "user.name": "rcitat" }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "Host", + "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 
18 03:14:14 pfsp: Host Detection alert col, start 2019-10-18 03:14:14 mve, duration 177.586000, stop 2019-10-18 03:14:14 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", + "event.original": "October 18 03:14:14 fugits: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.level": "very-high", - "log.offset": 11181, + "log.offset": 12109, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Host", - "rsa.misc.result": "failure", - "rsa.misc.severity": "very-high", - "rsa.time.duration_time": 177.586, - "rsa.time.endtime": "2019-10-18T05:14:14.000Z", + "rsa.internal.messageid": "Test", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "rsa.time.starttime": "2019-10-18T05:14:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2455,24 +2512,26 @@ }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.action": "Script mitigation", - "event.code": "script", + "destination.ip": [ + "10.226.51.191" + ], + "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 1 10:16:48 pfsp: script remipsum ran at 2019-11-01 10:16:48 , temporleader citatio", + "event.original": "November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11416, + "log.offset": 12163, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "remipsum", - "rsa.misc.parent_node": "citatio", + "related.ip": [ + "10.226.51.191" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "magnid", + "rsa.time.endtime": "2019-11-01T12:16:48.000Z", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "rsa.time.starttime": "2019-11-01T12:16:48.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", 
@@ -2481,78 +2540,71 @@ }, { "@timestamp": "2019-11-15T19:19:22.000Z", - "destination.ip": [ - "10.131.74.36" - ], - "event.code": "Blocked_Host", + "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 15 17:19:22 mveniamq: Blocked Host: Blocked host10.74.159.77ateaqueipsby Blocked Countries usingicmpdestination10.131.74.36,URL:https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea", + "event.original": "November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11509, - "network.protocol": "icmp", + "log.offset": 12282, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.74.159.77", - "10.131.74.36" + "related.user": [ + "tvolup" ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "netscout", - "source.ip": [ - "10.74.159.77" - ], "tags": [ "netscout.sightline", "forwarded" ], - "url.original": "https://example.com/untexpl/iumtot.htm?eiusmod=emoe#uiinea" + "user.name": "tvolup" }, { "@timestamp": "2019-11-30T02:21:57.000Z", - "event.action": "Fault Cleared", - "event.code": "TMS", + "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 30 00:21:57 pfsp: Alert TMS 'eaqueip' fault for resource 'eum' on TMS lamc cleared", + "event.original": "November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11705, + "log.offset": 12395, "observer.product": "Arbor", "observer.type": "DDOS", 
"observer.vendor": "Netscout", - "rsa.internal.event_desc": "eaqueip", - "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "eum", - "rsa.misc.event_type": "Fault Cleared", - "rsa.misc.node": "lamc", + "related.user": [ + "luptas" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "rsa.time.starttime": "2019-11-30T02:21:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "user.name": "luptas" }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "Peakflow", + "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 14 07:24:31 pfsp: Alert Peakflow device itasper reachable again by uae at 2019-12-14 07:24:31 mve", + "event.original": "December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11797, + "log.offset": 12500, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Peakflow", - "rsa.misc.node": "itasper", - "rsa.misc.parent_node": "uae", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "aev", + "rsa.misc.parent_node": "inrepr", "rsa.time.endtime": "2019-12-14T09:24:31.000Z", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "netscout", diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index bfcc27af89e..6dfe9e19bef 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md @@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-08 22:21:03.910975 +0000 UTC. +at 2020-07-13 17:12:06.083221 +0000 UTC. 
diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md index 5f2db4c7bba..64d0e632596 100644 --- a/x-pack/filebeat/module/rapid7/README.md +++ b/x-pack/filebeat/module/rapid7/README.md @@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-08 22:21:03.250005 +0000 UTC. +at 2020-07-13 17:12:05.404155 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log index 97535fca785..ed2f7ef05fa 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log 
@@ -83,18 +83,18 @@ %NEXPOSE-iscinge: Populating ora %NEXPOSE-orincidi: ScanEventHandler: cancel %NEXPOSE-mSecti: Updating ius -%NEXPOSE-uunturm: 2019-5-28T4:48:31 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow +%NEXPOSE-aturExc: 2019-5-28T4:48:31 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq +%NEXPOSE-ipis: 2019-6-11T11:51:06 [nsecte] [Thread: miurere] [Site: tat] persistent-xss +%NEXPOSE-olupta: 2019-6-25T6:53:40 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui +%NEXPOSE-uunturm: 2019-7-10T1:56:14 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow %NEXPOSE-agn: Stopping eritinvo -%NEXPOSE-uisaut: 2019-6-25T6:53:40 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo +%NEXPOSE-uisaut: 2019-8-7T4:01:23 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo %NEXPOSE-ctobeat: common %NEXPOSE-olab: remagnam Destroying: %NEXPOSE-adipi: idid Destroying: -%NEXPOSE-lore: 2019-8-21T11:03:57 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru -%NEXPOSE-mco: 2019-9-5T6:06:31 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. 
-%NEXPOSE-tenim: 2019-9-19T1:09:05 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono +%NEXPOSE-lore: 2019-10-3T8:11:40 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru +%NEXPOSE-mco: 2019-10-18T3:14:14 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. +%NEXPOSE-tenim: 2019-11-1T10:16:48 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono %NEXPOSE-tempori: sedquian %NEXPOSE-umfu: No %NEXPOSE-nisi: credentials: -%NEXPOSE-ptate: tconsect -%NEXPOSE-amqua: 2019-11-30T12:21:57 [isnost] [Thread: eaco] [Site: oremeu] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value uis. -%NEXPOSE-turmagni: iatur NEXPOSE_GENERIC: diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json index 9ed4b3d8ef2..741cde33d3f 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json 
@@ -1566,22 +1566,18 @@ ] }, { - "event.action": "allow", - "event.code": "AssetGroupEventHandler", + "event.code": "No", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-uunturm: 2019-5-28T4:48:31 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", + "event.original": "%NEXPOSE-aturExc: 2019-5-28T4:48:31 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq", "fileset.name": "nexpose", "input.type": "log", "log.offset": 5606, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "AssetGroupEventHandler", - "rsa.misc.action": [ - "allow" - ], - "service.name": "fld1", + "rsa.internal.event_desc": "eaq", + "rsa.internal.messageid": "No", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1589,17 +1585,17 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.code": "[Site:", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-agn: Stopping eritinvo", + "event.original": "%NEXPOSE-ipis: 2019-6-11T11:51:06 [nsecte] [Thread: miurere] [Site: tat] persistent-xss ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5742, + "log.offset": 5712, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", + "rsa.internal.messageid": "[Site:", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1607,22 +1603,18 @@ ] }, { - "event.action": "Shutting down", - "event.code": "ConsoleScanImporter", + "event.code": "Activation", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-uisaut: 2019-6-25T6:53:40 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", + "event.original": "%NEXPOSE-olupta: 2019-6-25T6:53:40 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5774, + "log.offset": 5801, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "tinvo", - "rsa.internal.messageid": "ConsoleScanImporter", - "rsa.misc.action": [ - "Shutting down" - ], + "rsa.internal.event_desc": "psumqui", + "rsa.internal.messageid": "Activation", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1630,17 +1622,22 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.action": "allow", + "event.code": "AssetGroupEventHandler", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-ctobeat: common ", + "event.original": "%NEXPOSE-uunturm: 2019-7-10T1:56:14 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5895, + "log.offset": 5915, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", + "rsa.internal.messageid": "AssetGroupEventHandler", + "rsa.misc.action": [ + "allow" + ], + "service.name": "fld1", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1651,10 +1648,10 @@ "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-olab: remagnam Destroying: ", + "event.original": "%NEXPOSE-agn: Stopping eritinvo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5921, + "log.offset": 6051, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1666,17 +1663,22 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.action": "Shutting down", + "event.code": "ConsoleScanImporter", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-adipi: idid Destroying: ", + "event.original": "%NEXPOSE-uisaut: 2019-8-7T4:01:23 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5958, + "log.offset": 6083, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", + "rsa.internal.event_desc": "tinvo", + "rsa.internal.messageid": "ConsoleScanImporter", + "rsa.misc.action": [ + "Shutting down" + ], "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1684,19 +1686,17 @@ ] }, { - "event.code": "Job", + "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-lore: 2019-8-21T11:03:57 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", + "event.original": "%NEXPOSE-ctobeat: common ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 5992, + "log.offset": 6203, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.db.index": "stlaboru", - "rsa.internal.event_desc": "Job execution threads will use class loader", - "rsa.internal.messageid": "Job", + "rsa.internal.messageid": "NEXPOSE_GENERIC", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1704,19 +1704,17 @@ ] }, { - "event.code": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", + "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-mco: 2019-9-5T6:06:31 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", + "event.original": "%NEXPOSE-olab: remagnam Destroying: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6158, + "log.offset": 6229, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", - "rsa.internal.messageid": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", - "rsa.misc.result_code": "uaer", + "rsa.internal.messageid": "NEXPOSE_GENERIC", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1724,18 +1722,17 @@ ] }, { - "event.code": "Restarting", + "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-tenim: 2019-9-19T1:09:05 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono", + "event.original": "%NEXPOSE-adipi: idid Destroying: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6421, + "log.offset": 6266, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "iono", - "rsa.internal.messageid": "Restarting", + "rsa.internal.messageid": "NEXPOSE_GENERIC", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1743,17 +1740,19 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.code": "Job", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-tempori: sedquian", + "event.original": "%NEXPOSE-lore: 2019-10-3T8:11:40 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6527, + "log.offset": 6300, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", + "rsa.db.index": "stlaboru", + "rsa.internal.event_desc": "Job execution threads will use class loader", + "rsa.internal.messageid": "Job", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1761,17 +1760,19 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.code": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-umfu: No ", + "event.original": "%NEXPOSE-mco: 2019-10-18T3:14:14 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6554, + "log.offset": 6465, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", + "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", + "rsa.internal.messageid": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", + "rsa.misc.result_code": "uaer", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1779,17 +1780,18 @@ ] }, { - "event.code": "NEXPOSE_GENERIC", + "event.code": "Restarting", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-nisi: credentials: ", + "event.original": "%NEXPOSE-tenim: 2019-11-1T10:16:48 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6573, + "log.offset": 6730, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", + "rsa.internal.event_desc": "iono", + "rsa.internal.messageid": "Restarting", "service.type": "rapid7", "tags": [ "rapid7.nexpose", 
@@ -1800,10 +1802,10 @@ "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-ptate: tconsect", + "event.original": "%NEXPOSE-tempori: sedquian", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6602, + "log.offset": 6837, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", @@ -1815,17 +1817,17 @@ ] }, { - "event.code": "[Site:", + "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-amqua: 2019-11-30T12:21:57 [isnost] [Thread: eaco] [Site: oremeu] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value uis.", + "event.original": "%NEXPOSE-umfu: No ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6627, + "log.offset": 6864, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", + "rsa.internal.messageid": "NEXPOSE_GENERIC", "service.type": "rapid7", "tags": [ "rapid7.nexpose", @@ -1836,10 +1838,10 @@ "event.code": "NEXPOSE_GENERIC", "event.dataset": "rapid7.nexpose", "event.module": "rapid7", - "event.original": "%NEXPOSE-turmagni: iatur NEXPOSE_GENERIC: ", + "event.original": "%NEXPOSE-nisi: credentials: ", "fileset.name": "nexpose", "input.type": "log", - "log.offset": 6799, + "log.offset": 6883, "observer.product": "Nexpose", "observer.type": "Vulnerability", "observer.vendor": "Rapid7", diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index 878e815922d..da355eb9ff1 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-08 22:21:04.512834 +0000 UTC. +at 2020-07-13 17:12:06.770947 +0000 UTC. 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log index d80d01a1de2..eb7e231070a 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log 
@@ -1,100 +1,100 @@ -id=consec sn=taliquip time="2016/01/29 06:09:59" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway -id=tconsec sn=nsequat time="2016/02/12 13:12:33" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 -id=tempor sn=omnis time="2016/02/26 20:15:08" fw=10.245.94.130 pri=high c=inesci m=128 PPPoE LCP Link Down -id=niamquis sn=itati time="2016/03/12 03:17:42" fw=10.220.19.19 pri=low c=atatnonp m=413 msg="uiano" n=mrema src=10.214.225.125:5710 dst=10.163.217.10:5722 -gitsedqu id=uam sn=temq time="2016-3-26 10:20:16" fw=10.38.77.13 pri=low c=Utenimad m=14 msg="nibusBon" app=ehend sess="ueipsaqu" n=uidolore usr="niamqu" src=10.202.66.28:1852:enp0s5098 dst=10.64.155.245:6613:lo5037 srcMac=01:00:5e:4c:ae:05dstMac=01:00:5e:56:32:70 proto=icmp dstname=mqua3391.www.local arg=mquisnos code=loremagn Category="iciade" rule="tsed" fw_action="allow" -id=roinBCSe sn=onse time="2016/04/09 17:22:51" fw=10.136.153.149 pri=high c=imav m=1231 msg="ididu" n=tion note="orsitame" -id=umdo sn=sed time="2016-4-24 12:25:25" fw=10.206.224.241 pri=medium c=pteursi m=908 msg="onse" n=rumet src=10.162.42.110:6787:eth4075:temUten4125.www5.example dst=Ciceroi 10.90.131.186:6343:lo5529 srcMac=olo 01:00:5e:60:3e:36 dstMac=01:00:5e:0d:d9:0c proto=ipv6/atquovo fw_action="deny" -id=ist sn=tnon time="2016/05/08 07:27:59" fw=10.82.29.215 pri=low c=edquiano m=605 msg="loru" n=ema src=10.74.237.180:7041 dst=10.50.66.65:1793 -id=idestla sn=Nemoeni time="2016/05/22 14:30:33" fw=10.196.105.137 pri=high c=luptat m=994 msg="torev" n=urExc usr=sectetur src=10.109.232.112:1640 dst=10.58.208.39:2382 note="fugit" -id=paqu sn=eseru time="2016/06/05 21:33:08" fw=10.237.30.22 pri=medium c=quip m=13 Restarting SonicWALL; dumping log to email -id=uisquam sn=ctetura time="2016/06/20 04:35:42" fw=10.241.19.131 pri=very-high c=lapariat m=350 msg="eddoei" n=eve src=10.72.29.73 dst=10.3.117.13 -id=entsu sn=dun 
time="2016/07/04 11:38:16" fw=10.85.101.196 pri=medium c=itaut m=166 Denied TCP connection from LAN -id=tema sn=ritatis time="2016/07/18 18:40:50" fw=10.36.241.234 pri=medium c=ccu m=159 Diagnostic Code F -id=inculpaq sn=agna time="2016/08/02 01:43:25" fw=10.148.13.98 pri=medium c=mqui m=72 msg="civeli" n=errorsi src=10.112.125.84:1284:eth1697 dst=10.193.76.77:4861:lo7388 -id=emp sn=aperia time="2016/08/16 08:45:59" fw=10.157.161.103 pri=medium c=vol m=351 msg="riat" n=taut src=10.114.138.121 dst=10.59.119.118 -id=oriosamn sn=deFinibu time="2016/08/30 15:48:33" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg="eprehend" n=hil src=10.136.114.84 dst=10.176.205.96 -colabo id=eme sn=numqu time="2016-9-13 10:51:07" fw=10.232.149.140 pri=very-high c=lum m=264 msg="utali" sess="sitvolup" dur=141.548000 n=ipitla usr="quae" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action="allow" -datatn id=mqu sn=apariat time="2016/09/28 05:53:42" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped -id=ionevo sn=remagn time="2016/10/12 12:56:16" fw=10.160.205.242 pri=high c=uovolup m=84 msg="Failed to resolve name" n=samvolu dstname=ittenbyC3936.internal.test -id=amc sn=atur time="2016/10/26 19:58:50" fw=10.188.37.199 pri=low c=intoc m=995 msg="oluptas" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note="ione" -gel id=lorsitam sn=mpo time="2016/11/10 03:01:24" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying). 
-id=quioffi sn=uptate time="2016/11/24 10:03:59" fw=10.201.6.10 pri=high c=sequa m=346 msg="aera" n=ate src=10.240.242.122 dst=10.144.97.172 -id=uptasn sn=reme time="2016-12-8 5:06:33" fw=10.70.114.233 pri=high c=udantium m=796 msg="pre" n=xeacom fw_action="deny" -id=lorinre sn=olorsita time="2016/12/23 00:09:07" fw=10.226.20.99 pri=medium c=econs m=888 msg="blocked;cancel" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example -id=veniamqu sn=nse time="2017/01/06 07:11:41" fw=10.194.247.171 pri=low c=mquisnos m=882 msg="maven" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu -id=tvolu sn=ecte time="2017/01/20 14:14:16" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available -olupta id=litse sn=icabo time="2017/02/03 21:16:50" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28 -id=reetdolo sn=smo time="2017/02/18 04:19:24" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam -santiumd id=turadip sn=uatD time="2017/03/04 11:21:59" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped -id=volu sn=nonn time="2017/03/18 18:24:33" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login -id=sBon sn=orro time="2017/04/02 01:27:07" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD -amvo id=qui sn=tasn time="2017/04/16 08:29:41" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" -id=tvolupt sn=eufugi time="2017/04/30 15:32:16" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available -temqu id=ovol sn=ptasn time="2017/05/14 22:34:50" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped -id=pid sn=illoin time="2017/05/29 05:37:24" fw=10.130.38.118 pri=low c=natuse 
m=163 Disconnecting PPPoE due to traffic timeout -quid id=fugiat sn=atisun time="2017/06/12 12:39:58" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN -id=essequam sn=acommo time="2017/06/26 19:42:33" fw=10.177.144.70 pri=medium c=iat m=534 msg="etur" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note="tinv" -id=isnisi sn=ritatise time="2017/07/11 02:45:07" fw=10.38.54.72 pri=very-high c=ciad m=83 msg="tali" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note="sau" npcs=atevelit -id=billo sn=labo time="2017/07/25 09:47:41" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active -elitse id=ima sn=quasia time="2017/08/08 16:50:15" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local -id=asiarc sn=ian time="2017/08/22 23:52:50" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed -id=rauto sn=ationev time="2017/09/06 06:55:24" fw=10.92.19.202 pri=high c=nby m=350 msg="mve" n=osqui src=10.161.148.64 dst=10.96.97.81 -id=nsequat sn=doloreme time="2017/09/20 13:57:58" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked -itse id=umexerc sn=oremipsu time="2017/10/04 21:00:32" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg="liqua" n=utodita note="aec" -id=elitse sn=reseo time="2017/10/19 04:03:07" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked -id=plicab sn=oremq time="2017/11/02 11:05:41" fw=10.40.152.253 pri=low c=ritt m=msg msg="iaeco" src=10.53.150.77 dst=10.125.134.213 failure -id=quaea sn=ametcons time="2017/11/16 18:08:15" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL -id=ariatur sn=rer time="2017/12/01 01:10:49" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 
dst=10.77.174.205 -id=luptatem sn=uaeratv time="2017/12/15 08:13:24" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173 -id=ntutlabo sn=iusmodte time="2017-12-29 3:15:58" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action="cancel" -id=proident sn=maliquam time="2018-1-12 10:18:32" fw=10.229.229.42 pri=high c=vitaedic m=428 msg="orin" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action="allow" -id=emvele sn=isnost time="2018/01/27 05:21:06" fw=10.71.112.159 pri=medium c=emqu m=412 msg="riss" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note="aliq" -id=mven sn=olorsit time="2018/02/10 12:23:41" fw=10.121.239.183 pri=very-high c=consequa m=27 Land Attack Dropped -id=tatevel sn=boreetdo time="2018/02/24 19:26:15" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C -id=ddoeius sn=ugiatn time="2018/03/11 02:28:49" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded -id=uiadol sn=Duisa time="2018/03/25 09:31:24" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting. -id=emips sn=atv time="2018/04/08 16:33:58" fw=10.2.114.9 pri=high c=alorum m=372 msg="obeataev" n=tempor src=10.134.237.235 dst=10.11.83.126 -id=osquir sn=mod time="2018/04/22 23:36:32" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting). -id=Sedutpe sn=prehen time="2018/05/07 06:39:06" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN -tempor id=citatio sn=oluptat time="2018/05/21 13:41:41" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting). -id=nsequunt sn=proident time="2018/06/04 20:44:15" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE. 
-ugit id=tatem sn=metcons time="2018/06/19 03:46:49" fw=10.252.102.110 pri=medium c=tamet m=412 msg="perspici" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note="molestia" -id=labore sn=uela time="2018/07/03 10:49:23" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg="deny" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168 -licaboN id=atquo sn=cupi time="2018/07/17 17:51:58" fw=10.151.129.181 pri=very-high c=udan m=373 msg="allow" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484 -id=aeab sn=teur time="2018/08/01 00:54:32" fw=10.231.199.50 pri=low c=stquid m=412 msg="turadipi" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note="illu" -id=asuntexp sn=adminim time="2018/08/15 07:57:06" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped -id=iumt sn=tsed time="2018/08/29 14:59:40" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out -orsi id=tetura sn=imadmini time="2018/09/12 22:02:15" fw=10.46.192.198 pri=high c=uat m=96 Status -id=dolorema sn=emagn time="2018-9-27 5:04:49" fw=10.200.86.116 pri=medium m= msg="orinrep" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474 -id=culpaqui sn=tvolup time="2018/10/11 12:07:23" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded -id=tatev sn=luptas time="2018/10/25 19:09:57" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI -id=iadese sn=nisiu time="2018/11/09 02:12:32" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active -id=sitametc sn=onsequa time="2018/11/23 09:15:06" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available -id=pisc sn=urEx time="2018/12/07 16:17:40" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel -id=tnonproi sn=squira time="2018/12/21 23:20:14" fw=10.141.238.139 pri=medium c=uide m=144 Primary firewall has transitioned to Idle -lmolesti id=meumfugi sn=tquas time="2019/01/05 06:22:49" fw=10.200.22.41 pri=medium 
c=iame m=83 msg="orroquis" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370 -id=uisnostr sn=reetdol time="2019/01/19 13:25:23" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle -id=runtmo sn=ore time="2019/02/02 20:27:57" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying). -id=mveleum sn=liq time="2019/02/17 03:30:32" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed -mdolors id=oremi sn=ugitsedq time="2019/03/03 10:33:06" fw=10.143.229.47 pri=medium c=nisiut m=710 msg="cancel" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360 -tvolup id=consecte sn=pteurs time="2019/03/17 17:35:40" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source -id=unt sn=tass time="2019/04/01 00:38:14" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped -id=umdolo sn=rroqui time="2019/04/15 07:40:49" fw=10.76.122.196 pri=high c=epteur m=888 msg="malware;deny" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test -cepteur id=aer sn=osquira time="2019/04/29 14:43:23" fw=10.232.158.211 pri=high c=dolorem m=998 msg="sed" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note="sed" -id=pernat sn=udan time="2019/05/13 21:45:57" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot -id=orum sn=Bonoru time="2019/05/28 04:48:31" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email -id=lamcola sn=veli time="2019/06/11 11:51:06" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server -id=mmod sn=iti time="2019/06/25 18:53:40" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked -id=mag sn=gelitse time="2019/07/10 01:56:14" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 -id=nostrud sn=cteturad time="2019/07/24 
08:58:48" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F -id=ritati sn=iciade time="2019/08/07 16:01:23" fw=10.202.224.79 pri=low c=nevolupt m=441 msg="aco" n=apar -id=vol sn=psumd time="2019/08/21 23:03:57" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 -enbyCi id=reetdo sn=tat time="2019/09/05 06:06:31" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). -id=quunt sn=itasp time="2019/09/19 13:09:05" fw=10.210.181.12 pri=high c=met m=714 msg="volup" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur -id=ita sn=amquaer time="2019/10/03 20:11:40" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication -id=smod sn=idunt time="2019/10/18 03:14:14" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association -lore id=isci sn=Dui time="2019/11/01 10:16:48" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed -id=olore sn=orumS time="2019/11/15 17:19:22" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN -umdolore id=dmi sn=tam time="2019/11/30 00:21:57" fw=10.151.170.207 pri=high c=dunt m=src src=10.243.170.64 dst=10.85.204.8 amquisno -id=magnam sn=uinesc time="2019/12/14 07:24:31" fw=10.172.95.162 pri=very-high c=Bonorum m=105 Sending DHCP DISCOVER. 
+idi id=pexe sn=nes time="2016/01/29 06:09:59" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp +id=umexe sn=estlabo time="2016/02/12 13:12:33" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed +id=alo sn=eosquir time="2016-2-26 8:15:08" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" +emape id=aer sn=lupt time="2016/03/12 03:17:42" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up +id=consec sn=taliquip time="2016/03/26 10:20:16" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway +id=tconsec sn=nsequat time="2016/04/09 17:22:51" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 +llamcorp id=ari sn=eataevit time="2016/04/24 00:25:25" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked +mquisnos id=loremagn sn=iciade time="2016/05/08 07:27:59" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure +id=aali sn=ametcons time="2016/05/22 14:30:33" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal +orsitame id=quiratio sn=ite time="2016/06/05 21:33:08" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked +id=usan sn=aper time="2016/06/20 04:35:42" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host +id=atquovo sn=iumto time="2016/07/04 11:38:16" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated +id=undeo sn=loremip time="2016-7-18 6:40:50" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" +id=rveli sn=rsint time="2016/08/02 01:43:25" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped +id=qua sn=luptatev time="2016/08/16 08:45:59" 
fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores +id=tatiset sn=eprehen time="2016/08/30 15:48:33" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings +id=aliq sn=rsitam time="2016/09/13 22:51:07" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" +id=itecto sn=erc time="2016/09/28 05:53:42" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed +id=tat sn=tion time="2016/10/12 12:56:16" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" +id=nidolo sn=tatn time="2016/10/26 19:58:50" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 +id=quip sn=mporain time="2016-11-10 3:01:24" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept" +id=idex sn=xerci time="2016/11/24 10:03:59" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib +id=ari sn=exercit time="2016/12/08 17:06:33" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active +id=serunt sn=aquaeabi time="2016/12/23 00:09:07" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). 
+id=veniamq sn=one time="2017/01/06 07:11:41" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source +id=tin sn=tenima time="2017/01/20 14:14:16" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete +id=equat sn=derit time="2017/02/03 21:16:50" fw=10.90.86.89 pri=medium c=labor m=867 msg="didunt" sess=uptatema n=intocc +eporr id=xeacomm sn=mveleu time="2017/02/18 04:19:24" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated +id=nisi sn=dant time="2017/03/04 11:21:59" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state. +id=quidolor sn=tessec time="2017/03/18 18:24:33" fw=10.135.160.125 pri=low c=icabo m=882 msg="itatio" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp +id=Nequepor sn=ali time="2017/04/02 01:27:07" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed +id=ehen sn=tate time="2017/04/16 08:29:41" fw=10.140.167.6 pri=low c=stquido m=372 msg="ommodico" n=ptas src=10.60.129.15 dst=10.248.101.25 +id=Nequepo sn=ipsumd time="2017/04/30 15:32:16" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed +id=reetdolo sn=smo time="2017/05/14 22:34:50" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam +santiumd id=turadip sn=uatD time="2017/05/29 05:37:24" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped +id=volu sn=nonn time="2017/06/12 12:39:58" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login +id=sBon sn=orro time="2017/06/26 19:42:33" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD +amvo id=qui sn=tasn time="2017/07/11 02:45:07" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" +id=tvolupt sn=eufugi time="2017/07/25 09:47:41" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter 
list available +temqu id=ovol sn=ptasn time="2017/08/08 16:50:15" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped +id=pid sn=illoin time="2017/08/22 23:52:50" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout +id=mestq sn=temUt time="2017/09/06 06:55:24" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active +id=adeser sn=oin time="2017/09/20 13:57:58" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg="quam" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 +reetdol id=totamre sn=isnostr time="2017/10/04 21:00:32" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out +psaquaea id=taevita sn=ameiusm time="2017/10/19 04:03:07" fw=10.227.15.253 pri=high c=piscinge m=402 msg="tvol" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit +elitse id=ima sn=quasia time="2017/11/02 11:05:41" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local +id=asiarc sn=ian time="2017/11/16 18:08:15" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed +id=intocc sn=amcorp time="2017/12/01 01:10:49" fw=10.57.57.241 pri=low c=litani m=83 msg="utodita" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note="tiaec" npcs=rumwrit +id=gna sn=con time="2017/12/15 08:13:24" fw=10.11.44.250 pri=high c=etMal m=931 msg="qua" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 +rem id=asper sn=idunt time="2017/12/29 15:15:58" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server +id=uisaute sn=imide time="2018/01/12 22:18:32" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable +id=ilmol sn=eri time="2018/01/27 05:21:06" fw=10.154.53.249 pri=low c=mquae m=243 msg="eriti" n=atcupi usr=corpori 
src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp +id=ntutlabo sn=iusmodte time="2018-2-10 12:23:41" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny" +id=emvele sn=isnost time="2018/02/24 19:26:15" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped +sit id=rumSect sn=ita time="2018/03/11 02:28:49" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E +oremag id=illu sn=ruredo time="2018/03/25 09:31:24" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore +id=onu sn=liquaUte time="2018/04/08 16:33:58" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication +id=mveniamq sn=taedict time="2018-4-22 11:36:32" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow" +id=uiinea sn=mnisiut time="2018/05/07 06:39:06" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 +id=mve sn=uia time="2018/05/21 13:41:41" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout +id=doei sn=cipitl time="2018/06/04 20:44:15" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 +ipsa id=asuntexp sn=adminim time="2018/06/19 03:46:49" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable +id=iumt sn=tsed time="2018/07/03 10:49:23" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out +id=loremag sn=tcu time="2018/07/17 17:51:58" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 +elillum id=upt sn=rnat time="2018/08/01 00:54:32" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped +doeiu id=deF sn=itempo time="2018/08/15 07:57:06" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor 
src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" +BCS id=qui sn=ugiatquo time="2018/08/29 14:59:40" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN +id=vol sn=admi time="2018/09/12 22:02:15" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 +id=olorem sn=gitse time="2018/09/27 05:04:49" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" +id=gna sn=isiutali time="2018/10/11 12:07:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed +id=uaturve sn=amquisno time="2018/10/25 19:09:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 +id=atu sn=iusm time="2018/11/09 02:12:32" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 +id=oin sn=itseddoe time="2018/11/23 09:15:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. +id=giatquov sn=olu time="2018/12/07 16:17:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. 
+emagn id=emulla sn=mips time="2018/12/21 23:20:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out +id=itametc sn=ori time="2019/01/05 06:22:49" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle +id=doconse sn=etdol time="2019/01/19 13:25:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 +id=min sn=oluptat time="2019/02/02 20:27:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 +id=eacommo sn=ueip time="2019/02/17 03:30:32" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon +usm id=labori sn=porai time="2019/03/03 10:33:06" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked +id=lup sn=upta time="2019-3-17 5:35:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" +id=mmod sn=iti time="2019/04/01 00:38:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked +id=mag sn=gelitse time="2019/04/15 07:40:49" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 +id=nostrud sn=cteturad time="2019/04/29 14:43:23" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F +oluptate id=lit sn=santi time="2019/05/13 21:45:57" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar +id=vol sn=psumd time="2019/05/28 04:48:31" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 +enbyCi id=reetdo sn=tat time="2019/06/11 11:51:06" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). 
+id=iamqui sn=tassita time="2019/06/25 18:53:40" fw=10.7.47.118 pri=medium c=piscing m=712 msg="allow" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129 +inesciu id=quid sn=atcupid time="2019/07/10 01:56:14" fw=10.29.5.115 pri=very-high c=ate m=670 msg="con" sess=tqu n=eirur +hite id=ianonnum sn=nofdeFi time="2019/07/24 08:58:48" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup +id=arch sn=lite time="2019/08/07 16:01:23" fw=10.25.118.123 pri=high c=borumSec m=931 msg="aecatcup" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 +id=rumSecti sn=Utenima time="2019-8-21 11:03:57" fw=10.74.166.70 pri=very-high c=olor m=1086 msg="radip" n=rchitect fw_action="deny" +id=amquisno sn=modoc time="2019/09/05 06:06:31" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded +id=Bonorum sn=lesti time="2019/09/19 13:09:05" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked +uuntur id=tsedquia sn=its time="2019/10/03 20:11:40" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent +id=tatevel sn=midestl time="2019/10/18 03:14:14" fw=10.222.197.130 pri=medium c=ulapa m=713 msg="block" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342 +id=hilmole sn=sequ time="2019/11/01 10:16:48" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination +umtota id=etdolore sn=magnaa time="2019/11/15 17:19:22" fw=10.209.34.197 pri=very-high c=tes m=766 msg="equam" n=isi +id=rep sn=remap time="2019/11/30 00:21:57" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN +id=nesciun sn=amcolab time="2019/12/14 07:24:31" fw=10.142.7.145 pri=low c=iuta m=373 msg="deny" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745 diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 871c56736c6..8151dfe8288 100644 
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -1,20 +1,36 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "event.code": "170", + "destination.nat.ip": "10.49.111.67", + "destination.nat.port": 884, + "event.code": "914", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=consec sn=taliquip time=\"2016/01/29 06:09:59\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", + "event.original": "idi id=pexe sn=nes time=\"2016/01/29 06:09:59\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", "fileset.name": "firewall", + "host.hostname": "oreetdol1714.internal.corp", + "host.name": "nostrud4819.mail.test", "input.type": "log", "log.offset": 0, + "log.original": "lupt", + "observer.egress.interface.name": "eth3598", + "observer.ingress.interface.name": "eth7178", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "170", - "rsa.time.date": "2016/01/29", + "related.ip": [ + "10.49.111.67", + "10.92.136.230" + ], + "rsa.internal.messageid": "914", + "rsa.internal.msg": "lupt", + "rsa.network.dinterface": "eth3598", + "rsa.network.sinterface": "eth7178", "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sonicwall", + "source.address": "oreetdol1714.internal.corp", + "source.nat.ip": "10.92.136.230", + "source.nat.port": 6437, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -22,53 +38,72 @@ }, { "@timestamp": "2016-02-12T15:12:33.000Z", - "destination.ip": [ - "10.13.70.213" - ], - "event.code": "372", + "event.code": "16", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tconsec sn=nsequat time=\"2016/02/12 13:12:33\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", + "event.original": "id=umexe sn=estlabo time=\"2016/02/12 13:12:33\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 141, - "log.original": "llu", + "log.offset": 211, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.95.245.65", - "10.13.70.213" - ], - "rsa.internal.messageid": "372", - "rsa.internal.msg": "llu", + "rsa.internal.messageid": "16", "rsa.time.date": "2016/02/12", "rsa.time.event_time": "2016-02-12T15:12:33.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.95.245.65" - ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2016-02-26T22:15:08.000Z", - "event.code": "128", + "@timestamp": "2016-02-26T10:15:08.000Z", + "destination.ip": [ + "10.227.15.1" + ], + "destination.mac": "01:00:5e:f7:a9:ff", + "destination.port": 410, + "event.action": "allow", + "event.code": "alo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tempor sn=omnis time=\"2016/02/26 20:15:08\" fw=10.245.94.130 pri=high c=inesci m=128 PPPoE LCP Link Down", + "event.original": "id=alo sn=eosquir time=\"2016-2-26 8:15:08\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", "fileset.name": "firewall", + "host.ip": "10.149.203.46", "input.type": "log", - "log.offset": 289, + "log.level": "medium", + "log.offset": 316, + 
"network.protocol": "rdp", + "observer.egress.interface.name": "eth1977", + "observer.ingress.interface.name": "eth6183", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "128", - "rsa.time.date": "2016/02/26", - "rsa.time.event_time": "2016-02-26T22:15:08.000Z", + "related.ip": [ + "10.227.15.1", + "10.149.203.46", + "10.150.156.22" + ], + "rsa.internal.event_desc": "ctetur", + "rsa.internal.messageid": "1369", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "mwritten", + "rsa.misc.reference_id": "alo", + "rsa.misc.serial_number": "eosquir", + "rsa.misc.severity": "medium", + "rsa.network.dinterface": "eth1977", + "rsa.network.sinterface": "eth6183", + "rsa.time.date": "2016-2-26", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.150.156.22" + ], + "source.mac": "01:00:5e:84:66:6c", + "source.port": 6378, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -76,30 +111,19 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.nat.ip": "10.163.217.10", - "destination.nat.port": 5722, - "event.code": "413", + "event.code": "127", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=niamquis sn=itati time=\"2016/03/12 03:17:42\" fw=10.220.19.19 pri=low c=atatnonp m=413 msg=\"uiano\" n=mrema src=10.214.225.125:5710 dst=10.163.217.10:5722", + "event.original": "emape id=aer sn=lupt time=\"2016/03/12 03:17:42\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", "fileset.name": "firewall", "input.type": "log", - "log.offset": 396, - "log.original": "uiano", + "log.offset": 563, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.163.217.10", - "10.214.225.125" - ], - "rsa.internal.messageid": "413", - "rsa.internal.msg": "uiano", - "rsa.time.date": "2016/03/12", + "rsa.internal.messageid": "127", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.214.225.125", - "source.nat.port": 5710, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -107,133 +131,73 @@ }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "destination.address": "mqua3391.www.local", - "destination.ip": [ - "10.64.155.245" - ], - "destination.mac": "01:00:5e:56:32:70", - "destination.port": 6613, - "event.action": "allow", - "event.code": "14", + "event.code": "170", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "gitsedqu id=uam sn=temq time=\"2016-3-26 10:20:16\" fw=10.38.77.13 pri=low c=Utenimad m=14 msg=\"nibusBon\" app=ehend sess=\"ueipsaqu\" n=uidolore usr=\"niamqu\" src=10.202.66.28:1852:enp0s5098 dst=10.64.155.245:6613:lo5037 srcMac=01:00:5e:4c:ae:05dstMac=01:00:5e:56:32:70 proto=icmp dstname=mqua3391.www.local arg=mquisnos code=loremagn Category=\"iciade\" rule=\"tsed\" fw_action=\"allow\"", + "event.original": "id=consec sn=taliquip time=\"2016/03/26 10:20:16\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", "fileset.name": "firewall", "input.type": "log", - "log.offset": 552, - "log.original": "nibusBon", - "network.protocol": "icmp", - "observer.egress.interface.name": "lo5037", - "observer.ingress.interface.name": "enp0s5098", + "log.offset": 670, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.64.155.245", - "10.202.66.28" - ], - "related.user": [ - "niamqu" - ], - "rsa.internal.messageid": "14", - "rsa.internal.msg": "nibusBon", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "iciade", - "rsa.misc.param": "mquisnos", - "rsa.misc.result_code": "loremagn", - "rsa.misc.rule": "tsed", - "rsa.network.dinterface": "lo5037", - "rsa.network.host_dst": "mqua3391.www.local", - "rsa.network.sinterface": "enp0s5098", + "rsa.internal.messageid": "170", + "rsa.time.date": "2016/03/26", "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.202.66.28" - ], - "source.mac": "01:00:5e:4c:ae:05", - "source.port": 1852, 
"tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "niamqu" + ] }, { "@timestamp": "2016-04-09T19:22:51.000Z", - "event.code": "1231", + "destination.ip": [ + "10.13.70.213" + ], + "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=roinBCSe sn=onse time=\"2016/04/09 17:22:51\" fw=10.136.153.149 pri=high c=imav m=1231 msg=\"ididu\" n=tion note=\"orsitame\"", + "event.original": "id=tconsec sn=nsequat time=\"2016/04/09 17:22:51\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", "fileset.name": "firewall", "input.type": "log", - "log.offset": 930, - "log.original": "ididu", + "log.offset": 811, + "log.original": "llu", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.db.index": "orsitame", - "rsa.internal.messageid": "1231", - "rsa.internal.msg": "ididu", - "rsa.misc.space": "", + "related.ip": [ + "10.95.245.65", + "10.13.70.213" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "llu", "rsa.time.date": "2016/04/09", "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.95.245.65" + ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2016-04-24T14:25:25.000Z", - "destination.ip": [ - "10.90.131.186" - ], - "destination.mac": "01:00:5e:0d:d9:0c", - "destination.port": 6343, - "event.action": "deny", - "event.code": "umdo", + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "176", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=umdo sn=sed time=\"2016-4-24 12:25:25\" fw=10.206.224.241 pri=medium c=pteursi m=908 msg=\"onse\" n=rumet src=10.162.42.110:6787:eth4075:temUten4125.www5.example dst=Ciceroi 10.90.131.186:6343:lo5529 srcMac=olo 01:00:5e:60:3e:36 dstMac=01:00:5e:0d:d9:0c proto=ipv6/atquovo fw_action=\"deny\"", + "event.original": "llamcorp id=ari 
sn=eataevit time=\"2016/04/24 00:25:25\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", "fileset.name": "firewall", - "host.hostname": "temUten4125.www5.example", - "host.ip": "10.206.224.241", "input.type": "log", - "log.level": "medium", - "log.offset": 1055, - "network.protocol": "ipv6", - "observer.egress.interface.name": "lo5529", - "observer.ingress.interface.name": "eth4075", + "log.offset": 959, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.162.42.110", - "10.90.131.186", - "10.206.224.241" - ], - "rsa.internal.event_desc": "onse", - "rsa.internal.messageid": "908", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "pteursi", - "rsa.misc.reference_id": "umdo", - "rsa.misc.serial_number": "sed", - "rsa.misc.severity": "medium", - "rsa.network.dinterface": "lo5529", - "rsa.network.sinterface": "eth4075", - "rsa.time.date": "2016-4-24", - "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.internal.messageid": "176", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", "service.type": "sonicwall", - "source.address": "temUten4125.www5.example", - "source.ip": [ - "10.162.42.110" - ], - "source.mac": "01:00:5e:60:3e:36", - "source.port": 6787, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -241,31 +205,19 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "destination.nat.ip": "10.50.66.65", - "destination.nat.port": 1793, - "event.code": "605", + "event.code": "50", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ist sn=tnon time=\"2016/05/08 07:27:59\" fw=10.82.29.215 pri=low c=edquiano m=605 msg=\"loru\" n=ema src=10.74.237.180:7041 dst=10.50.66.65:1793", + "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/08 07:27:59\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1344, - "log.original": "loru", + "log.offset": 1098, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.74.237.180", - "10.50.66.65" - ], - "rsa.internal.messageid": "605", - "rsa.internal.msg": "loru", - "rsa.misc.ntype": "ema", - "rsa.time.date": "2016/05/08", + "rsa.internal.messageid": "50", "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.74.237.180", - "source.nat.port": 7041, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -273,54 +225,38 @@ }, { "@timestamp": "2016-05-22T16:30:33.000Z", - "destination.nat.ip": "10.58.208.39", - "destination.nat.port": 2382, - "event.code": "994", + "event.code": "87", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=idestla sn=Nemoeni time=\"2016/05/22 14:30:33\" fw=10.196.105.137 pri=high c=luptat m=994 msg=\"torev\" n=urExc usr=sectetur src=10.109.232.112:1640 dst=10.58.208.39:2382 note=\"fugit\"", + "event.original": "id=aali sn=ametcons time=\"2016/05/22 14:30:33\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1488, - "log.original": "torev", + "log.offset": 1220, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.58.208.39", - "10.109.232.112" - ], - "related.user": [ - "sectetur" - ], - "rsa.internal.event_desc": "fugit", - "rsa.internal.messageid": "994", - "rsa.internal.msg": "torev", + "rsa.internal.messageid": "87", "rsa.time.date": "2016/05/22", "rsa.time.event_time": "2016-05-22T16:30:33.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.109.232.112", - "source.nat.port": 1640, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "sectetur" + ] }, { "@timestamp": "2016-06-05T23:33:08.000Z", - "event.code": "13", + "event.code": "15", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=paqu sn=eseru time=\"2016/06/05 21:33:08\" fw=10.237.30.22 pri=medium c=quip m=13 Restarting SonicWALL; dumping log to email", + "event.original": "orsitame id=quiratio sn=ite time=\"2016/06/05 21:33:08\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1671, + "log.offset": 1345, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "13", - 
"rsa.time.date": "2016/06/05", + "rsa.internal.messageid": "15", "rsa.time.event_time": "2016-06-05T23:33:08.000Z", "service.type": "sonicwall", "tags": [ @@ -330,32 +266,20 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.ip": [ - "10.3.117.13" - ], - "event.code": "350", + "event.code": "70", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uisquam sn=ctetura time=\"2016/06/20 04:35:42\" fw=10.241.19.131 pri=very-high c=lapariat m=350 msg=\"eddoei\" n=eve src=10.72.29.73 dst=10.3.117.13", + "event.original": "id=usan sn=aper time=\"2016/06/20 04:35:42\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1797, - "log.original": "eddoei", + "log.offset": 1461, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.3.117.13", - "10.72.29.73" - ], - "rsa.internal.messageid": "350", - "rsa.internal.msg": "eddoei", + "rsa.internal.messageid": "70", "rsa.time.date": "2016/06/20", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.72.29.73" - ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -363,17 +287,20 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "166", + "event.code": "129", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=entsu sn=dun time=\"2016/07/04 11:38:16\" fw=10.85.101.196 pri=medium c=itaut m=166 Denied TCP connection from LAN", + "event.original": "id=atquovo sn=iumto time=\"2016/07/04 11:38:16\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1945, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1573, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "166", + "rsa.internal.messageid": "129", "rsa.time.date": "2016/07/04", "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "sonicwall", @@ -383,20 +310,25 @@ ] }, { - "@timestamp": "2016-07-18T20:40:50.000Z", - "event.code": "159", + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.action": "cancel", + "event.code": "1149", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tema sn=ritatis time=\"2016/07/18 18:40:50\" fw=10.36.241.234 pri=medium c=ccu m=159 Diagnostic Code F", + "event.original": "id=undeo sn=loremip time=\"2016-7-18 6:40:50\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2061, + "log.offset": 1679, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "159", - "rsa.time.date": "2016/07/18", - "rsa.time.event_time": "2016-07-18T20:40:50.000Z", + "rsa.internal.event_desc": "idolore", + "rsa.internal.messageid": "1149", + "rsa.misc.action": [ + "cancel" + ], + "rsa.time.date": "2016-7-18", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -405,38 +337,20 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "destination.ip": [ - "10.193.76.77" - ], - "destination.port": 4861, - "event.code": "72", + "event.code": "81", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=inculpaq sn=agna time=\"2016/08/02 01:43:25\" fw=10.148.13.98 pri=medium c=mqui m=72 msg=\"civeli\" n=errorsi src=10.112.125.84:1284:eth1697 dst=10.193.76.77:4861:lo7388", + "event.original": "id=rveli sn=rsint time=\"2016/08/02 01:43:25\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2165, - "log.original": "civeli", - "observer.egress.interface.name": "lo7388", - "observer.ingress.interface.name": "eth1697", + "log.offset": 1807, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.193.76.77", - "10.112.125.84" - ], - "rsa.internal.messageid": "72", - "rsa.internal.msg": "civeli", - "rsa.network.dinterface": "lo7388", - "rsa.network.sinterface": "eth1697", + "rsa.internal.messageid": "81", "rsa.time.date": "2016/08/02", "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.112.125.84" - ], - "source.port": 1284, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -444,32 +358,23 @@ }, { "@timestamp": "2016-08-16T10:45:59.000Z", - "destination.ip": [ - "10.59.119.118" - ], - "event.code": "351", + "event.code": "1110", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emp sn=aperia time=\"2016/08/16 08:45:59\" fw=10.157.161.103 pri=medium c=vol m=351 msg=\"riat\" n=taut src=10.114.138.121 dst=10.59.119.118", + "event.original": "id=qua sn=luptatev time=\"2016/08/16 08:45:59\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2334, - "log.original": "riat", + "log.offset": 1934, + "log.original": "tinvol", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.114.138.121", - "10.59.119.118" - ], - "rsa.internal.messageid": "351", - "rsa.internal.msg": "riat", + "rsa.internal.messageid": "1110", + "rsa.internal.msg": "tinvol", + "rsa.misc.space": "", "rsa.time.date": "2016/08/16", "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.114.138.121" - ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -477,97 +382,72 @@ }, { "@timestamp": "2016-08-30T17:48:33.000Z", - "destination.ip": [ - "10.176.205.96" - ], - "event.code": "346", + "event.code": "10", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=oriosamn sn=deFinibu time=\"2016/08/30 15:48:33\" fw=10.45.25.68 pri=very-high c=emagnama m=346 msg=\"eprehend\" n=hil src=10.136.114.84 dst=10.176.205.96", + "event.original": "id=tatiset sn=eprehen time=\"2016/08/30 15:48:33\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2474, - "log.original": "eprehend", + "log.offset": 2046, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.136.114.84", - "10.176.205.96" - ], - "rsa.internal.messageid": "346", - "rsa.internal.msg": "eprehend", + "rsa.internal.messageid": "10", "rsa.time.date": "2016/08/30", "rsa.time.event_time": "2016-08-30T17:48:33.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.136.114.84" - ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2016-09-13T12:51:07.000Z", - "destination.ip": [ - "10.193.192.62" - ], - "destination.port": 0, - "event.action": "allow", - "event.code": "264", + "@timestamp": "2016-09-14T00:51:07.000Z", + "destination.nat.ip": "10.30.196.102", + "event.code": "353", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "colabo id=eme sn=numqu time=\"2016-9-13 10:51:07\" fw=10.232.149.140 pri=very-high c=lum m=264 msg=\"utali\" sess=\"sitvolup\" dur=141.548000 n=ipitla usr=\"quae\" src=10.170.120.4:2062:lo6637 dst=10.193.192.62:0:lo2706 fw_action=\"allow\"", + "event.original": "id=aliq sn=rsitam time=\"2016/09/13 22:51:07\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", "fileset.name": 
"firewall", + "host.hostname": "fugi4637.www.lan", "input.type": "log", - "log.offset": 2628, - "log.original": "utali", - "observer.egress.interface.name": "lo2706", - "observer.ingress.interface.name": "lo6637", + "log.offset": 2189, + "log.original": "onproide", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.193.192.62", - "10.170.120.4" - ], - "related.user": [ - "quae" - ], - "rsa.internal.messageid": "264", - "rsa.internal.msg": "utali", - "rsa.misc.action": [ - "allow" + "10.30.196.102", + "10.241.178.107" ], - "rsa.network.dinterface": "lo2706", - "rsa.network.sinterface": "lo6637", - "rsa.time.duration_time": 141.548, - "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.internal.messageid": "353", + "rsa.internal.msg": "onproide", + "rsa.misc.misc": "imadmini", + "rsa.misc.ntype": "Nemoen", + "rsa.time.date": "2016/09/13", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.170.120.4" - ], - "source.port": 2062, + "source.address": "fugi4637.www.lan", + "source.nat.ip": "10.241.178.107", "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "quae" + ] }, { "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "36", + "event.code": "68", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "datatn id=mqu sn=apariat time=\"2016/09/28 05:53:42\" fw=10.46.27.57 pri=low c=remi m=36 TCP connection dropped", + "event.original": "id=itecto sn=erc time=\"2016/09/28 05:53:42\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2858, + "log.offset": 2382, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "36", + "rsa.internal.messageid": "68", + "rsa.time.date": "2016/09/28", "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": 
"sonicwall", "tags": [ @@ -577,26 +457,31 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "destination.address": "ittenbyC3936.internal.test", - "event.action": "Failed to resolve name", - "event.code": "84", + "destination.nat.ip": "10.78.151.178", + "destination.nat.port": 3088, + "event.code": "24", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ionevo sn=remagn time=\"2016/10/12 12:56:16\" fw=10.160.205.242 pri=high c=uovolup m=84 msg=\"Failed to resolve name\" n=samvolu dstname=ittenbyC3936.internal.test", + "event.original": "id=tat sn=tion time=\"2016/10/12 12:56:16\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2968, + "log.offset": 2487, + "log.original": "emp", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "84", - "rsa.misc.action": [ - "Failed to resolve name" + "related.ip": [ + "10.78.151.178", + "10.157.161.103" ], - "rsa.network.host_dst": "ittenbyC3936.internal.test", + "rsa.internal.event_desc": "taut", + "rsa.internal.messageid": "24", + "rsa.internal.msg": "emp", "rsa.time.date": "2016/10/12", "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.157.161.103", + "source.nat.port": 383, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -604,31 +489,32 @@ }, { "@timestamp": "2016-10-26T21:58:50.000Z", - "destination.nat.ip": "10.6.77.80", - "destination.nat.port": 4921, - "event.code": "995", + "destination.ip": [ + "10.239.201.234" + ], + "event.code": "87", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=amc sn=atur time=\"2016/10/26 19:58:50\" fw=10.188.37.199 pri=low c=intoc m=995 msg=\"oluptas\" n=tNequepo src=10.52.186.29:2126 dst=10.6.77.80:4921 note=\"ione\"", + "event.original": "id=nidolo sn=tatn time=\"2016/10/26 19:58:50\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3131, - "log.original": "oluptas", + "log.offset": 2647, + "log.original": "Loremip", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.52.186.29", - "10.6.77.80" + "10.239.201.234", + "10.204.11.20" ], - "rsa.internal.event_desc": "ione", - "rsa.internal.messageid": "995", - "rsa.internal.msg": "oluptas", + "rsa.internal.messageid": "87", + "rsa.internal.msg": "Loremip", "rsa.time.date": "2016/10/26", "rsa.time.event_time": "2016-10-26T21:58:50.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.52.186.29", - "source.nat.port": 2126, + "source.ip": [ + "10.204.11.20" + ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -636,19 +522,51 @@ }, { "@timestamp": "2016-11-10T05:01:24.000Z", - "event.code": "118", + "destination.ip": [ + "10.219.116.137" + ], + "destination.mac": "01:00:5e:e1:73:47", + "destination.port": 3452, + "event.action": "accept", + "event.code": "quip", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "gel id=lorsitam sn=mpo time=\"2016/11/10 03:01:24\" fw=10.245.10.170 pri=low c=ulapa m=118 Sending DHCP REQUEST (Verifying).", + "event.original": "id=quip sn=mporain time=\"2016-11-10 3:01:24\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", "fileset.name": "firewall", + "host.ip": "10.34.161.166", "input.type": "log", - "log.offset": 3291, + "log.level": "very-high", + "log.offset": 2794, + "network.protocol": "icmp", + "observer.egress.interface.name": "enp0s3611", + "observer.ingress.interface.name": "eth4059", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "118", + "related.ip": [ + "10.34.161.166", + "10.245.200.97", + "10.219.116.137" + ], + "rsa.internal.event_desc": "rehend", + "rsa.internal.messageid": "428", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "sequi", + "rsa.misc.reference_id": "quip", + "rsa.misc.serial_number": "mporain", + "rsa.misc.severity": "very-high", + "rsa.network.dinterface": "enp0s3611", + "rsa.network.sinterface": "eth4059", + "rsa.time.date": "2016-11-10", "rsa.time.event_time": "2016-11-10T05:01:24.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.245.200.97" + ], + "source.mac": " 01:00:5e:1a:ec:91", + "source.port": 3768, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -657,30 +575,33 @@ { "@timestamp": "2016-11-24T12:03:59.000Z", "destination.ip": [ - "10.144.97.172" + "10.252.122.195" ], - "event.code": "346", + "event.code": "401", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quioffi sn=uptate time=\"2016/11/24 10:03:59\" fw=10.201.6.10 pri=high c=sequa m=346 msg=\"aera\" n=ate src=10.240.242.122 dst=10.144.97.172", + "event.original": "id=idex sn=xerci time=\"2016/11/24 10:03:59\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib ", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3414, - "log.original": "aera", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3050, + "log.original": "inesci", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.144.97.172", - "10.240.242.122" + "10.118.80.140", + "10.252.122.195" ], - "rsa.internal.messageid": "346", - "rsa.internal.msg": "aera", + "rsa.internal.messageid": "401", + "rsa.internal.msg": "inesci", "rsa.time.date": "2016/11/24", "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "sonicwall", "source.ip": [ - "10.240.242.122" + "10.118.80.140" ], "tags": [ "sonicwall.firewall", 
@@ -688,34 +609,20 @@ ] }, { - "@timestamp": "2016-12-08T07:06:33.000Z", - "event.action": "deny", - "event.code": "uptasn", + "@timestamp": "2016-12-08T19:06:33.000Z", + "event.code": "143", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uptasn sn=reme time=\"2016-12-8 5:06:33\" fw=10.70.114.233 pri=high c=udantium m=796 msg=\"pre\" n=xeacom fw_action=\"deny\"", + "event.original": "id=ari sn=exercit time=\"2016/12/08 17:06:33\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", "fileset.name": "firewall", - "host.ip": "10.70.114.233", "input.type": "log", - "log.level": "high", - "log.offset": 3554, + "log.offset": 3207, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.70.114.233" - ], - "rsa.internal.event_desc": "pre", - "rsa.internal.messageid": "796", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "udantium", - "rsa.misc.reference_id": "uptasn", - "rsa.misc.serial_number": "reme", - "rsa.misc.severity": "high", - "rsa.time.date": "2016-12-8", - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.internal.messageid": "143", + "rsa.time.date": "2016/12/08", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", 
@@ -724,45 +631,20 @@ }, { "@timestamp": "2016-12-23T02:09:07.000Z", - "destination.address": "tmollita6036.internal.example", - "destination.ip": [ - "10.120.167.239" - ], - "destination.port": 602, - "event.action": "cancel", - "event.code": "888", + "event.code": "104", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=lorinre sn=olorsita time=\"2016/12/23 00:09:07\" fw=10.226.20.99 pri=medium c=econs m=888 msg=\"blocked;cancel\" n=dol src=10.190.83.161:3386:eth4368:tevelite245.mail.local dst=10.120.167.239:602:lo3664:tmollita6036.internal.example", + "event.original": "id=serunt sn=aquaeabi time=\"2016/12/23 00:09:07\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", "fileset.name": "firewall", - "host.hostname": "tevelite245.mail.local", "input.type": "log", - "log.offset": 3676, - "observer.egress.interface.name": "lo3664", - "observer.ingress.interface.name": "eth4368", + "log.offset": 3338, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.190.83.161", - "10.120.167.239" - ], - "rsa.internal.messageid": "888", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.reason": "blocked", - "rsa.network.dinterface": "lo3664", - "rsa.network.host_dst": "tmollita6036.internal.example", - "rsa.network.sinterface": "eth4368", + "rsa.internal.messageid": "104", "rsa.time.date": "2016/12/23", "rsa.time.event_time": "2016-12-23T02:09:07.000Z", "service.type": "sonicwall", - "source.address": "tevelite245.mail.local", - "source.ip": [ - "10.190.83.161" - ], - "source.port": 3386, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -770,40 +652,20 @@ }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.ip": [ - "10.25.39.99" - ], - "destination.port": 2936, - "event.code": "882", + "event.code": "156", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=veniamqu sn=nse time=\"2017/01/06 07:11:41\" fw=10.194.247.171 pri=low c=mquisnos m=882 msg=\"maven\" sess=hende n=piscin src=10.112.75.76:1355:eth6843 dst=10.25.39.99:2936:enp0s298 proto=ggp npcs=mveleu", + "event.original": "id=veniamq sn=one time=\"2017/01/06 07:11:41\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3908, - "log.original": "maven", - "network.protocol": "ggp", - "observer.egress.interface.name": "enp0s298", - "observer.ingress.interface.name": "eth6843", + "log.offset": 3467, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.112.75.76", - "10.25.39.99" - ], - "rsa.db.index": "mveleu", - "rsa.internal.messageid": "882", - "rsa.internal.msg": "maven", - "rsa.network.dinterface": "enp0s298", - "rsa.network.sinterface": "eth6843", + "rsa.internal.messageid": "156", "rsa.time.date": "2017/01/06", "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.112.75.76" - ], - "source.port": 1355, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -811,17 +673,17 @@ }, { "@timestamp": "2017-01-20T16:14:16.000Z", - "event.code": "9", + "event.code": "132", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tvolu sn=ecte time=\"2017/01/20 14:14:16\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", + "event.original": "id=tin sn=tenima time=\"2017/01/20 14:14:16\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4111, + "log.offset": 3600, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "9", + "rsa.internal.messageid": "132", "rsa.time.date": "2017/01/20", "rsa.time.event_time": "2017-01-20T16:14:16.000Z", "service.type": "sonicwall", 
@@ -832,31 +694,23 @@ }, { "@timestamp": "2017-02-03T23:16:50.000Z", - "destination.ip": [ - "10.162.172.28" - ], - "event.code": "255", + "event.code": "867", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "olupta id=litse sn=icabo time=\"2017/02/03 21:16:50\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", + "event.original": "id=equat sn=derit time=\"2017/02/03 21:16:50\" fw=10.90.86.89 pri=medium c=labor m=867 msg=\"didunt\" sess=uptatema n=intocc", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4223, - "log.original": "nre", + "log.offset": 3721, + "log.original": "didunt", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.237.163.139", - "10.162.172.28" - ], - "rsa.internal.messageid": "255", - "rsa.internal.msg": "nre", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "didunt", + "rsa.misc.ntype": "intocc", + "rsa.time.date": "2017/02/03", "rsa.time.event_time": "2017-02-03T23:16:50.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.237.163.139" - ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -864,47 +718,41 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.code": "1079", + "event.code": "129", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=reetdolo sn=smo time=\"2017/02/18 04:19:24\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "event.original": "eporr id=xeacomm sn=mveleu time=\"2017/02/18 04:19:24\" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated", "fileset.name": "firewall", - "host.ip": "10.14.111.221", "input.type": "log", - "log.offset": 4373, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3842, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.14.111.221" - ], - "related.user": [ - "tco" - ], - "rsa.internal.messageid": "1079", - "rsa.misc.space": "", - "rsa.time.date": "2017/02/18", + "rsa.internal.messageid": "129", "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "tco" + ] }, { "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "76", + "event.code": "113", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "santiumd id=turadip sn=uatD time=\"2017/03/04 11:21:59\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", + "event.original": "id=nisi sn=dant time=\"2017/03/04 11:21:59\" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4516, + "log.offset": 3956, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "76", + "rsa.internal.messageid": "113", + "rsa.time.date": "2017/03/04", "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "sonicwall", "tags": [ 
@@ -914,20 +762,39 @@ }, { "@timestamp": "2017-03-18T20:24:33.000Z", - "event.code": "29", + "destination.ip": [ + "10.237.163.139" + ], + "destination.port": 4402, + "event.code": "882", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=volu sn=nonn time=\"2017/03/18 18:24:33\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", + "event.original": "id=quidolor sn=tessec time=\"2017/03/18 18:24:33\" fw=10.135.160.125 pri=low c=icabo m=882 msg=\"itatio\" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4628, + "log.offset": 4091, + "log.original": "itatio", + "network.protocol": "igmp", + "observer.egress.interface.name": "eth1612", + "observer.ingress.interface.name": "enp0s6614", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "29", + "related.ip": [ + "10.135.187.104", + "10.237.163.139" + ], + "rsa.internal.messageid": "882", + "rsa.internal.msg": "itatio", + "rsa.network.dinterface": "eth1612", + "rsa.network.sinterface": "enp0s6614", "rsa.time.date": "2017/03/18", "rsa.time.event_time": "2017-03-18T20:24:33.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.135.187.104" + ], + "source.port": 7557, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -935,36 +802,20 @@ }, { "@timestamp": "2017-04-02T03:27:07.000Z", - "destination.ip": [ - "10.14.1.45" - ], - "destination.port": 4499, - "event.code": "196", + "event.code": "139", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=sBon sn=orro time=\"2017/04/02 01:27:07\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "event.original": "id=Nequepor sn=ali time=\"2017/04/02 01:27:07\" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed", "fileset.name": "firewall", - "http.request.method": "HEAD", "input.type": "log", - "log.offset": 4746, - "log.original": "vita", + "log.offset": 4276, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.126.34.82", - "10.14.1.45" - ], - "rsa.internal.messageid": "196", - "rsa.internal.msg": "vita", + "rsa.internal.messageid": "139", "rsa.time.date": "2017/04/02", "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "sonicwall", - "source.bytes": 2224, - "source.ip": [ - "10.126.34.82" - ], - "source.port": 3142, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -972,52 +823,50 @@ }, { "@timestamp": "2017-04-16T10:29:41.000Z", - "destination.nat.ip": "10.101.74.44", - "destination.nat.port": 2134, - "event.code": "998", + "destination.ip": [ + "10.248.101.25" + ], + "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "amvo id=qui sn=tasn time=\"2017/04/16 08:29:41\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "event.original": "id=ehen sn=tate time=\"2017/04/16 08:29:41\" fw=10.140.167.6 pri=low c=stquido m=372 msg=\"ommodico\" n=ptas src=10.60.129.15 dst=10.248.101.25", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4925, - "log.original": "utp", + "log.offset": 4376, + "log.original": "ommodico", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.74.44", - "10.251.20.13" + "10.60.129.15", + "10.248.101.25" ], - "related.user": [ - "rsitv" - ], - "rsa.internal.event_desc": "quin", - "rsa.internal.messageid": "998", - "rsa.internal.msg": "utp", + "rsa.internal.messageid": "372", + "rsa.internal.msg": "ommodico", + "rsa.time.date": "2017/04/16", "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.251.20.13", - "source.nat.port": 264, + "source.ip": [ + "10.60.129.15" + ], "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "rsitv" + ] }, { "@timestamp": "2017-04-30T17:32:16.000Z", - "event.code": "9", + "event.code": "136", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tvolupt sn=eufugi time=\"2017/04/30 15:32:16\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "event.original": "id=Nequepo sn=ipsumd time=\"2017/04/30 15:32:16\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 
5094, + "log.offset": 4516, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "9", + "rsa.internal.messageid": "136", "rsa.time.date": "2017/04/30", "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sonicwall", 
@@ -1028,38 +877,47 @@ }, { "@timestamp": "2017-05-15T00:34:50.000Z", - "event.code": "40", + "event.code": "1079", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "temqu id=ovol sn=ptasn time=\"2017/05/14 22:34:50\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "event.original": "id=reetdolo sn=smo time=\"2017/05/14 22:34:50\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", "fileset.name": "firewall", + "host.ip": "10.14.111.221", "input.type": "log", - "log.offset": 5208, + "log.offset": 4637, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "40", + "related.ip": [ + "10.14.111.221" + ], + "related.user": [ + "tco" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": "", + "rsa.time.date": "2017/05/14", "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "tco" }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.code": "163", + "event.code": "76", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pid sn=illoin time=\"2017/05/29 05:37:24\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "event.original": "santiumd id=turadip sn=uatD time=\"2017/05/29 05:37:24\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5322, + "log.offset": 4780, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "163", - "rsa.time.date": "2017/05/29", + "rsa.internal.messageid": "76", "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1069,17 +927,18 @@ }, { "@timestamp": "2017-06-12T14:39:58.000Z", - "event.code": "167", + "event.code": "29", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "quid id=fugiat sn=atisun time=\"2017/06/12 12:39:58\" fw=10.181.206.78 pri=very-high c=tobeata m=167 Denied UDP packet from LAN", + "event.original": "id=volu sn=nonn time=\"2017/06/12 12:39:58\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5449, + "log.offset": 4892, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "167", + "rsa.internal.messageid": "29", + "rsa.time.date": "2017/06/12", "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1089,31 +948,36 @@ }, { "@timestamp": "2017-06-26T21:42:33.000Z", - "destination.nat.ip": "10.148.161.250", - "destination.nat.port": 3791, - "event.code": "534", + "destination.ip": [ + "10.14.1.45" + ], + "destination.port": 4499, + "event.code": "196", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=essequam sn=acommo time=\"2017/06/26 19:42:33\" fw=10.177.144.70 pri=medium c=iat m=534 msg=\"etur\" n=itecto src=10.226.27.132:2778 dst=10.148.161.250:3791 note=\"tinv\"", + "event.original": "id=sBon sn=orro time=\"2017/06/26 19:42:33\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", "fileset.name": "firewall", + "http.request.method": "HEAD", "input.type": "log", - "log.offset": 5575, - "log.original": "etur", + "log.offset": 5010, + "log.original": "vita", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.148.161.250", - "10.226.27.132" + "10.126.34.82", + "10.14.1.45" ], - "rsa.internal.event_desc": "tinv", - "rsa.internal.messageid": "534", - "rsa.internal.msg": "etur", + "rsa.internal.messageid": "196", + "rsa.internal.msg": "vita", "rsa.time.date": "2017/06/26", "rsa.time.event_time": "2017-06-26T21:42:33.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.226.27.132", - "source.nat.port": 2778, + "source.bytes": 2224, + "source.ip": [ + "10.126.34.82" + ], + "source.port": 3142, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1121,57 +985,52 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "destination.ip": [ - "10.149.0.64" - ], - "destination.port": 6867, - "event.code": "83", + "destination.nat.ip": "10.101.74.44", + "destination.nat.port": 2134, + "event.code": "998", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=isnisi sn=ritatise time=\"2017/07/11 02:45:07\" fw=10.38.54.72 pri=very-high c=ciad m=83 msg=\"tali\" sess=lillum n=cusant src=10.64.50.66:3657:enp0s1540 dst=10.149.0.64:6867:eth2202 note=\"sau\" npcs=atevelit", + "event.original": "amvo id=qui sn=tasn time=\"2017/07/11 02:45:07\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5743, - "log.original": "tali", - "observer.egress.interface.name": "eth2202", - "observer.ingress.interface.name": "enp0s1540", + "log.offset": 5189, + "log.original": "utp", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.64.50.66", - "10.149.0.64" + "10.251.20.13", + "10.101.74.44" ], - "rsa.db.index": "atevelit", - "rsa.internal.messageid": "83", - "rsa.internal.msg": "tali", - "rsa.network.dinterface": "eth2202", - "rsa.network.sinterface": "enp0s1540", - "rsa.time.date": "2017/07/11", + "related.user": [ + "rsitv" + ], + "rsa.internal.event_desc": "quin", + "rsa.internal.messageid": "998", + "rsa.internal.msg": "utp", "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.64.50.66" - ], - "source.port": 3657, + "source.nat.ip": "10.251.20.13", + "source.nat.port": 264, "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "rsitv" }, { "@timestamp": "2017-07-25T11:47:41.000Z", - "event.code": "147", + "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=billo sn=labo 
time=\"2017/07/25 09:47:41\" fw=10.221.225.29 pri=medium c=boris m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "event.original": "id=tvolupt sn=eufugi time=\"2017/07/25 09:47:41\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5950, + "log.offset": 5358, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "147", + "rsa.internal.messageid": "9", "rsa.time.date": "2017/07/25", "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "sonicwall", 
@@ -1182,38 +1041,19 @@ }, { "@timestamp": "2017-08-08T18:50:15.000Z", - "destination.address": "ise5905.www.local", - "destination.nat.ip": "10.53.113.23", - "destination.nat.port": 4027, - "event.code": "1154", + "event.code": "40", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "elitse id=ima sn=quasia time=\"2017/08/08 16:50:15\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "event.original": "temqu id=ovol sn=ptasn time=\"2017/08/08 16:50:15\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", "fileset.name": "firewall", - "host.hostname": "tiaec5551.www.local", "input.type": "log", - "log.offset": 6102, - "log.original": "mac", - "observer.egress.interface.name": "lo1918", - "observer.ingress.interface.name": "eth5313", + "log.offset": 5472, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.97.124.211", - "10.53.113.23" - ], - "rsa.identity.user_sid_dst": "iumdol", - "rsa.internal.messageid": "1154", - "rsa.internal.msg": "mac", - "rsa.network.dinterface": "lo1918", - "rsa.network.host_dst": "ise5905.www.local", - "rsa.network.sinterface": "eth5313", + "rsa.internal.messageid": "40", "rsa.time.event_time": "2017-08-08T18:50:15.000Z", "service.type": "sonicwall", - "source.address": "tiaec5551.www.local", - "source.nat.ip": "10.97.124.211", - "source.nat.port": 6198, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1221,17 +1061,17 @@ }, { "@timestamp": "2017-08-23T01:52:50.000Z", - "event.code": "135", + "event.code": "163", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=asiarc sn=ian time=\"2017/08/22 23:52:50\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + "event.original": "id=pid sn=illoin time=\"2017/08/22 23:52:50\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6349, + "log.offset": 5586, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "135", + "rsa.internal.messageid": "163", "rsa.time.date": "2017/08/22", "rsa.time.event_time": "2017-08-23T01:52:50.000Z", "service.type": "sonicwall", @@ -1242,32 +1082,20 @@ }, { "@timestamp": "2017-09-06T08:55:24.000Z", - "destination.ip": [ - "10.96.97.81" - ], - "event.code": "350", + "event.code": "147", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rauto sn=ationev time=\"2017/09/06 06:55:24\" fw=10.92.19.202 pri=high c=nby m=350 msg=\"mve\" n=osqui src=10.161.148.64 dst=10.96.97.81", + "event.original": "id=mestq sn=temUt time=\"2017/09/06 06:55:24\" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6471, - "log.original": "mve", + "log.offset": 5713, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.96.97.81", - "10.161.148.64" - ], - "rsa.internal.messageid": "350", - "rsa.internal.msg": "mve", + "rsa.internal.messageid": "147", "rsa.time.date": "2017/09/06", "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.161.148.64" - ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1275,20 +1103,31 @@ }, { "@timestamp": "2017-09-20T15:57:58.000Z", - "event.code": "176", + "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nsequat sn=doloreme time=\"2017/09/20 13:57:58\" fw=10.206.81.23 pri=high c=tincu m=176 Fraudulent Microsoft Certificate Blocked", + "event.original": "id=adeser sn=oin time=\"2017/09/20 13:57:58\" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg=\"quam\" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 ", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6607, + "log.offset": 5864, + "log.original": "quam", + "observer.ingress.interface.name": "enp0s3962", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "176", + "related.ip": [ + "10.1.36.97" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "quam", + "rsa.network.sinterface": "enp0s3962", "rsa.time.date": "2017/09/20", "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.1.36.97" + ], + "source.port": 3628, "tags": [ "sonicwall.firewall", "forwarded" 
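Review bot: The event added here has `dst= 10.107.251.87:6337:lo3319` in event.original, but the expected output carries no destination.ip, destination.port or observer.egress.interface.name and `related.ip` lists only the source, so the destination half of the event is dropped silently with no `log.flags` entry. If the space after `dst=` is only an artefact of the log generator this is harmless, but if a device can emit it the fixture is pinning a silent loss of the destination; either way a partial parse should be flagged the way the `dissect_parsing_error` cases are in the 2016-11-24, 2017-02-18 and 2017-10-19 events of this file. Those flagged events (trailing-space inputs such as `dstname=eFinib `) are likewise being committed as expected output, which is worth a comment in the commit message so the next regeneration does not treat them as regressions.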
@@ -1296,21 +1135,17 @@ }, { "@timestamp": "2017-10-04T23:00:32.000Z", - "event.code": "1231", + "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "itse id=umexerc sn=oremipsu time=\"2017/10/04 21:00:32\" fw=10.87.13.61 pri=medium c=ssecillu m=1231 msg=\"liqua\" n=utodita note=\"aec\"", + "event.original": "reetdol id=totamre sn=isnostr time=\"2017/10/04 21:00:32\" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6737, - "log.original": "liqua", + "log.offset": 6038, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.db.index": "aec", - "rsa.internal.messageid": "1231", - "rsa.internal.msg": "liqua", - "rsa.misc.space": "", + "rsa.internal.messageid": "34", "rsa.time.event_time": "2017-10-04T23:00:32.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1320,20 +1155,34 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "event.code": "22", + "destination.ip": [ + "10.216.125.252" + ], + "event.code": "402", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=elitse sn=reseo time=\"2017/10/19 04:03:07\" fw=10.71.238.250 pri=very-high c=tiaec m=22 Ping of death blocked", + "event.original": "psaquaea id=taevita sn=ameiusm time=\"2017/10/19 04:03:07\" fw=10.227.15.253 pri=high c=piscinge m=402 msg=\"tvol\" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit ", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6869, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6164, + "log.original": "tvol", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "22", - "rsa.time.date": "2017/10/19", + "related.ip": [ + "10.54.14.189", + "10.216.125.252" + ], + "rsa.internal.messageid": "402", + "rsa.internal.msg": "tvol", "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.54.14.189" + ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1341,29 +1190,38 @@ }, { "@timestamp": "2017-11-02T13:05:41.000Z", - "destination.nat.ip": "10.125.134.213", - "event.code": "msg", + "destination.address": "ise5905.www.local", + "destination.nat.ip": "10.53.113.23", + "destination.nat.port": 4027, + "event.code": "1154", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=plicab sn=oremq time=\"2017/11/02 11:05:41\" fw=10.40.152.253 pri=low c=ritt m=msg msg=\"iaeco\" src=10.53.150.77 dst=10.125.134.213 failure", + "event.original": "elitse id=ima sn=quasia time=\"2017/11/02 11:05:41\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", "fileset.name": "firewall", + "host.hostname": "tiaec5551.www.local", "input.type": "log", - "log.offset": 6981, - "log.original": "iaeco", + "log.offset": 6336, + "log.original": "mac", + "observer.egress.interface.name": "lo1918", + "observer.ingress.interface.name": "eth5313", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.125.134.213", - "10.53.150.77" + "10.53.113.23", + "10.97.124.211" ], - "rsa.internal.messageid": "msg", - "rsa.internal.msg": "iaeco", - "rsa.misc.result": "failure", - "rsa.time.date": "2017/11/02", + "rsa.identity.user_sid_dst": "iumdol", + "rsa.internal.messageid": "1154", + "rsa.internal.msg": "mac", + "rsa.network.dinterface": "lo1918", + "rsa.network.host_dst": "ise5905.www.local", + "rsa.network.sinterface": "eth5313", "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.53.150.77", + "source.address": "tiaec5551.www.local", + "source.nat.ip": "10.97.124.211", + "source.nat.port": 6198, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1371,17 +1229,17 @@ }, { "@timestamp": "2017-11-16T20:08:15.000Z", - "event.code": "7", + "event.code": "135", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quaea sn=ametcons time=\"2017/11/16 18:08:15\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", + "event.original": "id=asiarc sn=ian time=\"2017/11/16 18:08:15\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7121, + "log.offset": 6583, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "7", + "rsa.internal.messageid": "135", "rsa.time.date": "2017/11/16", "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sonicwall", 
@@ -1392,29 +1250,39 @@ }, { "@timestamp": "2017-12-01T03:10:49.000Z", - "destination.nat.ip": "10.77.174.205", - "event.code": "240", + "destination.ip": [ + "10.64.229.79" + ], + "destination.port": 3620, + "event.code": "83", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ariatur sn=rer time=\"2017/12/01 01:10:49\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", + "event.original": "id=intocc sn=amcorp time=\"2017/12/01 01:10:49\" fw=10.57.57.241 pri=low c=litani m=83 msg=\"utodita\" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note=\"tiaec\" npcs=rumwrit", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7243, - "log.original": "issuscip", + "log.offset": 6705, + "log.original": "utodita", + "observer.egress.interface.name": "eth41", + "observer.ingress.interface.name": "eth2003", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.240.49.224", - "10.77.174.205" + "10.64.229.79", + "10.187.201.250" ], - "rsa.internal.messageid": "240", - "rsa.internal.msg": "issuscip", - "rsa.misc.ntype": "uisa", + "rsa.db.index": "rumwrit", + "rsa.internal.messageid": "83", + "rsa.internal.msg": "utodita", + "rsa.network.dinterface": "eth41", + "rsa.network.sinterface": "eth2003", "rsa.time.date": "2017/12/01", "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.240.49.224", + "source.ip": [ + "10.187.201.250" + ], + "source.port": 5504, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1422,134 +1290,72 @@ }, { "@timestamp": "2017-12-15T10:13:24.000Z", - "destination.ip": [ - "10.187.210.173" - ], - "event.code": "255", + "destination.nat.ip": "10.76.110.144", + "destination.nat.port": 2497, + "event.code": "931", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=luptatem sn=uaeratv time=\"2017/12/15 08:13:24\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", + "event.original": "id=gna sn=con time=\"2017/12/15 08:13:24\" fw=10.11.44.250 pri=high c=etMal m=931 msg=\"qua\" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7389, - "log.original": "quamnih", + "log.offset": 6906, + "log.original": "qua", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.187.210.173", - "10.44.150.31" + "10.108.249.60", + "10.76.110.144" ], - "rsa.internal.messageid": "255", - "rsa.internal.msg": "quamnih", + "rsa.internal.messageid": "931", + "rsa.internal.msg": "qua", + "rsa.misc.ntype": "rsita", "rsa.time.date": "2017/12/15", "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.44.150.31" - ], + "source.nat.ip": "10.108.249.60", + "source.nat.port": 7150, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2017-12-29T05:15:58.000Z", - "destination.ip": [ - "10.251.248.228" - ], - "destination.mac": "01:00:5e:55:b9:89", - "destination.port": 6909, - "event.action": "cancel", - "event.code": "ntutlabo", + "@timestamp": "2017-12-29T17:15:58.000Z", + "event.code": "11", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ntutlabo sn=iusmodte time=\"2017-12-29 3:15:58\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac=miurerep 01:00:5e:b4:c3:ed 
dstMac=01:00:5e:55:b9:89proto=ipv6 fw_action=\"cancel\"", + "event.original": "rem id=asper sn=idunt time=\"2017/12/29 15:15:58\" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server", "fileset.name": "firewall", - "host.ip": "10.108.84.24", "input.type": "log", - "log.level": "low", - "log.offset": 7544, - "network.protocol": "ipv6", - "observer.ingress.interface.name": "eth163", + "log.offset": 7050, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.251.248.228", - "10.113.100.237", - "10.108.84.24" - ], - "rsa.internal.event_desc": "volupt", - "rsa.internal.messageid": "606", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "iosamnis", - "rsa.misc.reference_id": "ntutlabo", - "rsa.misc.serial_number": "iusmodte", - "rsa.misc.severity": "low", - "rsa.network.sinterface": "eth163", - "rsa.time.date": "2017-12-29", - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.internal.messageid": "11", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.113.100.237" - ], - "source.mac": "01:00:5e:b4:c3:ed", - "source.port": 3887, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2018-01-12T12:18:32.000Z", - "destination.ip": [ - "10.207.211.230" - ], - "destination.mac": "01:00:5e:93:39:a4", - "destination.port": 2800, - "event.action": "allow", - "event.code": "proident", + "@timestamp": "2018-01-13T00:18:32.000Z", + "event.code": "88", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=proident sn=maliquam time=\"2018-1-12 10:18:32\" fw=10.229.229.42 pri=high c=vitaedic m=428 msg=\"orin\" n=uii src=10.103.117.31:3987:enp0s3531 dst=10.207.211.230:2800:eth211 srcMac=untincul 01:00:5e:c9:ed:b4 dstMac=01:00:5e:93:39:a4 proto=tcp fw_action=\"allow\"", + "event.original": "id=uisaute sn=imide time=\"2018/01/12 22:18:32\" fw=10.77.226.215 
pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable", "fileset.name": "firewall", - "host.ip": "10.229.229.42", "input.type": "log", - "log.level": "high", - "log.offset": 7797, - "network.protocol": "tcp", - "observer.egress.interface.name": "eth211", - "observer.ingress.interface.name": "enp0s3531", + "log.offset": 7192, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.229.229.42", - "10.103.117.31", - "10.207.211.230" - ], - "rsa.internal.event_desc": "orin", - "rsa.internal.messageid": "428", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "vitaedic", - "rsa.misc.reference_id": "proident", - "rsa.misc.serial_number": "maliquam", - "rsa.misc.severity": "high", - "rsa.network.dinterface": "eth211", - "rsa.network.sinterface": "enp0s3531", - "rsa.time.date": "2018-1-12", - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.internal.messageid": "88", + "rsa.time.date": "2018/01/12", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.103.117.31" - ], - "source.mac": "01:00:5e:c9:ed:b4", - "source.port": 3987, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1557,51 +1363,85 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.nat.ip": "10.32.39.220", - "event.code": "412", + "destination.nat.ip": "10.31.190.145", + "destination.nat.port": 3333, + "event.code": "243", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emvele sn=isnost time=\"2018/01/27 05:21:06\" fw=10.71.112.159 pri=medium c=emqu m=412 msg=\"riss\" n=iquamqua src=10.248.165.185:3436 dst=10.32.39.220 note=\"aliq\"", + "event.original": "id=ilmol sn=eri time=\"2018/01/27 05:21:06\" fw=10.154.53.249 pri=low c=mquae m=243 msg=\"eriti\" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8058, - "log.original": "riss", + "log.offset": 7327, + "log.original": "eriti", + "network.protocol": "icmp", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.165.185", - "10.32.39.220" + "10.147.88.219", + "10.31.190.145" + ], + "related.user": [ + "corpori" ], - "rsa.internal.event_desc": "aliq", - "rsa.internal.messageid": "412", - "rsa.internal.msg": "riss", + "rsa.internal.messageid": "243", + "rsa.internal.msg": "eriti", "rsa.time.date": "2018/01/27", "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.248.165.185", - "source.nat.port": 3436, + "source.nat.ip": "10.147.88.219", + "source.nat.port": 7595, "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "corpori" }, { "@timestamp": "2018-02-10T14:23:41.000Z", - "event.code": "27", + "destination.ip": [ + "10.251.248.228" + ], + "destination.mac": "01:00:5e:c3:ed:55", + "destination.port": 6909, + "event.action": "deny", + "event.code": "ntutlabo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mven sn=olorsit time=\"2018/02/10 12:23:41\" fw=10.121.239.183 pri=very-high c=consequa m=27 
Land Attack Dropped", + "event.original": "id=ntutlabo sn=iusmodte time=\"2018-2-10 12:23:41\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", "fileset.name": "firewall", + "host.ip": "10.108.84.24", "input.type": "log", - "log.offset": 8221, + "log.level": "low", + "log.offset": 7499, + "network.protocol": "udp", + "observer.ingress.interface.name": "eth163", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "27", - "rsa.time.date": "2018/02/10", + "related.ip": [ + "10.108.84.24", + "10.251.248.228", + "10.113.100.237" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "606", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "iosamnis", + "rsa.misc.reference_id": "ntutlabo", + "rsa.misc.serial_number": "iusmodte", + "rsa.misc.severity": "low", + "rsa.network.sinterface": "eth163", + "rsa.time.date": "2018-2-10", "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.113.100.237" + ], + "source.mac": " 01:00:5e:8b:c1:b4", + "source.port": 3887, "tags": [ "sonicwall.firewall", "forwarded" 
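Review bot: The new expected event for 2018-02-10 sets `"event.code": "ntutlabo"` (the `id=` token) while every other event in these hunks uses the numeric `m=` value (`"event.code": "606"` would match `rsa.internal.messageid`); the same pattern appears on the new side of the 2018-04-22 event in the next hunk (`"event.code": "mveniamq"`). The same object also carries `"source.mac": " 01:00:5e:8b:c1:b4"` with a leading space copied from `srcMac= 01:00:5e:8b:c1:b4` in event.original, while `destination.mac` is clean. Since this file is regenerated from pipeline output, these look like pipeline (or log-generator) defects being frozen into the golden file rather than fixture typos; trimming the MAC and settling which value event.code should hold, then regenerating, seems preferable to committing them as expected.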
@@ -1609,17 +1449,17 @@ }, { "@timestamp": "2018-02-24T21:26:15.000Z", - "event.code": "95", + "event.code": "28", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatevel sn=boreetdo time=\"2018/02/24 19:26:15\" fw=10.239.118.233 pri=medium c=risnis m=95 Diagnostic Code C", + "event.original": "id=emvele sn=isnost time=\"2018/02/24 19:26:15\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8335, + "log.offset": 7742, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "95", + "rsa.internal.messageid": "28", "rsa.time.date": "2018/02/24", "rsa.time.event_time": "2018-02-24T21:26:15.000Z", "service.type": "sonicwall", @@ -1630,18 +1470,17 @@ }, { "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "138", + "event.code": "61", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ddoeius sn=ugiatn time=\"2018/03/11 02:28:49\" fw=10.50.102.128 pri=high c=abore m=138 XAUTH Succeeded", + "event.original": "sit id=rumSect sn=ita time=\"2018/03/11 02:28:49\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8446, + "log.offset": 7855, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "138", - "rsa.time.date": "2018/03/11", + "rsa.internal.messageid": "61", "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1651,18 +1490,20 @@ }, { "@timestamp": "2018-03-25T11:31:24.000Z", - "event.code": "107", + "event.code": "906", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uiadol sn=Duisa time=\"2018/03/25 09:31:24\" fw=10.106.195.93 pri=very-high c=boNem m=107 Got DHCP OFFER. Selecting.", + "event.original": "oremag id=illu sn=ruredo time=\"2018/03/25 09:31:24\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8550, + "log.offset": 7959, + "log.original": "its", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "107", - "rsa.time.date": "2018/03/25", + "rsa.internal.messageid": "906", + "rsa.internal.msg": "its", + "rsa.misc.ntype": "lore", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1672,52 +1513,55 @@ }, { "@timestamp": "2018-04-08T18:33:58.000Z", - "destination.ip": [ - "10.11.83.126" - ], - "event.code": "372", + "event.code": "134", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emips sn=atv time=\"2018/04/08 16:33:58\" fw=10.2.114.9 pri=high c=alorum m=372 msg=\"obeataev\" n=tempor src=10.134.237.235 dst=10.11.83.126", + "event.original": "id=onu sn=liquaUte time=\"2018/04/08 16:33:58\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8668, - "log.original": "obeataev", + "log.offset": 8075, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.134.237.235", - "10.11.83.126" - ], - "rsa.internal.messageid": "372", - "rsa.internal.msg": "obeataev", + "rsa.internal.messageid": "134", "rsa.time.date": "2018/04/08", "rsa.time.event_time": "2018-04-08T18:33:58.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.134.237.235" - ], "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2018-04-23T01:36:32.000Z", - "event.code": "117", + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.action": "allow", + "event.code": "mveniamq", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=osquir sn=mod time=\"2018/04/22 23:36:32\" fw=10.28.120.149 pri=very-high c=liquide m=117 Sending DHCP REQUEST (Rebooting).", + "event.original": "id=mveniamq sn=taedict time=\"2018-4-22 11:36:32\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", "fileset.name": "firewall", + "host.ip": "10.206.69.135", "input.type": "log", - "log.offset": 8809, + "log.level": "high", + "log.offset": 8197, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "117", - "rsa.time.date": "2018/04/22", - 
"rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "related.ip": [ + "10.206.69.135" + ], + "rsa.db.index": "aaliq", + "rsa.internal.event_desc": "utfug", + "rsa.internal.messageid": "880", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aturve", + "rsa.misc.reference_id": "mveniamq", + "rsa.misc.serial_number": "taedict", + "rsa.misc.severity": "high", + "rsa.time.date": "2018-4-22", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -1726,20 +1570,28 @@ }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.code": "169", + "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Sedutpe sn=prehen time=\"2018/05/07 06:39:06\" fw=10.209.43.252 pri=very-high c=lloin m=169 Firewall access from LAN", + "event.original": "id=uiinea sn=mnisiut time=\"2018/05/07 06:39:06\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80 ", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8934, + "log.offset": 8339, + "log.original": "labor", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "169", + "related.ip": [ + "10.240.54.28" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "labor", "rsa.time.date": "2018/05/07", "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.240.54.28" + ], "tags": [ "sonicwall.firewall", "forwarded" 
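Review bot: In the 2018-05-07 event the new expected output lists only `"source.ip": ["10.240.54.28"]` although event.original contains both `src= 10.240.54.28` and `dst= 10.115.38.80 ` written identically, so the destination appears to be dropped by whatever handles the space after `dst=`; the 2018-11-09 event in a later hunk (`dst= 10.142.120.198 `) shows the same asymmetry. If the space-separated form is something the dissect pattern should tolerate, the destination should be populated too and the fixture regenerated; if it is a generator artifact, the sample log would be better fixed than the parse gap committed as expected.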
@@ -1747,17 +1599,18 @@ }, { "@timestamp": "2018-05-21T15:41:41.000Z", - "event.code": "117", + "event.code": "163", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "tempor id=citatio sn=oluptat time=\"2018/05/21 13:41:41\" fw=10.35.255.235 pri=very-high c=edquian m=117 Sending DHCP REQUEST (Rebooting).", + "event.original": "id=mve sn=uia time=\"2018/05/21 13:41:41\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9052, + "log.offset": 8484, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "117", + "rsa.internal.messageid": "163", + "rsa.time.date": "2018/05/21", "rsa.time.event_time": "2018-05-21T15:41:41.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1767,20 +1620,32 @@ }, { "@timestamp": "2018-06-04T22:44:15.000Z", - "event.code": "164", + "destination.ip": [ + "10.104.49.142" + ], + "event.code": "252", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nsequunt sn=proident time=\"2018/06/04 20:44:15\" fw=10.57.167.157 pri=high c=aliquamq m=164 No response from ISP Disconnecting PPPoE.", + "event.original": "id=doei sn=cipitl time=\"2018/06/04 20:44:15\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9189, + "log.offset": 8610, + "log.original": "eprehend", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "164", + "related.ip": [ + "10.102.166.19", + "10.104.49.142" + ], + "rsa.internal.messageid": "252", + "rsa.internal.msg": "eprehend", "rsa.time.date": "2018/06/04", "rsa.time.event_time": "2018-06-04T22:44:15.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.102.166.19" + ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1788,29 +1653,19 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.nat.ip": "10.99.248.145", - "event.code": "412", + "event.code": "88", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "ugit id=tatem sn=metcons time=\"2018/06/19 03:46:49\" fw=10.252.102.110 pri=medium c=tamet m=412 msg=\"perspici\" n=ationul src=10.115.53.31:6606 dst=10.99.248.145 note=\"molestia\"", + "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/06/19 03:46:49\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9325, - "log.original": "perspici", + "log.offset": 8759, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.99.248.145", - "10.115.53.31" - ], - "rsa.internal.event_desc": "molestia", - "rsa.internal.messageid": "412", - "rsa.internal.msg": "perspici", + "rsa.internal.messageid": "88", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.115.53.31", - "source.nat.port": 6606, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1818,36 +1673,20 @@ }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "destination.ip": [ - "10.168.208.169" - ], - "destination.port": 6168, - "event.action": "deny", - "event.code": "616", + "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=labore sn=uela time=\"2018/07/03 10:49:23\" fw=10.167.74.79 pri=very-high c=iuntNequ m=616 msg=\"deny\" n=archite src=10.143.228.97:1370 dst=10.168.208.169:6168", + "event.original": "id=iumt sn=tsed time=\"2018/07/03 10:49:23\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9501, + "log.offset": 8898, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.168.208.169", - "10.143.228.97" - ], - "rsa.internal.messageid": "616", - "rsa.misc.action": [ - "deny" - ], + "rsa.internal.messageid": "34", "rsa.time.date": "2018/07/03", "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.143.228.97" - ], - "source.port": 1370, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1856,34 +1695,36 @@ { "@timestamp": "2018-07-17T19:51:58.000Z", "destination.ip": [ - "10.236.56.233" + "10.137.217.159" ], - "destination.port": 3484, - "event.action": "allow", - "event.code": "373", + "destination.port": 563, + "event.code": "195", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "licaboN id=atquo sn=cupi time=\"2018/07/17 17:51:58\" fw=10.151.129.181 pri=very-high c=udan m=373 msg=\"allow\" n=nderiti src=10.43.16.73:2604 dst=10.236.56.233:3484", + "event.original": "id=loremag sn=tcu time=\"2018/07/17 17:51:58\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9661, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9005, + "log.original": "rorsit", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.236.56.233", - "10.43.16.73" - ], - "rsa.internal.messageid": "373", - "rsa.misc.action": [ - "allow" + "10.77.95.12", + "10.137.217.159" ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "rorsit", + "rsa.time.date": "2018/07/17", "rsa.time.event_time": "2018-07-17T19:51:58.000Z", "service.type": "sonicwall", "source.ip": [ - "10.43.16.73" + "10.77.95.12" ], - "source.port": 2604, + "source.port": 2310, "tags": [ "sonicwall.firewall", "forwarded" 
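Review bot: The new expected output for the 2018-07-17 event commits `"log.flags": ["dissect_parsing_error"]`, which bakes a parsing failure into the golden file; event.original ends in `sport=2310 dport=563 rcvd=1629`, so the trailing key/value run presumably does not match the pattern. A golden file should pin the intended result, not a known error, so either the pattern should be extended to cover this message shape (or the generator sample adjusted) and the fixture regenerated, or a comment in the test harness should record why this event is expected to fail. Note that `destination.port` and `source.port` are still populated from the same line, so only the tail of the message seems affected.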
@@ -1891,30 +1732,19 @@ }, { "@timestamp": "2018-08-01T02:54:32.000Z", - "destination.nat.ip": "10.222.251.114", - "event.code": "412", + "event.code": "48", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aeab sn=teur time=\"2018/08/01 00:54:32\" fw=10.231.199.50 pri=low c=stquid m=412 msg=\"turadipi\" n=usmodi src=10.184.254.143:4402 dst=10.222.251.114 note=\"illu\"", + "event.original": "elillum id=upt sn=rnat time=\"2018/08/01 00:54:32\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9824, - "log.original": "turadipi", + "log.offset": 9180, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.184.254.143", - "10.222.251.114" - ], - "rsa.internal.event_desc": "illu", - "rsa.internal.messageid": "412", - "rsa.internal.msg": "turadipi", - "rsa.time.date": "2018/08/01", + "rsa.internal.messageid": "48", "rsa.time.event_time": "2018-08-01T02:54:32.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.184.254.143", - "source.nat.port": 4402, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1922,20 +1752,30 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "event.code": "72", + "destination.nat.ip": "10.191.242.168", + "destination.nat.port": 5251, + "event.code": "995", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=asuntexp sn=adminim time=\"2018/08/15 07:57:06\" fw=10.115.115.26 pri=high c=modoc m=72 NetBus Attack Dropped", + "event.original": "doeiu id=deF sn=itempo time=\"2018/08/15 07:57:06\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9986, + "log.offset": 9302, + "log.original": "isci", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "72", - "rsa.time.date": "2018/08/15", + "related.ip": [ + "10.191.242.168", + "10.165.48.224" + ], + "rsa.internal.event_desc": "equep", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "isci", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.165.48.224", + "source.nat.port": 5386, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1943,18 +1783,20 @@ }, { "@timestamp": "2018-08-29T16:59:40.000Z", - "event.code": "34", + "event.code": "909", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iumt sn=tsed time=\"2018/08/29 14:59:40\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "event.original": "BCS id=qui sn=ugiatquo time=\"2018/08/29 14:59:40\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10097, + "log.offset": 9476, + "log.original": "emq", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", - "rsa.time.date": "2018/08/29", + "rsa.internal.messageid": "909", + "rsa.internal.msg": "emq", + "rsa.misc.ntype": "plicaboN", "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sonicwall", "tags": [ 
@@ -1964,19 +1806,31 @@ }, { "@timestamp": "2018-09-13T00:02:15.000Z", - "event.code": "96", + "destination.nat.ip": "10.116.173.79", + "destination.nat.port": 7693, + "event.code": "178", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "orsi id=tetura sn=imadmini time=\"2018/09/12 22:02:15\" fw=10.46.192.198 pri=high c=uat m=96 Status", + "event.original": "id=vol sn=admi time=\"2018/09/12 22:02:15\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10204, + "log.offset": 9591, + "log.original": "ende", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "96", + "related.ip": [ + "10.185.37.32", + "10.116.173.79" + ], + "rsa.internal.messageid": "178", + "rsa.internal.msg": "ende", + "rsa.misc.ntype": "abor", + "rsa.time.date": "2018/09/12", "rsa.time.event_time": "2018-09-13T00:02:15.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.185.37.32", + "source.nat.port": 708, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -1984,34 +1838,31 @@ }, { "@timestamp": "2018-09-27T07:04:49.000Z", - "destination.bytes": 5253, - "event.code": "dolorema", + "destination.nat.ip": "10.57.85.98", + "destination.nat.port": 3286, + "event.code": "995", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=dolorema sn=emagn time=\"2018-9-27 5:04:49\" fw=10.200.86.116 pri=medium m= msg=\"orinrep\" n=quiavolif=enp0s347ucastRx=ratvbcastRx=alorumbytesRx=5253ucastTx=talibcastTx=BCSbytesTx=3474", + "event.original": "id=olorem sn=gitse time=\"2018/09/27 05:04:49\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", "fileset.name": "firewall", - "host.ip": "10.200.86.116", "input.type": "log", - "log.level": "medium", - "log.offset": 10302, - "network.interface.name": "enp0s347", + "log.offset": 9736, + "log.original": "sci", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.200.86.116" + "10.57.85.98", + "10.219.42.212" ], - "rsa.internal.event_desc": "orinrep", - "rsa.internal.messageid": "m", - "rsa.misc.reference_id": "dolorema", - "rsa.misc.reference_id1": "", - "rsa.misc.serial_number": "emagn", - "rsa.misc.severity": "medium", - "rsa.network.interface": "enp0s347", - "rsa.time.date": "2018-9-27", + "rsa.internal.event_desc": "mquisno", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "sci", + "rsa.time.date": "2018/09/27", "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "sonicwall", - "source.bytes": 3474, + "source.nat.ip": "10.219.42.212", + "source.nat.port": 5708, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2019,17 +1870,17 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.code": "8", + "event.code": "137", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=culpaqui sn=tvolup time=\"2018/10/11 12:07:23\" fw=10.116.146.114 pri=high c=red m=8 New Filter list loaded", + "event.original": "id=gna sn=isiutali time=\"2018/10/11 12:07:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10487, + "log.offset": 9906, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "8", + "rsa.internal.messageid": "137", "rsa.time.date": "2018/10/11", "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "sonicwall", @@ -2040,20 +1891,32 @@ }, { "@timestamp": "2018-10-25T21:09:57.000Z", - "event.code": "66", + "destination.ip": [ + "10.195.223.82" + ], + "event.code": "351", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatev sn=luptas time=\"2018/10/25 19:09:57\" fw=10.138.124.174 pri=low c=inculp m=66 Unknown IPSec SPI", + "event.original": "id=uaturve sn=amquisno time=\"2018/10/25 19:09:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10596, + "log.offset": 10011, + "log.original": "CSe", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "66", + "related.ip": [ + "10.195.223.82", + "10.135.70.159" + ], + "rsa.internal.messageid": "351", + "rsa.internal.msg": "CSe", "rsa.time.date": "2018/10/25", "rsa.time.event_time": "2018-10-25T21:09:57.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.135.70.159" + ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2061,38 +1924,53 @@ }, { "@timestamp": "2018-11-09T04:12:32.000Z", - "event.code": "148", + "event.code": "261", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iadese sn=nisiu time=\"2018/11/09 02:12:32\" fw=10.101.178.146 pri=medium c=llit m=148 Primary received error signal from Active Backup: Primary going Active", + "event.original": "id=atu sn=iusm time=\"2018/11/09 02:12:32\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 ", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10700, + "log.offset": 10159, + "log.original": "rsitvolu", + "observer.ingress.interface.name": "eth3249", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "148", + "related.ip": [ + "10.22.244.71" + ], + "related.user": [ + "usmo" + ], + "rsa.internal.messageid": "261", + "rsa.internal.msg": "rsitvolu", + "rsa.network.sinterface": "eth3249", "rsa.time.date": "2018/11/09", "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.22.244.71" + ], + "source.port": 1865, "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "usmo" }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "9", + "event.code": "125", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=sitametc sn=onsequa time=\"2018/11/23 09:15:06\" fw=10.8.53.182 pri=very-high c=riosa m=9 No new Filter list available", + "event.original": "id=oin sn=itseddoe time=\"2018/11/23 09:15:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10859, + "log.offset": 10327, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "9", + "rsa.internal.messageid": "125", "rsa.time.date": 
"2018/11/23", "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "sonicwall", @@ -2103,17 +1981,17 @@ }, { "@timestamp": "2018-12-07T18:17:40.000Z", - "event.code": "49", + "event.code": "105", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pisc sn=urEx time=\"2018/12/07 16:17:40\" fw=10.193.239.124 pri=low c=ercitat m=49 Failure to add data channel", + "event.original": "id=giatquov sn=olu time=\"2018/12/07 16:17:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10979, + "log.offset": 10431, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "49", + "rsa.internal.messageid": "105", "rsa.time.date": "2018/12/07", "rsa.time.event_time": "2018-12-07T18:17:40.000Z", "service.type": "sonicwall", @@ -2124,18 +2002,17 @@ }, { "@timestamp": "2018-12-22T01:20:14.000Z", - "event.code": "144", + "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tnonproi sn=squira time=\"2018/12/21 23:20:14\" fw=10.141.238.139 pri=medium c=uide m=144 Primary firewall has transitioned to Idle", + "event.original": "emagn id=emulla sn=mips time=\"2018/12/21 23:20:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11091, + "log.offset": 10543, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "144", - "rsa.time.date": "2018/12/21", + "rsa.internal.messageid": "34", "rsa.time.event_time": "2018-12-22T01:20:14.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2145,37 +2022,20 @@ }, { "@timestamp": "2019-01-05T08:22:49.000Z", - "destination.ip": [ - "10.101.163.40" - ], - "destination.port": 7153, - "event.code": "83", + "event.code": "144", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "lmolesti id=meumfugi sn=tquas time=\"2019/01/05 06:22:49\" fw=10.200.22.41 pri=medium c=iame m=83 msg=\"orroquis\" n=aquio src=10.208.79.170:7616:enp0s4472 dst=10.101.163.40:7153:enp0s1370", + "event.original": "id=itametc sn=ori time=\"2019/01/05 06:22:49\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11224, - "log.original": "orroquis", - "observer.egress.interface.name": "enp0s1370", - "observer.ingress.interface.name": "enp0s4472", + "log.offset": 10662, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.208.79.170", - "10.101.163.40" - ], - "rsa.internal.messageid": "83", - "rsa.internal.msg": "orroquis", - "rsa.network.dinterface": "enp0s1370", - "rsa.network.sinterface": "enp0s4472", + "rsa.internal.messageid": "144", + "rsa.time.date": "2019/01/05", "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.208.79.170" - ], - "source.port": 7616, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2183,20 +2043,31 @@ }, { "@timestamp": "2019-01-19T15:25:23.000Z", - "event.code": "144", + "destination.nat.ip": "10.12.54.142", + "destination.nat.port": 6543, + "event.code": "658", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uisnostr sn=reetdol time=\"2019/01/19 13:25:23\" fw=10.94.132.21 pri=very-high c=odi m=144 Primary firewall has transitioned to Idle", + "event.original": "id=doconse sn=etdol time=\"2019/01/19 13:25:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11409, + "log.offset": 10785, + "log.original": "osquirat", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "144", + "related.ip": [ + "10.12.54.142", + "10.56.10.84" + ], + "rsa.internal.messageid": "658", + "rsa.internal.msg": "osquirat", + "rsa.misc.ntype": "equat", "rsa.time.date": "2019/01/19", "rsa.time.event_time": "2019-01-19T15:25:23.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.56.10.84", + "source.nat.port": 5366, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2204,20 +2075,37 @@ }, { "@timestamp": "2019-02-02T22:27:57.000Z", - "event.code": "104", + "destination.ip": [ + "10.117.63.181" + ], + "destination.port": 6863, + "event.code": "195", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=runtmo sn=ore time=\"2019/02/02 20:27:57\" fw=10.176.3.121 pri=very-high c=tas m=104 Retransmitting DHCP REQUEST (Verifying).", + "event.original": "id=min sn=oluptat time=\"2019/02/02 20:27:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11543, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10936, + "log.original": "magnaal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "104", + "related.ip": [ + "10.117.63.181", + "10.222.169.140" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "magnaal", "rsa.time.date": "2019/02/02", "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.222.169.140" + ], + "source.port": 5299, "tags": [ "sonicwall.firewall", "forwarded" 
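Review bot: The new expected event for message id 195 carries `"log.flags": ["dissect_parsing_error"]`, so this fixture now pins a dissect failure as the correct output instead of flagging it. Since `source.ip`, `source.port`, `destination.ip` and `destination.port` are still populated for that line, the failing pattern is presumably a secondary dissect on the tail of the message (the trailing `rcvd=7416` token is the obvious candidate), but that is inferred from the visible fields rather than shown here. Before accepting the regenerated file it is worth confirming whether that flag is expected for this message form; if it is a generator artifact the input line should be fixed, and if the pattern is wrong the pipeline should be, because a committed fixture with the error flag will silently keep the bug green in CI. A short comment in the test harness or module README noting which expected events are allowed to carry `dissect_parsing_error` would make such cases deliberate rather than accidental.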
@@ -2225,17 +2113,20 @@ }, { "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "21", + "event.code": "867", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mveleum sn=liq time=\"2019/02/17 03:30:32\" fw=10.197.3.44 pri=low c=aali m=21 Cookie removed", + "event.original": "id=eacommo sn=ueip time=\"2019/02/17 03:30:32\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11670, + "log.offset": 11116, + "log.original": "scipi", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "21", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "scipi", + "rsa.misc.ntype": "acon", "rsa.time.date": "2019/02/17", "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "sonicwall", 
@@ -2246,55 +2137,63 @@ }, { "@timestamp": "2019-03-03T12:33:06.000Z", - "destination.ip": [ - "10.236.247.87" - ], - "destination.port": 7360, - "event.action": "cancel", - "event.code": "710", + "event.code": "60", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "mdolors id=oremi sn=ugitsedq time=\"2019/03/03 10:33:06\" fw=10.143.229.47 pri=medium c=nisiut m=710 msg=\"cancel\" n=quira src=10.175.98.45:3633 dst=10.236.247.87:7360", + "event.original": "usm id=labori sn=porai time=\"2019/03/03 10:33:06\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11765, + "log.offset": 11230, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.175.98.45", - "10.236.247.87" - ], - "rsa.internal.messageid": "710", - "rsa.misc.action": [ - "cancel" - ], + "rsa.internal.messageid": "60", "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.175.98.45" - ], - "source.port": 3633, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2019-03-17T19:35:40.000Z", - "event.code": "155", + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.ip": [ + "10.200.122.184" + ], + "destination.port": 1176, + "event.action": "allow", + "event.code": "794", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "tvolup id=consecte sn=pteurs time=\"2019/03/17 17:35:40\" fw=10.152.83.154 pri=high c=saqu m=155 Primary received heartbeat from wrong source", + "event.original": "id=lup sn=upta time=\"2019-3-17 5:35:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11930, + 
"log.offset": 11348, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth5397", + "observer.ingress.interface.name": "lo1325", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "155", - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "related.ip": [ + "10.200.122.184", + "10.57.255.4" + ], + "rsa.identity.user_sid_dst": "sBon", + "rsa.internal.event_desc": "fic", + "rsa.internal.messageid": "794", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.dinterface": "eth5397", + "rsa.network.sinterface": "lo1325", + "rsa.time.date": "2019-3-17", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.57.255.4" + ], + "source.port": 239, "tags": [ "sonicwall.firewall", "forwarded" @@ -2302,17 +2201,17 @@ }, { "@timestamp": "2019-04-01T02:38:14.000Z", - "event.code": "53", + "event.code": "19", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=unt sn=tass time=\"2019/04/01 00:38:14\" fw=10.74.8.242 pri=very-high c=uid m=53 The cache is full; too many open connections; some will be dropped", + "event.original": "id=mmod sn=iti time=\"2019/04/01 00:38:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12070, + "log.offset": 11600, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "53", + "rsa.internal.messageid": "19", "rsa.time.date": "2019/04/01", "rsa.time.event_time": "2019-04-01T02:38:14.000Z", "service.type": "sonicwall", 
@@ -2323,45 +2222,30 @@ }, { "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.address": "iam7526.mail.test", - "destination.ip": [ - "10.22.244.71" - ], - "destination.port": 1865, - "event.action": "deny", - "event.code": "888", + "destination.nat.ip": "10.129.101.147", + "destination.nat.port": 3606, + "event.code": "413", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=umdolo sn=rroqui time=\"2019/04/15 07:40:49\" fw=10.76.122.196 pri=high c=epteur m=888 msg=\"malware;deny\" n=iame src=10.81.33.64:22:enp0s2909:cta5467.www.localhost dst=10.22.244.71:1865:eth3249:iam7526.mail.test", + "event.original": "id=mag sn=gelitse time=\"2019/04/15 07:40:49\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", "fileset.name": "firewall", - "host.hostname": "cta5467.www.localhost", "input.type": "log", - "log.offset": 12219, - "observer.egress.interface.name": "eth3249", - "observer.ingress.interface.name": "enp0s2909", + "log.offset": 11692, + "log.original": "upta", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.81.33.64", - "10.22.244.71" - ], - "rsa.internal.messageid": "888", - "rsa.misc.action": [ - "deny" + "10.206.229.61", + "10.129.101.147" ], - "rsa.misc.reason": "malware", - "rsa.network.dinterface": "eth3249", - "rsa.network.host_dst": "iam7526.mail.test", - "rsa.network.sinterface": "enp0s2909", + "rsa.internal.messageid": "413", + "rsa.internal.msg": "upta", "rsa.time.date": "2019/04/15", "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "sonicwall", - "source.address": "cta5467.www.localhost", - "source.ip": [ - "10.81.33.64" - ], - "source.port": 22, + "source.nat.ip": "10.206.229.61", + "source.nat.port": 3467, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2369,76 +2253,82 @@ }, { "@timestamp": "2019-04-29T16:43:23.000Z", - "destination.nat.ip": "10.20.73.247", - "destination.nat.port": 4228, - "event.code": "998", + "event.code": "159", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "cepteur id=aer sn=osquira time=\"2019/04/29 14:43:23\" fw=10.232.158.211 pri=high c=dolorem m=998 msg=\"sed\" n=idata usr=sun src=10.205.21.166:236 dst=10.20.73.247:4228 note=\"sed\"", + "event.original": "id=nostrud sn=cteturad time=\"2019/04/29 14:43:23\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12432, - "log.original": "sed", + "log.offset": 11843, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.205.21.166", - "10.20.73.247" - ], - "related.user": [ - "sun" - ], - "rsa.internal.event_desc": "sed", - "rsa.internal.messageid": "998", - "rsa.internal.msg": "sed", + "rsa.internal.messageid": "159", + "rsa.time.date": "2019/04/29", "rsa.time.event_time": "2019-04-29T16:43:23.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.205.21.166", - "source.nat.port": 236, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "sun" + ] }, { "@timestamp": "2019-05-13T23:45:57.000Z", - "event.code": "165", + "event.code": "1079", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pernat sn=udan time=\"2019/05/13 21:45:57\" fw=10.124.243.58 pri=high c=urQuis m=165 Backup going Active in preempt mode after reboot", + "event.original": "oluptate id=lit sn=santi time=\"2019/05/13 21:45:57\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", "fileset.name": "firewall", + "host.ip": "10.221.220.148", "input.type": "log", - "log.offset": 12609, + "log.offset": 11953, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
- "rsa.internal.messageid": "165", - "rsa.time.date": "2019/05/13", + "related.ip": [ + "10.221.220.148" + ], + "related.user": [ + "amc" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": "", "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "amc" }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "event.code": "6", + "destination.ip": [ + "10.125.85.128" + ], + "event.code": "355", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=orum sn=Bonoru time=\"2019/05/28 04:48:31\" fw=10.53.168.187 pri=medium c=emacc m=6 Log successfully sent via email", + "event.original": "id=vol sn=psumd time=\"2019/05/28 04:48:31\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12744, + "log.offset": 12100, + "log.original": "labo", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "6", + "related.ip": [ + "10.125.85.128", + "10.78.29.246" + ], + "rsa.internal.messageid": "355", + "rsa.internal.msg": "labo", "rsa.time.date": "2019/05/28", "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.78.29.246" + ], "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2446,18 +2336,17 @@ }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "11", + "event.code": "101", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=lamcola sn=veli time=\"2019/06/11 11:51:06\" fw=10.104.211.232 pri=high c=idolores m=11 Problem loading the Filter list; check your DNS server", + "event.original": "enbyCi id=reetdo sn=tat time=\"2019/06/11 11:51:06\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12861, + "log.offset": 12238, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "11", - "rsa.time.date": "2019/06/11", + "rsa.internal.messageid": "101", "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2467,20 +2356,36 @@ }, { "@timestamp": "2019-06-25T20:53:40.000Z", - "event.code": "19", + "destination.ip": [ + "10.29.120.226" + ], + "destination.port": 1129, + "event.action": "allow", + "event.code": "712", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mmod sn=iti time=\"2019/06/25 18:53:40\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "event.original": "id=iamqui sn=tassita time=\"2019/06/25 18:53:40\" fw=10.7.47.118 pri=medium c=piscing m=712 msg=\"allow\" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13005, + "log.offset": 12366, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "19", + "related.ip": [ + "10.29.120.226", + "10.203.146.137" + ], + "rsa.internal.messageid": "712", + "rsa.misc.action": [ + "allow" + ], "rsa.time.date": "2019/06/25", "rsa.time.event_time": "2019-06-25T20:53:40.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.203.146.137" + ], + "source.port": 4213, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2488,30 +2393,21 @@ }, { "@timestamp": "2019-07-10T03:56:14.000Z", - "destination.nat.ip": "10.129.101.147", - "destination.nat.port": 3606, - "event.code": "413", + "event.code": "670", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mag sn=gelitse time=\"2019/07/10 01:56:14\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "event.original": "inesciu id=quid sn=atcupid time=\"2019/07/10 01:56:14\" fw=10.29.5.115 pri=very-high c=ate m=670 msg=\"con\" sess=tqu n=eirur", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13097, - "log.original": "upta", + "log.offset": 12521, + "log.original": "con", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.206.229.61", - "10.129.101.147" - ], - "rsa.internal.messageid": "413", - "rsa.internal.msg": "upta", - "rsa.time.date": "2019/07/10", + "rsa.internal.messageid": "670", + "rsa.internal.msg": "con", "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.206.229.61", - "source.nat.port": 3467, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2519,18 +2415,17 @@ }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "159", + "event.code": "151", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nostrud sn=cteturad time=\"2019/07/24 08:58:48\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "event.original": "hite id=ianonnum sn=nofdeFi time=\"2019/07/24 08:58:48\" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13248, + "log.offset": 12643, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "159", - "rsa.time.date": "2019/07/24", + "rsa.internal.messageid": "151", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2540,55 +2435,57 @@ }, { "@timestamp": "2019-08-07T18:01:23.000Z", - "event.code": "441", + "destination.nat.ip": "10.110.208.170", + "destination.nat.port": 6374, + "event.code": "931", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ritati sn=iciade time=\"2019/08/07 16:01:23\" fw=10.202.224.79 pri=low c=nevolupt m=441 msg=\"aco\" n=apar", + "event.original": "id=arch sn=lite time=\"2019/08/07 16:01:23\" fw=10.25.118.123 pri=high c=borumSec m=931 msg=\"aecatcup\" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13358, - "log.original": "aco", + "log.offset": 12776, + "log.original": "aecatcup", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "441", - "rsa.internal.msg": "aco", + "related.ip": [ + "10.245.216.15", + "10.110.208.170" + ], + "rsa.internal.messageid": "931", + "rsa.internal.msg": "aecatcup", + "rsa.misc.ntype": "snisiut", "rsa.time.date": "2019/08/07", "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.245.216.15", + "source.nat.port": 7800, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2019-08-22T01:03:57.000Z", - "destination.ip": [ - "10.125.85.128" - ], - "event.code": "355", + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "deny", + "event.code": "1086", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=vol sn=psumd time=\"2019/08/21 23:03:57\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "event.original": "id=rumSecti sn=Utenima time=\"2019-8-21 11:03:57\" fw=10.74.166.70 pri=very-high c=olor m=1086 msg=\"radip\" n=rchitect fw_action=\"deny\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13464, - "log.original": "labo", + "log.offset": 12934, 
"observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.78.29.246", - "10.125.85.128" + "rsa.internal.event_desc": "radip", + "rsa.internal.messageid": "1086", + "rsa.misc.action": [ + "deny" ], - "rsa.internal.messageid": "355", - "rsa.internal.msg": "labo", - "rsa.time.date": "2019/08/21", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.date": "2019-8-21", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.78.29.246" - ], "tags": [ "sonicwall.firewall", "forwarded" @@ -2596,17 +2493,18 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "101", + "event.code": "8", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "enbyCi id=reetdo sn=tat time=\"2019/09/05 06:06:31\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "event.original": "id=amquisno sn=modoc time=\"2019/09/05 06:06:31\" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13602, + "log.offset": 13067, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "101", + "rsa.internal.messageid": "8", + "rsa.time.date": "2019/09/05", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2616,39 +2514,20 @@ }, { "@timestamp": "2019-09-19T15:09:05.000Z", - "destination.ip": [ - "10.21.147.52" - ], - "destination.port": 1816, - "event.code": "714", + "event.code": "60", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quunt sn=itasp time=\"2019/09/19 13:09:05\" fw=10.210.181.12 pri=high c=met m=714 msg=\"volup\" sess=ptate n=entsu src=10.44.198.184:5695:enp0s5214 dst= umwri 10.21.147.52:1816:eth2990 npcs=tur", + "event.original": "id=Bonorum sn=lesti time=\"2019/09/19 13:09:05\" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13730, - "log.original": "volup", - "observer.egress.interface.name": "eth2990", - "observer.ingress.interface.name": "enp0s5214", + "log.offset": 13174, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.21.147.52", - "10.44.198.184" - ], - "rsa.db.index": "tur", - "rsa.internal.messageid": "714", - "rsa.internal.msg": "volup", - "rsa.network.dinterface": "eth2990", - "rsa.network.sinterface": "enp0s5214", + "rsa.internal.messageid": "60", "rsa.time.date": "2019/09/19", "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.44.198.184" - ], - "source.port": 5695, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2656,18 +2535,17 @@ }, { "@timestamp": "2019-10-03T22:11:40.000Z", - "event.code": "134", + "event.code": "47", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ita sn=amquaer time=\"2019/10/03 20:11:40\" fw=10.47.1.90 pri=high c=lpa m=134 PPPoE starting PAP Authentication", + "event.original": "uuntur id=tsedquia sn=its time=\"2019/10/03 20:11:40\" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13923, + "log.offset": 13290, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "134", - "rsa.time.date": "2019/10/03", + "rsa.internal.messageid": "47", "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2677,20 +2555,36 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "69", + "destination.ip": [ + "10.250.149.166" + ], + "destination.port": 6342, + "event.action": "block", + "event.code": "713", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=smod sn=idunt time=\"2019/10/18 03:14:14\" fw=10.29.120.226 pri=very-high c=aparia m=69 Incompatible IPSec Security Association", + "event.original": "id=tatevel sn=midestl time=\"2019/10/18 03:14:14\" fw=10.222.197.130 pri=medium c=ulapa m=713 msg=\"block\" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14037, + "log.offset": 13405, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "69", + "related.ip": [ + "10.143.0.78", + "10.250.149.166" + ], + "rsa.internal.messageid": "713", + "rsa.misc.action": [ + "block" + ], "rsa.time.date": "2019/10/18", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.143.0.78" + ], + "source.port": 3113, "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2698,17 +2592,18 @@ }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "137", + "event.code": "91", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "lore id=isci sn=Dui time=\"2019/11/01 10:16:48\" fw=10.205.202.225 pri=high c=civelits m=137 Wan IP Changed", + "event.original": "id=hilmole sn=sequ time=\"2019/11/01 10:16:48\" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14166, + "log.offset": 13563, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "137", + "rsa.internal.messageid": "91", + "rsa.time.date": "2019/11/01", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "sonicwall", "tags": [ @@ -2718,18 +2613,20 @@ }, { "@timestamp": "2019-11-15T19:19:22.000Z", - "event.code": "35", + "event.code": "766", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=olore sn=orumS time=\"2019/11/15 17:19:22\" fw=10.25.93.121 pri=low c=rchitect m=35 Attempted administrator login from WAN", + "event.original": "umtota id=etdolore sn=magnaa time=\"2019/11/15 17:19:22\" fw=10.209.34.197 pri=very-high c=tes m=766 msg=\"equam\" n=isi", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14272, + "log.offset": 13682, + "log.original": "equam", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "35", - "rsa.time.date": "2019/11/15", + "rsa.internal.messageid": "766", + "rsa.internal.msg": "equam", + "rsa.misc.ntype": "isi", "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "sonicwall", "tags": [ 
@@ -2739,27 +2636,20 @@ }, { "@timestamp": "2019-11-30T02:21:57.000Z", - "destination.nat.ip": "10.85.204.8", - "event.code": "src", + "event.code": "58", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "umdolore id=dmi sn=tam time=\"2019/11/30 00:21:57\" fw=10.151.170.207 pri=high c=dunt m=src src=10.243.170.64 dst=10.85.204.8 amquisno", + "event.original": "id=rep sn=remap time=\"2019/11/30 00:21:57\" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14396, - "log.original": "amquisno", + "log.offset": 13799, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.85.204.8", - "10.243.170.64" - ], - "rsa.internal.messageid": "src", - "rsa.internal.msg": "amquisno", + "rsa.internal.messageid": "58", + "rsa.time.date": "2019/11/30", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.243.170.64", "tags": [ "sonicwall.firewall", "forwarded" 
@@ -2767,20 +2657,36 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "105", + "destination.ip": [ + "10.219.228.115" + ], + "destination.port": 745, + "event.action": "deny", + "event.code": "373", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=magnam sn=uinesc time=\"2019/12/14 07:24:31\" fw=10.172.95.162 pri=very-high c=Bonorum m=105 Sending DHCP DISCOVER.", + "event.original": "id=nesciun sn=amcolab time=\"2019/12/14 07:24:31\" fw=10.142.7.145 pri=low c=iuta m=373 msg=\"deny\" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745", "fileset.name": "firewall", "input.type": "log", - "log.offset": 14529, + "log.offset": 13975, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "105", + "related.ip": [ + "10.179.3.247", + "10.219.228.115" + ], + "rsa.internal.messageid": "373", + "rsa.misc.action": [ + "deny" + ], "rsa.time.date": "2019/12/14", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.179.3.247" + ], + "source.port": 3445, "tags": [ "sonicwall.firewall", "forwarded" diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index 426f9b0348a..00219a1f06b 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-08 22:21:05.010409 +0000 UTC. +at 2020-07-13 17:12:07.368404 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 5804a587507..0b4026cc818 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json 
@@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -95,8 +95,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -158,8 +158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -380,8 +380,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -443,8 +443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -619,8 +619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -670,8 +670,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.85.16.38" + "209.85.16.38", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -786,8 +786,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" ], "related.user": [ "badeyek" 
@@ -849,8 +849,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" @@ -911,8 +911,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -962,8 +962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1025,8 +1025,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1083,8 +1083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1095,8 +1095,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1146,8 +1146,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.161" + "213.160.98.161", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1209,8 +1209,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "213.160.98.160" + "213.160.98.160", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1221,8 +1221,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -1270,8 +1270,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1317,8 +1317,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1378,8 +1378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1486,8 +1486,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1549,8 +1549,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1619,8 +1619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1669,8 +1669,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1831,8 +1831,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -1882,8 +1882,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1952,8 +1952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1997,8 +1997,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2057,8 +2057,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2069,8 +2069,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2116,8 +2116,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2127,8 +2127,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2173,8 +2173,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "209.191.93.51" + "209.191.93.51", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2236,8 +2236,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "63.245.209.21" + "63.245.209.21", + "10.105.21.199" ], "related.user": [ "badeyek" 
@@ -2248,8 +2248,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2295,8 +2295,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2307,8 +2307,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2364,8 +2364,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2412,8 +2412,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2461,8 +2461,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2510,8 +2510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2726,8 +2726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -2773,8 +2773,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2832,8 +2832,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2892,8 +2892,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3050,8 +3050,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3122,8 +3122,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3170,8 +3170,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3230,8 +3230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3242,8 +3242,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -3342,8 +3342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3392,8 +3392,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3440,8 +3440,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3452,8 +3452,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3722,8 +3722,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -3782,8 +3782,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3794,8 +3794,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3842,8 +3842,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -3854,8 +3854,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3964,8 +3964,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4014,8 +4014,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4077,8 +4077,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4125,8 +4125,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4137,8 +4137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4260,8 +4260,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4308,8 +4308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" 
@@ -4320,8 +4320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4481,8 +4481,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.109.124.55", - "10.105.33.214" + "10.105.33.214", + "216.109.124.55" ], "related.user": [ "adeolaegbedokun" @@ -4605,8 +4605,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4656,8 +4656,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4668,8 +4668,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4715,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -4777,8 +4777,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" 
@@ -4789,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4840,8 +4840,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4852,8 +4852,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4965,8 +4965,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5016,8 +5016,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -5079,8 +5079,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5237,8 +5237,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.109.125.112" + "216.109.125.112", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -5249,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5357,8 +5357,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5470,8 +5470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5533,8 +5533,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5583,8 +5583,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5633,8 +5633,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index 055f352dae0..bd3d2de8fd6 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json 
@@ -81,8 +81,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -193,8 +193,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "304", @@ -249,8 +249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -417,8 +417,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -473,8 +473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -529,8 +529,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -697,8 +697,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -753,8 +753,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1201,8 +1201,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1257,8 +1257,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1313,8 +1313,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1369,8 +1369,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1480,8 +1480,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -1536,8 +1536,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1648,8 +1648,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1760,8 +1760,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1816,8 +1816,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1872,8 +1872,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1928,8 +1928,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2040,8 +2040,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2152,8 +2152,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2376,8 +2376,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -2488,8 +2488,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -2656,8 +2656,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2768,8 +2768,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2992,8 +2992,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3048,8 +3048,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3104,8 +3104,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3216,8 +3216,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3328,8 +3328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3384,8 +3384,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3608,8 +3608,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3720,8 +3720,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3888,8 +3888,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3944,8 +3944,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4000,8 +4000,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4056,8 +4056,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4168,8 +4168,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4280,8 +4280,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MEM_HIT", - "GET" + "GET", + "TCP_MEM_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4335,8 +4335,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4391,8 +4391,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4447,8 +4447,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4503,8 +4503,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4558,8 +4558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4670,8 +4670,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4792,8 +4792,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4903,8 +4903,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -4959,8 +4959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5015,8 +5015,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5127,8 +5127,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5239,8 +5239,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5295,8 +5295,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5351,8 +5351,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "403", 
@@ -5410,8 +5410,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5466,8 +5466,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5521,8 +5521,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index e0bb9f913fa..97f00bd3059 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json @@ -23,8 +23,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -71,8 +71,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -119,8 +119,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -167,8 +167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -217,8 +217,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -267,8 +267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -317,8 +317,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -467,8 +467,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -564,8 +564,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -612,8 +612,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -756,8 +756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", 
@@ -804,8 +804,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "404", @@ -902,8 +902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -952,8 +952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1002,8 +1002,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1052,8 +1052,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1102,8 +1102,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1152,8 +1152,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1249,8 +1249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", 
@@ -1298,8 +1298,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1442,8 +1442,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -1502,8 +1502,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1562,8 +1562,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.131.147", - "192.168.0.35" + "192.168.0.35", + "74.125.131.147" ], "related.user": [ "-" @@ -1622,8 +1622,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1634,8 +1634,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -1682,8 +1682,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1741,8 +1741,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "related.user": [ "-" @@ -1799,8 +1799,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" ], "related.user": [ "-" 
@@ -1810,8 +1810,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1868,8 +1868,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1915,8 +1915,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.6" + "74.125.228.6", + "192.168.0.35" ], "related.user": [ "-" @@ -1926,8 +1926,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1973,8 +1973,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.3" + "74.125.228.3", + "192.168.0.35" ], "related.user": [ "-" @@ -1984,8 +1984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2031,8 +2031,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2042,8 +2042,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2089,8 +2089,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" 
@@ -2216,8 +2216,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2263,8 +2263,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2274,8 +2274,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2379,8 +2379,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2437,8 +2437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2448,8 +2448,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2508,8 +2508,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2555,8 +2555,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "23.11.236.224", - "192.168.0.35" + "192.168.0.35", + "23.11.236.224" ], "related.user": [ "-" @@ -2566,8 +2566,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2624,8 +2624,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2682,8 +2682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2729,8 +2729,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -2740,8 +2740,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2787,8 +2787,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -2856,8 +2856,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2914,8 +2914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3030,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -3138,8 +3138,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3150,8 +3150,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3198,8 +3198,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3210,8 +3210,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3258,8 +3258,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3270,8 +3270,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3438,8 +3438,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3510,8 +3510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3558,8 +3558,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" 
@@ -3618,8 +3618,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3630,8 +3630,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3798,8 +3798,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3810,8 +3810,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3918,8 +3918,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3930,8 +3930,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3978,8 +3978,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3990,8 +3990,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4038,8 +4038,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" 
@@ -4050,8 +4050,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4098,8 +4098,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4110,8 +4110,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4218,8 +4218,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4230,8 +4230,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4410,8 +4410,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4458,8 +4458,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4470,8 +4470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4518,8 +4518,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -4638,8 +4638,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4650,8 +4650,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4710,8 +4710,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4818,8 +4818,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4878,8 +4878,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4890,8 +4890,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4938,8 +4938,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4998,8 +4998,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -5058,8 +5058,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -5186,8 +5186,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5233,8 +5233,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.96" + "74.125.228.96", + "192.168.0.35" ], "related.user": [ "-" @@ -5244,8 +5244,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5291,8 +5291,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.101", - "192.168.0.35" + "192.168.0.35", + "74.125.228.101" ], "related.user": [ "-" @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5466,8 +5466,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "23.62.194.110" + "23.62.194.110", + "192.168.0.35" ], "related.user": [ "-" @@ -5477,8 +5477,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5593,8 +5593,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index 083e3410bd9..d635ea27466 100644 
--- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -196,8 +196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -207,8 +207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -370,8 +370,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -381,8 +381,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -428,8 +428,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" @@ -544,8 +544,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" @@ -555,8 +555,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -605,8 +605,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.237" + "216.58.219.237", + "::1" ], "related.user": [ "-" @@ -616,8 +616,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -674,8 +674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -779,8 +779,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -907,8 +907,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1012,8 +1012,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1081,8 +1081,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1139,8 +1139,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1197,8 +1197,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1255,8 +1255,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1302,8 +1302,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" 
@@ -1313,8 +1313,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1371,8 +1371,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1418,8 +1418,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1429,8 +1429,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1487,8 +1487,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1534,8 +1534,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1545,8 +1545,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1650,8 +1650,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1708,8 +1708,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" 
@@ -1719,8 +1719,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1777,8 +1777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1824,8 +1824,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.67", - "::1" + "::1", + "173.194.123.67" ], "related.user": [ "-" @@ -1835,8 +1835,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1940,8 +1940,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1951,8 +1951,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2114,8 +2114,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2125,8 +2125,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2183,8 +2183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2230,8 +2230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2299,8 +2299,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2346,8 +2346,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -2357,8 +2357,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2520,8 +2520,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.101" + "173.194.123.101", + "::1" ], "related.user": [ "-" @@ -2752,8 +2752,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -2822,8 +2822,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2881,8 +2881,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -2986,8 +2986,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.226.83", - "::1" + "::1", + "74.125.226.83" ], "related.user": [ "-" 
@@ -2997,8 +2997,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3048,8 +3048,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" @@ -3059,8 +3059,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3121,8 +3121,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -3182,8 +3182,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3243,8 +3243,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3293,8 +3293,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.174" + "216.58.219.174", + "::1" ], "related.user": [ "-" @@ -3354,8 +3354,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.174", - "::1" + "::1", + "216.58.219.174" ], "related.user": [ "-" @@ -3476,8 +3476,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.132" + "216.58.219.132", + "::1" ], "related.user": [ "-" 
@@ -3598,8 +3598,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.142" + "216.58.219.142", + "::1" ], "related.user": [ "-" @@ -3720,8 +3720,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "216.58.219.142" + "216.58.219.142", + "::1" ], "related.user": [ "-" @@ -3839,8 +3839,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -3850,8 +3850,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3897,8 +3897,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -3908,8 +3908,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3955,8 +3955,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "74.125.141.189" + "74.125.141.189", + "::1" ], "related.user": [ "-" @@ -4138,8 +4138,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.238", - "10.100.0.1" + "10.100.0.1", + "216.58.219.238" ], "related.user": [ "-" @@ -4149,8 +4149,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4196,8 +4196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.205.113", - "10.100.0.1" + "10.100.0.1", + "173.194.205.113" ], "related.user": [ "-" 
@@ -4267,8 +4267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4315,8 +4315,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.6.238", - "10.100.0.1" + "10.100.0.1", + "172.217.6.238" ], "related.user": [ "-" @@ -4326,8 +4326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4498,8 +4498,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "172.217.6.238" + "172.217.6.238", + "10.100.0.1" ], "related.user": [ "-" @@ -4509,8 +4509,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", @@ -4672,8 +4672,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.10.14" + "172.217.10.14", + "10.100.2.85" ], "related.user": [ "-" @@ -4683,8 +4683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4730,8 +4730,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "172.217.12.174" + "172.217.12.174", + "10.100.2.85" ], "related.user": [ "-" 
@@ -4741,8 +4741,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4799,8 +4799,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4857,8 +4857,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4915,8 +4915,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4962,8 +4962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.10.14", - "10.100.2.85" + "10.100.2.85", + "172.217.10.14" ], "related.user": [ "-" @@ -5020,8 +5020,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.2.85", - "173.194.204.156" + "173.194.204.156", + "10.100.2.85" ], "related.user": [ "-" @@ -5031,8 +5031,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5078,8 +5078,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.2.85" + "10.100.2.85", + "172.217.12.174" ], "related.user": [ "-" @@ -5136,8 +5136,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" 
@@ -5252,8 +5252,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "172.217.12.174", - "10.100.0.1" + "10.100.0.1", + "172.217.12.174" ], "related.user": [ "-" @@ -5379,8 +5379,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5501,8 +5501,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5623,8 +5623,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5673,8 +5673,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.206", - "10.100.0.1" + "10.100.0.1", + "216.58.219.206" ], "related.user": [ "-" @@ -5684,8 +5684,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5792,8 +5792,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.100.0.1", - "216.58.219.206" + "216.58.219.206", + "10.100.0.1" ], "related.user": [ "-" @@ -5803,8 +5803,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md index 5fafc98d0a5..892366efc66 100644 --- a/x-pack/filebeat/module/tenable/README.md 
+++ b/x-pack/filebeat/module/tenable/README.md @@ -3,5 +3,5 @@ This is a module for Tenable Network Security Nessus logs. Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-08 22:21:01.942095 +0000 UTC. +at 2020-07-13 17:12:04.056255 +0000 UTC. diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md index 0fb3570f0c5..3c18b901d1d 100644 --- a/x-pack/filebeat/module/tomcat/README.md +++ b/x-pack/filebeat/module/tomcat/README.md @@ -3,5 +3,5 @@ This is a module for Apache Tomcat logs. Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-08 22:20:55.28259 +0000 UTC. +at 2020-07-13 17:11:56.134376 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index 6082f5fbcc9..27378a361f7 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md @@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-08 22:21:05.345754 +0000 UTC. +at 2020-07-13 17:12:07.752747 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 9b1417ba70c..f58fde3637d 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -23,8 +23,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -94,8 +94,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.173.22.152", - "10.26.46.95" + "10.26.46.95", + "10.173.22.152" ], "related.user": [ "eataevi" 
@@ -167,8 +167,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.204.86.149", - "10.254.146.57" + "10.254.146.57", + "10.204.86.149" ], "related.user": [ "tenima" @@ -240,8 +240,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -255,8 +255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "llam", - "Allowed" + "Allowed", + "llam" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -313,8 +313,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -532,8 +532,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.74.17.5", - "10.119.185.63" + "10.119.185.63", + "10.74.17.5" ], "related.user": [ "erc" @@ -547,8 +547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "Blocked", - "nsec" + "nsec", + "Blocked" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -620,8 +620,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -912,8 +912,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "Allowed", - "veni" + "veni", + "Allowed" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", 
@@ -985,8 +985,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1131,8 +1131,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "Allowed", - "xeacomm" + "xeacomm", + "Allowed" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1262,8 +1262,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.82.97", - "10.107.251.87" + "10.107.251.87", + "10.135.82.97" ], "related.user": [ "str" @@ -1277,8 +1277,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1335,8 +1335,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.215.205.216", - "10.31.198.58" + "10.31.198.58", + "10.215.205.216" ], "related.user": [ "aturve" @@ -1350,8 +1350,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "oNemoeni", "rsa.misc.action": [ - "Blocked", - "nre" + "nre", + "Blocked" ], "rsa.misc.category": "labo", "rsa.misc.filter": "tutlab", @@ -1481,8 +1481,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.161.148.64", - "10.129.192.145" + "10.129.192.145", + "10.161.148.64" ], "related.user": [ "lor" @@ -1569,8 +1569,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "nte", - "Allowed" + "Allowed", + "nte" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", 
@@ -1642,8 +1642,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "Blocked", - "atcupi" + "atcupi", + "Blocked" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1700,8 +1700,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.39.31.115", - "10.24.111.229" + "10.24.111.229", + "10.39.31.115" ], "related.user": [ "fugi" @@ -1715,8 +1715,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "gnaal", - "Allowed" + "Allowed", + "gnaal" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1773,8 +1773,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.179.210.218", - "10.32.39.220" + "10.32.39.220", + "10.179.210.218" ], "related.user": [ "boreetdo" @@ -1846,8 +1846,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.88.172.34", - "10.128.173.19" + "10.128.173.19", + "10.88.172.34" ], "related.user": [ "agnaaliq" @@ -2065,8 +2065,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2138,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" @@ -2153,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "Allowed", - "vitaed" + "vitaed", + "Allowed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2211,8 +2211,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.242.182.193", - "10.87.100.240" + "10.87.100.240", + "10.242.182.193" ], "related.user": [ "stenatus" 
@@ -2226,8 +2226,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mag", "rsa.misc.action": [ - "Allowed", - "tali" + "tali", + "Allowed" ], "rsa.misc.category": "oconse", "rsa.misc.filter": "npr", @@ -2284,8 +2284,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2299,8 +2299,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdolore", "rsa.misc.action": [ - "Blocked", - "onproide" + "onproide", + "Blocked" ], "rsa.misc.category": "tvolup", "rsa.misc.filter": "niam", @@ -2357,8 +2357,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.106.77.138", - "10.193.66.155" + "10.193.66.155", + "10.106.77.138" ], "related.user": [ "iusmodt" @@ -2372,8 +2372,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2430,8 +2430,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" ], "related.user": [ "mUteni" @@ -2445,8 +2445,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2518,8 +2518,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", 
@@ -2576,8 +2576,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.10.42", - "10.142.120.198" + "10.142.120.198", + "10.166.10.42" ], "related.user": [ "olori" @@ -2591,8 +2591,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "Blocked", - "doconse" + "doconse", + "Blocked" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2737,8 +2737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "litanim", - "Allowed" + "Allowed", + "litanim" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2868,8 +2868,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" @@ -2883,8 +2883,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "Blocked", - "quu" + "quu", + "Blocked" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -3014,8 +3014,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.134.128.27", - "10.118.177.136" + "10.118.177.136", + "10.134.128.27" ], "related.user": [ "Utenima" @@ -3029,8 +3029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3102,8 +3102,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", 
@@ -3160,8 +3160,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.143.0.78", - "10.137.164.122" + "10.137.164.122", + "10.143.0.78" ], "related.user": [ "orissus" @@ -3175,8 +3175,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3248,8 +3248,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "ptatev", - "Blocked" + "Blocked", + "ptatev" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3394,8 +3394,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3452,8 +3452,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.255.40.12", - "10.166.195.20" + "10.166.195.20", + "10.255.40.12" ], "related.user": [ "lamcolab" @@ -3538,8 +3538,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Blocked", - "Bonoru" + "Bonoru", + "Blocked" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3611,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "tinvolup", - "Blocked" + "Blocked", + "tinvolup" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3669,8 +3669,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.237.0.173", - "10.31.153.177" + "10.31.153.177", + "10.237.0.173" ], "related.user": [ "sci" 
@@ -3740,8 +3740,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.229.102.140", - "10.243.182.229" + "10.243.182.229", + "10.229.102.140" ], "related.user": [ "duntut" @@ -3824,8 +3824,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "Blocked", - "exer" + "exer", + "Blocked" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -3897,8 +3897,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "emp", - "Blocked" + "Blocked", + "emp" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -3955,8 +3955,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.2.225", - "10.89.41.97" + "10.89.41.97", + "10.91.2.225" ], "related.user": [ "tem" @@ -4043,8 +4043,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "Allowed", - "epreh" + "epreh", + "Allowed" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", @@ -4101,8 +4101,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4116,8 +4116,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "niam", - "Allowed" + "Allowed", + "niam" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", @@ -4260,8 +4260,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "Allowed", - "urau" + "urau", + "Allowed" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", 
@@ -4318,8 +4318,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" @@ -4406,8 +4406,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4460,8 +4460,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.187.16.73", - "10.122.102.156" + "10.122.102.156", + "10.187.16.73" ], "related.user": [ "emoen" @@ -4533,8 +4533,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.248.108.55", - "10.120.215.174" + "10.120.215.174", + "10.248.108.55" ], "related.user": [ "prehend" @@ -4604,8 +4604,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" @@ -4619,8 +4619,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "uteiru", - "Allowed" + "Allowed", + "uteiru" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4750,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" @@ -4823,8 +4823,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" ], "related.user": [ "eavolupt" @@ -4838,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", 
@@ -4896,8 +4896,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" @@ -4911,8 +4911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "Allowed", - "rmagnido" + "rmagnido", + "Allowed" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4969,8 +4969,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.193.152.42", - "10.91.20.27" + "10.91.20.27", + "10.193.152.42" ], "related.user": [ "edict" @@ -4984,8 +4984,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "umq", - "Blocked" + "Blocked", + "umq" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5057,8 +5057,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "Allowed", - "userro" + "userro", + "Allowed" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5115,8 +5115,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.177.226", - "10.249.1.143" + "10.249.1.143", + "10.124.177.226" ], "related.user": [ "isciveli" @@ -5261,8 +5261,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.200.74.101", - "10.203.47.23" + "10.203.47.23", + "10.200.74.101" ], "related.user": [ "litesse" @@ -5276,8 +5276,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "Allowed", - "iqu" + "iqu", + "Allowed" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5407,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.211.66.68", - "10.55.151.53" + "10.55.151.53", + "10.211.66.68" ], "related.user": [ "squir" 
@@ -5480,8 +5480,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.110.16.169", - "10.209.203.156" + "10.209.203.156", + "10.110.16.169" ], "related.user": [ "mes" @@ -5495,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5553,8 +5553,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.107.68.114", - "10.84.9.150" + "10.84.9.150", + "10.107.68.114" ], "related.user": [ "sequatDu" @@ -5568,8 +5568,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5641,8 +5641,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "ici", - "Blocked" + "Blocked", + "ici" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5845,8 +5845,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.90.20.202", - "10.10.93.133" + "10.10.93.133", + "10.90.20.202" ], "related.user": [ "evita" @@ -6064,8 +6064,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.149.6.107", - "10.236.55.236" + "10.236.55.236", + "10.149.6.107" ], "related.user": [ "redolo" @@ -6210,8 +6210,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.141.66.163", - "10.230.61.102" + "10.230.61.102", + "10.141.66.163" ], "related.user": [ "umdolo" 
@@ -6298,8 +6298,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "remap", - "Blocked" + "Blocked", + "remap" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6371,8 +6371,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "Blocked", - "nofdeF" + "nofdeF", + "Blocked" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6444,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6502,8 +6502,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.154.188.132", - "10.166.205.159" + "10.166.205.159", + "10.154.188.132" ], "related.user": [ "uptat" @@ -6517,8 +6517,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "Allowed", - "onevolu" + "onevolu", + "Allowed" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6571,8 +6571,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.138.193.38", - "10.46.71.46" + "10.46.71.46", + "10.138.193.38" ], "related.user": [ "sintocca" @@ -6640,8 +6640,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6713,8 +6713,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.98.126.206", - "10.195.62.230" + "10.195.62.230", + "10.98.126.206" ], "related.user": [ "ptassit" 
@@ -6728,8 +6728,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6801,8 +6801,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "Blocked", - "nima" + "nima", + "Blocked" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6932,8 +6932,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.139.90.218", - "10.131.81.172" + "10.131.81.172", + "10.139.90.218" ], "related.user": [ "hende" @@ -7005,8 +7005,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "related.user": [ "mquiado" @@ -7078,8 +7078,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.149.221", - "10.217.193.148" + "10.217.193.148", + "10.26.149.221" ], "related.user": [ "uisa" @@ -7093,8 +7093,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7151,8 +7151,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.17.6", - "10.109.192.53" + "10.109.192.53", + "10.172.17.6" ], "related.user": [ "eprehen" @@ -7239,8 +7239,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "Blocked", - "volup" + "volup", + "Blocked" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log b/x-pack/filebeat/module/zscaler/zia/test/test.log new file mode 100644 index 00000000000..f1502e48309 --- /dev/null 
+++ b/x-pack/filebeat/module/zscaler/zia/test/test.log @@ -0,0 +1 @@ +hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize= diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json new file mode 100644 index 00000000000..66ca65108fd --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json 
@@ -0,0 +1,57 @@ +[ + { + "@timestamp": "2017-06-23T17:16:42.000Z", + "event.action": "", + "event.code": "", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=", + "event.timezone": "CEST", + "file.type": "", + "fileset.name": "zia", + "host.name": "", + "http.request.referrer": "", + "input.type": "log", + "log.offset": 0, + "network.protocol": "", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.user": [ + "" + ], + "rsa.db.index": "", + "rsa.identity.user_dept": "", + "rsa.internal.data": "hello", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "", + "rsa.misc.action": [ + "", + "" + ], + "rsa.misc.category": "", + "rsa.misc.filter": "", + "rsa.misc.reference_id": "", + "rsa.misc.result": "", + "rsa.misc.result_code": "", + "rsa.network.alias_host": [ + "" + ], + "rsa.threat.threat_category": "", + "rsa.time.event_time": "2017-06-23T17:16:42.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "", + "service.type": "zscaler", + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "", + "user.name": "", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + } +] \ No newline at end of file From cac973cc7ad388841faa31a255d5543b697a4a85 Mon Sep 17 00:00:00 2001 
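Review bot: The pinned `"@timestamp": "2017-06-23T17:16:42.000Z"` does not follow from the fixture's `time=WOOT Jun 23 15:16:42 2017^^timezone=CEST`: CEST is UTC+2, so that instant is `13:16:42Z`, and the expected value is offset in the opposite direction. Since the same document carries the parsed zone in `event.timezone` and `rsa.time.timezone` as `CEST`, the date conversion seems to be using some other offset (possibly the test host's configured zone) rather than the zone taken from the log; worth confirming before committing the expectation, because a reversed offset shifts every event by hours on an incident timeline. The output also pins empty strings for every unset field (`"host.name": ""`, `"user.name": ""`, `"related.user": [""]`, `"rsa.misc.action": ["", ""]`, `"rsa.network.alias_host": [""]`); ECS consumers treat `related.*` entries as lookup keys, so an empty string there is noise and these fields should be dropped when the source value is empty rather than emitted as `""`.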
From: Adrian Serrano Date: Mon, 13 Jul 2020 19:43:19 +0200 Subject: [PATCH 16/19] Fix mac address parsers in microsoft/dhcp --- .../module/microsoft/dhcp/config/pipeline.js | 92 +- .../module/microsoft/dhcp/test/generated.log | 200 +- .../dhcp/test/generated.log-expected.json | 2002 ++++++++--------- 3 files changed, 1114 insertions(+), 1180 deletions(-) diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js index 73286d033f1..aeecb972944 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js @@ -15,13 +15,13 @@ function DeviceProcessor() { } } -var dup1 = match("MESSAGE#0:00/1_0", "nwparser.p0", "%{smacaddr},%{username},%{sessionid},%{fld3},%{fld4},%{fld5},%{fld7},%{fld8},%{vendor_event_cat},%{fld10},%{fld11},%{fld13->} "); +var dup1 = match("MESSAGE#0:00/1_0", "nwparser.p0", "%{smacaddr},%{username},%{sessionid},%{fld3},%{fld4},%{fld5},%{fld7},%{fld8},%{vendor_event_cat},%{fld10},%{fld11},%{fld13}"); -var dup2 = match("MESSAGE#0:00/1_1", "nwparser.p0", "%{smacaddr},%{username},%{fld2},%{fld3},%{fld4},%{fld5->} "); +var dup2 = match("MESSAGE#0:00/1_1", "nwparser.p0", "%{smacaddr},%{username},%{fld2},%{fld3},%{fld4},%{fld5}"); -var dup3 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr}, "); +var dup3 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr},"); -var dup4 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6->} "); +var dup4 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6}"); var dup5 = match("MESSAGE#0:00/1_4", "nwparser.p0", "%{smacaddr}"); 
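Review bot: The tightened patterns (`%{fld13}`, `%{fld5}`, `%{smacaddr},`, `%{fld6}` endings for dup1–dup4 here, and `%{shost},%{p0}` replacing `%{shost->} ,%{p0}` in part1–part38 in the `@@ -85` through `@@ -703` hunks) are only reached by log lines that carry a MAC field, yet in the visible part of the regenerated generated.log (`@@ -1,100`) every such line (the `... ,01:00:5e:...` forms) is removed and the replacements are 11xxx events that never enter these patterns; the hunk runs past this view, but if the remainder looks the same, the fix named in the commit title has no fixture coverage. One hand-written sample per changed form in the test log (a constructed line such as `%MSDHCP-1-50: 50,1/29/16,6:09:59,desc,10.0.0.1,host.example,00:11:22:33:44:55,a,b,c,d,e`) with its expected document would pin the new behaviour. The same pattern strings also appear twice in this file (dup1–dup4 in this hunk, part68–part71 in the `@@ -1038` hunk), so if pipeline.js is generator output the edit belongs in the generator's source to keep the two copies from drifting.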
@@ -85,7 +85,7 @@ var select1 = linear_select([ hdr1, ]); -var part1 = match("MESSAGE#0:00/0", "nwparser.payload", "00,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part1 = match("MESSAGE#0:00/0", "nwparser.payload", "00,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all1 = all_match({ processors: [ @@ -103,7 +103,7 @@ var all1 = all_match({ var msg1 = msg("00", all1); -var part2 = match("MESSAGE#1:01/0", "nwparser.payload", "01,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part2 = match("MESSAGE#1:01/0", "nwparser.payload", "01,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all2 = all_match({ processors: [ @@ -121,7 +121,7 @@ var all2 = all_match({ var msg2 = msg("01", all2); -var part3 = match("MESSAGE#2:02/0", "nwparser.payload", "02,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part3 = match("MESSAGE#2:02/0", "nwparser.payload", "02,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all3 = all_match({ processors: [ @@ -137,7 +137,7 @@ var all3 = all_match({ var msg3 = msg("02", all3); -var part4 = match("MESSAGE#3:10/0", "nwparser.payload", "10,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part4 = match("MESSAGE#3:10/0", "nwparser.payload", "10,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all4 = all_match({ processors: [ @@ -153,7 +153,7 @@ var all4 = all_match({ var msg4 = msg("10", all4); -var part5 = match("MESSAGE#4:11/0", "nwparser.payload", "11,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part5 = match("MESSAGE#4:11/0", "nwparser.payload", "11,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all5 = all_match({ processors: [ 
@@ -171,7 +171,7 @@ var all5 = all_match({ var msg5 = msg("11", all5); -var part6 = match("MESSAGE#5:12/0", "nwparser.payload", "12,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part6 = match("MESSAGE#5:12/0", "nwparser.payload", "12,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all6 = all_match({ processors: [ @@ -187,7 +187,7 @@ var all6 = all_match({ var msg6 = msg("12", all6); -var part7 = match("MESSAGE#6:13/0", "nwparser.payload", "13,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part7 = match("MESSAGE#6:13/0", "nwparser.payload", "13,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all7 = all_match({ processors: [ @@ -203,7 +203,7 @@ var all7 = all_match({ var msg7 = msg("13", all7); -var part8 = match("MESSAGE#7:14/0", "nwparser.payload", "14,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part8 = match("MESSAGE#7:14/0", "nwparser.payload", "14,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all8 = all_match({ processors: [ @@ -219,7 +219,7 @@ var all8 = all_match({ var msg8 = msg("14", all8); -var part9 = match("MESSAGE#8:15/0", "nwparser.payload", "15,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part9 = match("MESSAGE#8:15/0", "nwparser.payload", "15,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all9 = all_match({ processors: [ @@ -235,7 +235,7 @@ var all9 = all_match({ var msg9 = msg("15", all9); -var part10 = match("MESSAGE#9:16/0", "nwparser.payload", "16,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part10 = match("MESSAGE#9:16/0", "nwparser.payload", "16,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all10 = all_match({ processors: [ 
@@ -253,7 +253,7 @@ var all10 = all_match({ var msg10 = msg("16", all10); -var part11 = match("MESSAGE#10:17/0", "nwparser.payload", "17,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part11 = match("MESSAGE#10:17/0", "nwparser.payload", "17,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all11 = all_match({ processors: [ @@ -269,7 +269,7 @@ var all11 = all_match({ var msg11 = msg("17", all11); -var part12 = match("MESSAGE#11:18/0", "nwparser.payload", "18,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part12 = match("MESSAGE#11:18/0", "nwparser.payload", "18,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all12 = all_match({ processors: [ @@ -285,7 +285,7 @@ var all12 = all_match({ var msg12 = msg("18", all12); -var part13 = match("MESSAGE#12:20/0", "nwparser.payload", "20,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part13 = match("MESSAGE#12:20/0", "nwparser.payload", "20,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all13 = all_match({ processors: [ @@ -301,7 +301,7 @@ var all13 = all_match({ var msg13 = msg("20", all13); -var part14 = match("MESSAGE#13:21/0", "nwparser.payload", "21,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part14 = match("MESSAGE#13:21/0", "nwparser.payload", "21,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all14 = all_match({ processors: [ @@ -317,7 +317,7 @@ var all14 = all_match({ var msg14 = msg("21", all14); -var part15 = match("MESSAGE#14:22/0", "nwparser.payload", "22,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part15 = match("MESSAGE#14:22/0", "nwparser.payload", "22,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all15 = all_match({ processors: [ 
@@ -333,7 +333,7 @@ var all15 = all_match({ var msg15 = msg("22", all15); -var part16 = match("MESSAGE#15:23/0", "nwparser.payload", "23,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part16 = match("MESSAGE#15:23/0", "nwparser.payload", "23,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all16 = all_match({ processors: [ @@ -349,7 +349,7 @@ var all16 = all_match({ var msg16 = msg("23", all16); -var part17 = match("MESSAGE#16:24/0", "nwparser.payload", "24,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part17 = match("MESSAGE#16:24/0", "nwparser.payload", "24,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all17 = all_match({ processors: [ @@ -365,7 +365,7 @@ var all17 = all_match({ var msg17 = msg("24", all17); -var part18 = match("MESSAGE#17:25/0", "nwparser.payload", "25,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part18 = match("MESSAGE#17:25/0", "nwparser.payload", "25,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all18 = all_match({ processors: [ @@ -381,7 +381,7 @@ var all18 = all_match({ var msg18 = msg("25", all18); -var part19 = match("MESSAGE#18:30/0", "nwparser.payload", "30,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part19 = match("MESSAGE#18:30/0", "nwparser.payload", "30,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all19 = all_match({ processors: [ @@ -399,7 +399,7 @@ var all19 = all_match({ var msg19 = msg("30", all19); -var part20 = match("MESSAGE#19:31/0", "nwparser.payload", "31,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part20 = match("MESSAGE#19:31/0", "nwparser.payload", "31,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all20 = all_match({ processors: [ 
@@ -417,7 +417,7 @@ var all20 = all_match({ var msg20 = msg("31", all20); -var part21 = match("MESSAGE#20:32/0", "nwparser.payload", "32,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part21 = match("MESSAGE#20:32/0", "nwparser.payload", "32,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all21 = all_match({ processors: [ @@ -435,7 +435,7 @@ var all21 = all_match({ var msg21 = msg("32", all21); -var part22 = match("MESSAGE#21:33/0", "nwparser.payload", "33,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part22 = match("MESSAGE#21:33/0", "nwparser.payload", "33,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all22 = all_match({ processors: [ @@ -453,7 +453,7 @@ var all22 = all_match({ var msg22 = msg("33", all22); -var part23 = match("MESSAGE#22:36/0", "nwparser.payload", "36,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part23 = match("MESSAGE#22:36/0", "nwparser.payload", "36,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all23 = all_match({ processors: [ @@ -469,7 +469,7 @@ var all23 = all_match({ var msg23 = msg("36", all23); -var part24 = match("MESSAGE#23:50/0", "nwparser.payload", "50,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part24 = match("MESSAGE#23:50/0", "nwparser.payload", "50,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all24 = all_match({ processors: [ @@ -485,7 +485,7 @@ var all24 = all_match({ var msg24 = msg("50", all24); -var part25 = match("MESSAGE#24:51/0", "nwparser.payload", "51,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part25 = match("MESSAGE#24:51/0", "nwparser.payload", "51,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all25 = all_match({ processors: [ 
@@ -503,7 +503,7 @@ var all25 = all_match({ var msg25 = msg("51", all25); -var part26 = match("MESSAGE#25:52/0", "nwparser.payload", "52,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part26 = match("MESSAGE#25:52/0", "nwparser.payload", "52,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all26 = all_match({ processors: [ @@ -519,7 +519,7 @@ var all26 = all_match({ var msg26 = msg("52", all26); -var part27 = match("MESSAGE#26:53/0", "nwparser.payload", "53,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part27 = match("MESSAGE#26:53/0", "nwparser.payload", "53,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all27 = all_match({ processors: [ @@ -535,7 +535,7 @@ var all27 = all_match({ var msg27 = msg("53", all27); -var part28 = match("MESSAGE#27:54/0", "nwparser.payload", "54,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part28 = match("MESSAGE#27:54/0", "nwparser.payload", "54,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all28 = all_match({ processors: [ @@ -553,7 +553,7 @@ var all28 = all_match({ var msg28 = msg("54", all28); -var part29 = match("MESSAGE#28:55/0", "nwparser.payload", "55,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part29 = match("MESSAGE#28:55/0", "nwparser.payload", "55,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all29 = all_match({ processors: [ @@ -569,7 +569,7 @@ var all29 = all_match({ var msg29 = msg("55", all29); -var part30 = match("MESSAGE#29:56/0", "nwparser.payload", "56,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part30 = match("MESSAGE#29:56/0", "nwparser.payload", "56,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all30 = all_match({ processors: [ 
@@ -587,7 +587,7 @@ var all30 = all_match({ var msg30 = msg("56", all30); -var part31 = match("MESSAGE#30:57/0", "nwparser.payload", "57,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part31 = match("MESSAGE#30:57/0", "nwparser.payload", "57,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all31 = all_match({ processors: [ @@ -603,7 +603,7 @@ var all31 = all_match({ var msg31 = msg("57", all31); -var part32 = match("MESSAGE#31:58/0", "nwparser.payload", "58,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part32 = match("MESSAGE#31:58/0", "nwparser.payload", "58,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all32 = all_match({ processors: [ @@ -621,7 +621,7 @@ var all32 = all_match({ var msg32 = msg("58", all32); -var part33 = match("MESSAGE#32:59/0", "nwparser.payload", "59,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part33 = match("MESSAGE#32:59/0", "nwparser.payload", "59,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all33 = all_match({ processors: [ @@ -639,7 +639,7 @@ var all33 = all_match({ var msg33 = msg("59", all33); -var part34 = match("MESSAGE#33:60/0", "nwparser.payload", "60,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part34 = match("MESSAGE#33:60/0", "nwparser.payload", "60,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all34 = all_match({ processors: [ @@ -655,7 +655,7 @@ var all34 = all_match({ var msg34 = msg("60", all34); -var part35 = match("MESSAGE#34:61/0", "nwparser.payload", "61,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part35 = match("MESSAGE#34:61/0", "nwparser.payload", "61,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all35 = all_match({ processors: [ 
@@ -671,7 +671,7 @@ var all35 = all_match({ var msg35 = msg("61", all35); -var part36 = match("MESSAGE#35:62/0", "nwparser.payload", "62,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part36 = match("MESSAGE#35:62/0", "nwparser.payload", "62,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all36 = all_match({ processors: [ @@ -687,7 +687,7 @@ var all36 = all_match({ var msg36 = msg("62", all36); -var part37 = match("MESSAGE#36:63/0", "nwparser.payload", "63,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part37 = match("MESSAGE#36:63/0", "nwparser.payload", "63,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all37 = all_match({ processors: [ @@ -703,7 +703,7 @@ var all37 = all_match({ var msg37 = msg("63", all37); -var part38 = match("MESSAGE#37:64/0", "nwparser.payload", "64,%{fld12},%{fld1},%{event_description},%{saddr},%{shost->} ,%{p0}"); +var part38 = match("MESSAGE#37:64/0", "nwparser.payload", "64,%{fld12},%{fld1},%{event_description},%{saddr},%{shost},%{p0}"); var all38 = all_match({ processors: [ 
@@ -1038,13 +1038,13 @@ var chain1 = processor_chain([ }), ]); -var part68 = match("MESSAGE#0:00/1_0", "nwparser.p0", "%{smacaddr},%{username},%{sessionid},%{fld3},%{fld4},%{fld5},%{fld7},%{fld8},%{vendor_event_cat},%{fld10},%{fld11},%{fld13->} "); +var part68 = match("MESSAGE#0:00/1_0", "nwparser.p0", "%{smacaddr},%{username},%{sessionid},%{fld3},%{fld4},%{fld5},%{fld7},%{fld8},%{vendor_event_cat},%{fld10},%{fld11},%{fld13}"); -var part69 = match("MESSAGE#0:00/1_1", "nwparser.p0", "%{smacaddr},%{username},%{fld2},%{fld3},%{fld4},%{fld5->} "); +var part69 = match("MESSAGE#0:00/1_1", "nwparser.p0", "%{smacaddr},%{username},%{fld2},%{fld3},%{fld4},%{fld5}"); -var part70 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr}, "); +var part70 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr},"); -var part71 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6->} "); +var part71 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6}"); var part72 = match("MESSAGE#0:00/1_4", "nwparser.p0", "%{smacaddr}"); diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log index 3dbde4f63de..d5c7d43d5b0 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log 
@@ -1,100 +1,100 @@ -%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac -%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer -%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest -%MSDHCP-363-11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu -%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, -%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66 -%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu -%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu -%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno -%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d -%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet -%MSDHCP-5738-11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit -%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor -%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep -%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos -%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, -%MSDHCP-5393-11003: 
11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB -%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb -%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido -%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender -%MSDHCP-5368-50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1 -%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37 -%MSDHCP-5883-52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec -%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, -%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69 -%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol -%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun -%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2 -%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem -%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol -%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi -%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion -%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi -%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac -%MSDHCP-2228-20: 
20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f -%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme -%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa -%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta -%MSDHCP-2807-53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis -%MSDHCP-6972-11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame -%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18 -%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol -%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq -%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp -%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre -%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse -%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna -%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp -%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam -%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno -%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium -%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid -%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local 
,01:00:5e:78:a7:55,gnido -%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7 -%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr -%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta -%MSDHCP-4824-11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu -%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu -%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest -%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno -%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons -%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b -%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov -%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin -%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 -%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag -%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite -%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita -%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli -%MSDHCP-543-11006: 
11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui -%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun -%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo -%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia -%MSDHCP-6789-11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender -%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni -%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts -%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab -%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp -%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat -%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo -%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, -%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured -%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat -%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor -%MSDHCP-2315-01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac -%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local ,01:00:5e:7a:4c:6e,miu 
-%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide -%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a -%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, -%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem -%MSDHCP-1978-11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation -%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori -%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse -%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6 -%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa -%MSDHCP-1738-25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi -%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil -%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt -%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict -%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d +%MSDHCP-4257-11030: 11030,1/29/16,6:09:59,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer +%MSDHCP-363-11015: 11015,2/12/16,1:12:33,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu +%MSDHCP-5738-11008: 11008,2/26/16,8:15:08,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit +%MSDHCP-1579-11011: 
11011,3/12/16,3:17:42,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep +%MSDHCP-5393-11003: 11003,3/26/16,10:20:16,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB +%MSDHCP-6103-11018: 11018,4/9/16,5:22:51,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun +%MSDHCP-5524-11019: 11019,4/24/16,12:25:25,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi +%MSDHCP-5841-11021: 11021,5/8/16,7:27:59,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion +%MSDHCP-1559-11020: 11020,5/22/16,2:30:33,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac +%MSDHCP-7427-11006: 11006,6/5/16,9:33:08,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme +%MSDHCP-3458-11003: 11003,6/20/16,4:35:42,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta +%MSDHCP-6972-11012: 11012,7/4/16,11:38:16,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame +%MSDHCP-4977-11019: 11019,7/18/16,6:40:50,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq +%MSDHCP-1180-11010: 11010,8/2/16,1:43:25,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp +%MSDHCP-2628-11013: 11013,8/16/16,8:45:59,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre +%MSDHCP-5037-11004: 11004,8/30/16,3:48:33,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam +%MSDHCP-6385-1103: 1103,9/13/16,10:51:07,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno +%MSDHCP-1747-11011: 11011,9/28/16,5:53:42,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium +%MSDHCP-4949-11020: 11020,10/12/16,12:56:16,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr +%MSDHCP-4824-11010: 11010,10/26/16,7:58:50,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu +%MSDHCP-1842-11023: 11023,11/10/16,3:01:24,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno 
+%MSDHCP-5263-11007: 11007,11/24/16,10:03:59,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons +%MSDHCP-4410-11003: 11003,12/8/16,5:06:33,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov +%MSDHCP-3253-ID: ID,12/23/16,12:09:07,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 +%MSDHCP-1394-11000: 11000,1/6/17,7:11:41,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag +%MSDHCP-2516-11007: 11007,1/20/17,2:14:16,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli +%MSDHCP-543-11006: 11006,2/3/17,9:16:50,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui +%MSDHCP-6846-11014: 11014,2/18/17,4:19:24,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun +%MSDHCP-7741-1103: 1103,3/4/17,11:21:59,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo +%MSDHCP-18-11005: 11005,3/18/17,6:24:33,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia +%MSDHCP-6789-11015: 11015,4/2/17,1:27:07,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender +%MSDHCP-1540-11014: 11014,4/16/17,8:29:41,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni +%MSDHCP-5663-11025: 11025,4/30/17,3:32:16,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab +%MSDHCP-5224-11011: 11011,5/14/17,10:34:50,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured +%MSDHCP-5608-11019: 11019,5/29/17,5:37:24,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat +%MSDHCP-3051-1098: 1098,6/12/17,12:39:58,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor +%MSDHCP-6444-11001: 11001,6/26/17,7:42:33,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide +%MSDHCP-5524-1098: 1098,7/11/17,2:45:07,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem +%MSDHCP-1978-11019: 11019,7/25/17,9:47:41,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation 
+%MSDHCP-5469-11024: 11024,8/8/17,4:50:15,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori +%MSDHCP-2-11004: 11004,8/22/17,11:52:50,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse +%MSDHCP-4924-11025: 11025,9/6/17,6:55:24,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa +%MSDHCP-3023-11023: 11023,9/20/17,1:57:58,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt +%MSDHCP-3896-11011: 11011,10/4/17,9:00:32,isn,10.74.240.121,equ4808.www.localhost,siuta,urmagn,dquia,temporin +%MSDHCP-6160-1098: 1098,10/19/17,4:03:07,obeataev,10.139.127.232,nsec923.internal.local,agnaaliq,tlaboree,norumet,dtempo +%MSDHCP-4862-11009: 11009,11/2/17,11:05:41,iumtot,10.170.6.54,emoe4059.api.localdomain,ehende,eaqueip,eum,lamc +%MSDHCP-1664-11007: 11007,11/16/17,6:08:15,sciun,10.46.115.216,equun6662.home,uia,iciad,lorem,nsequunt +%MSDHCP-6603-11017: 11017,12/1/17,1:10:49,gnaa,10.226.5.189,dtempori5735.www5.local,dexerc,strumex,eprehend,asnu +%MSDHCP-1313-11030: 11030,12/15/17,8:13:24,derit,10.0.20.5,cupi7581.internal.local,dunt,litsedq,nderiti,ntNe +%MSDHCP-4024-11023: 11023,12/29/17,3:15:58,olorema,10.180.101.232,quasiar5281.mail.invalid,emip,inBC,mol,tur +%MSDHCP-754-11018: 11018,1/12/18,10:18:32,irured,10.141.158.225,tionula1586.host,idolor,ratvolu,nreprehe,onse +%MSDHCP-3617-11013: 11013,1/27/18,5:21:06,tatnon,10.94.88.5,ore5643.api.lan,metco,acom,ceroinB,nim +%MSDHCP-4248-11024: 11024,2/10/18,12:23:41,aspe,10.155.18.139,ciun39.localdomain,iatqu,inBCSedu,erspi,rorsit +%MSDHCP-5976-11013: 11013,2/24/18,7:26:15,undeomni,10.85.48.117,iutali7297.www.domain,Finibus,radi,xeacom,des +%MSDHCP-77-11003: 11003,3/11/18,2:28:49,eprehend,10.224.146.6,docon5398.mail.host,uptate,lloinven,econs,lmolesti +%MSDHCP-2519-11007: 11007,3/25/18,9:31:24,doeiu,10.182.152.242,destlabo7803.mail.localhost,ecillum,isci,dolor,tiumto +%MSDHCP-6515-11000: 11000,4/8/18,4:33:58,quin,10.225.157.110,fugits1163.host,vol,admi,onnu,olorema 
+%MSDHCP-4357-11005: 11005,4/22/18,11:36:32,tcupida,10.236.185.102,adol170.internal.example,niam,pernat,rerepre,nculpaq +%MSDHCP-2577-11010: 11010,5/7/18,6:39:06,billoinv,10.146.72.62,red5516.localhost,agnaaliq,est,mquisno,aev +%MSDHCP-5343-1103: 1103,5/21/18,1:41:41,lapar,10.221.7.206,qui3176.internal.example,mexerc,meaque,uid,equaturv +%MSDHCP-653-1103: 1103,6/4/18,8:44:15,maccusa,10.196.35.130,luptat2979.internal.local,uradi,velitsed,magnaali,mwrit +%MSDHCP-6378-11014: 11014,6/19/18,3:46:49,equatDu,10.182.219.241,prehe1037.api.example,eiusmod,itation,veleum,piciatis +%MSDHCP-7616-11021: 11021,7/3/18,10:49:23,tanimid,10.101.163.40,abor1370.www.domain,remips,illoi,reetdolo,rationev +%MSDHCP-3147-11003: 11003,7/17/18,5:51:58,oremi,10.141.39.190,atDuis5759.internal.test,rumwri,velill,ore,tation +%MSDHCP-7360-11009: 11009,8/1/18,12:54:32,tperspic,10.41.89.217,ict2699.internal.localhost,riosamni,icta,luptate,llamc +%MSDHCP-2454-11007: 11007,8/15/18,7:57:06,tesseci,10.86.44.130,cive2292.api.local,nisiuta,stiaecon,dol,sumquiad +%MSDHCP-7311-11024: 11024,8/29/18,2:59:40,uid,10.209.71.69,aconsequ2331.www5.localhost,sequat,lor,ccaec,atu +%MSDHCP-4968-1098: 1098,9/12/18,10:02:15,laudanti,10.48.104.137,rsitvolu3596.www.test,uameiusm,adm,gelitsed,tiumto +%MSDHCP-2648-11023: 11023,9/27/18,5:04:49,nihil,10.225.255.211,elites6366.mail.lan,eursinto,litesse,fugiatn,uaeabi +%MSDHCP-2724-11013: 11013,10/11/18,12:07:23,olu,10.137.103.62,orumSe4514.www.corp,umquam,emagn,emulla,mips +%MSDHCP-3887-11015: 11015,10/25/18,7:09:57,etdol,10.156.88.51,fdeFi6975.www5.local,equat,aliquid,usantiu,idunt +%MSDHCP-5999-11025: 11025,11/9/18,2:12:32,quiacons,10.7.99.47,dol3000.www5.local,teturadi,ditau,atemaccu,veritat +%MSDHCP-5374-11010: 11010,11/23/18,9:15:06,ueip,10.243.252.157,umd5182.mail.host,tur,acon,Nemoenim,usm +%MSDHCP-5397-11013: 11013,12/7/18,4:17:40,tise,10.95.73.196,expl2616.www.test,itinvol,ten,litanim,rQuisaut +%MSDHCP-1636-11004: 
11004,12/21/18,11:20:14,teni,10.145.104.170,risni1535.example,onemulla,riaturEx,deri,amqu +%MSDHCP-1303-11018: 11018,1/5/19,6:22:49,edquian,10.18.152.236,umtotamr7221.mail.host,rnat,rur,itse,ilm +%MSDHCP-2746-11015: 11015,1/19/19,1:25:23,oloree,10.15.240.220,teir7585.www5.localdomain,quu,xeac,llitanim,quamei +%MSDHCP-5996-11000: 11000,2/2/19,8:27:57,meum,10.147.130.71,tur4536.localdomain,iamqui,tassita,colabori,imidestl +%MSDHCP-956-11002: 11002,2/17/19,3:30:32,isn,10.203.146.137,ffic6926.home,aparia,CSe,exerci,inesciu +%MSDHCP-5452-11012: 11012,3/3/19,10:33:06,emu,10.5.98.182,ate4386.api.localhost,minimve,serrorsi,tametco,mquisnos +%MSDHCP-6034-11014: 11014,3/17/19,5:35:40,ici,10.6.180.90,iameaque5093.api.corp,aquio,rspicia,deom,oluptat +%MSDHCP-3545-11004: 11004,4/1/19,12:38:14,onproide,10.111.93.224,tatisetq3237.www5.corp,emag,oquisq,abori,sit +%MSDHCP-7051-11002: 11002,4/15/19,7:40:49,lumdolor,10.196.157.28,rvelill32.internal.corp,tatevel,midestl,nci,orroquis +%MSDHCP-4040-11017: 11017,4/29/19,2:43:23,meiusm,10.143.0.78,ectetura2657.www.localdomain,seq,moll,quaeabil,emip +%MSDHCP-3376-1103: 1103,5/13/19,9:45:57,mipsumqu,10.184.187.32,ico3220.api.test,evi,tionula,accus,uatu +%MSDHCP-111-11019: 11019,5/28/19,4:48:31,sumquiad,10.30.87.51,Duisa7769.test,iaecon,aevitaed,byCic,leumiur +%MSDHCP-5483-11000: 11000,6/11/19,11:51:06,tno,10.180.62.222,ptatev6552.www.test,ctetura,msequ,nvol,enimadmi +%MSDHCP-7708-1098: 1098,6/25/19,6:53:40,adeser,10.198.9.209,olore6487.www5.local,inea,animid,upta,ioff +%MSDHCP-4197-1098: 1098,7/10/19,1:56:14,iuntN,10.41.217.115,nvol548.corp,sin,idexeac,nimadmin,midest +%MSDHCP-2952-11030: 11030,7/24/19,8:58:48,quatu,10.212.196.228,pteursi466.www.localdomain,essecill,totamre,rpo,velites +%MSDHCP-7651-11002: 11002,8/7/19,4:01:23,uisaute,10.166.180.119,olupt1936.host,imide,ncul,taliq,tautfugi +%MSDHCP-163-11030: 11030,8/21/19,11:03:57,volup,10.7.142.212,uisaut2157.corp,tuser,ctasu,irat,sitame +%MSDHCP-3403-11023: 
11023,9/5/19,6:06:31,uptateve,10.209.237.97,ecte882.www5.host,Malor,boriosa,cillumdo,ditau +%MSDHCP-801-11025: 11025,9/19/19,1:09:05,sci,10.61.26.207,doloreeu4417.example,ametcons,tconse,eumf,roquisq +%MSDHCP-3103-1098: 1098,10/3/19,8:11:40,tDuisau,10.139.88.194,tper4341.lan,nulamc,sint,etcon,ctobeat +%MSDHCP-598-11008: 11008,10/18/19,3:14:14,lorumw,10.86.134.125,nimve4965.mail.corp,ola,ptat,quasi,tium +%MSDHCP-5046-11008: 11008,11/1/19,10:16:48,nul,10.41.78.169,mquisno5146.home,mipsamv,exeacomm,sequines,cto +%MSDHCP-5270-11014: 11014,11/15/19,5:19:22,lumquid,10.69.181.95,imaveni4500.api.localdomain,ssequamn,ave,taliqui,idi +%MSDHCP-5895-1098: 1098,11/30/19,12:21:57,mqu,10.222.6.52,veleu2874.www5.localhost,tasnu,loru,iadeser,litess +%MSDHCP-7704-ID: ID,12/14/19,7:24:31,quovolu,10.218.41.80,nemul5083.api.localdomain,01:00:5e:52:c7:67
diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
index d3335431e1b..a350394d3bd 100644
--- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
@@ -1,29 +1,28 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "event.code": "50", + "event.code": "11030", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid ,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac ", + "event.original": "%MSDHCP-4257-11030: 11030,1/29/16,6:09:59,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", "fileset.name": "dhcp", - "host.hostname": "sse3269.invalid", + "host.hostname": "ciade5699.domain", "input.type": "log", "log.offset": 0, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.133.8.128" + "10.124.22.221" ], - "rsa.internal.event_desc": "nnumqua", - "rsa.internal.messageid": "50", + "rsa.internal.event_desc": "oremi", + "rsa.internal.messageid": "11030", "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "microsoft", - "source.address": "sse3269.invalid", + "source.address": "ciade5699.domain", "source.ip": [ - "10.133.8.128" + "10.124.22.221" ], - "source.mac": "01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -31,27 +30,27 @@ }, { "@timestamp": "2016-02-12T03:12:33.000Z", - "event.code": "11030", + "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", + "event.original": "%MSDHCP-363-11015: 11015,2/12/16,1:12:33,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", "fileset.name": "dhcp", - "host.hostname": "ciade5699.domain", + "host.hostname": "orev6153.internal.domain", "input.type": "log", - "log.offset": 133, + "log.offset": 98, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.124.22.221" + "10.103.162.55" ], - "rsa.internal.event_desc": "oremi", - "rsa.internal.messageid": "11030", + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "11015", "rsa.time.event_time": "2016-02-12T03:12:33.000Z", "service.type": "microsoft", - "source.address": "ciade5699.domain", + "source.address": "orev6153.internal.domain", "source.ip": [ - "10.124.22.221" + "10.103.162.55" ], "tags": [ "microsoft.dhcp", 
@@ -60,29 +59,28 @@ }, { "@timestamp": "2016-02-26T10:15:08.000Z", - "event.code": "62", + "event.code": "11008", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost ,01:00:5e:3a:fe:e3,mest ", + "event.original": "%MSDHCP-5738-11008: 11008,2/26/16,8:15:08,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", "fileset.name": "dhcp", - "host.hostname": "sequa6540.www5.localhost", + "host.hostname": "uatDuis2964.test", "input.type": "log", - "log.offset": 231, + "log.offset": 204, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.196.153.12" + "10.58.0.245" ], - "rsa.internal.event_desc": "equepor", - "rsa.internal.messageid": "62", + "rsa.internal.event_desc": "ccaecat", + "rsa.internal.messageid": "11008", "rsa.time.event_time": "2016-02-26T10:15:08.000Z", "service.type": "microsoft", - "source.address": "sequa6540.www5.localhost", + "source.address": "uatDuis2964.test", "source.ip": [ - "10.196.153.12" + "10.58.0.245" ], - "source.mac": "01:00:5e:3a:fe:e3,mest", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -90,27 +88,29 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "event.code": "11015", + "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-363-11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", + "event.original": "%MSDHCP-1579-11011: 11011,3/12/16,3:17:42,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", "fileset.name": "dhcp", - "host.hostname": "orev6153.internal.domain", + "host.hostname": "untNequ5075.www5.domain", "input.type": "log", - "log.offset": 340, + "log.offset": 311, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.103.162.55" + "10.163.217.10" ], - "rsa.internal.event_desc": "nci", - "rsa.internal.messageid": "11015", + "rsa.internal.event_desc": "natura", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "microsoft", - "source.address": "orev6153.internal.domain", + "source.address": "untNequ5075.www5.domain", "source.ip": [ - "10.103.162.55" + "10.163.217.10" ], "tags": [ "microsoft.dhcp", 
@@ -119,29 +119,28 @@ }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "event.code": "57", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp ,01:00:5e:ad:16:77, ", + "event.original": "%MSDHCP-5393-11003: 11003,3/26/16,10:20:16,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", "fileset.name": "dhcp", - "host.hostname": "agn2581.www5.corp", + "host.hostname": "idexea3181.www.local", "input.type": "log", - "log.offset": 446, + "log.offset": 421, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.162.33.193" + "10.111.27.193" ], - "rsa.internal.event_desc": "quipexe", - "rsa.internal.messageid": "57", + "rsa.internal.event_desc": "temsequ", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "microsoft", - "source.address": "agn2581.www5.corp", + "source.address": "idexea3181.www.local", "source.ip": [ - "10.162.33.193" + "10.111.27.193" ], - "source.mac": "01:00:5e:ad:16:77,", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -149,29 +148,28 @@ }, { "@timestamp": "2016-04-09T07:22:51.000Z", - "event.code": "57", + "event.code": "11018", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home ,01:00:5e:33:84:66", + "event.original": "%MSDHCP-6103-11018: 11018,4/9/16,5:22:51,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", "fileset.name": "dhcp", - "host.hostname": "enatus2114.mail.home", + "host.hostname": "etM953.api.domain", "input.type": "log", - "log.offset": 545, + "log.offset": 529, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.156.15.206" + "10.97.38.141" ], - "rsa.internal.event_desc": "moenimi", - "rsa.internal.messageid": "57", + "rsa.internal.event_desc": "lapariat", + "rsa.internal.messageid": "11018", "rsa.time.event_time": "2016-04-09T07:22:51.000Z", "service.type": "microsoft", - "source.address": "enatus2114.mail.home", + "source.address": "etM953.api.domain", "source.ip": [ - "10.156.15.206" + "10.97.38.141" ], - "source.mac": "01:00:5e:33:84:66", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -179,29 +177,28 @@ }, { "@timestamp": "2016-04-24T14:25:25.000Z", - "event.code": "60", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home ,01:00:5e:69:9a:1a,eumiu ", + "event.original": "%MSDHCP-5524-11019: 11019,4/24/16,12:25:25,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", "fileset.name": "dhcp", - "host.hostname": "proident2802.home", + "host.hostname": "inv5716.mail.invalid", "input.type": "log", - "log.offset": 643, + "log.offset": 633, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.1.118.72" + "10.17.21.125" ], - "rsa.internal.event_desc": "ntex", - "rsa.internal.messageid": "60", + "rsa.internal.event_desc": "moenimi", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2016-04-24T14:25:25.000Z", "service.type": "microsoft", - "source.address": "proident2802.home", + "source.address": "inv5716.mail.invalid", "source.ip": [ - "10.1.118.72" + "10.17.21.125" ], - "source.mac": "01:00:5e:69:9a:1a,eumiu", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -209,29 +206,28 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "event.code": "15", + "event.code": "11021", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home ,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu ", + "event.original": "%MSDHCP-5841-11021: 11021,5/8/16,7:27:59,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", "fileset.name": "dhcp", - "host.hostname": "ofdeF7240.www.home", + "host.hostname": "uines6355.internal.localdomain", "input.type": "log", - "log.offset": 742, + "log.offset": 748, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.70.235.184" + "10.73.69.75" ], - "rsa.internal.event_desc": "orisn", - "rsa.internal.messageid": "15", + "rsa.internal.event_desc": "nofdeF", + "rsa.internal.messageid": "11021", "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "microsoft", - "source.address": "ofdeF7240.www.home", + "source.address": "uines6355.internal.localdomain", "source.ip": [ - "10.70.235.184" + "10.73.69.75" ], - "source.mac": "01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -239,32 +235,28 @@ }, { "@timestamp": "2016-05-22T04:30:33.000Z", - "event.code": "59", + "event.code": "11020", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain ,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno ", - "event.outcome": "failure", + "event.original": "%MSDHCP-1559-11020: 11020,5/22/16,2:30:33,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", "fileset.name": "dhcp", - "host.hostname": "amco5712.www5.localdomain", + "host.hostname": "rehender4535.www5.test", "input.type": "log", - "log.offset": 872, + "log.offset": 863, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.86.118.154" + "10.45.25.68" ], - "rsa.internal.event_desc": "nci", - "rsa.internal.messageid": "59", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "deFinibu", + "rsa.internal.messageid": "11020", "rsa.time.event_time": "2016-05-22T04:30:33.000Z", "service.type": "microsoft", - "source.address": "amco5712.www5.localdomain", + "source.address": "rehender4535.www5.test", "source.ip": [ - "10.86.118.154" + "10.45.25.68" ], - "source.mac": "01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -272,29 +264,28 @@ }, { "@timestamp": "2016-06-05T11:33:08.000Z", - "event.code": "10", + "event.code": "11006", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain ,01:00:5e:f5:8e:0d", + "event.original": "%MSDHCP-7427-11006: 11006,6/5/16,9:33:08,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", "fileset.name": "dhcp", - "host.hostname": "llu4762.mail.localdomain", + "host.hostname": "mporain2624.www.localhost", "input.type": "log", - "log.offset": 1036, + "log.offset": 974, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.5.62.63" + "10.68.93.6" ], - "rsa.internal.event_desc": "uam", - "rsa.internal.messageid": "10", + "rsa.internal.event_desc": "psaquae", + "rsa.internal.messageid": "11006", "rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "microsoft", - "source.address": "llu4762.mail.localdomain", + "source.address": "mporain2624.www.localhost", "source.ip": [ - "10.5.62.63" + "10.68.93.6" ], - "source.mac": "01:00:5e:f5:8e:0d", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -302,29 +293,28 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "event.code": "15", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan ,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet ", + "event.original": "%MSDHCP-3458-11003: 11003,6/20/16,4:35:42,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", "fileset.name": "dhcp", - "host.hostname": "emaper2638.lan", + "host.hostname": "tutla2716.www.domain", "input.type": "log", - "log.offset": 1131, + "log.offset": 1085, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.66.3.197" + "10.192.110.182" ], - "rsa.internal.event_desc": "llumd", - "rsa.internal.messageid": "15", + "rsa.internal.event_desc": "idex", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "microsoft", - "source.address": "emaper2638.lan", + "source.address": "tutla2716.www.domain", "source.ip": [ - "10.66.3.197" + "10.192.110.182" ], - "source.mac": "01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -332,27 +322,27 @@ }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "11008", + "event.code": "11012", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5738-11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", + "event.original": "%MSDHCP-6972-11012: 11012,7/4/16,11:38:16,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", "fileset.name": "dhcp", - "host.hostname": "uatDuis2964.test", + "host.hostname": "conseq557.mail.lan", "input.type": "log", - "log.offset": 1256, + "log.offset": 1195, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.58.0.245" + "10.148.153.201" ], - "rsa.internal.event_desc": "ccaecat", - "rsa.internal.messageid": "11008", + "rsa.internal.event_desc": "ittenbyC", + "rsa.internal.messageid": "11012", "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "microsoft", - "source.address": "uatDuis2964.test", + "source.address": "conseq557.mail.lan", "source.ip": [ - "10.58.0.245" + "10.148.153.201" ], "tags": [ "microsoft.dhcp", 
@@ -361,29 +351,28 @@ }, { "@timestamp": "2016-07-18T08:40:50.000Z", - "event.code": "25", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain ,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor ", + "event.original": "%MSDHCP-4977-11019: 11019,7/18/16,6:40:50,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", "fileset.name": "dhcp", - "host.hostname": "iusmodt2597.api.domain", + "host.hostname": "etconse7424.internal.lan", "input.type": "log", - "log.offset": 1363, + "log.offset": 1308, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.103.246.190" + "10.213.147.241" ], - "rsa.internal.event_desc": "antium", - "rsa.internal.messageid": "25", + "rsa.internal.event_desc": "que", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2016-07-18T08:40:50.000Z", "service.type": "microsoft", - "source.address": "iusmodt2597.api.domain", + "source.address": "etconse7424.internal.lan", "source.ip": [ - "10.103.246.190" + "10.213.147.241" ], - "source.mac": "01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -391,29 +380,29 @@ }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "event.code": "11011", + "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", + "event.original": "%MSDHCP-1180-11010: 11010,8/2/16,1:43:25,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", "fileset.name": "dhcp", - "host.hostname": "untNequ5075.www5.domain", + "host.hostname": "tMalor7410.www.localhost", "input.type": "log", - "log.offset": 1499, + "log.offset": 1413, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.163.217.10" + "10.183.233.5" ], - "rsa.internal.event_desc": "natura", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", + "rsa.internal.event_desc": "serunt", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "microsoft", - "source.address": "untNequ5075.www5.domain", + "source.address": "tMalor7410.www.localhost", "source.ip": [ - "10.163.217.10" + "10.183.233.5" ], "tags": [ "microsoft.dhcp", 
@@ -422,32 +411,28 @@ }, { "@timestamp": "2016-08-16T10:45:59.000Z", - "event.code": "56", + "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local ,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos ", - "event.outcome": "failure", + "event.original": "%MSDHCP-2628-11013: 11013,8/16/16,8:45:59,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", "fileset.name": "dhcp", - "host.hostname": "uidolore6237.internal.local", + "host.hostname": "equat2243.www5.localdomain", "input.type": "log", - "log.offset": 1608, + "log.offset": 1522, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.150.193.226" + "10.52.186.29" ], - "rsa.internal.event_desc": "lorem", - "rsa.internal.messageid": "56", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "tNequepo", + "rsa.internal.messageid": "11013", "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "microsoft", - "source.address": "uidolore6237.internal.local", + "source.address": "equat2243.www5.localdomain", "source.ip": [ - "10.150.193.226" + "10.52.186.29" ], - "source.mac": "01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -455,29 +440,28 @@ }, { "@timestamp": "2016-08-30T05:48:33.000Z", - "event.code": "17", + "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example ,01:00:5e:c9:5b:b2, ", + "event.original": "%MSDHCP-5037-11004: 11004,8/30/16,3:48:33,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", "fileset.name": "dhcp", - "host.hostname": "incididu1896.example", + "host.hostname": "ectio2175.www.localhost", "input.type": "log", - "log.offset": 1787, + "log.offset": 1640, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.111.61.181" + "10.194.114.58" ], - "rsa.internal.event_desc": "tsed", - "rsa.internal.messageid": "17", + "rsa.internal.event_desc": "uela", + "rsa.internal.messageid": "11004", "rsa.time.event_time": "2016-08-30T05:48:33.000Z", "service.type": "microsoft", - "source.address": "incididu1896.example", + "source.address": "ectio2175.www.localhost", "source.ip": [ - "10.111.61.181" + "10.194.114.58" ], - "source.mac": "01:00:5e:c9:5b:b2,", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -485,27 +469,27 @@ }, { "@timestamp": "2016-09-13T12:51:07.000Z", - "event.code": "11003", + "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5393-11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", + "event.original": "%MSDHCP-6385-1103: 1103,9/13/16,10:51:07,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", "fileset.name": "dhcp", - "host.hostname": "idexea3181.www.local", + "host.hostname": "liqui6106.internal.home", "input.type": "log", - "log.offset": 1885, + "log.offset": 1750, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.111.27.193" + "10.212.42.224" ], - "rsa.internal.event_desc": "temsequ", - "rsa.internal.messageid": "11003", + "rsa.internal.event_desc": "ris", + "rsa.internal.messageid": "1103", "rsa.time.event_time": "2016-09-13T12:51:07.000Z", "service.type": "microsoft", - "source.address": "idexea3181.www.local", + "source.address": "liqui6106.internal.home", "source.ip": [ - "10.111.27.193" + "10.212.42.224" ], "tags": [ "microsoft.dhcp", 
@@ -514,31 +498,30 @@ }, { "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "16", + "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain ,01:00:5e:e7:c7:cb", + "event.original": "%MSDHCP-1747-11011: 11011,9/28/16,5:53:42,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", "fileset.name": "dhcp", - "host.hostname": "imav3236.mail.domain", + "host.hostname": "eratv6205.internal.lan", "input.type": "log", - "log.offset": 1993, + "log.offset": 1861, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.153.112.62" + "10.244.144.198" ], - "rsa.internal.event_desc": "ntsuntin", - "rsa.internal.messageid": "16", - "rsa.investigations.ec_activity": "Delete", + "rsa.internal.event_desc": "aliquam", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "microsoft", - "source.address": "imav3236.mail.domain", + "source.address": "eratv6205.internal.lan", "source.ip": [ - "10.153.112.62" + "10.244.144.198" ], - "source.mac": "01:00:5e:e7:c7:cb", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -546,32 +529,28 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "event.code": "32", + "event.code": "11020", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local ,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido ", - "event.outcome": "success", + "event.original": "%MSDHCP-4949-11020: 11020,10/12/16,12:56:16,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", "fileset.name": "dhcp", - "host.hostname": "ercit3947.api.local", + "host.hostname": "piscin6866.internal.host", "input.type": "log", - "log.offset": 2093, + "log.offset": 1979, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.98.34.185" + "10.90.86.89" ], - "rsa.internal.event_desc": "iam", - "rsa.internal.messageid": "32", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_theme": "Configuration", + "rsa.internal.event_desc": "derit", + "rsa.internal.messageid": "11020", "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "microsoft", - "source.address": "ercit3947.api.local", + "source.address": "piscin6866.internal.host", "source.ip": [ - "10.98.34.185" + "10.90.86.89" ], - "source.mac": "01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -579,29 +558,30 @@
 },
 {
 "@timestamp": "2016-10-26T09:58:50.000Z",
- "event.code": "53",
+ "event.code": "11010",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain ,01:00:5e:10:76:60,ender ",
+ "event.original": "%MSDHCP-4824-11010: 11010,10/26/16,7:58:50,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu",
 "fileset.name": "dhcp",
- "host.hostname": "usan6343.www5.domain",
+ "host.hostname": "riosamn7650.api.test",
 "input.type": "log",
- "log.offset": 2222,
+ "log.offset": 2093,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.252.112.103"
+ "10.158.237.92"
 ],
- "rsa.internal.event_desc": "itlabori",
- "rsa.internal.messageid": "53",
+ "rsa.internal.event_desc": "volupt",
+ "rsa.internal.messageid": "11010",
+ "rsa.investigations.ec_activity": "Start",
+ "rsa.investigations.ec_theme": "Communication",
 "rsa.time.event_time": "2016-10-26T09:58:50.000Z",
 "service.type": "microsoft",
- "source.address": "usan6343.www5.domain",
+ "source.address": "riosamn7650.api.test",
 "source.ip": [
- "10.252.112.103"
+ "10.158.237.92"
 ],
- "source.mac": "01:00:5e:10:76:60,ender",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -609,29 +589,32 @@
 },
 {
 "@timestamp": "2016-11-10T05:01:24.000Z",
- "event.code": "50",
+ "event.code": "11023",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5368-50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home ,01:00:5e:b9:7e:b1",
+ "event.original": "%MSDHCP-1842-11023: 11023,11/10/16,3:01:24,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno",
+ "event.outcome": "failure",
 "fileset.name": "dhcp",
- "host.hostname": "mquaera3924.www5.home",
+ "host.hostname": "aper5651.test",
 "input.type": "log",
- "log.offset": 2331,
+ "log.offset": 2205,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.246.117.190"
+ "10.20.147.134"
 ],
- "rsa.internal.event_desc": "atquovo",
- "rsa.internal.messageid": "50",
+ "rsa.internal.event_desc": "epte",
+ "rsa.internal.messageid": "11023",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "Service",
+ "rsa.investigations.ec_theme": "AccessControl",
 "rsa.time.event_time": "2016-11-10T05:01:24.000Z",
 "service.type": "microsoft",
- "source.address": "mquaera3924.www5.home",
+ "source.address": "aper5651.test",
 "source.ip": [
- "10.246.117.190"
+ "10.20.147.134"
 ],
- "source.mac": "01:00:5e:b9:7e:b1",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -639,32 +622,28 @@
 },
 {
 "@timestamp": "2016-11-24T12:03:59.000Z",
- "event.code": "33",
+ "event.code": "11007",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost ,01:00:5e:fa:2b:37",
- "event.outcome": "success",
+ "event.original": "%MSDHCP-5263-11007: 11007,11/24/16,10:03:59,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons",
 "fileset.name": "dhcp",
- "host.hostname": "atuse2703.localhost",
+ "host.hostname": "inventor6088.www.invalid",
 "input.type": "log",
- "log.offset": 2433,
+ "log.offset": 2302,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.82.52.233"
+ "10.213.145.202"
 ],
- "rsa.internal.event_desc": "undeo",
- "rsa.internal.messageid": "33",
- "rsa.investigations.ec_outcome": "Success",
- "rsa.investigations.ec_theme": "Configuration",
+ "rsa.internal.event_desc": "saute",
+ "rsa.internal.messageid": "11007",
 "rsa.time.event_time": "2016-11-24T12:03:59.000Z",
 "service.type": "microsoft",
- "source.address": "atuse2703.localhost",
+ "source.address": "inventor6088.www.invalid",
 "source.ip": [
- "10.82.52.233"
+ "10.213.145.202"
 ],
- "source.mac": "01:00:5e:fa:2b:37",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -672,29 +651,28 @@
 },
 {
 "@timestamp": "2016-12-08T07:06:33.000Z",
- "event.code": "52",
+ "event.code": "11003",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5883-52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host ,01:00:5e:37:14:9d,tessec ",
+ "event.original": "%MSDHCP-4410-11003: 11003,12/8/16,5:06:33,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov",
 "fileset.name": "dhcp",
- "host.hostname": "emporinc5075.internal.host",
+ "host.hostname": "cipitlab6201.www5.example",
 "input.type": "log",
- "log.offset": 2530,
+ "log.offset": 2415,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.149.59.28"
+ "10.76.10.73"
 ],
- "rsa.internal.event_desc": "ips",
- "rsa.internal.messageid": "52",
+ "rsa.internal.event_desc": "itinvol",
+ "rsa.internal.messageid": "11003",
 "rsa.time.event_time": "2016-12-08T07:06:33.000Z",
 "service.type": "microsoft",
- "source.address": "emporinc5075.internal.host",
+ "source.address": "cipitlab6201.www5.example",
 "source.ip": [
- "10.149.59.28"
+ "10.76.10.73"
 ],
- "source.mac": "01:00:5e:37:14:9d,tessec",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -702,29 +680,29 @@
 },
 {
 "@timestamp": "2016-12-23T14:09:07.000Z",
- "event.code": "36",
+ "event.code": "ID",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain ,01:00:5e:59:a3:48, ",
+ "event.original": "%MSDHCP-3253-ID: ID,12/23/16,12:09:07,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65",
 "fileset.name": "dhcp",
- "host.hostname": "onsequat2984.www5.domain",
+ "host.hostname": "Nemoenim2039.api.localhost",
 "input.type": "log",
- "log.offset": 2638,
+ "log.offset": 2524,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.169.144.147"
+ "10.226.199.190"
 ],
- "rsa.internal.event_desc": "ist",
- "rsa.internal.messageid": "36",
+ "rsa.internal.event_desc": "roid",
+ "rsa.internal.messageid": "ID",
 "rsa.time.event_time": "2016-12-23T14:09:07.000Z",
 "service.type": "microsoft",
- "source.address": "onsequat2984.www5.domain",
+ "source.address": "Nemoenim2039.api.localhost",
 "source.ip": [
- "10.169.144.147"
+ "10.226.199.190"
 ],
- "source.mac": "01:00:5e:59:a3:48,",
+ "source.mac": "01:00:5e:f6:ba:65",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -732,29 +710,28 @@
 },
 {
 "@timestamp": "2017-01-06T09:11:41.000Z",
- "event.code": "12",
+ "event.code": "11000",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example ,01:00:5e:44:c4:69",
+ "event.original": "%MSDHCP-1394-11000: 11000,1/6/17,7:11:41,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag",
 "fileset.name": "dhcp",
- "host.hostname": "omm4276.www.example",
+ "host.hostname": "iquipe2458.api.host",
 "input.type": "log",
- "log.offset": 2742,
+ "log.offset": 2627,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.66.168.154"
+ "10.20.129.206"
 ],
- "rsa.internal.event_desc": "nsequu",
- "rsa.internal.messageid": "12",
+ "rsa.internal.event_desc": "itessequ",
+ "rsa.internal.messageid": "11000",
 "rsa.time.event_time": "2017-01-06T09:11:41.000Z",
 "service.type": "microsoft",
- "source.address": "omm4276.www.example",
+ "source.address": "iquipe2458.api.host",
 "source.ip": [
- "10.66.168.154"
+ "10.20.129.206"
 ],
- "source.mac": "01:00:5e:44:c4:69",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -762,29 +739,28 @@
 },
 {
 "@timestamp": "2017-01-20T04:14:16.000Z",
- "event.code": "25",
+ "event.code": "11007",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan ,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol ",
+ "event.original": "%MSDHCP-2516-11007: 11007,1/20/17,2:14:16,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli",
 "fileset.name": "dhcp",
- "host.hostname": "ctetura4886.www5.lan",
+ "host.hostname": "intoc1426.mail.lan",
 "input.type": "log",
- "log.offset": 2837,
+ "log.offset": 2736,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.214.241.84"
+ "10.22.110.210"
 ],
- "rsa.internal.event_desc": "torev",
- "rsa.internal.messageid": "25",
+ "rsa.internal.event_desc": "oremeu",
+ "rsa.internal.messageid": "11007",
 "rsa.time.event_time": "2017-01-20T04:14:16.000Z",
 "service.type": "microsoft",
- "source.address": "ctetura4886.www5.lan",
+ "source.address": "intoc1426.mail.lan",
 "source.ip": [
- "10.214.241.84"
+ "10.22.110.210"
 ],
- "source.mac": "01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -792,27 +768,27 @@
 },
 {
 "@timestamp": "2017-02-03T11:16:50.000Z",
- "event.code": "11018",
+ "event.code": "11006",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun",
+ "event.original": "%MSDHCP-543-11006: 11006,2/3/17,9:16:50,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui",
 "fileset.name": "dhcp",
- "host.hostname": "etM953.api.domain",
+ "host.hostname": "rsitvolu3751.mail.lan",
 "input.type": "log",
- "log.offset": 3004,
+ "log.offset": 2844,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.97.38.141"
+ "10.218.87.174"
 ],
- "rsa.internal.event_desc": "lapariat",
- "rsa.internal.messageid": "11018",
+ "rsa.internal.event_desc": "eturadi",
+ "rsa.internal.messageid": "11006",
 "rsa.time.event_time": "2017-02-03T11:16:50.000Z",
 "service.type": "microsoft",
- "source.address": "etM953.api.domain",
+ "source.address": "rsitvolu3751.mail.lan",
 "source.ip": [
- "10.97.38.141"
+ "10.218.87.174"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -821,32 +797,28 @@
 },
 {
 "@timestamp": "2017-02-18T06:19:24.000Z",
- "event.code": "58",
+ "event.code": "11014",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home ,01:00:5e:24:f1:b2",
- "event.outcome": "failure",
+ "event.original": "%MSDHCP-6846-11014: 11014,2/18/17,4:19:24,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun",
 "fileset.name": "dhcp",
- "host.hostname": "umdolo7781.api.home",
+ "host.hostname": "tqu4367.www5.localhost",
 "input.type": "log",
- "log.offset": 3108,
+ "log.offset": 2953,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.33.140.180"
+ "10.140.113.244"
 ],
- "rsa.internal.event_desc": "itaut",
- "rsa.internal.messageid": "58",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_theme": "Communication",
+ "rsa.internal.event_desc": "adeser",
+ "rsa.internal.messageid": "11014",
 "rsa.time.event_time": "2017-02-18T06:19:24.000Z",
 "service.type": "microsoft",
- "source.address": "umdolo7781.api.home",
+ "source.address": "tqu4367.www5.localhost",
 "source.ip": [
- "10.33.140.180"
+ "10.140.113.244"
 ],
- "source.mac": "01:00:5e:24:f1:b2",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -854,32 +826,28 @@
 },
 {
 "@timestamp": "2017-03-04T13:21:59.000Z",
- "event.code": "51",
+ "event.code": "1103",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost ,01:00:5e:31:b9:65,dtem ",
- "event.outcome": "success",
+ "event.original": "%MSDHCP-7741-1103: 1103,3/4/17,11:21:59,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo",
 "fileset.name": "dhcp",
- "host.hostname": "imadmini2625.www5.localhost",
+ "host.hostname": "inci5738.www5.invalid",
 "input.type": "log",
- "log.offset": 3203,
+ "log.offset": 3064,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.119.185.63"
+ "10.159.181.29"
 ],
- "rsa.internal.event_desc": "fugi",
- "rsa.internal.messageid": "51",
- "rsa.investigations.ec_outcome": "Success",
- "rsa.investigations.ec_theme": "AccessControl",
+ "rsa.internal.event_desc": "dmin",
+ "rsa.internal.messageid": "1103",
 "rsa.time.event_time": "2017-03-04T13:21:59.000Z",
 "service.type": "microsoft",
- "source.address": "imadmini2625.www5.localhost",
+ "source.address": "inci5738.www5.invalid",
 "source.ip": [
- "10.119.185.63"
+ "10.159.181.29"
 ],
- "source.mac": "01:00:5e:31:b9:65,dtem",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -887,29 +855,28 @@
 },
 {
 "@timestamp": "2017-03-18T08:24:33.000Z",
- "event.code": "50",
+ "event.code": "11005",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host ,01:00:5e:60:77:c7,tinvol ",
+ "event.original": "%MSDHCP-18-11005: 11005,3/18/17,6:24:33,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia",
 "fileset.name": "dhcp",
- "host.hostname": "picia6119.mail.host",
+ "host.hostname": "itecto1300.internal.corp",
 "input.type": "log",
- "log.offset": 3312,
+ "log.offset": 3176,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.95.193.186"
+ "10.178.173.128"
 ],
- "rsa.internal.event_desc": "stl",
- "rsa.internal.messageid": "50",
+ "rsa.internal.event_desc": "cusant",
+ "rsa.internal.messageid": "11005",
 "rsa.time.event_time": "2017-03-18T08:24:33.000Z",
 "service.type": "microsoft",
- "source.address": "picia6119.mail.host",
+ "source.address": "itecto1300.internal.corp",
 "source.ip": [
- "10.95.193.186"
+ "10.178.173.128"
 ],
- "source.mac": "01:00:5e:60:77:c7,tinvol",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -917,27 +884,27 @@
 },
 {
 "@timestamp": "2017-04-02T03:27:07.000Z",
- "event.code": "11019",
+ "event.code": "11015",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi",
+ "event.original": "%MSDHCP-6789-11015: 11015,4/2/17,1:27:07,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender",
 "fileset.name": "dhcp",
- "host.hostname": "inv5716.mail.invalid",
+ "host.hostname": "siut1579.www.domain",
 "input.type": "log",
- "log.offset": 3414,
+ "log.offset": 3290,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.17.21.125"
+ "10.217.38.30"
 ],
- "rsa.internal.event_desc": "moenimi",
- "rsa.internal.messageid": "11019",
+ "rsa.internal.event_desc": "uia",
+ "rsa.internal.messageid": "11015",
 "rsa.time.event_time": "2017-04-02T03:27:07.000Z",
 "service.type": "microsoft",
- "source.address": "inv5716.mail.invalid",
+ "source.address": "siut1579.www.domain",
 "source.ip": [
- "10.17.21.125"
+ "10.217.38.30"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -946,27 +913,27 @@
 },
 {
 "@timestamp": "2017-04-16T10:29:41.000Z",
- "event.code": "11021",
+ "event.code": "11014",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion",
+ "event.original": "%MSDHCP-1540-11014: 11014,4/16/17,8:29:41,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni",
 "fileset.name": "dhcp",
- "host.hostname": "uines6355.internal.localdomain",
+ "host.hostname": "ame6223.www5.localhost",
 "input.type": "log",
- "log.offset": 3527,
+ "log.offset": 3387,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.73.69.75"
+ "10.178.49.161"
 ],
- "rsa.internal.event_desc": "nofdeF",
- "rsa.internal.messageid": "11021",
+ "rsa.internal.event_desc": "edic",
+ "rsa.internal.messageid": "11014",
 "rsa.time.event_time": "2017-04-16T10:29:41.000Z",
 "service.type": "microsoft",
- "source.address": "uines6355.internal.localdomain",
+ "source.address": "ame6223.www5.localhost",
 "source.ip": [
- "10.73.69.75"
+ "10.178.49.161"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -975,29 +942,28 @@
 },
 {
 "@timestamp": "2017-04-30T05:32:16.000Z",
- "event.code": "52",
+ "event.code": "11025",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan ,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi ",
+ "event.original": "%MSDHCP-5663-11025: 11025,4/30/17,3:32:16,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab",
 "fileset.name": "dhcp",
- "host.hostname": "ici3995.lan",
+ "host.hostname": "aturve1647.mail.localhost",
 "input.type": "log",
- "log.offset": 3643,
+ "log.offset": 3497,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.64.70.5"
+ "10.175.103.215"
 ],
- "rsa.internal.event_desc": "uasia",
- "rsa.internal.messageid": "52",
+ "rsa.internal.event_desc": "ano",
+ "rsa.internal.messageid": "11025",
 "rsa.time.event_time": "2017-04-30T05:32:16.000Z",
 "service.type": "microsoft",
- "source.address": "ici3995.lan",
+ "source.address": "aturve1647.mail.localhost",
 "source.ip": [
- "10.64.70.5"
+ "10.175.103.215"
 ],
- "source.mac": "01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -1005,27 +971,29 @@
 },
 {
 "@timestamp": "2017-05-14T12:34:50.000Z",
- "event.code": "11020",
+ "event.code": "11011",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac",
+ "event.original": "%MSDHCP-5224-11011: 11011,5/14/17,10:34:50,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured",
 "fileset.name": "dhcp",
- "host.hostname": "rehender4535.www5.test",
+ "host.hostname": "aco6894.mail.home",
 "input.type": "log",
- "log.offset": 3761,
+ "log.offset": 3608,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.45.25.68"
+ "10.192.21.74"
 ],
- "rsa.internal.event_desc": "deFinibu",
- "rsa.internal.messageid": "11020",
+ "rsa.internal.event_desc": "liqua",
+ "rsa.internal.messageid": "11011",
+ "rsa.investigations.ec_activity": "Stop",
+ "rsa.investigations.ec_theme": "Communication",
 "rsa.time.event_time": "2017-05-14T12:34:50.000Z",
 "service.type": "microsoft",
- "source.address": "rehender4535.www5.test",
+ "source.address": "aco6894.mail.home",
 "source.ip": [
- "10.45.25.68"
+ "10.192.21.74"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1034,29 +1002,28 @@
 },
 {
 "@timestamp": "2017-05-29T07:37:24.000Z",
- "event.code": "20",
+ "event.code": "11019",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-2228-20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home ,01:00:5e:cc:0b:8f",
+ "event.original": "%MSDHCP-5608-11019: 11019,5/29/17,5:37:24,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat",
 "fileset.name": "dhcp",
- "host.hostname": "pida2286.internal.home",
+ "host.hostname": "tetu2485.internal.invalid",
 "input.type": "log",
- "log.offset": 3873,
+ "log.offset": 3718,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.28.127.218"
+ "10.142.25.100"
 ],
- "rsa.internal.event_desc": "eli",
- "rsa.internal.messageid": "20",
+ "rsa.internal.event_desc": "bor",
+ "rsa.internal.messageid": "11019",
 "rsa.time.event_time": "2017-05-29T07:37:24.000Z",
 "service.type": "microsoft",
- "source.address": "pida2286.internal.home",
+ "source.address": "tetu2485.internal.invalid",
 "source.ip": [
- "10.28.127.218"
+ "10.142.25.100"
 ],
- "source.mac": "01:00:5e:cc:0b:8f",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -1064,27 +1031,30 @@
 },
 {
 "@timestamp": "2017-06-12T14:39:58.000Z",
- "event.code": "11006",
+ "event.code": "1098",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme",
+ "event.original": "%MSDHCP-3051-1098: 1098,6/12/17,12:39:58,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor",
+ "event.outcome": "failure",
 "fileset.name": "dhcp",
- "host.hostname": "mporain2624.www.localhost",
+ "host.hostname": "doloreme60.www5.localhost",
 "input.type": "log",
- "log.offset": 3970,
+ "log.offset": 3825,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.68.93.6"
+ "10.162.114.217"
 ],
- "rsa.internal.event_desc": "psaquae",
- "rsa.internal.messageid": "11006",
+ "rsa.internal.event_desc": "ven",
+ "rsa.internal.messageid": "1098",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_theme": "Communication",
 "rsa.time.event_time": "2017-06-12T14:39:58.000Z",
 "service.type": "microsoft",
- "source.address": "mporain2624.www.localhost",
+ "source.address": "doloreme60.www5.localhost",
 "source.ip": [
- "10.68.93.6"
+ "10.162.114.217"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1093,31 +1063,28 @@
 },
 {
 "@timestamp": "2017-06-26T09:42:33.000Z",
- "event.code": "16",
+ "event.code": "11001",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example ,01:00:5e:e1:73:47,maccusa ",
+ "event.original": "%MSDHCP-6444-11001: 11001,6/26/17,7:42:33,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide",
 "fileset.name": "dhcp",
- "host.hostname": "gnam2508.mail.example",
+ "host.hostname": "luptat7214.domain",
 "input.type": "log",
- "log.offset": 4083,
+ "log.offset": 3936,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.116.104.101"
+ "10.0.132.176"
 ],
- "rsa.internal.event_desc": "civeli",
- "rsa.internal.messageid": "16",
- "rsa.investigations.ec_activity": "Delete",
- "rsa.investigations.ec_theme": "Communication",
+ "rsa.internal.event_desc": "mex",
+ "rsa.internal.messageid": "11001",
 "rsa.time.event_time": "2017-06-26T09:42:33.000Z",
 "service.type": "microsoft",
- "source.address": "gnam2508.mail.example",
+ "source.address": "luptat7214.domain",
 "source.ip": [
- "10.116.104.101"
+ "10.0.132.176"
 ],
- "source.mac": "01:00:5e:e1:73:47,maccusa",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -1125,27 +1092,30 @@
 },
 {
 "@timestamp": "2017-07-11T04:45:07.000Z",
- "event.code": "11003",
+ "event.code": "1098",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta",
+ "event.original": "%MSDHCP-5524-1098: 1098,7/11/17,2:45:07,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem",
+ "event.outcome": "failure",
 "fileset.name": "dhcp",
- "host.hostname": "tutla2716.www.domain",
+ "host.hostname": "amcor5091.internal.corp",
 "input.type": "log",
- "log.offset": 4192,
+ "log.offset": 4041,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.192.110.182"
+ "10.22.187.69"
 ],
- "rsa.internal.event_desc": "idex",
- "rsa.internal.messageid": "11003",
+ "rsa.internal.event_desc": "lupta",
+ "rsa.internal.messageid": "1098",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_theme": "Communication",
 "rsa.time.event_time": "2017-07-11T04:45:07.000Z",
 "service.type": "microsoft",
- "source.address": "tutla2716.www.domain",
+ "source.address": "amcor5091.internal.corp",
 "source.ip": [
- "10.192.110.182"
+ "10.22.187.69"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1154,29 +1124,28 @@
 },
 {
 "@timestamp": "2017-07-25T11:47:41.000Z",
- "event.code": "53",
+ "event.code": "11019",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-2807-53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home ,01:00:5e:a0:cd:2f,iamquis ",
+ "event.original": "%MSDHCP-1978-11019: 11019,7/25/17,9:47:41,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation",
 "fileset.name": "dhcp",
- "host.hostname": "ercit2385.internal.home",
+ "host.hostname": "ncidid5410.internal.domain",
 "input.type": "log",
- "log.offset": 4302,
+ "log.offset": 4144,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.219.84.37"
+ "10.2.128.234"
 ],
- "rsa.internal.event_desc": "ihilm",
- "rsa.internal.messageid": "53",
+ "rsa.internal.event_desc": "atisund",
+ "rsa.internal.messageid": "11019",
 "rsa.time.event_time": "2017-07-25T11:47:41.000Z",
 "service.type": "microsoft",
- "source.address": "ercit2385.internal.home",
+ "source.address": "ncidid5410.internal.domain",
 "source.ip": [
- "10.219.84.37"
+ "10.2.128.234"
 ],
- "source.mac": "01:00:5e:a0:cd:2f,iamquis",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -1184,27 +1153,31 @@
 },
 {
 "@timestamp": "2017-08-08T06:50:15.000Z",
- "event.code": "11012",
+ "event.code": "11024",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-6972-11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame",
+ "event.original": "%MSDHCP-5469-11024: 11024,8/8/17,4:50:15,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori",
+ "event.outcome": "success",
 "fileset.name": "dhcp",
- "host.hostname": "conseq557.mail.lan",
+ "host.hostname": "nofd988.api.example",
 "input.type": "log",
- "log.offset": 4410,
+ "log.offset": 4266,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.148.153.201"
+ "10.223.160.140"
 ],
- "rsa.internal.event_desc": "ittenbyC",
- "rsa.internal.messageid": "11012",
+ "rsa.internal.event_desc": "porincid",
+ "rsa.internal.messageid": "11024",
+ "rsa.investigations.ec_outcome": "Success",
+ "rsa.investigations.ec_subject": "Service",
+ "rsa.investigations.ec_theme": "AccessControl",
 "rsa.time.event_time": "2017-08-08T06:50:15.000Z",
 "service.type": "microsoft",
- "source.address": "conseq557.mail.lan",
+ "source.address": "nofd988.api.example",
 "source.ip": [
- "10.148.153.201"
+ "10.223.160.140"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1213,29 +1186,28 @@
 },
 {
 "@timestamp": "2017-08-22T13:52:50.000Z",
- "event.code": "24",
+ "event.code": "11004",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid ,01:00:5e:c7:b7:18",
+ "event.original": "%MSDHCP-2-11004: 11004,8/22/17,11:52:50,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse",
 "fileset.name": "dhcp",
- "host.hostname": "oei5200.www5.invalid",
+ "host.hostname": "borisnis6159.www5.localdomain",
 "input.type": "log",
- "log.offset": 4522,
+ "log.offset": 4373,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.103.118.137"
+ "10.137.14.180"
 ],
- "rsa.internal.event_desc": "utla",
- "rsa.internal.messageid": "24",
+ "rsa.internal.event_desc": "elit",
+ "rsa.internal.messageid": "11004",
 "rsa.time.event_time": "2017-08-22T13:52:50.000Z",
 "service.type": "microsoft",
- "source.address": "oei5200.www5.invalid",
+ "source.address": "borisnis6159.www5.localdomain",
 "source.ip": [
- "10.103.118.137"
+ "10.137.14.180"
 ],
- "source.mac": "01:00:5e:c7:b7:18",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -1243,29 +1215,28 @@
 },
 {
 "@timestamp": "2017-09-06T08:55:24.000Z",
- "event.code": "02",
+ "event.code": "11025",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example ,01:00:5e:81:99:6f,dol ",
+ "event.original": "%MSDHCP-4924-11025: 11025,9/6/17,6:55:24,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa",
 "fileset.name": "dhcp",
- "host.hostname": "adol485.example",
+ "host.hostname": "dminima4348.mail.home",
 "input.type": "log",
- "log.offset": 4620,
+ "log.offset": 4489,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.137.223.15"
+ "10.192.182.230"
 ],
- "rsa.internal.event_desc": "nnum",
- "rsa.internal.messageid": "02",
+ "rsa.internal.event_desc": "periam",
+ "rsa.internal.messageid": "11025",
 "rsa.time.event_time": "2017-09-06T08:55:24.000Z",
 "service.type": "microsoft",
- "source.address": "adol485.example",
+ "source.address": "dminima4348.mail.home",
 "source.ip": [
- "10.137.223.15"
+ "10.192.182.230"
 ],
- "source.mac": "01:00:5e:81:99:6f,dol",
 "tags": [
 "microsoft.dhcp",
 "forwarded"
@@ -1273,27 +1244,31 @@
 },
 {
 "@timestamp": "2017-09-20T03:57:58.000Z",
- "event.code": "11019",
+ "event.code": "11023",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq",
+ "event.original": "%MSDHCP-3023-11023: 11023,9/20/17,1:57:58,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt",
+ "event.outcome": "failure",
 "fileset.name": "dhcp",
- "host.hostname": "etconse7424.internal.lan",
+ "host.hostname": "oluptas6981.www5.localhost",
 "input.type": "log",
- "log.offset": 4715,
+ "log.offset": 4595,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.213.147.241"
+ "10.95.241.28"
 ],
- "rsa.internal.event_desc": "que",
- "rsa.internal.messageid": "11019",
+ "rsa.internal.event_desc": "atise",
+ "rsa.internal.messageid": "11023",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "Service",
+ "rsa.investigations.ec_theme": "AccessControl",
 "rsa.time.event_time": "2017-09-20T03:57:58.000Z",
 "service.type": "microsoft",
- "source.address": "etconse7424.internal.lan",
+ "source.address": "oluptas6981.www5.localhost",
 "source.ip": [
- "10.213.147.241"
+ "10.95.241.28"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1302,29 +1277,29 @@
 },
 {
 "@timestamp": "2017-10-04T11:00:32.000Z",
- "event.code": "11010",
+ "event.code": "11011",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp",
+ "event.original": "%MSDHCP-3896-11011: 11011,10/4/17,9:00:32,isn,10.74.240.121,equ4808.www.localhost,siuta,urmagn,dquia,temporin",
 "fileset.name": "dhcp",
- "host.hostname": "tMalor7410.www.localhost",
+ "host.hostname": "equ4808.www.localhost",
 "input.type": "log",
- "log.offset": 4820,
+ "log.offset": 4708,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.183.233.5"
+ "10.74.240.121"
 ],
- "rsa.internal.event_desc": "serunt",
- "rsa.internal.messageid": "11010",
- "rsa.investigations.ec_activity": "Start",
+ "rsa.internal.event_desc": "isn",
+ "rsa.internal.messageid": "11011",
+ "rsa.investigations.ec_activity": "Stop",
 "rsa.investigations.ec_theme": "Communication",
 "rsa.time.event_time": "2017-10-04T11:00:32.000Z",
 "service.type": "microsoft",
- "source.address": "tMalor7410.www.localhost",
+ "source.address": "equ4808.www.localhost",
 "source.ip": [
- "10.183.233.5"
+ "10.74.240.121"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1333,27 +1308,30 @@
 },
 {
 "@timestamp": "2017-10-19T06:03:07.000Z",
- "event.code": "11013",
+ "event.code": "1098",
 "event.dataset": "microsoft.dhcp",
 "event.module": "microsoft",
- "event.original": "%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre",
+ "event.original": "%MSDHCP-6160-1098: 1098,10/19/17,4:03:07,obeataev,10.139.127.232,nsec923.internal.local,agnaaliq,tlaboree,norumet,dtempo",
+ "event.outcome": "failure",
 "fileset.name": "dhcp",
- "host.hostname": "equat2243.www5.localdomain",
+ "host.hostname": "nsec923.internal.local",
 "input.type": "log",
- "log.offset": 4930,
+ "log.offset": 4818,
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
 "related.ip": [
- "10.52.186.29"
+ "10.139.127.232"
 ],
- "rsa.internal.event_desc": "tNequepo",
- "rsa.internal.messageid": "11013",
+ "rsa.internal.event_desc": "obeataev",
+ "rsa.internal.messageid": "1098",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_theme": "Communication",
 "rsa.time.event_time": "2017-10-19T06:03:07.000Z",
 "service.type": "microsoft",
- "source.address": "equat2243.www5.localdomain",
+ "source.address": "nsec923.internal.local",
 "source.ip": [
- "10.52.186.29"
+ "10.139.127.232"
 ],
 "tags": [
 "microsoft.dhcp",
@@ -1362,31 +1340,28 @@ }, { "@timestamp": "2017-11-02T13:05:41.000Z", - "event.code": "11", + "event.code": "11009", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test ,01:00:5e:35:a8:83,fugitse ", + "event.original": "%MSDHCP-4862-11009: 11009,11/2/17,11:05:41,iumtot,10.170.6.54,emoe4059.api.localdomain,ehende,eaqueip,eum,lamc", "fileset.name": "dhcp", - "host.hostname": "tmo1835.test", + "host.hostname": "emoe4059.api.localdomain", "input.type": "log", - "log.offset": 5049, + "log.offset": 4939, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.64.199.102" + "10.170.6.54" ], - "rsa.internal.event_desc": "uptat", - "rsa.internal.messageid": "11", - "rsa.investigations.ec_activity": "Restore", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "iumtot", + "rsa.internal.messageid": "11009", "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "microsoft", - "source.address": "tmo1835.test", + "source.address": "emoe4059.api.localdomain", "source.ip": [ - "10.64.199.102" + "10.170.6.54" ], - "source.mac": "01:00:5e:35:a8:83,fugitse", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1394,32 +1369,28 @@ }, { "@timestamp": "2017-11-16T08:08:15.000Z", - "event.code": "54", + "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local ,01:00:5e:3b:7a:f1,sperna ", - "event.outcome": "failure", + "event.original": "%MSDHCP-1664-11007: 11007,11/16/17,6:08:15,sciun,10.46.115.216,equun6662.home,uia,iciad,lorem,nsequunt", "fileset.name": "dhcp", - "host.hostname": "quatD4191.local", + "host.hostname": "equun6662.home", "input.type": "log", - "log.offset": 5148, + "log.offset": 5050, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.196.143.87" + "10.46.115.216" ], - "rsa.internal.event_desc": "etMalor", - "rsa.internal.messageid": "54", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "sciun", + "rsa.internal.messageid": "11007", "rsa.time.event_time": "2017-11-16T08:08:15.000Z", "service.type": "microsoft", - "source.address": "quatD4191.local", + "source.address": "equun6662.home", "source.ip": [ - "10.196.143.87" + "10.46.115.216" ], - "source.mac": "01:00:5e:3b:7a:f1,sperna", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1427,30 +1398,28 @@ }, { "@timestamp": "2017-12-01T03:10:49.000Z", - "event.code": "30", + "event.code": "11017", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain ,01:00:5e:1e:d6:07,texp ", + "event.original": "%MSDHCP-6603-11017: 11017,12/1/17,1:10:49,gnaa,10.226.5.189,dtempori5735.www5.local,dexerc,strumex,eprehend,asnu", "fileset.name": "dhcp", - "host.hostname": "osqui3661.mail.domain", + "host.hostname": "dtempori5735.www5.local", "input.type": "log", - "log.offset": 5251, + "log.offset": 5153, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.163.5.243" + "10.226.5.189" ], - "rsa.internal.event_desc": "tper", - "rsa.internal.messageid": "30", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "gnaa", + "rsa.internal.messageid": "11017", "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "microsoft", - "source.address": "osqui3661.mail.domain", + "source.address": "dtempori5735.www5.local", "source.ip": [ - "10.163.5.243" + "10.226.5.189" ], - "source.mac": "01:00:5e:1e:d6:07,texp", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1458,27 +1427,27 @@ }, { "@timestamp": "2017-12-15T10:13:24.000Z", - "event.code": "11004", + "event.code": "11030", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", + "event.original": "%MSDHCP-1313-11030: 11030,12/15/17,8:13:24,derit,10.0.20.5,cupi7581.internal.local,dunt,litsedq,nderiti,ntNe", "fileset.name": "dhcp", - "host.hostname": "ectio2175.www.localhost", + "host.hostname": "cupi7581.internal.local", "input.type": "log", - "log.offset": 5353, + "log.offset": 5266, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.194.114.58" + "10.0.20.5" ], - "rsa.internal.event_desc": "uela", - "rsa.internal.messageid": "11004", + "rsa.internal.event_desc": "derit", + "rsa.internal.messageid": "11030", "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "microsoft", - "source.address": "ectio2175.www.localhost", + "source.address": "cupi7581.internal.local", "source.ip": [ - "10.194.114.58" + "10.0.20.5" ], "tags": [ "microsoft.dhcp", 
@@ -1487,27 +1456,31 @@ }, { "@timestamp": "2017-12-29T05:15:58.000Z", - "event.code": "1103", + "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", + "event.original": "%MSDHCP-4024-11023: 11023,12/29/17,3:15:58,olorema,10.180.101.232,quasiar5281.mail.invalid,emip,inBC,mol,tur", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "liqui6106.internal.home", + "host.hostname": "quasiar5281.mail.invalid", "input.type": "log", - "log.offset": 5464, + "log.offset": 5375, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.212.42.224" + "10.180.101.232" ], - "rsa.internal.event_desc": "ris", - "rsa.internal.messageid": "1103", + "rsa.internal.event_desc": "olorema", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2017-12-29T05:15:58.000Z", "service.type": "microsoft", - "source.address": "liqui6106.internal.home", + "source.address": "quasiar5281.mail.invalid", "source.ip": [ - "10.212.42.224" + "10.180.101.232" ], "tags": [ "microsoft.dhcp", 
@@ -1516,29 +1489,27 @@ }, { "@timestamp": "2018-01-12T12:18:32.000Z", - "event.code": "11011", + "event.code": "11018", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", + "event.original": "%MSDHCP-754-11018: 11018,1/12/18,10:18:32,irured,10.141.158.225,tionula1586.host,idolor,ratvolu,nreprehe,onse", "fileset.name": "dhcp", - "host.hostname": "eratv6205.internal.lan", + "host.hostname": "tionula1586.host", "input.type": "log", - "log.offset": 5575, + "log.offset": 5484, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.244.144.198" + "10.141.158.225" ], - "rsa.internal.event_desc": "aliquam", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "irured", + "rsa.internal.messageid": "11018", "rsa.time.event_time": "2018-01-12T12:18:32.000Z", "service.type": "microsoft", - "source.address": "eratv6205.internal.lan", + "source.address": "tionula1586.host", "source.ip": [ - "10.244.144.198" + "10.141.158.225" ], "tags": [ "microsoft.dhcp", 
@@ -1547,29 +1518,28 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "event.code": "57", + "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain ,01:00:5e:5b:99:6c,magnid ", + "event.original": "%MSDHCP-3617-11013: 11013,1/27/18,5:21:06,tatnon,10.94.88.5,ore5643.api.lan,metco,acom,ceroinB,nim", "fileset.name": "dhcp", - "host.hostname": "catc6134.localdomain", + "host.hostname": "ore5643.api.lan", "input.type": "log", - "log.offset": 5694, + "log.offset": 5594, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.134.192.241" + "10.94.88.5" ], - "rsa.internal.event_desc": "stlabo", - "rsa.internal.messageid": "57", + "rsa.internal.event_desc": "tatnon", + "rsa.internal.messageid": "11013", "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "microsoft", - "source.address": "catc6134.localdomain", + "source.address": "ore5643.api.lan", "source.ip": [ - "10.134.192.241" + "10.94.88.5" ], - "source.mac": "01:00:5e:5b:99:6c,magnid", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1577,29 +1547,32 @@ }, { "@timestamp": "2018-02-10T14:23:41.000Z", - "event.code": "17", + "event.code": "11024", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local ,01:00:5e:78:a7:55,gnido ", + "event.original": "%MSDHCP-4248-11024: 11024,2/10/18,12:23:41,aspe,10.155.18.139,ciun39.localdomain,iatqu,inBCSedu,erspi,rorsit", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "tevelite245.mail.local", + "host.hostname": "ciun39.localdomain", "input.type": "log", - "log.offset": 5801, + "log.offset": 5693, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.62.191.18" + "10.155.18.139" ], - "rsa.internal.event_desc": "quiratio", - "rsa.internal.messageid": "17", + "rsa.internal.event_desc": "aspe", + "rsa.internal.messageid": "11024", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "microsoft", - "source.address": "tevelite245.mail.local", + "source.address": "ciun39.localdomain", "source.ip": [ - "10.62.191.18" + "10.155.18.139" ], - "source.mac": "01:00:5e:78:a7:55,gnido", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1607,29 +1580,28 @@ }, { "@timestamp": "2018-02-24T09:26:15.000Z", - "event.code": "50", + "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host ,01:00:5e:ed:c2:f7", + "event.original": "%MSDHCP-5976-11013: 11013,2/24/18,7:26:15,undeomni,10.85.48.117,iutali7297.www.domain,Finibus,radi,xeacom,des", "fileset.name": "dhcp", - "host.hostname": "abo1637.mail.host", + "host.hostname": "iutali7297.www.domain", "input.type": "log", - "log.offset": 5910, + "log.offset": 5802, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.89.22.113" + "10.85.48.117" ], - "rsa.internal.event_desc": "numqua", - "rsa.internal.messageid": "50", + "rsa.internal.event_desc": "undeomni", + "rsa.internal.messageid": "11013", "rsa.time.event_time": "2018-02-24T09:26:15.000Z", "service.type": "microsoft", - "source.address": "abo1637.mail.host", + "source.address": "iutali7297.www.domain", "source.ip": [ - "10.89.22.113" + "10.85.48.117" ], - "source.mac": "01:00:5e:ed:c2:f7", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1637,27 +1609,27 @@ }, { "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "11020", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", + "event.original": "%MSDHCP-77-11003: 11003,3/11/18,2:28:49,eprehend,10.224.146.6,docon5398.mail.host,uptate,lloinven,econs,lmolesti", "fileset.name": "dhcp", - "host.hostname": "piscin6866.internal.host", + "host.hostname": "docon5398.mail.host", "input.type": "log", - "log.offset": 6004, + "log.offset": 5912, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.90.86.89" + "10.224.146.6" ], - "rsa.internal.event_desc": "derit", - "rsa.internal.messageid": "11020", + "rsa.internal.event_desc": "eprehend", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "microsoft", - "source.address": "piscin6866.internal.host", + "source.address": "docon5398.mail.host", "source.ip": [ - "10.90.86.89" + "10.224.146.6" ], "tags": [ "microsoft.dhcp", 
@@ -1666,32 +1638,28 @@ }, { "@timestamp": "2018-03-25T11:31:24.000Z", - "event.code": "59", + "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost ,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta ", - "event.outcome": "failure", + "event.original": "%MSDHCP-2519-11007: 11007,3/25/18,9:31:24,doeiu,10.182.152.242,destlabo7803.mail.localhost,ecillum,isci,dolor,tiumto", "fileset.name": "dhcp", - "host.hostname": "idex6952.www.localhost", + "host.hostname": "destlabo7803.mail.localhost", "input.type": "log", - "log.offset": 6116, + "log.offset": 6025, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.67.38.204" + "10.182.152.242" ], - "rsa.internal.event_desc": "nofdeFin", - "rsa.internal.messageid": "59", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "doeiu", + "rsa.internal.messageid": "11007", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "microsoft", - "source.address": "idex6952.www.localhost", + "source.address": "destlabo7803.mail.localhost", "source.ip": [ - "10.67.38.204" + "10.182.152.242" ], - "source.mac": "01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1699,29 +1667,27 @@ }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "event.code": "11010", + "event.code": "11000", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4824-11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", + "event.original": "%MSDHCP-6515-11000: 11000,4/8/18,4:33:58,quin,10.225.157.110,fugits1163.host,vol,admi,onnu,olorema", "fileset.name": "dhcp", - "host.hostname": "riosamn7650.api.test", + "host.hostname": "fugits1163.host", "input.type": "log", - "log.offset": 6292, + "log.offset": 6142, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.158.237.92" + "10.225.157.110" ], - "rsa.internal.event_desc": "volupt", - "rsa.internal.messageid": "11010", - "rsa.investigations.ec_activity": "Start", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "quin", + "rsa.internal.messageid": "11000", "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "microsoft", - "source.address": "riosamn7650.api.test", + "source.address": "fugits1163.host", "source.ip": [ - "10.158.237.92" + "10.225.157.110" ], "tags": [ "microsoft.dhcp", 
@@ -1730,29 +1696,28 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "event.code": "60", + "event.code": "11005", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan ,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu ", + "event.original": "%MSDHCP-4357-11005: 11005,4/22/18,11:36:32,tcupida,10.236.185.102,adol170.internal.example,niam,pernat,rerepre,nculpaq", "fileset.name": "dhcp", - "host.hostname": "ehen7519.www5.lan", + "host.hostname": "adol170.internal.example", "input.type": "log", - "log.offset": 6402, + "log.offset": 6241, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.107.168.60" + "10.236.185.102" ], - "rsa.internal.event_desc": "mnisi", - "rsa.internal.messageid": "60", + "rsa.internal.event_desc": "tcupida", + "rsa.internal.messageid": "11005", "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "microsoft", - "source.address": "ehen7519.www5.lan", + "source.address": "adol170.internal.example", "source.ip": [ - "10.107.168.60" + "10.236.185.102" ], - "source.mac": "01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1760,29 +1725,30 @@ }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.code": "24", + "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp ,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest ", + "event.original": "%MSDHCP-2577-11010: 11010,5/7/18,6:39:06,billoinv,10.146.72.62,red5516.localhost,agnaaliq,est,mquisno,aev", "fileset.name": "dhcp", - "host.hostname": "boree513.www.corp", + "host.hostname": "red5516.localhost", "input.type": "log", - "log.offset": 6529, + "log.offset": 6360, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.207.201.9" + "10.146.72.62" ], - "rsa.internal.event_desc": "Nequepo", - "rsa.internal.messageid": "24", + "rsa.internal.event_desc": "billoinv", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "microsoft", - "source.address": "boree513.www.corp", + "source.address": "red5516.localhost", "source.ip": [ - "10.207.201.9" + "10.146.72.62" ], - "source.mac": "01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1790,31 +1756,27 @@ }, { "@timestamp": "2018-05-21T03:41:41.000Z", - "event.code": "11023", + "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", - "event.outcome": "failure", + "event.original": "%MSDHCP-5343-1103: 1103,5/21/18,1:41:41,lapar,10.221.7.206,qui3176.internal.example,mexerc,meaque,uid,equaturv", "fileset.name": "dhcp", - "host.hostname": "aper5651.test", + "host.hostname": "qui3176.internal.example", "input.type": "log", - "log.offset": 6659, + "log.offset": 6466, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.20.147.134" + "10.221.7.206" ], - "rsa.internal.event_desc": "epte", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "lapar", + "rsa.internal.messageid": "1103", "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "microsoft", - "source.address": "aper5651.test", + "source.address": "qui3176.internal.example", "source.ip": [ - "10.20.147.134" + "10.221.7.206" ], "tags": [ "microsoft.dhcp", 
@@ -1823,27 +1785,27 @@ }, { "@timestamp": "2018-06-04T10:44:15.000Z", - "event.code": "11007", + "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", + "event.original": "%MSDHCP-653-1103: 1103,6/4/18,8:44:15,maccusa,10.196.35.130,luptat2979.internal.local,uradi,velitsed,magnaali,mwrit", "fileset.name": "dhcp", - "host.hostname": "inventor6088.www.invalid", + "host.hostname": "luptat2979.internal.local", "input.type": "log", - "log.offset": 6755, + "log.offset": 6577, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.213.145.202" + "10.196.35.130" ], - "rsa.internal.event_desc": "saute", - "rsa.internal.messageid": "11007", + "rsa.internal.event_desc": "maccusa", + "rsa.internal.messageid": "1103", "rsa.time.event_time": "2018-06-04T10:44:15.000Z", "service.type": "microsoft", - "source.address": "inventor6088.www.invalid", + "source.address": "luptat2979.internal.local", "source.ip": [ - "10.213.145.202" + "10.196.35.130" ], "tags": [ "microsoft.dhcp", 
@@ -1852,29 +1814,28 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "event.code": "20", + "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local ,01:00:5e:7e:22:1b", + "event.original": "%MSDHCP-6378-11014: 11014,6/19/18,3:46:49,equatDu,10.182.219.241,prehe1037.api.example,eiusmod,itation,veleum,piciatis", "fileset.name": "dhcp", - "host.hostname": "aperiame1458.www5.local", + "host.hostname": "prehe1037.api.example", "input.type": "log", - "log.offset": 6865, + "log.offset": 6693, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.14.81.228" + "10.182.219.241" ], - "rsa.internal.event_desc": "tae", - "rsa.internal.messageid": "20", + "rsa.internal.event_desc": "equatDu", + "rsa.internal.messageid": "11014", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "microsoft", - "source.address": "aperiame1458.www5.local", + "source.address": "prehe1037.api.example", "source.ip": [ - "10.14.81.228" + "10.182.219.241" ], - "source.mac": "01:00:5e:7e:22:1b", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1882,27 +1843,27 @@ }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "11003", + "event.code": "11021", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", + "event.original": "%MSDHCP-7616-11021: 11021,7/3/18,10:49:23,tanimid,10.101.163.40,abor1370.www.domain,remips,illoi,reetdolo,rationev", "fileset.name": "dhcp", - "host.hostname": "cipitlab6201.www5.example", + "host.hostname": "abor1370.www.domain", "input.type": "log", - "log.offset": 6961, + "log.offset": 6812, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.76.10.73" + "10.101.163.40" ], - "rsa.internal.event_desc": "itinvol", - "rsa.internal.messageid": "11003", + "rsa.internal.event_desc": "tanimid", + "rsa.internal.messageid": "11021", "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "microsoft", - "source.address": "cipitlab6201.www5.example", + "source.address": "abor1370.www.domain", "source.ip": [ - "10.76.10.73" + "10.101.163.40" ], "tags": [ "microsoft.dhcp", 
@@ -1911,31 +1872,28 @@ }, { "@timestamp": "2018-07-17T07:51:58.000Z", - "event.code": "01", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain ,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin ", + "event.original": "%MSDHCP-3147-11003: 11003,7/17/18,5:51:58,oremi,10.141.39.190,atDuis5759.internal.test,rumwri,velill,ore,tation", "fileset.name": "dhcp", - "host.hostname": "com5308.api.domain", + "host.hostname": "atDuis5759.internal.test", "input.type": "log", - "log.offset": 7070, + "log.offset": 6927, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.220.5.143" + "10.141.39.190" ], - "rsa.internal.event_desc": "osquira", - "rsa.internal.messageid": "01", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "oremi", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2018-07-17T07:51:58.000Z", "service.type": "microsoft", - "source.address": "com5308.api.domain", + "source.address": "atDuis5759.internal.test", "source.ip": [ - "10.220.5.143" + "10.141.39.190" ], - "source.mac": "01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1943,29 +1901,28 @@ }, { "@timestamp": "2018-08-01T14:54:32.000Z", - "event.code": "ID", + "event.code": "11009", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", + "event.original": "%MSDHCP-7360-11009: 11009,8/1/18,12:54:32,tperspic,10.41.89.217,ict2699.internal.localhost,riosamni,icta,luptate,llamc", "fileset.name": "dhcp", - "host.hostname": "Nemoenim2039.api.localhost", + "host.hostname": "ict2699.internal.localhost", "input.type": "log", - "log.offset": 7201, + "log.offset": 7039, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.226.199.190" + "10.41.89.217" ], - "rsa.internal.event_desc": "roid", - "rsa.internal.messageid": "ID", + "rsa.internal.event_desc": "tperspic", + "rsa.internal.messageid": "11009", "rsa.time.event_time": "2018-08-01T14:54:32.000Z", "service.type": "microsoft", - "source.address": "Nemoenim2039.api.localhost", + "source.address": "ict2699.internal.localhost", "source.ip": [ - "10.226.199.190" + "10.41.89.217" ], - "source.mac": "01:00:5e:f6:ba:65", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -1973,27 +1930,27 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "event.code": "11000", + "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", + "event.original": "%MSDHCP-2454-11007: 11007,8/15/18,7:57:06,tesseci,10.86.44.130,cive2292.api.local,nisiuta,stiaecon,dol,sumquiad", "fileset.name": "dhcp", - "host.hostname": "iquipe2458.api.host", + "host.hostname": "cive2292.api.local", "input.type": "log", - "log.offset": 7302, + "log.offset": 7158, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.20.129.206" + "10.86.44.130" ], - "rsa.internal.event_desc": "itessequ", - "rsa.internal.messageid": "11000", + "rsa.internal.event_desc": "tesseci", + "rsa.internal.messageid": "11007", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "microsoft", - "source.address": "iquipe2458.api.host", + "source.address": "cive2292.api.local", "source.ip": [ - "10.20.129.206" + "10.86.44.130" ], "tags": [ "microsoft.dhcp", 
@@ -2002,32 +1959,32 @@ }, { "@timestamp": "2018-08-29T04:59:40.000Z", - "event.code": "56", + "event.code": "11024", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host ,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite ", - "event.outcome": "failure", + "event.original": "%MSDHCP-7311-11024: 11024,8/29/18,2:59:40,uid,10.209.71.69,aconsequ2331.www5.localhost,sequat,lor,ccaec,atu", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "ovol3674.www5.host", + "host.hostname": "aconsequ2331.www5.localhost", "input.type": "log", - "log.offset": 7412, + "log.offset": 7270, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.174.176.36" + "10.209.71.69" ], - "rsa.internal.event_desc": "tquiin", - "rsa.internal.messageid": "56", - "rsa.investigations.ec_outcome": "Failure", + "rsa.internal.event_desc": "uid", + "rsa.internal.messageid": "11024", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "Service", "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2018-08-29T04:59:40.000Z", "service.type": "microsoft", - "source.address": "ovol3674.www5.host", + "source.address": "aconsequ2331.www5.localhost", "source.ip": [ - "10.174.176.36" + "10.209.71.69" ], - "source.mac": "01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2035,32 +1992,31 @@ }, { "@timestamp": "2018-09-12T12:02:15.000Z", - "event.code": "32", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home ,01:00:5e:c1:3c:48,exercita ", - "event.outcome": "success", + "event.original": "%MSDHCP-4968-1098: 1098,9/12/18,10:02:15,laudanti,10.48.104.137,rsitvolu3596.www.test,uameiusm,adm,gelitsed,tiumto", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "nisist2752.home", + "host.hostname": "rsitvolu3596.www.test", "input.type": "log", - "log.offset": 7584, + "log.offset": 7378, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.94.38.110" + "10.48.104.137" ], - "rsa.internal.event_desc": "asi", - "rsa.internal.messageid": "32", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_theme": "Configuration", + "rsa.internal.event_desc": "laudanti", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2018-09-12T12:02:15.000Z", "service.type": "microsoft", - "source.address": "nisist2752.home", + "source.address": "rsitvolu3596.www.test", "source.ip": [ - "10.94.38.110" + "10.48.104.137" ], - "source.mac": "01:00:5e:c1:3c:48,exercita", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2068,27 +2024,31 @@ }, { "@timestamp": "2018-09-27T07:04:49.000Z", - "event.code": "11007", + "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", + "event.original": "%MSDHCP-2648-11023: 11023,9/27/18,5:04:49,nihil,10.225.255.211,elites6366.mail.lan,eursinto,litesse,fugiatn,uaeabi", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "intoc1426.mail.lan", + "host.hostname": "elites6366.mail.lan", "input.type": "log", - "log.offset": 7684, + "log.offset": 7493, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.22.110.210" + "10.225.255.211" ], - "rsa.internal.event_desc": "oremeu", - "rsa.internal.messageid": "11007", + "rsa.internal.event_desc": "nihil", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "microsoft", - "source.address": "intoc1426.mail.lan", + "source.address": "elites6366.mail.lan", "source.ip": [ - "10.22.110.210" + "10.225.255.211" ], "tags": [ "microsoft.dhcp", 
@@ -2097,27 +2057,27 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.code": "11006", + "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-543-11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", + "event.original": "%MSDHCP-2724-11013: 11013,10/11/18,12:07:23,olu,10.137.103.62,orumSe4514.www.corp,umquam,emagn,emulla,mips", "fileset.name": "dhcp", - "host.hostname": "rsitvolu3751.mail.lan", + "host.hostname": "orumSe4514.www.corp", "input.type": "log", - "log.offset": 7792, + "log.offset": 7608, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.218.87.174" + "10.137.103.62" ], - "rsa.internal.event_desc": "eturadi", - "rsa.internal.messageid": "11006", + "rsa.internal.event_desc": "olu", + "rsa.internal.messageid": "11013", "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "microsoft", - "source.address": "rsitvolu3751.mail.lan", + "source.address": "orumSe4514.www.corp", "source.ip": [ - "10.218.87.174" + "10.137.103.62" ], "tags": [ "microsoft.dhcp", 
@@ -2126,27 +2086,27 @@ }, { "@timestamp": "2018-10-25T09:09:57.000Z", - "event.code": "11014", + "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", + "event.original": "%MSDHCP-3887-11015: 11015,10/25/18,7:09:57,etdol,10.156.88.51,fdeFi6975.www5.local,equat,aliquid,usantiu,idunt", "fileset.name": "dhcp", - "host.hostname": "tqu4367.www5.localhost", + "host.hostname": "fdeFi6975.www5.local", "input.type": "log", - "log.offset": 7904, + "log.offset": 7715, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.140.113.244" + "10.156.88.51" ], - "rsa.internal.event_desc": "adeser", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "etdol", + "rsa.internal.messageid": "11015", "rsa.time.event_time": "2018-10-25T09:09:57.000Z", "service.type": "microsoft", - "source.address": "tqu4367.www5.localhost", + "source.address": "fdeFi6975.www5.local", "source.ip": [ - "10.140.113.244" + "10.156.88.51" ], "tags": [ "microsoft.dhcp", 
@@ -2155,27 +2115,27 @@ }, { "@timestamp": "2018-11-09T04:12:32.000Z", - "event.code": "1103", + "event.code": "11025", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", + "event.original": "%MSDHCP-5999-11025: 11025,11/9/18,2:12:32,quiacons,10.7.99.47,dol3000.www5.local,teturadi,ditau,atemaccu,veritat", "fileset.name": "dhcp", - "host.hostname": "inci5738.www5.invalid", + "host.hostname": "dol3000.www5.local", "input.type": "log", - "log.offset": 8016, + "log.offset": 7826, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.159.181.29" + "10.7.99.47" ], - "rsa.internal.event_desc": "dmin", - "rsa.internal.messageid": "1103", + "rsa.internal.event_desc": "quiacons", + "rsa.internal.messageid": "11025", "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "microsoft", - "source.address": "inci5738.www5.invalid", + "source.address": "dol3000.www5.local", "source.ip": [ - "10.159.181.29" + "10.7.99.47" ], "tags": [ "microsoft.dhcp", 
@@ -2184,27 +2144,29 @@ }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "11005", + "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", + "event.original": "%MSDHCP-5374-11010: 11010,11/23/18,9:15:06,ueip,10.243.252.157,umd5182.mail.host,tur,acon,Nemoenim,usm", "fileset.name": "dhcp", - "host.hostname": "itecto1300.internal.corp", + "host.hostname": "umd5182.mail.host", "input.type": "log", - "log.offset": 8128, + "log.offset": 7939, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.178.173.128" + "10.243.252.157" ], - "rsa.internal.event_desc": "cusant", - "rsa.internal.messageid": "11005", + "rsa.internal.event_desc": "ueip", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "microsoft", - "source.address": "itecto1300.internal.corp", + "source.address": "umd5182.mail.host", "source.ip": [ - "10.178.173.128" + "10.243.252.157" ], "tags": [ "microsoft.dhcp", 
@@ -2213,27 +2175,27 @@ }, { "@timestamp": "2018-12-07T06:17:40.000Z", - "event.code": "11015", + "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6789-11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", + "event.original": "%MSDHCP-5397-11013: 11013,12/7/18,4:17:40,tise,10.95.73.196,expl2616.www.test,itinvol,ten,litanim,rQuisaut", "fileset.name": "dhcp", - "host.hostname": "siut1579.www.domain", + "host.hostname": "expl2616.www.test", "input.type": "log", - "log.offset": 8243, + "log.offset": 8042, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.217.38.30" + "10.95.73.196" ], - "rsa.internal.event_desc": "uia", - "rsa.internal.messageid": "11015", + "rsa.internal.event_desc": "tise", + "rsa.internal.messageid": "11013", "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "microsoft", - "source.address": "siut1579.www.domain", + "source.address": "expl2616.www.test", "source.ip": [ - "10.217.38.30" + "10.95.73.196" ], "tags": [ "microsoft.dhcp", 
@@ -2242,27 +2204,27 @@ }, { "@timestamp": "2018-12-21T13:20:14.000Z", - "event.code": "11014", + "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", + "event.original": "%MSDHCP-1636-11004: 11004,12/21/18,11:20:14,teni,10.145.104.170,risni1535.example,onemulla,riaturEx,deri,amqu", "fileset.name": "dhcp", - "host.hostname": "ame6223.www5.localhost", + "host.hostname": "risni1535.example", "input.type": "log", - "log.offset": 8341, + "log.offset": 8149, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.178.49.161" + "10.145.104.170" ], - "rsa.internal.event_desc": "edic", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "teni", + "rsa.internal.messageid": "11004", "rsa.time.event_time": "2018-12-21T13:20:14.000Z", "service.type": "microsoft", - "source.address": "ame6223.www5.localhost", + "source.address": "risni1535.example", "source.ip": [ - "10.178.49.161" + "10.145.104.170" ], "tags": [ "microsoft.dhcp", 
@@ -2271,32 +2233,28 @@ }, { "@timestamp": "2019-01-05T08:22:49.000Z", - "event.code": "32", + "event.code": "11018", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid ,01:00:5e:fd:3d:c2,nts ", - "event.outcome": "success", + "event.original": "%MSDHCP-1303-11018: 11018,1/5/19,6:22:49,edquian,10.18.152.236,umtotamr7221.mail.host,rnat,rur,itse,ilm", "fileset.name": "dhcp", - "host.hostname": "ratv5227.www.invalid", + "host.hostname": "umtotamr7221.mail.host", "input.type": "log", - "log.offset": 8453, + "log.offset": 8259, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.215.205.216" + "10.18.152.236" ], - "rsa.internal.event_desc": "stenatu", - "rsa.internal.messageid": "32", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_theme": "Configuration", + "rsa.internal.event_desc": "edquian", + "rsa.internal.messageid": "11018", "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "microsoft", - "source.address": "ratv5227.www.invalid", + "source.address": "umtotamr7221.mail.host", "source.ip": [ - "10.215.205.216" + "10.18.152.236" ], - "source.mac": "01:00:5e:fd:3d:c2,nts", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2304,27 +2262,27 @@ }, { "@timestamp": "2019-01-19T03:25:23.000Z", - "event.code": "11025", + "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", + "event.original": "%MSDHCP-2746-11015: 11015,1/19/19,1:25:23,oloree,10.15.240.220,teir7585.www5.localdomain,quu,xeac,llitanim,quamei", "fileset.name": "dhcp", - "host.hostname": "aturve1647.mail.localhost", + "host.hostname": "teir7585.www5.localdomain", "input.type": "log", - "log.offset": 8557, + "log.offset": 8363, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.175.103.215" + "10.15.240.220" ], - "rsa.internal.event_desc": "ano", - "rsa.internal.messageid": "11025", + "rsa.internal.event_desc": "oloree", + "rsa.internal.messageid": "11015", "rsa.time.event_time": "2019-01-19T03:25:23.000Z", "service.type": "microsoft", - "source.address": "aturve1647.mail.localhost", + "source.address": "teir7585.www5.localdomain", "source.ip": [ - "10.175.103.215" + "10.15.240.220" ], "tags": [ "microsoft.dhcp", 
@@ -2333,29 +2291,28 @@ }, { "@timestamp": "2019-02-02T10:27:57.000Z", - "event.code": "12", + "event.code": "11000", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain ,01:00:5e:ba:09:4a,tpersp ", + "event.original": "%MSDHCP-5996-11000: 11000,2/2/19,8:27:57,meum,10.147.130.71,tur4536.localdomain,iamqui,tassita,colabori,imidestl", "fileset.name": "dhcp", - "host.hostname": "umwrit5433.www5.domain", + "host.hostname": "tur4536.localdomain", "input.type": "log", - "log.offset": 8668, + "log.offset": 8477, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.236.150.115" + "10.147.130.71" ], - "rsa.internal.event_desc": "enderi", - "rsa.internal.messageid": "12", + "rsa.internal.event_desc": "meum", + "rsa.internal.messageid": "11000", "rsa.time.event_time": "2019-02-02T10:27:57.000Z", "service.type": "microsoft", - "source.address": "umwrit5433.www5.domain", + "source.address": "tur4536.localdomain", "source.ip": [ - "10.236.150.115" + "10.147.130.71" ], - "source.mac": "01:00:5e:ba:09:4a,tpersp", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2363,31 +2320,28 @@ }, { "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "01", + "event.code": "11002", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home ,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat ", + "event.original": "%MSDHCP-956-11002: 11002,2/17/19,3:30:32,isn,10.203.146.137,ffic6926.home,aparia,CSe,exerci,inesciu", "fileset.name": "dhcp", - "host.hostname": "llamco7206.www.home", + "host.hostname": "ffic6926.home", "input.type": "log", - "log.offset": 8776, + "log.offset": 8590, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.223.90.192" + "10.203.146.137" ], - "rsa.internal.event_desc": "oeni", - "rsa.internal.messageid": "01", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "isn", + "rsa.internal.messageid": "11002", "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "microsoft", - "source.address": "llamco7206.www.home", + "source.address": "ffic6926.home", "source.ip": [ - "10.223.90.192" + "10.203.146.137" ], - "source.mac": "01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2395,32 +2349,28 @@ }, { "@timestamp": "2019-03-03T12:33:06.000Z", - "event.code": "51", + "event.code": "11012", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example ,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo ", - "event.outcome": "success", + "event.original": "%MSDHCP-5452-11012: 11012,3/3/19,10:33:06,emu,10.5.98.182,ate4386.api.localhost,minimve,serrorsi,tametco,mquisnos", "fileset.name": "dhcp", - "host.hostname": "nBCSedut1502.www5.example", + "host.hostname": "ate4386.api.localhost", "input.type": "log", - "log.offset": 8901, + "log.offset": 8690, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.165.192.48" + "10.5.98.182" ], - "rsa.internal.event_desc": "dolore", - "rsa.internal.messageid": "51", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "emu", + "rsa.internal.messageid": "11012", "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "microsoft", - "source.address": "nBCSedut1502.www5.example", + "source.address": "ate4386.api.localhost", "source.ip": [ - "10.165.192.48" + "10.5.98.182" ], - "source.mac": "01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2428,29 +2378,28 @@ }, { "@timestamp": "2019-03-17T07:35:40.000Z", - "event.code": "50", + "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain ,01:00:5e:27:0a:9d, ", + "event.original": "%MSDHCP-6034-11014: 11014,3/17/19,5:35:40,ici,10.6.180.90,iameaque5093.api.corp,aquio,rspicia,deom,oluptat", "fileset.name": "dhcp", - "host.hostname": "texpli2782.mail.domain", + "host.hostname": "iameaque5093.api.corp", "input.type": "log", - "log.offset": 9079, + "log.offset": 8804, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.80.152.108" + "10.6.180.90" ], - "rsa.internal.event_desc": "ama", - "rsa.internal.messageid": "50", + "rsa.internal.event_desc": "ici", + "rsa.internal.messageid": "11014", "rsa.time.event_time": "2019-03-17T07:35:40.000Z", "service.type": "microsoft", - "source.address": "texpli2782.mail.domain", + "source.address": "iameaque5093.api.corp", "source.ip": [ - "10.80.152.108" + "10.6.180.90" ], - "source.mac": "01:00:5e:27:0a:9d,", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2458,29 +2407,27 @@ }, { "@timestamp": "2019-04-01T14:38:14.000Z", - "event.code": "11011", + "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", + "event.original": "%MSDHCP-3545-11004: 11004,4/1/19,12:38:14,onproide,10.111.93.224,tatisetq3237.www5.corp,emag,oquisq,abori,sit", "fileset.name": "dhcp", - "host.hostname": "aco6894.mail.home", + "host.hostname": "tatisetq3237.www5.corp", "input.type": "log", - "log.offset": 9178, + "log.offset": 8911, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.192.21.74" + "10.111.93.224" ], - "rsa.internal.event_desc": "liqua", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "onproide", + "rsa.internal.messageid": "11004", "rsa.time.event_time": "2019-04-01T14:38:14.000Z", "service.type": "microsoft", - "source.address": "aco6894.mail.home", + "source.address": "tatisetq3237.www5.corp", "source.ip": [ - "10.192.21.74" + "10.111.93.224" ], "tags": [ "microsoft.dhcp", 
@@ -2489,27 +2436,27 @@ }, { "@timestamp": "2019-04-15T09:40:49.000Z", - "event.code": "11019", + "event.code": "11002", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", + "event.original": "%MSDHCP-7051-11002: 11002,4/15/19,7:40:49,lumdolor,10.196.157.28,rvelill32.internal.corp,tatevel,midestl,nci,orroquis", "fileset.name": "dhcp", - "host.hostname": "tetu2485.internal.invalid", + "host.hostname": "rvelill32.internal.corp", "input.type": "log", - "log.offset": 9287, + "log.offset": 9021, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.142.25.100" + "10.196.157.28" ], - "rsa.internal.event_desc": "bor", - "rsa.internal.messageid": "11019", + "rsa.internal.event_desc": "lumdolor", + "rsa.internal.messageid": "11002", "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "microsoft", - "source.address": "tetu2485.internal.invalid", + "source.address": "rvelill32.internal.corp", "source.ip": [ - "10.142.25.100" + "10.196.157.28" ], "tags": [ "microsoft.dhcp", 
@@ -2518,30 +2465,27 @@ }, { "@timestamp": "2019-04-29T04:43:23.000Z", - "event.code": "1098", + "event.code": "11017", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", - "event.outcome": "failure", + "event.original": "%MSDHCP-4040-11017: 11017,4/29/19,2:43:23,meiusm,10.143.0.78,ectetura2657.www.localdomain,seq,moll,quaeabil,emip", "fileset.name": "dhcp", - "host.hostname": "doloreme60.www5.localhost", + "host.hostname": "ectetura2657.www.localdomain", "input.type": "log", - "log.offset": 9394, + "log.offset": 9139, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.162.114.217" + "10.143.0.78" ], - "rsa.internal.event_desc": "ven", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "meiusm", + "rsa.internal.messageid": "11017", "rsa.time.event_time": "2019-04-29T04:43:23.000Z", "service.type": "microsoft", - "source.address": "doloreme60.www5.localhost", + "source.address": "ectetura2657.www.localdomain", "source.ip": [ - "10.162.114.217" + "10.143.0.78" ], "tags": [ "microsoft.dhcp", 
@@ -2550,31 +2494,28 @@ }, { "@timestamp": "2019-05-13T11:45:57.000Z", - "event.code": "01", + "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2315-01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid ,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac ", + "event.original": "%MSDHCP-3376-1103: 1103,5/13/19,9:45:57,mipsumqu,10.184.187.32,ico3220.api.test,evi,tionula,accus,uatu", "fileset.name": "dhcp", - "host.hostname": "liqua6498.api.invalid", + "host.hostname": "ico3220.api.test", "input.type": "log", - "log.offset": 9504, + "log.offset": 9252, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.57.57.241" + "10.184.187.32" ], - "rsa.internal.event_desc": "amcorp", - "rsa.internal.messageid": "01", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "mipsumqu", + "rsa.internal.messageid": "1103", "rsa.time.event_time": "2019-05-13T11:45:57.000Z", "service.type": "microsoft", - "source.address": "liqua6498.api.invalid", + "source.address": "ico3220.api.test", "source.ip": [ - "10.57.57.241" + "10.184.187.32" ], - "source.mac": "01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2582,29 +2523,28 @@ }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "event.code": "14", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local ,01:00:5e:7a:4c:6e,miu ", + "event.original": "%MSDHCP-111-11019: 11019,5/28/19,4:48:31,sumquiad,10.30.87.51,Duisa7769.test,iaecon,aevitaed,byCic,leumiur", "fileset.name": "dhcp", - "host.hostname": "rsita2628.www5.local", + "host.hostname": "Duisa7769.test", "input.type": "log", - "log.offset": 9685, + "log.offset": 9355, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.152.28.171" + "10.30.87.51" ], - "rsa.internal.event_desc": "quamest", - "rsa.internal.messageid": "14", + "rsa.internal.event_desc": "sumquiad", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "microsoft", - "source.address": "rsita2628.www5.local", + "source.address": "Duisa7769.test", "source.ip": [ - "10.152.28.171" + "10.30.87.51" ], - "source.mac": "01:00:5e:7a:4c:6e,miu", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2612,27 +2552,27 @@ }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "11001", + "event.code": "11000", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", + "event.original": "%MSDHCP-5483-11000: 11000,6/11/19,11:51:06,tno,10.180.62.222,ptatev6552.www.test,ctetura,msequ,nvol,enimadmi", "fileset.name": "dhcp", - "host.hostname": "luptat7214.domain", + "host.hostname": "ptatev6552.www.test", "input.type": "log", - "log.offset": 9789, + "log.offset": 9462, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.0.132.176" + "10.180.62.222" ], - "rsa.internal.event_desc": "mex", - "rsa.internal.messageid": "11001", + "rsa.internal.event_desc": "tno", + "rsa.internal.messageid": "11000", "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "microsoft", - "source.address": "luptat7214.domain", + "source.address": "ptatev6552.www.test", "source.ip": [ - "10.0.132.176" + "10.180.62.222" ], "tags": [ "microsoft.dhcp", 
@@ -2641,31 +2581,31 @@ }, { "@timestamp": "2019-06-25T08:53:40.000Z", - "event.code": "11", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example ,01:00:5e:0b:fb:4a", + "event.original": "%MSDHCP-7708-1098: 1098,6/25/19,6:53:40,adeser,10.198.9.209,olore6487.www5.local,inea,animid,upta,ioff", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "tpersp2624.mail.example", + "host.hostname": "olore6487.www5.local", "input.type": "log", - "log.offset": 9895, + "log.offset": 9571, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.125.134.213" + "10.198.9.209" ], - "rsa.internal.event_desc": "itesseq", - "rsa.internal.messageid": "11", - "rsa.investigations.ec_activity": "Restore", + "rsa.internal.event_desc": "adeser", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-06-25T08:53:40.000Z", "service.type": "microsoft", - "source.address": "tpersp2624.mail.example", + "source.address": "olore6487.www5.local", "source.ip": [ - "10.125.134.213" + "10.198.9.209" ], - "source.mac": "01:00:5e:0b:fb:4a", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2673,29 +2613,31 @@ }, { "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "64", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home ,01:00:5e:80:9d:2c, ", + "event.original": "%MSDHCP-4197-1098: 1098,7/10/19,1:56:14,iuntN,10.41.217.115,nvol548.corp,sin,idexeac,nimadmin,midest", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "aincidu2687.mail.home", + "host.hostname": "nvol548.corp", "input.type": "log", - "log.offset": 9998, + "log.offset": 9674, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.206.96.56" + "10.41.217.115" ], - "rsa.internal.event_desc": "mvolu", - "rsa.internal.messageid": "64", + "rsa.internal.event_desc": "iuntN", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "microsoft", - "source.address": "aincidu2687.mail.home", + "source.address": "nvol548.corp", "source.ip": [ - "10.206.96.56" + "10.41.217.115" ], - "source.mac": "01:00:5e:80:9d:2c,", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2703,30 +2645,27 @@ }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "1098", + "event.code": "11030", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", - "event.outcome": "failure", + "event.original": "%MSDHCP-2952-11030: 11030,7/24/19,8:58:48,quatu,10.212.196.228,pteursi466.www.localdomain,essecill,totamre,rpo,velites", "fileset.name": "dhcp", - "host.hostname": "amcor5091.internal.corp", + "host.hostname": "pteursi466.www.localdomain", "input.type": "log", - "log.offset": 10097, + "log.offset": 9775, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.22.187.69" + "10.212.196.228" ], - "rsa.internal.event_desc": "lupta", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "quatu", + "rsa.internal.messageid": "11030", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "microsoft", - "source.address": "amcor5091.internal.corp", + "source.address": "pteursi466.www.localdomain", "source.ip": [ - "10.22.187.69" + "10.212.196.228" ], "tags": [ "microsoft.dhcp", 
@@ -2735,27 +2674,27 @@ }, { "@timestamp": "2019-08-07T06:01:23.000Z", - "event.code": "11019", + "event.code": "11002", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1978-11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", + "event.original": "%MSDHCP-7651-11002: 11002,8/7/19,4:01:23,uisaute,10.166.180.119,olupt1936.host,imide,ncul,taliq,tautfugi", "fileset.name": "dhcp", - "host.hostname": "ncidid5410.internal.domain", + "host.hostname": "olupt1936.host", "input.type": "log", - "log.offset": 10200, + "log.offset": 9894, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.2.128.234" + "10.166.180.119" ], - "rsa.internal.event_desc": "atisund", - "rsa.internal.messageid": "11019", + "rsa.internal.event_desc": "uisaute", + "rsa.internal.messageid": "11002", "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "microsoft", - "source.address": "ncidid5410.internal.domain", + "source.address": "olupt1936.host", "source.ip": [ - "10.2.128.234" + "10.166.180.119" ], "tags": [ "microsoft.dhcp", 
@@ -2764,31 +2703,27 @@ }, { "@timestamp": "2019-08-21T13:03:57.000Z", - "event.code": "11024", + "event.code": "11030", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", - "event.outcome": "success", + "event.original": "%MSDHCP-163-11030: 11030,8/21/19,11:03:57,volup,10.7.142.212,uisaut2157.corp,tuser,ctasu,irat,sitame", "fileset.name": "dhcp", - "host.hostname": "nofd988.api.example", + "host.hostname": "uisaut2157.corp", "input.type": "log", - "log.offset": 10321, + "log.offset": 9999, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.223.160.140" + "10.7.142.212" ], - "rsa.internal.event_desc": "porincid", - "rsa.internal.messageid": "11024", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "volup", + "rsa.internal.messageid": "11030", "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "microsoft", - "source.address": "nofd988.api.example", + "source.address": "uisaut2157.corp", "source.ip": [ - "10.223.160.140" + "10.7.142.212" ], "tags": [ "microsoft.dhcp", 
@@ -2797,27 +2732,31 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "11004", + "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", + "event.original": "%MSDHCP-3403-11023: 11023,9/5/19,6:06:31,uptateve,10.209.237.97,ecte882.www5.host,Malor,boriosa,cillumdo,ditau", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "borisnis6159.www5.localdomain", + "host.hostname": "ecte882.www5.host", "input.type": "log", - "log.offset": 10430, + "log.offset": 10100, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.137.14.180" + "10.209.237.97" ], - "rsa.internal.event_desc": "elit", - "rsa.internal.messageid": "11004", + "rsa.internal.event_desc": "uptateve", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "microsoft", - "source.address": "borisnis6159.www5.localdomain", + "source.address": "ecte882.www5.host", "source.ip": [ - "10.137.14.180" + "10.209.237.97" ], "tags": [ "microsoft.dhcp", 
@@ -2826,32 +2765,28 @@ }, { "@timestamp": "2019-09-19T03:09:05.000Z", - "event.code": "59", + "event.code": "11025", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home ,01:00:5e:1b:92:a6", - "event.outcome": "failure", + "event.original": "%MSDHCP-801-11025: 11025,9/19/19,1:09:05,sci,10.61.26.207,doloreeu4417.example,ametcons,tconse,eumf,roquisq", "fileset.name": "dhcp", - "host.hostname": "isetquas3096.home", + "host.hostname": "doloreeu4417.example", "input.type": "log", - "log.offset": 10544, + "log.offset": 10211, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.106.93.26" + "10.61.26.207" ], - "rsa.internal.event_desc": "inibu", - "rsa.internal.messageid": "59", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "sci", + "rsa.internal.messageid": "11025", "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "microsoft", - "source.address": "isetquas3096.home", + "source.address": "doloreeu4417.example", "source.ip": [ - "10.106.93.26" + "10.61.26.207" ], - "source.mac": "01:00:5e:1b:92:a6", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2859,27 +2794,30 @@ }, { "@timestamp": "2019-10-03T10:11:40.000Z", - "event.code": "11025", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", + "event.original": "%MSDHCP-3103-1098: 1098,10/3/19,8:11:40,tDuisau,10.139.88.194,tper4341.lan,nulamc,sint,etcon,ctobeat", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "dminima4348.mail.home", + "host.hostname": "tper4341.lan", "input.type": "log", - "log.offset": 10637, + "log.offset": 10319, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.192.182.230" + "10.139.88.194" ], - "rsa.internal.event_desc": "periam", - "rsa.internal.messageid": "11025", + "rsa.internal.event_desc": "tDuisau", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "microsoft", - "source.address": "dminima4348.mail.home", + "source.address": "tper4341.lan", "source.ip": [ - "10.192.182.230" + "10.139.88.194" ], "tags": [ "microsoft.dhcp", 
@@ -2888,29 +2826,28 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "25", + "event.code": "11008", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1738-25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local ,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi ", + "event.original": "%MSDHCP-598-11008: 11008,10/18/19,3:14:14,lorumw,10.86.134.125,nimve4965.mail.corp,ola,ptat,quasi,tium", "fileset.name": "dhcp", - "host.hostname": "volupt2952.api.local", + "host.hostname": "nimve4965.mail.corp", "input.type": "log", - "log.offset": 10744, + "log.offset": 10420, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.24.111.229" + "10.86.134.125" ], - "rsa.internal.event_desc": "loi", - "rsa.internal.messageid": "25", + "rsa.internal.event_desc": "lorumw", + "rsa.internal.messageid": "11008", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "microsoft", - "source.address": "volupt2952.api.local", + "source.address": "nimve4965.mail.corp", "source.ip": [ - "10.24.111.229" + "10.86.134.125" ], - "source.mac": "01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2918,29 +2855,28 @@ }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "60", + "event.code": "11008", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home ,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil ", + "event.original": "%MSDHCP-5046-11008: 11008,11/1/19,10:16:48,nul,10.41.78.169,mquisno5146.home,mipsamv,exeacomm,sequines,cto", "fileset.name": "dhcp", - "host.hostname": "uii5923.internal.home", + "host.hostname": "mquisno5146.home", "input.type": "log", - "log.offset": 10915, + "log.offset": 10523, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.45.253.103" + "10.41.78.169" ], - "rsa.internal.event_desc": "lores", - "rsa.internal.messageid": "60", + "rsa.internal.event_desc": "nul", + "rsa.internal.messageid": "11008", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "microsoft", - "source.address": "uii5923.internal.home", + "source.address": "mquisno5146.home", "source.ip": [ - "10.45.253.103" + "10.41.78.169" ], - "source.mac": "01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -2948,31 +2884,27 @@ }, { "@timestamp": "2019-11-15T07:19:22.000Z", - "event.code": "11023", + "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", - "event.outcome": "failure", + "event.original": "%MSDHCP-5270-11014: 11014,11/15/19,5:19:22,lumquid,10.69.181.95,imaveni4500.api.localdomain,ssequamn,ave,taliqui,idi", "fileset.name": "dhcp", - "host.hostname": "oluptas6981.www5.localhost", + "host.hostname": "imaveni4500.api.localdomain", "input.type": "log", - "log.offset": 11047, + "log.offset": 10630, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.95.241.28" + "10.69.181.95" ], - "rsa.internal.event_desc": "atise", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "lumquid", + "rsa.internal.messageid": "11014", "rsa.time.event_time": "2019-11-15T07:19:22.000Z", "service.type": "microsoft", - "source.address": "oluptas6981.www5.localhost", + "source.address": "imaveni4500.api.localdomain", "source.ip": [ - "10.95.241.28" + "10.69.181.95" ], "tags": [ "microsoft.dhcp", 
@@ -2981,29 +2913,31 @@ }, { "@timestamp": "2019-11-30T14:21:57.000Z", - "event.code": "23", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example ,01:00:5e:11:45:1e,itaedict ", + "event.original": "%MSDHCP-5895-1098: 1098,11/30/19,12:21:57,mqu,10.222.6.52,veleu2874.www5.localhost,tasnu,loru,iadeser,litess", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "vitaed4959.example", + "host.hostname": "veleu2874.www5.localhost", "input.type": "log", - "log.offset": 11161, + "log.offset": 10747, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.84.32.178" + "10.222.6.52" ], - "rsa.internal.event_desc": "dolore", - "rsa.internal.messageid": "23", + "rsa.internal.event_desc": "mqu", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "microsoft", - "source.address": "vitaed4959.example", + "source.address": "veleu2874.www5.localhost", "source.ip": [ - "10.84.32.178" + "10.222.6.52" ], - "source.mac": "01:00:5e:11:45:1e,itaedict", "tags": [ "microsoft.dhcp", "forwarded" 
@@ -3011,29 +2945,29 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "55", + "event.code": "ID", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example ,01:00:5e:01:2f:7d", + "event.original": "%MSDHCP-7704-ID: ID,12/14/19,7:24:31,quovolu,10.218.41.80,nemul5083.api.localdomain,01:00:5e:52:c7:67", "fileset.name": "dhcp", - "host.hostname": "boreetdo1725.example", + "host.hostname": "nemul5083.api.localdomain", "input.type": "log", - "log.offset": 11268, + "log.offset": 10856, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.ip": [ - "10.72.196.74" + "10.218.41.80" ], - "rsa.internal.event_desc": "ruredo", - "rsa.internal.messageid": "55", + "rsa.internal.event_desc": "quovolu", + "rsa.internal.messageid": "ID", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "microsoft", - "source.address": "boreetdo1725.example", + "source.address": "nemul5083.api.localdomain", "source.ip": [ - "10.72.196.74" + "10.218.41.80" ], - "source.mac": "01:00:5e:01:2f:7d", + "source.mac": "01:00:5e:52:c7:67", "tags": [ "microsoft.dhcp", "forwarded" From 4f80f24fa8b6b8631e54e8e681a7cff6d78b74cb Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Mon, 13 Jul 2020 19:54:49 +0200 Subject: [PATCH 17/19] Use file.name instead of http.response.body.content --- x-pack/filebeat/module/barracuda/README.md | 2 +- .../barracuda/waf/config/liblogparser.js | 4 +- x-pack/filebeat/module/bluecoat/README.md | 2 +- .../bluecoat/director/config/liblogparser.js | 4 +- .../module/cisco/nexus/config/liblogparser.js | 4 +- x-pack/filebeat/module/citrix/README.md | 2 +- .../citrix/virtualapps/config/liblogparser.js | 4 +- x-pack/filebeat/module/cylance/README.md | 2 +- .../cylance/protect/config/liblogparser.js | 4 +- x-pack/filebeat/module/f5/README.md | 2 +- .../module/f5/bigipapm/config/liblogparser.js | 4 +- .../bigipapm/test/generated.log-expected.json | 8 +- .../module/f5/firepass/config/liblogparser.js | 4 +- .../firepass/test/generated.log-expected.json | 12 +- .../clientendpoint/config/liblogparser.js | 4 +- .../test/generated.log-expected.json | 180 +++---- x-pack/filebeat/module/imperva/README.md | 2 +- .../securesphere/config/liblogparser.js | 4 +- .../test/generated.log-expected.json | 490 +++++++++--------- x-pack/filebeat/module/infoblox/README.md | 2 +- .../infoblox/nios/config/liblogparser.js | 4 +- x-pack/filebeat/module/juniper/README.md | 2 +- .../juniper/junos/config/liblogparser.js | 4 +- x-pack/filebeat/module/kaspersky/README.md | 2 +- .../kaspersky/av/config/liblogparser.js | 4 +- x-pack/filebeat/module/microsoft/README.md | 2 +- .../microsoft/dhcp/config/liblogparser.js | 4 +- x-pack/filebeat/module/netscout/README.md | 2 +- .../netscout/sightline/config/liblogparser.js | 4 +- .../test/generated.log-expected.json | 16 +- x-pack/filebeat/module/radware/README.md | 2 +- .../radware/defensepro/config/liblogparser.js | 4 +- x-pack/filebeat/module/rapid7/README.md | 2 +- .../rapid7/nexpose/config/liblogparser.js | 4 +- x-pack/filebeat/module/sonicwall/README.md | 2 +- .../sonicwall/firewall/config/liblogparser.js | 4 +- .../firewall/test/generated.log-expected.json | 64 +-- 
x-pack/filebeat/module/squid/README.md | 2 +- .../module/squid/log/config/liblogparser.js | 4 +- .../squid/log/test/access1.log-expected.json | 484 ++++++++--------- .../squid/log/test/access2.log-expected.json | 362 ++++++------- .../squid/log/test/access3.log-expected.json | 422 +++++++-------- .../squid/log/test/access4.log-expected.json | 478 ++++++++--------- x-pack/filebeat/module/tenable/README.md | 2 +- .../nessus_security/config/liblogparser.js | 4 +- x-pack/filebeat/module/tomcat/README.md | 2 +- .../module/tomcat/log/config/liblogparser.js | 4 +- .../log/test/generated.log-expected.json | 200 +++---- x-pack/filebeat/module/zscaler/README.md | 2 +- .../module/zscaler/zia/config/liblogparser.js | 4 +- .../zia/test/generated.log-expected.json | 396 +++++++------- .../zscaler/zia/test/test.log-expected.json | 4 +- 52 files changed, 1618 insertions(+), 1618 deletions(-)
diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md
index 0899263fd7e..57ada7880ce 100644
--- a/x-pack/filebeat/module/barracuda/README.md
+++ b/x-pack/filebeat/module/barracuda/README.md
@@ -3,5 +3,5 @@ This is a module for Barracuda Web Application Firewall logs. Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132
-at 2020-07-13 17:11:56.995389 +0000 UTC.
+at 2020-07-13 17:55:32.894932 +0000 UTC.
diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
+++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md
index aa7727fb180..815d89a2f72 100644
--- a/x-pack/filebeat/module/bluecoat/README.md
+++ b/x-pack/filebeat/module/bluecoat/README.md
@@ -3,5 +3,5 @@ This is a module for Blue Coat Director logs. Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0
-at 2020-07-13 17:11:58.975221 +0000 UTC.
+at 2020-07-13 17:55:34.664093 +0000 UTC.
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
+++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
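Review bot: The `webpage` line in the `@@ -1050` hunk now writes `file.name` with no comment saying why a web-page value belongs in a file field or how it interacts with the `filename` line in the `@@ -960` hunk, which writes the same field at `prio: 0`; nothing in either hunk states which prio value fld_prio prefers, so a reader cannot tell which source survives when a log carries both. A comment above the `webpage` entry, e.g. `// 'webpage' carries a file name in these RSA parsers; when both are present 'filename' (prio 0) is expected to win` (worded to match fld_prio's actual rule), would settle that. Anything that consumed `http.response.body.content` — detection rules, dashboards, saved searches — silently stops receiving data after this change, and the diffstat lists no changelog entry recording the field move, so it is worth documenting as a breaking field change. The same two hunks are repeated verbatim in the bluecoat/director, cisco/nexus, citrix/virtualapps, cylance/protect, f5/bigipapm, f5/firepass, fortinet/clientendpoint and imperva/securesphere copies of liblogparser.js (all the same blob), so the comment belongs in whatever source those copies are produced from rather than in each copy. The accompanying expected-JSON hunks only swap the element order of `related.ip` and `related.user` although no mapping for those fields changed, which suggests that order depends on iteration order elsewhere in the library; if the fixture comparison is order-sensitive, every mapping edit will churn those fixtures and sorting before comparison would be more robust.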
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
+++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md
index ee3fcffaa1b..1c8c3a2b2dc 100644
--- a/x-pack/filebeat/module/citrix/README.md
+++ b/x-pack/filebeat/module/citrix/README.md
@@ -3,5 +3,5 @@ This is a module for Citrix XenApp logs. Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79
-at 2020-07-13 17:12:00.034336 +0000 UTC.
+at 2020-07-13 17:55:35.817587 +0000 UTC.
diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
+++ b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md
index fb94459f763..64bd6cf1be2 100644
--- a/x-pack/filebeat/module/cylance/README.md
+++ b/x-pack/filebeat/module/cylance/README.md
@@ -3,5 +3,5 @@ This is a module for CylanceProtect logs. Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127
-at 2020-07-13 17:12:00.315005 +0000 UTC.
+at 2020-07-13 17:55:36.066402 +0000 UTC.
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
+++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md
index f9333a47cf5..37a9e5f20c3 100644
--- a/x-pack/filebeat/module/f5/README.md
+++ b/x-pack/filebeat/module/f5/README.md
@@ -3,5 +3,5 @@ This is a module for Big-IP Access Policy Manager logs. Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113
-at 2020-07-13 17:11:58.45876 +0000 UTC.
+at 2020-07-13 17:55:34.191415 +0000 UTC.
diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
+++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
index a638870f05e..b06452aca74 100644
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
@@ -364,8 +364,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.225.160.182", - "10.204.123.107" + "10.204.123.107", + "10.225.160.182" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib",
@@ -1556,8 +1556,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.187.64.126", - "10.47.99.72" + "10.47.99.72", + "10.187.64.126" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu",
diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
+++ b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
index 6c58cc63ba7..e783667b492 100644
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
@@ -405,8 +405,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.230.12.79", - "10.18.220.102" + "10.18.220.102", + "10.230.12.79" ], "rsa.db.index": "obeataev", "rsa.internal.messageid": "kernel",
@@ -835,8 +835,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.46.158.31", - "10.117.146.33" + "10.117.146.33", + "10.46.158.31" ], "rsa.db.index": "dun", "rsa.internal.messageid": "kernel",
@@ -2303,8 +2303,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.225.181.30", - "10.65.175.9" + "10.65.175.9", + "10.225.181.30" ], "rsa.db.index": "uia", "rsa.internal.messageid": "kernel",
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index f3c6950ccae..70dc501501d 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -22,8 +22,8 @@ "observer.vendor": "Fortinet", "process.pid": 7880, "related.ip": [ - "10.102.123.34", - "10.150.92.220" + "10.150.92.220", + "10.102.123.34" ], "related.user": [ "sumdo" @@ -307,8 +307,8 @@ "observer.vendor": "Fortinet", "process.pid": 2061, "related.ip": [ - "10.202.72.124", - "10.200.188.142" + "10.200.188.142", + "10.202.72.124" ], "related.user": [ "iusmodt" @@ -421,8 +421,8 @@ "observer.vendor": "Fortinet", "process.pid": 5037, "related.ip": [ - "10.198.136.50", - "10.66.108.11" + "10.66.108.11", + "10.198.136.50" ], "related.user": [ "uptatev" @@ -478,8 +478,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.69.20.77", - "10.178.244.31" + "10.178.244.31", + "10.69.20.77" ], "related.user": [ "umdolor" @@ -535,8 +535,8 @@ "observer.vendor": "Fortinet", "process.pid": 6096, "related.ip": [ - "10.203.5.162", - "10.54.231.100" + "10.54.231.100", + "10.203.5.162" ], "related.user": [ "umdolore" @@ -592,8 +592,8 @@ "observer.vendor": "Fortinet", "process.pid": 7307, "related.ip": [ - "10.136.252.240", - "10.65.83.160" + "10.65.83.160", + "10.136.252.240" ], "related.user": [ "ender" @@ -649,8 +649,8 @@ "observer.vendor": "Fortinet", "process.pid": 2703, "related.ip": [ - "10.57.40.29", - "10.210.213.18" + "10.210.213.18", + "10.57.40.29" ], "related.user": [ "onse" @@ -877,8 +877,8 @@ "observer.vendor": "Fortinet", "process.pid": 7183, "related.ip": [ - "10.76.72.111", - "10.70.95.74" + "10.70.95.74", + "10.76.72.111" ], "related.user": [ "ivelits" @@ -991,8 +991,8 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.ip": [ - "10.78.151.178", - "10.84.105.75" + "10.84.105.75", + "10.78.151.178" ], "related.user": [ "iquaUten" @@ -1048,8 +1048,8 @@ "observer.vendor": "Fortinet", "process.pid": 1531, "related.ip": [ - "10.25.192.202", - "10.135.233.146" + "10.135.233.146", + "10.25.192.202" ], "related.user": [ "emeumfu" 
@@ -1219,8 +1219,8 @@ "observer.vendor": "Fortinet", "process.pid": 5200, "related.ip": [ - "10.161.57.8", - "10.141.44.153" + "10.141.44.153", + "10.161.57.8" ], "related.user": [ "quisnos" @@ -1390,8 +1390,8 @@ "observer.vendor": "Fortinet", "process.pid": 2019, "related.ip": [ - "10.178.77.231", - "10.163.5.243" + "10.163.5.243", + "10.178.77.231" ], "related.user": [ "liquide" @@ -1447,8 +1447,8 @@ "observer.vendor": "Fortinet", "process.pid": 2493, "related.ip": [ - "10.177.194.18", - "10.221.89.228" + "10.221.89.228", + "10.177.194.18" ], "related.user": [ "aliquam" @@ -1618,8 +1618,8 @@ "observer.vendor": "Fortinet", "process.pid": 1156, "related.ip": [ - "10.14.211.43", - "10.130.14.60" + "10.130.14.60", + "10.14.211.43" ], "related.user": [ "litse" @@ -1789,8 +1789,8 @@ "observer.vendor": "Fortinet", "process.pid": 3470, "related.ip": [ - "10.27.14.168", - "10.66.2.232" + "10.66.2.232", + "10.27.14.168" ], "related.user": [ "uirati" @@ -1846,8 +1846,8 @@ "observer.vendor": "Fortinet", "process.pid": 6932, "related.ip": [ - "10.195.2.130", - "10.75.99.127" + "10.75.99.127", + "10.195.2.130" ], "related.user": [ "inibusB" @@ -2074,8 +2074,8 @@ "observer.vendor": "Fortinet", "process.pid": 1693, "related.ip": [ - "10.255.39.252", - "10.113.95.59" + "10.113.95.59", + "10.255.39.252" ], "related.user": [ "persp" @@ -2188,8 +2188,8 @@ "observer.vendor": "Fortinet", "process.pid": 7041, "related.ip": [ - "10.167.227.44", - "10.38.54.72" + "10.38.54.72", + "10.167.227.44" ], "related.user": [ "riamea" @@ -2245,8 +2245,8 @@ "observer.vendor": "Fortinet", "process.pid": 3854, "related.ip": [ - "10.215.205.216", - "10.216.54.184" + "10.216.54.184", + "10.215.205.216" ], "related.user": [ "ameiusm" @@ -2416,8 +2416,8 @@ "observer.vendor": "Fortinet", "process.pid": 4253, "related.ip": [ - "10.80.152.108", - "10.175.112.197" + "10.175.112.197", + "10.80.152.108" ], "related.user": [ "tametcon" 
@@ -2587,8 +2587,8 @@ "observer.vendor": "Fortinet", "process.pid": 4469, "related.ip": [ - "10.47.28.48", - "10.110.114.175" + "10.110.114.175", + "10.47.28.48" ], "related.user": [ "plicab" @@ -2701,8 +2701,8 @@ "observer.vendor": "Fortinet", "process.pid": 3624, "related.ip": [ - "10.227.173.252", - "10.65.2.106" + "10.65.2.106", + "10.227.173.252" ], "related.user": [ "itation" @@ -2758,8 +2758,8 @@ "observer.vendor": "Fortinet", "process.pid": 1609, "related.ip": [ - "10.28.84.106", - "10.193.233.229" + "10.193.233.229", + "10.28.84.106" ], "related.user": [ "tla" @@ -2815,8 +2815,8 @@ "observer.vendor": "Fortinet", "process.pid": 6248, "related.ip": [ - "10.210.89.183", - "10.150.245.88" + "10.150.245.88", + "10.210.89.183" ], "related.user": [ "sequa" @@ -2872,8 +2872,8 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.ip": [ - "10.180.195.43", - "10.85.185.13" + "10.85.185.13", + "10.180.195.43" ], "related.user": [ "voluptas" @@ -3100,8 +3100,8 @@ "observer.vendor": "Fortinet", "process.pid": 276, "related.ip": [ - "10.50.233.155", - "10.60.142.127" + "10.60.142.127", + "10.50.233.155" ], "related.user": [ "atv" @@ -3157,8 +3157,8 @@ "observer.vendor": "Fortinet", "process.pid": 2452, "related.ip": [ - "10.28.82.189", - "10.120.10.211" + "10.120.10.211", + "10.28.82.189" ], "related.user": [ "rcit" @@ -3442,8 +3442,8 @@ "observer.vendor": "Fortinet", "process.pid": 1586, "related.ip": [ - "10.123.199.198", - "10.17.87.79" + "10.17.87.79", + "10.123.199.198" ], "related.user": [ "ratvolu" @@ -3499,8 +3499,8 @@ "observer.vendor": "Fortinet", "process.pid": 5137, "related.ip": [ - "10.38.86.177", - "10.115.68.40" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ "mpo" @@ -3613,8 +3613,8 @@ "observer.vendor": "Fortinet", "process.pid": 2310, "related.ip": [ - "10.37.128.49", - "10.77.77.208" + "10.77.77.208", + "10.37.128.49" ], "related.user": [ "moles" 
@@ -3670,8 +3670,8 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.ip": [ - "10.54.73.158", - "10.1.96.93" + "10.1.96.93", + "10.54.73.158" ], "related.user": [ "lloinven" @@ -3955,8 +3955,8 @@ "observer.vendor": "Fortinet", "process.pid": 1710, "related.ip": [ - "10.34.131.224", - "10.196.96.162" + "10.196.96.162", + "10.34.131.224" ], "related.user": [ "tnonproi" @@ -4012,8 +4012,8 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.ip": [ - "10.77.78.180", - "10.97.236.123" + "10.97.236.123", + "10.77.78.180" ], "related.user": [ "nisi" @@ -4240,8 +4240,8 @@ "observer.vendor": "Fortinet", "process.pid": 487, "related.ip": [ - "10.195.223.82", - "10.76.122.196" + "10.76.122.196", + "10.195.223.82" ], "related.user": [ "umiurer" @@ -4354,8 +4354,8 @@ "observer.vendor": "Fortinet", "process.pid": 6311, "related.ip": [ - "10.219.1.151", - "10.250.81.189" + "10.250.81.189", + "10.219.1.151" ], "related.user": [ "ori" @@ -4411,8 +4411,8 @@ "observer.vendor": "Fortinet", "process.pid": 7128, "related.ip": [ - "10.76.125.70", - "10.54.23.133" + "10.54.23.133", + "10.76.125.70" ], "related.user": [ "oloreeu" @@ -4696,8 +4696,8 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.ip": [ - "10.208.18.210", - "10.30.246.132" + "10.30.246.132", + "10.208.18.210" ], "related.user": [ "veniam" @@ -4753,8 +4753,8 @@ "observer.vendor": "Fortinet", "process.pid": 4337, "related.ip": [ - "10.19.119.17", - "10.106.249.91" + "10.106.249.91", + "10.19.119.17" ], "related.user": [ "lit" @@ -4867,8 +4867,8 @@ "observer.vendor": "Fortinet", "process.pid": 2286, "related.ip": [ - "10.164.120.197", - "10.164.207.42" + "10.164.207.42", + "10.164.120.197" ], "related.user": [ "pta" @@ -4924,8 +4924,8 @@ "observer.vendor": "Fortinet", "process.pid": 2990, "related.ip": [ - "10.183.189.133", - "10.154.191.225" + "10.154.191.225", + "10.183.189.133" ], "related.user": [ "ita" 
@@ -5095,8 +5095,8 @@ "observer.vendor": "Fortinet", "process.pid": 5647, "related.ip": [ - "10.126.245.73", - "10.91.2.135" + "10.91.2.135", + "10.126.245.73" ], "related.user": [ "olore" @@ -5266,8 +5266,8 @@ "observer.vendor": "Fortinet", "process.pid": 3141, "related.ip": [ - "10.125.143.153", - "10.79.73.195" + "10.79.73.195", + "10.125.143.153" ], "related.user": [ "emip" @@ -5437,8 +5437,8 @@ "observer.vendor": "Fortinet", "process.pid": 4855, "related.ip": [ - "10.143.53.214", - "10.87.144.208" + "10.87.144.208", + "10.143.53.214" ], "related.user": [ "psumq" @@ -5551,8 +5551,8 @@ "observer.vendor": "Fortinet", "process.pid": 4493, "related.ip": [ - "10.194.67.223", - "10.161.64.168" + "10.161.64.168", + "10.194.67.223" ], "related.user": [ "tion" @@ -5665,8 +5665,8 @@ "observer.vendor": "Fortinet", "process.pid": 5012, "related.ip": [ - "10.116.153.19", - "10.180.90.112" + "10.180.90.112", + "10.116.153.19" ], "related.user": [ "itessequ" diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md index 558c6079442..b19deeb6e09 100644 --- a/x-pack/filebeat/module/imperva/README.md +++ b/x-pack/filebeat/module/imperva/README.md @@ -3,5 +3,5 @@ This is a module for Imperva SecureSphere logs. Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-13 17:12:01.207328 +0000 UTC. +at 2020-07-13 17:55:36.873349 +0000 UTC. diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js +++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index be59ef88af7..4ab905ff64f 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -20,8 +20,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.70.155.35", - "10.81.122.126" + "10.81.122.126", + "10.70.155.35" ], "related.user": [ "magn", @@ -110,9 +110,9 @@ "10.159.182.171" ], "related.user": [ - "uradi", "qua", - "temUten" + "temUten", + "uradi" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -161,8 +161,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.124.28", - "10.232.27.250" + "10.232.27.250", + "10.18.124.28" ], "related.user": [ "mquidol", 
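Review bot: The `webpage` entry in the second hunk of this file no longer populates `http.response.body.content` at all and instead competes with `filename` for `file.name` through `fld_prio`, but nothing in the hunk records why or which value is expected to win when both are present; a one-line comment above the two entries would help, e.g. `// file.name: "filename" (prio 0) is preferred over "webpage" (prio 1) — see fld_prio`, assuming fld_prio treats the lower prio as higher precedence (that helper is outside the hunk, so please confirm). Anything downstream that reads `http.response.body.content` from these modules (saved searches, visualizations, detection rules) silently loses the field, so this looks like a behaviour change worth a changelog entry unless one exists elsewhere in the patch. The same two-line change is repeated verbatim in the `liblogparser.js` copies for infoblox, juniper, kaspersky, microsoft/dhcp, netscout, radware and rapid7 further down, which suggests a single shared source; the explanatory comment belongs there rather than in each copy. The `ecs_mappings` literal begins before the first hunk.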
@@ -226,17 +226,17 @@ "10.6.137.200" ], "related.user": [ - "intoc", + "oluptas", "occae", - "oluptas" + "intoc" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", "rsa.internal.event_desc": "snostrud", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "dol" + "dol", + "cancel" ], "rsa.misc.category": "nama", "rsa.misc.disposition": "quisnos", @@ -288,13 +288,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.36.194.106", - "10.179.124.125" + "10.179.124.125", + "10.36.194.106" ], "related.user": [ - "ncidid", "acommod", - "reme" + "reme", + "ncidid" ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", @@ -411,8 +411,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.112.250.193", - "10.214.191.180" + "10.214.191.180", + "10.112.250.193" ], "related.user": [ "ipsumdol", @@ -469,13 +469,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.251.20.13", - "10.192.34.76" + "10.192.34.76", + "10.251.20.13" ], "related.user": [ - "ovol", "iquipe", - "tnonpro" + "tnonpro", + "ovol" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -524,13 +524,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.59.138.212", - "10.74.105.218" + "10.74.105.218", + "10.59.138.212" ], "related.user": [ "archite", - "boree", - "idunt" + "idunt", + "boree" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -587,8 +587,8 @@ "10.230.173.4" ], "related.user": [ - "inci", "isnostr", + "inci", "atemq" ], "rsa.counters.dclass_c1": 6135, @@ -646,9 +646,9 @@ "10.49.167.57" ], "related.user": [ + "ccaeca", "sau", - "tali", - "ccaeca" + "tali" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -707,9 +707,9 @@ "10.216.125.252" ], "related.user": [ - "dolore", "lorsita", - "llamco" + "llamco", + "dolore" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", @@ -775,8 +775,8 @@ ], "related.user": [ "paquioff", - "rum", - "nci" + "nci", + "rum" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", @@ -837,9 +837,9 @@ "10.34.148.166" ], "related.user": [ - "untutlab", + "miu", "icabo", - "miu" + "untutlab" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -888,13 +888,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.226.101.180", - "10.134.5.40" + "10.134.5.40", + "10.226.101.180" ], "related.user": [ "siu", - "licabo", - "conse" + "conse", + "licabo" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -947,13 +947,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.30.98.10", - "10.126.26.131" + "10.126.26.131", + "10.30.98.10" ], "related.user": [ - "velite", + "dipisci", "olori", - "dipisci" + "velite" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1010,8 +1010,8 @@ "10.190.10.219" ], "related.user": [ - "accusant", "item", + "accusant", "quamnih" ], "rsa.counters.dclass_c1": 3278, @@ -1097,9 +1097,9 @@ "10.100.98.56" ], "related.user": [ + "proident", "ritati", - "boru", - "proident" + "boru" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1152,8 +1152,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.82.28.220", - "10.197.6.245" + "10.197.6.245", + "10.82.28.220" ], "related.user": [ "aecatcup", 
@@ -1211,13 +1211,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.6.27.103", - "10.167.252.183" + "10.167.252.183", + "10.6.27.103" ], "related.user": [ + "redol", "asnu", - "ationul", - "redol" + "ationul" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1272,13 +1272,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.88.45.111", - "10.81.184.7" + "10.81.184.7", + "10.88.45.111" ], "related.user": [ - "lmole", "iameaque", - "undeomni" + "undeomni", + "lmole" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", @@ -1341,9 +1341,9 @@ "10.29.119.245" ], "related.user": [ - "edolorin", + "scipitl", "taliqui", - "scipitl" + "edolorin" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1402,8 +1402,8 @@ "10.110.133.7" ], "related.user": [ - "pta", "etconsec", + "pta", "caboNem" ], "rsa.counters.event_counter": 5347, @@ -1411,8 +1411,8 @@ "rsa.internal.event_desc": "liquid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "vitaed" + "vitaed", + "allow" ], "rsa.misc.category": "enim", "rsa.misc.disposition": "Finibus", @@ -1463,13 +1463,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.182.152.242", - "10.105.190.170" + "10.105.190.170", + "10.182.152.242" ], "related.user": [ + "litan", "mquisn", - "doeiu", - "litan" + "doeiu" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1528,9 +1528,9 @@ "10.123.166.197" ], "related.user": [ + "liquam", "emUte", - "min", - "liquam" + "min" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1588,12 +1588,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.72.75.207", - "10.201.168.116" + "10.201.168.116", + "10.72.75.207" ], "related.user": [ - "eufug", "urau", + "eufug", "eFini" ], "rsa.counters.dclass_c1": 3348, 
@@ -1647,13 +1647,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.58.133.175", - "10.9.46.123" + "10.9.46.123", + "10.58.133.175" ], "related.user": [ - "oco", "nde", - "mfu" + "mfu", + "oco" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1706,13 +1706,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.169.50.59", - "10.70.29.203" + "10.70.29.203", + "10.169.50.59" ], "related.user": [ "pta", - "mquisnos", - "veniamq" + "veniamq", + "mquisnos" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1765,12 +1765,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.165.182.111", - "10.137.85.123" + "10.137.85.123", + "10.165.182.111" ], "related.user": [ - "sis", "ames", + "sis", "Bonorum" ], "rsa.counters.dclass_c1": 6401, @@ -1854,12 +1854,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.64.184.196", - "10.173.178.109" + "10.173.178.109", + "10.64.184.196" ], "related.user": [ - "tam", "uian", + "tam", "nesci" ], "rsa.counters.event_counter": 4493, @@ -1867,8 +1867,8 @@ "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "lamco", - "block" + "block", + "lamco" ], "rsa.misc.category": "enia", "rsa.misc.disposition": "iavol", @@ -1923,9 +1923,9 @@ "10.90.50.149" ], "related.user": [ + "aUtenima", "olupta", - "olu", - "aUtenima" + "olu" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1978,13 +1978,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.150.82", - "10.59.182.36" + "10.59.182.36", + "10.18.150.82" ], "related.user": [ + "mtota", "qua", - "luptat", - "mtota" + "luptat" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2064,13 +2064,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.151.240.35", - "10.228.229.144" + "10.228.229.144", + "10.151.240.35" ], "related.user": [ "lam", - "ama", - "ametcons" + "ametcons", + "ama" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2119,8 +2119,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.147.142.242", - "10.242.48.203" + "10.242.48.203", + "10.147.142.242" ], "related.user": [ "quisn", @@ -2184,9 +2184,9 @@ "10.254.10.98" ], "related.user": [ - "eufugia", + "ttenb", "civeli", - "ttenb" + "eufugia" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", @@ -2275,13 +2275,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.169.28.157", - "10.116.1.130" + "10.116.1.130", + "10.169.28.157" ], "related.user": [ - "amco", "reseo", - "eturadip" + "eturadip", + "amco" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", @@ -2344,9 +2344,9 @@ "10.29.138.31" ], "related.user": [ - "tsunt", + "volupta", "umq", - "volupta" + "tsunt" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2404,8 +2404,8 @@ ], "related.user": [ "ptatev", - "itationu", - "velillum" + "velillum", + "itationu" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2490,9 +2490,9 @@ "10.248.102.129" ], "related.user": [ + "ulapari", "inimv", - "mremaper", - "ulapari" + "mremaper" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2545,12 +2545,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.109.230.216", - "10.203.164.132" + "10.203.164.132", + "10.109.230.216" ], "related.user": [ - "ibus", "ectobea", + "ibus", "mporin" ], "rsa.counters.dclass_c1": 547, 
@@ -2663,13 +2663,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.45.152.205", - "10.224.217.153" + "10.224.217.153", + "10.45.152.205" ], "related.user": [ - "imav", "utlabo", - "eriti" + "eriti", + "imav" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2723,12 +2723,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.1.193.187", - "10.60.164.100" + "10.60.164.100", + "10.1.193.187" ], "related.user": [ - "ugi", "adipis", + "ugi", "hite" ], "rsa.counters.event_counter": 508, @@ -2787,13 +2787,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.244.203", - "10.146.228.234" + "10.146.228.234", + "10.248.244.203" ], "related.user": [ + "mquamei", "eiusm", - "sum", - "mquamei" + "sum" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2842,13 +2842,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.121.152", - "10.122.127.237" + "10.122.127.237", + "10.86.121.152" ], "related.user": [ + "nimv", "ine", - "consecte", - "nimv" + "consecte" ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2905,8 +2905,8 @@ "10.201.223.119" ], "related.user": [ - "teni", "rcit", + "teni", "tuserror" ], "rsa.counters.dclass_c1": 4113, @@ -2964,9 +2964,9 @@ "10.200.12.126" ], "related.user": [ + "Nequepo", "elitsedd", - "magnido", - "Nequepo" + "magnido" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3021,12 +3021,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.65.225.101", - "10.94.89.177" + "10.94.89.177", + "10.65.225.101" ], "related.user": [ - "tuserror", "citation", + "tuserror", "emquel" ], "rsa.counters.event_counter": 2513, 
@@ -3034,8 +3034,8 @@ "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "eruntmol", - "cancel" + "cancel", + "eruntmol" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3085,12 +3085,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.191.184.105", - "10.65.174.196" + "10.65.174.196", + "10.191.184.105" ], "related.user": [ - "iin", "tione", + "iin", "uta" ], "rsa.counters.dclass_c1": 5836, @@ -3142,21 +3142,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.41.181.179", - "10.224.148.48" + "10.224.148.48", + "10.41.181.179" ], "related.user": [ - "iosamn", + "equepor", "niam", - "equepor" + "iosamn" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "rumwr" + "rumwr", + "deny" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3211,8 +3211,8 @@ "10.21.208.103" ], "related.user": [ - "imidest", "ostr", + "imidest", "mipsa" ], "rsa.counters.dclass_c1": 7766, @@ -3266,13 +3266,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.23.6.216", - "10.221.192.116" + "10.221.192.116", + "10.23.6.216" ], "related.user": [ "iarchit", - "iamquisn", - "tevelite" + "tevelite", + "iamquisn" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3332,8 +3332,8 @@ ], "related.user": [ "modtempo", - "animide", - "nofde" + "nofde", + "animide" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", 
@@ -3393,21 +3393,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.178.79.217", - "10.111.22.134" + "10.111.22.134", + "10.178.79.217" ], "related.user": [ + "ccusan", "inibusBo", - "tqui", - "ccusan" + "tqui" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "orisnis", - "deny" + "deny", + "orisnis" ], "rsa.misc.category": "sitas", "rsa.misc.disposition": "eni", @@ -3461,8 +3461,8 @@ "10.77.86.215" ], "related.user": [ - "rcit", "meaqu", + "rcit", "xerc" ], "rsa.counters.dclass_c1": 7286, @@ -3519,9 +3519,9 @@ "10.211.161.187" ], "related.user": [ - "acons", + "sci", "boriosa", - "sci" + "acons" ], "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3569,13 +3569,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.160.147.230", - "10.254.198.47" + "10.254.198.47", + "10.160.147.230" ], "related.user": [ "illoin", - "ndeomnis", - "nimvenia" + "nimvenia", + "ndeomnis" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3624,13 +3624,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.40.24.93", - "10.182.197.243" + "10.182.197.243", + "10.40.24.93" ], "related.user": [ - "mSecti", + "orisnis", "exerci", - "orisnis" + "mSecti" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3683,8 +3683,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.108.130.106", - "10.249.13.159" + "10.249.13.159", + "10.108.130.106" ], "related.user": [ "colab", @@ -3748,9 +3748,9 @@ "10.64.94.174" ], "related.user": [ - "estiae", "iunt", - "Sedut" + "Sedut", + "estiae" ], "rsa.counters.event_counter": 7128, "rsa.db.database": "eFinibu", 
@@ -3864,13 +3864,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.115.203.143", - "10.134.135.22" + "10.134.135.22", + "10.115.203.143" ], "related.user": [ - "involu", "orpori", - "utoditau" + "utoditau", + "involu" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3923,13 +3923,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.251.212.166", - "10.43.244.252" + "10.43.244.252", + "10.251.212.166" ], "related.user": [ - "inculp", "uptat", - "gnido" + "gnido", + "inculp" ], "rsa.counters.dclass_c1": 6947, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4010,13 +4010,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.20.231.188", - "10.88.189.164" + "10.88.189.164", + "10.20.231.188" ], "related.user": [ "mqu", - "tesseq", - "uatDuisa" + "uatDuisa", + "tesseq" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4101,9 +4101,9 @@ "10.225.11.197" ], "related.user": [ - "rehe", "volu", - "ineavol" + "ineavol", + "rehe" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4154,13 +4154,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.148.3.197", - "10.106.166.105" + "10.106.166.105", + "10.148.3.197" ], "related.user": [ - "usa", "avolup", - "olupt" + "olupt", + "usa" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4213,8 +4213,8 @@ "10.172.121.239" ], "related.user": [ - "ctas", "iuta", + "ctas", "ipsu" ], "rsa.counters.dclass_c1": 392, @@ -4268,8 +4268,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.42.218.103", - "10.129.234.200" + "10.129.234.200", + "10.42.218.103" ], "related.user": [ "tevelit", 
@@ -4331,9 +4331,9 @@ "10.76.121.224" ], "related.user": [ - "oloremi", + "ali", "scive", - "ali" + "oloremi" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4390,8 +4390,8 @@ "10.195.8.141" ], "related.user": [ - "enimip", "ota", + "enimip", "dolo" ], "rsa.counters.dclass_c1": 469, @@ -4445,13 +4445,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.13.179", - "10.179.60.167" + "10.179.60.167", + "10.173.13.179" ], "related.user": [ + "ptasn", "apar", - "isn", - "ptasn" + "isn" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4504,8 +4504,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.178.190.123", - "10.42.135.34" + "10.42.135.34", + "10.178.190.123" ], "related.user": [ "ore", @@ -4595,9 +4595,9 @@ "10.8.147.176" ], "related.user": [ + "incididu", "Loremips", - "aUteni", - "incididu" + "aUteni" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4704,13 +4704,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.253.127.130", - "10.86.180.150" + "10.86.180.150", + "10.253.127.130" ], "related.user": [ "mnisis", - "etconsec", - "itasper" + "itasper", + "etconsec" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4777,8 +4777,8 @@ "rsa.internal.event_desc": "enima", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "atisu" + "atisu", + "allow" ], "rsa.misc.category": "emseq", "rsa.misc.disposition": "osamni", @@ -4915,12 +4915,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.146.131.76", - "10.173.19.140" + "10.173.19.140", + "10.146.131.76" ], "related.user": [ - "olo", "Except", + "olo", "orsi" ], "rsa.counters.dclass_c1": 5844, @@ -4977,8 +4977,8 @@ "10.171.175.165" ], "related.user": [ - "ntocc", "rumw", + "ntocc", "doloreme" ], "rsa.counters.dclass_c1": 5201, 
@@ -5032,8 +5032,8 @@ "10.253.175.129" ], "related.user": [ - "epteurs", "nrep", + "epteurs", "ate" ], "rsa.counters.dclass_c1": 6260, @@ -5089,13 +5089,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.89.26.170", - "10.149.91.130" + "10.149.91.130", + "10.89.26.170" ], "related.user": [ + "aboris", "atus", - "orumetMa", - "aboris" + "orumetMa" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", @@ -5155,12 +5155,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.52.106.68", - "10.81.108.232" + "10.81.108.232", + "10.52.106.68" ], "related.user": [ - "neavolup", "aco", + "neavolup", "uaturve" ], "rsa.counters.event_counter": 5098, @@ -5226,9 +5226,9 @@ "10.230.48.97" ], "related.user": [ + "erit", "untex", - "usmodte", - "erit" + "usmodte" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5287,8 +5287,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.161.212.150", - "10.115.42.231" + "10.115.42.231", + "10.161.212.150" ], "related.user": [ "tasnul", @@ -5348,21 +5348,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.226.75.20", - "10.247.108.144" + "10.247.108.144", + "10.226.75.20" ], "related.user": [ - "maccusan", "fugia", - "tema" + "tema", + "maccusan" ], "rsa.counters.event_counter": 3711, "rsa.db.database": "psa", "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "iat", - "block" + "block", + "iat" ], "rsa.misc.category": "officia", "rsa.misc.disposition": "ametcon", @@ -5416,9 +5416,9 @@ "10.97.22.61" ], "related.user": [ - "illumd", + "rExcep", "nimides", - "rExcep" + "illumd" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -5473,17 +5473,17 @@ "10.197.254.133" ], "related.user": [ - "idu", + "ide", "trudex", - "ide" + "idu" ], "rsa.counters.event_counter": 2608, "rsa.db.database": "ncul", "rsa.internal.event_desc": "ritat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "quid" + "quid", + "cancel" ], "rsa.misc.category": "dipi", "rsa.misc.disposition": "asnulapa", @@ -5533,13 +5533,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.144.14.15", - "10.28.77.79" + "10.28.77.79", + "10.144.14.15" ], "related.user": [ + "rspic", "utlab", - "upta", - "rspic" + "upta" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5591,13 +5591,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.177.182", - "10.18.15.43" + "10.18.15.43", + "10.248.177.182" ], "related.user": [ + "quei", "quaturve", - "caecat", - "quei" + "caecat" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md index 79e1ddc66ef..70331a42101 100644 --- a/x-pack/filebeat/module/infoblox/README.md +++ b/x-pack/filebeat/module/infoblox/README.md @@ -3,5 +3,5 @@ This is a module for Infoblox NIOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-07-13 17:12:01.672206 +0000 UTC. +at 2020-07-13 17:55:37.264156 +0000 UTC. diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js +++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md index ba28336f27b..677bfacd448 100644 --- a/x-pack/filebeat/module/juniper/README.md +++ b/x-pack/filebeat/module/juniper/README.md @@ -3,5 +3,5 @@ This is a module for Juniper JUNOS logs. Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 -at 2020-07-13 17:12:02.433653 +0000 UTC. +at 2020-07-13 17:55:37.979403 +0000 UTC. diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js +++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md index 9a0179648de..005ced11763 100644 --- a/x-pack/filebeat/module/kaspersky/README.md +++ b/x-pack/filebeat/module/kaspersky/README.md @@ -3,5 +3,5 @@ This is a module for Kaspersky Anti-Virus logs. Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-13 17:12:03.3951 +0000 UTC. +at 2020-07-13 17:55:38.911054 +0000 UTC. diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js +++ b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md index 28097b09093..1531abe3c91 100644 --- a/x-pack/filebeat/module/microsoft/README.md +++ b/x-pack/filebeat/module/microsoft/README.md @@ -3,5 +3,5 @@ This is a module for Microsoft DHCP logs. Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99 -at 2020-07-13 17:12:03.76582 +0000 UTC. +at 2020-07-13 17:55:39.223135 +0000 UTC. diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md index 40e66db6287..dd92af09187 100644 --- a/x-pack/filebeat/module/netscout/README.md +++ b/x-pack/filebeat/module/netscout/README.md @@ -3,5 +3,5 @@ This is a module for Arbor Peakflow SP logs. Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-13 17:11:56.553557 +0000 UTC. +at 2020-07-13 17:55:32.50797 +0000 UTC. diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js +++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 5ca19dc08b5..a6bd506ffea 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -1194,8 +1194,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.97.164.220", - "10.128.31.83" + "10.128.31.83", + "10.97.164.220" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "aera", @@ -1234,8 +1234,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.83.23.104", - "10.163.161.165" + "10.163.161.165", + "10.83.23.104" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", 
@@ -1815,8 +1815,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.216.83.142", - "10.224.198.212" + "10.224.198.212", + "10.216.83.142" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "utodita", @@ -1855,8 +1855,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.122.76.148", - "10.28.226.128" + "10.28.226.128", + "10.122.76.148" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md index 6dfe9e19bef..d85f315d23f 100644 --- a/x-pack/filebeat/module/radware/README.md +++ b/x-pack/filebeat/module/radware/README.md @@ -3,5 +3,5 @@ This is a module for Radware DefensePro logs. Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-13 17:12:06.083221 +0000 UTC. +at 2020-07-13 17:55:41.342523 +0000 UTC. diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js +++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js @@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, 
@@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md index 64d0e632596..4de9f128593 100644 --- a/x-pack/filebeat/module/rapid7/README.md +++ b/x-pack/filebeat/module/rapid7/README.md @@ -3,5 +3,5 @@ This is a module for Rapid7 NeXpose logs. Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-13 17:12:05.404155 +0000 UTC. +at 2020-07-13 17:55:40.743386 +0000 UTC. diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js +++ b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js @@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, 
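Review bot: Removing `http.response.body.content` as the target of `webpage` is a field-level breaking change for anyone querying these modules: every `http.response.body.content` line in the squid fixture later in this series becomes `file.name`, so saved searches, visualizations and detection rules keyed on the old field stop matching after an upgrade. The remapping itself looks correct, since the values were never response bodies, but it deserves a breaking-change entry in the changelog and a line in the module docs, neither of which is visible in this view (they may be in a patch outside it). If a transition period is wanted, the `to` array form suggests both targets could be emitted for one release, e.g. `"webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}, {field: "http.response.body.content", setter: fld_set}]}`, assuming multiple targets are supported as the array shape implies.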
@@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md index da355eb9ff1..65bd2526ff1 100644 --- a/x-pack/filebeat/module/sonicwall/README.md +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -3,5 +3,5 @@ This is a module for Sonicwall-FW logs. Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 -at 2020-07-13 17:12:06.770947 +0000 UTC. +at 2020-07-13 17:55:41.955704 +0000 UTC. diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js @@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, 
@@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 8151dfe8288..6892f63bb1c 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -19,8 +19,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.49.111.67", - "10.92.136.230" + "10.92.136.230", + "10.49.111.67" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -81,9 +81,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.227.15.1", "10.149.203.46", - "10.150.156.22" + "10.150.156.22", + "10.227.15.1" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -167,8 +167,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.95.245.65", - "10.13.70.213" + "10.13.70.213", + "10.95.245.65" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -471,8 +471,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.151.178", - "10.157.161.103" + "10.157.161.103", + "10.78.151.178" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -504,8 +504,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.239.201.234", - "10.204.11.20" + "10.204.11.20", + "10.239.201.234" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", 
@@ -545,8 +545,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.34.161.166", - "10.245.200.97", - "10.219.116.137" + "10.219.116.137", + "10.245.200.97" ], "rsa.internal.event_desc": "rehend", "rsa.internal.messageid": "428", @@ -781,8 +781,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.135.187.104", - "10.237.163.139" + "10.237.163.139", + "10.135.187.104" ], "rsa.internal.messageid": "882", "rsa.internal.msg": "itatio", @@ -1208,8 +1208,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1268,8 +1268,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.64.229.79", - "10.187.201.250" + "10.187.201.250", + "10.64.229.79" ], "rsa.db.index": "rumwrit", "rsa.internal.messageid": "83", @@ -1421,8 +1421,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.108.84.24", - "10.251.248.228", - "10.113.100.237" + "10.113.100.237", + "10.251.248.228" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1635,8 +1635,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.102.166.19", - "10.104.49.142" + "10.104.49.142", + "10.102.166.19" ], "rsa.internal.messageid": "252", "rsa.internal.msg": "eprehend", @@ -1820,8 +1820,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.185.37.32", - "10.116.173.79" + "10.116.173.79", + "10.185.37.32" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -1852,8 +1852,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.85.98", - "10.219.42.212" + "10.219.42.212", + "10.57.85.98" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", 
@@ -2094,8 +2094,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.117.63.181", - "10.222.169.140" + "10.222.169.140", + "10.117.63.181" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2176,8 +2176,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.200.122.184", - "10.57.255.4" + "10.57.255.4", + "10.200.122.184" ], "rsa.identity.user_sid_dst": "sBon", "rsa.internal.event_desc": "fic", @@ -2236,8 +2236,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.206.229.61", - "10.129.101.147" + "10.129.101.147", + "10.206.229.61" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md index 00219a1f06b..6956555b2dd 100644 --- a/x-pack/filebeat/module/squid/README.md +++ b/x-pack/filebeat/module/squid/README.md @@ -3,5 +3,5 @@ This is a module for Squid logs. Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112 -at 2020-07-13 17:12:07.368404 +0000 UTC. +at 2020-07-13 17:55:42.446629 +0000 UTC. diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/squid/log/config/liblogparser.js +++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js 
@@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 0b4026cc818..5f0e879398a 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -138,8 +138,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", + "file.name": "styles.css", "fileset.name": "log", - "http.response.body.content": "styles.css", "input.type": "log", "log.offset": 240, "observer.product": "Proxy", 
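Review bot: The regenerated squid fixtures that follow this hunk flip the order of `related.ip` and `rsa.misc.action` in many events (for example `TCP_REFRESH_HIT, GET` becoming `GET, TCP_REFRESH_HIT`), which a change confined to the `filename`/`webpage` targets cannot explain, so the array-building code in liblogparser.js (outside this hunk) appears to iterate a set or object without a stable order. That makes every fixture regeneration a noisy diff and means any rule that relies on element position in `rsa.misc.action` is unreliable; sorting these arrays before emit, or making the test compare them order-insensitively, would fix both. Separately, the squid `file.name` values confirm the mapping: the parser already strips the query, so `http://as.casalemedia.com/s?` yields `s` and `.../yab/us?` yields `us`, and these single-token names are expected rather than a truncation bug.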
@@ -158,8 +158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -189,8 +189,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", + "file.name": "styles.css", "fileset.name": "log", - "http.response.body.content": "styles.css", "input.type": "log", "log.offset": 372, "observer.product": "Proxy", @@ -208,8 +208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -239,8 +239,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", + "file.name": "urchin.js", "fileset.name": "log", - "http.response.body.content": "urchin.js", "input.type": "log", "log.offset": 490, "observer.product": "Proxy", @@ -308,8 +308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -320,8 +320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -360,8 +360,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif", + "file.name": "__utm.gif", "fileset.name": "log", - "http.response.body.content": "__utm.gif", "input.type": "log", "log.offset": 745, "observer.product": "Proxy", @@ -423,8 +423,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "newslogo.gif", "fileset.name": "log", - "http.response.body.content": "newslogo.gif", "input.type": "log", "log.offset": 883, "observer.product": "Proxy", @@ -443,8 +443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -486,8 +486,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", + "file.name": "arsenal_shop_ad.jpg", "fileset.name": "log", - "http.response.body.content": "arsenal_shop_ad.jpg", "input.type": "log", "log.offset": 1026, "observer.product": "Proxy", @@ -549,8 +549,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "FUS.gif", "fileset.name": "log", - "http.response.body.content": "FUS.gif", "input.type": "log", "log.offset": 1172, "observer.product": "Proxy", 
@@ -600,8 +600,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", + "file.name": "FGB.gif", "fileset.name": "log", - "http.response.body.content": "FGB.gif", "input.type": "log", "log.offset": 1307, "observer.product": "Proxy", @@ -619,8 +619,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -662,8 +662,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html", + "file.name": "s", "fileset.name": "log", - "http.response.body.content": "s", "input.type": "log", "log.offset": 1429, "observer.product": "Proxy", @@ -778,16 +778,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", + "file.name": "992098", "fileset.name": "log", - "http.response.body.content": "992098", "input.type": "log", "log.offset": 1668, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "217.212.240.172" + "217.212.240.172", + "10.105.21.199" ], "related.user": [ "badeyek" 
@@ -841,16 +841,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/206.169.136.22 text/html", + "file.name": "text_group.php", "fileset.name": "log", - "http.response.body.content": "text_group.php", "input.type": "log", "log.offset": 1820, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -861,8 +861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -892,8 +892,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", + "file.name": "FFR.gif", "fileset.name": "log", - "http.response.body.content": "FFR.gif", "input.type": "log", "log.offset": 1958, "observer.product": "Proxy", @@ -911,8 +911,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -954,16 +954,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "FAU.gif", "fileset.name": "log", - "http.response.body.content": "FAU.gif", "input.type": "log", "log.offset": 2080, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1017,16 +1017,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "spacer.gif", "fileset.name": "log", - "http.response.body.content": "spacer.gif", "input.type": "log", "log.offset": 2215, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1037,8 +1037,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1075,16 +1075,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", + "file.name": "text_group.php", "fileset.name": "log", - "http.response.body.content": "text_group.php", "input.type": "log", "log.offset": 2356, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" ], "related.user": [ "badeyek" 
@@ -1095,8 +1095,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1138,8 +1138,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 -", + "file.name": "image", "fileset.name": "log", - "http.response.body.content": "image", "input.type": "log", "log.offset": 2494, "observer.product": "Proxy", @@ -1201,8 +1201,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif", + "file.name": "controller", "fileset.name": "log", - "http.response.body.content": "controller", "input.type": "log", "log.offset": 2633, "observer.product": "Proxy", @@ -1328,8 +1328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1359,8 +1359,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", + "file.name": "msgrcli7.html", "fileset.name": "log", - "http.response.body.content": "msgrcli7.html", "input.type": "log", "log.offset": 2986, "observer.product": "Proxy", @@ -1378,8 +1378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -1436,8 +1436,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1541,8 +1541,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", + "file.name": "homepage.css", "fileset.name": "log", - "http.response.body.content": "homepage.css", "input.type": "log", "log.offset": 3370, "observer.product": "Proxy", @@ -1561,8 +1561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1608,8 +1608,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1650,8 +1650,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", + "file.name": "read0600win_ENUadbe0000.xml", "fileset.name": "log", - "http.response.body.content": "read0600win_ENUadbe0000.xml", "input.type": "log", "log.offset": 3652, "observer.product": "Proxy", @@ -1700,8 +1700,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", + "file.name": "style.css", "fileset.name": "log", - "http.response.body.content": "style.css", "input.type": "log", "log.offset": 3798, "observer.product": "Proxy", 
@@ -1750,8 +1750,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", + "file.name": "buttons_en_us.css", "fileset.name": "log", - "http.response.body.content": "buttons_en_us.css", "input.type": "log", "log.offset": 3921, "observer.product": "Proxy", @@ -1874,16 +1874,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", + "file.name": "headernav.css", "fileset.name": "log", - "http.response.body.content": "headernav.css", "input.type": "log", "log.offset": 4173, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1952,8 +1952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2009,8 +2009,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -2049,16 +2049,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "playmessenger.asp", "fileset.name": "log", - "http.response.body.content": "playmessenger.asp", "input.type": "log", "log.offset": 4592, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2069,8 +2069,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2165,16 +2165,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml", + "file.name": "us", "fileset.name": "log", - "http.response.body.content": "us", "input.type": "log", "log.offset": 4901, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.191.93.51", - "10.105.33.214" + "10.105.33.214", + "209.191.93.51" ], "related.user": [ "adeolaegbedokun" 
@@ -2228,16 +2228,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", + "file.name": "rss20.xml", "fileset.name": "log", - "http.response.body.content": "rss20.xml", "input.type": "log", "log.offset": 5037, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "63.245.209.21", - "10.105.21.199" + "10.105.21.199", + "63.245.209.21" ], "related.user": [ "badeyek" @@ -2248,8 +2248,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2352,8 +2352,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2443,8 +2443,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "file.name": "appinstru.asp", "fileset.name": "log", - "http.response.body.content": "appinstru.asp", "input.type": "log", "log.offset": 5561, "observer.product": "Proxy", @@ -2461,8 +2461,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -2492,8 +2492,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "file.name": "appsync.asp", "fileset.name": "log", - "http.response.body.content": "appsync.asp", "input.type": "log", "log.offset": 5693, "observer.product": "Proxy", @@ -2598,8 +2598,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "btn_stations.gif", "fileset.name": "log", - "http.response.body.content": "btn_stations.gif", "input.type": "log", "log.offset": 5923, "observer.product": "Proxy", @@ -2666,8 +2666,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2706,16 +2706,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "btn_stations_over.gif", "fileset.name": "log", - "http.response.body.content": "btn_stations_over.gif", "input.type": "log", "log.offset": 6202, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2773,8 +2773,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -2784,8 +2784,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2824,16 +2824,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_left.gif", "fileset.name": "log", - "http.response.body.content": "bg_left.gif", "input.type": "log", "log.offset": 6529, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2844,8 +2844,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2884,8 +2884,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "launchcast_radio.gif", "fileset.name": "log", - "http.response.body.content": "launchcast_radio.gif", "input.type": "log", "log.offset": 6711, "observer.product": "Proxy", 
@@ -2935,8 +2935,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "file.name": "appinstru.asp", "fileset.name": "log", - "http.response.body.content": "appinstru.asp", "input.type": "log", "log.offset": 6894, "observer.product": "Proxy", @@ -2953,8 +2953,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2984,8 +2984,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "file.name": "appsync.asp", "fileset.name": "log", - "http.response.body.content": "appsync.asp", "input.type": "log", "log.offset": 7027, "observer.product": "Proxy", @@ -3002,8 +3002,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3042,8 +3042,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_right.gif", "fileset.name": "log", - "http.response.body.content": "bg_right.gif", "input.type": "log", "log.offset": 7158, "observer.product": "Proxy", 
@@ -3102,8 +3102,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_center.gif", "fileset.name": "log", - "http.response.body.content": "bg_center.gif", "input.type": "log", "log.offset": 7341, "observer.product": "Proxy", @@ -3122,8 +3122,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3162,16 +3162,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_controls_off.gif", "fileset.name": "log", - "http.response.body.content": "bg_controls_off.gif", "input.type": "log", "log.offset": 7525, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3182,8 +3182,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -3222,16 +3222,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "t.gif", "fileset.name": "log", - "http.response.body.content": "t.gif", "input.type": "log", "log.offset": 7715, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3273,8 +3273,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", + "file.name": "btn_off_state_station.gif", "fileset.name": "log", - "http.response.body.content": "btn_off_state_station.gif", "input.type": "log", "log.offset": 7891, "observer.product": "Proxy", @@ -3292,8 +3292,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3323,8 +3323,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", + "file.name": "bg_controls_fill.gif", "fileset.name": "log", - "http.response.body.content": "bg_controls_fill.gif", "input.type": "log", "log.offset": 8068, "observer.product": "Proxy", 
@@ -3373,8 +3373,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", + "file.name": "toolbar50x50.gif", "fileset.name": "log", - "http.response.body.content": "toolbar50x50.gif", "input.type": "log", "log.offset": 8248, "observer.product": "Proxy", @@ -3392,8 +3392,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3432,16 +3432,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", + "file.name": "rss.xml", "fileset.name": "log", - "http.response.body.content": "rss.xml", "input.type": "log", "log.offset": 8394, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -3452,8 +3452,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" + "TCP_REFRESH_MISS", + "GET" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3492,8 +3492,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", + "file.name": "beacon.php", "fileset.name": "log", - "http.response.body.content": "beacon.php", "input.type": "log", "log.offset": 8579, "observer.product": "Proxy", 
@@ -3512,8 +3512,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3543,8 +3543,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", + "file.name": "32457654.jpg", "fileset.name": "log", - "http.response.body.content": "32457654.jpg", "input.type": "log", "log.offset": 8733, "observer.product": "Proxy", @@ -3593,8 +3593,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", + "file.name": "thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", "fileset.name": "log", - "http.response.body.content": "thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", "input.type": "log", "log.offset": 8900, "observer.product": "Proxy", @@ -3612,8 +3612,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -3652,16 +3652,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "authplay.asp", "fileset.name": "log", - "http.response.body.content": "authplay.asp", "input.type": "log", "log.offset": 9113, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3714,8 +3714,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "file.name": "thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", "fileset.name": "log", - "http.response.body.content": "thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", "input.type": "log", "log.offset": 9274, "observer.product": "Proxy", @@ -3734,8 +3734,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -3774,16 +3774,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "file.name": "initstationfeed.asp", "fileset.name": "log", - "http.response.body.content": "initstationfeed.asp", "input.type": "log", "log.offset": 9504, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3834,16 +3834,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "file.name": "initstationfeed.asp", "fileset.name": "log", - "http.response.body.content": "initstationfeed.asp", "input.type": "log", "log.offset": 9677, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3894,8 +3894,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "authplay.asp", "fileset.name": "log", - "http.response.body.content": "authplay.asp", "input.type": "log", "log.offset": 9852, "observer.product": "Proxy", @@ -3914,8 +3914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -3945,8 +3945,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? - NONE/- text/html", + "file.name": "iesocks", "fileset.name": "log", - "http.response.body.content": "iesocks", "input.type": "log", "log.offset": 10013, "observer.product": "Proxy", @@ -3995,8 +3995,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html", + "file.name": "return", "fileset.name": "log", - "http.response.body.content": "return", "input.type": "log", "log.offset": 10131, "observer.product": "Proxy", @@ -4057,8 +4057,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "file.name": "thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", "fileset.name": "log", - "http.response.body.content": "thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", "input.type": "log", "log.offset": 10248, "observer.product": "Proxy", @@ -4077,8 +4077,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -4117,8 +4117,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "starter.asp", "fileset.name": "log", - "http.response.body.content": "starter.asp", "input.type": "log", "log.offset": 10482, "observer.product": "Proxy", @@ -4137,8 +4137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4177,16 +4177,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "default.asp", "fileset.name": "log", - "http.response.body.content": "default.asp", "input.type": "log", "log.offset": 10651, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4197,8 +4197,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -4240,8 +4240,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", + "file.name": "081106_lrec_msgr_interophitchhiker.swf", "fileset.name": "log", - "http.response.body.content": "081106_lrec_msgr_interophitchhiker.swf", "input.type": "log", "log.offset": 10813, "observer.product": "Proxy", @@ -4300,8 +4300,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "stickwall.asp", "fileset.name": "log", - "http.response.body.content": "stickwall.asp", "input.type": "log", "log.offset": 11035, "observer.product": "Proxy", @@ -4358,8 +4358,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? adeolaegbedokun DIRECT/68.142.213.132 image/gif", + "file.name": "b", "fileset.name": "log", - "http.response.body.content": "b", "input.type": "log", "log.offset": 11200, "observer.product": "Proxy", @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4416,16 +4416,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? adeolaegbedokun DIRECT/68.142.194.14 image/gif", + "file.name": "beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", "fileset.name": "log", - "http.response.body.content": "beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", "input.type": "log", "log.offset": 11331, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -4481,8 +4481,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.109.124.55" + "216.109.124.55", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4523,8 +4523,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", + "file.name": "rapiBridge_1_4.js", "fileset.name": "log", - "http.response.body.content": "rapiBridge_1_4.js", "input.type": "log", "log.offset": 11683, "observer.product": "Proxy", 
@@ -4585,8 +4585,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", + "file.name": "other.css", "fileset.name": "log", - "http.response.body.content": "other.css", "input.type": "log", "log.offset": 11922, "observer.product": "Proxy", @@ -4648,16 +4648,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_left.gif", "fileset.name": "log", - "http.response.body.content": "bg_left.gif", "input.type": "log", "log.offset": 12133, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4668,8 +4668,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4715,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -4726,8 +4726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -4769,16 +4769,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", + "file.name": "noaccess_msgr_uk.gif", "fileset.name": "log", - "http.response.body.content": "noaccess_msgr_uk.gif", "input.type": "log", "log.offset": 12476, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4789,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4832,8 +4832,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_right.gif", "fileset.name": "log", - "http.response.body.content": "bg_right.gif", "input.type": "log", "log.offset": 12706, "observer.product": "Proxy", @@ -4852,8 +4852,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -4883,8 +4883,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", + "file.name": "t.gif", "fileset.name": "log", - "http.response.body.content": "t.gif", "input.type": "log", "log.offset": 12936, "observer.product": "Proxy", @@ -4902,8 +4902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4945,16 +4945,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "file.name": "bg_controls_off.gif", "fileset.name": "log", - "http.response.body.content": "bg_controls_off.gif", "input.type": "log", "log.offset": 13147, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" 
@@ -5008,16 +5008,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_center.gif", "fileset.name": "log", - "http.response.body.content": "bg_center.gif", "input.type": "log", "log.offset": 13384, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5071,8 +5071,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "file.name": "bg_controls_fill.gif", "fileset.name": "log", - "http.response.body.content": "bg_controls_fill.gif", "input.type": "log", "log.offset": 13615, "observer.product": "Proxy", @@ -5122,8 +5122,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", + "file.name": "supported_domains", "fileset.name": "log", - "http.response.body.content": "supported_domains", "input.type": "log", "log.offset": 13853, "observer.product": "Proxy", @@ -5141,8 +5141,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -5172,8 +5172,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html", + "file.name": "chknews.asp", "fileset.name": "log", - "http.response.body.content": "chknews.asp", "input.type": "log", "log.offset": 13972, "observer.product": "Proxy", @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5229,16 +5229,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif", + "file.name": "l", "fileset.name": "log", - "http.response.body.content": "l", "input.type": "log", "log.offset": 14109, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.109.125.112", - "10.105.33.214" + "10.105.33.214", + "216.109.125.112" ], "related.user": [ "adeolaegbedokun" @@ -5249,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -5289,16 +5289,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? badeyek DIRECT/217.12.10.96 text/html", + "file.name": "launch", "fileset.name": "log", - "http.response.body.content": "launch", "input.type": "log", "log.offset": 14251, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "217.12.10.96", - "10.105.21.199" + "10.105.21.199", + "217.12.10.96" ], "related.user": [ "badeyek" @@ -5309,8 +5309,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -5400,8 +5400,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "file.name": "77cf3e56414f974dfd8616f56f0f632c_1.js", "fileset.name": "log", - "http.response.body.content": "77cf3e56414f974dfd8616f56f0f632c_1.js", "input.type": "log", "log.offset": 14491, "observer.product": "Proxy", @@ -5420,8 +5420,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_SWAPFAIL_MISS" + "TCP_SWAPFAIL_MISS", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
@@ -5451,8 +5451,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", + "file.name": "ygma5.css", "fileset.name": "log", - "http.response.body.content": "ygma5.css", "input.type": "log", "log.offset": 14714, "observer.product": "Proxy", @@ -5513,16 +5513,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "file.name": "f7fc76100697c9c2d25dd0ec35e563b0_1.js", "fileset.name": "log", - "http.response.body.content": "f7fc76100697c9c2d25dd0ec35e563b0_1.js", "input.type": "log", "log.offset": 14848, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5564,8 +5564,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", + "file.name": "ac.js", "fileset.name": "log", - "http.response.body.content": "ac.js", "input.type": "log", "log.offset": 15064, "observer.product": "Proxy", @@ -5583,8 +5583,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
@@ -5614,8 +5614,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript", + "file.name": "yahoo_2.0.0-b4.js", "fileset.name": "log", - "http.response.body.content": "yahoo_2.0.0-b4.js", "input.type": "log", "log.offset": 15231, "observer.product": "Proxy", @@ -5633,8 +5633,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5664,8 +5664,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", + "file.name": "liam_ball_1.gif", "fileset.name": "log", - "http.response.body.content": "liam_ball_1.gif", "input.type": "log", "log.offset": 15402, "observer.product": "Proxy", @@ -5683,8 +5683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json index bd3d2de8fd6..5d095a17bd4 100644 --- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json 
@@ -6,8 +6,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368729.430 371 210.8.79.228 TCP_MISS/200 2136 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r3_c6.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r3_c6.jpg", "input.type": "log", "log.offset": 0, "observer.product": "Proxy", @@ -25,8 +25,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -62,8 +62,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368730.746 297 210.8.79.228 TCP_MISS/200 1467 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c1.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c1.jpg", "input.type": "log", "log.offset": 169, "observer.product": "Proxy", @@ -118,8 +118,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368731.283 344 210.8.79.228 TCP_MISS/200 1330 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c2.jpg", "input.type": "log", "log.offset": 338, "observer.product": "Proxy", @@ -137,8 +137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -174,8 +174,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.162 2 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/anglais/produit4.html - NONE/- text/html", + "file.name": "produit4.html", "fileset.name": "log", - "http.response.body.content": "produit4.html", "input.type": "log", "log.offset": 515, "observer.product": "Proxy", @@ -193,8 +193,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "304", @@ -230,8 +230,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.391 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/produits-ang.gif - NONE/- image/gif", + "file.name": "produits-ang.gif", "fileset.name": "log", - "http.response.body.content": "produits-ang.gif", "input.type": "log", "log.offset": 650, "observer.product": "Proxy", @@ -249,8 +249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -286,8 +286,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.456 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif", + "file.name": "cale.gif", "fileset.name": "log", - "http.response.body.content": "cale.gif", "input.type": "log", "log.offset": 784, "observer.product": "Proxy", 
@@ -342,8 +342,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.512 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif", + "file.name": "fond2.gif", "fileset.name": "log", - "http.response.body.content": "fond2.gif", "input.type": "log", "log.offset": 910, "observer.product": "Proxy", @@ -398,8 +398,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.545 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logo_orange.gif - NONE/- image/gif", + "file.name": "logo_orange.gif", "fileset.name": "log", - "http.response.body.content": "logo_orange.gif", "input.type": "log", "log.offset": 1037, "observer.product": "Proxy", @@ -454,8 +454,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.599 19 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/chat.gif - NONE/- image/gif", + "file.name": "chat.gif", "fileset.name": "log", - "http.response.body.content": "chat.gif", "input.type": "log", "log.offset": 1170, "observer.product": "Proxy", @@ -510,8 +510,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.675 115 210.8.79.192 TCP_REFRESH_MISS/200 2111 GET http://www.call-kelly.com/horizontal.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript", + "file.name": "horizontal.js", "fileset.name": "log", - "http.response.body.content": "horizontal.js", "input.type": "log", "log.offset": 1296, "observer.product": "Proxy", @@ -529,8 +529,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
@@ -566,8 +566,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.701 11 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/icone_notice.gif - NONE/- image/gif", + "file.name": "icone_notice.gif", "fileset.name": "log", - "http.response.body.content": "icone_notice.gif", "input.type": "log", "log.offset": 1465, "observer.product": "Proxy", @@ -622,8 +622,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.775 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium1.gif - NONE/- image/gif", + "file.name": "spelenium1.gif", "fileset.name": "log", - "http.response.body.content": "spelenium1.gif", "input.type": "log", "log.offset": 1599, "observer.product": "Proxy", @@ -641,8 +641,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -678,8 +678,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.830 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium2.gif - NONE/- image/gif", + "file.name": "spelenium2.gif", "fileset.name": "log", - "http.response.body.content": "spelenium2.gif", "input.type": "log", "log.offset": 1731, "observer.product": "Proxy", @@ -697,8 +697,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -734,8 +734,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.877 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium3.gif - NONE/- image/gif", + "file.name": "spelenium3.gif", "fileset.name": "log", - "http.response.body.content": "spelenium3.gif", "input.type": "log", "log.offset": 1863, "observer.product": "Proxy", @@ -753,8 +753,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -790,8 +790,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.913 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/speleniumgold.gif - NONE/- image/gif", + "file.name": "speleniumgold.gif", "fileset.name": "log", - "http.response.body.content": "speleniumgold.gif", "input.type": "log", "log.offset": 1995, "observer.product": "Proxy", @@ -809,8 +809,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -846,8 +846,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368732.962 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/antipode.gif - NONE/- image/gif", + "file.name": "antipode.gif", "fileset.name": "log", - "http.response.body.content": "antipode.gif", "input.type": "log", "log.offset": 2130, "observer.product": "Proxy", 
@@ -902,8 +902,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.035 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logospelenium.gif - NONE/- image/gif", + "file.name": "logospelenium.gif", "fileset.name": "log", - "http.response.body.content": "logospelenium.gif", "input.type": "log", "log.offset": 2260, "observer.product": "Proxy", @@ -921,8 +921,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -958,8 +958,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.087 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium1.gif - NONE/- image/gif", + "file.name": "0spelenium1.gif", "fileset.name": "log", - "http.response.body.content": "0spelenium1.gif", "input.type": "log", "log.offset": 2395, "observer.product": "Proxy", @@ -977,8 +977,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1014,8 +1014,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.096 307 210.8.79.228 TCP_MISS/200 1623 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c4.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c4.jpg", "input.type": "log", "log.offset": 2528, "observer.product": "Proxy", 
@@ -1070,8 +1070,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.151 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium2.gif - NONE/- image/gif", + "file.name": "0spelenium2.gif", "fileset.name": "log", - "http.response.body.content": "0spelenium2.gif", "input.type": "log", "log.offset": 2697, "observer.product": "Proxy", @@ -1089,8 +1089,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1126,8 +1126,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.194 5 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium3.gif - NONE/- image/gif", + "file.name": "0spelenium3.gif", "fileset.name": "log", - "http.response.body.content": "0spelenium3.gif", "input.type": "log", "log.offset": 2830, "observer.product": "Proxy", @@ -1145,8 +1145,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -1182,8 +1182,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.342 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0antipode.gif - NONE/- image/gif", + "file.name": "0antipode.gif", "fileset.name": "log", - "http.response.body.content": "0antipode.gif", "input.type": "log", "log.offset": 2963, "observer.product": "Proxy", 
@@ -1238,8 +1238,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.387 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium4.gif - NONE/- image/gif", + "file.name": "0spelenium4.gif", "fileset.name": "log", - "http.response.body.content": "0spelenium4.gif", "input.type": "log", "log.offset": 3094, "observer.product": "Proxy", @@ -1294,8 +1294,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.758 299 210.8.79.228 TCP_MISS/200 1448 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c5.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c5.jpg", "input.type": "log", "log.offset": 3227, "observer.product": "Proxy", @@ -1350,8 +1350,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.821 302 210.8.79.228 TCP_MISS/200 1365 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c7.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c7.jpg", "input.type": "log", "log.offset": 3404, "observer.product": "Proxy", @@ -1461,8 +1461,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368733.894 104 210.8.79.192 TCP_REFRESH_HIT/200 1214 GET http://www.call-kelly.com/vertical.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript", + "file.name": "vertical.js", "fileset.name": "log", - "http.response.body.content": "vertical.js", "input.type": "log", "log.offset": 3714, "observer.product": "Proxy", 
@@ -1480,8 +1480,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -1517,8 +1517,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368734.169 320 210.8.79.228 TCP_MISS/200 1466 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c9.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c9.jpg", "input.type": "log", "log.offset": 3880, "observer.product": "Proxy", @@ -1536,8 +1536,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1573,8 +1573,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368734.580 330 210.8.79.228 TCP_MISS/200 1321 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c10.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c10.jpg", "input.type": "log", "log.offset": 4049, "observer.product": "Proxy", @@ -1592,8 +1592,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -1629,8 +1629,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368734.883 333 210.8.79.228 TCP_MISS/200 824 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c11.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c11.jpg", "input.type": "log", "log.offset": 4227, "observer.product": "Proxy", @@ -1648,8 +1648,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -1685,8 +1685,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368735.255 386 210.8.79.228 TCP_MISS/200 1969 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r5_c1.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r5_c1.jpg", "input.type": "log", "log.offset": 4404, "observer.product": "Proxy", @@ -1741,8 +1741,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368735.749 630 210.8.79.228 TCP_MISS/200 15187 GET http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "journalCWS2.jpg", "fileset.name": "log", - "http.response.body.content": "journalCWS2.jpg", "input.type": "log", "log.offset": 4573, "observer.product": "Proxy", @@ -1797,8 +1797,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368735.884 625 210.8.79.192 TCP_MISS/200 8623 GET http://counter11.sextracker.com/c4/id/0/259914 - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "259914", "fileset.name": "log", - "http.response.body.content": "259914", "input.type": "log", "log.offset": 4738, "observer.product": "Proxy", 
@@ -1816,8 +1816,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1853,8 +1853,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368736.258 299 210.8.79.228 TCP_MISS/200 609 GET http://www.fas.harvard.edu/~hpcws/vertbar.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "vertbar.gif", "fileset.name": "log", - "http.response.body.content": "vertbar.gif", "input.type": "log", "log.offset": 4898, "observer.product": "Proxy", @@ -1872,8 +1872,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1909,8 +1909,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368736.295 64 210.8.79.192 TCP_REFRESH_HIT/200 6080 GET http://66.181.163.170/pics/12.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg", + "file.name": "12.jpg", "fileset.name": "log", - "http.response.body.content": "12.jpg", "input.type": "log", "log.offset": 5056, "observer.product": "Proxy", @@ -1965,8 +1965,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368736.750 570 210.8.79.192 TCP_REFRESH_HIT/200 5935 GET http://66.181.163.170/pics/tease.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg", + "file.name": "tease.jpg", "fileset.name": "log", - "http.response.body.content": "tease.jpg", "input.type": "log", "log.offset": 5204, "observer.product": "Proxy", @@ -1984,8 +1984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -2021,8 +2021,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368736.989 319 210.8.79.228 TCP_MISS/200 2135 GET http://www.fas.harvard.edu/~hpcws/getacro.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "getacro.gif", "fileset.name": "log", - "http.response.body.content": "getacro.gif", "input.type": "log", "log.offset": 5355, "observer.product": "Proxy", @@ -2040,8 +2040,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2077,8 +2077,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368737.286 2056 210.8.79.228 TCP_MISS/200 3677 GET http://www.fas.harvard.edu/~hpcws/journaltitle.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", + "file.name": "journaltitle.gif", "fileset.name": "log", - "http.response.body.content": "journaltitle.gif", "input.type": "log", "log.offset": 5514, "observer.product": "Proxy", @@ -2133,8 +2133,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368738.516 598 210.8.79.192 TCP_REFRESH_HIT/200 8851 GET http://66.181.163.170/pics/5.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "file.name": "5.jpg", "fileset.name": "log", - "http.response.body.content": "5.jpg", "input.type": "log", "log.offset": 5682, "observer.product": "Proxy", @@ -2189,8 +2189,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368739.275 346 210.8.79.228 TCP_MISS/200 3719 GET http://www.fas.harvard.edu/~hpcws/msbutton.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "msbutton.gif", "fileset.name": "log", - "http.response.body.content": "msbutton.gif", "input.type": "log", "log.offset": 5829, "observer.product": "Proxy", 
@@ -2208,8 +2208,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2245,8 +2245,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368739.396 1056 210.8.79.228 TCP_MISS/200 3693 GET http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", + "file.name": "msbutton_f2.gif", "fileset.name": "log", - "http.response.body.content": "msbutton_f2.gif", "input.type": "log", "log.offset": 5989, "observer.product": "Proxy", @@ -2301,8 +2301,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368740.659 639 210.8.79.192 TCP_REFRESH_HIT/200 7652 GET http://66.181.163.170/pics/8.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "file.name": "8.jpg", "fileset.name": "log", - "http.response.body.content": "8.jpg", "input.type": "log", "log.offset": 6156, "observer.product": "Proxy", @@ -2357,8 +2357,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368741.676 306 210.8.79.228 TCP_MISS/200 2671 GET http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "subsbutton_f2.gif", "fileset.name": "log", - "http.response.body.content": "subsbutton_f2.gif", "input.type": "log", "log.offset": 6303, "observer.product": "Proxy", @@ -2413,8 +2413,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368742.029 300 210.8.79.228 TCP_MISS/200 2690 GET http://www.fas.harvard.edu/~hpcws/subsbutton.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "subsbutton.gif", "fileset.name": "log", - "http.response.body.content": "subsbutton.gif", "input.type": "log", "log.offset": 6468, "observer.product": "Proxy", 
@@ -2469,8 +2469,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368742.102 123 210.8.79.192 TCP_REFRESH_HIT/200 4530 GET http://66.181.163.170/pics/17.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "file.name": "17.jpg", "fileset.name": "log", - "http.response.body.content": "17.jpg", "input.type": "log", "log.offset": 6638, "observer.product": "Proxy", @@ -2525,8 +2525,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368742.150 321 210.8.79.228 TCP_MISS/200 483 GET http://www.fas.harvard.edu/~hpcws/shim.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "shim.gif", "fileset.name": "log", - "http.response.body.content": "shim.gif", "input.type": "log", "log.offset": 6786, "observer.product": "Proxy", @@ -2581,8 +2581,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368742.474 104 210.8.79.192 TCP_REFRESH_HIT/200 9437 GET http://www.penis-enlargement-product.com/banners/ban2.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "ban2.gif", "fileset.name": "log", - "http.response.body.content": "ban2.gif", "input.type": "log", "log.offset": 6949, "observer.product": "Proxy", @@ -2600,8 +2600,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -2637,8 +2637,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368743.319 330 210.8.79.228 TCP_MISS/200 1664 GET http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "jcwspanel_r1_c1.gif", "fileset.name": "log", - "http.response.body.content": "jcwspanel_r1_c1.gif", "input.type": "log", "log.offset": 7120, "observer.product": "Proxy", 
@@ -2693,8 +2693,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368747.045 15 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif", + "file.name": "fond2.gif", "fileset.name": "log", - "http.response.body.content": "fond2.gif", "input.type": "log", "log.offset": 7295, "observer.product": "Proxy", @@ -2749,8 +2749,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368747.103 1424 210.8.79.199 TCP_MISS/200 13119 GET http://www.bealplanet.com/notices/speleo-ang.html - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", + "file.name": "speleo-ang.html", "fileset.name": "log", - "http.response.body.content": "speleo-ang.html", "input.type": "log", "log.offset": 7422, "observer.product": "Proxy", @@ -2768,8 +2768,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2805,8 +2805,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368747.266 5 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif", + "file.name": "cale.gif", "fileset.name": "log", - "http.response.body.content": "cale.gif", "input.type": "log", "log.offset": 7586, "observer.product": "Proxy", @@ -2824,8 +2824,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -2861,8 +2861,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368747.556 416 210.8.79.199 TCP_MISS/200 1973 GET http://www.bealplanet.com/notices/img/titre_speleo.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "titre_speleo.gif", "fileset.name": "log", - "http.response.body.content": "titre_speleo.gif", "input.type": "log", "log.offset": 7712, "observer.product": "Proxy", @@ -2917,8 +2917,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368747.990 3690 210.8.79.192 TCP_REFRESH_HIT/200 22832 GET http://botw.topbucks.com/mx_vertical_04_ani.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "mx_vertical_04_ani.gif", "fileset.name": "log", - "http.response.body.content": "mx_vertical_04_ani.gif", "input.type": "log", "log.offset": 7888, "observer.product": "Proxy", @@ -2973,8 +2973,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368748.012 442 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/francais.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "francais.gif", "fileset.name": "log", - "http.response.body.content": "francais.gif", "input.type": "log", "log.offset": 8050, "observer.product": "Proxy", @@ -2992,8 +2992,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -3029,8 +3029,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368748.601 722 210.8.79.199 TCP_MISS/200 948 GET http://www.bealplanet.com/notices/img/anglais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "anglais_bis.gif", "fileset.name": "log", - "http.response.body.content": "anglais_bis.gif", "input.type": "log", "log.offset": 8221, "observer.product": "Proxy", @@ -3085,8 +3085,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368748.823 753 210.8.79.199 TCP_MISS/200 952 GET http://www.bealplanet.com/notices/img/deutsch.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "deutsch.gif", "fileset.name": "log", - "http.response.body.content": "deutsch.gif", "input.type": "log", "log.offset": 8395, "observer.product": "Proxy", @@ -3141,8 +3141,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368748.883 403 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/espanol.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "espanol.gif", "fileset.name": "log", - "http.response.body.content": "espanol.gif", "input.type": "log", "log.offset": 8565, "observer.product": "Proxy", @@ -3160,8 +3160,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3197,8 +3197,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368749.090 381 210.8.79.199 TCP_MISS/200 936 GET http://www.bealplanet.com/notices/img/italiano.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "italiano.gif", "fileset.name": "log", - "http.response.body.content": "italiano.gif", "input.type": "log", "log.offset": 8735, "observer.product": "Proxy", 
@@ -3253,8 +3253,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368749.346 407 210.8.79.199 TCP_MISS/200 993 GET http://www.bealplanet.com/notices/img/nederlands.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "nederlands.gif", "fileset.name": "log", - "http.response.body.content": "nederlands.gif", "input.type": "log", "log.offset": 8898, "observer.product": "Proxy", @@ -3309,8 +3309,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368749.763 402 210.8.79.199 TCP_MISS/200 980 GET http://www.bealplanet.com/notices/img/portuges.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "portuges.gif", "fileset.name": "log", - "http.response.body.content": "portuges.gif", "input.type": "log", "log.offset": 9063, "observer.product": "Proxy", @@ -3328,8 +3328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3365,8 +3365,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368749.879 709 210.8.79.199 TCP_MISS/200 954 GET http://www.bealplanet.com/notices/img/japanese.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "japanese.gif", "fileset.name": "log", - "http.response.body.content": "japanese.gif", "input.type": "log", "log.offset": 9234, "observer.product": "Proxy", @@ -3421,8 +3421,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368749.955 405 210.8.79.199 TCP_MISS/200 4039 GET http://www.bealplanet.com/notices/img/logobeal.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "logobeal.gif", "fileset.name": "log", - "http.response.body.content": "logobeal.gif", "input.type": "log", "log.offset": 9397, "observer.product": "Proxy", 
@@ -3477,8 +3477,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368750.213 394 210.8.79.199 TCP_MISS/200 2014 GET http://www.bealplanet.com/notices/img/spelenium1.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "spelenium1.gif", "fileset.name": "log", - "http.response.body.content": "spelenium1.gif", "input.type": "log", "log.offset": 9569, "observer.product": "Proxy", @@ -3533,8 +3533,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368750.666 436 210.8.79.199 TCP_MISS/200 1783 GET http://www.bealplanet.com/notices/img/bout1_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "bout1_ang.gif", "fileset.name": "log", - "http.response.body.content": "bout1_ang.gif", "input.type": "log", "log.offset": 9735, "observer.product": "Proxy", @@ -3589,8 +3589,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368750.847 397 210.8.79.199 TCP_MISS/200 1991 GET http://www.bealplanet.com/notices/img/bout2_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "bout2_ang.gif", "fileset.name": "log", - "http.response.body.content": "bout2_ang.gif", "input.type": "log", "log.offset": 9900, "observer.product": "Proxy", @@ -3608,8 +3608,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3645,8 +3645,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368751.598 398 210.8.79.199 TCP_MISS/200 758 GET http://www.bealplanet.com/notices/img/attention.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "attention.gif", "fileset.name": "log", - "http.response.body.content": "attention.gif", "input.type": "log", "log.offset": 10065, "observer.product": "Proxy", 
@@ -3701,8 +3701,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368752.992 402 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/francais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "francais_bis.gif", "fileset.name": "log", - "http.response.body.content": "francais_bis.gif", "input.type": "log", "log.offset": 10229, "observer.product": "Proxy", @@ -3757,8 +3757,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368753.137 487 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/deutsch_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "deutsch_bis.gif", "fileset.name": "log", - "http.response.body.content": "deutsch_bis.gif", "input.type": "log", "log.offset": 10404, "observer.product": "Proxy", @@ -3813,8 +3813,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368753.141 486 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/espanol_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "espanol_bis.gif", "fileset.name": "log", - "http.response.body.content": "espanol_bis.gif", "input.type": "log", "log.offset": 10570, "observer.product": "Proxy", @@ -3869,8 +3869,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368753.496 787 210.8.79.199 TCP_MISS/200 951 GET http://www.bealplanet.com/notices/img/italiano_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "italiano_bis.gif", "fileset.name": "log", - "http.response.body.content": "italiano_bis.gif", "input.type": "log", "log.offset": 10736, "observer.product": "Proxy", 
@@ -3925,8 +3925,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368753.728 388 210.8.79.199 TCP_MISS/200 999 GET http://www.bealplanet.com/notices/img/nederlands_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "nederlands_bis.gif", "fileset.name": "log", - "http.response.body.content": "nederlands_bis.gif", "input.type": "log", "log.offset": 10903, "observer.product": "Proxy", @@ -3981,8 +3981,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368753.905 375 210.8.79.199 TCP_MISS/200 965 GET http://www.bealplanet.com/notices/img/japanese_bis.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "japanese_bis.gif", "fileset.name": "log", - "http.response.body.content": "japanese_bis.gif", "input.type": "log", "log.offset": 11072, "observer.product": "Proxy", @@ -4000,8 +4000,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4037,8 +4037,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368754.163 424 210.8.79.199 TCP_MISS/200 974 GET http://www.bealplanet.com/notices/img/portuges_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", + "file.name": "portuges_bis.gif", "fileset.name": "log", - "http.response.body.content": "portuges_bis.gif", "input.type": "log", "log.offset": 11239, "observer.product": "Proxy", @@ -4093,8 +4093,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368754.200 4246 210.8.79.192 TCP_MISS/200 15594 GET http://cybercatinc.com/banners/July/logo16.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "logo16.gif", "fileset.name": "log", - "http.response.body.content": "logo16.gif", "input.type": "log", "log.offset": 11406, "observer.product": "Proxy", 
@@ -4112,8 +4112,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4149,8 +4149,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368754.332 393 210.8.79.199 TCP_MISS/200 1661 GET http://www.bealplanet.com/notices/img/bout1bis_ang.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "bout1bis_ang.gif", "fileset.name": "log", - "http.response.body.content": "bout1bis_ang.gif", "input.type": "log", "log.offset": 11560, "observer.product": "Proxy", @@ -4168,8 +4168,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4205,8 +4205,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368757.241 3100 210.8.79.199 TCP_MISS/200 1866 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", + "file.name": "bout2bis_ang.gif", "fileset.name": "log", - "http.response.body.content": "bout2bis_ang.gif", "input.type": "log", "log.offset": 11728, "observer.product": "Proxy", @@ -4224,8 +4224,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -4261,8 +4261,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368757.301 0 210.8.79.199 TCP_MEM_HIT/200 1872 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - NONE/- image/gif", + "file.name": "bout2bis_ang.gif", "fileset.name": "log", - "http.response.body.content": "bout2bis_ang.gif", "input.type": "log", "log.offset": 11900, "observer.product": "Proxy", @@ -4280,8 +4280,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MEM_HIT" + "TCP_MEM_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4372,8 +4372,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368759.420 5831 210.8.79.192 TCP_REFRESH_HIT/200 18075 GET http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "468x60-CFF-01.gif", "fileset.name": "log", - "http.response.body.content": "468x60-CFF-01.gif", "input.type": "log", "log.offset": 12166, "observer.product": "Proxy", @@ -4428,8 +4428,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368761.410 15150 210.8.79.192 TCP_REFRESH_HIT/200 22445 GET http://www.girls-home-alone.com/banners/call-kelly.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif", + "file.name": "call-kelly.gif", "fileset.name": "log", - "http.response.body.content": "call-kelly.gif", "input.type": "log", "log.offset": 12343, "observer.product": "Proxy", @@ -4484,8 +4484,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368761.607 637 210.8.79.192 TCP_REFRESH_HIT/200 14489 GET http://cybercatinc.com/banners/July/npban_adult.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "npban_adult.gif", "fileset.name": "log", - "http.response.body.content": "npban_adult.gif", "input.type": "log", "log.offset": 12512, "observer.product": "Proxy", 
@@ -4503,8 +4503,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4595,8 +4595,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368773.118 87 210.8.79.192 TCP_REFRESH_HIT/200 1762 GET http://www.frenchcum.com/eclair.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif", + "file.name": "eclair.gif", "fileset.name": "log", - "http.response.body.content": "eclair.gif", "input.type": "log", "log.offset": 12833, "observer.product": "Proxy", @@ -4651,8 +4651,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368773.734 3183 210.8.79.192 TCP_REFRESH_HIT/200 3257 GET http://www.frenchcum.com/frenchcumnew.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "frenchcumnew.gif", "fileset.name": "log", - "http.response.body.content": "frenchcumnew.gif", "input.type": "log", "log.offset": 12982, "observer.product": "Proxy", @@ -4670,8 +4670,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4716,8 +4716,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368773.875 3915 210.8.79.192 TCP_MISS/200 1388 GET http://www.usaminutes.tv/iframe_pix/index_3.php? - DIRECT/80.69.64.224 text/html", + "file.name": "index_3.php", "fileset.name": "log", - "http.response.body.content": "index_3.php", "input.type": "log", "log.offset": 13137, "observer.product": "Proxy", 
@@ -4773,8 +4773,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368774.928 1157 210.8.79.192 TCP_REFRESH_MISS/200 3600 GET http://www.frenchcum.com/oki02.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", + "file.name": "oki02.gif", "fileset.name": "log", - "http.response.body.content": "oki02.gif", "input.type": "log", "log.offset": 13275, "observer.product": "Proxy", @@ -4884,8 +4884,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368775.140 43001 210.8.79.228 TCP_MISS/000 0 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au -", + "file.name": "navbar_r4_c3.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c3.jpg", "input.type": "log", "log.offset": 13580, "observer.product": "Proxy", @@ -4940,8 +4940,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368775.441 619 210.8.79.192 TCP_MISS/200 6681 GET http://counter4.sextracker.com/c7/id/0/315043 - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", + "file.name": "315043", "fileset.name": "log", - "http.response.body.content": "315043", "input.type": "log", "log.offset": 13741, "observer.product": "Proxy", @@ -4959,8 +4959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4996,8 +4996,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368775.871 570 210.8.79.228 TCP_MISS/200 1352 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r2_c6_f2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r2_c6_f2.jpg", "input.type": "log", "log.offset": 13900, "observer.product": "Proxy", 
@@ -5015,8 +5015,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5052,8 +5052,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368775.957 586 210.8.79.228 TCP_MISS/200 1630 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c1_f2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c1_f2.jpg", "input.type": "log", "log.offset": 14072, "observer.product": "Proxy", @@ -5108,8 +5108,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368776.160 580 210.8.79.228 TCP_MISS/200 1487 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c2_f2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c2_f2.jpg", "input.type": "log", "log.offset": 14252, "observer.product": "Proxy", @@ -5127,8 +5127,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5164,8 +5164,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368776.779 1559 210.8.79.228 TCP_MISS/200 23518 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au application/pdf", + "file.name": "carafano.pdf", "fileset.name": "log", - "http.response.body.content": "carafano.pdf", "input.type": "log", "log.offset": 14424, "observer.product": "Proxy", 
@@ -5183,8 +5183,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5220,8 +5220,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368776.928 317 210.8.79.228 TCP_MISS/200 1390 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c3_f2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c3_f2.jpg", "input.type": "log", "log.offset": 14599, "observer.product": "Proxy", @@ -5276,8 +5276,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368777.082 1031 210.8.79.192 TCP_REFRESH_HIT/200 12995 GET http://www.usaminutes.tv/iframe_pix/7.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", + "file.name": "7.jpg", "fileset.name": "log", - "http.response.body.content": "7.jpg", "input.type": "log", "log.offset": 14779, "observer.product": "Proxy", @@ -5332,8 +5332,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368777.709 4 202.67.67.124 TCP_DENIED/403 1119 GET http://rmapup.real.com/fcgi-bin/upgrade.fcgi? - NONE/- -", + "file.name": "upgrade.fcgi", "fileset.name": "log", - "http.response.body.content": "upgrade.fcgi", "input.type": "log", "log.offset": 14936, "observer.product": "Proxy", @@ -5351,8 +5351,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "403", 
@@ -5391,8 +5391,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368777.800 309 210.8.79.228 TCP_MISS/200 1859 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c4_f2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c4_f2.jpg", "input.type": "log", "log.offset": 15053, "observer.product": "Proxy", @@ -5410,8 +5410,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -5447,8 +5447,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368777.845 955 210.8.79.228 TCP_MISS/200 22446 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - FIRST_PARENT_MISS/proxy2.syd.connect.com.au application/pdf", + "file.name": "carafano.pdf", "fileset.name": "log", - "http.response.body.content": "carafano.pdf", "input.type": "log", "log.offset": 15233, "observer.product": "Proxy", @@ -5466,8 +5466,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/pdf", "rsa.misc.result_code": "200", @@ -5558,8 +5558,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1035368778.117 317 210.8.79.228 TCP_MISS/200 1629 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", + "file.name": "navbar_r4_c5_f2.jpg", "fileset.name": "log", - "http.response.body.content": "navbar_r4_c5_f2.jpg", "input.type": "log", "log.offset": 15564, "observer.product": "Proxy", 
diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json index 97f00bd3059..13c87d647c5 100644 --- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json @@ -23,8 +23,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -119,8 +119,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -167,8 +167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -198,8 +198,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870325.850 9 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 379, "observer.product": "Proxy", @@ -248,8 +248,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870326.168 95 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 498, "observer.product": "Proxy", 
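Review bot: The first hunk of access3.log-expected.json only swaps the order of `rsa.misc.action` (`"CONNECT", "TCP_MISS"` becomes `"TCP_MISS", "CONNECT"`), and later hunks in the same file flip that pair and `related.ip` in both directions, which looks like non-deterministic array ordering in the pipeline rather than an intended fixture change. A fixture that pins an arbitrary order will flake the next time the expected output is regenerated or compared on another run. I would either sort list-valued keys such as `related.ip` and `rsa.misc.action` in the test harness' normalisation step before comparison, or make the pipeline emit them in a stable (sorted) order, and then regenerate this file once. Separately, several of the new `file.name` values here (`search`, `crx`, `rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA`) are just the last URL path segment with the query stripped and are arguably not file names; worth confirming that mapping from `http.response.body.content` to `file.name` is the intended ECS placement.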
@@ -267,8 +267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -298,8 +298,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870326.810 124 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 617, "observer.product": "Proxy", @@ -317,8 +317,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -348,8 +348,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870327.186 169 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 736, "observer.product": "Proxy", @@ -367,8 +367,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -398,8 +398,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870327.634 71 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 855, "observer.product": "Proxy", 
@@ -417,8 +417,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -448,8 +448,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870327.842 1 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 974, "observer.product": "Proxy", @@ -516,8 +516,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -835,8 +835,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870772.279 155623 192.168.0.35 TCP_MISS/503 3310 GET http://clients2.google.com/service/update2/crx? - DIRECT/clients2.google.com text/html", + "file.name": "crx", "fileset.name": "log", - "http.response.body.content": "crx", "input.type": "log", "log.offset": 1774, "observer.product": "Proxy", @@ -902,8 +902,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -933,8 +933,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870947.061 39 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 2013, "observer.product": "Proxy", 
@@ -952,8 +952,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -983,8 +983,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870947.797 268 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 2132, "observer.product": "Proxy", @@ -1033,8 +1033,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870949.342 163 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 2251, "observer.product": "Proxy", @@ -1083,8 +1083,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870949.733 191 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 2370, "observer.product": "Proxy", @@ -1102,8 +1102,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1133,8 +1133,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348870950.054 120 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -", + "file.name": "search", "fileset.name": "log", - "http.response.body.content": "search", "input.type": "log", "log.offset": 2489, "observer.product": "Proxy", 
@@ -1152,8 +1152,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "000", @@ -1298,8 +1298,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1346,8 +1346,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "503", @@ -1395,8 +1395,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "503", @@ -1442,8 +1442,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1454,8 +1454,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1494,8 +1494,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348871190.364 26 192.168.0.35 TCP_MISS/304 290 GET http://www.google.com/images/srpr/logo3w.png - DIRECT/74.125.131.147 -", + "file.name": "logo3w.png", "fileset.name": "log", - "http.response.body.content": "logo3w.png", "input.type": "log", "log.offset": 3229, "observer.product": "Proxy", 
@@ -1554,16 +1554,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348871190.477 136 192.168.0.35 TCP_MISS/200 166258 GET http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA - DIRECT/74.125.131.147 text/javascript", + "file.name": "rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", "fileset.name": "log", - "http.response.body.content": "rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", "input.type": "log", "log.offset": 3356, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.131.147" + "74.125.131.147", + "192.168.0.35" ], "related.user": [ "-" @@ -1574,8 +1574,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -1614,8 +1614,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348871190.671 50 192.168.0.35 TCP_MISS/200 20129 GET http://www.google.com/extern_chrome/359533f6f71ee9c1.js - DIRECT/74.125.131.147 text/javascript", + "file.name": "359533f6f71ee9c1.js", "fileset.name": "log", - "http.response.body.content": "359533f6f71ee9c1.js", "input.type": "log", "log.offset": 3697, "observer.product": "Proxy", @@ -1634,8 +1634,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", 
@@ -1674,8 +1674,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1348871190.763 36 192.168.0.35 TCP_MISS/204 369 GET http://www.google.com/csi? - DIRECT/74.125.131.147 image/gif", + "file.name": "csi", "fileset.name": "log", - "http.response.body.content": "csi", "input.type": "log", "log.offset": 3851, "observer.product": "Proxy", @@ -1799,8 +1799,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.3", - "192.168.0.35" + "192.168.0.35", + "74.125.228.3" ], "related.user": [ "-" @@ -1868,8 +1868,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1926,8 +1926,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1984,8 +1984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2031,8 +2031,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2042,8 +2042,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2100,8 +2100,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2205,8 +2205,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.14", - "192.168.0.35" + "192.168.0.35", + "74.125.228.14" ], "related.user": [ "-" @@ -2216,8 +2216,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2321,8 +2321,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2332,8 +2332,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2379,8 +2379,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" @@ -2390,8 +2390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2437,8 +2437,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.14" + "74.125.228.14", + "192.168.0.35" ], "related.user": [ "-" 
@@ -2488,16 +2488,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057385.253 170 192.168.0.35 TCP_MISS/200 574 GET http://clients1.google.com/tools/swg2/update? - DIRECT/74.125.228.97 text/plain", + "file.name": "update", "fileset.name": "log", - "http.response.body.content": "update", "input.type": "log", "log.offset": 5343, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.97", - "192.168.0.35" + "192.168.0.35", + "74.125.228.97" ], "related.user": [ "-" @@ -2555,8 +2555,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "23.11.236.224" + "23.11.236.224", + "192.168.0.35" ], "related.user": [ "-" @@ -2613,8 +2613,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "23.11.236.224" + "23.11.236.224", + "192.168.0.35" ], "related.user": [ "-" @@ -2671,8 +2671,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -2682,8 +2682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2845,8 +2845,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "173.194.73.104" + "173.194.73.104", + "192.168.0.35" ], "related.user": [ "-" @@ -2856,8 +2856,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -2903,8 +2903,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -2914,8 +2914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -2961,8 +2961,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -2972,8 +2972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -3019,8 +3019,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "74.125.228.100" + "74.125.228.100", + "192.168.0.35" ], "related.user": [ "-" @@ -3070,8 +3070,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057466.259 467 192.168.0.35 TCP_MISS/200 161462 GET http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog - DIRECT/208.44.23.184 application/x-apple-plist", + "file.name": "index-windows-1.sucatalog", "fileset.name": "log", - "http.response.body.content": "index-windows-1.sucatalog", "input.type": "log", "log.offset": 6476, "observer.product": "Proxy", @@ -3090,8 +3090,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "application/x-apple-plist", "rsa.misc.result_code": "200", 
@@ -3130,8 +3130,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057469.784 470 192.168.0.35 TCP_MISS/200 6546 GET http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-8153.English.dist", "fileset.name": "log", - "http.response.body.content": "061-8153.English.dist", "input.type": "log", "log.offset": 6661, "observer.product": "Proxy", @@ -3190,16 +3190,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057470.770 334 192.168.0.35 TCP_MISS/200 31622 GET http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "061-3418.English.dist", "fileset.name": "log", - "http.response.body.content": "061-3418.English.dist", "input.type": "log", "log.offset": 6863, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3210,8 +3210,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3250,8 +3250,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057470.907 109 192.168.0.35 TCP_MISS/200 3798 GET http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-6867.English.dist", "fileset.name": "log", - "http.response.body.content": "061-6867.English.dist", "input.type": "log", "log.offset": 7068, "observer.product": "Proxy", 
@@ -3310,8 +3310,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057472.794 219 192.168.0.35 TCP_MISS/200 7217 GET http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "061-4512.English.dist", "fileset.name": "log", - "http.response.body.content": "061-4512.English.dist", "input.type": "log", "log.offset": 7270, "observer.product": "Proxy", @@ -3370,8 +3370,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057472.980 109 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-7511.English.dist", "fileset.name": "log", - "http.response.body.content": "061-7511.English.dist", "input.type": "log", "log.offset": 7474, "observer.product": "Proxy", @@ -3430,16 +3430,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057473.173 110 192.168.0.35 TCP_MISS/200 6939 GET http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-4514.English.dist", "fileset.name": "log", - "http.response.body.content": "061-4514.English.dist", "input.type": "log", "log.offset": 7676, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -3490,16 +3490,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057473.340 111 192.168.0.35 TCP_MISS/200 5451 GET http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "061-7340.English.dist", "fileset.name": "log", - "http.response.body.content": "061-7340.English.dist", "input.type": "log", "log.offset": 7878, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -3550,8 +3550,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057473.825 330 192.168.0.35 TCP_MISS/200 18008 GET http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "041-3097.English.dist", "fileset.name": "log", - "http.response.body.content": "041-3097.English.dist", "input.type": "log", "log.offset": 8082, "observer.product": "Proxy", @@ -3610,16 +3610,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057474.139 221 192.168.0.35 TCP_MISS/200 6992 GET http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-9539.English.dist", "fileset.name": "log", - "http.response.body.content": "061-9539.English.dist", "input.type": "log", "log.offset": 8287, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" 
@@ -3630,8 +3630,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3670,16 +3670,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057474.330 112 192.168.0.35 TCP_MISS/200 4197 GET http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-3452.English.dist", "fileset.name": "log", - "http.response.body.content": "061-3452.English.dist", "input.type": "log", "log.offset": 8489, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3690,8 +3690,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3730,8 +3730,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057474.842 329 192.168.0.35 TCP_MISS/200 19447 GET http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-0517.English.dist", "fileset.name": "log", - "http.response.body.content": "041-0517.English.dist", "input.type": "log", "log.offset": 8694, "observer.product": "Proxy", 
@@ -3790,16 +3790,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057475.092 221 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-7509.English.dist", "fileset.name": "log", - "http.response.body.content": "061-7509.English.dist", "input.type": "log", "log.offset": 8897, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -3810,8 +3810,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3850,8 +3850,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057475.582 434 192.168.0.35 TCP_MISS/200 5297 GET http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-1673.English.dist", "fileset.name": "log", - "http.response.body.content": "041-1673.English.dist", "input.type": "log", "log.offset": 9099, "observer.product": "Proxy", @@ -3910,8 +3910,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057475.860 217 192.168.0.35 TCP_MISS/200 6480 GET http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-4249.English.dist", "fileset.name": "log", - "http.response.body.content": "061-4249.English.dist", "input.type": "log", "log.offset": 9301, "observer.product": "Proxy", 
@@ -3970,16 +3970,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057476.242 331 192.168.0.35 TCP_MISS/200 18211 GET http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-5790.English.dist", "fileset.name": "log", - "http.response.body.content": "061-5790.English.dist", "input.type": "log", "log.offset": 9503, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4030,16 +4030,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057476.800 543 192.168.0.35 TCP_MISS/200 6525 GET http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "061-8155.English.dist", "fileset.name": "log", - "http.response.body.content": "061-8155.English.dist", "input.type": "log", "log.offset": 9706, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4090,8 +4090,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057477.417 552 192.168.0.35 TCP_MISS/200 19458 GET http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "041-0516.English.dist", "fileset.name": "log", - "http.response.body.content": "041-0516.English.dist", "input.type": "log", "log.offset": 9910, "observer.product": "Proxy", 
@@ -4150,16 +4150,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057478.304 870 192.168.0.35 TCP_MISS/200 18041 GET http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-9848.English.dist", "fileset.name": "log", - "http.response.body.content": "061-9848.English.dist", "input.type": "log", "log.offset": 10115, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -4210,8 +4210,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057478.759 437 192.168.0.35 TCP_MISS/200 17576 GET http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "041-1676.English.dist", "fileset.name": "log", - "http.response.body.content": "041-1676.English.dist", "input.type": "log", "log.offset": 10318, "observer.product": "Proxy", @@ -4270,8 +4270,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057478.905 111 192.168.0.35 TCP_MISS/200 6991 GET http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-9537.English.dist", "fileset.name": "log", - "http.response.body.content": "061-9537.English.dist", "input.type": "log", "log.offset": 10523, "observer.product": "Proxy", 
@@ -4330,16 +4330,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057479.343 332 192.168.0.35 TCP_MISS/200 25935 GET http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-4336.English.dist", "fileset.name": "log", - "http.response.body.content": "041-4336.English.dist", "input.type": "log", "log.offset": 10725, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4350,8 +4350,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4390,8 +4390,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057479.593 223 192.168.0.35 TCP_MISS/200 18205 GET http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-5850.English.dist", "fileset.name": "log", - "http.response.body.content": "061-5850.English.dist", "input.type": "log", "log.offset": 10928, "observer.product": "Proxy", 
@@ -4450,16 +4450,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057479.728 110 192.168.0.35 TCP_MISS/200 7326 GET http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist - DIRECT/208.44.23.185 text/plain", + "file.name": "061-4513.English.dist", "fileset.name": "log", - "http.response.body.content": "061-4513.English.dist", "input.type": "log", "log.offset": 11131, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4470,8 +4470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -4510,8 +4510,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057479.893 111 192.168.0.35 TCP_MISS/200 6973 GET http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-7306.English.dist", "fileset.name": "log", - "http.response.body.content": "061-7306.English.dist", "input.type": "log", "log.offset": 11335, "observer.product": "Proxy", @@ -4570,8 +4570,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057480.599 679 192.168.0.35 TCP_MISS/200 6748 GET http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "061-4200.English.dist", "fileset.name": "log", - "http.response.body.content": "061-4200.English.dist", "input.type": "log", "log.offset": 11537, "observer.product": "Proxy", 
@@ -4590,8 +4590,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4630,16 +4630,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057481.530 889 192.168.0.35 TCP_MISS/200 19858 GET http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-0255.English.dist", "fileset.name": "log", - "http.response.body.content": "041-0255.English.dist", "input.type": "log", "log.offset": 11739, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4650,8 +4650,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4690,16 +4690,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057482.097 550 192.168.0.35 TCP_MISS/200 19848 GET http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-0256.English.dist", "fileset.name": "log", - "http.response.body.content": "041-0256.English.dist", "input.type": "log", "log.offset": 11942, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" 
@@ -4750,16 +4750,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057483.427 771 192.168.0.35 TCP_MISS/200 38188 GET http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-6756.English.dist", "fileset.name": "log", - "http.response.body.content": "041-6756.English.dist", "input.type": "log", "log.offset": 12145, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4810,16 +4810,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057483.787 320 192.168.0.35 TCP_MISS/200 8913 GET http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-6905.English.dist", "fileset.name": "log", - "http.response.body.content": "041-6905.English.dist", "input.type": "log", "log.offset": 12348, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "208.44.23.185", - "192.168.0.35" + "192.168.0.35", + "208.44.23.185" ], "related.user": [ "-" @@ -4870,8 +4870,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057484.139 222 192.168.0.35 TCP_MISS/200 8113 GET http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-6906.English.dist", "fileset.name": "log", - "http.response.body.content": "041-6906.English.dist", "input.type": "log", "log.offset": 12550, "observer.product": "Proxy", 
@@ -4930,8 +4930,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057486.034 1694 192.168.0.35 TCP_MISS/200 31969 GET http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-1612.English.dist", "fileset.name": "log", - "http.response.body.content": "041-1612.English.dist", "input.type": "log", "log.offset": 12752, "observer.product": "Proxy", @@ -4990,16 +4990,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057486.672 550 192.168.0.35 TCP_MISS/200 31972 GET http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-1613.English.dist", "fileset.name": "log", - "http.response.body.content": "041-1613.English.dist", "input.type": "log", "log.offset": 12955, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "208.44.23.185" + "208.44.23.185", + "192.168.0.35" ], "related.user": [ "-" @@ -5050,8 +5050,8 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1349057487.172 436 192.168.0.35 TCP_MISS/200 23087 GET http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist - DIRECT/208.44.23.185 text/xml", + "file.name": "041-5328.English.dist", "fileset.name": "log", - "http.response.body.content": "041-5328.English.dist", "input.type": "log", "log.offset": 13158, "observer.product": "Proxy", @@ -5070,8 +5070,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", 
@@ -5128,8 +5128,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5175,8 +5175,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.100", - "192.168.0.35" + "192.168.0.35", + "74.125.228.100" ], "related.user": [ "-" @@ -5233,8 +5233,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "74.125.228.96", - "192.168.0.35" + "192.168.0.35", + "74.125.228.96" ], "related.user": [ "-" @@ -5302,8 +5302,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5360,8 +5360,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5407,8 +5407,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "192.168.0.35", - "69.171.228.74" + "69.171.228.74", + "192.168.0.35" ], "related.user": [ "-" @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -5593,8 +5593,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json index d635ea27466..e9821274376 100644 
--- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -138,8 +138,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -196,8 +196,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.102", - "::1" + "::1", + "173.194.123.102" ], "related.user": [ "-" @@ -207,8 +207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -312,8 +312,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -381,8 +381,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -439,8 +439,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -486,8 +486,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" @@ -544,8 +544,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.96" + "173.194.123.96", + "::1" ], "related.user": [ "-" 
@@ -605,8 +605,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "216.58.219.237", - "::1" + "::1", + "216.58.219.237" ], "related.user": [ "-" @@ -663,8 +663,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.68", - "::1" + "::1", + "173.194.123.68" ], "related.user": [ "-" @@ -674,8 +674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -721,8 +721,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.102" + "173.194.123.102", + "::1" ], "related.user": [ "-" @@ -732,8 +732,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -779,8 +779,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -830,16 +830,16 @@ "event.dataset": "squid.log", "event.module": "squid", "event.original": "1431966958.711 276 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.105 application/ocsp-response", + "file.name": "ocsp", "fileset.name": "log", - "http.response.body.content": "ocsp", "input.type": "log", "log.offset": 1425, "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.123.105" + "173.194.123.105", + "::1" ], "related.user": [ "-" @@ -849,8 +849,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "application/ocsp-response", "rsa.misc.result_code": "200", 
@@ -954,8 +954,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1012,8 +1012,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1070,8 +1070,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.96", - "::1" + "::1", + "173.194.123.96" ], "related.user": [ "-" @@ -1081,8 +1081,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1128,8 +1128,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.123.71", - "::1" + "::1", + "173.194.123.71" ], "related.user": [ "-" @@ -1139,8 +1139,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1186,8 +1186,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1244,8 +1244,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1255,8 +1255,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1418,8 +1418,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" 
@@ -1429,8 +1429,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1487,8 +1487,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1592,8 +1592,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1603,8 +1603,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1650,8 +1650,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1661,8 +1661,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1708,8 +1708,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "173.194.206.189", - "::1" + "::1", + "173.194.206.189" ], "related.user": [ "-" @@ -1766,8 +1766,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "::1", - "173.194.206.189" + "173.194.206.189", + "::1" ], "related.user": [ "-" @@ -1777,8 +1777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -1824,8 +1824,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.123.67"
+ "173.194.123.67",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -1835,8 +1835,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1940,8 +1940,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -1951,8 +1951,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -1998,8 +1998,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2114,8 +2114,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -2125,8 +2125,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2172,8 +2172,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2183,8 +2183,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2230,8 +2230,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -2288,8 +2288,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2299,8 +2299,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2357,8 +2357,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2415,8 +2415,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2473,8 +2473,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2520,8 +2520,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.101",
- "::1"
+ "::1",
+ "173.194.123.101"
 ],
 "related.user": [
 "-"
@@ -2636,8 +2636,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "173.194.206.189"
+ "173.194.206.189",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2647,8 +2647,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2705,8 +2705,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2752,8 +2752,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.206.189",
- "::1"
+ "::1",
+ "173.194.206.189"
 ],
 "related.user": [
 "-"
@@ -2763,8 +2763,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -2810,8 +2810,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.226.83",
- "::1"
+ "::1",
+ "74.125.226.83"
 ],
 "related.user": [
 "-"
@@ -2862,16 +2862,16 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1432789885.671 220 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.40 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 4953,
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.123.40",
- "::1"
+ "::1",
+ "173.194.123.40"
 ],
 "related.user": [
 "-"
@@ -2986,8 +2986,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "74.125.226.83"
+ "74.125.226.83",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -2997,8 +2997,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3040,8 +3040,8 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1445267990.313 759 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 5280,
 "observer.product": "Proxy",
@@ -3059,8 +3059,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "POST",
- "TCP_MISS"
+ "TCP_MISS",
+ "POST"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -3102,16 +3102,16 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1445268003.557 192 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 5410,
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.174",
- "::1"
+ "::1",
+ "216.58.219.174"
 ],
 "related.user": [
 "-"
@@ -3121,8 +3121,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "POST",
- "TCP_MISS"
+ "TCP_MISS",
+ "POST"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -3182,8 +3182,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3243,8 +3243,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3293,8 +3293,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.174",
- "::1"
+ "::1",
+ "216.58.219.174"
 ],
 "related.user": [
 "-"
@@ -3304,8 +3304,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3354,8 +3354,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "216.58.219.174"
+ "216.58.219.174",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -3415,8 +3415,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.132",
- "::1"
+ "::1",
+ "216.58.219.132"
 ],
 "related.user": [
 "-"
@@ -3476,8 +3476,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.132",
- "::1"
+ "::1",
+ "216.58.219.132"
 ],
 "related.user": [
 "-"
@@ -3487,8 +3487,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3537,8 +3537,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.132",
- "::1"
+ "::1",
+ "216.58.219.132"
 ],
 "related.user": [
 "-"
@@ -3598,8 +3598,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "216.58.219.142",
- "::1"
+ "::1",
+ "216.58.219.142"
 ],
 "related.user": [
 "-"
@@ -3659,8 +3659,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "::1",
- "216.58.219.142"
+ "216.58.219.142",
+ "::1"
 ],
 "related.user": [
 "-"
@@ -3839,8 +3839,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.141.189",
- "::1"
+ "::1",
+ "74.125.141.189"
 ],
 "related.user": [
 "-"
@@ -3850,8 +3850,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3897,8 +3897,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "74.125.141.189",
- "::1"
+ "::1",
+ "74.125.141.189"
 ],
 "related.user": [
 "-"
@@ -3908,8 +3908,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -3966,8 +3966,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4027,8 +4027,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4088,8 +4088,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4138,8 +4138,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "216.58.219.238"
+ "216.58.219.238",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -4149,8 +4149,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4196,8 +4196,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "173.194.205.113"
+ "173.194.205.113",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -4248,16 +4248,16 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1483547243.947 153 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 7347,
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.6.238",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.6.238"
 ],
 "related.user": [
 "-"
@@ -4307,16 +4307,16 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1483547244.218 110 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 7483,
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "172.217.6.238"
+ "172.217.6.238",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -4326,8 +4326,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "POST"
+ "POST",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -4369,16 +4369,16 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1483809788.490 217 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 7619,
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "216.58.219.238"
+ "216.58.219.238",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -4431,8 +4431,8 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1483809788.504 224 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 7756,
 "observer.product": "Proxy",
@@ -4450,8 +4450,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "POST",
- "TCP_MISS"
+ "TCP_MISS",
+ "POST"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -4490,16 +4490,16 @@
 "event.dataset": "squid.log",
 "event.module": "squid",
 "event.original": "1492721605.095 1894 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response",
+ "file.name": "ocsp",
 "fileset.name": "log",
- "http.response.body.content": "ocsp",
 "input.type": "log",
 "log.offset": 7893,
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.6.238",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.6.238"
 ],
 "related.user": [
 "-"
@@ -4509,8 +4509,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "POST",
- "TCP_MISS"
+ "TCP_MISS",
+ "POST"
 ],
 "rsa.misc.content_type": "application/ocsp-response",
 "rsa.misc.result_code": "200",
@@ -4556,8 +4556,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.10.14",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.10.14"
 ],
 "related.user": [
 "-"
@@ -4672,8 +4672,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.10.14",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.10.14"
 ],
 "related.user": [
 "-"
@@ -4730,8 +4730,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.12.174"
 ],
 "related.user": [
 "-"
@@ -4741,8 +4741,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4857,8 +4857,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4904,8 +4904,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.2.85"
+ "10.100.2.85",
+ "172.217.12.174"
 ],
 "related.user": [
 "-"
@@ -4915,8 +4915,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -4962,8 +4962,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.2.85",
- "172.217.10.14"
+ "172.217.10.14",
+ "10.100.2.85"
 ],
 "related.user": [
 "-"
@@ -5020,8 +5020,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "173.194.204.156",
- "10.100.2.85"
+ "10.100.2.85",
+ "173.194.204.156"
 ],
 "related.user": [
 "-"
@@ -5089,8 +5089,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5194,8 +5194,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.12.174"
 ],
 "related.user": [
 "-"
@@ -5321,8 +5321,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5368,8 +5368,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "172.217.12.174"
+ "172.217.12.174",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -5379,8 +5379,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5562,8 +5562,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5623,8 +5623,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5673,8 +5673,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "216.58.219.206"
+ "216.58.219.206",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -5684,8 +5684,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5731,8 +5731,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "172.217.12.174",
- "10.100.0.1"
+ "10.100.0.1",
+ "172.217.12.174"
 ],
 "related.user": [
 "-"
@@ -5742,8 +5742,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
+ "TCP_MISS",
+ "CONNECT"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5803,8 +5803,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5850,8 +5850,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.ip": [
- "10.100.0.1",
- "172.217.12.174"
+ "172.217.12.174",
+ "10.100.0.1"
 ],
 "related.user": [
 "-"
@@ -5861,8 +5861,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md
index 892366efc66..5900664019f 100644
--- a/x-pack/filebeat/module/tenable/README.md
+++ b/x-pack/filebeat/module/tenable/README.md
@@ -3,5 +3,5 @@
 This is a module for Tenable Network Security Nessus logs.
 
 Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0
-at 2020-07-13 17:12:04.056255 +0000 UTC.
+at 2020-07-13 17:55:39.468229 +0000 UTC.
 
diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
--- a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
+++ b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md
index 3c18b901d1d..3a24ecf13e5 100644
--- a/x-pack/filebeat/module/tomcat/README.md
+++ b/x-pack/filebeat/module/tomcat/README.md
@@ -3,5 +3,5 @@
 This is a module for Apache Tomcat logs.
 
 Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105
-at 2020-07-13 17:11:56.134376 +0000 UTC.
+at 2020-07-13 17:55:32.188756 +0000 UTC.
 
diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
index 0348f89e2d8..c8cf5e2ee06 100644
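Review bot: The new `webpage` → `file.name` mapping at `@@ -1050` routes a URL path component into an ECS file field: the squid fixtures in this patch now carry `"file.name": "ocsp"` taken from `http://clients1.google.com/ocsp`, which is a requested resource rather than a file on the observer, so detection content keyed on `file.name` may start matching proxy request paths. If `fld_prio` keeps the lowest `prio` (the setter's rule is not visible in this hunk), `filename` at prio 0 wins over `webpage` at prio 1 whenever both are parsed; a comment stating that, e.g. `// webpage: requested resource name; filename (prio 0) takes precedence when both are present`, would make the intent reviewable. The identical change appears in the tomcat copy of liblogparser.js below (same `0348f89e2d8..c8cf5e2ee06` index), so the shared template rather than each module copy is the place to carry the comment.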
--- a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
+++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
@@ -960,7 +960,7 @@ var ecs_mappings = {
 "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
 "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
 "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
 "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
 "filepath": {to:[{field: "file.path", setter: fld_set}]},
 "filetype": {to:[{field: "file.type", setter: fld_set}]},
@@ -1050,7 +1050,7 @@ var ecs_mappings = {
 "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
 "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
 "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
 };
 
 var rsa_mappings = {
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
index ce484daec7a..4df04b99e4d 100644
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -6,9 +6,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu",
 "event.timezone": "OMST",
+ "file.name": "vol",
 "fileset.name": "log",
 "http.request.referrer": "https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer",
- "http.response.body.content": "vol",
 "input.type": "log",
 "log.offset": 0,
 "observer.product": "TomCat",
@@ -60,9 +60,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari",
 "event.timezone": "PST",
+ "file.name": "pisciv",
 "fileset.name": "log",
 "http.request.referrer": "https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn",
- "http.response.body.content": "pisciv",
 "input.type": "log",
 "log.offset": 369,
 "observer.product": "TomCat",
@@ -112,10 +112,10 @@
 "event.module": "tomcat",
 "event.original": "February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul",
 "event.timezone": "PT",
+ "file.name": "emape",
 "fileset.name": "log",
 "host.name": "ctetur5806.api.home",
 "http.request.referrer": "https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons",
- "http.response.body.content": "emape",
 "input.type": "log",
 "log.offset": 708,
 "observer.product": "TomCat",
@@ -169,9 +169,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec",
 "event.timezone": "CT",
+ "file.name": "ionofde",
 "fileset.name": "log",
 "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit",
- "http.response.body.content": "ionofde",
 "input.type": "log",
 "log.offset": 1166,
 "observer.product": "TomCat",
@@ -223,9 +223,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||fug",
 "event.timezone": "GMT+02:00",
+ "file.name": "equuntu",
 "fileset.name": "log",
 "http.request.referrer": "https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat",
- "http.response.body.content": "equuntu",
 "input.type": "log",
 "log.offset": 1603,
 "observer.product": "TomCat",
@@ -277,9 +277,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi",
 "event.timezone": "PST",
+ "file.name": "pori",
 "fileset.name": "log",
 "http.request.referrer": "https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu",
- "http.response.body.content": "pori",
 "input.type": "log",
 "log.offset": 1997,
 "observer.product": "TomCat",
@@ -331,10 +331,10 @@
 "event.module": "tomcat",
 "event.original": "April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed",
 "event.timezone": "PT",
+ "file.name": "loremagn",
 "fileset.name": "log",
 "host.name": "erep2696.www.home",
 "http.request.referrer": "https://api.example.com/uovol/dmi.txt?quunt=ptat#ore",
- "http.response.body.content": "loremagn",
 "input.type": "log",
 "log.offset": 2400,
 "observer.product": "TomCat",
@@ -388,10 +388,10 @@
 "event.module": "tomcat",
 "event.original": "May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam",
 "event.timezone": "CEST",
+ "file.name": "inB",
 "fileset.name": "log",
 "host.name": "mUt2398.invalid",
 "http.request.referrer": "https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio",
- "http.response.body.content": "inB",
 "input.type": "log",
 "log.offset": 2830,
 "observer.product": "TomCat",
@@ -445,9 +445,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera",
 "event.timezone": "CT",
+ "file.name": "iqu",
 "fileset.name": "log",
 "http.request.referrer": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto",
- "http.response.body.content": "iqu",
 "input.type": "log",
 "log.offset": 3299,
 "observer.product": "TomCat",
@@ -499,9 +499,9 @@
 "event.module": "tomcat",
 "event.original": "%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc",
 "event.timezone": "OMST",
+ "file.name": "metcon",
 "fileset.name": "log",
 "http.request.referrer": "https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist",
- "http.response.body.content": "metcon",
 "input.type": "log",
 "log.offset": 3696,
 "observer.product": "TomCat",
@@ -551,10 +551,10 @@
 "event.module": "tomcat",
 "event.original": "June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain",
 "event.timezone": "PST",
+ "file.name": "antiumto",
 "fileset.name": "log",
 "host.name": "siuta2896.www.localhost",
 "http.request.referrer": "https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea",
- "http.response.body.content": "antiumto",
 "input.type": "log",
 "log.offset": 4044,
 "observer.product": "TomCat",
@@ -608,10 +608,10 @@
 "event.module": "tomcat",
 "event.original": "July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq",
 "event.timezone": "PST",
+ "file.name": "onproide",
 "fileset.name": "log",
 "host.name": "oin6316.www5.host",
 "http.request.referrer": "https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE",
- "http.response.body.content": "onproide",
 "input.type": "log",
 "log.offset": 4460,
 "observer.product": "TomCat",
@@ -665,10 +665,10 @@ "event.module": "tomcat", "event.original": "July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto", "event.timezone": "GMT+02:00", + "file.name": "tectobe", "fileset.name": "log", "host.name": "tionemu7691.www.local", "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", - "http.response.body.content": "tectobe", "input.type": "log", "log.offset": 4878, "observer.product": "TomCat", @@ -722,9 +722,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese", "event.timezone": "OMST", + "file.name": "ici", "fileset.name": "log", "http.request.referrer": "https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten", - "http.response.body.content": "ici", "input.type": "log", "log.offset": 5364, "observer.product": "TomCat", 
@@ -776,9 +776,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio", "event.timezone": "GMT+02:00", + "file.name": "idolor", "fileset.name": "log", "http.request.referrer": "https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu", - "http.response.body.content": "idolor", "input.type": "log", "log.offset": 5761, "observer.product": "TomCat", @@ -830,10 +830,10 @@ "event.module": "tomcat", "event.original": "August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn", "event.timezone": "CET", + "file.name": "olorema", "fileset.name": "log", "host.name": "conse2991.internal.lan", "http.request.referrer": "https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit", - "http.response.body.content": "olorema", "input.type": "log", "log.offset": 6206, "observer.product": "TomCat", 
@@ -887,9 +887,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu", "event.timezone": "ET", + "file.name": "iadese", "fileset.name": "log", "http.request.referrer": "https://example.com/tlabori/oin.jpg?quisnos=ite#ationul", - "http.response.body.content": "iadese", "input.type": "log", "log.offset": 6628, "observer.product": "TomCat", @@ -941,10 +941,10 @@ "event.module": "tomcat", "event.original": "September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender", "event.timezone": "PST", + "file.name": "eaq", "fileset.name": "log", "host.name": "wri2784.api.domain", "http.request.referrer": "https://www.example.com/adeseru/emoe.html?atur=itanimi#itame", - "http.response.body.content": "eaq", "input.type": "log", "log.offset": 7086, "observer.product": "TomCat", 
@@ -998,9 +998,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab", "event.timezone": "GMT+02:00", + "file.name": "radipisc", "fileset.name": "log", "http.request.referrer": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", - "http.response.body.content": "radipisc", "input.type": "log", "log.offset": 7515, "observer.product": "TomCat", @@ -1052,10 +1052,10 @@ "event.module": "tomcat", "event.original": "October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor", "event.timezone": "GMT-07:00", + "file.name": "boN", "fileset.name": "log", "host.name": "oquisqu2937.mail.domain", "http.request.referrer": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", - "http.response.body.content": "boN", "input.type": "log", "log.offset": 7922, "observer.product": "TomCat", 
@@ -1109,10 +1109,10 @@ "event.module": "tomcat", "event.original": "November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol", "event.timezone": "CT", + "file.name": "isnisiu", "fileset.name": "log", "host.name": "dolore1287.internal.lan", "http.request.referrer": "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", - "http.response.body.content": "isnisiu", "input.type": "log", "log.offset": 8486, "observer.product": "TomCat", @@ -1166,9 +1166,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan", "event.timezone": "OMST", + "file.name": "eroi", "fileset.name": "log", "http.request.referrer": "https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", - "http.response.body.content": "eroi", "input.type": "log", "log.offset": 8961, "observer.product": "TomCat", 
@@ -1220,9 +1220,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||uiinea", "event.timezone": "ET", + "file.name": "iciadese", "fileset.name": "log", "http.request.referrer": "https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat", - "http.response.body.content": "iciadese", "input.type": "log", "log.offset": 9407, "observer.product": "TomCat", @@ -1274,9 +1274,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure", "event.timezone": "CT", + "file.name": "ipsumdol", "fileset.name": "log", "http.request.referrer": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", - "http.response.body.content": "ipsumdol", "input.type": "log", "log.offset": 9841, "observer.product": "TomCat", 
@@ -1328,10 +1328,10 @@ "event.module": "tomcat", "event.original": "January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec", "event.timezone": "PST", + "file.name": "niamqui", "fileset.name": "log", "host.name": "ide2767.www5.local", "http.request.referrer": "https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav", - "http.response.body.content": "niamqui", "input.type": "log", "log.offset": 10224, "observer.product": "TomCat", @@ -1385,10 +1385,10 @@ "event.module": "tomcat", "event.original": "January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain", "event.timezone": "OMST", + "file.name": "etconsec", "fileset.name": "log", "host.name": "sBon1759.invalid", "http.request.referrer": "https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol", - "http.response.body.content": "etconsec", "input.type": "log", "log.offset": 10625, "observer.product": "TomCat", 
@@ -1442,9 +1442,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol", "event.timezone": "ET", + "file.name": "utp", "fileset.name": "log", "http.request.referrer": "https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi", - "http.response.body.content": "utp", "input.type": "log", "log.offset": 11083, "observer.product": "TomCat", @@ -1496,9 +1496,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium", "event.timezone": "OMST", + "file.name": "uamni", "fileset.name": "log", "http.request.referrer": "https://api.example.org/loreme/untu.htm?ven=con#nisist", - "http.response.body.content": "uamni", "input.type": "log", "log.offset": 11478, "observer.product": "TomCat", 
@@ -1550,10 +1550,10 @@ "event.module": "tomcat", "event.original": "March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed", "event.timezone": "CET", + "file.name": "gitsedqu", "fileset.name": "log", "host.name": "idunt4707.host", "http.request.referrer": "https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser", - "http.response.body.content": "gitsedqu", "input.type": "log", "log.offset": 11878, "observer.product": "TomCat", @@ -1607,9 +1607,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita", "event.timezone": "PT", + "file.name": "rnatur", "fileset.name": "log", "http.request.referrer": "https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre", - "http.response.body.content": "rnatur", "input.type": "log", "log.offset": 12362, "observer.product": "TomCat", 
@@ -1661,10 +1661,10 @@ "event.module": "tomcat", "event.original": "April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe", "event.timezone": "CT", + "file.name": "seq", "fileset.name": "log", "host.name": "emquia1497.www5.lan", "http.request.referrer": "https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu", - "http.response.body.content": "seq", "input.type": "log", "log.offset": 12826, "observer.product": "TomCat", @@ -1718,10 +1718,10 @@ "event.module": "tomcat", "event.original": "April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni", "event.timezone": "PT", + "file.name": "rnatu", "fileset.name": "log", "host.name": "riat3854.www5.home", "http.request.referrer": "https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla", - "http.response.body.content": "rnatu", "input.type": "log", "log.offset": 13211, "observer.product": "TomCat", 
@@ -1771,9 +1771,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo", "event.timezone": "OMST", + "file.name": "dolore", "fileset.name": "log", "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", - "http.response.body.content": "dolore", "input.type": "log", "log.offset": 13540, "observer.product": "TomCat", @@ -1825,10 +1825,10 @@ "event.module": "tomcat", "event.original": "May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto", "event.timezone": "ET", + "file.name": "liqua", "fileset.name": "log", "host.name": "aboreetd5461.host", "http.request.referrer": "https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem", - "http.response.body.content": "liqua", "input.type": "log", "log.offset": 14078, "observer.product": "TomCat", 
@@ -1882,9 +1882,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec", "event.timezone": "PT", + "file.name": "reprehe", "fileset.name": "log", "http.request.referrer": "https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo", - "http.response.body.content": "reprehe", "input.type": "log", "log.offset": 14644, "observer.product": "TomCat", @@ -1936,10 +1936,10 @@ "event.module": "tomcat", "event.original": "June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica", "event.timezone": "PT", + "file.name": "qua", "fileset.name": "log", "host.name": "iquidexe304.mail.test", "http.request.referrer": "https://api.example.com/tdol/upt.htm?asper=idunt#luptat", - "http.response.body.content": "qua", "input.type": "log", "log.offset": 15012, "observer.product": "TomCat", 
@@ -1993,10 +1993,10 @@ "event.module": "tomcat", "event.original": "June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites", "event.timezone": "OMST", + "file.name": "xce", "fileset.name": "log", "host.name": "remips4828.www5.host", "http.request.referrer": "https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor", - "http.response.body.content": "xce", "input.type": "log", "log.offset": 15419, "observer.product": "TomCat", @@ -2050,9 +2050,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae", "event.timezone": "GMT+02:00", + "file.name": "ariatur", "fileset.name": "log", "http.request.referrer": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", - "http.response.body.content": "ariatur", "input.type": "log", "log.offset": 15838, "observer.product": "TomCat", 
@@ -2104,9 +2104,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun", "event.timezone": "OMST", + "file.name": "est", "fileset.name": "log", "http.request.referrer": "https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc", - "http.response.body.content": "est", "input.type": "log", "log.offset": 16270, "observer.product": "TomCat", @@ -2158,9 +2158,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq", "event.timezone": "CT", + "file.name": "giatquov", "fileset.name": "log", "http.request.referrer": "https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame", - "http.response.body.content": "giatquov", "input.type": "log", "log.offset": 16704, "observer.product": "TomCat", 
@@ -2212,10 +2212,10 @@ "event.module": "tomcat", "event.original": "August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq", "event.timezone": "PST", + "file.name": "oluptas", "fileset.name": "log", "host.name": "orin5238.host", "http.request.referrer": "https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita", - "http.response.body.content": "oluptas", "input.type": "log", "log.offset": 17094, "observer.product": "TomCat", @@ -2269,9 +2269,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni", "event.timezone": "OMST", + "file.name": "itlab", "fileset.name": "log", "http.request.referrer": "https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve", - "http.response.body.content": "itlab", "input.type": "log", "log.offset": 17515, "observer.product": "TomCat", 
@@ -2321,9 +2321,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq", "event.timezone": "CT", + "file.name": "tate", "fileset.name": "log", "http.request.referrer": "https://example.org/onu/liquaUte.txt?velillu=ria#atDu", - "http.response.body.content": "tate", "input.type": "log", "log.offset": 17856, "observer.product": "TomCat", @@ -2375,10 +2375,10 @@ "event.module": "tomcat", "event.original": "October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo", "event.timezone": "CEST", + "file.name": "estl", "fileset.name": "log", "host.name": "agnaaliq1829.mail.test", "http.request.referrer": "https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl", - "http.response.body.content": "estl", "input.type": "log", "log.offset": 18224, "observer.product": "TomCat", 
@@ -2432,9 +2432,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc", "event.timezone": "PST", + "file.name": "mve", "fileset.name": "log", "http.request.referrer": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", - "http.response.body.content": "mve", "input.type": "log", "log.offset": 18644, "observer.product": "TomCat", @@ -2486,9 +2486,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo", "event.timezone": "OMST", + "file.name": "eavolup", "fileset.name": "log", "http.request.referrer": "https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ", - "http.response.body.content": "eavolup", "input.type": "log", "log.offset": 19027, "observer.product": "TomCat", 
@@ -2540,9 +2540,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-494-GET: 10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd", "event.timezone": "ET", + "file.name": "iscive", "fileset.name": "log", "http.request.referrer": "https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea", - "http.response.body.content": "iscive", "input.type": "log", "log.offset": 19452, "observer.product": "TomCat", @@ -2594,10 +2594,10 @@ "event.module": "tomcat", "event.original": "December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo", "event.timezone": "PST", + "file.name": "turvel", "fileset.name": "log", "host.name": "iatqu7310.api.home", "http.request.referrer": "https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed", - "http.response.body.content": "turvel", "input.type": "log", "log.offset": 19817, "observer.product": "TomCat", 
@@ -2651,10 +2651,10 @@ "event.module": "tomcat", "event.original": "December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim", "event.timezone": "ET", + "file.name": "rsi", "fileset.name": "log", "host.name": "uamnihil6127.api.domain", "http.request.referrer": "https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex", - "http.response.body.content": "rsi", "input.type": "log", "log.offset": 20237, "observer.product": "TomCat", @@ -2708,10 +2708,10 @@ "event.module": "tomcat", "event.original": "December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet", "event.timezone": "PT", + "file.name": "des", "fileset.name": "log", "host.name": "uov1629.internal.invalid", "http.request.referrer": "https://www.example.org/taedi/tquido.html?etconsec=elillum#upt", - "http.response.body.content": "des", "input.type": "log", "log.offset": 20688, "observer.product": "TomCat", 
@@ -2765,9 +2765,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF", "event.timezone": "CET", + "file.name": "lupta", "fileset.name": "log", "http.request.referrer": "https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih", - "http.response.body.content": "lupta", "input.type": "log", "log.offset": 21121, "observer.product": "TomCat", @@ -2819,10 +2819,10 @@ "event.module": "tomcat", "event.original": "January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon", "event.timezone": "GMT-07:00", + "file.name": "ugiatquo", "fileset.name": "log", "host.name": "orumw5960.www5.home", "http.request.referrer": "https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema", - "http.response.body.content": "ugiatquo", "input.type": "log", "log.offset": 21574, "observer.product": "TomCat", 
@@ -2876,9 +2876,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem", "event.timezone": "GMT+02:00", + "file.name": "red", "fileset.name": "log", "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", - "http.response.body.content": "red", "input.type": "log", "log.offset": 21994, "observer.product": "TomCat", @@ -2930,9 +2930,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua", "event.timezone": "CET", + "file.name": "atcupi", "fileset.name": "log", "http.request.referrer": "https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa", - "http.response.body.content": "atcupi", "input.type": "log", "log.offset": 22449, "observer.product": "TomCat", 
@@ -2984,10 +2984,10 @@ "event.module": "tomcat", "event.original": "March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll", "event.timezone": "CEST", + "file.name": "veleum", "fileset.name": "log", "host.name": "deriti6952.mail.domain", "http.request.referrer": "https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio", - "http.response.body.content": "veleum", "input.type": "log", "log.offset": 22822, "observer.product": "TomCat", @@ -3041,9 +3041,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq", "event.timezone": "CEST", + "file.name": "odi", "fileset.name": "log", "http.request.referrer": "https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab", - "http.response.body.content": "odi", "input.type": "log", "log.offset": 23258, "observer.product": "TomCat", 
@@ -3095,10 +3095,10 @@ "event.module": "tomcat", "event.original": "April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo", "event.timezone": "ET", + "file.name": "tatevel", "fileset.name": "log", "host.name": "nse3421.mail.localhost", "http.request.referrer": "https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui", - "http.response.body.content": "tatevel", "input.type": "log", "log.offset": 23666, "observer.product": "TomCat", @@ -3152,9 +3152,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa", "event.timezone": "OMST", + "file.name": "isiutali", "fileset.name": "log", "http.request.referrer": "https://mail.example.net/unt/tass.html?tla=mquiad#CSe", - "http.response.body.content": "isiutali", "input.type": "log", "log.offset": 24141, "observer.product": "TomCat", 
@@ -3204,9 +3204,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla", "event.timezone": "PST", + "file.name": "iamea", "fileset.name": "log", "http.request.referrer": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", - "http.response.body.content": "iamea", "input.type": "log", "log.offset": 24484, "observer.product": "TomCat", @@ -3258,10 +3258,10 @@ "event.module": "tomcat", "event.original": "May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except", "event.timezone": "CEST", + "file.name": "ditautf", "fileset.name": "log", "host.name": "tautfug689.localdomain", "http.request.referrer": "https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag", - "http.response.body.content": "ditautf", "input.type": "log", "log.offset": 24917, "observer.product": "TomCat", 
@@ -3315,10 +3315,10 @@ "event.module": "tomcat", "event.original": "June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer", "event.timezone": "PST", + "file.name": "iciadese", "fileset.name": "log", "host.name": "totam6886.api.localhost", "http.request.referrer": "https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo", - "http.response.body.content": "iciadese", "input.type": "log", "log.offset": 25326, "observer.product": "TomCat", @@ -3372,9 +3372,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul", "event.timezone": "OMST", + "file.name": "umdolors", "fileset.name": "log", "http.request.referrer": "https://internal.example.org/uovol/prehend.html?eque=eufug#est", - "http.response.body.content": "umdolors", "input.type": "log", "log.offset": 25746, "observer.product": "TomCat", 
@@ -3426,10 +3426,10 @@ "event.module": "tomcat", "event.original": "July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau", "event.timezone": "CT", + "file.name": "atnul", "fileset.name": "log", "host.name": "tquo854.api.domain", "http.request.referrer": "https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl", - "http.response.body.content": "atnul", "input.type": "log", "log.offset": 26190, "observer.product": "TomCat", @@ -3483,9 +3483,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola", "event.timezone": "ET", + "file.name": "udan", "fileset.name": "log", "http.request.referrer": "https://example.net/orum/Bonoru.txt?agnamal=quei#quio", - "http.response.body.content": "udan", "input.type": "log", "log.offset": 26601, "observer.product": "TomCat", 
@@ -3537,10 +3537,10 @@ "event.module": "tomcat", "event.original": "August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore", "event.timezone": "PST", + "file.name": "radip", "fileset.name": "log", "host.name": "venia6656.api.domain", "http.request.referrer": "https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica", - "http.response.body.content": "radip", "input.type": "log", "log.offset": 26982, "observer.product": "TomCat", @@ -3594,10 +3594,10 @@ "event.module": "tomcat", "event.original": "August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco", "event.timezone": "GMT+02:00", + "file.name": "elillum", "fileset.name": "log", "host.name": "veniam1216.www5.invalid", "http.request.referrer": "https://example.com/santi/ritati.gif?turadip=dip#idolo", - "http.response.body.content": "elillum", "input.type": "log", "log.offset": 27454, "observer.product": "TomCat", 
@@ -3647,10 +3647,10 @@ "event.module": "tomcat", "event.original": "August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met", "event.timezone": "GMT+02:00", + "file.name": "Finibus", "fileset.name": "log", "host.name": "runtm5729.invalid", "http.request.referrer": "https://www5.example.com/itametco/vel.htm?rere=pta#nonn", - "http.response.body.content": "Finibus", "input.type": "log", "log.offset": 27908, "observer.product": "TomCat", @@ -3704,9 +3704,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq", "event.timezone": "CEST", + "file.name": "amquaer", "fileset.name": "log", "http.request.referrer": "https://www5.example.net/iat/ffic.htm?cte=aparia#CSe", - "http.response.body.content": "amquaer", "input.type": "log", "log.offset": 28378, "observer.product": "TomCat", 
@@ -3758,10 +3758,10 @@ "event.module": "tomcat", "event.original": "September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt", "event.timezone": "GMT+02:00", + "file.name": "ever", "fileset.name": "log", "host.name": "pta6012.www.local", "http.request.referrer": "https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei", - "http.response.body.content": "ever", "input.type": "log", "log.offset": 28738, "observer.product": "TomCat", @@ -3815,9 +3815,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi", "event.timezone": "OMST", + "file.name": "rumSecti", "fileset.name": "log", "http.request.referrer": "https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu", - "http.response.body.content": "rumSecti", "input.type": "log", "log.offset": 29180, "observer.product": "TomCat", 
@@ -3869,9 +3869,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat", "event.timezone": "GMT-07:00", + "file.name": "tam", "fileset.name": "log", "http.request.referrer": "https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc", - "http.response.body.content": "tam", "input.type": "log", "log.offset": 29627, "observer.product": "TomCat", @@ -3923,10 +3923,10 @@ "event.module": "tomcat", "event.original": "November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq", "event.timezone": "CEST", + "file.name": "inimav", "fileset.name": "log", "host.name": "orsi2109.internal.home", "http.request.referrer": "https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev", - "http.response.body.content": "inimav", "input.type": "log", "log.offset": 30008, "observer.product": "TomCat", 
@@ -3976,10 +3976,10 @@ "event.module": "tomcat", "event.original": "November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit", "event.timezone": "CT", + "file.name": "eprehen", "fileset.name": "log", "host.name": "quaeabil2539.www5.lan", "http.request.referrer": "https://example.net/dolor/lorumwri.htm?mquis=lab#uido", - "http.response.body.content": "eprehen", "input.type": "log", "log.offset": 30458, "observer.product": "TomCat", @@ -4033,10 +4033,10 @@ "event.module": "tomcat", "event.original": "December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut", "event.timezone": "OMST", + "file.name": "eaqueip", "fileset.name": "log", "host.name": "aal1598.mail.host", "http.request.referrer": "https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab", - "http.response.body.content": "eaqueip", "input.type": "log", "log.offset": 30879, "observer.product": "TomCat", 
@@ -4090,9 +4090,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem", "event.timezone": "PST", + "file.name": "tno", "fileset.name": "log", "http.request.referrer": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", - "http.response.body.content": "tno", "input.type": "log", "log.offset": 31317, "observer.product": "TomCat", @@ -4142,9 +4142,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa", "event.timezone": "ET", + "file.name": "nse", "fileset.name": "log", "http.request.referrer": "https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq", - "http.response.body.content": "nse", "input.type": "log", "log.offset": 31660, "observer.product": "TomCat", 
@@ -4196,9 +4196,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor", "event.timezone": "CEST", + "file.name": "ipis", "fileset.name": "log", "http.request.referrer": "https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam", - "http.response.body.content": "ipis", "input.type": "log", "log.offset": 32096, "observer.product": "TomCat", @@ -4250,10 +4250,10 @@ "event.module": "tomcat", "event.original": "February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd", "event.timezone": "GMT-07:00", + "file.name": "orsitv", "fileset.name": "log", "host.name": "oid218.api.invalid", "http.request.referrer": "https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi", - "http.response.body.content": "orsitv", "input.type": "log", "log.offset": 32480, "observer.product": "TomCat", 
@@ -4307,10 +4307,10 @@ "event.module": "tomcat", "event.original": "February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con", "event.timezone": "ET", + "file.name": "itl", "fileset.name": "log", "host.name": "sectetur2674.www5.test", "http.request.referrer": "https://example.com/eumfu/lors.gif?upidata=ici#usant", - "http.response.body.content": "itl", "input.type": "log", "log.offset": 32919, "observer.product": "TomCat", @@ -4364,10 +4364,10 @@ "event.module": "tomcat", "event.original": "March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti", "event.timezone": "GMT+02:00", + "file.name": "umqui", "fileset.name": "log", "host.name": "sequatD4487.internal.localhost", "http.request.referrer": "https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi", - "http.response.body.content": "umqui", "input.type": "log", "log.offset": 33403, "observer.product": "TomCat", 
@@ -4421,9 +4421,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau", "event.timezone": "PST", + "file.name": "boreet", "fileset.name": "log", "http.request.referrer": "https://api.example.org/xerc/Nequep.htm?ria=beat#rro", - "http.response.body.content": "boreet", "input.type": "log", "log.offset": 33846, "observer.product": "TomCat", @@ -4475,9 +4475,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq", "event.timezone": "GMT-07:00", + "file.name": "tesse", "fileset.name": "log", "http.request.referrer": "https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut", - "http.response.body.content": "tesse", "input.type": "log", "log.offset": 34283, "observer.product": "TomCat", 
@@ -4525,10 +4525,10 @@ "event.module": "tomcat", "event.original": "April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse", "event.timezone": "CT", + "file.name": "mexerci", "fileset.name": "log", "host.name": "nul5107.www5.domain", "http.request.referrer": "https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi", - "http.response.body.content": "mexerci", "input.type": "log", "log.offset": 34572, "observer.product": "TomCat", @@ -4582,10 +4582,10 @@ "event.module": "tomcat", "event.original": "April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel", "event.timezone": "GMT-07:00", + "file.name": "boriosa", "fileset.name": "log", "host.name": "nimadmin5630.localdomain", "http.request.referrer": "https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost", - "http.response.body.content": "boriosa", "input.type": "log", "log.offset": 35009, "observer.product": "TomCat", 
@@ -4639,10 +4639,10 @@ "event.module": "tomcat", "event.original": "May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit", "event.timezone": "PT", + "file.name": "lors", "fileset.name": "log", "host.name": "sequuntu3563.internal.test", "http.request.referrer": "https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi", - "http.response.body.content": "lors", "input.type": "log", "log.offset": 35444, "observer.product": "TomCat", @@ -4696,9 +4696,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw", "event.timezone": "CEST", + "file.name": "quaerat", "fileset.name": "log", "http.request.referrer": "https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi", - "http.response.body.content": "quaerat", "input.type": "log", "log.offset": 35912, "observer.product": "TomCat", 
@@ -4750,9 +4750,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq", "event.timezone": "CT", + "file.name": "illumdo", "fileset.name": "log", "http.request.referrer": "https://www.example.com/uae/ata.htm?snulap=cidu#hilmol", - "http.response.body.content": "illumdo", "input.type": "log", "log.offset": 36349, "observer.product": "TomCat", @@ -4804,10 +4804,10 @@ "event.module": "tomcat", "event.original": "June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari", "event.timezone": "ET", + "file.name": "dit", "fileset.name": "log", "host.name": "tdolo2150.www.example", "http.request.referrer": "https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug", - "http.response.body.content": "dit", "input.type": "log", "log.offset": 36779, "observer.product": "TomCat", 
@@ -4861,10 +4861,10 @@ "event.module": "tomcat", "event.original": "July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid", "event.timezone": "CT", + "file.name": "quiav", "fileset.name": "log", "host.name": "cinge6032.api.local", "http.request.referrer": "https://internal.example.org/unt/isni.htm?ecillum=olor#amei", - "http.response.body.content": "quiav", "input.type": "log", "log.offset": 37193, "observer.product": "TomCat", @@ -4918,9 +4918,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu", "event.timezone": "ET", + "file.name": "emp", "fileset.name": "log", "http.request.referrer": "https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat", - "http.response.body.content": "emp", "input.type": "log", "log.offset": 37607, "observer.product": "TomCat", 
@@ -4972,10 +4972,10 @@ "event.module": "tomcat", "event.original": "August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa", "event.timezone": "CEST", + "file.name": "utfugi", "fileset.name": "log", "host.name": "ende6053.local", "http.request.referrer": "https://internal.example.net/tvol/lup.gif?ollita=qua#ionula", - "http.response.body.content": "utfugi", "input.type": "log", "log.offset": 37977, "observer.product": "TomCat", @@ -5029,9 +5029,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo", "event.timezone": "PST", + "file.name": "leumiur", "fileset.name": "log", "http.request.referrer": "https://example.net/undeomn/ape.jpg?amco=ons#onsecte", - "http.response.body.content": "leumiur", "input.type": "log", "log.offset": 38442, "observer.product": "TomCat", 
@@ -5083,9 +5083,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides", "event.timezone": "OMST", + "file.name": "onorume", "fileset.name": "log", "http.request.referrer": "https://example.net/tionev/uasiarch.html?qui=ehender#equa", - "http.response.body.content": "onorume", "input.type": "log", "log.offset": 38823, "observer.product": "TomCat", @@ -5137,9 +5137,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea", "event.timezone": "GMT+02:00", + "file.name": "nemul", "fileset.name": "log", "http.request.referrer": "https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira", - "http.response.body.content": "nemul", "input.type": "log", "log.offset": 39233, "observer.product": "TomCat", 
@@ -5187,10 +5187,10 @@ "event.module": "tomcat", "event.original": "October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol", "event.timezone": "PST", + "file.name": "cipitla", "fileset.name": "log", "host.name": "didun1193.example", "http.request.referrer": "https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo", - "http.response.body.content": "cipitla", "input.type": "log", "log.offset": 39505, "observer.product": "TomCat", @@ -5244,10 +5244,10 @@ "event.module": "tomcat", "event.original": "October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau", "event.timezone": "PST", + "file.name": "sequines", "fileset.name": "log", "host.name": "apari2660.www5.lan", "http.request.referrer": "https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve", - "http.response.body.content": "sequines", "input.type": "log", "log.offset": 39956, "observer.product": "TomCat", 
@@ -5301,10 +5301,10 @@ "event.module": "tomcat", "event.original": "November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta", "event.timezone": "CET", + "file.name": "econ", "fileset.name": "log", "host.name": "nvolupta238.www.host", "http.request.referrer": "https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons", - "http.response.body.content": "econ", "input.type": "log", "log.offset": 40457, "observer.product": "TomCat", @@ -5358,10 +5358,10 @@ "event.module": "tomcat", "event.original": "November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve", "event.timezone": "GMT-07:00", + "file.name": "sedd", "fileset.name": "log", "host.name": "icer123.mail.example", "http.request.referrer": "https://api.example.com/dan/pta.html?oNem=itaedict#eroi", - "http.response.body.content": "sedd", "input.type": "log", "log.offset": 40863, "observer.product": "TomCat", 
@@ -5415,10 +5415,10 @@ "event.module": "tomcat", "event.original": "November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua", "event.timezone": "GMT-07:00", + "file.name": "edictasu", "fileset.name": "log", "host.name": "lumqui6488.api.example", "http.request.referrer": "https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe", - "http.response.body.content": "edictasu", "input.type": "log", "log.offset": 41290, "observer.product": "TomCat", @@ -5472,9 +5472,9 @@ "event.module": "tomcat", "event.original": "%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu", "event.timezone": "PT", + "file.name": "litsedd", "fileset.name": "log", "http.request.referrer": "https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse", - "http.response.body.content": "litsedd", "input.type": "log", "log.offset": 41781, "observer.product": "TomCat", diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md index 27378a361f7..0cd50920c35 100644 --- a/x-pack/filebeat/module/zscaler/README.md +++ b/x-pack/filebeat/module/zscaler/README.md 
@@ -3,5 +3,5 @@ This is a module for Zscaler NSS logs. Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-13 17:12:07.752747 +0000 UTC. +at 2020-07-13 17:55:42.808847 +0000 UTC. diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js index 0348f89e2d8..c8cf5e2ee06 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js +++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js @@ -960,7 +960,7 @@ var ecs_mappings = { "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, @@ -1050,7 +1050,7 @@ var ecs_mappings = { "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "http.response.body.content", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, }; var rsa_mappings = { diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index f58fde3637d..2df5f4bcff8 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json 
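Review bot: Both `file.name` producers in `ecs_mappings` now rely on `fld_prio` ordering (`filename` at `prio: 0`, `webpage` at `prio: 1`) but nothing in the hunks at `@@ -960` and `@@ -1050` records which entry is meant to win when an event carries both keys; `fld_prio` is defined outside these hunks, so I am only inferring from the existing `web_referer`/`web_query` pair that a lower number is preferred. A one-line comment above the `webpage` entry would make the intent reviewable, e.g. `// file.name: the parser's explicit filename (prio 0) wins over the requested webpage, which is only a fallback`. It is also worth a sentence on why `webpage` no longer lands in `http.response.body.content`, since a requested-page value in a response-body field would mislead any detection content keyed on that field. This `ecs_mappings` table appears to be vendored per module (the tomcat fixtures above show the same `http.response.body.content` to `file.name` shift), so the change presumably also needs to land in whatever template these copies are generated from, or the next regeneration will revert it.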
@@ -23,8 +23,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.206.191.17", - "10.176.10.114" + "10.176.10.114", + "10.206.191.17" ], "related.user": [ "sumdo" @@ -94,8 +94,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.46.95", - "10.173.22.152" + "10.173.22.152", + "10.26.46.95" ], "related.user": [ "eataevi" @@ -313,8 +313,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" @@ -386,8 +386,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" @@ -401,8 +401,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "Allowed", - "ist" + "ist", + "Allowed" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -459,8 +459,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.243.224.205", - "10.123.104.59" + "10.123.104.59", + "10.243.224.205" ], "related.user": [ "xercitat" @@ -532,8 +532,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.185.63", - "10.74.17.5" + "10.74.17.5", + "10.119.185.63" ], "related.user": [ "erc" @@ -605,8 +605,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.25.192.202", - "10.78.151.178" + "10.78.151.178", + "10.25.192.202" ], "related.user": [ "quip" @@ -620,8 +620,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "Allowed", - "amvolup" + "amvolup", + "Allowed" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", 
@@ -678,8 +678,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.225.244", - "10.71.170.37" + "10.71.170.37", + "10.135.225.244" ], "related.user": [ "atu" @@ -766,8 +766,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "Allowed", - "emseq" + "emseq", + "Allowed" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -824,8 +824,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.181.80.139", - "10.2.53.125" + "10.2.53.125", + "10.181.80.139" ], "related.user": [ "ihilmo" @@ -839,8 +839,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "lorsitam", - "Allowed" + "Allowed", + "lorsitam" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -912,8 +912,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "veni", - "Allowed" + "Allowed", + "veni" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -985,8 +985,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "ionevo", - "Allowed" + "Allowed", + "ionevo" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1116,8 +1116,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.252.124.150", - "10.5.126.127" + "10.5.126.127", + "10.252.124.150" ], "related.user": [ "inibusB" @@ -1189,8 +1189,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.126.231", - "10.201.171.120" + "10.201.171.120", + "10.91.126.231" ], "related.user": [ "exercita" 
@@ -1277,8 +1277,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "Allowed", - "itecto" + "itecto", + "Allowed" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1335,8 +1335,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.198.58", - "10.215.205.216" + "10.215.205.216", + "10.31.198.58" ], "related.user": [ "aturve" @@ -1423,8 +1423,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "Allowed", - "llitanim" + "llitanim", + "Allowed" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1642,8 +1642,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "atcupi", - "Blocked" + "Blocked", + "atcupi" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1715,8 +1715,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "Allowed", - "gnaal" + "gnaal", + "Allowed" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1788,8 +1788,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "risnis", - "Blocked" + "Blocked", + "risnis" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", @@ -1934,8 +1934,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "mod", - "Allowed" + "Allowed", + "mod" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -2007,8 +2007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "tatem", - "Allowed" + "Allowed", + "tatem" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", 
@@ -2065,8 +2065,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.101.38.213", - "10.204.214.251" + "10.204.214.251", + "10.101.38.213" ], "related.user": [ "ueipsa" @@ -2153,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "vitaed", - "Allowed" + "Allowed", + "vitaed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2284,8 +2284,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.229.242.223", - "10.80.57.247" + "10.80.57.247", + "10.229.242.223" ], "related.user": [ "itasp" @@ -2357,8 +2357,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.193.66.155", - "10.106.77.138" + "10.106.77.138", + "10.193.66.155" ], "related.user": [ "iusmodt" @@ -2503,8 +2503,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.49.242.174", - "10.131.246.134" + "10.131.246.134", + "10.49.242.174" ], "related.user": [ "umdolo" @@ -2518,8 +2518,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "Allowed", - "utemvel" + "utemvel", + "Allowed" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2649,8 +2649,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.138.188.201", - "10.128.184.241" + "10.128.184.241", + "10.138.188.201" ], "related.user": [ "etur" @@ -2664,8 +2664,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "sed", - "Allowed" + "Allowed", + "sed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2722,8 +2722,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.213.57.165", - "10.53.101.131" + "10.53.101.131", + "10.213.57.165" ], "related.user": [ "isau" 
@@ -2737,8 +2737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "Allowed", - "litanim" + "litanim", + "Allowed" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2795,8 +2795,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.243.6.41", - "10.55.81.14" + "10.55.81.14", + "10.243.6.41" ], "related.user": [ "eiusmo" @@ -2810,8 +2810,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "Blocked", - "lestia" + "lestia", + "Blocked" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2868,8 +2868,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.202.224.79", - "10.33.144.10" + "10.33.144.10", + "10.202.224.79" ], "related.user": [ "rios" @@ -2883,8 +2883,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "quu", - "Blocked" + "Blocked", + "quu" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -2941,8 +2941,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.158.18.51", - "10.20.124.138" + "10.20.124.138", + "10.158.18.51" ], "related.user": [ "CSe" @@ -3014,8 +3014,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.118.177.136", - "10.134.128.27" + "10.134.128.27", + "10.118.177.136" ], "related.user": [ "Utenima" @@ -3029,8 +3029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "Allowed", - "olor" + "olor", + "Allowed" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3087,8 +3087,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.68.8.143", - "10.125.120.97" + "10.125.120.97", + "10.68.8.143" ], "related.user": [ "reet" 
@@ -3102,8 +3102,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "Allowed", - "edutp" + "edutp", + "Allowed" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3175,8 +3175,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "mwrit", - "Blocked" + "Blocked", + "mwrit" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3306,8 +3306,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.83.138.34", - "10.111.249.184" + "10.111.249.184", + "10.83.138.34" ], "related.user": [ "dentsunt" @@ -3321,8 +3321,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "Blocked", - "upta" + "upta", + "Blocked" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3379,8 +3379,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" @@ -3452,8 +3452,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.195.20", - "10.255.40.12" + "10.255.40.12", + "10.166.195.20" ], "related.user": [ "lamcolab" @@ -3538,8 +3538,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Bonoru", - "Blocked" + "Blocked", + "Bonoru" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3611,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "Blocked", - "tinvolup" + "tinvolup", + "Blocked" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", 
@@ -3669,8 +3669,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.153.177", - "10.237.0.173" + "10.237.0.173", + "10.31.153.177" ], "related.user": [ "sci" @@ -3755,8 +3755,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "Allowed", - "etquasia" + "etquasia", + "Allowed" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3809,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.138.109", - "10.39.46.155" + "10.39.46.155", + "10.120.138.109" ], "related.user": [ "picia" @@ -3897,8 +3897,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -3970,8 +3970,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iuntN", "rsa.misc.action": [ - "Allowed", - "nim" + "nim", + "Allowed" ], "rsa.misc.category": "etco", "rsa.misc.filter": "autodita", @@ -4101,8 +4101,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.155.252.123", - "10.178.148.188" + "10.178.148.188", + "10.155.252.123" ], "related.user": [ "inrepreh" @@ -4174,8 +4174,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.190.42.245", - "10.220.1.249" + "10.220.1.249", + "10.190.42.245" ], "related.user": [ "olup" @@ -4318,8 +4318,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.250.48.82", - "10.195.153.42" + "10.195.153.42", + "10.250.48.82" ], "related.user": [ "tsedquia" @@ -4333,8 +4333,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "Allowed", - "upidatat" + "upidatat", + "Allowed" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", 
@@ -4391,8 +4391,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.60.52.219", - "10.252.164.230" + "10.252.164.230", + "10.60.52.219" ], "related.user": [ "gnamali" @@ -4406,8 +4406,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "Blocked", - "fdeFin" + "fdeFin", + "Blocked" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4533,8 +4533,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.215.174", - "10.248.108.55" + "10.248.108.55", + "10.120.215.174" ], "related.user": [ "prehend" @@ -4604,8 +4604,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.15.254.181", - "10.51.161.245" + "10.51.161.245", + "10.15.254.181" ], "related.user": [ "abo" @@ -4619,8 +4619,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "Allowed", - "uteiru" + "uteiru", + "Allowed" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4677,8 +4677,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.129.66.196", - "10.7.152.238" + "10.7.152.238", + "10.129.66.196" ], "related.user": [ "equamn" @@ -4750,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.162.157", - "10.185.107.27" + "10.185.107.27", + "10.29.162.157" ], "related.user": [ "evelite" @@ -4765,8 +4765,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "Blocked", - "squirat" + "squirat", + "Blocked" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4823,8 +4823,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.138.0.214", - "10.215.63.248" + "10.215.63.248", + "10.138.0.214" ], "related.user": [ "eavolupt" 
@@ -4838,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4896,8 +4896,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.12.130.224", - "10.26.115.88" + "10.26.115.88", + "10.12.130.224" ], "related.user": [ "Nequepo" @@ -5057,8 +5057,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "userro", - "Allowed" + "Allowed", + "userro" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5130,8 +5130,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "onevo", - "Allowed" + "Allowed", + "onevo" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5203,8 +5203,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "maccu", - "Blocked" + "Blocked", + "maccu" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5495,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "Blocked", - "lupta" + "lupta", + "Blocked" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5568,8 +5568,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "uianonnu", - "Allowed" + "Allowed", + "uianonnu" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5626,8 +5626,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.222.144", - "10.124.119.48" + "10.124.119.48", + "10.26.222.144" ], "related.user": [ "nre" 
@@ -5699,8 +5699,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.223.11.164", - "10.164.190.2" + "10.164.190.2", + "10.223.11.164" ], "related.user": [ "ten" @@ -5772,8 +5772,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.121.181.243", - "10.14.37.8" + "10.14.37.8", + "10.121.181.243" ], "related.user": [ "umwr" @@ -5787,8 +5787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "rinc", - "Blocked" + "Blocked", + "rinc" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -5991,8 +5991,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.75.144.118", - "10.176.233.249" + "10.176.233.249", + "10.75.144.118" ], "related.user": [ "isnos" @@ -6064,8 +6064,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.236.55.236", - "10.149.6.107" + "10.149.6.107", + "10.236.55.236" ], "related.user": [ "redolo" @@ -6079,8 +6079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "Allowed", - "mvele" + "mvele", + "Allowed" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6225,8 +6225,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "mini", - "Blocked" + "Blocked", + "mini" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6356,8 +6356,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.234.34.40", - "10.247.255.107" + "10.247.255.107", + "10.234.34.40" ], "related.user": [ "aeabillo" @@ -6502,8 +6502,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.166.205.159", - "10.154.188.132" + "10.154.188.132", + "10.166.205.159" ], "related.user": [ "uptat" 
@@ -6517,8 +6517,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "onevolu", - "Allowed" + "Allowed", + "onevolu" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6571,8 +6571,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.46.71.46", - "10.138.193.38" + "10.138.193.38", + "10.46.71.46" ], "related.user": [ "sintocca" @@ -6640,8 +6640,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.254.119.31", - "10.172.159.251" + "10.172.159.251", + "10.254.119.31" ], "related.user": [ "usm" @@ -6655,8 +6655,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6728,8 +6728,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "oriosa", - "Allowed" + "Allowed", + "oriosa" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6786,8 +6786,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" ], "related.user": [ "eroi" @@ -6874,8 +6874,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "Allowed", - "qua" + "qua", + "Allowed" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -6947,8 +6947,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", 
@@ -7005,8 +7005,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.43.71", - "10.152.217.174" + "10.152.217.174", + "10.128.43.71" ], "related.user": [ "mquiado" @@ -7093,8 +7093,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "rehe", - "Blocked" + "Blocked", + "rehe" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7151,8 +7151,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.109.192.53", - "10.172.17.6" + "10.172.17.6", + "10.109.192.53" ], "related.user": [ "eprehen" @@ -7166,8 +7166,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "Blocked", - "tassit" + "tassit", + "Blocked" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7239,8 +7239,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "volup", - "Blocked" + "Blocked", + "volup" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 66ca65108fd..423d10f5ac2 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -28,8 +28,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", From 14e7d41fe33f7e859d88bf3e569557810dbbc6f4 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 13 Jul 2020 23:37:33 +0200 Subject: [PATCH 18/19] Changelog entries --- CHANGELOG.next.asciidoc | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) 
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 503a13111b6..e59e3c7612e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -439,6 +439,27 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379]
 - Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376]
 - Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121]
+- Add experimental dataset tomcat/log for Apache TomCat logs {pull}19713[19713]
+- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs {pull}19713[19713]
+- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs {pull}19713[19713]
+- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs {pull}19713[19713]
+- Add experimental dataset bluecoat/director for Bluecoat Director logs {pull}19713[19713]
+- Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713]
+- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713]
+- Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713]
+- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713]
+- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713]
+- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713]
+- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713]
+- Add experimental dataset juniper/junos for Juniper Junos OS logs {pull}19713[19713]
+- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs {pull}19713[19713]
+- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs {pull}19713[19713]
+- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs {pull}19713[19713]
+- Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs {pull}19713[19713]
+- Add experimental dataset radware/defensepro for Radware DefensePro logs {pull}19713[19713]
+- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713]
+- Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713]
+- Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713]
 
 *Heartbeat*
 
From 27573b71bca7aab2caf6bed5e636e29f20dceb1c Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 14 Jul 2020 00:07:13 +0200 Subject: [PATCH 19/19] Remove questionable log files from squid --- .../module/squid/log/test/access2.log | 100 - .../squid/log/test/access2.log-expected.json | 5610 ---------------- .../module/squid/log/test/access3.log | 100 - .../squid/log/test/access3.log-expected.json | 5620 ---------------- .../module/squid/log/test/access4.log | 100 - .../squid/log/test/access4.log-expected.json | 5888 ----------------- 6 files changed, 17418 deletions(-) delete mode 100644 x-pack/filebeat/module/squid/log/test/access2.log delete mode 100644 x-pack/filebeat/module/squid/log/test/access2.log-expected.json delete mode 100644 x-pack/filebeat/module/squid/log/test/access3.log delete mode 100644 x-pack/filebeat/module/squid/log/test/access3.log-expected.json delete mode 100644 x-pack/filebeat/module/squid/log/test/access4.log delete mode 100644 x-pack/filebeat/module/squid/log/test/access4.log-expected.json
diff --git a/x-pack/filebeat/module/squid/log/test/access2.log b/x-pack/filebeat/module/squid/log/test/access2.log
deleted file mode 100644
index de787cfea17..00000000000
--- a/x-pack/filebeat/module/squid/log/test/access2.log
+++ /dev/null
@@ -1,100 +0,0 @@
-1035368729.430 371 210.8.79.228 TCP_MISS/200 2136 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368730.746 297 210.8.79.228 TCP_MISS/200 1467 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368731.283 344 210.8.79.228 TCP_MISS/200 1330 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368732.162 2 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/anglais/produit4.html - NONE/- text/html
-1035368732.391 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/produits-ang.gif - NONE/- image/gif
-1035368732.456 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif
-1035368732.512 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif
-1035368732.545 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logo_orange.gif - NONE/- image/gif
-1035368732.599 19 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/chat.gif - NONE/- image/gif
-1035368732.675 115 210.8.79.192 TCP_REFRESH_MISS/200 2111 GET http://www.call-kelly.com/horizontal.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript
-1035368732.701 11 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/icone_notice.gif - NONE/- image/gif
-1035368732.775 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium1.gif - NONE/- image/gif
-1035368732.830 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium2.gif - NONE/- image/gif
-1035368732.877 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium3.gif - NONE/- image/gif
-1035368732.913 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/speleniumgold.gif - NONE/- image/gif
-1035368732.962 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/antipode.gif - NONE/- image/gif
-1035368733.035 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logospelenium.gif - NONE/- image/gif
-1035368733.087 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium1.gif - NONE/- image/gif
-1035368733.096 307 210.8.79.228 TCP_MISS/200 1623 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368733.151 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium2.gif - NONE/- image/gif
-1035368733.194 5 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium3.gif - NONE/- image/gif
-1035368733.342 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0antipode.gif - NONE/- image/gif
-1035368733.387 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium4.gif - NONE/- image/gif
-1035368733.758 299 210.8.79.228 TCP_MISS/200 1448 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368733.821 302 210.8.79.228 TCP_MISS/200 1365 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368733.822 2382 210.8.79.192 TCP_MISS/200 24756 GET http://www.call-kelly.com/ - FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html
-1035368733.894 104 210.8.79.192 TCP_REFRESH_HIT/200 1214 GET http://www.call-kelly.com/vertical.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript
-1035368734.169 320 210.8.79.228 TCP_MISS/200 1466 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368734.580 330 210.8.79.228 TCP_MISS/200 1321 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368734.883 333 210.8.79.228 TCP_MISS/200 824 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368735.255 386 210.8.79.228 TCP_MISS/200 1969 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368735.749 630 210.8.79.228 TCP_MISS/200 15187 GET http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368735.884 625 210.8.79.192 TCP_MISS/200 8623 GET http://counter11.sextracker.com/c4/id/0/259914 - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368736.258 299 210.8.79.228 TCP_MISS/200 609 GET http://www.fas.harvard.edu/~hpcws/vertbar.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368736.295 64 210.8.79.192 TCP_REFRESH_HIT/200 6080 GET http://66.181.163.170/pics/12.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg
-1035368736.750 570 210.8.79.192 TCP_REFRESH_HIT/200 5935 GET http://66.181.163.170/pics/tease.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg
-1035368736.989 319 210.8.79.228 TCP_MISS/200 2135 GET http://www.fas.harvard.edu/~hpcws/getacro.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368737.286 2056 210.8.79.228 TCP_MISS/200 3677 GET http://www.fas.harvard.edu/~hpcws/journaltitle.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif
-1035368738.516 598 210.8.79.192 TCP_REFRESH_HIT/200 8851 GET http://66.181.163.170/pics/5.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
-1035368739.275 346 210.8.79.228 TCP_MISS/200 3719 GET http://www.fas.harvard.edu/~hpcws/msbutton.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368739.396 1056 210.8.79.228 TCP_MISS/200 3693 GET http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif
-1035368740.659 639 210.8.79.192 TCP_REFRESH_HIT/200 7652 GET http://66.181.163.170/pics/8.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
-1035368741.676 306 210.8.79.228 TCP_MISS/200 2671 GET http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368742.029 300 210.8.79.228 TCP_MISS/200 2690 GET http://www.fas.harvard.edu/~hpcws/subsbutton.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368742.102 123 210.8.79.192 TCP_REFRESH_HIT/200 4530 GET http://66.181.163.170/pics/17.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
-1035368742.150 321 210.8.79.228 TCP_MISS/200 483 GET http://www.fas.harvard.edu/~hpcws/shim.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368742.474 104 210.8.79.192 TCP_REFRESH_HIT/200 9437 GET http://www.penis-enlargement-product.com/banners/ban2.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368743.319 330 210.8.79.228 TCP_MISS/200 1664 GET http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368747.045 15 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif
-1035368747.103 1424 210.8.79.199 TCP_MISS/200 13119 GET http://www.bealplanet.com/notices/speleo-ang.html - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html
-1035368747.266 5 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif
-1035368747.556 416 210.8.79.199 TCP_MISS/200 1973 GET http://www.bealplanet.com/notices/img/titre_speleo.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368747.990 3690 210.8.79.192 TCP_REFRESH_HIT/200 22832 GET http://botw.topbucks.com/mx_vertical_04_ani.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368748.012 442 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/francais.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368748.601 722 210.8.79.199 TCP_MISS/200 948 GET http://www.bealplanet.com/notices/img/anglais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368748.823 753 210.8.79.199 TCP_MISS/200 952 GET http://www.bealplanet.com/notices/img/deutsch.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368748.883 403 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/espanol.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368749.090 381 210.8.79.199 TCP_MISS/200 936 GET http://www.bealplanet.com/notices/img/italiano.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368749.346 407 210.8.79.199 TCP_MISS/200 993 GET http://www.bealplanet.com/notices/img/nederlands.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368749.763 402 210.8.79.199 TCP_MISS/200 980 GET http://www.bealplanet.com/notices/img/portuges.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368749.879 709 210.8.79.199 TCP_MISS/200 954 GET http://www.bealplanet.com/notices/img/japanese.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368749.955 405 210.8.79.199 TCP_MISS/200 4039 GET http://www.bealplanet.com/notices/img/logobeal.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368750.213 394 210.8.79.199 TCP_MISS/200 2014 GET http://www.bealplanet.com/notices/img/spelenium1.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368750.666 436 210.8.79.199 TCP_MISS/200 1783 GET http://www.bealplanet.com/notices/img/bout1_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368750.847 397 210.8.79.199 TCP_MISS/200 1991 GET http://www.bealplanet.com/notices/img/bout2_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368751.598 398 210.8.79.199 TCP_MISS/200 758 GET http://www.bealplanet.com/notices/img/attention.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368752.992 402 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/francais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368753.137 487 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/deutsch_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368753.141 486 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/espanol_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368753.496 787 210.8.79.199 TCP_MISS/200 951 GET http://www.bealplanet.com/notices/img/italiano_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368753.728 388 210.8.79.199 TCP_MISS/200 999 GET http://www.bealplanet.com/notices/img/nederlands_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368753.905 375 210.8.79.199 TCP_MISS/200 965 GET http://www.bealplanet.com/notices/img/japanese_bis.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368754.163 424 210.8.79.199 TCP_MISS/200 974 GET http://www.bealplanet.com/notices/img/portuges_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif
-1035368754.200 4246 210.8.79.192 TCP_MISS/200 15594 GET http://cybercatinc.com/banners/July/logo16.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368754.332 393 210.8.79.199 TCP_MISS/200 1661 GET http://www.bealplanet.com/notices/img/bout1bis_ang.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368757.241 3100 210.8.79.199 TCP_MISS/200 1866 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif
-1035368757.301 0 210.8.79.199 TCP_MEM_HIT/200 1872 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - NONE/- image/gif
-1035368758.063 134 210.8.79.192 TCP_MISS/200 7436 GET http://www.frenchcum.com/ - PARENT_HIT/proxy1.syd.connect.com.au text/html
-1035368759.420 5831 210.8.79.192 TCP_REFRESH_HIT/200 18075 GET http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368761.410 15150 210.8.79.192 TCP_REFRESH_HIT/200 22445 GET http://www.girls-home-alone.com/banners/call-kelly.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif
-1035368761.607 637 210.8.79.192 TCP_REFRESH_HIT/200 14489 GET http://cybercatinc.com/banners/July/npban_adult.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368769.137 467 210.8.79.192 TCP_MISS/302 449 GET http://c2.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html
-1035368773.118 87 210.8.79.192 TCP_REFRESH_HIT/200 1762 GET http://www.frenchcum.com/eclair.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif
-1035368773.734 3183 210.8.79.192 TCP_REFRESH_HIT/200 3257 GET http://www.frenchcum.com/frenchcumnew.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368773.875 3915 210.8.79.192 TCP_MISS/200 1388 GET http://www.usaminutes.tv/iframe_pix/index_3.php? - DIRECT/80.69.64.224 text/html
-1035368774.928 1157 210.8.79.192 TCP_REFRESH_MISS/200 3600 GET http://www.frenchcum.com/oki02.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif
-1035368775.066 2886 210.8.79.192 TCP_MISS/302 666 GET http://rr3.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html
-1035368775.140 43001 210.8.79.228 TCP_MISS/000 0 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au -
-1035368775.441 619 210.8.79.192 TCP_MISS/200 6681 GET http://counter4.sextracker.com/c7/id/0/315043 - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif
-1035368775.871 570 210.8.79.228 TCP_MISS/200 1352 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368775.957 586 210.8.79.228 TCP_MISS/200 1630 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368776.160 580 210.8.79.228 TCP_MISS/200 1487 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
-1035368776.779 1559 210.8.79.228 TCP_MISS/200 23518 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au application/pdf
-1035368776.928 317 210.8.79.228 TCP_MISS/200 1390 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368777.082 1031 210.8.79.192 TCP_REFRESH_HIT/200 12995 GET http://www.usaminutes.tv/iframe_pix/7.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg
-1035368777.709 4 202.67.67.124 TCP_DENIED/403 1119 GET http://rmapup.real.com/fcgi-bin/upgrade.fcgi? - NONE/- -
-1035368777.800 309 210.8.79.228 TCP_MISS/200 1859 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg
-1035368777.845 955 210.8.79.228 TCP_MISS/200 22446 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - FIRST_PARENT_MISS/proxy2.syd.connect.com.au application/pdf
-1035368778.102 452 210.8.79.192 TCP_MISS/302 450 GET http://c1.xxxcounter.com/c2/id/16/190203/0/ - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html
-1035368778.117 317 210.8.79.228 TCP_MISS/200 1629 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg
diff --git a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json b/x-pack/filebeat/module/squid/log/test/access2.log-expected.json
deleted file mode 100644
index 5d095a17bd4..00000000000
--- a/x-pack/filebeat/module/squid/log/test/access2.log-expected.json
+++ /dev/null
@@ -1,5610 +0,0 @@ -[ - { - "@timestamp": "2002-10-23T10:25:29.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368729.430 371 210.8.79.228 TCP_MISS/200 2136 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r3_c6.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 0, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 371, - "rsa.time.event_time": "2002-10-23T10:25:29.000Z", - "rsa.time.event_time_str": "1035368729", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 2136, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:30.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368730.746 297 210.8.79.228 TCP_MISS/200 1467 GET 
http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c1.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 169, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 297, - "rsa.time.event_time": "2002-10-23T10:25:30.000Z", - "rsa.time.event_time_str": "1035368730", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1467, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:31.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368731.283 344 210.8.79.228 TCP_MISS/200 1330 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 338, - "observer.product": "Proxy", - 
"observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 344, - "rsa.time.event_time": "2002-10-23T10:25:31.000Z", - "rsa.time.event_time_str": "1035368731", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1330, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.162 2 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/anglais/produit4.html - NONE/- text/html", - "file.name": "produit4.html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 515, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 2, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/anglais/produit4.html", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.391 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/produits-ang.gif - NONE/- image/gif", - "file.name": "produits-ang.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 650, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 6, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - 
"rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/produits-ang.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.456 6 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif", - "file.name": "cale.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 784, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 6, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", 
- "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/cale.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.512 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif", - "file.name": "fond2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 910, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 3, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/fond2.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", 
- "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.545 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logo_orange.gif - NONE/- image/gif", - "file.name": "logo_orange.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1037, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 15, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/logo_orange.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.599 19 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/chat.gif - NONE/- image/gif", - "file.name": "chat.gif", - "fileset.name": "log", - 
"input.type": "log", - "log.offset": 1170, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 19, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/chat.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_REFRESH_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.675 115 210.8.79.192 TCP_REFRESH_MISS/200 2111 GET http://www.call-kelly.com/horizontal.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript", - "file.name": "horizontal.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1296, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - 
"rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.call-kelly.com", - "rsa.time.duration_time": 115, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.call-kelly.com", - "server.domain": "www.call-kelly.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 2111, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.call-kelly.com", - "url.original": "http://www.call-kelly.com/horizontal.js", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.701 11 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/icone_notice.gif - NONE/- image/gif", - "file.name": "icone_notice.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1465, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - 
"rsa.time.duration_time": 11, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/icone_notice.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.775 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium1.gif - NONE/- image/gif", - "file.name": "spelenium1.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1599, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 15, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - 
"source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/spelenium1.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.830 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium2.gif - NONE/- image/gif", - "file.name": "spelenium2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1731, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": 
"http://www.bealplanet.com/produits/img/spelenium2.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.877 3 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/spelenium3.gif - NONE/- image/gif", - "file.name": "spelenium3.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1863, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 3, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/spelenium3.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.913 12 210.8.79.199 TCP_IMS_HIT/304 268 GET 
http://www.bealplanet.com/produits/img/speleniumgold.gif - NONE/- image/gif", - "file.name": "speleniumgold.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1995, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 12, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/speleniumgold.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:32.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368732.962 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/antipode.gif - NONE/- image/gif", - "file.name": "antipode.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2130, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - 
"related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 12, - "rsa.time.event_time": "2002-10-23T10:25:32.000Z", - "rsa.time.event_time_str": "1035368732", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/antipode.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.035 15 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/logospelenium.gif - NONE/- image/gif", - "file.name": "logospelenium.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2260, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": 
"image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 15, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/logospelenium.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.087 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium1.gif - NONE/- image/gif", - "file.name": "0spelenium1.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2395, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 7, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - 
"service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/0spelenium1.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.096 307 210.8.79.228 TCP_MISS/200 1623 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c4.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2528, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 307, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1623, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - 
"source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.151 1 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium2.gif - NONE/- image/gif", - "file.name": "0spelenium2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2697, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/0spelenium2.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - 
"event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.194 5 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium3.gif - NONE/- image/gif", - "file.name": "0spelenium3.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2830, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 5, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/0spelenium3.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.342 12 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0antipode.gif - NONE/- image/gif", - "file.name": "0antipode.gif", - "fileset.name": "log", - 
"input.type": "log", - "log.offset": 2963, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 12, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/0antipode.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.387 7 210.8.79.199 TCP_IMS_HIT/304 268 GET http://www.bealplanet.com/produits/img/0spelenium4.gif - NONE/- image/gif", - "file.name": "0spelenium4.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3094, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - 
"rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 7, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 268, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/0spelenium4.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.758 299 210.8.79.228 TCP_MISS/200 1448 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c5.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3227, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": 
"www.fas.harvard.edu", - "rsa.time.duration_time": 299, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1448, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.821 302 210.8.79.228 TCP_MISS/200 1365 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c7.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3404, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 302, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", 
- "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1365, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c7.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.822 2382 210.8.79.192 TCP_MISS/200 24756 GET http://www.call-kelly.com/ - FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3573, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.call-kelly.com", - "rsa.time.duration_time": 2382, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.call-kelly.com", - "server.domain": "www.call-kelly.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 24756, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - 
"forwarded" - ], - "url.domain": "www.call-kelly.com", - "url.original": "http://www.call-kelly.com/", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:33.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368733.894 104 210.8.79.192 TCP_REFRESH_HIT/200 1214 GET http://www.call-kelly.com/vertical.js - PARENT_HIT/proxy1.syd.connect.com.au application/x-javascript", - "file.name": "vertical.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3714, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.call-kelly.com", - "rsa.time.duration_time": 104, - "rsa.time.event_time": "2002-10-23T10:25:33.000Z", - "rsa.time.event_time_str": "1035368733", - "rsa.web.alias_host": "www.call-kelly.com", - "server.domain": "www.call-kelly.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1214, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.call-kelly.com", - "url.original": "http://www.call-kelly.com/vertical.js", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "1035368734.169 320 210.8.79.228 TCP_MISS/200 1466 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c9.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3880, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 320, - "rsa.time.event_time": "2002-10-23T10:25:34.000Z", - "rsa.time.event_time_str": "1035368734", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1466, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c9.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368734.580 330 210.8.79.228 TCP_MISS/200 1321 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c10.jpg", - 
"fileset.name": "log", - "input.type": "log", - "log.offset": 4049, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 330, - "rsa.time.event_time": "2002-10-23T10:25:34.000Z", - "rsa.time.event_time_str": "1035368734", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1321, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c10.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:34.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368734.883 333 210.8.79.228 TCP_MISS/200 824 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c11.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4227, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - 
"rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 333, - "rsa.time.event_time": "2002-10-23T10:25:34.000Z", - "rsa.time.event_time_str": "1035368734", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 824, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c11.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368735.255 386 210.8.79.228 TCP_MISS/200 1969 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r5_c1.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4404, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" 
- ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 386, - "rsa.time.event_time": "2002-10-23T10:25:35.000Z", - "rsa.time.event_time_str": "1035368735", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1969, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r5_c1.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368735.749 630 210.8.79.228 TCP_MISS/200 15187 GET http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "journalCWS2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4573, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 630, - "rsa.time.event_time": "2002-10-23T10:25:35.000Z", - "rsa.time.event_time_str": "1035368735", - 
"rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 15187, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/journalCWS2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:35.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368735.884 625 210.8.79.192 TCP_MISS/200 8623 GET http://counter11.sextracker.com/c4/id/0/259914 - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "259914", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4738, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "counter11.sextracker.com", - "rsa.time.duration_time": 625, - "rsa.time.event_time": "2002-10-23T10:25:35.000Z", - "rsa.time.event_time_str": "1035368735", - "rsa.web.alias_host": "counter11.sextracker.com", - "server.domain": "counter11.sextracker.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 8623, - "source.geo.continent_name": "Oceania", - 
"source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "counter11.sextracker.com", - "url.original": "http://counter11.sextracker.com/c4/id/0/259914", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368736.258 299 210.8.79.228 TCP_MISS/200 609 GET http://www.fas.harvard.edu/~hpcws/vertbar.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "vertbar.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4898, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 299, - "rsa.time.event_time": "2002-10-23T10:25:36.000Z", - "rsa.time.event_time_str": "1035368736", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 609, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": 
"http://www.fas.harvard.edu/~hpcws/vertbar.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368736.295 64 210.8.79.192 TCP_REFRESH_HIT/200 6080 GET http://66.181.163.170/pics/12.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg", - "file.name": "12.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5056, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "66.181.163.170", - "rsa.time.duration_time": 64, - "rsa.time.event_time": "2002-10-23T10:25:36.000Z", - "rsa.time.event_time_str": "1035368736", - "rsa.web.alias_host": "66.181.163.170", - "server.domain": "66.181.163.170", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 6080, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "66.181.163.170", - "url.original": "http://66.181.163.170/pics/12.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368736.750 570 210.8.79.192 TCP_REFRESH_HIT/200 5935 GET 
http://66.181.163.170/pics/tease.jpg - PARENT_HIT/proxy1.syd.connect.com.au image/jpeg", - "file.name": "tease.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5204, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "66.181.163.170", - "rsa.time.duration_time": 570, - "rsa.time.event_time": "2002-10-23T10:25:36.000Z", - "rsa.time.event_time_str": "1035368736", - "rsa.web.alias_host": "66.181.163.170", - "server.domain": "66.181.163.170", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 5935, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "66.181.163.170", - "url.original": "http://66.181.163.170/pics/tease.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:36.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368736.989 319 210.8.79.228 TCP_MISS/200 2135 GET http://www.fas.harvard.edu/~hpcws/getacro.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "getacro.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5355, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - 
"related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 319, - "rsa.time.event_time": "2002-10-23T10:25:36.000Z", - "rsa.time.event_time_str": "1035368736", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 2135, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/getacro.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:37.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368737.286 2056 210.8.79.228 TCP_MISS/200 3677 GET http://www.fas.harvard.edu/~hpcws/journaltitle.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", - "file.name": "journaltitle.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5514, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - 
"TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 2056, - "rsa.time.event_time": "2002-10-23T10:25:37.000Z", - "rsa.time.event_time_str": "1035368737", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 3677, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/journaltitle.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:38.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368738.516 598 210.8.79.192 TCP_REFRESH_HIT/200 8851 GET http://66.181.163.170/pics/5.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", - "file.name": "5.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5682, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "66.181.163.170", - "rsa.time.duration_time": 598, - "rsa.time.event_time": "2002-10-23T10:25:38.000Z", - "rsa.time.event_time_str": "1035368738", - "rsa.web.alias_host": 
"66.181.163.170", - "server.domain": "66.181.163.170", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 8851, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "66.181.163.170", - "url.original": "http://66.181.163.170/pics/5.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:39.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368739.275 346 210.8.79.228 TCP_MISS/200 3719 GET http://www.fas.harvard.edu/~hpcws/msbutton.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "msbutton.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5829, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 346, - "rsa.time.event_time": "2002-10-23T10:25:39.000Z", - "rsa.time.event_time_str": "1035368739", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 3719, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - 
"source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/msbutton.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:39.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368739.396 1056 210.8.79.228 TCP_MISS/200 3693 GET http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", - "file.name": "msbutton_f2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5989, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 1056, - "rsa.time.event_time": "2002-10-23T10:25:39.000Z", - "rsa.time.event_time_str": "1035368739", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 3693, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/msbutton_f2.gif", - "user.name": "-" - }, - { - 
"@timestamp": "2002-10-23T10:25:40.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368740.659 639 210.8.79.192 TCP_REFRESH_HIT/200 7652 GET http://66.181.163.170/pics/8.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", - "file.name": "8.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6156, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "66.181.163.170", - "rsa.time.duration_time": 639, - "rsa.time.event_time": "2002-10-23T10:25:40.000Z", - "rsa.time.event_time_str": "1035368740", - "rsa.web.alias_host": "66.181.163.170", - "server.domain": "66.181.163.170", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 7652, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "66.181.163.170", - "url.original": "http://66.181.163.170/pics/8.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:41.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368741.676 306 210.8.79.228 TCP_MISS/200 2671 GET http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au 
image/gif", - "file.name": "subsbutton_f2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6303, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 306, - "rsa.time.event_time": "2002-10-23T10:25:41.000Z", - "rsa.time.event_time_str": "1035368741", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 2671, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/subsbutton_f2.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368742.029 300 210.8.79.228 TCP_MISS/200 2690 GET http://www.fas.harvard.edu/~hpcws/subsbutton.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "subsbutton.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6468, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - 
"-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 300, - "rsa.time.event_time": "2002-10-23T10:25:42.000Z", - "rsa.time.event_time_str": "1035368742", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 2690, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/subsbutton.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368742.102 123 210.8.79.192 TCP_REFRESH_HIT/200 4530 GET http://66.181.163.170/pics/17.jpg - PARENT_HIT/proxy2.syd.connect.com.au image/jpeg", - "file.name": "17.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6638, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - 
"rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "66.181.163.170", - "rsa.time.duration_time": 123, - "rsa.time.event_time": "2002-10-23T10:25:42.000Z", - "rsa.time.event_time_str": "1035368742", - "rsa.web.alias_host": "66.181.163.170", - "server.domain": "66.181.163.170", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 4530, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "66.181.163.170", - "url.original": "http://66.181.163.170/pics/17.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368742.150 321 210.8.79.228 TCP_MISS/200 483 GET http://www.fas.harvard.edu/~hpcws/shim.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "shim.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6786, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 321, - "rsa.time.event_time": "2002-10-23T10:25:42.000Z", - "rsa.time.event_time_str": "1035368742", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": 
"www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 483, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/shim.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:42.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368742.474 104 210.8.79.192 TCP_REFRESH_HIT/200 9437 GET http://www.penis-enlargement-product.com/banners/ban2.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "ban2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6949, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.penis-enlargement-product.com", - "rsa.time.duration_time": 104, - "rsa.time.event_time": "2002-10-23T10:25:42.000Z", - "rsa.time.event_time_str": "1035368742", - "rsa.web.alias_host": "www.penis-enlargement-product.com", - "server.domain": "www.penis-enlargement-product.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 9437, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - 
"source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.penis-enlargement-product.com", - "url.original": "http://www.penis-enlargement-product.com/banners/ban2.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:43.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368743.319 330 210.8.79.228 TCP_MISS/200 1664 GET http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "jcwspanel_r1_c1.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7120, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 330, - "rsa.time.event_time": "2002-10-23T10:25:43.000Z", - "rsa.time.event_time_str": "1035368743", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1664, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": 
"http://www.fas.harvard.edu/~hpcws/jcwspanel_r1_c1.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368747.045 15 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/fond2.gif - NONE/- image/gif", - "file.name": "fond2.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7295, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 15, - "rsa.time.event_time": "2002-10-23T10:25:47.000Z", - "rsa.time.event_time_str": "1035368747", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 269, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/fond2.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368747.103 1424 210.8.79.199 TCP_MISS/200 13119 GET 
http://www.bealplanet.com/notices/speleo-ang.html - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", - "file.name": "speleo-ang.html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7422, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 1424, - "rsa.time.event_time": "2002-10-23T10:25:47.000Z", - "rsa.time.event_time_str": "1035368747", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 13119, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/speleo-ang.html", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368747.266 5 210.8.79.199 TCP_IMS_HIT/304 269 GET http://www.bealplanet.com/produits/img/cale.gif - NONE/- image/gif", - "file.name": "cale.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7586, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - 
"210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 5, - "rsa.time.event_time": "2002-10-23T10:25:47.000Z", - "rsa.time.event_time_str": "1035368747", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 269, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/produits/img/cale.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368747.556 416 210.8.79.199 TCP_MISS/200 1973 GET http://www.bealplanet.com/notices/img/titre_speleo.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "titre_speleo.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7712, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - 
"rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 416, - "rsa.time.event_time": "2002-10-23T10:25:47.000Z", - "rsa.time.event_time_str": "1035368747", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1973, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/titre_speleo.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:47.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368747.990 3690 210.8.79.192 TCP_REFRESH_HIT/200 22832 GET http://botw.topbucks.com/mx_vertical_04_ani.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "mx_vertical_04_ani.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7888, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "botw.topbucks.com", - "rsa.time.duration_time": 3690, - "rsa.time.event_time": "2002-10-23T10:25:47.000Z", - 
"rsa.time.event_time_str": "1035368747", - "rsa.web.alias_host": "botw.topbucks.com", - "server.domain": "botw.topbucks.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 22832, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "botw.topbucks.com", - "url.original": "http://botw.topbucks.com/mx_vertical_04_ani.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368748.012 442 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/francais.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "francais.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8050, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 442, - "rsa.time.event_time": "2002-10-23T10:25:48.000Z", - "rsa.time.event_time_str": "1035368748", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 958, - 
"source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/francais.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368748.601 722 210.8.79.199 TCP_MISS/200 948 GET http://www.bealplanet.com/notices/img/anglais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "anglais_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8221, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 722, - "rsa.time.event_time": "2002-10-23T10:25:48.000Z", - "rsa.time.event_time_str": "1035368748", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 948, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": 
"www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/anglais_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368748.823 753 210.8.79.199 TCP_MISS/200 952 GET http://www.bealplanet.com/notices/img/deutsch.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "deutsch.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8395, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 753, - "rsa.time.event_time": "2002-10-23T10:25:48.000Z", - "rsa.time.event_time_str": "1035368748", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 952, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/deutsch.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:48.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": 
"squid", - "event.original": "1035368748.883 403 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/espanol.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "espanol.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8565, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 403, - "rsa.time.event_time": "2002-10-23T10:25:48.000Z", - "rsa.time.event_time_str": "1035368748", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 957, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/espanol.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368749.090 381 210.8.79.199 TCP_MISS/200 936 GET http://www.bealplanet.com/notices/img/italiano.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "italiano.gif", - "fileset.name": "log", - "input.type": "log", - 
"log.offset": 8735, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 381, - "rsa.time.event_time": "2002-10-23T10:25:49.000Z", - "rsa.time.event_time_str": "1035368749", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 936, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/italiano.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368749.346 407 210.8.79.199 TCP_MISS/200 993 GET http://www.bealplanet.com/notices/img/nederlands.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "nederlands.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8898, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - 
"rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 407, - "rsa.time.event_time": "2002-10-23T10:25:49.000Z", - "rsa.time.event_time_str": "1035368749", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 993, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/nederlands.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368749.763 402 210.8.79.199 TCP_MISS/200 980 GET http://www.bealplanet.com/notices/img/portuges.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "portuges.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9063, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - 
"rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 402, - "rsa.time.event_time": "2002-10-23T10:25:49.000Z", - "rsa.time.event_time_str": "1035368749", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 980, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/portuges.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368749.879 709 210.8.79.199 TCP_MISS/200 954 GET http://www.bealplanet.com/notices/img/japanese.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "japanese.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9234, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 709, - "rsa.time.event_time": "2002-10-23T10:25:49.000Z", - "rsa.time.event_time_str": "1035368749", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", 
- "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 954, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/japanese.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:49.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368749.955 405 210.8.79.199 TCP_MISS/200 4039 GET http://www.bealplanet.com/notices/img/logobeal.gif - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "logobeal.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9397, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 405, - "rsa.time.event_time": "2002-10-23T10:25:49.000Z", - "rsa.time.event_time_str": "1035368749", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 4039, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - 
"source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/logobeal.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368750.213 394 210.8.79.199 TCP_MISS/200 2014 GET http://www.bealplanet.com/notices/img/spelenium1.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "spelenium1.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9569, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 394, - "rsa.time.event_time": "2002-10-23T10:25:50.000Z", - "rsa.time.event_time_str": "1035368750", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 2014, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/spelenium1.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:50.000Z", - 
"event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368750.666 436 210.8.79.199 TCP_MISS/200 1783 GET http://www.bealplanet.com/notices/img/bout1_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "bout1_ang.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9735, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 436, - "rsa.time.event_time": "2002-10-23T10:25:50.000Z", - "rsa.time.event_time_str": "1035368750", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1783, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/bout1_ang.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:50.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368750.847 397 210.8.79.199 TCP_MISS/200 1991 GET http://www.bealplanet.com/notices/img/bout2_ang.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au 
image/gif", - "file.name": "bout2_ang.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9900, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 397, - "rsa.time.event_time": "2002-10-23T10:25:50.000Z", - "rsa.time.event_time_str": "1035368750", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1991, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/bout2_ang.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:51.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368751.598 398 210.8.79.199 TCP_MISS/200 758 GET http://www.bealplanet.com/notices/img/attention.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "attention.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10065, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - 
"rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 398, - "rsa.time.event_time": "2002-10-23T10:25:51.000Z", - "rsa.time.event_time_str": "1035368751", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 758, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/attention.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:52.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368752.992 402 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/francais_bis.gif - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "francais_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10229, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - 
], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 402, - "rsa.time.event_time": "2002-10-23T10:25:52.000Z", - "rsa.time.event_time_str": "1035368752", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 957, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/francais_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368753.137 487 210.8.79.199 TCP_MISS/200 957 GET http://www.bealplanet.com/notices/img/deutsch_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "deutsch_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10404, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 487, - "rsa.time.event_time": "2002-10-23T10:25:53.000Z", - "rsa.time.event_time_str": "1035368753", - "rsa.web.alias_host": 
"www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 957, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/deutsch_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368753.141 486 210.8.79.199 TCP_MISS/200 958 GET http://www.bealplanet.com/notices/img/espanol_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "espanol_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10570, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 486, - "rsa.time.event_time": "2002-10-23T10:25:53.000Z", - "rsa.time.event_time_str": "1035368753", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 958, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - 
"source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/espanol_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368753.496 787 210.8.79.199 TCP_MISS/200 951 GET http://www.bealplanet.com/notices/img/italiano_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "italiano_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10736, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 787, - "rsa.time.event_time": "2002-10-23T10:25:53.000Z", - "rsa.time.event_time_str": "1035368753", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 951, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/italiano_bis.gif", - 
"user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368753.728 388 210.8.79.199 TCP_MISS/200 999 GET http://www.bealplanet.com/notices/img/nederlands_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "nederlands_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10903, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 388, - "rsa.time.event_time": "2002-10-23T10:25:53.000Z", - "rsa.time.event_time_str": "1035368753", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 999, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/nederlands_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:53.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368753.905 375 210.8.79.199 TCP_MISS/200 965 GET 
http://www.bealplanet.com/notices/img/japanese_bis.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "japanese_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11072, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 375, - "rsa.time.event_time": "2002-10-23T10:25:53.000Z", - "rsa.time.event_time_str": "1035368753", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 965, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/japanese_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368754.163 424 210.8.79.199 TCP_MISS/200 974 GET http://www.bealplanet.com/notices/img/portuges_bis.gif - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/gif", - "file.name": "portuges_bis.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11239, - "observer.product": "Proxy", - "observer.type": 
"Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 424, - "rsa.time.event_time": "2002-10-23T10:25:54.000Z", - "rsa.time.event_time_str": "1035368754", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 974, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/portuges_bis.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368754.200 4246 210.8.79.192 TCP_MISS/200 15594 GET http://cybercatinc.com/banners/July/logo16.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "logo16.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11406, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "cybercatinc.com", - "rsa.time.duration_time": 4246, - "rsa.time.event_time": "2002-10-23T10:25:54.000Z", - "rsa.time.event_time_str": "1035368754", - "rsa.web.alias_host": "cybercatinc.com", - "server.domain": "cybercatinc.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 15594, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "cybercatinc.com", - "url.original": "http://cybercatinc.com/banners/July/logo16.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:54.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368754.332 393 210.8.79.199 TCP_MISS/200 1661 GET http://www.bealplanet.com/notices/img/bout1bis_ang.gif - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "bout1bis_ang.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11560, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 393, - "rsa.time.event_time": 
"2002-10-23T10:25:54.000Z", - "rsa.time.event_time_str": "1035368754", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1661, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/bout1bis_ang.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:57.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368757.241 3100 210.8.79.199 TCP_MISS/200 1866 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au image/gif", - "file.name": "bout2bis_ang.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11728, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 3100, - "rsa.time.event_time": "2002-10-23T10:25:57.000Z", - "rsa.time.event_time_str": "1035368757", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", 
- "source.bytes": 1866, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - "url.original": "http://www.bealplanet.com/notices/img/bout2bis_ang.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:57.000Z", - "event.action": "TCP_MEM_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368757.301 0 210.8.79.199 TCP_MEM_HIT/200 1872 GET http://www.bealplanet.com/notices/img/bout2bis_ang.gif - NONE/- image/gif", - "file.name": "bout2bis_ang.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11900, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.199" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MEM_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.bealplanet.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2002-10-23T10:25:57.000Z", - "rsa.time.event_time_str": "1035368757", - "rsa.web.alias_host": "www.bealplanet.com", - "server.domain": "www.bealplanet.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1872, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.199" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.bealplanet.com", - 
"url.original": "http://www.bealplanet.com/notices/img/bout2bis_ang.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:58.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368758.063 134 210.8.79.192 TCP_MISS/200 7436 GET http://www.frenchcum.com/ - PARENT_HIT/proxy1.syd.connect.com.au text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12034, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.frenchcum.com", - "rsa.time.duration_time": 134, - "rsa.time.event_time": "2002-10-23T10:25:58.000Z", - "rsa.time.event_time_str": "1035368758", - "rsa.web.alias_host": "www.frenchcum.com", - "server.domain": "www.frenchcum.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 7436, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.frenchcum.com", - "url.original": "http://www.frenchcum.com/", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:25:59.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368759.420 5831 210.8.79.192 TCP_REFRESH_HIT/200 18075 GET 
http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "468x60-CFF-01.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12166, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.cyberhairy.com", - "rsa.time.duration_time": 5831, - "rsa.time.event_time": "2002-10-23T10:25:59.000Z", - "rsa.time.event_time_str": "1035368759", - "rsa.web.alias_host": "www.cyberhairy.com", - "server.domain": "www.cyberhairy.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 18075, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.cyberhairy.com", - "url.original": "http://www.cyberhairy.com/advertisingbanners/468x60-CFF-01.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:01.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368761.410 15150 210.8.79.192 TCP_REFRESH_HIT/200 22445 GET http://www.girls-home-alone.com/banners/call-kelly.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif", - "file.name": "call-kelly.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12343, - "observer.product": "Proxy", - 
"observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.girls-home-alone.com", - "rsa.time.duration_time": 15150, - "rsa.time.event_time": "2002-10-23T10:26:01.000Z", - "rsa.time.event_time_str": "1035368761", - "rsa.web.alias_host": "www.girls-home-alone.com", - "server.domain": "www.girls-home-alone.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 22445, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.girls-home-alone.com", - "url.original": "http://www.girls-home-alone.com/banners/call-kelly.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:01.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368761.607 637 210.8.79.192 TCP_REFRESH_HIT/200 14489 GET http://cybercatinc.com/banners/July/npban_adult.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "npban_adult.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12512, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": 
"Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "cybercatinc.com", - "rsa.time.duration_time": 637, - "rsa.time.event_time": "2002-10-23T10:26:01.000Z", - "rsa.time.event_time_str": "1035368761", - "rsa.web.alias_host": "cybercatinc.com", - "server.domain": "cybercatinc.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 14489, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "cybercatinc.com", - "url.original": "http://cybercatinc.com/banners/July/npban_adult.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:09.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368769.137 467 210.8.79.192 TCP_MISS/302 449 GET http://c2.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12678, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "c2.xxxcounter.com", - "rsa.time.duration_time": 467, - "rsa.time.event_time": 
"2002-10-23T10:26:09.000Z", - "rsa.time.event_time_str": "1035368769", - "rsa.web.alias_host": "c2.xxxcounter.com", - "server.domain": "c2.xxxcounter.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 449, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "c2.xxxcounter.com", - "url.original": "http://c2.xxxcounter.com/c2/id/2/148582/0/", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:13.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368773.118 87 210.8.79.192 TCP_REFRESH_HIT/200 1762 GET http://www.frenchcum.com/eclair.gif - PARENT_HIT/proxy1.syd.connect.com.au image/gif", - "file.name": "eclair.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12833, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.frenchcum.com", - "rsa.time.duration_time": 87, - "rsa.time.event_time": "2002-10-23T10:26:13.000Z", - "rsa.time.event_time_str": "1035368773", - "rsa.web.alias_host": "www.frenchcum.com", - "server.domain": "www.frenchcum.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1762, - 
"source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.frenchcum.com", - "url.original": "http://www.frenchcum.com/eclair.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:13.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368773.734 3183 210.8.79.192 TCP_REFRESH_HIT/200 3257 GET http://www.frenchcum.com/frenchcumnew.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "frenchcumnew.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12982, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.frenchcum.com", - "rsa.time.duration_time": 3183, - "rsa.time.event_time": "2002-10-23T10:26:13.000Z", - "rsa.time.event_time_str": "1035368773", - "rsa.web.alias_host": "www.frenchcum.com", - "server.domain": "www.frenchcum.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 3257, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.frenchcum.com", - "url.original": 
"http://www.frenchcum.com/frenchcumnew.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:13.000Z", - "destination.as.number": 20857, - "destination.as.organization.name": "Transip B.V.", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "NL", - "destination.geo.location.lat": 52.3824, - "destination.geo.location.lon": 4.8995, - "destination.ip": [ - "80.69.64.224" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368773.875 3915 210.8.79.192 TCP_MISS/200 1388 GET http://www.usaminutes.tv/iframe_pix/index_3.php? - DIRECT/80.69.64.224 text/html", - "file.name": "index_3.php", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13137, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "80.69.64.224", - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.usaminutes.tv", - "rsa.time.duration_time": 3915, - "rsa.time.event_time": "2002-10-23T10:26:13.000Z", - "rsa.time.event_time_str": "1035368773", - "rsa.web.alias_host": "www.usaminutes.tv", - "server.domain": "www.usaminutes.tv", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1388, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.usaminutes.tv", - "url.original": 
"http://www.usaminutes.tv/iframe_pix/index_3.php?", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:14.000Z", - "event.action": "TCP_REFRESH_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368774.928 1157 210.8.79.192 TCP_REFRESH_MISS/200 3600 GET http://www.frenchcum.com/oki02.gif - PARENT_HIT/proxy2.syd.connect.com.au image/gif", - "file.name": "oki02.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13275, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.frenchcum.com", - "rsa.time.duration_time": 1157, - "rsa.time.event_time": "2002-10-23T10:26:14.000Z", - "rsa.time.event_time_str": "1035368774", - "rsa.web.alias_host": "www.frenchcum.com", - "server.domain": "www.frenchcum.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 3600, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.frenchcum.com", - "url.original": "http://www.frenchcum.com/oki02.gif", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368775.066 2886 210.8.79.192 TCP_MISS/302 666 GET 
http://rr3.xxxcounter.com/c2/id/2/148582/0/ - FIRST_PARENT_MISS/proxy2.syd.connect.com.au text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13424, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "rr3.xxxcounter.com", - "rsa.time.duration_time": 2886, - "rsa.time.event_time": "2002-10-23T10:26:15.000Z", - "rsa.time.event_time_str": "1035368775", - "rsa.web.alias_host": "rr3.xxxcounter.com", - "server.domain": "rr3.xxxcounter.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 666, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "rr3.xxxcounter.com", - "url.original": "http://rr3.xxxcounter.com/c2/id/2/148582/0/", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368775.140 43001 210.8.79.228 TCP_MISS/000 0 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg - TIMEOUT_DEFAULT_PARENT/proxy.mel.connect.com.au -", - "file.name": "navbar_r4_c3.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13580, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - 
"210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_DEFAULT_PARENT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 43001, - "rsa.time.event_time": "2002-10-23T10:26:15.000Z", - "rsa.time.event_time_str": "1035368775", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 0, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368775.441 619 210.8.79.192 TCP_MISS/200 6681 GET http://counter4.sextracker.com/c7/id/0/315043 - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/gif", - "file.name": "315043", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13741, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ 
- "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "counter4.sextracker.com", - "rsa.time.duration_time": 619, - "rsa.time.event_time": "2002-10-23T10:26:15.000Z", - "rsa.time.event_time_str": "1035368775", - "rsa.web.alias_host": "counter4.sextracker.com", - "server.domain": "counter4.sextracker.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 6681, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "counter4.sextracker.com", - "url.original": "http://counter4.sextracker.com/c7/id/0/315043", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368775.871 570 210.8.79.228 TCP_MISS/200 1352 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg - FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r2_c6_f2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13900, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 570, - "rsa.time.event_time": "2002-10-23T10:26:15.000Z", - 
"rsa.time.event_time_str": "1035368775", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1352, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r2_c6_f2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:15.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368775.957 586 210.8.79.228 TCP_MISS/200 1630 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c1_f2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14072, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 586, - "rsa.time.event_time": "2002-10-23T10:26:15.000Z", - "rsa.time.event_time_str": "1035368775", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - 
"source.bytes": 1630, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c1_f2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368776.160 580 210.8.79.228 TCP_MISS/200 1487 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c2_f2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14252, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 580, - "rsa.time.event_time": "2002-10-23T10:26:16.000Z", - "rsa.time.event_time_str": "1035368776", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1487, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - 
"forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c2_f2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368776.779 1559 210.8.79.228 TCP_MISS/200 23518 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au application/pdf", - "file.name": "carafano.pdf", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14424, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "application/pdf", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 1559, - "rsa.time.event_time": "2002-10-23T10:26:16.000Z", - "rsa.time.event_time_str": "1035368776", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 23518, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/carafano.pdf", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:16.000Z", - "event.action": "TCP_MISS", - "event.code": 
"GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368776.928 317 210.8.79.228 TCP_MISS/200 1390 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c3_f2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14599, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 317, - "rsa.time.event_time": "2002-10-23T10:26:16.000Z", - "rsa.time.event_time_str": "1035368776", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1390, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c3_f2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368777.082 1031 210.8.79.192 TCP_REFRESH_HIT/200 12995 GET http://www.usaminutes.tv/iframe_pix/7.jpg - PARENT_HIT/proxy2.syd.connect.com.au 
image/jpeg", - "file.name": "7.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14779, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "PARENT_HIT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.usaminutes.tv", - "rsa.time.duration_time": 1031, - "rsa.time.event_time": "2002-10-23T10:26:17.000Z", - "rsa.time.event_time_str": "1035368777", - "rsa.web.alias_host": "www.usaminutes.tv", - "server.domain": "www.usaminutes.tv", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 12995, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.usaminutes.tv", - "url.original": "http://www.usaminutes.tv/iframe_pix/7.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368777.709 4 202.67.67.124 TCP_DENIED/403 1119 GET http://rmapup.real.com/fcgi-bin/upgrade.fcgi? 
- NONE/- -", - "file.name": "upgrade.fcgi", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14936, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "202.67.67.124" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "403", - "rsa.network.domain": "rmapup.real.com", - "rsa.time.duration_time": 4, - "rsa.time.event_time": "2002-10-23T10:26:17.000Z", - "rsa.time.event_time_str": "1035368777", - "rsa.web.alias_host": "rmapup.real.com", - "server.domain": "rmapup.real.com", - "service.type": "squid", - "source.as.number": 9443, - "source.as.organization.name": "Primus Telecommunications", - "source.bytes": 1119, - "source.geo.city_name": "Toongabbie", - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.7908, - "source.geo.location.lon": 150.9469, - "source.geo.region_iso_code": "AU-NSW", - "source.geo.region_name": "New South Wales", - "source.ip": [ - "202.67.67.124" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "rmapup.real.com", - "url.original": "http://rmapup.real.com/fcgi-bin/upgrade.fcgi?", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368777.800 309 210.8.79.228 TCP_MISS/200 1859 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c4_f2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15053, - "observer.product": "Proxy", - 
"observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 309, - "rsa.time.event_time": "2002-10-23T10:26:17.000Z", - "rsa.time.event_time_str": "1035368777", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 1859, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c4_f2.jpg", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:17.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368777.845 955 210.8.79.228 TCP_MISS/200 22446 GET http://www.fas.harvard.edu/~hpcws/carafano.pdf - FIRST_PARENT_MISS/proxy2.syd.connect.com.au application/pdf", - "file.name": "carafano.pdf", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15233, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - 
"rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/pdf", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 955, - "rsa.time.event_time": "2002-10-23T10:26:17.000Z", - "rsa.time.event_time_str": "1035368777", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 22446, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/carafano.pdf", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:18.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368778.102 452 210.8.79.192 TCP_MISS/302 450 GET http://c1.xxxcounter.com/c2/id/16/190203/0/ - TIMEOUT_FIRST_PARENT_MISS/proxy1.syd.connect.com.au text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15400, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.192" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "TIMEOUT_FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "c1.xxxcounter.com", - "rsa.time.duration_time": 452, - 
"rsa.time.event_time": "2002-10-23T10:26:18.000Z", - "rsa.time.event_time_str": "1035368778", - "rsa.web.alias_host": "c1.xxxcounter.com", - "server.domain": "c1.xxxcounter.com", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT Limited", - "source.bytes": 450, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.192" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "c1.xxxcounter.com", - "url.original": "http://c1.xxxcounter.com/c2/id/16/190203/0/", - "user.name": "-" - }, - { - "@timestamp": "2002-10-23T10:26:18.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1035368778.117 317 210.8.79.228 TCP_MISS/200 1629 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg", - "file.name": "navbar_r4_c5_f2.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15564, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "210.8.79.228" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "FIRST_PARENT_MISS", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.fas.harvard.edu", - "rsa.time.duration_time": 317, - "rsa.time.event_time": "2002-10-23T10:26:18.000Z", - "rsa.time.event_time_str": "1035368778", - "rsa.web.alias_host": "www.fas.harvard.edu", - "server.domain": "www.fas.harvard.edu", - "service.type": "squid", - "source.as.number": 2764, - "source.as.organization.name": "AAPT 
Limited", - "source.bytes": 1629, - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": [ - "210.8.79.228" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.fas.harvard.edu", - "url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r4_c5_f2.jpg", - "user.name": "-" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access3.log b/x-pack/filebeat/module/squid/log/test/access3.log deleted file mode 100644 index 66c9fb45ddf..00000000000 --- a/x-pack/filebeat/module/squid/log/test/access3.log +++ /dev/null 
@@ -1,100 +0,0 @@
-1348870295.249 59723 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
-1348870298.072 59140 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348870316.251 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -
-1348870321.251 60143 192.168.0.35 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/- -
-1348870325.850 9 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870326.168 95 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870326.810 124 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870327.186 169 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870327.634 71 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870327.842 1 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870327.958 67795 192.168.0.35 TCP_MISS/000 0 GET http://www.amazon.com/ - DIRECT/www.amazon.com -
-1348870346.253 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -
-1348870404.068 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348870563.266 60119 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
-1348870584.268 60142 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348870653.273 60096 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
-1348870689.175 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348870772.279 155623 192.168.0.35 TCP_MISS/503 3310 GET http://clients2.google.com/service/update2/crx? - DIRECT/clients2.google.com text/html
-1348870869.283 60063 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348870947.061 39 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870947.797 268 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870949.342 163 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870949.733 191 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870950.054 120 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? - DIRECT/www.google.com -
-1348870974.291 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348871088.713 137787 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/ - DIRECT/www.google.com -
-1348871102.295 13511 192.168.0.35 TCP_MISS/503 4436 GET http://www.google.com/ - DIRECT/www.google.com text/html
-1348871159.296 59931 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -
-1348871160.382 3 192.168.0.35 TCP_MISS/503 4244 GET http://www.google.com/ - NONE/- text/html
-1348871190.265 174 192.168.0.35 TCP_MISS/200 28149 GET http://www.google.com/ - DIRECT/74.125.131.147 text/html
-1348871190.364 26 192.168.0.35 TCP_MISS/304 290 GET http://www.google.com/images/srpr/logo3w.png - DIRECT/74.125.131.147 -
-1348871190.477 136 192.168.0.35 TCP_MISS/200 166258 GET http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA - DIRECT/74.125.131.147 text/javascript
-1348871190.671 50 192.168.0.35 TCP_MISS/200 20129 GET http://www.google.com/extern_chrome/359533f6f71ee9c1.js - DIRECT/74.125.131.147 text/javascript
-1348871190.763 36 192.168.0.35 TCP_MISS/204 369 GET http://www.google.com/csi? - DIRECT/74.125.131.147 image/gif
-1348871195.222 58 192.168.0.35 TCP_MISS/200 2831 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
-1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
-1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
-1348871203.841 9011 192.168.0.35 TCP_MISS/200 11085 CONNECT apis.google.com:443 - DIRECT/74.125.228.6 -
-1348871203.843 8681 192.168.0.35 TCP_MISS/200 63315 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -
-1348871203.843 8682 192.168.0.35 TCP_MISS/200 404199 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
-1348871203.849 9482 192.168.0.35 TCP_MISS/200 192122 CONNECT play.google.com:443 - DIRECT/74.125.228.14 -
-1348871203.851 8989 192.168.0.35 TCP_MISS/200 8875 CONNECT www.google.com:443 - DIRECT/74.125.131.147 -
-1348871203.852 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
-1348871203.853 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
-1348871203.853 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
-1348871203.854 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
-1348871203.854 8688 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -
-1349057385.253 170 192.168.0.35 TCP_MISS/200 574 GET http://clients1.google.com/tools/swg2/update? - DIRECT/74.125.228.97 text/plain
-1349057413.337 170 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -
-1349057425.626 147 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -
-1349057446.149 1715 192.168.0.35 TCP_MISS/200 2921 CONNECT docs.google.com:443 - DIRECT/74.125.228.100 -
-1349057446.149 417 192.168.0.35 TCP_MISS/200 4161 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
-1349057446.974 119 192.168.0.35 TCP_MISS/200 4153 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
-1349057451.693 4784 192.168.0.35 TCP_MISS/200 2201 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -
-1349057451.694 652 192.168.0.35 TCP_MISS/200 12807 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
-1349057451.719 4875 192.168.0.35 TCP_MISS/200 4132 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
-1349057452.613 815 192.168.0.35 TCP_MISS/200 3481 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
-1349057466.259 467 192.168.0.35 TCP_MISS/200 161462 GET http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog - DIRECT/208.44.23.184 application/x-apple-plist
-1349057469.784 470 192.168.0.35 TCP_MISS/200 6546 GET http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist - DIRECT/208.44.23.185 text/xml
-1349057470.770 334 192.168.0.35 TCP_MISS/200 31622 GET http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist - DIRECT/208.44.23.185 text/plain
-1349057470.907 109 192.168.0.35 TCP_MISS/200 3798 GET http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist - DIRECT/208.44.23.185 text/xml
-1349057472.794 219 192.168.0.35 TCP_MISS/200 7217 GET http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist - DIRECT/208.44.23.185 text/plain
-1349057472.980 109 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist - DIRECT/208.44.23.185 text/xml
-1349057473.173 110 192.168.0.35 TCP_MISS/200 6939 GET http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist - DIRECT/208.44.23.185 text/xml
-1349057473.340 111 192.168.0.35 TCP_MISS/200 5451 GET http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist - DIRECT/208.44.23.185 text/plain
-1349057473.825 330 192.168.0.35 TCP_MISS/200 18008 GET http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist - DIRECT/208.44.23.185 text/plain
-1349057474.139 221 192.168.0.35 TCP_MISS/200 6992 GET http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist - DIRECT/208.44.23.185 text/xml
-1349057474.330 112 192.168.0.35 TCP_MISS/200 4197 GET http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist - DIRECT/208.44.23.185 text/xml
-1349057474.842 329 192.168.0.35 TCP_MISS/200 19447 GET http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist - DIRECT/208.44.23.185 text/xml
-1349057475.092 221 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist - DIRECT/208.44.23.185 text/xml
-1349057475.582 434 192.168.0.35 TCP_MISS/200 5297 GET http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist - DIRECT/208.44.23.185 text/xml
-1349057475.860 217 192.168.0.35 TCP_MISS/200 6480 GET http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist - DIRECT/208.44.23.185 text/xml
-1349057476.242 331 192.168.0.35 TCP_MISS/200 18211 GET http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist - DIRECT/208.44.23.185 text/xml
-1349057476.800 543 192.168.0.35 TCP_MISS/200 6525 GET http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist - DIRECT/208.44.23.185 text/plain
-1349057477.417 552 192.168.0.35 TCP_MISS/200 19458 GET http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist - DIRECT/208.44.23.185 text/plain
-1349057478.304 870 192.168.0.35 TCP_MISS/200 18041 GET http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist - DIRECT/208.44.23.185 text/xml
-1349057478.759 437 192.168.0.35 TCP_MISS/200 17576 GET http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist - DIRECT/208.44.23.185 text/plain
-1349057478.905 111 192.168.0.35 TCP_MISS/200 6991 GET http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist - DIRECT/208.44.23.185 text/xml
-1349057479.343 332 192.168.0.35 TCP_MISS/200 25935 GET http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist - DIRECT/208.44.23.185 text/xml
-1349057479.593 223 192.168.0.35 TCP_MISS/200 18205 GET http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist - DIRECT/208.44.23.185 text/xml
-1349057479.728 110 192.168.0.35 TCP_MISS/200 7326 GET http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist - DIRECT/208.44.23.185 text/plain
-1349057479.893 111 192.168.0.35 TCP_MISS/200 6973 GET http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist - DIRECT/208.44.23.185 text/xml
-1349057480.599 679 192.168.0.35 TCP_MISS/200 6748 GET http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist - DIRECT/208.44.23.185 text/xml
-1349057481.530 889 192.168.0.35 TCP_MISS/200 19858 GET http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist - DIRECT/208.44.23.185 text/xml
-1349057482.097 550 192.168.0.35 TCP_MISS/200 19848 GET http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist - DIRECT/208.44.23.185 text/xml
-1349057483.427 771 192.168.0.35 TCP_MISS/200 38188 GET http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist - DIRECT/208.44.23.185 text/xml
-1349057483.787 320 192.168.0.35 TCP_MISS/200 8913 GET http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist - DIRECT/208.44.23.185 text/xml
-1349057484.139 222 192.168.0.35 TCP_MISS/200 8113 GET http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist - DIRECT/208.44.23.185 text/xml
-1349057486.034 1694 192.168.0.35 TCP_MISS/200 31969 GET http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist - DIRECT/208.44.23.185 text/xml
-1349057486.672 550 192.168.0.35 TCP_MISS/200 31972 GET http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist - DIRECT/208.44.23.185 text/xml
-1349057487.172 436 192.168.0.35 TCP_MISS/200 23087 GET http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist - DIRECT/208.44.23.185 text/xml
-1349057583.918 101348 192.168.0.35 TCP_MISS/200 2488 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -
-1349057583.929 100999 192.168.0.35 TCP_MISS/200 2974 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -
-1349057583.929 105631 192.168.0.35 TCP_MISS/200 2969 CONNECT clients4.google.com:443 - DIRECT/74.125.228.96 -
-1349057583.929 43683 192.168.0.35 TCP_MISS/200 662274 CONNECT safebrowsing-cache.google.com:443 - DIRECT/74.125.228.101 -
-1349057583.930 44106 192.168.0.35 TCP_MISS/200 6152 CONNECT safebrowsing.google.com:443 - DIRECT/74.125.228.102 -
-1349057715.339 267 192.168.0.35 TCP_MISS/302 379 GET http://www.facebook.com/ - DIRECT/69.171.228.74 text/html
-1349057718.031 2684 192.168.0.35 TCP_MISS/200 1871 CONNECT s-static.ak.facebook.com:443 - DIRECT/23.62.194.110 -
-1349057718.398 3047 192.168.0.35 TCP_MISS/200 87179 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -
-1349057719.228 3879 192.168.0.35 TCP_MISS/200 2894 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -
diff --git a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json b/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
deleted file mode 100644
index 13c87d647c5..00000000000
--- a/x-pack/filebeat/module/squid/log/test/access3.log-expected.json
+++ /dev/null
@@ -1,5620 +0,0 @@ -[ - { - "@timestamp": "2012-09-28T22:11:35.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870295.249 59723 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 0, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "safebrowsing.google.com", - "rsa.time.duration_time": 59723, - "rsa.time.event_time": "2012-09-28T22:11:35.000Z", - "rsa.time.event_time_str": "1348870295", - "rsa.web.alias_host": "safebrowsing.google.com", - "server.domain": "safebrowsing.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "safebrowsing.google.com", - "url.original": "safebrowsing.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:11:38.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870298.072 59140 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 99, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 59140, - "rsa.time.event_time": "2012-09-28T22:11:38.000Z", - "rsa.time.event_time_str": "1348870298", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:11:56.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870316.251 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 194, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients4.google.com", - "rsa.time.duration_time": 60022, - "rsa.time.event_time": "2012-09-28T22:11:56.000Z", - "rsa.time.event_time_str": "1348870316", - "rsa.web.alias_host": "clients4.google.com", - "server.domain": "clients4.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients4.google.com", - "url.original": "clients4.google.com:443", - "user.name": "-" - }, - { - "@timestamp": 
"2012-09-28T22:12:01.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870321.251 60143 192.168.0.35 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 289, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 60143, - "rsa.time.event_time": "2012-09-28T22:12:01.000Z", - "rsa.time.event_time_str": "1348870321", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:05.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870325.850 9 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 379, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 9, - "rsa.time.event_time": "2012-09-28T22:12:05.000Z", - "rsa.time.event_time_str": "1348870325", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:06.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870326.168 95 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 498, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 95, - "rsa.time.event_time": "2012-09-28T22:12:06.000Z", - "rsa.time.event_time_str": "1348870326", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:06.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870326.810 124 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 617, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 124, - "rsa.time.event_time": "2012-09-28T22:12:06.000Z", - "rsa.time.event_time_str": "1348870326", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870327.186 169 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 736, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 169, - "rsa.time.event_time": "2012-09-28T22:12:07.000Z", - "rsa.time.event_time_str": "1348870327", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870327.634 71 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 855, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 71, - "rsa.time.event_time": "2012-09-28T22:12:07.000Z", - "rsa.time.event_time_str": "1348870327", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870327.842 1 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 974, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2012-09-28T22:12:07.000Z", - "rsa.time.event_time_str": "1348870327", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:07.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870327.958 67795 192.168.0.35 TCP_MISS/000 0 GET http://www.amazon.com/ - DIRECT/www.amazon.com -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1093, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.amazon.com", - 
"rsa.time.duration_time": 67795, - "rsa.time.event_time": "2012-09-28T22:12:07.000Z", - "rsa.time.event_time_str": "1348870327", - "rsa.web.alias_host": "www.amazon.com", - "server.domain": "www.amazon.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.amazon.com", - "url.original": "http://www.amazon.com/", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:12:26.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870346.253 60022 192.168.0.35 TCP_MISS/503 0 CONNECT clients4.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1196, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients4.google.com", - "rsa.time.duration_time": 60022, - "rsa.time.event_time": "2012-09-28T22:12:26.000Z", - "rsa.time.event_time_str": "1348870346", - "rsa.web.alias_host": "clients4.google.com", - "server.domain": "clients4.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients4.google.com", - "url.original": "clients4.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:13:24.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870404.068 0 192.168.0.35 TCP_MISS/404 0 CONNECT 
clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1291, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "404", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2012-09-28T22:13:24.000Z", - "rsa.time.event_time_str": "1348870404", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:16:03.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870563.266 60119 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1386, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "safebrowsing.google.com", - "rsa.time.duration_time": 60119, - "rsa.time.event_time": "2012-09-28T22:16:03.000Z", - 
"rsa.time.event_time_str": "1348870563", - "rsa.web.alias_host": "safebrowsing.google.com", - "server.domain": "safebrowsing.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "safebrowsing.google.com", - "url.original": "safebrowsing.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:16:24.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870584.268 60142 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1485, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 60142, - "rsa.time.event_time": "2012-09-28T22:16:24.000Z", - "rsa.time.event_time_str": "1348870584", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:17:33.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870653.273 60096 192.168.0.35 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -", - "fileset.name": "log", 
- "input.type": "log", - "log.offset": 1580, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "safebrowsing.google.com", - "rsa.time.duration_time": 60096, - "rsa.time.event_time": "2012-09-28T22:17:33.000Z", - "rsa.time.event_time_str": "1348870653", - "rsa.web.alias_host": "safebrowsing.google.com", - "server.domain": "safebrowsing.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "safebrowsing.google.com", - "url.original": "safebrowsing.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:18:09.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870689.175 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1679, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "404", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2012-09-28T22:18:09.000Z", - "rsa.time.event_time_str": "1348870689", - 
"rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:19:32.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870772.279 155623 192.168.0.35 TCP_MISS/503 3310 GET http://clients2.google.com/service/update2/crx? - DIRECT/clients2.google.com text/html", - "file.name": "crx", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1774, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients2.google.com", - "rsa.time.duration_time": 155623, - "rsa.time.event_time": "2012-09-28T22:19:32.000Z", - "rsa.time.event_time_str": "1348870772", - "rsa.web.alias_host": "clients2.google.com", - "server.domain": "clients2.google.com", - "service.type": "squid", - "source.bytes": 3310, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients2.google.com", - "url.original": "http://clients2.google.com/service/update2/crx?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:21:09.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870869.283 60063 192.168.0.35 
TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1918, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 60063, - "rsa.time.event_time": "2012-09-28T22:21:09.000Z", - "rsa.time.event_time_str": "1348870869", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:22:27.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870947.061 39 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2013, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 39, - "rsa.time.event_time": "2012-09-28T22:22:27.000Z", - "rsa.time.event_time_str": "1348870947", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:22:27.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870947.797 268 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2132, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 268, - "rsa.time.event_time": "2012-09-28T22:22:27.000Z", - "rsa.time.event_time_str": "1348870947", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:22:29.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870949.342 163 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2251, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 163, - "rsa.time.event_time": "2012-09-28T22:22:29.000Z", - "rsa.time.event_time_str": "1348870949", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:22:29.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870949.733 191 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2370, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 191, - "rsa.time.event_time": "2012-09-28T22:22:29.000Z", - "rsa.time.event_time_str": "1348870949", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:22:30.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870950.054 120 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/complete/search? 
- DIRECT/www.google.com -", - "file.name": "search", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2489, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 120, - "rsa.time.event_time": "2012-09-28T22:22:30.000Z", - "rsa.time.event_time_str": "1348870950", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/complete/search?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:22:54.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348870974.291 0 192.168.0.35 TCP_MISS/404 0 CONNECT clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2608, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "404", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 0, - 
"rsa.time.event_time": "2012-09-28T22:22:54.000Z", - "rsa.time.event_time_str": "1348870974", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:24:48.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871088.713 137787 192.168.0.35 TCP_MISS/000 0 GET http://www.google.com/ - DIRECT/www.google.com -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2703, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "000", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 137787, - "rsa.time.event_time": "2012-09-28T22:24:48.000Z", - "rsa.time.event_time_str": "1348871088", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:25:02.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871102.295 13511 192.168.0.35 TCP_MISS/503 4436 GET 
http://www.google.com/ - DIRECT/www.google.com text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2806, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "503", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 13511, - "rsa.time.event_time": "2012-09-28T22:25:02.000Z", - "rsa.time.event_time_str": "1348871102", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 4436, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:25:59.000Z", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871159.296 59931 192.168.0.35 TCP_MISS/503 0 CONNECT clients3.google.com:443 - DIRECT/- -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2920, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "503", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 59931, - 
"rsa.time.event_time": "2012-09-28T22:25:59.000Z", - "rsa.time.event_time_str": "1348871159", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:00.000Z", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871160.382 3 192.168.0.35 TCP_MISS/503 4244 GET http://www.google.com/ - NONE/- text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3015, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "503", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 3, - "rsa.time.event_time": "2012-09-28T22:26:00.000Z", - "rsa.time.event_time_str": "1348871160", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 4244, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:30.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.131.147" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871190.265 174 192.168.0.35 TCP_MISS/200 28149 GET http://www.google.com/ - DIRECT/74.125.131.147 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3114, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.131.147", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 174, - "rsa.time.event_time": "2012-09-28T22:26:30.000Z", - "rsa.time.event_time_str": "1348871190", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 28149, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:30.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.131.147" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871190.364 26 192.168.0.35 TCP_MISS/304 290 GET 
http://www.google.com/images/srpr/logo3w.png - DIRECT/74.125.131.147 -", - "file.name": "logo3w.png", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3229, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.131.147", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 26, - "rsa.time.event_time": "2012-09-28T22:26:30.000Z", - "rsa.time.event_time_str": "1348871190", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 290, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/images/srpr/logo3w.png", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:30.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.131.147" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871190.477 136 192.168.0.35 TCP_MISS/200 166258 GET http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA - DIRECT/74.125.131.147 
text/javascript", - "file.name": "rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3356, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.131.147", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 136, - "rsa.time.event_time": "2012-09-28T22:26:30.000Z", - "rsa.time.event_time_str": "1348871190", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 166258, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/xjs/_/js/s/s,jsa,c,sb,hv,wta,cr,cdos,nos,tbpr,tbui,rsn,ob,cb,mb,lc,du,ada,amcl,klc,kat,aut,esp,bihu,ifl,kp,lu,m,rtis,shb,sfa,tng,hsm,j,p,pcc,csi/rt=j/ver=P7Lew-MRiXo.en_US./d=1/sv=1/rs=AItRSTNwfvJBHcoKbi4wjkZ-Mr1w-Pv9LA", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:30.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.131.147" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871190.671 50 192.168.0.35 TCP_MISS/200 20129 GET http://www.google.com/extern_chrome/359533f6f71ee9c1.js - DIRECT/74.125.131.147 
text/javascript", - "file.name": "359533f6f71ee9c1.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3697, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.131.147", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 50, - "rsa.time.event_time": "2012-09-28T22:26:30.000Z", - "rsa.time.event_time_str": "1348871190", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 20129, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/extern_chrome/359533f6f71ee9c1.js", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:30.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.131.147" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871190.763 36 192.168.0.35 TCP_MISS/204 369 GET http://www.google.com/csi? 
- DIRECT/74.125.131.147 image/gif", - "file.name": "csi", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3851, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.131.147", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "204", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 36, - "rsa.time.event_time": "2012-09-28T22:26:30.000Z", - "rsa.time.event_time_str": "1348871190", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 369, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/csi?", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:35.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.3" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871195.222 58 192.168.0.35 TCP_MISS/200 2831 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3968, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.3" - ], - "related.user": [ - "-" - ], - 
"rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "encrypted.google.com", - "rsa.time.duration_time": 58, - "rsa.time.event_time": "2012-09-28T22:26:35.000Z", - "rsa.time.event_time_str": "1348871195", - "rsa.web.alias_host": "encrypted.google.com", - "server.domain": "encrypted.google.com", - "service.type": "squid", - "source.bytes": 2831, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "encrypted.google.com", - "url.original": "encrypted.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:35.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.3" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4078, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.3" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "encrypted.google.com", - 
"rsa.time.duration_time": 62, - "rsa.time.event_time": "2012-09-28T22:26:35.000Z", - "rsa.time.event_time_str": "1348871195", - "rsa.web.alias_host": "encrypted.google.com", - "server.domain": "encrypted.google.com", - "service.type": "squid", - "source.bytes": 2536, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "encrypted.google.com", - "url.original": "encrypted.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:35.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.3" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871195.223 62 192.168.0.35 TCP_MISS/200 2536 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4188, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.3", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "encrypted.google.com", - "rsa.time.duration_time": 62, - "rsa.time.event_time": "2012-09-28T22:26:35.000Z", - "rsa.time.event_time_str": "1348871195", - "rsa.web.alias_host": "encrypted.google.com", - "server.domain": "encrypted.google.com", - "service.type": "squid", - "source.bytes": 2536, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - 
], - "url.domain": "encrypted.google.com", - "url.original": "encrypted.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.6" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.841 9011 192.168.0.35 TCP_MISS/200 11085 CONNECT apis.google.com:443 - DIRECT/74.125.228.6 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4298, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.6", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "apis.google.com", - "rsa.time.duration_time": 9011, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "apis.google.com", - "server.domain": "apis.google.com", - "service.type": "squid", - "source.bytes": 11085, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "apis.google.com", - "url.original": "apis.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.3" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.843 8681 192.168.0.35 TCP_MISS/200 63315 CONNECT encrypted.google.com:443 - DIRECT/74.125.228.3 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4404, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.3", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "encrypted.google.com", - "rsa.time.duration_time": 8681, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "encrypted.google.com", - "server.domain": "encrypted.google.com", - "service.type": "squid", - "source.bytes": 63315, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "encrypted.google.com", - "url.original": "encrypted.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.843 8682 192.168.0.35 TCP_MISS/200 404199 CONNECT i.ytimg.com:443 - 
DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4515, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.14" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 8682, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 404199, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.849 9482 192.168.0.35 TCP_MISS/200 192122 CONNECT play.google.com:443 - DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4619, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.14", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "play.google.com", - "rsa.time.duration_time": 9482, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "play.google.com", - "server.domain": "play.google.com", - "service.type": "squid", - "source.bytes": 192122, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "play.google.com", - "url.original": "play.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.131.147" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.851 8989 192.168.0.35 TCP_MISS/200 8875 CONNECT www.google.com:443 - DIRECT/74.125.131.147 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4727, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.131.147" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 8989, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - 
"rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 8875, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.852 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4833, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.14" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 8685, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 2815, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - 
"destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.853 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4935, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.14", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 8686, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 2815, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - 
"event.original": "1348871203.853 8685 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5037, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.14", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 8685, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 2815, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.854 8686 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5139, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.14", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": 
"DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 8686, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - "rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 2815, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-09-28T22:26:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1348871203.854 8688 192.168.0.35 TCP_MISS/200 2815 CONNECT i.ytimg.com:443 - DIRECT/74.125.228.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5241, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.14", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 8688, - "rsa.time.event_time": "2012-09-28T22:26:43.000Z", - 
"rsa.time.event_time_str": "1348871203", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 2815, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:09:45.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.97" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057385.253 170 192.168.0.35 TCP_MISS/200 574 GET http://clients1.google.com/tools/swg2/update? - DIRECT/74.125.228.97 text/plain", - "file.name": "update", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5343, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.97" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 170, - "rsa.time.event_time": "2012-10-01T02:09:45.000Z", - "rsa.time.event_time_str": "1349057385", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 574, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": 
"clients1.google.com", - "url.original": "http://clients1.google.com/tools/swg2/update?", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:13.000Z", - "destination.as.number": 16625, - "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "23.11.236.224" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057413.337 170 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5479, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "23.11.236.224", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "configuration.apple.com", - "rsa.time.duration_time": 170, - "rsa.time.event_time": "2012-10-01T02:10:13.000Z", - "rsa.time.event_time_str": "1349057413", - "rsa.web.alias_host": "configuration.apple.com", - "server.domain": "configuration.apple.com", - "service.type": "squid", - "source.bytes": 8577, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "configuration.apple.com", - "url.original": "configuration.apple.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:25.000Z", - "destination.as.number": 16625, - "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "North 
America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "23.11.236.224" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057425.626 147 192.168.0.35 TCP_MISS/200 8577 CONNECT configuration.apple.com:443 - DIRECT/23.11.236.224 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5593, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "23.11.236.224", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "configuration.apple.com", - "rsa.time.duration_time": 147, - "rsa.time.event_time": "2012-10-01T02:10:25.000Z", - "rsa.time.event_time_str": "1349057425", - "rsa.web.alias_host": "configuration.apple.com", - "server.domain": "configuration.apple.com", - "service.type": "squid", - "source.bytes": 8577, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "configuration.apple.com", - "url.original": "configuration.apple.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:46.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": 
"1349057446.149 1715 192.168.0.35 TCP_MISS/200 2921 CONNECT docs.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5707, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.100", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 1715, - "rsa.time.event_time": "2012-10-01T02:10:46.000Z", - "rsa.time.event_time_str": "1349057446", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 2921, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:46.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057446.149 417 192.168.0.35 TCP_MISS/200 4161 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5814, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.100", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - 
"rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 417, - "rsa.time.event_time": "2012-10-01T02:10:46.000Z", - "rsa.time.event_time_str": "1349057446", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 4161, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:46.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057446.974 119 192.168.0.35 TCP_MISS/200 4153 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5925, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.100", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients3.google.com", - 
"rsa.time.duration_time": 119, - "rsa.time.event_time": "2012-10-01T02:10:46.000Z", - "rsa.time.event_time_str": "1349057446", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 4153, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:51.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.73.104" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057451.693 4784 192.168.0.35 TCP_MISS/200 2201 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6036, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.73.104", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 4784, - "rsa.time.event_time": "2012-10-01T02:10:51.000Z", - "rsa.time.event_time_str": "1349057451", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 2201, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - 
"url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:51.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057451.694 652 192.168.0.35 TCP_MISS/200 12807 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6142, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.100" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 652, - "rsa.time.event_time": "2012-10-01T02:10:51.000Z", - "rsa.time.event_time_str": "1349057451", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 12807, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:51.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057451.719 4875 192.168.0.35 TCP_MISS/200 4132 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6254, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.100" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 4875, - "rsa.time.event_time": "2012-10-01T02:10:51.000Z", - "rsa.time.event_time_str": "1349057451", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 4132, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:10:52.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057452.613 815 192.168.0.35 TCP_MISS/200 3481 CONNECT 
clients3.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6365, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.228.100", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 815, - "rsa.time.event_time": "2012-10-01T02:10:52.000Z", - "rsa.time.event_time_str": "1349057452", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 3481, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:06.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.184" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057466.259 467 192.168.0.35 TCP_MISS/200 161462 GET http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog - DIRECT/208.44.23.184 application/x-apple-plist", - "file.name": "index-windows-1.sucatalog", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6476, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - 
"related.ip": [ - "208.44.23.184", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "application/x-apple-plist", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcatalog.apple.com", - "rsa.time.duration_time": 467, - "rsa.time.event_time": "2012-10-01T02:11:06.000Z", - "rsa.time.event_time_str": "1349057466", - "rsa.web.alias_host": "swcatalog.apple.com", - "server.domain": "swcatalog.apple.com", - "service.type": "squid", - "source.bytes": 161462, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcatalog.apple.com", - "url.original": "http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:09.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057469.784 470 192.168.0.35 TCP_MISS/200 6546 GET http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-8153.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6661, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - 
], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 470, - "rsa.time.event_time": "2012-10-01T02:11:09.000Z", - "rsa.time.event_time_str": "1349057469", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6546, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/061-8153.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:10.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057470.770 334 192.168.0.35 TCP_MISS/200 31622 GET http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "061-3418.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6863, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - 
"rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 334, - "rsa.time.event_time": "2012-10-01T02:11:10.000Z", - "rsa.time.event_time_str": "1349057470", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 31622, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/02/58/061-3418/n6BBhLszLr6SN3XDXWT9N3YgpfHChbQTgb/061-3418.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:10.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057470.907 109 192.168.0.35 TCP_MISS/200 3798 GET http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-6867.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7068, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 109, - "rsa.time.event_time": "2012-10-01T02:11:10.000Z", - "rsa.time.event_time_str": "1349057470", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 3798, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/25/60/061-6867/WjSJ6JqjV34mZLtS944ndrx9RYQZJX6qHY/061-6867.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:12.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057472.794 219 192.168.0.35 TCP_MISS/200 7217 GET http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "061-4512.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7270, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - 
"GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 219, - "rsa.time.event_time": "2012-10-01T02:11:12.000Z", - "rsa.time.event_time_str": "1349057472", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 7217, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/061-4512.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:12.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057472.980 109 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-7511.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7474, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - 
"rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 109, - "rsa.time.event_time": "2012-10-01T02:11:12.000Z", - "rsa.time.event_time_str": "1349057472", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 7370, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/20/63/061-7511/XJqPCzWtXgkNgSZXp6DTn7gjNvHQVMZ4dP/061-7511.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:13.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057473.173 110 192.168.0.35 TCP_MISS/200 6939 GET http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-4514.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7676, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - 
"rsa.time.duration_time": 110, - "rsa.time.event_time": "2012-10-01T02:11:13.000Z", - "rsa.time.event_time_str": "1349057473", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6939, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/27/49/061-4514/Tcfqf4NdtQTpYj7Pn8qwLgWgj6kYcy26Zf/061-4514.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:13.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057473.340 111 192.168.0.35 TCP_MISS/200 5451 GET http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "061-7340.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7878, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 111, - "rsa.time.event_time": 
"2012-10-01T02:11:13.000Z", - "rsa.time.event_time_str": "1349057473", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 5451, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/57/25/061-7340/TJXt7nNzc4cS57fvwx8zg3GScrcLBWtdpR/061-7340.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:13.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057473.825 330 192.168.0.35 TCP_MISS/200 18008 GET http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "041-3097.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8082, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 330, - "rsa.time.event_time": "2012-10-01T02:11:13.000Z", - "rsa.time.event_time_str": "1349057473", - 
"rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 18008, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/56/25/041-3097/SrjbZVKzSxP5VNSHnnDMQrb78YZz66DYww/041-3097.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:14.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057474.139 221 192.168.0.35 TCP_MISS/200 6992 GET http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-9539.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8287, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 221, - "rsa.time.event_time": "2012-10-01T02:11:14.000Z", - "rsa.time.event_time_str": "1349057474", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - 
"service.type": "squid", - "source.bytes": 6992, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/51/48/061-9539/XzrZsqWRT9FLLVN6tBfk4mjVmtqvNDHwC7/061-9539.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:14.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057474.330 112 192.168.0.35 TCP_MISS/200 4197 GET http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-3452.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8489, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 112, - "rsa.time.event_time": "2012-10-01T02:11:14.000Z", - "rsa.time.event_time_str": "1349057474", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 4197, - "source.ip": [ - 
"192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/51/08/zzz061-3452/5bxNyT8NCFYPz9qff69kBjH4y3zxqSFt5B/061-3452.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:14.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057474.842 329 192.168.0.35 TCP_MISS/200 19447 GET http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-0517.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8694, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 329, - "rsa.time.event_time": "2012-10-01T02:11:14.000Z", - "rsa.time.event_time_str": "1349057474", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 19447, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - 
"url.domain": "swcdn.apple.com", - "url.original": "http://swcdn.apple.com/content/downloads/28/51/041-0517/cvDMxJL5q6TQ2t8899HH8mvzjdHkDFwr99/041-0517.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:15.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057475.092 221 192.168.0.35 TCP_MISS/200 7370 GET http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-7509.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8897, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 221, - "rsa.time.event_time": "2012-10-01T02:11:15.000Z", - "rsa.time.event_time_str": "1349057475", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 7370, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/28/43/061-7509/P7wtsjhJPsT9FM8Zff4FKg6FYM4W2yGP5B/061-7509.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:15.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057475.582 434 192.168.0.35 TCP_MISS/200 5297 GET http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-1673.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9099, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 434, - "rsa.time.event_time": "2012-10-01T02:11:15.000Z", - "rsa.time.event_time_str": "1349057475", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 5297, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/01/21/041-1673/s6XjZyFGmdTf5YHq6C8CPWjJ4sWz9pz3vX/041-1673.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:15.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057475.860 217 192.168.0.35 TCP_MISS/200 6480 GET http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-4249.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9301, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 217, - "rsa.time.event_time": "2012-10-01T02:11:15.000Z", - "rsa.time.event_time_str": "1349057475", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6480, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/12/45/061-4249/7ck27nGQBsHQNcnMMjtmLbDJm2zPbRxj4h/061-4249.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:16.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057476.242 331 192.168.0.35 TCP_MISS/200 18211 GET http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-5790.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9503, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 331, - "rsa.time.event_time": "2012-10-01T02:11:16.000Z", - "rsa.time.event_time_str": "1349057476", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 18211, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/54/37/061-5790/mxbPrKRvB9G6cvrjY2QPNVQPYj3nrjwbgX/061-5790.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:16.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057476.800 543 192.168.0.35 TCP_MISS/200 6525 GET http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "061-8155.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9706, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 543, - "rsa.time.event_time": "2012-10-01T02:11:16.000Z", - "rsa.time.event_time_str": "1349057476", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6525, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/26/11/061-8155/wdTHYKkFWMCC8dDLHkycj3BLMxvq2wjwYD/061-8155.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:17.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057477.417 552 192.168.0.35 TCP_MISS/200 19458 GET http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "041-0516.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9910, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 552, - "rsa.time.event_time": "2012-10-01T02:11:17.000Z", - "rsa.time.event_time_str": "1349057477", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 19458, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/59/27/041-0516/rRmQxLKryPBcF33yFvzhw7SYLDRntjXj9K/041-0516.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:18.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057478.304 870 192.168.0.35 TCP_MISS/200 18041 GET http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-9848.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10115, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 870, - "rsa.time.event_time": "2012-10-01T02:11:18.000Z", - "rsa.time.event_time_str": "1349057478", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 18041, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/50/36/061-9848/kJvM5Qq2gBCSHSrxsdNfyn7NPjVYNHX7ZR/061-9848.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:18.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057478.759 437 192.168.0.35 TCP_MISS/200 17576 GET http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "041-1676.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10318, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 437, - "rsa.time.event_time": "2012-10-01T02:11:18.000Z", - "rsa.time.event_time_str": "1349057478", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 17576, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/45/03/041-1676/ZMjp6WLTqS9GDRdnzdLqHXgS838bwRNVn6/041-1676.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:18.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057478.905 111 192.168.0.35 TCP_MISS/200 6991 GET http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-9537.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10523, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 111, - "rsa.time.event_time": "2012-10-01T02:11:18.000Z", - "rsa.time.event_time_str": "1349057478", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6991, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/03/00/061-9537/xkqVg9ZybxffPsFvSjqgxnHK7HGJ4b9zLy/061-9537.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:19.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057479.343 332 192.168.0.35 TCP_MISS/200 25935 GET http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-4336.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10725, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 332, - "rsa.time.event_time": "2012-10-01T02:11:19.000Z", - "rsa.time.event_time_str": "1349057479", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 25935, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/41/25/041-4336/M2r89dmfRR9jmgt2Gr4ZB7wftMfHSmhpnX/041-4336.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:19.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057479.593 223 192.168.0.35 TCP_MISS/200 18205 GET http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-5850.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10928, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 223, - "rsa.time.event_time": "2012-10-01T02:11:19.000Z", - "rsa.time.event_time_str": "1349057479", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 18205, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/10/51/061-5850/6T9D3ShR4mRKT3YgFK7JG5sDytGYDYCJ3L/061-5850.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:19.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057479.728 110 192.168.0.35 TCP_MISS/200 7326 GET http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist - DIRECT/208.44.23.185 text/plain", - "file.name": "061-4513.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11131, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 110, - "rsa.time.event_time": "2012-10-01T02:11:19.000Z", - "rsa.time.event_time_str": "1349057479", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 7326, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/10/26/061-4513/nY7s8PkHbJYHKKDtjh7FJQr7JYBTzHvnr2/061-4513.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:19.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057479.893 111 192.168.0.35 TCP_MISS/200 6973 GET http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-7306.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11335, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 111, - "rsa.time.event_time": "2012-10-01T02:11:19.000Z", - "rsa.time.event_time_str": "1349057479", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6973, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/29/33/061-7306/hwpP4sYb2wmfHdYHjsQ23VrSbXXGKCK378/061-7306.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:20.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057480.599 679 192.168.0.35 TCP_MISS/200 6748 GET http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "061-4200.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11537, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 679, - "rsa.time.event_time": "2012-10-01T02:11:20.000Z", - "rsa.time.event_time_str": "1349057480", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 6748, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/07/44/061-4200/3DtF5LrT3BL2b86P57Kyrs5dH9NTs9ctNV/061-4200.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:21.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057481.530 889 192.168.0.35 TCP_MISS/200 19858 GET http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-0255.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11739, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 889, - "rsa.time.event_time": "2012-10-01T02:11:21.000Z", - "rsa.time.event_time_str": "1349057481", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 19858, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/37/12/041-0255/lfinb0xmk5ten4ojrimcebpl6561xez6xk/041-0255.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:22.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057482.097 550 192.168.0.35 TCP_MISS/200 19848 GET http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-0256.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11942, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 550, - "rsa.time.event_time": "2012-10-01T02:11:22.000Z", - "rsa.time.event_time_str": "1349057482", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 19848, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/06/39/041-0256/orwba7zrt5npsr5wvhsljprdyd1jtt62oz/041-0256.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:23.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057483.427 771 192.168.0.35 TCP_MISS/200 38188 GET http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-6756.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12145, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 771, - "rsa.time.event_time": "2012-10-01T02:11:23.000Z", - "rsa.time.event_time_str": "1349057483", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 38188, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/32/19/041-6756/gntu51zjuiyzu4l94ezxy3g1tb3jfpaoit/041-6756.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:23.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057483.787 320 192.168.0.35 TCP_MISS/200 8913 GET http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-6905.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12348, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 320, - "rsa.time.event_time": "2012-10-01T02:11:23.000Z", - "rsa.time.event_time_str": "1349057483", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 8913, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/40/54/041-6905/v0fukt9lmfcv18d4wczh49ap9z6r5p5c0c/041-6905.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:24.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057484.139 222 192.168.0.35 TCP_MISS/200 8113 GET http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-6906.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12550, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 222, - "rsa.time.event_time": "2012-10-01T02:11:24.000Z", - "rsa.time.event_time_str": "1349057484", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 8113, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/23/10/041-6906/nr0v270bqzt428sd57s1slz78hgkzg38tc/041-6906.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:26.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057486.034 1694 192.168.0.35 TCP_MISS/200 31969 GET http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-1612.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12752, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 1694, - "rsa.time.event_time": "2012-10-01T02:11:26.000Z", - "rsa.time.event_time_str": "1349057486", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 31969, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/00/31/041-1612/xqbjtqo1qzy7cz1v2yflklj5kg1v2tlncj/041-1612.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:26.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057486.672 550 192.168.0.35 TCP_MISS/200 31972 GET http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-1613.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12955, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "208.44.23.185", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 550, - "rsa.time.event_time": "2012-10-01T02:11:26.000Z", - "rsa.time.event_time_str": "1349057486", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 31972, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/30/32/041-1613/nysxhnpjpllehg0d54krf0yr8fa17jymjf/041-1613.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:11:27.000Z", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "208.44.23.185" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057487.172 436 192.168.0.35 TCP_MISS/200 23087 GET http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist - DIRECT/208.44.23.185 text/xml", - "file.name": "041-5328.English.dist", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13158, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "208.44.23.185" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "swcdn.apple.com", - "rsa.time.duration_time": 436, - "rsa.time.event_time": "2012-10-01T02:11:27.000Z", - "rsa.time.event_time_str": "1349057487", - "rsa.web.alias_host": "swcdn.apple.com", - "server.domain": "swcdn.apple.com", - "service.type": "squid", - "source.bytes": 23087, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "swcdn.apple.com", - "url.original": 
"http://swcdn.apple.com/content/downloads/01/20/041-5328/74a52anhihangc837n25490jxt30a59gid/041-5328.English.dist", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:13:03.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.73.104" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057583.918 101348 192.168.0.35 TCP_MISS/200 2488 CONNECT www.google.com:443 - DIRECT/173.194.73.104 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13361, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "173.194.73.104" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 101348, - "rsa.time.event_time": "2012-10-01T02:13:03.000Z", - "rsa.time.event_time_str": "1349057583", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 2488, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:13:03.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", 
- "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.100" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057583.929 100999 192.168.0.35 TCP_MISS/200 2974 CONNECT clients3.google.com:443 - DIRECT/74.125.228.100 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13467, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.100" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients3.google.com", - "rsa.time.duration_time": 100999, - "rsa.time.event_time": "2012-10-01T02:13:03.000Z", - "rsa.time.event_time_str": "1349057583", - "rsa.web.alias_host": "clients3.google.com", - "server.domain": "clients3.google.com", - "service.type": "squid", - "source.bytes": 2974, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients3.google.com", - "url.original": "clients3.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:13:03.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.96" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057583.929 105631 192.168.0.35 TCP_MISS/200 2969 CONNECT 
clients4.google.com:443 - DIRECT/74.125.228.96 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13578, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.96" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients4.google.com", - "rsa.time.duration_time": 105631, - "rsa.time.event_time": "2012-10-01T02:13:03.000Z", - "rsa.time.event_time_str": "1349057583", - "rsa.web.alias_host": "clients4.google.com", - "server.domain": "clients4.google.com", - "service.type": "squid", - "source.bytes": 2969, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients4.google.com", - "url.original": "clients4.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:13:03.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.101" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057583.929 43683 192.168.0.35 TCP_MISS/200 662274 CONNECT safebrowsing-cache.google.com:443 - DIRECT/74.125.228.101 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13688, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.101" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": 
"DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "safebrowsing-cache.google.com", - "rsa.time.duration_time": 43683, - "rsa.time.event_time": "2012-10-01T02:13:03.000Z", - "rsa.time.event_time_str": "1349057583", - "rsa.web.alias_host": "safebrowsing-cache.google.com", - "server.domain": "safebrowsing-cache.google.com", - "service.type": "squid", - "source.bytes": 662274, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "safebrowsing-cache.google.com", - "url.original": "safebrowsing-cache.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:13:03.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.228.102" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057583.930 44106 192.168.0.35 TCP_MISS/200 6152 CONNECT safebrowsing.google.com:443 - DIRECT/74.125.228.102 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13811, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "74.125.228.102" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": 
"safebrowsing.google.com", - "rsa.time.duration_time": 44106, - "rsa.time.event_time": "2012-10-01T02:13:03.000Z", - "rsa.time.event_time_str": "1349057583", - "rsa.web.alias_host": "safebrowsing.google.com", - "server.domain": "safebrowsing.google.com", - "service.type": "squid", - "source.bytes": 6152, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "safebrowsing.google.com", - "url.original": "safebrowsing.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:15:15.000Z", - "destination.as.number": 32934, - "destination.as.organization.name": "Facebook, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "69.171.228.74" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057715.339 267 192.168.0.35 TCP_MISS/302 379 GET http://www.facebook.com/ - DIRECT/69.171.228.74 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13926, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "69.171.228.74", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "www.facebook.com", - "rsa.time.duration_time": 267, - "rsa.time.event_time": "2012-10-01T02:15:15.000Z", - "rsa.time.event_time_str": "1349057715", - "rsa.web.alias_host": "www.facebook.com", - "server.domain": "www.facebook.com", - "service.type": "squid", - "source.bytes": 
379, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.facebook.com", - "url.original": "http://www.facebook.com/", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:15:18.000Z", - "destination.as.number": 16625, - "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "NL", - "destination.geo.location.lat": 52.3824, - "destination.geo.location.lon": 4.8995, - "destination.ip": [ - "23.62.194.110" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057718.031 2684 192.168.0.35 TCP_MISS/200 1871 CONNECT s-static.ak.facebook.com:443 - DIRECT/23.62.194.110 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14040, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "23.62.194.110", - "192.168.0.35" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "s-static.ak.facebook.com", - "rsa.time.duration_time": 2684, - "rsa.time.event_time": "2012-10-01T02:15:18.000Z", - "rsa.time.event_time_str": "1349057718", - "rsa.web.alias_host": "s-static.ak.facebook.com", - "server.domain": "s-static.ak.facebook.com", - "service.type": "squid", - "source.bytes": 1871, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "s-static.ak.facebook.com", - "url.original": "s-static.ak.facebook.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:15:18.000Z", - "destination.as.number": 32934, - 
"destination.as.organization.name": "Facebook, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "69.171.228.74" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1349057718.398 3047 192.168.0.35 TCP_MISS/200 87179 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14155, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "192.168.0.35", - "69.171.228.74" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.facebook.com", - "rsa.time.duration_time": 3047, - "rsa.time.event_time": "2012-10-01T02:15:18.000Z", - "rsa.time.event_time_str": "1349057718", - "rsa.web.alias_host": "www.facebook.com", - "server.domain": "www.facebook.com", - "service.type": "squid", - "source.bytes": 87179, - "source.ip": [ - "192.168.0.35" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.facebook.com", - "url.original": "www.facebook.com:443", - "user.name": "-" - }, - { - "@timestamp": "2012-10-01T02:15:19.000Z", - "destination.as.number": 32934, - "destination.as.organization.name": "Facebook, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "69.171.228.74" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": 
"squid.log",
- "event.module": "squid",
- "event.original": "1349057719.228 3879 192.168.0.35 TCP_MISS/200 2894 CONNECT www.facebook.com:443 - DIRECT/69.171.228.74 -",
- "fileset.name": "log",
- "input.type": "log",
- "log.offset": 14263,
- "observer.product": "Proxy",
- "observer.type": "Proxies",
- "observer.vendor": "Squid",
- "related.ip": [
- "192.168.0.35",
- "69.171.228.74"
- ],
- "related.user": [
- "-"
- ],
- "rsa.internal.hcode": "DIRECT",
- "rsa.internal.messageid": "CONNECT",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "ALM",
- "rsa.misc.action": [
- "CONNECT",
- "TCP_MISS"
- ],
- "rsa.misc.content_type": "-",
- "rsa.misc.result_code": "200",
- "rsa.network.domain": "www.facebook.com",
- "rsa.time.duration_time": 3879,
- "rsa.time.event_time": "2012-10-01T02:15:19.000Z",
- "rsa.time.event_time_str": "1349057719",
- "rsa.web.alias_host": "www.facebook.com",
- "server.domain": "www.facebook.com",
- "service.type": "squid",
- "source.bytes": 2894,
- "source.ip": [
- "192.168.0.35"
- ],
- "tags": [
- "squid.log",
- "forwarded"
- ],
- "url.domain": "www.facebook.com",
- "url.original": "www.facebook.com:443",
- "user.name": "-"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/squid/log/test/access4.log b/x-pack/filebeat/module/squid/log/test/access4.log
deleted file mode 100644
index c8e40013cb5..00000000000
--- a/x-pack/filebeat/module/squid/log/test/access4.log
+++ /dev/null
@@ -1,100 +0,0 @@ -1431966856.793 48016 ::1 TCP_MISS/200 16674 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431966858.959 118352 ::1 TCP_MISS/200 1384 CONNECT 0.client-channel.google.com:443 - DIRECT/173.194.206.189 - -1431966860.960 141516 ::1 TCP_MISS/200 29012 CONNECT clients4.google.com:443 - DIRECT/173.194.123.102 - -1431966862.972 179667 ::1 TCP_MISS/200 1551 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 - -1431966888.037 226448 ::1 TCP_MISS/200 907245 CONNECT drive.google.com:443 - DIRECT/173.194.123.97 - -1431966902.944 46063 ::1 TCP_MISS/200 6663 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431966907.045 230072 ::1 TCP_MISS/200 4784 CONNECT clients2.google.com:443 - DIRECT/173.194.123.102 - -1431966916.065 117889 ::1 TCP_MISS/200 865 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 - -1431966917.064 118888 ::1 TCP_MISS/200 1262 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 - -1431966927.088 128911 ::1 TCP_MISS/200 2485 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 - -1431966929.071 117252 ::1 TCP_MISS/200 1270 CONNECT accounts.google.com:443 - DIRECT/216.58.219.237 - -1431966934.075 254028 ::1 TCP_MISS/200 200095 CONNECT apis.google.com:443 - DIRECT/173.194.123.68 - -1431966934.076 250120 ::1 TCP_MISS/200 14577 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 - -1431966950.318 47289 ::1 TCP_MISS/200 1391 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431966958.711 276 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.105 application/ocsp-response -1431967010.962 212785 ::1 TCP_MISS/200 313787 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 - -1431967010.962 60560 ::1 TCP_MISS/200 2323 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967067.416 56361 ::1 TCP_MISS/200 940 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967094.510 350082 ::1 TCP_MISS/200 952006 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 - 
-1431967104.597 146762 ::1 TCP_MISS/200 6013 CONNECT drive.google.com:443 - DIRECT/173.194.123.71 - -1431967119.333 51829 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967171.526 52115 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967221.312 49708 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967273.790 52393 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967328.486 54590 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967385.358 56797 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967440.782 55339 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967498.549 57685 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967553.286 54658 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967611.006 57645 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967667.705 56621 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967671.980 115965 ::1 TCP_MISS/200 937 CONNECT docs.google.com:443 - DIRECT/173.194.123.67 - -1431967721.078 53297 ::1 TCP_MISS/200 870 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967773.775 52610 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967827.637 53774 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967881.971 54254 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967935.923 53860 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431967989.089 53080 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968041.539 52374 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - 
-1431968099.212 57477 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968156.648 57347 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968210.299 53575 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968265.132 54585 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968273.671 116138 ::1 TCP_MISS/200 1093 CONNECT docs.google.com:443 - DIRECT/173.194.123.101 - -1431968319.296 54086 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968372.410 52982 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1431968374.119 8177 ::1 TCP_MISS/200 2705 CONNECT docs.google.com:443 - DIRECT/173.194.123.99 - -1431968374.150 1601 ::1 TCP_MISS/200 844 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 - -1432789884.994 297 ::1 TCP_MISS/302 696 GET http://www.google.com/ - DIRECT/74.125.226.83 text/html -1432789885.671 220 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.40 application/ocsp-response -1432789950.885 59335 ::1 TCP_MISS/200 55721 CONNECT apis.google.com:443 - DIRECT/173.194.123.41 - -1432789952.891 67776 ::1 TCP_MISS/200 254589 CONNECT www.google.com:443 - DIRECT/74.125.226.83 - -1445267990.313 759 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response -1445268003.557 192 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response -1445268029.709 59991 ::1 TCP_MISS/200 5188 CONNECT mail.google.com:443 - DIRECT/216.58.219.165 - -1445268062.046 66005 ::1 TCP_MISS/200 5310 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 - -1445268064.055 73369 ::1 TCP_MISS/200 6975 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 - -1445268069.665 59549 ::1 TCP_MISS/200 4871 CONNECT play.google.com:443 - DIRECT/216.58.219.174 - -1445268140.447 180 
::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 - -1445268140.539 74 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 - -1445268140.703 112 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 - -1445268152.177 264 ::1 TCP_MISS/200 0 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 - -1445268187.113 59699 ::1 TCP_MISS/200 5020 CONNECT docs.google.com:443 - DIRECT/216.58.219.142 - -1445268224.938 70176 ::1 TCP_MISS/200 14737 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 - -1445268261.980 121174 ::1 TCP_MISS/200 528022 CONNECT www.google.com:443 - DIRECT/216.58.219.132 - -1445268314.711 361370 ::1 TCP_MISS/200 6518 CONNECT 0.docs.google.com:443 - DIRECT/74.125.141.189 - -1445268314.711 355919 ::1 TCP_MISS/200 9695 CONNECT 0.talkgadget.google.com:443 - DIRECT/74.125.141.189 - -1445268314.711 257778 ::1 TCP_MISS/200 6024 CONNECT 0.client-channel.google.com:443 - DIRECT/74.125.141.189 - -1445268314.711 43887 ::1 TCP_MISS/200 1833 CONNECT mail.google.com:443 - DIRECT/216.58.219.133 - -1454336396.005 63622 10.100.0.1 TCP_MISS/200 272954 CONNECT www.google.com:443 - DIRECT/216.58.219.228 - -1454336398.988 59761 10.100.0.1 TCP_MISS/200 54752 CONNECT apis.google.com:443 - DIRECT/216.58.219.238 - -1462898750.708 288 10.100.0.1 TCP_MISS/301 695 GET http://google.com/ - DIRECT/173.194.205.113 text/html -1483547243.947 153 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response -1483547244.218 110 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response -1483809788.490 217 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response -1483809788.504 224 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response -1492721605.095 1894 10.100.0.1 TCP_MISS/200 901 POST 
http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response -1514415283.110 3338 10.100.2.85 TCP_MISS/200 25103 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 - -1514415285.181 5317 10.100.2.85 TCP_MISS/200 30037 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 - -1514415287.601 7719 10.100.2.85 TCP_MISS/200 31365 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 - -1514415293.832 11122 10.100.2.85 TCP_MISS/200 4120 CONNECT play.google.com:443 - DIRECT/172.217.12.174 - -1514415295.359 15462 10.100.2.85 TCP_MISS/200 135019 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 - -1514415297.207 17318 10.100.2.85 TCP_MISS/200 193786 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 - -1514415468.723 195307 10.100.2.85 TCP_MISS/200 207119 CONNECT news.google.com:443 - DIRECT/172.217.12.174 - -1514415469.795 189952 10.100.2.85 TCP_MISS/200 372304 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 - -1514415470.873 171312 10.100.2.85 TCP_MISS/200 3517 CONNECT stats.g.doubleclick.net:443 - DIRECT/173.194.204.156 - -1514415471.953 170700 10.100.2.85 TCP_MISS/200 5679 CONNECT play.google.com:443 - DIRECT/172.217.12.174 - -1521148405.505 170531 10.100.0.1 TCP_MISS/200 5650 CONNECT news.google.com:443 - DIRECT/172.217.12.174 - -1521148583.607 171280 10.100.0.1 TCP_MISS/200 5549 CONNECT play.google.com:443 - DIRECT/172.217.12.174 - -1521148701.183 232347 10.100.0.1 TCP_MISS/200 947 CONNECT news.google.com:443 - DIRECT/172.217.12.174 - -1521148880.382 170896 10.100.0.1 TCP_MISS/200 785 CONNECT news.google.com:443 - DIRECT/172.217.12.174 - -1521149008.672 59245 10.100.0.1 TCP_MISS/200 1723 CONNECT news.google.com:443 - DIRECT/172.217.12.174 - -1521149028.248 14405 10.100.0.1 TCP_MISS/200 28315 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 - -1521149028.574 15142 10.100.0.1 TCP_MISS/200 32424 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 - -1521149029.151 15722 10.100.0.1 TCP_MISS/200 31526 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 - -1521149029.888 16453 10.100.0.1 
TCP_MISS/200 45630 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 - -1521149030.562 17135 10.100.0.1 TCP_MISS/200 26443 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 - -1521149041.120 24645 10.100.0.1 TCP_MISS/200 52379 CONNECT apis.google.com:443 - DIRECT/172.217.12.174 - -1521149041.124 27963 10.100.0.1 TCP_MISS/200 510095 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 - -1521149041.125 32394 10.100.0.1 TCP_MISS/200 235026 CONNECT news.google.com:443 - DIRECT/172.217.12.174 - diff --git a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json b/x-pack/filebeat/module/squid/log/test/access4.log-expected.json deleted file mode 100644 index e9821274376..00000000000 --- a/x-pack/filebeat/module/squid/log/test/access4.log-expected.json +++ /dev/null 
@@ -1,5888 +0,0 @@ -[ - { - "@timestamp": "2015-05-18T16:34:16.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966856.793 48016 ::1 TCP_MISS/200 16674 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 0, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 48016, - "rsa.time.event_time": "2015-05-18T16:34:16.000Z", - "rsa.time.event_time_str": "1431966856", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 16674, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:34:18.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" 
- ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966858.959 118352 ::1 TCP_MISS/200 1384 CONNECT 0.client-channel.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 102, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.client-channel.google.com", - "rsa.time.duration_time": 118352, - "rsa.time.event_time": "2015-05-18T16:34:18.000Z", - "rsa.time.event_time_str": "1431966858", - "rsa.web.alias_host": "0.client-channel.google.com", - "server.domain": "0.client-channel.google.com", - "service.type": "squid", - "source.bytes": 1384, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.client-channel.google.com", - "url.original": "0.client-channel.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:34:20.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.102" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966860.960 141516 ::1 TCP_MISS/200 29012 CONNECT clients4.google.com:443 - DIRECT/173.194.123.102 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 213, - 
"observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.102", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients4.google.com", - "rsa.time.duration_time": 141516, - "rsa.time.event_time": "2015-05-18T16:34:20.000Z", - "rsa.time.event_time_str": "1431966860", - "rsa.web.alias_host": "clients4.google.com", - "server.domain": "clients4.google.com", - "service.type": "squid", - "source.bytes": 29012, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients4.google.com", - "url.original": "clients4.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:34:22.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.102" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966862.972 179667 ::1 TCP_MISS/200 1551 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 317, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.102" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - 
"CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients6.google.com", - "rsa.time.duration_time": 179667, - "rsa.time.event_time": "2015-05-18T16:34:22.000Z", - "rsa.time.event_time_str": "1431966862", - "rsa.web.alias_host": "clients6.google.com", - "server.domain": "clients6.google.com", - "service.type": "squid", - "source.bytes": 1551, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients6.google.com", - "url.original": "clients6.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:34:48.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.97" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966888.037 226448 ::1 TCP_MISS/200 907245 CONNECT drive.google.com:443 - DIRECT/173.194.123.97 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 420, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.97", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "drive.google.com", - "rsa.time.duration_time": 226448, - "rsa.time.event_time": "2015-05-18T16:34:48.000Z", - "rsa.time.event_time_str": "1431966888", - "rsa.web.alias_host": "drive.google.com", - "server.domain": "drive.google.com", - "service.type": 
"squid", - "source.bytes": 907245, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "drive.google.com", - "url.original": "drive.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:02.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966902.944 46063 ::1 TCP_MISS/200 6663 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 521, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 46063, - "rsa.time.event_time": "2015-05-18T16:35:02.000Z", - "rsa.time.event_time_str": "1431966902", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 6663, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:07.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.102" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966907.045 230072 ::1 TCP_MISS/200 4784 CONNECT clients2.google.com:443 - DIRECT/173.194.123.102 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 622, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.102", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients2.google.com", - "rsa.time.duration_time": 230072, - "rsa.time.event_time": "2015-05-18T16:35:07.000Z", - "rsa.time.event_time_str": "1431966907", - "rsa.web.alias_host": "clients2.google.com", - "server.domain": "clients2.google.com", - "service.type": "squid", - "source.bytes": 4784, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients2.google.com", - "url.original": "clients2.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:16.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.96" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": 
"1431966916.065 117889 ::1 TCP_MISS/200 865 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 725, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.96" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 117889, - "rsa.time.event_time": "2015-05-18T16:35:16.000Z", - "rsa.time.event_time_str": "1431966916", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 865, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:17.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.96" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966917.064 118888 ::1 TCP_MISS/200 1262 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 822, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.96", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - 
"rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 118888, - "rsa.time.event_time": "2015-05-18T16:35:17.000Z", - "rsa.time.event_time_str": "1431966917", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 1262, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:27.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.96" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966927.088 128911 ::1 TCP_MISS/200 2485 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 920, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.96", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 128911, - "rsa.time.event_time": "2015-05-18T16:35:27.000Z", - 
"rsa.time.event_time_str": "1431966927", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 2485, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:29.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.237" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966929.071 117252 ::1 TCP_MISS/200 1270 CONNECT accounts.google.com:443 - DIRECT/216.58.219.237 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1018, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.237" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "accounts.google.com", - "rsa.time.duration_time": 117252, - "rsa.time.event_time": "2015-05-18T16:35:29.000Z", - "rsa.time.event_time_str": "1431966929", - "rsa.web.alias_host": "accounts.google.com", - "server.domain": "accounts.google.com", - "service.type": "squid", - "source.bytes": 1270, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - 
"forwarded" - ], - "url.domain": "accounts.google.com", - "url.original": "accounts.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:34.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.68" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966934.075 254028 ::1 TCP_MISS/200 200095 CONNECT apis.google.com:443 - DIRECT/173.194.123.68 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1120, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.68" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "apis.google.com", - "rsa.time.duration_time": 254028, - "rsa.time.event_time": "2015-05-18T16:35:34.000Z", - "rsa.time.event_time_str": "1431966934", - "rsa.web.alias_host": "apis.google.com", - "server.domain": "apis.google.com", - "service.type": "squid", - "source.bytes": 200095, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "apis.google.com", - "url.original": "apis.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:34.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.102" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966934.076 250120 ::1 TCP_MISS/200 14577 CONNECT clients6.google.com:443 - DIRECT/173.194.123.102 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1220, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.102", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients6.google.com", - "rsa.time.duration_time": 250120, - "rsa.time.event_time": "2015-05-18T16:35:34.000Z", - "rsa.time.event_time_str": "1431966934", - "rsa.web.alias_host": "clients6.google.com", - "server.domain": "clients6.google.com", - "service.type": "squid", - "source.bytes": 14577, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients6.google.com", - "url.original": "clients6.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966950.318 47289 ::1 TCP_MISS/200 1391 CONNECT 0.docs.google.com:443 - 
DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1324, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 47289, - "rsa.time.event_time": "2015-05-18T16:35:50.000Z", - "rsa.time.event_time_str": "1431966950", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 1391, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:35:58.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.105" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431966958.711 276 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.105 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1425, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.105", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - 
"rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 276, - "rsa.time.event_time": "2015-05-18T16:35:58.000Z", - "rsa.time.event_time_str": "1431966958", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 934, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:36:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.96" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967010.962 212785 ::1 TCP_MISS/200 313787 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1556, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.96" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 212785, - 
"rsa.time.event_time": "2015-05-18T16:36:50.000Z", - "rsa.time.event_time_str": "1431967010", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 313787, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:36:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967010.962 60560 ::1 TCP_MISS/200 2323 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1656, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 60560, - "rsa.time.event_time": "2015-05-18T16:36:50.000Z", - "rsa.time.event_time_str": "1431967010", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 2323, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", 
- "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:37:47.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967067.416 56361 ::1 TCP_MISS/200 940 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1757, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 56361, - "rsa.time.event_time": "2015-05-18T16:37:47.000Z", - "rsa.time.event_time_str": "1431967067", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 940, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:38:14.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.96" 
- ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967094.510 350082 ::1 TCP_MISS/200 952006 CONNECT docs.google.com:443 - DIRECT/173.194.123.96 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1857, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.96" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 350082, - "rsa.time.event_time": "2015-05-18T16:38:14.000Z", - "rsa.time.event_time_str": "1431967094", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 952006, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:38:24.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.71" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967104.597 146762 ::1 TCP_MISS/200 6013 CONNECT drive.google.com:443 - DIRECT/173.194.123.71 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1957, - "observer.product": "Proxy", - "observer.type": "Proxies", - 
"observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.71" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "drive.google.com", - "rsa.time.duration_time": 146762, - "rsa.time.event_time": "2015-05-18T16:38:24.000Z", - "rsa.time.event_time_str": "1431967104", - "rsa.web.alias_host": "drive.google.com", - "server.domain": "drive.google.com", - "service.type": "squid", - "source.bytes": 6013, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "drive.google.com", - "url.original": "drive.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:38:39.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967119.333 51829 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2056, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": 
"200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 51829, - "rsa.time.event_time": "2015-05-18T16:38:39.000Z", - "rsa.time.event_time_str": "1431967119", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:39:31.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967171.526 52115 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2156, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 52115, - "rsa.time.event_time": "2015-05-18T16:39:31.000Z", - "rsa.time.event_time_str": "1431967171", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - 
"forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:40:21.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967221.312 49708 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2256, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 49708, - "rsa.time.event_time": "2015-05-18T16:40:21.000Z", - "rsa.time.event_time_str": "1431967221", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:41:13.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967273.790 52393 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2356, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 52393, - "rsa.time.event_time": "2015-05-18T16:41:13.000Z", - "rsa.time.event_time_str": "1431967273", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:42:08.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967328.486 54590 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - 
"fileset.name": "log", - "input.type": "log", - "log.offset": 2456, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 54590, - "rsa.time.event_time": "2015-05-18T16:42:08.000Z", - "rsa.time.event_time_str": "1431967328", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:43:05.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967385.358 56797 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2556, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 56797, - "rsa.time.event_time": "2015-05-18T16:43:05.000Z", - "rsa.time.event_time_str": "1431967385", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:44:00.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967440.782 55339 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2656, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 55339, - "rsa.time.event_time": "2015-05-18T16:44:00.000Z", - "rsa.time.event_time_str": "1431967440", - "rsa.web.alias_host": "0.docs.google.com", - 
"server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:44:58.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967498.549 57685 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2756, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 57685, - "rsa.time.event_time": "2015-05-18T16:44:58.000Z", - "rsa.time.event_time_str": "1431967498", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:45:53.000Z", - "destination.as.number": 15169, - 
"destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967553.286 54658 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2856, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 54658, - "rsa.time.event_time": "2015-05-18T16:45:53.000Z", - "rsa.time.event_time_str": "1431967553", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 774, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:46:51.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "1431967611.006 57645 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2956, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 57645, - "rsa.time.event_time": "2015-05-18T16:46:51.000Z", - "rsa.time.event_time_str": "1431967611", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 774, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:47:47.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967667.705 56621 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3056, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - 
"-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 56621, - "rsa.time.event_time": "2015-05-18T16:47:47.000Z", - "rsa.time.event_time_str": "1431967667", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:47:51.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.67" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967671.980 115965 ::1 TCP_MISS/200 937 CONNECT docs.google.com:443 - DIRECT/173.194.123.67 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3156, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.67", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 115965, - 
"rsa.time.event_time": "2015-05-18T16:47:51.000Z", - "rsa.time.event_time_str": "1431967671", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 937, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:48:41.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967721.078 53297 ::1 TCP_MISS/200 870 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3253, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 53297, - "rsa.time.event_time": "2015-05-18T16:48:41.000Z", - "rsa.time.event_time_str": "1431967721", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 870, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - 
"user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:49:33.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967773.775 52610 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3353, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 52610, - "rsa.time.event_time": "2015-05-18T16:49:33.000Z", - "rsa.time.event_time_str": "1431967773", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:50:27.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - 
], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967827.637 53774 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3453, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 53774, - "rsa.time.event_time": "2015-05-18T16:50:27.000Z", - "rsa.time.event_time_str": "1431967827", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:51:21.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967881.971 54254 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3553, - "observer.product": "Proxy", - "observer.type": "Proxies", - 
"observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 54254, - "rsa.time.event_time": "2015-05-18T16:51:21.000Z", - "rsa.time.event_time_str": "1431967881", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:52:15.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967935.923 53860 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3653, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - 
"rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 53860, - "rsa.time.event_time": "2015-05-18T16:52:15.000Z", - "rsa.time.event_time_str": "1431967935", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:53:09.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431967989.089 53080 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3753, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 53080, - "rsa.time.event_time": "2015-05-18T16:53:09.000Z", - "rsa.time.event_time_str": "1431967989", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": 
[ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:54:01.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968041.539 52374 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3853, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 52374, - "rsa.time.event_time": "2015-05-18T16:54:01.000Z", - "rsa.time.event_time_str": "1431968041", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:54:59.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968099.212 57477 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3953, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 57477, - "rsa.time.event_time": "2015-05-18T16:54:59.000Z", - "rsa.time.event_time_str": "1431968099", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:55:56.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968156.648 57347 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - 
"fileset.name": "log", - "input.type": "log", - "log.offset": 4053, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 57347, - "rsa.time.event_time": "2015-05-18T16:55:56.000Z", - "rsa.time.event_time_str": "1431968156", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:56:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968210.299 53575 ::1 TCP_MISS/200 774 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4153, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 53575, - "rsa.time.event_time": "2015-05-18T16:56:50.000Z", - "rsa.time.event_time_str": "1431968210", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 774, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:57:45.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968265.132 54585 ::1 TCP_MISS/200 716 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4253, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 54585, - "rsa.time.event_time": "2015-05-18T16:57:45.000Z", - "rsa.time.event_time_str": "1431968265", - "rsa.web.alias_host": "0.docs.google.com", - 
"server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 716, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:57:53.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.101" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968273.671 116138 ::1 TCP_MISS/200 1093 CONNECT docs.google.com:443 - DIRECT/173.194.123.101 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4353, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.101" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 116138, - "rsa.time.event_time": "2015-05-18T16:57:53.000Z", - "rsa.time.event_time_str": "1431968273", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 1093, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:58:39.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": 
"Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968319.296 54086 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4452, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 54086, - "rsa.time.event_time": "2015-05-18T16:58:39.000Z", - "rsa.time.event_time_str": "1431968319", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:59:32.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": 
"1431968372.410 52982 ::1 TCP_MISS/200 745 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4552, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.206.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 52982, - "rsa.time.event_time": "2015-05-18T16:59:32.000Z", - "rsa.time.event_time_str": "1431968372", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 745, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:59:34.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.99" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968374.119 8177 ::1 TCP_MISS/200 2705 CONNECT docs.google.com:443 - DIRECT/173.194.123.99 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4652, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.123.99", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - 
"rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 8177, - "rsa.time.event_time": "2015-05-18T16:59:34.000Z", - "rsa.time.event_time_str": "1431968374", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 2705, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-18T16:59:34.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.206.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1431968374.150 1601 ::1 TCP_MISS/200 844 CONNECT 0.docs.google.com:443 - DIRECT/173.194.206.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4750, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.206.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 1601, - "rsa.time.event_time": "2015-05-18T16:59:34.000Z", - 
"rsa.time.event_time_str": "1431968374", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 844, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-28T05:11:24.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.226.83" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1432789884.994 297 ::1 TCP_MISS/302 696 GET http://www.google.com/ - DIRECT/74.125.226.83 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4850, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "74.125.226.83" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 297, - "rsa.time.event_time": "2015-05-28T05:11:24.000Z", - "rsa.time.event_time_str": "1432789884", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 696, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/", - "user.name": "-" - 
}, - { - "@timestamp": "2015-05-28T05:11:25.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.40" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1432789885.671 220 ::1 TCP_MISS/200 934 POST http://clients1.google.com/ocsp - DIRECT/173.194.123.40 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4953, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.40" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 220, - "rsa.time.event_time": "2015-05-28T05:11:25.000Z", - "rsa.time.event_time_str": "1432789885", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 934, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2015-05-28T05:12:30.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - 
"destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.123.41" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1432789950.885 59335 ::1 TCP_MISS/200 55721 CONNECT apis.google.com:443 - DIRECT/173.194.123.41 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5083, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "173.194.123.41" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "apis.google.com", - "rsa.time.duration_time": 59335, - "rsa.time.event_time": "2015-05-28T05:12:30.000Z", - "rsa.time.event_time_str": "1432789950", - "rsa.web.alias_host": "apis.google.com", - "server.domain": "apis.google.com", - "service.type": "squid", - "source.bytes": 55721, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "apis.google.com", - "url.original": "apis.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-05-28T05:12:32.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.226.83" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1432789952.891 67776 ::1 TCP_MISS/200 254589 CONNECT www.google.com:443 - DIRECT/74.125.226.83 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5182, 
- "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "74.125.226.83", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 67776, - "rsa.time.event_time": "2015-05-28T05:12:32.000Z", - "rsa.time.event_time_str": "1432789952", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 254589, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:19:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.174" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445267990.313 759 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5280, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.174", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": 
"DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "POST" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 759, - "rsa.time.event_time": "2015-10-19T15:19:50.000Z", - "rsa.time.event_time_str": "1445267990", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:20:03.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.174" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268003.557 192 ::1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.174 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5410, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": 
[ - "TCP_MISS", - "POST" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 192, - "rsa.time.event_time": "2015-10-19T15:20:03.000Z", - "rsa.time.event_time_str": "1445268003", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:20:29.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.165" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268029.709 59991 ::1 TCP_MISS/200 5188 CONNECT mail.google.com:443 - DIRECT/216.58.219.165 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5540, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.165" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "mail.google.com", - "rsa.time.duration_time": 59991, - "rsa.time.event_time": 
"2015-10-19T15:20:29.000Z", - "rsa.time.event_time_str": "1445268029", - "rsa.web.alias_host": "mail.google.com", - "server.domain": "mail.google.com", - "service.type": "squid", - "source.bytes": 5188, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "mail.google.com", - "url.original": "mail.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:21:02.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268062.046 66005 ::1 TCP_MISS/200 5310 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5638, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.174", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients6.google.com", - "rsa.time.duration_time": 66005, - "rsa.time.event_time": "2015-10-19T15:21:02.000Z", - "rsa.time.event_time_str": "1445268062", - "rsa.web.alias_host": "clients6.google.com", - "server.domain": "clients6.google.com", - "service.type": "squid", - "source.bytes": 5310, - "source.ip": [ - "::1" - ], - 
"tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients6.google.com", - "url.original": "clients6.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:21:04.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268064.055 73369 ::1 TCP_MISS/200 6975 CONNECT clients6.google.com:443 - DIRECT/216.58.219.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5740, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients6.google.com", - "rsa.time.duration_time": 73369, - "rsa.time.event_time": "2015-10-19T15:21:04.000Z", - "rsa.time.event_time_str": "1445268064", - "rsa.web.alias_host": "clients6.google.com", - "server.domain": "clients6.google.com", - "service.type": "squid", - "source.bytes": 6975, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients6.google.com", - "url.original": "clients6.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:21:09.000Z", - "destination.as.number": 
15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268069.665 59549 ::1 TCP_MISS/200 4871 CONNECT play.google.com:443 - DIRECT/216.58.219.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5842, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.174", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "play.google.com", - "rsa.time.duration_time": 59549, - "rsa.time.event_time": "2015-10-19T15:21:09.000Z", - "rsa.time.event_time_str": "1445268069", - "rsa.web.alias_host": "play.google.com", - "server.domain": "play.google.com", - "service.type": "squid", - "source.bytes": 4871, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "play.google.com", - "url.original": "play.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:22:20.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - 
"destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.132" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268140.447 180 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5940, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.132" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 180, - "rsa.time.event_time": "2015-10-19T15:22:20.000Z", - "rsa.time.event_time_str": "1445268140", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:22:20.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.132" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": 
"squid.log", - "event.module": "squid", - "event.original": "1445268140.539 74 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6034, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.132" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 74, - "rsa.time.event_time": "2015-10-19T15:22:20.000Z", - "rsa.time.event_time_str": "1445268140", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:22:20.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.132" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268140.703 112 ::1 TCP_MISS/200 0 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6128, - "observer.product": "Proxy", - 
"observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.132" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 112, - "rsa.time.event_time": "2015-10-19T15:22:20.000Z", - "rsa.time.event_time_str": "1445268140", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:22:32.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.142" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268152.177 264 ::1 TCP_MISS/200 0 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6222, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.142" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "plus.google.com", - "rsa.time.duration_time": 264, - "rsa.time.event_time": "2015-10-19T15:22:32.000Z", - "rsa.time.event_time_str": "1445268152", - "rsa.web.alias_host": "plus.google.com", - "server.domain": "plus.google.com", - "service.type": "squid", - "source.bytes": 0, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "plus.google.com", - "url.original": "plus.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:23:07.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.142" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268187.113 59699 ::1 TCP_MISS/200 5020 CONNECT docs.google.com:443 - DIRECT/216.58.219.142 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6317, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.142", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "docs.google.com", - "rsa.time.duration_time": 59699, - 
"rsa.time.event_time": "2015-10-19T15:23:07.000Z", - "rsa.time.event_time_str": "1445268187", - "rsa.web.alias_host": "docs.google.com", - "server.domain": "docs.google.com", - "service.type": "squid", - "source.bytes": 5020, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "docs.google.com", - "url.original": "docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:23:44.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.142" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268224.938 70176 ::1 TCP_MISS/200 14737 CONNECT plus.google.com:443 - DIRECT/216.58.219.142 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6415, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.142", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "plus.google.com", - "rsa.time.duration_time": 70176, - "rsa.time.event_time": "2015-10-19T15:23:44.000Z", - "rsa.time.event_time_str": "1445268224", - "rsa.web.alias_host": "plus.google.com", - "server.domain": "plus.google.com", - "service.type": "squid", - "source.bytes": 14737, - "source.ip": [ - 
"::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "plus.google.com", - "url.original": "plus.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:24:21.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.132" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268261.980 121174 ::1 TCP_MISS/200 528022 CONNECT www.google.com:443 - DIRECT/216.58.219.132 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6514, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.132" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 121174, - "rsa.time.event_time": "2015-10-19T15:24:21.000Z", - "rsa.time.event_time_str": "1445268261", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 528022, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:25:14.000Z", - "destination.as.number": 15169, - 
"destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.141.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268314.711 361370 ::1 TCP_MISS/200 6518 CONNECT 0.docs.google.com:443 - DIRECT/74.125.141.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6613, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "74.125.141.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.docs.google.com", - "rsa.time.duration_time": 361370, - "rsa.time.event_time": "2015-10-19T15:25:14.000Z", - "rsa.time.event_time_str": "1445268314", - "rsa.web.alias_host": "0.docs.google.com", - "server.domain": "0.docs.google.com", - "service.type": "squid", - "source.bytes": 6518, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.docs.google.com", - "url.original": "0.docs.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:25:14.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.141.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "1445268314.711 355919 ::1 TCP_MISS/200 9695 CONNECT 0.talkgadget.google.com:443 - DIRECT/74.125.141.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6713, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "74.125.141.189" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.talkgadget.google.com", - "rsa.time.duration_time": 355919, - "rsa.time.event_time": "2015-10-19T15:25:14.000Z", - "rsa.time.event_time_str": "1445268314", - "rsa.web.alias_host": "0.talkgadget.google.com", - "server.domain": "0.talkgadget.google.com", - "service.type": "squid", - "source.bytes": 9695, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.talkgadget.google.com", - "url.original": "0.talkgadget.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:25:14.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "74.125.141.189" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268314.711 257778 ::1 TCP_MISS/200 6024 CONNECT 0.client-channel.google.com:443 - DIRECT/74.125.141.189 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6819, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - 
"74.125.141.189", - "::1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "0.client-channel.google.com", - "rsa.time.duration_time": 257778, - "rsa.time.event_time": "2015-10-19T15:25:14.000Z", - "rsa.time.event_time_str": "1445268314", - "rsa.web.alias_host": "0.client-channel.google.com", - "server.domain": "0.client-channel.google.com", - "service.type": "squid", - "source.bytes": 6024, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "0.client-channel.google.com", - "url.original": "0.client-channel.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2015-10-19T15:25:14.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", - "destination.ip": [ - "216.58.219.133" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1445268314.711 43887 ::1 TCP_MISS/200 1833 CONNECT mail.google.com:443 - DIRECT/216.58.219.133 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6929, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "::1", - "216.58.219.133" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "mail.google.com", - "rsa.time.duration_time": 43887, - "rsa.time.event_time": "2015-10-19T15:25:14.000Z", - "rsa.time.event_time_str": "1445268314", - "rsa.web.alias_host": "mail.google.com", - "server.domain": "mail.google.com", - "service.type": "squid", - "source.bytes": 1833, - "source.ip": [ - "::1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "mail.google.com", - "url.original": "mail.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2016-02-01T14:19:56.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.228" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1454336396.005 63622 10.100.0.1 TCP_MISS/200 272954 CONNECT www.google.com:443 - DIRECT/216.58.219.228 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7027, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.228", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 63622, - 
"rsa.time.event_time": "2016-02-01T14:19:56.000Z", - "rsa.time.event_time_str": "1454336396", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "service.type": "squid", - "source.bytes": 272954, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "www.google.com", - "url.original": "www.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2016-02-01T14:19:58.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.238" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1454336398.988 59761 10.100.0.1 TCP_MISS/200 54752 CONNECT apis.google.com:443 - DIRECT/216.58.219.238 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7133, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.238", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "apis.google.com", - "rsa.time.duration_time": 59761, - "rsa.time.event_time": "2016-02-01T14:19:58.000Z", - "rsa.time.event_time_str": "1454336398", - "rsa.web.alias_host": "apis.google.com", - "server.domain": "apis.google.com", - "service.type": "squid", - "source.bytes": 54752, - 
"source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "apis.google.com", - "url.original": "apis.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2016-05-10T16:45:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.205.113" - ], - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1462898750.708 288 10.100.0.1 TCP_MISS/301 695 GET http://google.com/ - DIRECT/173.194.205.113 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7239, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "173.194.205.113", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "GET" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "301", - "rsa.network.domain": "google.com", - "rsa.time.duration_time": 288, - "rsa.time.event_time": "2016-05-10T16:45:50.000Z", - "rsa.time.event_time_str": "1462898750", - "rsa.web.alias_host": "google.com", - "server.domain": "google.com", - "service.type": "squid", - "source.bytes": 695, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "google.com", - "url.original": "http://google.com/", - "user.name": "-" - }, - { - "@timestamp": "2017-01-04T16:27:23.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": 
"North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.6.238" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1483547243.947 153 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7347, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "172.217.6.238" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 153, - "rsa.time.event_time": "2017-01-04T16:27:23.000Z", - "rsa.time.event_time_str": "1483547243", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2017-01-04T16:27:24.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.6.238" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "1483547244.218 110 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7483, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.6.238", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 110, - "rsa.time.event_time": "2017-01-04T16:27:24.000Z", - "rsa.time.event_time_str": "1483547244", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2017-01-07T17:23:08.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.238" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1483809788.490 217 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - 
DIRECT/216.58.219.238 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7619, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.238", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "POST" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 217, - "rsa.time.event_time": "2017-01-07T17:23:08.000Z", - "rsa.time.event_time_str": "1483809788", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2017-01-07T17:23:08.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.238" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1483809788.504 224 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/216.58.219.238 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7756, - 
"observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "216.58.219.238" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "POST" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 224, - "rsa.time.event_time": "2017-01-07T17:23:08.000Z", - "rsa.time.event_time_str": "1483809788", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2017-04-20T20:53:25.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.6.238" - ], - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1492721605.095 1894 10.100.0.1 TCP_MISS/200 901 POST http://clients1.google.com/ocsp - DIRECT/172.217.6.238 application/ocsp-response", - "file.name": "ocsp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7893, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "172.217.6.238" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "POST" - ], - "rsa.misc.content_type": "application/ocsp-response", - "rsa.misc.result_code": "200", - "rsa.network.domain": "clients1.google.com", - "rsa.time.duration_time": 1894, - "rsa.time.event_time": "2017-04-20T20:53:25.000Z", - "rsa.time.event_time_str": "1492721605", - "rsa.web.alias_host": "clients1.google.com", - "server.domain": "clients1.google.com", - "service.type": "squid", - "source.bytes": 901, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "clients1.google.com", - "url.original": "http://clients1.google.com/ocsp", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:54:43.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.10.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415283.110 3338 10.100.2.85 TCP_MISS/200 25103 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8029, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.2.85", - "172.217.10.14" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 3338, - "rsa.time.event_time": "2017-12-27T22:54:43.000Z", - "rsa.time.event_time_str": 
"1514415283", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 25103, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:54:45.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.10.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415285.181 5317 10.100.2.85 TCP_MISS/200 30037 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8131, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.10.14", - "10.100.2.85" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 5317, - "rsa.time.event_time": "2017-12-27T22:54:45.000Z", - "rsa.time.event_time_str": "1514415285", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 30037, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:54:47.000Z", - "destination.as.number": 15169, 
- "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.10.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415287.601 7719 10.100.2.85 TCP_MISS/200 31365 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8233, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.2.85", - "172.217.10.14" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 7719, - "rsa.time.event_time": "2017-12-27T22:54:47.000Z", - "rsa.time.event_time_str": "1514415287", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 31365, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:54:53.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - 
"event.original": "1514415293.832 11122 10.100.2.85 TCP_MISS/200 4120 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8335, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.2.85", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "play.google.com", - "rsa.time.duration_time": 11122, - "rsa.time.event_time": "2017-12-27T22:54:53.000Z", - "rsa.time.event_time_str": "1514415293", - "rsa.web.alias_host": "play.google.com", - "server.domain": "play.google.com", - "service.type": "squid", - "source.bytes": 4120, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "play.google.com", - "url.original": "play.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:54:55.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.10.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415295.359 15462 10.100.2.85 TCP_MISS/200 135019 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8441, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.10.14", - "10.100.2.85" - ], - "related.user": [ - "-" - 
], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 15462, - "rsa.time.event_time": "2017-12-27T22:54:55.000Z", - "rsa.time.event_time_str": "1514415295", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 135019, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:54:57.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.10.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415297.207 17318 10.100.2.85 TCP_MISS/200 193786 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8544, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.10.14", - "10.100.2.85" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 17318, - "rsa.time.event_time": 
"2017-12-27T22:54:57.000Z", - "rsa.time.event_time_str": "1514415297", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 193786, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:57:48.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415468.723 195307 10.100.2.85 TCP_MISS/200 207119 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8647, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.2.85", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "news.google.com", - "rsa.time.duration_time": 195307, - "rsa.time.event_time": "2017-12-27T22:57:48.000Z", - "rsa.time.event_time_str": "1514415468", - "rsa.web.alias_host": "news.google.com", - "server.domain": "news.google.com", - "service.type": "squid", - "source.bytes": 207119, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "news.google.com", - "url.original": "news.google.com:443", - "user.name": 
"-" - }, - { - "@timestamp": "2017-12-27T22:57:49.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.10.14" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415469.795 189952 10.100.2.85 TCP_MISS/200 372304 CONNECT i.ytimg.com:443 - DIRECT/172.217.10.14 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8755, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.10.14", - "10.100.2.85" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 189952, - "rsa.time.event_time": "2017-12-27T22:57:49.000Z", - "rsa.time.event_time_str": "1514415469", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 372304, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:57:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "173.194.204.156" - ], - "event.action": 
"TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415470.873 171312 10.100.2.85 TCP_MISS/200 3517 CONNECT stats.g.doubleclick.net:443 - DIRECT/173.194.204.156 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8858, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.2.85", - "173.194.204.156" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "stats.g.doubleclick.net", - "rsa.time.duration_time": 171312, - "rsa.time.event_time": "2017-12-27T22:57:50.000Z", - "rsa.time.event_time_str": "1514415470", - "rsa.web.alias_host": "stats.g.doubleclick.net", - "server.domain": "stats.g.doubleclick.net", - "service.type": "squid", - "source.bytes": 3517, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "stats.g.doubleclick.net", - "url.original": "stats.g.doubleclick.net:443", - "user.name": "-" - }, - { - "@timestamp": "2017-12-27T22:57:51.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1514415471.953 170700 10.100.2.85 TCP_MISS/200 5679 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8973, - "observer.product": 
"Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.2.85", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "play.google.com", - "rsa.time.duration_time": 170700, - "rsa.time.event_time": "2017-12-27T22:57:51.000Z", - "rsa.time.event_time_str": "1514415471", - "rsa.web.alias_host": "play.google.com", - "server.domain": "play.google.com", - "service.type": "squid", - "source.bytes": 5679, - "source.ip": [ - "10.100.2.85" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "play.google.com", - "url.original": "play.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:13:25.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521148405.505 170531 10.100.0.1 TCP_MISS/200 5650 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9079, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" 
- ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "news.google.com", - "rsa.time.duration_time": 170531, - "rsa.time.event_time": "2018-03-15T21:13:25.000Z", - "rsa.time.event_time_str": "1521148405", - "rsa.web.alias_host": "news.google.com", - "server.domain": "news.google.com", - "service.type": "squid", - "source.bytes": 5650, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "news.google.com", - "url.original": "news.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:16:23.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521148583.607 171280 10.100.0.1 TCP_MISS/200 5549 CONNECT play.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9184, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "play.google.com", - "rsa.time.duration_time": 171280, - "rsa.time.event_time": "2018-03-15T21:16:23.000Z", - "rsa.time.event_time_str": "1521148583", - "rsa.web.alias_host": "play.google.com", - "server.domain": "play.google.com", - "service.type": "squid", - "source.bytes": 
5549, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "play.google.com", - "url.original": "play.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:18:21.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521148701.183 232347 10.100.0.1 TCP_MISS/200 947 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9289, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "news.google.com", - "rsa.time.duration_time": 232347, - "rsa.time.event_time": "2018-03-15T21:18:21.000Z", - "rsa.time.event_time_str": "1521148701", - "rsa.web.alias_host": "news.google.com", - "server.domain": "news.google.com", - "service.type": "squid", - "source.bytes": 947, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "news.google.com", - "url.original": "news.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:21:20.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North 
America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521148880.382 170896 10.100.0.1 TCP_MISS/200 785 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9393, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.12.174", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "news.google.com", - "rsa.time.duration_time": 170896, - "rsa.time.event_time": "2018-03-15T21:21:20.000Z", - "rsa.time.event_time_str": "1521148880", - "rsa.web.alias_host": "news.google.com", - "server.domain": "news.google.com", - "service.type": "squid", - "source.bytes": 785, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "news.google.com", - "url.original": "news.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:23:28.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149008.672 59245 10.100.0.1 TCP_MISS/200 1723 
CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9497, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.12.174", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "news.google.com", - "rsa.time.duration_time": 59245, - "rsa.time.event_time": "2018-03-15T21:23:28.000Z", - "rsa.time.event_time_str": "1521149008", - "rsa.web.alias_host": "news.google.com", - "server.domain": "news.google.com", - "service.type": "squid", - "source.bytes": 1723, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "news.google.com", - "url.original": "news.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:23:48.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.206" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149028.248 14405 10.100.0.1 TCP_MISS/200 28315 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9602, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - 
"10.100.0.1", - "216.58.219.206" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 14405, - "rsa.time.event_time": "2018-03-15T21:23:48.000Z", - "rsa.time.event_time_str": "1521149028", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 28315, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:23:48.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.206" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149028.574 15142 10.100.0.1 TCP_MISS/200 32424 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9704, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.206", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - 
"TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 15142, - "rsa.time.event_time": "2018-03-15T21:23:48.000Z", - "rsa.time.event_time_str": "1521149028", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 32424, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:23:49.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.206" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149029.151 15722 10.100.0.1 TCP_MISS/200 31526 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9806, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.206", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 15722, - "rsa.time.event_time": "2018-03-15T21:23:49.000Z", - "rsa.time.event_time_str": 
"1521149029", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 31526, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:23:49.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.206" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149029.888 16453 10.100.0.1 TCP_MISS/200 45630 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9908, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.206", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 16453, - "rsa.time.event_time": "2018-03-15T21:23:49.000Z", - "rsa.time.event_time_str": "1521149029", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 45630, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - 
"url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:23:50.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.206" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149030.562 17135 10.100.0.1 TCP_MISS/200 26443 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10010, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.206", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 17135, - "rsa.time.event_time": "2018-03-15T21:23:50.000Z", - "rsa.time.event_time_str": "1521149030", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 26443, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:24:01.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - 
"destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149041.120 24645 10.100.0.1 TCP_MISS/200 52379 CONNECT apis.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10112, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "10.100.0.1", - "172.217.12.174" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "apis.google.com", - "rsa.time.duration_time": 24645, - "rsa.time.event_time": "2018-03-15T21:24:01.000Z", - "rsa.time.event_time_str": "1521149041", - "rsa.web.alias_host": "apis.google.com", - "server.domain": "apis.google.com", - "service.type": "squid", - "source.bytes": 52379, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "apis.google.com", - "url.original": "apis.google.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:24:01.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Bluffdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 40.4953, - "destination.geo.location.lon": -111.9439, - "destination.geo.region_iso_code": "US-UT", - "destination.geo.region_name": "Utah", - "destination.ip": [ - "216.58.219.206" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - 
"event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149041.124 27963 10.100.0.1 TCP_MISS/200 510095 CONNECT i.ytimg.com:443 - DIRECT/216.58.219.206 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10218, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "216.58.219.206", - "10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "i.ytimg.com", - "rsa.time.duration_time": 27963, - "rsa.time.event_time": "2018-03-15T21:24:01.000Z", - "rsa.time.event_time_str": "1521149041", - "rsa.web.alias_host": "i.ytimg.com", - "server.domain": "i.ytimg.com", - "service.type": "squid", - "source.bytes": 510095, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "i.ytimg.com", - "url.original": "i.ytimg.com:443", - "user.name": "-" - }, - { - "@timestamp": "2018-03-15T21:24:01.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": [ - "172.217.12.174" - ], - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1521149041.125 32394 10.100.0.1 TCP_MISS/200 235026 CONNECT news.google.com:443 - DIRECT/172.217.12.174 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10321, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.ip": [ - "172.217.12.174", - 
"10.100.0.1" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "news.google.com", - "rsa.time.duration_time": 32394, - "rsa.time.event_time": "2018-03-15T21:24:01.000Z", - "rsa.time.event_time_str": "1521149041", - "rsa.web.alias_host": "news.google.com", - "server.domain": "news.google.com", - "service.type": "squid", - "source.bytes": 235026, - "source.ip": [ - "10.100.0.1" - ], - "tags": [ - "squid.log", - "forwarded" - ], - "url.domain": "news.google.com", - "url.original": "news.google.com:443", - "user.name": "-" - } -] \ No newline at end of file